A CCA-PKE Secure-Cryptosystem Resilient to Randomness Reset and Secret-Key Leakage

Abstract

In recent years, several new notions of security have begun receiving consideration for public-key cryptosystems, beyond the standard of security against adaptive chosen ciphertext attack (CCA2). Among these are security against randomness reset attacks, in which the randomness used in encryption is forcibly set to some previous value, and against constant secret-key leakage attacks, wherein the constant factor of a secret key’s bits is leaked. In terms of formal security definitions, cast as attack games between a challenger and an adversary, a joint combination of these attacks means that the adversary has access to additional encryption queries under a randomness of his own choosing along with secret-key leakage queries. This implies that both the encryption and decryption processes of a cryptosystem are being tampered under this security notion. In this paper, we attempt to address this problem of a joint combination of randomness and secret-key leakage attacks through two cryptosystems that incorporate hash proof system and randomness extractor primitives. The first cryptosystem relies on the random oracle model and is secure against a class of adversaries, called non-reversing adversaries. We remove the random oracle oracle assumption and the non-reversing adversary requirement in our second cryptosystem, which is a standard model that relies on a proposed primitive called $L^M$ lossy functions. These functions allow up to M lossy branches in the collection to substantially lose information, allowing the cryptosystem to use this loss of information for several encryption and challenge queries. For each cryptosystem, we present detailed security proofs using the game-hopping procedure. In addition, we present a concrete instantation of $L^M$ lossy functions in the end of the paper—which relies on the DDH assumption.

1. Introduction

Adaptive Chosen ciphertext attack (CCA2) secure cryptosystems. Since the invention of the Diffie–Helman key exchange and the RSA primitive, public-key cryptography has become one of the most well-studied areas in cryptography research [1]. Currently, the security notion required of any public-key cryptosystem is security against adaptive chosen ciphertext attacks [2,3], or CCA2 security. Security against adaptive chosen ciphertext attacks guarantees that ciphertexts are not malleable, which implies that ciphertexts cannot be modified in transit by some efficient adversarial algorithm. Initially, encryption schemes provided CCA2 security under the random oracle model [4]. Random oracle-based models are heuristic in approach and are randomness-recovering, i.e., they allow a scheme to recover its randomness during an encryption. However, they rely on very strong assumptions, for example, that some functions, i.e., hash functions, are indistinguishable from truly random functions. A more practical CCA2-secure public-key encryption scheme is presented in [3], which relies on the decisional Diffie–Helman (DDH) assumption. The scheme of [3] uses hash-proof systems, which involve projective hash functions that perform function delegation through auxiliary information. Without this auxiliary information, however, the function’s behaviour is close to uniform and it is hard to distinguish as non-random. The design of several practical public-key encryption schemes essentially use this hash proof system by [5] or some variants of it [6,7].

Following the hash proof system of [3], several other CCA2 secure cryptosystems have been proposed. Among these is the CCA2 secure cryptosystem of [8] that relies on a lossy function primitive. The lossy function primitive is a collection of functions, such that some functions in the collection, i.e., the lossy functions, substantially lose significant information from the input. It is difficult, however, to determine if a function is lossy or not. By exploiting the loss of information in the function, along with the computational difficulty in determining the type of a function, several CCA2 secure cryptosystems can be developed under the standard model, thereby presenting an alternative to the practical CCA2 cryptosystem of [3].

Yet, while more practical and efficient CCA2 cryptosystems are being developed, recently, a number of cryptography papers have called into question the security guarantees provided by CCA2 security [9,10,11,12,13,14], due to newer types of attacks. Among the common categories of these newer attacks are (i) randomness attacks and (ii) secret-key leakage attacks. Both of these attack categories have been shown to be strong enough to trivially break CCA2 security. These attacks are briefly described as follows.

Randomness Attacks. The first category, i.e., randomness attacks, considers the case where the randomness used in cryptosystems fails to be truly random. These attacks tamper with the encryption process of a cryptosystem. Randomness failures can be due to a faulty, pseudorandom generator design and implementation [15], or due to simple attacks, such as virtual machine resets [16]. In a virtual machine reset—called randomness reset attack—a computer is forced to restart to some previous state stored in memory and random number variables are reset to some previous value. This applies, especially, to virtual machine systems that use virtual machine monitors (or hypervisors) to manage several operating systems. Given the increased use of cloud computing, such as with Amazon’s servers, several systems have become reliant on virtual machines. A feature of a virtual machine monitor is the taking of snapshots [16] of the system’s state, where the snapshot includes all items of the system in memory, at a certain point in time, for backup and fault tolerance. Included in this snapshot are the random numbers used by the operating system for its encryptions. A hacker, however, may force a virtual machine to be reset to a prior snapshot and re-use the randomness therefrom. For instance, a hacker may perform a denial-of-service attack against a virtual machine, whereupon the virtual machine is forced to be reset to some previous state. In particular [17] point out that snapshots of virtual machines may impair security due to the reuse of security-critical states. Ref. [18] exhibits virtual machine reset vulnerabilities in TLS clients and servers, wherein the attacker takes advantage of snapshots to expose a server’s DSA signing key. Given these actual examples, ref. [16] considered the effect of virtual machine resets on existing CCA2 secure cryptosystems. The results were not positive, as [16] showed a scenario wherein an adversary can trivially break CCA2 security by exploiting such vulnerabilities.

We demonstrate such vulnerabilities on a simpler cryptosystem in Section 3, wherein we present a concrete example of a randomness reset attack in the context of the ElGamal cryptosystem, along with the effect of a randomness reset attack on the formal definition of CCA2 security as done in [16]. Briefly, CCA2 security is formally defined in terms of an attack game between a challenger and an adversary [19], where the adversary may perform challenge queries and decryption queries. The adversary’s task is to correctly guess the underlying message of a challenge ciphertext, given that the challenge ciphertext cannot serve as input to a decryption query. An attack game with a randomness reset attack will incorporate additional encryption queries, in which random numbers can be set, by the adversary, to some previous value. These may present difficulties to some existing cryptosystems, since, unlike challenge ciphertexts, ciphertexts from encryption queries may validly serve as input for decryption queries. In fact, randomness reset attacks are so strong that [11,16,20] have been forced to rule-out situations wherein adversaries can perform arbitrary queries. Instead, adversaries are assumed to satisfy the equality pattern, respecting constraint. The cryptosystem of [16] provides a generic transformation to render a CCA2 public-key cryptosystem secure against randomness reset attacks. The transformation involves feeding a random number and an associated plaintext message to a pseudorandom function. If the joint entropy of the random number and the plaintext message is high enough, the security properties of the pseudorandom function can fix any faulty randomness in the cryptosystem. In Section 4, we present a list of schemes that consider various other types of randomness reset attacks.

Secret Key Leakage Attacks. The second category, i.e., secret-key leakage attacks, considers the case where an adversary learns bits of the secret key [9].These attacks tamper with the decryption process of a cryptosystem. Leakage of secret keys may, perhaps, be due to some devious means, such as side-channel attacks. For instance [21] have reported that practical implementations of cryptosystems in software are often vulnerable to side-channel attacks. For example, the power traces of 8000 encryptions are sufficient to extract the secret key of ASIC AES, which is substantially faster than a brute-force search for the secret key. It follows that, given enough bits of the secret key, a simple exhaustive search over the set of candidate keys can break any cryptosystem’s security. A formal definition of this attack is first considered in [9]. Several articles have provided cryptosystems that are provably secure against secret-key leakage attacks, on top of CCA2 security [12,13]. In particular, the scheme of [13] provides a cryptosystem that is secure against a constant factor of secret key bits leaked to the adversary, where the factor can be as high as $1/2-o\left(1\right)$ bits of the secret key. The scheme of [13] is composed of an ensemble of various cryptographic primitives, such hash proof systems [5], lossy functions [8], and randomness extractors [22,23]. In particular, ref. [13] proposed the one-time lossy filter, which is a special type of lossy function that does not implement a trapdoor. Unlike the cryptosystem of [3], the scheme of [13] is randomness-recovering and can tolerate a higher degree of secret-key leakage. The paper of [12] showed that the cryptosystem of [13] is also secure against arbitrary functions of secret-key leakage. In Section 3, we illustrate how secret-key leakage attacks would affect the formal definition of CCA2 security (expressed as an attack game between a challenger and an adversary). Briefly, secret-key leakage attacks would provide additional leakage queries for the adversary, where he gets to learn a constant factor of bits of the secret key. In Section 4, we present a list of various other types of secret-key leakage attacks along with the primitives that they use.

Our contributions. As noted in [11], given these new types of attacks, an interesting problem is the construction of a public-key cryptosystem that is both resistant to randomness attacks and secret-key leakage attacks. Attacks that jointly involve both types effectively tamper with both the encryption and decryption processes of a cryptosystem, and the cryptosystem has to deal with attacks from both sides. On the one hand, in a randomness attack, the randomness involved in encryption is tampered to some value dictated by the adversary. On the other hand, in a secret-key leakage attack, the adversary learns information about the secret key involved in decryption. In terms of attack games between a challenger and an adversary, this implies that the adversary has access to additional encryption queries and secret-key leakage queries, aside from the usual decryption and challenge queries in a CCA2 attack game. To address these challenges, we propose two cryptosystems; the first is a random oracle model, and the second is a standard model that relies on a proposed primitive, called $L^M$ lossy functions. A collection of $L^M$ lossy functions provides multiple lossy branches and is simple to construct from existing ABO lossy functions [8]. Having multiple lossy branches is crucial for our cryptosystem, given that the adversary may query multiple encryption and challenge queries, and, unlike challenge ciphertexts, encrypted ciphertexts can validly serve as input for decryption. By having several lossy branches, the cryptosystem is able to exploit the loss of information given by the lossy branch even under multiple encryption and challenge queries. We can say that the $L^M$ lossy function forms the core primitive of our second cryptosystem since, without this primitive, the hash proof systems would be insufficient for security (at least in the context of constructions). The presentation of our cryptosystems follows [2,10], which begins from random oracle models and is followed by standard models. This is because, while the random oracle model from [4] is useful for simplifying security proofs, it relies on the strong assumption that some hash functions are truly random, which may not necessarily be true, in practice [2]. For this reason, standard models usually follow initial random models, albeit with some added complexity in their schemes. Both of our proposed cryptosystems apply several primitives, such as hash proof systems, pseudorandom functions, and randomness extractors.

To put our contributions into context, the problem mentioned in [11] considers general classes of related randomness and related secret-key leakage attacks. For this paper, however, we approach the problem under a more limited class of randomness reset attacks [16], in which random numbers are reset to previous values, and under constant-bit secret-key leakage attacks [13], where a constant number of bits of the secret key are leaked. At the end of the paper, we present concrete instances of $L^M$ collections that rely on the decisional Diffie–Helman assumption, and on ElGamal matrix encryptions. We present security proofs for our proposed cryptosystems using the well-known game-hopping proving scheme, as described in [2,19].

2. Preliminaries

2.1. Notations

Given the set of natural numbers $\mathbb{N}$, let $\left[a\right]$ denote the set $\{1,2, \dots ,a\}$ for any $a\in \mathbb{N}$. Let $\kappa \in \mathbb{N}$ denote a security parameter following standard cryptography literature [2]. A function $f\left(\kappa \right)$ is negligible in κ if $f\left(\kappa \right)=o\left({\kappa }^{-c}\right)$ for every fixed constant c. A function $f\left(\kappa \right)$ is superpolynomial in κ if $1/f\left(\kappa \right)$ is negligible. Throughout the paper, the notation $x\leftarrow X$ refers to x being randomly drawn from the probability distribution of a random variable, X. Let $\mathcal{A}$ be any probabilistic polynomial-time algorithm. The advantage of $\mathcal{A}$ is defined to be its capacity to distinguish between the probability distributions of two collections of random variables. For instance, let $\mathcal{X}={\left\{X_{\kappa }\right\}}_{\kappa \in \mathbb{N}}$ and $Y={\left\{Y_{\kappa }\right\}}_{\kappa \in \mathbb{N}}$ be two collections of random variables indexed by $\kappa$. The advantage of $\mathcal{A}$, in this instance, is $|Pr(\mathcal{A}(1^{\kappa },x)=1)-Pr(\mathcal{A}(1^{\kappa },y)=1)|$ for $x\leftarrow X_{\kappa }$ and $y\leftarrow Y_{\kappa }$. Two collections of random variables $\mathcal{X}$ and Y are computationally indistinguishable if the advantage of any polynomial-time algorithm is negligible in $\kappa$. The statistical distance between two random variables X and Y with the same domain D is denoted as $\Delta (X,Y)=(1/2){\sum }_{z\in D}|Pr(X=z)-Pr(Y=z)|$ [22]. The min-entropy of X is denoted as ${\Gamma }_{\infty }\left(X\right)=-log({max}_{z}Pr(X=z))$. If X is conditioned on Y, the average min-entropy of X conditioned on Y is ${\tilde{\Gamma }}_{\infty }\left(X\right|Y)=-log\left(E_{y\leftarrow Y}{2}^{-{\Gamma }_{\infty }\left(X\right|Y=y)}\right)$.

2.2. Hashing and Randomness Extractors

Given the security parameter $\kappa \in \mathbb{N}$, let $l\left(\kappa \right)$ and $l^{\prime }\left(\kappa \right)$ be values of polynomials in $\kappa$. A hash function maps inputs of length $l\left(\kappa \right)$ to outputs of length $l^{\prime }\left(\kappa \right)$, where $l^{\prime }\left(\kappa \right)<l\left(\kappa \right)$. A family of hash functions $\mathcal{H}={\{h_i:X\to Y\}}_{i\in \mathbb{N}}$ with domain X and range Y is pairwise independent if, for every distinct pair $x,x^{\prime }\leftarrow X$ and $y,y^{\prime }\leftarrow Y$, the probability that $h_i\left(x\right)=y$ and $h_i\left(x^{\prime }\right)=y^{\prime }$ is equal to $1/{\left|Y\right|}^2$ for any $h_i\in \mathcal{H}$. On the other hand, if, for every distinct pair $x,x^{\prime }\leftarrow X$, we have ${Pr}_{h_i\leftarrow \mathcal{H}}(h_i\left(x\right)=h_i\left(x^{\prime }\right))=1/\left|Y\right|$ for any $h_i\in \mathcal{H}$, the family $\mathcal{H}$ is a universal family of hash functions, which is a strictly weaker property than pairwise independence [13]. A family of hash functions is collision resistant if no polynomial time algorithm can compute a distinct pair $x,x^{\prime }\leftarrow X$ such that $h_i\left(x\right)=h_i\left(x^{\prime }\right)$ for any $h_i\in \mathcal{H}$. The following useful result regarding average min-entropy will be used in several security proofs.

Lemma 1

([24]). Given the random variables X, Y, and Z, suppose that Y has $2^r$ possible values; then, ${\Gamma }_{\infty }\left(X\right|Y,Z)\ge {\Gamma }_{\infty }\left(X\right|Z)-r$.

Definition 1.

Randomness Extractor. Let X and Z be random variables such that $X\in {\{0,1\}}^a$ and $Z\in {\{0,1\}}^b$ with $a,b\in \mathbb{N}$ and $b<a$. Let Y any random variable such that ${\tilde{\Gamma }}_{\infty }\left(X\right|Y)\ge \nu$ for some $\nu \ge 0\in \mathbb{R}$. Let R be any random variable. An efficiently computable function, $E:X\times R\to Z$ is an average case $(\nu ,ϵ)$ strong extractor if $\Delta \left(\right(Y,r,E(X,r)),(Y,r,Uz\left)\right)\le ϵ$, where $r\leftarrow R$, $Uz$ is the uniform distribution over Z, and $ϵ>0\in \mathbb{R}$.

Concrete instantiations of strong randomness extractors involve a family of universal hash functions. This leads to the following lemma.

Lemma 2

([25]). A universal family of hash functions $\mathcal{H}$ can be used as average-case $({\tilde{\Gamma }}_{\infty }\left(X\right|Y),ϵ)$ strong extractors whenever ${\tilde{\Gamma }}_{\infty }\left(X\right|Y)\ge log\left|Z\right|+2log(1/ϵ)$.

2.3. Public Key Cryptosystems and CCA2 Security

A public-key cryptosystem consists of three probabilistic algorithms, $(\mathcal{G},\mathcal{E},\mathcal{D})$, described as follows.

• $\mathcal{G}\left(1^{\kappa }\right)$ is an initialization algorithm that outputs a public/secret key pair $(pk,sk)$ given security parameter $\kappa \in \mathbb{N}$.
• $\mathcal{E}(pk,m;r)$ is an encryption algorithm that outputs a ciphertext, c, given $pk$, a plaintext message, m, and a sampled random number, r, during computation.
• $\mathcal{D}(sk,c)$ is a decryption algorithm that outputs m such that $m=\mathcal{D}(sk,\mathcal{E}(pk,m;r\left)\right)$.

We now describe security against adaptive chosen ciphertext attacks or CCA2 security using attack games, following [4].

Security Notion of Adaptive Chosen Ciphertext Attack (CCA2 Security)

This security notion is defined in terms of an attack game between a challenger and an adversary, $\mathcal{A}$, in which both are polynomial-time algorithms. On input $\kappa$, the challenger draws $a\in \{0,1\}$ then generates the public/secret key pair $(pk,sk)\leftarrow \mathcal{G}\left(1^{\kappa }\right)$. It forwards $pk$ to $\mathcal{A}$. $\mathcal{A}$ can perform decryption queries by providing a ciphertext, c, to the challenger, and the challenger returns $\mathcal{D}(sk,c)$. $\mathcal{A}$ performs a challenge query by giving a message pair $(m_0,m_1)$ to the challenger, and the challenger returns the challenge ciphertext, $c^{*}=$ $\mathcal{E}$$(pk,m_a)$. To prevent trivial wins, any ciphertext input for decryption should not equal $c^{*}$. The game ends when $\mathcal{A}$ outputs a guess $a^{\prime }\in \{0,1\}$, who wins the game if $a=a^{\prime }$. The advantage of $\mathcal{A}$ is $|Pr(a^{\prime }=a)-1/2|$. If the advantage of any polynomial-time adversary for this game is negligible in $\kappa$, the public-key cryptosystem is CCA2 secure.

2.4. Hash Proof Systems

A hash proof system is an encapsulation system that uses a projective hash [5]. The domain of a projective hash consists of two disjoint sets, the valid set and the invalid set. Each projective hash function is associated with a projection function whose role is to provide auxiliary information. Without this auxiliary information, it is computationally difficult to evaluate the projective hash over the valid set in its domain, and its behaviour is close to uniform. In more detail, let ${\Lambda }_{s{k}_H}$ denote a projective hash with ciphertext domain C. Let $V\subseteq C$ denote the set of valid ciphertexts and $C\backslash V$ denote the set of invalid ciphertexts. Let K denote a set of encapsulated ciphertexts. A hash proof system, H, consists of three polynomial time algorithms $(H_g,H_{pub},H_{priv})$ that are as follows.

• $H_g\left(1^{\kappa }\right)$ is a parameter generation algorithm that generates a secret key $s{k}_H$ and projective hash ${\Lambda }_{s{k}_H}:C\to K$, with the associated projection function $\mu$. It computes public key $p{k}_H=\mu \left(s{k}_H\right)$, representing auxiliary information.
• $H_{pub}(p{k}_H,c_H,\omega )$ is a public evaluation algorithm that, given $p{k}_H$, ciphertext $c_H\in C$, and witness, $\omega$, of the fact that $c_H\in V$, outputs $k\in K$.
• $H_{priv}(s{k}_H,c)$ is a private evaluation algorithm that, given $s{k}_H$, ciphertext $c_H\in C$, outputs $k\in K$, without requiring witness, $\omega$, of the fact that $c_H\in V$.

A key property required of H is the subset membership hardness property, whereby V is computationally difficult to distinguish from $C\backslash V$. Formally, let $\mathcal{A}$ be any polynomial-time algorithm. The advantage of $\mathcal{A}$ with respect to the subset membership problem over $\{C,V\}$ is defined as $|Pr(\mathcal{A}\left(c_0\right)=1|c_0\leftarrow V)-Pr(\mathcal{A}\left(c_1\right)=1|c_1\leftarrow C\backslash V)|$. If this advantage is negligible for any $\mathcal{A}$, the subset membership problem over $\{C,V\}$ is computationally hard.

Definition 2.

Given $ϵ\ge 0$, a projective hash function, ${\Lambda }_{s{k}_H}$, with corresponding projection function, μ, is ϵ-universal if, for all $p{k}_H$, $c\in C\backslash V$, we have $Pr({\Lambda }_{s{k}_H}\left(c\right)=k|(pk,c))\le ϵ$, where the probability is computed over all $s{k}_H$ and $p{k}_H=\mu \left(s{k}_H\right)$.

The following lemma and definition will be used in the security proofs.

Lemma 3

([13]). Let ${\Lambda }_{s{k}_H}$ be an ϵ-universal projective hash function with the associated projection function, μ. For all $p{k}_H$ and invalid ciphertexts $c_H\in C\backslash V$, we have ${\Gamma }_{\infty }\left({\Lambda }_{s{k}_H}\left(c_H\right)\right|(p{k}_H,c_H))\ge log(1/ϵ)$, where $s{k}_H$ is a randomly drawn secret key, and $p{k}_H=\mu \left(s{k}_H\right)$.

Definition 3.

A hash proof system, H, is ϵ-universal if the underlying projective hash function is ϵ-universal and the underlying subset membership problem is computationally hard.

2.5. Lossy Functions

2.5.1. Lossy Functions

A lossy function is a function that loses information from its input. A collection of lossy functions (lossy collection) consists of a set of injective functions, along with a set of lossy functions [8]. Let $n\left(\kappa \right)$ and $p\left(\kappa \right)$ be values of polynomials in $\kappa \in \mathbb{N}$. Given $\kappa$, the input length of any function in the collection is $n\left(\kappa \right)$, and the size of the domain is $2^{n\left(\kappa \right)}$. A lossy function in the collection has an image size of, at most, $2^{logp\left(\kappa \right)}=p\left(\kappa \right)$, where $p\left(\kappa \right)<2^{n\left(\kappa \right)}$. For convenience, the dependence of n and p on $\kappa$ is omitted hereafter. The functions in the collection are indexed by the set S. A collection of $(n,p)$ lossy functions is given by the polynomial-time algorithms $(L_g,L_e)$:

• $L_g(1^{\kappa },i)$ for $i\in \{0,1\}$ is a function index sampling algorithm. If $i=1$, it outputs $s=L_g(1^{\kappa },1)\in S$, where s is the index of an injective function. If $i=0$, its output is $s=L_g(1^{\kappa },0)\in S$, where s is the index of a lossy function.
• $L_e(s,k)$ is an evaluation algorithm that, on input $s\in S$ and $k\in {\{0,1\}}^n$, outputs an element in ${\{0,1\}}^n$. If s refers to an injective function, $L_e$ is injective. If s refers to a lossy function, the image size of $L_e$ is, at most, p.

Definition 4.

Required properties of a collection of lossy functions: (i) the index of an injective or lossy function can be efficiently sampled, (ii) the distribution of $L_g(1^{\kappa },0)$ is computationally hard to distinguish from the distribution of $L_g(1^{\kappa },1)$.

2.5.2. ABO Lossy Functions

A collection of all-but-one (ABO) lossy functions (ABO collection) consists of functions that are each equipped with a set of branches [8]. One branch corresponds to a lossy branch, while the rest are injective branches. Let $\mathcal{B}={\left\{B_{\kappa }\right\}}_{\kappa \in \mathbb{N}}$ denote the collection of branches indexed by $\kappa$. Given $\kappa$, define $B:=B_{\kappa }$ with lossy branch $b^{\circ }\in B$. The functions in the ABO collection are indexed by the set S. A $(n,p)$ collection of ABO lossy functions is given by polynomial-time algorithms $(L_{g^{abo}},L_{e^{abo}})$, which are as follows.

• $L_{g^{abo}}(1^{\kappa },b^{\circ })$ is a function index sampling algorithm that, given lossy branch $b^{\circ }\in B$, outputs function index $s=L_{g^{abo}}(1^{\kappa },b^{\circ })\in S$.
• $L_{e^{abo}}(s,b,k)$ is an evaluation algorithm that, on input $s\in S$, branch $b\in B$ and $k\in {\{0,1\}}^n$, outputs an element in ${\{0,1\}}^n$. If $b=b^{\circ }$, its image has size at most p. Otherwise, it is injective.

Definition 5.

Required properties of a collection of ABO lossy functions: (i) given κ, a lossy branch $b^{\circ }\in B$ can be efficiently sampled; (ii) $L_{g^{abo}}$ can efficiently sample s given $b^{\circ }$; (iii) it is computationally difficult to distinguish the distributions of $L_{g^{abo}}(1^{\kappa },b_0^{\circ })$ from $L_{g^{abo}}(1^{\kappa },b_1^{\circ })$ for any $b_0^{\circ }\ne b_1^{\circ }$; and (iv) given s, it is computationally difficult to determine $b^{\circ }$.

2.5.3. $L^M$ Lossy Functions

A collection of $L^M$ lossy functions (or $L^M$ collection for short) generalizes the ABO collection. Each function in the $L^M$ collection is equipped with a set of branches, but there are several possible lossy branches. $L^M$ collections are similar to ABN lossy functions in [26] and ABM lossy functions in [27]. However, they are simpler and can be constructed from a set of ABO collections using Cartesian products. Let $\mathcal{B}={\left\{B_{\kappa }\right\}}_{\kappa \in \mathbb{N}}$ denote the collection of branches indexed by $\kappa$. Define $B:=B_{\kappa }$, with lossy branch set $B^{\circ }\subseteq B$ of size $M=|B^{\circ }|$ and with elements $b^{\circ }\in B^{\circ }$. Define q to be an ordered tuple that corresponds to $B^{\circ }$, i.e., $q=(b_1^{\circ },b_2^{\circ },...,b_M^{\circ })$ and $b_i^{\circ }\in B^{\circ }$ for $i\in \left[M\right]$. The functions in the $L^M$ collection are indexed by the set S. A $(n,p)$ collection of $L^M$ lossy functions is given by the polynomial-time algorithms $(L_{g^M},L_{e^M})$, which are as follows.

• $L_{g^M}(1^{\kappa },q)$ is a function index sampling algorithm that takes as input q corresponding to $B^{\circ }$ and outputs $s\in S$.
• $L_{e^M}(s,b,k)$ is an evaluation algorithm that, on input $s\in S$, branch $b\in B$, and $k\in {\{0,1\}}^n$, outputs an element in ${\{0,1\}}^{nM}$. If $b\in B^{\circ }$, the image size is at most $2^{n(M-1)+log\left(p\right)}$.

Definition 6.

Required properties of a collection of $L^M$ lossy functions: (i) given κ, a lossy branch set $B^{\circ }\subseteq B$ can be efficiently sampled; (ii) $L_{g^M}$ can efficiently sample s, given q corresponding to $B^{\circ }$; (iii) it is computationally difficult to distinguish the distributions of $L_{g^M}(1^{\kappa },q_0)$ from $L_{g^{abo}}(1^{\kappa },q_1)$ for $q_0\ne q_1$; and (iv) given s, it is computationally difficult to generate an element of $B^{\circ }$.

2.6. Pseudorandom Functions

A pseudorandom function $P:R\times M\to Y$, where R is a key space and M is an input data block, is a deterministic algorithm that behaves like a truly random function [2].

Security Notion of a Pseudorandom Function

The security of a pseudorandom function, P, is defined in terms of an attack game between a challenger and an adversary. Given $\kappa$, at the start of the game the challenger draws $a\in \{0,1\}$ and selects a random function, f, from M to Y. The adversary submits a sequence of queries to the challenger, where each query consists of an element $m\in M$. If $a=0$, the challenger draws $r\leftarrow R$ and submits $P(r,m)$ to the adversary. If $a=1$, the challenger submits $f\left(m\right)$ to the adversary. The game ends once the adversary submits a guess $a^{\prime }\in \{0,1\}$ who wins if $a^{\prime }=b$. The advantage of the adversary in this game is defined as $|Pr(a^{\prime }=a)-1/2|$. The pseudorandom function, P, is a secure PRF if the advantage of any polynomial time adversary in this game is negligible in $\kappa$.

2.7. Strongly Unforgeable One-Time Signatures

A strongly unforgeable one-time signature scheme has the strong one-time unforgeability property [8] and is given by the algorithms below.

 Key Generation. 

$F_g\left(1^{\kappa }\right)$. On input $\kappa$, $F_g$ outputs the verification/signing key pair $(v{k}_{\sigma },s{k}_{\sigma })$.

 Signing. 

$F_s(s{k}_{\sigma },x)$: given $s{k}_{\sigma }$ and a plaintext x, outputs a signature $\sigma$.

 Verification. 

$F_v(v{k}_{\sigma },x,\sigma )$: given $v{k}_{\sigma }$, x, and $\sigma$, it outputs 0 if $\sigma \ne F_s(s{k}_{\sigma },x)$ and 1 otherwise.

Security Notion of a Strongly Unforgeable One-Time Signature Scheme

The security of a strongly unforgeable one-time signature scheme is defined in terms of an attack game consisting of a challenger and an adversary, $\mathcal{A}$. Given $\kappa$, at the start of the game, the challenger generates $(v{k}_{\sigma },s{k}_{\sigma })$ and gives $v{k}_{\sigma }$ to adversary $\mathcal{A}$. $\mathcal{A}$ queries a plaintext message, x, to the challenger and the challenger returns $\sigma \leftarrow F_s(s{k}_{\sigma },x)$. $\mathcal{A}$ wins the game if it outputs a distinct message signature pair $(x^{\prime },{\sigma }^{\prime })$ such that $F_v(v{k}_{\sigma },x^{\prime },{\sigma }^{\prime })=1$. A signature scheme is strongly unforgeable one-time secure if no probabilistic polynomial time adversary can win the attack game described with non-negligible probability.

3. Security Notions

For illustration, we first describe randomness reset attacks and secret-key leakage attacks in the context of the ElGamal public-key cryptosystem. Recall that given a group, $\mathbb{G}$, of prime order p, with generator g, the ElGamal cryptosystem draws a secret key, $sk=z\leftarrow {\mathbb{Z}}_p$, and defines the public key as $pk=h=g^z$. A message, $m\in {\mathbb{Z}}_p$, is encrypted as $c=(g^r,h^r{g}^m)$ for a randomly chosen $r\leftarrow {\mathbb{Z}}_p$.

Randomness Reset Attack Example. In a randomness reset attack [16], an adversary can force the cryptosystem to re-use a previous random number. In terms of the ElGamal cryptosystem above, suppose that Alice draws a secret key, $sk=z$, and gives the public key, $pk=h=g^z$, to Bob. Bob now encrypts a message, m, by drawing a random number, $r_0$, and sends the ciphertext $c_0=(g^{r_0},h^{r_0}{g}^m)$ to Alice. In a normal setting, without randomness reset attacks, suppose that Bob wants to send another message, $m_a\in \{m_0,m_1\}$, for $m\ne m_0\ne m_1$, to Alice. To do this in the normal setting Bob draws a fresh random number, $r_1$, and sends the new ciphertext $c_1^{\prime }=(g^{r_1},h^{r_1}{g}^{m_a})$ to Alice. Given that $c_1^{\prime }$ and $c_0$ involve different random numbers, they are computationally indistinguishable for any efficient adversary. In a setting with randomness reset attacks, however, an adversary forces Bob to re-use $r_0$ in encrypting m, i.e., $c_1=(g^{r_0},h^{r_0}{g}^m)$. This arbitrarily breaks the security of the ElGamal cryptosystem. To see this, suppose that some adversary obtained $c_0$ and $c_1$, and let the adversary know, as well, m, $m_0$, and $m_1$. The adversary can compute $c_0/c_1=h^{r_0}{g}^m/h^{r_0}{g}^{m_1}=g^{m-m_a}$. It follows that if $m_a=m_0$, we have $c_0/c_1=g^{m-m_0}$, but if $m_a=m_1$, we have $c_0/c_1=g^{m-m_1}$. The adversary can compute $g^{m-m_0}$ and $g^{m-m_1}$ on its own, given that it knows g, $m_0$, and $m_1$. It follows that, with randomness reset attacks, the ElGamal cryptosystem is not even semantically secure. Relating this scenario to a CCA2 attack game between a challenger and an adversary, a randomness reset attack allows the adversary to perform encryption queries apart from challenge queries. In the example above, the adversary can ask the challenger to encrypt m (encryption query) followed by the encryption of $m_a\in \{m_0,m_1\}$. The adversary can also force the challenger to re-use a previous random number in both encryption and challenge queries. For more details on the power of randomness attacks, in [16], it has been shown that randomness reset attacks may break arbitrary CCA2 cryptosystems that are more complicated than the ElGamal crypstosystem if no additional primitives are applied to secure the randomness.

Constant secret-key leakage attack example. In a secret-key leakage attack, the adversary can obtain bits of the secret key. The secret-key leakage attack in [13] considers the leakage of a constant factor of bits of the secret key, where it should be a percentage of the secret key’s length. The percentage for any public-key cryptosystem should obviously not equal one. Otherwise, the entire secret key is leaked. In terms of the ElGamal cryptosystem, this implies that $sk=z$ is leaked to the adversary, which arbitrarily breaks the cryptosystem. However, in some cryptosystems, such as the Cramer and Shoup CCA2 cryptosystem [3], the allowable amount leakage is even lower—by a factor of $1/2-o\left(1\right)$. This is because the security of the Cramer and Shoup cryptosystem involves jointly using two secret keys, and, if either is leaked, the entire cryptosystem is insecure. Relating this scenario to a CCA2 attack game between a challenger and an adversary, a constant secret-key leakage attack involves leaking some constant number of bits to the adversary through a leakage query.

We now present the attack game corresponding to the security notion of a public-key cryptosystem that is secure against (i) adapative chosen ciphertext attacks, (ii) randomness reset attacks, and (iii) constant secret-key leakage attacks.

Table 1. Attack game with adaptive chosen ciphertext attack, randomness reset, and constant secret-key leakage, where $r\left(\kappa \right)$ is the value of a polynomial in $\kappa$ that represents the combined length of the random numbers used during encryption. The adversary in this game is allowed to perform multiple encryption and challenge queries under different randomness indices. The notation $\mathtt{coins}\left[j\right]$ and $\mathtt{ciphers}\left[j\right]$, for $j\ge 1$, refers to the jth element of $\mathtt{coins}$ and $\mathtt{ciphers}$, respectively.

proc.Initialize($\mathit{\kappa }$) $\mathit{a}\leftarrow \{0,1\}$ $(\mathit{p}\mathit{k},\mathit{s}\mathit{k})\leftarrow \mathcal{G}\left(1^{\mathit{\kappa }}\right)$ $\mathtt{coins}\leftarrow \mathit{\varnothing }$ $\mathtt{ciphers}\leftarrow \mathit{\varnothing }$ return$\mathit{p}\mathit{k}$	proc.Challenge($\mathit{j},{\mathit{m}}_0,{\mathit{m}}_1$) if $|{\mathit{m}}_0|\ne |{\mathit{m}}_1|$ return ⊥ if $\mathtt{coins}\left[\mathit{j}\right]=\perp$ then $\mathtt{coins}\leftarrow {\{0,1\}}^{\mathit{r}\left(\mathit{\kappa }\right)}$ ${\mathit{r}}_{\mathit{j}}\leftarrow \mathtt{coins}\left[\mathit{j}\right]$ $\mathit{c}\leftarrow \mathcal{E}(\mathit{p}\mathit{k},\mathit{m},{\mathit{r}}_{\mathit{j}})$ $\mathtt{ciphers}\leftarrow \mathtt{ciphers}\cup \mathit{c}$ return c
proc.Dec(c) if $c\in \mathtt{ciphers}$ then return ⊥ else return $\mathcal{D}(sk,c)$	proc.Enc($p{k}^{\prime },j,m$) if $\mathtt{coins}\left[j\right]=\perp$ then $\mathtt{coins}\leftarrow {\{0,1\}}^{r\left(\kappa \right)}$ $r_j\leftarrow \mathtt{coins}\left[j\right]$ $c\leftarrow \mathcal{E}(p{k}^{\prime },m,r_j)$ return c
proc.Leak($\lambda \left(\kappa \right)$) return random $\lambda \left(\kappa \right)$ bits of $sk$	proc.Finalize($a^{\prime }$) return ($a=a^{\prime }$)

presents the attack game.

The attack game is initialized by the challenger through Initialize, where he generates the public/secret key pair $(pk,sk)$, and forwards $pk$ to the adversary. The adversary has access to (i) decryption queries Dec, (ii) secret-key leakage queries Leak, (iii) challenge query Challenge, and (iv) encryption queries Enc, which are all described in Table 1. In Table 1, the adversary has access to a set of indices that are mapped to prior random numbers generated during encryption or challenge queries. In any subsequent encryption query or challenge query, the adversary can use any of these indices at will, representing a randomness reset attack. The adversary can ask the challenger in an encryption query to use any public key—this follows [16]. In a leakage query, Leak, the adversary may request up to $\lambda \left(\kappa \right)$ bits of the secret key $sk$. The game ends once the adversary outputs a bit, $a^{\prime }$, through Finalize, who wins if $a^{\prime }=a$. The advantage of the adversary, in this case, is defined as $|Pr(a^{\prime }=a)-1/2|$, and a cryptosystem is secure with respect to the attack game of Table 1 if no polynomial-time adversary has non-negligible advantage.

3.1. Attack Game with Random Oracles

In certain situations, the random oracle heuristic [4] is convenient for simplifying security proofs. A random oracle Φ captures a truly random function and can be incorporated in cryptosystems. Suppose that a random oracle $\Phi :\mathcal{X}\to \mathcal{Y}$ is part of a cryptosystem. The corresponding attack game incorporates additional random oracle queries, whereby, on input $x\in \mathcal{X}$ from the adversary, the challenger returns $y\in \mathcal{Y}$ such that $\Phi \left(x\right)=y$.

3.2. Adversary Constraints

As stated in [11,16], if the adversary can perform a randomness reset attack and has no constraints on encryption/challenge queries, it can trivially win. To prevent this, the adversary is assumed to be equality-pattern-respecting. We provide the definition of an equality-pattern-respecting adversary below, along with the corresponding notion of a non-reversing adversary that will be used in cryptosystem 1.

Definition 7.

Let $\mathcal{A}$ be an adversary in Table 1’s attack game. Let I represent the set of randomness indices mapped to random numbers generated by the challenger during $\mathcal{A}$’s challenge and encryption queries. Let $\mathcal{A}$ perform ${\mathcal{Q}}_e$ encryption queries. Let $\mathcal{A}$ perform ${\mathcal{Q}}_{c,i}$ challenge queries using index $i\in I$. Let $MI$ represent the set of input messages, m, in the encryption queries done by $\mathcal{A}$ using the public key, $p{k}^{*}$, and randomness index, $i\in I$, i.e., $\mathit{E}\mathit{n}\mathit{c}(p{k}^{*},i,m)$. Let $(m_0^{i,1},m_1^{i,1})...(m_0^{i,{\mathcal{Q}}_{c,i}},m_1^{i,{\mathcal{Q}}_{c,i}})$ represent the set of message pairs given in challenge queries using randomness index $i\in I$. For Table 1’s attack-game, we say that $\mathcal{A}$ is equality-pattern-respecting: (1) if we have, for all $i\in I$ and for all $j\ne k\in \left[{\mathcal{Q}}_{c,i}\right]$, $m_0^{i,j}=m_0^{i,k}\mathrm{if}{m}_1^{i,j}=m_1^{i,k}$, and (2) if, for all $i\in \left[{\mathcal{Q}}_e\right]$ and $j\in \left[{\mathcal{Q}}_{c,i}\right]$, we have $m_0^{i,j}\notin MI$ and $m_1^{i,j}\notin MI$.

Definition 8.

Let $\mathcal{A}$ be an adversary in Table 1 attack game that performs ${\mathcal{Q}}_e$ encryption queries and ${\mathcal{Q}}_d$ decryption queries. Let ${\left\{c_i\right\}}_{i\in \left[{\mathcal{Q}}_e\right]}$ denote the set of ciphertext outputs $c_i$ received by $\mathcal{A}$ from the challenger in its encryption queries. Let ${\left\{c_j\right\}}_{j\in \left[{\mathcal{Q}}_d\right]}$ denote the set of ciphertexts $c_j$ submitted by $\mathcal{A}$ for its decryption queries. We say that $\mathcal{A}$ is non-reversing if, for any $c_i^{\prime }\in {\left\{c_i\right\}}_{i\in \left[{\mathcal{Q}}_e\right]}$, we have $c_i^{\prime }\notin {\left\{c_j\right\}}_{j\in \left[{\mathcal{Q}}_d\right]}$ at any point in the game.

4. Comparison of Cryptosystems/Lossy Functions

Given the security notion presented in the previous section, for context, we present a list of various cryptosystems in Table 2 that deal with the related notions of randomness attacks and secret-key leakage attacks. From Table 2, the types of randomness attacks considered in the literature involve linear and polynomial functions of random numbers involved in the encryption process. The same holds for secret-key leakage attacks, where leakage may consist of affine or polynomial functions of bits of the secret key, along with bounded degrees of secret-key tampering. Our proposed cryptosystems are listed in the last two lines of Table 2 and consider joint attacks involving randomness reset and constant secret-key leakage. Similar to the other constructions in Table 2, we propose both a random oracle and standard model of our cryptosystems.

In Table 3, we list several lossy function constructions from the literature. From Table 3, the first lossy function collection is from [8] which uses the DDH assumption. The next lossy function constructions present improvements in terms of the number of lossy function branches or tags that can be sampled efficiently while retaining their amounts of lossiness. In particular, the construction of [27] provides an efficient lossy function that can sample a superpolynomially large number of lossy tags. The construction of [27], however, is quite complicated, since it involves Waters signatures along with chameleon hashing. For the purposes of our cryptosystems, our proposed lossy function collection (the last line of Table 3) is able to sample up to M lossy branches per function index but is compromised by a rather high amount of lossiness, i.e., $2^{n(M-1)+log\left(p\right)}$. Yet, despite this amount of lossiness, the security proof is still held intact, given that the factor $2^{n(M-1)+log\left(p\right)}/2^n$ is still superpolynomial in $\kappa$. In addition, our proposed lossy function collection is simpler to construct—involving only the DDH assumption, along with the Cartesian product operation. In terms of size complexity, we show, in the FIS and LBS columns, the size of the function index and the lossy branch index, respectively, where size is measured in terms of matrix representations. For instance, the function index size of the lossy functions in [8] is $n^2$, which means that the index is a square matrix consisting of n rows and n columns. Our proposed $L^M$ collection has a larger function index size, of $n^{2}M$, and a larger branch size, of $nM$. This is because it relies on the M Cartesian product operation. A concrete instantation of an $L^M$ collection is presented in Section 6.

Table 2. List of CCA2 secure PKE schemes that incorporate either randomness attack or secret-key leakage attack along with their primitives. Scheme models are classified according to random oracle or standard, where standard refers to schemes that do not use random oracles. Our proposed schemes are in the last two lines of the table and incorporate joint randomness reset attack and constant-bit secret-key leakage attack.

Reference	Randomness Attack	Secret-Key Leakage Attack	Model	Primitives/Assumptions
Canetti and Goldwasser [28]	−	−	random oracle	random oracle assumption
Cramer and Shoup [3]	−	−	standard	hash proof system/DDH
Yilek [16]	randomness reset	−	standard	pseudorandom function
Peikert and Waters [8]	−	−	standard	lossy functions/DDH/DCR
Wee [29]	−	linear leakage	standard	BDDH/LWE
Qin and Liu [13]	−	constant leakage	standard	hash proof system + lossy filter/DDH
Bellare et al. [10]	chosen distribution attack	−	random oracle	random oracle assumption
Bellare et al. [10]	chosen distribution attack	−	standard	lossy functions
Paterson et al. [11]	linear/polynomial	−	random oracle	random oracle assumption
Paterson et al. [11]	linear functions	−	standard	pseudorandom function
Paterson et al. [11]	polynomial functions	−	standard	CIS hash functions
Paterson et al. [30]	vector of functions	−	standard	Goldreich-Levin extractor
Boneh et al. [31]	−	affine leakage	random oracle	random oracle assumption
Boneh et al. [31]	−	polynomial leakage	standard	EDBDH
Faonio and Venturi [12]	−	leakage + bounded tampering	standard	hash proof system + lossy filter/RSI
ours	randomness reset	constant leakage	random oracle	random oracle assumption
ours	randomness reset	constant leakage	standard	hash proof system + $L^M$ lossy functions

Table 2. List of CCA2 secure PKE schemes that incorporate either randomness attack or secret-key leakage attack along with their primitives. Scheme models are classified according to random oracle or standard, where standard refers to schemes that do not use random oracles. Our proposed schemes are in the last two lines of the table and incorporate joint randomness reset attack and constant-bit secret-key leakage attack.

Reference	Randomness Attack	Secret-Key Leakage Attack	Model	Primitives/Assumptions
Canetti and Goldwasser [28]	−	−	random oracle	random oracle assumption
Cramer and Shoup [3]	−	−	standard	hash proof system/DDH
Yilek [16]	randomness reset	−	standard	pseudorandom function
Peikert and Waters [8]	−	−	standard	lossy functions/DDH/DCR
Wee [29]	−	linear leakage	standard	BDDH/LWE
Qin and Liu [13]	−	constant leakage	standard	hash proof system + lossy filter/DDH
Bellare et al. [10]	chosen distribution attack	−	random oracle	random oracle assumption
Bellare et al. [10]	chosen distribution attack	−	standard	lossy functions
Paterson et al. [11]	linear/polynomial	−	random oracle	random oracle assumption
Paterson et al. [11]	linear functions	−	standard	pseudorandom function
Paterson et al. [11]	polynomial functions	−	standard	CIS hash functions
Paterson et al. [30]	vector of functions	−	standard	Goldreich-Levin extractor
Boneh et al. [31]	−	affine leakage	random oracle	random oracle assumption
Boneh et al. [31]	−	polynomial leakage	standard	EDBDH
Faonio and Venturi [12]	−	leakage + bounded tampering	standard	hash proof system + lossy filter/RSI
ours	randomness reset	constant leakage	random oracle	random oracle assumption
ours	randomness reset	constant leakage	standard	hash proof system + $L^M$ lossy functions

Table 3. List of lossy function constructions found in the literature. Our proposed $L^M$ construction is shown in the last line of the table, where up to M lossy branches are given for each function index. While the lossiness of our construction is higher than the other schemes, it is simpler to construct and uses only the DDH assumption. ABO: all-but-one lossy functions; ABN: all-but-N lossy functions; ABM: all-but-many lossy functions; LF: lossy function; LB: lossy branch; LT: lossy tag; DS: domain size, LS: lossiness size; FIS: function index size (in terms of matrix representation, where n is the number of rows/columns); LBS: lossy branch index size; DDH: decisional Diffie–Helman; DCR: decisional composite residuousity; QR: quadratic residuousity; CH: chameleon hash.

Reference	Primitive	No. of LF/LB/LT	DS	LS	FIS	LBS	Assumptions
Peikert and Waters [8]	lossy functions	several	$2^n$	$2^{logp}$	$n^2$	n	DDH/DCR (lattice)
Peikert and Waters [8]	ABO lossy functions	1 LB/function	$2^n$	$2^{logp}$	$n^2$	n	DDH
Hemenway et al. [26]	ABN lossy functions	N LB/function	$2^n$	$2^{logp}$	-	-	DDH/DCR/QR
Hofheinz [27]	ABM lossy functions	superpolynomial LT	$2^n$	$2^{logp}$	-	-	Waters sig./CH
Qin and Liu [13]	one-time lossy filter	superpolynomial LT	$2^n$	$2^{logp}$	$n^2$	n	DDH/CH
ours	$L^M$ lossy functions	M LB/function	$2^{nM}$	$2^{n(M-1)+log\left(p\right)}$	$n^{2}M$	$nM$	DDH

Table 3. List of lossy function constructions found in the literature. Our proposed $L^M$ construction is shown in the last line of the table, where up to M lossy branches are given for each function index. While the lossiness of our construction is higher than the other schemes, it is simpler to construct and uses only the DDH assumption. ABO: all-but-one lossy functions; ABN: all-but-N lossy functions; ABM: all-but-many lossy functions; LF: lossy function; LB: lossy branch; LT: lossy tag; DS: domain size, LS: lossiness size; FIS: function index size (in terms of matrix representation, where n is the number of rows/columns); LBS: lossy branch index size; DDH: decisional Diffie–Helman; DCR: decisional composite residuousity; QR: quadratic residuousity; CH: chameleon hash.

Reference	Primitive	No. of LF/LB/LT	DS	LS	FIS	LBS	Assumptions
Peikert and Waters [8]	lossy functions	several	$2^n$	$2^{logp}$	$n^2$	n	DDH/DCR (lattice)
Peikert and Waters [8]	ABO lossy functions	1 LB/function	$2^n$	$2^{logp}$	$n^2$	n	DDH
Hemenway et al. [26]	ABN lossy functions	N LB/function	$2^n$	$2^{logp}$	-	-	DDH/DCR/QR
Hofheinz [27]	ABM lossy functions	superpolynomial LT	$2^n$	$2^{logp}$	-	-	Waters sig./CH
Qin and Liu [13]	one-time lossy filter	superpolynomial LT	$2^n$	$2^{logp}$	$n^2$	n	DDH/CH
ours	$L^M$ lossy functions	M LB/function	$2^{nM}$	$2^{n(M-1)+log\left(p\right)}$	$n^{2}M$	$nM$	DDH

5. Proposed Cryptosystems

5.1. Cryptosystem 1

In this section, we present our first cryptosystem that is secure against the attack game of Table 1. It uses several primitives, such as hash proof systems, randomness extractors, and pseudorandom functions, along with a random oracle $\Phi$. Using a random oracle assumption simplifies the security proof and usually serves as the starting point in cryptosystem design, as done in [10]. However, as mentioned, the random oracle assumption is rather strong. In addition, this cryptosystem is limited to facing non-reversing adversaries who cannot submit prior-encrypted ciphertexts for decryption. We overcome the non-reversing limitation in the next cryptosystem—which also does away with the random oracle requirement.

5.2. Cryptosystem 1 Requirements

Let ${\mathcal{Q}}_e$, ${\mathcal{Q}}_d$, and ${\mathcal{Q}}_c$ denote the bounds in the number of encryption, decryption and challenge queries respectively. The requirements of cryptosystem 1 are as follows.

• An ${ϵ}_1$-universal hash proof system H for some ${ϵ}_1>0$ given by $(H_g,H_{pub},H_{priv})$. The ciphertext domain of H is C, with $V\subseteq C$ as its valid subset. $S{K}_H$ and $P{K}_H$ denote the secret-key space and public-key space of H, with elements $s{k}_H\in S{K}_H$ and $p{k}_H\in P{K}_H$. The space W of the witnesses of H is set to R. The encapsulated key space of H is K, with elements $k\in K$. $H_{pub}$ is set as $H_{pub}:P{K}_H\times C\times R\to K$, and $H_{priv}:S{K}_H\times C\to K$. The projective function is ${\Lambda }_{s{k}_H}:C\to K$, with associated projection function $\mu :S{K}_H\to P{K}_H$.
• A $(n,p)$ ABO collection given by $(L_{g^{abo}},L_{e^{abo}})$. The set of branches is B with elements $b\in B$, and lossy branch $b^{\circ }\in B$. Functions are indexed by S, and $L_{e^{abo}}:S\times B\times K\to {\{0,1\}}^n$
• E is a $((\nu -\lambda -({\mathcal{Q}}_c+{\mathcal{Q}}_e)\left(l\right))/{\mathcal{Q}}_c,{ϵ}_2)$ average-case strong-randomness extractor
• A secure pseudorandom function $P:R\times M\to R$
• A strongly unforgeable one-time signature scheme given by $(F_g,F_s,F_v)$. $S{K}_{\sigma }$ and $V{K}_{\sigma }$ denote the spaces of signature and verification keys, with elements $s{k}_{\sigma }\in S{K}_{\sigma }$ and $v{k}_{\sigma }\in V{K}_{\sigma }$, and where the domain of $F_s$ is $C\times {\{0,1\}}^l$, and the domain of $V{K}_{\sigma }$ is equal to B.
• Elements of $K,R,C,S{K}_H,P{K}_H,S,B$ have length n. Elements of M have length l.
• The values of $\nu$, l, and $\lambda$ are such that $\lambda \le \nu -\lambda -({\mathcal{Q}}_c+{\mathcal{Q}}_e)\left(l\right)-\alpha (log\kappa )$ for some $\alpha \ge 0$.
• n and p satisfy $p<2^{\sqrt{n}}$.
• The polynomial in $\kappa$ whose value is n is superpolynomial with respect to ${\mathcal{Q}}_e$, ${\mathcal{Q}}_d$, and ${\mathcal{Q}}_c$.

5.3. Cryptosystem 1

 Key Generation. 

$\mathcal{G}\left(1^{\kappa }\right)$ first runs $H_g\left(1^{\kappa }\right)$ to obtain $s{k}_H\in S{K}_H$ and ${\Lambda }_{s{k}_H}$ with $\mu$. It computes $p{k}_H=\mu \left(s{k}_H\right)\in P{K}_H$. The output is a public/secret key pair $(pk,sk)$, where $pk=p{k}_H$ and $sk=s{k}_H$.

 Encryption. 

$\mathcal{E}(pk,m)$: on input $pk=p{k}_H$ and message $m\in M$, let $\Phi :K\to {\{0,1\}}^n$ denote a random oracle. It performs the following:

• It samples $r_1^{\prime }\leftarrow R$ then computes $r_1=P(r_1^{\prime },m)$. It sets $\omega =r_1$. Using $\omega$, it chooses $c_H\in V$
• It samples $r_2^{\prime }\leftarrow R$, then computes $r_2^{″}=r_2^{\prime }\oplus p{k}_H$, followed by $r_2=P(r_2^{″},m)\in R$.
• Using $r_2$, it computes $k=H_{pub}(p{k}_H,c_H,\omega )$ and $\Psi =E(k,r_2)\oplus m$
• It samples $(v{k}_{\sigma },s{k}_{\sigma })\leftarrow F_g\left(1^{\kappa }\right)$ and computes $\sigma =F_s(s{k}_{\sigma },(c_H,r_2,\Psi ))$
• It computes $\Pi =\Phi \left(k\right)$
• It returns ciphertext $c=(\sigma ,c_H,r_2,v{k}_{\sigma },\Psi ,\Pi )$

 Decryption. 

$\mathcal{D}(sk,c)$: on input $sk=s{k}_H$ and $c=(\sigma ,c_H,r,v{k}_{\sigma },\Psi ,\Pi )$, performs the following:

• The algorithm checks if $F_v(v{k}_{\sigma },(c_H,r_2,\Psi ),\sigma )=1$. If not, it outputs ⊥.
• It computes $k^{\prime }=H_{priv}(s{k}_H,c_h)$
• It computes ${\Pi }^{\prime }=\Phi \left(k^{\prime }\right)$
• It checks if $\Pi ={\Pi }^{\prime }$. If not, it outputs ⊥
• It returns the plaintext message $m=\Psi \oplus E(k^{\prime },r)$.

For cryptosystem 1, we note that the role of P is to generate fresh random numbers $r_1$ and $r_2$ using the joint entropy of the message m and old random numbers $r_1^{\prime }$ and $r_2^{\prime }$ (due to reset attacks). It follows that $r_1$ and $r_2$ serve as the actual randomness input to $H_{pub}$ and E, respectively. To show correctness of the cryptosystem, given m and $pk$, $\mathcal{E}$ first computes $r_1$ and $r_2$ followed by $k\leftarrow H_{pub}(p{k}_H,c_H,r_1=\omega )$, $\Psi =E(k,r_2)\oplus m$, and $\Pi =\Phi \left(k\right)$. Let $c=(\sigma ,C_H,r_2,v{k}_{\sigma },\Psi ,\Pi )$ be the corresponding ciphertext where $v{k}_{\sigma }$ is jointly sampled with $s{k}_{\sigma }$ under $F_g$, and $\sigma$ is derived using $F_s$ as shown above. If this c were given to $\mathcal{D}$, it follows that $F_v(v{k}_{\sigma },(c_H,r_2,\Psi ),\sigma )=1$ given that $\sigma =F_s(s{k}_{\sigma },(c_H,r_2,\Psi ))$ and the signature scheme $(F_g,F_s,F_v)$ satisfies the correctness property. Having passed this first check, $\mathcal{D}$ computes $k^{\prime }=H_{priv}(s{k}_H,c_H)$ and we have $k^{\prime }=k$, given that $H_{priv}$ uses the same $c_H$ from encryption and $s{k}_H$ is paired with $p{k}_H$ using $H_g$. Given that $(H_g,H_{pub},H_{priv})$ satisfies the correctness property, it follows that $k^{\prime }=k$ as claimed. Given that $k^{\prime }=k$, we have ${\Pi }^{\prime }=\Pi$ under $\Phi$ given that $\Phi$ is a function, thereby passing the second check. Finally, with $k^{\prime }=k$, we have $m=\Psi \oplus E(k^{\prime },r_2)=\Psi \oplus E(k,r_2)$, and the original message m is recovered.

5.4. Security Results for Cryptosystem 1

Theorem 1.

Let $\Phi :K\to {\{0,1\}}^n$ be a random oracle and let $(\mathcal{G},\mathcal{E},\mathcal{D})$ denote cryptosystem 1. For any non-reversing, equality-respecting, polynomial-time adversary that makes (a) at most ${\mathcal{Q}}_c$ challenge queries under multiple randomness indices, (b) at most ${\mathcal{Q}}_e$ encryption queries under multiple randomness indices, and (c) at most ${\mathcal{Q}}_d$ decryption queries, and following the attack game of Table 1, then cryptosystem 1 is secure against (i) adaptive chosen ciphertext attack, (ii) λ bits of secret-key leakage, and (iii) randomness reset attacks.

 Game 0. 

This game implements the original cryptosystem with no modifications. The following attack game incorporates random oracle $\Phi$ queries in the attack game of Table 1. $\Phi$ is modelled using an associative array, $\mathtt{map}$, which follows the faithful/forgetful gnome method [2]. The notation $\mathtt{map}\left[j\right]$ for $j\ge 1$ refers to the jth element of $\mathtt{map}$.

• proc.Initialize($\kappa$)
  • $(pk,sk)\leftarrow \mathcal{G}\left(1^{\kappa }\right)$
  • initialize empty associative array $\mathtt{map}:K\to {\{0,1\}}^n$
  • initialize empty arrays $\mathtt{coins}$ and $\mathtt{ciphers}$
  • send $pk$ to adversary
• proc.Enc($p{k}^{\prime },j,m$)
  • if $\mathtt{coins}\left[j\right]=\perp$ then randomly sample $(r_1^{\prime },r_2^{\prime },v{k}_{\sigma },s{k}_{\sigma })$ and set $\mathtt{coins}\left[j\right]=(r_1^{\prime },r_2^{\prime },v{k}_{\sigma },s{k}_{\sigma })$
  • compute $c\leftarrow \mathcal{E}(p{k}^{\prime },m)$ with line 5 modified as:

    -

    if $\mathtt{map}\left[k\right]=\perp$ then $\zeta \leftarrow {\{0,1\}}^n$ and set $\mathtt{map}\left[k\right]=\zeta$. Set $\Pi =\mathtt{map}\left[k\right]$

  • return c
• proc.Challenge($j,m_0,m_1$)
  • if $|m_0|\ne |m_1|$ return ⊥
  • if $\mathtt{coins}\left[j\right]=\perp$ then randomly sample $(r_1^{\prime },r_2^{\prime },v{k}_{\sigma },s{k}_{\sigma })$ and set $\mathtt{coins}\left[j\right]=(r_1^{\prime },r_2^{\prime },v{k}_{\sigma },s{k}_{\sigma })$
  • compute $c^{*}\leftarrow \mathcal{E}(pk,m)$ with the line 5 modified as:

    -

    if $\mathtt{map}\left[k\right]=\perp$ then $\zeta \leftarrow {\{0,1\}}^n$ and set $\mathtt{map}\left[k\right]=\zeta$. Set $\Pi =\mathtt{map}\left[k\right]$

  • $\mathtt{ciphers}\leftarrow \mathtt{ciphers}\cup c^{*}$
  • return $c^{*}$
• proc.Dec(c)
  • if $c\in \mathtt{ciphers}$, return ⊥
  • compute $m=\mathcal{D}(sk,c)$ with line 3 modified as:

    -

    if $\mathtt{map}\left(k^{\prime }\right)=\perp$, then $\zeta \leftarrow {\{0,1\}}^n$ and set $\mathtt{map}\left[k^{\prime }\right]=\zeta$. Set ${\Pi }^{\prime }=\mathtt{map}\left[k^{\prime }\right]$

  • return m
• proc.Leak($\lambda \left(\kappa \right)$)
  • return $\lambda \left(\kappa \right)$ bits of $sk$
• proc.Oracle(k)
  • if $\mathtt{map}\left(k\right)=\perp$, then $\zeta \leftarrow {\{0,1\}}^n$ and set $\mathtt{map}\left[k\right]=\zeta$
  • return $\mathtt{map}\left[k\right]$

The adversary can perform any number of encryption queries under different randomness indices in $\mathtt{coins}$. Prior to making any challenge query, the adversary can request $\lambda$ bits of the secret key. At any point in the game, the adversary can perform a decryption query under the non-reversing condition.

 Game 1. 

This game is similar to Game 0, except that $(r_1,r_2)$ are drawn randomly, instead of being computed using the pseudorandom function P in $\mathcal{E}$.

 Game 2. 

This game is similar to Game 1, except that once the adversary submits a ciphertext $c=(\sigma ,c_H,r,v{k}_{\sigma },\Psi ,\Pi )$ for decryption such that $v{k}_{\sigma }\in c^{\prime }$ for some $c^{\prime }\in \mathtt{ciphers}$, the challenger returns ⊥.

 Game 3. 

This game is similar to Game 2, except that $\Pi$ is sampled randomly in $\mathcal{E}$ instead of being queried using $\Phi$.

 Game 4. 

This game is similar to Game 3, except that the challenger computes $k=H_{priv}(s{k}_H,c_H)$ instead of $H_{pub}$ in $\mathcal{E}$.

 Game 5. 

This game is similar to Game 4, except that $c_H$ is sampled from $C\backslash V$ instead of V in $\mathcal{E}$.

 Game 6. 

This game is similar to Game 5, except that if the adversary submits a ciphertext $c=(\sigma ,c_H,r,v{k}_{\sigma },\Psi ,\Pi )$ for decryption such that $c_H\in C\backslash V$, the challenger returns ⊥.

 Game 7. 

This game is similar to Game 6, except that the challenger draws $\Psi$ uniformly at random from ${\{0,1\}}^l$ instead of computing $\Psi =E(k,r)\oplus m$ in $\mathcal{E}$

Proposition 1.

Game 0 and Game 1 are computationally indistinguishable, given the security of the pseudorandom function P.

Proof. 

To prove this claim, we define hybrid experiments, $H_0,H_1,H_2$, where $H_0$ emulates the challenger in Game 0, $H_1$ samples $r_1$ randomly, and $H_2$ samples both $r_1$ and $r_2$ randomly. We have to show show that for any $i\in \{0,1\}$, experiments $H_i$ and $H_{i+1}$ are computationally indistinguishable.

Suppose that some adversary can efficiently distinguish between $H_i$ and $H_{i+1}$ for $i\in \{0,1\}$. Using this adversary, we construct a simulator that breaks the security of P. The simulator has access to an oracle that, on input m, returns a number, y, where we either have $y=P(r,m)$ for some random number r, or y is sampled using a truly random function. For $i\in \{0,1,2\}$, the simulator emulates the challenger in Game 0 perfectly in the initialization phase and draws $a\in \{0,1\}$. If $i=0$, the simulator does not modify anything from the challenger in Game 0. For $H_0$, $H_1$, $H_2$, the simulator knows $sk$ and it can answer decryption and secret-key leakage queries. In encryption queries with input $(p{k}^{\prime },m)$, if $i=1$, the simulator sends m to its oracle and receives y, where we either have $y=P(r_1^{\prime },m)$ or y is sampled randomly. It sets $r_1=y$ and proceeds with the rest, as before. If $i=2$, it samples $r_1$ randomly and sends m to its oracle. It receives y where we either have $y=P(r_2^{\prime }\oplus p{k}_H^{\prime },m)$ or y is sample randomly. It sets $r_2=y$.

In challenge queries, the input is a message pair, $(m_1,m_2)$. If $i=1$, the simulator sends $(m_1,m_2)$ to its oracle and receives y, where either have $y=P(r_1^{\prime },m_a)$ or y is sampled randomly. If $i=2$, the simulator samples $r_1$ randomly and sends $(m_1,m_2)$ to its oracle. It receives y, where we either have $y=P(r_2^{\prime }\oplus p{k}_H,m_a)$ or y is sample randomly. When the adversary submits a guess $a^{\prime }\in \{0,1\}$, the simulator outputs 1 if $a=a^{\prime }$ and 0 otherwise. The probability that the oracle computes y using P and the simulator outputs 1 is equal to the advantage of the simulator in distinguishing between outputs of P and randomly sampled numbers. In turn, the simulator’s advantage is equal to the probability that the adversary outputs $a^{\prime }$ such that $a^{\prime }=a$ less 1/2. However, due to the pseudo-randomness of P, no efficient adversary is able to output $a^{\prime }$ such that $a=a^{\prime }$ with non-negligible probability. Hence, the simulator’s advantage is likewise negligible. By construction, experiment $H_0$ perfectly simulates Game 0, while experiment $H_2$ perfectly simulates Game 1. The proposition thus follows. □

Proposition 2.

Game 1 and Game 2 are computationally indistinguishable, given the strong one-time existential unforgeability of the signature scheme.

Proof. 

Games 1 and 2 behave the same, except when the adversary submits a ciphertext query $c=(\sigma ,c_H,r,v{k}_{\sigma },\Psi ,\Pi )$, such that $F_v(v{k}_{\sigma },(c_H,\Psi ),\sigma )=1$ and $v{k}_{\sigma }\in c^{\prime }$ for some $c^{\prime }\in \mathtt{ciphers}$ but $c\ne c^{\prime }$. We construct a simulator that attacks the security of the signature scheme as follows. The simulator emulates Game 2 against an adversary. The simulator has access to an oracle that provides it with a verification key $v{k}_{\sigma }$ upon request. Since the simulator does not know $s{k}_{\sigma }$, it can query the oracle for a signature, where on input $(c_H,r,\Psi )$, the oracle returns $\sigma$ computed using the hidden $s{k}_{\sigma }$ associated with the latest $v{k}_{\sigma }$ provided to the simulator. The simulator emulates the challenger in every aspect of the initialization phase of Game 1, but requests for a preliminary $v{k}_{\sigma }^0$. Since the simulator knows $sk$, it can answer any decryption query and secret leakage query. Moreover, prior to any challenge or encryption query, for any decryption query with input $c=(\sigma ,c_H,r,v{k}_{\sigma },\Psi ,\Pi )$, the simulator checks if $v{k}_{\sigma }=v{k}_{\sigma }^0$ and if $F_v(v{k}_{\sigma },(c_H,r,\Psi ),\sigma )=1$. If this condition is met, the simulator outputs $((c_H,r,\Psi ),\sigma )$ as a forgery and terminates the simulation. If this event does not occur and the simulator encounters the first challenge or encryption query, the simulator uses $v{k}_{\sigma }^0$ as the verification key and queries the oracle for $\sigma$. Subsequent challenge or encryption queries require the simulator to ask the oracle for a fresh $v{k}_{\sigma }$ as well as for $\sigma$. Once it receives another decryption query with input $c=(\sigma ,c_H,r,v{k}_{\sigma },\Psi ,\Pi )$, it checks if $v{k}_{\sigma }=v{k}_{\sigma }^{\prime }$ with $v{k}_{\sigma }^{\prime }\in c^{\prime }$ for some $c^{\prime }\in \mathtt{ciphers}$. If this is true for some $c^{\prime }$, it checks if $\sigma \notin c^{\prime }$ and $(c_H,r,\Psi )\notin c^{\prime }$ and $F_v(v{k}_{\sigma },(c_H,r,\Psi ),\sigma )=1$. If this is true as well, the simulator outputs $((c_H,r,\Psi ),\sigma )$ and terminates the simulation. By construction, the simulator emulates Game 2 perfectly against the adversary, and the advantage of the simulator in coming up with a forgery is equal to the probability that the adversary queries a ciphertext that meets the conditions mentioned. However, because the signature scheme is strongly one-time unforgeable, no efficient adversary can query such a ciphertext with non-negligible probability. It follows that the probability whereby the simulator outputs a valid forgery is negligible. Thus, with large probability, the ciphertexts that involve $v{k}_{\sigma }=v{k}_{\sigma }^{\prime }$ with $v{k}_{\sigma }^{\prime }\in c^{\prime }$ for some $c^{\prime }\in \mathtt{ciphers}$, and which meet the check requirements for decryption are not forgeries and are equal to some prior challenge ciphertext. However, no challenge ciphertexts can be valid for decryption as of Game 0. □

Proposition 3.

Game 2 and Game 3 are computationally indistinguishable, given that Φ is a random oracle.

Proof. 

We note that due to the non-reversing nature of the adversary, no ciphertext outputs of prior encryption or challenge queries can be submitted for decryption. It follows that in Game 3, the adversary cannot use decryption to check if $\Pi$ is randomly drawn or not. Thus, the only event where Games 2 and 3 differ is when the adversary performs an oracle query in Game 3 on some input k, where k is computed under line 3 of $\mathcal{E}$ in some prior encryption or challenge query, and is associated with some randomly drawn ${\Pi }^{\prime }$ such that $\Phi \left(k\right)=\mathtt{map}\left[k\right]\ne {\Pi }^{\prime }$ in Game 2. The probability that this event occurs is $({\mathcal{Q}}_c+{\mathcal{Q}}_e)/\left|K\right|$. Since $\left|K\right|=2^n$, this probability is negligible. □

Proposition 4.

Game 3 and Game 4 are perfectly equivalent.

Proof. 

The claim readily follows, since the change from computing k using $H_{pub}$ to computing k using $H_{priv}$ and is merely conceptual. □

Proposition 5.

Game 4 and Game 5 are computationally indistinguishable, given the hardness of the underlying subset membership problem in the hash proof system.

Proof. 

To prove this claim, we define two experiments, $H_0$ and $H_1$. $H_0$ and $H_1$ behave the same, except that $H_0$ samples $c_H$ from V, while $H_1$ samples $c_H$ from $C\backslash V$. Suppose that some adversary can distinguish $H_0$ and $H_1$ with non-negligible probability. Using this adversary, we construct a simulator that can break the hardness of the underlying subset membership problem of hash proof system H. The simulator has access to an oracle that, on input $p{k}_H$, provides it with $c_H$, where we either have $c_H\in V$, or $c_H\in C\backslash V$. At initialization, the simulator emulates the challenger of Game 4 in all aspects. In encryption queries with input $(p{k}^{\prime },m)$ the simulator forwards $p{k}_H^{\prime }\in pk$ to its oracle and receives $c_H$. In challenge queries, the simulator forwards $p{k}_H$ to its oracle and receives $c_H^{*}$. In both challenge and encryption queries, it does not compute for $c_H$ using $H_{pub}$. Since the simulator knows $sk$, the simulator can answer any decryption or secret-key leakage queries. Once the adversary submits a guess $a^{\prime }\in \{0,1\}$, the simulator outputs 1 if $a^{\prime }=a$. It follows that the advantage of the simulator in distinguishing $c_H\in V$ from $c_H\in C\backslash V$ is equal to the probability that the adversary outputs $a^{\prime }$ such that $a^{\prime }=a$. However, given the underlying subset membership problem of hash proof system H is hard, the probability that $a^{\prime }=a$ is negligible. It follows that the simulator’s advantage is likewise negligible. Experiment $H_0$ emulates Game 4, while $H_1$ emulates Game 5, thereby proving the proposition. □

Proposition 6.

Game 5 and Game 6 are computationally indistinguishable, given the ${ϵ}_1$-universal hash proof system.

Proof. 

Define Z to be the event that some ciphertext $c=(\sigma ,c_H,r,v{k}_{\sigma },\Psi ,\Pi )$ with $c_H\in C\backslash V$, is accepted for a decryption query in Game 5, but is rejected in Game 6. Games 5 and 6 proceed identically until Z occurs. We claim the following.

$$Pr\left(Z\right)\le \frac{{\mathcal{Q}}_d{2}^{\lambda +({\mathcal{Q}}_c+{\mathcal{Q}}_e)\left(l\right)}}{2^{\nu }-{\mathcal{Q}}_d}$$

(1)

Let $c=(\sigma ,c_H,r,v{k}_{\sigma },\Psi ,\Pi )$ be a decryption query input that triggers Z. In encryption, $c_H$ serves as input to ${\Lambda }_{s{k}_H}$. From the adversary’s point of view, ${\Lambda }_{s{k}_H}$ is dependent on the set of challenge ciphertexts ${\left\{c_j^{*}\right\}}_{j\in \left[{\mathcal{Q}}_c\right]}$ where $c_j^{*}=({\sigma }_j^{*},c_{H,j}^{*},r_j^{*},v{k}_{\sigma ,j}^{*},{\Psi }_j^{*},{\Pi }_j^{*})$ and on the set of encryption query outputs ${\left\{c_i\right\}}_{i\in \left[{\mathcal{Q}}_e\right]}$, where $c_i=({\sigma }_i,c_{H,i},r_i,v{k}_{\sigma ,i},{\Psi }_i,{\Pi }_i)$. For $j\in \left[{\mathcal{Q}}_c\right]$, ${\sigma }_j^{*}$ do not provide additional information on ${\Lambda }_{s{k}_H}$ since it is a function of $(c_j^{*},{\Psi }_j^{*},v{k}_{\sigma ,j}^{*})$. The same applies to ${\sigma }_i$ for $i\in \left[{\mathcal{Q}}_e\right]$. The sets of verification keys ${\left\{v{k}_{\sigma ,j}^{*}\right\}}_{j\in \left[{\mathcal{Q}}_c\right]}$ and ${\left\{v{k}_i^{*}\right\}}_{i\in \left[{\mathcal{Q}}_e\right]}$ do not provide additional information on ${\Lambda }_{s{k}_H}$ since they are sampled independently. Likewise, ${\left\{{\Pi }_j^{*}\right\}}_{j\in \left[{\mathcal{Q}}_c\right]}$ and ${\left\{{\Pi }_i\right\}}_{i\in \left[{\mathcal{Q}}_e\right]}$ do not provide additional information since they are randomly sampled as of Game 5. It follows that only ${\{c_{H,j}^{*},{\Psi }_j^{*}\}}_{j\in \left[{\mathcal{Q}}_c\right]}$ and ${\{c_{H,i},{\Psi }_i\}}_{i\in \left[{\mathcal{Q}}_e\right]}$ provide information on ${\Lambda }_{s{k}_H}$. Given that for all $j\in \left[{\mathcal{Q}}_c\right]$, ${\Psi }_j^{*}$ has $2^l$ possible values and for all $i\in \left[{\mathcal{Q}}_e\right]$, ${\Psi }_i$ has $2^l$ possible values, we have the following using Lemma 1.

$$\begin{array}{cc}\hfill & {\tilde{\Gamma }}_{\infty }\left({\Lambda }_{s{k}_H}\left(c_H\right)\right|(p{k}_H,c_H,\lambda ,{\left\{c_j^{*}\right\}}_{j\in \left[{\mathcal{Q}}_c\right]},{\left\{c_i\right\}}_{i\in \left[{\mathcal{Q}}_e\right]}))\hfill \\ \hfill & \ge {\tilde{\Gamma }}_{\infty }\left({\Lambda }_{s{k}_H}\left(c_H\right)\right|(p{k}_H,c_H,\lambda ))-{\mathcal{Q}}_e\left(l\right)-{\mathcal{Q}}_c\left(l\right)\hfill \end{array}$$

Applying Lemma 1 to the secret-key leakage $\lambda$, the above reduces to:

$$\begin{array}{cc}\hfill & {\tilde{\Gamma }}_{\infty }\left({\Lambda }_{s{k}_H}\left(c_H\right)\right|(p{k}_H,c_H,\lambda ,{\left\{c_j^{*}\right\}}_{j\in \left[{\mathcal{Q}}_c\right]},{\left\{c_i\right\}}_{i\in \left[{\mathcal{Q}}_e\right]}))\hfill \\ \hfill & \ge {\tilde{\Gamma }}_{\infty }\left({\Lambda }_{s{k}_H}\left(c_H\right)\right|(p{k}_H,c_H))-\lambda -({\mathcal{Q}}_c+{\mathcal{Q}}_e)\left(l\right)\hfill \end{array}$$

Using the fact that H is an ${ϵ}_1$-universal hash proof system we have:

$${\Gamma }_{\infty }\left({\Lambda }_{s{k}_H}\left(c_H\right)\right|p{k}_H,c_H)\ge \nu =log(1/{ϵ}_1)$$

In addition, we can assume that $k={\Lambda }_{s{k}_H}\left(c_H\right)$ has not been queried to the oracle, since the event that k is queried is taken into consideration in Proposition 3. It follows that, from the adversary’s point of view, the mapping of $\Pi$ to k is injective. Since injective mappings preserve average min-entropies, we have:

$${\tilde{\Gamma }}_{\infty }(\Pi |(p{k}_H,c_H,\lambda ,{\left\{c_j^{*}\right\}}_{j\in \left[{\mathcal{Q}}_c\right]},{\left\{c_i\right\}}_{i\in \left[{\mathcal{Q}}_e\right]}))\ge \nu -\lambda -({\mathcal{Q}}_c+{\mathcal{Q}}_e)\left(l\right)$$

Taking the logarithm of both sides and multiplying by $-1$, the probability that Z occurs is at most ${\mathcal{Q}}_d{2}^{\lambda +({\mathcal{Q}}_c+{\mathcal{Q}}_e)\left(l\right)}/2^{\nu }$. Assuming that up to ${\mathcal{Q}}_d$ decryption queries are not rejected, the adversary can rule out up to ${\mathcal{Q}}_d$ values of $k\in K$ (i.e., outputs of ${\Lambda }_{s{k}_H}$). Combining these, we have Equation (1) which represents an upper bound on the probability of Z. This probability is negligible given that $\lambda \le \nu -\lambda -({\mathcal{Q}}_c+{\mathcal{Q}}_e)\left(l\right)-\alpha (log\kappa )$ under the assumptions. This proves the proposition. □

Proposition 7.

Game 6 and Game 7 are computationally indistinguishable, given that E is a $((\nu -\lambda -({\mathcal{Q}}_c+{\mathcal{Q}}_e)\left(l\right))/{\mathcal{Q}}_c,{ϵ}_2)$ average case strong randomness extractor.

Proof. 

By Game 6, all ciphertexts with an invalid $c_H$ component are explicitly rejected for decryption. Given any challenge ciphertext $c_j^{*}=({\sigma }_j^{*},c_{H,j}^{*},r_j^{*},v{k}_{\sigma ,j}^{*},{\Psi }_j^{*},{\Pi }_j^{*})$ for $j\in {\mathcal{Q}}_c$, the adversary cannot learn any additional information on ${\Lambda }_{s{k}_H}\left(c_{H,j}^{*}\right)$ aside from those provided by $pk$, ${\Psi }_j^{*}$, the secret-key leakage $\lambda$, and outputs of up to ${\mathcal{Q}}_e$ encryption queries: ${\left\{c_i\right\}}_{i\in \left[{\mathcal{Q}}_e\right]}$ and ${\mathcal{Q}}_c$ challenge queries: ${\left\{c_j^{*}\right\}}_{j\in \left[{\mathcal{Q}}_c\right]}$. Let ${\Psi }_i\in c_i$ and ${\Psi }_j^{*}\in c_j^{*}$. Both ${\Psi }_i$ and ${\Psi }_j^{*}$ have $2^l$ possible values for $i\in \left[{\mathcal{Q}}_e\right]$ and $j\in \left[{\mathcal{Q}}_c\right]$. Denote by $v_{\mathcal{A}}$ the information from the point of view of the adversary, i.e., $v_{\mathcal{A}}=(p{k}_H,{\left\{{\Psi }_j^{*}\right\}}_{j\in \left[{\mathcal{Q}}_c\right]},{\left\{{\Psi }_i\right\}}_{i\in \left[{\mathcal{Q}}_e\right]},\lambda )$. Under the assumptions of the cryptosystem, for all $p{k}_H$ and $c_{H,j}^{*}\in C\backslash V$, we have ${\tilde{\Gamma }}_{\infty }\left({\Lambda }_{s{k}_H}\left(c_{H,j}^{*}\right)\right|(p{k}_H,c_{H,j}^{*}))\ge \nu$. Combining these, we apply Lemma 1, and have the following result for each $j\in {\mathcal{Q}}_c$.

$$\begin{array}{cc}\hfill {\tilde{\Gamma }}_{\infty }\left({\Lambda }_{s{k}_H}\left(c_{H,j}^{*}\right)\right|v_{\mathcal{A}})& \ge {\tilde{\Gamma }}_{\infty }\left({\Lambda }_{s{k}_H}\left(c_{H,j}^{*}\right)\right|(p{k}_H,c_{H,j}^{*}))-\lambda -({\mathcal{Q}}_c+{\mathcal{Q}}_e)\left(l\right)\hfill \\ \hfill & \ge \nu -\lambda -({\mathcal{Q}}_c+{\mathcal{Q}}_e)\left(l\right)\hfill \end{array}$$

Given that extractor E is a $((\nu -\lambda -({\mathcal{Q}}_c+{\mathcal{Q}}_e)\left(l\right))/{\mathcal{Q}}_c,{ϵ}_2)$ average case strong randomness extractor, the value of $E\left({\Lambda }_{s{k}_H}\left(c_{H,j}^{*}\right)\right)$ is ${ϵ}_2$ close to uniform from the point of view of the adversary. The claim thus follows. Combining all these claims prove the stated theorem as well. □

5.5. Cryptosystem 2

The rationale for constructing cryptosystem 2 over cryptosystem 1 is to do away with the non-reversing property of the adversary along with the need for random oracles. Cryptosystem 2 uses an $L^M$ collection of lossy functions. The idea behind an $L^M$ collection is that the system can sample up to M lossy branches. Having several lossy branches is useful given that, in a cryptosystem that uses lossy function primitives, the branch is published in the ciphertext.

5.6. Cryptosystem 2 Requirements

Let ${\mathcal{Q}}_e$, ${\mathcal{Q}}_d$, and ${\mathcal{Q}}_c$ denote the bounds in the number of encryption, decryption, and challenge queries, respectively. Define $\theta :=n(M-1)+log\left(p\right)$. Define $M:={\mathcal{Q}}_e+{\mathcal{Q}}_c$. All requirements of cryptosystem 2 are the same as cryptosystem 1, except for 2, 3, 6, and 7 which are, now, as follows.

2.

An $(n,p)$$L^M$ lossy function collection given by $(L_{g^M},L_{e^M})$ with function index set S, branch set B, set of lossy branches $B^{\circ }\subseteq B$, and lossy branch $b^{\circ }\in B^{\circ }$, and where $L_{e^M}:S\times B\times K\to {\{0,1\}}^{nM}$.

3.

E is a $((\nu -\lambda -\left(({\mathcal{Q}}_c+{\mathcal{Q}}_e)(\theta +l)\right)/{\mathcal{Q}}_c),{ϵ}_2)$ average-case strong-randomness extractor

6.

Elements of $K,R,C,S{K}_H,P{K}_H$ have length n. Elements of M have length l. Elements of S have length $n^{2}M$.

7.

$\nu$, l, $\lambda$, and p are such that $\lambda \le \nu -\lambda -\left(({\mathcal{Q}}_c+{\mathcal{Q}}_e)(\theta +l)\right)-\alpha (log\left(\kappa \right))$ for some constant $\alpha \ge 0$.

5.7. Cryptosystem 2

 Key Generation. 

$\mathcal{G}\left(1^{\kappa }\right)$ first runs $H_g\left(1^{\kappa }\right)$ to obtain $s{k}_H\in S{K}_H$, and ${\Lambda }_{s{k}_H}$ with $\mu$. It computes $p{k}_H=\mu \left(s{k}_H\right)\in P{K}_H$. It defines $q:=(0_1^n,0_2^n,..,0_M^n)$ and generates $s\leftarrow L_{g^{abo}}(1^{\kappa },q)$. The output is a public/secret key pair $(pk,sk)$, where $pk=(p{k}_H,s)$ and $sk=s{k}_H$ along with q.

 Encryption. 

$\mathcal{E}(pk,m)$: on input $pk=(p{k}_H,s)$ and message $m\in M$, performs the following:

• It samples $r_1^{\prime }\leftarrow R$, then computes $r_1=P(r_1^{\prime },m)$ and sets $\omega =r_1$. Using $p{k}_H$ and $\omega$, it chooses $c_H\in V$.
• It samples $r_2^{\prime }\leftarrow R$, then computes $r_2^{″}=r_2^{\prime }\oplus p{k}_H$, followed by $r_2=P(r_2^{\prime \prime },m)\in R$. Using $r_2$, it computes $k=H_{pub}(p{k}_H,c_H,\omega )$ and $\Psi =E(k,r_2)\oplus m$.
• It generates $(v{k}_{\sigma },s{k}_{\sigma })\leftarrow F_g\left(1^{\kappa }\right)$. It defines $b=v{k}_{\sigma }$, and computes $\sigma =F_s(s{k}_{\sigma },(c_H,r_2,\Psi ))$.
• It computes $\Pi =L_{e^M}(s,b,k)$.
• It returns ciphertext $c=(\sigma ,c_H,r_2,b,\Psi ,\Pi )$

 Decryption. 

$\mathcal{D}(sk,c)$: on input $sk=s{k}_H$ and $c=(\sigma ,c_H,r,b,\Psi ,\Pi )$, performs the following:

• The algorithm checks if $F_v(b,(c_H,r_2,\Psi ),\sigma )=1$. If not, it outputs ⊥
• It computes $k^{\prime }=H_{priv}(s{k}_H,c_h)$ and ${\Pi }^{\prime }=L_{e^M}(s,b,k^{\prime })$
• It checks if $\Pi ={\Pi }^{\prime }$. If not, it outputs ⊥
• It returns the plaintext message $m=\Psi \oplus E(k^{\prime },r)$

For cryptosystem 2, the role of P is to generate fresh random numbers, $r_1$ and $r_2$, using the joint entropy of the message m and old random numbers $r_1^{\prime }$ and $r_2^{\prime }$ (due to reset attacks). Similar to cryptosystem 1, $r_1$ and $r_2$ serve as the actual randomness input to $H_{pub}$ and E, respectively. To show correctness of the cryptosystem, given m and $pk$, $\mathcal{E}$ first computes $r_1$ and $r_2$ followed by $k\leftarrow H_{pub}(p{k}_H,c_H,r_1=\omega )$, $\Psi =E(k,r_2)\oplus m$, and $\Pi =L_{e^M}(s,b,k)$, where s is part of $pk$ and b is equal to $v{k}_{\sigma }$. Let $c=(\sigma ,C_H,r_2,b,\Psi ,\Pi )$ be the corresponding ciphertext where $b=v{k}_{\sigma }$ is jointly sampled with $s{k}_{\sigma }$ under $F_g$ and $\sigma$ is derived using $F_s$ as shown above. If this c were given to $\mathcal{D}$, it follows that $F_v(b,(c_H,r_2,\Psi ),\sigma )=1$ given that $b=v{k}_{\sigma }$, $\sigma =F_s(s{k}_{\sigma },(c_H,r_2,\Psi ))$ and the signature scheme $(F_g,F_s,F_v)$ satisfies the correctness property. Having passed this first check, $\mathcal{D}$ computes $k^{\prime }=H_{priv}(s{k}_H,c_H)$ and we have $k^{\prime }=k$ given that $H_{priv}$ uses the same $c_H$ from encryption and $s{k}_H$ is paired with $p{k}_H$ using $H_g$. Given that $(H_g,H_{pub},H_{priv})$ satisfies the correctness property of a hash proof system, we have $k^{\prime }=k$ as claimed. Given that $k^{\prime }=k$, we have ${\Pi }^{\prime }=\Pi$ under $L_{e^M}$, given that s and b are the same as those is used in $\mathcal{E}$ and $L_{e^M}$ is a function—thereby passing the second check. Finally, with $k^{\prime }=k$, we have $m=\Psi \oplus E(k^{\prime },r_2)=\Psi \oplus E(k,r_2)$, and the original message m is recovered.

5.8. Security Results for Cryptosystem 2 Scheme

Theorem 2.

Let $(\mathcal{G},\mathcal{E},\mathcal{D})$ denote cryptosystem 2. For any equality-respecting, polynomial-time adversary that makes (a) at most ${\mathcal{Q}}_c$ challenge queries under multiple randomness indices, (b) at most ${\mathcal{Q}}_e$ encryption queries under multiple randomness indices, and (c) at most ${\mathcal{Q}}_d$ decryption queries, and following the attack game of Table 1, then cryptosystem 2 is secure against (i) adaptive chosen ciphertext attack, (ii) λ bits of secret-key leakage, and (iii) randomness reset attacks.

Denote the challenge ciphertext as $c_j^{*}=({\sigma }_j^{*},c_{j,H}^{*},r_j^{*},b_j^{*},{\Psi }_j^{*},{\Pi }_j^{*})$ for $j\in \left[{\mathcal{Q}}_c\right]$.

 Game 0. 

This game implements the original cryptosystem with no modifications.

• proc.Initialize($\kappa$)
  • $(pk,sk,q)\leftarrow \mathcal{G}\left(1^{\kappa }\right)$
  • initialize empty arrays $\mathtt{coins}$ and $\mathtt{ciphers}$
  • initialize empty associative arrays ${\mathtt{keys}}_e$ and ${\mathtt{keys}}_c$
  • for $i\in \left[{\mathcal{Q}}_e\right]$ sample $(v{k}_{\sigma ,i},s{k}_{\sigma ,i})\leftarrow F_g(1^{\kappa },q)$ and set ${\mathtt{keys}}_e={\mathtt{keys}}_e\cup (v{k}_{\sigma ,i},s{k}_{\sigma ,i})$
  • for $j\in \left[{\mathcal{Q}}_c\right]$ sample $(v{k}_{\sigma ,j}^{*},s{k}_{\sigma ,j}^{*})\leftarrow F_g(1^{\kappa },q)$ and set ${\mathtt{keys}}_c={\mathtt{keys}}_c\cup (v{k}_{\sigma ,j}^{*},s{k}_{\sigma ,j}^{*})$
  • send $pk$ to adversary
• proc.Enc($p{k}^{\prime },j,m$)
  • if $\mathtt{coins}\left[j\right]=\perp$ then randomly sample $(r_1^{\prime },r_2^{\prime },v{k}_{\sigma },s{k}_{\sigma })$ and set $\mathtt{coins}\left[j\right]=(r_1^{\prime },r_2^{\prime },v{k}_{\sigma },s{k}_{\sigma })$
  • compute $c\leftarrow \mathcal{E}(p{k}^{\prime },m)$
  • return c
• proc.Challenge($j,m_0,m_1$)
  • if $|m_0|\ne |m_1|$ return ⊥
  • if $\mathtt{coins}\left[j\right]=\perp$ then randomly sample $(r_1^{\prime },r_2^{\prime },v{k}_{\sigma },s{k}_{\sigma })$ and set $\mathtt{coins}\left[j\right]=(r_1^{\prime },r_2^{\prime },v{k}_{\sigma },s{k}_{\sigma })$
  • compute $c^{*}\leftarrow \mathcal{E}(pk,m)$
  • $\mathtt{ciphers}\leftarrow \mathtt{ciphers}\cup c^{*}$
  • return $c^{*}$
• proc.Dec(c)
  • if $c\in \mathtt{ciphers}$, return ⊥
  • compute $m=\mathcal{D}(sk,c)$
  • return m
• proc.Leak($\lambda \left(\kappa \right)$)
  • return $\lambda \left(\kappa \right)$ bits of $sk$

 Game 1. 

This game is similar to Game 0, except that in $\mathcal{E}$, the challenger samples $r_1,r_2$ randomly.

 Game 2. 

This game is similar to Game 1, except that once the adversary submits a ciphertext $c=(\sigma ,c_H,r,b,\Psi ,\Pi )$ for decryption such that $b=v{k}_{\sigma }^{*}$ and $v{k}_{\sigma }^{*}\in c^{\prime }$ for some $c^{\prime }\in \mathtt{ciphers}$, the challenger automatically returns ⊥.

 Game 3. 

This game is similar to Game 2, except in encryption query i for $i\in \left[{\mathcal{Q}}_e\right]$, on input $(p{k}^{\prime },j,m)$ from the adversary such that $\mathtt{coins}\left[j\right]=\perp$, instead of sampling a fresh verification/signing key pair $(v{k}_{\sigma },s{k}_{\sigma })\leftarrow F_g(1^{\kappa },q)$, it sets the verification/signing key pair as $(v{k}_{\sigma ,i},s{k}_{\sigma ,i})\in {\mathtt{keys}}_e$ from the initialization phase.

 Game 4. 

This game is similar to Game 3, except in challenge query j for all $j\in \left[{\mathcal{Q}}_c\right]$, on input $(j^{\prime },m_0,m_1)$ from the adversary such that $\mathtt{coins}\left[j^{\prime }\right]=\perp$, instead of sampling a fresh verification/signing key pair $(v{k}_{\sigma }^{*},s{k}_{\sigma }^{*})\leftarrow F_g(1^{\kappa },q)$, it sets the verification/signing key pair as $(v{k}_{\sigma ,j}^{*},s{k}_{\sigma ,j}^{*})\in {\mathtt{keys}}_e$ from the initialization phase.

 Game 5. 

This game is similar to Game 4, except that during initialization, it defines $q:=(v{k}_{\sigma ,1},v{k}_{\sigma ,2},...,v{k}_{\sigma ,{\mathcal{Q}}_e},v{k}_{\sigma ,1}^{*},v{k}_{\sigma ,2}^{*},...,v{k}_{\sigma ,{\mathcal{Q}}_c}^{*})$ instead of $q:=(0_1^n,0_2^n,...,0_M^n)$.

 Game 6. 

This game is similar to Game 5, except that in $\mathcal{E}$, the challenger computes $k=H_{priv}(s{k}_H,c_H)$ instead of using $H_{pub}$.

 Game 7. 

This game is similar to Game 6, except that in encryption queries or challenge queries, $c_H$ is sampled from $C\backslash V$ instead of V.

 Game 8. 

This game is similar to Game 7, except that if the adversary submits a ciphertext $c=(\sigma ,c_H,r,b,\Psi ,\Pi )$ for decryption such that $c_H\in C\backslash V$, the challenger returns ⊥.

 Game 9. 

This game is similar to Game 8, except that in $\mathcal{E}$, the challenger draws $\Psi$ uniformly at random from ${\{0,1\}}^l$ instead of computing $\Psi =E(k,r)\oplus m$.

Proposition 8.

Game 0 and Game 1 are computationally indistinguishable, given the security of the pseudorandom function P.

Proof. 

The proof for this proposition is similar to the proof for Proposition 1. □

Proposition 9.

Game 1 and Game 2 are computationally indistinguishable, given the strong one-time existential unforgeability of the signature scheme.

Proof. 

The proof for this proposition is similar to the proof for Proposition 2 since $b=v{k}_{\sigma }$ in $\mathcal{E}$. □

Proposition 10.

Games 2 and 3 are perfectly equivalent.

Proof. 

We note that the only difference in Games 2 and 3 is that, in Game 3, the verification/signature keys used in encryption queries are drawn from the initialization phase instead of being sampled on the fly. This does not affect any other part of the computation. □

Proposition 11.

Games 3 and 4 are perfectly equivalent.

Proof. 

We note that the only difference in Games 3 and 4 is that, in Game 4, the verification/signature keys used in challenge queries are drawn from the initialization phase instead of being sampled on the fly. This does not affect any other part of the computation. □

Proposition 12.

Game 4 and 5 are indistinguishable given that two candidate lossy branch sets of the $L^M$ collection are computationally indistinguishable.

Proof. 

To prove this proposition, we two experiments A and B. Experiment A is a sequence of sub-experiments $H_1,...,H_{{\mathcal{Q}}_e+1}$. Experiment B is a sequence of sub-experiments $H_1^{\prime },...,H_{{\mathcal{Q}}_c+1}$. For all sub-experiments in A and B, assume a fixed ${\mathtt{keys}}_e$ and ${\mathtt{keys}}_c$.

For experiment A, sub-experiment $H_1$ emulates the challenger of Game 4 perfectly. Given $i^{\prime }\in \left[{\mathcal{Q}}_{e+1}\right]$, sub-experiment $H_{i^{\prime }}$ defines q as $q:=(v{k}_{\sigma ,1},v{k}_{\sigma ,2},...,v{k}_{\sigma ,i^{\prime }-1},0_{i^{\prime }}^n,...,0_M^n)$ in the initialization phase and computes $s\leftarrow L_g(1^{\kappa },q)$, where for $i\in \left[{\mathcal{Q}}_e\right]$, we have $v{k}_{\sigma ,i}\in (v{k}_{\sigma ,i},s{k}_{\sigma ,i})$ such that $(v{k}_{\sigma ,i},s{k}_{\sigma ,i})\in {\mathtt{keys}}_e$. Suppose that there exists an efficient adversary that can distinguish between $H_{i^{\prime }}$ and $H_{i^{\prime }+1}$. Using this adversary, we construct a simulator that can distinguish between two candidate lossy branch sets of the $L^M$ collection. The simulator has access to an oracle that, on input $(q_0,q_1)$, provides it with the function index s, where s can either be $s\leftarrow L_g(1^{\kappa },q_0)$ or $s\leftarrow L_g(1^{\kappa },q_1)$. At initialization, given $i^{\prime }\in \left[{\mathcal{Q}}_e\right]$, the simulator constructs $q_0=(v{k}_{\sigma ,1},v{k}_{\sigma ,2},...,v{k}_{\sigma ,i^{\prime }-1},0_{i^{\prime }}^n,...,0_M^n)$ and $q_1=(v{k}_{\sigma ,1},v{k}_{\sigma ,2},...,v{k}_{\sigma ,i^{\prime }-1},v{k}_{\sigma ,i^{\prime }},0_{i^{\prime }+1}^n...,0_M^n)$. It forwards $(q_0,q_1)$ to its oracle and receives function index s. Using s, it constructs $pk$ and $sk$, draws $a\in \{0,1\}$, then forwards $pk$ to the adversary. Since the simulator knows $pk$, it can answer encryption and challenge queries. Since it knows $sk$, it can answer decryption and secret-key leakage queries. Once the adversary outputs a guess $a^{\prime }$, the simulator outputs 1 if $a^{\prime }=a$. The advantage of the simulator in distinguishing between two candidate lossy branch sets of the $L^M$ collection is equivalent to the probability that the adversary outputs $a^{\prime }$ such that $a^{\prime }=a$ less 1/2. However, given that it is computationally difficult to distinguish between two lossy branch sets in an $L^M$ collection, no efficient adversary can output $a^{\prime }$ such that $a^{\prime }=a$ with non-negligible probability. It follows that the advantage of the simulator is likewise negligible. By construction, if the oracle computes $s\leftarrow L_g(1^{\kappa },q_0)$, the simulator is performing sub-experiment $H_{i^{\prime }}$. If the oracle computes $s\leftarrow L_g(1^{\kappa },q_1)$, the simulator is performing sub-experiment $H_{i^{\prime }+1}$ for any $i^{\prime }\in \left[{\mathcal{Q}}_e\right]$.

For experiment B, sub-experiment $H_1^{\prime }$ emulates sub-experiment $H_{{\mathcal{Q}}_e+1}$ of experiment A perfectly. Given $j^{\prime }\in \left[{\mathcal{Q}}_c\right]$, sub-experiment $H_{j^{\prime }}$ defines q as:

$$q=(v{k}_{\sigma ,1},v{k}_{\sigma ,2},...,v{k}_{{\mathcal{Q}}_e},v{k}_{\sigma ,1}^{*},v{k}_{\sigma ,2}^{*},...,v{k}_{\sigma ,i^{\prime }+j^{\prime }-1}^{*},0_{i^{\prime }+j^{\prime }}^n,...,0_M^n)$$

in the initialization phase and computes $s\leftarrow L_g(1^{\kappa },q)$, where for $j\in \left[{\mathcal{Q}}_c\right]$, we have $v{k}_{\sigma ,j}^{*}\in (v{k}_{\sigma ,j}^{*},s{k}_{\sigma ,j}^{*})$ such that $(v{k}_{\sigma ,j}^{*},s{k}_{\sigma ,j}^{*})\in {\mathtt{keys}}_c$, and where for $i\in \left[{\mathcal{Q}}_e\right]$, we have $v{k}_{\sigma ,i}\in (v{k}_{\sigma ,i},s{k}_{\sigma ,i})$ such that $(v{k}_{\sigma ,i},s{k}_{\sigma ,i})\in {\mathtt{keys}}_e$. Suppose that there exists an efficient adversary that can distinguish between $H_{j^{\prime }}$ and $H_{j^{\prime }+1}$. Using this adversary, we construct a simulator that can distinguish between two candidate lossy branch sets of the $L^M$ collection. The simulator has access to an oracle that, on input $(q_0,q_1)$, provides it with function index s, where s can either be $s\leftarrow L_g(1^{\kappa },q_0)$ or $s\leftarrow L_g(1^{\kappa },q_0)$. At initialization, given $j^{\prime }\in \left[{\mathcal{Q}}_c\right]$, the simulator constructs $(q_0,q_1)$ as follows

$$\begin{array}{cc}\hfill q_0& =(v{k}_{\sigma ,1},v{k}_{\sigma ,2},...,v{k}_{{\mathcal{Q}}_e},v{k}_{\sigma ,1}^{*},v{k}_{\sigma ,2}^{*},...,v{k}_{\sigma ,{\mathcal{Q}}_e+j^{\prime }-1}^{*},0_{{\mathcal{Q}}_e+j^{\prime }}^n,...,0_M^n)\hfill \\ \hfill q_1& =(v{k}_{\sigma ,1},v{k}_{\sigma ,2},...,v{k}_{{\mathcal{Q}}_e},v{k}_{\sigma ,1}^{*},v{k}_{\sigma ,2}^{*},...,v{k}_{\sigma ,{\mathcal{Q}}_e+j^{\prime }-1}^{*},v{k}_{\sigma ,{\mathcal{Q}}_e+j^{\prime }}^{*},0_{{\mathcal{Q}}_e+j^{\prime }+1}^n...,0_M^n)\hfill \end{array}$$

It forwards $(q_0,q_1)$ to its oracle and receives function index s. Using s, it constructs $pk$ and $sk$, draws $a\in \{0,1\}$, then forwards $pk$ to the adversary. Since the simulator knows $pk$, it can answer encryption and challenge queries. Since it knows $sk$, it can answer decryption and secret-key leakage queries. Once the adversary outputs a guess $a^{\prime }$, the simulator outputs 1 if $a^{\prime }=a$. The advantage of the simulator in distinguishing between two candidate lossy branch sets of the $L^M$ collection is equivalent to the probability that the adversary outputs $a^{\prime }$ such that $a^{\prime }=a$ less 1/2. However, given that it is computationally difficult to distinguish between two lossy branch sets in an $L^M$ collection, no efficient adversary can output $a^{\prime }$ such that $a^{\prime }=a$ with non-negligible probability. It follows that the advantage of the simulator is likewise negligible. By construction, if the oracle computes $s\leftarrow L_g(1^{\kappa },q_0)$, the simulator is performing sub-experiment $H_{j^{\prime }}$. If the oracle computes $s\leftarrow L_g(1^{\kappa },q_1)$, the simulator is performing sub-experiment $H_{j^{\prime }+1}$ for any $j^{\prime }\in \left[{\mathcal{Q}}_c\right]$.

Combining the above, we have that sub-experiment $H_1$ of experiment A perfectly simulates Game 4. Sub-experiment $H_1^{\prime }$ of experiment B perfectly simulates sub-experiment $H_{{\mathcal{Q}}_e+1}$ of experiment A. Sub-experiment $H_{{\mathcal{Q}}_c+1}^{\prime }$ of experiment B perfectly simulates Game 5. Since all sub-experiments in A and B are pairwise indistinguishable, the proposition thus follows. □

Proposition 13.

Games 5 and 6 are perfectly equivalent.

Proof. 

The proof for this proposition is similar to the proof for Proposition 4. □

Proposition 14.

Games 6 and 7 are indistinguishable given the hardness of the underlying subset membership problem in H.

Proof. 

The proof for this proposition is similar to the proof for Proposition 5. □

Proposition 15.

Game 7 and Game 8 are computationally indistinguishable, given (i) the lossy property of the $L^M$ collection, (ii) the computational hardness of determining lossy branches for the $L^M$ collection, and (iii) the ${ϵ}_1$-universal property of H.

Proof. 

Define Z to be the event that some ciphertext $c=(\sigma ,c_H,r,b,\Psi ,\Pi )$ with $c_H\in C\backslash V$, is accepted for a decryption query in Game 7, but is rejected in Game 8. It follows that Game 7 and Game 8 proceed identically until Z occurs. Given at most ${\mathcal{Q}}_d$ decryption queries, ${\mathcal{Q}}_e$ encryption queries, and ${\mathcal{Q}}_c$ challenge queries, we claim the following.

$$Pr\left(Z\right)\le Pr\left(Z_1\right)+Pr\left(Z_2\right)\le {\mathcal{Q}}_d\Theta +{\mathcal{Q}}_d\gamma$$

(2)

where $\gamma$ represents the probability of some adversary generating a lossy branch for the $L^M$ collection and $\Theta =\left(2^{\lambda +{\mathcal{Q}}_c(\theta +l)+{\mathcal{Q}}_e(\theta +l)}\right)/(2^{\nu }-{\mathcal{Q}}_d)$, with $\theta :=n(M-1)+log\left(p\right)$ and $\nu =log(1/{ϵ}_1)$. We first prove the equation for ${\mathcal{Q}}_d\Theta$. ${\mathcal{Q}}_d\Theta$ represents the event $Z_1$ that c is accepted for decryption, and where $b\in c$ is an injective branch with $c_h\in C\backslash V$. Let $c=(\sigma ,c_H,r,b,\Psi ,\Pi )$ be a decryption query input that triggers $Z_1$. In encryption, $c_H$ serves as input to ${\Lambda }_{s{k}_H}$. From the adversary’s point of view, ${\Lambda }_{s{k}_H}$ is dependent on $p{k}_H$, $c_H$, $\lambda$, the set ${\left\{c_i\right\}}_{i\in \left[{\mathcal{Q}}_e\right]}$ of encryption query outputs and the set ${\left\{c_j^{*}\right\}}_{j\in \left[{\mathcal{Q}}_c\right]}$ of challenge ciphertexts. For $i\in \left[{\mathcal{Q}}_e\right]$ and $j\in \left[{\mathcal{Q}}_c\right]$, the signatures ${\sigma }_i\in c_i$ and ${\sigma }_j^{*}\in c_j^{*}$ do not provide additional information on ${\Lambda }_{s{k}_H}$, since they are functions of $(c_{H,i},{\Psi }_i,b_i)$ and $(c_{H,j}^{*},{\Psi }_j^{*},b_j^{*})$, respectively. For $i\in \left[{\mathcal{Q}}_e\right]$ and $j\in \left[{\mathcal{Q}}_c\right]$, the branches $b_i$ and $b_j^{*}$ likewise do not provide additional information as they are independently sampled. Using results of Lemma 1, we prove the following:

$$\begin{array}{cc}\hfill & {\tilde{\Gamma }}_{\infty }\left({\Lambda }_{s{k}_H}\left(c_H\right)\right|(p{k}_H,c_H,\Lambda ,{\left\{c_i\right\}}_{i\in \left[{\mathcal{Q}}_e\right]},{\left\{c_j^{*}\right\}}_{j\in \left[{\mathcal{Q}}_c\right]}))\hfill \\ \hfill & \ge {\tilde{\Gamma }}_{\infty }\left({\Lambda }_{s{k}_H}\left(c_H\right)\right|(pk,c_H,{\left\{c_i\right\}}_{i\in \left[{\mathcal{Q}}_e\right]},{\left\{c_j^{*}\right\}}_{j\in \left[{\mathcal{Q}}_c\right]}))-\lambda \hfill \\ \hfill & \ge {\tilde{\Gamma }}_{\infty }\left({\Lambda }_{s{k}_H}\left(c_H\right)\right|(pk,c_H,{\left\{c_i\right\}}_{i\in \left[{\mathcal{Q}}_e\right]}))-\lambda -{\mathcal{Q}}_c\theta -{\mathcal{Q}}_{c}l\hfill \\ \hfill & \ge {\tilde{\Gamma }}_{\infty }\left({\Lambda }_{s{k}_H}\left(c_H\right)\right|(pk,c_H))-\lambda -{\mathcal{Q}}_c\theta -{\mathcal{Q}}_{c}l-{\mathcal{Q}}_e\theta -{\mathcal{Q}}_{e}l\hfill \\ \hfill & \ge \nu -\lambda -{\mathcal{Q}}_c(\theta +l)-{\mathcal{Q}}_e(\theta +l)\hfill \end{array}$$

The first inequality applies Lemma 1. For the second inequality, given challenge ciphertext $c_j^{*}=({\sigma }_j^{*},c_{H,j}^{*},r_j^{*},b_j^{*},{\Psi }_j^{*},{\Pi }_j^{*})$ for $j\in \left[{\mathcal{Q}}_c\right]$, information on $s{k}_H$ is provided by $c_{H,j}^{*}$, ${\Psi }_j^{*}$ and ${\Pi }_j^{*}$ as shown above. Given that ${\Psi }_j^{*}$ has $2^l$ possible values, and ${\Pi }_j^{*}$ has $2^{log\left(p\right)}=p$ possible values, the second inequality follows by applying Lemma 1. For the third inequality, given any encryption query output $c_i=({\sigma }_i,c_{H,i},r_i,b_i,{\Psi }_i,{\Pi }_i)$ for $i\in \left[{\mathcal{Q}}_e\right]$, information on $s{k}_H$ is covered by $c_{H,i}$, ${\Psi }_i$ and ${\Pi }_i$ as shown above, where ${\Psi }_i$ has $2^l$ possible values, while ${\Pi }_i$ has $2^{log\left(p\right)}=p$ possible values. Given that the total number of encryption queries is ${\mathcal{Q}}_e$, the third inequality follows from Lemma 1. For the last inequality, for all $p{k}_H$ and $c_H\in C\backslash V$, we have ${\Gamma }_{\infty }\left({\Lambda }_{s{k}_H}\left(c_H\right)\right|(p{k}_H,c_H))\ge \nu =log(1/{ϵ}_1)$, under the assumption that H is an ${ϵ}_1$-universal hash proof system.

Using the above set of inequalities, we note that $\Pi =L_{e^M}(s,b,k)$ with $k={\Lambda }_{s{k}_H}\left(c_H\right)$. Starting with Game 2, all ciphertexts for decryption involve injective branches. Injective functions preserve the min-entropy of its input, and we have ${\tilde{\Gamma }}_{\infty }\left(L_{e^{abo}}(s,b,{\Lambda }_{s{k}_H}\left(c_H\right))\right|v_{\mathcal{A}})\ge \nu$, where $v_{\mathcal{A}}=(p{k}_H,c_H,\Lambda ,{\left\{c_i\right\}}_{i\in \left[{\mathcal{Q}}_e\right]},{\left\{c_j^{*}\right\}}_{j\in \left[{\mathcal{Q}}_c\right]})$. Using the fact that H is an ${ϵ}_1$-universal hash proof system we have ${\Gamma }_{\infty }\left({\Lambda }_{s{k}_H}\left(c_H\right)\right|(p{k}_H,c_H))\ge \nu =log(1/{ϵ}_1)$. We then have:

$${\tilde{\Gamma }}_{\infty }\left(L_{e^M}(s,b,{\Lambda }_{s{k}_H}\left(c_H\right))\right|v_{\mathcal{A}})\ge \nu -\lambda -{\mathcal{Q}}_c(\theta +l)-{\mathcal{Q}}_e(\theta +l)$$

Taking the logarithm of both sides and multiplying by $-1$, the probability that $Z_1$ occurs is at most ${\mathcal{Q}}_d{2}^{\lambda +({\mathcal{Q}}_e+{\mathcal{Q}}_c)(\theta +l)}/2^{\nu }$. Assuming that up to ${\mathcal{Q}}_d$ decryption queries are not rejected, the adversary can rule out up to ${\mathcal{Q}}_d$ values of $k\in K$ (i.e., outputs of ${\Lambda }_{s{k}_H}$). Combining these, we have:

$$Pr\left(Z_1\right)\le {\mathcal{Q}}_d\frac{2^{\lambda +({\mathcal{Q}}_e+{\mathcal{Q}}_c)(\theta +l)}}{2^{\nu }-{\mathcal{Q}}_d}={\mathcal{Q}}_d\Theta$$

$Pr\left(Z_1\right)$ is negligible given that $\lambda \le \nu -\lambda -({\mathcal{Q}}_e+{\mathcal{Q}}_c)(\theta +l)-\alpha (log\kappa )$ by assumption. We now state the proof for the second element ${\mathcal{Q}}_d\gamma$ at the right hand side of Equation (2). ${\mathcal{Q}}_d\gamma$ accounts for the event $Z_2$ that an adversary submits c for decryption such that $b\in c$ is a new lossy branch, i.e., $b\notin c_i$ for any prior encryption query output $c_i$ and $b\notin c_j^{*}$ for any $c_j^{*}\in \mathtt{ciphers}$. Suppose that $Z_2$ occurs under some efficient adversary. Using this adversary, we construct a simulator that can efficiently generate a lossy branch for $L^M$. The simulator has access to an oracle that provides it with a function index s, but the oracle does not disclose the corresponding set of lossy branches. In encryption query i for $i\in \left[{\mathcal{Q}}_e\right]$, the oracle provides the simulator with a signing/verification key pair $(s{k}_{i,\sigma },v{k}_{i,\sigma })$ such that $v{k}_{i,\sigma }$ is equal to a lossy branch in $L^M$. The same is done by the oracle for challenge queries. At initialization, the simulator completely emulates the challenger in Game 10, but requests its oracle for s. Since the simulator knows $p{k}_H$, s, $\mathtt{coins}$, and can request its oracle for signing and verification keys, it can answer any encryption or challenge query. Since the simulator knows $sk$, it can answer secret-key leakage queries and decryption queries. The simulator keeps a list of all the ciphertext inputs it received for a decryption query. At the end of the game, the simulator randomly picks $i\in \left[{\mathcal{Q}}_d\right]$ and outputs the branch $b_i$ of the ith decryption query ciphertext input. Suppose that with probability $\gamma$, the adversary is able to query a ciphertext for decryption such that its branch is lossy. The probability that the simulator outputs a lossy branch for $L^M$ is then $\gamma /{\mathcal{Q}}_d$. However, given that it is computationally difficult to generate a lossy branch for $L^M$, $\gamma$ is negligible. It follows that ${\mathcal{Q}}_d\gamma$ in Equation (2) or $Pr\left(Z_2\right)$ is also negligible. Combining all these facts the proposition follows. □

Proposition 16.

Game 8 and Game 9 are computationally indistinguishable, given that E is a $((\nu -\lambda -\left(({\mathcal{Q}}_c+{\mathcal{Q}}_e)(\theta +l)\right)/{\mathcal{Q}}_c),{ϵ}_2)$ average case strong randomness extractor.

Proof. 

By Game 8, all ciphertexts with an invalid $c_H$ component are explicitly rejected for decryption. Denote challenge ciphertext $c_j^{*}$ as $c_j^{*}=({\sigma }_j^{*},c_{H,}^{*},r_j^{*},b_j^{*},{\Psi }_j^{*},{\Pi }_j^{*})$ for $j\in {\mathcal{Q}}_c$. Denote an encryption query output as $c_i$ as $c_i=({\sigma }_i,c^{H,i},r_i,b_i,{\Psi }_i,{\Pi }_i)$ for $i\in {\mathcal{Q}}_e$. For each $c_j^{*}$, the adversary cannot learn any information on ${\Lambda }_{s{k}_H}\left(c_{H,j}^{*}\right)$ aside from those provided by $p{k}_H$, ${\Pi }_j^{*}$ and ${\Psi }_j^{*}$, $\lambda$, encryption query outputs ${\left\{c_i\right\}}_{i\in \left[{\mathcal{Q}}_e\right]}$ and challenge ciphertexts ${\left\{c_j^{*}\right\}}_{j\in \left[{\mathcal{Q}}_j\right]}$. Both ${\Psi }_j^{*}$ and ${\Psi }_i$ have $2^l$ possible values for $i\in \left[{\mathcal{Q}}_e\right]$ and $j\in \left[{\mathcal{Q}}_c\right]$. ${\Pi }_j^{*}$ has $2^{log\left(p\right)}=p$ possible values, and ${\Pi }_i$ has $2^{log\left(p\right)}=p$ possible values for $i\in \left[{\mathcal{Q}}_e\right]$ and $j\in \left[{\mathcal{Q}}_c\right]$. Under the assumptions of the cryptosystem, for all $p{k}_H$ and $c_{H,j}^{*}\in \mathcal{C}\backslash \mathcal{V}$, we have ${\tilde{\Gamma }}_{\infty }\left({\Lambda }_{s{k}_H}\left(c_{H,j}^{*}\right)\right|(p{k}_H,c_{J,j}^{*}))\ge \nu$. Combining these, we apply Lemma 1, and have the following result for each $j\in \left[{\mathcal{Q}}_c\right]$.

$$\begin{array}{cc}\hfill & {\tilde{\Gamma }}_{\infty }\left({\Lambda }_{s{k}_H}\left(c_{H,j}^{*}\right)\right|(p{k}_H,c_j^{*}))\hfill \\ \hfill & \ge {\tilde{\Gamma }}_{\infty }\left({\Lambda }_{s{k}_H}\left(c_{H,j}^{*}\right)\right|(p{k}_H,c_{H,j}^{*},\lambda ,{\left\{{\Psi }_j^{*}\right\}}_{j\in \left[{\mathcal{Q}}_c\right]},{\left\{{\Psi }_i\right\}}_{i\in \left[{\mathcal{Q}}_e\right]},{\left\{{\Pi }_j^{*}\right\}}_{j\in \left[{\mathcal{Q}}_c\right]},{\left\{{\Pi }_i\right\}}_{i\in \left[{\mathcal{Q}}_e\right]}))\hfill \\ \hfill & \ge {\tilde{\Gamma }}_{\infty }\left({\Lambda }_{s{k}_H}\left(c_{H,j}^{*}\right)\right|(p{k}_H,c_H^{*}))-\lambda -{\mathcal{Q}}_c(log\left(p\right)+l)-{\mathcal{Q}}_e(log\left(p\right)+l)\hfill \\ \hfill & \ge \nu -\lambda -({\mathcal{Q}}_c+{\mathcal{Q}}_e)(log\left(p\right)+l)\hfill \end{array}$$

Applying the above for $j\in \left[{\mathcal{Q}}_c\right]$, and given that extractor E is a $((\nu -\lambda -\left(({\mathcal{Q}}_c+{\mathcal{Q}}_e)(\theta +l)\right)/{\mathcal{Q}}_c),{ϵ}_2)$ average case strong randomness extractor, the value of $E\left({\Lambda }_{s{k}_H}\left(c_H^{*}\right)\right)$ is ${ϵ}_2$ close to uniform from the point of view of the adversary. The claim thus follows. Combining all these claims prove the stated theorem as well. □

6. Concrete Instantiations

Let ${\mathcal{A}}_{ddh}$ be a group sampling algorithm that takes as input a security parameter, $\kappa$, and which outputs a tuple, $(p,\mathbb{G},g)$, where $\mathbb{G}$ is a cyclic group of order p for some prime p, and g is the generator of the group. Let $a,b,c\leftarrow {\mathbb{Z}}_p$. The DDH assumption states that the ensemble of tuples ${\left\{(\mathbb{G},g^a,g^b,g^{ab})\right\}}_{\kappa \in \mathbb{N}}$ is computationally difficult to distinguish from the ensemble of tuples ${\left\{(\mathbb{G},g^a,g^b,g^c)\right\}}_{\kappa \in \mathbb{N}}$

6.1. Hash Proof System Based on DDH

This concrete example of a hash proof system follows [2].

 Parameter Generation. 

$H_g\left(1^{\kappa }\right)$ first runs ${\mathcal{A}}_{ddh}$ to obtain $(p,\mathbb{G},g)\leftarrow {\mathcal{A}}_{ddh}\left(1^{\kappa }\right)$. It randomly samples $u\leftarrow \mathbb{G}$ followed by $\sigma ,\tau \leftarrow {\mathbb{A}}_p$. It defines the secret key as $s{k}_H=(\sigma ,\tau )$. It defines the projective hash function ${\Lambda }_{s{k}_H}:{\mathbb{G}}^2\to \mathbb{G}$ as ${\Lambda }_{s{k}_H}(v,w)=v^{\sigma },w^{\tau }$. In this case, the projection function $\mu$ associated with ${\Lambda }_{s{k}_H}$ is the same, i.e., $\mu :={\Lambda }_{s{k}_H}$. Using $\mu$, it constructs the public key $p{k}_H=(h,u)$, where $h:=\mu (g,u)=g^{\sigma }{u}^{\tau }$. In this case, the set of ciphertexts C consists of ${\mathbb{G}}^2$, i.e., $C:=\mathbb{G}\times \mathbb{G}$. The set of valid ciphertexts $V\subseteq C$ consists of all element $(u,v)$ of $\mathbb{G}\times \mathbb{G}$ for which $(u,v,w)$ is a DH-triple, i.e., $u^{\omega }{v}^{\omega }=w^{\omega }$.

 Public Evaluation. 

$H_{pub}(p{k}_H,c_H,\omega )$ takes as input public key $p{k}_H=(h,u)$, $c_H\in \mathbb{G}\times \mathbb{G}$ and witness $\omega \in {\mathbb{Z}}_p$ that $c_H\in V$. Let $c_H=(v,w)$. Given u, $H_{pub}$ first checks if $(v,w)=g^{\omega }{u}^{\omega }$. If true, $H_{pub}$ outputs $h^{\omega }$, which equals to ${\Lambda }_{s{k}_H}(v,w)$ given that:

$${\Lambda }_{s{k}_H}(v,w)=v^{\sigma }{w}^{\sigma }={\left(g^{\omega }\right)}^{\sigma }{\left(u^{\omega }\right)}^{\tau }={\left(g^{\sigma }{u}^{\tau }\right)}^{\omega }=h^{\omega }$$

We note here that the value of ${\Lambda }_{s{k}_H}(v,w)$ is evaluated using only the auxiliary information h, without knowing the secret key $(\sigma ,\tau )$.

 Private Evaluation. 

$H_{priv}(s{k}_H,c_H)$ takes as input private key $s{k}_H=(\sigma ,\tau )$, and $c_H\in \mathbb{G}\times \mathbb{G}$. Let $c_H=(v,w)$. $H_{priv}$ evaluates ${\Lambda }_{s{k}_H}$ on any element of C without requiring a witness. In this case, $H_{priv}$ outputs $v^{\sigma }{u}^{\tau }$.

As shown in [2] if ${\Lambda }_{s{k}_H}$ is evaluated in $(v,w)$ without using auxiliary information h, the probability that ${\Lambda }_{s{k}_H}(v,w)$ equals some number is $1/p$, which is close to uniform.

6.2. ABO Function Collection Based on DDH

Given $\kappa$, let $(p,\mathbb{G},g)\leftarrow {\mathcal{A}}_{ddh}\left(1^{\kappa }\right)$. The ElGamal cryptosystem is initiated as follows: (i) a secret key is drawn randomly $z\leftarrow {\mathbb{Z}}_p$ and (ii) the public key is computed as $h=g^z$ [8]. Given public key h and secret key z, let $E_h$ denote the encryption algorithm of ElGamal, while $D_z$ is the decryption algorithm. Encryption of a message $m\in {\mathbb{Z}}_p$ is done by first drawing random number $z\leftarrow {\mathbb{Z}}_p$, and the ciphertext c is the tuple $E_h(m,r)=c=(g^r,h^r{g}^m)$. Decryption on the other hand is computed as $D_z\left(c\right)={log}_g(h^r{g}^m/g^{rz})$. The correctness of the ElGamal cryptosystem follows from ${log}_g(h^r{g}^m/g^{rz})={log}_g(g^{rz}{g}^m/g^{rz})={log}_g\left(g^m\right)=m$. From [8], this cryptosystem is semantically secure under the DDH assumption and is additively homomorphic in the sense that, given two ciphertexts $c_a=E_h(m_1,r_1)$ and $c_b=E_H(m_2,r_1)$ for any pair of messages $m_1,m_2\in {\mathbb{Z}}_p$ and random elements $r_1,r_2\in {\mathbb{Z}}_p$, they can be ’added’, in the sense that $c_a⊠c_b=E_h(m_1+m_2,r_1+r_2)$, where ⊠ is the coordinate-wise multiplication of ciphertexts. This can, likewise, be applied to the exponentiation operation, i.e., $E_h{(m,r)}^x=E_h(mx,rx)$. We also define the operation ⊞; given ciphertext $c=(c_1,c_2)$, we can add a scalar $v\in {\mathbb{Z}}_p$ to the underlying plaintext, i.e., $c⊞v:=(c_1,c_2{g}^v)=E_h(m+v,r)$, using the r used in computing c.

6.2.1. Matrix Encryption

Let $n>0$ be some integer and p a prime number. Given a matrix $\mathit{M}=\left(m_{i,j}\right)\in {\mathbb{Z}}_p^{n\times n}$, $\mathit{M}$ can be encrypted based on ElGamal. Encryption produces indistinguishable ciphertexts under the DDH assumption (Lemma 4 below). The first step is to sample $z_j\in {\mathbb{Z}}_p$ for $j\in \left[n\right]$, followed by computing $h_j=g^{z_j}$ for $j\in \left[n\right]$. Encrypting $\mathit{M}$ is done by drawing n random numbers $r_i\in {\mathbb{Z}}_p$, and then, for rows $i\in \left[n\right]$ and columns $j\in \left[n\right]$, we compute the ciphertext $c_{ij}=E_{h_j}(m_{ij},r_i)$. This scheme outputs a ciphertext tuple $({\mathit{C}}_1,{\mathit{C}}_2)$ that serves as the encryption of $\mathit{M}$, where the vector ${\mathit{C}}_1$ and the matrix ${\mathit{C}}_2$ are as follows.

$${\mathit{C}}_1=\left(\begin{array}{c}{g}^{r_1}\\ ⋮\\ g^{r_n}\end{array}\right){\mathit{C}}_2=\left(\begin{array}{cccc}{h}_1^{r_1}{g}^{m_{1,1}}& h_2^{r_1}{g}^{m_{1,2}}& \cdots & h_n^{r_1}{g}^{m_{1,n}}\\ ⋮& ⋮& \ddots & ⋮\\ h_1^{r_n}{g}^{m_{n,1}}& h_2^{r_n}{g}^{m_{n,2}}& \cdots & h_n^{r_n}{g}^{m_{nn}}\end{array}\right)$$

Lemma 4

([8]). The ElGamal matrix encryption scheme produces indistinguishable ciphertexts.

6.2.2. DDH-Based ABO Function Collection

Let a $(n,p)$ collection of ABO functions be given by $L_{g^{abo}},L_{e^{abo}}$ ([8] also includes a trapdoor algorithm but we do not include it here). Given $\kappa$, let $B:=B_{\kappa }$ denote the set of branches with lossy branch $b^{\circ }\in B$. Each element of B belongs to ${\mathbb{Z}}_p^{1\times n}$. The algorithms are described as follows:

 Function sampling algorithm. 

$L_{g^{abo}}(1^{\kappa },b^{\circ })$ takes as input the security parameter $\kappa$, and the lossy branch $b^{\circ }\in B$. Denote $b^{\circ }:=(b_1^{\circ },b_2^{\circ },...,b_n^{\circ })$. The algorithm first runs $(p,\mathbb{G},q)\leftarrow {\mathcal{A}}_{ddh}\left(1^{\kappa }\right)$. Let $\mathit{I}$ denote the identity matrix over ${\mathbb{Z}}_p^{n\times n}$. $L_{g^{abo}}$ samples a vector of secret keys $\mathit{z}={\left\{z_j\right\}}_{i\in \left[n\right]}$ and forms the vector $\mathit{h}=g^{\mathit{z}}\in {\mathbb{Z}}_p^{1\times n}$. It also samples a random vector, $\mathit{r}\in {\mathbb{Z}}_p^{1\times n}$. The output $\mathit{s}$ of $L_{g^{abo}}$ consists of the function index $\mathit{s}\in {\mathbb{Z}}_p^{n\times n}$, which is the second element (i.e., the matrix ${\mathit{C}}_2$) of the ElGamal matrix encryption of $-\left(b^{\circ }\mathit{I}\right)$ (using $\mathit{h}$, $\mathit{r}$, and $\mathit{z}$), along with the $\mathit{t}$ consisting of the vector of secret keys $\mathit{z}={\left\{z_j\right\}}_{i\in \left[n\right]}\in {\mathbb{Z}}_p^{1\times n}$. The vectors $\mathit{r}$ and $\mathit{h}$ do not need to be published publicly. In detail, we have $\mathit{s}$ as follows.

$$\mathit{s}=\left(\begin{array}{cccc}{h}_1^{r_1}{g}^{-b_1^{\circ }}& h_2^{r_1}& \cdots & h_n^{r1}\\ h_1^{r_2}& h_2^{r_2}{g}^{-b_2^{\circ }}& \cdots & h_n^{r_2}\\ ⋮& ⋮& \ddots & ⋮\\ h_1^{r_n}& h_2^{r_n}& \cdots & h_n^{r_n}{g}^{-b_n^{\circ }}\end{array}\right)$$

 Evaluation algorithm. 

$L_{e^{abo}}(\mathit{s},b,\mathit{m})$ takes as input the function index consisting of the matrix $\mathit{s}=-\left(b^{\circ }\mathit{I}\right)$ sampled by $L_{g^{abo}}$, a desired branch b from B, and a vector $\mathit{m}\in {\mathbb{Z}}_p^{1\times n}$. The output consists of a vector $\Pi =\mathit{m}(\mathit{s}⊞b\mathit{I})\in {\mathbb{Z}}_p^{1\times n}$. In summary:

$$\begin{array}{cc}\hfill \Pi & =\mathit{m}(\mathit{s}⊞b\mathit{I})={\left(\begin{array}{c}{g}^{m_1}\\ g^{m_2}\\ ⋮\\ g^{m_n}\end{array}\right)}^T\left(\begin{array}{cccc}{h}_1^{r_1}{g}^{(b_1-b_1^{\circ })}& h_2^{r_1}& \cdots & h_n^{r1}\\ h_1^{r_2}& h_2^{r_2}{g}^{(b_2-b_2^{\circ })}& \cdots & h_n^{r_2}\\ ⋮& ⋮& \ddots & ⋮\\ h_1^{r_n}& h_2^{r_n}& \cdots & h_n^{r_n}{g}^{(b_n-b_n^{\circ })}\end{array}\right)\hfill \\ \hfill & =\left(\begin{array}{c}{h}^{\langle \mathit{m},\mathit{r}\rangle }{g}^{m_1(b_1-b_1^{\circ })}\\ h^{\langle \mathit{m},\mathit{r}\rangle }{g}^{m_2(b_2-b_2^{\circ })}\\ ⋮\\ h^{\langle \mathit{m},\mathit{r}\rangle }{g}^{m_n(b_n-b_n^{\circ })}\end{array}\right)=\left(\begin{array}{c}{g}^{z_1(m_1{r}_1+m_2{r}_2+...m_n{r}_n)+m_1(b_1-b_1^{\circ })}\\ g^{z_2(m_1{r}_1+m_2{r}_2+...m_n{r}_n)+m_2(b_2-b_2^{\circ })}\\ ⋮\\ g^{z_n(m_1{r}_1+m_2{r}_2+...m_n{r}_n)+m_n(b_n-b_n^{\circ })}\end{array}\right)\hfill \end{array}$$

Let $y_j$ denote the jth coordinate of $\Pi$ and let $\langle \mathit{x},\mathit{y}\rangle$ denote the dot product of $\mathit{x}$ and $\mathit{y}$. Let $m_j$ denote the jth coordinate of $\mathit{m}$, and let $E_{h_j}^{c_2}$ denote the function $E_{h_j}$ that discards the first element $c_1$ in its output and returns only $c_2$. Using the homomorphic properties of the system we restate $y_j$ as: $y_j:=E_{h_j}^{c_2}((b-b^{\circ })m_j,r:=\langle \mathit{m},\mathit{r}\rangle )$. This is computed without knowing $\mathit{r}$ and $\mathit{h}$ from the sampling stage; oOnly $\mathit{s}$ is needed to compute $\Pi$.

Lemma 5

([8]). The algorithms $L_{g^{abo}},L_{e^{abo}}$, described above, give a collection of $(n,p)$ ABO lossy functions under the DDH assumption for ${\mathcal{A}}_{ddh}$.

6.3. $L^M$ Lossy Function Collection

Let n, p be values of polynomials in $\kappa$, and let $M\in \mathbb{N}$. Let S denote the set of function indices of a $L^M$ collection and let $\mathcal{B}={\left\{B\right\}}_{\kappa \in \mathbb{N}}$ denote the collection of sets of branches indexed by $\kappa$. A concrete instantiation of a $(n,p)$$L^M$ collection is given by algorithms $L_{g^M}$, $L_{e^M}$, which are as follows.

Concrete Instantiation of the $L^M$ Collection

Given $\kappa$, define $B:=B$ as the branch set corresponding to function index $s\in S$. Define $B^{\circ }\subseteq B$ as a lossy branch set of size M with elements $b_i^{\circ }\in {\mathbb{Z}}_p^{1\times n}$ for $i\in \left[M\right]$. Using $B^{\circ }$, define q as the ordered tuple $q:=(b_1^{\circ },b_2^{\circ },...,b_M^{\circ })$ for $b_i^{\circ }\in B^{\circ }$, $i\in \left[M\right]$. Suppose that $(L_{g^{abo}},L_{e^{abo}})$ are algorithms that give a $(n,p)$ ABO collection satisfying the required properties. Using $(L_{g^{abo}},L_{e^{abo}})$, we implement $(L_{g^M}$, $L_{e^M})$ as follows.

 Function sampling algorithm. 

$L_{g^M}(1^{\kappa },q)$ takes as input $\kappa$ and q. The algorithm computes $(p,\mathbb{G},q)\leftarrow {\mathcal{A}}_{ddh}\left(1^{\kappa }\right)$. Given q and p, $L_{g^M}$ outputs s, where $s\in S$. Let $s\in {\mathbb{Z}}_{p,1}^{n\times n}\times {\mathbb{Z}}_{p,2}^{n\times n}\times ...\times {\mathbb{Z}}_{p,M}^{n\times n}$. Denote by $s_i$ the ith coordinate of s, denote by $q_i$ the ith coordinate of q. Using the algorithm $L_{g^{abo}}$, we compute $s_i\leftarrow L_{g^{abo}}(1^{\kappa },q_i)$ for $i\in \left[M\right]$ so that $s=(s_1,s_2,...,s_M)$.

 Evaluation algorithm. 

$L_{e^M}(s,b,m)$: on input s, branch $b\in B$ and message $m\in {\mathbb{Z}}_p^{1\times n}$, the output is a vector $\mathit{\pi }\in {\mathbb{Z}}_{p,1}^{1\times n}\times {\mathbb{Z}}_{p,2}^{1\times n}\times ...\times {\mathbb{Z}}_{p,M}^{1\times n}$. Denote by $s_i$ the ith coordinate of s and denote by ${\mathit{\pi }}_i$ the ith coordinate of $\mathit{\pi }$. Using the algorithm $L_{e^{abo}}$, ${\mathit{\pi }}_i$ is computed as ${\mathit{\pi }}_i=L_{e^{abo}}(s_i,b,m)$ for $i\in \left[M\right]$, so that $\mathit{\pi }=({\mathit{\pi }}_1,{\mathit{\pi }}_2,..,{\mathit{\pi }}_M)$.

Lemma 6.

Assume that $(L_{g^{abo}},L_{e^{abo}})$ are algorithms that give a $(n,p)$ ABO collection of lossy functions satisfying the required properties for an ABO collection. Using $(L_{g^{abo}},L_{e^{abo}})$, the algorithms $(L_{g^M}$, $L_{e^M})$, presented above, give a $L^M$ collection of lossy functions that satisfies the required properties of a $L^M$ collection under the DDH assumption.

Proof. 

Property 1 is satisfied since $q\in {\mathbb{Z}}_{p,1}^{1\times n}\times {\mathbb{Z}}_{p,2}^{1\times n}\times ...\times {\mathbb{Z}}_{p,M}^{1\times n}$, which can be constructed in polynomial time by drawing M elements of ${\mathbb{Z}}_p^{1\times n}$. For property 3, each coordinate $s_i$ of the function index s is computed as $s_i=L_{g^{abo}}(1^{\kappa },q_i)$ in polynomial time. Since this is done M times, the total time of $L_{g^M}$ is polynomial. For property 4, to generate an element of $B^{\circ }$, one has to sample elements of ${\mathbb{Z}}_p^{1\times n}$, which cannot be done in polynomial time. To prove property 3, we construct experiments $H_1,...,H_{M+1}$. Let $q_a,q_b\in {\mathbb{Z}}_p^{(1\times n)M}$ with $q_a\ne q_b$ represent two ordered tuples. Denote $q_a=(q_{1,1},q_{1,2},...,q_{1,M})$ and $q_b=(q_{2,1},q_{2,2},...,q_{2,M})$. Experiment $H_0$ computes $s\leftarrow L_{g^M}(1^{\kappa },q_a)$. For $i^{\prime }\in [M+1]$, experiment $H_{i^{\prime }}$ constructs q as follows:

$$q=(q_{2,1},q_{2,2},q_{2,3},...,q_{2,i^{\prime }-1},q_{1,i^{\prime }},q_{1,i^{\prime }+1},...,q_{1,M})$$

Suppose that some polynomial time adversary can distinguish between $H_{i^{\prime }}$ and $H_{i^{\prime }+1}$ for any $i^{\prime }\in [M-1]$. Using this adversary, we construct a simulator that breaks property 3 of the ABO collection given by $(L_{g^{abo}},L_{e^{abo}})$. The simulator has access to an oracle that, on input $(b_0^{\circ },b_1^{\circ })$, provides it with either $s\leftarrow L_{g^{abo}}(1^{\kappa },b_0^{\circ })$ or $s\leftarrow L_{g^{abo}}(1^{\kappa },b_1^{\circ })$. For $i^{\prime }\in [M-1]$, let $q_a,q_b$ be fixed with $q_a\ne q_b$ and where $q_a=(q_{1,1},q_{1,2},...,q_{1,M})$ and $q_b=(q_{2,1},q_{2,2},...,q_{2,M})$. Given $i^{\prime }\in [M-1]$, the simulator constructs $q^0$ and $q^1$ as follows during initialization:

$$\begin{array}{cc}\hfill q^0& =(q_{2,1},q_{2,2},q_{2,3},...,q_{2,i^{\prime }-1},q_{1,i^{\prime }},q_{1,i^{\prime }+1},...,q_{1,M})\hfill \\ \hfill q^1& =(q_{2,1},q_{2,2},q_{2,3},...,q_{2,i^{\prime }-1},q_{2,i^{\prime }},q_{1,i^{\prime }+1},...,q_{1,M})\hfill \end{array}$$

For $i\in \left[M\right]\backslash i^{\prime }$, the simulator computes $s_i\leftarrow L_{g^{abo}}(1^{\kappa },q^0)$, since $q^0$ and $q^1$ are equal for all coordinates not equal to $i^{\prime }$. For $s_{i^{\prime }}$, the simulator forwards $(q_{1,i^{\prime }},q_{2,i^{\prime }})$ to its oracle and it receives $s_{i^{\prime }}$. The simulator then forms $s=(s_1,s_2,...,s_M)$ and forwards it to its adversary. Once the adversary outputs a guess $a^{\prime }\in \{0,1\}$, the simulator outputs $a^{\prime }$. The advantage of the simulator is thus equal to the probability that the adversary outputs $a^{\prime }=0$ and the oracle computes $s_i\leftarrow L_{g^{abo}}(1^{\kappa },q^0)$. However, given that the ABO collection given by $(L_{g^{abo}},L_{e^{abo}})$ satisfies the required properties, no efficient adversary would be able to output $a^{\prime }$ correctly with non-negligible probability. It follows that the advantage of the simulator is likewise negligible. By construction, if the oracle computes $s_{i^{\prime }}\leftarrow L_{g^{abo}}(1^{\kappa },q_{1,i^{\prime }})$, the simulator is performing experiment $H_{i^{\prime }}$, while if the oracle computes $s_{i^{\prime }}\leftarrow L_{g^{abo}}(1^{\kappa },q_{2,i^{\prime }})$, the simulator is performing experiment $H_{i^{\prime }+1}$ for $i\in [M-1]$. Experiment $H_0$ computes $s\leftarrow L_{g^M}(1^{\kappa },q_a)$, while $H_{M+1}$ computes $s\leftarrow L_{g^M}(1^{\kappa },q_b)$. This proves property 3.

We now show that $(L_{g^M}$, $L_{e^M})$ satisfy the lossiness property. Let $s\leftarrow L_{g^M}(1^{\kappa },q)$ for some q. We note that to efficiently sample a lossy branch, simply pick any ith coordinate $q_i$ of q. Let ${\mathit{\pi }}_j$ denote the jth coordinate of $\mathit{\pi }$, where $\mathit{\pi }$ is the output of $L_{e^M}(s,q_i,k)$ for some $k\in {\mathbb{Z}}_p^{1\times n}$. For $j\in \left[M\right]$ with $i\ne j$, we have ${\mathit{\pi }}_j=L_{e^{abo}}(s_j,q_i,k)$, as injective since $q_i\ne q_j$. For $j=i$, we have ${\mathit{\pi }}_j=L_{e^{abo}}(s_i,q_i,k)$, which is lossy given that $s_i\leftarrow L_{g^{abo}}(1^{\kappa },q_i)$, i.e., $s_i$ is computed with $q_i$ as the lossy branch. It follows that ${\mathit{\pi }}_i$ has, at most, p possible values. Transferring from the ${\mathbb{Z}}_p$ domain to the binary domain, let ${\mathit{\pi }}_j$, with $i\ne j$ have $2^{n^{\prime }}$ possible values for some $n^{\prime }\in \mathbb{N}$. It follows that $\mathit{\pi }$ can have, at most, $2^{n^{\prime }(M-1)+log\left(p\right)}$ possible values. This proves the lossiness property. □

7. Conclusions and Future Work

In this paper, we proposed cryptosystems that seek to address the problem of constructing CCA2 secure public-key cryptosystems that are resilient against related randomness attacks and related key attacks, albeit under the more limited classes of randomness reset attacks and constant-bit secret-key leakage attacks. Under this security notion, attacks from both the encryption and decryption processes of a cryptosystem are considered. We formally define this security notion in terms of an attack game between a challenger and an adversary, where the adversary has access to encryption queries with randomness reset and secret-key leakage queries aside from the standard challenge queries and decryption queries in CCA2 security. Under this attack game, we have presented two cryptosystems that are provably secure, where the first cryptosystem relies on the random oracle assumption, while the second cryptosystem is a standard model that relies on a proposed primitive called $L^M$ lossy functions, which can provide up to M lossy branches. In particular, the second cryptosystem uses the loss of information provided by multiple lossy branches to render it secure under a bounded number of encryption and challenge queries. While the $L^M$ collection exhibits a higher degree of information in the lossy branch and requires more memory than other lossy functions, it is easy to construct, as it uses Cartesian product operations over ABO lossy function primitives.

For future work, stronger public-key cryptosystems could, perhaps, be developed such that they are secure against more general types of related randomness attacks or related key attacks. For instance, instead of a randomness reset, a randomness attack may involve linear or polynomial functions of the randomness. The same can be said of secret-key leakage attacks, wherein, instead of the leakage of a constant number of bits, the leakage could be arbitrary functions of the secret key. In addition, further analysis can be done on the efficiency and experimental performance of the algorithm. In particular, the following can be explored: (1) to experimentally assess the efficiency/speed of cryptosystem 1 using an appropriate hash function as a simulated random oracle, and to compare this with cryptosystem 2 using the LM hash function and with other algorithms; (2) to experimentally assess the memory complexity of the LM lossy function relative to the other hash functions in the literature; (3) to provide a discussion on the time and space complexity of our algorithm relative to other algorithms; and (4) to perform an experimental simulation of a randomness reset attack and constant secret-key leakage attack, and demonstrate the algorithm’s response and resiliency to these attacks