ii – encryption...provable security in the computational model ii – encryption david pointcheval...
TRANSCRIPT
![Page 1: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/1.jpg)
Provable Security in the Computational Model
II – Encryption
David Pointcheval
MPRI – Paris
Ecole normale superieure, CNRS & INRIA
ENS/CNRS/INRIA Cascade David Pointcheval 1/68
![Page 2: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/2.jpg)
Outline
Basic Security Notions
Game-based Proofs
Advanced Security for Encryption
Conclusion
ENS/CNRS/INRIA Cascade David Pointcheval 2/68
![Page 3: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/3.jpg)
Basic Security Notions
![Page 4: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/4.jpg)
Outline
Basic Security Notions
Public-Key Encryption
Signatures
Game-based Proofs
Advanced Security for Encryption
Conclusion
ENS/CNRS/INRIA Cascade David Pointcheval 3/68
![Page 5: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/5.jpg)
Public-Key Encryption
Goal: Privacy/Secrecy of the plaintext
ENS/CNRS/INRIA Cascade David Pointcheval 4/68
![Page 6: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/6.jpg)
Public-Key Encryption
Goal: Privacy/Secrecy of the plaintext
ENS/CNRS/INRIA Cascade David Pointcheval 4/68
![Page 7: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/7.jpg)
OW− CPA Security Game
A
ENS/CNRS/INRIA Cascade David Pointcheval 5/68
![Page 8: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/8.jpg)
OW− CPA Security Game
A
kdke G
ENS/CNRS/INRIA Cascade David Pointcheval 5/68
![Page 9: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/9.jpg)
OW− CPA Security Game
A
kdke Gm* randomr* random
ENS/CNRS/INRIA Cascade David Pointcheval 5/68
![Page 10: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/10.jpg)
OW− CPA Security Game
A
kdke Gm* randomr* random
Er*m* c*
ENS/CNRS/INRIA Cascade David Pointcheval 5/68
![Page 11: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/11.jpg)
OW− CPA Security Game
A
kdke Gm* randomr* random
Er*m* c*
m
ENS/CNRS/INRIA Cascade David Pointcheval 5/68
![Page 12: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/12.jpg)
OW− CPA Security Game
A
kdke G
m
m* randomr* random
m* = m?
Er*m* c*
ENS/CNRS/INRIA Cascade David Pointcheval 5/68
![Page 13: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/13.jpg)
OW− CPA Security Game
A
kdke G
m
m* randomr* random
m* = m?
Er*m* c*
SuccowS (A) = Pr[(sk ,pk)← K(); m R←M; c = Epk (m) : A(pk , c)→ m]
ENS/CNRS/INRIA Cascade David Pointcheval 5/68
![Page 14: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/14.jpg)
IND− CPA Security Game
A
ENS/CNRS/INRIA Cascade David Pointcheval 6/68
![Page 15: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/15.jpg)
IND− CPA Security Game
A
kdke G
ENS/CNRS/INRIA Cascade David Pointcheval 6/68
![Page 16: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/16.jpg)
IND− CPA Security Game
A
m1
m0
kdke G
ENS/CNRS/INRIA Cascade David Pointcheval 6/68
![Page 17: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/17.jpg)
IND− CPA Security Game
A
m1
m0
kdke Gb∈{0,1}r random
ENS/CNRS/INRIA Cascade David Pointcheval 6/68
![Page 18: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/18.jpg)
IND− CPA Security Game
A
m1
m0
kdke G
Ermb c*
b∈{0,1}r random
ENS/CNRS/INRIA Cascade David Pointcheval 6/68
![Page 19: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/19.jpg)
IND− CPA Security Game
A
m1
m0
kdke G
Ermb c*
b’
b∈{0,1}r random
ENS/CNRS/INRIA Cascade David Pointcheval 6/68
![Page 20: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/20.jpg)
IND− CPA Security Game
A
m1
m0
kdke G
Ermb c*
b’
b∈{0,1}r random
b’ = b?
ENS/CNRS/INRIA Cascade David Pointcheval 6/68
![Page 21: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/21.jpg)
IND− CPA Security Game
A
m1
m0
kdke G
Ermb c*
b’
b∈{0,1}r random
b’ = b?
(sk ,pk)← K();(m0,m1, state)← A(pk);
b R← {0,1};c = Epk (mb); b′ ← A(state, c)
Advind−cpaS (A)=
∣∣Pr[b′ = 1|b = 1]−Pr[b′ = 1|b = 0]∣∣= ∣∣2× Pr[b′ = b]−1
∣∣ENS/CNRS/INRIA Cascade David Pointcheval 6/68
![Page 22: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/22.jpg)
Outline
Basic Security Notions
Public-Key Encryption
Signatures
Game-based Proofs
Advanced Security for Encryption
Conclusion
ENS/CNRS/INRIA Cascade David Pointcheval 7/68
![Page 23: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/23.jpg)
Signature
Goal: Authentication of the sender
ENS/CNRS/INRIA Cascade David Pointcheval 8/68
![Page 24: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/24.jpg)
Signature
Goal: Authentication of the sender
ENS/CNRS/INRIA Cascade David Pointcheval 8/68
![Page 25: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/25.jpg)
EUF− NMA
A
ENS/CNRS/INRIA Cascade David Pointcheval 9/68
![Page 26: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/26.jpg)
EUF− NMA
A
kskv G
ENS/CNRS/INRIA Cascade David Pointcheval 9/68
![Page 27: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/27.jpg)
EUF− NMA
A
kskv G
(m,σ)
ENS/CNRS/INRIA Cascade David Pointcheval 9/68
![Page 28: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/28.jpg)
EUF− NMA
A
kskv G
(m,σ)
V(kv,m,σ)?
ENS/CNRS/INRIA Cascade David Pointcheval 9/68
![Page 29: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/29.jpg)
EUF− NMA
A
kskv G
(m,σ)
V(kv,m,σ)?
SucceufSG(A) = Pr[(sk ,pk)← K(); (m, σ)← A(pk) : Vpk (m, σ) = 1]
ENS/CNRS/INRIA Cascade David Pointcheval 9/68
![Page 30: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/30.jpg)
Game-based Proofs
![Page 31: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/31.jpg)
Outline
Basic Security Notions
Game-based Proofs
Provable Security
Game-based Approach
Transition Hops
Advanced Security for Encryption
Conclusion
ENS/CNRS/INRIA Cascade David Pointcheval 10/68
![Page 32: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/32.jpg)
Provable Security
One can prove that:
• if an adversary is able to break the cryptographic scheme
• then one can break the underlying problem(integer factoring, discrete logarithm, 3-SAT, etc)
ENS/CNRS/INRIA Cascade David Pointcheval 11/68
![Page 33: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/33.jpg)
Provable Security
One can prove that:
• if an adversary is able to break the cryptographic scheme
• then one can break the underlying problem(integer factoring, discrete logarithm, 3-SAT, etc)
hard →instance
→solution
ENS/CNRS/INRIA Cascade David Pointcheval 11/68
![Page 34: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/34.jpg)
Direct Reduction
Oracles
ChallengerAdversary 0 / 1
Security GameOracles
ChallengerAdversary
Instance
Simulator
Solution
Reduction
ENS/CNRS/INRIA Cascade David Pointcheval 12/68
![Page 35: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/35.jpg)
Direct Reduction
Oracles
ChallengerAdversary 0 / 1
Security GameOracles
ChallengerAdversary
Instance
Simulator
Solution
Reduction
Unfortunately
• Security may rely on several assumptions
• Proving that the view of the adversary, generated by thesimulator, in the reduction is the same as in the real attack gameis not easy to do in such a one big step
ENS/CNRS/INRIA Cascade David Pointcheval 12/68
![Page 36: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/36.jpg)
Direct Reduction
Oracles
ChallengerAdversary 0 / 1
Security GameOracles
ChallengerAdversary
Instance
Simulator
Solution
Reduction
Unfortunately
• Security may rely on several assumptions
• Proving that the view of the adversary, generated by thesimulator, in the reduction is the same as in the real attack gameis not easy to do in such a one big step
ENS/CNRS/INRIA Cascade David Pointcheval 12/68
![Page 37: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/37.jpg)
Direct Reduction
Oracles
ChallengerAdversary 0 / 1
Security GameOracles
ChallengerAdversary
Instance
Simulator
Solution
Reduction
Unfortunately
• Security may rely on several assumptions
• Proving that the view of the adversary, generated by thesimulator, in the reduction is the same as in the real attack gameis not easy to do in such a one big step
ENS/CNRS/INRIA Cascade David Pointcheval 12/68
![Page 38: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/38.jpg)
Outline
Basic Security Notions
Game-based Proofs
Provable Security
Game-based Approach
Transition Hops
Advanced Security for Encryption
Conclusion
ENS/CNRS/INRIA Cascade David Pointcheval 13/68
![Page 39: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/39.jpg)
Sequence of Games
Real Attack GameThe adversary plays a game, against a challenger (security notion)
Oracles
ChallengerAdversary 0 / 1
Game 0
ENS/CNRS/INRIA Cascade David Pointcheval 14/68
![Page 40: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/40.jpg)
Sequence of Games
SimulationThe adversary plays a game, against a sequence of simulators
Oracles
ChallengerAdversary
Distribution 1
Simulator 1
Game 1
0 / 1
ENS/CNRS/INRIA Cascade David Pointcheval 15/68
![Page 41: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/41.jpg)
Sequence of Games
SimulationThe adversary plays a game, against a sequence of simulators
Oracles
ChallengerAdversary
Distribution 2
Simulator 2
Game 2
0 / 1
ENS/CNRS/INRIA Cascade David Pointcheval 16/68
![Page 42: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/42.jpg)
Sequence of Games
SimulationThe adversary plays a game, against a sequence of simulators
Oracles
ChallengerAdversary
Distribution 3
Simulator 3
Game 3
0 / 1
ENS/CNRS/INRIA Cascade David Pointcheval 17/68
![Page 43: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/43.jpg)
Output
• The output of the simulator in Game 1 is related to the output ofthe challenger in Game 0 (adversary’s winning probability)
• The output of the simulator in Game 3 is easy to evaluate(e.g. always zero, always 1, probability of one-half)
• The gaps (Game 1↔ Game 2, Game 2↔ Game 3, etc) areclearly identified with specific events
ENS/CNRS/INRIA Cascade David Pointcheval 18/68
![Page 44: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/44.jpg)
Output
• The output of the simulator in Game 1 is related to the output ofthe challenger in Game 0 (adversary’s winning probability)
• The output of the simulator in Game 3 is easy to evaluate(e.g. always zero, always 1, probability of one-half)
• The gaps (Game 1↔ Game 2, Game 2↔ Game 3, etc) areclearly identified with specific events
ENS/CNRS/INRIA Cascade David Pointcheval 18/68
![Page 45: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/45.jpg)
Output
• The output of the simulator in Game 1 is related to the output ofthe challenger in Game 0 (adversary’s winning probability)
• The output of the simulator in Game 3 is easy to evaluate(e.g. always zero, always 1, probability of one-half)
• The gaps (Game 1↔ Game 2, Game 2↔ Game 3, etc) areclearly identified with specific events
Oracles
ChallengerAdversary
Distribution 1
Simulator 1
Game 1
0 / 1
Oracles
ChallengerAdversary
Distribution 3
Simulator 3
Game 3
0 / 1
ENS/CNRS/INRIA Cascade David Pointcheval 18/68
![Page 46: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/46.jpg)
Outline
Basic Security Notions
Game-based Proofs
Provable Security
Game-based Approach
Transition Hops
Advanced Security for Encryption
Conclusion
ENS/CNRS/INRIA Cascade David Pointcheval 19/68
![Page 47: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/47.jpg)
Two Simulators
Oracles
ChallengerAdversary
Distribution
Simulator A
Game A
0 / 1
Oracles
ChallengerAdversary
Distribution
Simulator B
Game B
0 / 1
ENS/CNRS/INRIA Cascade David Pointcheval 20/68
![Page 48: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/48.jpg)
Two Simulators
Oracles
ChallengerAdversary
Distribution
Simulator A
Game A
0 / 1
Oracles
ChallengerAdversary
Distribution
Simulator B
Game B
0 / 1
• perfectly identical behaviors [Hop-S-Perfect]
• different behaviors, only if event Ev happens• Ev is negligible [Hop-S-Negl]
• Ev is non-negligible (but not overwhelming) [Hop-S-Non-Negl]
and independent of the output in GameA
→ Simulator B terminates in case of event Ev
ENS/CNRS/INRIA Cascade David Pointcheval 20/68
![Page 49: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/49.jpg)
Two Simulators
Oracles
ChallengerAdversary
Distribution
Simulator A
Game A
0 / 1
Oracles
ChallengerAdversary
Distribution
Simulator B
Game B
0 / 1
• perfectly identical behaviors [Hop-S-Perfect]
• different behaviors, only if event Ev happens• Ev is negligible [Hop-S-Negl]
• Ev is non-negligible (but not overwhelming) [Hop-S-Non-Negl]
and independent of the output in GameA
→ Simulator B terminates in case of event Ev
ENS/CNRS/INRIA Cascade David Pointcheval 20/68
![Page 50: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/50.jpg)
Two Simulators
Oracles
ChallengerAdversary
Distribution
Simulator A
Game A
0 / 1
Oracles
ChallengerAdversary
Distribution
Simulator B
Game B
0 / 1
• perfectly identical behaviors [Hop-S-Perfect]
• different behaviors, only if event Ev happens• Ev is negligible [Hop-S-Negl]
• Ev is non-negligible (but not overwhelming) [Hop-S-Non-Negl]
and independent of the output in GameA
→ Simulator B terminates in case of event Ev
ENS/CNRS/INRIA Cascade David Pointcheval 20/68
![Page 51: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/51.jpg)
Two Simulators
Oracles
ChallengerAdversary
Distribution
Simulator A
Game A
0 / 1
Oracles
ChallengerAdversary
Distribution
Simulator B
Game B
0 / 1
• perfectly identical behaviors [Hop-S-Perfect]
• different behaviors, only if event Ev happens• Ev is negligible [Hop-S-Negl]
• Ev is non-negligible (but not overwhelming) [Hop-S-Non-Negl]
and independent of the output in GameA
→ Simulator B terminates in case of event Ev
ENS/CNRS/INRIA Cascade David Pointcheval 20/68
![Page 52: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/52.jpg)
Two Distributions
Oracles
ChallengerAdversary
Distribution A
Simulator
Game A
0 / 1
Oracles
ChallengerAdversary
Distribution B
Simulator
Game B
0 / 1
ENS/CNRS/INRIA Cascade David Pointcheval 21/68
![Page 53: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/53.jpg)
Two Distributions
Oracles
ChallengerAdversary
Distribution A
Simulator
Game A
0 / 1
Oracles
ChallengerAdversary
Distribution B
Simulator
Game B
0 / 1
• perfectly identical input distributions [Hop-D-Perfect]
• different distributions• statistically close [Hop-D-Stat]
• computationally close [Hop-D-Comp]
ENS/CNRS/INRIA Cascade David Pointcheval 21/68
![Page 54: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/54.jpg)
Two Distributions
Oracles
ChallengerAdversary
Distribution A
Simulator
Game A
0 / 1
Oracles
ChallengerAdversary
Distribution B
Simulator
Game B
0 / 1
• perfectly identical input distributions [Hop-D-Perfect]
• different distributions• statistically close [Hop-D-Stat]
• computationally close [Hop-D-Comp]
ENS/CNRS/INRIA Cascade David Pointcheval 21/68
![Page 55: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/55.jpg)
Two Distributions
Oracles
ChallengerAdversary
Distribution A
Simulator
Game A
0 / 1
Oracles
ChallengerAdversary
Distribution B
Simulator
Game B
0 / 1
• perfectly identical input distributions [Hop-D-Perfect]
• different distributions• statistically close [Hop-D-Stat]
• computationally close [Hop-D-Comp]
ENS/CNRS/INRIA Cascade David Pointcheval 21/68
![Page 56: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/56.jpg)
Two Distributions
Oracles
ChallengerAdversary
Distribution A
Simulator
Game A
0 / 1
Oracles
ChallengerAdversary
Distribution B
Simulator
Game B
0 / 1
• perfectly identical input distributions [Hop-D-Perfect]
• different distributions• statistically close [Hop-D-Stat]
• computationally close [Hop-D-Comp]
ENS/CNRS/INRIA Cascade David Pointcheval 21/68
![Page 57: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/57.jpg)
Two Simulations
• Identical behaviors: Pr[GameA]− Pr[GameB] = 0• The behaviors differ only if Ev happens:
• Ev is negligible, one can ignore itShoup’s Lemma: |Pr[GameA]− Pr[GameB]| ≤ Pr[Ev]
|Pr[GameA]− Pr[GameB]|
=
∣∣∣∣∣ Pr[GameA|Ev] Pr[Ev] + Pr[GameA|¬Ev] Pr[¬Ev]
−Pr[GameB|Ev] Pr[Ev]− Pr[GameB|¬Ev] Pr[¬Ev]
∣∣∣∣∣=
∣∣∣∣∣ (Pr[GameA|Ev]− Pr[GameB|Ev])× Pr[Ev]
+(Pr[GameA|¬Ev]− Pr[GameB|¬Ev])× Pr[¬Ev]
∣∣∣∣∣≤ |1× Pr[Ev] + 0× Pr[¬Ev]| ≤ Pr[Ev]
• Ev is non-negligible and independent of the output in GameA,Simulator B terminates in case of event Ev
ENS/CNRS/INRIA Cascade David Pointcheval 22/68
![Page 58: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/58.jpg)
Two Simulations
• Identical behaviors: Pr[GameA]− Pr[GameB] = 0• The behaviors differ only if Ev happens:
• Ev is negligible, one can ignore itShoup’s Lemma: |Pr[GameA]− Pr[GameB]| ≤ Pr[Ev]
|Pr[GameA]− Pr[GameB]|
=
∣∣∣∣∣ Pr[GameA|Ev] Pr[Ev] + Pr[GameA|¬Ev] Pr[¬Ev]
−Pr[GameB|Ev] Pr[Ev]− Pr[GameB|¬Ev] Pr[¬Ev]
∣∣∣∣∣=
∣∣∣∣∣ (Pr[GameA|Ev]− Pr[GameB|Ev])× Pr[Ev]
+(Pr[GameA|¬Ev]− Pr[GameB|¬Ev])× Pr[¬Ev]
∣∣∣∣∣≤ |1× Pr[Ev] + 0× Pr[¬Ev]| ≤ Pr[Ev]
• Ev is non-negligible and independent of the output in GameA,Simulator B terminates in case of event Ev
ENS/CNRS/INRIA Cascade David Pointcheval 22/68
![Page 59: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/59.jpg)
Two Simulations
• Identical behaviors: Pr[GameA]− Pr[GameB] = 0• The behaviors differ only if Ev happens:
• Ev is negligible, one can ignore itShoup’s Lemma: |Pr[GameA]− Pr[GameB]| ≤ Pr[Ev]
|Pr[GameA]− Pr[GameB]|
=
∣∣∣∣∣ Pr[GameA|Ev] Pr[Ev] + Pr[GameA|¬Ev] Pr[¬Ev]
−Pr[GameB|Ev] Pr[Ev]− Pr[GameB|¬Ev] Pr[¬Ev]
∣∣∣∣∣=
∣∣∣∣∣ (Pr[GameA|Ev]− Pr[GameB|Ev])× Pr[Ev]
+(Pr[GameA|¬Ev]− Pr[GameB|¬Ev])× Pr[¬Ev]
∣∣∣∣∣≤ |1× Pr[Ev] + 0× Pr[¬Ev]| ≤ Pr[Ev]
• Ev is non-negligible and independent of the output in GameA,Simulator B terminates in case of event Ev
ENS/CNRS/INRIA Cascade David Pointcheval 22/68
![Page 60: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/60.jpg)
Two Simulations
• Identical behaviors: Pr[GameA]− Pr[GameB] = 0• The behaviors differ only if Ev happens:
• Ev is negligible, one can ignore it• Ev is non-negligible and independent of the output in GameA,
Simulator B terminates and outputs 0, in case of event Ev:
Pr[GameB] = Pr[GameB|Ev] Pr[Ev] + Pr[GameB|¬Ev] Pr[¬Ev]
= 0× Pr[Ev] + Pr[GameA|¬Ev]× Pr[¬Ev]
= Pr[GameA]× Pr[¬Ev]
Simulator B terminates and flips a coin, in case of event Ev:
Pr[GameB] = Pr[GameB|Ev] Pr[Ev] + Pr[GameB|¬Ev] Pr[¬Ev]
= 12 × Pr[Ev] + Pr[GameA|¬Ev]× Pr[¬Ev]
= 12 + (Pr[GameA]− 1
2 )× Pr[¬Ev]
ENS/CNRS/INRIA Cascade David Pointcheval 23/68
![Page 61: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/61.jpg)
Two Simulations
• Identical behaviors: Pr[GameA]− Pr[GameB] = 0• The behaviors differ only if Ev happens:
• Ev is negligible, one can ignore it• Ev is non-negligible and independent of the output in GameA,
Simulator B terminates in case of event Ev
Event Ev
• Either Ev is negligible, or the output is independent of Ev
• For being able to terminate simulation B in case of event Ev,this event must be efficiently detectable
• For evaluating Pr[Ev], one re-iterates the above process,with an initial game that outputs 1 when event Ev happens
ENS/CNRS/INRIA Cascade David Pointcheval 24/68
![Page 62: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/62.jpg)
Two Distributions
Oracles
ChallengerAdversary
Distribution
0 / 1
Distinguisheur
Pr[GameA]− Pr[GameB] ≤ Adv(Doracles)
ENS/CNRS/INRIA Cascade David Pointcheval 25/68
![Page 63: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/63.jpg)
Two Distributions
Pr[GameA]− Pr[GameB] ≤ Adv(Doracles)
• For identical/statistically close distributions, for any oracle:
Pr[GameA]− Pr[GameB] = Dist(DistribA,DistribB) = negl()
• For computationally close distributions, in general, we need toexclude additional oracle access:
Pr[GameA]− Pr[GameB] ≤ AdvDistrib(t)
where t is the computational time of the distinguisheur
ENS/CNRS/INRIA Cascade David Pointcheval 26/68
![Page 64: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/64.jpg)
Two Distributions
Pr[GameA]− Pr[GameB] ≤ Adv(Doracles)
• For identical/statistically close distributions, for any oracle:
Pr[GameA]− Pr[GameB] = Dist(DistribA,DistribB) = negl()
• For computationally close distributions, in general, we need toexclude additional oracle access:
Pr[GameA]− Pr[GameB] ≤ AdvDistrib(t)
where t is the computational time of the distinguisheur
ENS/CNRS/INRIA Cascade David Pointcheval 26/68
![Page 65: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/65.jpg)
Two Distributions
Pr[GameA]− Pr[GameB] ≤ Adv(Doracles)
• For identical/statistically close distributions, for any oracle:
Pr[GameA]− Pr[GameB] = Dist(DistribA,DistribB) = negl()
• For computationally close distributions, in general, we need toexclude additional oracle access:
Pr[GameA]− Pr[GameB] ≤ AdvDistrib(t)
where t is the computational time of the distinguisheur
ENS/CNRS/INRIA Cascade David Pointcheval 26/68
![Page 66: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/66.jpg)
Advanced Security for Encryption
![Page 67: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/67.jpg)
Outline
Basic Security Notions
Game-based Proofs
Advanced Security for Encryption
Advanced Security Notions
Cramer-Shoup Encryption Scheme
Generic Conversion
Conclusion
ENS/CNRS/INRIA Cascade David Pointcheval 27/68
![Page 68: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/68.jpg)
Public-Key Encryption
Goal: Privacy/Secrecy of the plaintext
ENS/CNRS/INRIA Cascade David Pointcheval 28/68
![Page 69: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/69.jpg)
Public-Key Encryption
Goal: Privacy/Secrecy of the plaintext
ENS/CNRS/INRIA Cascade David Pointcheval 28/68
![Page 70: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/70.jpg)
IND− CPA Security Game
A
ENS/CNRS/INRIA Cascade David Pointcheval 29/68
![Page 71: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/71.jpg)
IND− CPA Security Game
A
kdke G
ENS/CNRS/INRIA Cascade David Pointcheval 29/68
![Page 72: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/72.jpg)
IND− CPA Security Game
A
m1
m0
kdke G
ENS/CNRS/INRIA Cascade David Pointcheval 29/68
![Page 73: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/73.jpg)
IND− CPA Security Game
A
m1
m0
kdke Gb∈{0,1}r random
ENS/CNRS/INRIA Cascade David Pointcheval 29/68
![Page 74: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/74.jpg)
IND− CPA Security Game
A
m1
m0
kdke G
Ermb c*
b∈{0,1}r random
ENS/CNRS/INRIA Cascade David Pointcheval 29/68
![Page 75: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/75.jpg)
IND− CPA Security Game
A
m1
m0
kdke G
Ermb c*
b’
b∈{0,1}r random
ENS/CNRS/INRIA Cascade David Pointcheval 29/68
![Page 76: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/76.jpg)
IND− CPA Security Game
A
m1
m0
kdke G
Ermb c*
b’
b∈{0,1}r random
b’ = b?
ENS/CNRS/INRIA Cascade David Pointcheval 29/68
![Page 77: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/77.jpg)
IND− CPA Security Game
A
m1
m0
kdke G
Ermb c*
b’
b∈{0,1}r random
b’ = b?
The adversary cannot get any information about a plaintext of aspecific ciphertext (validity, partial value, etc)
ENS/CNRS/INRIA Cascade David Pointcheval 29/68
![Page 78: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/78.jpg)
Malleability
Semantic security (ciphertext indistinguishability) guarantees thatno information is leaked from c about the plaintext m
But it may be possible to derive a ciphertext c′
such that the plaintext m′ is related to m in a meaningful way:
• ElGamal ciphertext: c1 = gr and c2 = m × y r
• Malleability: c′1 = c1 = gr and c′2 = 2× c2 = (2m)× y r
From an encryption of m, one can build an encryption of 2m, or arandom ciphertext of m, etc.
ENS/CNRS/INRIA Cascade David Pointcheval 30/68
![Page 79: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/79.jpg)
Malleability
Semantic security (ciphertext indistinguishability) guarantees thatno information is leaked from c about the plaintext m
But it may be possible to derive a ciphertext c′
such that the plaintext m′ is related to m in a meaningful way:
• ElGamal ciphertext: c1 = gr and c2 = m × y r
• Malleability: c′1 = c1 = gr and c′2 = 2× c2 = (2m)× y r
From an encryption of m, one can build an encryption of 2m, or arandom ciphertext of m, etc.
ENS/CNRS/INRIA Cascade David Pointcheval 30/68
![Page 80: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/80.jpg)
Malleability
Semantic security (ciphertext indistinguishability) guarantees thatno information is leaked from c about the plaintext m
But it may be possible to derive a ciphertext c′
such that the plaintext m′ is related to m in a meaningful way:
• ElGamal ciphertext: c1 = gr and c2 = m × y r
• Malleability: c′1 = c1 = gr and c′2 = 2× c2 = (2m)× y r
From an encryption of m, one can build an encryption of 2m, or arandom ciphertext of m, etc.
ENS/CNRS/INRIA Cascade David Pointcheval 30/68
![Page 81: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/81.jpg)
Malleability
Semantic security (ciphertext indistinguishability) guarantees thatno information is leaked from c about the plaintext m
But it may be possible to derive a ciphertext c′
such that the plaintext m′ is related to m in a meaningful way:
• ElGamal ciphertext: c1 = gr and c2 = m × y r
• Malleability: c′1 = c1 = gr and c′2 = 2× c2 = (2m)× y r
From an encryption of m, one can build an encryption of 2m, or arandom ciphertext of m, etc.
ENS/CNRS/INRIA Cascade David Pointcheval 30/68
![Page 82: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/82.jpg)
Non-Malleability: NM− CPA Security Game
A
ENS/CNRS/INRIA Cascade David Pointcheval 31/68
![Page 83: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/83.jpg)
Non-Malleability: NM− CPA Security Game
A
kdke G
ENS/CNRS/INRIA Cascade David Pointcheval 31/68
![Page 84: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/84.jpg)
Non-Malleability: NM− CPA Security Game
A
D, R
kdke G
ENS/CNRS/INRIA Cascade David Pointcheval 31/68
![Page 85: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/85.jpg)
Non-Malleability: NM− CPA Security Game
A
D, R
kdke G
m*, m' ← Dr random
ENS/CNRS/INRIA Cascade David Pointcheval 31/68
![Page 86: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/86.jpg)
Non-Malleability: NM− CPA Security Game
A
D, R
kdke G
Erm* c*
m*, m' ← Dr random
ENS/CNRS/INRIA Cascade David Pointcheval 31/68
![Page 87: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/87.jpg)
Non-Malleability: NM− CPA Security Game
A
D, R
kdke G
Erm* c*
c
m*, m' ← Dr random
ENS/CNRS/INRIA Cascade David Pointcheval 31/68
![Page 88: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/88.jpg)
Non-Malleability: NM− CPA Security Game
A
D, R
kdke G
Erm* c*
c
m*, m' ← Dr random
m = D(c)
ENS/CNRS/INRIA Cascade David Pointcheval 31/68
![Page 89: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/89.jpg)
Non-Malleability: NM− CPA Security Game
A
D, R
kdke G
Erm* c*
c
m*, m' ← Dr random
R(m*,m)vs. R(m',m) m = D(c)
ENS/CNRS/INRIA Cascade David Pointcheval 31/68
![Page 90: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/90.jpg)
Non-Malleability: NM− CPA Security Game
A
D, R
kdke G
Erm* c*
c
m*, m' ← Dr random
R(m*,m)vs. R(m',m) m = D(c)
Advnm−cpaS (A) =
∣∣Pr[R(m∗,m)]− Pr[R(m′,m)]∣∣
ENS/CNRS/INRIA Cascade David Pointcheval 31/68
![Page 91: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/91.jpg)
Additional Information
More information modelled by oracle access
• reaction attacks: oracle which answers, on c,whether the ciphertext c is valid or not
• plaintext-checking attacks: oracle which answers,on a pair (m, c), whether the plaintext m is really encrypted in cor not (whether m = Dsk (c))
• chosen-ciphertext attacks (CCA): decryption oracle(with the restriction not to use it on the challenge ciphertext)=⇒ the adversary can obtain the plaintext of any ciphertext of itschoice (excepted the challenge)
• non-adaptive (CCA− 1) [Naor-Yung – STOC ’90]
only before receiving the challenge• adaptive (CCA− 2) [Rackoff-Simon – Crypto ’91]
unlimited oracle accessENS/CNRS/INRIA Cascade David Pointcheval 32/68
![Page 92: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/92.jpg)
Additional Information
More information modelled by oracle access
• reaction attacks: oracle which answers, on c,whether the ciphertext c is valid or not
• plaintext-checking attacks: oracle which answers,on a pair (m, c), whether the plaintext m is really encrypted in cor not (whether m = Dsk (c))
• chosen-ciphertext attacks (CCA): decryption oracle(with the restriction not to use it on the challenge ciphertext)=⇒ the adversary can obtain the plaintext of any ciphertext of itschoice (excepted the challenge)
• non-adaptive (CCA− 1) [Naor-Yung – STOC ’90]
only before receiving the challenge• adaptive (CCA− 2) [Rackoff-Simon – Crypto ’91]
unlimited oracle accessENS/CNRS/INRIA Cascade David Pointcheval 32/68
![Page 93: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/93.jpg)
Additional Information
More information modelled by oracle access
• reaction attacks: oracle which answers, on c,whether the ciphertext c is valid or not
• plaintext-checking attacks: oracle which answers,on a pair (m, c), whether the plaintext m is really encrypted in cor not (whether m = Dsk (c))
• chosen-ciphertext attacks (CCA): decryption oracle(with the restriction not to use it on the challenge ciphertext)=⇒ the adversary can obtain the plaintext of any ciphertext of itschoice (excepted the challenge)
• non-adaptive (CCA− 1) [Naor-Yung – STOC ’90]
only before receiving the challenge• adaptive (CCA− 2) [Rackoff-Simon – Crypto ’91]
unlimited oracle accessENS/CNRS/INRIA Cascade David Pointcheval 32/68
![Page 94: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/94.jpg)
Additional Information
More information modelled by oracle access
• reaction attacks: oracle which answers, on c,whether the ciphertext c is valid or not
• plaintext-checking attacks: oracle which answers,on a pair (m, c), whether the plaintext m is really encrypted in cor not (whether m = Dsk (c))
• chosen-ciphertext attacks (CCA): decryption oracle(with the restriction not to use it on the challenge ciphertext)=⇒ the adversary can obtain the plaintext of any ciphertext of itschoice (excepted the challenge)
• non-adaptive (CCA− 1) [Naor-Yung – STOC ’90]
only before receiving the challenge• adaptive (CCA− 2) [Rackoff-Simon – Crypto ’91]
unlimited oracle accessENS/CNRS/INRIA Cascade David Pointcheval 32/68
![Page 95: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/95.jpg)
Additional Information
More information modelled by oracle access
• reaction attacks: oracle which answers, on c,whether the ciphertext c is valid or not
• plaintext-checking attacks: oracle which answers,on a pair (m, c), whether the plaintext m is really encrypted in cor not (whether m = Dsk (c))
• chosen-ciphertext attacks (CCA): decryption oracle(with the restriction not to use it on the challenge ciphertext)=⇒ the adversary can obtain the plaintext of any ciphertext of itschoice (excepted the challenge)
• non-adaptive (CCA− 1) [Naor-Yung – STOC ’90]
only before receiving the challenge• adaptive (CCA− 2) [Rackoff-Simon – Crypto ’91]
unlimited oracle accessENS/CNRS/INRIA Cascade David Pointcheval 32/68
![Page 96: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/96.jpg)
Additional Information
More information modelled by oracle access
• reaction attacks: oracle which answers, on c,whether the ciphertext c is valid or not
• plaintext-checking attacks: oracle which answers,on a pair (m, c), whether the plaintext m is really encrypted in cor not (whether m = Dsk (c))
• chosen-ciphertext attacks (CCA): decryption oracle(with the restriction not to use it on the challenge ciphertext)=⇒ the adversary can obtain the plaintext of any ciphertext of itschoice (excepted the challenge)
• non-adaptive (CCA− 1) [Naor-Yung – STOC ’90]
only before receiving the challenge• adaptive (CCA− 2) [Rackoff-Simon – Crypto ’91]
unlimited oracle accessENS/CNRS/INRIA Cascade David Pointcheval 32/68
![Page 97: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/97.jpg)
IND− CCA Security Game
A
ENS/CNRS/INRIA Cascade David Pointcheval 33/68
![Page 98: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/98.jpg)
IND− CCA Security Game
A
kdke G
ENS/CNRS/INRIA Cascade David Pointcheval 33/68
![Page 99: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/99.jpg)
IND− CCA Security Game
A
kdke G
Dc
m
ENS/CNRS/INRIA Cascade David Pointcheval 33/68
![Page 100: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/100.jpg)
IND− CCA Security Game
Am1
m0
kdke G
Dc
m
ENS/CNRS/INRIA Cascade David Pointcheval 33/68
![Page 101: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/101.jpg)
IND− CCA Security Game
A
b∈{0,1}r random
m1
m0
kdke G
Dc
m
ENS/CNRS/INRIA Cascade David Pointcheval 33/68
![Page 102: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/102.jpg)
IND− CCA Security Game
AErmb c*
b∈{0,1}r random
m1
m0
kdke G
Dc
m
ENS/CNRS/INRIA Cascade David Pointcheval 33/68
![Page 103: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/103.jpg)
IND− CCA Security Game
AErmb c*
b∈{0,1}r random
m1
m0
kdke G
Dc
m
Dc ≠ c*
m
ENS/CNRS/INRIA Cascade David Pointcheval 33/68
![Page 104: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/104.jpg)
IND− CCA Security Game
AErmb c*
b∈{0,1}r random
m1
m0
kdke G
Dc
m
Dc ≠ c*
mb’
ENS/CNRS/INRIA Cascade David Pointcheval 33/68
![Page 105: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/105.jpg)
IND− CCA Security Game
AErmb c*
b∈{0,1}r random
m1
m0
kdke G
Dc
m
Dc ≠ c*
mb’b’ = b?
ENS/CNRS/INRIA Cascade David Pointcheval 33/68
![Page 106: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/106.jpg)
IND− CCA Security Game
AErmb c*
b∈{0,1}r random
m1
m0
kdke G
Dc
m
Dc ≠ c*
mb’b’ = b?
The adversary can ask any decryption of its choice:Chosen-Ciphertext Attacks (oracle access)
(sk ,pk)← K();(m0,m1, state)← AD(pk);
b R← {0,1};c = Epk (mb); b′ ← AD(state, c)
Advind−ccaS (A)=
∣∣Pr[b′ = 1|b = 1]−Pr[b′ = 1|b = 0]∣∣= ∣∣2× Pr[b′ = b]−1
∣∣ENS/CNRS/INRIA Cascade David Pointcheval 33/68
![Page 107: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/107.jpg)
Relations [Bellare-Desai-Pointcheval-Rogaway – Crypto ’98]
NM-CPA ⇐ NM-CCA1 ⇐ NM-CCA2
IND-CPA ⇐ IND-CCA1 ⇐ IND-CCA2
strong security: CCA
minimalsecurity
weak security
OW-CPA
⇒ ⇔⇒
⇒ENS/CNRS/INRIA Cascade David Pointcheval 34/68
![Page 108: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/108.jpg)
Outline
Basic Security Notions
Game-based Proofs
Advanced Security for Encryption
Advanced Security Notions
Cramer-Shoup Encryption Scheme
Generic Conversion
Conclusion
ENS/CNRS/INRIA Cascade David Pointcheval 35/68
![Page 109: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/109.jpg)
Cramer-Shoup Encryption Scheme [Cramer-Shoup – Crypto ’98]
Key Generation
• G = (〈g〉,×) group of order q
• sk = (x1, x2, y1, y2, z), where x1, x2, y1, y2, zR← Zq
• pk = (g1,g2,H, c,d ,h), where• g1, g2 are independent elements in G• H a hash function (second-preimage resistant)• c = gx1
1 gx22 , d = gy1
1 gy22 , and h = gz
1
Encryptionu1 = gr
1, u2 = gr2, e = m × hr , v = cr d rα where α = H(u1,u2,e)
ENS/CNRS/INRIA Cascade David Pointcheval 36/68
![Page 110: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/110.jpg)
Cramer-Shoup Encryption Scheme [Cramer-Shoup – Crypto ’98]
Key Generation
• G = (〈g〉,×) group of order q
• sk = (x1, x2, y1, y2, z), where x1, x2, y1, y2, zR← Zq
• pk = (g1,g2,H, c,d ,h), where• g1, g2 are independent elements in G• H a hash function (second-preimage resistant)• c = gx1
1 gx22 , d = gy1
1 gy22 , and h = gz
1
Encryptionu1 = gr
1, u2 = gr2, e = m × hr , v = cr d rα where α = H(u1,u2,e)
ENS/CNRS/INRIA Cascade David Pointcheval 36/68
![Page 111: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/111.jpg)
Cramer-Shoup Encryption Scheme vs. ElGamal
u1 = gr1, u2 = gr
2, e = m × hr , v = cr d rα where α = H(u1,u2,e)
(u1,e) is an ElGamal ciphertext, with public key h = gz1
Decryption
• since h = gz1 , hr = uz
1 , thus m = e/uz1
• since c = gx11 gx2
2 and d = gy11 gy2
2
cr = grx11 grx2
2 = ux11 ux2
2 d r = uy11 uy2
2
One thus first checks whether
v = ux1+αy11 ux2+αy2
2 where α = H(u1,u2,e)
ENS/CNRS/INRIA Cascade David Pointcheval 37/68
![Page 112: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/112.jpg)
Security of the Cramer-Shoup Encryption Scheme
TheoremThe Cramer-Shoup encryption scheme achieves IND− CCAsecurity, under the DDH assumption, and the second-preimageresistance of H:
Advind−ccaCS (t) ≤ 2× Advddh
G (t) + SuccH(t) + 3qD/q
Let us prove this theorem, with a sequence of games, in which A isan IND− CCA adversary against the Cramer-Shoup encryptionscheme.
ENS/CNRS/INRIA Cascade David Pointcheval 38/68
![Page 113: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/113.jpg)
Security of the Cramer-Shoup Encryption Scheme
TheoremThe Cramer-Shoup encryption scheme achieves IND− CCAsecurity, under the DDH assumption, and the second-preimageresistance of H:
Advind−ccaCS (t) ≤ 2× Advddh
G (t) + SuccH(t) + 3qD/q
Let us prove this theorem, with a sequence of games, in which A isan IND− CCA adversary against the Cramer-Shoup encryptionscheme.
ENS/CNRS/INRIA Cascade David Pointcheval 38/68
![Page 114: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/114.jpg)
Real Attack Game
Challenger
● (pk, sk) ← Setup()● Chooses a bit b● c ← E(pk,m
b)
● if b=b': 1● else 0
Adversary0 / 1
Game 0
pkm0,m1
c
b'
Oracles
DSetup
Key Generation Oracle
x1, x2, y1, y2, zR← Zq, g1,g2
R← G: sk = (x1, x2, y1, y2, z)
c = gx11 gx2
2 , d = gy11 gy2
2 , and h = gz1 : pk = (g1,g2,H, c,d ,h)
Decryption Oracle
If v = ux1+αy11 ux2+αy2
2 where α = H(u1,u2,e): m = e/uz1
ENS/CNRS/INRIA Cascade David Pointcheval 39/68
![Page 115: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/115.jpg)
Proof: Invalid ciphertexts
• Game0: use of the oracles K, D• Game1: we abort (with a random output b′)
in case of bad (invalid) accepted ciphertext,where invalid ciphertext means logg1
u1 6= logg2u2
Event FA submits a bad accepted ciphertext
(note: this is not computationally detectable)
The advantage in Game1 is: Pr1[b′ = b|F] = 1/2
PrGame0
[F] = PrGame1
[F] PrGame1
[b′ = b|¬F] = PrGame0
[b′ = b|¬F]
=⇒ Hop-S-Negl: AdvGame1 ≥ AdvGame0 − Pr[F]
ENS/CNRS/INRIA Cascade David Pointcheval 40/68
![Page 116: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/116.jpg)
Proof: Invalid ciphertexts
• Game0: use of the oracles K, D• Game1: we abort (with a random output b′)
in case of bad (invalid) accepted ciphertext,where invalid ciphertext means logg1
u1 6= logg2u2
Event FA submits a bad accepted ciphertext
(note: this is not computationally detectable)
The advantage in Game1 is: Pr1[b′ = b|F] = 1/2
PrGame0
[F] = PrGame1
[F] PrGame1
[b′ = b|¬F] = PrGame0
[b′ = b|¬F]
=⇒ Hop-S-Negl: AdvGame1 ≥ AdvGame0 − Pr[F]
ENS/CNRS/INRIA Cascade David Pointcheval 40/68
![Page 117: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/117.jpg)
Proof: Invalid ciphertexts
• Game0: use of the oracles K, D• Game1: we abort (with a random output b′)
in case of bad (invalid) accepted ciphertext,where invalid ciphertext means logg1
u1 6= logg2u2
Event FA submits a bad accepted ciphertext
(note: this is not computationally detectable)
The advantage in Game1 is: Pr1[b′ = b|F] = 1/2
PrGame0
[F] = PrGame1
[F] PrGame1
[b′ = b|¬F] = PrGame0
[b′ = b|¬F]
=⇒ Hop-S-Negl: AdvGame1 ≥ AdvGame0 − Pr[F]
ENS/CNRS/INRIA Cascade David Pointcheval 40/68
![Page 118: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/118.jpg)
Proof: Invalid ciphertexts
• Game0: use of the oracles K, D• Game1: we abort (with a random output b′)
in case of bad (invalid) accepted ciphertext,where invalid ciphertext means logg1
u1 6= logg2u2
Event FA submits a bad accepted ciphertext
(note: this is not computationally detectable)
The advantage in Game1 is: Pr1[b′ = b|F] = 1/2
PrGame0
[F] = PrGame1
[F] PrGame1
[b′ = b|¬F] = PrGame0
[b′ = b|¬F]
=⇒ Hop-S-Negl: AdvGame1 ≥ AdvGame0 − Pr[F]
ENS/CNRS/INRIA Cascade David Pointcheval 40/68
![Page 119: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/119.jpg)
Details: Shoup’s Lemma
AdvGame1 = 2× PrGame1
[b′ = b]− 1
ENS/CNRS/INRIA Cascade David Pointcheval 41/68
![Page 120: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/120.jpg)
Details: Shoup’s Lemma
AdvGame1 = 2× PrGame1
[b′ = b]− 1
= 2× PrGame1
[b′ = b|¬F] PrGame1
[¬F]
+2× PrGame1
[b′ = b|F] PrGame1
[F]− 1
ENS/CNRS/INRIA Cascade David Pointcheval 41/68
![Page 121: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/121.jpg)
Details: Shoup’s Lemma
AdvGame1 = 2× PrGame1
[b′ = b]− 1
= 2× PrGame1
[b′ = b|¬F] PrGame1
[¬F]
+2× PrGame1
[b′ = b|F] PrGame1
[F]− 1
= 2× PrGame0
[b′ = b|¬F] PrGame0
[¬F] + PrGame0
[F]− 1
ENS/CNRS/INRIA Cascade David Pointcheval 41/68
![Page 122: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/122.jpg)
Details: Shoup’s Lemma
AdvGame1 = 2× PrGame1
[b′ = b]− 1
= 2× PrGame1
[b′ = b|¬F] PrGame1
[¬F]
+2× PrGame1
[b′ = b|F] PrGame1
[F]− 1
= 2× PrGame0
[b′ = b|¬F] PrGame0
[¬F] + PrGame0
[F]− 1
= 2× PrGame0
[b′ = b]− 2× PrGame0
[b′ = b|F] PrGame0
[F]
+ PrGame0
[F]− 1
ENS/CNRS/INRIA Cascade David Pointcheval 41/68
![Page 123: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/123.jpg)
Details: Shoup’s Lemma
AdvGame1 = 2× PrGame1
[b′ = b]− 1
= 2× PrGame1
[b′ = b|¬F] PrGame1
[¬F]
+2× PrGame1
[b′ = b|F] PrGame1
[F]− 1
= 2× PrGame0
[b′ = b|¬F] PrGame0
[¬F] + PrGame0
[F]− 1
= 2× PrGame0
[b′ = b]− 2× PrGame0
[b′ = b|F] PrGame0
[F]
+ PrGame0
[F]− 1
= AdvGame0 − PrGame0
[F](2× PrGame0
[b′ = b|F]− 1)
ENS/CNRS/INRIA Cascade David Pointcheval 41/68
![Page 124: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/124.jpg)
Details: Shoup’s Lemma
AdvGame1 = 2× PrGame1
[b′ = b]− 1
= 2× PrGame1
[b′ = b|¬F] PrGame1
[¬F]
+2× PrGame1
[b′ = b|F] PrGame1
[F]− 1
= 2× PrGame0
[b′ = b|¬F] PrGame0
[¬F] + PrGame0
[F]− 1
= 2× PrGame0
[b′ = b]− 2× PrGame0
[b′ = b|F] PrGame0
[F]
+ PrGame0
[F]− 1
= AdvGame0 − PrGame0
[F](2× PrGame0
[b′ = b|F]− 1)
≥ AdvGame0 − PrGame0
[F]
ENS/CNRS/INRIA Cascade David Pointcheval 41/68
![Page 125: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/125.jpg)
Details: Bad Accept
In order to evaluate Pr[F], we study the probability that
• r1 = logg1u1 6= logg2
u2 = r2,
• whereas v = ux1+αy11 ux2+αy2
2
The adversary just knows the public key:
c = gx11 gx2
2 d = gy11 gy2
2
Let us move to the exponents, in basis g1, with g2 = gs1:
log c = x1 + sx2
log d = y1 + sy2
log v = r1(x1 + αy1) + sr2(x2 + αy2)
The system is under-defined: for any v , there are (x1, x2, y1, y2)
that satisfy the system =⇒ v is unpredictable=⇒ Pr[F] ≤ qD/q =⇒ AdvGame1 ≥ AdvGame0 − qD/q
ENS/CNRS/INRIA Cascade David Pointcheval 42/68
![Page 126: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/126.jpg)
Details: Bad Accept
In order to evaluate Pr[F], we study the probability that
• r1 = logg1u1 6= logg2
u2 = r2,
• whereas v = ux1+αy11 ux2+αy2
2
The adversary just knows the public key:
c = gx11 gx2
2 d = gy11 gy2
2
Let us move to the exponents, in basis g1, with g2 = gs1:
log c = x1 + sx2
log d = y1 + sy2
log v = r1(x1 + αy1) + sr2(x2 + αy2)
The system is under-defined: for any v , there are (x1, x2, y1, y2)
that satisfy the system =⇒ v is unpredictable=⇒ Pr[F] ≤ qD/q =⇒ AdvGame1 ≥ AdvGame0 − qD/q
ENS/CNRS/INRIA Cascade David Pointcheval 42/68
![Page 127: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/127.jpg)
Details: Bad Accept
In order to evaluate Pr[F], we study the probability that
• r1 = logg1u1 6= logg2
u2 = r2,
• whereas v = ux1+αy11 ux2+αy2
2
The adversary just knows the public key:
c = gx11 gx2
2 d = gy11 gy2
2
Let us move to the exponents, in basis g1, with g2 = gs1:
log c = x1 + sx2
log d = y1 + sy2
log v = r1(x1 + αy1) + sr2(x2 + αy2)
The system is under-defined: for any v , there are (x1, x2, y1, y2)
that satisfy the system =⇒ v is unpredictable=⇒ Pr[F] ≤ qD/q =⇒ AdvGame1 ≥ AdvGame0 − qD/q
ENS/CNRS/INRIA Cascade David Pointcheval 42/68
![Page 128: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/128.jpg)
Details: Bad Accept
In order to evaluate Pr[F], we study the probability that
• r1 = logg1u1 6= logg2
u2 = r2,
• whereas v = ux1+αy11 ux2+αy2
2
The adversary just knows the public key:
c = gx11 gx2
2 d = gy11 gy2
2
Let us move to the exponents, in basis g1, with g2 = gs1:
log c = x1 + sx2
log d = y1 + sy2
log v = r1(x1 + αy1) + sr2(x2 + αy2)
The system is under-defined: for any v , there are (x1, x2, y1, y2)
that satisfy the system =⇒ v is unpredictable=⇒ Pr[F] ≤ qD/q =⇒ AdvGame1 ≥ AdvGame0 − qD/q
ENS/CNRS/INRIA Cascade David Pointcheval 42/68
![Page 129: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/129.jpg)
Details: Bad Accept
In order to evaluate Pr[F], we study the probability that
• r1 = logg1u1 6= logg2
u2 = r2,
• whereas v = ux1+αy11 ux2+αy2
2
The adversary just knows the public key:
c = gx11 gx2
2 d = gy11 gy2
2
Let us move to the exponents, in basis g1, with g2 = gs1:
log c = x1 + sx2
log d = y1 + sy2
log v = r1(x1 + αy1) + sr2(x2 + αy2)
The system is under-defined: for any v , there are (x1, x2, y1, y2)
that satisfy the system =⇒ v is unpredictable=⇒ Pr[F] ≤ qD/q =⇒ AdvGame1 ≥ AdvGame0 − qD/q
ENS/CNRS/INRIA Cascade David Pointcheval 42/68
![Page 130: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/130.jpg)
Details: Bad Accept
In order to evaluate Pr[F], we study the probability that
• r1 = logg1u1 6= logg2
u2 = r2,
• whereas v = ux1+αy11 ux2+αy2
2
The adversary just knows the public key:
c = gx11 gx2
2 d = gy11 gy2
2
Let us move to the exponents, in basis g1, with g2 = gs1:
log c = x1 + sx2
log d = y1 + sy2
log v = r1(x1 + αy1) + sr2(x2 + αy2)
The system is under-defined: for any v , there are (x1, x2, y1, y2)
that satisfy the system =⇒ v is unpredictable=⇒ Pr[F] ≤ qD/q =⇒ AdvGame1 ≥ AdvGame0 − qD/q
ENS/CNRS/INRIA Cascade David Pointcheval 42/68
![Page 131: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/131.jpg)
Details: Bad Accept
In order to evaluate Pr[F], we study the probability that
• r1 = logg1u1 6= logg2
u2 = r2,
• whereas v = ux1+αy11 ux2+αy2
2
The adversary just knows the public key:
c = gx11 gx2
2 d = gy11 gy2
2
Let us move to the exponents, in basis g1, with g2 = gs1:
log c = x1 + sx2
log d = y1 + sy2
log v = r1(x1 + αy1) + sr2(x2 + αy2)
The system is under-defined: for any v , there are (x1, x2, y1, y2)
that satisfy the system =⇒ v is unpredictable=⇒ Pr[F] ≤ qD/q =⇒ AdvGame1 ≥ AdvGame0 − qD/q
ENS/CNRS/INRIA Cascade David Pointcheval 42/68
![Page 132: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/132.jpg)
Proof: Simulations
• Game2: we use the simulations
Key Generation Simulation
x1, x2, y1, y2, z1, z2R← Zq, g1,g2
R← G: sk = (x1, x2, y1, y2, z1, z2)
g2 = gs1
c = gx11 gx2
2 , d = gy11 gy2
2 , and h = gz11 gz2
2 : pk = (g1,g2,H, c,d ,h)
z = z1 + sz2
Distribution of the public key: Identical
Decryption Simulation
If v = ux1+αy11 ux2+αy2
2 where α = H(u1,u2,e): m = e/uz11 uz2
2
Under the assumption of ¬F, perfect simulation=⇒ Hop-S-Perfect: AdvGame2 = AdvGame1
ENS/CNRS/INRIA Cascade David Pointcheval 43/68
![Page 133: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/133.jpg)
Proof: Simulations
• Game2: we use the simulations
Key Generation Simulation
x1, x2, y1, y2, z1, z2R← Zq, g1,g2
R← G: sk = (x1, x2, y1, y2, z1, z2)
g2 = gs1
c = gx11 gx2
2 , d = gy11 gy2
2 , and h = gz11 gz2
2 : pk = (g1,g2,H, c,d ,h)
z = z1 + sz2
Distribution of the public key: Identical
Decryption Simulation
If v = ux1+αy11 ux2+αy2
2 where α = H(u1,u2,e): m = e/uz11 uz2
2
Under the assumption of ¬F, perfect simulation=⇒ Hop-S-Perfect: AdvGame2 = AdvGame1
ENS/CNRS/INRIA Cascade David Pointcheval 43/68
![Page 134: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/134.jpg)
Proof: Simulations
• Game2: we use the simulations
Key Generation Simulation
x1, x2, y1, y2, z1, z2R← Zq, g1,g2
R← G: sk = (x1, x2, y1, y2, z1, z2)
g2 = gs1
c = gx11 gx2
2 , d = gy11 gy2
2 , and h = gz11 gz2
2 : pk = (g1,g2,H, c,d ,h)
z = z1 + sz2
Distribution of the public key: Identical
Decryption Simulation
If v = ux1+αy11 ux2+αy2
2 where α = H(u1,u2,e): m = e/uz11 uz2
2
Under the assumption of ¬F, perfect simulation=⇒ Hop-S-Perfect: AdvGame2 = AdvGame1
ENS/CNRS/INRIA Cascade David Pointcheval 43/68
![Page 135: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/135.jpg)
Proof: Simulations
• Game2: we use the simulations
Key Generation Simulation
x1, x2, y1, y2, z1, z2R← Zq, g1,g2
R← G: sk = (x1, x2, y1, y2, z1, z2)
g2 = gs1
c = gx11 gx2
2 , d = gy11 gy2
2 , and h = gz11 gz2
2 : pk = (g1,g2,H, c,d ,h)
z = z1 + sz2
Distribution of the public key: Identical
Decryption Simulation
If v = ux1+αy11 ux2+αy2
2 where α = H(u1,u2,e): m = e/uz11 uz2
2
Under the assumption of ¬F, perfect simulation=⇒ Hop-S-Perfect: AdvGame2 = AdvGame1
ENS/CNRS/INRIA Cascade David Pointcheval 43/68
![Page 136: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/136.jpg)
Proof: Simulations
• Game2: we use the simulations
Key Generation Simulation
x1, x2, y1, y2, z1, z2R← Zq, g1,g2
R← G: sk = (x1, x2, y1, y2, z1, z2)
g2 = gs1
c = gx11 gx2
2 , d = gy11 gy2
2 , and h = gz11 gz2
2 : pk = (g1,g2,H, c,d ,h)
z = z1 + sz2
Distribution of the public key: Identical
Decryption Simulation
If v = ux1+αy11 ux2+αy2
2 where α = H(u1,u2,e): m = e/uz11 uz2
2
Under the assumption of ¬F, perfect simulation=⇒ Hop-S-Perfect: AdvGame2 = AdvGame1
ENS/CNRS/INRIA Cascade David Pointcheval 43/68
![Page 137: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/137.jpg)
Proof: Simulations
• Game2: we use the simulations
Key Generation Simulation
x1, x2, y1, y2, z1, z2R← Zq, g1,g2
R← G: sk = (x1, x2, y1, y2, z1, z2)
g2 = gs1
c = gx11 gx2
2 , d = gy11 gy2
2 , and h = gz11 gz2
2 : pk = (g1,g2,H, c,d ,h)
z = z1 + sz2
Distribution of the public key: Identical
Decryption Simulation
If v = ux1+αy11 ux2+αy2
2 where α = H(u1,u2,e): m = e/uz11 uz2
2
Under the assumption of ¬F, perfect simulation=⇒ Hop-S-Perfect: AdvGame2 = AdvGame1
ENS/CNRS/INRIA Cascade David Pointcheval 43/68
![Page 138: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/138.jpg)
Proof: Computable Adversary
• Game3: we do no longer exclude bad accepted ciphertexts=⇒ Hop-S-Negl:AdvGame3 ≥ AdvGame2 − Pr[F] ≥ AdvGame2 − qD/q
This is technical: to make the simulator/adversary computable
ENS/CNRS/INRIA Cascade David Pointcheval 44/68
![Page 139: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/139.jpg)
Proof: Computable Adversary
• Game3: we do no longer exclude bad accepted ciphertexts=⇒ Hop-S-Negl:AdvGame3 ≥ AdvGame2 − Pr[F] ≥ AdvGame2 − qD/q
This is technical: to make the simulator/adversary computable
ENS/CNRS/INRIA Cascade David Pointcheval 44/68
![Page 140: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/140.jpg)
Proof: Computable Adversary
• Game3: we do no longer exclude bad accepted ciphertexts=⇒ Hop-S-Negl:AdvGame3 ≥ AdvGame2 − Pr[F] ≥ AdvGame2 − qD/q
This is technical: to make the simulator/adversary computable
ENS/CNRS/INRIA Cascade David Pointcheval 44/68
![Page 141: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/141.jpg)
Proof: Computable Adversary
• Game3: we do no longer exclude bad accepted ciphertexts=⇒ Hop-S-Negl:AdvGame3 ≥ AdvGame2 − Pr[F] ≥ AdvGame2 − qD/q
This is technical: to make the simulator/adversary computable
ENS/CNRS/INRIA Cascade David Pointcheval 44/68
![Page 142: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/142.jpg)
Proof: DDH Assumption
• Game4: we modify the generation of the challenge ciphertext:
Original Challenge
Random choice: b R← {0,1}, r R← Zq [α = H(u1, u2, e)]
u1 = gr1, u2 = gr
2, e = mb × hr , v = cr d rα
New Challenge 1
Given (U = gr1,V = gr
2) and random choice b R← {0,1}
u1 = U, u2 = V , e = mb × Uz1V z2 , v = Ux1+αy1V x2+αy2
With (U = gr1,V = gr
2): Uz1V z2 = hr and Ux1+αy1V x2+αy2 = cr d rα
=⇒ Hop-S-Perfect: AdvGame4 = AdvGame3
ENS/CNRS/INRIA Cascade David Pointcheval 45/68
![Page 143: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/143.jpg)
Proof: DDH Assumption
• Game4: we modify the generation of the challenge ciphertext:
Original Challenge
Random choice: b R← {0,1}, r R← Zq [α = H(u1, u2, e)]
u1 = gr1, u2 = gr
2, e = mb × hr , v = cr d rα
New Challenge 1
Given (U = gr1,V = gr
2) and random choice b R← {0,1}
u1 = U, u2 = V , e = mb × Uz1V z2 , v = Ux1+αy1V x2+αy2
With (U = gr1,V = gr
2): Uz1V z2 = hr and Ux1+αy1V x2+αy2 = cr d rα
=⇒ Hop-S-Perfect: AdvGame4 = AdvGame3
ENS/CNRS/INRIA Cascade David Pointcheval 45/68
![Page 144: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/144.jpg)
Proof: DDH Assumption
• Game4: we modify the generation of the challenge ciphertext:
Original Challenge
Random choice: b R← {0,1}, r R← Zq [α = H(u1, u2, e)]
u1 = gr1, u2 = gr
2, e = mb × hr , v = cr d rα
New Challenge 1
Given (U = gr1,V = gr
2) and random choice b R← {0,1}
u1 = U, u2 = V , e = mb × Uz1V z2 , v = Ux1+αy1V x2+αy2
With (U = gr1,V = gr
2): Uz1V z2 = hr and Ux1+αy1V x2+αy2 = cr d rα
=⇒ Hop-S-Perfect: AdvGame4 = AdvGame3
ENS/CNRS/INRIA Cascade David Pointcheval 45/68
![Page 145: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/145.jpg)
Proof: DDH Assumption
• Game4: we modify the generation of the challenge ciphertext:
Original Challenge
Random choice: b R← {0,1}, r R← Zq [α = H(u1, u2, e)]
u1 = gr1, u2 = gr
2, e = mb × hr , v = cr d rα
New Challenge 1
Given (U = gr1,V = gr
2) and random choice b R← {0,1}
u1 = U, u2 = V , e = mb × Uz1V z2 , v = Ux1+αy1V x2+αy2
With (U = gr1,V = gr
2): Uz1V z2 = hr and Ux1+αy1V x2+αy2 = cr d rα
=⇒ Hop-S-Perfect: AdvGame4 = AdvGame3
ENS/CNRS/INRIA Cascade David Pointcheval 45/68
![Page 146: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/146.jpg)
Proof: DDH Assumption
• Game4: we modify the generation of the challenge ciphertext:
Original Challenge
Random choice: b R← {0,1}, r R← Zq [α = H(u1, u2, e)]
u1 = gr1, u2 = gr
2, e = mb × hr , v = cr d rα
New Challenge 1
Given (U = gr1,V = gr
2) and random choice b R← {0,1}
u1 = U, u2 = V , e = mb × Uz1V z2 , v = Ux1+αy1V x2+αy2
With (U = gr1,V = gr
2): Uz1V z2 = hr and Ux1+αy1V x2+αy2 = cr d rα
=⇒ Hop-S-Perfect: AdvGame4 = AdvGame3
ENS/CNRS/INRIA Cascade David Pointcheval 45/68
![Page 147: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/147.jpg)
Proof: DDH Assumption
• Game5: we modify the generation of the challenge ciphertext:
Previous Challenge 1
Given (U = gr1,V = gr
2) and random choice b R← {0,1}
u1 = U, u2 = V , e = mb × Uz1V z2 , v = Ux1+αy1V x2+αy2
New Challenge 2
Given (U = gr11 ,V = gr2
2 ) and random choice b R← {0,1}
u1 = U, u2 = V , e = mb × Uz1V z2 , v = Ux1+αy1V x2+αy2
The input changes from (U = gr1,V = gr
2) to (U = gr11 ,V = gr2
2 ):=⇒ Hop-D-Comp: AdvGame5 ≥ AdvGame4 − 2× Advddh
G (t)
ENS/CNRS/INRIA Cascade David Pointcheval 46/68
![Page 148: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/148.jpg)
Proof: DDH Assumption
• Game5: we modify the generation of the challenge ciphertext:
Previous Challenge 1
Given (U = gr1,V = gr
2) and random choice b R← {0,1}
u1 = U, u2 = V , e = mb × Uz1V z2 , v = Ux1+αy1V x2+αy2
New Challenge 2
Given (U = gr11 ,V = gr2
2 ) and random choice b R← {0,1}
u1 = U, u2 = V , e = mb × Uz1V z2 , v = Ux1+αy1V x2+αy2
The input changes from (U = gr1,V = gr
2) to (U = gr11 ,V = gr2
2 ):=⇒ Hop-D-Comp: AdvGame5 ≥ AdvGame4 − 2× Advddh
G (t)
ENS/CNRS/INRIA Cascade David Pointcheval 46/68
![Page 149: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/149.jpg)
Proof: DDH Assumption
• Game5: we modify the generation of the challenge ciphertext:
Previous Challenge 1
Given (U = gr1,V = gr
2) and random choice b R← {0,1}
u1 = U, u2 = V , e = mb × Uz1V z2 , v = Ux1+αy1V x2+αy2
New Challenge 2
Given (U = gr11 ,V = gr2
2 ) and random choice b R← {0,1}
u1 = U, u2 = V , e = mb × Uz1V z2 , v = Ux1+αy1V x2+αy2
The input changes from (U = gr1,V = gr
2) to (U = gr11 ,V = gr2
2 ):=⇒ Hop-D-Comp: AdvGame5 ≥ AdvGame4 − 2× Advddh
G (t)
ENS/CNRS/INRIA Cascade David Pointcheval 46/68
![Page 150: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/150.jpg)
Proof: DDH Assumption
• Game5: we modify the generation of the challenge ciphertext:
Previous Challenge 1
Given (U = gr1,V = gr
2) and random choice b R← {0,1}
u1 = U, u2 = V , e = mb × Uz1V z2 , v = Ux1+αy1V x2+αy2
New Challenge 2
Given (U = gr11 ,V = gr2
2 ) and random choice b R← {0,1}
u1 = U, u2 = V , e = mb × Uz1V z2 , v = Ux1+αy1V x2+αy2
The input changes from (U = gr1,V = gr
2) to (U = gr11 ,V = gr2
2 ):=⇒ Hop-D-Comp: AdvGame5 ≥ AdvGame4 − 2× Advddh
G (t)
ENS/CNRS/INRIA Cascade David Pointcheval 46/68
![Page 151: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/151.jpg)
Proof: DDH Assumption
• Game5: we modify the generation of the challenge ciphertext:
Previous Challenge 1
Given (U = gr1,V = gr
2) and random choice b R← {0,1}
u1 = U, u2 = V , e = mb × Uz1V z2 , v = Ux1+αy1V x2+αy2
New Challenge 2
Given (U = gr11 ,V = gr2
2 ) and random choice b R← {0,1}
u1 = U, u2 = V , e = mb × Uz1V z2 , v = Ux1+αy1V x2+αy2
The input changes from (U = gr1,V = gr
2) to (U = gr11 ,V = gr2
2 ):=⇒ Hop-D-Comp: AdvGame5 ≥ AdvGame4 − 2× Advddh
G (t)
ENS/CNRS/INRIA Cascade David Pointcheval 46/68
![Page 152: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/152.jpg)
Proof: DDH Assumption
The input from outside changes from (U = gr1,V = gr
2) (a CDH tuple)to (U = gr1
1 ,V = gr22 ) (a random tuple):
PrGame4
[b′ = b]− PrGame5
[b′ = b] ≤ AdvddhG (t)
=⇒ Hop-D-Comp: AdvGame5 ≥ AdvGame4 − 2× AdvddhG (t)
(Since Adv = 2× Pr[b′ = b]− 1)
ENS/CNRS/INRIA Cascade David Pointcheval 47/68
![Page 153: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/153.jpg)
Proof: DDH Assumption
The input from outside changes from (U = gr1,V = gr
2) (a CDH tuple)to (U = gr1
1 ,V = gr22 ) (a random tuple):
PrGame4
[b′ = b]− PrGame5
[b′ = b] ≤ AdvddhG (t)
=⇒ Hop-D-Comp: AdvGame5 ≥ AdvGame4 − 2× AdvddhG (t)
(Since Adv = 2× Pr[b′ = b]− 1)
ENS/CNRS/INRIA Cascade David Pointcheval 47/68
![Page 154: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/154.jpg)
Proof: DDH Assumption
The input from outside changes from (U = gr1,V = gr
2) (a CDH tuple)to (U = gr1
1 ,V = gr22 ) (a random tuple):
PrGame4
[b′ = b]− PrGame5
[b′ = b] ≤ AdvddhG (t)
=⇒ Hop-D-Comp: AdvGame5 ≥ AdvGame4 − 2× AdvddhG (t)
(Since Adv = 2× Pr[b′ = b]− 1)
ENS/CNRS/INRIA Cascade David Pointcheval 47/68
![Page 155: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/155.jpg)
Proof: DDH Assumption
The input from outside changes from (U = gr1,V = gr
2) (a CDH tuple)to (U = gr1
1 ,V = gr22 ) (a random tuple):
PrGame4
[b′ = b]− PrGame5
[b′ = b] ≤ AdvddhG (t)
=⇒ Hop-D-Comp: AdvGame5 ≥ AdvGame4 − 2× AdvddhG (t)
(Since Adv = 2× Pr[b′ = b]− 1)
ENS/CNRS/INRIA Cascade David Pointcheval 47/68
![Page 156: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/156.jpg)
Proof: Collision
• Game6: we abort (with a random output b′)in case of second pre-image with a decryption query
Event FH
A submits a ciphertext with the same α as the challenge ciphertext,but a different initial triple: (u1,u2,e) 6= (u∗1,u
∗2,e∗), but α = α∗, were
“*” are for all the elements related to the challenge ciphertext.
Second pre-image of H: =⇒ Pr[FH ] ≤ SuccH(t)
The advantage in Game6 is: PrGame6 [b′ = b|FH ] = 1/2
PrGame5
[FH ] = PrGame6
[FH ] PrGame6
[b′ = b|¬FH ] = PrGame5
[b′ = b|¬FH ]
=⇒ Hop-S-Negl: AdvGame6 ≥ AdvGame5 − Pr[FH ]
AdvGame6 ≥ AdvGame5 − SuccH(t)ENS/CNRS/INRIA Cascade David Pointcheval 48/68
![Page 157: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/157.jpg)
Proof: Collision
• Game6: we abort (with a random output b′)in case of second pre-image with a decryption query
Event FH
A submits a ciphertext with the same α as the challenge ciphertext,but a different initial triple: (u1,u2,e) 6= (u∗1,u
∗2,e∗), but α = α∗, were
“*” are for all the elements related to the challenge ciphertext.
Second pre-image of H: =⇒ Pr[FH ] ≤ SuccH(t)
The advantage in Game6 is: PrGame6 [b′ = b|FH ] = 1/2
PrGame5
[FH ] = PrGame6
[FH ] PrGame6
[b′ = b|¬FH ] = PrGame5
[b′ = b|¬FH ]
=⇒ Hop-S-Negl: AdvGame6 ≥ AdvGame5 − Pr[FH ]
AdvGame6 ≥ AdvGame5 − SuccH(t)ENS/CNRS/INRIA Cascade David Pointcheval 48/68
![Page 158: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/158.jpg)
Proof: Collision
• Game6: we abort (with a random output b′)in case of second pre-image with a decryption query
Event FH
A submits a ciphertext with the same α as the challenge ciphertext,but a different initial triple: (u1,u2,e) 6= (u∗1,u
∗2,e∗), but α = α∗, were
“*” are for all the elements related to the challenge ciphertext.
Second pre-image of H: =⇒ Pr[FH ] ≤ SuccH(t)
The advantage in Game6 is: PrGame6 [b′ = b|FH ] = 1/2
PrGame5
[FH ] = PrGame6
[FH ] PrGame6
[b′ = b|¬FH ] = PrGame5
[b′ = b|¬FH ]
=⇒ Hop-S-Negl: AdvGame6 ≥ AdvGame5 − Pr[FH ]
AdvGame6 ≥ AdvGame5 − SuccH(t)ENS/CNRS/INRIA Cascade David Pointcheval 48/68
![Page 159: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/159.jpg)
Proof: Collision
• Game6: we abort (with a random output b′)in case of second pre-image with a decryption query
Event FH
A submits a ciphertext with the same α as the challenge ciphertext,but a different initial triple: (u1,u2,e) 6= (u∗1,u
∗2,e∗), but α = α∗, were
“*” are for all the elements related to the challenge ciphertext.
Second pre-image of H: =⇒ Pr[FH ] ≤ SuccH(t)
The advantage in Game6 is: PrGame6 [b′ = b|FH ] = 1/2
PrGame5
[FH ] = PrGame6
[FH ] PrGame6
[b′ = b|¬FH ] = PrGame5
[b′ = b|¬FH ]
=⇒ Hop-S-Negl: AdvGame6 ≥ AdvGame5 − Pr[FH ]
AdvGame6 ≥ AdvGame5 − SuccH(t)ENS/CNRS/INRIA Cascade David Pointcheval 48/68
![Page 160: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/160.jpg)
Proof: Invalid ciphertexts
• Game7: we abort (with a random output b′)in case of bad accepted ciphertext,we do as in Game1
Event F′
A submits a bad accepted ciphertext(note: this is not computationally detectable)
The advantage in Game7 is: PrGame7 [b′ = b|F′] = 1/2
PrGame6
[F′] = PrGame7
[F′] PrGame7
[b′ = b|¬F′] = PrGame6
[b′ = b|¬F′]
=⇒ Hop-S-Negl: AdvGame7 ≥ AdvGame6 − Pr[F′]
ENS/CNRS/INRIA Cascade David Pointcheval 49/68
![Page 161: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/161.jpg)
Proof: Invalid ciphertexts
• Game7: we abort (with a random output b′)in case of bad accepted ciphertext,we do as in Game1
Event F′
A submits a bad accepted ciphertext(note: this is not computationally detectable)
The advantage in Game7 is: PrGame7 [b′ = b|F′] = 1/2
PrGame6
[F′] = PrGame7
[F′] PrGame7
[b′ = b|¬F′] = PrGame6
[b′ = b|¬F′]
=⇒ Hop-S-Negl: AdvGame7 ≥ AdvGame6 − Pr[F′]
ENS/CNRS/INRIA Cascade David Pointcheval 49/68
![Page 162: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/162.jpg)
Proof: Invalid ciphertexts
• Game7: we abort (with a random output b′)in case of bad accepted ciphertext,we do as in Game1
Event F′
A submits a bad accepted ciphertext(note: this is not computationally detectable)
The advantage in Game7 is: PrGame7 [b′ = b|F′] = 1/2
PrGame6
[F′] = PrGame7
[F′] PrGame7
[b′ = b|¬F′] = PrGame6
[b′ = b|¬F′]
=⇒ Hop-S-Negl: AdvGame7 ≥ AdvGame6 − Pr[F′]
ENS/CNRS/INRIA Cascade David Pointcheval 49/68
![Page 163: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/163.jpg)
Details: Bad Accept
In order to evaluate Pr[F′], we study the probability that
• r1 = logg1u1 6= logg2
u2 = r2,
• whereas v = u1x1+αy1u2
x2+αy2
Let us use “*” for all the elements related to the challenge ciphertext.
Three cases may appear:
• Case 1: (u1,u2,e) = (u∗1,u∗2,e∗), then necessarily
v 6= v∗ = Ux1+α∗y1V x2+α
∗y2 = u∗1x1+α
∗y1u∗2x2+α
∗y2
Then, the ciphertext is rejected =⇒ Pr[F′1] = 0
• Case 2: (u1,u2,e) 6= (u∗1,u∗2,e∗), but α = α∗:
From the previous game, Aborts =⇒ Pr[F′2] = 0
• Case 3: (u1,u2,e) 6= (u∗1,u∗2,e∗), and α 6= α∗
ENS/CNRS/INRIA Cascade David Pointcheval 50/68
![Page 164: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/164.jpg)
Details: Bad Accept
In order to evaluate Pr[F′], we study the probability that
• r1 = logg1u1 6= logg2
u2 = r2,
• whereas v = u1x1+αy1u2
x2+αy2
Let us use “*” for all the elements related to the challenge ciphertext.
Three cases may appear:
• Case 1: (u1,u2,e) = (u∗1,u∗2,e∗), then necessarily
v 6= v∗ = Ux1+α∗y1V x2+α
∗y2 = u∗1x1+α
∗y1u∗2x2+α
∗y2
Then, the ciphertext is rejected =⇒ Pr[F′1] = 0
• Case 2: (u1,u2,e) 6= (u∗1,u∗2,e∗), but α = α∗:
From the previous game, Aborts =⇒ Pr[F′2] = 0
• Case 3: (u1,u2,e) 6= (u∗1,u∗2,e∗), and α 6= α∗
ENS/CNRS/INRIA Cascade David Pointcheval 50/68
![Page 165: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/165.jpg)
Details: Bad Accept
In order to evaluate Pr[F′], we study the probability that
• r1 = logg1u1 6= logg2
u2 = r2,
• whereas v = u1x1+αy1u2
x2+αy2
Let us use “*” for all the elements related to the challenge ciphertext.
Three cases may appear:
• Case 1: (u1,u2,e) = (u∗1,u∗2,e∗), then necessarily
v 6= v∗ = Ux1+α∗y1V x2+α
∗y2 = u∗1x1+α
∗y1u∗2x2+α
∗y2
Then, the ciphertext is rejected =⇒ Pr[F′1] = 0
• Case 2: (u1,u2,e) 6= (u∗1,u∗2,e∗), but α = α∗:
From the previous game, Aborts =⇒ Pr[F′2] = 0
• Case 3: (u1,u2,e) 6= (u∗1,u∗2,e∗), and α 6= α∗
ENS/CNRS/INRIA Cascade David Pointcheval 50/68
![Page 166: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/166.jpg)
Details: Bad Accept
In order to evaluate Pr[F′], we study the probability that
• r1 = logg1u1 6= logg2
u2 = r2,
• whereas v = u1x1+αy1u2
x2+αy2
Let us use “*” for all the elements related to the challenge ciphertext.
Three cases may appear:
• Case 1: (u1,u2,e) = (u∗1,u∗2,e∗), then necessarily
v 6= v∗ = Ux1+α∗y1V x2+α
∗y2 = u∗1x1+α
∗y1u∗2x2+α
∗y2
Then, the ciphertext is rejected =⇒ Pr[F′1] = 0
• Case 2: (u1,u2,e) 6= (u∗1,u∗2,e∗), but α = α∗:
From the previous game, Aborts =⇒ Pr[F′2] = 0
• Case 3: (u1,u2,e) 6= (u∗1,u∗2,e∗), and α 6= α∗
ENS/CNRS/INRIA Cascade David Pointcheval 50/68
![Page 167: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/167.jpg)
Details: Bad Accept
In order to evaluate Pr[F′], we study the probability that
• r1 = logg1u1 6= logg2
u2 = r2,
• whereas v = u1x1+αy1u2
x2+αy2
Let us use “*” for all the elements related to the challenge ciphertext.
Three cases may appear:
• Case 1: (u1,u2,e) = (u∗1,u∗2,e∗), then necessarily
v 6= v∗ = Ux1+α∗y1V x2+α
∗y2 = u∗1x1+α
∗y1u∗2x2+α
∗y2
Then, the ciphertext is rejected =⇒ Pr[F′1] = 0
• Case 2: (u1,u2,e) 6= (u∗1,u∗2,e∗), but α = α∗:
From the previous game, Aborts =⇒ Pr[F′2] = 0
• Case 3: (u1,u2,e) 6= (u∗1,u∗2,e∗), and α 6= α∗
ENS/CNRS/INRIA Cascade David Pointcheval 50/68
![Page 168: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/168.jpg)
Details: Bad Accept
In order to evaluate Pr[F′], we study the probability that
• r1 = logg1u1 6= logg2
u2 = r2,
• whereas v = u1x1+αy1u2
x2+αy2
Let us use “*” for all the elements related to the challenge ciphertext.
Three cases may appear:
• Case 1: (u1,u2,e) = (u∗1,u∗2,e∗), then necessarily
v 6= v∗ = Ux1+α∗y1V x2+α
∗y2 = u∗1x1+α
∗y1u∗2x2+α
∗y2
Then, the ciphertext is rejected =⇒ Pr[F′1] = 0
• Case 2: (u1,u2,e) 6= (u∗1,u∗2,e∗), but α = α∗:
From the previous game, Aborts =⇒ Pr[F′2] = 0
• Case 3: (u1,u2,e) 6= (u∗1,u∗2,e∗), and α 6= α∗
ENS/CNRS/INRIA Cascade David Pointcheval 50/68
![Page 169: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/169.jpg)
Details: Bad Accept
In order to evaluate Pr[F′], we study the probability that
• r1 = logg1u1 6= logg2
u2 = r2,
• whereas v = u1x1+αy1u2
x2+αy2
Let us use “*” for all the elements related to the challenge ciphertext.
Three cases may appear:
• Case 1: (u1,u2,e) = (u∗1,u∗2,e∗), then necessarily
v 6= v∗ = Ux1+α∗y1V x2+α
∗y2 = u∗1x1+α
∗y1u∗2x2+α
∗y2
Then, the ciphertext is rejected =⇒ Pr[F′1] = 0
• Case 2: (u1,u2,e) 6= (u∗1,u∗2,e∗), but α = α∗:
From the previous game, Aborts =⇒ Pr[F′2] = 0
• Case 3: (u1,u2,e) 6= (u∗1,u∗2,e∗), and α 6= α∗
ENS/CNRS/INRIA Cascade David Pointcheval 50/68
![Page 170: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/170.jpg)
Details: Bad Accept
In order to evaluate Pr[F′], we study the probability that
• r1 = logg1u1 6= logg2
u2 = r2,
• whereas v = u1x1+αy1u2
x2+αy2
Let us use “*” for all the elements related to the challenge ciphertext.
Three cases may appear:
• Case 1: (u1,u2,e) = (u∗1,u∗2,e∗), then necessarily
v 6= v∗ = Ux1+α∗y1V x2+α
∗y2 = u∗1x1+α
∗y1u∗2x2+α
∗y2
Then, the ciphertext is rejected =⇒ Pr[F′1] = 0
• Case 2: (u1,u2,e) 6= (u∗1,u∗2,e∗), but α = α∗:
From the previous game, Aborts =⇒ Pr[F′2] = 0
• Case 3: (u1,u2,e) 6= (u∗1,u∗2,e∗), and α 6= α∗
ENS/CNRS/INRIA Cascade David Pointcheval 50/68
![Page 171: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/171.jpg)
Details: Bad Accept (Case 3)
The adversary knows the public key, and the (invalid) challengeciphertext:
c = gx11 gx2
2 d = gy11 gy2
2
v∗ = Ux1+α∗y1V x2+α
∗y2 = gr∗1 (x1+α∗y1)
1 gr∗2 (x2+α∗y2)
2
Let us move to the exponents, in basis g1, with g2 = gs1:
log c = x1 + sx2
log d = y1 + sy2
log v∗ = r∗1 (x1 + α∗y1) + sr∗2 (x2 + α∗y2)
log v = r1(x1 + αy1) + sr2(x2 + αy2)
ENS/CNRS/INRIA Cascade David Pointcheval 51/68
![Page 172: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/172.jpg)
Details: Bad Accept (Case 3)
The adversary knows the public key, and the (invalid) challengeciphertext:
c = gx11 gx2
2 d = gy11 gy2
2
v∗ = Ux1+α∗y1V x2+α
∗y2 = gr∗1 (x1+α∗y1)
1 gr∗2 (x2+α∗y2)
2
Let us move to the exponents, in basis g1, with g2 = gs1:
log c = x1 + sx2
log d = y1 + sy2
log v∗ = r∗1 (x1 + α∗y1) + sr∗2 (x2 + α∗y2)
log v = r1(x1 + αy1) + sr2(x2 + αy2)
ENS/CNRS/INRIA Cascade David Pointcheval 51/68
![Page 173: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/173.jpg)
Details: Bad Accept (Case 3)
The determinant of the system is
∆ =
∣∣∣∣∣∣∣∣∣1 s 0 00 0 1 sr∗1 sr∗2 r∗1α
∗ sr∗2α∗
r1 sr2 r1α sr2α
∣∣∣∣∣∣∣∣∣
ENS/CNRS/INRIA Cascade David Pointcheval 52/68
![Page 174: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/174.jpg)
Details: Bad Accept (Case 3)
The determinant of the system is
∆ =
∣∣∣∣∣∣∣∣∣1 s 0 00 0 1 sr∗1 sr∗2 r∗1α
∗ sr∗2α∗
r1 sr2 r1α sr2α
∣∣∣∣∣∣∣∣∣=
∣∣∣∣∣∣∣0 1 s
sr∗2 r∗1α∗ sr∗2α
∗
sr2 r1α sr2α
∣∣∣∣∣∣∣− s ×
∣∣∣∣∣∣∣0 1 sr∗1 r∗1α
∗ sr∗2α∗
r1 r1α sr2α
∣∣∣∣∣∣∣
ENS/CNRS/INRIA Cascade David Pointcheval 52/68
![Page 175: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/175.jpg)
Details: Bad Accept (Case 3)
The determinant of the system is
∆ =
∣∣∣∣∣∣∣0 1 s
sr∗2 r∗1α∗ sr∗2α
∗
sr2 r1α sr2α
∣∣∣∣∣∣∣− s ×
∣∣∣∣∣∣∣0 1 sr∗1 r∗1α
∗ sr∗2α∗
r1 r1α sr2α
∣∣∣∣∣∣∣
ENS/CNRS/INRIA Cascade David Pointcheval 52/68
![Page 176: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/176.jpg)
Details: Bad Accept (Case 3)
The determinant of the system is
∆ =
∣∣∣∣∣∣∣0 1 s
sr∗2 r∗1α∗ sr∗2α
∗
sr2 r1α sr2α
∣∣∣∣∣∣∣− s ×
∣∣∣∣∣∣∣0 1 sr∗1 r∗1α
∗ sr∗2α∗
r1 r1α sr2α
∣∣∣∣∣∣∣= s2 ×
∣∣∣∣∣∣∣
0 1 1r∗2 r∗1α
∗ r∗2α∗
r2 r1α r2α
∣∣∣∣∣∣∣−∣∣∣∣∣∣∣
0 1 1r∗1 r∗1α
∗ r∗2α∗
r1 r1α r2α
∣∣∣∣∣∣∣
ENS/CNRS/INRIA Cascade David Pointcheval 52/68
![Page 177: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/177.jpg)
Details: Bad Accept (Case 3)
The determinant of the system is
∆ = s2 ×
∣∣∣∣∣∣∣
0 1 1r∗2 r∗1α
∗ r∗2α∗
r2 r1α r2α
∣∣∣∣∣∣∣−∣∣∣∣∣∣∣
0 1 1r∗1 r∗1α
∗ r∗2α∗
r1 r1α r2α
∣∣∣∣∣∣∣
ENS/CNRS/INRIA Cascade David Pointcheval 52/68
![Page 178: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/178.jpg)
Details: Bad Accept (Case 3)
The determinant of the system is
∆ = s2 ×
∣∣∣∣∣∣∣
0 1 1r∗2 r∗1α
∗ r∗2α∗
r2 r1α r2α
∣∣∣∣∣∣∣−∣∣∣∣∣∣∣
0 1 1r∗1 r∗1α
∗ r∗2α∗
r1 r1α r2α
∣∣∣∣∣∣∣
= s2 ×
r2 ×
∣∣∣∣∣ 1 1r∗1α∗ r∗2α
∗
∣∣∣∣∣ − r∗2 ×
∣∣∣∣∣ 1 1r1α r2α
∣∣∣∣∣−r1 ×
∣∣∣∣∣ 1 1r∗1α∗ r∗2α
∗
∣∣∣∣∣ + r∗1 ×
∣∣∣∣∣ 1 1r1α r2α
∣∣∣∣∣
ENS/CNRS/INRIA Cascade David Pointcheval 52/68
![Page 179: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/179.jpg)
Details: Bad Accept (Case 3)
The determinant of the system is
∆ = s2 ×
r2 ×
∣∣∣∣∣ 1 1r∗1α∗ r∗2α
∗
∣∣∣∣∣ − r∗2 ×
∣∣∣∣∣ 1 1r1α r2α
∣∣∣∣∣−r1 ×
∣∣∣∣∣ 1 1r∗1α∗ r∗2α
∗
∣∣∣∣∣ + r∗1 ×
∣∣∣∣∣ 1 1r1α r2α
∣∣∣∣∣
ENS/CNRS/INRIA Cascade David Pointcheval 52/68
![Page 180: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/180.jpg)
Details: Bad Accept (Case 3)
The determinant of the system is
∆ = s2 ×
r2 ×
∣∣∣∣∣ 1 1r∗1α∗ r∗2α
∗
∣∣∣∣∣ − r∗2 ×
∣∣∣∣∣ 1 1r1α r2α
∣∣∣∣∣−r1 ×
∣∣∣∣∣ 1 1r∗1α∗ r∗2α
∗
∣∣∣∣∣ + r∗1 ×
∣∣∣∣∣ 1 1r1α r2α
∣∣∣∣∣
= s2 ×
(r2 × (r∗2 − r∗1 )× α∗ − r∗2 × (r2 − r1)× α−r1 × (r∗2 − r∗1 )× α∗ + r∗1 × (r2 − r1)× α
)
ENS/CNRS/INRIA Cascade David Pointcheval 52/68
![Page 181: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/181.jpg)
Details: Bad Accept (Case 3)
The determinant of the system is
∆ = s2 ×
(r2 × (r∗2 − r∗1 )× α∗ − r∗2 × (r2 − r1)× α−r1 × (r∗2 − r∗1 )× α∗ + r∗1 × (r2 − r1)× α
)
ENS/CNRS/INRIA Cascade David Pointcheval 52/68
![Page 182: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/182.jpg)
Details: Bad Accept (Case 3)
The determinant of the system is
∆ = s2 ×
(r2 × (r∗2 − r∗1 )× α∗ − r∗2 × (r2 − r1)× α−r1 × (r∗2 − r∗1 )× α∗ + r∗1 × (r2 − r1)× α
)= s2 × ((r2 − r1)× (r∗2 − r∗1 )× α∗ − (r∗2 − r∗1 )× (r2 − r1)× α)
ENS/CNRS/INRIA Cascade David Pointcheval 52/68
![Page 183: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/183.jpg)
Details: Bad Accept (Case 3)
The determinant of the system is
∆ = s2 × ((r2 − r1)× (r∗2 − r∗1 )× α∗ − (r∗2 − r∗1 )× (r2 − r1)× α)
ENS/CNRS/INRIA Cascade David Pointcheval 52/68
![Page 184: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/184.jpg)
Details: Bad Accept (Case 3)
The determinant of the system is
∆ = s2 × ((r2 − r1)× (r∗2 − r∗1 )× α∗ − (r∗2 − r∗1 )× (r2 − r1)× α)
= s2 × (r2 − r1)× (r∗2 − r∗1 )× (α∗ − α)
ENS/CNRS/INRIA Cascade David Pointcheval 52/68
![Page 185: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/185.jpg)
Details: Bad Accept (Case 3)
The determinant of the system is
∆ = s2 × (r2 − r1)× (r∗2 − r∗1 )× (α∗ − α)
ENS/CNRS/INRIA Cascade David Pointcheval 52/68
![Page 186: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/186.jpg)
Details: Bad Accept (Case 3)
The determinant of the system is
∆ = s2 × (r2 − r1)× (r∗2 − r∗1 )× (α∗ − α)
6= 0
ENS/CNRS/INRIA Cascade David Pointcheval 52/68
![Page 187: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/187.jpg)
Details: Bad Accept (Case 3)
The determinant of the system is
∆ = s2 × (r2 − r1)× (r∗2 − r∗1 )× (α∗ − α)
6= 0
The system is under-defined:for any v , there are (x1, x2, y1, y2) that satisfy the system
ENS/CNRS/INRIA Cascade David Pointcheval 52/68
![Page 188: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/188.jpg)
Details: Bad Accept (Case 3)
The determinant of the system is
∆ = s2 × (r2 − r1)× (r∗2 − r∗1 )× (α∗ − α)
6= 0
The system is under-defined:for any v , there are (x1, x2, y1, y2) that satisfy the system
=⇒ v is unpredictable
ENS/CNRS/INRIA Cascade David Pointcheval 52/68
![Page 189: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/189.jpg)
Details: Bad Accept (Case 3)
The determinant of the system is
∆ = s2 × (r2 − r1)× (r∗2 − r∗1 )× (α∗ − α)
6= 0
The system is under-defined:for any v , there are (x1, x2, y1, y2) that satisfy the system
=⇒ v is unpredictable =⇒ Pr[F′3] ≤ qD/q
ENS/CNRS/INRIA Cascade David Pointcheval 52/68
![Page 190: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/190.jpg)
Details: Bad Accept (Case 3)
The determinant of the system is
∆ = s2 × (r2 − r1)× (r∗2 − r∗1 )× (α∗ − α)
6= 0
The system is under-defined:for any v , there are (x1, x2, y1, y2) that satisfy the system
=⇒ v is unpredictable =⇒ Pr[F′3] ≤ qD/q
=⇒ AdvGame7 ≥ AdvGame6 − qD/q
ENS/CNRS/INRIA Cascade David Pointcheval 52/68
![Page 191: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/191.jpg)
Proof: Analysis of the Final Game
In the final Game7:
• only valid ciphertexts are decrypted
• the challenge ciphertext containse = mb × Uz1V z2
• the public key containsh = gz1
1 gz22
Again, the system is under-defined:for any mb, there are (z1, z2) that satisfy the system=⇒ mb is unpredictable =⇒ b is unpredictable=⇒ AdvGame7 = 0
ENS/CNRS/INRIA Cascade David Pointcheval 53/68
![Page 192: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/192.jpg)
Proof: Analysis of the Final Game
In the final Game7:
• only valid ciphertexts are decrypted
• the challenge ciphertext containse = mb × Uz1V z2
• the public key containsh = gz1
1 gz22
Again, the system is under-defined:for any mb, there are (z1, z2) that satisfy the system=⇒ mb is unpredictable =⇒ b is unpredictable=⇒ AdvGame7 = 0
ENS/CNRS/INRIA Cascade David Pointcheval 53/68
![Page 193: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/193.jpg)
Proof: Analysis of the Final Game
In the final Game7:
• only valid ciphertexts are decrypted
• the challenge ciphertext containse = mb × Uz1V z2
• the public key containsh = gz1
1 gz22
Again, the system is under-defined:for any mb, there are (z1, z2) that satisfy the system=⇒ mb is unpredictable =⇒ b is unpredictable=⇒ AdvGame7 = 0
ENS/CNRS/INRIA Cascade David Pointcheval 53/68
![Page 194: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/194.jpg)
Proof: Analysis of the Final Game
In the final Game7:
• only valid ciphertexts are decrypted
• the challenge ciphertext containse = mb × Uz1V z2
• the public key containsh = gz1
1 gz22
Again, the system is under-defined:for any mb, there are (z1, z2) that satisfy the system=⇒ mb is unpredictable =⇒ b is unpredictable=⇒ AdvGame7 = 0
ENS/CNRS/INRIA Cascade David Pointcheval 53/68
![Page 195: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/195.jpg)
Proof: Analysis of the Final Game
In the final Game7:
• only valid ciphertexts are decrypted
• the challenge ciphertext containse = mb × Uz1V z2
• the public key containsh = gz1
1 gz22
Again, the system is under-defined:for any mb, there are (z1, z2) that satisfy the system=⇒ mb is unpredictable =⇒ b is unpredictable=⇒ AdvGame7 = 0
ENS/CNRS/INRIA Cascade David Pointcheval 53/68
![Page 196: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/196.jpg)
Proof: Analysis of the Final Game
In the final Game7:
• only valid ciphertexts are decrypted
• the challenge ciphertext containse = mb × Uz1V z2
• the public key containsh = gz1
1 gz22
Again, the system is under-defined:for any mb, there are (z1, z2) that satisfy the system=⇒ mb is unpredictable =⇒ b is unpredictable=⇒ AdvGame7 = 0
ENS/CNRS/INRIA Cascade David Pointcheval 53/68
![Page 197: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/197.jpg)
Proof: Analysis of the Final Game
In the final Game7:
• only valid ciphertexts are decrypted
• the challenge ciphertext containse = mb × Uz1V z2
• the public key containsh = gz1
1 gz22
Again, the system is under-defined:for any mb, there are (z1, z2) that satisfy the system=⇒ mb is unpredictable =⇒ b is unpredictable=⇒ AdvGame7 = 0
ENS/CNRS/INRIA Cascade David Pointcheval 53/68
![Page 198: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/198.jpg)
Proof: Analysis of the Final Game
In the final Game7:
• only valid ciphertexts are decrypted
• the challenge ciphertext containse = mb × Uz1V z2
• the public key containsh = gz1
1 gz22
Again, the system is under-defined:for any mb, there are (z1, z2) that satisfy the system=⇒ mb is unpredictable =⇒ b is unpredictable=⇒ AdvGame7 = 0
ENS/CNRS/INRIA Cascade David Pointcheval 53/68
![Page 199: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/199.jpg)
Conclusion
AdvGame7 = 0
AdvGame7 ≥ AdvGame6 − qD/q
AdvGame6 ≥ AdvGame5 − SuccH(t)
AdvGame5 ≥ AdvGame4 − 2× AdvddhG (t)
AdvGame4 = AdvGame3
AdvGame3 ≥ AdvGame2 − qD/q
AdvGame2 = AdvGame1
AdvGame1 ≥ AdvGame0 − qD/q
AdvGame0 = Advind−ccaCS (A)
Advind−ccaCS (A) ≤ 2× Advddh
G (t) + SuccH(t) + 3qD/qENS/CNRS/INRIA Cascade David Pointcheval 54/68
![Page 200: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/200.jpg)
Conclusion
AdvGame7 = 0
AdvGame7 ≥ AdvGame6 − qD/q
AdvGame6 ≥ AdvGame5 − SuccH(t)
AdvGame5 ≥ AdvGame4 − 2× AdvddhG (t)
AdvGame4 = AdvGame3
AdvGame3 ≥ AdvGame2 − qD/q
AdvGame2 = AdvGame1
AdvGame1 ≥ AdvGame0 − qD/q
AdvGame0 = Advind−ccaCS (A)
Advind−ccaCS (A) ≤ 2× Advddh
G (t) + SuccH(t) + 3qD/qENS/CNRS/INRIA Cascade David Pointcheval 54/68
![Page 201: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/201.jpg)
Outline
Basic Security Notions
Game-based Proofs
Advanced Security for Encryption
Advanced Security Notions
Cramer-Shoup Encryption Scheme
Generic Conversion
Conclusion
ENS/CNRS/INRIA Cascade David Pointcheval 55/68
![Page 202: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/202.jpg)
First Generic Conversion [Bellare-Rogaway – Eurocrypt ’93]
For efficiency: random oracle model
Setup
• A trapdoor one-way permutation family {(f ,g)} onto the set X
• Two hash functions, for the security parameter k1,
G : X −→ {0,1}n and H : {0,1}? −→ {0,1}k1 ,
where n is the bit-length of the plaintexts.
Key GenerationOne chooses a random element in the family
• f is the public key
• the inverse g is the private key
ENS/CNRS/INRIA Cascade David Pointcheval 56/68
![Page 203: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/203.jpg)
First Generic Conversion [Bellare-Rogaway – Eurocrypt ’93]
For efficiency: random oracle model
Setup
• A trapdoor one-way permutation family {(f ,g)} onto the set X
• Two hash functions, for the security parameter k1,
G : X −→ {0,1}n and H : {0,1}? −→ {0,1}k1 ,
where n is the bit-length of the plaintexts.
Key GenerationOne chooses a random element in the family
• f is the public key
• the inverse g is the private key
ENS/CNRS/INRIA Cascade David Pointcheval 56/68
![Page 204: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/204.jpg)
First Generic Conversion (Cont’ed)
EncryptionOne chooses a random element r ∈ X
a = f (r), b = m ⊕ G(r), c = H(m, r)
DecryptionGiven (a,b, c), and the private key g,
• one first recovers r = g(a)
• one gets m = b ⊕ G(r)
• one then checks whether c ?= H(m, r)
If the equality holds, one returns m,otherwise one rejects the ciphertext
ENS/CNRS/INRIA Cascade David Pointcheval 57/68
![Page 205: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/205.jpg)
First Generic Conversion (Cont’ed)
EncryptionOne chooses a random element r ∈ X
a = f (r), b = m ⊕ G(r), c = H(m, r)
DecryptionGiven (a,b, c), and the private key g,
• one first recovers r = g(a)
• one gets m = b ⊕ G(r)
• one then checks whether c ?= H(m, r)
If the equality holds, one returns m,otherwise one rejects the ciphertext
ENS/CNRS/INRIA Cascade David Pointcheval 57/68
![Page 206: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/206.jpg)
Security of the Bellare-Rogaway Conversion
TheoremThe Bellare-Rogaway conversion achieves IND− CCA security,under the one-wayness of the trapdoor permutation f :
Advind−ccaBR (t) ≤ 2× Succow
f (T ) +4qD
2k1,
where T ≤ t + (qG + qH) · Tf .
Let us prove this theorem, with a sequence of games, in which A isan IND− CCA adversary against the Bellare-Rogaway conversion.
ENS/CNRS/INRIA Cascade David Pointcheval 58/68
![Page 207: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/207.jpg)
Security of the Bellare-Rogaway Conversion
TheoremThe Bellare-Rogaway conversion achieves IND− CCA security,under the one-wayness of the trapdoor permutation f :
Advind−ccaBR (t) ≤ 2× Succow
f (T ) +4qD
2k1,
where T ≤ t + (qG + qH) · Tf .
Let us prove this theorem, with a sequence of games, in which A isan IND− CCA adversary against the Bellare-Rogaway conversion.
ENS/CNRS/INRIA Cascade David Pointcheval 58/68
![Page 208: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/208.jpg)
Real Attack Game
H
Challenger
● (pk, sk) ← Setup()● Chooses a bit b● c ← E(pk,m
b)
● if b=b': 1● else 0
Adversary0 / 1
Game 0
pkm0,m1
c
b'
Oracles
DSetup
Key Generation OracleRandom permutation f , and its inverse g
Decryption OracleCompute r = g(a), and then m = b ⊕ G(r)
if c = H(m, r), outputs m, otherwise reject
ENS/CNRS/INRIA Cascade David Pointcheval 59/68
![Page 209: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/209.jpg)
Simulation of the Random Oracles
• Game0: use of the perfect oracles
Challenge CiphertextRandom r , random bit b: a = f (r), b = mb ⊕ G(r), c = H(m, r)
AdvGame0 = 2× PrGame0
[b′ = b]− 1 = ε
• Game1: use of the simulation of the random oracles
Random OraclesFor any new query, a new random output: management of lists
AdvGame1 = AdvGame0
ENS/CNRS/INRIA Cascade David Pointcheval 60/68
![Page 210: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/210.jpg)
Simulation of the Random Oracles
• Game0: use of the perfect oracles
Challenge CiphertextRandom r , random bit b: a = f (r), b = mb ⊕ G(r), c = H(m, r)
AdvGame0 = 2× PrGame0
[b′ = b]− 1 = ε
• Game1: use of the simulation of the random oracles
Random OraclesFor any new query, a new random output: management of lists
AdvGame1 = AdvGame0
ENS/CNRS/INRIA Cascade David Pointcheval 60/68
![Page 211: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/211.jpg)
Simulation of the Challenge Ciphertext
• Game2: use of an independent random value h+
Challenge Ciphertext
Random r , random bit b: a = f (r), b = mb ⊕ G(r), c = h+
This game is indistinguishable from the previous one, unless(mb, r) is queried to H: event AskMR (it can only be asked bythe adversary, since such a query by the decryption oracle wouldbe for the challenge ciphertext).Note that in case of AskMR, we stop the simulation with arandom output:
AdvGame2 ≥ AdvGame1 − 2× PrGame2
[AskMR]
ENS/CNRS/INRIA Cascade David Pointcheval 61/68
![Page 212: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/212.jpg)
Simulation of the Decryption Oracle
• Game3: reject if (m, r) not queried to H
Decryption OracleLook in the H-list for (m, r) such that c = H(m, r).If not found: reject,if for one pair, a = f (r) and b = m ⊕ G(r), output m
This makes a difference if this value c, without having beenasked to H, is correct: for each attempt, the probability isbounded by 1/2k1 :
AdvGame3 ≥ AdvGame2 − 2qD/2k1
PrGame3
[AskMR] ≥ PrGame2
[AskMR]− qD/2k1
ENS/CNRS/INRIA Cascade David Pointcheval 62/68
![Page 213: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/213.jpg)
Simulation of the Challenge Ciphertext
• Game4: use of an independent random value g+ (and h+)
Challenge Ciphertext
Random r , random bit b: a = f (r), b = mb ⊕ g+, c = h+
This game is indistinguishable from the previous one, unless r isqueried to G by the adversary or by the decryption oracle. Wedenote by AskR the event that r is asked to G or H by theadversary (which includes AskMR). But r cannot be asked to Gby the decryption oracle without AskR: only possible if r is in theH-list, and thus asked by the adversary:
AdvGame4 ≥ AdvGame3 − 2× PrGame3
[AskR ∧ ¬AskMR]
PrGame4
[AskR] = PrGame3
[AskMR] + PrGame3
[AskR ∧ ¬AskMR]
ENS/CNRS/INRIA Cascade David Pointcheval 63/68
![Page 214: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/214.jpg)
Simulation of the Challenge Ciphertext
• Game5: use of an independent random value a+ (and g+, h+)
Challenge Ciphertext
random bit b: a = a+, b = mb ⊕ g+, c = h+
This determines r , the unique value such that a+ = f (r), whichallows to detect event AskR.This game is perfectly indistinguishable from the previous one:
AdvGame5 = AdvGame4
PrGame5
[AskR] = PrGame4
[AskR]
ENS/CNRS/INRIA Cascade David Pointcheval 64/68
![Page 215: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/215.jpg)
Inversion of the Permutation
Since we can assume that a+ is a given challenge for inverting thepermutation f , when one looks in the G-list or the H-list, one can findr , the pre-image of a+:
PrGame5
[AskR] ≤ Succowf (t + (qG + qH) · Tf )
But clearly, in the last game, because of g+ that perfectly hides mb:
AdvGame5 = 0
ENS/CNRS/INRIA Cascade David Pointcheval 65/68
![Page 216: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/216.jpg)
Conclusion
As a consequence, 0 = AdvGame5
= AdvGame4 ≥ AdvGame3 − 2× PrGame3
[AskR ∧ ¬AskMR]
≥ AdvGame2 − 2× PrGame3
[AskR ∧ ¬AskMR]− 2qD/2k1
≥ AdvGame1 − 2× PrGame2
[AskMR]− 2× PrGame3
[AskR ∧ ¬AskMR]− 2qD/2k1
≥ AdvGame0 − 2× PrGame3
[AskMR]− 2× PrGame3
[AskR ∧ ¬AskMR]− 4qD/2k1
≥ AdvGame0 − 2× PrGame4
[AskR]− 4qD/2k1
≥ AdvGame0 − 2× PrGame5
[AskR]− 4qD/2k1
And then,
AdvGame0 ≤ 4qD/2k1 + 2× Succowf (T )
ENS/CNRS/INRIA Cascade David Pointcheval 66/68
![Page 217: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/217.jpg)
Conclusion
![Page 218: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/218.jpg)
Outline
Basic Security Notions
Game-based Proofs
Advanced Security for Encryption
Conclusion
ENS/CNRS/INRIA Cascade David Pointcheval 67/68
![Page 219: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/219.jpg)
Conclusion
Game-based Methodology: the story of OAEP [Bellare-Rogaway EC ’94]
ENS/CNRS/INRIA Cascade David Pointcheval 68/68
![Page 220: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/220.jpg)
Conclusion
Game-based Methodology: the story of OAEP [Bellare-Rogaway EC ’94]
• Reduction proven indistinguishable for an IND-CCA adversary(actually IND-CCA1, and not IND-CCA2) but widely believed forIND-CCA2, without any further analysis of the reductionThe direct-reduction methodology
• [Shoup - Crypto ’01]
Shoup showed the gap for IND-CCA2, under the OWPGranted his new game-based methodology
• [Fujisaki-Okamoto-Pointcheval-Stern – Crypto ’01]
FOPS proved the security for IND-CCA2, under the PD-OWPUsing the game-based methodology
ENS/CNRS/INRIA Cascade David Pointcheval 68/68
![Page 221: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/221.jpg)
Conclusion
Game-based Methodology: the story of OAEP [Bellare-Rogaway EC ’94]
• Reduction proven indistinguishable for an IND-CCA adversary(actually IND-CCA1, and not IND-CCA2) but widely believed forIND-CCA2, without any further analysis of the reductionThe direct-reduction methodology
• [Shoup - Crypto ’01]
Shoup showed the gap for IND-CCA2, under the OWPGranted his new game-based methodology
• [Fujisaki-Okamoto-Pointcheval-Stern – Crypto ’01]
FOPS proved the security for IND-CCA2, under the PD-OWPUsing the game-based methodology
ENS/CNRS/INRIA Cascade David Pointcheval 68/68
![Page 222: II – Encryption...Provable Security in the Computational Model II – Encryption David Pointcheval MPRI – Paris Ecole normale superieure, CNRS & INRIA´ ENS/CNRS/INRIA Cascade](https://reader036.vdocument.in/reader036/viewer/2022071516/6138b0890ad5d2067649694c/html5/thumbnails/222.jpg)
Conclusion
Game-based Methodology: the story of OAEP [Bellare-Rogaway EC ’94]
• Reduction proven indistinguishable for an IND-CCA adversary(actually IND-CCA1, and not IND-CCA2) but widely believed forIND-CCA2, without any further analysis of the reductionThe direct-reduction methodology
• [Shoup - Crypto ’01]
Shoup showed the gap for IND-CCA2, under the OWPGranted his new game-based methodology
• [Fujisaki-Okamoto-Pointcheval-Stern – Crypto ’01]
FOPS proved the security for IND-CCA2, under the PD-OWPUsing the game-based methodology
ENS/CNRS/INRIA Cascade David Pointcheval 68/68