
Proof for “wNM-DCCA + UNP $\not\Rightarrow$ R-Inext.” Here, we show that if there exists a detectable PKE scheme that satisfies wNM-DCCA security and unpredictability, then there exists a detectable PKE scheme that satisfies wNM-DCCA security and unpredictability, but does not satisfy randomness-inextractability.

Note that if there exists a detectable PKE scheme satisfying (wNM-)DCCA security and unpredictability (which is guaranteed by assumption), then due to the result by Hohenberger et al. [16], there exists a CCA secure PKE scheme $\Pi = (\mathsf{PKG}, \mathsf{Enc}, \mathsf{Dec})$ whose plaintext space is $\{0,1\}^{k+1}$. Then, using this PKE scheme $\Pi$ as a building block, we construct the “separating” PKE scheme $\Pi_{\mathrm{SEP1}} = (\mathsf{PKG}_{\mathrm{SEP1}}, \mathsf{Enc}_{\mathrm{SEP1}}, \mathsf{Dec}_{\mathrm{SEP1}}, \mathsf{F}_{\mathrm{SEP1}})$ whose plaintext space is $\{0,1\}$, as described in Fig. 9 (left).

Note that the construction in Fig. 9 (left) is in fact exactly the “transformation” of a CCA secure PKE scheme into a CCA secure tag-based encryption (TBE) scheme explained by Kiltz [17], except that the tag $\mathit{tag}$ is always chosen uniformly at random from $\{0,1\}^k$. (Here, we consider the CCA security of a TBE scheme in which an adversary is allowed to submit a tag/ciphertext pair $(\mathit{tag}, c)$ as a decryption query, as long as it is different (as a pair) from the challenge tag/ciphertext pair $(\mathit{tag}^*, c^*)$.) Therefore, it is straightforward from [17] that if $\Pi$ is CCA secure, then $\Pi_{\mathrm{SEP1}}$ is wNM-DCCA secure (in particular, the final “unrestricted” decryption query in the wNM-DCCA experiment can be handled by the CCA security of the tag-based encryption scheme).

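Left ($\Pi_{\mathrm{SEP1}}$):

$\mathsf{PKG}_{\mathrm{SEP1}}(1^k)$: Return $(pk, sk) \leftarrow \mathsf{PKG}(1^k)$.

$\mathsf{Enc}_{\mathrm{SEP1}}(pk, m)$: $\mathit{tag} \leftarrow \{0,1\}^k$; $c \leftarrow \mathsf{Enc}(pk, (\mathit{tag} \| m))$; Return $C \leftarrow (\mathit{tag}, c)$.

$\mathsf{Dec}_{\mathrm{SEP1}}(sk, C)$: $(\mathit{tag}, c) \leftarrow C$; $(\mathit{tag}' \| m) \leftarrow \mathsf{Dec}(sk, c)$; If $\mathsf{Dec}$ has returned $\bot$ or $\mathit{tag}' \neq \mathit{tag}$ then return $\bot$. Return $m$.

$\mathsf{F}_{\mathrm{SEP1}}(pk, C^*, C')$: $(\mathit{tag}^*, c^*) \leftarrow C^*$; $(\mathit{tag}', c') \leftarrow C'$; Return $(\mathit{tag}^* \stackrel{?}{=} \mathit{tag}')$.

Right ($\Pi_{\mathrm{SEP2}}$):

$\mathsf{PKG}_{\mathrm{SEP2}}(1^k)$: Return $(pk, sk) \leftarrow \mathsf{PKG}(1^k)$.

$\mathsf{Enc}_{\mathrm{SEP2}}(pk, m)$: $c \leftarrow \mathsf{Enc}(pk, m)$; Return $C \leftarrow (0 \| c)$.

$\mathsf{Dec}_{\mathrm{SEP2}}(sk, C)$: Parse $C$ as $(\gamma \| c)$ s.t. $|\gamma| = 1$. If $\gamma = 1$ then return $\bot$. Return $m \leftarrow \mathsf{Dec}(sk, c)$.

$\mathsf{F}_{\mathrm{SEP2}}(pk, C^*, C')$: Parse $C^*$ as $(\gamma^* \| c^*)$ s.t. $|\gamma^*| = 1$. Parse $C'$ as $(\gamma' \| c')$ s.t. $|\gamma'| = 1$. If $\gamma^* \neq \gamma'$ or $\mathsf{F}(pk, c^*, c') = 1$ then return 1 else return 0.

Fig. 9. The “separating” detectable PKE schemes used to show the separations of security notions. The scheme $\Pi_{\mathrm{SEP1}}$ that separates randomness-inextractability from the combination of wNM-DCCA security and unpredictability (left), and the scheme $\Pi_{\mathrm{SEP2}}$ that separates unpredictability from the combination of wNM-DCCA security and randomness-inextractability (right).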

Furthermore, it is also easy to see that $\Pi_{\mathrm{SEP1}}$ is information-theoretically unpredictable. This is because the first component $\mathit{tag}$ is chosen uniformly at random, and thus even if an adversary is computationally unbounded, it can output a ciphertext $C' = (\mathit{tag}', c)$ such that $\mathsf{F}_{\mathrm{SEP1}}(pk, C^*, C') = 1$ (i.e. $\mathit{tag}^* = \mathit{tag}'$) for an unseen ciphertext $C^* = (\mathit{tag}^*, c^*)$ only with negligible probability, which implies that $\Pi_{\mathrm{SEP1}}$ unconditionally satisfies unpredictability.

Finally, we show that $\Pi_{\mathrm{SEP1}}$ does not satisfy randomness-inextractability. Specifically, consider an adversary $\mathcal{A}$ that first submits any plaintext $m$ to the experiment, and then is given a public key $pk$ and the challenge ciphertext $C^* = (\mathit{tag}^*, c^*)$, where by definition $c^*$ is an encryption of $(\mathit{tag}^* \| m)$ generated by $c^* \leftarrow \mathsf{Enc}(pk, (\mathit{tag}^* \| m))$. Now, $\mathcal{A}$ picks a randomness $r' = (\mathit{tag}^*, r)$ where $r$ is any randomness in the randomness space of $\mathsf{Enc}$, and terminates with output $(m, r')$. Note that we have $C' = \mathsf{Enc}_{\mathrm{SEP1}}(pk, m; r' = (\mathit{tag}^*, r)) = (\mathit{tag}^* \| \mathsf{Enc}(pk, (\mathit{tag}^* \| m); r)) = (\mathit{tag}^* \| c')$ for some $c'$, and thus $\mathsf{F}_{\mathrm{SEP1}}(pk, C^*, C') = 1$ holds. That is, $\mathcal{A}$ has maximum advantage in breaking the randomness-inextractability of $\Pi_{\mathrm{SEP1}}$, meaning that $\Pi_{\mathrm{SEP1}}$ does not satisfy randomness-inextractability.

Proof for “wNM-DCCA + R-Inext $\not\Rightarrow$ UNP.” Here, we show that if there exists a detectable PKE scheme that satisfies wNM-DCCA security and randomness-inextractability, then there exists a PKE scheme that satisfies wNM-DCCA security and randomness-inextractability, but does not satisfy unpredictability.

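Let $\Pi = (\mathsf{PKG}, \mathsf{Enc}, \mathsf{Dec}, \mathsf{F})$ be a detectable PKE scheme that satisfies wNM-DCCA security and randomness-inextractability that is guaranteed to exist by assumption. Then, consider the “separating” scheme $\Pi_{\mathrm{SEP2}} = (\mathsf{PKG}_{\mathrm{SEP2}}, \mathsf{Enc}_{\mathrm{SEP2}}, \mathsf{Dec}_{\mathrm{SEP2}}, \mathsf{F}_{\mathrm{SEP2}})$ as described in Fig. 9 (right).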

Firstly, it is not hard to see that $\Pi_{\mathrm{SEP2}}$ preserves the wNM-DCCA security of the underlying detectable PKE scheme $\Pi$. Specifically, using a wNM-DCCA adversary $\mathcal{A} = (\mathcal{A}_1, \mathcal{A}_2, \mathcal{A}_3)$ as a building block, we can straightforwardly construct a reduction algorithm $\mathcal{B} = (\mathcal{B}_1, \mathcal{B}_2, \mathcal{B}_3)$ that attacks the wNM-DCCA security of the building block scheme $\Pi$, such that $\mathsf{Adv}^{\text{wNM-DCCA}}_{\Pi,\mathcal{B}}(k) = \mathsf{Adv}^{\text{wNM-DCCA}}_{\Pi_{\mathrm{SEP2}},\mathcal{A}}(k)$. In particular, the challenge ciphertext $C^*$ for $\mathcal{A}$ is always of the form $C^* = (0 \| c^*)$, and thus the allowable set of decryption queries $C = (\gamma \| c)$ by the second stage $\mathcal{A}_2$ of the wNM-DCCA adversary $\mathcal{A}$ are those satisfying $\gamma = 0$ and $\mathsf{F}(pk, c^*, c) = 0$ simultaneously. However, such ciphertexts can be easily handled by the reduction algorithm $\mathcal{B}$ by $\mathcal{B}_2$’s own decryption oracle. The final “unrestricted” decryption query output by $\mathcal{A}_2$ can also be dealt with straightforwardly by the final decryption query allowed for the second stage $\mathcal{B}_2$ of the reduction algorithm.

Secondly, it is also not hard to see that $\Pi_{\mathrm{SEP2}}$ preserves the randomness-inextractability of the underlying scheme $\Pi$. Specifically, recall that randomness-inextractability is always about ciphertexts generated “honestly” via the encryption algorithm $\mathsf{Enc}_{\mathrm{SEP2}}$. Therefore, to break the randomness-inextractability of $\Pi_{\mathrm{SEP2}}$, an adversary cannot use the condition $\gamma' \neq \gamma^* = 0$, and thus it has to essentially break the randomness-inextractability of the underlying scheme $\Pi$, which is hard by assumption.

Finally, we note that it is easy to break the unpredictability of $\Pi_{\mathrm{SEP2}}$. Specifically, consider an adversary $\mathcal{A}$ that outputs $C' = (1 \| c)$ with any $c$ (which need not even be in the range of $\mathsf{Enc}_{\mathrm{SEP2}}$) and any plaintext $m$. Then, since a ciphertext generated “honestly” by $\mathsf{Enc}_{\mathrm{SEP2}}$ always has the prefix 0 (and this is the case in the unpredictability experiment), the prefix of $C^*$ and that of $C'$ are distinct. This implies $\mathsf{F}_{\mathrm{SEP2}}(pk, C^*, C') = 1$, and thus the adversary $\mathcal{A}$ has maximum advantage in breaking the unpredictability of $\Pi_{\mathrm{SEP2}}$. Hence, $\Pi_{\mathrm{SEP2}}$ does not satisfy unpredictability. $\square$ (Lemma 5)
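The two adversaries from the proofs above, run against executable versions of the Fig. 9 schemes; this is an added example, not code from the paper. Assumptions: the underlying scheme Π is replaced by a toy ElGamal (not CCA secure, used only because it exposes explicit encryption randomness), k = 64, and Π's detecting function F is replaced by a placeholder equality test.

```python
import secrets

# Constructed stand-in for Π: textbook ElGamal mod a Mersenne prime. NOT CCA
# secure; it only supplies Enc(pk, m; r) with explicit randomness r.
P, G, K = 2**127 - 1, 3, 64

def rand():
    return secrets.randbelow(P - 2) + 1

def pkg():
    sk = rand()
    return pow(G, sk, P), sk

def enc(pk, m, r):
    return pow(G, r, P), (m + 1) * pow(pk, r, P) % P   # m + 1 avoids encoding 0

# Π_SEP1 (Fig. 9, left): randomness r' = (tag, r), ciphertext C = (tag, c).
def enc_sep1(pk, m, r_prime):
    tag, r = r_prime
    return tag, enc(pk, (tag << 1) | m, r)

def dec_sep1(sk, C):
    tag, (c1, c2) = C
    x = c2 * pow(c1, P - 1 - sk, P) % P - 1   # decrypts to tag' || m
    return x & 1 if x >> 1 == tag else None   # None plays the role of ⊥

def f_sep1(pk, C_star, C_prime):
    return int(C_star[0] == C_prime[0])

# Π_SEP2 (Fig. 9, right): honest ciphertexts are C = (0, c).
def enc_sep2(pk, m, r):
    return 0, enc(pk, m, r)

def f_sep2(pk, C_star, C_prime, f=lambda pk, a, b: int(a == b)):
    # f stands in for Π's own detecting function F (placeholder assumption).
    return int(C_star[0] != C_prime[0] or f(pk, C_star[1], C_prime[1]) == 1)

def r_inext_experiment(m):
    """Π_SEP1: adversary reuses the visible tag* with any fresh r."""
    pk, _ = pkg()
    C_star = enc_sep1(pk, m, (secrets.randbits(K), rand()))
    r_prime = (C_star[0], rand())            # adversary's output randomness
    return f_sep1(pk, C_star, enc_sep1(pk, m, r_prime))

def unp_experiment(m):
    """Π_SEP2: adversary commits to C' = (1, c) before C* is generated."""
    pk, _ = pkg()
    C_prime = (1, (1, 1))                    # c is arbitrary, need not be valid
    return f_sep2(pk, enc_sep2(pk, m, rand()), C_prime)
```

Both experiment functions return the detecting function's output, which is 1 on every run, matching the "maximum advantage" claims in the two proofs.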
