Protecting the Privacy of Voters: New Definitions of Ballot Secrecy for E-Voting

Abstract

Protecting the privacy of voters is a basic requirement of any electronic voting scheme, and formal definitions can be used to prove that a scheme satisfies privacy. In this work, we provide new game-based definitions of ballot secrecy for electronic voting schemes. First, we propose an intuitive definition in the honest model, i.e., a model in which all election officials are honest. Then, we show that this definition can be easily extended to the malicious ballot box setting and a setting that allows for a distributed tallier. In fact, to the best of our knowledge, we provide the first game-based definition of ballot secrecy that models both a malicious ballot box and a malicious subset of talliers. We demonstrate that our definitions of ballot secrecy are satisfiable, defining electronic voting scheme constructions which we prove satisfy our definitions. Finally, we revisit existing definitions, exploring their limitations and contextualising our contributions to the field.

Appendices

A Building Blocks for our Constructions

1.1 A.1 Public-Key Encryption

Definition 6

(PKE scheme) A public key encryption scheme \(\varPi \) is a tuple of PPT algorithms \((\varPi .\mathsf {Gen}, \varPi .\mathsf {Enc}, \varPi .\mathsf {Dec})\) such that

• On input security parameter , algorithm \(\varPi .\mathsf {Gen}\) outputs a key pair \((pk_\varPi ,sk_\varPi )\).

• \(\varPi .\mathsf {Enc}(pk_\varPi ,m)\) On input public key \(pk_\varPi \) and message m, algorithm \(\varPi .\mathsf {Enc}\) outputs a ciphertext c.

• \(\varPi .\mathsf {Dec}(sk_\varPi ,c)\) On input private key \(sk_\varPi \) and ciphertext c, algorithm \(\varPi .\mathsf {Dec}\) outputs a message m.

Definition 7

( \(\mathsf {NM}\text {-}\mathsf {CPA}\) ). A public key encryption scheme \(\varPi \) satisfies \(\mathsf {NM}\text {-}\mathsf {CPA}\) if, for any PPT adversary , there exists a negligible function such that

where is the experiment defined in Fig. 4.

Fig. 4.

The \(\mathsf {NM}\text {-}\mathsf {CPA}\) experiment for public key encryption scheme \(\varPi \) and the \(t\text {-}\mathsf {NM}\text {-}\mathsf {CPA}\) experiment for (t, n)-threshold public key encryption scheme \(\varPhi \).

1.2 A.2 Threshold Public Key Encryption

Definition 8

(Threshold PKE scheme) A (t, n)-threshold public key encryption scheme \(\varPhi \) is a tuple of PPT algorithms \((\varPhi .\mathsf {Gen}, \varPhi .\mathsf {Enc}, \varPhi .\mathsf {Dec}, \varPhi .\mathsf {Combine})\) such that

• On input security parameter , threshold t and n, algorithm \(\varPhi .\mathsf {Gen}\) outputs a public key \(pk_\varPhi \) and n private keys, \(sk_{\varPhi _1}, \dots , sk_{\varPhi _n}\).

• \(\varPhi .\mathsf {Enc}(pk_\varPhi ,m)\) On input public key \(pk_\varPhi \) and message m, algorithm \(\varPhi .\mathsf {Enc}\) outputs a ciphertext c.

• \(\varPhi .\mathsf {Dec}(pk_\varPhi ,i,sk_{\varPhi _i},c)\) On input public key \(pk_\varPhi \), an index \(1\le i\le n\), private key \(sk_{\varPhi _i}\) and ciphertext c, algorithm \(\varPhi .\mathsf {Dec}\) outputs a decryption share \(c_i\).

• \(\varPhi .\mathsf {Combine}(pk_\varPhi ,c,c_1,\dots ,c_t)\) On input public key \(pk_\varPhi \), ciphertext c and t decryption shares \(c_1,\dots ,c_t\), algorithm \(\varPhi .\mathsf {Combine}\) outputs a message m.

Definition 9

( \(t\text {-}\mathsf {NM}\text {-}\mathsf {CPA}\) ). A (t, n)-threshold public key encryption scheme \(\varPhi \) satisfies \(t\text {-}\mathsf {NM}\text {-}\mathsf {CPA}\) if, for any PPT adversary , there exists a negligible function such that

where is the experiment defined in Fig. 4.

1.3 A.3 Signature of Knowledge

Definition 10

(Signature of knowledge). A signature of knowledge \(\mathsf {SOK}\) is a tuple of algorithms \((\mathsf {SoK.Setup},\mathsf {SimSetup},\mathsf {SoK.Sign},\mathsf {SimSign},\mathsf {SoK.Verify})\) relative to a relation \(\mathcal {R}\) such that

• : on input security parameter , algorithm \(\mathsf {SoK.Setup}\) outputs public parameters pp.

• : on input security parameter , algorithm \(\mathsf {SimSetup}\) outputs public parameters pp and trapdoor \(\tau \).

• \(\mathsf {SoK.Sign}(pp,s,w,m)\): on input pp, statement s, witness w and message m, algorithm \(\mathsf {SoK.Sign}\) outputs a signature \(\sigma \) if \((s,w)\in \mathcal {R}\).

• \(\mathsf {SimSign}(pp,s,\tau ,m)\): on input pp, s, \(\tau \) and m, algorithm \(\mathsf {SimSign}\) outputs a signature \(\sigma \).

• \(\mathsf {SoK.Verify}(pp,s,m,\sigma )\): on input pp, s, m and \(\sigma \), algorithm \(\mathsf {SoK.Verify}\) outputs 1, if the signature verifies and 0 otherwise.

Definition 11

(Extractability). Let \(\mathsf {Extract}\) be a PPT algorithm such that

• \(\mathsf {Extract}(pp,\tau ,s,m,\sigma )\): on input public parameters pp, trapdoor \(\tau \), statement s, message m and signature \(\sigma \), algorithm \(\mathsf {Extract}\) outputs a witness w.

Then signature of knowledge \(\mathsf {SOK}\) satisfies extractability if, for all PPT adversaries , there exists a negligible function such that

where is the experiment defined in Fig. 5.

Fig. 5.

The extractability experiment for signature of knowledge \(\mathsf {SOK}\).

B Ballot Secrecy of our Constructions

1.1 B.1 Proof of Theorem 1

Let be an adversary in the experiment where \(\varGamma _{\mathsf {mini}}\) is the construction in Fig. 2. Assume that can output a bit \(\beta '\) such that \(\beta '=\beta \) and queries \(\mathcal {O}\mathsf {vote}\) and \(\mathcal {O}\mathsf {cast}\) such that \(V_0'=V_1'\). Then succeeds in experiment with probability non-negligibly greater than \(\frac{1}{2}\). We note that, throughout the experiment, can only gain information about \(\beta \) through access to the bulletin board \(\mathcal {BB}_{}\) and the election result r.

Let \(\mathsf {Forge}\) denote the event that submits a valid ballot \(b=(pk_{id_{}},c,\sigma )\) to \(\mathcal {O}\mathsf {cast}\) where \((\cdot ,pk_{id_{}},\cdot )\in \mathcal {Q}\mathsf {reg}\setminus \mathcal {Q}\mathsf {corrupt}\). We write that b is valid if \(\mathsf {Valid}(b,\mathcal {BB}_{},pk,\mathcal {L})=1\) which requires, in particular, that \(\mathsf {SoK.Verify}(pp,(c,pk_\varPi ,pk_{id_{}}),c,\sigma )=1\). Moreover, let \(\mathsf {Success}\) denote the event that experiment returns 1. Note that,

We show that and . The result of the Theorem then follows.

First, we show that . In fact, we show that, if can submit a valid ballot to \(\mathcal {O}\mathsf {corrupt}\), then can be used to construct an adversary \(\mathcal {B}\) in the extractability experiment , where \(\mathcal {B}\) plays the role of the challenger in the \(\mathsf {BS}\) experiment and \(\mathcal {C}\) is the challenger in the extractability experiment. In detail, we construct adversary \(\mathcal {B}\) as follows.

1. 1.

   \(\mathcal {B}\) obtains public parameters pp for signature of knowledge \(\mathsf {SOK}\) from \(\mathcal {C}\) and runs , and performs the setup of \(\varGamma _{\mathsf {mini}}\), providing with pk. \(\mathcal {B}\) additionally performs the initialisation steps of the \(\mathsf {BS}\) experiment and selects a bit \(\beta \leftarrow \{0,1\}\).

2. 2.

   \(\mathcal {B}\) answers queries to \(\mathcal {O}\mathsf {reg}\), \(\mathcal {O}\mathsf {corrupt}\) and \(\mathcal {O}\mathsf {board}\) as described in the \(\mathsf {BS}\) experiment. Moreover, \(\mathcal {B}\) computes the election result as described in algorithm \(\mathsf {Tally}\).

3. 3.

   For queries to \(\mathcal {O}\mathsf {vote}(pk_{id_{}},v_0,v_1)\), \(\mathcal {B}\) computes \(c\leftarrow \varPi .\mathsf {Enc}(pk_\varPi ,m_\beta ;r)\) and queries \(\mathcal {O}_{pp,\tau }((c,pk_\varPi ,pk_{id_{}}),(sk_{id_{}},r),c)\) in the extractability experiment, receiving a signature of knowledge \(\sigma \). \(\mathcal {B}\) constructs ballot \(b\leftarrow (pk_{id_{}},c,\sigma )\) and appends the ballot to \(\mathcal {BB}_{}\).

4. 4.

   \(\mathcal {B}\) answers queries to \(\mathcal {O}\mathsf {cast}\) as described in the \(\mathsf {BS}\) experiment. By assumption that event \(\mathsf {Forge}\) occurs, \(\mathsf {SoK.Verify}\) returns 1 for at least one tuple \((pk_{id_{}},b)\) queried to \(\mathcal {O}\mathsf {cast}\) such that \(pk_{id_{}}\in \mathcal {Q}\mathsf {reg}\setminus \mathcal {Q}\mathsf {corrupt}\). We denote this ballot as \((pk_{id_{}}^*,c^*,\sigma ^*)\). Then, \(\mathcal {B}\) output \(((c^*,pk_\varPi ,pk_{id_{}}^*),c^*,\sigma ^*)\) in the extractability experiment.

\(\mathcal {B}\) perfectly simulates the role of the challenger in the \(\mathsf {BS}\) experiment to . In fact, \(\mathcal {B}\) trivially simulates oracles \(\mathcal {O}\mathsf {reg}\), \(\mathcal {O}\mathsf {corrupt}\) and \(\mathcal {O}\mathsf {board}\), and trivially computes the result of the election and returns r to . Moreover, when queries \(\mathcal {O}\mathsf {vote}\), \(\mathcal {B}\) returns a ciphertext consisting of an encryption c that is identical to the encryption viewed by in the \(\mathsf {BS}\) experiment and obtains a signature of knowledge from \(\mathcal {O}\mathsf {}\) in the extractability experiment that is identical to the signature viewed by in the \(\mathsf {BS}\) experiment. Therefore, \(\mathcal {B}\) perfectly simulates \(\mathcal {O}\mathsf {vote}\) to . Furthermore, \(\mathcal {B}\) perfectly simulates \(\mathcal {O}\mathsf {cast}\) to and, if event \(\mathsf {Forge}\) occurs, successfully creates a valid signature of knowledge without witness \((sk_{id_{}},r)\), and, therefore, \(\mathcal {B}\) can output this signature in the extractability experiment and succeeds. By assumption, the signature of knowledge \(\mathsf {SOK}\) satisfies extractability, and hence, we conclude that .

We now show that . That is, we show that, if succeeds in the \(\mathsf {BS}\) experiment without event \(\mathsf {Forge}\) occurring, we can use to construct an adversary \(\mathcal {B}'\) in the \(\mathsf {NM}\text {-}\mathsf {CPA}\) experiment , where \(\mathcal {B}'\) plays the role of the challenger in the \(\mathsf {BS}\) experiment and \(\mathcal {C}\) is the challenger in the \(\mathsf {NM}\text {-}\mathsf {CPA}\) experiment against scheme \(\varPi \). In detail, we construct adversary \(\mathcal {B}'\) as follows.

1. 1.

   \(\mathcal {B}'\) obtains a public key \(pk_\varPi \) for public key encryption scheme \(\varPi \) from \(\mathcal {C}\), runs , and performs the setup of \(\varGamma _{\mathsf {mini}}\), providing with pk. \(\mathcal {B}'\) additionally performs the initialisation steps of the \(\mathsf {BS}\) experiment.

2. 2.

   \(\mathcal {B}'\) answers queries to oracles \(\mathcal {O}\mathsf {reg}\), \(\mathcal {O}\mathsf {corrupt}\), \(\mathcal {O}\mathsf {cast}\) and \(\mathcal {O}\mathsf {board}\) as described in the \(\mathsf {BS}\) experiment.

3. 3.

   For queries \(\mathcal {O}\mathsf {vote}(pk_{id_{}}, v_0,v_1)\), \(\mathcal {B}'\) queries \((m_0=v_0,m_1=v_1)\) to oracle \(\mathcal {O}\mathsf {Encrypt}\) in the \(\mathsf {NM}\text {-}\mathsf {CPA}\) experiment and receives a ciphertext c of \(m_\beta \). \(\mathcal {B}'\) then computes \(\sigma \leftarrow \mathsf {SimSign}(pp,(c,pk_\varPi ,pk_{id_{}}),\tau ,c)\) and appends ballot \(b=(pk_{id_{}},c,\sigma )\) to \(\mathcal {BB}_{}\).

4. 4.

   \(\mathcal {B}'\) computes the election result. Throughout, \(\mathcal {B}'\) keeps track of tuples \((pk_{id_{}},b)\) queried by to \(\mathcal {O}\mathsf {cast}\), such that the query results in a ballot that will be included in the result. We denote by B the set of all tuples of the form \((pk_{id_{}},b)\). \(\mathcal {B}'\) constructs a vector \(\mathbf {c}\) that consists of the ciphertext element of each ballot in B and submits \(\mathbf {c}\) to \(\mathcal {C}\). \(\mathcal {C}\) returns a vector of plaintexts \(\mathbf {m}\) (i.e., the plaintext votes encoded in ballots submitted to \(\mathcal {O}\mathsf {cast}\)) to \(\mathcal {B}'\). For each tuple \((pk_{id_{}},b)\in B\), \(\mathcal {B}'\) replaces ballot b with the corresponding plaintext included in vector \(\mathbf {m}\). \(\mathcal {B}'\) then computes the result r by computing the result function \(f(V_0\cup B)\).

5. 5.

   \(\mathcal {B}'\) returns the bit \(\beta '\) output by .

We show that \(\mathcal {B'}\) perfectly simulates the role of the challenger in the \(\mathsf {BS}\) experiment to . Trivially, \(\mathcal {B}'\) simulates oracles \(\mathcal {O}\mathsf {reg}\), \(\mathcal {O}\mathsf {corrupt}\), \(\mathcal {O}\mathsf {cast}\) and \(\mathcal {O}\mathsf {board}\) to . Additionally, \(\mathcal {B}'\) answers queries to \(\mathcal {O}\mathsf {vote}\) by obtaining a ciphertext from \(\mathcal {O}\mathsf {Encrypt}\) in the \(\mathsf {NM}\text {-}\mathsf {CPA}\) experiment that is identical to the encryption viewed by in the \(\mathsf {BS}\) experiment and constructs a signature of knowledge that is identical to that viewed by . Consequently, the ballot obtained by \(\mathcal {B}'\), and subsequently appended to the ballot box, is identical to the ballot computed by \(\mathcal {O}\mathsf {vote}\). Therefore, \(\mathcal {B}'\) perfectly simulates \(\mathcal {O}\mathsf {vote}\). Finally, \(\mathcal {B}'\) computes the result function for set \(V_0\) (and B). By the assumption that event \(\mathsf {Forge}\) does not occur, B cannot contain ballots meaningfully related to the votes of honest voters. Moreover, by assumption that succeeds in the \(\mathsf {BS}\) experiment, \(V_0=V_1\) and, as such, \(\mathcal {B}'\) perfectly simulates algorithm \(\mathsf {Tally}\) to . Moreover, we have that \(\beta '\) output by \(\mathcal {B}'\) is equal to the bit \(\beta \) chosen by \(\mathcal {C}\) in the \(\mathsf {NM}\text {-}\mathsf {CPA}\) experiment. In particular, if correctly guesses \(\beta '\) in the \(\mathsf {BS}\) experiment, correctly determines whether \(\mathcal {BB}_{}\) contains ballots corresponding to left- or right-hand votes submitted via \(\mathcal {O}\mathsf {vote}\). As these ballots are created by calling \(\mathcal {O}\mathsf {Encrypt}\) in the \(\mathsf {NM}\text {-}\mathsf {CPA}\) experiment where the bit \(\beta \) is chosen by the \(\mathsf {NM}\text {-}\mathsf {CPA}\) challenger, \(\mathcal {B}'\) succeeds in the \(\mathsf {NM}\text {-}\mathsf {CPA}\) experiment. However, by assumption, \(\varPi \) satisfies \(\mathsf {NM}\text {-}\mathsf {CPA}\) security and we conclude that .    \(\square \)

1.2 B.2 Proof of Theorem 2

The details of this result follow largely from the proof of Theorem 1. We let be an adversary in the experiment where \(\varGamma _{\mathsf {mini}}\) is the construction in Fig. 2. We assume that succeeds in experiment with probability non-negligibly greater than \(\frac{1}{2}\), that is, outputs a bit \(\beta '\) such that \(\beta '=\beta \) and constructs ballot box \(\mathcal {BB}_{}\) such that \(V_0=V_1\). Throughout the experiment, obtains information about \(\beta \) through ballots output by \(\mathcal {O}\mathsf {vote}\) and the election result r.

Let \(\mathsf {Forge}\) denote the event that posts a valid ballot \(b=(pk_{id_{}},c,\sigma )\) to \(\mathcal {BB}_{}\) where \(pk_{id_{}}\in \mathcal {L}\setminus \mathsf {corr}\mathcal {L}\) and b is not the output of \(\mathcal {O}\mathsf {vote}\). We write that b is valid if \(\mathsf {SoK.Verify}(pp,(c,pk_\varPi ,pk_{id_{}}),\sigma ,c)=1\). Moreover, let \(\mathsf {Success}\) denote the event that experiment returns 1. As before,

We show that and . The result of the Theorem then follows.

First, we show that . In fact, we show that, if can post a valid ballot to \(\mathcal {BB}_{}\) for an honest voter (without calling \(\mathcal {O}\mathsf {vote}\)), then can be used to construct an adversary \(\mathcal {B}\) in the extractability experiment , where \(\mathcal {B}\) plays the role of the challenger in the \(\mathsf {mbbBS}\) experiment and \(\mathcal {C}\) is the challenger in the extractability experiment. The detailed construction of \(\mathcal {B}\) is very similar to the adversary \(\mathcal {B}\) described in the proof of Theorem 1, and we refer the reader to this proof for full details. We describe the following changes to the adversary \(\mathcal {B}\):

1. 1.

   In step 2, \(\mathcal {B}\) does not answer queries to oracles \(\mathcal {O}\mathsf {reg}\), \(\mathcal {O}\mathsf {corrupt}\) or \(\mathcal {O}\mathsf {board}\) as does not have access to these oracles in the \(\mathsf {mbbBS}\) experiment.

2. 2.

   In step 4, by assumption that event \(\mathsf {Forge}\) occurs, \(\mathsf {SoK.Verify}\) returns 1 for at least one ballot, which we denote \(b^*=(pk_{id_{}}^*,c^*,\sigma ^*)\), that appears on \(\mathcal {BB}_{}\) such that \(pk_{id_{}}\in \mathcal {L}\setminus \mathsf {corr}\mathcal {L}\) and b is not the output of \(\mathcal {O}\mathsf {vote}\). Then, \(\mathcal {B}\) output \(((c^*,pk_\varPi ,pk_{id_{}}^*),c^*,\sigma ^*)\) in the extractability experiment.

\(\mathcal {B}\) perfectly simulates the role of the challenger in the \(\mathsf {mbbBS}\) experiment to . As in the proof of Theorem 1, \(\mathcal {B}\) perfectly simulates \(\mathcal {O}\mathsf {vote}\) to . Furthermore, if event \(\mathsf {Forge}\) occurs, successfully creates a valid signature without witness \((sk_{id_{}},r)\), and, therefore, \(\mathcal {B}\) can output this signature in the extractability experiment and succeeds. By assumption, the signature of knowledge \(\mathsf {SOK}\) satisfies extractability, and hence, we conclude that .

We now show that . That is, we show that, if succeeds in the \(\mathsf {NM}\text {-}\mathsf {CPA}\) experiment without event \(\mathsf {Forge}\) occurring, we can use to construct an adversary \(\mathcal {B}'\) in the \(\mathsf {NM}\text {-}\mathsf {CPA}\) experiment , where \(\mathcal {B}'\) plays the role of the challenger in the \(\mathsf {mbbBS}\) experiment and \(\mathcal {C}\) is the challenger in the \(\mathsf {NM}\text {-}\mathsf {CPA}\) experiment. Again, the detailed construction of \(\mathcal {B'}\) is very similar to the adversary \(\mathcal {B}'\) described in the proof of Theorem 1, and we describe the following changes to \(\mathcal {B'}\):

1. 1.

   Step 2 is no longer required as does not have access to oracles \(\mathcal {O}\mathsf {reg}\), \(\mathcal {O}\mathsf {corrupt}\) or \(\mathcal {O}\mathsf {board}\) in the \(\mathsf {mbbBS}\) experiment.

2. 2.

   For queries to \(\mathcal {O}\mathsf {vote}(pk_{id_{}},v_0,v_1)\), rather than appending ballot b to \(\mathcal {BB}_{}\), \(\mathcal {B}'\) outputs b to .

3. 3.

   To compute the election result, \(\mathcal {B}'\) creates a set B that consists of tuples \((pk_{id_{}},b)\) such that ballot b, submitted on behalf of voter credential \(pk_{id_{}}\), appears on \(\mathcal {BB}_{}\), is not an output of \(\mathcal {O}\mathsf {vote}\), and will be included in the result (i.e., is the last ballot cast for voter \(pk_{id_{}}\)). \(\mathcal {B}'\) then constructs vector \(\mathbf {c}\) from set B and proceeds to compute the election result as described in Step 4 in the proof of Theorem 1.

\(\mathcal {B}'\) perfectly simulates the role of the challenger in the \(\mathsf {mbbBS}\) experiment to . In particular, the ballot output by \(\mathcal {B}'\) following a query to \(\mathcal {O}\mathsf {vote}\) is identical to the ballot output by \(\mathcal {O}\mathsf {vote}\) because \(\mathcal {B}'\) obtains the ballot by querying \(\mathcal {O}\mathsf {Encrypt}\) in the \(\mathsf {NM}\text {-}\mathsf {CPA}\) experiment. Moreover, as in the proof of Theorem 1, \(\mathcal {B}'\) perfectly simulates algorithm \(\mathsf {Tally}\) to as we assume that \(V_0=V_1\) and, as such, the results computed for \(\beta =0\) and \(\beta =1\) are identical. \(\mathcal {B}'\) outputs \(\beta '=\beta \) in the \(\mathsf {NM}\text {-}\mathsf {CPA}\) experiment. That is, if outputs \(\beta '=\beta \) in the \(\mathsf {mbbBS}\) experiment, correctly determines whether \(\mathcal {O}\mathsf {vote}\) returns a ballot corresponding to the left- or right-hand vote. As the ballot is constructed by calling \(\mathcal {O}\mathsf {Encrypt}\), where \(\beta \) is chosen by the challenger \(\mathcal {C}\), \(\mathcal {B}'\) succeeds in the \(\mathsf {NM}\text {-}\mathsf {CPA}\) experiment. By assumption, \(\varPi \) satisfies \(\mathsf {NM}\text {-}\mathsf {CPA}\) security and we conclude that .    \(\square \)

1.3 B.3 Proof of Theorem 3

The details of this result follow largely from the proof of Theorem 2. We focus on the changes to the proof of Theorem 2. We let be an adversary in the experiment where \(\varGamma _{\mathsf {mini}}'\) is the construction described in Sect. 4.2. We assume that succeeds in experiment with probability non-negligibly greater than \(\frac{1}{2}\). We define events \(\mathsf {Forge}\) and \(\mathsf {Success}\) as in the proof of Theorem 2 and we show that and . The result of the Theorem then follows.

First, we show that . This part of the proof is identical to the proof of Theorem 2, with the following exceptions. In step 1 of the description of adversary \(\mathcal {B}\), \(\mathcal {B}\) runs and provides with \(t-1\) private keys of choice. Additionally, \(\mathcal {B}\) computes the result using the \(t-1\) private keys given to plus one other private key. As in the proof of Theorem 2, \(\mathcal {B}\) perfectly simulates the role of the challenger in the \(\mathsf {dtBS}\) experiment to . In particular, \(\mathcal {B}\) generates the keys for \(\varPhi \) and provides with \(t-1\) private keys as expected. This concludes the first part of the proof.

We now show that . We describe the following change to adversary \(\mathcal {B}'\). In step 1, \(\mathcal {B}'\) requests the \(t-1\) private keys from \(\mathcal {C}\) that requests, and \(\mathcal {B}'\) returns the private keys provided by \(\mathcal {C}\) to . Specific to the proof of this result, \(\mathcal {B}'\) returns private keys to that are identical to the private keys output to in the \(\mathsf {dtBS}\) experiment. Therefore, the second part of the proof holds.    \(\square \)