NM-CPA Secure Encryption with Proofs of Plaintext Knowledge

Abstract

NM-CPA secure asymmetric encryption schemes which prove plaintext knowledge are sufficient for secrecy and verifiability in some domains, for example, ballot secrecy and end-to-end verifiability in electronic voting. In these domains, some applications derive encryption schemes by coupling malleable IND-CPA secure ciphertexts with proofs of plaintext knowledge, without evidence that the sufficient condition is satisfied nor an independent security proof. Consequently, it is unknown whether these applications satisfy the desired secrecy and verifiability properties. In this paper, we propose a generic construction for such a coupling and prove that our construction produces NM-CPA secure encryption schemes which prove plaintext knowledge. Accordingly, we facilitate the development of applications satisfying their secrecy and verifiability objectives and, moreover, we make progress towards security proofs for existing applications.

A Proof of Theorem 1

Suppose \(\varGamma (\varPi , \varSigma ,k)\) does not satisfy IND-1-CPA, hence \(\mathsf{IND }{\text {-}}1{\text {-}}\mathsf{CPA }_{\mathcal A, \varGamma (\varPi , \varSigma ,k)}(\kappa ) \ge \mathsf {negl}(\kappa )\) for some adversary \(\mathcal {A} = (A_1, A_2)\), negligible function f, and security parameter \(\kappa \). We construct an adversary \(\mathcal {B} = (B_1, B_2)\) against IND-CPA using \(\mathcal A\). Let \(\mathsf {S}_i\) be an event such that \(b^* = b\) in the game i.

1.1 A.1 Game 0: IND-1-CPA

Game 0 is derived from IND-1-CPA by replacing the challenger with oracles:

1. 1.

   \(A_1\) takes \((pk, \mathfrak {m}')\) from the key generation oracle KG.

2. 2.

   \(A_1\) chooses \(M_0, M_1 \in \mathfrak {m}'\) such that \(|M_0| = |M_1|\) and sends \(M_0\) and \(M_1\) to the challenge oracle E. \(A_1\) outputs \((M_0, M_1, s)\), where s is some state.

3. 3.

   \(A_2\) takes \((M_0, M_1, s, C^*)\) from E, where \(C^*\) is a challenge ciphertext.

4. 4.

   \(A_2\) sends ciphertexts \((C'_1, \dots C'_m)\) to the decryption oracle D and D responds with the corresponding plaintexts \((M'_1, \dots , M'_m)\) or the error symbol \(\perp \).

5. 5.

   Finally, \(A_2\) outputs \(b' \in [0,1]\).

The challenge and decryption oracles are defined in Tables 1 and 2, and the key generation and random oracle are defined as follows.

• Key generation oracle KG. The oracle takes a security parameter \(\kappa \) as input, computes \(( pk , sk , \mathfrak {m}') \leftarrow \mathsf {Gen}'(\kappa )\), and outputs \((pk, \mathfrak {m}')\).

• Random oracle Chal. The oracle takes \((i, pk , c, \mathsf {comm})\) as input and if \(((i, pk , c,\mathsf {comm}), \mathsf {chal}) \in L_{Chal}\), then Chal outputs \(\mathsf {chal}\), otherwise, Chal chooses \(\mathsf {chal} \in \mathcal {CH}\) uniformly at random, where \(\mathcal {CH}\) is the range of \(\mathsf {Chal}\), outputs \(\mathsf {chal}\) and adds \(((i, pk , c, \mathsf {comm}), \mathsf {chal})\) to \(L_{Chal}\).

By definition of IND-1-CPA, we have: \( | \Pr [\mathsf {S}_0] - \frac{1}{2} | = \mathsf{IND }\text {-}1\text {-}\mathsf{CPA } _{\mathcal {A}, \varGamma } (\kappa ). \)

1.2 A.2 Game 1: Simulate Decryption Oracle

Game 1 uses simulation sound extractability to simulate the decryption oracle without knowledge of \( sk \). Formally, the simulation of the decryption oracle is presented in Table 2, where \(i^* \in [1,k]\) is chosen by \(\mathcal {B}\) uniformly at random. In the case \(c'_{i,j} = c_{b,i} \wedge i\not =i^*\), the simulator knows the plaintext \(m_{b,i}\) corresponding to \(c_{b,i}\). In the case \(c'_{i,j} \not = c_{b,i} \wedge i\not =i^*\), due to [8, Theorem 1], a plaintext \(m'_{i,j}\) and a coin \(r'_{i,j}\) can be extracted from the ciphertext \(c'_{i,j}\) with non-negligible probability using an extractor \(\mathcal {K}\). In the remaining case, \(m'_{k+1,j} = m'_{1,j} \oplus \dots \oplus m'_{i^*-1,j} \oplus m'_{i^*,j} \oplus m'_{i^* + 1,j} \oplus \dots \oplus m'_{k,j}\) and \(m'_{i^* ,j}\) can be computed as \(m'_{k+1,j} \oplus ^{-1} (m'_{1,j} \oplus \dots \oplus m'_{i^* -1,j} \oplus m'_{i^* + 1,j} \oplus \dots \oplus m'_{k,j})\).

Let \(\mathsf {F}_1\) be the event that occurs if \(\mathcal {K}\) cannot extract \(m'_{i,j}\) and \(r'_{i,j}\), i.e., \(c'_{i,j} \not = \mathsf {Enc}_{pk}(m'_{i,j}; r'_{i,j})\) or \(\mathcal {K}\) halts with no output. Game 0 and Game 1 are the same when \(\mathsf {F}_1\) does not occur. Since \(\mathsf {F}_1\) never occurs in Game 0, we have \(\Pr [\mathsf {S}_0] = \Pr [\mathsf {S}_1 | \lnot \mathsf {F}_1]\). Moreover, we have an extractor such that \(\Pr [\lnot \mathsf {F}_1] = \delta _1\), where \(\delta _1\) is a non-negligible (i.e., \(\delta _1\) is a success probability of \(\mathcal {K}\)). \(\mathcal {B}\) can detect whether \(F_1\) occurs, by checking \(c'_{i,j} = \mathsf {Enc}_{pk}(m'_{i,j}, r'_{i,j})\). Let \(\mathcal {B}\) decide \(b' \in \{ 0,1 \}\) uniformly at random if \(\mathsf {F}_1\) occurs, hence, \(\Pr [\mathsf {S}_1 | \mathsf {F}_1] = 1/2\). We have:

$$\begin{aligned} \Pr [\mathsf {S}_1]&= \Pr [\mathsf {S}_1 \wedge \lnot \mathsf {F}_1] + \Pr [\mathsf {S}_1 \wedge \mathsf {F}_1] = \Pr [\lnot \mathsf {F}_1] \cdot \Pr [ \mathsf {S}_1 | \lnot \mathsf {F}_1] + \Pr [ \mathsf {F}_1] \cdot \Pr [\mathsf {S}_1 | \mathsf {F}_1] \\&= \Pr [\lnot \mathsf {F}_1] \cdot \Pr [\mathsf {S}_0] + 1/2\cdot \Pr [\mathsf {F}_1] \\&= \delta _1 \cdot (1/2 + \mathsf{IND }\text {-}1\text {-}\mathsf{CPA }_{\mathcal {A}, \varGamma } (\kappa ) ) + 1/2\cdot (1- \delta _1 ) \\&= 1/2 + \delta _1 \cdot \mathsf{IND }\text {-}1 \text {-}\mathsf{CPA }_{\mathcal {A}, \varGamma } (\kappa ). \end{aligned}$$

Table 1. Challenge oracle and simulator E (Assume \(M_0 = (m_{0,1},\dots , m_{0,k})\) and \(M_1 = (m_{1,1},\dots , m_{1,k})\) are vectors of plaintexts, and parsing always succeeds. Let [1, k] be \(\{ 1, 2, \dots , k \}\), where k is a positive integer. Let \(\mathcal {R}\) be the random number space of \(\varPi \) and \(\varSigma \), and let \(\mathcal {CH}\) be the range of \(\mathsf {Chal}.\))

Table 2. Decryption oracle and simulator D (Assume \(\mathbf{C}'\) is a vector \((C'_1, \dots , C'_m)\) for some positive integer m represented by polynomial of the security parameter \(\kappa \). Let [1, k] be \(\{ 1, \dots , k \}\), where k is a positive integer. Assume each \(C'_j\) is a vector \((c'_{1,j}, \mathsf {comm}'_{1,j}, \mathsf {resp}'_{1,j},\) \(\dots , c'_{k,j}, \mathsf {comm}'_{k,j}, \mathsf {resp}'_{k,j},\) \(\mathsf {comm}'_{k+1, j}, \mathsf {resp}'_{k+1, j})\). We say \(c'_{i,j}\) is valid if \(\mathsf {Verify}(( pk , c'_{i, j}), (\mathsf {comm}'_{i, j}, \mathsf {chal}'_{i,j}, \mathsf {resp}'_{i, j})) = \top \). Let \(m_{b,i}\) be the plaintext encapsulated inside challenge ciphertext \(c_{b,i}\). The decryption oracle can obtain \(m_{b,i}\), because \(m_{b,i}\) is chosen by the challenge oracle, which is part of the simulator. Let \(\oplus ^{-1}\) be an inverse operator of \(\oplus .\))

1.3 A.3 Game 2: Simulate the Challenge Oracle

Game 2 uses the special honest verifier zero knowledge (special HVZK) property to simulate the challenge oracle. Table 1 formalises the simulator. By Definition 6, \(\mathcal {B}\) can compute \((\mathsf {comm}, \mathsf {resp})\) from a correct ciphertext c and challenge \(\mathsf {chal}\) such that \(\mathsf {Verify}((pk,c), (\mathsf {comm}, \mathsf {chall}, \mathsf {resp}))= {\top }\). But, if the random oracle has already been queried with \((i^*, pk , c_{b,i^*},\mathsf {comm}_{b,i^*})\) or \((k+1, pk , c_b, \mathsf {comm}_{b})\), then \(\mathcal {B}\) fails to compute the challenge ciphertext. Let \(\mathsf {F}_2\) be the event that \(\mathcal {B}\) fails. Game 1 and Game 2 are the same, when \(\mathsf {F}_2\) does not occur. Since \(\mathsf {F}_2\) never occurs in Game 1, we have \(\Pr [\mathsf {S}_1] = \Pr [\mathsf {S}_2 | \lnot \mathsf {F}_2]\). Let \(\Pr [\lnot \mathsf {F}_2] = \delta _2\). Since coins \(\{ r_j \}_{j \in [1,k]}\) are chosen from a large space, \(\delta _2\) is non-negligible. Let \(\mathcal {B}\) decide \(b' \in \{ 0,1 \}\) uniformly at random if \(\mathsf {F}_2\) occurs, hence, \(\Pr [\mathsf {S}_2 | \mathsf {F}_2] = 1/2\). We have

$$\begin{aligned} \Pr [\mathsf {S}_2]&= \Pr [\mathsf {S}_2 \wedge \mathsf {F}_2] + \Pr [\mathsf {S}_2 \wedge \lnot \mathsf {F}_2] = \Pr [\mathsf {F}_2] \cdot \Pr [\mathsf {S}_2 | \mathsf {F}_2] + \Pr [\lnot \mathsf {F}_2] \cdot \Pr [ \mathsf {S}_2 | \lnot \mathsf {F}_2] \nonumber \\&= 1/2\cdot \Pr [ \mathsf {F}_2] + \Pr [\lnot \mathsf {F}_2] \cdot \Pr [ \mathsf {S}_1 ] \nonumber \\&= 1/2\cdot (1- \delta _2) + \delta _2 \cdot (1/2 + \delta _1 {textsf{IND}}\text {-}1\text {-}\mathsf{CPA }_{\mathcal {A}, \varGamma } (\kappa )) \nonumber \\&= 1/2 + \delta _1 \cdot \delta _2 \cdot \mathsf{IND }\text {-}1\text {-}\mathsf{CPA }_{\mathcal {A}, \varGamma } (\kappa ) \end{aligned}$$

(1)

1.4 A.4 Game 3: Embed a Challenge Ciphertext

Game 3 embeds \(\mathcal {B}\)’s challenge ciphertext as the \(i^*\)th ciphertext in the vector of challenge ciphertexts sent to \(\mathcal {A}\). Formally, the embedding is handled by the decryption oracle (Table 2), where \(i^* \in [1,k]\) is chosen by \(\mathcal {B}\).

Let \(H_0\) be Game 2 modified such that b is always 1 and let \(H_n\) be Game 2 when b is always 0. For \(0 < i < k\), let \(H_i\) be \(H_{i-1}\) modified such that the first \(3\cdot i\) elements of the challenge ciphertext are generated from \(M_0\) and the remaining elements of the challenge ciphertext are generated from \(M_1\). If \(b^* = 1\), then the challenge ciphertext that \(\mathcal {B}\) inputs to \(\mathcal {A}\) is the same as the hybrid game \(H_{i^*-1}\), since \(c^* = c_{1,i^*} = \mathsf {Enc}_{ pk }(m_{1,i^*}; r_{i^*})\). Otherwise (\(b^*=0\)), \(\mathcal {B}\)’s input to \(\mathcal {A}\) is the same as the game \(H_{i^*}\), since \(c^* = c_{0,i^*} = \mathsf {Enc}_{ pk }(m_{0,i^*}; r_{i^*})\). Let \(\mathsf {E}_i\) be an event that occurs if \(\mathcal {A}\) outputs 1 in \(H_i\), then \(|\Pr [\mathsf {E}_{i-1}] - \Pr [\mathsf {E}_i]| \le \mathsf{IND }\text {-}\mathsf{CPA } _{\mathcal {B}, \varPi } (\kappa )\) holds. By a hybrid argument, we have

$$\begin{aligned} |\Pr [\mathsf {E}_{0}] - \Pr [\mathsf {E}_{k}]| \le \sum _{i=1}^{k} |\Pr [\mathsf {E}_{i-1}] - \Pr [\mathsf {E}_i]| \le k \cdot \mathsf{IND }\text {-}\mathsf{CPA } _{\mathcal {B}, \varPi } (\kappa ) \end{aligned}$$

(2)

Moreover, since

$$\begin{aligned} |2\cdot \Pr [\mathsf {S}_2] -1|&= |2\cdot (\Pr [\mathcal {A} \rightarrow 1 \text{ in } \text{ Game } \text{2 } \wedge b=1] \\&\qquad + \Pr [\mathcal {A} \rightarrow 0 \text{ in } \text{ Game } \text{2 } \wedge b=0]) -1| \\&= |2\cdot (\Pr [b=1] \cdot \Pr [\mathcal {A} \rightarrow 1 \text{ in } \text{ Game } \text{2 } | b=1] \\&\qquad + \Pr [b=0] \cdot \Pr [\mathcal {A} \rightarrow 0 \text{ in } \text{ Game } \text{2 } | b=0]) -1|\\&= |\Pr [\mathcal {A} \rightarrow 1 \text{ in } \text{ Game } \text{2 } | b=1] \\&\qquad + (1 - \Pr [\mathcal {A} \rightarrow 1 \text{ in } \text{ Game } \text{2 } | b=0]) -1| \\&= |\Pr [\mathsf {E}_0] + (1 - \Pr [\mathsf {E}_{k}]) -1| \\&= |\Pr [\mathsf {E}_0] - \Pr [\mathsf {E}_{k}]| \end{aligned}$$

We have, by (1), that

$$\begin{aligned} |\Pr [\mathsf {E}_0] - \Pr [\mathsf {E}_{k}]| = 2 \cdot \delta _1 \cdot \delta _2 \cdot {\mathsf{IND }\text {-}1\text {-}\mathsf{CPA }} _{\mathcal {A}, \varGamma } (\kappa ) \end{aligned}$$

(3)

We have \(2 \cdot \delta _1 \cdot \delta _2 \cdot \mathsf{IND }\)-1-\(\mathsf{CPA } _{\mathcal {A}, \varGamma } (\kappa ) \) is non-negligible. By (2) and (3), we have \(|\Pr [\mathsf {E}_{i-1}] - \Pr [\mathsf {E}_i]|\) is non-negligible too, i.e., \(\mathsf{IND }\)-1-\(\mathsf{CPA } _{\mathcal {B}, \varPi } (\kappa ) \) is non-negligible. It follows by Proposition 1 that \(\varGamma \) satisfies NM-CPA.    \(\Box \)