Tightly SIM-SO-CCA Secure Public Key Encryption from Standard Assumptions

Lyu, Lin; Liu, Shengli; Han, Shuai; Gu, Dawu

doi:10.1007/978-3-319-76578-5_3

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 10769))

Included in the following conference series:

IACR International Workshop on Public Key Cryptography

2717 Accesses
9 Citations

Abstract

Selective opening security (SO security) is desirable for public key encryption (PKE) in a multi-user setting. In a selective opening attack, an adversary receives a number of ciphertexts for possibly correlated messages, then it opens a subset of them and gets the corresponding messages together with the randomnesses used in the encryptions. SO security aims at providing security for the unopened ciphertexts. Among the existing simulation-based, selective opening, chosen ciphertext secure (SIM-SO-CCA secure) PKEs, only one (Libert et al. Crypto’17) enjoys tight security, which is reduced to the Non-Uniform LWE assumption. However, their public key and ciphertext are not compact.

In this work, we focus on constructing PKE with tight SIM-SO-CCA security based on standard assumptions. We formalize security notions needed for key encapsulation mechanism (KEM) and show how to transform these securities into SIM-SO-CCA security of PKE through a tight security reduction, while the construction of PKE from KEM follows the general framework proposed by Liu and Paterson (PKC’15). We present two KEM constructions with tight securities based on the Matrix Decision Diffie-Hellman assumption. These KEMs in turn lead to two tightly SIM-SO-CCA secure PKE schemes. One of them enjoys not only tight security but also compact public key.

You have full access to this open access chapter, Download conference paper PDF

SO-CCA Secure PKE in the Quantum Random Oracle Model or the Quantum Ideal Cipher Model

IBE with tight security against selective opening and chosen-ciphertext attacks

Article 16 April 2020

Simulation-Based Selective Opening CCA Security for PKE from Key Encapsulation Mechanisms

Keywords

These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

1 Introduction

Selective Opening Security. In the context of public key encryption (PKE), IND-CPA (CCA) security is widely believed to be the right security notion. However, multi-user settings enable more complicated attacks and the traditional IND-CPA (CCA) security may not be strong enough. Consider a scenario of N senders and one receiver. The senders encrypt N (possibly correlated) messages $\varvec{\mathrm {m}}_1,\cdots ,\varvec{\mathrm {m}}_N$ under the receiver’s public key $\mathsf {pk}$ using fresh randomnesses $\varvec{\mathrm {r}}_1,\cdots ,\varvec{\mathrm {r}}_N$ to get ciphertexts $\varvec{\mathrm {c}}_1,\cdots ,\varvec{\mathrm {c}}_N$, respectively, i.e., each sender i computes $\varvec{\mathrm {c}}_i=\textsf {Enc}(\mathsf {pk},\varvec{\mathrm {m}}_i;\varvec{\mathrm {r}}_i)$. Upon receiving the ciphertexts $\varvec{\mathrm {c}}_1,\cdots ,\varvec{\mathrm {c}}_N$, the adversary might be able to open a subset of them via implementing corruptions. Namely, by corrupting a subset of users, say $I\subset [N]$, the adversary obtains the messages $\{\varvec{\mathrm {m}}_i\}_{i\in I}$ together with the randomnesses $\{\varvec{\mathrm {r}}_i\}_{i\in I}$. Such an attack is called selective opening attack (SOA). It is desirable that the unopened ciphertexts $\{\varvec{\mathrm {c}}_i\}_{i\in [N]\backslash I}$ still protect the privacy of $\{\varvec{\mathrm {m}}_i\}_{i\in [N]\backslash I}$, which is exactly what the SO security concerns.

The potential correlation between $\{\varvec{\mathrm {m}}_i\}_{i\in I}$ and $\{\varvec{\mathrm {m}}_i\}_{i\in [N]\backslash I}$ hinders the use of hybrid argument proof technique. Hence, traditional IND-CPA security may not imply SO security. To date, there exist two types of SO security formalizations: indistinguishability-based SO security (IND-SO, [1, 2]) and simulation-based SO security (SIM-SO, [1, 5]). According to whether the adversary has access to a decryption oracle, these securities are further classified into IND-SO-CPA, IND-SO-CCA, SIM-SO-CPA and SIM-SO-CCA.

Intuitively, IND-SO security requires that, given public key $\mathsf {pk}$, ciphertexts $\{\varvec{\mathrm {c}}_i\}_{i\in [N]}$, the opened messages $\{\varvec{\mathrm {m}}_i\}_{i\in I}$ and randomnesses $\{\varvec{\mathrm {r}}_i\}_{i\in I}$ (together with a decryption oracle in the CCA case), the unopened messages $\{\varvec{\mathrm {m}}_i\}_{i\in [N]\backslash I}$ remain computationally indistinguishable from independently sampled messages conditioned on the already opened messages $\{\varvec{\mathrm {m}}_i\}_{i\in I}$. Accordingly, the IND-SO security usually requires the message distributions be efficiently conditionally re-samplable [1, 10, 11] (and such security is referred to as weak IND-SO security in [2]), which limits its application scenarios.

On the other hand, SIM-SO security is conceptually similar to semantic security [9]. It requires that the output of the SO adversary can be simulated by a simulator which only takes the opened messages $\{\varvec{\mathrm {m}}_i\}_{i\in I}$ as its input after it assigns the corruption set I. Since there is no restriction on message distribution, SIM-SO security has an advantage over IND-SO security from an application point of view. SIM-SO security was also shown to be stronger than (weak) IND-SO security in [2]. However, as shown in [13], SIM-SO security turns out to be significantly harder to achieve.

Generally speaking, there are two approaches to achieve SIM-SO-CCA security. The first approach uses lossy trapdoor functions [22], All-But-N lossy trapdoor functions [10] or All-But-Many lossy trapdoor functions [11] to construct lossy encryption schemes. If this lossy encryption has an efficient opener, then the resulting PKE scheme can be proven to be SIM-SO-CCA secure as shown in [1]. A DCR-based scheme in [11] and a LWE-based scheme in [18] are the only two schemes known to have such an opener. The second approach uses extended hash proof system and cross-authentication codes (XACs) [6]. As pointed out in [14, 15], a stronger property of XAC is required to make this proof rigorous. Following this line of research, Liu and Paterson proposed a general framework for constructing SIM-SO-CCA PKE from a special kind of key encapsulation mechanism (KEM) in combination with a strengthened XAC [19].

Tight Security Reductions. Usually, the security of a cryptographic primitive is established on the hardness of some underlying mathematical problems through a security reduction. It shows that any successful probabilistic polynomial-time (PPT) adversary $\mathcal {A}$ breaking the cryptographic primitive with advantage $\epsilon _{\mathcal {A}}$ can be transformed into a successful PPT problem solver $\mathcal {B}$ for the underlying hard problem with advantage $\epsilon _{\mathcal {B}}$. The ideal case is $\epsilon _{\mathcal {A}}=\epsilon _{\mathcal {B}}$. However, most reductions suffer from a loss in the advantage, for example, $\epsilon _{\mathcal {A}}=L\cdot \epsilon _{\mathcal {B}}$ where L is called security loss factor of the reduction. Smaller L always indicates a better security level for a fixed security parameter. For a PKE scheme, L usually depends on $\lambda $ (the security parameter) as well as $Q_e$ (the number of challenge ciphertexts) and $Q_d$ (the number of decryption queries). A security reduction for a PKE scheme is tight and the PKE scheme is called a tightly secure one [7, 12] if L depends only on the security parameter $\lambda $ ^{Footnote 1} (and is independent of both $Q_e$ and $Q_d$). Note that for concrete settings, $\lambda $ is much smaller than $Q_e$ and $Q_d$ (for example, $\lambda =80$ and $Q_e,Q_d$ can be as large as $2^{20}$ or even $2^{30}$ in some settings). Most reductions are not tight and it appears to be a non-trivial problem to construct tightly IND-CCA secure PKE schemes.

Among the existing SIM-SO-CCA secure PKEs, only one of them has a tight security reduction [18]. Very recently, Libert et al. [18] provide an all-but-many lossy trapdoor function with an efficient opener, leading to a tightly SIM-SO-CCA secure PKE based on the Non-Uniform LWE assumption. Note that, their construction relies on a specific tightly secure PRF which is computable in $\textsf {NC}^1$. So far, no construction of such a PRF based on standard LWE assumption is known, which is why their PKE has to rely on a non-standard assumption. Meanwhile, there is no PKE scheme enjoying both tight SIM-SO-CCA security and compact public key & ciphertext up to now.

1.1 Our Contribution

We explore how to construct tightly SIM-SO-CCA secure PKE based on standard assumptions. Following the KEM+XAC framework proposed in [19],

we characterize stronger security notions needed for KEM and present a tightness preserving security reduction, which shows the PKE is tightly SIM-SO-CCA secure as long as the underlying KEM is tightly secure;
we present two KEM instantiations and prove that their security can be tightly reduced to the Matrix Decision Diffie-Hellman (MDDH) assumption, thus leading to two tightly SIM-SO-CCA secure PKE schemes. One of them enjoys not only tight security but also compact public key.

1.2 Technique Overview

Roughly speaking, to prove the SIM-SO-CCA security of a PKE (see for Definition 1), for any PPT adversary, we need to construct a simulator and show that the adversary’s outputs are indistinguishable with those of the simulator. Naturally, such a simulator can be realized simply by simulating the entire real SO-CCA environment, invoking the adversary and returning the adversary’s outputs. However, due to lack of essential information like messages and randomnesses, the simulator is not able to provide a perfect environment directly. Therefore, both the PKE scheme and the simulator has to be carefully designed, so that the simulator is able to provide the adversary a computational indistinguishable environment. To this end, we have to solve two problems.

The first problem is how the simulator prepares ciphertexts for the adversary without knowing the messages.
The second problem is how the simulator prepares randomnesses for the adversary according to the opened messages $\{\varvec{\mathrm {m}}_i\}_{i\in I}$ that it receives later.

To solve the first problem, the simulator has to provide ciphertexts that are computational indistinguishable with real ciphertexts in the setting of selective opening (together with chosen-ciphertext attacks). As to the second problem, note that the adversary can always check the consistence between $\{\varvec{\mathrm {m}}_i\}_{i\in I},\{\varvec{\mathrm {c}}_i\}_{i\in I}$ and the randomnesses by re-encryption. Therefore, the simulator should not only provide indistinguishable ciphertexts but also be able to explain these ciphertexts as encryptions of any designated messages.

Liu and Paterson [19] solved these two problems and proposed a general framework for constructing SIM-SO-CCA secure PKE with the help of KEM in combination with XAC. Their PKE construction encrypts message in a bitwise manner. Suppose the message $\varvec{\mathrm {m}}$ has bit length $\ell $. If the i-th bit of $\varvec{\mathrm {m}}$ is 1 ($\varvec{\mathrm {m}}_i=1$), a pair of encapsulation $\psi _i$ and key $\gamma _i$ is generated from KEM, i.e., $(\psi _i,\gamma _i)\leftarrow _{\$}\textsf {KEnc}(\mathsf {pk}_{\textsf {kem}})$. If $\varvec{\mathrm {m}}_i=0$, a random pair is generated, i.e., $(\psi _i,\gamma _i)\leftarrow _{\$}\varPsi \times \varGamma $. Then a tag T is generated to bind up $(\gamma _1,\cdots ,\gamma _{\ell })$ and $(\psi _1,\cdots ,\psi _{\ell })$ via XAC. And the final ciphertext is $C=(\psi _1,\cdots ,\psi _{\ell },T)$.

They construct a simulator in the following way.

Without knowledge of the message, the simulator uses an encryption of $1^{\ell }$ as the ciphertext. Thus the encryption involves $\ell $ encapsulated pairs $(\psi _i,\gamma _i)\leftarrow _{\$}\textsf {KEnc}(\mathsf {pk}_{\textsf {kem}})$. The simulator then saves all the randomnesses used in these encapsulations.
When providing the randomnesses for the opened messages, the simulator checks the opened messages bit by bit. If a specific bit is 1, then the simulator outputs the original randomnesses and the simulation is perfect. Otherwise, the simulator views the encapsulated pair as a random pair. Then the simulator resamples randomnesses as if this pair is randomly chosen using these resampled randomnesses.

Thanks to the bit-wise encryption mode and the resampling property of spaces $\varPsi $ and $\varGamma $, an encapsulation pair (encrypting bit 1) can be easily explained as a random pair (encrypting bit 0). Therefore the second problem is solved.

To solve the first problem, one has to show that the encapsulated pairs and the random pairs are computationally indistinguishable. In [19], a special security named IND-tCCCA is formalized for KEM. This security guarantees that one encapsulated pair is computationally indistinguishable with one random pair even when a constrained decryption oracle is provided. With the help of IND-tCCCA security of KEM, the indistinguishability between the encryption of $1^{\ell }$ and the encryption of real messages are proved with $\ell $ hybrid arguments, each hybrid replacing only one encapsulated pair with one random pair.

To pursue tight security reduction, the $\ell $ hybrid arguments have to be avoided. To this end, we enhance the IND-tCCCA security and consider the pseudorandomness for multiple pairs even when a constrained decryption oracle is provided. This new security for KEM is formalized as mPR-CCCA security in Definition 5. Armed with this enhanced security, it is possible to replace the $\ell $ encapsulated pairs once for all in the security reduction from the SIM-SO-CCA security of PKE to the mPR-CCCA security of KEM. However, this gives rise to another problem. The SIM-SO-CCA adversary $\mathcal {A}$ may submit a fresh ciphertext which shares the same encapsulation $\psi $ with some challenge encapsulation. In the security reduction, the adversary $\mathcal {B}$, who invokes $\mathcal {A}$ to attack the mPR-CCCA security of KEM, cannot ask its own decapsulation oracle to decapsulate $\psi $ since $\psi $ is already embedded in some challenge ciphertext for $\mathcal {A}$. To solve this problem, we define another security notion for KEM, namely, the Random Encapsulation Rejection (RER) security of KEM (cf. Definition 6). Equipped with the RER security of KEM and a security of XAC, $\mathcal {B}$ could simply set 0 as the decryption bit for $\psi $.

Although the enhancement from IND-tCCCA to mPR-CCCA is conceptually simple, finding an mPR-CCCA secure KEM instantiation with tight reduction to standard assumptions is highly non-trivial. Inspired by the recent work on constructing tightly IND-CCA secure PKE [7, 8], we are able to give two tightly mPR-CCCA & RER secure KEM instantiations, one of which also enjoys compact public key.

1.3 Instantiation Overview

We provide two KEM instantiations.

The first KEM instantiation is inspired by a recent work in Eurocrypt’16. In the work [7], Gay et al. proposed the first tightly multi-challenge IND-CCA secure PKE scheme based on the MDDH assumption. From their PKE construction, we extract a KEM and tightly prove its mPR-CCCA security & RER security based on the MDDH assumption.^{Footnote 2}

The second KEM instantiation is contained in a very recent work by Gay et al. [8] in Crypto’17. In [8], a qualified proof system (QPS) is proposed to construct multi-challenge IND-CCCA secure KEM, which can be used to obtain a tightly multi-challenge IND-CCA secure PKE scheme with help of an authenticated encryption scheme. Note that our mPR-CCCA security is stronger than multi-challenge IND-CCCA security. To achieve mPR-CCCA security, we formalize a so-called Pseudorandom Simulated Proof property for QPS. We prove that if QPS has this property, the KEM from QPS is mPR-CCCA secure. Finally, we show that the QPS in [8] possesses the pseudorandom simulated proof property.

Compared with the first instantiation, the public key of our second KEM instantiation has a constant number of group elements. The compactness of public key is in turn transferred to the PKE, resulting in the first tightly SIM-SO-CCA secure PKE based on standard assumptions together with a compact public key.

2 Preliminaries

We use $\lambda $ to denote the security parameter in this work. Let $\varepsilon $ be the empty string. For $n\in \mathbb {N}$, denote by [n] the set $\{1,\cdots ,n\}$. Denote by $s_1,\cdots ,s_n\leftarrow _{\$}S$ the process of picking n elements uniformly from set S. For a PPT algorithm $\mathcal {A}$, we use $y\leftarrow \mathcal {A}(x;r)$ to denote the process of running $\mathcal {A}$ on input x with randomness r and assigning the deterministic result to y. Let $\mathcal {R}_{\mathcal {A}}$ be the randomness space of $\mathcal {A}$, we use $y\leftarrow _{\$}\mathcal {A}(x)$ to denote $y\leftarrow \mathcal {A}(x;r)$ where $r\leftarrow _{\$}\mathcal {R}_{\mathcal {A}}$. We use $\varvec{\mathrm {T}}(\mathcal {A})$ to denote the running time of $\mathcal {A}$, which is a polynomial in $\lambda $ if $\mathcal {A}$ is PPT.

We use boldface letters to denote vectors or matrices. For a vector $\varvec{\mathrm {m}}$ of finite dimension, $|\varvec{\mathrm {m}}|$ denotes the dimension of the vector and $\varvec{\mathrm {m}}_i$ denotes the i-th component of $\varvec{\mathrm {m}}$. For a set $I=\{i_1,i_2,\cdots ,i_{|I|}\}\subseteq [|\varvec{\mathrm {m}}|]$, define $\varvec{\mathrm {m}}_I:=(\varvec{\mathrm {m}}_{i_1},\varvec{\mathrm {m}}_{i_2},\cdots ,\varvec{\mathrm {m}}_{i_{|I|}})$. For all matrix $\varvec{\mathrm {A}}\in \mathbb {Z}_q^{\ell \times k}$ with $\ell >k$, $\overline{\varvec{\mathrm {A}}}\in \mathbb {Z}_q^{k\times k}$ denotes the upper square matrix of $\varvec{\mathrm {A}}$ and $\underline{\varvec{\mathrm {A}}}\in \mathbb {Z}_q^{(\ell -k)\times k}$ denotes the lower $\ell -k$ rows of $\varvec{\mathrm {A}}$. By $\textsf {span}(\varvec{\mathrm {A}}):=\{\varvec{\mathrm {Ar}}~|~\varvec{\mathrm {r}}\in \mathbb {Z}_q^k\}$, we denote the span of $\varvec{\mathrm {A}}$. By $\textsf {Ker}(\varvec{\mathrm {A}}^{\top })$, we denote the orthogonal space of $\textsf {span}(\varvec{\mathrm {A}})$. For $\ell =k$, we define the trace of $\varvec{\mathrm {A}}$ as the sum of all diagonal elements of $\varvec{\mathrm {A}}$, i.e., $\textsf {trace}(\varvec{\mathrm {A}}):=\sum _{i=1}^{k}\varvec{\mathrm {A}}_{i,i}$.

A function $f(\lambda )$ is negligible, if for every $c>0$ there exists a $\lambda _c$ such that $f(\lambda )<1/\lambda ^c$ for all $\lambda >\lambda _c$.

We use game-based security proof. The games are illustrated using pseudo-codes in figures. By a box in a figure, we denote that the codes in the box appears in a specific game. For example, means that $G_4$ contains the codes in , $G_5$ contains the codes in , and both of them contain codes in $\fbox {square box}$. Moreover, we assume that the unboxed codes are contained in all games. We use the notation $\mathrm{{Pr}}_i[\textsf {E}]$ to denote the probability that event $\textsf {E}$ occurs in game $G_i$, and use the notation $G\Rightarrow 1$ to denote the event that game G returns 1. All variables in games are initialized to $\bot $. We use “$\square $” to denote the end of proof of lemmas and use “$\blacksquare $” to denote the end of proof of theorems.

Due to space limitations, we refer to the full version of this paper [21] for the definitions of collision resistant hash function, universal hash function, public key encryption, the MDDH assumption and its random self-reducibility property, together with leftover hash lemma.

2.1 Prime-Order Groups

Let $\textsf {GGen}$ be a PPT algorithm that on input $1^{\lambda }$ returns $\mathcal {G}=(\mathbb {G},q,P)$, a description of an additive cyclic group $\mathbb {G}$ with a generator P of order q which is a $\lambda $-bit prime. For $a\in \mathbb {Z}_q$, define $[a]:=aP\in \mathbb {G}$ as the implicit representation of a in $\mathbb {G}$. More generally, for a matrix $\varvec{\mathrm {A}}=(a_{ij})\in \mathbb {Z}_q^{n\times m}$, we define $[\varvec{\mathrm {A}}]$ as the implicit representation of $\varvec{\mathrm {A}}$ in $\mathbb {G}$, i.e., $[\varvec{\mathrm {A}}]:=(a_{ij}P)\in \mathbb {G}^{n\times m}$. Note that from $[a]\in \mathbb {G}$ it is generally hard to compute the value a (discrete logarithm problem is hard in $\mathbb {G}$). Obviously, given $[a],[b]\in \mathbb {G}$ and a scalar $x\in \mathbb {Z}$, one can efficiently compute $[ax]\in \mathbb {G}$ and $[a+b]\in \mathbb {G}$. Similarly, for $\varvec{\mathrm {A}}\in \mathbb {Z}_q^{m\times n},\varvec{\mathrm {B}}\in \mathbb {Z}_q^{n\times t}$, given $\varvec{\mathrm {A}},\varvec{\mathrm {B}}$ or $[\varvec{\mathrm {A}}],\varvec{\mathrm {B}}$ or $\varvec{\mathrm {A}},[\varvec{\mathrm {B}}]$, one can efficiently compute $[\varvec{\mathrm {AB}}]\in \mathbb {G}^{m\times t}$.

2.2 Simulation-Based, Selective-Opening CCA Security of PKE

Let $\varvec{\mathrm {m}}$ and $\varvec{\mathrm {r}}$ be two vectors of dimension $n:=n(\lambda )$. Define $\mathsf {Enc}(\mathsf {pk},\varvec{\mathrm {m}};\varvec{\mathrm {r}}):=\left( \mathsf {Enc}(\mathsf {pk},\varvec{\mathrm {m}}_1;\varvec{\mathrm {r}}_1),\cdots ,\mathsf {Enc}(\mathsf {pk},\varvec{\mathrm {m}}_n;\varvec{\mathrm {r}}_n)\right) $ where $\varvec{\mathrm {r}}_i$ is a fresh randomness used for the encryption of $\varvec{\mathrm {m}}_i$ for $i\in [n]$. Then we review the SIM-SO-CCA security definition in [6]. Let $\mathcal {M}$ denote an n-message sampler, which on input a string $\alpha \in \{0,1\}^{*}$ outputs a message vector $\varvec{\mathrm {m}}$ of dimension n, i.e., $\varvec{\mathrm {m}}=(\varvec{\mathrm {m}}_1,\cdots ,\varvec{\mathrm {m}}_n)$. Let R be any PPT relation.

Definition 1

(SIM-SO-CCA Security). A PKE scheme $\mathsf {PKE}=(\mathsf {Gen},\mathsf {Enc},\mathsf {Dec})$ is simulation-based, selective-opening, chosen-ciphertext secure (SIM-SO-CCA secure) if for every PPT n-message sampler $\mathcal {M}$, every PPT relation R, every stateful PPT adversary $\mathcal {A}=(\mathcal {A}_1,\mathcal {A}_2,\mathcal {A}_3)$, there is a stateful PPT simulator $\mathcal {S}=(\mathcal {S}_1,\mathcal {S}_2,\mathcal {S}_3)$ such that $\textsf {Adv}^{\mathrm{so}\text {-}\mathrm{cca}}_{\mathsf {PKE},\mathcal {A},\mathcal {S},n,\mathcal {M},R}(\lambda )$ is negligible, where

$$\begin{aligned} \mathsf {Adv}^{\mathrm{so}\text {-}\mathrm{cca}}_{\mathsf {PKE},\mathcal {A},\mathcal {S},n,\mathcal {M},R}(\lambda ):=\left| \mathrm {Pr}\left[ \mathsf {Exp}^{\mathrm{so}\text {-}\mathrm{cca}\text {-}\mathrm{real}}_{\mathsf {PKE},\mathcal {A},n,\mathcal {M},R}(\lambda )=1\right] -\mathrm {Pr}\left[ \mathsf {Exp}^{\mathrm{so}\text {-}\mathrm{cca}\text {-}\mathrm{ideal}}_{\mathcal {S},n,\mathcal {M},R}(\lambda )=1\right] \right| . \end{aligned}$$

Experiments $\mathsf {Exp}^{\mathrm{so}\text {-}\mathrm{cca}\text {-}\mathrm{real}}_{\mathsf {PKE},\mathcal {A},n,\mathcal {M},R}(\lambda )$ and $\mathsf {Exp}^{\mathrm{so}\text {-}\mathrm{cca}\text {-}\mathrm{ideal}}_{\mathcal {S},n,\mathcal {M},R}(\lambda )$ are defined in Fig. 1. Here the restriction on $\mathcal {A}$ is that $\mathcal {A}_2,\mathcal {A}_3$ are not allowed to query the decryption oracle $\mathsf {Dec}(\cdot )$ with any challenge ciphertext $\varvec{\mathrm {C}}_i\in \varvec{\mathrm {C}}$.

2.3 Efficiently Samplable and Explainable (ESE) Domain

A domain $\mathcal {D}$ is said to be efficiently samplable and explainable (ESE) [6] if there exist two PPT algorithms $(\textsf {Sample}_{\mathcal {D}},\textsf {Sample}_{\mathcal {D}}^{-1})$ where $\textsf {Sample}_{\mathcal {D}}(1^{\lambda })$ outputs a uniform element over $\mathcal {D}$ and $\textsf {Sample}_{\mathcal {D}}^{-1}(x)$, on input $x\in \mathcal {D}$, outputs r that is uniformly distributed over the set $\{r\in \mathcal {R}_{\textsf {Sample}_{\mathcal {D}}}~|~\textsf {Sample}_{\mathcal {D}}(1^{\lambda };r)=x\}$.

It was shown by Damgård and Nielsen in [4] that any dense subset of an efficiently samplable domain is ESE as long as the dense subset admits an efficient membership test.

2.4 Cross-Authentication Codes

The concept of XAC was first proposed by Fehr et al. in [6] and later adapted to strong XAC in [15] and strengthened XAC in [17].

Definition 2

( $\ell $ -Cross-Authentication Code, XAC).

An $\ell $-cross-authentication code $\mathsf {XAC}$ (for $\ell \in \mathbb {N}$) consists of three PPT algorithms $(\mathsf {XGen},\mathsf {XAuth},\mathsf {XVer})$ and two associated spaces, the key space $\mathcal {XK}$ and the tag space $\mathcal {XT}$. The key generation algorithm $\mathsf {XGen}(1^{\lambda })$ outputs a uniformly random key $K\in \mathcal {XK}$, the authentication algorithm $\mathsf {XAuth}(K_1,$ $\cdots ,K_{\ell })$ takes $\ell $ keys $(K_1,\cdots ,K_{\ell })\in \mathcal {XK}^{\ell }$ as input and outputs a tag $T\in \mathcal {XT}$, and the verification algorithm $\mathsf {XVer}(K,T)$ outputs a decision bit.

Correctness. $\mathsf {fail}_{\mathsf {XAC}}(\lambda ):=\mathrm{{Pr}}[\mathsf {XVer}(K_i,\mathsf {XAuth}(K_1,\cdots ,K_{\ell }))\ne 1]$ is negligible for all $i\in [\ell ]$, where the probability is taken over $K_1,\cdots ,K_{\ell }\leftarrow _{\$}\mathcal {XK}$.

Security against impersonation and substitution attacks. Define where $\max $ is over all $T^{\prime }\in \mathcal {XT}$, and where $\max $ is over all $i\in [\ell ]$, all $K_{\ne i}:=(K_j)_{j\in [\ell \backslash i]}\in \mathcal {XK}^{\ell -1}$ and all (possibly randomized) functions $F:\mathcal {XT}\rightarrow \mathcal {XT}$. Then we say $\mathsf {XAC}$ is secure against impersonation and substitution attacks if both $\epsilon ^{\text {imp}}_{\mathsf {XAC}}(\lambda )$ and $\epsilon ^{\text {sub}}_{\mathsf {XAC}}(\lambda )$ are negligible.

Definition 3

(Strong and semi-unique XACs). An $\ell $-cross-authentication code $\mathsf {XAC}$ is strong and semi-unique if it has the following two properties.

Strongness [15]. There exists a PPT algorithm $\mathsf {ReSamp}$, which takes as input $T\in \mathcal {XT}$ and $i\in [\ell ]$, with $K_1,\cdots ,K_{\ell }\leftarrow _{\$}\mathsf {XGen}(1^{\lambda }), T\leftarrow \mathsf {XAuth}(K_1,\cdots ,K_{\ell })$, and outputs $\hat{K}_i\in \mathcal {XK}$, denoted by $\hat{K}_i\leftarrow _{\$}\mathsf {ReSamp}(T,i)$. Suppose for each fixed $(k_1,\cdots ,k_{\ell -1},t)\in (\mathcal {XK})^{\ell -1}\times \mathcal {XT}$, the statistical distance between $\hat{K}_i$ and $K_i$, conditioned on $(K_{\ne i},T)=(k_1,\cdots ,k_{\ell -1},t)$, is bounded by $\delta (\lambda )$, i.e.,

Then the code $\mathsf {XAC}$ is said to be $\delta (\lambda )$-strong or strong if $\delta (\lambda )$ is negligible.

Semi-uniqueness [17]. The code $\mathsf {XAC}$ is said to be semi-unique if $\mathcal {XK}=\mathcal {K}_x\times \mathcal {K}_y$, and given $T\in \mathcal {XT}$ and $K^x\in \mathcal {K}_x$, there exists at most one $K^y\in \mathcal {K}_y$ such that $\mathsf {XVer}((K^x,K^y),T)=1$.

See the full version [21] for a concrete XAC instantiation by Fehr et al. in [6].

3 Key Encapsulation Mechanism

In this section, we recall the definition of key encapsulation mechanism and formalize two new security notions for it.

Definition 4

(Key Encapsulation Mechanism). A KEM $\mathsf {KEM}$ is a tuple of PPT algorithms $(\mathsf {KGen},\mathsf {KEnc},\mathsf {KDec})$ such that, $\mathsf {KGen}(1^{\lambda })$ generates a (public, secret) key pair $(\mathsf {pk}_{\mathsf {kem}},\mathsf {sk}_{\mathsf {kem}})$; $\mathsf {KEnc}(\mathsf {pk}_{\mathsf {kem}})$ returns an encapsulation $\psi \in \varPsi $ and a key $\gamma \in \varGamma $, where $\varPsi $ is the encapsulation space and $\varGamma $ is the key space; $\mathsf {KDec}(\mathsf {sk}_{\mathsf {kem}},\psi )$ deterministically decapsulates $\psi $ with $\mathsf {sk}_{\mathsf {kem}}$ to get $\gamma \in \varGamma $ or $\bot $.

We say $\mathsf {KEM}$ is perfectly correct if for all $\lambda $, $\mathrm{{Pr}}[\mathsf {KDec}(\mathsf {sk}_{\mathsf {kem}},\psi )=\gamma ]=1,$ where $(\mathsf {pk}_{\mathsf {kem}},\mathsf {sk}_{\mathsf {kem}})\leftarrow _{\$}\mathsf {KGen}(1^{\lambda })$ and $(\psi ,\gamma )\leftarrow _{\$}\mathsf {KEnc}(\mathsf {pk}_{\mathsf {kem}})$.

3.1 mPR-CCCA Security for KEM

We formalize a new security notion for KEM, namely mPR-CCCA. Roughly speaking, mPR-CCCA security guarantees pseudorandomness of multiple $(\psi ,\gamma )$ pairs outputted by $\textsf {KEnc}$ even if a constrained decapsulation oracle is provided.

Definition 5

(mPR-CCCA Security for KEM). Let $\mathcal {A}$ be an adversary and $b\in \{0,1\}$ be a bit. Let $\mathsf {KEM}=(\mathsf {KGen},\mathsf {KEnc},\mathsf {KDec})$ be a KEM with encapsulation space $\varPsi $ and key space $\varGamma $. Define the experiment $\mathsf {Exp}^{\mathrm{mpr}\text {-}\mathrm{ccca}\text {-}b}_{\mathsf {KEM},\mathcal {A}}(\lambda )$ in Fig. 2.

In $\mathsf {Exp}^{\mathrm{mpr}\text {-}\mathrm{ccca}\text {-}b}_{\mathsf {KEM},\mathcal {A}}(\lambda )$, $\mathsf {pred}:\varGamma \cup \{\bot \}\rightarrow \{0,1\}$ denotes a PPT predicate and $\mathsf {pred}(\bot ):=0$. Let $Q_{\text {dec}}$ be the total number of decapsulation queries made by $\mathcal {A}$, which is independent of the environment without loss of generality. The uncertainty of $\mathcal {A}$ is defined as $uncert_{\mathcal {A}}(\lambda ):=\frac{1}{Q_{\text {dec}}}\sum _{i=1}^{Q_{\text {dec}}}\mathrm{{Pr}}_{\gamma \leftarrow _{\$}\varGamma }[\mathsf {pred}_i(\gamma )=1],$ where $\mathsf {pred}_i$ is the predicate in the i-th $\mathcal {O}_{\text {dec}}$ query.

We say $\mathsf {KEM}$ has multi-encapsulation pseudorandom security against constrained CCA adversaries (mPR-CCCA security) if for each PPT adversary $\mathcal {A}$ with negligible uncertainty $uncert_{\mathcal {A}}(\lambda )$, the advantage $\mathsf {Adv}_{\mathsf {KEM},\mathcal {A}}^{\mathrm{mpr}\text {-}\mathrm{ccca}}(\lambda )$ is negligible, where $\mathsf {Adv}_{\mathsf {KEM},\mathcal {A}}^{\mathrm{mpr}\text {-}\mathrm{ccca}}(\lambda ):=\left| \mathrm{{Pr}}\left[ \mathsf {Exp}^{\mathrm{mpr}\text {-}\mathrm{ccca}\text {-}0}_{\mathsf {KEM},\mathcal {A}}(\lambda )=1\right] -\mathrm{{Pr}}\left[ \mathsf {Exp}^{\mathrm{mpr}\text {-}\mathrm{ccca}\text {-}1}_{\mathsf {KEM},\mathcal {A}}(\lambda )=1\right] \right| $.

Note that the afore-defined mPR-CCCA security implies multi-challenge IND-CCCA security defined in [8].

3.2 RER Security of KEM

We define Random Encapsulation Rejection security for KEM which requires the decapsulation of a random encapsulation is rejected overwhelmingly.

Definition 6

(Random Encapsulation Rejection Security for KEM). Let $\mathsf {KEM}=(\mathsf {KGen},$ $\mathsf {KEnc},\mathsf {KDec})$ be a KEM with encapsulation space $\varPsi $ and key space $\varGamma $. Let $\mathcal {A}$ be a stateful adversary and $b\in \{0,1\}$ be a bit. Define the following experiment $\mathsf {Exp}^{\mathrm{rer}\text {-}b}_{\mathsf {KEM},\mathcal {A}}(\lambda )$ in Fig. 3.

In $\mathsf {Exp}^{\mathrm{rer}\text {-}b}_{\mathsf {KEM},\mathcal {A}}(\lambda )$, $\mathsf {pred}:\varGamma \cup \{\bot \}\rightarrow \{0,1\}$ denotes a PPT predicate and $\mathsf {pred}(\bot ):=0$. Let $Q_{\text {cha}}$ be the total number of $\mathcal {O}_{\text {cha}}$ queries made by $\mathcal {A}$, which is independent of the environment without loss of generality. The uncertainty of $\mathcal {A}$ is defined as $uncert_{\mathcal {A}}(\lambda ):=\frac{1}{Q_{\text {cha}}}\sum _{i=1}^{Q_{\text {cha}}}\mathrm{{Pr}}_{\gamma \leftarrow _{\$}{\varGamma }}[\mathsf {pred}_i(\gamma )=1],$ where $\mathsf {pred}_i$ is the predicate in the i-th $\mathcal {O}_{\text {cha}}$ query.

We say $\mathsf {KEM}$ has Random Encapsulation Rejection security (RER security) if for each PPT adversary $\mathcal {A}$ with negligible uncertainty $uncert_{\mathcal {A}}(\lambda )$, the advantage

$$\begin{aligned} \mathsf {Adv}_{\mathsf {KEM},\mathcal {A}}^\mathrm{rer}(\lambda ):=\left| \mathrm{{Pr}}\left[ \mathsf {Exp}^{\mathrm{rer}\text {-}0}_{\mathsf {KEM},\mathcal {A}}(\lambda )=1\right] -\mathrm{{Pr}}\left[ \mathsf {Exp}^{\mathrm{rer}\text {-}1}_{\mathsf {KEM},\mathcal {A}}(\lambda )=1\right] \right| \ is \ negligible. \end{aligned}$$

4 SIM-SO-CCA Secure PKE from KEM

4.1 PKE Construction

In Fig. 4, we recall the general framework for constructing SIM-SO-CCA secure PKE proposed in [19]. A small difference from [19] is that we make use of hash function $\mathsf {H}_1$ to convert the key space of KEM to the key space of XAC.

Ingredients. This construction uses the following ingredients.

$\textsf {KEM}=(\textsf {KGen},\textsf {KEnc},\textsf {KDec})$ with key space $\varGamma $ & ESE encapsulation space $\varPsi $.
$(\ell +1)$-XAC $\mathsf {XAC}$ with ESE key space $\mathcal {XK}=\mathcal {K}_x\times \mathcal {K}_y$.
Hash function $\textsf {H}_1:\varGamma \rightarrow \mathcal {XK}$ generated by hash function generator $\mathcal {H}_1(1^{\lambda })$.
Hash function $\textsf {H}_2:\varPsi ^{\ell }\rightarrow \mathcal {K}_y$ generated by hash function generator $\mathcal {H}_2(1^{\lambda })$.

4.2 Tight Security Proof of PKE

In this subsection, we prove the SIM-SO-CCA security of $\mathsf {PKE}$ with tight reduction to the security of KEM. We state our main result in the following theorem.

Theorem 1

Suppose the KEM $\mathsf {KEM}$ is mPR-CCCA and RER secure, the $(\ell +1)$-cross-authentication code $\mathsf {XAC}$ is $\delta (\lambda )$-strong, semi-unique, and secure against impersonation and substitution attacks; $\mathcal {H}_1$ is universal; $\mathcal {H}_2$ outputs collision resistant function. Then the PKE scheme $\mathsf {PKE}$ constructed in Fig. 4 is SIM-SO-CCA secure. More precisely, for each PPT adversary $\mathcal {A}=(\mathcal {A}_1,\mathcal {A}_2,\mathcal {A}_3)$ against $\mathsf {PKE}$ in the SIM-SO-CCA real experiment, for each PPT n-message sampler $\mathcal {M}$, and each PPT relation R, we can construct a stateful PPT simulator $\mathcal {S}=(\mathcal {S}_1,\mathcal {S}_2,\mathcal {S}_3)$ for the SIM-SO-CCA ideal experiment and PPT adversaries $\mathcal {B}_1,\mathcal {B}_2,\mathcal {B}_3$ with $\varvec{\mathrm {T}}(\mathcal {B}_1)\approx \varvec{\mathrm {T}}(\mathcal {B}_2)\approx \varvec{\mathrm {T}}(\mathcal {B}_3)\le \varvec{\mathrm {T}}(\mathcal {A})+Q_{\text {dec}}\cdot \mathsf {poly}(\lambda )$, such that

$$\begin{aligned} \mathsf {Adv}^{\mathrm{so}\text {-}\mathrm{cca}}_{\mathsf {PKE},\mathcal {A},\mathcal {S},n,\mathcal {M},R}(\lambda )\le & {} \mathsf {Adv}_{\mathsf {KEM},\mathcal {B}_2}^{\mathrm{mpr}\text {-}\mathrm{ccca}}(\lambda ) +\mathsf {Adv}_{\mathsf {KEM},\mathcal {B}_3}^\mathrm{rer}(\lambda ) +\ell \cdot Q_\mathrm{{dec}}\cdot \epsilon ^\mathrm{sub}_{\mathsf {XAC}}(\lambda )\nonumber \\+ & {} 2\mathsf {Adv}^\mathrm{cr}_{\mathcal {H},\mathcal {B}_1}(\lambda ) +(n\ell )\cdot (\delta (\lambda )+\varDelta ), \end{aligned}$$

(1)

where $Q_{\text {dec}}$ denotes the total number of $\mathcal {A}$’s decryption oracle queries, $\mathsf {poly}(\lambda )$ is a polynomial independent of $\varvec{\mathrm {T}}(\mathcal {A})$ and $\varDelta =\frac{1}{2}\cdot \sqrt{|\mathcal {XK}|/|\varGamma |}$.

Remark. If we instantiate the construction with the information-theoretically secure XAC in [6] and choose proper set $\mathcal {XK}$ and $\varGamma $, then $\varDelta ,\delta (\lambda )$, $\epsilon ^{\text {imp}}_{\mathsf {XAC}}(\lambda )$ and $\epsilon ^{\text {sub}}_{\mathsf {XAC}}(\lambda )$ are all exponentially small in $\lambda $. Then (1) turns out to be

$$\begin{aligned} \textsf {Adv}^{\mathrm{so}\text {-}\mathrm{cca}}_{\mathsf {PKE},\mathcal {A},\mathcal {S},n,\mathcal {M},R}(\lambda )\le \textsf {Adv}_{\textsf {KEM},\mathcal {B}_2}^{\mathrm{mpr}\text {-}\mathrm{ccca}}(\lambda ) +\textsf {Adv}_{\textsf {KEM},\mathcal {B}_3}^{\mathrm{rer}}(\lambda ) +2\textsf {Adv}^\mathrm{cr}_{\mathcal {H},\mathcal {B}_1}(\lambda ) +2^{-\varOmega (\lambda )}. \end{aligned}$$

If the underlying KEM has tight mPR-CCCA security and RER security, then our PKE turns out to be tightly SIM-SO-CCA secure.

Proof of Theorem 1. For each PPT adversary $\mathcal {A}=(\mathcal {A}_1,\mathcal {A}_2,\mathcal {A}_3)$, we can construct a stateful PPT simulator $\mathcal {S}=(\mathcal {S}_1,\mathcal {S}_2,\mathcal {S}_3)$ as shown in Fig. 5.

The differences between the real and the ideal experiments lie in two aspects. The first is how the challenge ciphertext vector is generated and the second is how the corrupted ciphertexts are opened. In other words, the algorithms $\textsf {SimCtGen}$ and $\textsf {SimOpen}$ used by the simulator differ from the real experiment. In the proof, we focus on these two algorithms and gradually change them through a series of games starting with game $G_0$ and ending with game $G_9$, with adjacent games being proved to be computationally indistinguishable. The full set of games are illustrated in Fig. 6.

Game $G_0$ is exactly the ideal experiment $\textsf {Exp}^{\mathrm{so}\text {-}\mathrm{cca}\text {-}\mathrm{ideal}}_{\mathcal {S},n,\mathcal {M},R}(\lambda )$. Hence

$$\begin{aligned} \mathrm{{Pr}}\left[ \textsf {Exp}^\mathrm{{so}\text {-}\mathrm{cca}\text {-}\mathrm{ideal}}_{\mathcal {S},n,\mathcal {M},R}(\lambda )=1\right] ={\mathrm{{Pr}}_{0}}[G\Rightarrow 1]. \end{aligned}$$

(2)

The only difference between $G_1$ and $G_0$ is that a collision check for $\textsf {H}_2$ is added in $G_1$ and $G_1$ aborts if a collision is found. More precisely, we use a set $\mathcal {Q}$ to log all the (input, output) pairs for $\textsf {H}_2$ in algorithm $\textsf {SimCtGen}$. Then in the $\mathsf {Dec}$ oracle, if there exists a usage of $\textsf {H}_2$ such that its output collides with some output in $\mathcal {Q}$ but with different inputs, then a collision for $\textsf {H}_2$ is found and the game $G_1$ aborts immediately. It is straightforward to build a PPT adversary $\mathcal {B}_1$ with $\varvec{\mathrm {T}}(\mathcal {B}_1)\approx \varvec{\mathrm {T}}(\mathcal {A})+Q_{\text {dec}}\cdot \textsf {poly}(\lambda )$, where $\textsf {poly}(\lambda )$ is a polynomial independent of $\varvec{\mathrm {T}}(\mathcal {A})$, such that,

$$\begin{aligned} \left| \mathrm{{Pr}}_0[G\Rightarrow 1]-\mathrm{{Pr}}_1[G\Rightarrow 1]\right| \le \textsf {Adv}^\mathrm{cr}_{\mathcal {H},\mathcal {B}_1}(\lambda ). \end{aligned}$$

(3)

$G_2$ is essentially the same as $G_1$ except for one conceptual change in the $\mathsf {Dec}$ oracle. More precisely, for a $\mathsf {Dec}(C=(\psi _1,\cdots ,\psi _{\ell },T))$ query such that $\exists (i,j)\in [n]\times [\ell ],\eta \in [\ell ]\text { s.t. }\varvec{\mathrm {m}}_{i,j}=0\wedge \psi _{\eta }=\psi _{i,j}$,

in $G_1$, we proceed exactly the same as the decryption algorithm, i.e.,
$$ \text {set} \varvec{\mathrm {m}}^{\prime }_{\eta }\leftarrow \mathsf {XVer}(\textsf {H}_1(\gamma _{\eta }^{\prime }),T) \text { where } \gamma _{\eta }^{\prime }=\textsf {KDec}(\mathsf {sk}_{\textsf {kem}},\psi _{\eta }); $$
in $G_2$, we set $\varvec{\mathrm {m}}^{\prime }_{\eta }\leftarrow \mathsf {XVer}(K_{i,j},T)$.

Since $\psi _{\eta }=\psi _{i,j}$, $\gamma _{\eta }^{\prime }=\textsf {KDec}(\mathsf {sk}_{\textsf {kem}},\psi _{\eta })$ and $(\psi _{i,j},\gamma _{i,j})$ is the output of $\mathsf {KEnc}(\mathsf {pk}_{\textsf {kem}})$, we have that $\gamma _{\eta }^{\prime }=\gamma _{i,j}$ due to the perfect correctness of $\textsf {KEM}$. Then $K_{i,j}=\textsf {H}_1(\gamma _{i,j})=\textsf {H}_1(\gamma _{\eta }^{\prime })$. Thus the difference between $G_1$ and $G_2$ is only conceptual, and it follows

$$\begin{aligned} \mathrm{{Pr}}_1[G\Rightarrow 1]=\mathrm{{Pr}}_2[G\Rightarrow 1]. \end{aligned}$$

(4)

$G_3$ is almost the same as $G_2$ except for one change in the $\textsf {SimCtGen}$ algorithm.

In $G_2$, all $(\psi _{i,j},\gamma _{i,j})$ pairs are the output of $\mathsf {KEnc}(\mathsf {pk}_{\textsf {kem}})$.
In $G_3$, for $\varvec{\mathrm {m}}_{i,j}=1$, $(\psi _{i,j},\gamma _{i,j})$ pairs are the output of $\mathsf {KEnc}(\mathsf {pk}_{\textsf {kem}})$;

for $\varvec{\mathrm {m}}_{i,j}=0$, $(\psi _{i,j},\gamma _{i,j})$ pairs are uniformly selected from $\varPsi \times \varGamma $.

We will reduce the indistinguishability between game $G_2$ and $G_3$ to the mPR-CCCA security of $\textsf {KEM}$. Given $\mathcal {A}=(\mathcal {A}_1,\mathcal {A}_2,\mathcal {A}_3)$, we can build a PPT adversary $\mathcal {B}_2$ with $\varvec{\mathrm {T}}(\mathcal {B}_2)\approx \varvec{\mathrm {T}}(\mathcal {A})$ and uncertainty $uncert_{\mathcal {B}_2}(\lambda )\le \epsilon ^{\text {imp}}_{\mathsf {XAC}}(\lambda )+\varDelta $ such that

$$\begin{aligned} \left| \mathrm{{Pr}}_2[G\Rightarrow 1]-\mathrm{{Pr}}_3[G\Rightarrow 1]\right| \le \textsf {Adv}_{\textsf {KEM},\mathcal {B}_2}^{\mathrm{mpr}\text {-}\mathrm{ccca}}(\lambda ). \end{aligned}$$

(5)

On input $\mathsf {pk}_{\textsf {kem}}$, $\mathcal {B}_2$ selects $\textsf {H}_1,\textsf {H}_2$ and $K^x$ itself and embeds $\mathsf {pk}_{\textsf {kem}}$ in $\mathsf {pk}=(\mathsf {pk}_{\textsf {kem}},\textsf {H}_1,$ $\textsf {H}_2,K^x)$. In the first phase, $\mathcal {B}_2$ calls $\mathcal {A}_1^{\mathsf {Dec}(\cdot )}(\mathsf {pk})$. To respond the decryption query $\mathsf {Dec}(C=(\psi _1,\cdots ,\psi _{\ell },T))$ submitted by $\mathcal {A}$, $\mathcal {B}_2$ simulates $\mathsf {Dec}$ until it needs to call $\textsf {KDec}(\mathsf {sk}_{\textsf {kem}},\psi _{\eta })$ to decapsulate $\psi _{\eta }$. Since $\mathcal {B}_2$ does not possess $\mathsf {sk}_{\textsf {kem}}$ relative to $\mathsf {pk}_{\textsf {kem}}$, $\mathcal {B}_2$ is not able to invoke $\textsf {KDec}$ itself. Then $\mathcal {B}_2$ submits a $\mathcal {O}_{\text {dec}}(\textsf {pred},\psi _{\eta })$ query to its own oracle $\mathcal {O}_{\text {dec}}$ where $\textsf {pred}(\cdot ):=\mathsf {XVer}(\textsf {H}_1(\cdot ),T)$. Clearly, this predicate is a PPT one. If the response of $\mathcal {O}_{\text {dec}}$ is $\bot $, $\mathcal {B}_2$ sets $\varvec{\mathrm {m}}_{\eta }^{\prime }$ to 0. Otherwise $\mathcal {B}_2$ sets $\varvec{\mathrm {m}}_{\eta }^{\prime }$ to 1.

Case 1: $\mathcal {O}_{\text {dec}}(\mathsf {XVer}(\textsf {H}_1(\cdot ),T),\psi _{\eta })=\bot $. This happens if and only if

$$ \psi _{\eta }\in \varvec{\mathrm {\psi }}_{\text {enc}}\vee \mathsf {XVer}(\textsf {H}_1(\textsf {KDec}(\mathsf {sk}_{\textsf {kem}},\psi _{\eta })),T)=0.$$

In the first phase, $\mathcal {B}_2$ has not submitted any $\mathcal {O}_{\text {enc}}$ query yet and $\varvec{\mathrm {\psi }}_{\text {enc}}$ is empty. So $\psi _{\eta }\notin \varvec{\mathrm {\psi }}_{\text {enc}}$. In this case, $\mathcal {O}_{\text {dec}}(\mathsf {XVer}(\textsf {H}_1(\cdot ),T),\psi _{\eta })=\bot $ if and only if

$$\mathsf {XVer}(\textsf {H}_1(\textsf {KDec}(\mathsf {sk}_{\textsf {kem}},\psi _{\eta })),T)=0. $$

Therefore $\mathcal {B}_2$ perfectly simulates the $\textsf {Dec}$ oracle in $G_2(G_3)$ by setting $\varvec{\mathrm {m}}_{\eta }^{\prime }\leftarrow 0$.

Case 2: $\mathcal {O}_{\text {dec}}(\mathsf {XVer}(\textsf {H}_1(\cdot ),T),\psi _{\eta })\ne \bot $. This happens if and only if

$$ \psi _{\eta }\notin \varvec{\mathrm {\psi }}_{\text {enc}}\wedge \mathsf {XVer}(\textsf {H}_1(\textsf {KDec}(\mathsf {sk}_{\textsf {kem}},\psi _{\eta })),T)=1. $$

For the same reason as case 1, the condition $\psi _{\eta }\notin \varvec{\mathrm {\psi }}_{\text {enc}}$ always holds. In this case, $\mathcal {O}_{\text {dec}}(\mathsf {XVer}(\textsf {H}_1(\cdot ),T),\psi _{\eta })\ne \bot $ if and only if $\mathsf {XVer}(\textsf {H}_1(\textsf {KDec}(\mathsf {sk}_{\textsf {kem}},\psi _{\eta })),T)=1$. Therefore $\mathcal {B}_2$ perfectly simulates the $\textsf {Dec}$ oracle in $G_2(G_3)$ by setting $\varvec{\mathrm {m}}_{\eta }^{\prime }\leftarrow 1$.

In either case, $\mathcal {B}_2$ can perfectly simulate the $\textsf {Dec}$ oracle for $\mathcal {A}_1$. At the end of this phase, $\mathcal {B}_2$ gets $\mathcal {A}_1$’s output $(\alpha ,a_1)$. Then $\mathcal {B}_2$ calls $\varvec{\mathrm {m}}\leftarrow _{\$}\mathcal {M}(\alpha )$ and simulates algorithm $\textsf {SimCtGen}(\mathsf {pk})$.

If $\varvec{\mathrm {m}}_{i,j}=1$, $\mathcal {B}_2$ proceeds just like game $G_2(G_3)$, i.e., $(\psi _{i,j},\gamma _{i,j})\leftarrow _{\$}\mathsf {KEnc}(\mathsf {pk}_{\textsf {kem}})$ and set $K_{i,j}\leftarrow \textsf {H}_1(\gamma _{i,j})$.
If $\varvec{\mathrm {m}}_{i,j}=0$, $\mathcal {B}_2$ submits an $\mathcal {O}_{\text {enc}}()$ query to its own oracle and gets the response $(\psi ,\gamma )$ ($\psi $ is added into set $\varvec{\mathrm {\psi }}_{\text {enc}}$). Then $\mathcal {B}_2$ sets $(\psi _{i,j},\gamma _{i,j})\leftarrow (\psi ,\gamma )$.

If $b=1$, $(\psi ,\gamma )$ is the output of $\textsf {KEnc}(\mathsf {pk}_{\textsf {kem}})$, $\mathcal {B}_2$ perfectly simulates $\textsf {SimCtGen}(\mathsf {pk})$ to generate challenge ciphertexts $\varvec{\mathrm {C}}$ in $G_2$.

If $b=0$, $(\psi ,\gamma )$ is uniformly over $\varPsi \times \varGamma $, $\mathcal {B}_2$ perfectly simulates $\textsf {SimCtGen}(\mathsf {pk})$ to generate challenge ciphertexts $\varvec{\mathrm {C}}$ in $G_3$.

In the second phase, $\mathcal {B}_2$ calls $\mathcal {A}_2^{\mathsf {Dec}_{\notin \varvec{\mathrm {C}}}(\cdot )}(a_1,\varvec{\mathrm {C}})$ to get $(I,a_2)$. Upon an decryption query $\mathsf {Dec}_{\notin \varvec{\mathrm {C}}}(C=(\psi _1,\cdots ,\psi _{\ell },T))$ submitted by $\mathcal {A}_2$, $\mathcal {B}_2$ responds almost in the same way as in the first phase, except that $\mathcal {B}_2$ has to deal with the case of $\exists \psi _{\eta }\in \varvec{\mathrm {\psi }}_{\text {enc}}$. This case does happen: even if $C=(\psi _1,\cdots ,\psi _{\ell },T)\notin \varvec{\mathrm {C}}$, it is still possible that $\exists \psi _{\eta }\in \{\psi _i\}_{i\in [\ell ]}\text { with }\psi _{\eta }\in \varvec{\mathrm {\psi }}_{\text {enc}}$. In this case, there is no chance for $\mathcal {B}_2$ to submit an $\mathcal {O}_{\text {dec}}(\textsf {pred},\psi _{\eta })$ query for a useful response because the response will always be $\bot $. However, it does not matter. By the specification of $G_2(G_3)$, $\varvec{\mathrm {m}}^{\prime }_{\eta }$ should be set to the output of $\mathsf {XVer}(K_{i,j},T)$ which $\mathcal {B}_2$ can perfectly do.

Note that the execution of algorithm $\textsf {SimOpen}$ in game $G_2(G_3)$ does not need all information about $\varvec{\mathrm {R}}$. Only those randomnesses with respect to $\varvec{\mathrm {m}}_{i,j}=1$ are needed. Now that $\mathcal {B}_2$ does have $I,\varvec{\mathrm {m}}_I,\varvec{\mathrm {C}},\varvec{\mathrm {K}}$ and part of $\varvec{\mathrm {R}}$ (for $\varvec{\mathrm {m}}_{i,j}=1$), it can call $\textsf {SimOpen}(I,\varvec{\mathrm {m}}_I,\varvec{\mathrm {C}},\varvec{\mathrm {R}},\varvec{\mathrm {K}})$ to get $\hat{\varvec{\mathrm {R}}}_I$.

In the third phase, $\mathcal {B}_2$ calls $\mathcal {A}_3^{\mathsf {Dec}_{\notin \varvec{\mathrm {C}}}(\cdot )}(a_2,\varvec{\mathrm {m}}_I,\hat{\varvec{\mathrm {R}}}_I)$ to get $out_{\mathcal {A}}$. The $\mathsf {Dec}_{\notin \varvec{\mathrm {C}}}$ query submitted by $\mathcal {A}$ in this phase is responded by $\mathcal {B}_2$ in the same way as in the second phase. Finally, $\mathcal {B}_2$ outputs $R(\varvec{\mathrm {m}},I,out_{\mathcal {A}})$.

According to the above analysis, $\mathcal {B}_2$ perfectly simulates $G_2$ for $\mathcal {A}$ if $b=1$ and perfectly simulates $G_3$ for $\mathcal {A}$ if $b=0$. Moreover, for $\gamma \leftarrow _{\$}\varGamma $, $\textsf {H}_1(\gamma )$ is $\varDelta $-close to uniform by leftover hash lemma since $\textsf {H}_1$ is universal. Then

$$\begin{aligned} \mathop {\mathrm{{Pr}}}\limits _{{\gamma \leftarrow _{\$}\varGamma }}[\textsf {pred}(\gamma )=1]=\mathop {\mathrm{{Pr}}}\limits _{{\gamma \leftarrow _{\$}\varGamma }}[\mathsf {XVer}(\textsf {H}_1(\gamma ),T)=1]\le \epsilon ^\mathrm{imp}_{\mathsf {XAC}}(\lambda )+\varDelta . \end{aligned}$$

By the definition of uncertainty, we have.

$$\begin{aligned} uncert_{\mathcal {B}_2}(\lambda )\le \epsilon ^\mathrm{imp}_{\mathsf {XAC}}(\lambda )+\varDelta . \end{aligned}$$

(6)

Thus (5) follows.

$G_4$ is almost the same as $G_3$ except for one change in the $\textsf {SimCtGen}$ algorithm. In the $\textsf {SimCtGen}$ algorithm, if $\varvec{\mathrm {m}}_{i,j}=0$,

in $G_3$, $K_{i,j}\leftarrow \textsf {H}_1(\gamma _{i,j})$ for $\gamma _{i,j}\leftarrow _{\$}\varGamma $;
in $G_4$, $K_{i,j}$ is uniformly selected from $\mathcal {XK}$.

Since $\textsf {H}_1$ is universal, by leftover hash lemma and a union bound, we have that

$$\begin{aligned} \left| \mathrm{{Pr}}_3[G\Rightarrow 1]-\mathrm{{Pr}}_4[G\Rightarrow 1]\right| \le (n\ell )\cdot \varDelta . \end{aligned}$$

(7)

$G_5$ is almost the same as $G_4$ except for one change in the $\mathsf {Dec}$ oracle. More precisely, to reply a $\mathsf {Dec}_{\notin \varvec{\mathrm {C}}}(C=(\psi _1,\cdots ,\psi _{\ell },T))$ query such that $\exists (i,j)\in [n]\times [\ell ],\eta \in [\ell ]\text { s.t. }\varvec{\mathrm {m}}_{i,j}=0\wedge \psi _{\eta }=\psi _{i,j}$,

in $G_4$, we set $\varvec{\mathrm {m}}^{\prime }_{\eta }\leftarrow \mathsf {XVer}(K_{i,j},T)$;
in $G_5$, we set $\varvec{\mathrm {m}}^{\prime }_{\eta }\leftarrow 0$ directly.

Suppose $\psi _{\eta }=\psi _{i,j}\in \varvec{\mathrm {C}}_i=(\psi _{i,1},\cdots ,\psi _{i,\ell },T_i)$ where $T_i=\mathsf {XAuth}(K_{i,1},\cdots ,K_{i,\ell +1})$. There are two cases according to whether $T=T_i$.

Case 1: $T=T_i$. In this case, since $C\notin \varvec{\mathrm {C}}$, we have that $(\psi _1,\cdots ,\psi _{\ell })\ne (\psi _{i,1},\cdots ,\psi _{i,\ell })$. Note that $K^{y}_i=\textsf {H}_2(\psi _{i,1},\cdots ,\psi _{i,\ell })$ and $K^{y\prime }=\textsf {H}_2(\psi _1,\cdots ,\psi _{\ell })$. If $K^{y}_i=K^{y\prime }$, a collision for $\textsf {H}_2$ occurs, both $G_4$ and $G_5$ abort. Otherwise, we must have $K^{y\prime }\ne K^{y}_i$, hence $K_{\ell +1}^{\prime }=(K^x,K^{y\prime })\ne (K^x,K^y_i)=K_{i,\ell +1}$. Since $\mathsf {XAC}$ is semi-unique and $\mathsf {XVer}(K_{i,\ell +1},T)=1$, it holds that $\mathsf {XVer}(K_{\ell +1}^{\prime },T)\ne 1$ which implies that $\varvec{\mathrm {m}}^{\prime }_{\eta }=0$. In this case, the responses of $\mathsf {Dec}_{\notin \varvec{\mathrm {C}}}$ make no difference in $G_4$ and $G_5$.

Case 2: $T\ne T_i$. Note that all the information about $K_{i,j}$ is leaked to $\mathcal {A}$ only through $T_i$ in game $G_4$. Thus, the probability that $\mathsf {XVer}(K_{i,j},T)=1$ for $T\ne T_i$ will be no more than $\epsilon ^\mathrm{sub}_{\mathsf {XAC}}(\lambda )$.

By a union bound, we have that

$$\begin{aligned} \left| \mathrm{{Pr}}_4[G\Rightarrow 1]-\mathrm{{Pr}}_5[G\Rightarrow 1]\right| \le \ell \cdot Q_{\text {dec}}\cdot \epsilon ^\mathrm{sub}_{\mathsf {XAC}}(\lambda ). \end{aligned}$$

(8)

$G_6$ is almost the same as $G_5$ except for one change in the $\mathsf {Dec}$ oracle. More precisely, for a $\mathsf {Dec}(C=(\psi _1,\cdots ,\psi _{\ell },T))$ query such that $\exists (i,j)\in [n]\times [\ell ]\text { s.t. }\varvec{\mathrm {m}}_{i,j}=0\wedge \psi _{\eta }=\psi _{i,j}$ for any $\eta \in [\ell ]$,

in $G_5$, we set $\varvec{\mathrm {m}}^{\prime }_{\eta }\leftarrow 0$ directly;
in $G_6$, we proceed exactly the same as the decryption algorithm, i.e., setting $\varvec{\mathrm {m}}^{\prime }_{\eta }\leftarrow \mathsf {XVer}(\textsf {H}_1(\gamma _{\eta }^{\prime }),T)$, where $\gamma _{\eta }^{\prime }=\textsf {KDec}(\mathsf {sk}_{\textsf {kem}},\psi _{\eta })$.

We will reduce the indistinguishability between game $G_5$ and $G_6$ to the RER security of $\textsf {KEM}$. More precisely, we can build a PPT adversary $\mathcal {B}_3$ with $\varvec{\mathrm {T}}(\mathcal {B}_3)\approx \varvec{\mathrm {T}}(\mathcal {A})$ and with uncertainty $uncert_{\mathcal {B}_3}(\lambda )\le \epsilon ^\mathrm{imp}_{\mathsf {XAC}}(\lambda )+\varDelta $ such that

$$\begin{aligned} \left| \mathrm{{Pr}}_5[G\Rightarrow 1]-\mathrm{{Pr}}_6[G\Rightarrow 1]\right| \le \textsf {Adv}_{\textsf {KEM},\mathcal {B}_3}^\mathrm{rer}(\lambda ). \end{aligned}$$

(9)

On input $\mathsf {pk}_{\textsf {kem}}$, $\mathcal {B}_3$ selects $\textsf {H}_1,\textsf {H}_2$ and $K^x$ itself and embeds $\mathsf {pk}_{\textsf {kem}}$ in $\mathsf {pk}=(\mathsf {pk}_{\textsf {kem}},\textsf {H}_1,$ $\textsf {H}_2,K^x)$. In the first phase, $\mathcal {B}_3$ calls $\mathcal {A}_1^{\mathsf {Dec}(\cdot )}(\mathsf {pk})$. To respond the decryption query $\mathsf {Dec}(C=(\psi _1,\cdots ,\psi _{\ell },T))$ submitted by $\mathcal {A}$, $\mathcal {B}_3$ simulates $\mathsf {Dec}$ until it needs to call $\textsf {KDec}(\mathsf {sk}_{\textsf {kem}},\psi _{\eta })$ to decapsulate $\psi _{\eta }$. Since $\mathcal {B}_3$ does not hold $\mathsf {sk}_{\textsf {kem}}$ relative to $\mathsf {pk}_{\textsf {kem}}$, $\mathcal {B}_3$ is not able to invoke $\textsf {KDec}$ itself. Then $\mathcal {B}_3$ submits a $\mathcal {O}_{\text {cha}}(\textsf {pred},\psi )$ query to its own oracle $\mathcal {O}_{\text {cha}}$ where $\textsf {pred}(\cdot ):=\mathsf {XVer}(\textsf {H}_1(\cdot ),T)$ and $\psi =\psi _{\eta }$. Clearly, this predicate is a PPT one. Since $\varvec{\mathrm {\psi }}_{\text {ran}}$ is empty set in this phase, the condition $\psi \notin \varvec{\mathrm {\psi }}_{\text {ran}}$ will always hold and $\mathcal {B}_3$ will get a bit $\beta =\textsf {pred}(\textsf {KDec}(\mathsf {sk}_{\textsf {kem}},\psi ))=\mathsf {XVer}(\textsf {H}_1(\textsf {KDec}(\mathsf {sk}_{\textsf {kem}},\psi _{\eta })),T)$ in return. Then $\mathcal {B}_3$ sets $\varvec{\mathrm {m}}_{\eta }^{\prime }\leftarrow \beta $ and perfectly simulates $\mathsf {Dec}$ for $\mathcal {A}$ in this phase.

At the end of this phase, $\mathcal {B}_3$ gets $\mathcal {A}$’s output $(\alpha ,a_1)$. Then $\mathcal {B}_3$ calls $\varvec{\mathrm {m}}\leftarrow _{\$}\mathcal {M}(\alpha )$ and then simulates algorithm $\textsf {SimCtGen}(\mathsf {pk})$ as follows. $\mathcal {B}_3$ first outputs $1^{n\ell }$ and get $\varvec{\mathrm {\psi }}_{\text {ran}}=\{\psi ^{\text {ran}}_1,\cdots ,\psi ^{\text {ran}}_{n\ell }\}$ which are $n\ell $ random encapsulations. During the generation of the challenge ciphertexts, $\mathcal {B}_3$ sets $(\psi _{i,j},K_{i,j})$ according to $\varvec{\mathrm {m}}$.

If $\varvec{\mathrm {m}}_{i,j}=1$, $\mathcal {B}_3$ sets $(\psi _{i,j},\gamma _{i,j})\leftarrow _{\$}\mathsf {KEnc}(\mathsf {pk}_{\textsf {kem}})$ and sets $K_{i,j}\leftarrow \textsf {H}_1(\gamma _{i,j})$.
If $\varvec{\mathrm {m}}_{i,j}=0$, $\mathcal {B}_3$ sets $\psi _{i,j}\leftarrow \psi ^{\text {ran}}_{(i-1)\ell +j}$ and $K_{i,j}\leftarrow _{\$}\mathcal {XK}$. Since $(i,j)\in [n]\times [\ell ]$, the subscript $(i-1)\ell +j\in \{1,\cdots ,n\ell \}$ is well defined.

Then $\mathcal {B}_3$ proceeds just like algorithm $\textsf {SimCtGen}(\mathsf {pk})$ in game $G_5(G_6)$.

In the second phase, $\mathcal {B}_3$ calls $\mathcal {A}_2^{\mathsf {Dec}_{\notin \varvec{\mathrm {C}}}(\cdot )}(a_1,\varvec{\mathrm {C}})$ to get $(I,a_2)$. To respond the decryption query $\mathsf {Dec}_{\notin \varvec{\mathrm {C}}}(C=(\psi _1,\cdots ,\psi _{\ell },T))$ submitted by $\mathcal {A}$, $\mathcal {B}_3$ proceeds just like game $G_5(G_6)$. When a decapsulation of $\psi _{\eta }$ is needed, $\mathcal {B}_3$ submits a $\mathcal {O}_{\text {cha}}(\textsf {pred},\psi _{\eta })$ query to its own oracle $\mathcal {O}_{\text {cha}}$ where $\textsf {pred}(\cdot ):=\mathsf {XVer}(\textsf {H}_1(\cdot ),T)$. After that, $\mathcal {B}_3$ will get a bit $\beta $ in return and $\mathcal {B}_3$ sets $\varvec{\mathrm {m}}_{\eta }^{\prime }\leftarrow \beta $. Note that

In case of $\psi _{\eta }\notin \varvec{\mathrm {\psi }}_{\text {ran}}$, $\varvec{\mathrm {m}}_{\eta }^{\prime }=\mathsf {XVer}(\textsf {H}_1(\textsf {KDec}(\mathsf {sk}_{\textsf {kem}},\psi _{\eta })),T)$, which is exactly how $\varvec{\mathrm {m}}_{\eta }^{\prime }$ is computed in both game $G_5$ and $G_6$.
In case of $\psi _{\eta }\in \varvec{\mathrm {\psi }}_{\text {ran}}$, there must exist $(i,j)\in [n]\times [\ell ]\text { s.t. }\varvec{\mathrm {m}}_{i,j}=0\,\wedge \,\psi _{\eta }=\psi _{i,j}$. Thus $\varvec{\mathrm {m}}_{\eta }^{\prime }=\mathsf {XVer}(\textsf {H}_1(\textsf {KDec}(\mathsf {sk}_{\textsf {kem}},\psi _{\eta })),T)$ if $b=1$ and $\varvec{\mathrm {m}}_{\eta }^{\prime }=0$ if $b=0$. The former case is exactly how $\varvec{\mathrm {m}}_{\eta }^{\prime }$ is computed in game $G_6$ and the latter case is exactly how $\varvec{\mathrm {m}}_{\eta }^{\prime }$ is computed in game $G_5$.

As a result, $\mathcal {B}_3$ perfectly simulates $\mathsf {Dec}_{\notin \varvec{\mathrm {C}}}$ in the second phase of game $G_5$ for $\mathcal {A}$ if $b=0$ and perfectly simulates $\mathsf {Dec}_{\notin \varvec{\mathrm {C}}}$ in the second phase of game $G_6$ for $\mathcal {A}$ if $b=1$. After $\mathcal {B}_3$ gets $(I,a_2)$, $\mathcal {B}_3$ is able to call $\textsf {SimOpen}(I,\varvec{\mathrm {m}}_I,\varvec{\mathrm {C}},\varvec{\mathrm {R}},\varvec{\mathrm {K}})$ to get $\hat{\varvec{\mathrm {R}}}_I$ for the similar reason as in the proof of $G_2-G_3$.

In the third phase, $\mathcal {B}_3$ calls $\mathcal {A}_3^{\mathsf {Dec}_{\notin \varvec{\mathrm {C}}}(\cdot )}(a_2,\varvec{\mathrm {m}}_I,\hat{\varvec{\mathrm {R}}}_I)$ to get $out_{\mathcal {A}}$. The $\mathsf {Dec}_{\notin \varvec{\mathrm {C}}}$ query submitted by $\mathcal {A}$ in this phase is responded using the same way as in the second phase. Finally, $\mathcal {B}_3$ outputs $R(\varvec{\mathrm {m}},I,out_{\mathcal {A}})$.

Thus $\mathcal {B}_3$ perfectly simulates $G_6$ for $\mathcal {A}$ if $b=1$ and perfectly simulates $G_5$ for $\mathcal {A}$ if $b=0$. Similar to (6), $uncert_{\mathcal {B}_3}(\lambda )\le \epsilon ^\mathrm{imp}_{\mathsf {XAC}}(\lambda )+\varDelta .$ Thus (9) follows.

$G_7$ is almost the same as $G_6$ except for one change in the $\textsf {SimOpen}$ algorithm. More precisely,

in $G_6$, $\hat{r}_{i,j}^K$ is the output of $\textsf {Sample}^{-1}_{\mathcal {XK}}(\hat{K}_{i,j})$ where $\hat{K}_{i,j}\leftarrow _{\$}\mathsf {ReSamp}(T_i,j)$;
in $G_7$, $\hat{r}_{i,j}^K$ is the output of $\textsf {Sample}^{-1}_{\mathcal {XK}}(K_{i,j})$ for the original $K_{i,j}$ generated in algorithm $\textsf {SimCtGen}$.

In game $G_6$ and $G_7$, before the invocation of algorithm $\textsf {SimOpen}$, only $T_i$ leaks information about $K_{i,j}$ to $\mathcal {A}$ when $\varvec{\mathrm {m}}_{i,j}=0$. Since $\mathsf {XAC}$ is $\delta (\lambda )$-strong, the statistical distance between the resampled $\hat{K}_{i,j}\leftarrow _{\$}\mathsf {ReSamp}(T_i,j)$ and the original $K_{i,j}$ is at most $\delta (\lambda )$. By a union bound, we have that

$$\begin{aligned} \left| \mathrm{{Pr}}_6[G\Rightarrow 1]-\mathrm{{Pr}}_7[G\Rightarrow 1]\right| \le (n\ell )\cdot \delta (\lambda ). \end{aligned}$$

(10)

$G_8$ is almost the same as $G_7$ except for the dropping of the collision check added in $G_1$. Similar to the proof of $G_0-G_1$, we can show that

$$\begin{aligned} \left| \mathrm{{Pr}}_7[G\Rightarrow 1]-\mathrm{{Pr}}_8[G\Rightarrow 1]\right| \le \textsf {Adv}^\mathrm{cr}_{\mathcal {H},\mathcal {B}_1}(\lambda ). \end{aligned}$$

(11)

$G_9$ is almost the same as $G_8$ except for one change in $\textsf {SimOpen}$. More precisely,

in $G_8$, the opened randomness is a “reverse sampled” randomness, i.e., $\hat{r}_{i,j}^K\leftarrow _{\$}\textsf {Sample}^{-1}_{\mathcal {XK}}(K_{i,j})$ and $\hat{r}_{i,j}^{\psi }\leftarrow _{\$}\textsf {Sample}^{-1}_{\varPsi }(\psi _{i,j})$;
in $G_9$, the opened randomness $(\hat{r}_{i,j}^K,\hat{r}_{i,j}^{\psi })$ is changed to be the original randomness used to sample $K_{i,j}$ and $\psi _{i,j}$, i.e., $(\hat{r}_{i,j}^K,\hat{r}_{i,j}^{\psi })\leftarrow (r_{i,j}^K,r_{i,j}^{\psi })$.

This change is conceptual since $\varPsi $ and $\mathcal {XK}$ are ESE domains. Thus

$$\begin{aligned} \mathrm{{Pr}}_8[G\Rightarrow 1]=\mathrm{{Pr}}_9[G\Rightarrow 1]. \end{aligned}$$

(12)

Game $G_9$ is exactly the real experiment $\textsf {Exp}^{\mathrm{so}\text {-}\mathrm{cca}\text {-}\mathrm{real}}_{\mathsf {PKE},\mathcal {A},n,\mathcal {M},R}(\lambda )$. Thus

$$\begin{aligned} \mathrm{{Pr}}_9[G\Rightarrow 1]=\mathrm{{Pr}}\left[ \textsf {Exp}^{\mathrm{so}\text {-}\mathrm{cca}\text {-}\mathrm{real}}_{\mathsf {PKE},\mathcal {A},n,\mathcal {M},R}(\lambda )=1\right] . \end{aligned}$$

(13)

Finally, Theorem 1 follows from (2, 3, 4, 5, 7, 8, 9, 10, 11, 12) and (13). $\blacksquare $

5 Instantiations

We give two instantiations of KEM with mPR-CCCA security and RER security.

5.1 KEM from MDDH

We present a KEM which is extracted from the multi-challenge IND-CCA secure PKE proposed by Gay et al. in [7]. The KEM $\mathsf {KEM}_{\textsf {mddh}}=(\mathsf {KGen},\mathsf {KEnc},\mathsf {KDec})$ is shown in Fig. 7.

Suppose $\mathcal {G}=(\mathbb {G},q,P)\leftarrow _{\$}\mathsf {GGen}(1^{\lambda })$ and $\mathcal {H}$ is a hash generator outputting functions $\textsf {H}:\mathbb {G}^k\rightarrow \{0,1\}^{\lambda }$. For a vector $\varvec{\mathrm {y}}\in \mathbb {Z}_q^{3k}$, we use $\overline{\varvec{\mathrm {y}}}\in \mathbb {Z}_q^{k}$ to denote the upper k components and $\underline{\varvec{\mathrm {y}}}\in \mathbb {Z}_q^{2k}$ to denote the lower 2k components.

Perfectly correctness of $\mathsf {KEM}_{\textsf {mddh}}$ is straightforward. See the full version [21] for the proofs of its tight mPR-CCCA security and tight RER security.

5.2 KEM from Qualified Proof System with Compact Public Key

First we recall the definition of a proof system described in [8].

Definition 7

(Proof System). Let $\mathcal {L}=\{\mathcal {L}_{\textsf {pars}}\}$ be a family of languages indexed by public parameters $\mathsf {pars}$, with $\mathcal {L}_{\mathsf {pars}}\subseteq \mathcal {X}_{\mathsf {pars}}$ and an efficiently computable witness relation $\mathcal {R}$. A proof system $\mathsf {PS}=(\mathsf {PGen},\mathsf {PPrv},\mathsf {PVer},\mathsf {PSim})$ for $\mathcal {L}$ consists of a tuple of PPT algorithms.

$\mathsf {PGen}(\mathsf {pars})$. It outputs a public key $\mathsf {ppk}$ and a secret key $\mathsf {psk}$.
$\mathsf {PPrv}(\mathsf {ppk},x,w)$. On input a statement $x\in \mathcal {L}$ and a witness w with $\mathcal {R}(x,w)=1$, it deterministically outputs a proof $\varPi \in \varvec{\mathrm {\varPi }}$ and a key $K\in \mathcal {K}$.
$\mathsf {PVer}(\mathsf {ppk},\mathsf {psk},x,\varPi )$. On input $\mathsf {ppk},\mathsf {psk},x\in \mathcal {X}$ and $\varPi $, it deterministically outputs $b\in \{0,1\}$ together with a key $K\in \mathcal {K}$ if $b=1$ or $\bot $ if $b=0$.
$\mathsf {PSim}(\mathsf {ppk},\mathsf {psk},x)$. Given $\mathsf {ppk},\mathsf {psk},x\in \mathcal {X}$, it deterministically outputs a proof $\varPi $ and a key $K\in \mathcal {K}$.

Next we recall the definition of a qualified proof system.

Definition 8

(Qualified Proof System [8]). Let $\mathsf {PS}=(\mathsf {PGen},\mathsf {PPrv},\mathsf {PVer},\mathsf {PSim})$ be a proof system for a family of languages $\mathcal {L}=\mathcal {L}_{\mathsf {pars}}$. Let $\mathcal {L}^\mathrm{snd}=\{\mathcal {L}^\mathrm{snd}_{\mathsf {pars}}\}$ be a family of languages, such that $\mathcal {L}_{\mathsf {pars}}\subseteq \mathcal {L}^\mathrm{snd}_{\mathsf {pars}}$. We say that $\mathsf {PS}$ is $\mathcal {L}^\mathrm{snd}$-qualified , if the following properties hold.

Completeness: For all possible public parameters $\mathsf {pars}$, for all statements $x\in \mathcal {L}$ and all witnesses w such that $\mathcal {R}(x,w)=1$, $\mathrm{{Pr}}[\mathsf {PVer}(\mathsf {ppk},\mathsf {psk},x,\varPi )]=1,$ where $(\mathsf {ppk},\mathsf {psk})\leftarrow _{\$}\mathsf {PGen}(\mathsf {pars})$ and $(\varPi ,K)\leftarrow _{\$}\mathsf {PPrv}(\mathsf {ppk},x,w)$.
Perfect zero-knowledge: For all possible public parameters $\mathsf {pars}$, all key pairs $(\mathsf {ppk},\mathsf {psk})$ in the output range of $\mathsf {PGen}(\mathsf {pars})$, all statements $x\in \mathcal {L}$ and all witnesses w with $\mathcal {R}(x,w)=1$, we have $\mathsf {PPrv}(\mathsf {ppk},x,w)=\mathsf {PSim}(\mathsf {ppk},\mathsf {psk},x).$
Unique of the proofs: For all possible public parameters $\mathsf {pars}$, all key pairs $(\mathsf {ppk},\mathsf {psk})$ in the output range of $\mathsf {PGen}(\mathsf {pars})$ and all statements $x\in \mathcal {X}$, there exists at most one $\varPi ^{*}$ such that $\mathsf {PVer}(\mathsf {ppk},\mathsf {psk},x,\varPi ^{*})=1$.
Constrained $\mathcal {L}^\mathrm{snd}$ -Soundness: For any stateful PPT adversary $\mathcal {A}$, consider the soundness experiment in Fig. 8 (where $\mathsf {PSim}$ and $\mathsf {PVer}$ are implicitly assumed to have access to $\mathsf {ppk}$).

Let $ Q_\mathrm{{ver}}$ be the total number of $\mathcal {O}_{\text {ver}}$ queries, which is independent of the environment without loss of generality. Let $\mathsf {pred}_i:\mathcal {K}\cup \{\bot \}\rightarrow \{0,1\}$ be the predicate submitted by $\mathcal {A}$ in the i-th query, where $\mathsf {pred}_i(\bot )=0$ for all i. The uncertainty of $\mathcal {A}$ is defined as
$$\begin{aligned} uncert_{\mathcal {A}}(\lambda ):=\frac{1}{Q_{\text {ver}}}\sum _{i=1}^{Q_{\text {ver}}}\mathrm{{Pr}}_{K\leftarrow _{\$}\mathcal {K}}[\mathsf {pred}_i(K)=1]. \end{aligned}$$
We say constrained $\mathcal {L}^\mathrm{snd}$-soundness holds for $\mathsf {PS}$ if for each PPT adversary $\mathcal {A}$ with negligible uncertainty, $\mathsf {Adv}^\mathrm{csnd}_{\mathcal {L}^\mathrm{snd},\mathsf {PS},\mathcal {A}}(\lambda )$ is negligible, where
$$\begin{aligned} \mathsf {Adv}^\mathrm{csnd}_{\mathcal {L}^\mathrm{snd},\mathsf {PS},\mathcal {A}}(\lambda ):=\mathrm{{Pr}}[\mathrm {win}=1 \ \mathrm { in } \ \mathrm {Exp}_{\mathcal {L}^\mathrm{snd},\mathsf {PS},\mathcal {A}}^\mathrm{csnd}(\lambda )] \end{aligned}$$

We omit the definition for $\mathcal {L}^\mathrm{snd}$-indistinguishability of two proof systems and the definition for $\widetilde{\mathcal {L}^\mathrm{snd}}$-extensibility of a proof system (See [8] and also our full version [21] for details). Here we define a new property for qualified proof system, which stresses that the simulated proof $\varPi $ for a random $x\in \mathcal {L}^{\text {snd}}\backslash \mathcal {L}$ is pseudorandom when providing verification oracle for only $x\in \mathcal {L}$.

Definition 9

(Pseudorandom Simulated Proof of Qualified Proof System). Let $\mathsf {PS}=(\mathsf {PGen},\mathsf {PPrv},\mathsf {PVer},\mathsf {PSim})$ be a $\mathcal {L}^\mathrm{snd}$-qualified proof system for a family of languages $\mathcal {L}$. Let $\mathcal {A}$ be a stateful adversary and $b\in \{0,1\}$ be a bit. Define the following experiment ${\mathsf {Exp}}^{\mathrm{pr}\text {-}\mathrm{proof}\text {-}b}_{\mathsf {PS},\mathcal {A}}(\lambda )$ in Fig. 9. We say $\mathsf {PS}$ has pseudorandom simulated proof if for each PPT adversary $\mathcal {A}$, the advantage

$$\begin{aligned} \mathsf {Adv}_{\mathsf {PS},\mathcal {A}}^{\mathrm{pr}\text {-}\mathrm{proof}}(\lambda ):=\left| \mathrm{{Pr}}\left[ \mathsf {Exp}^{\mathrm{pr}\text {-}\mathrm{proof}\text {-}0}_{\mathsf {PS},\mathcal {A}}(\lambda )=1\right] -\mathrm{{Pr}}\left[ \mathsf {Exp}^{\mathrm{pr}\text {-}\mathrm{proof}\text {-}1}_{\mathsf {PS},\mathcal {A}}(\lambda )=1\right] \right| \ is \ negl. \end{aligned}$$

The Qualified Proof System in [8]. First we explain how the public parameters pars are sampled. Fix some $k\in \mathbb {N}$, invoke $\mathcal {G}\leftarrow _{\$}\textsf {GGen}(1^{\lambda })$ where $\mathcal {G}=(\mathbb {G},q,P)$. Let $\mathcal {D}_{2k,k}$ be a fixed matrix distribution, we sample $\varvec{\mathrm {A}}\leftarrow _{\$}\mathcal {D}_{2k,k}$ and $\varvec{\mathrm {A}}_0\leftarrow _{\$}\mathcal {U}_{2k,k}$ where $\overline{\varvec{\mathrm {A}}}$ and $\overline{\varvec{\mathrm {A}}}_0$ are both full rank. Additionally select $\varvec{\mathrm {A}}_1\in \mathbb {Z}_q^{2k\times k}$ according to $\mathcal {U}_{2k,k}$ with the restriction $\overline{\varvec{\mathrm {A}}}_0=\overline{\varvec{\mathrm {A}}}_1$. Let $\mathcal {H}_0$ and $\mathcal {H}_1$ be universal hash function generators returning functions $\textsf {h}_0:\mathbb {G}^{k^2+1}\rightarrow \mathbb {Z}_q^{k\times k}$ and $\textsf {h}_1:\mathbb {G}^{k+1}\rightarrow \mathbb {Z}_q^k$ respectively. Let $\textsf {h}_0\leftarrow _{\$}\mathcal {H}_0$ and $\textsf {h}_1\leftarrow _{\$}\mathcal {H}_1$. Let $\textsf {pars}\leftarrow (k,\mathcal {G},[\varvec{\mathrm {A}}],[\varvec{\mathrm {A}}_0],[\varvec{\mathrm {A}}_1],\textsf {h}_0,\textsf {h}_1)$ be the public parameters and we assume $\textsf {pars}$ is an implicit input of all algorithms. The languages are defined as $\mathcal {L}{:=\textsf {span}([\varvec{\mathrm {A}}])},$ $\mathcal {L}^\mathrm{snd}:=\textsf {span}([\varvec{\mathrm {A}}])\cup \textsf {span}([\varvec{\mathrm {A}}_0])$ and $\widetilde{\mathcal {L}^\mathrm{snd}}:=\textsf {span}([\varvec{\mathrm {A}}])\cup \textsf {span}([\varvec{\mathrm {A}}_0])\cup \textsf {span}([\varvec{\mathrm {A}}_1])$.

The construction^{Footnote 3} of $\mathcal {L}^\mathrm{snd}$-qualified proof system $\textsf {PS}=(\textsf {PGen},\textsf {PPrv},\textsf {PVer},\textsf {PSim})$ in [8] is shown in Fig. 10.

According to Theorem 1 of [8], $\textsf {PS}$ is $\mathcal {L}^\mathrm{snd}$-qualified and $\widetilde{\mathcal {L}^\mathrm{snd}}$-extensible, both admitting tight security reductions to the MDDH assumption. More precisely, $\mathsf{Adv}^\mathrm{csnd}_{\mathcal {L}^\mathrm{snd}},\mathsf{PS},\mathcal {A}(\lambda ),{\mathsf {Adv}}^\mathrm{csnd}_{\widetilde{\mathcal {L}^\mathrm{snd}},\widetilde{\mathsf {PS}},\mathcal {A}}(\lambda )\le 2\textit{k}\cdot {\mathsf {Adv}}^\mathrm{mddh}_{\mathcal {D}_{2k,k},{\mathsf {GGen}},\mathcal {B}}(\lambda )+2^{-\varOmega (\lambda )}$, $\mathsf {Adv}^{\mathrm{PS}\text {-}\mathrm{ind}}_{\mathcal {L}^\mathrm{snd}}\le 2^{-\varOmega (\lambda )}$.

We now prove that $\textsf {PS}$ has pseudorandom simulated proof with Theorem 2.

Theorem 2

The $\mathcal {L}^\mathrm{{snd}}$-qualified proof system $\textsf {PS}$ in Fig. 10 has pseudorandom simulated proof if $\mathcal {U}_k$-$\mathsf {MDDH}$ assumption holds. Specifically, for each PPT adversary $\mathcal {A}$, we can build a PPT adversary $\mathcal {B}$ with $\varvec{\mathrm {T}}(\mathcal {B})\le \varvec{\mathrm {T}}(\mathcal {A})+(Q_\mathrm{{sim}}+Q_\mathrm{{ver}})\cdot \mathsf {poly}(\lambda )$ such that the advantage

$$\mathsf {Adv}_{\mathsf {PS},\mathcal {A}}^{\mathrm{pr}\text {-}\mathrm{proof}}(\lambda )\le 2\mathsf {Adv}^\mathrm{mddh}_{\mathcal {U}_k,\mathsf {GGen},\mathcal {B}}(\lambda )+2^{-\varOmega (\lambda )}. $$

where $ Q_\mathrm{{sim}}(Q_\mathrm{{ver}})$ is the total number of $\mathcal {O}_\mathrm{{sim}}(\mathcal {O}_\mathrm{{ver}})$ queries made by $\mathcal {A}$ and $\mathsf {poly}(\lambda )$ is a polynomial independent of $\varvec{\mathrm {T}}(\mathcal {A})$.

Proof of Theorem 2.

For a fixed PPT adversary $\mathcal {A}$, consider an experiment $\mathsf {Exp}_{\mathsf {PS},\mathcal {A}}^{\mathrm{pr}\text {-}\mathrm{proof}}(\lambda )$ which first uniformly selects $b\leftarrow _{\$}\{0,1\}$, then calls ${\mathsf {Exp}}^{\mathrm{pr}\text {-}\mathrm{proof}\text {-}b}_{\mathsf {PS},\mathcal {A}}(\lambda )$ and gets its output $b^{\prime }$. It is straightforward that

$$\begin{aligned} \mathsf {Adv}_{\mathsf {PS},\mathcal {A}}^{\mathrm{pr}\text {-}\mathrm{proof}}(\lambda )=2\left| \mathrm{{Pr}}[b^{\prime }=b \ \mathrm { in } \ \mathsf {Exp}_{\mathsf {PS},\mathcal {A}}^{\mathrm{pr}\text {-}\mathrm{proof}}(\lambda )]-\frac{1}{2}\right| . \end{aligned}$$

Now we rewrite $\mathsf {Exp}_{\mathsf {PS},\mathcal {A}}^{\mathrm{pr}\text {-}\mathrm{proof}}(\lambda )$ in Fig. 11 and make changes to it gradually through game $G_0$ to $G_3$. Games $G_0-G_3$ are defined as follows.

This game is the same as $\textsf {Exp}_{\textsf {PS},\mathcal {A}}^{\text {pr-proof}}(\lambda )$. Then

$$\begin{aligned} \mathsf {Adv}_{\mathsf {PS},\mathcal {A}}^{\mathrm{pr}\text {-}\mathrm{proof}}(\lambda )=2\left| \mathrm{{Pr}}_0[b^{\prime }=b]-\frac{1}{2}\right| . \end{aligned}$$

(14)

$G_1$ is almost the same as $G_0$ except for the $\mathcal {O}_{\text {sim}}$ oracle.

In $G_0$, $\varvec{\mathrm {X}}=\textsf {h}_0(\varvec{\mathrm {K_X}}[\varvec{\mathrm {c}}])$, where $[\varvec{\mathrm {c}}]=[\varvec{\mathrm {A}}_0]\varvec{\mathrm {r}}$ and $\varvec{\mathrm {r}}\leftarrow _{\$}\mathbb {Z}_q^k$ for each $\mathcal {O}_{\text {sim}}$ query.
In $G_1$, $\varvec{\mathrm {X}}=\textsf {h}_0([\varvec{\mathrm {Vr}}])$, where (i) a fresh $\varvec{\mathrm {r}}$ is uniformly chosen from $\mathbb {Z}_q^k$ for each $\mathcal {O}_{\text {sim}}$ query; (ii) $\varvec{\mathrm {V}}$ is uniformly chosen from $\mathbb {Z}_q^{(k^2+1)\times k}$ beforehand but will be fixed for each $\mathcal {O}_{\text {sim}}$ query.

Define $\varvec{\mathrm {U}}:=\varvec{\mathrm {K}}_{\varvec{\mathrm {X}}}\varvec{\mathrm {A}}_0$, so $(\varvec{\mathrm {P}}_{\varvec{\mathrm {X}}}|\varvec{\mathrm {U}})=\varvec{\mathrm {K}}_{\varvec{\mathrm {X}}}(\varvec{\mathrm {A}}|\varvec{\mathrm {A}}_0)$. Note that, the square matrix $(\varvec{\mathrm {A}}|\varvec{\mathrm {A}}_0)$ is of full rank with probability $1-2^{-\varOmega (\lambda )}$, then the entropy of $\varvec{\mathrm {K}}_{\varvec{\mathrm {X}}}$ is transferred to $(\varvec{\mathrm {P}}_{\varvec{\mathrm {X}}}|\varvec{\mathrm {U}})$ intactly. Recall that $\varvec{\mathrm {K}}_{\varvec{\mathrm {X}}}$ is uniform over $\mathbb {Z}_q^{(k^2+1)\times 2k}$. Therefore, $(\varvec{\mathrm {P}}_{\varvec{\mathrm {X}}}|\varvec{\mathrm {U}})$ is uniform over $\mathbb {Z}_q^{(k^2+1)\times 2k}$ as well. Consequently, $\varvec{\mathrm {U}}$ is uniformly distributed over $\mathbb {Z}_q^{(k^2+1)\times k}$ even conditioned on $\varvec{\mathrm {P}}_{\varvec{\mathrm {X}}}$.

In $G_0$, the $\mathcal {O}_{\text {ver}}$ oracle rejects all $[\varvec{\mathrm {c}}]\notin [\textsf {span}(\varvec{\mathrm {A}})]$. Therefore, the information of $\varvec{\mathrm {K}}_{\varvec{\mathrm {X}}}$ leaked through $\mathcal {O}_{\text {ver}}$ is characterized by the public key $\varvec{\mathrm {P}}_{\varvec{\mathrm {X}}}$. Together with the fact that $[\varvec{\mathrm {c}}]=[\varvec{\mathrm {A}}_0]\varvec{\mathrm {r}}$ in $\mathcal {O}_{\text {sim}}$ of $G_0$ and $G_1$, the computation of $\varvec{\mathrm {K}}_{\varvec{\mathrm {X}}}[\varvec{\mathrm {c}}]=[\varvec{\mathrm {K}}_{\varvec{\mathrm {X}}}\varvec{\mathrm {A}}_0]\varvec{\mathrm {r}}$ in $\mathcal {O}_{\text {sim}}$ of $G_0$ can be replaced with $[\varvec{\mathrm {V}}]\varvec{\mathrm {r}}$ for $\varvec{\mathrm {V}}\leftarrow _{\$}\mathbb {Z}_q^{(k^2+1)\times k}$ in $G_1$. Thus we have

$$\begin{aligned} \left| \mathrm{{Pr}}_0[b^{\prime }=b]-\mathrm{{Pr}}_1[b^{\prime }=b]\right| \le 2^{-\varOmega (\lambda )}. \end{aligned}$$

(15)

$G_2$ is the same as $G_1$ except for the $\mathcal {O}_{\text {sim}}$ oracle.

In $G_1$, $\varvec{\mathrm {X}}=\textsf {h}_0([\varvec{\mathrm {Vr}}])$ is computed with the same $\varvec{\mathrm {V}}$ but a fresh $\varvec{\mathrm {r}}\leftarrow _{\$}\mathbb {Z}_q^k$.
In $G_2$, $\varvec{\mathrm {X}}$ is uniformly selected from $\mathbb {Z}_q^{k\times k}$ for each $\mathcal {O}_{\text {sim}}$ oracle.

We will show that

$$\begin{aligned} \left| \mathrm{{Pr}}_1[b^{\prime }=b]-\mathrm{{Pr}}_2[b^{\prime }=b]\right| \le \textsf {Adv}^{\text {mddh}}_{\mathcal {U}_k,\textsf {GGen},\mathcal {B}}(\lambda )+2^{-\varOmega (\lambda )}. \end{aligned}$$

(16)

To prove (16), we define two intermediate games $G_{1}^{\prime }$ and $G_{1}^{\prime \prime }$.

$G_{1}^{\prime }$ is the same as $G_1$ except for the generation of $\varvec{\mathrm {r}}$ in $\mathcal {O}_{\text {sim}}$. For each $\mathcal {O}_{\text {sim}}$ query,

in $G_1$, $\varvec{\mathrm {r}}\leftarrow _{\$}\mathbb {Z}_q^{k}$;
in $G_1^{\prime }$, $\varvec{\mathrm {r}}\leftarrow \varvec{\mathrm {Ws}}$ with a fresh $\varvec{\mathrm {s}}\leftarrow _{\$}\mathbb {Z}_q^{k}$ but the same $\varvec{\mathrm {W}}$, which is uniformly selected from $\mathbb {Z}_q^{k\times k}$ beforehand.

Since $\varvec{\mathrm {W}}$ is invertible with probability $1-2^{-\varOmega (\lambda )}$, we have that

$$\begin{aligned} \left| \mathrm{{Pr}}_1[b^{\prime }=b]-\mathrm{{Pr}}_{1^{\prime }}[b^{\prime }=b]\right| \le 2^{-\varOmega (\lambda )}. \end{aligned}$$

(17)

$G_{1}^{\prime \prime }$ is the same with $G_{1}^{\prime }$ except for the $\mathcal {O}_{\text {sim}}$ oracle. For each $\mathcal {O}_{\text {sim}}$ query,

$G_1^{\prime }$ sets $[\varvec{\mathrm {c}}]\leftarrow \varvec{\mathrm {A}}_0[\varvec{\mathrm {W}}]\varvec{\mathrm {s}}$ and $\varvec{\mathrm {X}}\leftarrow \textsf {h}_0([\varvec{\mathrm {VW}}]\varvec{\mathrm {s}})$, where $\varvec{\mathrm {s}}\leftarrow _{\$}\mathbb {Z}_q^k$;
$G_1^{\prime \prime }$ sets $[\varvec{\mathrm {c}}]\leftarrow \varvec{\mathrm {A}}_0[\varvec{\mathrm {r}}]$ and $\varvec{\mathrm {X}}\leftarrow \textsf {h}_0([\varvec{\mathrm {u}}])$, where $\varvec{\mathrm {r}}\leftarrow _{\$}\mathbb {Z}_q^k,\varvec{\mathrm {u}}\leftarrow _{\$}\mathbb {Z}_q^{k^2+1}$.

Note that, with overwhelming probability, distributes uniformly over $\mathbb {G}^{(k^2+k+1)\times k}$. Then we can build an adversary $\mathcal {B}$ and show that

$$\begin{aligned} \left| \mathrm{{Pr}}_{1^{\prime }}[b^{\prime }=b]-\mathrm{{Pr}}_{1^{\prime \prime }}[b^{\prime }=b]\right| \le \textsf {Adv}^{\text {mddh}}_{\mathcal {U}_k,\textsf {GGen},\mathcal {B}}(\lambda )+2^{-\varOmega (\lambda )}. \end{aligned}$$

(18)

To prove (18), we construct an adversary $\mathcal {B}^{\prime }$ and show that

$$\begin{aligned} \left| \mathrm{{Pr}}_{1^{\prime }}[b^{\prime }=b]-\mathrm{{Pr}}_{1^{\prime \prime }}[b^{\prime }=b]\right| \le \textsf {Adv}^{Q_{\text {sim}}\text {-mddh}}_{\mathcal {U}_{k^2+k+1,k},\textsf {GGen},\mathcal {B}^{\prime }}(\lambda ). \end{aligned}$$

(19)

Upon receiving a challenge $(\mathcal {G},[\varvec{\mathrm {B}}]\in \mathbb {G}^{(k^2+k+1)\times k},[\varvec{\mathrm {H}}]:=([\varvec{\mathrm {h}}_1|\cdots |\varvec{\mathrm {h}}_{Q_{\text {sim}}}])\in \mathbb {G}^{(k^2+k+1)\times Q_{\text {sim}}})$ for the $Q_{\text {sim}}$-fold $\mathcal {U}_{k^2+k+1,k}$ -MDDH problem, $\mathcal {B}^{\prime }$ simulates game $G_{1}^{\prime }(G_{1}^{\prime \prime })$. In the simulation of the i-th $\mathcal {O}_{\text {sim}}$ oracle query for $i\in [Q_{\text {sim}}]$, $\mathcal {B}^{\prime }$ embeds $[\overline{\varvec{\mathrm {h}}_i}]$ in $\varvec{\mathrm {[c]}}$ with $[\varvec{\mathrm {c}}]\leftarrow \varvec{\mathrm {A}}_0[\overline{\varvec{\mathrm {h}}_i}]$. Then $\mathcal {B}^{\prime }$ embeds $[\underline{\varvec{\mathrm {h}}_i}]$ in $\varvec{\mathrm {X}}$ with $\varvec{\mathrm {X}}\leftarrow \textsf {h}_0([\underline{\varvec{\mathrm {h}}_i}])$.

If $[\varvec{\mathrm {h}}_i]$ is uniformly chosen from $\textsf {span}([\varvec{\mathrm {B}}])$ for all $i\in [Q_{\text {sim}}]$, then , $[\overline{\varvec{\mathrm {h}}_i}]=[\varvec{\mathrm {W}}]\varvec{\mathrm {s}}_i$ and $[\underline{\varvec{\mathrm {h}}_i}]=[\varvec{\mathrm {VW}}]\varvec{\mathrm {s}}_i$ with $\varvec{\mathrm {s}}_i\leftarrow _{\$}\mathbb {Z}_q^k$. In this case, $\mathcal {B}^{\prime }$ perfectly simulates $G_{1}^{\prime }$. If $[\varvec{\mathrm {h}}_i]$ is uniformly chosen from $\mathbb {G}^{k^2+k+1}$ for all $i\in [Q_{\text {sim}}]$, then both $[\overline{\varvec{\mathrm {h}}_i}]$ and $[\underline{\varvec{\mathrm {h}}_i}]$ are uniform. In this case, $\mathcal {B}^{\prime }$ perfectly simulates $G_{1}^{\prime \prime }$.

From above, (19) follows. Then, (18) follows from (19) and the random self-reducibility property of the MDDH problem.

In $G_1^{\prime \prime }$, $\varvec{\mathrm {X}}\leftarrow \textsf {h}_0([\varvec{\mathrm {u}}])$ for a uniform $\varvec{\mathrm {u}}\leftarrow _{\$}\mathbb {Z}_q^{k^2+1}$. Since $\textsf {h}_0$ is universal, by leftover hash lemma and a union bound, we have that

$$\begin{aligned} \left| \mathrm{{Pr}}_{1^{\prime \prime }}[b^{\prime }=b]-\mathrm{{Pr}}_{2}[b^{\prime }=b]\right| \le \frac{Q_{\text {sim}}}{2\sqrt{q}}=2^{-\varOmega (\lambda )}. \end{aligned}$$

(20)

Then (16) follows from (17, 18) and (20).

$G_3$ is the same as $G_2$ except for the $\mathcal {O}_{\text {sim}}$ oracle.

For each $\mathcal {O}_{\text {sim}}$ query,

in $G_2$, $\varPi _1=[\overline{\varvec{\mathrm {A}}_0}]\cdot \varvec{\mathrm {X}}+[\overline{\varvec{\mathrm {c}}}]\cdot \varvec{\mathrm {y}}^{\top }$ for $[\varvec{\mathrm {c}}]=[\varvec{\mathrm {A}}_0]\varvec{\mathrm {r}}$ and a fresh $\varvec{\mathrm {X}}\leftarrow _{\$}\mathbb {Z}_q^{k\times k}$;
in $G_3$, $\varPi _1$ is uniformly selected from $\mathbb {G}^{k\times k}$.

Note that in $G_2$,

$$\varPi _1=[\overline{\varvec{\mathrm {A}}_0}]\cdot \varvec{\mathrm {X}}+[\overline{\varvec{\mathrm {c}}}]\cdot \varvec{\mathrm {y}}^{\top }=[\overline{\varvec{\mathrm {A}}_0}](\varvec{\mathrm {X}}+\varvec{\mathrm {r}}\cdot \varvec{\mathrm {y}}^{\top }). $$

Due to the uniformness of $\varvec{\mathrm {X}}$, $\varPi _1$ has the same distribution as $[\overline{\varvec{\mathrm {A}}_0}]\varvec{\mathrm {X}}$. Since $\overline{\varvec{\mathrm {A}}_0}$ is an invertible matrix, $[\overline{\varvec{\mathrm {A}}_0}]\varvec{\mathrm {X}}$ is uniformly distributed over $\mathbb {G}^{k\times k}$. Thus we have

$$\begin{aligned} \mathrm{{Pr}}_2[b^{\prime }=b]=\mathrm{{Pr}}_3[b^{\prime }=b]. \end{aligned}$$

(21)

In $G_3$, $\varPi _0$ distributes identically to $\varPi _1$ and

$$\begin{aligned} \mathrm{{Pr}}_3[b^{\prime }=b]=\frac{1}{2}. \end{aligned}$$

(22)

Finally, Theorem 2 follows from (14, 15, 16, 21) and (22). $\blacksquare $

KEM from Qualified Proof System. The construction of the qualified PS based KEM $\mathsf {KEM}_{\textsf {qps}}=(\mathsf {KGen},\mathsf {KEnc},\mathsf {KDec})$ from [8] is shown in Fig. 12. Suppose $\mathcal {H}$ is a hash generator outputting functions $\textsf {H}:\mathbb {G}^k\rightarrow \{0,1\}^{\lambda }$. The parameters $\textsf {pars}$ used in this construction are specified in Sect. 5.2.

Theorem 2 in [8] has shown that $\mathsf {KEM}_{\textsf {qps}}$ is IND-CCCA secure. Now we prove that $\mathsf {KEM}_{\textsf {qps}}$ is mPR-CCCA secure (through Theorem 3) and is RER secure (through Theorem 4), both admitting tight security reductions.

Theorem 3

The KEM $\mathsf {KEM}_{\mathsf {qps}}$ in Fig. 12 is mPR-CCCA secure if the $\mathcal {D}_{2k,k}$-MDDH assumption holds, $\mathcal {H}$ outputs collision-resistant hash function, $\textsf {PS}$ is $\mathcal {L}^{\text {snd}}$-qualified, $\widetilde{\mathcal {L}^{\text {snd}}}$-extensible and has pseudorandom simulated proof. Specifically, for each PPT adversary $\mathcal {A}$ with negligible uncertainty $uncert_{\mathcal {A}}(\lambda )$, we can build PPT adversaries $\mathcal {B}_1,\cdots ,\mathcal {B}_7$ with $\varvec{\mathrm {T}}(\mathcal {B}_1)\approx \cdots \approx \varvec{\mathrm {T}}(\mathcal {B}_7)\le \varvec{\mathrm {T}}(\mathcal {A})+(Q_\mathrm{enc}+Q_\mathrm{dec})\cdot \textsf {poly}(\lambda )$ and $uncert_{\mathcal {B}_4}(\lambda )=uncert_{\mathcal {B}_6}(\lambda )=uncert_{\mathcal {A}}(\lambda )$, such that the advantage

$$\begin{aligned} \begin{aligned} \mathsf {Adv}_{\mathsf {KEM}_{\mathsf {qps}},\mathcal {A}}^{\mathrm{mpr}\text {-}\mathrm{ccca}}(\lambda )&\le 2\mathsf {Adv}^\mathrm{cr}_{\mathcal {H},\mathcal {B}_1}(\lambda ) +(4\lambda +3k)\mathsf {Adv}^\mathrm{mddh}_{\mathcal {D}_{2k,k},\mathsf {GGen},\mathcal {B}_2}(\lambda ) \\&+7\mathsf {Adv}^\mathrm{mddh}_{\mathcal {U}_k,\mathsf {GGen},\mathcal {B}_3}(\lambda ) +\mathsf {Adv}^\mathrm{csnd}_{\mathcal {L}^\mathrm{snd},\mathsf {PS},\mathcal {B}_4}(\lambda ) +\mathsf {Adv}^{\mathrm{PS}\text {-}\mathrm{ind}}_{\mathcal {L}^\mathrm{snd},\mathsf {PS},\widetilde{\mathsf {PS}},\mathcal {B}_5}(\lambda )\\&+\lambda \mathsf {Adv}^\mathrm{csnd}_{\widetilde{\mathcal {L}^\mathrm{snd}},\widetilde{\mathsf {PS}},\mathcal {B}_6}(\lambda ) +2\mathsf {Adv}_{\mathsf {PS},\mathcal {B}_7}^{\mathrm{pr}\text {-}\mathrm{proof}}(\lambda )\\&+((\lambda +2)\cdot Q_\mathrm{enc}+3)\cdot Q_\mathrm{dec}\cdot uncert_{\mathcal {A}}(\lambda ) +2^{-\varOmega (\lambda )}. \end{aligned} \end{aligned}$$

where $ Q_\mathrm{enc}(Q_\mathrm{dec})$ is the total number of $\mathcal {O}_\mathrm{enc}(\mathcal {O}_\mathrm{dec})$ queries made by $\mathcal {A}$ and $\mathsf {poly}(\lambda )$ is a polynomial independent of $\varvec{\mathrm {T}}(\mathcal {A})$.

Proof of Theorem 3. For a fixed PPT adversary $\mathcal {A}$ with negligible uncertainty $uncert_{\mathcal {A}}(\lambda )$, consider an experiment $\mathsf {Exp}_{\mathsf {KEM}_{\mathsf {qps}},\mathcal {A}}^{\mathrm{mpr}\text {-}\mathrm{ccca}}(\lambda )$ which first randomly selects $b\leftarrow _{\$}\{0,1\}$, then calls $\mathsf {Exp}^{\mathrm{mpr}\text {-}\mathrm{ccca}\text {-}b}_{\mathsf {KEM}_{\mathsf {qps}},\mathcal {A}}(\lambda )$ and gets its output $b^{\prime }$. It is straightforward that ${\mathsf {Adv}}_{\mathsf {KEM}_{\mathsf {qps}},\mathcal {A}}^{\mathrm{mpr}\text {-}\mathrm{ccca}}(\lambda )=2\left| \mathrm{{Pr}}[b^{\prime }=b \; \mathrm{in} \; \mathsf {Exp}_{\mathsf {KEM}_{\mathsf {qps}},\mathcal {A}}^{\mathrm{mpr}\text {-}\mathrm{ccca}}(\lambda )]-\frac{1}{2}\right| .$ Then we rewrite experiment $\mathsf {Exp}_{\mathsf {KEM}_{\mathsf {qps}},\mathcal {A}}^{\mathrm{mpr}\text {-}\mathrm{ccca}}(\lambda )$ in Fig. 13 and make changes to it gradually through game $G_0$ to $G_9$ which are defined as follows.

This game is identical to $\mathsf {Exp}_{\mathsf {KEM}_{\mathsf {qps}},\mathcal {A}}^{\mathrm{mpr}\text {-}\mathrm{ccca}}(\lambda )$. Then

$$\begin{aligned} \mathsf {Adv}_{\mathsf {KEM}_{\mathsf {qps}},\mathcal {A}}^{\mathrm{mpr}\text {-}\mathrm{ccca}}(\lambda )=2\left| \mathrm{{Pr}}_0[b^{\prime }=b]-\frac{1}{2}\right| . \end{aligned}$$

(23)

$G_1$ is the same as $G_0$ except that an additional rejection rule is added in $\mathcal {O}_{\text {dec}}$. More precisely, in $G_1$, we use a set $\mathcal {T}$ to log all the tags $\tau _b=\mathsf {H}([\overline{\varvec{\mathrm {c}}_b}])$ used in oracle $\mathcal {O}_\mathrm{enc}$, and any $\mathcal {O}_\mathrm{dec}(\mathsf {pred},\psi =([\varvec{\mathrm {c}}],\varPi ))$ query will be rejected if $\tau =\mathsf {H}([\overline{\varvec{\mathrm {c}}}])\in \mathcal {T}$.

Lemma 1

$$\begin{aligned} \begin{aligned} |\mathrm{{Pr}}_0[b^{\prime }=b]-\mathrm{{Pr}}_1[b^{\prime }=b]|&\le \mathsf {Adv}^{\text {cr}}_{\mathcal {H},\mathcal {B}_1}(\lambda )+\frac{k}{2}\cdot \mathsf {Adv}^\mathrm{mddh}_{\mathcal {D}_{2k,k},\mathsf {GGen},\mathcal {B}_2}(\lambda )\\&+\frac{1}{2}\mathsf {Adv}^\mathrm{mddh}_{\mathcal {U}_k,\mathsf {GGen},\mathcal {B}_3}(\lambda )+\frac{3}{2}Q_\mathrm{dec}\cdot uncert_{\mathcal {A}}(\lambda )+2^{-\varOmega (\lambda )}. \end{aligned} \end{aligned}$$

We refer to the full version [21] for the proof of this lemma.

$G_2$ is almost the same as $G_1$ except for two changes in $\mathcal {O}_\mathrm{enc}$. The first change is that $\mathsf {PPrv}$ is replaced with $\mathsf {PSim}$. The second change is that $\mathsf {sk}_{\mathsf {KEM}}$ is used to calculate $\gamma _1$. More precisely, for $[\varvec{\mathrm {c}}_1]=[\varvec{\mathrm {A}}]\varvec{\mathrm {r}}_1$ in oracle $\mathcal {O}_{\text {enc}}$,

in $G_1$, $(\varPi _1,[\kappa _1])\leftarrow \mathsf {PPrv}(\mathsf {ppk},[\varvec{\mathrm {c}}_1],\varvec{\mathrm {r}}_1)$, $\gamma _1\leftarrow ([\varvec{\mathrm {p}}_0^{\top }]+\tau _1[\varvec{\mathrm {p}}_1^{\top }])\cdot \varvec{\mathrm {r}}_1+[\kappa _1]$;
in $G_2$, $(\varPi _1,[\kappa _1])\leftarrow \textsf {PSim}(\mathsf {psk},[\varvec{\mathrm {c}}_1])$, $\gamma _1\leftarrow (\varvec{\mathrm {k}}_0^{\top }+\tau _1\varvec{\mathrm {k}}_1^{\top })\cdot [\varvec{\mathrm {c}}_1]+[\kappa _1]$.

Due to the perfect zero-knowledge property of $\textsf {PS}$, we have $\mathsf {PPrv}(\mathsf {ppk},[\varvec{\mathrm {c}}_1],\varvec{\mathrm {r}}_1)=\mathsf {PSim}(\mathsf {psk},[\varvec{\mathrm {c}}_1]).$ Meanwhile, $[\varvec{\mathrm {p}}_0^{\top }]=\varvec{\mathrm {k}}_0^{\top }[\varvec{\mathrm {A}}]$ and $[\varvec{\mathrm {p}}_1^{\top }]=\varvec{\mathrm {k}}_1^{\top }[\varvec{\mathrm {A}}]$, so we have $([\varvec{\mathrm {p}}_0^{\top }]+\tau _1[\varvec{\mathrm {p}}_1^{\top }])\cdot \varvec{\mathrm {r}}_1+[\kappa _1]=(\varvec{\mathrm {k}}_0^{\top }+\tau _1\varvec{\mathrm {k}}_1^{\top })\cdot [\varvec{\mathrm {c}}_1]+[\kappa _1].$

These changes are only conceptual, so $G_1$ is identical to $G_2$ and

$$\begin{aligned} \mathrm{{Pr}}_1[b^{\prime }=b]=\mathrm{{Pr}}_2[b^{\prime }=b]. \end{aligned}$$

(24)

$G_3$ is the same as $G_2$ except for one difference in $\mathcal {O}_{\text {enc}}$.

In game $G_2$, $[\varvec{\mathrm {c}}_1]$ is uniform over $\textsf {span}([\varvec{\mathrm {A}}])$ for each $\mathcal {O}_{\text {enc}}$ query.
In game $G_3$, $[\varvec{\mathrm {c}}_1]$ is uniform over $\mathbb {G}^{2k}$ for each $\mathcal {O}_{\text {enc}}$ query.

We can build an adversary $\mathcal {B}_2$ and show that

$$\begin{aligned} \left| \mathrm{{Pr}}_2[b^{\prime }=b]-\mathrm{{Pr}}_3[b^{\prime }=b]\right| \le k\cdot \textsf {Adv}^{\text {mddh}}_{\mathcal {D}_{2k,k},\textsf {GGen},\mathcal {B}_2}(\lambda )+2^{-\varOmega (\lambda )}. \end{aligned}$$

(25)

The reduction is straightforward, since $\mathcal {B}_2$ can simulate $G_2(G_3)$ by generating the secret key itself and embed its own challenge in $[\varvec{\mathrm {c}}_1]$. We omit the details.

We refer to the full version [21] for the proof of this lemma.

$G_4$ is the same as $G_3$ except for one difference in $\mathcal {O}_{\text {enc}}$.

In game $G_3$, $[\varvec{\mathrm {c}}_1]$ is uniform over $\mathbb {G}^{2k}$ for each $\mathcal {O}_{\text {enc}}$ query.
In game $G_4$, $[\varvec{\mathrm {c}}_1]$ is uniform over $\textsf {span}([\varvec{\mathrm {A}}_0])$ for each $\mathcal {O}_{\text {enc}}$ query.

We can build an adversary $\mathcal {B}_3$ and show that

$$\begin{aligned} \left| \mathrm{{Pr}}_3[b^{\prime }=b]-\mathrm{{Pr}}_4[b^{\prime }=b]\right| \le \textsf {Adv}^{\text {mddh}}_{\mathcal {U}_k,\textsf {GGen},\mathcal {B}_3}(\lambda )+2^{-\varOmega (\lambda )}. \end{aligned}$$

(26)

The reduction is straightforward and the proof of (26) is almost the same as (25).

$G_5$ is almost the same as $G_4$ except that a rejection rule is added in $\mathcal {O}_{\text {dec}}$. More precisely, in $G_5$, an $\mathcal {O}_{\text {dec}}(\textsf {pred},\psi =([\varvec{\mathrm {c}}],\varPi ))$ query is directly rejected if $[\varvec{\mathrm {c}}]\notin \text {span}([\varvec{\mathrm {A}}])$. We have that

$$\begin{aligned}&\left| \mathrm{{Pr}}_4[b^{\prime }=b]-\mathrm{{Pr}}_5[b^{\prime }=b]\right| \le \frac{1}{2}\textsf {Adv}^{\text {csnd}}_{\mathcal {L}^{\text {snd}},\textsf {PS},\mathcal {B}_4}(\lambda ) +\frac{1}{2}\textsf {Adv}^{\text {PS-ind}}_{\mathcal {L}^{\text {snd}},\textsf {PS},\widetilde{\textsf {PS}},\mathcal {B}_5}(\lambda )+Q_{\text {enc}}\cdot 2^{-\varOmega (\lambda )}\nonumber \\&+2\lambda \cdot \textsf {Adv}^{\text {mddh}}_{\mathcal {D}_{2k,k},\textsf {GGen},\mathcal {B}_2}(\lambda ) +\frac{\lambda }{2}\textsf {Adv}^{\text {csnd}}_{\widetilde{\mathcal {L}^{\text {snd}}},\widetilde{\textsf {PS}},\mathcal {B}_6}(\lambda )+\frac{\lambda +2}{2}\cdot Q_{\text {enc}}\cdot Q_{\text {dec}}\cdot uncert_{\mathcal {A}}(\lambda ) \end{aligned}$$

(27)

The proof of (27) is the same as Lemma 9 in [8]. We refer [8] for details.

$G_6$ is almost the same as $G_5$ except for one difference in $\mathcal {O}_{\text {enc}}$.

In game $G_5$, $\gamma _1=(\varvec{\mathrm {k}}_0^{\top }+\tau _1\varvec{\mathrm {k}}_1^{\top })\cdot [\varvec{\mathrm {c}}_1]+[\kappa _1]$ for each $\mathcal {O}_{\text {enc}}$ query.
In game $G_6$, $\gamma _1=[\varvec{\mathrm {v}}^{\top }\varvec{\mathrm {r}}_1]+\tau _1\varvec{\mathrm {k}}_1^{\top }[\varvec{\mathrm {c}}_1]+[\kappa _1]$ where $\varvec{\mathrm {v}}$ is uniformly chosen from $\mathbb {Z}_q^k$ beforehand but will be fixed for each $\mathcal {O}_{\text {enc}}$ query.

We have that

$$\begin{aligned} \left| \mathrm{{Pr}}_5[b^{\prime }=b]-\mathrm{{Pr}}_6[b^{\prime }=b]\right| \le 2^{-\varOmega (\lambda )}. \end{aligned}$$

(28)

The proof of (28) is almost the same as (15), and is put in our full version [21].

$G_7$ is almost the same as $G_6$ except for one difference in $\mathcal {O}_{\text {enc}}$.

In game $G_6$, $\gamma _1=[\varvec{\mathrm {v}}^{\top }\varvec{\mathrm {r}}_1]+\tau _1\varvec{\mathrm {k}}_1^{\top }[\varvec{\mathrm {c}}_1]+[\kappa _1]$ for each $\mathcal {O}_{\text {enc}}$ query.
In game $G_7$, $\gamma _1\leftarrow [u_1]+\tau _1\varvec{\mathrm {k}}_1^{\top }[\varvec{\mathrm {c}}_1]+[\kappa _1]$ where $u_1\leftarrow _{\$}\mathbb {Z}_q$ for each $\mathcal {O}_{\text {enc}}$ query. In other words, $\gamma _1$ is uniform for each $\mathcal {O}_{\text {enc}}$ query in $G_7$. We have that
$$\begin{aligned} \left| \mathrm{{Pr}}_6[b^{\prime }=b]-\mathrm{{Pr}}_7[b^{\prime }=b]\right| \le \textsf {Adv}^{\text {mddh}}_{\mathcal {U}_k,\textsf {GGen},\mathcal {B}_3}(\lambda )+2^{-\varOmega (\lambda )}. \end{aligned}$$
(29)

The proof of (29) is almost the same as that of (16). We can set $\varvec{\mathrm {r}}_1=\varvec{\mathrm {Ws}}$ and which has the distribution $\mathcal {U}_{k+1,k}$ overwhelmingly. Then we can reduce the indistinguishability between $G_6$ and $G_7$ to the $Q_{\text {enc}}$-fold $\mathcal {U}_{k+1,k}$ -MDDH assumption. We omit the detailed proof here.

Note that, in game $G_7$, $[\kappa _1]$ is not needed any longer since we can just select a uniform $\gamma _1$ for each $\mathcal {O}_{\text {enc}}$ query.

$G_8$ is almost the same as $G_7$ except for one difference in $\mathcal {O}_{\text {enc}}$.

In game $G_7$, $\varPi _1$ is the output of $\textsf {PSim}(\textsf {psk},[\varvec{\mathrm {c}}_1])$ for each $\mathcal {O}_{\text {enc}}$ query.
In game $G_8$, $\varPi _1$ is uniform selected for each $\mathcal {O}_{\text {enc}}$ query.

We can build an adversary $\mathcal {B}_7$ and show that

$$\begin{aligned} \left| \mathrm{{Pr}}_7[b^{\prime }=b]-\mathrm{{Pr}}_8[b^{\prime }=b]\right| \le \textsf {Adv}_{\textsf {PS},\mathcal {B}_7}^{\text {pr-proof}}(\lambda ). \end{aligned}$$

(30)

On input $\textsf {ppk}$, $\mathcal {B}_7$ uniformly selects $b\leftarrow _{\$}\{0,1\}$ and sets $\mathcal {T}\leftarrow \emptyset $. Then $\mathcal {B}_7$ uniformly selects $\varvec{\mathrm {k}}_0,\varvec{\mathrm {k}}_1\leftarrow _{\$}\mathbb {Z}_q^{2k}$ and sets $[\varvec{\mathrm {p}}_0^{\top }]\leftarrow \varvec{\mathrm {k}}_0^{\top }[\varvec{\mathrm {A}}],[\varvec{\mathrm {p}}_1^{\top }]\leftarrow \varvec{\mathrm {k}}_1^{\top }[\varvec{\mathrm {A}}],\mathsf {pk}_{\textsf {KEM}}\leftarrow (\textsf {ppk},[\varvec{\mathrm {p}}_0^{\top }],[\varvec{\mathrm {p}}_1^{\top }])$. Then $\mathcal {B}_7$ calls $\mathcal {A}^{\mathcal {O}_{\text {enc}}(),\mathcal {O}_{\text {dec}}(\cdot ,\cdot )}(\mathsf {pk}_{\textsf {KEM}})$ by simulating the two oracles for $\mathcal {A}$ in the following way.

For $\mathcal {A}$’s $\mathcal {O}_{\text {enc}}()$ query, $\mathcal {B}_7$ uniformly chooses $(\psi _0,\gamma _0)$ and calculates $\tau _0$ just like game $G_7(G_8)$. Then $\mathcal {B}_7$ submits an $\mathcal {O}_{\text {sim}}$ query to its own oracle and gets $([\varvec{\mathrm {c}}],\varPi )$ where $[\varvec{\mathrm {c}}]$ is uniform over $\mathcal {L}^{\text {snd}}\backslash \mathcal {L}=\textsf {span}([\varvec{\mathrm {A}}_0])$ and $\varPi $ is either an output of $\textsf {PSim}(\textsf {psk},[\varvec{\mathrm {c}}])$ or uniformly chosen from $\varvec{\mathrm {\varPi }}$. After that $\mathcal {B}_7$ sets $[\varvec{\mathrm {c}}_1]\leftarrow [\varvec{\mathrm {c}}]$ and $\varPi _1\leftarrow \varPi $. Then $\mathcal {B}_7$ sets $\varvec{\mathrm {\psi }}_{\text {enc}}$, calculates $\tau _1$ from $[\overline{\varvec{\mathrm {c}}_1}]$ and uniformly selects $\gamma _1$ just like game $G_7(G_8)$. Finally $\mathcal {B}_7$ returns $(\psi _b,\gamma _b)$ to $\mathcal {A}$.
For $\mathcal {A}$’s $\mathcal {O}_{\text {dec}}(\textsf {pred},\psi =([\varvec{\mathrm {c}}],\varPi ))$ query, $\mathcal {B}_7$ submits $\mathcal {O}_{\text {ver}}([\varvec{\mathrm {c}}],\varPi )$ query to its own oracle and gets the response K. If $K=\bot $, $\mathcal {B}_7$ returns $\bot $ to $\mathcal {A}$. Since $K=\bot $ means $[\varvec{\mathrm {c}}]\notin \textsf {span}([\varvec{\mathrm {A}}])$ or the verification $\textsf {PVer}(\textsf {psk},[\varvec{\mathrm {c}}],\varPi )$ does not pass, $\mathcal {B}_7$ acts exactly the same as game $G_7(G_8)$ in such cases. If $[\kappa ]=K\ne \bot $, $\mathcal {B}_7$ calculates $\tau $ and $\gamma $ just like game $G_7(G_8)$. Then $\mathcal {B}_7$ tests if $([\varvec{\mathrm {c}}],\varPi )\in \varvec{\mathrm {\psi }}_{\text {enc}}$ or $\textsf {pred}(\gamma )=0$ or $\vee \tau \in \mathcal {T}$ happens. If so, $\mathcal {B}_7$ returns $\bot $ to $\mathcal {A}$. Otherwise $\mathcal {B}_7$ returns $\gamma $ to $\mathcal {A}$.

Finally, according to $\mathcal {A}$’s output $b^{\prime }$, $\mathcal {B}_7$ outputs 1 if and only if $b^{\prime }=b$. It is clear that if $\varPi $ is an output of $\textsf {PSim}(\textsf {psk},[\varvec{\mathrm {c}}])$ for each $\mathcal {O}_{\text {sim}}$ query, $\mathcal {B}_7$ perfectly simulates game $G_7$ for $\mathcal {A}$. And if $\varPi $ is uniformly chosen from $\varvec{\mathrm {\varPi }}$ for each $\mathcal {O}_{\text {sim}}$ query, $\mathcal {B}_7$ perfectly simulates game $G_8$ for $\mathcal {A}$. Thus (30) follows.

$G_9$ is the same as $G_8$ except for one difference in $\mathcal {O}_{\text {enc}}$.

In game $G_8$, $[\varvec{\mathrm {c}}_1]$ is uniform selected from $\textsf {span}([\varvec{\mathrm {A}}_0])$ for each $\mathcal {O}_{\text {enc}}$ query.
In game $G_9$, $[\varvec{\mathrm {c}}_1]$ is uniform selected from $\mathbb {G}^{2k}$ for each $\mathcal {O}_{\text {enc}}$ query.

We can build an adversary $\mathcal {B}_3$ and show that

$$\begin{aligned} \left| \mathrm{{Pr}}_8[b^{\prime }=b]-\mathrm{{Pr}}_9[b^{\prime }=b]\right| \le \textsf {Adv}^{\text {mddh}}_{\mathcal {U}_k,\textsf {GGen},\mathcal {B}_3}(\lambda )+2^{-\varOmega (\lambda )}. \end{aligned}$$

(31)

The reduction is straightforward and the proof of (31) is the same as the proof for (25). We omit the details here.

In game $G_9$, $(\psi _1,\varPi _1)$ is uniform over $\varPsi \times \varGamma $ for each $\mathcal {O}_{\text {enc}}$ query, which distributes exactly the same as $(\psi _0,\varPi _0)$. Thus we have

$$\begin{aligned} \mathrm{{Pr}}_9[b^{\prime }=b]=\frac{1}{2}. \end{aligned}$$

(32)

Finally, Theorem 3 follows from (23), Lemma 1, (24)–(32). $\blacksquare $

Theorem 4

The KEM $\mathsf {KEM}_{\mathsf {qps}}$ in Fig. 12 is RER secure. Specifically, for each PPT adversary $\mathcal {A}$ with negligible uncertainty $uncert_{\mathcal {A}}(\lambda )$, the advantage $\mathsf {Adv}_{\mathsf {KEM}_{\mathsf {qps}},\mathcal {A}}^\mathrm{rer}(\lambda )\le 2^{-\varOmega (\lambda )}.$

Proof of Theorem 4. In $\textsf {Exp}^{\text {rer-}b}_{\textsf {KEM}_{\textsf {qps}},\mathcal {A}}(\lambda )$, among all the $\mathcal {O}_{\text {cha}}(\psi ,\textsf {pred})$ queries submitted by $\mathcal {A}$, if $\psi \notin \varvec{\mathrm {\psi }}_{\text {ran}}$, the oracle $\mathcal {O}_{\text {cha}}$ will answer $\mathcal {A}$ with $\textsf {pred}(\textsf {KDec}(\mathsf {sk}_{\textsf {KEM}},\psi ))$. Thus no information about b is leaked to $\mathcal {A}$.

Therefore, we only consider those $\mathcal {O}_{\text {cha}}(\psi ,\textsf {pred})$ queries such that $\psi =([\varvec{\mathrm {c}}],\varPi )\in \varvec{\mathrm {\psi }}_{\text {ran}}$. In this case, both $[\varvec{\mathrm {c}}]$ and $\varPi $ are uniform.

If $b=0$, $\mathcal {O}_{\text {cha}}(\psi ,\textsf {pred})$ will always return 0 in $\textsf {Exp}^{\text {rer-}0}_{\textsf {KEM}_{\textsf {qps}},\mathcal {A}}(\lambda )$.

If $b=1$, $\mathcal {O}_{\text {cha}}(\psi ,\textsf {pred})$ will use $\textsf {KDec}(\mathsf {sk}_{\textsf {KEM}},\psi )$ to decapsulate $\psi $. More precisely, it will invoke $\textsf {PVer}(\textsf {psk},[\varvec{\mathrm {c}}],\varPi )$ to obtain $(v,[\kappa ])$ and output $\bot $ if $v=0$. By the proof uniqueness of $\textsf {PS}$ and the uniformness of $\varPi $, the probability that $v=1$ in this query is at most $\frac{1}{|\varvec{\mathrm {\varPi }}|}$. Taking into account all the $Q_{\text {cha}}$ queries, a union bound suggests that $\mathcal {O}_{\text {cha}}(\psi ,\textsf {pred})$ always outputs 0 in $\textsf {Exp}^{\text {rer-}1}_{\textsf {KEM}_{\textsf {qps}},\mathcal {A}}(\lambda )$ except with probability at most $\frac{Q_{\text {cha}}}{|\varvec{\mathrm {\varPi }}|}=2^{-\varOmega (\lambda )}$. Thus

$$\textsf {Adv}_{\textsf {KEM}_{\textsf {qps}},\mathcal {A}}^{\text {rer}}(\lambda )=\left| \mathrm{{Pr}}\left[ \textsf {Exp}^{\text {rer-0}}_{\textsf {KEM}_{\textsf {qps}},\mathcal {A}}(\lambda )=1\right] -\mathrm{{Pr}}\left[ \textsf {Exp}^{\text {rer-1}}_{\textsf {KEM}_{\textsf {qps}},\mathcal {A}}(\lambda )=1\right] \right| \le 2^{-\varOmega (\lambda )}. $$

Notes

1.
According to [3, 8], such a security reduction is called an almost tight one and a security reduction is tight only if L is a constant.
2.
In [20], a PKE with tight SIM-SO-CCA security is constructed directly on the MDDH assumption. Our work unified their work by characterizing the mPR-CCCA security and RER security for KEM.
3.
This construction in Fig. 10 is an updated version of [8] from a personal communication.

References

Bellare, M., Hofheinz, D., Yilek, S.: Possibility and impossibility results for encryption and commitment secure under selective opening. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 1–35. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-01001-9_1
Chapter Google Scholar
Böhl, F., Hofheinz, D., Kraschewski, D.: On definitions of selective opening security. In: Fischlin, M., Buchmann, J., Manulis, M. (eds.) PKC 2012. LNCS, vol. 7293, pp. 522–539. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-30057-8_31
Chapter Google Scholar
Chen, J., Wee, H.: Fully, (almost) tightly secure IBE and dual system groups. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8043, pp. 435–460. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40084-1_25
Chapter Google Scholar
Damgård, I., Nielsen, J.B.: Improved non-committing encryption schemes based on a general complexity assumption. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, pp. 432–450. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-44598-6_27
Chapter Google Scholar
Dwork, C., Naor, M., Reingold, O., Stockmeyer, L.J.: Magic functions. In: FOCS 1999, pp. 523–534. IEEE Computer Society (1999). https://doi.org/10.1109/SFFCS.1999.814626
Fehr, S., Hofheinz, D., Kiltz, E., Wee, H.: Encryption schemes secure against chosen-ciphertext selective opening attacks. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 381–402. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5_20
Chapter Google Scholar
Gay, R., Hofheinz, D., Kiltz, E., Wee, H.: Tightly CCA-secure encryption without pairings. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9665, pp. 1–27. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49890-3_1
Chapter Google Scholar
Gay, R., Hofheinz, D., Kohl, L.: Kurosawa-Desmedt meets tight security. In: Katz and Shacham [16], pp. 133–160 (2017). https://doi.org/10.1007/978-3-319-63697-9_5
Goldwasser, S., Micali, S.: Probabilistic encryption. J. Comput. Syst. Sci. 28(2), 270–299 (1984). https://doi.org/10.1016/0022-0000(84)90070-9
Article MathSciNet MATH Google Scholar
Hemenway, B., Libert, B., Ostrovsky, R., Vergnaud, D.: Lossy encryption: constructions from general assumptions and efficient selective opening chosen ciphertext security. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 70–88. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25385-0_4
Chapter Google Scholar
Hofheinz, D.: All-but-many lossy trapdoor functions. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 209–227. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_14
Chapter Google Scholar
Hofheinz, D.: Adaptive partitioning. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10212, pp. 489–518. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56617-7_17
Chapter Google Scholar
Hofheinz, D., Jager, T., Rupp, A.: Public-key encryption with simulation-based selective-opening security and compact ciphertexts. In: Hirt, M., Smith, A. (eds.) TCC 2016. LNCS, vol. 9986, pp. 146–168. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53644-5_6
Chapter Google Scholar
Huang, Z., Liu, S., Qin, B.: Sender-equivocable encryption schemes secure against chosen-ciphertext attacks revisited. In: Kurosawa, K., Hanaoka, G. (eds.) PKC 2013. LNCS, vol. 7778, pp. 369–385. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-36362-7_23
Chapter Google Scholar
Huang, Z., Liu, S., Qin, B., Chen, K.: Fixing the sender-equivocable encryption scheme in eurocrypt 2010. In: 2013 5th International Conference on Intelligent Networking and Collaborative Systems, pp. 366–372. IEEE (2013). https://doi.org/10.1109/INCoS.2013.69
Katz, J., Shacham, H. (eds.): CRYPTO 2017. LNCS, vol. 10403. Springer, Heidelberg (2017). https://doi.org/10.1007/978-3-319-63697-9
MATH Google Scholar
Lai, J., Deng, R.H., Liu, S., Weng, J., Zhao, Y.: Identity-based encryption secure against selective opening chosen-ciphertext attack. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 77–92. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-55220-5_5
Chapter Google Scholar
Libert, B., Sakzad, A., Stehlé, D., Steinfeld, R.: All-but-many lossy trapdoor functions and selective opening chosen-ciphertext security from LWE. In: Katz and Shacham [16], pp. 332–364 (2017). https://doi.org/10.1007/978-3-319-63697-9_12
Liu, S., Paterson, K.G.: Simulation-based selective opening CCA security for PKE from key encapsulation mechanisms. In: Katz, J. (ed.) PKC 2015. LNCS, vol. 9020, pp. 3–26. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46447-2_1
Google Scholar
Lyu, L., Liu, S., Han, S.: Public-key encryption with tight simulation-based selective-opening security. Comput. J. 1–31 (2017). https://doi.org/10.1093/comjnl/bxx080
Lyu, L., Liu, S., Han, S., Gu, D.: Tightly SIM-SO-CCA secure public key encryption from standard assumptions. Cryptology ePrint Archive, Report 2018/030 (2018). https://eprint.iacr.org/2018/030
Peikert, C., Waters, B.: Lossy trapdoor functions and their applications. In: Dwork, C. (ed.) 2008 ACM Symposium on Theory of Computing, pp. 187–196. ACM (2008). https://doi.org/10.1145/1374376.1374406

Download references

Acknowledgments

Lin Lyu, Shengli Liu and Shuai Han are supported by the National Natural Science Foundation of China (Grant Nos. 61672346, 61373153). Dawu Gu is supported by the National Natural Science Foundation of China (Grant No. U1636217) together with Program of Shanghai Academic Research Leader (16XD1401300). The authors greatly thank the anonymous reviewers of PKC 2018 for their comments and suggestions.

Author information

Authors and Affiliations

Department of Computer Science and Engineering, Shanghai Jiao Tong University, Shanghai, 200240, China
Lin Lyu, Shengli Liu, Shuai Han & Dawu Gu
State Key Laboratory of Cryptology, P.O. Box 5159, Beijing, 100878, China
Lin Lyu, Shengli Liu & Shuai Han
Westone Cryptologic Research Center, Beijing, 100070, China
Shengli Liu
Karlsruhe Institute of Technology, Karlsruhe, Germany
Shuai Han
Shanghai Institute for Advanced Communication and Data Science, Shanghai, China
Dawu Gu

Authors

Lin Lyu
View author publications
You can also search for this author in PubMed Google Scholar
Shengli Liu
View author publications
You can also search for this author in PubMed Google Scholar
Shuai Han
View author publications
You can also search for this author in PubMed Google Scholar
Dawu Gu
View author publications
You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Shengli Liu .

Editor information

Editors and Affiliations

CNRS and École Normale Supérieure, Paris, France
Michel Abdalla
University of Campinas, Campinas, São Paulo, Brazil
Ricardo Dahab

Rights and permissions

Reprints and permissions

Copyright information

About this paper

Cite this paper

Lyu, L., Liu, S., Han, S., Gu, D. (2018). Tightly SIM-SO-CCA Secure Public Key Encryption from Standard Assumptions. In: Abdalla, M., Dahab, R. (eds) Public-Key Cryptography – PKC 2018. PKC 2018. Lecture Notes in Computer Science(), vol 10769. Springer, Cham. https://doi.org/10.1007/978-3-319-76578-5_3

Download citation

DOI: https://doi.org/10.1007/978-3-319-76578-5_3
Published: 01 March 2018
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-76577-8
Online ISBN: 978-3-319-76578-5
eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Societies and partnerships

the International Association for Cryptologic Research (opens in a new tab)