1 Introduction

The most basic security guarantee we require of a public key encryption scheme is that of semantic security against chosen-plaintext attacks (CPA) [21]: it is infeasible to learn anything about the plaintext from the ciphertext. However, a series of increasingly sophisticated uses of encryption, both directly in practical applications and indirectly as a cryptographic building block in more theoretical work, call for encryption schemes with much stronger security guarantees. In this work, we consider two such security notions.

Key-Dependent Message (KDM) Security. The standard CPA security definition does not provide any guarantee when the plaintext depends on the secret key (as pointed out in [21]), as may be the case in disk encryption. It was later observed that this situation is not so unlikely and may sometimes even be desirable [1, 12]. Black, Rogaway and Shrimpton [7] formally defined key-dependent message (KDM) security: roughly speaking, we want to guarantee semantic security even against an adversary that can obtain encryptions of (efficient) functions of its choosing, taken from some specified class of functions \(\mathcal {F}\), applied to the secret key.

Several years ago, Boneh et al. (BHHO) [9] presented a public-key encryption scheme that is KDM-secure w.r.t. the class of affine functions under the decisional Diffie-Hellman (DDH) assumption. Since then, Applebaum et al. [4] presented a scheme under the LWE assumption (which is itself a variant of Regev’s cryptosystem [33]) and Brakerski and Goldwasser [10] presented a BHHO-like scheme based on the quadratic residuosity (QR) and decisional composite residuosity (DCR) assumptions. All of these schemes achieve KDM-security w.r.t. the class of affine functions, which can in turn be “boosted” to the class of circuits of a-priori bounded size [3, 5]. Although many of these schemes inherit the BHHO algebraic structure, there does not seem to be a general principle that explains the design or analysis of these schemes: the BHHO analysis uses an intermediate notion of an “expanded system”, whereas that of Brakerski and Goldwasser relies on an incomparable “interactive vector” game.

Dual-Mode Cryptosystems. Dual-mode cryptosystems were put forth by Peikert et al. [32] as a tool for constructing efficient and universally composable oblivious transfer (OT) protocols. Oblivious transfer is a fundamental two-party cryptographic primitive for secure two-party and multi-party computation [20, 28, 35]: it allows one party, called the receiver, to obtain exactly one of two values from another party, called the sender. The receiver remains oblivious to the other value, and the sender is oblivious to which value was received.

A natural approach towards realizing OT is to have the receiver generate a pair of public keys, and have the sender encrypt both of its input values under the respective public keys [17, 19]. In order to provide security against a malicious sender, the simulator can simply generate a pair of “normal” public keys along with the corresponding secret keys, and then decrypt the ciphertexts sent by the sender to extract both of its inputs. On the other hand, if the receiver is malicious, we need to ensure that (at least) one of the two public keys is “messy”, namely that ciphertexts encrypted under it carry no information about the message.

A dual-mode cryptosystem provides exactly both of these guarantees in the common reference string (CRS) model. The cryptosystem admits two types of public keys: “normal” keys that enable correct decryption, and “messy” keys under which ciphertexts statistically carry no information about the message. Moreover, a simulator can generate the CRS in one of two indistinguishable modes: a “messy” mode which ensures that amongst any pair of possibly adversarially chosen public keys, at least one must be “messy”; and a “decryption” mode which allows a simulator to generate a pair of “normal” keys.

Peikert et al. also presented three instantiations of dual-mode cryptosystems based on DDH, QR and LWE. However, there seems to be no overarching theme to the three constructions – the DDH-based scheme relies on a “re-randomization trick” from the earlier OT protocols of Naor and Pinkas [30] whereas the QR-based scheme relies on algebraic properties of Cocks’ IBE scheme [14].

Our Results. We present new frameworks for constructing KDM-secure encryption schemes and dual-mode cryptosystems that admit a very simple and modular analysis. Both of these frameworks build on the notion of smooth projective hashing, introduced by Cramer and Shoup in the context of CCA-secure encryption [15, 16], with the additional requirement that the hash function is homomorphic, as is the case for all known instantiations. Using our frameworks, we obtain:

  • a unified treatment of the KDM-secure encryption schemes based on DDH, QR, and DCR given in [9, 10] for affine functions of the secret key, as well as those for low-degree functions of the secret key in [11] (we focus here on the single-key setting, which already captures much of the difficulty in realizing KDM-security in prior works; see Sect. 2.1 for a discussion on multiple keys),

  • new constructions of dual-mode cryptosystems: (i) a construction based on the d-linear assumption, generalizing the previous construction based on DDH; (ii) a simple construction based on QR, which does not rely on the Cocks IBE; (iii) a new construction based on DCR.

We regard our first construction for KDM security as our primary technical contribution. The second, for dual-mode cryptosystems, builds heavily upon existing constructions of OT from smooth projective hashing in [23], although highlighting the role of the group structure and homomorphism for dual-mode cryptosystems appears to be novel to this work (cf. the comparison in Sect. 2.2).

Our high-level approach for KDM security is quite simple. Via the projective property, we will define ciphertexts via decryption with the secret key instead of encryption with the public key. Now, by feeding the decryption algorithm some “malformed” ciphertext, decryption leaks a function f of the secret key \(\textsc {sk}\). In fact, we can design the malformed ciphertexts carefully so that they decrypt to \(f(\textsc {sk})\); moreover, these malformed ciphertexts are indistinguishable from random encryptions of \(f(\textsc {sk})\). It is important here that the distribution of the malformed ciphertext depends only on f and the public key \(\textsc {pk}\). For this to work out, we require some algebraic structure for the decryption algorithm and the space of ciphertexts, which is captured precisely by homomorphic projective hashing.

We note that in the proof of KDM security, we show that the simulated encryptions of \(f(\textsc {sk})\) are computationally indistinguishable from honest encryptions of \(f(\textsc {sk})\), even if the distinguisher gets \(\textsc {sk}\); this is necessary to enable a hybrid argument across the KDM queries. (As a side remark, we note that we cannot rely on smoothness at this step of the proof.) Projective hashing has the distinctive and extremely useful property that it enables a computational assumption on the ciphertext space even against distinguishers that know the secret key; this property also played a crucial role in the original work on CCA-security [16], and in the more recent work on leakage resilience [31].

2 Overview of Our Constructions

Smooth Projective Hashing. We begin with an informal overview of smooth projective hashing [15, 16], since our constructions build on this framework. We consider a family of hash functions \(\Lambda _\textsc {hk}(\cdot )\) indexed by a hashing key \(\textsc {hk}\), whose input comes from a group \(\mathcal {G}\). Let \(\mathcal {G}_{\textsc {yes}}\) be a subgroup of \(\mathcal {G}\) and let \(\mu (\cdot )\) denote a projection map defined on the hashing key \(\textsc {hk}\). We are interested in hash functions that satisfy the following properties:

  • (projective) for \(C \in \mathcal {G}_{\textsc {yes}}\), the value \(\Lambda _\textsc {hk}(C)\) is uniquely determined by \(\mu (\textsc {hk})\) and C. Moreover, there is an algorithm \(\mathsf {Pub}\) that given \(\mu (\textsc {hk})\) along with the randomness r used to sample C, outputs \(\Lambda _\textsc {hk}(C)\).

  • (smoothness) for \(C \notin \mathcal {G}_{\textsc {yes}}\), the value \(\Lambda _\textsc {hk}(C)\) is statistically close to random even given \(\mu (\textsc {hk})\) and C.

  • (homomorphic) for all \(C_0,C_1 \in \mathcal {G}\), we have \(\Lambda _\textsc {hk}(C_0 \cdot C_1) = \Lambda _\textsc {hk}(C_0) \cdot \Lambda _\textsc {hk}(C_1)\).

In addition, we require that the uniform distributions over \(\mathcal {G}_{\textsc {yes}}\) and \(\mathcal {G}\) be computationally indistinguishable, and that the uniform distributions over \(\mathcal {G}_{\textsc {yes}}\) and \(\mathcal {G}_{\textsc {no}}:= \mathcal {G}\setminus \mathcal {G}_{\textsc {yes}}\) are also computationally indistinguishable. (If \(\mathcal {G}_{\textsc {yes}}\) has negligible density, then the former implies the latter.)

2.1 KDM-Security

Starting with a smooth projective hash function \(\Lambda _\textsc {hk}(\cdot )\) defined on \(\mathcal {G}\), we can build a CPA-secure encryption scheme —which we will refer to as the “Cramer-Shoup scheme”— as follows:

  • \(\mathsf {Gen}(1^k)\): Sample a uniform hashing key \(\textsc {hk}\) and output the key pair

    $$\begin{aligned} \textsc {pk}:= \mu (\textsc {hk}) \quad \text{ and } \quad \textsc {sk}:= \textsc {hk}\end{aligned}$$

    Henceforth, we will use \(\textsc {sk}\) and \(\textsc {hk}\) interchangeably for this scheme.

  • \(\mathsf {Enc}(\textsc {pk},m)\): To encrypt a message m, sample \(C \leftarrow _{\textsc {r}}\mathcal {G}_{\textsc {yes}}\) with randomness r, output the ciphertext

    $$\begin{aligned} (C, \Lambda _\textsc {sk}(C) \cdot m) \end{aligned}$$

    where \(\Lambda _\textsc {sk}(C)\) is computed via the projective property using \(\mathsf {Pub}(\textsc {pk},C,r)\).

  • \(\mathsf {Dec}(\textsc {sk},(C,\psi ))\): On input a ciphertext \((C,\psi )\), output the plaintext

    $$\begin{aligned} ( \Lambda _\textsc {sk}(C)^{-1} \cdot \psi ) \end{aligned}$$

A standard argument shows that this scheme is CPA-secure: we switch the distribution of C in the ciphertext to \(C \leftarrow _{\textsc {r}}\mathcal {G}_{\textsc {no}}\) and then by smoothness, the ciphertext statistically hides m. Moreover:

Theorem (informal). Suppose in addition that \(\Lambda _\textsc {sk}(\cdot )\) is homomorphic. Then this encryption scheme is KDM-secure w.r.t. the class of functions \(\{ \textsc {sk}\mapsto \Lambda _\textsc {sk}(e) \}\) for any \(e \in \mathcal {G}\).

Once we have KDM-security for affine functions, we can “boost” to the class of circuits of a-priori bounded size [3, 5].

Simulating KDM Queries. The core difficulty lies in simulating encryptions of \(\Lambda _\textsc {sk}(e)\) given only the public key, which turns out to be really simple in our framework.

$$\begin{array}{rlll} \mathsf {Enc}(\textsc {pk},\Lambda _\textsc {sk}(e))&{}\equiv &{} ( C, \mathsf {Pub}(\textsc {pk}, C,r) \cdot \Lambda _\textsc {sk}(e) ) &{}: C \leftarrow _{\textsc {r}}\mathcal {G}_{\textsc {yes}}, \text{ randomness } \text{ r }\\ &{}\equiv &{} ( C, \Lambda _\textsc {sk}(C) \cdot \Lambda _\textsc {sk}(e) ) &{}: C \leftarrow _{\textsc {r}}\mathcal {G}_{\textsc {yes}}, \text{ via } \text{ projective } \text{ property }\\ &{}\approx _c&{} ( C, \Lambda _\textsc {sk}(C) \cdot \Lambda _\textsc {sk}(e) ) &{}: C \leftarrow _{\textsc {r}}\mathcal {G}, \text{ via } \text{ subgroup } \text{ membership }\\ &{}\equiv &{} ( C, \Lambda _\textsc {sk}(C \cdot e) ) &{}: C \leftarrow _{\textsc {r}}\mathcal {G}, \text{ since } \Lambda _\textsc {sk}(\cdot ) \text{ is } \text{ homomorphic }\\ &{}\equiv &{} ( C \cdot e^{-1}, \Lambda _\textsc {sk}(C) ) &{}: C \leftarrow _{\textsc {r}}\mathcal {G}, \text{ since } e \in \mathcal {G}\\ &{}\approx _c&{} ( C \cdot e^{-1}, \Lambda _\textsc {sk}(C) ) &{}: C \leftarrow _{\textsc {r}}\mathcal {G}_{\textsc {yes}}\\ &{}\equiv &{} ( C \cdot e^{-1}, \mathsf {Pub}(\textsc {pk}, C,r) ) &{}: C \leftarrow _{\textsc {r}}\mathcal {G}_{\textsc {yes}}, \text{ randomness } \text{ r, } \text{ via } \text{ projective } \end{array}$$

Note that:

  • we can sample from the final distribution given only \(\textsc {pk}\);

  • the above transition does not rely on smoothness, and therefore everything goes through even if we append \(\textsc {sk}\) to the view, namely \((\textsc {sk}, \mathsf {Enc}(\Lambda _\textsc {sk}(e))) \approx _c (\textsc {sk}, ( C \cdot e^{-1}, \mathsf {Pub}(\textsc {pk}, C,r)))\), which allows us to carry out a hybrid argument over the KDM queries;

  • the treatment of KDM queries relies on the projective and homomorphic properties of \(\Lambda _\textsc {sk}(\cdot )\) but not smoothness; instead, we will use smoothness for the normal encryption queries.

Again, we stress that the proof crucially exploits the projective property; the role of the projective property is not captured by any of the prior “expanded system”, “interactive vector” or the “triple proofs” frameworks for KDM-security in [9, 10, 29].

An Instantiation. In the BHHO DDH-based KDM-secure encryption scheme, the underlying projective hash function is defined on a group \(\mathcal {G}:= \mathbb {G}^\ell \) where \(\mathbb {G}\) is the DDH group with some generator g, and \(\ell \) is a parameter. The hashing key (also the secret key) \(\textsc {sk}= (s_1,\ldots ,s_\ell )\) lies in \(\{0,1\}^\ell \), and given an instance \(C = (c_1,\ldots ,c_\ell ) \in \mathbb {G}^\ell \),

$$ \Lambda ^\mathsf {BHHO}_\textsc {sk}(C) = c_1^{s_1} \cdot c_2^{s_2} \cdots c_\ell ^{s_\ell } $$

This means that given any \((a_1,\ldots ,a_\ell ) \in \mathbb {Z}_q^\ell \),

$$ \Lambda ^\mathsf {BHHO}_\textsc {sk}((g^{a_1},\ldots ,g^{a_\ell })) = g^{a_1 s_1 + \cdots + a_\ell s_\ell } $$

Average-case smoothness follows readily from the left-over hash lemma. Now, if we modify the underlying Cramer-Shoup scheme to encrypt the message in the exponent, this function corresponds precisely to linear functions of the bits of the secret key. To handle affine functions, we need to handle an additional offset as described in Sect. 4.

Moreover, we can further extend the hash proof system to handle KDM-security with respect to some fixed functions \(f_1,\ldots ,f_t\) for any polynomial t (for instance, constant-degree polynomials in the bits of the secret keys or uniform Turing machine computation of description at most \(c \log k\) bits) as is the setting considered in Brakerski, Goldwasser and Kalai [11]. We now consider instances \(C = (c_1,\ldots ,c_{\ell +t}) \in \mathbb {G}^{\ell +t}\),

$$ \Lambda ^\mathsf {BHHO}_\textsc {sk}(C) = c_1^{s_1} \cdot c_2^{s_2} \cdots c_\ell ^{s_\ell } \cdot c_{\ell +1}^{f_1(\textsc {sk})} \cdots c_{\ell +t}^{f_t(\textsc {sk})} $$

Average-case smoothness follows as before from the left-over hash lemma. Then, \(\Lambda ^\mathsf {BHHO}_\textsc {sk}(g^{\mathbf {e}_{\ell +i}}) = g^{f_i(\textsc {sk})}\) corresponds to an encryption of \(f_i(\textsc {sk})\). This provides a more direct construction of KDM-security with respect to \(f_1,\ldots ,f_t\) as opposed to the entropic-KDM framework in [11].

On KDM-Security with Multiple Keys. We clarify that we only address KDM-security in this paper with a single public/secret key, whereas the previous constructions in [9, 10] address KDM-security with multiple public/secret key pairs. We note that simplifying the analysis of KDM-security for a single public/secret key is still important in and of itself: (1) it suffices for some applications, e.g. disk encryption, (2) it already captures much of the technical difficulty in realizing KDM-security, (3) previous schemes in [4, 9, 10] first establish KDM-security for a single public/secret key, and then “bootstrap” to multiple keys (in a non-black-box way), (4) more recent schemes for RKA-KDM-security in [8] also reduce security to KDM-security for a single public/secret key. In particular, our framework clarifies the first step of the analysis for multiple key pairs; our framework is also the first to point out the role of the projective property for KDM-security (which is not covered in prior “expanded system”, “interactive vector” or the “triple proofs” frameworks for KDM-security in [9, 10, 29]) and that captures the algebraic structure needed for the decryption algorithm and the space of ciphertexts via homomorphic projective hashing.

Connection to Leakage Resilience. Let us informally refer to a Cramer-Shoup scheme as “linear” if \(\Lambda _\textsc {sk}(\cdot )\) computes a linear function of \(\textsc {sk}\) (possibly in the exponent), where the coefficients of the linear function are specified by the instance. From the preceding discussion, we see that (1) linear Cramer-Shoup schemes are KDM-secure w.r.t. linear functions, and (2) the BHHO scheme [9] along with the BHHO-like schemes given by Brakerski and Goldwasser [10] are examples of such schemes. Naor and Segev [31] also showed that linear Cramer-Shoup schemes are resilient to bounded key leakage; this follows from the fact that random linear functions are good strong extractors. This yields a simple explanation as to why the BHHO scheme and variants thereof are both KDM-secure and resilient to bounded key leakage.

2.2 Dual-Mode Encryption

Starting with a smooth projective hash function \(\Lambda _\textsc {hk}(\cdot )\) defined on \(\mathcal {G}\), we can build a different CPA-secure encryption scheme —which we will refer to as the “dual Cramer-Shoup scheme”— as follows:

  • \(\mathsf {Gen}(1^k)\): Sample \(C \leftarrow _{\textsc {r}}\mathcal {G}_{\textsc {yes}}\) with randomness r and output the key pair

    $$\begin{aligned} \textsc {pk}:= C \quad \text{ and } \quad \textsc {sk}:= r \end{aligned}$$
  • \(\mathsf {Enc}(\textsc {pk},m)\): To encrypt a message m, sample a random \(\textsc {hk}\) and output the ciphertext

    $$\begin{aligned} (\mu (\textsc {hk}), \Lambda _\textsc {hk}(C) \cdot m) \end{aligned}$$
  • \(\mathsf {Dec}(\textsc {sk},(p,\psi ))\): On input a ciphertext \((p,\psi )\), compute \(K := \Lambda _\textsc {hk}(C)\) using \(\mathsf {Pub}\) on input p, C and r (via the projective property) and output

    $$\begin{aligned} ( K^{-1} \cdot \psi ) \end{aligned}$$

As observed by Halevi and Kalai [23, 24], if we instead sample the public key \(C \leftarrow _{\textsc {r}}\mathcal {G}_{\textsc {no}}\), smoothness tells us that we obtain a “messy” public key under which the ciphertext carries no information about the message. This suggests the following natural construction of a dual-mode cryptosystem / OT protocol:

  • the receiver generates a pair of public keys \(C_0,C_1 \in \mathcal {G}\) subject to the constraint that \(C_0 \cdot C_1\) is the CRS.

  • in the decryption (normal) mode, we pick \(C_0, C_1 \leftarrow _{\textsc {r}}\mathcal {G}_{\textsc {yes}}\), and the CRS is chosen uniformly from \(\mathcal {G}_{\textsc {yes}}\).

  • in the messy mode, the CRS is chosen uniformly from \(\mathcal {G}_{\textsc {no}}\). Now, whenever a possibly malicious receiver sends a pair of public keys \((C_0,C_1)\) such that \(C_0 \cdot C_1 \in \mathcal {G}_{\textsc {no}}\), then we know that one of \(C_0, C_1\) lies in \(\mathcal {G}_{\textsc {no}}\) and is therefore messy. (Otherwise, if \(C_0,C_1 \in \mathcal {G}_{\textsc {yes}}\), then \(C_0 \cdot C_1 \in \mathcal {G}_{\textsc {yes}}\) by closure properties of the subgroup.)

We note that exploiting the subgroup structure of \(\mathcal {G}_{\textsc {yes}}\) appears to be novel to this work, and we use the subgroup structure in two ways: first, to argue that if \(C_0 \cdot C_1 \in \mathcal {G}_{\textsc {no}}\), then one of \(C_0, C_1\) lies in \(\mathcal {G}_{\textsc {no}}\); and second, to randomize the \(\mathcal {G}_{\textsc {yes}}\) instance in the CRS (which is necessary for reusability in the context of UC security) by multiplying it by another random \(\mathcal {G}_{\textsc {yes}}\) instance. In contrast, the prior work [23] uses the fact that if two pairs of group elements agree on the first component and disagree on the second, then one of them is a non-DDH tuple, and there is no need for randomizing \(\mathcal {G}_{\textsc {yes}}\) as it addresses stand-alone security.
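The constructions of Sects. 2.1 and 2.2 can be exercised end to end on the DDH/BHHO instantiation described in Sect. 2.1. The Python below is an added toy example and is not code from the paper: it fixes a constructed 10-bit safe-prime group (far too small for any real use) with \(\ell = 8\), implements \(\Lambda _\textsc {sk}(C) = \prod _i c_i^{s_i}\) with \(\mathcal {G}_{\textsc {yes}}\) generated by a public tuple \((g^{w_1},\ldots ,g^{w_\ell })\) (the exponents \(w_i\) play the role of the secret parameter \(\textsc {sp}\) for membership testing), the Cramer-Shoup scheme with the message in the exponent, the simulator \(\mathsf {kdmEnc}^*\) for affine functions \(\textsc {sk}\mapsto \langle a, \textsc {sk}\rangle + b\), and the receiver’s constrained key pair \(C_0 \cdot C_1 = \textsc {crs}\) from the dual-mode construction. All function names are the example’s own.

```python
# Added toy example (not from the paper): DDH/BHHO-style homomorphic projective hash,
# the KDM simulator of Sect. 2.1 and the dual-mode receiver keys of Sect. 2.2.
import secrets

P, Q, G = 1019, 509, 4   # constructed toy parameters: safe prime P = 2Q+1, G of order Q
ELL = 8                  # the hashing key is a bit vector of length ELL
assert pow(G, Q, P) == 1 and G != 1

# Group <G>^ELL, subgroup G_yes = {(g_1^r, ..., g_ELL^r) : r in Z_Q} for pp = (g_i) = (G^w_i).
def setup():
    w = [1 + secrets.randbelow(Q - 1) for _ in range(ELL)]   # sp = w, used only by in_yes
    return [pow(G, wi, P) for wi in w], w

def sample_yes(pp):                      # C <- G_yes together with its witness r
    r = secrets.randbelow(Q)
    return [pow(gi, r, P) for gi in pp], r

def sample_group():                      # uniform in <G>^ELL; outside G_yes w.p. 1 - Q^(1-ELL)
    return [pow(G, secrets.randbelow(Q), P) for _ in range(ELL)]

def in_yes(sp, C):                       # (G^a_i) in G_yes iff a_i*w_1 = a_1*w_i for all i
    return all(pow(ci, sp[0], P) == pow(C[0], wi, P) for ci, wi in zip(C, sp))

def mul(C0, C1): return [a * b % P for a, b in zip(C0, C1)]
def inv(C): return [pow(c, -1, P) for c in C]

# Hash family: Lambda_hk(C) = prod c_i^s_i, mu(hk) = Lambda_hk(pp), Pub(mu, C, r) = mu^r.
def priv_eval(hk, C):
    out = 1
    for ci, si in zip(C, hk):
        out = out * pow(ci, si, P) % P
    return out

def project(pp, hk): return priv_eval(hk, pp)
def pub_eval(mu, r): return pow(mu, r, P)
def sample_hk(): return [secrets.randbelow(2) for _ in range(ELL)]

# Sect. 2.1: Cramer-Shoup scheme with the message in the exponent, phi(m) = G^m.
DLOG = {pow(G, m, P): m for m in range(Q)}   # phi^{-1} by table lookup (toy size only)

def kdm_gen(pp):
    hk = sample_hk()
    return (pp, project(pp, hk)), hk

def kdm_enc(pk, m):
    pp, mu = pk
    C, r = sample_yes(pp)
    return C, pub_eval(mu, r) * pow(G, m, P) % P

def kdm_dec(sk, ct):
    C, psi = ct
    return DLOG[pow(priv_eval(sk, C), -1, P) * psi % P]

def affine(a, b, sk):                    # f_{e,k}(sk) = <a,sk> + b mod Q; e = (G^a_i), k = G^b
    return (sum(ai * si for ai, si in zip(a, sk)) + b) % Q

def kdm_enc_sim(pk, a, b):               # kdmEnc*: uses pk only; outputs (C*e^-1, Pub(pk,C,r)*k)
    pp, mu = pk
    C, r = sample_yes(pp)
    e = [pow(G, ai, P) for ai in a]
    return mul(C, inv(e)), pub_eval(mu, r) * pow(G, b, P) % P

# Sect. 2.2: dual Cramer-Shoup scheme (pk = C in G_yes, sk = witness r) and the receiver's
# key pair in the dual-mode OT, constrained by C_0 * C_1 = crs.
def dual_enc(pp, C, m):
    hk = sample_hk()
    return project(pp, hk), priv_eval(hk, C) * pow(G, m, P) % P

def dual_dec(r, ct):
    mu, psi = ct
    return DLOG[pow(pub_eval(mu, r), -1, P) * psi % P]

def receiver_keys(pp, crs, choice):
    Cb, r = sample_yes(pp)
    keys = [None, None]
    keys[choice], keys[1 - choice] = Cb, mul(crs, inv(Cb))
    return keys, r

def messy_mode_check(pp, sp, choice):    # crs in G_no forces the unopened key into G_no
    keys, _ = receiver_keys(pp, sample_group(), choice)
    return in_yes(sp, keys[choice]), in_yes(sp, keys[1 - choice])

def demo():
    pp, sp = setup()
    pk, sk = kdm_gen(pp)
    C, r = sample_yes(pp)
    D = sample_group()
    projective = pub_eval(pk[1], r) == priv_eval(sk, C)
    homomorphic = priv_eval(sk, mul(C, D)) == priv_eval(sk, C) * priv_eval(sk, D) % P
    a, b = [secrets.randbelow(Q) for _ in range(ELL)], secrets.randbelow(Q)
    sim_decrypts = kdm_dec(sk, kdm_enc_sim(pk, a, b)) == affine(a, b, sk)
    messy = messy_mode_check(pp, sp, 1) == (True, False)
    return projective, homomorphic, sim_decrypts, messy
```

Running demo() checks the projective property on \(\mathcal {G}_{\textsc {yes}}\), the homomorphism on all of \(\mathcal {G}\), that the simulated KDM ciphertext (built from \(\textsc {pk}\) alone) decrypts to \(f(\textsc {sk})\), and that with a CRS in \(\mathcal {G}_{\textsc {no}}\) the key the receiver cannot open is forced into \(\mathcal {G}_{\textsc {no}}\) by closure of the subgroup. What the toy cannot exhibit is smoothness itself: with \(\ell = 8\) and a 10-bit group the leftover hash lemma gives no meaningful bound, so the parameters illustrate the algebraic structure only.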

2.3 Discussion

On Lattice-Based Instantiations. A natural question is whether our frameworks extend to the LWE-based instantiations of KDM-secure encryption and dual-mode cryptosystems given in [2, 4, 32], while relying on an approximate notion of smooth projective hashing as given in [27]. In the LWE setting, the “yes” instances as given by valid LWE instances do not form a subgroup. We note that for KDM security, our proof does not rely on the fact that \(\mathcal {G}_{\textsc {yes}}\) forms a subgroup. For dual-mode cryptosystems, we only require that the “product” of two instances in \(\mathcal {G}_{\textsc {yes}}\) is “far” from \(\mathcal {G}_{\textsc {no}}\), which is indeed satisfied by LWE instances. However, in order to obtain an OT protocol where the same CRS can be reused for an a-priori unbounded number of executions, it is crucial that we can statistically rerandomize instances in \(\mathcal {G}_{\textsc {yes}}\). We do not know how to achieve the latter for LWE; indeed, the LWE-based OT in [32] only achieves security for an a-priori bounded number of OT executions. In particular, we do not know any LWE instantiations for the “full-fledged” notion of dual-mode cryptosystems.

Additional Related Work. Smooth projective hashing is an extremely versatile tool that has found many other applications beyond CCA-security – two-message oblivious transfer [23], password-authenticated key exchange [6, 18], bounded leakage resilience [31], and encryption schemes secure against selective opening attacks [24]. The works of Barak et al. and Applebaum [3, 5], Brakerski, Goldwasser and Kalai [11], and Malkin, Teranishi and Yung [29] each presented general and different techniques to extend KDM-security to richer classes of functions with incomparable trade-offs. Haitner and Holenstein [22] presented black-box impossibility results for (single-key) KDM-security based on general assumptions. In subsequent work, Hofheinz [25] presented a KDM-CCA-secure scheme with compact ciphertexts, inspired in part by the connection between smooth projective hashing and KDM-security established in this work.

Organization. We present definition and results on KDM-secure public-key encryption in Sect. 4, and those for dual-mode encryption in Sect. 5. We present the instantiations in Sects. 6 and 7.

3 Preliminaries

Notation. We denote by \(s \leftarrow _{\textsc {r}}S\) the fact that s is picked uniformly at random from a finite set S and by \(x,y,z \leftarrow _{\textsc {r}}S\) that x, y, z are all picked independently and uniformly at random from S. By PPT, we denote a probabilistic polynomial-time algorithm. Throughout, we use \(1^k\) as the security parameter. We use \(\cdot \) to denote multiplication (or group operation) as well as component-wise multiplication. We use lower case boldface to denote (column) vectors and upper case boldface to denote matrices.

3.1 Smooth Projective Hashing

We present the notion of smooth projective hashing as introduced by Cramer and Shoup [16], in the context of group-theoretic languages.

Setup. Fix a family of groups \(\mathcal {G}_\textsc {pp}\) indexed by a public parameter \(\textsc {pp}\). We require that \(\textsc {pp}\) be efficiently samplable along with a secret parameter \(\textsc {sp}\) given a security parameter \(1^k\), and assume that all algorithms are given \(\textsc {pp}\) as part of their input. We omit \(\textsc {pp}\) henceforth whenever the context is clear. We consider subgroups \(\mathcal {G}_{\textsc {yes}}\) of \(\mathcal {G}\) and we use \(\mathcal {G}_{\textsc {no}}\) to denote \(\mathcal {G}\setminus \mathcal {G}_{\textsc {yes}}\). We will require that each of \(\mathcal {G}, \mathcal {G}_{\textsc {yes}}, \mathcal {G}_{\textsc {no}}\) be efficiently samplable given \(\textsc {pp}\), and that given the secret parameter \(\textsc {sp}\), we can efficiently verify membership in \(\mathcal {G}_{\textsc {yes}}\). Observe that if \(\mathcal {G}_{\textsc {yes}}\) has negligible density (as is the case for most instantiations), we may use the same sampling algorithm for both \(\mathcal {G}\) and \(\mathcal {G}_{\textsc {no}}\) since both distributions are statistically indistinguishable.

Subgroup Membership Assumption. We will consider two related computational assumptions pertaining to the group \(\mathcal {G}\), which we refer to collectively as the subgroup membership assumption. The first assumption states that the uniform distributions over \(\mathcal {G}_{\textsc {yes}}\) and \(\mathcal {G}\) are computationally indistinguishable, even given \(\textsc {pp}\). The second assumption states that the uniform distributions over \(\mathcal {G}_{\textsc {yes}}\) and \(\mathcal {G}_{\textsc {no}}\) are computationally indistinguishable, even given \(\textsc {pp}\). Again, observe that if \(\mathcal {G}_{\textsc {yes}}\) has negligible density, these two assumptions are equivalent, since the distributions over \(\mathcal {G}\) and \(\mathcal {G}_{\textsc {no}}\) are then statistically indistinguishable.

Homomorphic Projective Hashing. Fix a public parameter \(\textsc {pp}\). We consider a family of hash functions \(\{ \Lambda _\textsc {hk}: \mathcal {G}\rightarrow \mathcal {K}\}\) indexed by a hashing key \(\textsc {hk}\). We require that \(\Lambda _\textsc {hk}(\cdot )\) be efficiently computable (by a ‘private evaluation’ algorithm), and \(\textsc {hk}\) be efficiently samplable. In addition, we require that both \(\mathcal {G}\) and \(\mathcal {K}\) are groups, and that \(\Lambda _\textsc {hk}(\cdot )\) is a group homomorphism, that is, for all \(\textsc {hk}\) and all \(C_0,C_1 \in \mathcal {G}\), we have \(\Lambda _\textsc {hk}(C_0) \cdot \Lambda _\textsc {hk}(C_1) = \Lambda _\textsc {hk}(C_0 \cdot C_1)\). We say that \(\Lambda _\textsc {hk}(\cdot )\) is projective if there exists a projection map \(\mu (\cdot )\) defined on \(\textsc {hk}\) such that \(\mu (\textsc {hk})\) determines the behavior of \(\Lambda _\textsc {hk}\) on inputs from \(\mathcal {G}_{\textsc {yes}}\). Specifically, we require that there exists an efficient public evaluation algorithm \(\mathsf {Pub}\) that on input \(\mu (\textsc {hk})\) and \(C \in \mathcal {G}_{\textsc {yes}}\) along with the randomness r used to sample C, outputs the value \(\Lambda _\textsc {hk}(C)\).

Smoothness. We say that \(\Lambda _\textsc {hk}(\cdot )\) is smooth if the behavior of \(\Lambda _\textsc {hk}\) on \(\mathcal {G}_{\textsc {no}}\) is completely undetermined. That is, for all \(C \in \mathcal {G}_{\textsc {no}}\), the following distributions are statistically close:

$$\begin{aligned} ( \textsc {pk}, \Lambda _\textsc {hk}(C) ) \quad \text{ and } \quad ( \textsc {pk}, K ) \end{aligned}$$

where \(\textsc {hk}\) is random, \(\textsc {pk}= \mu (\textsc {hk})\) and \(K \leftarrow _{\textsc {r}}\mathcal {K}\). (Looking ahead, we will also consider a relaxed notion in some of our instantiations where we choose K from the uniform distribution over some subset of \(\mathcal {K}\); see Sect. 7.) We also say that \(\Lambda _\textsc {hk}(\cdot )\) is average-case smooth where we relax the requirement for smoothness to hold for a random \(C \in \mathcal {G}\) [31]. That is, the following distributions are statistically close:

$$\begin{aligned} ( C, \textsc {pk}, \Lambda _\textsc {hk}(C) ) \quad \text{ and } \quad ( C, \textsc {pk}, K ) \end{aligned}$$

where \(\textsc {hk}\) is random, \(\textsc {pk}= \mu (\textsc {hk})\), \(C \leftarrow _{\textsc {r}}\mathcal {G}\) and \(K \leftarrow _{\textsc {r}}\mathcal {K}\).

4 KDM-Secure Encryption

Key-Dependent Message Security. We adopt a simulation-based variant of key-dependent message (KDM) security from [7, 9], in the setting where there is only one public/secret key pair. Fix a public-key encryption scheme \((\mathsf {Gen},\mathsf {Enc},\mathsf {Dec})\). For a stateful adversary \(\mathcal {A}\), we define the advantage function

$$\begin{aligned} \mathsf {AdvKDM}^{\mathcal {A},\mathcal {F}}(k) := \Pr \left[ \begin{array}{l} (\textsc {pk},\textsc {sk}) \leftarrow \mathsf {Gen}(1^k);\\ \mathcal {A}^{\mathsf {kdmEnc}(\cdot ),\mathsf {Enc}(\textsc {pk},\cdot )}(\textsc {pk}) = 1 \end{array}\right] - \Pr \left[ \begin{array}{l} (\textsc {pk},\textsc {sk}) \leftarrow \mathsf {Gen}(1^k);\\ \mathcal {A}^{\mathsf {kdmEnc}^*(\textsc {pk},\cdot ),\mathsf {Enc}^*(\textsc {pk},\cdot )}(\textsc {pk}) = 1 \end{array} \right] \end{aligned}$$

where

  • \(\mathsf {kdmEnc}(\cdot )\) is an oracle that on input \(f \in \mathcal {F}\) returns a random encryption \(\mathsf {Enc}(\textsc {pk},f(\textsc {sk}))\);

  • \(\mathsf {kdmEnc}^*(\textsc {pk},\cdot )\) corresponds to a simulator that gets as input \(f \in \mathcal {F}\);

  • \(\mathsf {Enc}^*(\textsc {pk},\cdot )\) is an oracle that on input m, returns \(\mathsf {Enc}(\textsc {pk},0^{|m|})\).

An encryption scheme is said to be \(\mathcal {F}\)-KDM secure if there exists an efficient \(\mathsf {kdmEnc}^*()\) such that for all PPT \(\mathcal {A}\), the advantage \(|\mathsf {AdvKDM}^{\mathcal {A},\mathcal {F}}(k)|\) is a negligible function in k.

Construction. Starting with a projective hash function \(\Lambda _\textsc {hk}: \mathcal {G}\rightarrow \mathcal {K}\), we may derive a semantically secure public-key encryption scheme \((\mathsf {Gen},\mathsf {Enc},\mathsf {Dec})\). The message space is \(\mathcal {M}\), and we require an injective map \(\phi : \mathcal {M}\rightarrow \mathcal {K}\) which is efficiently computable and invertible.

  • \(\mathsf {Gen}(1^k)\): Sample public parameters \(\textsc {pp}\) and a uniform hashing key \(\textsc {hk}\), and output the key pair

    $$\begin{aligned} \textsc {pk}:= (\textsc {pp}, \mu (\textsc {hk})) \quad \text{ and } \quad \textsc {sk}:= \textsc {hk}\end{aligned}$$
  • \(\mathsf {Enc}(\textsc {pk},m)\): Sample \(C \leftarrow _{\textsc {r}}\mathcal {G}_{\textsc {yes}}\) with randomness r, output the ciphertext

    $$\begin{aligned} (C, \mathsf {Pub}(\textsc {pk},C,r) \cdot \phi (m)) \end{aligned}$$
  • \(\mathsf {Dec}(\textsc {sk},(C,\psi ))\): Output the plaintext

    $$\begin{aligned} \phi ^{-1}( \Lambda _\textsc {sk}(C)^{-1} \cdot \psi ) \end{aligned}$$

Theorem 1

Suppose \(\Lambda _\textsc {hk}(\cdot )\) is a projective hash function that is average-case smooth and homomorphic, and the subgroup membership problem is hard (w.r.t. \(\mathcal {G}\) vs \(\mathcal {G}_{\textsc {yes}}\)). Then, the encryption scheme \((\mathsf {Gen},\mathsf {Enc},\mathsf {Dec})\) described above is \(\mathcal {F}\)-KDM secure where \(\mathcal {F}= \{ f_{e,k} : \textsc {sk}\mapsto \phi ^{-1}(\Lambda _\textsc {sk}(e) \cdot k) \mid e \in \mathcal {G}, k \in \mathcal {K}\}\).

We do require that given a description of the function \(f_{e,k}\), we can efficiently compute the corresponding \(e \in \mathcal {G}, k \in \mathcal {K}\). Later on in the instantiations, the term e allows us to specify the coefficients in a linear function, whereas k corresponds to the constant offset in an affine function. On a first reading, we suggest that the reader assume \(\phi \) is the identity map.

Proof

Observe that correctness of the encryption scheme follows readily from the projective property. We proceed to establish KDM security. First, we describe \(\mathsf {kdmEnc}^*\): on input \(\textsc {pk},f_{e,k}\) and randomness r, use r to sample \(C \leftarrow _{\textsc {r}}\mathcal {G}_{\textsc {yes}}\) and output

$$\begin{aligned} ( C \cdot e^{-1}, \mathsf {Pub}(\textsc {pk}, C,r)\cdot k) \end{aligned}$$
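As a sanity check on the simulator (this short derivation is added here and is not part of the original proof), the simulated ciphertext decrypts to exactly \(f_{e,k}(\textsc {sk})\), even though \(C \cdot e^{-1}\) need not lie in \(\mathcal {G}_{\textsc {yes}}\): by the projective property \(\mathsf {Pub}(\textsc {pk},C,r) = \Lambda _\textsc {sk}(C)\) for \(C \in \mathcal {G}_{\textsc {yes}}\), by the homomorphic property \(\Lambda _\textsc {sk}(C \cdot e^{-1}) = \Lambda _\textsc {sk}(C) \cdot \Lambda _\textsc {sk}(e)^{-1}\), and writing \(\mathcal {K}\) multiplicatively and using that it is abelian (as it is in all of our instantiations), we get

$$\begin{aligned} \mathsf {Dec}\big (\textsc {sk}, ( C \cdot e^{-1}, \mathsf {Pub}(\textsc {pk}, C,r)\cdot k)\big ) &= \phi ^{-1}\big ( \Lambda _\textsc {sk}(C \cdot e^{-1})^{-1} \cdot \Lambda _\textsc {sk}(C) \cdot k \big ) \\ &= \phi ^{-1}\big ( \Lambda _\textsc {sk}(C)^{-1} \cdot \Lambda _\textsc {sk}(e) \cdot \Lambda _\textsc {sk}(C) \cdot k \big ) \\ &= \phi ^{-1}\big ( \Lambda _\textsc {sk}(e) \cdot k \big ) = f_{e,k}(\textsc {sk}). \end{aligned}$$

This is the precise sense in which a “malformed” ciphertext decrypts to \(f(\textsc {sk})\) in the overview of Sect. 1, and it is the step that needs the homomorphic property on all of \(\mathcal {G}\) rather than only on \(\mathcal {G}_{\textsc {yes}}\).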

We proceed via a sequence of games. Fix a PPT adversary \(\mathcal {A}\) that makes at most \(Q_0\) queries to \(\mathsf {kdmEnc}\) and \(Q_1\) queries to \(\mathsf {Enc}\). We show that

$$\begin{aligned} |\mathsf {AdvKDM}^{\mathcal {A},\mathcal {F}}(k)| \le (2Q_0 + 2Q_1)\cdot \epsilon \end{aligned}$$

where \(\epsilon \) is the advantage for the subgroup membership assumption. We start with Game 0, where the challenger proceeds like in the security game with \(\mathsf {kdmEnc},\mathsf {Enc}\) oracles in the left experiment and \(\mathsf {kdmEnc}^*,\mathsf {Enc}^*\) oracles in the right experiment.

  • Game 1. We will run a hybrid argument over the \(Q_0\) queries to \(\mathsf {kdmEnc}\). That is, for \(i=1,\ldots ,Q_0\), in Game 1.i, we replace the i’th query \(f_{e,k}\) to \(\mathsf {kdmEnc}\) on the left with \(\mathsf {kdmEnc}^*\), so that we answer the first i queries using \(\mathsf {kdmEnc}^*\) and the last \(Q_0-i\) queries using \(\mathsf {kdmEnc}\). It suffices to show that for each i,

    $$(\textsc {pk}, \textsc {sk}, \mathsf {Enc}(\textsc {pk},f_{e,k}(\textsc {sk}))) \mathop {\approx _c}\limits ^{2\epsilon } (\textsc {pk}, \textsc {sk}, ( C \cdot e^{-1}, \mathsf {Pub}(\textsc {pk}, C,r)\cdot k)),$$

    where we would use \(\textsc {pk}\) to simulate the \(\mathsf {Enc}\) queries and the first \(i-1\) \(\mathsf {kdmEnc}^*\) queries, and \(\textsc {sk}\) to simulate the remaining \(Q_0-i\) \(\mathsf {kdmEnc}\) queries. For notational simplicity, we omit \((\textsc {pk},\textsc {sk})\) in the hybrid transitions below:

    $$\begin{array}{rlll} &{}&{}\mathsf {Enc}(\textsc {pk},f_{e,k}(\textsc {sk}); r)\\ &{}\equiv &{} ( C, \mathsf {Pub}(\textsc {pk}, C,r) \cdot \Lambda _\textsc {sk}(e) \cdot k) &{}: C \leftarrow _{\textsc {r}}\mathcal {G}_{\textsc {yes}}, \text{ randomness } \text{ r }\\ &{}\equiv &{} ( C, \Lambda _\textsc {sk}(C) \cdot \Lambda _\textsc {sk}(e) \cdot k) &{}: C \leftarrow _{\textsc {r}}\mathcal {G}_{\textsc {yes}}, \text{ via } \text{ projective } \text{ property }\\ &{}\approx _c&{} ( C, \Lambda _\textsc {sk}(C) \cdot \Lambda _\textsc {sk}(e) \cdot k) &{}: C \leftarrow _{\textsc {r}}\mathcal {G}, \text{ via } \text{ subgroup } \text{ membership }\\ &{}\equiv &{} ( C, \Lambda _\textsc {sk}(C \cdot e) \cdot k) &{}: C \leftarrow _{\textsc {r}}\mathcal {G}, \text{ since } \Lambda _\textsc {sk}(\cdot ) \text{ is } \text{ homomorphic }\\ &{}\equiv &{} ( C \cdot e^{-1}, \Lambda _\textsc {sk}(C) \cdot k) &{}: C \leftarrow _{\textsc {r}}\mathcal {G}, \text{ since } e \in \mathcal {G}\\ &{}\approx _c&{} ( C \cdot e^{-1}, \Lambda _\textsc {sk}(C) \cdot k) &{}: C \leftarrow _{\textsc {r}}\mathcal {G}_{\textsc {yes}}\\ &{}\equiv &{} ( C \cdot e^{-1}, \mathsf {Pub}(\textsc {pk}, C,r) \cdot k) &{}: C \leftarrow _{\textsc {r}}\mathcal {G}_{\textsc {yes}}, \text{ randomness } \text{ r, } \text{ via } \text{ projective } \end{array}$$

    Note that the above transition does not rely on smoothness, and therefore everything goes through even if we append \((\textsc {pk},\textsc {sk})\) to the view.

  • Game 2. For \(i=1,\ldots ,Q_1\), replace the i’th query m to \(\mathsf {Enc}\) on the left with \(\mathsf {Enc}^*\). We will run a hybrid argument over the \(Q_1\) queries, and thus it suffices to show that for each i,

    $$(\textsc {pk}, \mathsf {Enc}(\textsc {pk},m)) \mathop {\approx _c}\limits ^{2\epsilon } (\textsc {pk}, \mathsf {Enc}(\textsc {pk},0^{|m|})).$$

    This is standard CPA-security of the Cramer-Shoup encryption. Observe that the view includes \(\textsc {pk}\), which is sufficient to run \(\mathsf {kdmEnc}^*\).

    $$\begin{array}{rlll} \mathsf {Enc}(\textsc {pk},m)&{}\equiv &{} ( C, \mathsf {Pub}(\textsc {pk}, C,r) \cdot \phi (m)) &{}: C \leftarrow _{\textsc {r}}\mathcal {G}_{\textsc {yes}}, \text{ randomness } r\\ &{}\equiv &{} ( C, \Lambda _\textsc {sk}(C) \cdot \phi (m)) &{}: C \leftarrow _{\textsc {r}}\mathcal {G}_{\textsc {yes}}, \text{ via projective property }\\ &{}\approx _c&{} ( C, \Lambda _\textsc {sk}(C) \cdot \phi (m)) &{}: C \leftarrow _{\textsc {r}}\mathcal {G}, \text{ via subgroup membership }\\ &{}\equiv &{} ( C, K \cdot \phi (m)) &{}: C \leftarrow _{\textsc {r}}\mathcal {G}, K \leftarrow _{\textsc {r}}\mathcal {K}, \text{ via smoothness }\\ &{}\equiv &{} ( C, K \cdot \phi (0^{|m|})) &{}: C \leftarrow _{\textsc {r}}\mathcal {G}, K \leftarrow _{\textsc {r}}\mathcal {K}, \text{ via uniformity of } K\\ &{}\approx _c&{} \mathsf {Enc}(\textsc {pk},0^{|m|})&{}\text{ by reversing the hybrids } \end{array}$$

We conclude by observing that in Game 2, the left and right experiments are identical (both use the \(\mathsf {kdmEnc}^*,\mathsf {Enc}^*\) oracles), and therefore the advantage is 0.                       \(\square \)

5 Dual-Mode Encryption

In this section, we present the definition of a dual-mode cryptosystem from [32], and show a generic construction from smooth projective hashing. By [32, Theorem 4.1], once we have a dual-mode cryptosystem, we immediately obtain UC-secure two-message oblivious transfer in the CRS model.

Preliminaries. Most of this is copied verbatim from [32, Sect. 3].

  • \(\mathsf {Setup}(1^k,\mu )\): given security parameter \(1^k\) and mode \(\mu \in \{0,1\}\), outputs \((\textsc {crs},\tau )\). The \(\textsc {crs}\) is a common string for the remaining algorithms, and \(\tau \) is a trapdoor value that enables either the \(\mathsf {FindMessy}\) or \(\mathsf {TrapKeyGen}\) algorithm, depending on the selected mode \(\mu \). We will also denote the messy setup algorithm using \(\mathsf {SetupMessy}(\cdot ) := \mathsf {Setup}(\cdot ,0)\) and the decryption mode setup algorithm using \(\mathsf {SetupDec}(\cdot ) := \mathsf {Setup}(\cdot ,1)\). All the remaining algorithms take \(\textsc {crs}\) as their first input, but for notational clarity, we usually omit it from the list of arguments.

  • \(\mathsf {KeyGen}(\sigma )\): given a desired decryptable branch value \(\sigma \in \{0,1\}\), outputs \((\textsc {pk},\textsc {sk})\) where \(\textsc {pk}\) is a public encryption key and \(\textsc {sk}\) is a corresponding secret key for messages encrypted on branch \(\sigma \).

  • \(\mathsf {Enc}(\textsc {pk},b,m)\): given a public key \(\textsc {pk}\), a branch value \(b \in \{0,1\}\), and a message \(m \in \{0,1\}^\ell \), outputs a ciphertext c encrypted on branch b.

  • \(\mathsf {Dec}(\textsc {sk},\psi )\): given a secret key \(\textsc {sk}\) and a ciphertext \(\psi \), outputs a message \(m \in \{0,1\}^\ell \).

  • \(\mathsf {FindMessy}(\tau ,\textsc {pk})\): given a trapdoor \(\tau \) for \(\textsc {crs}\) generated in messy mode and some (possibly malformed) public key \(\textsc {pk}\), outputs a branch value \(b \in \{0,1\}\) corresponding to a messy branch of \(\textsc {pk}\).

  • \(\mathsf {TrapKeyGen}(\tau )\): given a trapdoor \(\tau \) for \(\textsc {crs}\) generated in decryption mode, outputs \((\textsc {pk},\textsc {sk}_0,\textsc {sk}_1)\) where \(\textsc {pk}\) is a public encryption key and \(\textsc {sk}_0,\textsc {sk}_1\) are corresponding secret decryption keys for branches 0 and 1 respectively.

We use \(\mathsf {SetupMessy}_1,\mathsf {SetupDec}_1\) to denote the first output \(\textsc {crs}\) of \(\mathsf {SetupMessy}\), \(\mathsf {SetupDec}\) and \(\mathsf {KeyGen}_1\) to denote the first output \(\textsc {pk}\) of \(\mathsf {KeyGen}\).

Definition 1

(Dual-Mode Encryption). A dual-mode cryptosystem is a tuple of algorithms described above that satisfy the following properties:

  1. Completeness for decryptable branch: For every \(\mu \in \{0,1\}\), every \((\textsc {crs},\tau ) \leftarrow \mathsf {Setup}(1^k,\mu )\), every \(\sigma \in \{0,1\}\), every \((\textsc {pk},\textsc {sk}) \leftarrow \mathsf {KeyGen}(\sigma )\) and every \(m \in \{0,1\}^\ell \), decryption is correct on branch \(\sigma \), i.e. \(\mathsf {Dec}(\textsc {sk},\mathsf {Enc}(\textsc {pk},\sigma ,m)) = m\).

  2. Indistinguishability of modes: the first outputs of \(\mathsf {SetupMessy}\) and \(\mathsf {SetupDec}\) are computationally indistinguishable, i.e. \(\mathsf {SetupMessy}_1(1^k) \approx _c \mathsf {SetupDec}_1(1^k)\).

  3. (Messy Mode) Trapdoor identification of messy branch: For every \((\textsc {crs},\tau ) \leftarrow \mathsf {SetupMessy}(1^k)\) and every (possibly malformed) \(\textsc {pk}\), \(\mathsf {FindMessy}(\tau ,\textsc {pk})\) outputs a branch value \(b \in \{0,1\}\) such that \(\mathsf {Enc}(\textsc {pk},b,\cdot )\) is messy. Namely, for every \(m_0,m_1 \in \{0,1\}^\ell \), \(\mathsf {Enc}(\textsc {pk},b,m_0) \approx _s \mathsf {Enc}(\textsc {pk},b,m_1)\).

  4. (Decryption Mode) Trapdoor generation of keys decryptable on both branches: For every \((\textsc {crs},\tau ) \leftarrow \mathsf {SetupDec}(1^k)\), \(\mathsf {TrapKeyGen}(\tau )\) outputs \((\textsc {pk},\textsc {sk}_0,\textsc {sk}_1)\) such that for every \(\sigma \in \{0,1\}\): \((\textsc {pk}) \approx _s \mathsf {KeyGen}_1(\sigma )\) and \((\textsc {pk},\textsc {sk}_\sigma ) \in {{\mathrm{Supp}}}(\mathsf {KeyGen}(\sigma ))\).

Remark 1

Our requirement for decryption mode is actually weaker than that in [32], which stipulates that for every \(\sigma \in \{0,1\}\), \((\textsc {pk},\textsc {sk}_\sigma ) \approx _s \mathsf {KeyGen}(\sigma )\). That is, we allow \(\mathsf {TrapKeyGen}\) to output any valid secret key \(\textsc {sk}_\sigma \) for branch \(\sigma \), whereas the original requirement is that the distribution of \(\textsc {sk}_\sigma \) be close to that output by \(\mathsf {KeyGen}(\sigma )\). This weaker guarantee is nonetheless sufficient for UC-secure OT, since the decryption mode is used in the case of a corrupted sender. A corrupted sender sees only \(\textsc {pk}\) and not \(\textsc {sk}_0\) or \(\textsc {sk}_1\); moreover, as long as both \(\textsc {sk}_0\) and \(\textsc {sk}_1\) are valid, we will be able to extract both of its inputs.

Dual-Mode Encryption from Projective Hashing. We begin with the set-up algorithms:

  • \(\mathsf {SetupMessy}(1^k)\): Run \((\textsc {pp},\textsc {sp}) \leftarrow \mathsf {Param}(1^k)\) and sample \(C \leftarrow _{\textsc {r}}\mathcal {G}_{\textsc {no}}\). Output

    $$\begin{aligned} \textsc {crs}:= (\textsc {pp},C) \quad \text{ and } \quad \tau := \textsc {sp}\end{aligned}$$
  • \(\mathsf {SetupDec}(1^k)\): Run \((\textsc {pp},\textsc {sp}) \leftarrow \mathsf {Param}(1^k)\) and sample \(C \leftarrow _{\textsc {r}}\mathcal {G}_{\textsc {yes}}\) with randomness r. Output

    $$\begin{aligned} \textsc {crs}:= (\textsc {pp},C) \quad \text{ and } \quad \tau := r \end{aligned}$$

All the remaining algorithms take \(\textsc {crs}= (\textsc {pp},C)\) where \(C \in \mathcal {G}\) as their first input.

  • \(\mathsf {KeyGen}(\sigma )\): On input a branch value \(\sigma \in \{0,1\}\), sample \(C_\sigma \leftarrow _{\textsc {r}}\mathcal {G}_{\textsc {yes}}\) with randomness \(r_\sigma \). Set \(C_{1-\sigma } := C \cdot C_\sigma ^{-1}\). Output

    $$\begin{aligned} \textsc {pk}:= (C_0,C_1) \quad \text{ and } \quad \textsc {sk}:= (\sigma ,r_\sigma ) \end{aligned}$$
  • \(\mathsf {Enc}(\textsc {pk},b,m)\): On input \(\textsc {pk}= (C_0,C_1)\), sample a uniform hashing key \(\textsc {hk}\) and output

    $$\begin{aligned} \psi := (\mu (\textsc {hk}), \Lambda _{\textsc {hk}}(C_b) \cdot m) \end{aligned}$$
  • \(\mathsf {Dec}(\textsc {sk},\psi )\): On input \(\textsc {sk}= (\sigma ,r)\) and \(\psi = (\textsc {pk}^*,\psi ^*)\), output

    $$\begin{aligned} m := \mathsf {Pub}(\textsc {pk}^*,C_\sigma ,r)^{-1} \cdot \psi ^*\end{aligned}$$
  • \(\mathsf {FindMessy}(\tau ,\textsc {pk})\): On input \(\tau = \textsc {sp}\) and \(\textsc {pk}= (C_0,C_1)\), check that \(C_0 \cdot C_1 = C\). Output

    $$ b := {\left\{ \begin{array}{ll} 1 &{} \text{ if } C_0 \in \mathcal {G}_{\textsc {yes}}\\ 0 &{} \text{ otherwise } \end{array}\right. }$$
  • \(\mathsf {TrapKeyGen}(\tau )\): On input \(\tau = r\), sample \(C_0 \leftarrow _{\textsc {r}}\mathcal {G}_{\textsc {yes}}\) with randomness \(r_0\) and compute \(C_1 \in \mathcal {G}_{\textsc {yes}}\) with randomness \(r_1 := r - r_0\) (so that \(C_0 \cdot C_1 = C\)). Output

    $$\begin{aligned} \textsc {pk}:= (C_0,C_1) \quad \text{ and } \quad (\textsc {sk}_0,\textsc {sk}_1) := (r_0,r_1) \end{aligned}$$

Theorem 2

Suppose \(\Lambda _\textsc {hk}(\cdot )\) is a smooth projective hash function, and the subgroup membership problem is hard (w.r.t. \(\mathcal {G}_{\textsc {yes}}\) vs \(\mathcal {G}_{\textsc {no}}\)). Then, the above construction yields a dual-mode cryptosystem.

We note here that our construction requires an additional property from the underlying group, namely that given the respective randomness \(r_0,r_1\) for sampling \(C_0,C_1 \in \mathcal {G}_{\textsc {yes}}\), the value \(r_0+r_1\) is the randomness for sampling \(C_0 \cdot C_1\) (that is, the sampling algorithm is also homomorphic). This requirement may be eliminated if we are willing to settle for the weaker guarantee where each CRS may only be used for a single (or a-priori bounded) instance of OT, as with the LWE-based instantiation in [32].

Proof

We verify that our construction satisfies all of the four properties in Definition 1:

  1. Completeness for decryptable branch: This follows readily from the projective property.

  2. Indistinguishability of modes: This follows readily from our subgroup membership assumption.

  3. (Messy Mode) Trapdoor identification of messy branch: In the messy mode, we require that \(C_0 \cdot C_1 = C \in \mathcal {G}_{\textsc {no}}\). Therefore, (at least) one of \(C_0, C_1 \in \mathcal {G}_{\textsc {no}}\) (a subgroup is closed under multiplication, so if \(C_0, C_1 \in \mathcal {G}_{\textsc {yes}}\), then \(C_0 \cdot C_1 \in \mathcal {G}_{\textsc {yes}}\)). Moreover, using the membership trapdoor, we can identify which of \(C_0\) or \(C_1\) is in \(\mathcal {G}_{\textsc {no}}\). The corresponding ciphertext must be messy by smoothness.

  4. (Decryption Mode) Trapdoor generation of keys decryptable on both branches: It is clear that the distribution of each of \(C_0\) and \(C_1\) is the uniform distribution over \(\mathcal {G}_{\textsc {yes}}\). Moreover, \(r_0\) and \(r_1\) are randomness used for sampling \(C_0\) and \(C_1\) respectively. Therefore, by the projective property, we can decrypt ciphertexts on both branches.    \(\square \)

6 Instantiations from DLIN

Let \(\mathbb {G}\) be a group of prime order q specified using a generator g. The DDH assumption asserts that \(g^{ab}\) is pseudorandom given \(g,g^a,g^b\) where \(g \leftarrow _{\textsc {r}}~\mathbb {G}; a, b \leftarrow _{\textsc {r}}\mathbb {Z}_q\). The d-LIN assumption asserts that \(g_{d+1}^{r_1 + \cdots + r_d}\) is pseudorandom given \(g_1,\ldots ,g_{d+1},g_1^{r_1},\ldots ,g_{d}^{r_d}\) where \(g_1,\ldots ,g_{d+1} \leftarrow _{\textsc {r}}\mathbb {G}; r_1,\ldots ,r_d \leftarrow _{\textsc {r}}\mathbb {Z}_q\). DDH is equivalent to 1-LIN.

6.1 Dual-Mode Encryption

For dual-mode encryption, we use the original Cramer-Shoup DDH-based hash proof system in [15, 16] and its generalization to d-LIN [26, 34].

  • Setup. Sample \(\mathbf {P}\leftarrow _{\textsc {r}}\mathbb {Z}_q^{d \times (d+1)}\) along with a check vector \(\mathbf {v}\ne \mathbf {0}\) so that \(\mathbf {P}\mathbf {v}= \mathbf {0}\). Output

    $$\begin{aligned} \textsc {pp}:= (\mathbb {G},q,g,g^{\mathbf {P}}) \quad \text{ and } \quad \textsc {sp}:= (\mathbf {v}) \end{aligned}$$

    The subgroup indistinguishability problem is given by:

    $$\begin{aligned} \mathcal {G}_{\textsc {yes}}:= \Bigl \{ g^{\mathbf {r}^{\!\scriptscriptstyle {\top }}\mathbf {P}} : \mathbf {r}\in \mathbb {Z}_q^{d} \Bigr \} \qquad \text{ and }\qquad \mathcal {G}:= \Bigl \{ g^{\mathbf {a}^{\!\scriptscriptstyle {\top }}} : \mathbf {a}\in \mathbb {Z}_q^{d+1} \Bigr \} \end{aligned}$$

    where \(\mathsf {SampR}(\mathbf {r}) = g^{\mathbf {r}^{\!\scriptscriptstyle {\top }}\mathbf {P}}\) and the group operation is the natural one given by entry-wise product. The uniform distributions over \(\mathcal {G}_{\textsc {yes}}\) and \(\mathcal {G}\) are computationally indistinguishable under the d-LIN assumption as shown in [9, 31]. Observe that we can efficiently verify membership in \(\mathcal {G}_{\textsc {yes}}\) using \(\mathbf {v}\) since:

    $$\begin{aligned} g^{\mathbf {a}^{\!\scriptscriptstyle {\top }}} \in \mathcal {G}_{\textsc {yes}}\quad \Longleftrightarrow \quad g^{\mathbf {a}^{\!\scriptscriptstyle {\top }}\mathbf {v}} = 1 \end{aligned}$$
  • Hashing. The hashing key is given by a column vector \(\mathbf {s}\leftarrow _{\textsc {r}}\mathbb {Z}_q^{d+1}\), with

    $$\begin{aligned} \mu (g^\mathbf {P},\mathbf {s}) := g^{\mathbf {P}\mathbf {s}} \in \mathbb {G}^{d \times 1} \end{aligned}$$

    Private and public evaluation are given by:

    $$\begin{aligned} \Lambda _\mathbf {s}(g^{\mathbf {a}^{\!\scriptscriptstyle {\top }}}) := g^{\mathbf {a}^{\!\scriptscriptstyle {\top }}\mathbf {s}} \in \mathbb {G}\qquad \text{ and }\qquad \mathsf {Pub}(g^{\mathbf {P}\mathbf {s}},\mathbf {C},\mathbf {r}) := g^{\mathbf {r}^{\!\scriptscriptstyle {\top }}(\mathbf {P}\mathbf {s})} \end{aligned}$$

    Clearly, \(\Lambda _\mathbf {s}(\cdot )\) is a group homomorphism. For the projective property, observe that for \(\mathbf {C}= g^{\mathbf {r}^{\!\scriptscriptstyle {\top }}\mathbf {P}} \in \mathcal {G}_{\textsc {yes}}\), we have

    $$\begin{aligned} \Lambda _\mathbf {s}(\mathbf {C}) = g^{\mathbf {r}^{\!\scriptscriptstyle {\top }}\mathbf {P}\mathbf {s}} = \mathsf {Pub}(g^{\mathbf {P}\mathbf {s}},\mathbf {C},\mathbf {r}) \end{aligned}$$
  • Smoothness. Observe that for any \(g^{\mathbf {a}^{\!\scriptscriptstyle {\top }}} \in \mathcal {G}_{\textsc {no}}\) (and \(\mathbf {a}\ne \mathbf {0}\)), we have that \(\mathbf {a}^{\!\scriptscriptstyle {\top }}\) is not in the row span of \(\mathbf {P}\). This means that for a random \(\mathbf {s}\leftarrow _{\textsc {r}}\mathbb {Z}_q^{d+1}\), \(\mathbf {a}^{\!\scriptscriptstyle {\top }}\mathbf {s}\) is uniformly distributed over \(\mathbb {Z}_q\) given \(\mathbf {P}\mathbf {s}\). Smoothness follows readily.

6.2 KDM-security

We extend the d-LIN based hash proof system in [9, 31], which is the vectorial analogue of the preceding constructions, augmented with t functions following [11]. This in turn captures the DDH-based KDM-secure encryption in [9] and the DLIN-based scheme in [13]. Fix \(\ell \ge (d+2) \log q\) and suppose we have t additional (efficiently computable) functions \(f_1,\ldots ,f_t : \{0,1\}^\ell \rightarrow \{0,1\}\), where \(t \ge 0\). For instance, these functions may be low-degree polynomials of the bits of the input, as considered in [11].

  • Setup. Sample \(\mathbf {P}\leftarrow _{\textsc {r}}\mathbb {Z}_q^{d \times (\ell +t)}\). Output

    $$\begin{aligned} \textsc {pp}:= (\mathbb {G},q,g,g^{\mathbf {P}}) \end{aligned}$$

    The subgroup indistinguishability problem is given by:

    $$\begin{aligned} \mathcal {G}_{\textsc {yes}}:= \Bigl \{ g^{\mathbf {r}^{\!\scriptscriptstyle {\top }}\mathbf {P}} : \mathbf {r}\in \mathbb {Z}_q^{d} \Bigr \} \qquad \text{ and }\qquad \mathcal {G}:= \Bigl \{ g^{\mathbf {a}^{\!\scriptscriptstyle {\top }}} : \mathbf {a}\in \mathbb {Z}_q^{\ell +t} \Bigr \} \end{aligned}$$

    where the group operation is the natural one given by entry-wise product. The uniform distributions over \(\mathcal {G}_{\textsc {yes}}\) and \(\mathcal {G}\) are computationally indistinguishable under the d-LIN assumption as shown in [9, 31].

  • Hashing. The hashing key is given by a column vector \(\mathbf {s}\leftarrow _{\textsc {r}}\{0,1\}^{\ell }\). We then set \(\hat{\mathbf {s}} \in \{0,1\}^{\ell +t}\) to be the concatenation of \(\mathbf {s}\) and \(f_1(\mathbf {s}),\ldots ,f_t(\mathbf {s})\).

    $$\begin{aligned} \mu (g^\mathbf {P},\mathbf {s}) := g^{\mathbf {P}\hat{\mathbf {s}}} \in \mathbb {G}^{d \times 1} \end{aligned}$$

    Private and public evaluation are given by:

    $$\begin{aligned} \Lambda _\mathbf {s}(g^\mathbf {a}) := g^{\mathbf {a}^{\!\scriptscriptstyle {\top }}\hat{\mathbf {s}}} \in \mathbb {G}\qquad \text{ and }\qquad \mathsf {Pub}(g^{\mathbf {P}\hat{\mathbf {s}}},\mathbf {C},\mathbf {r}) := g^{\mathbf {r}^{\!\scriptscriptstyle {\top }}(\mathbf {P}\hat{\mathbf {s}})} \end{aligned}$$

    Clearly, \(\Lambda _\mathbf {s}(\cdot )\) is a group homomorphism and the projective property simply follows from the fact that \(g^{(\mathbf {r}^{\!\scriptscriptstyle {\top }}\mathbf {P}) \hat{\mathbf {s}}} = g^{\mathbf {r}^{\!\scriptscriptstyle {\top }}(\mathbf {P}\hat{\mathbf {s}})}\).

  • Smoothness. For average-case smoothness, the left-over hash lemma implies that for \(\ell > (d+2) \log q\), the following distributions:

    $$ ( \mathbf {P}, \mathbf {P}\hat{\mathbf {s}}, \mathbf {a}, \mathbf {a}^{\!\scriptscriptstyle {\top }}\hat{\mathbf {s}}) \quad \text{ and } \quad ( \mathbf {P}, \mathbf {P}\hat{\mathbf {s}}, \mathbf {a}, a' )$$

    are 1 / q-statistically close, where \(\mathbf {s}\leftarrow _{\textsc {r}}\{0,1\}^\ell , \mathbf {a}\leftarrow _{\textsc {r}}\mathbb {Z}_q^\ell , a' \leftarrow _{\textsc {r}}\mathbb {Z}_q\). Note that \(\hat{\mathbf {s}}\) has \(\ell \) bits of min-entropy, so \(\hat{\mathbf {s}}\) conditioned on \(\mathbf {P}\hat{\mathbf {s}} \in \mathbb {Z}_q^{d \times 1}\) has roughly \(\ell - d\log q \ge 2 \log q\) bits of min-entropy.

  • Class \(\mathcal {F}\). The message space \(\mathcal {M}= \{0,1\}\) and \(\phi (m) = g^m\).

    – Observe that for all \(\mathbf {a}\in \mathbb {Z}_q^{\ell }, c \in \mathbb {Z}_q\) (such that \(\mathbf {a}^{\!\scriptscriptstyle {\top }}\mathbf {s}+c \in \{0,1\}\) for all \(\mathbf {s}\in \{0,1\}^\ell \)):

      $$\begin{aligned} \Lambda _\mathbf {s}(g^{(\mathbf {a}|| \mathbf {0})^{\!\scriptscriptstyle {\top }}}) \cdot g^c = g^{(\mathbf {a}|| \mathbf {0})^{\!\scriptscriptstyle {\top }}\hat{\mathbf {s}}} \cdot g^c = \phi (\mathbf {a}^{\!\scriptscriptstyle {\top }}\mathbf {s}+ c) \end{aligned}$$
    – Moreover, for all \(i \in [t]\),

      $$\begin{aligned} \Lambda _\mathbf {s}(g^{\mathbf {e}_{\ell +i}}) = g^{f_i(\mathbf {s})} = \phi (f_i(\mathbf {s})) \end{aligned}$$

      where \(\mathbf {e}_{\ell +i} \in \{0,1\}^{\ell +t}\) is the unit vector with a 1 in the \((\ell +i)\)’th index.

    That is, the resulting scheme is \(\mathcal {F}\)-KDM secure for \(\mathcal {F}= \{ \mathbf {s}\mapsto \mathbf {a}^{\!\scriptscriptstyle {\top }}\mathbf {s}+c \mid \mathbf {a} \in \mathbb {Z}_q^{\ell }, c \in \mathbb {Z}_q \} \cup \{ f_1,\ldots ,f_t \}\), i.e. affine functions of the bits of the secret key (which includes flipping the i’th bit of the key \(\mathbf {s}\mapsto 1-s_i\)) plus the functions \(f_1,\ldots ,f_t\).
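As an added example that is not part of the paper, the KDM-secure scheme of Sect. 4 instantiated with the d = 1 hash proof system of this section, together with the simulator kdmEnc* from the proof of Theorem 1, in Python over a toy group; the toy parameters, the choice t = 1 with \(f_1(\mathbf {s}) = s_1 s_2\), and all function names are assumptions made here. Beyond checking correctness, it verifies the identity the hybrid argument rests on: kdmEnc* is computed without the secret key, yet its output decrypts to \(f_{e,k}(\textsc {sk})\), both for an affine function of the key bits and for \(f_1\).

```python
"""Toy instance of the KDM-secure scheme of Sect. 4 with the DDH (d = 1) hash proof
system of Sect. 6.2, plus the simulator kdmEnc* from the proof of Theorem 1.
Toy group constructed for this example: the order-q subgroup of Z_p^*, p = 2q + 1 = 1019."""
import secrets

P_MOD, Q, G = 1019, 509, 4     # safe prime p, group order q, g = 2^2 (a square, so order q)
ELL, T = 32, 1                 # ELL > (d+2) log2 q ~ 27 key bits; T = 1 extra function f_1

def rand_zq():
    return secrets.randbelow(Q)

def gexp(a):
    return pow(G, a % Q, P_MOD)

def f1(s):
    """The extra function f_1: a degree-2 monomial of the key bits (cf. [11])."""
    return s[0] * s[1]

def s_hat(s):
    """hat{s} = s || f_1(s) in {0,1}^{ELL+T}."""
    return tuple(s) + (f1(s),)

def hash_priv(s, c):
    """Lambda_s(g^{a^T}) = g^{a^T hat{s}} = prod_i c_i^{hat{s}_i}."""
    lam = 1
    for ci, si in zip(c, s_hat(s)):
        lam = lam * pow(ci, si, P_MOD) % P_MOD
    return lam

def phi_inv(y):
    """phi^{-1}: m in {0,1} from g^m; None if y is neither g^0 nor g^1."""
    return {1: 0, G: 1}.get(y)

def gen():
    """Gen: pp = g^P for P <- Z_q^{1 x (ELL+T)}, hk = s <- {0,1}^ELL, pk = (pp, g^{P hat{s}})."""
    g_p = tuple(gexp(rand_zq()) for _ in range(ELL + T))
    s = tuple(secrets.randbelow(2) for _ in range(ELL))
    return (g_p, hash_priv(s, g_p)), s      # prod_i (g^{p_i})^{hat{s}_i} = g^{P hat{s}}

def samp_r(pk, r):
    """SampR(r) = g^{r P}: an element of G_yes with witness r, computed from g^P."""
    return tuple(pow(x, r, P_MOD) for x in pk[0])

def pub(pk, r):
    """Pub(pk, C, r) = (g^{P hat{s}})^r; equals Lambda_s(C) when C = SampR(r)."""
    return pow(pk[1], r, P_MOD)

def enc(pk, m):
    r = rand_zq()
    return samp_r(pk, r), pub(pk, r) * gexp(m) % P_MOD

def dec(s, ct):
    c, psi = ct
    return phi_inv(pow(hash_priv(s, c), -1, P_MOD) * psi % P_MOD)

# ---- the class F = { f_{e,k} : s -> phi^{-1}(Lambda_s(e) . k) } of Theorem 1 ----
def affine_fn(a, c):
    """f(s) = a^T s + c as (e, k) = (g^{(a || 0)}, g^c); the caller keeps a^T s + c in {0,1}."""
    return tuple(gexp(ai) for ai in a) + (1,) * T, gexp(c)

def extra_fn(i):
    """f_i itself as (e, k) = (g^{e_{ELL+i}}, g^0)."""
    return tuple(G if j == ELL + i - 1 else 1 for j in range(ELL + T)), 1

def f_eval(fn, s):
    e, k = fn
    return phi_inv(hash_priv(s, e) * k % P_MOD)

def kdm_enc(pk, s, fn):
    """The real oracle kdmEnc: evaluates f on the secret key and encrypts the result."""
    return enc(pk, f_eval(fn, s))

def kdm_enc_star(pk, fn):
    """kdmEnc* from the proof: (C . e^{-1}, Pub(pk, C, r) . k).  It never touches sk,
    yet Dec(sk, .) returns f_{e,k}(sk): Lambda_sk(C e^{-1})^{-1} Pub k = Lambda_sk(e) k."""
    e, k = fn
    r = rand_zq()
    c = samp_r(pk, r)
    c_shift = tuple(ci * pow(ei, -1, P_MOD) % P_MOD for ci, ei in zip(c, e))
    return c_shift, pub(pk, r) * k % P_MOD
```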

7 Instantiations from QR and DCR

We will rely on the subgroup indistinguishability framework of Brakerski and Goldwasser [10] (also [16, Sect. 7.4.2]). We consider a family of finite commutative groups \(\mathbb {G}\) that is generated by two elements g, h of co-prime order (thus \(|\mathbb {G}| = {{\mathrm{ord}}}(g) \cdot {{\mathrm{ord}}}(h)\)); we use \(\mathbb {G}_0\) to denote \(\langle g \rangle \). We will require the following additional properties:

  • given the public description of \(\mathbb {G}\), we may compute \({{\mathrm{ord}}}(h)\) and a good approximation a for \({{\mathrm{ord}}}(g)\) (so that the uniform distributions over [a] and over \([{{\mathrm{ord}}}(g)]\) are statistically close).

  • computing discrete log with respect to h is easy.

  • the uniform distributions over \(\mathbb {G}_0\) and over \(\mathbb {G}\) are computationally indistinguishable, given g, h.

  • given some trapdoor, deciding membership in \(\langle g \rangle \) is easy.

For our instantiations here, the output of \(\Lambda _\textsc {hk}(\cdot )\) lies in \(\mathbb {G}\). We will work with a relaxed notion of smoothness here in this section, where instead of requiring that \(\Lambda _\textsc {hk}(\cdot )\) be random over \(\mathbb {G}\), we only require that \(\Lambda _\textsc {hk}(\cdot ) \,\text {mod}\,\mathbb {G}_0\) be random over \(\langle h \rangle \). More formally, smoothness states that for all \(C \in \mathcal {G}_{\textsc {no}}\): \(\Lambda _\textsc {hk}(C) \,\text {mod}\,\mathbb {G}_0\) is statistically close to uniform over the subgroup \(\langle h \rangle \) even given \(\mu (\textsc {hk})\). Similarly, average-case smoothness states that the following distributions are statistically close:

$$(\mu (\textsc {hk}),C, \Lambda _\textsc {hk}(C) \,\text {mod}\,\mathbb {G}_0) \quad \text{ and } \quad (\mu (\textsc {hk}),C, h')$$

where \(C \leftarrow _{\textsc {r}}\mathcal {G}\) and \(h' \leftarrow _{\textsc {r}}\langle h \rangle \). The relaxed notion of smoothness is sufficient for all of our applications as long as we embed the message into the subgroup \(\langle h \rangle \).

Instantiation from QR. Fix a Blum integer \(N = PQ\) for k-bit safe primes \(P,Q \equiv 3 \pmod 4\) (such that \(P = 2p+1\) and \(Q = 2q+1\) for primes p, q). Let \(\mathbb {J}_N\) denote the subgroup of \(\mathbb {Z}_N^*\) with Jacobi symbol \(+1\), and let \(\mathbb {QR}_N\) denote the subgroup of quadratic residues. The QR assumption states that the uniform distributions over \(\mathbb {QR}_N\) and \(\mathbb {J}_N\setminus \mathbb {QR}_N\) are computationally indistinguishable. That is, we may take \(\mathbb {G}\) and \(\mathbb {G}_0\) to be \(\mathbb {J}_N\) and \(\mathbb {QR}_N\) respectively. Observe that \(\mathbb {J}_N\) is isomorphic to \(\mathbb {QR}_N\times (\pm 1)\) and that \(|\mathbb {J}_N| = 2pq = 2|\mathbb {QR}_N|\). We can then sample g by squaring a random element in \(\mathbb {Z}_N^*\) and fix h to be \(-1\). Note that \(|\mathbb {QR}_N| = pq = N/4 - O(\sqrt{N})\), which we may approximate by N / 4.

Instantiation from DCR. (See [16, Sect. 8.2]). Again, fix a Blum integer \(N = PQ\) for k-bit safe primes \(P,Q \equiv 3 \pmod 4\) (such that \(P = 2p+1\) and \(Q = 2q+1\) for primes p, q). Let \(\mathbb {J}_{N^2}\) denote the subgroup of \(\mathbb {Z}_{N^2}^*\) with Jacobi symbol \(+1\), so \(|\mathbb {J}_{N^2}| = N\phi (N)/2 = 2Npq\). Consider the cyclic subgroup \(\mathbb {G}_0\) of \(\mathbb {J}_{N^2}\) consisting of all N’th powers of elements of \(\mathbb {J}_{N^2}\). Then, \(\mathbb {J}_{N^2}= \mathbb {G}_0 \times \langle 1+N \rangle \). Roughly speaking, the DCR assumption states that the uniform distributions over \(\mathbb {G}_0\) and \(\mathbb {J}_{N^2}\) are computationally indistinguishable. We can sample a random generator g of \(\mathbb {G}_0\) as follows: pick \(x \leftarrow _{\textsc {r}}\mathbb {Z}_{N^2}^*\) and set \(g := -x^N\). In addition, we can fix \(h := 1+N\). Note that \(|\mathbb {G}_0| = Npq = N^2/4 - O(\sqrt{N})\), which we may approximate by \(N^2/4\).

7.1 Dual-Mode Encryption

For dual-mode encryption, we use the Cramer-Shoup QR/DCR-based hash proof system in [16].

  • Setup. Sample a random group \(\mathbb {G}\) along with generators g and h.

    $$\begin{aligned} \textsc {pp}:= (\mathbb {G},g,h) \end{aligned}$$

    The subgroup indistinguishability problem is given by:

    $$\begin{aligned} \mathcal {G}_{\textsc {yes}}:= \Bigl \{ g^{r} : r \in \mathbb {Z}_{{{\mathrm{ord}}}(g)} \Bigr \} = \mathbb {G}_0 \qquad \text{ and }\qquad \mathcal {G}:= \Bigl \{ h^d \cdot g^{r} : d \in \mathbb {Z}_{{{\mathrm{ord}}}(h)}, r \in \mathbb {Z}_{{{\mathrm{ord}}}(g)} \Bigr \} = \mathbb {G}\end{aligned}$$

    where \(\mathsf {SampR}(r) = g^r\). We also denote by \(\textsc {sp}\) the trapdoor that allows us to verify membership in \(\mathcal {G}_{\textsc {yes}}\); for the instantiations from QR and DCR, this would be the factorization of N.

  • Hashing. The hashing key is given by \(s \leftarrow _{\textsc {r}}\mathbb {Z}_{{{\mathrm{ord}}}(\mathbb {G})}\).

    $$\begin{aligned} \mu (\textsc {pp},s) := g^s \in \mathbb {G}\end{aligned}$$

    Private and public evaluation are given by:

    $$\begin{aligned} \Lambda _s(C) := C^s \in \mathbb {G}\qquad \text{ and }\qquad \mathsf {Pub}(g^s,g^{r},r) := (g^s)^r = g^{rs} \end{aligned}$$

    Clearly, \(\Lambda _s(\cdot )\) is a group homomorphism. The projective property follows from the fact that \((g^r)^s = (g^s)^r\). For smoothness, first observe that by the Chinese Remainder Theorem, \(s \,\text {mod}\,{{\mathrm{ord}}}(h)\) is random even given \(g^s\). Hence, \(\Lambda _s(h^d g^r) \,\text {mod}\,\mathbb {G}_0 = h^{ds}\) is random over \(\langle h \rangle \) if \(d \ne 0\).
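As an added example (not the paper's own code), the QR hash proof system above in Python over a toy Blum integer, with the factorization-based membership trapdoor, the "mod \(\mathbb {G}_0\)" projection, the embedding of a one-bit message into \(\langle h \rangle \), and the relaxed smoothness argument of this section made explicit. The toy modulus, the sampling of the hashing key from \([N/2]\) as a stand-in for \(\mathbb {Z}_{|\mathbb {G}|}\), and all function names are assumptions made here.

```python
"""Toy QR instantiation of the hash proof system of Sect. 7.1, with the relaxed
'mod G_0' smoothness of Sect. 7 and the message embedding into <h> made explicit.
Toy Blum integer constructed for this example: N = 23 * 47, with safe primes
23 = 2*11 + 1 and 47 = 2*23 + 1 (both 3 mod 4).  Trivially factorable; demo only."""
import secrets

P, Q = 23, 47
N = P * Q
PQ = (P - 1) // 2 * ((Q - 1) // 2)    # |QR_N| = ord(g) = p q (= 253, odd)
H = N - 1                              # h = -1 mod N: order 2, generates J_N / QR_N

def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0, used to recognise elements of J_N."""
    a %= n
    result = 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0

def sample_g():
    """Sample g by squaring a random unit of Z_N^* (Sect. 7), so g lies in QR_N = G_0."""
    while True:
        x = secrets.randbelow(N)
        if x > 1 and jacobi(x, N) != 0:
            return x * x % N

def is_qr(y):
    """Membership trapdoor for G_0 = QR_N: Euler's criterion mod P, which needs the
    factorization of N.  For y in J_N the criterion gives the same answer mod P and mod Q."""
    return pow(y, (P - 1) // 2, P) == 1

def mod_g0(y):
    """y mod G_0 for y in J_N = QR_N x {+-1}: the <h> component of y."""
    return 1 if is_qr(y) else H

def dlog_h(y):
    """Discrete log with respect to h = -1 is easy: <h> = {1, -1}."""
    return {1: 0, H: 1}[y]

def samp_r(g, r):
    """SampR(r) = g^r in G_yes = G_0."""
    return pow(g, r, N)

def samp_no(g):
    """Random element of G_no = J_N \\ QR_N: h^d . g^r with d = 1."""
    return H * pow(g, secrets.randbelow(PQ), N) % N

def hk():
    """Hashing key s <- Z_{|G|}; |G| = |J_N| = 2pq is approximated here by N/2."""
    return secrets.randbelow(N // 2)

def mu(g, s):
    return pow(g, s, N)

def hash_priv(s, c):
    """Lambda_s(C) = C^s."""
    return pow(c, s, N)

def hash_pub(proj, r):
    """Pub(g^s, g^r, r) = (g^s)^r."""
    return pow(proj, r, N)

def enc_bit(g, c, m):
    """Encrypt m in {0,1} on instance C with phi(m) = h^m, so the message lives in <h>."""
    s = hk()
    return mu(g, s), hash_priv(s, c) * pow(H, m, N) % N

def dec_bit(psi, r):
    proj, body = psi
    return dlog_h(pow(hash_pub(proj, r), -1, N) * body % N)

def relaxed_smoothness_witness(g, s):
    """Sect. 7.1: s mod ord(h) = s mod 2 is hidden by g^s (CRT; ord(g) = pq is odd), so
    s' = s + pq has the same projection, hashes every C in G_0 identically, but sends
    C = h g^r in G_no to the other coset of G_0: Lambda_s(C) mod G_0 = h^s flips."""
    s2 = s + PQ
    c_no, c_yes = samp_no(g), samp_r(g, secrets.randbelow(PQ))
    return (mu(g, s) == mu(g, s2)
            and hash_priv(s, c_yes) == hash_priv(s2, c_yes)
            and mod_g0(hash_priv(s, c_no)) != mod_g0(hash_priv(s2, c_no)))
```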

7.2 KDM-security

The next construction is implicit in [10], and is the vectorial analogue of the preceding construction, augmented with t functions following [11]. Let \(\ell > 3 \log |\mathbb {G}|\). Suppose we have t additional (efficiently computable) functions \(f_1,\ldots ,f_t : \{0,1\}^\ell \rightarrow \mathbb {Z}_{{{\mathrm{ord}}}(h)}\), where \(t \ge 0\).

  • Setup. Sample a random group \(\mathbb {G}\) along with generators g and h. In addition, sample \(\mathbf {p}\leftarrow _{\textsc {r}}\mathbb {Z}_{{{\mathrm{ord}}}(g)}^{\ell +t}\). Output

    $$\begin{aligned} \textsc {pp}:= (\mathbb {G},g^{\mathbf {p}},h) \end{aligned}$$

    The subgroup indistinguishability problem is given by:

    $$\begin{aligned} \mathcal {G}_{\textsc {yes}}:= \Bigl \{ g^{r \mathbf {p}} : r \in \mathbb {Z}_{{{\mathrm{ord}}}(g)} \Bigr \} \subseteq \mathbb {G}_0^{\ell +t} \qquad \text{ and }\qquad \mathcal {G}:= \Bigl \{ h^\mathbf {d}\cdot g^{r \mathbf {p}} : \mathbf {d}\in \mathbb {Z}_{{{\mathrm{ord}}}(h)}^{\ell +t}, r \in \mathbb {Z}_{{{\mathrm{ord}}}(g)} \Bigr \} \subseteq \mathbb {G}^{\ell +t} \end{aligned}$$

    where the group operation over \(\mathbb {G}^{\ell +t}\) is the natural one given by coordinate-wise product. The uniform distributions over \(\mathcal {G}_{\textsc {yes}}\) and \(\mathcal {G}\) are computationally indistinguishable under subgroup indistinguishability as shown in [10]. (The reduction is fairly straightforward: it essentially takes the challenge \((x, g, h)\) where either \(x \leftarrow _{\textsc {r}}\mathbb {G}_0\) or \(x \leftarrow _{\textsc {r}}\mathbb {G}\) and computes \((g^{\mathbf {p}'},x^{\mathbf {p}'})\) where \(\mathbf {p}' \leftarrow _{\textsc {r}}\mathbb {Z}_{|\mathbb {G}|}^{\ell +t}\).)

  • Hashing. The hashing key is given by a column vector \(\mathbf {s}\leftarrow _{\textsc {r}}\mathbb {Z}_{{{\mathrm{ord}}}(h)}^\ell \). We then set \(\hat{\mathbf {s}} \in \mathbb {Z}_{{{\mathrm{ord}}}(h)}^{\ell +t}\) to be the concatenation of \(\mathbf {s}\) and \(f_1(\mathbf {s}),\ldots ,f_t(\mathbf {s})\).

    $$\begin{aligned} \mu (g^\mathbf {p},\mathbf {s}) := g^{\mathbf {p}^{\!\scriptscriptstyle {\top }}\hat{\mathbf {s}}} \in \mathbb {G}\end{aligned}$$

    Private and public evaluation are given by:

    $$\begin{aligned} \Lambda _\mathbf {s}(\mathbf {c}) := \mathbf {c}^{\hat{\mathbf {s}}} \in \mathbb {G}\qquad \text{ and }\qquad \mathsf {Pub}(g^{\mathbf {p}^{\!\scriptscriptstyle {\top }}\hat{\mathbf {s}}},\mathbf {c},r) := (g^{\mathbf {p}^{\!\scriptscriptstyle {\top }}\hat{\mathbf {s}}})^r \end{aligned}$$

    where \(\mathbf {c}^{\hat{\mathbf {s}}} := \prod _{i=1}^{\ell +t} \mathbf {c}_i^{\hat{\mathbf {s}}_i}\). Clearly, \(\Lambda _\mathbf {s}(\cdot )\) is a group homomorphism. The projective property simply follows from the fact that \(g^{(r \mathbf {p})^{\!\scriptscriptstyle {\top }}\hat{\mathbf {s}}} = g^{r \mathbf {p}^{\!\scriptscriptstyle {\top }}\hat{\mathbf {s}}} = (g^{\mathbf {p}^{\!\scriptscriptstyle {\top }}\hat{\mathbf {s}}})^r\).

  • Smoothness. To establish average-case smoothness, first observe that:

    $$\begin{aligned} \Lambda _{\hat{\mathbf {s}}}(h^\mathbf {d}\cdot g^{r \mathbf {p}}) \,\text {mod}\,\mathbb {G}_0 = h^{\mathbf {d}^{\!\scriptscriptstyle {\top }}{\hat{\mathbf {s}}}} \end{aligned}$$

    The left-over hash lemma tells us that \(\mathbf {d}^{\!\scriptscriptstyle {\top }}{\hat{\mathbf {s}}}\) is statistically close to uniform over \(\mathbb {Z}_{{{\mathrm{ord}}}(h)}\). More precisely, for \(\ell > 3 \log |\mathbb {G}|\), the following distributions:

    $$ ( \mathbf {p}, \mathbf {p}^{\!\scriptscriptstyle {\top }}{\hat{\mathbf {s}}} \,\text {mod}\,|\mathbb {G}_0|, \mathbf {d}, \mathbf {d}^{\!\scriptscriptstyle {\top }}{\hat{\mathbf {s}}} \,\text {mod}\,{{\mathrm{ord}}}(h) ) \quad \text{ and } \quad ( \mathbf {p}, \mathbf {p}^{\!\scriptscriptstyle {\top }}{\hat{\mathbf {s}}} \,\text {mod}\,|\mathbb {G}_0|, \mathbf {d}, d' )$$

    are statistically close, where \(\mathbf {s}\leftarrow _{\textsc {r}}\mathbb {Z}_{{{\mathrm{ord}}}(h)}^\ell , \mathbf {d}\leftarrow _{\textsc {r}}\mathbb {Z}_{{{\mathrm{ord}}}(h)}^{\ell +t}, d' \leftarrow _{\textsc {r}}\mathbb {Z}_{{{\mathrm{ord}}}(h)}\). Average-case smoothness follows readily, since \(g^{\mathbf {p}^{\!\scriptscriptstyle {\top }}{\hat{\mathbf {s}}}}\) is completely determined by \(\mathbf {p}^{\!\scriptscriptstyle {\top }}{\hat{\mathbf {s}}} \,\text {mod}\,|\mathbb {G}_0|\).

  • Class \(\mathcal {F}\). The message space \(\mathcal {M}= \mathbb {Z}_{{{\mathrm{ord}}}(h)}\) and \(\phi (m) = h^m\).

    – Observe that for all \(\mathbf {a}\in \mathbb {Z}^{\ell }, c \in \mathbb {Z}\) (such that \(\mathbf {a}^{\!\scriptscriptstyle {\top }}\mathbf {s}+c \in \mathbb {Z}_{{{\mathrm{ord}}}(h)}\) for all \(\mathbf {s}\in \mathbb {Z}_{{{\mathrm{ord}}}(h)}^\ell \)):

      $$\begin{aligned} \Lambda _\mathbf {s}(h^{\mathbf {a}|| \mathbf {0}}) \cdot h^c = h^{\mathbf {a}^{\!\scriptscriptstyle {\top }}\mathbf {s}+c} = \phi (\mathbf {a}^{\!\scriptscriptstyle {\top }}\mathbf {s}+c) \end{aligned}$$
    – Moreover, for all \(i \in [t]\),

      $$\begin{aligned} \Lambda _\mathbf {s}(h^{\mathbf {e}_{\ell +i}}) = h^{f_i(\mathbf {s})} = \phi (f_i(\mathbf {s})) \end{aligned}$$

      where \(\mathbf {e}_{\ell +i} \in \{0,1\}^{\ell +t}\) is the unit vector with a 1 in the \((\ell +i)\)’th index.

    That is, the resulting scheme is \(\mathcal {F}\)-KDM secure for \(\mathcal {F}= \{ \mathbf {s}\mapsto \mathbf {a}^{\!\scriptscriptstyle {\top }}\mathbf {s}+c \mid \mathbf {a}\in \mathbb {Z}^{\ell }, c \in \mathbb {Z}\} \cup \{ f_1,\ldots ,f_t \}\), i.e. affine functions of the bits of the secret key, plus the functions \(f_1,\ldots ,f_t\).