CCA Security and Trapdoor Functions via Key-Dependent-Message Security

Research Article, Journal of Cryptology

Abstract

We study the relationship among public-key encryption (PKE) satisfying indistinguishability against chosen plaintext attacks (IND-CPA security), that against chosen ciphertext attacks (IND-CCA security), and trapdoor functions (TDF). Specifically, we aim at finding a unified approach and some additional requirement to realize IND-CCA secure PKE and TDF based on IND-CPA secure PKE, and show the following two main results. As the first main result, we show how to achieve IND-CCA security via a weak form of key-dependent-message (KDM) security. More specifically, we construct an IND-CCA secure PKE scheme based on an IND-CPA secure PKE scheme and a secret-key encryption (SKE) scheme satisfying one-time KDM security with respect to projection functions (projection-KDM security). Projection functions are elementary functions with respect to which KDM security has been widely studied. Since the existence of projection-KDM secure PKE implies that of the above two building blocks, as a corollary of this result, we see that the existence of IND-CCA secure PKE is implied by that of projection-KDM secure PKE. As the second main result, we extend the above construction of IND-CCA secure PKE into that of TDF by additionally requiring a mild requirement for each building block. Our TDF satisfies adaptive one-wayness. We can instantiate our TDF based on a wide variety of computational assumptions. Especially, we obtain the first TDF (with adaptive one-wayness) based on the sub-exponential hardness of the constant-noise learning-parity-with-noise (LPN) problem. In addition, we show that by extending the above constructions, we can obtain PKE schemes satisfying advanced security notions under CCA, that is, optimal rate leakage-resilience under CCA and selective-opening security under CCA. As a result, we obtain the first PKE schemes satisfying these security notions based on the computational Diffie–Hellman (CDH) assumption or the low-noise LPN assumption.

Notes

  1. All of our results on PKE explained here (except for the selective-opening CCA result explained at the end of this subsection) are in fact obtained for a key encapsulation mechanism (KEM), but they can be translated to the results for PKE by employing hybrid encryption. Thus, we mostly explain our results using PKE.

  2. Projection-KDM security ensures security when encrypting both a copy and a negation of secret key bits, while circular security ensures security when encrypting only a copy of secret key bits.

  3. Garg, Gay, and Hajiabadi [25] also used a similar technique called mirroring.

  4. While we cannot achieve perfect correctness by this modification, we can still achieve almost-all-keys correctness [22]. For its formal definition, see Sect. 3.

  5. When the context is clear, we will usually omit “under CPA” for this security notion.

  6. These three requirements are without loss of generality for an IND-CPA secure KEM: The properties (1) and (3) can be achieved by stretching a session-key of a KEM with session-key space \(\{0,1\}^{\lambda }\) by using a PRG \({{\mathsf {G}}}:\{0,1\}^\lambda \rightarrow \{0,1\}^{4\lambda }\), and the randomness space of \({\mathsf {Encap}}\) can also be freely adjusted by using a PRG whose range is the randomness space of \({\mathsf {Encap}}\).

  7. Note that \({\mathcal {B}}_{{\mathsf {cpa}}}'\) embeds its given public key \({{{\mathsf {pk}}}}'\) to \({{{\mathsf {pk}}}}^0\), and thus it does not have the corresponding secret key \({{{\mathsf {sk}}}}^0\). Hence, it cannot check if \({\mathcal {A}}\)’s decapsulation query satisfies the condition of a Type-2b hash-bad query (checking which requires \({{{\mathsf {sk}}}}^0\)). This is the reason why we make \({\mathcal {B}}_{{\mathsf {cpa}}}'\) pick \({\mathcal {A}}\)’s query randomly.

  8. Roughly speaking, RDM security used by Hajiabadi and Kapron requires that n ciphertexts encrypting the bit-decomposition of \({{{\mathsf {r}}}}= ({{{\mathsf {r}}}}_1, \dots , {{{\mathsf {r}}}}_n)\) are indistinguishable from n ciphertexts that all encrypt 0 even if they are all encrypted under the same random coin \({{{\mathsf {r}}}}\) itself. In the actual definition, an adversary is given multiple sets of the above n ciphertexts. This setting is somewhat unnatural in the usage of PKE, and a PKE scheme satisfying this security notion immediately implies a TDF with one-wayness under correlated products.

  9. Among \({\mathbf {O}}= ({\mathbf {g}}, {\mathbf {e}}, {\mathbf {d}}, {\mathbf {w}}, {\mathbf {u}})\), \(({\mathbf {g}}, {\mathbf {e}}, {\mathbf {d}})\) (resp. \(({\mathbf {w}}, {\mathbf {u}})\)) corresponds to \({\mathbf {O}}_1\) (resp. \({\mathbf {O}}_2\)) in the above explanation.

  10. The purpose of \(F_{{\mathbf {w}}}\) is to make \({\mathbf {w}}\) deterministic (after chosen according to the distribution \(\mathbf {\Phi }\)). When an oracle \({\mathbf {O}}\) is chosen from \(\mathbf {\Phi }\), \(F_{{\mathbf {w}}}\) will work as a truly random function. This treatment is done implicitly in [27].

  11. Note that the behavior of \({\mathbf {O}}\) is completely determined by \({\mathbf {g}}\), \({\mathbf {e}}\), and \(F_{{\mathbf {w}}}\) used in \({\mathbf {w}}\).

  12. In the extended KDM experiment, \(F_{{\mathbf {w}}}\) is a random function and \({\mathcal {A}}\) is assumed to never repeat a query. Thus, we can identify the computation \(({{{\mathsf {r}}}}_1,\dots ,{{{\mathsf {r}}}}_\lambda ) \leftarrow F_{{\mathbf {w}}}({{{\mathsf {pk}}}}, z)\) done in \({\mathbf {w}}\) with picking \({{{\mathsf {r}}}}_1,\dots ,{{{\mathsf {r}}}}_\lambda \xleftarrow {{{\mathsf {r}}}}\{0,1\}^\lambda \). Hence, \({\mathcal {B}}_{{\mathsf {}}}\)’s simulation of the response to a \({\mathbf {w}}\)-query \(({{{\mathsf {pk}}}}, z)\) with \({{{\mathsf {pk}}}}= {{{\mathsf {pk}}}}^*\) is perfect.

  13. Note that \({\mathcal {B}}_{{\mathsf {kdm}}}\) does not have access to a secret key \({{{\mathsf {sk}}}}\) (which \({\mathcal {B}}_{{\mathsf {kdm}}}\) uses as \({{{\mathsf {s}}}}^*\) in the experiment simulated for \({\mathcal {A}}\)) and the randomness \({{{\mathsf {r}}}}_{{\mathsf {SKE}}}^*\) behind the challenge ciphertext \({{{\mathsf {ct}}}}_{{\mathsf {SKE}}}^*\), and thus it cannot directly and exactly check whether \({\mathcal {A}}\) has succeeded in outputting \(x' = {{{\mathsf {x}}}}^* = ({{{\mathsf {s}}}}^*, ({{{\mathsf {r}}}}_i^{*({{{\mathsf {s}}}}_i^*)})_{i \in [n]}, {{{\mathsf {k}}}}^*, {{{\mathsf {r}}}}^*)\).

  14. One can understand that a hinting PRG stretches a seed \({{{\mathsf {s}}}}\in \{0,1\}^n\) to a string \({{{\mathsf {y}}}}_0 \Vert \dots \Vert {{{\mathsf {y}}}}_n \in \{0,1\}^{(n+1) \cdot \lambda }\) where \({{{\mathsf {y}}}}_i = {\mathsf {HEval}}({{{\mathsf {pp}}}}, {{{\mathsf {s}}}}, i)\) for each \(i \in \{0\} \cup [n]\).

References

  1. B. Applebaum, D. Cash, C. Peikert, A. Sahai, Fast cryptographic primitives and circular-secure encryption based on hard learning problems, in S. Halevi, editor, CRYPTO 2009. LNCS, vol 5677 (Springer, Heidelberg, 2009), pp. 595–618

  2. M. Alekhnovich, More on average case vs approximation complexity, in 44th FOCS (IEEE Computer Society Press, 2003), pp. 298–307

  3. B. Applebaum, Key-dependent message security: generic amplification and completeness, in K.G. Paterson, editor, EUROCRYPT 2011. LNCS, vol. 6632 (Springer, Heidelberg, 2011), pp. 527–546

  4. M. Bellare, A. Boldyreva, A. O’Neill, Deterministic and efficiently searchable encryption, in A. Menezes, editor, CRYPTO 2007. LNCS, vol. 4622 (Springer, Heidelberg, 2007), pp. 535–552

  5. M. Bellare, A. Boldyreva, J. Staddon, Randomness re-use in multi-recipient encryption schemes, in Y. Desmedt, editor, PKC 2003. LNCS, vol. 2567 (Springer, Heidelberg, 2003), pp. 85–99

  6. E. Birrell, K.M. Chung, R. Pass, S. Telang, Randomness-dependent message security, in A. Sahai, editor, TCC 2013. LNCS, vol. 7785 (Springer, Heidelberg, 2013), pp. 700–720

  7. Z. Brakerski, S. Goldwasser, Circular and leakage resilient public-key encryption under subgroup indistinguishability - (or: Quadratic residuosity strikes back), in T. Rabin, editor, CRYPTO 2010. LNCS, vol. 6223 (Springer, Heidelberg, 2010), pp. 1–20

  8. D. Boneh, S. Halevi, M. Hamburg, R. Ostrovsky, Circular-secure encryption from decision Diffie-Hellman, in D. Wagner, editor, CRYPTO 2008. LNCS, vol. 5157 (Springer, Heidelberg, 2008), pp. 108–125

  9. M. Bellare, S. Halevi, A. Sahai, S.P. Vadhan, Many-to-one trapdoor functions and their relation to public-key cryptosystems, in H. Krawczyk, editor, CRYPTO’98. LNCS, vol. 1462 (Springer, Heidelberg, 1998), pp. 283–298

  10. M. Bellare, D. Hofheinz, S. Yilek, Possibility and impossibility results for encryption and commitment secure under selective opening, in A. Joux, editor, EUROCRYPT 2009. LNCS, vol. 5479 (Springer, Heidelberg, 2009), pp. 1–35

  11. D. Boneh, J. Katz, Improved efficiency for CCA-secure cryptosystems built using identity-based encryption, in A. Menezes, editor, CT-RSA 2005. LNCS, vol. 3376 (Springer, Heidelberg, 2005), pp. 87–103

  12. S. Berndt, M. Liskiewicz, On the gold standard for security of universal steganography, in J.B. Nielsen, V. Rijmen, editors, EUROCRYPT 2018, Part I. LNCS, vol. 10820 (Springer, Heidelberg, 2018), pp. 29–60

  13. D. Bleichenbacher, Chosen ciphertext attacks against protocols based on the RSA encryption standard PKCS #1, in H. Krawczyk, editor, CRYPTO’98. LNCS, vol. 1462 (Springer, Heidelberg, 1998), pp. 1–12

  14. Z. Brakerski, A. Lombardi, G. Segev, V. Vaikuntanathan, Anonymous IBE, leakage resilience and circular security from new assumptions, in J.B. Nielsen, V. Rijmen, editors, EUROCRYPT 2018, Part I. LNCS, vol. 10820 (Springer, Heidelberg, 2018), pp. 535–564

  15. M. Bellare, P. Rogaway, Random oracles are practical: a paradigm for designing efficient protocols, in D.E. Denning, R. Pyle, R. Ganesan, R.S. Sandhu, V. Ashby, editors, ACM CCS 93 (ACM Press, 1993), pp. 62–73

  16. J. Black, P. Rogaway, T. Shrimpton, Encryption-scheme security in the presence of key-dependent messages, in K. Nyberg, H.M. Heys, editors, SAC 2002. LNCS, vol. 2595 (Springer, Heidelberg, 2003), pp. 62–75

  17. Z. Brakerski, G. Segev, Better security for deterministic public-key encryption: the auxiliary-input setting, in P. Rogaway, editor, CRYPTO 2011. LNCS, vol. 6841 (Springer, Heidelberg, 2011), pp. 543–560

  18. J. Camenisch, A. Lysyanskaya, An efficient system for non-transferable anonymous credentials with optional anonymity revocation, in B. Pfitzmann, editor, EUROCRYPT 2001. LNCS, vol. 2045 (Springer, Heidelberg, 2001), pp. 93–118

  19. D. Dolev, C. Dwork, M. Naor, Non-malleable cryptography (extended abstract), in 23rd ACM STOC (ACM Press, 1991), pp. 542–552

  20. N. Döttling, S. Garg, M. Hajiabadi, D. Masny, New constructions of identity-based and key-dependent message secure encryption schemes, in M. Abdalla, R. Dahab, editors, PKC 2018, Part I. LNCS, vol. 10769 (Springer, Heidelberg, 2018), pp. 3–31

  21. N. Döttling, J. Müller-Quade, A.C.A. Nascimento, IND-CCA secure cryptography based on a variant of the LPN problem, in X. Wang, K. Sako, editors, ASIACRYPT 2012. LNCS, vol. 7658 (Springer, Heidelberg, 2012), pp. 485–503

  22. C. Dwork, M. Naor, O. Reingold, Immunizing encryption schemes from decryption errors, in C. Cachin, J. Camenisch, editors, EUROCRYPT 2004. LNCS, vol. 3027 (Springer, Heidelberg, 2004), pp. 342–360

  23. S. Fehr, D. Hofheinz, E. Kiltz, H. Wee, Encryption schemes secure against chosen-ciphertext selective opening attacks, in H. Gilbert, editor, EUROCRYPT 2010. LNCS, vol. 6110 (Springer, Heidelberg, 2010), pp. 381–402

  24. E. Fujisaki, T. Okamoto, How to enhance the security of public-key encryption at minimum cost, in H. Imai, Y. Zheng, editors, PKC’99. LNCS, vol. 1560 (Springer, Heidelberg, 1999), pp. 53–68

  25. S. Garg, R. Gay, M. Hajiabadi, New techniques for efficient trapdoor functions and applications, in Y. Ishai, V. Rijmen, editors, EUROCRYPT 2019, Part III. LNCS, vol. 11478 (Springer, Heidelberg, 2019), pp. 33–63

  26. S. Goldwasser, S. Micali, Probabilistic encryption and how to play mental poker keeping secret all partial information, in 14th ACM STOC (ACM Press, 1982), pp. 365–377

  27. Y. Gertner, T. Malkin, S. Myers, Towards a separation of semantic and CCA security for public key encryption, in S.P. Vadhan, editor, TCC 2007. LNCS, vol. 4392 (Springer, Heidelberg, 2007), pp. 434–455

  28. Y. Gertner, T. Malkin, O. Reingold, On the impossibility of basing trapdoor functions on trapdoor predicates, in 42nd FOCS (IEEE Computer Society Press, 2001), pp. 126–135

  29. M. Hajiabadi, B.M. Kapron, Reproducible circularly-secure bit encryption: applications and realizations, in R. Gennaro, M.J.B. Robshaw, editors, CRYPTO 2015, Part I. LNCS, vol. 9215 (Springer, Heidelberg, 2015), pp. 224–243

  30. S. Hohenberger, V. Koppula, B. Waters, Chosen ciphertext security from injective trapdoor functions, in D. Micciancio, T. Ristenpart, editors, CRYPTO 2020, Part I. LNCS, vol. 12170 (Springer, Heidelberg, 2020), pp. 836–866

  31. N. Hopper, On steganographic chosen covertext security, in L. Caires, G.F. Italiano, L. Monteiro, C. Palamidessi, M. Yung, editors, ICALP 2005. LNCS, vol. 3580 (Springer, Heidelberg, 2005), pp. 311–323

  32. C.Y. Hsiao, L. Reyzin, Finding collisions on a public road, or do secure hash functions need secret coins? in M. Franklin, editor, CRYPTO 2004. LNCS, vol. 3152 (Springer, Heidelberg, 2004), pp. 92–105

  33. F. Kitagawa, T. Matsuda, CPA-to-CCA transformation for KDM security. Cryptology ePrint Archive, Report 2019/609, 2019. https://eprint.iacr.org/2019/609

  34. F. Kitagawa, T. Matsuda, CPA-to-CCA transformation for KDM security, in D. Hofheinz, A. Rosen, editors, TCC 2019, Part II. LNCS, vol. 11892 (Springer, Heidelberg, 2019), pp. 118–148

  35. F. Kitagawa, T. Matsuda, Circular security is complete for KDM security, in ASIACRYPT 2020, Part I. LNCS (Springer, Heidelberg, 2020), pp. 253–285

  36. E. Kiltz, P. Mohassel, A. O’Neill, Adaptive trapdoor functions and chosen-ciphertext security, in H. Gilbert, editor, EUROCRYPT 2010. LNCS, vol. 6110 (Springer, Heidelberg, 2010), pp. 673–692

  37. E. Kiltz, D. Masny, K. Pietrzak, Simple chosen-ciphertext security from low-noise LPN, in H. Krawczyk, editor, PKC 2014. LNCS, vol. 8383 (Springer, Heidelberg, 2014), pp. 1–18

  38. F. Kitagawa, T. Matsuda, K. Tanaka, CCA security and trapdoor functions via key-dependent-message security, in A. Boldyreva, D. Micciancio, editors, CRYPTO 2019, Part III. LNCS, vol. 11694 (Springer, Heidelberg, 2019), pp. 33–64

  39. V. Koppula, B. Waters, Realizing chosen ciphertext security generically in attribute-based encryption and predicate encryption. Cryptology ePrint Archive, Report 2018/847, 2018. https://eprint.iacr.org/2018/847

  40. V. Koppula, B. Waters, Realizing chosen ciphertext security generically in attribute-based encryption and predicate encryption, in A. Boldyreva, D. Micciancio, editors, CRYPTO 2019, Part II. LNCS, vol. 11693 (Springer, Heidelberg, 2019), pp. 671–700

  41. S. Liu, K.G. Paterson, Simulation-based selective opening CCA security for PKE from key encapsulation mechanisms, in J. Katz, editor, PKC 2015. LNCS, vol. 9020 (Springer, Heidelberg, 2015), pp. 3–26

  42. A. Lombardi, W. Quach, R.D. Rothblum, D. Wichs, D.J. Wu, New constructions of reusable designated-verifier NIZKs. Cryptology ePrint Archive, Report 2019/242, 2019. https://eprint.iacr.org/2019/242. This is the initial version dated on Feb 27, 2019

  43. A. Lombardi, W. Quach, R.D. Rothblum, D. Wichs, D.J. Wu, New constructions of reusable designated-verifier NIZKs. Cryptology ePrint Archive, Report 2019/242, 2019. https://eprint.iacr.org/2019/242. This is the latest version dated on Jun 5, 2019

  44. A. Lombardi, W. Quach, R.D. Rothblum, D. Wichs, D.J. Wu, New constructions of reusable designated-verifier NIZKs, in A. Boldyreva, D. Micciancio, editors, CRYPTO 2019, Part III. LNCS, vol. 11694 (Springer, Heidelberg, 2019), pp. 670–700

  45. T. Matsuda, G. Hanaoka, Constructing and understanding chosen ciphertext security via puncturable key encapsulation mechanisms, in Y. Dodis, J.B. Nielsen, editors, TCC 2015, Part I. LNCS, vol. 9014 (Springer, Heidelberg, 2015), pp. 561–590

  46. T. Malkin, I. Teranishi, M. Yung, Efficient circuit-size independent public key encryption with KDM security, in K.G. Paterson, editor, EUROCRYPT 2011. LNCS, vol. 6632 (Springer, Heidelberg, 2011), pp. 507–526

  47. M. Naor, G. Segev, Public-key cryptosystems resilient to key leakage, in S. Halevi, editor, CRYPTO 2009. LNCS, vol. 5677 (Springer, Heidelberg, 2009), pp. 18–35

  48. C. Peikert, B. Waters, Lossy trapdoor functions and their applications, in R.E. Ladner, C.D. editors, 40th ACM STOC (ACM Press, 2008), pp. 187–196

  49. W. Quach, D. Wichs, G. Zirdelis, Watermarking PRFs under standard assumptions: public marking and security with extraction queries, in A. Beimel, S. Dziembowski, editors, TCC 2018, Part II. LNCS, vol. 11240 (Springer, Heidelberg, 2018), pp. 669–698

  50. J. Rompel, One-way functions are necessary and sufficient for secure signatures, in 22nd ACM STOC (ACM Press, 1990), pp. 387–394

  51. C. Rackoff, D.R. Simon, Non-interactive zero-knowledge proof of knowledge and chosen ciphertext attack, in J. Feigenbaum, editor, CRYPTO’91. LNCS, vol. 576 (Springer, Heidelberg, 1992), pp. 433–444

  52. A. Rosen, G. Segev, Chosen-ciphertext security via correlated products, in O. Reingold, editor, TCC 2009. LNCS, vol. 5444 (Springer, Heidelberg, 2009), pp. 419–436

  53. O. Reingold, L. Trevisan, S.P. Vadhan, Notions of reducibility between cryptographic primitives, in M. Naor, editor, TCC 2004. LNCS, vol. 2951 (Springer, Heidelberg, 2004), pp. 1–20

  54. H. Wee, KDM-security via homomorphic smooth projective hashing, in C.M. Cheng, K.M. Chung, G. Persiano, B.Y. Yang, editors, PKC 2016, Part II. LNCS, vol. 9615 (Springer, Heidelberg, 2016), pp. 159–179

  55. K. Xagawa, The Boneh-Katz transformation, revisited: pseudorandom/obliviously-samplable PKE from lattices and codes and its application. Cryptology ePrint Archive, Report 2021/740, 2021. https://eprint.iacr.org/2021/740. To appear in SAC 2021

  56. A.C.C. Yao, Theory and applications of trapdoor functions (extended abstract), in 23rd FOCS (IEEE Computer Society Press, 1982), pp. 80–91

  57. A.C.C. Yao, How to generate and exchange secrets (extended abstract), in 27th FOCS (IEEE Computer Society Press, 1986), pp. 162–167

  58. Y. Yu, J. Zhang, Cryptography with auxiliary input and trapdoor from constant-noise LPN, in M. Robshaw, J. Katz, editors, CRYPTO 2016, Part I. LNCS, vol. 9814 (Springer, Heidelberg, 2016), pp. 214–243

Acknowledgements

A part of this work was supported by JST OPERA JPMJOP1612, JST CREST JPMJCR19F6 and JPMJCR14D6, and JSPS KAKENHI 19H01109, JP16H01705, and JP17H01695.

Corresponding author

Correspondence to Takahiro Matsuda.

Additional information

Communicated by Elaine Shi.

The proceedings version of this paper appeared in CRYPTO 2019 [38].

Appendices

Other Definitions

1.1 Public-Key Encryption

Definition 13

(Public-key encryption) A public-key encryption (PKE) scheme \({\mathsf {PKE}}\) consists of the three PPT algorithms \(({\mathsf {KG}}, {\mathsf {Enc}}, {\mathsf {Dec}})\):

  • \({\mathsf {KG}}\) is the key generation algorithm that takes \(1^\lambda \) as input, and outputs a public/secret key pair \(({{{\mathsf {pk}}}}, {{{\mathsf {sk}}}})\). We assume that the security parameter \(\lambda \) determines the secret key space \({\mathcal {K}}\) and the message space \({\mathcal {M}}\).

  • \({\mathsf {Enc}}\) is the encryption algorithm that takes a public key \({{{\mathsf {pk}}}}\) and a plaintext \({{{\mathsf {m}}}}\) as input, and outputs a ciphertext \({{{\mathsf {ct}}}}\).

  • \({\mathsf {Dec}}\) is the (deterministic) decryption algorithm that takes a secret key \({{{\mathsf {sk}}}}\) and a ciphertext \({{{\mathsf {ct}}}}\) as input, and outputs a plaintext \({{{\mathsf {m}}}}\) or the invalid symbol \(\bot \notin {\mathcal {M}}\).

Let \(\epsilon : {\mathbb {N}}\rightarrow [0,1]\). We say that a PKE scheme \({\mathsf {PKE}}= ({\mathsf {KG}}, {\mathsf {Enc}}, {\mathsf {Dec}})\) is \(\epsilon \)-almost-all-keys correct if we have

$$\begin{aligned} {\mathsf {Err}}_{{\mathsf {PKE}}}(\lambda ) := \Pr _{({{{\mathsf {pk}}}}, {{{\mathsf {sk}}}}) \leftarrow {\mathsf {KG}}(1^\lambda )}\left[ ~ \begin{array}{l} \exists ({{{\mathsf {m}}}}, {{{\mathsf {r}}}}) \in \\ ~~{\mathcal {M}}\times {\mathcal {R}}\end{array} ~~\mathrm {s.t.}~{\mathsf {Dec}}({{{\mathsf {sk}}}}, {\mathsf {Enc}}({{{\mathsf {pk}}}}, {{{\mathsf {m}}}};{{{\mathsf {r}}}})) \ne {{{\mathsf {m}}}}\right] = \epsilon (\lambda ). \end{aligned}$$

Furthermore, we just say that \({\mathsf {PKE}}\) is correct (resp. almost-all-keys correct) if \({\mathsf {Err}}_{{\mathsf {PKE}}}(\lambda )\) is zero (resp. \({\mathsf {negl}}(\lambda )\)).
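The quantifier order in Definition 13 matters: a key is already "bad" if a single pair (m, r) decrypts wrongly under it, which is a stronger demand than a small error probability over (key, m, r) jointly. The following Python snippet is an added example, not code from the paper: a constructed toy scheme with 6-bit secret keys, a public "noise level" pk = popcount(sk), one-bit messages and 4-bit coins, small enough that M × R can be enumerated exhaustively for every key. It computes Err_PKE exactly and sets it beside the weaker per-ciphertext error; all spaces and the noise rule are assumptions made for the example.

```python
from itertools import product

# Toy parameters, constructed for this example only.
KEYS = range(64)            # secret-key space: 6-bit strings, KG samples one uniformly
MSGS = (0, 1)               # message space M
RAND = range(16)            # randomness space R of Enc: 4-bit coin strings
MOD, HALF = 32, 16          # ciphertexts live in Z_32; a message bit is placed at 0 or 16

def popcount(x):
    return bin(x).count("1")

def kg(sk):
    """KG(1^lambda) with its coins fixed to sk; the public key is a 'noise level' derived from sk."""
    return popcount(sk), sk

def enc(pk, m, r):
    e = pk + popcount(r)    # noise term: depends on the public key and the coins r, never on sk
    return (HALF * m + e) % MOD

def dec(sk, ct):
    """Rounding decryption: correct exactly when the noise e is below MOD/4 = 8."""
    return 1 if MOD // 4 <= ct < 3 * MOD // 4 else 0

def key_has_decryption_error(sk):
    """The event inside Pr[...] of Definition 13: exists (m, r) in M x R with Dec(sk, Enc(pk, m; r)) != m."""
    pk, _ = kg(sk)
    return any(dec(sk, enc(pk, m, r)) != m for m, r in product(MSGS, RAND))

def almost_all_keys_error():
    """Err_PKE(lambda): probability over KG that SOME (m, r) decrypts wrongly under the key pair."""
    bad_keys = sum(key_has_decryption_error(sk) for sk in KEYS)
    return bad_keys / len(KEYS)

def average_case_error():
    """Per-ciphertext error, probability over (pk, sk), m and r jointly: a strictly weaker notion."""
    failures = sum(dec(sk, enc(kg(sk)[0], m, r)) != m
                   for sk, m, r in product(KEYS, MSGS, RAND))
    return failures / (len(KEYS) * len(MSGS) * len(RAND))

if __name__ == "__main__":
    # Keys with popcount >= 4 fail for r = 15 (popcount 4): 22 of 64 keys, i.e. Err_PKE = 0.34375,
    # while only 56 of the 1024 (key, m, r) triples actually fail, i.e. 0.0546875.
    print("almost-all-keys error:", almost_all_keys_error())
    print("average-case error:   ", average_case_error())
```

Here a per-ciphertext failure rate of about 5% hides the fact that more than a third of all keys admit some failing ciphertext, which is exactly the gap between "correct for most ciphertexts" and the almost-all-keys correctness of [22] that the paper relies on (Note 4).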

Here, we recall IND-CCA, IND-CCA1, and KDM security for a PKE scheme that are treated in this paper. As in the case of SKE, for simplicity, here we only give the definition for the single key setting for KDM security.

Definition 14

(Security notions for PKE) Let \({\mathsf {PKE}}= ({\mathsf {KG}}, {\mathsf {Enc}}, {\mathsf {Dec}})\) be a PKE scheme with a secret key space \({\mathcal {K}}\) and a plaintext space \({\mathcal {M}}\), and let \({\mathcal {F}}_{{\mathsf {}}}\) be a function family with domain \({\mathcal {K}}\) and range \({\mathcal {M}}\).

We say that \({\mathsf {PKE}}\) is

  • IND-CCA secure (a.k.a. IND-CCA2 secure) if for all PPT adversaries \({\mathcal {A}}= ({\mathcal {A}}_1,{\mathcal {A}}_2)\), we have \({\mathsf {Adv}}_{{\mathsf {PKE}},{\mathcal {A}}}^{{\mathsf {cca}}}(\lambda ) := 2 \cdot |\Pr [{\mathsf {Expt}}_{{\mathsf {PKE}},{\mathcal {A}}}^{{\mathsf {cca}}}(\lambda ) = 1] - 1/2| = {\mathsf {negl}}(\lambda )\), where the experiment \({\mathsf {Expt}}_{{\mathsf {PKE}},{\mathcal {A}}}^{{\mathsf {cca}}}(\lambda )\) is defined as in Fig. 7 (left), and in the experiment, it is required that \(|{{{\mathsf {m}}}}_0|=|{{{\mathsf {m}}}}_1|\) and \({\mathcal {A}}_2\) is not allowed to submit \({{{\mathsf {ct}}}}^*\) to the decryption oracle \({\mathsf {Dec}}({{{\mathsf {sk}}}}, \cdot )\).

  • IND-CCA1 secure if for all PPT adversaries \({\mathcal {A}}= ({\mathcal {A}}_1,{\mathcal {A}}_2)\), we have \({\mathsf {Adv}}_{{\mathsf {PKE}},{\mathcal {A}}}^{{\mathsf {cca1}}}(\lambda ) := 2 \cdot |\Pr [{\mathsf {Expt}}_{{\mathsf {PKE}},{\mathcal {A}}}^{{\mathsf {cca1}}}(\lambda ) = 1] - 1/2| = {\mathsf {negl}}(\lambda )\), where the experiment \({\mathsf {Expt}}_{{\mathsf {PKE}},{\mathcal {A}}}^{{\mathsf {cca1}}}(\lambda )\) is defined exactly as in \({\mathsf {Expt}}_{{\mathsf {PKE}},{\mathcal {A}}}^{{\mathsf {cca}}}(\lambda )\), except that \({\mathcal {A}}_2\) is not given access to the decryption oracle \({\mathsf {Dec}}({{{\mathsf {sk}}}},\cdot )\).

  • \({\mathcal {F}}_{{\mathsf {}}}\)-KDM secure if for all PPT adversaries \({\mathcal {A}}\), we have \({\mathsf {Adv}}_{{\mathsf {PKE}},{\mathcal {F}}_{{\mathsf {}}},{\mathcal {A}}}^{{\mathsf {kdm}}}(\lambda ) := 2 \cdot |\Pr [{\mathsf {Expt}}_{{\mathsf {PKE}},{\mathcal {F}}_{{\mathsf {}}},{\mathcal {A}}}^{{\mathsf {kdm}}}(\lambda ) = 1] - 1/2| = {\mathsf {negl}}(\lambda )\), where the experiment \({\mathsf {Expt}}_{{\mathsf {PKE}},{\mathcal {F}}_{{\mathsf {}}},{\mathcal {A}}}^{{\mathsf {kdm}}}(\lambda )\) is defined as in Fig. 7 (center), and the KDM-encryption oracle \({\mathcal {O}}_{{\mathsf {kdm}}}\) is described in Fig. 7 (right).

Fig. 7: Security experiments for PKE: the IND-CCA experiment (left), the KDM security experiment (center), and the KDM-encryption oracle used in the KDM security experiment (right)

As in the case of SKE, we will deal with the function families \({\mathcal {P}}\) and \(\mathcal {B}_{\mathsf {size}}\) as the function classes for KDM security of PKE. (See Sect. 3.3 for their definitions.)
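The IND-CCA and IND-CCA1 experiments of Definition 14, written out as an added Python harness (not code from the paper). It runs on a constructed toy ElGamal instance over a 10-bit safe prime, chosen only so that the experiment has a concrete scheme to drive; the group parameters, the trial count and the adversary are assumptions of this example. The harness enforces the two rules stated in the definition (both challenge messages must lie in the message space, which for group elements makes |m0| = |m1| automatic, and A2 may not submit ct*), and the textbook malleability adversary shows why the second rule is needed: given the phase-2 oracle it has advantage exactly 1, while in the IND-CCA1 variant the same adversary is reduced to guessing.

```python
import random

# Toy ElGamal in the order-Q subgroup of Z_P^*, constructed for this example only (not secure at this size).
P, Q, G = 1019, 509, 4          # P = 2Q + 1 is a safe prime; G = 2^2 generates the quadratic residues

def in_message_space(m):
    """Message space M = the subgroup of order Q; all its elements have the same 'length'."""
    return 0 < m < P and pow(m, Q, P) == 1

def kg(rng):
    sk = rng.randrange(1, Q)
    return pow(G, sk, P), sk

def enc(pk, m, rng):
    r = rng.randrange(1, Q)
    return (pow(G, r, P), m * pow(pk, r, P) % P)

def dec(sk, ct):
    c1, c2 = ct
    return c2 * pow(c1, P - 1 - sk, P) % P      # c1^{-sk} via Fermat's little theorem

def expt_cca(adv, rng, b, cca1=False):
    """One run of Expt^cca (or Expt^cca1 when cca1=True) with challenge bit b; returns 1 iff b' = b."""
    pk, sk = kg(rng)
    m0, m1, state = adv.phase1(pk, lambda ct: dec(sk, ct), rng)   # A1 has the oracle Dec(sk, .)
    if not (in_message_space(m0) and in_message_space(m1)):
        raise ValueError("challenge messages must be valid, equal-length messages")
    ct_star = enc(pk, (m0, m1)[b], rng)
    def oracle2(ct):                              # A2's oracle refuses the challenge ciphertext
        if ct == ct_star:
            raise ValueError("A2 may not submit ct* to the decryption oracle")
        return dec(sk, ct)
    b_prime = adv.phase2(ct_star, None if cca1 else oracle2, state, rng)
    return int(b_prime == b)

def advantage(adv, trials=100, cca1=False, seed=2024):
    """Adv = 2 * |Pr[Expt = 1] - 1/2|, estimated with both values of b used equally often."""
    rng = random.Random(seed)
    wins = sum(expt_cca(adv, rng, b, cca1) for _ in range(trials) for b in (0, 1))
    return 2 * abs(wins / (2 * trials) - 0.5)

class MalleabilityAdversary:
    """Textbook adversary against the malleable toy scheme: it never decrypts ct* itself."""
    def phase1(self, pk, dec_oracle, rng):
        m0, m1 = pow(G, 7, P), pow(G, 11, P)   # two distinct elements of the message space
        return m0, m1, (m0, m1)
    def phase2(self, ct_star, dec_oracle, state, rng):
        m0, m1 = state
        if dec_oracle is None:                  # IND-CCA1: no oracle after the challenge, so guess
            return 0
        c1, c2 = ct_star
        m_prime = dec_oracle((c1, c2 * G % P))  # a different ciphertext that decrypts to m_b * G
        m_b = m_prime * pow(G, P - 2, P) % P    # divide by G
        return 0 if m_b == m0 else 1

def challenge_query_is_rejected():
    """Checks that the harness enforces the 'no ct* query' rule from the definition."""
    class Cheater(MalleabilityAdversary):
        def phase2(self, ct_star, dec_oracle, state, rng):
            return dec_oracle(ct_star)
    try:
        expt_cca(Cheater(), random.Random(1), 0)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    print("IND-CCA  advantage:", advantage(MalleabilityAdversary()))             # 1.0
    print("IND-CCA1 advantage:", advantage(MalleabilityAdversary(), cca1=True))  # 0.0
```

Because the challenge bit is iterated over both values rather than sampled, a fixed guess yields exactly Pr[b' = b] = 1/2 and the estimate is deterministic; the only randomness left is in key generation and encryption coins.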

1.2 Hinting PRG

Here, we review the definition of a hinting PRG [40]. We make a slight simplification to the syntax from [40] in that the “block length” (i.e., the output length of \({\mathsf {HEval}}\)) is fixed to be \(\lambda \), instead of allowing it to be decided at the setup.

Definition 15

(Hinting PRG) A hinting PRG \({\mathsf {HPRG}}\) consists of the two PPT algorithms \(({\mathsf {HSetup}},{\mathsf {HEval}})\) with the following syntax.

  • \({\mathsf {HSetup}}\) is the setup algorithm that takes \(1^\lambda \) as input, and outputs a public parameter \({{{\mathsf {pp}}}}\). We assume that \({{{\mathsf {pp}}}}\) specifies the seed length \(n=n(\lambda )\).

  • \({\mathsf {HEval}}\) is the evaluation algorithm (for computing each “block”) that takes a public parameter \({{{\mathsf {pp}}}}\), a seed \({{{\mathsf {s}}}}\in \{0,1\}^n\), and an index \(i \in \{0\} \cup [n]\) as input, and outputs a string \({{{\mathsf {y}}}}\in \{0,1\}^\lambda \) (see Note 14).

Security:

We say that \({\mathsf {HPRG}}\) is a secure hinting PRG if for all PPT adversaries \({\mathcal {A}}\), we have \({\mathsf {Adv}}_{{\mathsf {HPRG}},{\mathcal {A}}}^{{\mathsf {hprg}}}(\lambda ) := 2 \cdot |\Pr [{\mathsf {Expt}}_{{\mathsf {HPRG}},{\mathcal {A}}}^{{\mathsf {hprg}}}(\lambda ) = 1] - 1/2| = {\mathsf {negl}}(\lambda )\), where the experiment \({\mathsf {Expt}}_{{\mathsf {HPRG}}, {\mathcal {A}}}^{{\mathsf {hprg}}}(\lambda )\) is defined as in Fig. 8 (left).

Fig. 8: The security experiments for a hinting PRG (left) and for a circuit garbling scheme (right)

1.3 Garbled Circuits

Here, we review the definition of a circuit garbling scheme [57].

Definition 16

(Circuit garbling) Let \(\{{\mathcal {C}}_n\}_{n \in {\mathbb {N}}}\) be a family of circuits where the input length of each circuit in \({\mathcal {C}}_n\) is n. A circuit garbling scheme \({\mathsf {GC}}\) consists of the three PPT algorithms \(({\mathsf {Garble}}, {\mathsf {Eval}}, {\mathsf {Sim}})\):

  • \({\mathsf {Garble}}\) is the garbling algorithm that takes \(1^\lambda \) and a circuit \(C \in {\mathcal {C}}_n\) as input, and outputs a garbled circuit \({\widetilde{C}}\) together with 2n labels \(({{{\mathsf {lab}}}}_i^v)_{i \in [n],v \in \{0,1\}}\). For simplicity and without loss of generality, we assume that the length of each \({{{\mathsf {lab}}}}_i^v\) is \(\lambda \).

  • \({\mathsf {Eval}}\) is the (deterministic) evaluation algorithm that takes a garbled circuit \({\widetilde{C}}\) and n labels \(({{{\mathsf {lab}}}}_i)_{i \in [n]}\) as input, and outputs an evaluation result \({{{\mathsf {y}}}}\).

  • \({\mathsf {Sim}}\) is the simulator algorithm that takes \(1^\lambda \), the size parameter \({\mathsf {size}}\) (of a circuit), and a string \({{{\mathsf {y}}}}\) as input, and outputs a simulated garbled circuit \({\widetilde{C}}\) and n labels \(({{{\mathsf {lab}}}}_i)_{i \in [n]}\).

Correctness:

A circuit garbling scheme \({\mathsf {GC}}= ({\mathsf {Garble}}, {\mathsf {Eval}}, {\mathsf {Sim}})\) is said to be correct if for all \(\lambda ,n \in {\mathbb {N}}\), all circuits \(C \in {\mathcal {C}}_n\), all strings \({{{\mathsf {x}}}}= ({{{\mathsf {x}}}}_1, \dots , {{{\mathsf {x}}}}_n) \in \{0,1\}^n\), and all \(({\widetilde{C}}, ({{{\mathsf {lab}}}}_i^v)_{i \in [n], v \in \{0,1\}}) \leftarrow {\mathsf {Garble}}(1^\lambda , C)\), it holds that \({\mathsf {Eval}}({\widetilde{C}}, ({{{\mathsf {lab}}}}_i^{{{{\mathsf {x}}}}_i})_{i \in [n]}) = C({{{\mathsf {x}}}})\).

Security:

We say that a circuit garbling scheme \({\mathsf {GC}}= ({\mathsf {Garble}}, {\mathsf {Eval}}, {\mathsf {Sim}})\) is secure if for all PPT adversaries \({\mathcal {A}}\), we have \({\mathsf {Adv}}_{{\mathsf {GC}},{\mathcal {A}}}^{{\mathsf {gc}}}(\lambda ):= 2 \cdot |\Pr [{\mathsf {Expt}}_{{\mathsf {GC}},{\mathcal {A}}}^{{\mathsf {gc}}}(\lambda ) = 1] - 1/2| = {\mathsf {negl}}(\lambda )\), where the experiment \({\mathsf {Expt}}_{{\mathsf {GC}},{\mathcal {A}}}^{{\mathsf {gc}}}(\lambda )\) is defined as in Fig. 8 (right).

We can realize a circuit garbling scheme for all efficiently computable circuits based on a one-way function [57].
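An added Python implementation of the Garble/Eval syntax of Definition 16 for boolean circuits of fan-in-2 gates, with the Correctness condition checked over every input of a constructed 3-bit majority circuit. This is example code written for this page, not the paper's scheme and not Yao's original construction [57]: labels are 16 random bytes, each gate row is the output label followed by 16 zero bytes masked with SHA-256 of the two active input labels, the zero tail tells Eval which row it decrypted, and the output bit is decoded from a published hash of the two output-wire labels. The circuit encoding, hash-based row encryption and the majority circuit are assumptions of the example; Sim is omitted, so only correctness is exercised, not the security experiment of Fig. 8.

```python
import hashlib
import itertools
import random

LABEL_LEN = 16   # lambda/8: the definition fixes every label to lambda bits

def H(*parts):
    return hashlib.sha256(b"".join(parts)).digest()

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

# A circuit is a list of gates (op, in_wire_a, in_wire_b, out_wire); wires 0..n-1 are the inputs
# and the last gate's out_wire is the single output wire.  (Encoding chosen for this example.)
OPS = {"AND": lambda a, b: a & b, "OR": lambda a, b: a | b, "XOR": lambda a, b: a ^ b}

def evaluate_plain(circuit, x):
    """C(x): evaluates the circuit in the clear, for comparison with Eval."""
    wires = dict(enumerate(x))
    for op, a, b, out in circuit:
        wires[out] = OPS[op](wires[a], wires[b])
    return wires[circuit[-1][3]]

def garble(circuit, n, rng):
    """Garble(1^lambda, C): returns (C~, labels) with labels[(i, v)] for i in [n], v in {0,1}."""
    wires = set(range(n)) | {w for g in circuit for w in g[1:]}
    lab = {(w, v): rng.randbytes(LABEL_LEN) for w in wires for v in (0, 1)}
    tables = []
    for op, a, b, out in circuit:
        rows = []
        for va, vb in itertools.product((0, 1), repeat=2):
            # row = Enc_{lab_a^va, lab_b^vb}(lab_out^{op(va,vb)} || 0^lambda); the zeros authenticate
            plaintext = lab[(out, OPS[op](va, vb))] + bytes(LABEL_LEN)
            rows.append(xor(H(lab[(a, va)], lab[(b, vb)]), plaintext))
        rng.shuffle(rows)                      # hide which row corresponds to which input pair
        tables.append((a, b, out, rows))
    out_wire = circuit[-1][3]
    decode = {H(b"out", lab[(out_wire, v)]): v for v in (0, 1)}   # output decoding information
    garbled = (tables, out_wire, decode)
    return garbled, {(i, v): lab[(i, v)] for i in range(n) for v in (0, 1)}

def eval_garbled(garbled, input_labels):
    """Eval(C~, (lab_i)_{i in [n]}): decrypts exactly one row per gate, then decodes the output."""
    tables, out_wire, decode = garbled
    active = dict(enumerate(input_labels))
    for a, b, out, rows in tables:
        key = H(active[a], active[b])
        for row in rows:
            candidate = xor(key, row)
            if candidate[LABEL_LEN:] == bytes(LABEL_LEN):   # zero tail: this is the right row
                active[out] = candidate[:LABEL_LEN]
                break
        else:
            raise ValueError("no row decrypted: the supplied labels do not match this garbling")
    return decode[H(b"out", active[out_wire])]

def correctness_holds(circuit, n, seed=7):
    """Correctness of Definition 16: Eval(C~, (lab_i^{x_i})_i) = C(x) for every x in {0,1}^n."""
    rng = random.Random(seed)
    garbled, labels = garble(circuit, n, rng)
    for x in itertools.product((0, 1), repeat=n):
        chosen = [labels[(i, x[i])] for i in range(n)]
        if eval_garbled(garbled, chosen) != evaluate_plain(circuit, x):
            return False
    return True

# Constructed example circuit: MAJ(x0, x1, x2) = (x0 AND x1) OR (x2 AND (x0 XOR x1))
MAJ3 = [("AND", 0, 1, 3), ("XOR", 0, 1, 4), ("AND", 2, 4, 5), ("OR", 3, 5, 6)]

if __name__ == "__main__":
    print("correctness holds for MAJ3:", correctness_holds(MAJ3, 3))
```

Note that a fresh garbling is produced per run (fresh labels and row order), which is what the one-time use of a garbled circuit in the SKE construction of Appendix B relies on; reusing C~ with a second set of input labels would be outside the syntax above.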

1.4 Standard PRG

Definition 17

(Standard PRG) We say that an efficiently computable function \({{\mathsf {G}}}: \{0,1\}^\lambda \rightarrow \{0,1\}^\ell \) (for some polynomial \(\ell = \ell (\lambda ) > \lambda \)) is a secure pseudorandom generator (PRG) if for all PPT adversaries \({\mathcal {A}}\), we have

$$\begin{aligned} {\mathsf {Adv}}_{{{\mathsf {G}}}, {\mathcal {A}}}^{{\mathsf {prg}}}(\lambda ) := \left| \Pr _{{{{\mathsf {s}}}}\xleftarrow {{{\mathsf {r}}}}\{0,1\}^\lambda }[{\mathcal {A}}({{\mathsf {G}}}({{{\mathsf {s}}}})) = 1] - \Pr _{{{{\mathsf {y}}}}\xleftarrow {{{\mathsf {r}}}}\{0,1\}^{\ell }}[{\mathcal {A}}({{{\mathsf {y}}}})=1]\right| = {\mathsf {negl}}(\lambda ). \end{aligned}$$

One-time KDM Secure SKE Based on Hinting PRG

In this section, we show how to construct an SKE scheme that is one-time \({\mathcal {B}}_{{\mathsf {size}}}\)-KDM secure (i.e., one-time KDM secure with respect to circuits whose size is bounded by an a priori determined polynomial \({\mathsf {size}}= {\mathsf {size}}(\lambda )\)), using a hinting PRG introduced by Koppula and Waters [40]. We first show our construction, then give a security proof (Theorem 12), and finally explain how Theorem 3 stated in Sect. 4.1 is proved. Our construction of SKE uses a hinting PRG, a circuit garbling scheme, and a standard PRG as building blocks, whose formal definitions are recalled in Appendix A.

Formally, let \(m = m(\lambda )\) be a polynomial that denotes the plaintext length that we wish to encrypt by our SKE scheme, and let \({\mathsf {size}}= {\mathsf {size}}(\lambda ) \ge m\) be any polynomial that denotes the size of circuits for which we aim at achieving \({\mathcal {B}}_{{\mathsf {size}}}\)-KDM security. Then,

  • Let \({\mathsf {HPRG}}=({\mathsf {HSetup}},{\mathsf {HEval}})\) be a hinting PRG scheme whose seed length is \(n = n(\lambda )\).

  • Let \({\mathsf {GC}}= ({\mathsf {Garble}}, {\mathsf {Eval}}, {\mathsf {Sim}})\) be a circuit garbling scheme whose label length is \(\lambda \). Let \(\ell = \ell (\lambda )\) be a polynomial that denotes the size of a garbled circuit \({\widetilde{C}}\) output by \({\mathsf {Garble}}(1^\lambda , C)\) in case C is a circuit whose input length is m and \(|C| = {\mathsf {size}}\).

  • Let \({{\mathsf {G}}}: \{0,1\}^\lambda \rightarrow \{0,1\}^\ell \) be a standard PRG.

Using these ingredients, we construct an SKE scheme \({\mathsf {SKE}}= ({\mathsf {K}}, {\mathsf {E}}, {\mathsf {D}})\) with plaintext space \(\{0,1\}^m\) as described in Fig. 9. In the figure, \({{\mathsf {P}}}[{{{\mathsf {m}}}}]\) denotes a “constant” circuit of size \({\mathsf {size}}\) that has \({{{\mathsf {m}}}}\in \{0,1\}^m\) hardwired, and it always outputs \({{{\mathsf {m}}}}\) for any n-bit input.

Fig. 9: The construction of an SKE scheme \({\mathsf {SKE}}\). In \({\mathsf {E}}\), \({{\mathsf {P}}}[{{{\mathsf {m}}}}]\) is padded to \({\mathsf {size}}\) bits

We remark that if we adopt the syntax of an SKE scheme in which there is a setup algorithm that generates a public parameter shared by all users, then the generation of the public parameter \({{{\mathsf {pp}}}}\) done in \({\mathsf {E}}\) can be moved to the setup, and \({{{\mathsf {pp}}}}\) can be removed from a ciphertext \({{{\mathsf {CT}}}}\).

The correctness of \({\mathsf {SKE}}\) follows from that of \({\mathsf {GC}}\). Moreover, \({\mathsf {SKE}}\) is one-time KDM secure with respect to functions computable by circuits of a priori bounded size \({\mathsf {size}}\) (\({\mathcal {B}}_{{\mathsf {size}}}\)-KDM secure). More precisely, the following theorem holds.

Theorem 12

Let \(m = m(\lambda )\) and \({\mathsf {size}}= {\mathsf {size}}(\lambda ) \ge m\) be any polynomials. Assume that \({\mathsf {HPRG}}\) is a secure hinting PRG, \({\mathsf {GC}}\) is a secure circuit garbling scheme, and \({{\mathsf {G}}}\) is a secure (standard) PRG. Then, \({\mathsf {SKE}}\) is a one-time \({\mathcal {B}}_{{\mathsf {size}}}\)-KDM secure SKE scheme with m-bit plaintext space.

Proof of Theorem 12

Let \({\mathsf {size}}= {\mathsf {size}}(\lambda )\) be a polynomial. Let \({\mathcal {A}}\) be an arbitrary PPT adversary that attacks the one-time \({\mathcal {B}}_{{\mathsf {size}}}\)-KDM security of \({\mathsf {SKE}}\). We proceed with the proof via a sequence-of-games argument with six games. For every \(j \in [6]\), let \(\mathtt {SUC}_{j}\) be the event that \({\mathcal {A}}\) succeeds in guessing the challenge bit (i.e., \(b' = b\) occurs) in Game j.

Game 1:

This is the KDM experiment \({\mathsf {Expt}}_{{\mathsf {SKE}},{\mathcal {B}}_{{\mathsf {size}}},{\mathcal {A}}}^{{\mathsf {kdm}}}(\lambda )\). The detailed description is as follows.

  • Pick a secret-key \({{{\mathsf {sk}}}}= ({{{\mathsf {s}}}}_1,\dots ,{{{\mathsf {s}}}}_n) \xleftarrow {{{\mathsf {r}}}}\{0,1\}^n\) and the challenge bit \(b \xleftarrow {{{\mathsf {r}}}}\{0,1\}\), and run \({\mathcal {A}}(1^\lambda )\).

  • Since we consider the one-time \({\mathcal {B}}_{{\mathsf {size}}}\)-KDM security of \({\mathsf {SKE}}\), \({\mathcal {A}}\) is allowed to make at most a single KDM-encryption query. \({\mathcal {A}}\)’s KDM-encryption query \((f_0,f_1)\in ({\mathcal {B}}_{\mathsf {size}})^2\) is answered with \({{{\mathsf {CT}}}}= ({{{\mathsf {pp}}}}, {{{\mathsf {ct}}}}_0, ({{{\mathsf {ct}}}}_i^v)_{i \in [n], v \in \{0,1\}})\) computed as follows:

    1. Set \({{{\mathsf {m}}}}:= f_b({{{\mathsf {sk}}}})\) and generate \({{{\mathsf {pp}}}}\leftarrow {\mathsf {HSetup}}(1^\lambda )\).

    2. Compute \((\widetilde{{{\mathsf {P}}}}, ({{{\mathsf {lab}}}}_i^v)_{i \in [n],v \in \{0,1\}}) \leftarrow {\mathsf {Garble}}(1^\lambda , {{\mathsf {P}}}[{{{\mathsf {m}}}}])\).

    3. Compute \({{{\mathsf {y}}}}_0 \leftarrow {\mathsf {HEval}}({{{\mathsf {pp}}}}, {{{\mathsf {sk}}}}, 0)\) and \({{{\mathsf {ct}}}}_0 \leftarrow \widetilde{{{\mathsf {P}}}}\oplus {{\mathsf {G}}}({{{\mathsf {y}}}}_0)\).

    4. For every \(i \in [n]\), compute \({{{\mathsf {y}}}}_i^{{{{\mathsf {s}}}}_i} \leftarrow {\mathsf {HEval}}({{{\mathsf {pp}}}}, {{{\mathsf {sk}}}}, i)\) and \({{{\mathsf {ct}}}}_i^{{{{\mathsf {s}}}}_i} \leftarrow {{{\mathsf {lab}}}}_i^{{{{\mathsf {s}}}}_i} \oplus {{{\mathsf {y}}}}_i^{{{{\mathsf {s}}}}_i}\), and pick \({{{\mathsf {ct}}}}_i^{1 - {{{\mathsf {s}}}}_i} \xleftarrow {{{\mathsf {r}}}}\{0,1\}^\lambda \).

    5. Set \({{{\mathsf {CT}}}}\leftarrow ({{{\mathsf {pp}}}}, {{{\mathsf {ct}}}}_0, ({{{\mathsf {ct}}}}_i^v)_{i \in [n],v \in \{0,1\}})\).

  • \({\mathcal {A}}\) terminates with output \(b' \in \{0,1\}\).

Game 2:

Same as Game 1, except that \((\widetilde{{{\mathsf {P}}}}, ({{{\mathsf {lab}}}}_i^{{{{\mathsf {s}}}}_i})_{i \in [n]})\) is computed by \((\widetilde{{{\mathsf {P}}}}, ({{{\mathsf {lab}}}}_i^{{{{\mathsf {s}}}}_i})_{i \in [n]}) \leftarrow {\mathsf {Sim}}(1^\lambda , {\mathsf {size}}, f_b({{{\mathsf {sk}}}}))\). Note that in Game 1, the information of \(({{{\mathsf {lab}}}}_i^{1 - {{{\mathsf {s}}}}_i})_{i \in [n]}\) is hidden from \({\mathcal {A}}\)’s view. Hence, by the security of \({\mathsf {GC}}\), we can derive \(\left| \Pr [\mathtt {SUC}_{1}]-\Pr [\mathtt {SUC}_{2}]\right| ={\mathsf {negl}}(\lambda )\).

Game 3:

Same as Game 2, except that \((\widetilde{{{\mathsf {P}}}}, ({{{\mathsf {lab}}}}_i^{{{{\mathsf {s}}}}_i})_{i \in [n]})\) is computed by \((\widetilde{{{\mathsf {P}}}}, ({{{\mathsf {lab}}}}_i^v)_{i \in [n],v \in \{0,1\}}) \leftarrow {\mathsf {Garble}}(1^\lambda ,f_b)\). By the security of \({\mathsf {GC}}\) again, we obtain \(\left| \Pr [\mathtt {SUC}_{2}]-\Pr [\mathtt {SUC}_{3}]\right| = {\mathsf {negl}}(\lambda )\). Note that due to the change made in this game, \({{{\mathsf {sk}}}}\) is now used only for computing \({{{\mathsf {y}}}}_0 = {\mathsf {HEval}}({{{\mathsf {pp}}}}, {{{\mathsf {sk}}}}, 0)\) and \(({{{\mathsf {y}}}}_i^{{{{\mathsf {s}}}}_i} = {\mathsf {HEval}}({{{\mathsf {pp}}}}, {{{\mathsf {sk}}}}, i))_{i \in [n]}\).

Game 4:

Same as Game 3, except that each \({{{\mathsf {ct}}}}_i^{1 - {{{\mathsf {s}}}}_i}\) is computed by \({{{\mathsf {ct}}}}_i^{1 - {{{\mathsf {s}}}}_i} \leftarrow {{{\mathsf {lab}}}}_i^{1 - {{{\mathsf {s}}}}_i} \oplus {{{\mathsf {y}}}}_i^{1 - {{{\mathsf {s}}}}_i}\) for every \(i \in [n]\), where \({{{\mathsf {y}}}}_i^{1 - {{{\mathsf {s}}}}_i} \xleftarrow {{{\mathsf {r}}}}\{0,1\}^\lambda \). The values \(({{{\mathsf {ct}}}}_i^{1-{{{\mathsf {s}}}}_i})_{i \in [n]}\) in Game 3 and those in Game 4 are identically distributed from \({\mathcal {A}}\)’s view, since XORing a fixed label with a uniformly random \(\lambda \)-bit string again yields a uniformly random string. Thus, we have \(\left| \Pr [\mathtt {SUC}_{3}]-\Pr [\mathtt {SUC}_{4}]\right| = 0\).

Game 5:

Same as Game 4, except that \({{{\mathsf {y}}}}_0\) and all of \(({{{\mathsf {y}}}}_i^{{{{\mathsf {s}}}}_i})_{i \in [n]}\) are chosen uniformly at random from \(\{0,1\}^\lambda \). By the security of \({\mathsf {HPRG}}\), we have \(\left| \Pr [\mathtt {SUC}_{4}]-\Pr [\mathtt {SUC}_{5}]\right| ={\mathsf {negl}}(\lambda )\).

Game 6:

Same as Game 5, except that \({{\mathsf {G}}}({{{\mathsf {y}}}}_0)\) is replaced with \({{{\mathsf {y}}}}'_0 \xleftarrow {{{\mathsf {r}}}}\{0,1\}^{\ell }\). By the security of \({{\mathsf {G}}}\), we have \(\left| \Pr [\mathtt {SUC}_{5}]-\Pr [\mathtt {SUC}_{6}]\right| ={\mathsf {negl}}(\lambda )\).

Notice that in Game 6, \({{{\mathsf {ct}}}}_0\) and all of \(({{{\mathsf {ct}}}}_i^v)_{i \in [n], v \in \{0,1\}}\) are distributed uniformly and independently of one another. This is because in this game, \({{{\mathsf {y}}}}'_0\) and \(({{{\mathsf {y}}}}_i^v)_{i \in [n], v \in \{0,1\}}\) are all chosen uniformly and independently, and \({{{\mathsf {ct}}}}_0\) and each of \({{{\mathsf {ct}}}}_i^v\) are generated as \({{{\mathsf {ct}}}}_0 = \widetilde{{{\mathsf {P}}}}\oplus {{{\mathsf {y}}}}'_0\) and \({{{\mathsf {ct}}}}_i^v = {{{\mathsf {lab}}}}_i^v \oplus {{{\mathsf {y}}}}_i^v\) for every \((i,v) \in [n] \times \{0,1\}\), respectively. Thus, the information of b is completely hidden from \({\mathcal {A}}\)’s view, and we have \(\Pr [\mathtt {SUC}_{6}] = 1/2\).

From the above arguments, we have

$$\begin{aligned} {\mathsf {Adv}}_{{\mathsf {SKE}}, {\mathcal {B}}_{{\mathsf {size}}}, {\mathcal {A}}}^{{\mathsf {kdm}}}(\lambda )&=2\cdot \left| \Pr [\mathtt {SUC}_{1}]-\frac{1}{2}\right| \\&\le 2 \cdot \left( \sum _{j \in [5]} \left| \Pr [\mathtt {SUC}_{j}]-\Pr [\mathtt {SUC}_{j+1}]\right| + \left| \Pr [\mathtt {SUC}_{6}] - \frac{1}{2}\right| \right) \\&={\mathsf {negl}}(\lambda ). \end{aligned}$$

Since the choice of \({\mathcal {A}}\) was arbitrary, we can conclude that \({\mathsf {SKE}}\) is one-time \({\mathcal {B}}_{{\mathsf {size}}}\)-KDM secure. \(\square \) (Theorem 12)

Finally, we give the proof of Theorem 3 (stated in Sect. 4.1).

Proof of Theorem 3 (in Sect. 4.1)

Firstly, the statement about the existence of \({\mathcal {B}}_{{\mathsf {size}}}\)-KDM secure SKE in Theorem 3 is immediate from our construction \({\mathsf {SKE}}\) and Theorem 12.

To see that the statement about the fully black-box construction of a \({\mathcal {P}}\)-KDM secure SKE scheme from a hinting PRG is true, we explain that if we focus only on \({\mathcal {P}}\)-KDM security (as opposed to \({\mathcal {B}}_{{\mathsf {size}}}\)-KDM security), then our construction \({\mathsf {SKE}}\) is a fully black-box construction from a hinting PRG scheme.

Firstly, it is clear that our construction \({\mathsf {SKE}}\) uses the building blocks (a hinting PRG \({\mathsf {HPRG}}\), a circuit garbling scheme \({\mathsf {GC}}\), and a standard PRG \({{\mathsf {G}}}\)) in a black-box manner. Since a circuit garbling scheme and a standard PRG can be constructed from a hinting PRG in a black-box manner, our construction \({\mathsf {SKE}}\) can be seen as being constructed using a hinting PRG in a black-box way.

It remains to see that the security reductions used for proving the \({\mathcal {P}}\)-KDM security of \({\mathsf {SKE}}\) treat the underlying primitives (in this case, \({\mathsf {HPRG}}\), \({\mathsf {GC}}\), and \({{\mathsf {G}}}\)) and an adversary in a black-box manner. The security reductions in the proof of Theorem 12 obviously need not treat the building block primitives in a non-black-box manner. However, there is a subtle issue: Recall that in the KDM security game, a fully black-box reduction needs to treat not only the adversary itself, but also the adversary’s KDM-encryption query as a black box. However, as seen in the proof of Theorem 12 above, the reduction algorithms that simulate Game 3 and/or the subsequent games would need to garble the adversary’s KDM-encryption query \(f_b\). This may seem to lead to a non-black-box treatment of the KDM-encryption query \(f_b\). However, recall that a projection function is learnable in the sense that its canonical description can be completely recovered by making only polynomially many oracle queries (in its input length and output length) to it and observing the outputs. Thus, we can conduct the security proofs without treating the adversary and its KDM-encryption query in a non-black-box way. \(\square \) (Theorem 3)

(Ordinary) One-Way TDF

In this section, we show a TDF achieving (ordinary) one-wayness. The construction is a simpler variant of our adaptive one-way construction presented in Sect. 6. In particular, we need not use a target collision resistant hash function.

Formally, let \(\ell = \ell (\lambda )\) be a polynomial. Our one-way TDF uses the building blocks \({\mathsf {KEM}}\) and \({\mathsf {SKE}}\) with the following properties:

  • \({\mathsf {KEM}}= ({\mathsf {KKG}}, {\mathsf {Encap}},{\mathsf {Decap}})\) is a KEM such that (1) its session key space is \(\{0,1\}^{2\lambda }\), (2) the randomness space of \({\mathsf {Encap}}\) is \(\{0,1\}^\lambda \), and (3) the ciphertext space \({\mathcal {C}}\) forms an abelian group (where we use the additive notation) and satisfies \(|{\mathcal {C}}| \ge 2^{2\lambda }\).

  • \({\mathsf {SKE}}= ({\mathsf {K}}, {\mathsf {E}}, {\mathsf {D}})\) is an SKE scheme such that (1) it has the randomness-recovering decryption property (with the randomness-recovering decryption algorithm \({\mathsf {RD}}\)), (2) its secret key space is \(\{0,1\}^n\) for some polynomial \(n = n(\lambda )\), and (3) the plaintext space is \(\{0,1\}^{n \cdot \lambda + \ell }\). We denote the randomness space of \({\mathsf {E}}\) by \({\mathcal {R}}_{{\mathsf {SKE}}}\).

Using these building blocks, our TDF \({\mathsf {TDF}}' = ({\mathsf {Setup}}', {\mathsf {Samp}}', {\mathsf {Eval}}', {\mathsf {Inv}}')\) with one-wayness is constructed as in Fig. 10. The domain \({\mathcal {X}}\) of \({\mathsf {TDF}}'\) is \({\mathcal {X}}= \{0,1\}^n \times \{0,1\}^{n \cdot \lambda } \times {\mathcal {R}}_{{\mathsf {SKE}}}\).

As in the case of our adaptive one-way construction in Sect. 6, \({{{\mathsf {k}}}}\in \{0,1\}^\ell \) in a domain element can be used as hard-core bits.

Fig. 10 The proposed TDF \({\mathsf {TDF}}'\) with one-wayness. \(^{(\dag )}\) The arithmetic is done over \(\mathrm {GF}(2^{2\lambda })\), where we identify \(\{0,1\}^{2\lambda }\) with \(\mathrm {GF}(2^{2\lambda })\). \(^{(\ddag )}\) The addition is done over \({\mathcal {C}}\).

The correctness and one-wayness of \({\mathsf {TDF}}'\) are guaranteed by the following theorems. We omit their proofs since they are very similar to (actually, only simpler than) those of Theorems 7 and 8.

Theorem 13

Let \(\epsilon = \epsilon (\lambda ) \in [0,1]\). If \({\mathsf {KEM}}\) is \(\epsilon \)-almost-all-keys correct and \({\mathsf {SKE}}\) has the randomness-recovering decryption property, then \({\mathsf {TDF}}'\) is \((\epsilon + n \cdot 2^{-\lambda })\)-almost-all-keys correct.

Theorem 14

Assume that \({\mathsf {KEM}}\) satisfies the pseudorandom ciphertext property and almost-all-keys correctness, and \({\mathsf {SKE}}\) is one-time \({\mathcal {P}}\)-KDM secure. Then, \({\mathsf {TDF}}'\) is one-way.

Proof of Theorem 9

Let \(\epsilon : {\mathbb {N}}\rightarrow [0,1]\) be such that \({\mathsf {KEM}}\) is \(\epsilon \)-almost-all-keys correct. Let \({\mathcal {A}}\) be any PPT adversary that attacks \({\mathsf {KEM}}'\) in the sense of the pseudorandom ciphertext property under CCA. We will show that for this \({\mathcal {A}}\), there exist PPT adversaries \(\{{\mathcal {B}}_{{\mathsf {tcr}}}^j\}_{j \in [2]}\), \(\{{\mathcal {B}}_{{\mathsf {prct}}}^j\}_{j \in [4]}\), and \({\mathcal {B}}_{{\mathsf {kdm}}}\) satisfying

$$\begin{aligned} {\mathsf {Adv}}_{{\mathsf {KEM}}_{{\mathsf {prct}}},{\mathcal {A}}}^{{\mathsf {prctcca}}}(\lambda )\le & {} \sum _{j \in [2]} {\mathsf {Adv}}_{{\mathsf {Hash}},{\mathcal {B}}_{{\mathsf {tcr}}}^j}^{{\mathsf {tcr}}}(\lambda ) + \sum _{j \in [4]} {\mathsf {Adv}}_{{\mathsf {KEM}},n,{\mathcal {B}}_{{\mathsf {prct}}}^j}^{{\mathsf {mprct}}}(\lambda )\nonumber \\&+ {\mathsf {Adv}}_{{\mathsf {SKE}}, {\mathcal {P}}, {\mathcal {B}}_{{\mathsf {kdm}}}}^{{\mathsf {kdm-prct}}}(\lambda ) + 6\epsilon + 6n \cdot 2^{-\lambda }, \end{aligned}$$
(18)

The right-hand side is negligible under our assumptions, so this bound proves the theorem.

The proof proceeds using a sequence-of-games argument with 10 games. In the following, we let \(\mathtt {T}_{j}\) denote the event that \({\mathcal {A}}\) outputs 1 in Game \(j \in [10]\).

Game 1:

This is the experiment for the pseudorandom ciphertext property under CCA, namely \({\mathsf {Expt}}_{{\mathsf {KEM}}_{{\mathsf {prct}}},{\mathcal {A}}}^{{\mathsf {prctcca}}}(\lambda )\), in which the challenge bit \(b = 1\). We will later show that Game 10 (the final game) corresponds to the experiment \({\mathsf {Expt}}_{{\mathsf {KEM}}_{{\mathsf {prct}}},{\mathcal {A}}}^{{\mathsf {prctcca}}}(\lambda )\) with \(b=0\), and thus we have \({\mathsf {Adv}}_{{\mathsf {KEM}}_{{\mathsf {prct}}},{\mathcal {A}}}^{{\mathsf {prctcca}}}(\lambda ) = |\Pr [\mathtt {T}_{1}] - \Pr [\mathtt {T}_{10}]| \le \sum _{j \in [9]}|\Pr [\mathtt {T}_{j}] - \Pr [\mathtt {T}_{j+1}]|\). Note that Game 1 is almost like \({\mathsf {Expt}}_{{\mathsf {TDF}},{\mathcal {A}}}^{{\mathsf {aow}}}(\lambda )\), except that \({\mathcal {A}}\) is additionally given the challenge session-key \({{{\mathsf {k}}}}^*\) (used in the generation of \({{{\mathsf {ct}}}}_{{\mathsf {SKE}}}^*\) in the challenge ciphertext \({{{\mathsf {CT}}}}^*\)). Furthermore, the subsequent games up to Game 5 are also designed similarly to the corresponding games in the proof of Theorem 8. We will use the same notation as in the proof of Theorem 8, such as \({\mathcal {S}}_{{\mathsf {zero}}}\) and \({\mathcal {S}}_{{\mathsf {one}}}\).

Game 2:

Same as Game 1, except for the additional rejection rule in the decapsulation oracle: If \({\mathcal {A}}\)’s decapsulation query \({{{\mathsf {CT}}}}= (({{{\mathsf {ct}}}}_i, {{{\mathsf {T}}}}_i)_{i \in [n]}, {{{\mathsf {ct}}}}_{{\mathsf {SKE}}})\) satisfies \({{{\mathsf {h}}}}= {\mathsf {H}}({{{\mathsf {hk}}}}, ({{{\mathsf {ct}}}}_i)_{i \in [n]} \Vert {{{\mathsf {ct}}}}_{{\mathsf {SKE}}}) = {{{\mathsf {h}}}}^*\), then the decapsulation oracle immediately returns \(\bot \) to \({\mathcal {A}}\). With essentially the same argument as in the proof of Lemma 7, we can construct a reduction algorithm \({\mathcal {B}}_{{\mathsf {tcr}}}^1\) that attacks the target collision resistance of the underlying keyed hash function \({\mathsf {Hash}}\) and satisfies \(|\Pr [\mathtt {T}_{1}] - \Pr [\mathtt {T}_{2}]| \le {\mathsf {Adv}}_{{\mathsf {Hash}},{\mathcal {B}}_{{\mathsf {tcr}}}^1}^{{\mathsf {tcr}}}(\lambda ) + \epsilon + n \cdot 2^{-\lambda }\).

Game 3:

Same as Game 2, except that we additionally pick \({{{\mathsf {r}}}}_1^{*(1-{{{\mathsf {s}}}}_1^*)}, \dots , {{{\mathsf {r}}}}_n^{*(1-{{{\mathsf {s}}}}_n^*)} \xleftarrow {{{\mathsf {r}}}}\{0,1\}^\lambda \), and compute \(({{{\mathsf {ct}}}}_i^{*(1-{{{\mathsf {s}}}}_i^*)}, {{{\mathsf {k}}}}_i^{*(1-{{{\mathsf {s}}}}_i^*)}) \leftarrow {\mathsf {Encap}}({{{\mathsf {pk}}}}^{1-{{{\mathsf {s}}}}_i^*}; {{{\mathsf {r}}}}_i^{*(1-{{{\mathsf {s}}}}_i^*)})\) for every \(i \in [n]\). Then, for the positions \(i \in {\mathcal {S}}_{{\mathsf {zero}}}\), \({{{\mathsf {C}}}}_i\)’s and \({{{\mathsf {A}}}}_i\)’s are generated as in Eq. 15 in the proof of Theorem 8, namely \({{{\mathsf {C}}}}_i \leftarrow {{{\mathsf {ct}}}}_i^{*0} - {{{\mathsf {ct}}}}_i^{*1}\) and \({{{\mathsf {A}}}}_i \leftarrow {{{\mathsf {k}}}}_i^{*0} - {{{\mathsf {k}}}}_i^{*1} - {{{\mathsf {B}}}}\cdot {{{\mathsf {h}}}}^*\). By the above change, for \(i \in {\mathcal {S}}_{{\mathsf {zero}}}\), we always have \({{{\mathsf {ct}}}}^*_i = {{{\mathsf {ct}}}}^{*0}_i\) and \({{{\mathsf {T}}}}^*_i = {{{\mathsf {k}}}}^{*0}_i\). With essentially the same argument as in the proof of Lemma 8, we can construct a reduction algorithm \({\mathcal {B}}_{{\mathsf {prct}}}^1\) that attacks the n-multi-challenge pseudorandom ciphertext property of the underlying KEM \({\mathsf {KEM}}\) and satisfies \(|\Pr [\mathtt {T}_{2}] - \Pr [\mathtt {T}_{3}]| = {\mathsf {Adv}}_{{\mathsf {KEM}},n,{\mathcal {B}}_{{\mathsf {prct}}}^1}^{{\mathsf {prct}}}(\lambda )\).

Game 4:

Same as Game 3, except for the behavior of the decapsulation oracle. Specifically, in this game, for answering \({\mathcal {A}}\)’s decapsulation queries \({{{\mathsf {y}}}}= (({{{\mathsf {ct}}}}_i, {{{\mathsf {T}}}}_i)_{i \in [n]}, {{{\mathsf {ct}}}}_{{\mathsf {SKE}}})\), the oracle first computes \({{{\mathsf {h}}}}= {\mathsf {H}}({{{\mathsf {hk}}}}, ({{{\mathsf {ct}}}}_i)_{i \in [n]} \Vert {{{\mathsf {ct}}}}_{{\mathsf {SKE}}})\), and returns \(\bot \) to \({\mathcal {A}}\) if \({{{\mathsf {h}}}}= {{{\mathsf {h}}}}^*\). (This rejection rule is the same as in Game 3.) Otherwise, the oracle uses the “alternative inversion algorithm” \({\mathsf {AltInv}}\) defined in the proof of Theorem 8 with the alternative trapdoor \({{{\mathsf {td}}}}' = ({{{\mathsf {sk}}}}^1, {{{\mathsf {ek}}}})\). With essentially the same argument as in the proof of Lemma 9, we have \(|\Pr [\mathtt {T}_{3}] - \Pr [\mathtt {T}_{4}]| \le 2 \epsilon + n \cdot 2^{-\lambda + 1}\).

Game 5:

Same as Game 4, except that \({{{\mathsf {C}}}}_i\)’s and \({{{\mathsf {A}}}}_i\)’s for the positions \(i \in {\mathcal {S}}_{{\mathsf {one}}}\) are generated as in Game 3 (i.e., as in Eq. 15 in the proof of Theorem 8). By this change, all of \(({{{\mathsf {C}}}}_i)_{i \in [n]}\) and \(({{{\mathsf {A}}}}_i)_{i \in [n]}\) are generated as in Eq. 15, and \({{{\mathsf {ct}}}}_i^* = {{{\mathsf {ct}}}}_i^{*0}\) and \({{{\mathsf {T}}}}_i^* = {{{\mathsf {k}}}}_i^{*0}\) hold for every \(i \in [n]\), no matter whether \({{{\mathsf {s}}}}_i^* = 0\) or \({{{\mathsf {s}}}}_i^* = 1\). Hence, in this game, values dependent on \({{{\mathsf {s}}}}^*\) appear only in the plaintext of \({{{\mathsf {ct}}}}_{{\mathsf {SKE}}}^*\) (i.e., \(({{{\mathsf {r}}}}_i^{*({{{\mathsf {s}}}}_i^*)})_{i \in [n]} \Vert {{{\mathsf {k}}}}^*\)). Similarly to the transition from Game 2 to Game 3, we can construct a reduction algorithm \({\mathcal {B}}_{{\mathsf {prct}}}^2\) that satisfies \(|\Pr [\mathtt {T}_{4}] - \Pr [\mathtt {T}_{5}]| = {\mathsf {Adv}}_{{\mathsf {KEM}},n,{\mathcal {B}}_{{\mathsf {prct}}}^2}^{{\mathsf {prct}}}(\lambda )\).

Game 6:

Same as Game 5, except that \({{{\mathsf {ct}}}}_{{\mathsf {SKE}}}^*\) in the challenge ciphertext \({{{\mathsf {CT}}}}^*\) is chosen uniformly at random from the ciphertext space of the underlying SKE scheme \({\mathsf {SKE}}\). Similarly to the proof of Lemma 11, we can construct a reduction algorithm \({\mathcal {B}}_{{\mathsf {kdm}}}\) that attacks the underlying SKE scheme \({\mathsf {SKE}}\) in the sense of one-time \({\mathcal {P}}\)-KDM security with the pseudorandom ciphertext property and satisfies \(|\Pr [\mathtt {T}_{5}] - \Pr [\mathtt {T}_{6}]| = {\mathsf {Adv}}_{{\mathsf {SKE}},{\mathcal {P}},{\mathcal {B}}_{{\mathsf {kdm}}}}^{{\mathsf {kdm-prct}}}(\lambda )\).

Game 7:

Same as Game 6, except that for every \(i \in [n]\), we pick \(({{{\mathsf {ct}}}}^{*0}_i, {{{\mathsf {k}}}}^{*0}_i)\) uniformly at random from \({\mathcal {C}}\times \{0,1\}^{3\lambda }\), instead of generating it by \({\mathsf {Encap}}({{{\mathsf {pk}}}}^0)\). Note that in Game 7, \({{{\mathsf {sk}}}}^0\) is not used in the decapsulation oracle. Thus, it is straightforward to construct a reduction algorithm \({\mathcal {B}}_{{\mathsf {prct}}}^3\) that satisfies \(|\Pr [\mathtt {T}_{6}] - \Pr [\mathtt {T}_{7}]| = {\mathsf {Adv}}_{{\mathsf {KEM}},n,{\mathcal {B}}_{{\mathsf {prct}}}^3}^{{\mathsf {prct}}}(\lambda )\).

Game 8:

Same as Game 7, except that we switch the decapsulation oracle back to the one using \({\mathsf {Inv}}\) with the usual secret key \({{{\mathsf {SK}}}}= {{{\mathsf {td}}}}= ({{{\mathsf {sk}}}}^0, {{{\mathsf {ek}}}})\), but we still use the rejection rule regarding \({{{\mathsf {h}}}}\) as introduced in Game 2. Similarly to the transition from Game 3 to Game 4, we have \(|\Pr [\mathtt {T}_{7}] - \Pr [\mathtt {T}_{8}]| \le 2 \epsilon + n \cdot 2^{-\lambda + 1}\).

Game 9:

Same as Game 8, except that for every \(i \in [n]\), we pick \(({{{\mathsf {ct}}}}^{*1}_i, {{{\mathsf {k}}}}^{*1}_i)\) uniformly at random from \({\mathcal {C}}\times \{0,1\}^{3\lambda }\), instead of generating it by \({\mathsf {Encap}}({{{\mathsf {pk}}}}^1)\). Analogously to the transition from Game 6 to Game 7, we can construct a reduction algorithm \({\mathcal {B}}_{{\mathsf {prct}}}^4\) that satisfies \(|\Pr [\mathtt {T}_{8}] - \Pr [\mathtt {T}_{9}]| = {\mathsf {Adv}}_{{\mathsf {KEM}},n,{\mathcal {B}}_{{\mathsf {prct}}}^4}^{{\mathsf {prct}}}(\lambda )\).

Game 10:

Same as Game 9, except that the decapsulation oracle does not employ the rejection rule regarding \({{{\mathsf {h}}}}\). With the same argument as in the transition from Game 1 to Game 2, we can construct a reduction algorithm \({\mathcal {B}}_{{\mathsf {tcr}}}^2\) that satisfies \(|\Pr [\mathtt {T}_{9}] - \Pr [\mathtt {T}_{10}]| \le {\mathsf {Adv}}_{{\mathsf {Hash}},{\mathcal {B}}_{{\mathsf {tcr}}}^2}^{{\mathsf {tcr}}}(\lambda ) + \epsilon + n \cdot 2^{-\lambda }\). Finally, we argue that Game 10 is exactly the experiment for the pseudorandom ciphertext property under CCA, \({\mathsf {Expt}}_{{\mathsf {KEM}}_{{\mathsf {prct}}},{\mathcal {A}}}^{{\mathsf {prctcca}}}(\lambda )\), in which the challenge bit \(b = 0\). To see this, note that all the labels \({{{\mathsf {A}}}}_i = {{{\mathsf {k}}}}^{*0}_i - {{{\mathsf {k}}}}^{*1}_i - {{{\mathsf {B}}}}\cdot {{{\mathsf {h}}}}^*\) and \({{{\mathsf {C}}}}_i = {{{\mathsf {ct}}}}^{*0}_i - {{{\mathsf {ct}}}}^{*1}_i\) in \({{{\mathsf {PK}}}}\), as well as all the components \({{{\mathsf {ct}}}}^*_i = {{{\mathsf {ct}}}}^{*0}_i\), \({{{\mathsf {T}}}}^*_i = {{{\mathsf {k}}}}^{*0}_i\), and \({{{\mathsf {ct}}}}_{{\mathsf {SKE}}}^*\) in the challenge ciphertext \({{{\mathsf {CT}}}}^*\), are distributed independently and uniformly at random in the corresponding spaces. Hence, \({{{\mathsf {PK}}}}\) is constructed exactly as that of \({\mathsf {KEM}}_{{\mathsf {prct}}}\), and \({{{\mathsf {CT}}}}^*\) and \({{{\mathsf {k}}}}^*\) are distributed uniformly in the ciphertext and session-key spaces, respectively, which is exactly the situation in the original experiment in which \(b=0\). The decapsulation oracle is also the same as in the original experiment. Hence, Game 10 is exactly the same as the original experiment \({\mathsf {Expt}}_{{\mathsf {KEM}}_{{\mathsf {prct}}},{\mathcal {A}}}^{{\mathsf {prctcca}}}(\lambda )\) with \(b=0\).

Putting everything together, we see that there exist PPT adversaries \(\{{\mathcal {B}}_{{\mathsf {tcr}}}^j\}_{j \in [2]}\), \(\{{\mathcal {B}}_{{\mathsf {prct}}}^j\}_{j \in [4]}\), and \({\mathcal {B}}_{{\mathsf {kdm}}}\) satisfying Eq. 18. This completes the proof. \(\square \) (Theorem 9)

Cite this article

Kitagawa, F., Matsuda, T. & Tanaka, K. CCA Security and Trapdoor Functions via Key-Dependent-Message Security. J Cryptol 35, 9 (2022). https://doi.org/10.1007/s00145-022-09420-8