This paper introduces a new concept of public key encryption with secure key leasing (PKE-SKL), enabling controlled decryption key leasing with security guarantees, and provides constructions for PKE-SKL and related encryption schemes.
Contribution
It formalizes the notion of secure key leasing, introduces security definitions, and constructs PKE-SKL schemes leveraging existing encryption frameworks.
Findings
1. Defined PKE with secure key leasing and security notions
2. Constructed PKE-SKL using CoIC-KLA security and CPFE
3. Extended secure key leasing to IBE, ABE, and FE schemes
Abstract
We introduce the notion of public key encryption with secure key leasing (PKE-SKL). Our notion supports the leasing of decryption keys so that a leased key achieves the decryption functionality but comes with the guarantee that if the quantum decryption key returned by a user passes a validity test, then the user has lost the ability to decrypt. Our notion is similar in spirit to the notion of secure software leasing (SSL) introduced by Ananth and La Placa (Eurocrypt 2021) but captures significantly more general adversarial strategies. (Footnote 1: In more detail, our adversary is not restricted to using an honest evaluation algorithm to run pirated software.) Our results can be summarized as follows:
1. Definitions: We introduce the definition of PKE with secure key leasing and formalize a security notion that we call indistinguishability against key leasing attacks (IND-KLA security). We also define a one-wayness notion for PKE-SKL that we call OW-KLA security and show that an OW-KLA secure PKE-SKL scheme can be lifted to an IND-KLA secure one by using the (quantum) Goldreich-Levin lemma.
2. Constructing IND-KLA PKE with Secure Key Leasing: We provide a construction of OW-KLA secure PKE-SKL (which implies IND-KLA secure PKE-SKL as discussed above) by leveraging a PKE scheme that satisfies a new security notion that we call consistent or inconsistent security against key leasing attacks (CoIC-KLA security). We then construct a CoIC-KLA secure PKE scheme using 1-key Ciphertext-Policy Functional Encryption (CPFE) that in turn can be based on any IND-CPA secure PKE scheme.
3. Identity Based Encryption, Attribute Based Encryption and Functional Encryption with Secure Key Leasing: We provide definitions of secure key leasing in the context of advanced encryption schemes such as identity based encryption (IBE), attribute-based encryption (ABE) and functional encryption (FE). Then we provide constructions by combining the above PKE-SKL with standard IBE, ABE and FE schemes.
Notably, our definitions allow the adversary to request distinguishing keys in the security game, namely, keys that distinguish the challenge bit by simply decrypting the challenge ciphertext, as long as it returns them (and they pass the validity test) before it sees the challenge ciphertext. All our constructions satisfy this stronger definition, albeit with the restriction that only a bounded number of such keys is allowed to the adversary in the IBE and ABE (but not FE) security games.
Prior to our work, the notion of single decryptor encryption (SDE) has been studied in the context of PKE (Georgiou and Zhandry, Eprint 2020) and FE (Kitagawa and Nishimaki, Asiacrypt 2022) but all their constructions rely on strong assumptions including indistinguishability obfuscation. In contrast, our constructions do not require any additional assumptions, showing that PKE/IBE/ABE/FE can be upgraded to support secure key leasing for free.
Recent years have seen amazing advances in cryptography by leveraging the power of quantum computation. Several novel primitives such as perfectly secure key agreement [BB20], quantum money [Wie83], quantum copy protection [Aar09], one-shot signatures [AGKZ20] and others, which are not known to exist in the classical world, can be constructed in the quantum setting, significantly advancing cryptographic capabilities.
In this work, we continue to study harnessing quantum powers to protect against software piracy. The quantum no-cloning principle intuitively suggests applicability to anti-piracy, an approach which was first investigated in the seminal work of Aaronson [Aar09], who introduced the notion of quantum copy protection. At a high level, quantum copy protection prevents users from copying software in the sense that it guarantees that when an adversary is given a copy protected circuit for computing some function f, it cannot create two (possibly entangled) quantum states, both of which can compute f. While interesting in its own right for preventing software piracy, quantum copy protection (for some class of circuits) also has the amazing application of public-key quantum money [AC12]. Perhaps unsurprisingly, constructions of quantum copy protection schemes from standard cryptographic assumptions have remained largely elusive. This motivates the study of primitives weaker than quantum copy protection, which nevertheless offer meaningful guarantees for anti-piracy.
Secure software leasing (SSL), introduced by Ananth and La Placa [AL21], is such a primitive, which while being weaker than quantum copy-protection, is nevertheless still meaningful for software anti-piracy. Intuitively, this notion allows software to be encoded into a version which may be leased or rented out, for some specific term at some given cost. Once the lease expires, the lessee returns the software and the lessor can run an efficient procedure to verify its validity. If the software passes the test, we have the guarantee that the lessee is no longer able to run the software (using the honest evaluation algorithm).
In this work, we explore the possibility of equipping public key encryption (PKE) with a key leasing capability. The benefits of such a capability are indisputable – in the real world, decryption keys of users often need to be revoked, for instance, when a user leaves an organization. In the classical setting, nothing prevents the user from maintaining a copy of her decryption key and misusing its power. Revocation mechanisms have been designed to prevent such attacks, but these are often cumbersome in practice. Typically, such a mechanism entails the revoked key being included in a Certificate Revocation List (CRL) or Certificate Revocation Trees (CRT), or some database which is publicly available, so that other users are warned against its usage. However, the challenges of effective certificate revocation are well acknowledged in public key infrastructure – please see [BDTW01] for a detailed discussion. If the decryption keys of a PKE could be encoded as quantum states and allow for verifiable leasing, this would constitute a natural and well-fitting solution to the challenge of key revocation.
1.1 Prior Work
In this section, we discuss prior work related to public key encryption (PKE) and public key functional encryption (PKFE), where decryption keys are encoded into quantum states to benefit from uncloneability. For a broader discussion on prior work related to quantum copy protection and secure software leasing, we refer the reader to Section 1.4.
Georgiou and Zhandry [GZ20] introduced the notion of single decryptor encryption (SDE), where the decryption keys are unclonable quantum objects. They showed how to use one-shot signatures together with extractable witness encryption with quantum auxiliary information to achieve public key SDE. Subsequently, Coladangelo, Liu, Liu, and Zhandry [CLLZ21] achieved SDE assuming iO and extractable witness encryption or assuming subexponential iO, subexponential OWF, LWE and a strong monogamy property (which was subsequently shown to be true [CV22]). Very recently, Kitagawa and Nishimaki [KN22a] introduced the notion of single-decryptor functional encryption (SDFE), where each functional decryption key is copy protected and provided collusion-resistant single decryptor PKFE for P/poly from the subexponential hardness of iO and LWE.
It is well-known [ALL+21, AL21] that copy protection is a stronger notion than SSL (Footnote 2: The informed reader may observe that this implication may not always be true due to some subtleties, but we ignore these for the purpose of the overview.) – intuitively, if an adversary can generate two copies of a program, then it can return one of them while keeping the other for later use. Thus, constructions of single decryptor encryption [GZ20, CLLZ21, KN22a] imply our notion of PKE with secure key leasing from their respective assumptions, which all include at least the assumption of iO (see Appendix A for the details).
Additionally, in the context of public key FE, the only prior work by Kitagawa and Nishimaki [KN22a] considers the restricted single-key setting where an adversary is given a single decryption key that can be used to detect the challenge bit. In contrast, we consider the more powerful multi-key setting, which makes our definition of FE-SKL incomparable to the SDFE considered by [KN22a]. For the primitives of IBE and ABE, there has been no prior work achieving any notion of key leasing to the best of our knowledge. We also note that Aaronson et al. [ALL+21] studied the notion of “copy-detection”, which is a weaker form of copy protection, for any “watermarkable” functionalities based on iO and OWF. In particular, by instantiating the construction with the watermarkable PKE of [GKM+19], they obtain PKE with copy-detection from iO + PKE.
Overall, all previous works that imply PKE-SKL are designed to achieve the stronger goal of copy protection (or the incomparable goal of copy detection) and rely at least on the strong assumption of iO. In this work, our goal is to achieve the weaker goal of PKE-SKL from standard assumptions.
1.2 Our Results
In this work, we initiate the study of public key encryption with secure key leasing. Our results can be summarized as follows:
1. Definitions: We introduce the definition of PKE with secure key leasing (PKE-SKL) to formalize the arguably natural requirement that the decryption keys of a PKE scheme are encoded into a leased version so that the leased key continues to achieve the decryption functionality but now comes with an additional “returnability” guarantee. In more detail, the security of PKE-SKL requires that if the quantum decryption key returned by a user passes a validity test, then the user has lost the ability to decrypt. To capture this intuition, we formalize a security notion that we call indistinguishability against key leasing attacks (IND-KLA security). We also define a one-wayness notion for PKE-SKL that we call OW-KLA security and show that an OW-KLA secure PKE-SKL scheme can be lifted to an IND-KLA secure one by using the (quantum) Goldreich-Levin lemma.
2. Constructing IND-KLA PKE with Secure Key Leasing: We provide a construction of OW-KLA secure PKE-SKL (which implies IND-KLA PKE-SKL as discussed above) by leveraging a PKE scheme that satisfies a new security notion that we call consistent or inconsistent security against key leasing attacks (CoIC-KLA security). We then construct a CoIC-KLA secure PKE scheme using 1-key Ciphertext-Policy Functional Encryption (CPFE) that in turn can be based on any IND-CPA secure PKE scheme.
3. Identity Based Encryption, Attribute Based Encryption and Functional Encryption with Secure Key Leasing: We provide definitions of secure key leasing in the context of advanced encryption schemes such as identity based encryption (IBE), attribute-based encryption (ABE) and functional encryption (FE). Then we provide constructions by combining the above PKE-SKL with standard IBE, ABE and FE schemes.
Notably, our definitions allow the adversary to request distinguishing keys in the security game, namely, keys that distinguish the challenge bit by simply decrypting the challenge ciphertext. Recall that this was not permitted in the classical setting to avoid trivializing the security definition. However, in the quantum setting, we consider a stronger definition where the adversary can request such keys so long as it returns them (and they pass the validity test) before it sees the challenge ciphertext. All our constructions satisfy this stronger definition, albeit with the restriction that only a bounded number of such keys be allowed to the adversary in the IBE and ABE (but not FE) security games. We emphasize that this restriction is a result of our techniques and could potentially be removed in future work.
We note that, in general, secure software leasing (SSL) only ensures a notion of security where the adversary is forced to use an honest evaluation algorithm for the software. However, our definition (and hence constructions) of PKE/ABE/FE SKL do not suffer from this limitation. Our constructions do not require any additional assumptions, showing that PKE/IBE/ABE/FE can be upgraded to support secure key leasing for free.
1.3 Technical Overview
We proceed to give a technical overview of this work.
Definition of PKE with secure key leasing.
We first introduce the definition of PKE with secure key leasing (PKE-SKL).
A PKE-SKL scheme SKL consists of four algorithms (𝒦𝒢,Enc,𝒟ℯ𝒸,𝒱𝓇𝒻𝓎), where the first three algorithms form a standard PKE scheme except for the following differences in 𝒦𝒢. (Footnote 3: In this paper, standard math or sans serif font stands for classical algorithms and classical variables. The calligraphic (script) font stands for quantum algorithms, and the calligraphic font and/or the bracket notation for (mixed) quantum states.)
• 𝒦𝒢 outputs a quantum decryption key 𝒹𝓀 instead of a classical decryption key.
• 𝒦𝒢 outputs a (secret) verification key vk, together with a public encryption key and the quantum decryption key.
The verification algorithm 𝒱𝓇𝒻𝓎 takes as input a verification key and a quantum decryption key, and outputs ⊤ or ⊥.
In addition to decryption correctness, SKL should satisfy verification correctness, which states that 𝒱𝓇𝒻𝓎(vk,𝒹𝓀)=⊤ holds, where (ek,𝒹𝓀,vk)←𝒦𝒢(1^λ).
The security of PKE-SKL requires that once a user holding a quantum decryption key returns the key correctly, the user can no longer use the key and loses the ability to decrypt.
We formalize this as a security notion that we call indistinguishability against key leasing attacks (IND-KLA security).
It is defined using the following security game.
1. First, the challenger generates (ek,𝒹𝓀,vk)←𝒦𝒢(1^λ) and sends ek and 𝒹𝓀 to an adversary 𝒜.
2. 𝒜 sends two challenge plaintexts (m₀*,m₁*) and a quantum state 𝒹𝓀 that is supposed to be a correct decryption key. The challenger checks whether 𝒱𝓇𝒻𝓎(vk,𝒹𝓀)=⊤ holds. If not, 𝒜 is regarded as invalid and the game ends here. Otherwise, the game goes to the next step. (Footnote 4: We also consider a slightly stronger definition where the adversary can access a verification oracle many times, and the adversary is regarded as valid if the answer to at least one query 𝒹𝓀 is ⊤. In this overview, we focus on the “1-query” security for simplicity.)
3. The challenger generates ct*←Enc(ek,m_coin*) and sends it to 𝒜, where coin←{0,1}.
4. 𝒜 outputs coin'.
IND-KLA security guarantees that any QPT 𝒜 cannot guess coin correctly significantly better than random guessing, conditioned on 𝒜 being valid. In more detail, for any QPT adversary 𝒜 that passes the verification with non-negligible probability, we have |Pr[coin'=coin ∣ 𝒱𝓇𝒻𝓎(vk,𝒹𝓀)=⊤] − 1/2| = negl(λ).
One-wayness to indistinguishability.
It is natural to define a one-wayness notion for PKE-SKL, which we call OW-KLA security, by modifying the above definition so that the adversary is required to recover entire bits of a randomly chosen message from its ciphertext.
Similarly to standard PKE, we can transform a OW-KLA secure PKE-SKL scheme into an IND-KLA secure one by using (quantum) Goldreich-Levin lemma [AC02, CLLZ21].
Hence, though our goal is to construct an IND-KLA secure scheme, it suffices to construct an OW-KLA secure one.
Basic idea for OW-KLA secure scheme.
Towards realizing an OW-KLA secure PKE-SKL scheme, we construct an intermediate scheme Basic=(Basic.𝒦𝒢,Basic.Enc,Basic.𝒟ℯ𝒸,Basic.𝒱𝓇𝒻𝓎) using two instances of a standard PKE scheme, with parallel repetition.
Let PKE=(PKE.KG,PKE.Enc,PKE.Dec) be a standard PKE scheme.
Basic.𝒦𝒢 generates two key pairs (ek₀,dk₀) and (ek₁,dk₁) using PKE.KG and outputs ek:=(ek₀,ek₁), 𝒹𝓀:=(1/√2)(∣0⟩∣dk₀⟩+∣1⟩∣dk₁⟩), and vk:=(dk₀,dk₁).
Given m and ek, Basic.Enc generates ct₀←PKE.Enc(ek₀,m) and ct₁←PKE.Enc(ek₁,m) and outputs ct:=(ct₀,ct₁).
Basic.𝒟ℯ𝒸 decrypts this ciphertext using the decryption keys dk₀ and dk₁, respectively, in superposition. Since both decryptions result in the same message m, we can decrypt ciphertexts without collapsing 𝒹𝓀. Finally, Basic.𝒱𝓇𝒻𝓎 checks whether the input decryption key is an equal-weight superposition of dk₀ and dk₁. Concretely, it applies a binary-outcome measurement w.r.t. the projection
Π_vrfy := (1/2)(∣0⟩∣dk₀⟩+∣1⟩∣dk₁⟩)(⟨0∣⟨dk₀∣+⟨1∣⟨dk₁∣),
and returns ⊤ if and only if the state is projected onto Π_vrfy.
Intuitively, if the adversary has returned the correct decryption key, then it no longer has the capability to decrypt since the decryption key cannot be cloned. However, this scheme does not satisfy OW-KLA because an adversary can pass the verification with probability 1/2 simply by measuring the decryption key and returning the collapsed decryption key.
Such an adversary can keep the decryption capability even after passing verification because the decryption key collapses to a classical string, which can be easily copied.
Nonetheless, it is reasonable to expect that this attack strategy is optimal because there appears to be no obvious way to attack with a better advantage. That said, it is unclear how to turn this intuition into a formal proof assuming only IND-CPA security of the underlying PKE. To address this gap, we introduce a new security notion for PKE, that we call consistent or inconsistent security against key leasing attacks (CoIC-KLA security). Using this, we can prove that the aforementioned adversarial strategy is optimal and Basic satisfies 1/2-OW-KLA security.
By being 1/2-OW-KLA secure, we mean that the probability that an adversary can correctly return a decryption key and recover the challenge plaintext simultaneously is at most 1/2+negl(λ).
Below, we introduce the definition of CoIC-KLA security and how to prove 1/2-OW-KLA security of Basic using CoIC-KLA security.
Then, we explain how to achieve a full OW-KLA secure scheme by applying parallel amplification to Basic.
Definition of CoIC-KLA security.
CoIC-KLA security is defined by using the following game.
1. The challenger generates (ek₀,dk₀) and (ek₁,dk₁) using PKE.KG, and generates 𝒹𝓀:=(1/√2)(∣0⟩∣dk₀⟩+∣1⟩∣dk₁⟩). The challenger sends ek₀, ek₁, and 𝒹𝓀 to an adversary 𝒜. In this game, 𝒜 can access the verification oracle only once, where the oracle is given a quantum state and returns the outcome of the projective measurement (Π_vrfy, I−Π_vrfy).
2. 𝒜 sends two plaintexts (m₀*,m₁*) to the challenger. The challenger picks random bits a,b and generates ct₀=PKE.Enc(ek₀,m_a*) and ct₁=PKE.Enc(ek₁,m_{a⊕b}*). Then, the challenger sends ct₀ and ct₁ to 𝒜.
3. 𝒜 outputs a bit b'.
Then, CoIC-KLA security requires that any QPT 𝒜 cannot guess b significantly better than random guessing.
In the above game, if b=0, ct₀ and ct₁ are ciphertexts of the same plaintext m_a*. On the other hand, if b=1, ct₀ and ct₁ are ciphertexts of the different plaintexts m_a* and m_{1⊕a}*. Thus, we call this security notion consistent or inconsistent security.
1/2-OW-KLA security of Basic.
We explain how to prove 1/2-OW-KLA security of Basic based on CoIC-KLA security of PKE.
The OW-KLA security game for Basic is as follows.
1. The challenger generates (ek₀,dk₀) and (ek₁,dk₁) using PKE.KG, sets ek:=(ek₀,ek₁) and 𝒹𝓀:=(1/√2)(∣0⟩∣dk₀⟩+∣1⟩∣dk₁⟩), and sends ek and 𝒹𝓀 to an adversary 𝒜.
2. The adversary returns a quantum state 𝒹𝓀 that is supposed to be a correct decryption key. The challenger checks whether the result of applying Π_vrfy defined above to 𝒹𝓀 is 1. If not, 𝒜 is regarded as invalid and the game ends here. Otherwise, the game goes to the next step.
3. The challenger generates a random plaintext m* and two ciphertexts ct₀←PKE.Enc(ek₀,m*) and ct₁←PKE.Enc(ek₁,m*), and sends ct:=(ct₀,ct₁) to 𝒜.
4. 𝒜 outputs m'.
In this game, we say that 𝒜 wins if (a) 𝒹𝓀 passes the verification, that is, the result of applying Π_vrfy to 𝒹𝓀 is 1, and (b) m'=m* holds.
𝒜 can win this game with probability at least 1/2 by just measuring (1/√2)(∣0⟩∣dk₀⟩+∣1⟩∣dk₁⟩), returning the collapsed key, and decrypting the challenge ciphertext with that key. As stated above, we can prove that this is the optimal strategy for 𝒜, that is, we can bound the winning probability of 𝒜 by 1/2+negl(λ).
The proof proceeds by a sequence of games. We denote the probability that 𝒜 wins in Game i by Pr[S_i].
Game 0:
This is exactly the above game.
Game 1:
We defer the verification of the returned key 𝒹𝓀 until after 𝒜 outputs m'.
By the deferred measurement principle, we have Pr[S₀]=Pr[S₁].
Game 2:
We change 𝒜's winning condition (b). Concretely, we replace (b) with (b') m'∈{m*,m̃} holds, where m̃ is a random plaintext.
Since we relaxed 𝒜's winning condition, we have Pr[S₁]≤Pr[S₂].
Game 3:
We generate ct₁ as ct₁←PKE.Enc(ek₁,m̃) instead of ct₁←PKE.Enc(ek₁,m*).
The only difference between Game 2 and Game 3 is that ct₀ and ct₁ are ciphertexts of the same plaintext in Game 2, but ciphertexts of different plaintexts in Game 3.
Thus, we obtain |Pr[S₂]−Pr[S₃]| = negl(λ) using the CoIC-KLA security of PKE.
We complete the proof by showing that Pr[S₃]≤1/2+negl(λ) holds if PKE satisfies one-wayness (which is implied by CoIC-KLA security).
To show this, we use the following Fact 1.
Fact 1:
Assume PKE satisfies one-wayness. Then, given (1/√2)(∣0⟩∣dk₀⟩+∣1⟩∣dk₁⟩), PKE.Enc(ek₀,m*), and PKE.Enc(ek₁,m̃), no adversary can obtain (dk₀,m̃) or (dk₁,m*) with non-negligible probability.
This can be proved using the fact that even if we measure (1/√2)(∣0⟩∣dk₀⟩+∣1⟩∣dk₁⟩) in the computational basis before giving it to the adversary, the adversary still has success probability at least ϵ/2, where ϵ is the success probability in the original experiment [BZ13, Lemma 2.1] (which is stated as Lemma 2.21).
Suppose Pr[S₃]=1/2+1/poly(λ) for some polynomial poly.
This means that, conditioned on m'∈{m*,m̃}, the 𝒹𝓀 returned by 𝒜 passes the verification with probability significantly greater than 1/2.
Thus, if we measure 𝒹𝓀 in the computational basis, we obtain dk₀ with some inverse polynomial probability and also dk₁ with some inverse polynomial probability. (If either one were obtained with overwhelming probability, 𝒹𝓀 could not pass the verification with probability significantly greater than 1/2.) This means that, using 𝒜, we can obtain either the pair (dk₀,m̃) or the pair (dk₁,m*) with inverse polynomial probability, which contradicts Fact 1.
Thus, we obtain Pr[S₃]≤1/2+negl(λ).
From the above discussion, we conclude that if PKE satisfies CoIC-KLA security, then Basic satisfies 1/2-OW-KLA security.
Full OW-KLA security by parallel repetition.
To achieve a fully OW-KLA secure scheme, we apply parallel amplification to Basic in the following way.
When generating a key tuple, we generate λ key tuples (ek_i,𝒹𝓀_i,vk_i) of Basic and set ek':=(ek_i)_{i∈[λ]}, 𝒹𝓀':=(𝒹𝓀_i)_{i∈[λ]}, and vk':=(vk_i)_{i∈[λ]}.
When encrypting a plaintext m, we divide it into λ pieces m₁,⋯,m_λ, and encrypt each m_i using ek_i.
Then decryption and verification are performed naturally by running the underlying procedures of Basic for every i∈[λ]. We can prove the full OW-KLA security of this construction using a strategy analogous to the one used to prove 1/2-OW-KLA security of Basic. We remark that it is unclear whether 1/2-OW-KLA security can be amplified to full OW-KLA security in a black-box way; our security proof relies on the specific structure of our scheme.
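The following toy model, added here as an example and not taken from the paper, makes the Basic scheme and its parallel repetition concrete: it builds the leased key (1/√2)(∣0⟩∣dk₀⟩+∣1⟩∣dk₁⟩) as a small state vector, computes the pass probability of Basic.𝒱𝓇𝒻𝓎 as ⟨state∣Π_vrfy∣state⟩, runs Basic.𝒟ℯ𝒸 in superposition, reproduces the measure-and-return attack that passes with probability 1/2, and gives the 2^(−k) pass probability of an adversary that measures k of the λ repeated keys. The 4-bit keys, the one-time-pad stand-in for PKE and all function names are constructed for this illustration.

```python
import math
import random

# Constructed toy parameters (not from the paper): the classical decryption keys
# are 4-bit strings and the stand-in "PKE" is a one-time pad, ct_b = m XOR dk_b.
# The pad only gives Basic.Dec something to compute; it has none of the security
# properties (IND-CPA, CoIC-KLA) the paper requires of PKE.
DK0 = "0110"
DK1 = "1011"


def xor_bits(a: str, b: str) -> str:
    return "".join("1" if x != y else "0" for x, y in zip(a, b))


def basic_encrypt(m: str) -> tuple:
    """Basic.Enc: encrypt m under both keys and output ct := (ct0, ct1)."""
    return (xor_bits(m, DK0), xor_bits(m, DK1))


def honest_key() -> dict:
    """Basic.KG's leased key (1/sqrt(2))(|0>|dk0> + |1>|dk1>), stored as a sparse
    map from basis labels (control bit, classical key) to amplitudes."""
    s = 1 / math.sqrt(2)
    return {(0, DK0): s, (1, DK1): s}


def inner(a: dict, b: dict) -> complex:
    """<a|b> for sparse state vectors."""
    return sum(a[k].conjugate() * b[k] for k in a if k in b)


def pass_probability(state: dict) -> float:
    """Basic.Vrfy measures (Pi_vrfy, I - Pi_vrfy) with Pi_vrfy = |psi><psi| for
    the honest key psi, so Pr[outcome ⊤] = <state|Pi_vrfy|state> = |<psi|state>|^2."""
    return abs(inner(honest_key(), state)) ** 2


def basic_decrypt(ct: tuple, state: dict) -> str:
    """Basic.Dec run in superposition: the branch |c>|dk_c> decrypts ct_c with dk_c.
    Every branch yields the same m, so reading m out does not disturb the key
    (the 'decrypt without collapsing dk' point); the caller keeps using `state`."""
    branch_outputs = {xor_bits(ct[c], dk) for (c, dk) in state}
    if len(branch_outputs) != 1:
        raise ValueError("branches disagree; reading m out would collapse the key")
    return branch_outputs.pop()


def measure_key(state: dict, rng: random.Random) -> dict:
    """The attack from the overview: measure the key in the computational basis.
    The result is a classical (c, dk_c) pair, which can be copied freely."""
    labels = list(state)
    weights = [abs(state[k]) ** 2 for k in labels]
    return {rng.choices(labels, weights=weights)[0]: 1.0}


def amplified_pass_probability(lam: int, measured: int) -> float:
    """Parallel repetition with lam independent Basic keys: returning all of them
    after measuring `measured` of them passes each unmeasured copy with probability 1
    and each measured copy independently with probability 1/2. The adversary keeps
    a copyable classical key only for the `measured` pieces m_i."""
    if not 0 <= measured <= lam:
        raise ValueError("measured must lie in [0, lam]")
    return 0.5 ** measured


def demo() -> tuple:
    rng = random.Random(7)
    dk = honest_key()
    ct = basic_encrypt("1100")
    m = basic_decrypt(ct, dk)               # "1100"; dk is still the honest key
    honest_pass = pass_probability(dk)      # 1.0: the untouched key passes
    leaked = measure_key(dk, rng)           # adversary collapses and keeps a copy
    m_after = basic_decrypt(ct, leaked)     # "1100": the classical key still decrypts
    attack_pass = pass_probability(leaked)  # 0.5: the returned copy passes half the time
    return m, honest_pass, m_after, attack_pass


if __name__ == "__main__":
    print(demo())
```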
Constructing CoIC-KLA secure PKE scheme.
In the rest of this overview, we mainly explain how to construct a CoIC-KLA secure PKE scheme.
We construct it using 1-key Ciphertext-Policy Functional Encryption (CPFE) that in turn can be based on any IND-CPA secure PKE scheme.
We first review the definition of 1-key CPFE scheme.
A 1-key CPFE scheme CPFE consists of four algorithms (FE.Setup,FE.KG,FE.Enc,FE.Dec).
Given a security parameter, FE.Setup outputs a master public key mpk and a master secret key msk.
FE.KG takes as input msk and a string x and outputs a decryption key sk_x tied to the string x.
FE.Enc takes as input mpk and a description of a circuit C and outputs a ciphertext ct.
If we decrypt this ciphertext ct with sk_x using FE.Dec, we obtain C(x).
Its security states that ciphertexts of two circuits C₀ and C₁ are computationally indistinguishable for an adversary who holds the decryption key sk_x for an x of its choice, as long as C₀(x)=C₁(x) holds.
Letting CPFE=(FE.Setup,FE.KG,FE.Enc,FE.Dec) be a 1-key CPFE scheme, we construct a CoIC-KLA secure PKE scheme PKE=(PKE.KG,PKE.Enc,PKE.Dec) as follows.
PKE.KG generates (mpk,msk)←FE.Setup(1^λ) and a decryption key sk_x←FE.KG(msk,x) for a random string x, and outputs an encryption key ek:=mpk and the corresponding decryption key dk:=sk_x.
Given ek=mpk and m, PKE.Enc outputs FE.Enc(mpk,C[m]), where C[m] is the constant circuit that outputs m on any input.
Given dk=sk_x and ct, PKE.Dec simply outputs FE.Dec(sk_x,ct).
PKE satisfies decryption correctness by the correctness of CPFE.
Before proving CoIC-KLA security of PKE, we explain a useful tracing property of PKE that plays an important role in the proof.
It says that if there exists a decoder that can distinguish PKE.Enc(ek,m₀*) and PKE.Enc(ek,m₁*) with probability 1/2+1/poly(λ) for some plaintexts m₀*,m₁* and polynomial poly, then we can extract the string x tied to the decryption key from the decoder. Concretely, the following fact holds.
Fact 2:
Consider the following experiment. The challenger generates (ek:=mpk,dk:=sk_x) using PKE.KG and sends them to an adversary 𝒜. 𝒜 outputs a decoder D together with m₀*,m₁* such that D can predict a random bit b from PKE.Enc(ek,m_b*) with probability 1/2+1/poly(λ) for some polynomial poly.
Then, we can extract x from D with inverse polynomial probability.
In fact, if the decoder D is a classical decoder, we can extract x from D with probability close to 1 as follows.
Let C̃[b,m₀,m₁,i] be the circuit that is given x as input and outputs m_{b⊕x[i]}, where x[i] is the i-th bit of x. Then, suppose we generate many random (b, FE.Enc(mpk,C̃[b,m₀*,m₁*,i])) and estimate the probability that the decoder D outputs b given FE.Enc(mpk,C̃[b,m₀*,m₁*,i]) as input. By the security of CPFE, FE.Enc(mpk,C̃[b,m₀*,m₁*,i]) is indistinguishable from a correctly generated ciphertext of m_{b⊕x[i]}*, that is, from PKE.Enc(ek,m_{b⊕x[i]}*)=FE.Enc(mpk,C[m_{b⊕x[i]}*]), in the view of 𝒜 and D, who hold sk_x, since C̃[b,m₀*,m₁*,i](x)=C[m_{b⊕x[i]}*](x)=m_{b⊕x[i]}*.
Then, the result of the estimation should be as follows.
• In the case x[i]=0, each sample used for the estimation looks like (b,PKE.Enc(ek,m_b*)) from the view of D. Thus, the result of the estimation should be greater than 1/2, since D correctly predicts the random bit b from PKE.Enc(ek,m_b*) with probability 1/2+1/poly(λ).
• In the case x[i]=1, each sample used for the estimation looks like (b,PKE.Enc(ek,m_{1⊕b}*)) from the view of D. Thus, the result of the estimation should be smaller than 1/2, since D outputs 1⊕b given PKE.Enc(ek,m_{1⊕b}*) with probability 1/2+1/poly(λ).
Therefore, by checking whether the result of the estimation is greater than 1/2 or not, we can extract x[i]. By doing this for every i, we can extract all bits of x.
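A toy simulation of the classical extraction behind Fact 2, added here as an example and not taken from the paper: the decoder is modelled as holding x (its sk_x) and answering with a fixed 1/2+ε advantage, a CPFE ciphertext of a circuit is modelled by what it decrypts to under sk_x (which, by the CPFE security argument above, is all the decoder's view depends on), and the extractor recovers x[i] bit by bit from the estimated hit rate without ever reading x. The 8-bit x, the plaintext pair, ε and all names are constructed assumptions.

```python
import random

# Constructed toy model (not from the paper) of the extraction behind Fact 2.
# sk_x is modelled by the string x itself: FE.Dec(sk_x, FE.Enc(mpk, C)) = C(x),
# so a ciphertext is represented by the circuit it encrypts and "decrypting"
# means evaluating that circuit on x.


def c_tilde(b: int, m0: str, m1: str, i: int):
    """The circuit C~[b, m0, m1, i]: on input x it outputs m_{b xor x[i]}."""
    return lambda x: (m0, m1)[b ^ x[i]]


def constant_circuit(m: str):
    """C[m], the constant circuit used by PKE.Enc: on any input it outputs m."""
    return lambda x: m


class NoisyDecoder:
    """A classical decoder D holding sk_x. Given a ciphertext of m_c for the
    challenge pair (m0*, m1*), it outputs c with probability 1/2 + eps and the
    wrong bit otherwise. A real D has no eps knob; the coin flip just models a
    decoder whose advantage is some inverse polynomial 1/poly(lambda)."""

    def __init__(self, x, m0, m1, eps, rng):
        self.x, self.m0, self.m1, self.eps, self.rng = x, m0, m1, eps, rng

    def run(self, ct) -> int:
        m = ct(self.x)                        # FE.Dec(sk_x, ct) = circuit(x)
        c = 0 if m == self.m0 else 1
        return c if self.rng.random() < 0.5 + self.eps else 1 - c


def estimate_hit_rate(decoder_run, m0, m1, i, samples, rng) -> float:
    """Feed D many random (b, FE.Enc(mpk, C~[b, m0, m1, i])) and estimate
    Pr[D outputs b]. The extractor only sees D's answers, never x."""
    hits = 0
    for _ in range(samples):
        b = rng.getrandbits(1)
        hits += decoder_run(c_tilde(b, m0, m1, i)) == b
    return hits / samples


def extract_x(decoder_run, m0, m1, n, samples, rng) -> list:
    """Recover every bit of x: a hit rate above 1/2 means the samples looked like
    ciphertexts of m_b to D (x[i] = 0); below 1/2 they looked like m_{1-b} (x[i] = 1)."""
    return [0 if estimate_hit_rate(decoder_run, m0, m1, i, samples, rng) > 0.5 else 1
            for i in range(n)]


def demo() -> tuple:
    rng = random.Random(2023)
    x = [1, 0, 1, 1, 0, 0, 1, 0]            # constructed string tied to sk_x
    m0, m1 = "left", "right"                # constructed challenge plaintexts
    decoder = NoisyDecoder(x, m0, m1, eps=0.1, rng=rng)
    # Sanity check that D really has advantage on honest PKE ciphertexts C[m_b].
    trials = 2000
    correct = 0
    for _ in range(trials):
        b = rng.getrandbits(1)
        correct += decoder.run(constant_circuit((m0, m1)[b])) == b
    recovered = extract_x(decoder.run, m0, m1, len(x), samples=1000, rng=rng)
    return recovered, x, correct / trials


if __name__ == "__main__":
    print(demo())
```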
The above extraction technique is a direct application of the one used by Kitagawa and Nishimaki [KN22b] to realize a watermarking scheme secure against quantum adversaries.
By using their technique, even if the decoder is a quantum decoder 𝒟 consisting of a unitary and an initial quantum state, we can extract x from 𝒟 with inverse polynomial probability, as long as 𝒟 has a high distinguishing advantage.
Roughly speaking, this is done by performing the above estimation using the (approximate) projective implementation proposed by Zhandry [Zha20], which is based on the technique of Marriott and Watrous [MW05].
By extending the above extraction technique, we obtain the following fact.
Fact 3:
Consider the following experiment. The challenger generates (ek₀:=mpk₀,dk₀:=sk_{x₀}) and (ek₁:=mpk₁,dk₁:=sk_{x₁}) using PKE.KG, and sends ek₀, ek₁, and (1/√2)(∣0⟩∣dk₀⟩+∣1⟩∣dk₁⟩)=(1/√2)(∣0⟩∣sk_{x₀}⟩+∣1⟩∣sk_{x₁}⟩) to an adversary 𝒜.
𝒜 outputs a quantum decoder 𝒟 together with (m₀*,m₁*) such that 𝒟 can predict b from PKE.Enc(ek₀,m_a*) and PKE.Enc(ek₁,m_{a⊕b}*) with probability 1/2+1/poly(λ) for some polynomial poly.
Then, we can extract both x₀ and x₁ from 𝒟 with inverse polynomial probability.
We now explain how we can prove CoIC-KLA security of PKE using Fact 3.
To this end, we introduce one more fact.
Fact 4:
Given mpk₀, mpk₁, and (1/√2)(∣0⟩∣sk_{x₀}⟩+∣1⟩∣sk_{x₁}⟩), where (mpk₀,sk_{x₀}) and (mpk₁,sk_{x₁}) are generated as in PKE.KG, no adversary can compute both x₀ and x₁ with non-negligible probability.
Similarly to Fact 1, we can prove this from the fact that even if we measure (1/√2)(∣0⟩∣sk_{x₀}⟩+∣1⟩∣sk_{x₁}⟩) in the computational basis before giving it to the adversary, the adversary still has success probability at least ϵ/2, where ϵ is the success probability in the original experiment [BZ13, Lemma 2.1].
Suppose there exists a QPT adversary 𝒜 that breaks CoIC-KLA security of PKE.
We consider the following adversary ℬ using 𝒜.
Given mpk₀, mpk₁, and (1/√2)(∣0⟩∣sk_{x₀}⟩+∣1⟩∣sk_{x₁}⟩), ℬ simulates the CoIC-KLA security game for 𝒜 by setting ek₀:=mpk₀, ek₁:=mpk₁, and 𝒹𝓀:=(1/√2)(∣0⟩∣sk_{x₀}⟩+∣1⟩∣sk_{x₁}⟩) until 𝒜 outputs two plaintexts (m₀*,m₁*). When 𝒜 makes a verification query, ℬ just returns a random bit. Let U be the unitary that performs the rest of 𝒜's actions given the challenge ciphertexts. Also, let 𝓆 be the internal state of 𝒜 at this point. Then, by an averaging argument and the fact that ℬ answers 𝒜's verification query correctly with probability 1/2, with some inverse polynomial probability the quantum decoder 𝒟=(U,𝓆) can predict b from PKE.Enc(ek₀,m_a*) and PKE.Enc(ek₁,m_{a⊕b}*) with probability 1/2+1/poly(λ) for some polynomial poly.
Thus, by using the extractor guaranteed to exist by Fact 3, ℬ can obtain both x₀ and x₁ with some inverse polynomial probability, which contradicts Fact 4.
This means that PKE satisfies CoIC-KLA security.
Extension to Advanced Encryption Systems with Secure Key Leasing.
We also provide constructions of advanced encryption schemes such as ABE and FE with secure key leasing. We do not focus on IBE in this paper since IBE is a special case of ABE and our transformation preserves the underlying function class.⁵
⁵ Although ABE is a special case of FE, we need stronger assumptions for (collusion-resistant) FE to instantiate them. In addition, the security level of FE-SKL that we can achieve is different from that of ABE-SKL. Hence, we consider both ABE and FE.
We construct these schemes by carefully combining standard ABE (resp. FE) with PKE-SKL in such a way that each decryption key of the resulting ABE-SKL (resp. FE-SKL) scheme includes a decryption key of the underlying PKE-SKL scheme, and a ciphertext of the ABE-SKL (resp. FE-SKL) scheme cannot be decrypted without the decryption key of the underlying PKE-SKL scheme.
By doing so, our ABE-SKL and FE-SKL take over the secure key leasing security from the underlying PKE-SKL.
Moreover, since PKE-SKL can be based on any PKE, our ABE-SKL and FE-SKL can be based on any standard ABE and FE, respectively.
ABE-SKL.
Here, we provide an overview of ABE with secure key leasing.
Let us start with the definition of plain ABE (without key leasing).
An ABE scheme ABE consists of four algorithms (ABE.Setup,ABE.KG,ABE.Enc,ABE.Dec) and is associated with a relation R.
Given a security parameter, ABE.Setup outputs a master public key mpk and a master secret key msk.
ABE.KG takes as input msk and a key attribute y and outputs a user secret key sky tied to the attribute y.
ABE.Enc takes as input mpk, a ciphertext attribute x, and a message m and outputs a ciphertext ct.
The decryption of the ciphertext is possible only when R(x,y)=1.
For this reason, we call a user secret key for attribute y satisfying R(x,y)=1 a decrypting key (for a ciphertext associated with x).
As for the security, we require that ABE.Enc(x∗,m0∗) should be computationally indistinguishable from ABE.Enc(x∗,m1∗) as long as an adversary is only given non-decrypting keys for the ciphertext (i.e., user secret keys for y satisfying R(x∗,y)=0).
We now define the notion of ABE with secure key leasing (ABE-SKL) by extending the syntax of ABE.
The difference from the above is that the key generation algorithm is now quantum and it outputs a user secret key \mathpzcusky along with a verification key vk.
We also additionally introduce a verification algorithm that takes vk and a quantum state \mathpzcusk′ and outputs ⊤ if it judges that the user secret key corresponding to vk is correctly returned and ⊥ otherwise.
As for the security, we require that ABE.Enc(x∗,m0) should be computationally indistinguishable from ABE.Enc(x∗,m1) if the adversary returns all decrypting keys before it is given the challenge ciphertext.
Here, we say the adversary returns the key if the adversary provides the challenger with a quantum state that makes the verification algorithm output ⊤.
For the construction, the basic idea is to use ABE for access control and PKE-SKL for obtaining security against key leasing attacks.
To enable this idea, we encrypt a message m for an attribute x so that the decryptor recovers PKE-SKL ciphertext skl.ct=SKL.Enc(skl.ek,m) if it has decrypting key and nothing otherwise, where skl.ek is an individual encryption key corresponding to the user.
The user is given the corresponding decryption key skl.dk and can recover the message by decrypting skl.ct.
Roughly speaking, the security follows since (1) a user with a non-decrypting key cannot obtain any information and (2) even a user with a decrypting key cannot recover the message from skl.ct once it returns skl.dk due to the security of SKL.
The generation of user individual SKL ciphertext is somewhat non-trivial since ABE can only encrypt a single message.
In order to achieve this, we use an idea similar to [SS10, GKW16] that combines encryption with the garbled circuits.
In particular, we garble the encryption circuit of SKL that hardwires a message and encrypt the labels by ABE. We then provide a secret key of ABE for a user only for the positions corresponding to skl.ek.
This allows a user with decrypting key to recover the labels corresponding to skl.ek and then run the garbled circuit on input the labels to recover skl.ct.
Unfortunately, the introduction of the garbled circuits in the construction poses some limitations on the security of the scheme. In particular, once the adversary obtains two decrypting user secret keys, the message can be revealed from the garbled circuit in the ciphertext since the security of garbled circuits is compromised when labels for two different inputs are revealed.
Therefore, we are only able to prove 1-bounded distinguishing key security,⁶ where the adversary can make a single decrypting key query and should return the key before the challenge ciphertext is given. We note that the adversary can make an arbitrary number of non-decrypting key queries throughout the game, unlike bounded collusion ABE [GVW12, ISV+17], and only the number of decrypting keys is bounded.
⁶ When we consider the security game for ABE-SKL, a decrypting key can be used for distinguishing the challenge bit by decrypting the challenge ciphertext (if it is not returned). Therefore, we use the terms “decrypting key” and “distinguishing key” interchangeably.
Ideally, we would like to have a scheme without any restriction on the number of decrypting keys. However, we do not know how to achieve it without strong assumptions like functional encryption or indistinguishability obfuscation. Instead, we achieve an intermediate security notion that we call q-bounded distinguishing key security without introducing additional assumptions, where the number of decrypting keys is bounded by some pre-determined polynomial.
To do so, we use the same idea as [ISV+17], which converts 1-bounded collusion ABE into q-bounded collusion ABE.
The construction is based on the balls and bins idea, where we prepare multiple “bins”, each of which consists of multiple instances of a 1-bounded distinguishing key secure ABE-SKL 1ABE. The key generation algorithm chooses a single instance from each bin randomly and generates a user secret key for each of them. The encryption algorithm secret shares the message and encrypts the shares using the instances of 1ABE so that the same share is encrypted by all the instances in the same bin.
By careful choices of the parameters and analysis, in the security proof, we can argue that there exists a bin such that the 1ABE instances used for generating decrypting keys in that bin are all distinct. This means that for every 1ABE instance in that bin, only a single decrypting key is generated, and thus we can use 1-bounded distinguishing key security for each of them.
While this overall proof strategy is the same as [ISV+17], our proof is a little more complex than theirs because the adversary is allowed to make an unbounded number of (non-decrypting) key queries. We refer to Section 6 for further details.
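To make the balls-and-bins argument concrete, the following added example (example code, not from the paper) simulates the key generation step that picks one 1ABE instance per bin and checks the predicate the proof relies on, namely that some bin holds pairwise distinct instances across the q decrypting keys; it also estimates how often that predicate fails and compares with the standard birthday/union bound. The names num_bins and per_bin and the parameter choices in the demo are assumptions, not the paper's parameters.

```python
from __future__ import annotations

import random


def keygen_choice(num_bins: int, per_bin: int, rng: random.Random) -> list[int]:
    """Mimic the key generation of the q-bounded scheme: in every bin, choose one of
    the per_bin instances of the 1-bounded scheme 1ABE uniformly at random.  The user
    secret key is then generated under the chosen instance of each bin."""
    return [rng.randrange(per_bin) for _ in range(num_bins)]


def good_bin_exists(choices: list[list[int]]) -> bool:
    """Predicate used in the security proof: given the bin selections of the q
    decrypting keys issued in the game, is there a bin whose q selected instances are
    pairwise distinct?  In such a bin every 1ABE instance answered at most one
    decrypting key query, so 1-bounded distinguishing key security applies to each
    instance and the share encrypted in that bin stays hidden."""
    if not choices:
        return True  # no decrypting key at all: every bin is trivially good
    q = len(choices)
    num_bins = len(choices[0])
    return any(len({c[b] for c in choices}) == q for b in range(num_bins))


def estimate_failure(num_bins: int, per_bin: int, q: int, trials: int, seed: int = 0) -> float:
    """Monte Carlo estimate of Pr[no good bin] over the randomness of q honest key
    generations (the adversary does not control which instances are chosen)."""
    rng = random.Random(seed)  # fixed seed so that runs are reproducible
    failures = 0
    for _ in range(trials):
        keys = [keygen_choice(num_bins, per_bin, rng) for _ in range(q)]
        if not good_bin_exists(keys):
            failures += 1
    return failures / trials


def union_bound(num_bins: int, per_bin: int, q: int) -> float:
    """Analytic upper bound (standard birthday + union bound, not a bound from the
    paper): a fixed bin has two keys on the same instance with probability at most
    q(q-1)/(2*per_bin); bins are chosen independently, so every bin fails with
    probability at most that value raised to num_bins."""
    p_bin = min(1.0, q * (q - 1) / (2 * per_bin))
    return p_bin ** num_bins


if __name__ == "__main__":
    # Assumed demo parameters: per_bin grows with q^2 and num_bins acts as the
    # "security parameter" driving the failure probability down exponentially.
    for q in (2, 4, 8):
        est = estimate_failure(num_bins=4, per_bin=2 * q * q, q=q, trials=2000)
        print(f"q={q}: simulated failure {est:.4f}, bound {union_bound(4, 2 * q * q, q):.2e}")
```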
PKFE-SKL.
We move to the overview of PKFE-SKL. In this work, we focus on Key-Policy FE (KPFE) with secure key leasing.
We start with the definition of plain FE (without key leasing).
An FE scheme FE consists of four algorithms (FE.Setup,FE.KG,FE.Enc,FE.Dec) and is associated with a function class F.
Given a security parameter, FE.Setup outputs a public key pk and a master secret key msk.
FE.KG takes as input msk and a function f∈F and outputs a functional decryption key skf tied to the function f.
FE.Enc takes as input pk and a plaintext x and outputs a ciphertext ct.
The decryption result is f(x). For security, we require that FE.Enc(pk,x0) should be computationally indistinguishable from FE.Enc(pk,x1) as long as an adversary is only given functional decryption keys for {fi}i such that fi(x0)=fi(x1) for all i.
We define the notion of FE with secure key leasing (FE-SKL) by extending the syntax of FE like ABE-SKL.
The key generation algorithm is now quantum and it outputs functional decryption key \mathpzcskf along with verification key vk.
We also introduce a verification algorithm that takes vk and a quantum state \mathpzcsk′ and outputs ⊤ if it judges that the functional decryption key corresponding to vk is correctly returned and ⊥ otherwise.
In the security game of PKFE-SKL, the adversary can send a distinguishing key query f such that f(x0∗)≠f(x1∗), where (x0∗,x1∗) are the challenge plaintexts, as long as it returns a valid functional decryption key for f. We consider a security game where the adversary can send unbounded polynomially many distinguishing and non-distinguishing (that is, f(x0∗)=f(x1∗)) key queries and tries to distinguish FE.Enc(pk,x0) from FE.Enc(pk,x1).
We transform a (classical) PKFE scheme into a PKFE scheme with secure key leasing by using the power of PKE-SKL. The basic idea is as follows. When we generate a functional decryption key for function f, we generate a key triple of PKE-SKL and a functional decryption key of the classical PKFE for a function W that computes a PKE-SKL ciphertext of f(x). That is, we wrap f(x) by PKE-SKL encryption. A decryption key of PKE-SKL is appended to fe.skW, which is the functional decryption key for W. Hence, we can decrypt the PKE-SKL ciphertext and obtain f(x). The PKE-SKL decryption key for f is useless for another function g since we use different key triples of PKE-SKL for each function.
More specifically, we generate PKE-SKL keys (skl.ek,skl.\mathpzcsk,skl.vk) and a PKFE functional decryption key fe.skW←FE.KG(fe.msk,W[f,skl.ek]), where the function W[f,skl.ek] takes as input x and outputs a PKE-SKL ciphertext SKL.Enc(skl.ek,f(x)).⁷ A functional decryption key for f consists of (fe.skW,skl.\mathpzcsk). A ciphertext of x is a (classical) PKFE ciphertext FE.Enc(fe.pk,x). If we return skl.\mathpzcsk for f (verified by skl.vk) before we obtain FE.Enc(fe.pk,x), we cannot obtain f(x) from SKL.Enc(skl.ek,f(x)) by the security of PKE-SKL.
⁷ We ignore the issue of encryption randomness here. In our construction, we use (puncturable) PRFs to generate encryption randomness.
We need to prove security against an adversary that obtains a functional decryption key for f such that f(x0∗)≠f(x1∗), where (x0∗,x1∗) is a pair of challenge plaintexts, if the adversary returns the functional decryption key. To handle this issue, we rely on IND-KLA security and need to embed a challenge ciphertext of PKE-SKL into a PKFE ciphertext. We use the trapdoor method of FE (a.k.a. the Trojan method) [ABSV15, BS18] for this purpose.
We embed an SKFE functional decryption key and ciphertext in a PKFE functional decryption key and ciphertext, respectively. We use this SKFE functional decryption key and ciphertext for the trapdoor mode of PKFE. We gradually change SKFE ciphertexts and keys so that we can embed a PKE-SKL challenge ciphertext by using the adaptively single-ciphertext function privacy of SKFE. Once we succeed in embedding a PKE-SKL challenge ciphertext, we can change a ciphertext of x0∗ into a ciphertext of x1∗ such that f(x0∗)≠f(x1∗) as long as the functional decryption key \mathpzcskf=(fe.skW,skl.\mathpzcsk) for f is returned.
This is because skl.\mathpzcsk is returned and we can use IND-KLA security under skl.ek.
See Section 7 for more details.
1.4 Other Related Work
Quantum Copy Protection. Aaronson [Aar09] introduced the notion of quantum copy protection and constructed a quantum copy protection scheme for arbitrary unlearnable Boolean functions relative to a quantum oracle. He also provided two heuristic copy-protection schemes for point functions in the standard model. Coladangelo et al. [CMP20] provided a quantum copy-protection scheme for a class of evasive functions in the QROM. Subsequently, Aaronson et al. [ALL+21] constructed a quantum copy protection scheme for unlearnable functions relative to classical oracles. By instantiating the oracle with post-quantum candidate obfuscation schemes, they obtained a heuristic construction of copy protection. Coladangelo et al. [CLLZ21] provided a copy-protection scheme for pseudorandom functions in the plain model assuming iO, OWF and extractable witness encryption, or assuming subexponential iO, subexponential OWF, LWE and a strong “monogamy property” (which was proven to be true in a follow-up work [CV22]). Ananth et al. [AK21, AKL+22] also constructed copy protection for point functions, which in turn can be transformed into copy protection for compute-and-compare programs. Sattath and Wyborski [SW22] studied unclonable decryptors, which are an extension of SDE. Their unclonable decryptors scheme is secret key encryption and can be instantiated with iO and OWF, or quantum oracles.
Secure software leasing. Secure software leasing (SSL) was introduced by Ananth and La Placa [AL21], where they also provided the first SSL scheme supporting a subclass of “evasive” functions by relying on the existence of public key quantum money and the learning with errors assumption. Evasive functions are a class of functions for which it is hard to find an accepting input given only black-box access to the function. Their construction achieves a strong security notion called infinite term security. They also demonstrate that there exists an unlearnable function class such that it is impossible to achieve an SSL scheme for that function class, even in the CRS model. Later, Coladangelo et al. [CMP20] improved the security notion achieved by [AL21] by relying on the QROM, for the same class of evasive functions. Additionally, Kitagawa, Nishimaki and Yamakawa [KNY21] provided a finite term secure SSL scheme for pseudorandom functions (PRFs) in the CRS model by assuming the hardness of the LWE problem against polynomial time quantum adversaries. Additionally, this work achieves classical communication. Further, Broadbent et al. [BJL+21] showed that SSL is achievable for the aforementioned evasive circuits without any setup or computational assumptions that were required by previous work, but with finite term security, quantum communication and correctness based on a distribution. The notion of secure leasing for the powerful primitive of functional encryption was studied by Kitagawa and Nishimaki [KN22a], who introduced the notion of secret key functional encryption (SKFE) with secure key leasing and provided a transformation from standard SKFE into SKFE with secure key leasing without relying on any additional assumptions.
Certified deletion.
Broadbent and Islam [BI20] introduced the notion of quantum encryption with certified deletion, where we can generate a (classical) certificate to ensure that a ciphertext is deleted. They constructed a one-time SKE scheme with certified deletion without computational assumptions. After that, many works presented various quantum encryption primitives (PKE, ABE, FE and so on) with certified deletion [HMNY21, Por23, BK22, HMNY22].
The root of quantum encryption with certified deletion is revocable quantum time-released encryption by Unruh [Unr15]. It is an extension of time-released encryption where a sender can revoke quantum encrypted data before a pre-determined time. If the revocation succeeds, the receiver cannot obtain the plaintext information.
Related technique.
The basic idea of our PKE-SKL is to prepare a superposition of two decryption keys and coherently run the decryption algorithm in each branch.
Previous works by Zhang [Zha21, Zha22] use a similar idea of running some algorithm (which is an evaluation of “lookup tables” in their case) on two branches in superposition though their motivation is to construct efficient blind quantum computation and classical verification of quantum computation, which are completely irrelevant to PKE-SKL.
1.5 Concurrent Work
A concurrent and independent work by Ananth, Poremba, and Vaikuntanathan [APV23] introduces key-revocable PKE, which is similar to PKE-SKL. They construct key-revocable PKE based on the LWE assumption, while our construction of PKE-SKL only assumes the existence of IND-CPA secure PKE. In addition, they only prove a somewhat weaker security notion called 1-bit unpredictability. Roughly, it ensures that the probability that the adversary passes the verification for the returned key and wins the IND game is at most 1/2+negl(λ). For example, even if an adversary passes the verification with probability 1/3 and has distinguishing advantage 1 conditioned on acceptance, it is not considered to break the security, while such an adversary breaks IND-KLA security. Thus, we believe that IND-KLA security is a more desirable security notion than 1-bit unpredictability.⁸
⁸ Strictly speaking, IND-KLA security and 1-bit unpredictability are incomparable because the former requires the indistinguishability between ciphertexts of two different messages whereas the latter requires the indistinguishability between a ciphertext of some message and a uniformly random string.
On the other hand, the advantages of their work are that their construction of key-revocable PKE is based on dual-Regev encryption, which is likely to be more efficient than our PKE-SKL, and that they also show a fully homomorphic encryption variant.
1.6 Organization of the paper
In Section 2 we define the notation and preliminaries that we require in this work. In Section 3, we define the notion of public key encryption with secure key leasing (PKE-SKL) and its various security notions. We also show several general relationships among those security notions. In Section 4, we define and construct Public Key Encryption with CoIC-KLA security. In Section 5, we provide our construction of PKE with secure key leasing. In Section 6 and Section 7 we provide our construction of Attribute Based Encryption with secure key leasing and public key Functional Encryption with secure key leasing respectively.
2 Preliminaries
Notations and conventions.
In this paper, standard math or sans serif font stands for classical algorithms (e.g., C or Gen) and classical variables (e.g., x or pk).
Calligraphic font stands for quantum algorithms (e.g., \mathpzcGen) and calligraphic font and/or the bracket notation for (mixed) quantum states (e.g., \mathpzcq or ∣ψ⟩).
Let [ℓ] denote the set of integers {1,⋯,ℓ}, λ denote a security parameter, and y:=z denote that y is set, defined, or substituted by z.
For a finite set X and a distribution D, x←X denotes selecting an element from X uniformly at random, x←D denotes sampling an element x according to D. Let y←A(x) and y←\mathpzcA(\mathpzcx) denote assigning to y the output of a probabilistic or deterministic algorithm A and a quantum algorithm \mathpzcA on an input x and \mathpzcx, respectively. When we explicitly show that A uses randomness r, we write y←A(x;r).
PPT and QPT algorithms stand for probabilistic polynomial-time algorithms and polynomial-time quantum algorithms, respectively.
Let negl denote a negligible function.
For strings x,y∈{0,1}n, x⋅y denotes ⨁i∈[n]xiyi where xi and yi denote the ith bit of x and y, respectively.
2.1 Standard Cryptographic Tools
Secret-key encryption.
Definition 2.1 (Secret Key Encryption).
An SKE scheme SKE is a two tuple (E,D) of PPT algorithms.
• The encryption algorithm E, given a key K∈{0,1}λ and a plaintext m∈M, outputs a ciphertext ct, where M is the plaintext space of SKE.
• The decryption algorithm D, given a key K and a ciphertext ct, outputs a plaintext m~∈{⊥}∪M. This algorithm is deterministic.
We require SKE to satisfy correctness.
Correctness:
We require D(K,E(K,m))=m for every m∈M and key K∈{0,1}λ.
Definition 2.2 (Ciphertext Pseudorandomness for SKE).
Let {0,1}ℓ be the ciphertext space of SKE.
We define the following experiment Exp^{pr-ct}_{\mathpzcA,SKE}(1λ,coin) between a challenger and an adversary \mathpzcA.
1. The challenger generates K←{0,1}λ. Then, the challenger sends 1λ to \mathpzcA.
2. \mathpzcA may make polynomially many encryption queries adaptively. \mathpzcA sends m∈M to the challenger. Then, the challenger returns ct←E(K,m) if coin=0, otherwise ct←{0,1}ℓ.
3. \mathpzcA outputs coin′∈{0,1}.
We say that SKE is pseudorandom-secure if for any QPT adversary \mathpzcA, we have
[TABLE]
Theorem 2.3.
If OWFs exist, there exists a pseudorandom-secure SKE scheme.
Public-key encryption.
Definition 2.4 (PKE).
A PKE scheme PKE is a tuple of three algorithms (KG,Enc,Dec).
Below, let X be the message space of PKE.
KG(1λ)→(ek,dk):
The key generation algorithm takes a security parameter 1λ, and outputs an encryption key ek and a decryption key dk.
Enc(ek,m)→ct:
The encryption algorithm takes an encryption key ek and a message m∈X, and outputs a ciphertext ct.
Dec(dk,ct)→m~:
The decryption algorithm is a deterministic algorithm that takes a decryption key dk and a ciphertext ct, and outputs a value m~.
Correctness:
For every m∈X, we have
[TABLE]
Definition 2.5 (IND-CPA Security).
We say that a PKE scheme PKE with the message space X is IND-CPA secure if it satisfies the following requirement, formalized from the experiment Exp^{ind-cpa}_{PKE,\mathpzcA}(1λ,coin) between an adversary \mathpzcA and a challenger:
1. The challenger runs (ek,dk)←KG(1λ) and sends ek to \mathpzcA.
2. \mathpzcA sends (m0∗,m1∗)∈X2 to the challenger.
3. The challenger generates ct∗←Enc(ek,mcoin∗) and sends ct∗ to \mathpzcA.
4. \mathpzcA outputs a guess coin′ for coin. The challenger outputs coin′ as the final output of the experiment.
For any QPT \mathpzcA, it holds that
[TABLE]
Definition 2.6 (OW-CPA Security).
We say that a PKE scheme PKE with the message space X is OW-CPA secure if it satisfies the following requirement, formalized from the experiment Exp^{ow-cpa}_{PKE,\mathpzcA}(1λ) between an adversary \mathpzcA and a challenger:
1. The challenger runs (ek,dk)←KG(1λ), chooses m∗←X, runs ct∗←Enc(ek,m∗), and sends (ek,ct∗) to \mathpzcA.
2. \mathpzcA sends m′∈X to the challenger.
3. The challenger outputs 1 if m′=m∗ and otherwise 0 as the final output of the experiment.
For any QPT \mathpzcA, it holds that
[TABLE]
It is well-known that IND-CPA security implies OW-CPA security if ∣X∣ is super-polynomial.
Pseudorandom functions.
Definition 2.7 (Puncturable PRF).
A puncturable PRF (PPRF) is a tuple of algorithms PPRF=(PRF.Gen,F,Puncture) where {FK:{0,1}ℓ1→{0,1}ℓ2∣K∈{0,1}λ} is a PRF family and satisfies the following two conditions. Note that ℓ1 and ℓ2 are polynomials of λ.
Punctured correctness:
For any polynomial-size set S⊆{0,1}ℓ1 and any x∈{0,1}ℓ1∖S, it holds that
[TABLE]
Pseudorandom at punctured point:
For any polynomial-size set S⊆{0,1}ℓ1 and any QPT distinguisher \mathpzcA, it holds that
[TABLE]
where K←PRF.Gen(1λ),
K_{∉S}←Puncture(K,S) and Uℓ2 denotes the uniform distribution over {0,1}ℓ2.
If S={x∗} (i.e., puncturing a single point), we simply write F_{≠x∗}(⋅) instead of F_{K_{∉S}}(⋅) and consider F_{≠x∗} as a keyed function.
It is easy to see that the Goldwasser-Goldreich-Micali tree-based construction of PRFs (GGM PRF) [GGM86] from OWFs yields puncturable PRFs where the size of the punctured key grows polynomially with the size of the set S being punctured [BW13, BGI14, KPTZ13]. Thus, we have:
Theorem 2.8.
If OWFs exist, then for any polynomials ℓ1(λ) and ℓ2(λ), there exists a PPRF that maps ℓ1-bits to ℓ2-bits.
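As an added illustration of Definition 2.7 and the GGM-based instantiation (example code, not from the paper), the following Python implements the GGM tree PRF with HMAC-SHA256 standing in for the length-doubling PRG, derives the punctured key K_{∉S} as the set of seeds of the maximal subtrees that avoid every point of S, and exposes an evaluation routine that checks punctured correctness and the polynomial key size. The function names and the use of HMAC-SHA256 as the PRG are assumptions.

```python
from __future__ import annotations

import hashlib
import hmac
import os

SEED_LEN = 32  # λ = 256 bits: seeds, the root key and PRF outputs are 32 bytes (ℓ2 = 256)


def prg(seed: bytes) -> tuple[bytes, bytes]:
    """Length-doubling PRG G(s) = (G_0(s), G_1(s)), modelled by HMAC-SHA256 under the
    seed with a one-byte domain separator (assumption: treated as a PRG)."""
    return (hmac.new(seed, b"\x00", hashlib.sha256).digest(),
            hmac.new(seed, b"\x01", hashlib.sha256).digest())


def bits_of(x: int, n: int) -> tuple[int, ...]:
    """The n-bit input x as a tuple of bits, most significant bit first (ℓ1 = n)."""
    return tuple((x >> (n - 1 - i)) & 1 for i in range(n))


def walk(seed: bytes, path: tuple[int, ...]) -> bytes:
    """Descend the GGM tree from a node seed along the given bit path."""
    for b in path:
        seed = prg(seed)[b]
    return seed


def prf_gen(input_len: int) -> dict:
    """PRF.Gen(1^λ): a fresh uniformly random root seed; input_len plays the role of ℓ1."""
    return {"root": os.urandom(SEED_LEN), "n": input_len}


def prf_eval(key: dict, x: int) -> bytes:
    """F_K(x): the leaf reached by following the bits of x from the root."""
    return walk(key["root"], bits_of(x, key["n"]))


def puncture(key: dict, S: set[int]) -> dict:
    """Puncture(K, S): keep the seed of every maximal subtree that contains no point
    of S.  No retained seed lies on the path to a punctured leaf, which is what makes
    F_K(x*) look random given K_{∉S}; every other leaf lies under exactly one retained
    seed, which gives punctured correctness."""
    n = key["n"]
    punctured_paths = {bits_of(s, n) for s in S}
    retained: dict[tuple[int, ...], bytes] = {}

    def visit(prefix: tuple[int, ...], seed: bytes) -> None:
        if not any(p[: len(prefix)] == prefix for p in punctured_paths):
            retained[prefix] = seed  # this subtree avoids S entirely: keep it whole
            return
        if len(prefix) == n:
            return  # this leaf is a punctured point: drop its seed
        left, right = prg(seed)
        visit(prefix + (0,), left)
        visit(prefix + (1,), right)

    visit((), key["root"])
    return {"nodes": retained, "n": n, "S": frozenset(S)}


def prf_eval_punctured(pkey: dict, x: int) -> bytes | None:
    """F_{K_{∉S}}(x): find the retained subtree containing x and walk down to the leaf.
    Returns None for x in S, where the punctured key carries no information."""
    path = bits_of(x, pkey["n"])
    for prefix, seed in pkey["nodes"].items():
        if path[: len(prefix)] == prefix:
            return walk(seed, path[len(prefix):])
    return None


def punctured_key_size(pkey: dict) -> int:
    """Number of retained seeds: at most n·|S| (one sibling per level per point), so the
    punctured key grows polynomially with |S| as stated above."""
    return len(pkey["nodes"])


if __name__ == "__main__":
    key = prf_gen(8)
    pkey = puncture(key, {3, 200})  # constructed demo set S
    print("retained seeds:", punctured_key_size(pkey))
    print("agree off S:", all(prf_eval_punctured(pkey, x) == prf_eval(key, x)
                              for x in range(256) if x not in {3, 200}))
    print("punctured point hidden:", prf_eval_punctured(pkey, 3) is None)
```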
Garbling schemes.
Definition 2.9 (Garbling schemes).
A garbling scheme GC is a tuple of PPT algorithms GC=(Grbl,GCEval).
Grbl(1λ,C)→({labi,b}i∈[ℓ],b∈{0,1},C̃):
The garbling algorithm takes a security parameter 1λ and a circuit C and outputs labels {labi,b}i∈[ℓ],b∈{0,1} and a garbled version C̃ of the circuit C, where ℓ is the input length of C.
GCEval(C̃,{labi}i∈[ℓ])→z:
The evaluation algorithm GCEval takes the garbled circuit C̃ and labels {labi}i∈[ℓ] and outputs an evaluation result z.
Correctness:
We require that
[TABLE]
holds for all ℓ∈N, x∈{0,1}ℓ and C with input length ℓ,
where xi is the i-th bit of x.
Security:
We require that there exists a PPT algorithm Sim.GC such that the following distributions are computationally indistinguishable for all ℓ∈N, x∈{0,1}ℓ, and circuit C with input length ℓ:
[TABLE]
where Grbl(1λ,C)→({labi,b}i∈[ℓ],b∈{0,1},C̃)
and info(C) refers to the size of C, input and output lengths of C.
We note that we will drop info(C) from the inputs to Sim.GC when it is clear from the context.
Theorem 2.10 ([Yao86, LP09]).
If there exists a one-way function, there exists a secure garbling scheme.
Attribute-based encryption.
Definition 2.11 (Attribute-Based Encryption).
An ABE scheme ABE is a tuple of four PPT algorithms (Setup,KG,Enc,Dec).
Below, let X={Xλ}λ, Y={Yλ}λ, and R={Rλ:Xλ×Yλ→{0,1}}λ be the ciphertext attribute space, key attribute space, and the relation associated with ABE, respectively.
We note that we will abuse the notation and occasionally drop the subscript for these spaces for notational simplicity.
We also note that the message space is set to be {0,1}ℓ below.
Setup(1λ)→(pk,msk):
The setup algorithm takes a security parameter 1λ and outputs a public key pk and master secret key msk.
KG(msk,y)→sky:
The key generation algorithm KG takes a master secret key msk and a key attribute y∈Y, and outputs a decryption key sky.
Enc(pk,x,m)→ct:
The encryption algorithm takes a public key pk, a ciphertext attribute x∈X, and a message m, and outputs a ciphertext ct.
Dec(sky,x,ct)→z:
The decryption algorithm takes a secret key sky, a ciphertext attribute x, and the corresponding ciphertext ct and outputs z∈{⊥}∪{0,1}ℓ.
Correctness:
We require that
[TABLE]
holds for all x∈X and y∈Y such that R(x,y)=1 and m∈{0,1}ℓ.
Definition 2.12 (Adaptive Security for ABE).
We say that ABE is an adaptively secure ABE scheme for relation R:X×Y→{0,1}, if it satisfies the following requirement, formalized from the experiment Exp^{ada-ind}_{\mathpzcA}(1λ,coin) between an adversary \mathpzcA and a challenger:
1. The challenger runs (pk,msk)←Setup(1λ) and sends pk to \mathpzcA.
2. \mathpzcA sends arbitrary key queries. That is, \mathpzcA sends a key attribute y∈Y to the challenger and the challenger responds with sky←KG(msk,y) for the query.
3. At some point, \mathpzcA sends (x,m0,m1) to the challenger. If R(x,y)=0 for all queried y, the challenger generates a ciphertext ct∗←Enc(pk,x,mcoin). The challenger sends ct∗ to \mathpzcA.
4. Again, \mathpzcA can send key queries y such that R(x,y)=0.
5. \mathpzcA outputs a guess coin′ for coin.
6. The experiment outputs coin′.
We say that ABE is adaptively secure if, for any QPT \mathpzcA, it holds that
[TABLE]
Definition 2.13 (Selective Security for ABE).
We also define selective security for ABE. For doing so, we consider the same security game as that for adaptive security except that the adversary \mathpzcA should declare its target x at the beginning of the game (even before it is given pk).
We then define the advantage Adv^{sel-ind}_{ABE,\mathpzcA}(λ) for the selective security similarly. We say ABE is selectively indistinguishably-secure if for any QPT adversary \mathpzcA, Adv^{sel-ind}_{ABE,\mathpzcA}(λ) is negligible.
By setting X, Y, and R appropriately, we can recover important classes of ABE.
In particular, if we set Xλ=Yλ={0,1}∗ and define R so that R(x,y)=1 if x=y and R(x,y)=0 otherwise, we recover the definition of identity-based encryption (IBE).
If we set Xλ={0,1}n(λ) and Yλ to be the set of all circuits with input space {0,1}n(λ) and depth at most d(λ), where n and d are some polynomials, and define R so that R(x,y)=y(x), we recover the definition of ABE for circuits.
Secret-key functional encryption.
Definition 2.14 (Secret-Key Functional Encryption).
An SKFE scheme SKFE is a tuple of four PPT algorithms (Setup,KG,Enc,Dec).
Below, let X, Y, and F be the plaintext, output, and function spaces of SKFE, respectively.
Setup(1λ)→msk:
The setup algorithm takes a security parameter 1λ, and outputs a master secret key msk.
KG(msk,f)→skf:
The key generation algorithm takes a master secret key msk and a function f∈F, and outputs a functional decryption key skf.
Enc(msk,x)→ct:
The encryption algorithm takes a master secret key msk and a plaintext x∈X, and outputs a ciphertext ct.
Dec(skf,ct)→y:
The decryption algorithm takes a functional decryption key skf and a ciphertext ct, and outputs y∈{⊥}∪Y.
Correctness:
We require that for every x∈X, f∈F, q∈N, we have that
[TABLE]
Definition 2.15 (Function Privacy).
We formalize the experiment Exp^{full-fp}_{\mathpzcA,SKFE}(1λ,coin) between an adversary \mathpzcA and a challenger for an SKFE scheme for X, Y, and F as follows:
1. At the beginning, the challenger runs msk←Setup(1λ). Throughout the experiment, \mathpzcA can access the following oracles.
OEnc(x0,x1):
Given (x0,x1), it returns Enc(msk,xcoin).
OKG(f0,f1):
Given (f0,f1), it returns KG(msk,fcoin).
2. If the following happens during the oracle queries above, the experiment aborts: f0(x0)≠f1(x1) or |x0|≠|x1| or |f0|≠|f1|.
3. \mathpzcA outputs a guess coin′ for coin. The challenger outputs coin′ as the final output of the experiment.
We say that SKFE is fully function private if, for any QPT \mathpzcA, it holds that
[TABLE]
If \mathpzcA can access OEnc only once in Exp^{full-fp}_{SKFE,\mathpzcA}, we say that SKFE is adaptively single-ciphertext function private.
Public-key functional encryption.
A PKFE scheme PKFE is a tuple of four PPT algorithms (Setup,KG,Enc,Dec).
Below, let X, Y, and F be the plaintext, output, and function spaces of PKFE, respectively.
Setup(1λ)→(pk,msk):
The setup algorithm takes a security parameter 1λ and outputs a public key pk and master secret key msk.
KG(msk,f)→skf:
The key generation algorithm KG takes a master secret key msk and a function f∈F, and outputs a functional decryption key skf.
Enc(pk,x)→ct:
The encryption algorithm takes a public key pk and a message x∈X, and outputs a ciphertext ct.
Dec(skf,ct)→y:
The decryption algorithm takes a functional decryption key skf and a ciphertext ct, and outputs y∈{⊥}∪Y.
Correctness:
We require that
[TABLE]
Definition 2.18 (Adaptive Security for PKFE).
We formalize the experiment Exp^{ada-ind}_{\mathpzcA}(1λ,coin) between an adversary \mathpzcA and a challenger for a PKFE scheme for X, Y, and F as follows:
1. The challenger runs (pk,msk)←Setup(1λ) and sends pk to \mathpzcA.
2. \mathpzcA sends arbitrary key queries. That is, \mathpzcA sends a function fi∈F to the challenger and the challenger responds with skfi←KG(msk,fi) for the i-th query fi.
3. At some point, \mathpzcA sends (x0,x1) to the challenger. If fi(x0)=fi(x1) for all i, the challenger generates a ciphertext ct∗←Enc(pk,xcoin). The challenger sends ct∗ to \mathpzcA.
4. Again, \mathpzcA can send function queries fi such that fi(x0)=fi(x1).
5. \mathpzcA outputs a guess coin′ for coin.
6. The experiment outputs coin′.
We say that PKFE is adaptively secure if, for any QPT \mathpzcA, it holds that
[TABLE]
If \mathpzcA can send only q key queries in Exp^{ada-ind}_{PKFE,\mathpzcA}, where q is a bounded polynomial, we say that PKFE is q-bounded adaptively secure.
Theorem 2.19.
If there exists IND-CPA secure PKE, there exists q-bounded adaptively secure PKFE for P/poly.
Remark 2.20.
We defined FE as key-policy FE (KPFE) here. There is another type of FE called ciphertext-policy FE (CPFE). Since we use CPFE only as a building block of the CoIC-KLA secure PKE scheme in Section 4, we defer its definition to Section 4.1.
2.2 Useful Lemmata
The following lemma is taken verbatim from [BZ13, Lemma 2.1].
Lemma 2.21.
Let \mathpzcA be a quantum algorithm, and let Pr[x] be the probability that \mathpzcA outputs x. Let \mathpzcA′ be another quantum algorithm obtained from \mathpzcA by pausing \mathpzcA at an arbitrary stage of execution, performing a partial measurement that obtains one of k outcomes, and then resuming \mathpzcA. Let Pr′[x] be the probability that \mathpzcA′ outputs x. Then Pr′[x]≥Pr[x]/k.
We will also need the quantum Goldreich-Levin lemma established by [CLLZ21] based on [AC02].
Lemma 2.22.
There exists a QPT algorithm Ext that satisfies the following.
Let n∈N, x∈{0,1}^n, ϵ∈[0,1/2], and let 𝒜 be a quantum algorithm with a quantum auxiliary input aux such that
[TABLE]
Then, we have
[TABLE]
where [𝒜] means the description of 𝒜.
3 Public Key Encryption with Secure Key Leasing
In this section, we define the notion of public key encryption with secure key leasing (PKE-SKL) and its various security notions. Then we show several general relationships among those security notions.
3.1 Definitions
The syntax of PKE-SKL is defined as follows.
Definition 3.1 (PKE with Secure Key Leasing).
A PKE-SKL scheme SKL is a tuple of four algorithms (KG,Enc,Dec,Vrfy); KG, Dec, and Vrfy are quantum algorithms, and the decryption key dk is a quantum state.
Below, let X be the message space of SKL.
KG(1^λ)→(ek,dk,vk):
The key generation algorithm takes a security parameter 1^λ, and outputs an encryption key ek, a decryption key dk, and a verification key vk.
Enc(ek,m)→ct:
The encryption algorithm takes an encryption key ek and a message m∈X, and outputs a ciphertext ct.
Dec(dk,ct)→m~:
The decryption algorithm takes a decryption key dk and a ciphertext ct, and outputs a value m~.
Vrfy(vk,dk)→⊤/⊥:
The verification algorithm takes a verification key vk and a (possibly malformed) decryption key dk, and outputs ⊤ or ⊥.
Decryption correctness:
For every m∈X, we have
[TABLE]
Verification correctness:
We have
[TABLE]
Remark 3.2.
We can assume without loss of generality that a decryption key of a PKE-SKL scheme is reusable, i.e., it can be reused to decrypt (polynomially) many ciphertexts. In particular, we can assume that, for honestly generated ct and dk, if we decrypt ct by using dk, the state of the decryption key after the decryption is negligibly close to that before the decryption in terms of trace distance.
This is because the output of the decryption is almost deterministic by decryption correctness, and thus such an operation can be done almost without disturbing the input state by the gentle measurement lemma [Win99].
A similar remark applies to all variants of PKE-SKL (IBE, ABE, and FE with SKL) defined in this paper.
Remark 3.3.
Though we are the first to define PKE with secure key leasing, SKFE with secure key leasing was already defined by Kitagawa and Nishimaki [KN22a].
The above definition is a natural adaptation of their definition with the important difference that we do not require a classical certificate of deletion.
We define several security notions for PKE-SKL.
The first is a natural indistinguishability security definition, which is our primary target.
Definition 3.4 (IND-KLA Security).
We say that a PKE-SKL scheme SKL with the message space X is IND-KLA secure, if it satisfies the following requirement, formalized from the experiment Exp^{ind-kla}_{SKL,𝒜}(1^λ,coin) between an adversary 𝒜 and a challenger 𝒞:
1. 𝒞 runs (ek,dk,vk)←KG(1^λ) and sends ek and dk to 𝒜.
2. Throughout the experiment, 𝒜 can access the following (stateful) verification oracle O_Vrfy where V is initialized to be ⊥:
O_Vrfy(dk):
It runs d←Vrfy(vk,dk) and returns d. If V=⊥ and d=⊤, it updates V:=⊤.
3. 𝒜 sends (m0∗,m1∗)∈X^2 to 𝒞. If V=⊥, 𝒞 outputs 0 as the final output of this experiment. Otherwise, 𝒞 generates ct∗←Enc(ek,mcoin∗) and sends ct∗ to 𝒜.
4. 𝒜 outputs a guess coin′ for coin. 𝒞 outputs coin′ as the final output of the experiment.
For any QPT 𝒜, it holds that
[TABLE]
We say that SKL is 1-query IND-KLA secure if the above holds for any QPT 𝒜 that makes at most one query to O_Vrfy.
Remark 3.5.
When we consider a 1-query adversary, we can assume that its query is made before receiving the challenge ciphertext ct∗ without loss of generality. This is because otherwise the experiment always outputs 0.
Remark 3.6.
By a standard hybrid argument, one can show that IND-KLA security implies multi-challenge IND-KLA security where the adversary is allowed to request arbitrarily many challenge ciphertexts. Thus, if we have an IND-KLA secure PKE-SKL scheme for single-bit messages, we can extend the plaintext length to an arbitrary polynomial by bit-by-bit encryption.
We also define the one-way variant of the above security.
Definition 3.7 (OW-KLA Security).
We say that a PKE-SKL scheme SKL with the message space X is OW-KLA secure, if it satisfies the following requirement, formalized from the experiment Exp^{ow-kla}_{SKL,𝒜}(1^λ) between an adversary 𝒜 and a challenger 𝒞:
1. 𝒞 runs (ek,dk,vk)←KG(1^λ) and sends ek and dk to 𝒜.
2. Throughout the experiment, 𝒜 can access the following (stateful) verification oracle O_Vrfy where V is initialized to be ⊥:
O_Vrfy(dk):
It runs d←Vrfy(vk,dk) and returns d. If V=⊥ and d=⊤, it updates V:=⊤.
3. 𝒜 sends RequestChallenge to 𝒞. If V=⊥, 𝒞 outputs 0 as the final output of this experiment. Otherwise, 𝒞 chooses m∗←X, generates ct∗←Enc(ek,m∗), and sends ct∗ to 𝒜.
4. 𝒜 outputs m. 𝒞 outputs 1 if m=m∗ and otherwise outputs 0 as the final output of the experiment.
For any QPT 𝒜, it holds that
[TABLE]
We say that SKL is 1-query OW-KLA secure if the above holds for any QPT 𝒜 that makes at most one query to O_Vrfy.
Similar to normal PKE, IND-KLA security implies OW-KLA security if ∣X∣ is super-polynomial in λ.
Finally, we define a security notion which we call one-more unreturnability (OMUR), which requires that an adversary given a single copy of the decryption key cannot pass the verification more than once. Though this does not seem very meaningful by itself, it is a useful intermediate tool for our final goal of constructing an IND-KLA secure scheme.
Definition 3.8 (One-More Unreturnability).
We say that a PKE-SKL scheme SKL with the message space X satisfies One-More UnReturnability (OMUR), if it satisfies the following requirement, formalized from the experiment Expt^{omur}_{SKL,𝒜}(1^λ) between an adversary 𝒜 and a challenger 𝒞:
1. 𝒞 runs (ek,dk,vk)←KG(1^λ) and sends ek and dk to 𝒜.
2. Throughout the experiment, 𝒜 can access the following (stateful) verification oracle O_Vrfy where count is initialized to be 0:
O_Vrfy(dk):
It runs d←Vrfy(vk,dk) and returns d. It updates count:=count+1 if d=⊤.
3. 𝒜 sends Finish to 𝒞. If count≥2, 𝒞 outputs 1, and 0 otherwise, as the final output of this experiment.
For any QPT 𝒜, it holds that
[TABLE]
3.2 Relationships among Security Notions
We show several relationships among different security notions for PKE-SKL. In particular, we show the following theorem.
Theorem 3.9.
If there exists a 1-query OW-KLA secure PKE-SKL scheme, there exists an IND-KLA secure PKE-SKL scheme.
This theorem simplifies our task: for constructing a (poly-query) IND-KLA secure scheme, it suffices to construct a 1-query OW-KLA secure scheme.
We construct a 1-query OW-KLA secure scheme in Section 5.
We prove Theorem 3.9 in the following three steps.
1. Give a conversion to add OMUR to any 1-query OW-KLA secure scheme (Lemma 3.10).
2. Convert a 1-query OW-KLA secure scheme that satisfies OMUR to a 1-query IND-KLA secure scheme that satisfies OMUR (Lemma 3.12).
3. Show that any 1-query IND-KLA secure scheme that satisfies OMUR is IND-KLA secure (Lemma 3.14).
Lemma 3.10.
If there exists a 1-query OW-KLA secure PKE-SKL scheme, then there exists a 1-query OW-KLA secure PKE-SKL scheme that satisfies OMUR.
Remark 3.11.
This lemma is actually not needed for the purpose of this paper since our construction of a 1-query OW-KLA secure PKE-SKL scheme in Section 5 already satisfies OMUR as mentioned in Remark 5.7. We include this lemma in the paper because this general reduction may be useful in future works.
Proof.
Let OW=(OW.KG,OW.Enc,OW.Dec,OW.Vrfy) be a 1-query OW-KLA secure PKE-SKL scheme with the message space X. We assume that a decryption key of OW is reusable in the sense of Remark 3.2 and that vk contains ek, without loss of generality.
Then we consider a modified PKE-SKL scheme OW′=(OW′.KG,OW′.Enc,OW′.Dec,OW′.Vrfy) with the same message space X defined as follows.
The algorithms OW′.KG, OW′.Enc, and OW′.Dec are identical to OW.KG, OW.Enc, and OW.Dec, respectively. The algorithm OW′.Vrfy works as follows:
OW′.Vrfy(vk,dk):
On input a verification key vk and a (possibly malformed) decryption key dk, do the following:
Decryptability verification:
Choose m←X and run ct←Enc(ek,m) and m′←Dec(dk,ct). If m′=m, return ⊥.
Original verification:
Otherwise, let dk′ be the state of the decryption key after running the decryption algorithm. Run OW.Vrfy(vk,dk′) and return whatever OW.Vrfy returns.
Correctness.
The decryption correctness of OW′ follows from that of OW because the only difference between these schemes is the verification algorithm, which is irrelevant to the decryption correctness.
The verification correctness of OW′ follows from that of OW because we assume that OW has reusable decryption keys, and thus dk′ in OW′.Vrfy has a negligible trace distance from dk, which passes OW.Vrfy except with negligible probability by the verification correctness of OW.
1-query OW-KLA security.
The 1-query OW-KLA security of OW′ follows from that of OW by a straightforward reduction. Specifically, let 𝒜 be a QPT adversary that breaks the 1-query OW-KLA security of OW′. Then, we construct a QPT adversary ℬ that breaks the 1-query OW-KLA security of OW as follows:
ℬ(ek,dk):
Run 𝒜(ek,dk) until 𝒜 makes a verification query dk. To simulate the verification oracle for 𝒜, choose m←X, run ct←Enc(ek,m) and m′←Dec(dk,ct), and let dk′ be the state of the decryption key after running the decryption algorithm. If m′=m, output 0 and immediately halt. Otherwise, query dk′ to its own verification oracle, and forward the response to 𝒜.
When 𝒜 sends RequestChallenge, forward it to the external challenger to receive ct∗ and forward it to 𝒜. Run 𝒜 until it halts and output whatever 𝒜 outputs.
We can see that the experiment which ℬ plays outputs 1 if and only if the (simulated) experiment which 𝒜 plays outputs 1. Therefore, ℬ breaks the 1-query OW-KLA security of OW. Thus, the 1-query OW-KLA security of OW′ follows from that of OW.
OMUR.
In the following, we show that OW′ satisfies OMUR. Let 𝒜 be a QPT adversary against the OMUR of OW′ that makes Q=poly(λ) verification queries. Then we consider the following sequence of hybrids.
Hyb0:
This is identical to the experiment Expt^{omur}_{OW′,𝒜}(1^λ) as defined in Definition 3.8.
Note that we have
[TABLE]
Hyb1:
This is identical to Hyb0 except that the challenger uniformly chooses integers 1≤i1<i2≤Q at the beginning of the experiment and outputs 1 if and only if the i1-th and i2-th verification queries are the first two queries to which the verification oracle returned ⊤.
Whenever Hyb0 returns 1, there are at least 2 verification queries accepted by the verification oracle.
Therefore, when we uniformly choose 1≤i1<i2≤Q, the probability that the i1-th and i2-th queries are the first two queries to be accepted is \binom{Q}{2}^{-1}=2/(Q(Q−1)). Therefore we have
[TABLE]
Hyb2:
This is identical to Hyb1 except that the verification oracle just returns ⊥ without running the verification algorithm to the i-th query for all i∈[i2−1]∖{i1}, and the experiment halts right after running the verification oracle for the i2-th query, where it outputs 1 if and only if the verification oracle returned ⊤ to both the i1-th and i2-th queries.
When Hyb1 returns 1, the verification oracle returns ⊥ to the i-th query for all i∈[i2−1]∖{i1}, since otherwise the i1-th and i2-th queries cannot be the first 2 queries to be accepted. Therefore, these hybrids are identical until 𝒜 makes the i2-th query when Hyb1 returns 1. (Footnote 9: Note that there is a superficial difference in that the verification oracle of Hyb1 runs the verification algorithm on the i-th query for all i∈[i2−1]∖{i1} but that of Hyb2 does not. However, since these query registers are not used at all for generating the output of Hyb2, whether or not measurements are applied to them cannot affect the probability of outputting 1.)
Moreover, Hyb2 outputs 1 whenever Hyb1 outputs 1 if we run the rest of 𝒜 to complete Hyb1. Therefore, we have
[TABLE]
Hyb3:
This is identical to Hyb2 except that the experiment outputs 1 if and only if the i1-th query is accepted and the i2-th query passes the “Decryptability verification” part of OW′.Vrfy, i.e., m=m′ in the notation of the description of OW′.Vrfy.
Since the condition to output 1 is just relaxed, we have
[TABLE]
Below, we prove
[TABLE]
To prove this, we consider the following QPT adversary ℬ against the 1-query OW-KLA security of OW that works as follows:
ℬ(ek,dk):
Uniformly choose integers 1≤i1<i2≤Q and run 𝒜(ek,dk) until it makes the i2-th query, where the response by the verification oracle to 𝒜’s i-th query for i∈[i2−1] is simulated as follows: If i≠i1, return ⊥ as the response from the verification oracle. If i=i1, forward the query to its own verification oracle and forward the response to 𝒜. Let dk_{i2} be 𝒜’s i2-th verification query.
Send RequestChallenge to the external challenger to receive ct∗. Run m′←OW.Dec(dk_{i2},ct∗) and output m′.
By the definitions of Hyb3 and \mathpzcB, we can see that
[TABLE]
Thus, we have Pr[Hyb3=1]=negl(λ) by the 1-query OW-KLA security of OW.
Combining the above, we have Adv^{omur}_{OW′,𝒜}(λ)=negl(λ), which means that OW′ satisfies OMUR. This completes the proof of Lemma 3.10.
∎
Lemma 3.12.
If there exists a 1-query OW-KLA secure PKE-SKL scheme, then there exists a 1-query IND-KLA secure PKE-SKL scheme. Moreover, if the base scheme satisfies OMUR, then the resulting scheme satisfies OMUR.
Proof.
Let OW=(OW.KG,OW.Enc,OW.Dec,OW.Vrfy) be a 1-query OW-KLA secure PKE-SKL scheme with the message space {0,1}^n that satisfies OMUR. Then, we construct an IND-KLA secure PKE-SKL scheme IND=(IND.KG,IND.Enc,IND.Dec,IND.Vrfy) with the message space {0,1} as follows.
IND.KG(1^λ)→(ek,dk,vk):
On input the security parameter 1^λ, run (ek,dk,vk)←OW.KG(1^λ) and output (ek,dk,vk).
IND.Enc(ek,m)→IND.ct:
On input an encryption key ek and a message m∈{0,1}, choose r,x←{0,1}^n, generate OW.ct←OW.Enc(ek,x), set b:=(x⋅r)⊕m, and output a ciphertext IND.ct:=(OW.ct,r,b).
IND.Dec(dk,IND.ct)→m~:
On input a decryption key dk and a ciphertext IND.ct=(OW.ct,r,b), compute x~←OW.Dec(dk,OW.ct) and output m~:=(x~⋅r)⊕b.
IND.Vrfy(vk,dk)→⊤/⊥:
On input a verification key vk and a (possibly malformed) decryption key dk, run OW.Vrfy(vk,dk) and output whatever OW.Vrfy outputs.
The decryption correctness and verification correctness of IND immediately follow from those of OW.
The OMUR of IND immediately follows from that of OW since their key generation and verification algorithms are identical and the definition of OMUR only depends on these algorithms.
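The two wrappers above, OW′.Vrfy from the proof of Lemma 3.10 and the bit-encryption scheme IND from Lemma 3.12, as an added Python model that is not part of the paper: the base scheme OW is replaced by a constructed classical stand-in (ToyOW, whose `returned` flag stands in for the quantum key losing its decryption power once handed back) that only supplies the (KG, Enc, Dec, Vrfy) interface and has no key-leasing security of its own; the message length N is likewise a constructed parameter.

```python
import secrets

N = 16  # n: byte length of the OW message space {0,1}^n (constructed parameter)


class ToyKey:
    """Classical stand-in for the quantum decryption key dk (constructed).

    The paper's quantum key loses its decryption power once it is returned;
    this toy models that with a flag and is not the Section 5 construction.
    """

    def __init__(self, secret: bytes):
        self.secret = secret
        self.returned = False


class ToyOW:
    """Constructed stand-in for the 1-query OW-KLA scheme OW.

    It supplies only the (KG, Enc, Dec, Vrfy) interface the wrappers need.
    Because ek equals the secret it has no real security of any kind.
    """

    @staticmethod
    def kg():
        secret = secrets.token_bytes(N)
        dk = ToyKey(secret)
        vk = {"ek": secret}          # vk contains ek, as assumed in Lemma 3.10
        return secret, dk, vk

    @staticmethod
    def enc(ek: bytes, x: bytes) -> bytes:
        return bytes(a ^ b for a, b in zip(ek, x))

    @staticmethod
    def dec(dk: ToyKey, ct: bytes) -> bytes:
        if dk.returned:              # a returned key can only guess
            return secrets.token_bytes(N)
        return bytes(a ^ b for a, b in zip(dk.secret, ct))

    @staticmethod
    def vrfy(vk: dict, dk: ToyKey) -> bool:
        # Toy verification: accept (⊤) iff the leased key has been handed back.
        return dk.secret == vk["ek"] and dk.returned


def ow_prime_vrfy(vk: dict, dk: ToyKey) -> bool:
    """OW'.Vrfy from Lemma 3.10: decryptability check, then OW.Vrfy."""
    m = secrets.token_bytes(N)                      # m ← X
    ct = ToyOW.enc(vk["ek"], m)
    m_prime = ToyOW.dec(dk, ct)
    if m_prime == m:                                # key still decrypts: reject
        return False
    return ToyOW.vrfy(vk, dk)                       # dk' is dk after the Dec run


def inner_product(x: bytes, r: bytes) -> int:
    """x·r over GF(2): the parity of the number of set bits in x AND r."""
    v = int.from_bytes(bytes(a & b for a, b in zip(x, r)), "big")
    return bin(v).count("1") & 1


def ind_enc(ek: bytes, m: int) -> tuple:
    """IND.Enc from Lemma 3.12: hide the bit m under the hard-core bit x·r."""
    if m not in (0, 1):
        raise ValueError("IND encrypts single bits")
    r = secrets.token_bytes(N)
    x = secrets.token_bytes(N)
    ow_ct = ToyOW.enc(ek, x)                        # OW.ct ← OW.Enc(ek, x)
    b = inner_product(x, r) ^ m                     # b := (x·r) ⊕ m
    return ow_ct, r, b


def ind_dec(dk: ToyKey, ct: tuple) -> int:
    """IND.Dec from Lemma 3.12: recover x with OW.Dec, then unmask b."""
    ow_ct, r, b = ct
    x_tilde = ToyOW.dec(dk, ow_ct)
    return inner_product(x_tilde, r) ^ b


def enc_bits(ek: bytes, bits: list) -> list:
    """Bit-by-bit extension to multi-bit messages (Remark 3.6)."""
    return [ind_enc(ek, m) for m in bits]


def dec_bits(dk: ToyKey, cts: list) -> list:
    return [ind_dec(dk, ct) for ct in cts]


def lease_and_return_demo():
    """Lease a key, decrypt, return it, and re-run both checks."""
    ek, dk, vk = ToyOW.kg()
    msg = [1, 0, 1, 1, 0]                           # constructed plaintext bits
    cts = enc_bits(ek, msg)
    before = {"decrypts": dec_bits(dk, cts) == msg,
              "vrfy": ow_prime_vrfy(vk, dk)}        # ⊥: key can still decrypt
    dk.returned = True                              # the user returns the key
    after = {"decrypts": dec_bits(dk, cts) == msg,  # now correct only by chance
             "vrfy": ow_prime_vrfy(vk, dk)}         # ⊤: returned key accepted
    return before, after


if __name__ == "__main__":
    print(lease_and_return_demo())
```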
In the following, we prove that IND is IND-KLA secure assuming that OW is OW-KLA secure.
Toward contradiction, suppose that IND is not IND-KLA secure. Then, there is a QPT adversary 𝒜 such that Adv^{ind-kla}_{IND,𝒜}(λ) is non-negligible. Without loss of generality, we assume that
[TABLE]
for a non-negligible ϵ(λ). Since IND is a bit encryption, we assume that the challenge message pair (m0,m1) is (0,1) without loss of generality.
We divide 𝒜 into the following two stages 𝒜0 and 𝒜1:
ℬ0(ek,dk)→st𝒜:
This is identical to 𝒜0. Specifically, run st𝒜←𝒜0^{O_Vrfy}(ek,dk) and output st𝒜.
ℬ1(st𝒜,OW.ct)→x:
Upon receiving st𝒜 from ℬ0, send RequestChallenge to 𝒞 and receive OW.ct from 𝒞. Then set aux:=(st𝒜,OW.ct) and define an algorithm 𝒜′ as follows.
𝒜′(aux,r):
On input aux=(st𝒜,OW.ct) and r∈{0,1}^n, choose b←{0,1}, set IND.ct=(OW.ct,r,b), run coin′←𝒜1(st𝒜,IND.ct), and output coin′⊕b.
Run x←Ext([𝒜′],aux), and output x, where Ext is the algorithm as in Lemma 2.22 and [𝒜′] is the description of 𝒜′.
In the following, we show that ℬ breaks the OW-KLA security of OW.
Let 𝒢 be an algorithm that works as follows.
𝒢(1^λ):
Generate (ek,dk,vk)←OW.KG(1^λ), st𝒜←𝒜0^{O_Vrfy}(ek,dk), x←{0,1}^n, and OW.ct←OW.Enc(ek,x). Let V:=⊤ if the response to 𝒜0’s query (which is assumed to be made once) is ⊤ and V:=⊥ otherwise. Output (V,st𝒜,OW.ct,x).
By Equation 33 and a standard averaging argument, for at least a 2ϵ(λ)/Pr[V=⊤]-fraction of (V,st𝒜,OW.ct,x) generated by 𝒢(1^λ) conditioned on V=⊤, we have
[TABLE]
where coin←{0,1},
r←{0,1}n,
b:=(x⋅r)⊕coin, and
IND.ct=(OW.ct,r,b).
Therefore, for at least a 2ϵ(λ)-fraction of (V,st𝒜,OW.ct,x) generated by 𝒢(1^λ), we have
[TABLE]
where coin←{0,1},
r←{0,1}n,
b:=(x⋅r)⊕coin, and
IND.ct=(OW.ct,r,b).
For such (V,st𝒜,OW.ct,x), if we let aux=(st𝒜,OW.ct), Equation 35 directly implies
Since Equation 37 and V=⊤ hold at the same time for at least a 2ϵ(λ)-fraction of (V,st𝒜,OW.ct,x), we have
[TABLE]
By the definitions of ℬ=(ℬ0,ℬ1) and 𝒢 and the assumption that ϵ(λ) is non-negligible, this implies that ℬ breaks the OW-KLA security of OW.
∎
Remark 3.13 (On Multiple-Query Case).
In the above reduction, it is important that 𝒜1 can be assumed not to make any verification query, because otherwise we cannot apply the quantum Goldreich-Levin theorem (Lemma 2.22). In the 1-query setting, this can be assumed without loss of generality by Remark 3.5. In the multiple-query setting, we cannot assume it in general. If we assume that the base scheme satisfies OMUR, we can assume it without loss of generality because post-challenge verification queries are useless for such schemes. However, we do not know how to resolve the issue in the multiple-query setting without relying on OMUR.
Lemma 3.14.
If a PKE-SKL scheme is 1-query IND-KLA secure and satisfies OMUR, then it is IND-KLA secure.
Proof.
Let SKL=(KG,Enc,Dec,Vrfy) be a 1-query IND-KLA secure PKE-SKL scheme that satisfies OMUR.
For a QPT adversary 𝒜 against the IND-KLA security of SKL that makes Q=poly(λ) verification queries and for coin∈{0,1}, we consider the following sequence of hybrids.
Hyb_0^coin:
This is identical to Exp^{ind-kla}_{SKL,𝒜}(1^λ,coin).
Note that our goal is to prove
[TABLE]
Hyb_1^coin:
This is identical to Hyb_0^coin except that the verification oracle returns ⊥ to all queries made after it returns ⊤ once.
By the OMUR of SKL, we have
[TABLE]
for coin∈{0,1}.
Hyb_2^coin:
This is identical to Hyb_1^coin except that the challenger chooses i∗←[Q] at the beginning of the game, the verification oracle just returns ⊥ without running the verification algorithm to the i-th query for i≠i∗, and the experiment returns 0 if the verification oracle returns ⊥ to the i∗-th query.
Note that there is exactly one verification query to be accepted in Hyb_1^coin whenever it returns 1. If i∗ is the correct guess for such a query, which occurs with probability 1/Q, then Hyb_2^coin is identical to Hyb_1^coin. (Footnote 11: A similar remark to Footnote 9 applies here.)
Moreover, Hyb_2^coin outputs 0 when the guess is incorrect.
Therefore, we have
[TABLE]
Below, we prove
[TABLE]
To prove this, we consider a QPT adversary ℬ against the 1-query IND-KLA security of SKL that works as follows.
ℬ(ek,dk):
Choose i∗←[Q] and run 𝒜(ek,dk), where the i∗-th query is forwarded to its own verification oracle and answered according to the response from the oracle, while all the other queries are answered by ⊥.
When 𝒜 sends (m0∗,m1∗), forward it to the external challenger, receive ct∗ from the challenger, and forward it to 𝒜.
Finally, output whatever 𝒜 outputs.
By the definitions of ℬ and Hyb_2^coin, one can see that
In this section, we introduce a new security notion called CoIC-KLA security for PKE, and construct a PKE scheme that satisfies it based on any IND-CPA secure PKE scheme. Looking ahead, it is used as a building block of our construction of PKE-SKL in Section 5.
4.1 Tools
We first introduce some tools used in this section.
Measurement Implementation.
We review some notions related to measurement implementations used in the definition and the security proof of CoIC-KLA security.
Definition 4.1 (Projective Implementation).
Let:
• D be a finite set of distributions over an index set I.
• P={Pi}i∈I be a positive operator valued measure (POVM).
• E={ED}D∈D be a projective measurement with index set D.
We consider the following measurement procedure.
1. Measure under the projective measurement E and obtain a distribution D.
2. Output a random sample from the distribution D.
We say E is the projective implementation of P, denoted by ProjImp(P), if the measurement process above is equivalent to P.
Any binary outcome POVM P=(P,I−P) has a unique projective implementation ProjImp(P).
Definition 4.3 (Shift Distance).
For two distributions D0,D1, the shift distance with parameter ϵ, denoted by ΔShift_ϵ(D0,D1), is the smallest quantity δ such that for all x∈R:
[TABLE]
For two real-valued measurements M and N over the same quantum system, the shift distance between M and N with parameter ϵ is
[TABLE]
Definition 4.4 (Mixture of Projective Measurement [Zha20]).
Let D:R→I where R and I are some sets.
Let {(Pi,Qi)}i∈I be a collection of binary projective measurements.
The mixture of projective measurements associated to R, I, D, and {(Pi,Qi)}i∈I is the binary POVM PD=(PD,QD) defined as follows.
Let D be any probability distribution and P={(Πi,I−Πi)}i be a collection of binary outcome projective measurements. For any 0<ϵ,δ<1, there exists a measurement algorithm API^{ϵ,δ}_{P,D} that satisfies the following.
• ΔShift_ϵ(API^{ϵ,δ}_{P,D},ProjImp(PD))≤δ.
• API^{ϵ,δ}_{P,D} is (ϵ,δ)-almost projective in the following sense. For any quantum state ∣ψ⟩, we apply API^{ϵ,δ}_{P,D} twice in a row to ∣ψ⟩ and obtain measurement outcomes x and y, respectively. Then, Pr[|x−y|≤ϵ]≥1−δ.
• API^{ϵ,δ}_{P,D} is (ϵ,δ)-reverse almost projective in the following sense. For any quantum state ∣ψ⟩, we apply API^{ϵ,δ}_{P,D} and API^{ϵ,δ}_{P^rev,D} in a row to ∣ψ⟩ and obtain measurement outcomes x and y, respectively, where P^rev={(I−Πi,Πi)}i. Then, Pr[|(1−x)−y|≤ϵ]≥1−δ.
• The expected running time of API^{ϵ,δ}_{P,D} is T_{P,D}⋅poly(1/ϵ,log(1/δ)), where T_{P,D} is the combined running time of D, the procedure mapping i→(Pi,I−Pi), and the running time of the measurement (Pi,I−Pi).
Let q be an efficiently constructible, potentially mixed state, and let D0,D1 be efficiently sampleable distributions. If D0 and D1 are computationally indistinguishable, then for any inverse polynomial ϵ and any function δ, we have ΔShift_{3ϵ}(API^{ϵ,δ}_{P,D0}(q),API^{ϵ,δ}_{P,D1}(q))≤2δ+negl(λ).
Definition 4.7 (Quantum Program with Classical Inputs and Outputs [ALL+21]).
A quantum program with classical inputs is a pair of a quantum state q and unitaries {Ux}x∈[N], where [N] is the domain, such that the state of the program evaluated on input x is equal to Ux q Ux†. We measure the first register of Ux q Ux† to obtain an output. We say that {Ux}x∈[N] has a compact classical description U when applying Ux can be efficiently computed given U and x.
Ciphertext-Policy Functional Encryption.
We review the definition of ciphertext-policy functional encryption (CPFE) that we use as the building block of our CoIC-KLA secure PKE scheme.
A CPFE scheme for the circuit space C and the input space X is a tuple of algorithms (Setup,KG,Enc,Dec).
•
The setup algorithm Setup takes as input a security parameter 1λ, and outputs a master public key MPK and master secret key MSK.
•
The key generation algorithm KG takes as input the master secret key MSK and x∈X, and outputs a decryption key skx.
•
The encryption algorithm Enc takes as input the master public key MPK and C∈C, and outputs a ciphertext ct.
•
The decryption algorithm Dec takes as input a functional decryption key skx and a ciphertext ct, and outputs y.
Decryption Correctness:
We require Dec(KG(MSK,x),Enc(MPK,C))=C(x) for every C∈C, x∈X, and (MPK,MSK)←Setup(1λ).
Next, we introduce 1-bounded security for CPFE schemes.
Definition 4.9 (1-Bounded Security).
Let CPFE be a CPFE scheme. We define the game Expt^{1-bounded}_{𝒜,CPFE}(λ,coin) as follows.
1. The challenger generates (MPK,MSK)←Setup(1^λ) and sends MPK to 𝒜. 𝒜 sends x∈X to the challenger. The challenger generates skx←KG(MSK,x) and sends skx to 𝒜.
2. 𝒜 outputs (C0,C1) such that C0(x)=C1(x) and C0 and C1 have the same size. The challenger picks coin←{0,1}, generates ct←Enc(MPK,Ccoin), and sends ct to 𝒜.
3. 𝒜 outputs coin′∈{0,1}.
We say that CPFE is 1-bounded secure if for every QPT 𝒜, we have
If there exists IND-CPA secure PKE, there exists 1-bounded secure CPFE for P/poly. (Footnote 12: Though [GVW12] present their construction as KPFE instead of CPFE, it is easy to see that they implicitly give CPFE.)
4.2 Definitions of CoIC-KLA Security
We introduce definitions of CoIC-KLA security.
In addition to normal CoIC-KLA security needed to realize our PKE-SKL, we also define what we call strong CoIC-KLA security.
We can prove that strong CoIC-KLA security implies CoIC-KLA security.
The reason we introduce strong CoIC-KLA security is that it is more compatible with our construction strategy in Section 4.3, which uses the watermarking technique by Kitagawa and Nishimaki [KN22b].
Definition 4.11 (CoIC-KLA Security).
We say that a PKE scheme PKE with the message space X is CoIC-KLA secure, if it satisfies the following requirement, formalized from the experiment Exp^{coic-kla}_{PKE,𝒜}(1^λ) between an adversary 𝒜 and a challenger 𝒞:
1. 𝒞 runs (ek0,dk0)←KG(1^λ) and (ek1,dk1)←KG(1^λ), and generates dk:=(1/√2)(∣0⟩∣dk0⟩+∣1⟩∣dk1⟩). 𝒞 sends ek0, ek1, and dk to 𝒜. 𝒜 can get access to the following oracle only once.
O(dk):
On input a possibly malformed decryption key dk, it applies the binary-outcome measurement (I−Πvrfy,Πvrfy), where Πvrfy is the projection onto the right decryption key, i.e.,
[TABLE]
It returns the measurement outcome (indicating whether the state was projected onto Πvrfy or not).
2. 𝒜 sends (m0∗,m1∗)∈X^2 to 𝒞. 𝒞 generates a,b←{0,1} and generates ct0∗←Enc(ek0,ma∗) and ct1∗←Enc(ek1,m_{a⊕b}∗). 𝒞 sends ct0∗ and ct1∗ to 𝒜.
3. 𝒜 outputs a guess b′ for b. 𝒞 outputs 1 if b=b′ and 0 otherwise as the final output of the experiment.
For any QPT \mathpzcA, it holds that
[TABLE]
Definition 4.12 (Strong CoIC-KLA Security).
We say that a PKE scheme PKE with the message space X is ϵ-strong CoIC-KLA secure, if it satisfies the following requirement, formalized from the experiment Exp^{s-coic-kla}_{PKE,𝒜}(1^λ,ϵ) between an adversary 𝒜 and a challenger 𝒞:
1. 𝒞 runs (ek0,dk0)←KG(1^λ) and (ek1,dk1)←KG(1^λ), and generates dk:=(1/√2)(∣0⟩∣dk0⟩+∣1⟩∣dk1⟩). 𝒞 sends ek0, ek1, and dk to 𝒜.
2. 𝒜 sends (m0∗,m1∗)∈X^2 and a quantum circuit 𝒟=(q,U) to 𝒞, where 𝒟 is a quantum program with classical inputs and one-bit outputs and U is a compact classical description of {U_{ct0,ct1}}_{ct0,ct1}.
3. Let D be the following distribution.
D:
Generate a,b←{0,1} and ct0←Enc(ek0,ma) and ct1←Enc(ek1,m_{a⊕b}). Output (b,ct0,ct1).
We also let P=(P_{b,ct0,ct1},Q_{b,ct0,ct1})_{b,ct0,ct1} be a collection of binary outcome projective measurements, where
[TABLE]
Moreover, we let MD=(PD,QD) be a binary outcome POVM, where
[TABLE]
Note that R is the random coin space of D and P_{D(r)}=P_{b,ct0,ct1}, where (b,ct0,ct1)←D(r). (Footnote 13: The random coin r for D consists of the random bits a,b and the encryption coins of the two ciphertexts.) 𝒞 applies the measurement ProjImp(MD) to q and obtains a value p.
𝒞 outputs 1 if p≥1/2+ϵ and 0 otherwise.
For any QPT \mathpzcA, it holds that
[TABLE]
Theorem 4.13.
If PKE is ϵ-strong CoIC-KLA secure for any inverse polynomial ϵ, then PKE is CoIC-KLA secure.
Proof.
Assume there exists 𝒜 that breaks the CoIC-KLA security of PKE. Without loss of generality, we assume that 𝒜 correctly guesses the bit b with probability 1/2+γ for some inverse polynomial γ.
Then, consider the following experiment using 𝒜.
1. Execute Exp^{coic-kla}_{PKE,𝒜}(1^λ) until the point 𝒜 outputs (m0∗,m1∗).
2. Construct a quantum program with classical inputs and outputs 𝒟=(q,U), where q is the inner quantum state of 𝒜, U is a compact description of {U_{ct0,ct1}}_{ct0,ct1}, and U_{ct0,ct1} is a unitary that performs the rest of 𝒜’s computation on input (ct0,ct1).
3. Obtain p by applying ProjImp(MD) to q, where the measurement MD and the distribution D are defined in Definition 4.12.
Then, from the definition of ProjImp and the fact that 𝒜’s advantage is 1/2+γ, we have E[p]=1/2+γ.
By the averaging argument, we obtain Pr[p≥1/2+γ/2]≥γ/2.
Consider the following adversary ℬ that attacks the (γ/2)-strong CoIC-KLA security of PKE.
1. Given ek0, ek1, and dk, ℬ executes Exp^{coic-kla}_{PKE,𝒜}(1^λ) until the point 𝒜 outputs (m0∗,m1∗). When 𝒜 makes a query to O, ℬ returns a random bit.
2. ℬ constructs a quantum program with classical inputs and outputs 𝒟=(q,U), where q is the inner quantum state of 𝒜, U is a compact description of {U_{ct0,ct1}}_{ct0,ct1}, and U_{ct0,ct1} is a unitary that performs the rest of 𝒜’s computation on input (ct0,ct1). ℬ outputs (m0∗,m1∗) and 𝒟.
ℬ correctly answers 𝒜’s query to O and correctly simulates Exp^{coic-kla}_{PKE,𝒜} for 𝒜 with probability 1/2. (Footnote 14: ℬ does not apply the verification procedure to the queried state, differently from Exp^{coic-kla}_{PKE,𝒜}. This is not a problem since, from the view of 𝒜, the experiment simulated by ℬ is the same as the experiment where the verification process is applied to the queried state but the result is ignored and a random bit is returned.)
Moreover, from the above discussion, under the condition that ℬ correctly answers 𝒜’s query to O, ℬ wins with probability γ/2.
Overall, Adv^{s-coic-kla}_{PKE,ℬ}(λ)≥γ/4, which contradicts the (γ/2)-strong CoIC-KLA security of PKE.
This completes the proof.
∎
4.3 Strong CoIC-KLA Secure PKE from CPFE
We construct a strong CoIC-KLA secure PKE PKE=(Gen,Enc,Dec) using a CPFE scheme CPFE=(CPFE.Setup,CPFE.KG,CPFE.Enc,CPFE.Dec) as a building block.
Gen(1λ):
•
Generate (MPK,MSK)←CPFE.Setup(1λ).
•
Generate x←{0,1}λ and skx←CPFE.KG(MSK,x).
•
Output ek:=MPK and dk:=skx.
Enc(ek,m):
•
Parse ek=MPK.
•
Let C[m] be a constant circuit that outputs m on any input. C[m] is padded so that it has the same size as the circuit C∗ that appears in the security proof.
•
Output ct←CPFE.Enc(MPK,C[m]).
Dec(dk,ct):
•
Parse dk=skx.
•
Output m′←CPFE.Dec(skx,ct).
The decryption correctness of PKE follows from that of CPFE.
We also have the following theorems.
Theorem 4.14.
If CPFE is a 1-bounded secure CPFE scheme, then PKE is a ϵ-strong CoIC-KLA secure PKE scheme for any inverse polynomial ϵ.
Proof.
We show that if there exists a QPT adversary $\mathcal{A}$ that breaks $\epsilon$-strong CoIC-KLA security for some inverse polynomial $\epsilon$, then we can construct a QPT adversary $\mathcal{B}$ that contradicts the following lemma.
Lemma 4.15.
Consider the following experiment $\mathsf{Expt}^{\mathsf{BZ}}_{\mathsf{CPFE},\mathcal{B}}(1^\lambda)$ between an adversary $\mathcal{B}$ and a challenger $\mathcal{C}$.
1. $\mathcal{C}$ generates $(\mathsf{MPK}_0,\mathsf{MSK}_0)\leftarrow\mathsf{CPFE.Setup}(1^\lambda)$, $(\mathsf{MPK}_1,\mathsf{MSK}_1)\leftarrow\mathsf{CPFE.Setup}(1^\lambda)$, $x_0,x_1\leftarrow\{0,1\}^\lambda$, $sk_{x_0}\leftarrow\mathsf{CPFE.KG}(\mathsf{MSK}_0,x_0)$, and $sk_{x_1}\leftarrow\mathsf{CPFE.KG}(\mathsf{MSK}_1,x_1)$. $\mathcal{C}$ gives $\mathsf{MPK}_0$, $\mathsf{MPK}_1$, and $\frac{1}{\sqrt{2}}(|0\rangle|sk_{x_0}\rangle+|1\rangle|sk_{x_1}\rangle)$ to $\mathcal{B}$.
2. $\mathcal{B}$ outputs $x_0'$ and $x_1'$. $\mathcal{C}$ outputs $1$ if $x_0'=x_0$ and $x_1'=x_1$, and [math] otherwise.
Then, for any QPT adversary $\mathcal{B}$, we have $\mathsf{Adv}^{\mathsf{BZ}}_{\mathsf{CPFE},\mathcal{B}}(1^\lambda)=\Pr[\mathsf{Expt}^{\mathsf{BZ}}_{\mathsf{CPFE},\mathcal{B}}(1^\lambda)=1]=\mathsf{negl}(\lambda)$.
Let $\epsilon$ be some inverse polynomial. Assume there exists a QPT $\mathcal{A}$ such that $\mathsf{Adv}^{\mathsf{s\text{-}coic\text{-}kla}}_{\mathsf{PKE},\mathcal{A}}(\lambda,\epsilon)=\gamma$ for some inverse polynomial $\gamma$.
We construct the following adversary $\mathcal{B}$.
1. Given $\mathsf{MPK}_0$, $\mathsf{MPK}_1$, and $\mathcal{dk}$, $\mathcal{B}$ sets $ek_0:=\mathsf{MPK}_0$ and $ek_1:=\mathsf{MPK}_1$. $\mathcal{B}$ sends $ek_0$, $ek_1$, and $\mathcal{dk}$ to $\mathcal{A}$.
2. When $\mathcal{A}$ outputs $(m_0^*,m_1^*)$ and $\mathcal{D}=(\mathcal{q},U)$, $\mathcal{B}$ outputs $(x_0',x_1')\leftarrow\mathcal{Extract}(\mathsf{MPK}_0,\mathsf{MPK}_1,m_0^*,m_1^*,\mathcal{D},\epsilon)$, where $\mathcal{Extract}$ is described below.
Let $P$ be defined as in Definition 4.12, and let $D_{0,i}$ and $D_{1,i}$ be the following distributions for every $i\in[\lambda]$.
$D_{0,i}$: Generate $a,b\leftarrow\{0,1\}$. Generate $ct_0\leftarrow\mathsf{CPFE.Enc}(\mathsf{MPK}_0,C^*[a,b,m_0,m_1,i])$, where $C^*[a,b,m_0,m_1,i]$ is the circuit that takes $x$ as input and outputs $m_{a\oplus b\oplus x[i]}$. Generate $ct_1\leftarrow\mathsf{CPFE.Enc}(\mathsf{MPK}_1,C[m_a])$. Output $(b,ct_0,ct_1)$.
$D_{1,i}$: Generate $a,b\leftarrow\{0,1\}$. Generate $ct_1\leftarrow\mathsf{CPFE.Enc}(\mathsf{MPK}_1,C^*[a,b,m_0,m_1,i])$, where $C^*[a,b,m_0,m_1,i]$ is the circuit that takes $x$ as input and outputs $m_{a\oplus b\oplus x[i]}$. Generate $ct_0\leftarrow\mathsf{CPFE.Enc}(\mathsf{MPK}_0,C[m_a])$. Output $(b,ct_0,ct_1)$.
$\mathcal{Extract}(\mathsf{MPK}_0,\mathsf{MPK}_1,m_0^*,m_1^*,\mathcal{D},\epsilon)$ proceeds as follows.
• Let $D$ be the distribution defined as in Definition 4.12. Compute $\tilde p_0\leftarrow\mathcal{API}^{\epsilon',\delta'}_{P,D}(\mathcal{q})$. If $\tilde p_0<\frac{1}{2}+\epsilon-4\epsilon'$, return $\bot$. Otherwise, let $\mathcal{q}_{0,0}$ be the post-measurement state and go to the next step.
• For all $i\in[\lambda]$, do the following.
1. Compute $\tilde p_{0,i}\leftarrow\mathcal{API}^{\epsilon',\delta'}_{P,D_{0,i}}(\mathcal{q}_{0,i-1})$. Let $\mathcal{q}_{0,i}$ be the post-measurement state.
2. If $\tilde p_{0,i}>\frac{1}{2}+\epsilon-4(i+1)\epsilon'$, set $x_0'[i]=0$. If $\tilde p_{0,i}<\frac{1}{2}-\epsilon+4(i+1)\epsilon'$, set $x_0'[i]=1$. Otherwise, exit the loop and output $\bot$.
• Let $\mathcal{q}_{1,0}$ be $\mathcal{q}_{0,\lambda}$. For all $i\in[\lambda]$, do the following.
1. Compute $\tilde p_{1,i}\leftarrow\mathcal{API}^{\epsilon',\delta'}_{P,D_{1,i}}(\mathcal{q}_{1,i-1})$. Let $\mathcal{q}_{1,i}$ be the post-measurement state.
2. If $\tilde p_{1,i}>\frac{1}{2}+\epsilon-4(\lambda+i+1)\epsilon'$, set $x_1'[i]=0$. If $\tilde p_{1,i}<\frac{1}{2}-\epsilon+4(\lambda+i+1)\epsilon'$, set $x_1'[i]=1$. Otherwise, exit the loop and output $\bot$.
• Output $x_0'=x_0'[1]\|\cdots\|x_0'[\lambda]$ and $x_1'=x_1'[1]\|\cdots\|x_1'[\lambda]$.
We now estimate $\mathsf{Adv}^{\mathsf{BZ}}_{\mathsf{CPFE},\mathcal{B}}(1^\lambda)$.
We define the events $\mathsf{BadDec}$, and $\mathsf{BadExt}_{0,i}$ and $\mathsf{BadExt}_{1,i}$ for every $i\in[\lambda]$.
$\mathsf{BadDec}$: When $\mathcal{B}$ runs $\mathcal{Extract}(\mathsf{MPK}_0,\mathsf{MPK}_1,m_0^*,m_1^*,\mathcal{D},\epsilon)$, $\tilde p_0<\frac{1}{2}+\epsilon-4\epsilon'$ holds.
$\mathsf{BadExt}_{0,i}$: When $\mathcal{B}$ runs $\mathcal{Extract}(\mathsf{MPK}_0,\mathsf{MPK}_1,m_0^*,m_1^*,\mathcal{D},\epsilon)$, the following conditions hold.
• $\tilde p_0\ge\frac{1}{2}+\epsilon-4\epsilon'$ holds.
• $x_0'[j]=x_0[j]$ holds for every $j\in[i-1]$.
• $x_0'[i]\ne x_0[i]$ holds.
$\mathsf{BadExt}_{1,i}$: When $\mathcal{B}$ runs $\mathcal{Extract}(\mathsf{MPK}_0,\mathsf{MPK}_1,m_0^*,m_1^*,\mathcal{D},\epsilon)$, the following conditions hold.
• $\tilde p_0\ge\frac{1}{2}+\epsilon-4\epsilon'$ holds.
• $x_0'[j]=x_0[j]$ holds for every $j\in[\lambda]$.
• $x_1'[j]=x_1[j]$ holds for every $j\in[i-1]$.
• $x_1'[i]\ne x_1[i]$ holds.
From the assumption that $\mathsf{Adv}^{\mathsf{s\text{-}coic\text{-}kla}}_{\mathsf{PKE},\mathcal{A}}(\lambda)=\gamma$, the value $\tilde p_0$ computed in $\mathcal{Extract}$ satisfies $\tilde p_0\ge\frac{1}{2}+\epsilon-\epsilon'$ with probability $\gamma-\mathsf{negl}(\lambda)$ by the first item of Theorem 4.5.
This means that $\Pr[\mathsf{BadDec}]\le1-\gamma+\mathsf{negl}(\lambda)$. Then, we have
[TABLE]
Estimation of $\Pr[\mathsf{BadExt}_{0,i}]$ for every $i\in[\lambda]$.
We first estimate $\Pr[\mathsf{BadExt}_{0,1}]$.
We first consider the case $x_0[1]=0$.
From the first item of the event, we have $\tilde p_0>\frac{1}{2}+\epsilon-4\epsilon'$.
Let $\tilde p_0'\leftarrow\mathcal{API}^{\epsilon',\delta'}_{P,D}(\mathcal{q}_{0,0})$.
From the almost-projective property of $\mathcal{API}$, we have
[TABLE]
Lemma 4.16.
When $x_0[1]=0$, $D_{0,1}$ is computationally indistinguishable from $D$.
Proof.
The difference between $D_{0,1}$ and $D$ is that $ct_0$ is generated as $ct_0\leftarrow\mathsf{CPFE.Enc}(\mathsf{MPK}_0,C^*[a,b,m_0,m_1,1])$ in $D_{0,1}$, whereas it is generated as $ct_0\leftarrow\mathsf{CPFE.Enc}(\mathsf{MPK}_0,C[m_{a\oplus b}])$ in $D$.
From the condition $x_0[1]=0$, we have $C^*[a,b,m_0,m_1,1](x_0)=C[m_{a\oplus b}](x_0)=m_{a\oplus b}$.
Thus, by the 1-bounded security of CPFE, $D_{0,1}$ and $D$ are computationally indistinguishable when $x_0[1]=0$.
∎
This means that $\Pr[\mathsf{BadExt}_{0,1}]=\mathsf{negl}(\lambda)$ when $x_0[1]=0$.
We next consider the case $x_0[1]=1$.
We define the following distribution $D^{\mathsf{rev}}$.
$D^{\mathsf{rev}}$: Generate $(b,ct_0,ct_1)\leftarrow D$. Output $(1\oplus b,ct_0,ct_1)$.
That is, the first bit of the output of $D$ is flipped.
Then, for any random coin $r$, we have $(P_{D^{\mathsf{rev}}(r)},Q_{D^{\mathsf{rev}}(r)})=(Q_{D(r)},P_{D(r)})$.
This is because $Q_{b,ct_0,ct_1}=I-P_{b,ct_0,ct_1}=P_{1\oplus b,ct_0,ct_1}$ for any tuple $(b,ct_0,ct_1)$.
Therefore, $\mathcal{API}^{\epsilon',\delta'}_{P,D^{\mathsf{rev}}}$ is exactly the same process as $\mathcal{API}^{\epsilon',\delta'}_{P^{\mathsf{rev}},D}$, where $P^{\mathsf{rev}}=(Q_{b,ct_0,ct_1},P_{b,ct_0,ct_1})_{b,ct_0,ct_1}$.
Let $\tilde p_0'\leftarrow\mathcal{API}^{\epsilon',\delta'}_{P,D^{\mathsf{rev}}}(\mathcal{q}_{0,0})$.
From the reverse-almost-projective property of $\mathcal{API}$, we have
[TABLE]
Lemma 4.17.
When $x_0[1]=1$, $D_{0,1}$ is computationally indistinguishable from $D^{\mathsf{rev}}$.
Proof.
We see that $D^{\mathsf{rev}}$ is identical to the following distribution.
• Generate $a,b\leftarrow\{0,1\}$, $ct_0\leftarrow\mathsf{Enc}(ek_0,m_a)$, and $ct_1\leftarrow\mathsf{Enc}(ek_1,m_{a\oplus1\oplus b})$. Output $(b,ct_0,ct_1)$.
Then, the difference between $D_{0,1}$ and $D^{\mathsf{rev}}$ is that $ct_0$ is generated as $ct_0\leftarrow\mathsf{CPFE.Enc}(\mathsf{MPK}_0,C^*[a,b,m_0,m_1,1])$ in $D_{0,1}$, whereas it is generated as $ct_0\leftarrow\mathsf{CPFE.Enc}(\mathsf{MPK}_0,C[m_{a\oplus1\oplus b}])$ in $D^{\mathsf{rev}}$.
From the condition $x_0[1]=1$, we have $C^*[a,b,m_0,m_1,1](x_0)=C[m_{a\oplus1\oplus b}](x_0)=m_{a\oplus1\oplus b}$.
Thus, by the 1-bounded security of CPFE, $D_{0,1}$ and $D^{\mathsf{rev}}$ are computationally indistinguishable when $x_0[1]=1$.
∎
This means that $\Pr[\mathsf{BadExt}_{0,1}]=\mathsf{negl}(\lambda)$ when $x_0[1]=1$.
Overall, $\Pr[\mathsf{BadExt}_{0,1}]=\mathsf{negl}(\lambda)$ regardless of the value of $x_0$.
We can similarly show that $\Pr[\mathsf{BadExt}_{0,i}]=\mathsf{negl}(\lambda)$ for $i\in\{2,\cdots,\lambda\}$, using the fact that $D_{0,i}$ is computationally indistinguishable from $D$ if $x_0[i]=0$ and from $D^{\mathsf{rev}}$ if $x_0[i]=1$.
We omit the details.
Estimation of $\Pr[\mathsf{BadExt}_{1,i}]$ for every $i\in[\lambda]$.
We estimate $\Pr[\mathsf{BadExt}_{1,1}]$.
We first consider the case $x_0[\lambda]=0$ and $x_1[1]=0$.
From the second item of the event, we have $\tilde p_{0,\lambda}>\frac{1}{2}+\epsilon-4(\lambda+1)\epsilon'$.
Let $\tilde p_{0,\lambda}'\leftarrow\mathcal{API}^{\epsilon',\delta'}_{P,D_{0,\lambda}}(\mathcal{q}_{0,\lambda})$.
From the almost-projective property of $\mathcal{API}$, we have
[TABLE]
Lemma 4.18.
When $x_0[\lambda]=x_1[1]=0$, $D_{0,\lambda}$ and $D_{1,1}$ are computationally indistinguishable.
Proof.
We can show that $D_{0,\lambda}$ is computationally indistinguishable from $D$ when $x_0[\lambda]=0$, similarly to Lemma 4.16.
We see that $D$ is identical to the following distribution.
• Generate $a,b\leftarrow\{0,1\}$, $ct_0\leftarrow\mathsf{Enc}(ek_0,m_{a\oplus b})$, and $ct_1\leftarrow\mathsf{Enc}(ek_1,m_a)$. Output $(b,ct_0,ct_1)$.
Then, the difference between $D_{1,1}$ and $D$ is that $ct_1$ is generated as $ct_1\leftarrow\mathsf{CPFE.Enc}(\mathsf{MPK}_1,C^*[a,b,m_0,m_1,1])$ in $D_{1,1}$, whereas it is generated as $ct_1\leftarrow\mathsf{CPFE.Enc}(\mathsf{MPK}_1,C[m_{a\oplus b}])$ in $D$.
From the condition $x_1[1]=0$, we have $C^*[a,b,m_0,m_1,1](x_1)=C[m_{a\oplus b}](x_1)=m_{a\oplus b}$.
Thus, by the 1-bounded security of CPFE, $D_{1,1}$ and $D$ are computationally indistinguishable when $x_1[1]=0$.
This means that $D_{0,\lambda}$ and $D_{1,1}$ are computationally indistinguishable when $x_0[\lambda]=x_1[1]=0$.
∎
This means that $\Pr[\mathsf{BadExt}_{1,1}]=\mathsf{negl}(\lambda)$ when $x_0[\lambda]=0$ and $x_1[1]=0$.
We next consider the case $x_0[\lambda]=0$ and $x_1[1]=1$.
We define the following distribution $D^{\mathsf{rev}}_{0,\lambda}$.
That is, the first bit of the output of $D_{0,\lambda}$ is flipped.
Then, for any random coin $r$, we have $(P_{D^{\mathsf{rev}}_{0,\lambda}(r)},Q_{D^{\mathsf{rev}}_{0,\lambda}(r)})=(Q_{D_{0,\lambda}(r)},P_{D_{0,\lambda}(r)})$.
(Again, this is because $Q_{b,ct_0,ct_1}=I-P_{b,ct_0,ct_1}=P_{1\oplus b,ct_0,ct_1}$ for any tuple $(b,ct_0,ct_1)$.)
Therefore, $\mathcal{API}^{\epsilon',\delta'}_{P,D^{\mathsf{rev}}_{0,\lambda}}$ is exactly the same process as $\mathcal{API}^{\epsilon',\delta'}_{P^{\mathsf{rev}},D_{0,\lambda}}$, where $P^{\mathsf{rev}}=(Q_{b,ct_0,ct_1},P_{b,ct_0,ct_1})_{b,ct_0,ct_1}$.
Let $\tilde p_{0,\lambda}'\leftarrow\mathcal{API}^{\epsilon',\delta'}_{P,D^{\mathsf{rev}}_{0,\lambda}}(\mathcal{q}_{0,\lambda})$.
From the reverse-almost-projective property of $\mathcal{API}$, we have
[TABLE]
Lemma 4.19.
When $x_0[\lambda]=0$ and $x_1[1]=1$, $D^{\mathsf{rev}}_{0,\lambda}$ and $D_{1,1}$ are computationally indistinguishable.
Proof.
We can show that both $D^{\mathsf{rev}}_{0,\lambda}$ and $D_{1,1}$ are computationally indistinguishable from $D^{\mathsf{rev}}$ when $x_0[\lambda]=0$ and $x_1[1]=1$.
The proof is similar to those of Lemmata 4.16, 4.17 and 4.18, so we omit the details.
∎
This means that $\Pr[\mathsf{BadExt}_{1,1}]=\mathsf{negl}(\lambda)$ when $x_0[\lambda]=0$ and $x_1[1]=1$.
Similarly, we can show that $\Pr[\mathsf{BadExt}_{1,1}]=\mathsf{negl}(\lambda)$ holds when $(x_0[\lambda],x_1[1])=(1,0)$ and when $(x_0[\lambda],x_1[1])=(1,1)$.
Moreover, we can show that $\Pr[\mathsf{BadExt}_{1,i}]=\mathsf{negl}(\lambda)$ holds for $i\in\{2,\cdots,\lambda\}$.
From the above discussion, we have $\mathsf{Adv}^{\mathsf{BZ}}_{\mathsf{CPFE},\mathcal{B}}(1^\lambda)\ge\gamma-\mathsf{negl}(\lambda)$ for some inverse polynomial $\gamma$, which contradicts Lemma 4.15.
This completes the proof of Theorem 4.14.
∎
5 Construction of PKE with Secure Key Leasing
In this section, we prove the following theorem:
Theorem 5.1.
If there is an IND-CPA secure PKE scheme, then there is an IND-KLA secure PKE-SKL scheme.
By Theorem 3.9, it suffices to construct a 1-query OW-KLA secure PKE-SKL scheme. In the rest of this section, we construct such a scheme. To build our scheme, we rely on a PKE scheme satisfying CoIC-KLA security, which is constructed from any IND-CPA secure PKE scheme in Section 4.
Let $\mathsf{cPKE}=(\mathsf{cPKE.KG},\mathsf{cPKE.Enc},\mathsf{cPKE.Dec})$ be a PKE scheme satisfying CoIC-KLA security with message space $\{0,1\}^\ell$, where $\ell=\omega(\log\lambda)$. We note that CoIC-KLA security implies OW-CPA security when $\ell=\omega(\log\lambda)$ (see Appendix B for the proof). Then, we construct a PKE-SKL scheme $\mathsf{SKL}=(\mathsf{SKL}.\mathcal{KG},\mathsf{SKL.Enc},\mathsf{SKL}.\mathcal{Dec},\mathsf{SKL}.\mathcal{Vrfy})$ with message space $\{0,1\}^{\lambda\ell}$ as follows.
$\mathsf{SKL}.\mathcal{KG}(1^\lambda)$:
• Generate $(\mathsf{cPKE.ek}_{i,b},\mathsf{cPKE.dk}_{i,b})\leftarrow\mathsf{cPKE.KG}(1^\lambda)$ for $i\in[\lambda]$ and $b\in\{0,1\}$.
• Output an encryption key
[TABLE]
a decryption key
[TABLE]
and a verification key
[TABLE]
For convenience, we write $\mathsf{DK}_i$ for the registers of $\mathcal{dk}$ that contain $\frac{1}{\sqrt{2}}(|0\rangle|\mathsf{cPKE.dk}_{i,0}\rangle+|1\rangle|\mathsf{cPKE.dk}_{i,1}\rangle)$ for $i\in[\lambda]$.
$\mathsf{SKL.Enc}(ek,m)$:
• Parse $ek=\{\mathsf{cPKE.ek}_{i,b}\}_{i\in[\lambda],b\in\{0,1\}}$ and $m=m_1\|\ldots\|m_\lambda$, where $m_i\in\{0,1\}^\ell$ for each $i\in[\lambda]$.
• Generate $\mathsf{cPKE.ct}_{i,b}\leftarrow\mathsf{cPKE.Enc}(\mathsf{cPKE.ek}_{i,b},m_i)$ for $i\in[\lambda]$ and $b\in\{0,1\}$.
• Output $ct:=\{\mathsf{cPKE.ct}_{i,b}\}_{i\in[\lambda],b\in\{0,1\}}$.
$\mathsf{SKL}.\mathcal{Dec}(\mathcal{dk},ct)$:
• Parse $\mathcal{dk}=\bigotimes_{i\in[\lambda]}\mathcal{dk}_i$ and $ct=\{\mathsf{cPKE.ct}_{i,b}\}_{i\in[\lambda],b\in\{0,1\}}$.
• Let $U_{\mathsf{dec}}$ be a unitary such that for all $\mathsf{cPKE.dk}'$, $\mathsf{cPKE.ct}_0'$, and $\mathsf{cPKE.ct}_1'$:
[TABLE]
Note that such a unitary can be computed in quantum polynomial time, since we assume that $\mathsf{cPKE.Dec}$ is a deterministic classical polynomial-time algorithm.
• For all $i\in[\lambda]$, generate
[TABLE]
measure the rightmost register, and let $m_i'$ be the measurement outcome.
• Output $m':=m_1'\|\ldots\|m_\lambda'$.
$\mathsf{SKL}.\mathcal{Vrfy}(vk,\mathcal{dk})$:
• Parse $vk=\{\mathsf{cPKE.dk}_{i,b}\}_{i\in[\lambda],b\in\{0,1\}}$.
• Apply the binary-outcome measurement $(I-\Pi^{vk}_{\mathsf{vrfy}},\Pi^{vk}_{\mathsf{vrfy}})$ to $\mathcal{dk}$, where $\Pi^{vk}_{\mathsf{vrfy}}$ is the projection onto the right decryption key, i.e.,
[TABLE]
If the measurement outcome is $1$ (indicating that the state was projected onto $\Pi^{vk}_{\mathsf{vrfy}}$), output $\top$; otherwise output $\bot$.
The correctness of SKL easily follows from that of cPKE.
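The following is an added classical simulation of the construction above; it is not code from the paper. It stands in a toy ElGamal scheme over the Mersenne prime $2^{127}-1$ for cPKE (a constructed, insecure placeholder that merely supplies one (ek, dk) pair per slot), represents the leased key $\bigotimes_i\frac{1}{\sqrt2}(|0\rangle|\mathsf{dk}_{i,0}\rangle+|1\rangle|\mathsf{dk}_{i,1}\rangle)$ as an explicit amplitude table (so $\lambda$ must be small), and uses function names of my own choosing (`skl_kg`, `skl_enc`, `skl_dec`, `skl_vrfy_prob`, `measure_registers`). It shows the two behaviours the section relies on: the untouched key decrypts and passes $\mathsf{SKL}.\mathcal{Vrfy}$ with probability 1, while a user who reads all $\lambda$ registers $\mathsf{DK}_i$ in the computational basis keeps a working classical key but passes verification with probability only $2^{-\lambda}$ (reading a single register halves the acceptance probability).

```python
import itertools
import secrets
from math import sqrt

# Toy ElGamal over the Mersenne prime 2^127 - 1: a constructed stand-in for cPKE.
# It is NOT CoIC-KLA secure and the group is far too small for real use.
P = (1 << 127) - 1
G = 3
_rng = secrets.SystemRandom()


def cpke_kg():
    dk = secrets.randbelow(P - 2) + 1          # decryption key: random exponent
    return pow(G, dk, P), dk                   # (ek, dk)


def cpke_enc(ek, m):
    r = secrets.randbelow(P - 2) + 1
    return pow(G, r, P), (m + 1) * pow(ek, r, P) % P   # m+1 so that m = 0 is encodable


def cpke_dec(dk, ct):
    c1, c2 = ct
    return c2 * pow(c1, P - 1 - dk, P) % P - 1         # c1^(-dk) via Fermat


# A leased key is a pure state on registers DK_1..DK_lam = (bit, key); stored as a map
# from the basis vector ((b_1..b_lam), (dk_1..dk_lam)) to its real amplitude.
def skl_kg(lam):
    pairs = [[cpke_kg() for _ in (0, 1)] for _ in range(lam)]
    ek = [[pairs[i][b][0] for b in (0, 1)] for i in range(lam)]
    vk = [[pairs[i][b][1] for b in (0, 1)] for i in range(lam)]
    amps = {}
    for bits in itertools.product((0, 1), repeat=lam):   # product of (|0>|dk_i0> + |1>|dk_i1>)/sqrt2
        dks = tuple(vk[i][bits[i]] for i in range(lam))
        amps[(bits, dks)] = 1 / sqrt(2 ** lam)
    return ek, amps, vk


def skl_enc(ek, msgs):
    # Every block m_i is encrypted under both ek_{i,0} and ek_{i,1}.
    return [[cpke_enc(ek[i][b], msgs[i]) for b in (0, 1)] for i in range(len(msgs))]


def _measure(amps, outcome_of):
    """Measure the observable given by outcome_of(basis_vector): sample an outcome with
    its Born probability and return (outcome, collapsed and renormalised state)."""
    probs = {}
    for vec, a in amps.items():
        probs[outcome_of(vec)] = probs.get(outcome_of(vec), 0.0) + a * a
    u, acc, chosen = _rng.random(), 0.0, None
    for o, pr in probs.items():
        acc += pr
        chosen = o
        if u < acc:
            break
    norm = sqrt(probs[chosen])
    post = {vec: a / norm for vec, a in amps.items() if outcome_of(vec) == chosen}
    return chosen, post


def skl_dec(amps, ct):
    # U_dec computes m_i' = cPKE.Dec(dk_i, ct_{i,b_i}) in every branch; measuring the output
    # register leaves the key untouched whenever all branches agree (decryption correctness).
    def decrypt_branch(vec):
        bits, dks = vec
        return tuple(cpke_dec(dks[i], ct[i][bits[i]]) for i in range(len(bits)))
    outcome, post = _measure(amps, decrypt_branch)
    return list(outcome), post


def skl_vrfy_prob(vk, amps):
    """Probability that (I - Pi_vrfy, Pi_vrfy) outputs ⊤ on the returned key, i.e.
    |<honest key | returned key>|^2 with the honest key being the output of skl_kg."""
    lam = len(vk)
    honest_amp = 1 / sqrt(2 ** lam)
    overlap = 0.0
    for (bits, dks), a in amps.items():
        if all(dks[i] == vk[i][bits[i]] for i in range(lam)):
            overlap += honest_amp * a
    return overlap * overlap


def measure_registers(amps, indices):
    # A user who wants a classical key reads the registers DK_i, i in indices, in the
    # computational basis; this is the collapse that Hyb_7 of Theorem 5.2 reasons about.
    _, post = _measure(amps, lambda vec: tuple(vec[0][i] for i in indices))
    return post
```

With `lam = 4`, `skl_vrfy_prob` returns 1.0 for the key as returned by `skl_dec`, 0.5 after `measure_registers(key, [0])`, and 1/16 after all four registers are measured, even though the collapsed key still decrypts every ciphertext correctly.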
Below, we show that SKL is 1-query OW-KLA secure.
Theorem 5.2.
If cPKE is CoIC-KLA secure, then SKL is 1-query OW-KLA secure.
Proof.
Let $\mathcal{A}$ be a QPT adversary against the 1-query OW-KLA security of SKL. By Remark 3.5, we may assume without loss of generality that $\mathcal{A}$ makes the verification query before receiving the challenge ciphertext.
We consider the following sequence of hybrids.
$\mathsf{Hyb}_0$: This is the same as $\mathsf{Exp}^{\mathsf{ow\text{-}kla}}_{\mathsf{SKL},\mathcal{A}}(1^\lambda)$. More specifically, it works as follows.
1. The challenger generates $(\mathsf{cPKE.ek}_{i,b},\mathsf{cPKE.dk}_{i,b})\leftarrow\mathsf{cPKE.KG}(1^\lambda)$ for $i\in[\lambda]$ and $b\in\{0,1\}$, sets $ek:=\{\mathsf{cPKE.ek}_{i,b}\}_{i\in[\lambda],b\in\{0,1\}}$ and $\mathcal{dk}:=\bigotimes_{i\in[\lambda]}\frac{1}{\sqrt{2}}(|0\rangle|\mathsf{cPKE.dk}_{i,0}\rangle+|1\rangle|\mathsf{cPKE.dk}_{i,1}\rangle)$, and sends $ek$ and $\mathcal{dk}$ to $\mathcal{A}$.
2. $\mathcal{A}$ queries $\mathcal{dk}$ to the verification oracle. The challenger applies the binary-outcome measurement $(I-\Pi^{vk}_{\mathsf{vrfy}},\Pi^{vk}_{\mathsf{vrfy}})$ to $\mathcal{dk}$, where $\Pi^{vk}_{\mathsf{vrfy}}$ is the projection defined in the description of $\mathsf{SKL}.\mathcal{Vrfy}$. If the measurement outcome is [math] (indicating that the state was projected onto $I-\Pi^{vk}_{\mathsf{vrfy}}$), the challenger outputs [math] as the final outcome of this experiment. [Footnote 15: In the description of the OW-KLA experiment in Definition 3.7, the oracle returns $\bot$ even if the decryption key does not pass the verification. However, in the 1-query setting, if the first (and only) query is rejected, the experiment finally outputs [math]. Thus, we terminate the experiment at this point when the query is rejected.] Otherwise, the challenger returns $\top$ to $\mathcal{A}$ as the response from the oracle.
3. The challenger chooses $m_i^*\leftarrow\{0,1\}^\ell$ for $i\in[\lambda]$, generates $\mathsf{cPKE.ct}^*_{i,b}\leftarrow\mathsf{cPKE.Enc}(\mathsf{cPKE.ek}_{i,b},m_i^*)$ for $i\in[\lambda]$ and $b\in\{0,1\}$, and sends $ct^*:=\{\mathsf{cPKE.ct}^*_{i,b}\}_{i\in[\lambda],b\in\{0,1\}}$ to $\mathcal{A}$. [Footnote 16: Since $\mathcal{A}$ makes only one verification query, we can assume without loss of generality that $\mathcal{A}$ requests the challenge ciphertext immediately after finishing the first verification query.]
4. $\mathcal{A}$ outputs $m'=m_1'\|\ldots\|m_\lambda'$. The challenger outputs $1$ if $m_i'=m_i^*$ for all $i\in[\lambda]$, and otherwise [math], as the final outcome of this experiment.
Note that we have $\Pr[\mathsf{Hyb}_0=1]=\mathsf{Adv}^{\mathsf{ow\text{-}kla}}_{\mathsf{SKL},\mathcal{A}}(1^\lambda)$. Our goal is to prove $\Pr[\mathsf{Hyb}_0=1]=\mathsf{negl}(\lambda)$.
$\mathsf{Hyb}_1$: This is identical to $\mathsf{Hyb}_0$ except for the following modifications:
• The challenger chooses $m^*_{i,b}\leftarrow\{0,1\}^\ell$ for $i\in[\lambda]$ and $b\in\{0,1\}$ (instead of choosing $m_i^*\leftarrow\{0,1\}^\ell$ for $i\in[\lambda]$) and $a_i\leftarrow\{0,1\}$ for $i\in[\lambda]$.
• $\mathsf{cPKE.ct}^*_{i,b}$ is generated as $\mathsf{cPKE.ct}^*_{i,b}\leftarrow\mathsf{cPKE.Enc}(\mathsf{cPKE.ek}_{i,b},m^*_{i,a_i})$ for $i\in[\lambda]$ and $b\in\{0,1\}$. We emphasize that $m^*_{i,a_i}$ is encrypted for both $b=0$ and $b=1$, and $m^*_{i,a_i\oplus1}$ is not used in this step.
• In Step 4, the challenger outputs $1$ if $m_i'\in\{m^*_{i,0},m^*_{i,1}\}$ for all $i\in[\lambda]$.
Regarding $m^*_{i,a_i}$ in $\mathsf{Hyb}_1$ as $m_i^*$ in $\mathsf{Hyb}_0$, these hybrids are identical from the view of $\mathcal{A}$, except that the winning condition (i.e., the condition under which the challenger returns $1$) is relaxed in $\mathsf{Hyb}_1$. Therefore, we trivially have $\Pr[\mathsf{Hyb}_0=1]\le\Pr[\mathsf{Hyb}_1=1]$.
$\mathsf{Hyb}_2$: This is identical to $\mathsf{Hyb}_1$ except that $\mathsf{cPKE.ct}^*_{i,b}$ is generated as $\mathsf{cPKE.ct}^*_{i,b}\leftarrow\mathsf{cPKE.Enc}(\mathsf{cPKE.ek}_{i,b},m^*_{i,a_i\oplus b})$ for $i\in[\lambda]$ and $b\in\{0,1\}$. We remark that the way of generating $\mathsf{cPKE.ct}^*_{i,1}$ is changed, but that of $\mathsf{cPKE.ct}^*_{i,0}$ is unchanged (because $a_i\oplus0=a_i$).
By the CoIC-KLA security of cPKE and a standard hybrid argument, we have $|\Pr[\mathsf{Hyb}_1=1]-\Pr[\mathsf{Hyb}_2=1]|=\mathsf{negl}(\lambda)$. See Lemma 5.3 for the details.
$\mathsf{Hyb}_3$: This is identical to $\mathsf{Hyb}_2$ except that the challenger no longer chooses $a_i\leftarrow\{0,1\}$ for $i\in[\lambda]$, and $\mathsf{cPKE.ct}^*_{i,b}$ is generated as $\mathsf{cPKE.ct}^*_{i,b}\leftarrow\mathsf{cPKE.Enc}(\mathsf{cPKE.ek}_{i,b},m^*_{i,b})$ for $i\in[\lambda]$ and $b\in\{0,1\}$.
This modification is purely conceptual, and we have $\Pr[\mathsf{Hyb}_2=1]=\Pr[\mathsf{Hyb}_3=1]$.
$\mathsf{Hyb}_4$: This is identical to $\mathsf{Hyb}_3$ except for the conceptual modification that the measurement of the returned key $\mathcal{dk}$ is deferred until the end of the experiment. For clarity, we give the full description of this experiment.
1. The challenger generates $(\mathsf{cPKE.ek}_{i,b},\mathsf{cPKE.dk}_{i,b})\leftarrow\mathsf{cPKE.KG}(1^\lambda)$ for $i\in[\lambda]$ and $b\in\{0,1\}$, sets $ek:=\{\mathsf{cPKE.ek}_{i,b}\}_{i\in[\lambda],b\in\{0,1\}}$ and $\mathcal{dk}:=\bigotimes_{i\in[\lambda]}\frac{1}{\sqrt{2}}(|0\rangle|\mathsf{cPKE.dk}_{i,0}\rangle+|1\rangle|\mathsf{cPKE.dk}_{i,1}\rangle)$, and sends $ek$ and $\mathcal{dk}$ to $\mathcal{A}$.
2. $\mathcal{A}$ queries $\mathcal{dk}$ to the verification oracle. The challenger returns $\top$ to $\mathcal{A}$ as the response from the oracle.
3. The challenger chooses $m^*_{i,b}\leftarrow\{0,1\}^\ell$ for $i\in[\lambda]$ and $b\in\{0,1\}$, generates $\mathsf{cPKE.ct}^*_{i,b}\leftarrow\mathsf{cPKE.Enc}(\mathsf{cPKE.ek}_{i,b},m^*_{i,b})$ for $i\in[\lambda]$ and $b\in\{0,1\}$, and sends $ct^*:=\{\mathsf{cPKE.ct}^*_{i,b}\}_{i\in[\lambda],b\in\{0,1\}}$ to $\mathcal{A}$.
4. $\mathcal{A}$ outputs $m'=m_1'\|\ldots\|m_\lambda'$. The challenger outputs [math] as the final outcome of this experiment if $m_i'\notin\{m^*_{i,0},m^*_{i,1}\}$ for some $i\in[\lambda]$.
5. Otherwise, the challenger applies the binary-outcome measurement $(I-\Pi^{vk}_{\mathsf{vrfy}},\Pi^{vk}_{\mathsf{vrfy}})$ to $\mathcal{dk}$, where $\Pi^{vk}_{\mathsf{vrfy}}$ is the projection defined in the description of $\mathsf{SKL}.\mathcal{Vrfy}$, and outputs the outcome of the measurement as the final outcome of this experiment.
By the deferred measurement principle, we have $\Pr[\mathsf{Hyb}_3=1]=\Pr[\mathsf{Hyb}_4=1]$.
$\mathsf{Hyb}_5$: This is identical to $\mathsf{Hyb}_4$ except that the challenger measures the returned key $\mathcal{dk}$ in the computational basis instead of applying the projective measurement $(I-\Pi^{vk}_{\mathsf{vrfy}},\Pi^{vk}_{\mathsf{vrfy}})$ in Step 5, and the condition to output $1$ is modified as follows:
• Let $\{\tilde b_i,\mathsf{cPKE.dk}_i\}_{i\in[\lambda]}$ be the outcome of measuring $\mathcal{dk}$ in the computational basis. If there is $i\in[\lambda]$ such that $\mathsf{cPKE.dk}_i\ne\mathsf{cPKE.dk}_{i,\tilde b_i}$, the challenger outputs [math] as the final outcome of this experiment. Otherwise, define $b=b_1\|\ldots\|b_\lambda\in\{0,1\}^\lambda$ in such a way that $m_i'=m^*_{i,b_i}$ for $i\in[\lambda]$. Note that such $b$ must exist, since this step is invoked only when the challenger does not output [math] in Step 4. [Footnote 17: If $m^*_{i,0}=m^*_{i,1}$ (which happens with negligible probability), then we set $b_i:=0$.] If there is $i\in[\lambda]$ such that $\tilde b_i\ne b_i$, the challenger outputs $1$, and otherwise [math], as the final output of the experiment.
We prove that if $\Pr[\mathsf{Hyb}_5=1]=\mathsf{negl}(\lambda)$, then $\Pr[\mathsf{Hyb}_4=1]=\mathsf{negl}(\lambda)$. The intuition is as follows. If $\tilde b_i=b_i$ holds for all $i\in[\lambda]$ with overwhelming probability, then $\mathcal{dk}$ has negligible amplitude on $\bigotimes_{i\in[\lambda]}|b_i'\rangle|\mathsf{cPKE.dk}_{b_i'}\rangle$ for all $b'\ne b$. In this case, the probability that $\mathcal{dk}$ is projected onto $\Pi^{vk}_{\mathsf{vrfy}}$ is negligible, since the right key has exponentially small amplitude on $\bigotimes_{i\in[\lambda]}|b_i\rangle|\mathsf{cPKE.dk}_{b_i}\rangle$. See Lemma 5.4 for the details.
$\mathsf{Hyb}_6$: This is identical to $\mathsf{Hyb}_5$ except that the challenger chooses $i^*\leftarrow[\lambda]$ at the beginning of the experiment, and the condition to output $1$ is changed to $\tilde b_{i^*}\ne b_{i^*}$ for the a priori chosen $i^*$, instead of for some $i\in[\lambda]$.
Whenever there is $i$ such that $\tilde b_i\ne b_i$, the probability that $i^*\leftarrow[\lambda]$ satisfies $\tilde b_{i^*}\ne b_{i^*}$ is at least $\frac{1}{\lambda}$. Thus, we have $\Pr[\mathsf{Hyb}_6=1]\ge\frac{1}{\lambda}\Pr[\mathsf{Hyb}_5=1]$.
$\mathsf{Hyb}_7$: This is identical to $\mathsf{Hyb}_6$ except that the challenger measures the register $\mathsf{DK}_{i^*}$ of the decryption key $\mathcal{dk}$ in the computational basis before giving $\mathcal{dk}$ to $\mathcal{A}$. (See the description of $\mathsf{SKL}.\mathcal{KG}$ for the definition of the register $\mathsf{DK}_{i^*}$.)
Note that measuring $\mathsf{DK}_{i^*}$ in the computational basis yields either $(0,\mathsf{cPKE.dk}_{i^*,0})$ or $(1,\mathsf{cPKE.dk}_{i^*,1})$; in particular, there are only two possible outcomes. Thus, by Lemma 2.21, we have $\Pr[\mathsf{Hyb}_7=1]\ge\frac{1}{2}\Pr[\mathsf{Hyb}_6=1]$.
$\mathsf{Hyb}_8$: This is identical to $\mathsf{Hyb}_7$ except that the collapse caused by measuring $\mathsf{DK}_{i^*}$ is simulated by classical randomness. That is, the challenger chooses $b^*\leftarrow\{0,1\}$ at the beginning and sets
[TABLE]
It is easy to see that $\mathsf{Hyb}_7$ and $\mathsf{Hyb}_8$ are identical from the view of $\mathcal{A}$, and thus $\Pr[\mathsf{Hyb}_7=1]=\Pr[\mathsf{Hyb}_8=1]$. In Lemma 5.6, we prove that $\Pr[\mathsf{Hyb}_8=1]=\mathsf{negl}(\lambda)$ using the OW-CPA security (which is implied by CoIC-KLA security) of cPKE.
Combining the above, we have $\Pr[\mathsf{Hyb}_0=1]=\mathsf{negl}(\lambda)$. This means that SKL is OW-KLA secure.
It remains to prove Lemmata 5.3, 5.4 and 5.6.
Lemma 5.3.
It holds that $|\Pr[\mathsf{Hyb}_1=1]-\Pr[\mathsf{Hyb}_2=1]|=\mathsf{negl}(\lambda)$ if cPKE is CoIC-KLA secure.
Proof.
We define additional hybrids $\mathsf{Hyb}_{1.j}$ for $j\in[\lambda+1]$ as follows.
$\mathsf{Hyb}_{1.j}$: This is identical to $\mathsf{Hyb}_1$ except that $\mathsf{cPKE.ct}^*_{i,b}$ is generated as
[TABLE]
for $i\in[\lambda]$.
Clearly, we have $\mathsf{Hyb}_1=\mathsf{Hyb}_{1.1}$ and $\mathsf{Hyb}_2=\mathsf{Hyb}_{1.\lambda+1}$. Thus, it suffices to prove that $|\Pr[\mathsf{Hyb}_{1.j+1}=1]-\Pr[\mathsf{Hyb}_{1.j}=1]|=\mathsf{negl}(\lambda)$.
Note that the only difference between $\mathsf{Hyb}_{1.j+1}$ and $\mathsf{Hyb}_{1.j}$ is the way $\mathsf{cPKE.ct}^*_{j,1}$ is generated.
To show that $|\Pr[\mathsf{Hyb}_{1.j+1}=1]-\Pr[\mathsf{Hyb}_{1.j}=1]|=\mathsf{negl}(\lambda)$, we construct $\mathcal{B}$ against the CoIC-KLA security of cPKE as follows.
$\mathcal{B}(\mathsf{cPKE.ek}_0^*,\mathsf{cPKE.ek}_1^*,\mathcal{dk}^*)$: It works as follows.
1. Generate $(\mathsf{cPKE.ek}_{i,b},\mathsf{cPKE.dk}_{i,b})\leftarrow\mathsf{cPKE.KG}(1^\lambda)$ for $i\in[\lambda]\setminus\{j\}$ and $b\in\{0,1\}$, and set $\mathsf{cPKE.ek}_{j,b}:=\mathsf{cPKE.ek}_b^*$ for $b\in\{0,1\}$. Set $ek:=\{\mathsf{cPKE.ek}_{i,b}\}_{i\in[\lambda],b\in\{0,1\}}$ and
[TABLE]
This implicitly defines $vk:=\{\mathsf{cPKE.dk}_{i,b}\}_{i\in[\lambda],b\in\{0,1\}}$, where $\mathsf{cPKE.dk}_{j,b}$ is the decryption key corresponding to $\mathsf{cPKE.ek}_{j,b}$ chosen by the external challenger for $b\in\{0,1\}$ (but $\mathcal{B}$ cannot know $vk$).
2. Send $ek$ and $\mathcal{dk}$ to $\mathcal{A}$ and receive the verification query $\mathcal{dk}$ from $\mathcal{A}$.
3. Apply the binary-outcome measurement $(I-\Pi^{vk}_{\mathsf{vrfy}},\Pi^{vk}_{\mathsf{vrfy}})$ to $\mathcal{dk}$. This is possible by simulating the projection on $\{\mathsf{DK}_i\}_{i\ne j}$ by itself while forwarding $\mathsf{DK}_j$ to its own verification oracle. If the outcome is [math], output [math]. Otherwise, return $\top$ to $\mathcal{A}$ as the response from the oracle.
4. Choose $m^*_{i,b}\leftarrow\{0,1\}^\ell$ for $i\in[\lambda]$ and $b\in\{0,1\}$ and $a_i\leftarrow\{0,1\}$ for $i\in[\lambda]\setminus\{j\}$, send $(m^*_{j,0},m^*_{j,1})$ to the external challenger, and receive $(\mathsf{cPKE.ct}_0^*,\mathsf{cPKE.ct}_1^*)$ from the challenger. This implicitly defines $a_j\leftarrow\{0,1\}$ and $\beta\leftarrow\{0,1\}$, where the challenger generates $\mathsf{cPKE.ct}_0^*:=\mathsf{cPKE.Enc}(\mathsf{cPKE.ek}_{j,0},m^*_{j,a_j})$ and $\mathsf{cPKE.ct}_1^*:=\mathsf{cPKE.Enc}(\mathsf{cPKE.ek}_{j,1},m^*_{j,a_j\oplus\beta})$ (but $\mathcal{B}$ cannot know $a_j$ or $\beta$). [Footnote 18: Here, $\beta$ plays the role of $b$ in the experiment $\mathsf{Exp}^{\mathsf{coic\text{-}kla}}_{\mathsf{cPKE},\mathcal{B}}(1^\lambda)$ in Definition 4.11, since $b$ is used with another meaning in this section.]
5. Generate $\mathsf{cPKE.ct}^*_{i,b}\leftarrow\mathsf{cPKE.Enc}(\mathsf{cPKE.ek}_{i,b},m^*_{i,a_i\oplus b})$ for $i\in[\lambda]\setminus\{j\}$ and $b\in\{0,1\}$, set $\mathsf{cPKE.ct}^*_{j,b}:=\mathsf{cPKE.ct}_b^*$ for $b\in\{0,1\}$, send $ct^*:=\{\mathsf{cPKE.ct}^*_{i,b}\}_{i\in[\lambda],b\in\{0,1\}}$ to $\mathcal{A}$, and receive $m'=m_1'\|\ldots\|m_\lambda'$ from $\mathcal{A}$.
6. Output $1$ if $m_i'\in\{m^*_{i,0},m^*_{i,1}\}$ for all $i\in[\lambda]$, and otherwise output [math].
We have
[TABLE]
where $(\mathsf{cPKE.ek}_0^*,\mathsf{cPKE.dk}_0^*)\leftarrow\mathsf{cPKE.KG}(1^\lambda)$, $(\mathsf{cPKE.ek}_1^*,\mathsf{cPKE.dk}_1^*)\leftarrow\mathsf{cPKE.KG}(1^\lambda)$, and $\mathcal{dk}^*:=\frac{1}{\sqrt{2}}(|\mathsf{cPKE.dk}_0^*\rangle+|\mathsf{cPKE.dk}_1^*\rangle)$.
Thus, $|\Pr[\mathsf{Hyb}_{1.j+1}=1]-\Pr[\mathsf{Hyb}_{1.j}=1]|=\mathsf{negl}(\lambda)$ by the CoIC-KLA security of cPKE.
This completes the proof of Lemma 5.3.
∎
Lemma 5.4.
If $\Pr[\mathsf{Hyb}_5=1]=\mathsf{negl}(\lambda)$, then it holds that $\Pr[\mathsf{Hyb}_4=1]=\mathsf{negl}(\lambda)$.
Proof.
Let $\epsilon:=\Pr[\mathsf{Hyb}_4=1]$.
For $vk=\{\mathsf{cPKE.dk}_{i,b}\}_{i\in[\lambda],b\in\{0,1\}}$ and $b=b_1\|\ldots\|b_\lambda\in\{0,1\}^\lambda$, let $E^{vk}_b$ be the event that $vk$ is chosen as the verification key and $m_i'=m^*_{i,b_i}$ for all $i\in[\lambda]$. Let $\mathcal{dk}^{vk}_b$ be the state of the returned key conditioned on $E^{vk}_b$.
Clearly, we have
[TABLE]
Let $\mathsf{Good}$ be the subset defined as
[TABLE]
Then, by a standard averaging argument, it holds that
[TABLE]
For $vk=\{\mathsf{cPKE.dk}_{i,b}\}_{i\in[\lambda],b\in\{0,1\}}$ and $b=b_1\|\ldots\|b_\lambda$, let $\Pi^{vk}_{=b}$ be the projection defined as follows:
[TABLE]
Then, by the definition of $\mathsf{Hyb}_5$, one can see that
where $0<p_j\le1$, $\sum_{j=1}^{N}p_j=1$, and $|\langle\psi_j|\psi_j\rangle|=1$.
For each $j\in[N]$, it holds that
[TABLE]
where the inequalities in the third and fourth lines follow from the Cauchy–Schwarz inequality.
Then, it holds that
[TABLE]
Since we assume $(vk,b)\in\mathsf{Good}$, it holds that $\mathrm{Tr}(\Pi^{vk}_{\mathsf{vrfy}}\mathcal{dk}^{vk}_b)\ge\frac{\epsilon}{2}$.
Combining the above, Proposition 5.5 is proven.
∎
Then, we have
[TABLE]
where the second inequality follows from Proposition 5.5 and the third inequality follows from Eq. 74.
Recalling that $\epsilon=\Pr[\mathsf{Hyb}_4=1]$, the above inequality implies Lemma 5.4.
∎
Lemma 5.6.
It holds that $\Pr[\mathsf{Hyb}_8=1]=\mathsf{negl}(\lambda)$ if cPKE is OW-CPA secure.
Proof.
For clarity, we give the full description of $\mathsf{Hyb}_8$ below.
$\mathsf{Hyb}_8$: It works as follows:
1. The challenger chooses $i^*\leftarrow[\lambda]$ and $b^*\leftarrow\{0,1\}$, generates $(\mathsf{cPKE.ek}_{i,b},\mathsf{cPKE.dk}_{i,b})\leftarrow\mathsf{cPKE.KG}(1^\lambda)$ for $i\in[\lambda]$ and $b\in\{0,1\}$, sets $ek:=\{\mathsf{cPKE.ek}_{i,b}\}_{i\in[\lambda],b\in\{0,1\}}$ and
[TABLE]
and sends $ek$ and $\mathcal{dk}$ to $\mathcal{A}$.
2. $\mathcal{A}$ queries $\mathcal{dk}$ to the verification oracle. The challenger returns $\top$ to $\mathcal{A}$ as the response from the oracle.
3. The challenger chooses $m^*_{i,b}\leftarrow\{0,1\}^\ell$ for $i\in[\lambda]$ and $b\in\{0,1\}$, generates $\mathsf{cPKE.ct}^*_{i,b}\leftarrow\mathsf{cPKE.Enc}(\mathsf{cPKE.ek}_{i,b},m^*_{i,b})$ for $i\in[\lambda]$ and $b\in\{0,1\}$, and sends $ct^*:=\{\mathsf{cPKE.ct}^*_{i,b}\}_{i\in[\lambda],b\in\{0,1\}}$ to $\mathcal{A}$.
4. $\mathcal{A}$ outputs $m'=m_1'\|\ldots\|m_\lambda'$. The challenger outputs [math] as the final output of the experiment if $m_i'\notin\{m^*_{i,0},m^*_{i,1}\}$ for some $i\in[\lambda]$.
5. Otherwise, the challenger measures $\mathcal{dk}$ in the computational basis, and lets $\{\tilde b_i,\mathsf{cPKE.dk}_i\}_{i\in[\lambda]}$ be the outcome. If there is $i\in[\lambda]$ such that $\mathsf{cPKE.dk}_i\ne\mathsf{cPKE.dk}_{i,\tilde b_i}$, the challenger outputs [math] as the final outcome of this experiment. Otherwise, define $b=b_1\|\ldots\|b_\lambda\in\{0,1\}^\lambda$ in such a way that $m_i'=m^*_{i,b_i}$ for $i\in[\lambda]$. Note that such $b$ must exist, since this step is invoked only when the challenger does not output [math] in Step 4. [Footnote 19: If $m^*_{i,0}=m^*_{i,1}$ (which happens with negligible probability), then we set $b_i:=0$.] If $\tilde b_{i^*}\ne b_{i^*}$, the challenger outputs $1$, and otherwise [math], as the final output of the experiment.
Suppose that we simulate $\mathsf{Hyb}_8$ for $\mathcal{A}$ while embedding a problem instance of the OW-CPA security of cPKE into $\mathsf{cPKE.ek}_{i^*,b^*\oplus1}$ and $\mathsf{cPKE.ct}^*_{i^*,b^*\oplus1}$. Note that this is possible without knowing $\mathsf{cPKE.dk}_{i^*,b^*\oplus1}$.
Suppose that $\mathsf{Hyb}_8=1$ occurs in the simulated execution. Then, in particular, we have $m'_{i^*}=m^*_{i^*,b_{i^*}}$, $\mathsf{cPKE.dk}_{i^*}=\mathsf{cPKE.dk}_{i^*,\tilde b_{i^*}}$, and $\tilde b_{i^*}\ne b_{i^*}$.
We consider the following two sub-cases.
1. If $\tilde b_{i^*}\ne b^*$, then we have $\tilde b_{i^*}=b^*\oplus1$. This implies $\mathsf{cPKE.dk}_{i^*}=\mathsf{cPKE.dk}_{i^*,b^*\oplus1}$. Then we can decrypt $\mathsf{cPKE.ct}^*_{i^*,b^*\oplus1}$ by honestly running the decryption algorithm with $\mathsf{cPKE.dk}_{i^*,b^*\oplus1}$. This contradicts the OW-CPA security of cPKE.
2. If $\tilde b_{i^*}=b^*$, then $b_{i^*}=b^*\oplus1$, and hence $m'_{i^*}=m^*_{i^*,b^*\oplus1}$, which is the message encrypted under $\mathsf{cPKE.ek}_{i^*,b^*\oplus1}$. This means that we can break the OW-CPA security of cPKE.
Neither case occurs with non-negligible probability, assuming the OW-CPA security of cPKE.
Thus, $\Pr[\mathsf{Hyb}_8=1]=\mathsf{negl}(\lambda)$. This completes the proof of Lemma 5.6. ∎
We can show that the scheme SKL constructed above also satisfies OMUR. Since there is a generic conversion that adds OMUR, as shown in Lemma 3.10, we only give a proof sketch.
We reduce OMUR to 1-query OW-KLA security. Suppose that there is an adversary that breaks OMUR, i.e., passes the verification twice. Then, roughly speaking, we can use it to break 1-query OW-KLA security by sending one of the two keys to the verification oracle and using the other to decrypt the challenge message. One issue is that the reduction algorithm may make only one verification query, while the adversary against OMUR may make arbitrarily many verification queries. To resolve this, we use an idea similar to that used in the proof of Lemma 3.10: the reduction algorithm guesses which two queries will be the first two to be accepted. Conditioned on the guess being correct, the reduction algorithm can simulate the verification oracle by simply returning $\bot$ to all queries except the two queries guessed to be accepted, until the adversary makes the second guessed query.
The guess is correct with probability $\binom{Q}{2}^{-1}$, where $Q$ is the number of queries. Thus, the reduction works with a polynomial security loss.
Since we already proved that SKL is 1-query OW-KLA secure (Theorem 5.2), the above reduction shows that it satisfies OMUR.
6 Attribute-Based Encryption with Secure Key Leasing
6.1 Definitions
Definition 6.1 (ABE with Secure Key Leasing).
An ABE-SKL scheme $\mathsf{ABE\text{-}SKL}$ is a tuple of six algorithms $(\mathsf{Setup},\mathcal{KG},\mathsf{Enc},\mathcal{Dec},\mathcal{Cert},\mathsf{Vrfy})$.
Below, let $X=\{X_\lambda\}_\lambda$, $Y=\{Y_\lambda\}_\lambda$, and $R=\{R_\lambda:X_\lambda\times Y_\lambda\to\{0,1\}\}_\lambda$ be the ciphertext attribute space, the key attribute space, and the associated relation of $\mathsf{ABE\text{-}SKL}$, respectively.
$\mathsf{Setup}(1^\lambda)\to(pk,msk)$: The setup algorithm takes a security parameter $1^\lambda$ and outputs a public key $pk$ and a master secret key $msk$.
$\mathcal{KG}(msk,y)\to(\mathcal{usk},vk)$: The key generation algorithm takes a master secret key $msk$ and a key attribute $y\in Y$, and outputs a user secret key $\mathcal{usk}$ and a verification key $vk$.
$\mathsf{Enc}(pk,x,m)\to ct$: The encryption algorithm takes a public key $pk$, a ciphertext attribute $x\in X$, and a plaintext $m$, and outputs a ciphertext $ct$.
$\mathcal{Dec}(\mathcal{usk},x,ct)\to z$: The decryption algorithm takes a user secret key $\mathcal{usk}$, a ciphertext attribute $x$, and a ciphertext $ct$, and outputs a value $z\in\{\bot\}\cup\{0,1\}^\ell$.
$\mathcal{Vrfy}(vk,\mathcal{usk}')\to\top/\bot$: The verification algorithm takes a verification key $vk$ and a quantum state $\mathcal{usk}'$, and outputs $\top$ or $\bot$.
Decryption correctness: For every $x\in X$ and $y\in Y$ satisfying $R(x,y)=1$, we have
[TABLE]
Verification correctness: For every $y\in Y$, we have
[TABLE]
Definition 6.2 (Adaptive Indistinguishability against Key Leasing Attacks).
We say that an ABE-SKL scheme $\mathsf{ABE\text{-}SKL}$ for relation $R:X\times Y\to\{0,1\}$ is secure against adaptive indistinguishability against key leasing attacks (Ada-IND-KLA) if it satisfies the following requirement, formalized via the experiment $\mathsf{Exp}^{\mathsf{ada\text{-}ind\text{-}kla}}_{\mathcal{A},\mathsf{ABE\text{-}SKL}}(1^\lambda,\mathsf{coin})$ between an adversary $\mathcal{A}$ and a challenger:
1. At the beginning, the challenger runs $(pk,msk)\leftarrow\mathsf{Setup}(1^\lambda)$ and initializes the list $L_{\mathcal{KG}}$ to the empty set. Throughout the experiment, $\mathcal{A}$ can access the following oracles.
$O_{\mathcal{KG}}(y)$: Given $y$, it looks for an entry of the form $(y,vk,V)$ in $L_{\mathcal{KG}}$. If there is such an entry, it returns $\bot$. Otherwise, it generates $(\mathcal{usk},vk)\leftarrow\mathcal{KG}(msk,y)$, sends $\mathcal{usk}$ to $\mathcal{A}$, and adds $(y,vk,\bot)$ to $L_{\mathcal{KG}}$.
$O_{\mathcal{Vrfy}}(y,\mathcal{usk}')$: Given $(y,\mathcal{usk}')$, it looks for an entry $(y,vk,V)$ in $L_{\mathcal{KG}}$. (If there is no such entry, it returns $\bot$.) It then runs $d:=\mathcal{Vrfy}(vk,\mathcal{usk}')$ and returns $d$ to $\mathcal{A}$. If $V=\bot$, it updates the entry to $(y,vk,d)$.
2. When $\mathcal{A}$ sends $(x^*,m_0,m_1)$ to the challenger, the challenger checks whether, for every entry $(y,vk,V)$ in $L_{\mathcal{KG}}$ with $R(x^*,y)=1$, it holds that $V=\top$. If so, the challenger generates $ct^*\leftarrow\mathsf{Enc}(pk,x^*,m_{\mathsf{coin}})$ and sends $ct^*$ to $\mathcal{A}$. Otherwise, the challenger outputs [math].
3. $\mathcal{A}$ continues to make queries to $O_{\mathcal{KG}}(\cdot)$ and $O_{\mathcal{Vrfy}}(\cdot,\cdot)$. However, $\mathcal{A}$ is not allowed to send a key attribute $y$ with $R(x^*,y)=1$ to $O_{\mathcal{KG}}$.
4. $\mathcal{A}$ outputs a guess $\mathsf{coin}'$ for $\mathsf{coin}$. The challenger outputs $\mathsf{coin}'$ as the final output of the experiment.
For any QPT $\mathcal{A}$, it holds that
[TABLE]
Remark 6.3.
In Definition 6.2, the key generation oracle returns $\bot$ if the same $y$ is queried more than once. To handle the situation where multiple keys for the same attribute $y$ are generated, we would need to manage indices for $y$, such as $(y,1,vk_1,V_1),(y,2,vk_2,V_2)$. Although we could reflect this index management in the definition, it complicates the definition and obscures the essential idea. Thus, we use the simplified definition above.
We also consider relaxed versions of the above security notion.
Definition 6.4 (Selective indistinguishability against key leasing attacks).
We consider selective indistinguishability against key leasing attacks (Sel-IND-KLA). For this, we consider the same security game as that for Ada-IND-KLA, except that the adversary $\mathcal{A}$ must declare its target $x^*$ at the beginning of the game (even before it is given $pk$).
We then define the advantage $\mathsf{Adv}^{\mathsf{sel\text{-}ind\text{-}kla}}_{\mathsf{ABE\text{-}SKL},\mathcal{A}}(\lambda)$ for the selective case analogously. We say that $\mathsf{ABE\text{-}SKL}$ is secure against selective indistinguishability against key leasing attacks if, for any QPT adversary $\mathcal{A}$, $\mathsf{Adv}^{\mathsf{sel\text{-}ind\text{-}kla}}_{\mathsf{ABE\text{-}SKL},\mathcal{A}}(\lambda)$ is negligible.
We also consider the following security notion, which introduces the additional restriction that the number of distinguishing keys issued (and eventually returned) before $ct^*$ is generated is bounded by some predetermined parameter $q$. Here, a distinguishing key is a key that could decrypt the challenge ciphertext if it were not returned.
Definition 6.5 (Bounded Distinguishing Key Ada-IND-KLA/Sel-IND-KLA for ABE).
To define bounded distinguishing key Ada-IND-KLA security, we consider the same security game as that for Ada-IND-KLA (i.e., $\mathsf{Exp}^{\mathsf{ada\text{-}ind\text{-}kla}}_{\mathcal{A},\mathsf{ABE\text{-}SKL}}(1^\lambda,\mathsf{coin})$), except that Step 2 of Definition 6.2 is replaced by the following:
2'. When $\mathcal{A}$ sends $(x^*,m_0,m_1)$ to the challenger, the challenger checks whether there are at most $q$ entries $(y,vk,V)$ in $L_{\mathcal{KG}}$ such that $R(x^*,y)=1$ and, for all these entries, $V=\top$. If so, the challenger generates $ct^*\leftarrow\mathsf{Enc}(pk,x^*,m_{\mathsf{coin}})$ and sends $ct^*$ to $\mathcal{A}$. Otherwise, the challenger outputs [math].
We then define the advantage $\mathsf{Adv}^{\mathsf{ada\text{-}ind\text{-}kla}}_{\mathsf{ABE\text{-}SKL},\mathcal{A},q}(\lambda)$ analogously to $\mathsf{Adv}^{\mathsf{ada\text{-}ind\text{-}kla}}_{\mathsf{ABE\text{-}SKL},\mathcal{A}}(\lambda)$.
We say that $\mathsf{ABE\text{-}SKL}$ is $q$-bounded distinguishing key Ada-IND-KLA secure if, for any QPT adversary $\mathcal{A}$, $\mathsf{Adv}^{\mathsf{ada\text{-}ind\text{-}kla}}_{\mathsf{ABE\text{-}SKL},\mathcal{A},q}(\lambda)$ is negligible.
We define $q$-bounded distinguishing key Sel-IND-KLA security analogously, by requiring the adversary to output its target $x^*$ at the beginning of the game.
We emphasize that while the number of distinguishing keys the adversary can obtain in the game is bounded by a fixed polynomial, the number of non-distinguishing keys (i.e., keys for $y$ with $R(x^*,y)=0$) is unbounded.
6.2 1-Bounded Distinguishing Key Construction
We construct an ABE-SKL scheme $\mathsf{1ABE}=(\mathsf{Setup},\mathcal{KG},\mathsf{Enc},\mathcal{Dec},\mathcal{Vrfy})$ for relation $R:X\times Y\to\{0,1\}$ with 1-bounded distinguishing key Ada-IND-KLA/Sel-IND-KLA security whose message space is $\{0,1\}^\ell$ by using the following building blocks.
• IND-KLA secure PKE-SKL $\mathsf{SKL}.(\mathcal{KG},\mathsf{Enc},\mathcal{Dec},\mathcal{Vrfy})$. Without loss of generality, we assume that $\mathsf{skl.ek}\in\{0,1\}^{\ell_{\mathsf{ek}}}$ and that the randomness space used by $\mathsf{SKL.Enc}$ is $\{0,1\}^{\ell_{\mathsf{rand}}}$ for some $\ell_{\mathsf{ek}}(\lambda)$ and $\ell_{\mathsf{rand}}(\lambda)$. We also assume that the message space of $\mathsf{SKL}$ is $\{0,1\}^\ell$.
• Adaptively/selectively secure ABE $\mathsf{ABE}.(\mathsf{Setup},\mathsf{KG},\mathsf{Enc},\mathsf{Dec})$ for relation $R$ with message space $\{0,1\}^\lambda$.
• A garbling scheme $\mathsf{GC}=(\mathsf{Grbl},\mathsf{GCEval})$. Without loss of generality, we assume that the labels of $\mathsf{GC}$ are in $\{0,1\}^\lambda$.
$\mathsf{Setup}(1^\lambda)$:
• For $i\in[\ell_{\mathsf{ek}}]$ and $b\in\{0,1\}$, run $(\mathsf{abe.pk}_{i,b},\mathsf{abe.msk}_{i,b})\leftarrow\mathsf{ABE.Setup}(1^\lambda)$.
Run $\mathsf{abe.ct}_{i,b}\leftarrow\mathsf{ABE.Enc}(\mathsf{abe.pk}_{i,b},x,\mathsf{lab}_{i,b})$ for $i\in[\ell_{\mathsf{ek}}]$ and $b\in\{0,1\}$.
• Output $\mathsf{ct}:=(\{\mathsf{abe.ct}_{i,b}\}_{i\in[\ell_{\mathsf{ek}}],b\in\{0,1\}},E)$.
$\mathcal{Dec}(\mathcal{usk},x,\mathsf{ct})$:
• Parse $\mathcal{usk}=(\{\mathsf{abe.sk}_i\}_{i\in[\ell_{\mathsf{ek}}]},\mathsf{skl.ek},\mathsf{skl}.\mathcal{dk})$ and $\mathsf{ct}=(\{\mathsf{abe.ct}_{i,b}\}_{i\in[\ell_{\mathsf{ek}}],b\in\{0,1\}},E)$.
• Compute $\mathsf{lab}_i\leftarrow\mathsf{ABE.Dec}(\mathsf{abe.sk}_i,x,\mathsf{abe.ct}_{i,\mathsf{skl.ek}[i]})$ for $i\in[\ell_{\mathsf{ek}}]$.
• Compute $\mathsf{skl.ct}=\mathsf{GCEval}(E,\{\mathsf{lab}_i\}_{i\in[\ell_{\mathsf{ek}}]})$.
• Compute and output $m'\leftarrow\mathsf{SKL}.\mathcal{Dec}(\mathsf{skl}.\mathcal{dk},\mathsf{skl.ct})$.
$\mathcal{Vrfy}(\mathsf{vk},\mathcal{usk}')$:
• Parse $\mathsf{vk}=\mathsf{skl.vk}$ and $\mathcal{usk}'=(\{\mathsf{abe.sk}_i\}_{i\in[\ell_{\mathsf{ek}}]},\mathsf{skl.ek}',\mathsf{skl}.\mathcal{dk}')$.
• Compute and output $\mathsf{SKL}.\mathcal{Vrfy}(\mathsf{skl.vk},\mathsf{skl}.\mathcal{dk}')$.
We show that the scheme satisfies decryption correctness. To see this, we first observe that the decryption algorithm correctly recovers the labels of $E$ corresponding to the input $\mathsf{skl.ek}$ by the correctness of $\mathsf{ABE}$. Therefore, the $\mathsf{skl.ct}$ recovered by the garbled circuit evaluation equals $\mathsf{SKL.Enc}(\mathsf{skl.ek},m;R)$ by the correctness of $\mathsf{GC}$. Then, the message $m$ is recovered in the last step by the correctness of $\mathsf{SKL}$.
We can also see that verification correctness follows from that of $\mathsf{SKL}$.
Theorem 6.6.
If $\mathsf{ABE}$ is adaptively (resp., selectively) secure, $\mathsf{GC}$ is secure, and $\mathsf{SKL}$ is IND-KLA secure, then $\mathsf{1ABE}$ above is 1-bounded distinguishing key Ada-IND-KLA (resp., Sel-IND-KLA) secure.
Proof.
Here, we first focus on the proof for the case of Ada-IND-KLA and later mention the necessary modifications for the case of Sel-IND-KLA. Let $Q$ be the upper bound on the number of key queries to $O_{\mathcal{KG}}$ before the challenge phase.
We define a sequence of hybrid games.
$\mathsf{Hyb}_0$:
This is the same as $\mathsf{Exp}^{\mathsf{ada}\text{-}\mathsf{ind}\text{-}\mathsf{kla}}_{\mathsf{1ABE},\mathcal{A},1}(1^\lambda,0)$. More specifically, it is as follows.
1. The challenger generates $(\mathsf{abe.pk}_{i,b},\mathsf{abe.msk}_{i,b})\leftarrow\mathsf{ABE.Setup}(1^\lambda)$ for $i\in[\ell_{\mathsf{ek}}]$ and $b\in\{0,1\}$ and sends $\mathsf{pk}:=\{\mathsf{abe.pk}_{i,b}\}_{i,b}$ to the adversary $\mathcal{A}$. The challenger then initializes the list $L_{\mathcal{KG}}$ to be an empty set. $\mathcal{A}$ can access the following oracles.
$O_{\mathcal{KG}}(y^{(j)})$: Given the $j$-th query $y^{(j)}$ with $j\in[Q]$, if there is an entry of the form $(y^{(j)},\mathsf{vk},V)$, it outputs $\bot$. Otherwise, it generates $(\mathsf{skl.ek}^{(j)},\mathsf{skl}.\mathcal{dk}^{(j)},\mathsf{skl.vk}^{(j)})\leftarrow\mathsf{SKL}.\mathcal{KG}(1^\lambda)$ and $\mathsf{abe.sk}_i^{(j)}\leftarrow\mathsf{ABE.KG}(\mathsf{abe.msk}_{i,\mathsf{skl.ek}^{(j)}[i]},y^{(j)})$ for $i\in[\ell_{\mathsf{ek}}]$, where $\mathsf{skl.ek}^{(j)}[i]$ is the $i$-th bit of the binary string $\mathsf{skl.ek}^{(j)}$. It then sends $\mathcal{usk}^{(j)}:=(\{\mathsf{abe.sk}_i^{(j)}\}_i,\mathsf{skl}.\mathcal{dk}^{(j)})$ to $\mathcal{A}$ and adds $(y^{(j)},\mathsf{skl.vk}^{(j)},\bot)$ to $L_{\mathcal{KG}}$.
$O_{\mathcal{Vrfy}}(y,\mathcal{usk}')$: Given $(y,\mathcal{usk}')$, it finds an entry $(y,\mathsf{vk},V)$ in $L_{\mathcal{KG}}$ and parses $\mathcal{usk}'=(\{\mathsf{abe.sk}'_i\}_i,\mathsf{skl}.\mathcal{dk}')$. (If there is no such entry, it returns $\bot$.) It then parses $\mathsf{vk}=\mathsf{skl.vk}$ and returns $d:=\mathsf{SKL}.\mathcal{Vrfy}(\mathsf{skl.vk},\mathsf{skl}.\mathcal{dk}')$ to $\mathcal{A}$. It finally updates the entry to $(y,\mathsf{vk},d)$ if $V=\bot$.
2. When $\mathcal{A}$ sends $(x^*,m_0,m_1)$ to the challenger, the challenger checks whether there is at most one entry $(y,\mathsf{vk},V)$ in $L_{\mathcal{KG}}$ such that $R(x^*,y)=1$ and, for that entry, $V=\top$ holds. If so, the challenger generates $(\{\mathsf{lab}_{i,b}\}_{i\in[\ell_{\mathsf{ek}}],b\in\{0,1\}},E)\leftarrow\mathsf{Grbl}(1^\lambda,E[m_0,R])$ and computes $\mathsf{abe.ct}_{i,b}\leftarrow\mathsf{ABE.Enc}(\mathsf{abe.pk}_{i,b},x^*,\mathsf{lab}_{i,b})$ for $i\in[\ell_{\mathsf{ek}}]$ and $b\in\{0,1\}$. It then sends $\mathsf{ct}^*:=(\{\mathsf{abe.ct}_{i,b}\}_{i,b},E)$ to $\mathcal{A}$. Otherwise (i.e., if there are multiple entries with $R(x^*,y)=1$, or if there is an entry with $R(x^*,y)=1$ and $V=\bot$), it aborts the game and outputs [math].
3. $\mathcal{A}$ continues to make queries to $O_{\mathcal{KG}}(\cdot)$ and $O_{\mathcal{Vrfy}}(\cdot,\cdot)$. However, $\mathcal{A}$ is not allowed to send a key attribute $y$ such that $R(x^*,y)=1$ to $O_{\mathcal{KG}}$.
4. $\mathcal{A}$ outputs a guess $\mathsf{coin}'$ for $\mathsf{coin}$. The challenger outputs $\mathsf{coin}'$ as the final output of the experiment.
$\mathsf{Hyb}_1$:
This game is the same as $\mathsf{Hyb}_0$ except that the challenger chooses a random $\tilde j\leftarrow[Q]$ at the beginning of the game.
Then, right before it computes the challenge ciphertext, the challenger finds an index $j^*\in[Q]$ such that $R(x^*,y^{(j^*)})=1$.
If there is no such query, we define $j^*:=1$. (Note that if there are multiple indices $j^*$ satisfying the above, the challenger aborts and outputs [math] as specified in the previous game. Therefore, there is at most one such $j^*$.)
The challenger then checks whether $\tilde j=j^*$.
If so, the challenger continues the game until $\mathcal{A}$ outputs its guess.
Otherwise, it aborts the game and outputs [math] as the outcome of the game.
Since the choice of $\tilde j$ is independent of the view of $\mathcal{A}$ and the outcome of the game is $1$ only when $\tilde j=j^*$, we can easily see that
$\Pr[\mathsf{Hyb}_1=1]=\Pr[\mathsf{Hyb}_0=1]/Q$.
$\mathsf{Hyb}_2$:
This game is the same as $\mathsf{Hyb}_1$ except for the way $\{\mathsf{abe.ct}_{i,b}\}_{i,b}$ is generated.
Namely, we generate $\mathsf{abe.ct}_{i,b}$ as
$\mathsf{abe.ct}_{i,b}\leftarrow\mathsf{ABE.Enc}(\mathsf{abe.pk}_{i,b},\mathsf{lab}_{i,\mathsf{skl.ek}^{(j^*)}[i]})$
for $i\in[\ell_{\mathsf{ek}}]$ and $b\in\{0,1\}$.
We observe that the labels being encrypted are changed only for positions of the form $(i,1\oplus\mathsf{skl.ek}^{(j^*)}[i])$.
The adversary $\mathcal{A}$ cannot notice the change since it is not given any secret key that can decrypt the ABE ciphertexts for these positions.
To check this, recall that there is at most one index $j^*$ such that $R(x^*,y^{(j^*)})=1$, and for the corresponding key query the adversary is given ABE secret keys for positions of the form $(i,\mathsf{skl.ek}^{(j^*)}[i])$, but not for $(i,1\oplus\mathsf{skl.ek}^{(j^*)}[i])$.
Hence, we obtain $|\Pr[\mathsf{Hyb}_1=1]-\Pr[\mathsf{Hyb}_2=1]|=\mathsf{negl}(\lambda)$ by the adaptive security of $\mathsf{ABE}$.
See Lemma 6.7 for the details.
$\mathsf{Hyb}_3$:
This game is the same as $\mathsf{Hyb}_2$ except for the way $\mathsf{ct}^*$ is generated.
In particular, to generate $\mathsf{ct}^*$, we first run
$(\{\mathsf{lab}_i\}_{i\in[\ell_{\mathsf{ek}}]},E)\leftarrow\mathsf{Sim.GC}(1^\lambda,\mathsf{SKL.Enc}(\mathsf{skl.ek}^{(j^*)},m_0;R))$
and then compute
$\mathsf{abe.ct}_{i,b}\leftarrow\mathsf{ABE.Enc}(\mathsf{abe.pk}_{i,b},\mathsf{lab}_i)$
for $i\in[\ell_{\mathsf{ek}}]$ and $b\in\{0,1\}$.
We claim that this game is indistinguishable from the previous one.
To see this, it suffices to show that
$(\{\mathsf{lab}_{i,\mathsf{skl.ek}^{(j^*)}[i]}\}_i,E)$
computed by $(\{\mathsf{lab}_{i,b}\}_{i,b},E)\leftarrow\mathsf{Grbl}(1^\lambda,E[m_0,R])$
and
$(\{\mathsf{lab}_i\}_{i\in[\ell_{\mathsf{ek}}]},E)$
computed by
$(\{\mathsf{lab}_i\}_{i\in[\ell_{\mathsf{ek}}]},E)\leftarrow\mathsf{Sim.GC}(1^\lambda,\mathsf{SKL.Enc}(\mathsf{skl.ek}^{(j^*)},m_0;R))$
are computationally indistinguishable.
This immediately follows from the security of the garbled circuit, since we have
[TABLE]
by the definition of $E$.
Hence, we obtain $|\Pr[\mathsf{Hyb}_2=1]-\Pr[\mathsf{Hyb}_3=1]|=\mathsf{negl}(\lambda)$.
$\mathsf{Hyb}_4$:
This game is the same as $\mathsf{Hyb}_3$ except that the challenger chooses $(\{\mathsf{lab}_i\}_i,E)$ by $(\{\mathsf{lab}_i\}_{i\in[\ell_{\mathsf{ek}}]},E)\leftarrow\mathsf{Sim.GC}(1^\lambda,\mathsf{SKL.Enc}(\mathsf{skl.ek}^{(j^*)},m_1;R))$
instead of
$(\{\mathsf{lab}_i\}_{i\in[\ell_{\mathsf{ek}}]},E)\leftarrow\mathsf{Sim.GC}(1^\lambda,\mathsf{SKL.Enc}(\mathsf{skl.ek}^{(j^*)},m_0;R))$.
To show that $|\Pr[\mathsf{Hyb}_3=1]-\Pr[\mathsf{Hyb}_4=1]|=\mathsf{negl}(\lambda)$, it suffices to show that $\mathsf{SKL.Enc}(\mathsf{skl.ek}^{(j^*)},m_0;R)$ is indistinguishable from $\mathsf{SKL.Enc}(\mathsf{skl.ek}^{(j^*)},m_1;R)$ for $\mathcal{A}$, if it makes $O_{\mathcal{Vrfy}}$ output $\top$ on input $(y^{(j^*)},\mathcal{usk}')$ for some $\mathcal{usk}'$ before the challenge ciphertext is given to $\mathcal{A}$.
The indistinguishability follows from the security of $\mathsf{SKL}$: the fact that $\mathcal{A}$ passes the verification $O_{\mathcal{Vrfy}}$ implies that $\mathcal{A}$ submitted $\mathsf{skl}.\mathcal{dk}'$ such that $\mathsf{SKL}.\mathcal{Vrfy}(\mathsf{skl.vk}^{(j^*)},\mathsf{skl}.\mathcal{dk}')=\top$ before it is given the challenge ciphertext, and therefore it no longer has the ability to decrypt the ciphertext.
To turn this intuition into a formal reduction, we have to embed the public key of $\mathsf{SKL}$ into the answer to the $j^*$-th key generation query.
Since the reduction algorithm does not know $j^*$ until $\mathcal{A}$ submits $(x^*,m_0,m_1)$, it can only guess it.
The change in $\mathsf{Hyb}_1$ is introduced in order to incorporate the guess into the game so that the reduction is possible.
We refer to Lemma 6.8 for the formal proof of $|\Pr[\mathsf{Hyb}_3=1]-\Pr[\mathsf{Hyb}_4=1]|=\mathsf{negl}(\lambda)$.
$\mathsf{Hyb}_5$:
This is the same as $\mathsf{Exp}^{\mathsf{ada}\text{-}\mathsf{ind}\text{-}\mathsf{kla}}_{\mathsf{1ABE},\mathcal{A},1}(1^\lambda,1)$.
From the above discussion, we have
[TABLE]
We then observe that $\mathsf{Hyb}_5$ (resp., $\mathsf{Hyb}_4$) is the same as $\mathsf{Hyb}_0$ (resp., $\mathsf{Hyb}_3$) except that $m_1$ is used for the encryption instead of $m_0$. Therefore, we obtain
$|Q\cdot\Pr[\mathsf{Hyb}_4=1]-\Pr[\mathsf{Hyb}_5=1]|\le\mathsf{negl}(\lambda)$
analogously to Eq. (98) by considering a similar sequence of games with $m_0$ replaced by $m_1$, in reverse order.
We therefore have
Lemma 6.7.
$|\Pr[\mathsf{Hyb}_1=1]-\Pr[\mathsf{Hyb}_2=1]|=\mathsf{negl}(\lambda)$ if $\mathsf{ABE}$ is adaptively secure.
Proof.
This can be reduced to the adaptive security of $\mathsf{ABE}$ by a standard hybrid argument, where we modify the way of generating $\mathsf{abe.ct}_{i,1\oplus\mathsf{skl.ek}^{(j^*)}[i]}$ for each $i\in[\ell_{\mathsf{ek}}]$ one by one.
More precisely, the reduction works as follows.
We define additional hybrids $\mathsf{Hyb}_{1.k}$ for $k\in[\ell_{\mathsf{ek}}]$ as follows.
$\mathsf{Hyb}_{1.k}$:
This is identical to $\mathsf{Hyb}_1$ except that $\mathsf{abe.ct}_{i,1\oplus\mathsf{skl.ek}^{(j^*)}[i]}$ is generated as
[TABLE]
for $i\in[\lambda]$.
Clearly, we have $\mathsf{Hyb}_1=\mathsf{Hyb}_{1.1}$ and $\mathsf{Hyb}_2=\mathsf{Hyb}_{1.\ell_{\mathsf{ek}}+1}$. Thus, it suffices to prove that
$|\Pr[\mathsf{Hyb}_{1.k+1}=1]-\Pr[\mathsf{Hyb}_{1.k}=1]|=\mathsf{negl}(\lambda)$
for all $k\in[\ell_{\mathsf{ek}}]$.
Note that the only difference between $\mathsf{Hyb}_{1.k+1}$ and $\mathsf{Hyb}_{1.k}$ is the way of generating $\mathsf{abe.ct}_{k,1\oplus\mathsf{skl.ek}^{(j^*)}[k]}$.
To show that $|\Pr[\mathsf{Hyb}_{1.k+1}=1]-\Pr[\mathsf{Hyb}_{1.k}=1]|=\mathsf{negl}(\lambda)$, we construct $\mathcal{B}$ against the adaptive security of $\mathsf{ABE}$ as follows.
$\mathcal{B}(\mathsf{abe.pk})$:
It works as follows.
1. It chooses $\tilde j\leftarrow[Q]$ and $(\mathsf{skl.ek}^{(j)},\mathsf{skl}.\mathcal{dk}^{(j)},\mathsf{skl.vk}^{(j)})\leftarrow\mathsf{SKL}.\mathcal{KG}(1^\lambda)$ for $j\in[Q]$.
2. Generate $(\mathsf{abe.pk}_{i,b},\mathsf{abe.msk}_{i,b})\leftarrow\mathsf{ABE.Setup}(1^\lambda)$ for $(i,b)\in[\ell_{\mathsf{ek}}]\times\{0,1\}\setminus\{(k,1\oplus\mathsf{skl.ek}^{(\tilde j)}[k])\}$. Set
$\mathsf{abe.pk}_{k,1\oplus\mathsf{skl.ek}^{(\tilde j)}[k]}:=\mathsf{abe.pk}$
and send $\mathsf{pk}:=\{\mathsf{abe.pk}_{i,b}\}_{i,b}$ to $\mathcal{A}$.
3. $\mathcal{B}$ initializes the list $L_{\mathcal{KG}}$ to be an empty set and simulates the following oracles for $\mathcal{A}$.
$O_{\mathcal{KG}}(y^{(j)})$: Given the $j$-th query $y^{(j)}$ with $j\in[Q]$, if there is an entry of the form $(y^{(j)},\mathsf{vk},V)$, it outputs $\bot$. Otherwise, it generates $\mathsf{abe.sk}_i^{(j)}\leftarrow\mathsf{ABE.KG}(\mathsf{abe.msk}_{i,\mathsf{skl.ek}^{(j)}[i]},y^{(j)})$ for $i\in[\ell_{\mathsf{ek}}]\setminus\{k\}$.
To simulate $\mathsf{abe.sk}_k^{(j)}$, $\mathcal{B}$ proceeds as follows.
If $\mathsf{skl.ek}^{(j)}[k]=1\oplus\mathsf{skl.ek}^{(\tilde j)}[k]$, it queries $y^{(j)}$ to its challenger.
The challenger runs
[TABLE]
and returns it to $\mathcal{B}$.
$\mathcal{B}$ then sets $\mathsf{abe.sk}_k^{(j)}:=\mathsf{abe.sk}$.
Otherwise (i.e., if $\mathsf{skl.ek}^{(j)}[k]=\mathsf{skl.ek}^{(\tilde j)}[k]$), it runs $\mathsf{abe.sk}_k^{(j)}\leftarrow\mathsf{ABE.KG}(\mathsf{abe.msk}_{k,\mathsf{skl.ek}^{(j)}[k]},y^{(j)})$.
It then sends $\mathcal{usk}^{(j)}:=(\{\mathsf{abe.sk}_i^{(j)}\}_i,\mathsf{skl}.\mathcal{dk}^{(j)})$ to $\mathcal{A}$ and adds $(y^{(j)},\mathsf{skl.vk}^{(j)},\bot)$ to $L_{\mathcal{KG}}$.
$O_{\mathcal{Vrfy}}(y,\mathcal{usk}')$: Given $(y,\mathcal{usk}')$, it finds an entry $(y,\mathsf{vk},V)$ in $L_{\mathcal{KG}}$ and parses $\mathcal{usk}'=(\{\mathsf{abe.sk}'_i\}_i,\mathsf{skl}.\mathcal{dk}')$. (If there is no such entry, it returns $\bot$.) It then parses $\mathsf{vk}=\mathsf{skl.vk}$ and returns $d:=\mathsf{SKL}.\mathcal{Vrfy}(\mathsf{skl.vk},\mathsf{skl}.\mathcal{dk}')$ to $\mathcal{A}$. It finally updates the entry to $(y,\mathsf{vk},d)$ if $V=\bot$.
4. When $\mathcal{A}$ sends $(x^*,m_0,m_1)$ to the challenger, $\mathcal{B}$ checks whether there are multiple entries $(y,\mathsf{vk},V)$ in $L_{\mathcal{KG}}$ such that $R(x^*,y)=1$, or whether there is an entry $(y,\mathsf{vk},V)$ in $L_{\mathcal{KG}}$ with $R(x^*,y)=1$ and $V\neq\top$.
If so, $\mathcal{B}$ aborts the game and outputs [math] as its guess.
Otherwise, $\mathcal{B}$ defines $j^*\in[Q]$ as in $\mathsf{Hyb}_1$.
It then aborts and outputs [math] if $j^*\neq\tilde j$.
Otherwise, $\mathcal{B}$ computes $\mathsf{ct}^*$ as follows.
It first chooses $R\leftarrow\{0,1\}^{\ell_{\mathsf{rand}}}$ and computes $(\{\mathsf{lab}_{i,b}\}_{i\in[\ell_{\mathsf{ek}}],b\in\{0,1\}},E)\leftarrow\mathsf{Grbl}(1^\lambda,E[m_0,R])$.
It then computes $\mathsf{abe.ct}_{i,b}$ for $(i,b)\in[\ell_{\mathsf{ek}}]\times\{0,1\}\setminus\{(k,1\oplus\mathsf{skl.ek}^{(j^*)}[k])\}$ as in Equation 99.
$\mathcal{B}$ then submits $(\mathsf{lab}_{k,\mathsf{skl.ek}^{(j^*)}[k]},\mathsf{lab}_{k,1\oplus\mathsf{skl.ek}^{(j^*)}[k]})$ to its challenger.
Then, the challenger runs
[TABLE]
and gives $\mathsf{abe.ct}$ to $\mathcal{B}$, where $\mathsf{coin}\in\{0,1\}$ is the coin chosen by the challenger.
Then, $\mathcal{B}$ sets $\mathsf{abe.ct}_{k,1\oplus\mathsf{skl.ek}^{(j^*)}[k]}:=\mathsf{abe.ct}$ and gives $\mathsf{ct}^*:=(\{\mathsf{abe.ct}_{i,b}\}_{i,b},E)$ to $\mathcal{A}$.
5. $\mathcal{A}$ then continues to make queries to $O_{\mathcal{KG}}(\cdot)$ and $O_{\mathcal{Vrfy}}(\cdot,\cdot)$. $\mathcal{B}$ answers the queries in the same manner as before the challenge query.
6. $\mathcal{A}$ finally outputs its guess. $\mathcal{B}$ outputs the same bit as its guess.
We first argue that $\mathcal{B}$ does not make any prohibited key query.
To see this, we first observe that for every key query $y$ that $\mathcal{B}$ makes, there exists $j$ such that $y=y^{(j)}$.
We then observe that $R(x^*,y^{(j)})=0$ for $j\neq j^*$, and $\mathcal{B}$ does not make a key query for $y^{(j^*)}$ in the above simulation.
We have
[TABLE]
where the probabilities are taken over the randomness used in the respective games. Thus, $|\Pr[\mathsf{Hyb}_{1.k+1}=1]-\Pr[\mathsf{Hyb}_{1.k}=1]|=\mathsf{negl}(\lambda)$ by the adaptive security of $\mathsf{ABE}$.
This completes the proof of Lemma 6.7.
∎
Lemma 6.8.
$|\Pr[\mathsf{Hyb}_3=1]-\Pr[\mathsf{Hyb}_4=1]|=\mathsf{negl}(\lambda)$ if $\mathsf{SKL}$ is IND-KLA secure.
Proof.
This can be reduced to the IND-KLA security of $\mathsf{SKL}$.
To do so, we construct an adversary $\mathcal{B}$ against the IND-KLA security of the scheme with advantage $|\Pr[\mathsf{Hyb}_3=1]-\Pr[\mathsf{Hyb}_4=1]|$ as follows.
$\mathcal{B}(\mathsf{skl.ek},\mathsf{skl}.\mathcal{dk})$:
It works as follows.
1. It chooses $\tilde j\leftarrow[Q]$ and $(\mathsf{skl.ek}^{(j)},\mathsf{skl}.\mathcal{dk}^{(j)},\mathsf{skl.vk}^{(j)})\leftarrow\mathsf{SKL}.\mathcal{KG}(1^\lambda)$ for $j\in[Q]\setminus\{\tilde j\}$.
It then sets $(\mathsf{skl.ek}^{(\tilde j)},\mathsf{skl}.\mathcal{dk}^{(\tilde j)}):=(\mathsf{skl.ek},\mathsf{skl}.\mathcal{dk})$.
It then generates $(\mathsf{abe.pk}_{i,b},\mathsf{abe.msk}_{i,b})\leftarrow\mathsf{ABE.Setup}(1^\lambda)$ for $i\in[\ell_{\mathsf{ek}}]$ and $b\in\{0,1\}$ and sends $\mathsf{pk}:=\{\mathsf{abe.pk}_{i,b}\}_{i,b}$ to the adversary $\mathcal{A}$.
2. $\mathcal{B}$ initializes the list $L_{\mathcal{KG}}$ to be an empty set and simulates the following oracles for $\mathcal{A}$.
$O_{\mathcal{KG}}(y^{(j)})$: Given the $j$-th query $y^{(j)}$ with $j\in[Q]$, if there is an entry of the form $(y^{(j)},\mathsf{vk},V)$, it outputs $\bot$. Otherwise, it generates $\mathsf{abe.sk}_i^{(j)}\leftarrow\mathsf{ABE.KG}(\mathsf{abe.msk}_{i,\mathsf{skl.ek}^{(j)}[i]},y^{(j)})$ for $i\in[\ell_{\mathsf{ek}}]$.
It then returns $\mathcal{usk}^{(j)}:=(\{\mathsf{abe.sk}_i^{(j)}\}_i,\mathsf{skl}.\mathcal{dk}^{(j)})$ to $\mathcal{A}$ and adds $(y^{(j)},\mathsf{skl.vk}^{(j)},\bot)$ to $L_{\mathcal{KG}}$.
$O_{\mathcal{Vrfy}}(y,\mathcal{usk}')$: Given $(y,\mathcal{usk}')$, it finds an entry $(y,\mathsf{vk},V)$ in $L_{\mathcal{KG}}$ and parses $\mathcal{usk}'=(\{\mathsf{abe.sk}'_i\}_i,\mathsf{skl}.\mathcal{dk}')$. (If there is no such entry, it returns $\bot$.)
If $y=y^{(j)}$ for $j\neq\tilde j$, $\mathcal{B}$ returns $d:=\mathsf{SKL}.\mathcal{Vrfy}(\mathsf{skl.vk}^{(j)},\mathsf{skl}.\mathcal{dk}')$ to $\mathcal{A}$.
Otherwise (i.e., if $y=y^{(\tilde j)}$), $\mathcal{B}$ submits $\mathsf{skl}.\mathcal{dk}'$ to its verification oracle.
Then,
[TABLE]
is computed and returned to $\mathcal{B}$.
$\mathcal{B}$ then returns $d$ to $\mathcal{A}$.
It finally updates the entry to $(y,\mathsf{vk},d)$ if $V=\bot$.
3. When $\mathcal{A}$ sends $(x^*,m_0,m_1)$ to the challenger, $\mathcal{B}$ checks whether there are multiple entries $(y,\mathsf{vk},V)$ in $L_{\mathcal{KG}}$ such that $R(x^*,y)=1$, or whether there is an entry $(y,\mathsf{vk},V)$ in $L_{\mathcal{KG}}$ with $R(x^*,y)=1$ and $V\neq\top$.
If so, $\mathcal{B}$ aborts the game and outputs [math] as its guess.
Otherwise, $\mathcal{B}$ defines $j^*\in[Q]$ as in $\mathsf{Hyb}_1$.
It then aborts and outputs [math] if $j^*\neq\tilde j$.
Otherwise, $\mathcal{B}$ computes $\mathsf{ct}^*$ as follows.
It first submits $(m_0,m_1)$ to its challenger.
Then, the challenger runs
[TABLE]
and returns it to $\mathcal{B}$, where $\mathsf{coin}\in\{0,1\}$ is the coin chosen by the challenger.
$\mathcal{B}$ then runs $(\{\mathsf{lab}_i\}_{i\in[\ell_{\mathsf{ek}}]},E)\leftarrow\mathsf{Sim.GC}(1^\lambda,\mathsf{skl.ct})$ and computes
$\mathsf{abe.ct}_{i,b}\leftarrow\mathsf{ABE.Enc}(\mathsf{abe.pk}_{i,b},\mathsf{lab}_i)$
for $i\in[\ell_{\mathsf{ek}}]$ and $b\in\{0,1\}$.
Then, $\mathcal{B}$ sets $\mathsf{ct}^*:=(\{\mathsf{abe.ct}_{i,b}\}_{i,b},E)$ and gives it to $\mathcal{A}$.
4. $\mathcal{A}$ then continues to make queries to $O_{\mathcal{KG}}(\cdot)$ and $O_{\mathcal{Vrfy}}(\cdot,\cdot)$. $\mathcal{B}$ answers the queries in the same manner as before the challenge query.
5. $\mathcal{A}$ finally outputs its guess. $\mathcal{B}$ outputs the same bit as its guess.
We then have
[TABLE]
where the probabilities are taken over the randomness used in the respective games. Thus, $|\Pr[\mathsf{Hyb}_3=1]-\Pr[\mathsf{Hyb}_4=1]|=\mathsf{negl}(\lambda)$ by the security of $\mathsf{SKL}$.
This completes the proof of Lemma 6.8.
∎
This completes the proof of Theorem 6.6 for the case of adaptive security.
The proof for selective security.
The statement for selective security can be obtained immediately by considering the same sequence of games as in the adaptive security case, with natural adaptations. In particular, we modify the reduction algorithm in Lemma 6.7 so that it outputs $x^*$ to its own challenger at the beginning of the game, right after it is given $x^*$ by $\mathcal{A}$.
An alternative option is to consider a simpler proof tailored to the selective setting. This is possible because the proof obtained by adapting the adaptive setting to the selective setting includes a redundant step.
In particular, we consider the sequence of games without $\mathsf{Hyb}_1$. The reason why $\mathsf{Hyb}_1$ is not necessary is that in the selective setting, the reduction algorithm obtains $x^*$ at the beginning of the game and can use this information throughout the game.
In particular, whenever $\mathcal{A}$ makes a key query $y^{(j)}$, the reduction algorithm can check whether $j^*=j$ holds by computing the value of $R(x^*,y^{(j)})$, so there is no need to guess it.
By introducing this change, we can improve the reduction cost so that it is independent of $Q$.
∎
6.3 q-Bounded Distinguishing Key Construction
We construct an ABE-SKL scheme $\mathsf{qABE}=(\mathsf{Setup},\mathcal{KG},\mathsf{Enc},\mathcal{Dec},\mathcal{Vrfy})$ for relation $R:X\times Y\to\{0,1\}$ with $q$-bounded distinguishing key Ada-IND-KLA (resp., Sel-IND-KLA) security from an ABE-SKL scheme $\mathsf{1ABE}=\mathsf{1ABE}.(\mathsf{Setup},\mathcal{KG},\mathsf{Enc},\mathcal{Dec},\mathcal{Vrfy})$ for the same relation $R$ with 1-bounded distinguishing key Ada-IND-KLA (resp., Sel-IND-KLA) security.
We note that the construction here is essentially the same as that of [ISV+17], which converts a single-collusion secure ABE scheme into a $q$-bounded collusion secure ABE.
However, our proof is more complex, reflecting the fact that the adversary is allowed to make an unbounded number of key queries (though the number of distinguishing keys is bounded).
The following construction uses parameters $v:=v(\lambda)$ and $w:=w(\lambda)$.
We will set the parameters in Theorem 6.9.
$\mathsf{Setup}(1^\lambda)$:
• For $i\in[v]$ and $j\in[w]$, run $(\mathsf{1abe.pk}_{i,j},\mathsf{1abe.msk}_{i,j})\leftarrow\mathsf{1ABE.Setup}(1^\lambda)$.
Run $(\mathsf{1abe.vk}_i,\mathsf{1abe}.\mathcal{usk}_i)\leftarrow\mathsf{1ABE}.\mathcal{KG}(\mathsf{1abe.msk}_{i,j_i},y)$ for $i\in[v]$.
• Output $\mathcal{usk}:=\{j_i,\mathsf{1abe}.\mathcal{usk}_i\}_{i\in[v]}$ and $\mathsf{vk}:=\{\mathsf{1abe.vk}_i\}_{i\in[v]}$.
$\mathsf{Enc}(\mathsf{pk},x,m)$:
• Choose $\mu_1,\ldots,\mu_{v-1}\leftarrow\{0,1\}^\ell$ and set $\mu_v:=(\bigoplus_{i\in[v-1]}\mu_i)\oplus m$, where $\oplus$ denotes bit-wise XOR here.
• Run $\mathsf{1abe.ct}_{i,j}\leftarrow\mathsf{1ABE.Enc}(\mathsf{1abe.pk}_{i,j},x,\mu_i)$ for $i\in[v]$ and $j\in[w]$.
• Output $\mathsf{ct}:=\{\mathsf{1abe.ct}_{i,j}\}_{i\in[v],j\in[w]}$.
$\mathcal{Dec}(\mathcal{usk},x,\mathsf{ct})$:
• Parse $\mathcal{usk}:=\{j_i,\mathsf{1abe}.\mathcal{usk}_i\}_{i\in[v]}$ and $\mathsf{ct}:=\{\mathsf{1abe.ct}_{i,j}\}_{i\in[v],j\in[w]}$.
• Compute $\mu'_i\leftarrow\mathsf{1ABE}.\mathcal{Dec}(\mathsf{1abe}.\mathcal{usk}_i,x,\mathsf{1abe.ct}_{i,j_i})$ for $i\in[v]$.
• Compute and output $m':=\bigoplus_{i\in[v]}\mu'_i$.
$\mathcal{Vrfy}(\mathsf{vk},\mathcal{usk}')$:
• Parse $\mathsf{vk}=\{\mathsf{1abe.vk}_i\}_{i\in[v]}$ and $\mathcal{usk}':=\{j_i,\mathsf{1abe}.\mathcal{usk}'_i\}_{i\in[v]}$.
• Compute $d_i\leftarrow\mathsf{1ABE}.\mathcal{Vrfy}(\mathsf{1abe.vk}_i,\mathsf{1abe}.\mathcal{usk}'_i)$ for $i\in[v]$.
• If $d_i=\top$ for all $i\in[v]$, output $\top$. Otherwise, output $\bot$.
It is straightforward to see that the decryption correctness and the verification correctness of the above scheme follow from those of $\mathsf{1ABE}$.
Theorem 6.9.
Assuming $\mathsf{1ABE}$ is 1-bounded distinguishing key Ada-IND-KLA (resp., Sel-IND-KLA) secure, $\mathsf{qABE}$ is $q$-bounded distinguishing key Ada-IND-KLA (resp., Sel-IND-KLA) secure if we set the parameters as follows:
• For the adaptive case, we assume that the size of the ciphertext attribute space $|X_\lambda|$ is bounded by $2^{n(\lambda)}$ for some polynomial function $n(\lambda)$. We then set $v=2(\lambda+n)$ and $w=q^2$.
Proof.
Here, we first focus on the proof for the case of $q$-bounded distinguishing key Ada-IND-KLA and later mention the differences for the case of $q$-bounded distinguishing key Sel-IND-KLA.
We define a sequence of hybrid games.
$\mathsf{Hyb}_0$:
This is the same as $\mathsf{Exp}^{\mathsf{ada}\text{-}\mathsf{ind}\text{-}\mathsf{kla}}_{\mathsf{qABE},\mathcal{A},q}(1^\lambda,0)$. More specifically, it is as follows.
1. The challenger generates $(\mathsf{1abe.pk}_{i,j},\mathsf{1abe.msk}_{i,j})\leftarrow\mathsf{1ABE.Setup}(1^\lambda)$ for $i\in[v]$ and $j\in[w]$ and sends $\mathsf{pk}:=\{\mathsf{1abe.pk}_{i,j}\}_{i,j}$ to the adversary $\mathcal{A}$. The challenger then initializes the list $L_{\mathcal{KG}}$ to be an empty set. $\mathcal{A}$ can access the following oracles.
$O_{\mathcal{KG}}(y^{(k)})$: Given the $k$-th query $y^{(k)}$ with $k\in[Q]$, if there is an entry of the form $(y^{(k)},\mathsf{vk},V)$, it outputs $\bot$. Otherwise, it chooses $j_i^{(k)}\leftarrow[w]$ for $i\in[v]$ and runs $(\mathsf{1abe.vk}_i^{(k)},\mathsf{1abe}.\mathcal{usk}_i^{(k)})\leftarrow\mathsf{1ABE}.\mathcal{KG}(\mathsf{1abe.msk}_{i,j_i^{(k)}},y^{(k)})$ for $i\in[v]$. It then returns $\mathcal{usk}^{(k)}:=\{j_i^{(k)},\mathsf{1abe}.\mathcal{usk}_i^{(k)}\}_{i\in[v]}$ and $\mathsf{vk}^{(k)}:=\{\mathsf{1abe.vk}_i^{(k)}\}_{i\in[v]}$ to $\mathcal{A}$ and adds $(y^{(k)},\mathsf{vk}^{(k)},\bot)$ to $L_{\mathcal{KG}}$.
$O_{\mathcal{Vrfy}}(y,\mathcal{usk}')$: Given $(y,\mathcal{usk}')$, it finds an entry $(y,\mathsf{vk},V)$ in $L_{\mathcal{KG}}$ and parses $\mathcal{usk}'=\{j_i,\mathcal{usk}'_i\}_i$. (If there is no such entry, it returns $\bot$.) It then computes $d_i:=\mathsf{1ABE}.\mathcal{Vrfy}(\mathsf{1abe.vk}_i,\mathcal{usk}'_i)$ for $i\in[v]$ and checks whether $d_i=\top$ for all $i\in[v]$. If so, it returns $d:=\top$ to $\mathcal{A}$. Otherwise, it returns $d:=\bot$ to $\mathcal{A}$. It finally updates the entry to $(y,\mathsf{vk},d)$ if $V=\bot$.
2. When $\mathcal{A}$ sends $(x^*,m_0,m_1)$ to the challenger, the challenger computes the set $K_{x^*}:=\{k\in[Q_1]:R(x^*,y^{(k)})=1\}$, where $Q_1\le Q$ is the number of key queries made by $\mathcal{A}$ so far. If $V=\top$ for all entries of the form $(y^{(k)},\mathsf{vk},V)$ in $L_{\mathcal{KG}}$ with $k\in K_{x^*}$ and $|K_{x^*}|\le q$, the challenger chooses $\mu_1,\ldots,\mu_{v-1}\leftarrow\{0,1\}^\ell$, sets $\mu_v:=(\bigoplus_{i\in[v-1]}\mu_i)\oplus m_0$, and computes $\mathsf{1abe.ct}_{i,j}\leftarrow\mathsf{1ABE.Enc}(\mathsf{1abe.pk}_{i,j},x^*,\mu_i)$ for $i\in[v]$ and $j\in[w]$. It then sends $\mathsf{ct}^*:=\{\mathsf{1abe.ct}_{i,j}\}_{i,j}$ to $\mathcal{A}$. Otherwise (i.e., if $|K_{x^*}|>q$, or if there is an entry of the form $(y^{(k)},\mathsf{vk},\bot)$ for some $k\in K_{x^*}$), it aborts the game and outputs [math].
3. $\mathcal{A}$ continues to make queries to $O_{\mathcal{KG}}(\cdot)$ and $O_{\mathcal{Vrfy}}(\cdot,\cdot)$. However, $\mathcal{A}$ is not allowed to send a key attribute $y$ such that $R(x^*,y)=1$ to $O_{\mathcal{KG}}$.
4. $\mathcal{A}$ outputs a guess $\mathsf{coin}'$ for $\mathsf{coin}$. The challenger outputs $\mathsf{coin}'$ as the final output of the experiment.
$\mathsf{Hyb}_1$:
This game is the same as $\mathsf{Hyb}_0$ except for the way $\mathsf{ct}^*$ is generated.
In particular, when $\mathcal{A}$ submits $(x^*,m_0,m_1)$, the challenger aborts the game and outputs [math] as the outcome of the game if there is no $i^*$ such that $\{j_{i^*}^{(k)}\}_{k\in K_{x^*}}$ are all distinct.
Otherwise, the challenger continues the game as specified in $\mathsf{Hyb}_0$.
We observe that the game is the same as the previous one unless no such $i^*$ exists.
We bound the probability of this occurring.
Let us first consider the case where $\mathcal{A}$ fixes its target $x^*$ at the beginning of the game (i.e., the selective security setting).
In this case, by a simple probability calculation, we can show that the probability that $i^*$ does not exist is exponentially small in the parameter $v$.
However, in the adaptive case, the adversary can choose $x^*$ adaptively, depending on the values of $\{j_i^{(k)}\}_{i\in[v],k\in[Q]}$, and the proof for the selective case no longer works. To deal with the added flexibility given to the adversary, we use the union bound over all $x\in X$ and then use the above bound for each fixed $x$. This requires the parameter $v$ to grow with $\log|X_\lambda|$ so that the sum of the probabilities is still small enough even after taking the union bound.
Based on the above discussion, we can prove $|\Pr[\mathsf{Hyb}_0=1]-\Pr[\mathsf{Hyb}_1=1]|=\mathsf{negl}(\lambda)$.
We refer to Lemma 6.10 for the details.
$\mathsf{Hyb}_2$:
This game is the same as $\mathsf{Hyb}_1$ except that the challenger chooses a random $\tilde i\leftarrow[v]$ at the beginning of the game. Then, right before the challenger computes $\mathsf{ct}^*$, it checks whether $\tilde i=i^*$, where $i^*$ is the smallest index such that $\{j_{i^*}^{(k)}\}_{k\in K_{x^*}}$ are all distinct. (Note that $i^*$ is not defined until $\mathcal{A}$ chooses $x^*$.)
If so, the challenger continues the game until $\mathcal{A}$ outputs its guess.
Otherwise, it aborts the game and outputs [math] as the outcome of the game.
Since the choice of $\tilde i$ is independent of the view of $\mathcal{A}$ and the outcome of the game is $1$ only when $\tilde i=i^*$, we can easily see that $\Pr[\mathsf{Hyb}_2=1]=\Pr[\mathsf{Hyb}_1=1]/v$.
$\mathsf{Hyb}_3$:
This is the same as $\mathsf{Hyb}_2$ except for how $\mu_1,\ldots,\mu_v$ are generated.
In particular, the challenger first chooses $\mu_1,\ldots,\mu_v\leftarrow\{0,1\}^\ell$ and discards $\mu_{i^*}$.
It then sets $\mu_{i^*}:=(\bigoplus_{i\in[v]\setminus\{i^*\}}\mu_i)\oplus m_0$.
It can easily be seen that the distribution of $\mu_1,\ldots,\mu_v$ is unchanged from the previous game, and thus we have $\Pr[\mathsf{Hyb}_2=1]=\Pr[\mathsf{Hyb}_3=1]$.
$\mathsf{Hyb}_4$:
This is the same as $\mathsf{Hyb}_3$ except that $\mu_{i^*}$ is set as $\mu_{i^*}:=(\bigoplus_{i\in[v]\setminus\{i^*\}}\mu_i)\oplus m_1$.
We claim that this change is not noticed by $\mathcal{A}$ by the security of the underlying $\mathsf{1ABE}$.
To show this, we first observe that the game differs from the previous one only in how $\{\mathsf{1abe.ct}_{i^*,j}\}_{j\in[w]}$ are generated.
We then change each plaintext encrypted in $\{\mathsf{1abe.ct}_{i^*,j}\}_j$ one by one by using the security of the underlying $\mathsf{1ABE}$.
This is possible since, for each $\mathsf{1ABE}$ instance with index $(i^*,j)$, $\mathcal{A}$ is given at most one distinguishing key by the change we introduced in $\mathsf{Hyb}_1$, and thus we can use the security of $\mathsf{1ABE}$ for such instances.
We therefore have $|\Pr[\mathsf{Hyb}_3=1]-\Pr[\mathsf{Hyb}_4=1]|=\mathsf{negl}(\lambda)$.
We refer to Lemma 6.11 for the details.
$\mathsf{Hyb}_5$:
This is the same as $\mathsf{Exp}^{\mathsf{ada}\text{-}\mathsf{ind}\text{-}\mathsf{kla}}_{\mathsf{qABE},\mathcal{A},q}(1^\lambda,1)$.
From the above discussion, we have
[TABLE]
We then observe that $\mathsf{Hyb}_5$ (resp., $\mathsf{Hyb}_4$) is the same as $\mathsf{Hyb}_0$ (resp., $\mathsf{Hyb}_3$) except that $m_1$ is used for the encryption instead of $m_0$. Therefore, we obtain
$|v\cdot\Pr[\mathsf{Hyb}_4=1]-\Pr[\mathsf{Hyb}_5=1]|\le\mathsf{negl}(\lambda)$
analogously to Eq. (105) by considering a similar sequence of games with $m_0$ replaced by $m_1$, in reverse order.
We therefore have
Lemma 6.10.
$|\Pr[\mathsf{Hyb}_0=1]-\Pr[\mathsf{Hyb}_1=1]|=\mathsf{negl}(\lambda)$ holds in both the selective and the adaptive settings.
Proof.
We first show the statement for the selective case.
The proof for this case is the same as that of [ISV+17, Lemma 1], but we provide it here for completeness.
In the selective case, the probability that $\{j_i^{(k)}\}_{k\in K_{x^*}}$ are not all distinct for some fixed $i$ is
[TABLE]
Therefore, the probability that there is no $i^*$ satisfying the requirement is at most
[TABLE]
which is negligible when $v=\lambda$ and $w=q^2$, since
[TABLE]
We then consider the adaptive case.
We have
[TABLE]
where the probabilities are taken over all randomness used in the game.
In the above, the third line follows from the same analysis as in the selective case, and the fourth and fifth lines follow from our parameter setting.
∎
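The XOR sharing of the qABE construction in Section 6.3 and the slot-distinctness argument of Lemma 6.10 can be exercised together in the following added example (it is not the paper's code). The underlying $\mathsf{1ABE}$ instances are modelled as a plain table indexed by $(i,j)$, so only the combiner and the probability calculation are real; the collision probability is computed exactly as a birthday product, an assumption made here rather than the paper's exact expression, which is not reproduced on the page.

```python
"""Model of the q-bounded combiner (Section 6.3) and Lemma 6.10's slot bound.

Constructed example. 1ABE.Enc/1ABE.KG are abstracted away: a ciphertext is a
table (i, j) -> share, and a user key is the list of slot indices j_i.
"""
import secrets
from fractions import Fraction
from functools import reduce
from typing import Dict, List, Optional, Set, Tuple


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Bit-wise XOR of two equal-length byte strings."""
    assert len(a) == len(b), "shares must have the message length"
    return bytes(x ^ y for x, y in zip(a, b))


def share_message(m: bytes, v: int) -> List[bytes]:
    """Enc step: mu_1..mu_{v-1} uniform, mu_v = (XOR of the others) XOR m.
    Any v-1 shares are uniform, so all v slots must be opened to learn m."""
    shares = [secrets.token_bytes(len(m)) for _ in range(v - 1)]
    shares.append(reduce(xor_bytes, shares, m))
    return shares


def reconstruct(shares: List[bytes]) -> bytes:
    """Dec step: m' = XOR of all v recovered shares."""
    return reduce(xor_bytes, shares)


def encrypt(m: bytes, v: int, w: int) -> Dict[Tuple[int, int], bytes]:
    """Model of {1abe.ct_{i,j}}: slot i carries share mu_i under each of its w
    instances. A real 1ABE instance hides the share from keys with R(x,y)=0;
    the model just stores it."""
    shares = share_message(m, v)
    return {(i, j): shares[i - 1] for i in range(1, v + 1) for j in range(1, w + 1)}


def keygen_indices(v: int, w: int) -> List[int]:
    """KG step: independent uniform j_i <- [w] for every slot i (1-based)."""
    return [secrets.randbelow(w) + 1 for _ in range(v)]


def decrypt(ct: Dict[Tuple[int, int], bytes], indices: List[int]) -> bytes:
    """Dec step: in slot i this key can open only instance (i, j_i)."""
    return reconstruct([ct[(i, j_i)] for i, j_i in enumerate(indices, start=1)])


def good_slot(indices_by_query: Dict[int, List[int]], K: Set[int]) -> Optional[int]:
    """Hyb1 check: smallest i* such that {j_{i*}^{(k)}}_{k in K} are all
    distinct, i.e. every instance in slot i* sees at most one distinguishing
    key; None if no slot qualifies (the game would abort)."""
    v = len(next(iter(indices_by_query.values())))
    for i in range(v):
        picked = [indices_by_query[k][i] for k in K]
        if len(set(picked)) == len(picked):
            return i + 1
    return None


def prob_slot_collides(q: int, w: int) -> Fraction:
    """Exact Pr[q uniform draws from [w] are not all distinct] (birthday event).
    Assumption: the paper's bound is not reproduced on the page; this is the
    exact product 1 - prod_{t<q} (w-t)/w, which is below 1/2 whenever w = q^2."""
    p_distinct = Fraction(1)
    for t in range(q):
        p_distinct *= Fraction(w - t, w)
    return 1 - p_distinct


def prob_no_good_slot(q: int, w: int, v: int) -> Fraction:
    """Selective case of Lemma 6.10: slots are independent, so failure means
    every one of the v slots collides; with w = q^2 this is at most 2^-v."""
    return prob_slot_collides(q, w) ** v


def adaptive_failure_bound(q: int, w: int, v: int, n: int) -> Fraction:
    """Adaptive case: x* may depend on all indices, so union-bound over the at
    most 2^n ciphertext attributes; v = 2(lambda + n) keeps this negligible."""
    return Fraction(2) ** n * prob_no_good_slot(q, w, v)


if __name__ == "__main__":
    v, w, q = 8, 9, 3  # constructed toy parameters with w = q^2
    ct = encrypt(b"lease me", v, w)
    assert decrypt(ct, keygen_indices(v, w)) == b"lease me"
    print("Pr[no good slot], selective:", float(prob_no_good_slot(q, w, v)))
    print("union bound, adaptive, n=4:", float(adaptive_failure_bound(q, w, v, 4)))
```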
Lemma 6.11.
If $\mathsf{1ABE}$ is 1-bounded distinguishing key Ada-IND-KLA secure, then $|\Pr[\mathsf{Hyb}_3=1]-\Pr[\mathsf{Hyb}_4=1]|=\mathsf{negl}(\lambda)$.
Proof.
This can be reduced to the 1-bounded distinguishing key Ada-IND-KLA security of $\mathsf{1ABE}$ by a standard hybrid argument, where we modify the plaintext encrypted in $\mathsf{1abe.ct}_{i^*,j}$ for each $j\in[w]$ one by one.
More precisely, the reduction works as follows.
We define additional hybrids $\mathsf{Hyb}_{3.\tau}$ for $\tau\in[w]$ as follows.
In the following, let $\xi_b:=(\bigoplus_{i\in[v]\setminus\{i^*\}}\mu_i)\oplus m_b$ for $b\in\{0,1\}$.
$\mathsf{Hyb}_{3.\tau}$:
This is identical to $\mathsf{Hyb}_3$ except that $\mathsf{1abe.ct}_{i^*,j}$ is generated as
[TABLE]
for $j\in[\lambda]$.
Clearly, we have $\mathsf{Hyb}_3=\mathsf{Hyb}_{3.1}$ and $\mathsf{Hyb}_4=\mathsf{Hyb}_{3.w+1}$. Thus, it suffices to prove that
$|\Pr[\mathsf{Hyb}_{3.\tau+1}=1]-\Pr[\mathsf{Hyb}_{3.\tau}=1]|=\mathsf{negl}(\lambda)$
for all $\tau\in[w]$.
Note that the only difference between $\mathsf{Hyb}_{3.\tau+1}$ and $\mathsf{Hyb}_{3.\tau}$ is the way of generating $\mathsf{1abe.ct}_{i^*,\tau}$.
To show that $|\Pr[\mathsf{Hyb}_{3.\tau+1}=1]-\Pr[\mathsf{Hyb}_{3.\tau}=1]|=\mathsf{negl}(\lambda)$, we construct $\mathcal{B}$ against the security of $\mathsf{1ABE}$ as follows.
$\mathcal{B}(\mathsf{1abe.pk})$:
It works as follows.
1. It first chooses a random $\tilde i\leftarrow[v]$.
2. $\mathcal{B}$ generates $(\mathsf{1abe.pk}_{i,j},\mathsf{1abe.msk}_{i,j})\leftarrow\mathsf{1ABE.Setup}(1^\lambda)$ for $(i,j)\in([v]\times[w])\setminus\{(\tilde i,\tau)\}$. It then sets $\mathsf{1abe.pk}_{\tilde i,\tau}:=\mathsf{1abe.pk}$ and sends $\mathsf{pk}:=\{\mathsf{1abe.pk}_{i,j}\}_{i,j}$ to the adversary $\mathcal{A}$. It then initializes the list $L_{\mathcal{KG}}$ to be an empty set. $\mathcal{B}$ then simulates the following oracles for $\mathcal{A}$.
$O_{\mathcal{KG}}(y^{(k)})$: Given the $k$-th query $y^{(k)}$ with $k\in[Q]$ from $\mathcal{A}$, $\mathcal{B}$ returns $\bot$ to $\mathcal{A}$ if there is an entry of the form $(y^{(k)},\mathsf{vk},V)$. Otherwise, it chooses $j_i^{(k)}\leftarrow[w]$ for $i\in[v]$ and runs $(\mathsf{1abe.vk}_i^{(k)},\mathsf{1abe}.\mathcal{usk}_i^{(k)})\leftarrow\mathsf{1ABE}.\mathcal{KG}(\mathsf{1abe.msk}_{i,j_i^{(k)}},y^{(k)})$ for $i\in[v]\setminus\{\tilde i\}$.
If $j_{\tilde i}^{(k)}=\tau$, it sends $y^{(k)}$ to its key generation oracle and is given
[TABLE]
Then, it sets $\mathsf{1abe}.\mathcal{usk}_{\tilde i}^{(k)}:=\mathsf{1abe}.\mathcal{usk}$.
Otherwise (i.e., if $j_{\tilde i}^{(k)}\neq\tau$), it runs $(\mathsf{1abe.vk}_{\tilde i}^{(k)},\mathsf{1abe}.\mathcal{usk}_{\tilde i}^{(k)})\leftarrow\mathsf{1ABE}.\mathcal{KG}(\mathsf{1abe.msk}_{\tilde i,j_{\tilde i}^{(k)}},y^{(k)})$ by itself.
Finally, $\mathcal{B}$ returns $\mathcal{usk}^{(k)}:=\{j_i^{(k)},\mathsf{1abe}.\mathcal{usk}_i^{(k)}\}_{i\in[v]}$ to $\mathcal{A}$ and adds $(y^{(k)},\mathsf{vk}^{(k)},\bot)$ to $L_{\mathcal{KG}}$, where $\mathsf{vk}^{(k)}:=\{\mathsf{1abe.vk}_i^{(k)}\}_{i\in[v]}$.
$O_{\mathcal{Vrfy}}(y,\mathcal{usk}')$: Given $(y,\mathcal{usk}')$, it finds an entry $(y,\mathsf{vk},V)$ in $L_{\mathcal{KG}}$ and parses $\mathcal{usk}'=\{j_i,\mathcal{usk}'_i\}_i$. (If there is no such entry, it returns $\bot$.) It then computes $d_i:=\mathsf{1ABE}.\mathcal{Vrfy}(\mathsf{1abe.vk}_i,\mathcal{usk}'_i)$ for $i\in[v]\setminus\{\tilde i\}$.
If $j_{\tilde i}=\tau$, $\mathcal{B}$ makes a query to its own verification oracle to obtain
[TABLE]
Otherwise, $\mathcal{B}$ runs $d_{\tilde i}:=\mathsf{1ABE}.\mathcal{Vrfy}(\mathsf{1abe.vk}_{\tilde i,\tau},\mathcal{usk}'_{\tilde i})$ by itself.
Finally, it checks whether $d_i=\top$ for all $i\in[v]$. If so, it returns $d:=\top$ to $\mathcal{A}$. Otherwise, it returns $d:=\bot$ to $\mathcal{A}$. It finally updates the entry to $(y,\mathsf{vk},d)$ if $V=\bot$.
3. When $\mathcal{A}$ sends $(x^*,m_0,m_1)$ to the challenger, $\mathcal{B}$ aborts and outputs [math] if either $|K_{x^*}|>q$ or there is an entry of the form $(y^{(k)},\mathsf{vk},\bot)$ for some $k\in K_{x^*}$.
It also aborts and outputs [math] if $i^*\neq\tilde i$, which includes the case that there is no $i^*$ satisfying the properties we defined in $\mathsf{Hyb}_1$.
Otherwise, it chooses $\mu_1,\ldots,\mu_v\leftarrow\{0,1\}^\ell$ and sets
$\xi_0:=(\bigoplus_{i\in[v]\setminus\{i^*\}}\mu_i)\oplus m_0$ and $\xi_1:=(\bigoplus_{i\in[v]\setminus\{i^*\}}\mu_i)\oplus m_1$.
It then computes $\mathsf{1abe.ct}_{i,j}\leftarrow\mathsf{1ABE.Enc}(\mathsf{1abe.pk}_{i,j},x^*,\mu_i)$ for $i\in[v]\setminus\{i^*\}$ and $j\in[w]$, and $\mathsf{1abe.ct}_{i^*,j}$ for $j\in[w]\setminus\{\tau\}$ as in Equation 106.
It then submits $(\xi_0,\xi_1)$ to its challenger.
Then,
[TABLE]
is run and $\mathsf{1abe.ct}$ is returned to $\mathcal{B}$, where $\mathsf{coin}$ is the random bit chosen by $\mathcal{B}$'s challenger.
Finally, $\mathcal{B}$ sets $\mathsf{1abe.ct}_{i^*,\tau}:=\mathsf{1abe.ct}$ and sends $\mathsf{ct}^*:=\{\mathsf{1abe.ct}_{i,j}\}_{i,j}$ to $\mathcal{A}$.
4. $\mathcal{A}$ continues to make queries to $O_{\mathcal{KG}}(\cdot)$ and $O_{\mathcal{Vrfy}}(\cdot,\cdot)$. However, $\mathcal{A}$ is not allowed to send a key attribute $y$ such that $R(x^*,y)=1$ to $O_{\mathcal{KG}}$.
5. $\mathcal{A}$ outputs a guess $\mathsf{coin}'$ for $\mathsf{coin}$. $\mathcal{B}$ outputs $\mathsf{coin}'$ as its own guess.
We first argue that $\mathcal{B}$ does not make more than two distinguishing key queries.
This is because $\mathcal{B}$ aborts and outputs [math] before it makes a challenge query if there is no $i^*$ with the required conditions.
For such $i^*$, we have that $\{j_{i^*}^{(k)}\}_{k\in K_{x^*}}$ are all distinct, and thus in particular $\mathcal{B}$ needs to simulate only a single distinguishing key for the $(i^*,\tau)$-th instance, into which the reduction algorithm embeds the $\mathsf{1ABE}$ instance.
We then have
[TABLE]
where the probabilities are taken over the randomness used in the respective games. Thus, $|\Pr[\mathsf{Hyb}_3=1]-\Pr[\mathsf{Hyb}_4=1]|=\mathsf{negl}(\lambda)$ by the adaptive security of $\mathsf{1ABE}$.
This completes the proof of Lemma 6.11.
∎
This completes the proof of Theorem 6.9 for the case of adaptive security.
The proof for selective security.
The proof for selective security can be obtained immediately by considering the same sequence of games as in the adaptive security case, with natural adaptations.
There are two main differences.
First, the proof of Lemma 6.10 requires different parameters for the selective and adaptive cases. We refer to the proof of the lemma for the details.
Second, we modify the reduction algorithm in Lemma 6.11 so that it outputs $x^*$ to its own challenger at the beginning of the game, right after it is given $x^*$ by $\mathcal{A}$.
∎
6.4 Instantiations
Here, we explain new schemes that can be obtained by applying the conversions that we showed in Sections 6.2 and 6.3 to existing IBE/ABE schemes.
Our constructions are fully generic and can upgrade almost all ABE schemes222222
Our conversion in Section 6.3 for the adaptive security case poses the restriction that the size of the cipheretxt attribute space of the ABE should be bounded by 2poly(λ) for some polynomial poly(λ).
This means that we cannot apply the conversion for adaptively secure ABE for DFA for example,
since the ciphertext attribute is of unbounded length and there is no such bound for the size of the ciphertext attribute space.
However, we do not know any concrete ABE scheme from standard assumptions for which we cannot apply our conversion.
into the one with the security against key leasing attacks with the help of IND-KLA secure PKE-SKL scheme, which can be instantiated from any (post quantum) PKE.
Here, we mention some instantiations, all of which are obtained from the standard LWE assumption.
•
If we start from selectively secure ABE scheme for circuits [GVW13, BGG*+*14] and apply the conversions in Sections 6.2 and 6.3,
we obtain an ABE-SKL scheme for circuits with q-bounded distinguishing key Sel-IND-KLA security for any q=poly(λ).
•
If we start from adaptively secure ABE for inner products over the integers [KNYY20] and apply the conversions in Sections 6.2 and 6.3, we obtain an ABE-SKL scheme for the same predicate with q-bounded distinguishing key Ada-IND-KLA security for any q=poly(λ).
We note that the conversion in Section 6.3 for the adaptive security case can be applied to this scheme, since the size of the ciphertext attribute space is bounded by 2^poly(λ) for this primitive.
Similar implications can be obtained for adaptively secure ABE for t-CNF formulae with t=O(1) [Tsa19] and fuzzy IBE for a small universe [KNYY20].
•
If we start from an adaptively (resp., selectively) secure IBE [ABB10, CHKP10] and apply the conversion in Section 6.2, we obtain an IBE-SKL scheme with 1-bounded distinguishing key Ada-IND-KLA (resp., Sel-IND-KLA) security.
We note that 1-bounded distinguishing key security for the case of IBE is a more natural security notion than that for the case of ABE with other relations since there is only one attribute that is eligible for decrypting a ciphertext in the case of IBE (i.e., the identity that is associated with the ciphertext), whereas there can be exponentially many such attributes in general.
7 Public-Key Functional Encryption with Secure Key Leasing
7.1 Definitions
Definition 7.1 (PKFE with Secure Key Leasing).
A PKFE-SKL scheme PKFE-SKL is a tuple of five algorithms (Setup,KG,Enc,Dec,Vrfy), where KG, Dec, and Vrfy are quantum algorithms and the functional decryption key is a quantum state.
Below, let X, Y, and F be the plaintext, output, and function spaces of PKFE-SKL, respectively.
Setup(1λ)→(pk,msk):
The setup algorithm takes a security parameter 1λ, and outputs a public key pk and master secret key msk.
\mathpzcKG(msk,f)→(\mathpzcfsk,vk):
The key generation algorithm takes a master secret key msk and a function f∈F, and outputs a functional decryption key \mathpzcfsk and a verification key vk.
Enc(pk,x)→ct:
The encryption algorithm takes a public key pk and a plaintext x∈X, and outputs a ciphertext ct.
Dec(fsk,ct)→ỹ:
The decryption algorithm takes a functional decryption key fsk and a ciphertext ct, and outputs a value ỹ.
\mathpzcVrfy(vk,\mathpzcfsk′)→⊤/⊥:
The verification algorithm takes a verification key vk and a quantum state \mathpzcfsk′, and outputs ⊤ or ⊥.
Decryption correctness:
For every x∈X and f∈F, we have
[TABLE]
Verification correctness:
For every f∈F, we have
[TABLE]
Remark 7.2.
Although Kitagawa and Nishimaki [KN22a] require SKFE-SKL to have a classical certificate generation algorithm for deletion, we do not require one since it is optional.
If there exists a PKE-SKL scheme that has a classical certificate generation algorithm, our PKFE-SKL scheme in Section 7.2 also has a classical certificate generation algorithm.
Definition 7.3 (Adaptive Indistinguishability against Key Leasing Attacks).
We say that a PKFE-SKL scheme PKFE-SKL for X, Y, and F is adaptively indistinguishable against key leasing attacks (Ada-IND-KLA) if it satisfies the following requirement, formalized via the experiment Exp^{ada-ind-kla}_{A,PKFE-SKL}(1^λ,coin) between an adversary A and a challenger:
1.
At the beginning, the challenger runs (pk,msk)←Setup(1^λ) and sends pk to A.
Throughout the experiment, A can access the following oracles.
O_KG(f):
Given f, it finds an entry (f,vk,V) in L_KG. If there is such an entry, it returns ⊥. Otherwise, it generates (fsk,vk)←KG(msk,f), sends fsk to A, and adds (f,vk,⊥) to L_KG.
O_Vrfy(f,fsk′):
Given (f,fsk′), it finds an entry (f,vk,V) in L_KG. (If there is no such entry, it returns ⊥.) It computes d←Vrfy(vk,fsk′) and sends d to A. If V=⊤, it does not update L_KG. Else if V=⊥, it updates the entry by setting V:=d.
2.
When A sends (x0∗,x1∗) to the challenger, the challenger checks that for every entry (f,vk,V) in L_KG such that f(x0∗)≠f(x1∗), it holds that V=⊤. If so, the challenger generates ct∗←Enc(pk,x_coin∗) and sends ct∗ to A. Otherwise, the challenger outputs 0. Hereafter, A is not allowed to send a function f such that f(x0∗)≠f(x1∗) to O_KG.
3.
A outputs a guess coin′ for coin. The challenger outputs coin′ as the final output of the experiment.
For any QPT \mathpzcA, it holds that
[TABLE]
Remark 7.4.
Definition 7.3 assumes that the adversary does not obtain more than one decryption key for the same f, for simplicity, as in Remark 6.3.
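As an added illustration (not code from the paper), the following Python models the classical bookkeeping of the experiment in Definition 7.3: the list L_KG, the two oracles, the check at challenge time that every key for a distinguishing function has been certified as returned, and the post-challenge restriction on key queries. ToyScheme, the sample functions f_parity, f_first, f_sum and the inputs X0, X1 are constructed stand-ins for the example; the scheme is classical and provides no security, so it only exercises the challenger's logic.

```python
"""Classical bookkeeping of the Ada-IND-KLA experiment (Definition 7.3).

Added illustration, not code from the paper.  ToyScheme is a constructed
stand-in with the PKFE-SKL syntax: a leased key is a random token, the
verification key is its hash, and Vrfy accepts a returned key iff the
token matches.  It has no security (a classical token can be copied); it
only lets the challenger's list L_KG, its oracles, the admissibility
check at challenge time and the post-challenge restriction be exercised.
"""
import hashlib
import secrets
from typing import Callable, Dict, List, Optional, Tuple

Func = Callable[[Tuple[int, ...]], int]


class ToyScheme:
    """Constructed stand-in for (Setup, KG, Enc, Vrfy); not a secure scheme."""

    def setup(self) -> Tuple[bytes, bytes]:
        return b"pk", secrets.token_bytes(16)

    def kg(self, msk: bytes, f: Func):
        token = secrets.token_bytes(16)            # the "leased" key fsk
        vk = hashlib.sha256(token).digest()        # lets Vrfy recognise it
        return (token, f), vk

    def enc(self, pk: bytes, x: Tuple[int, ...]) -> bytes:
        return secrets.token_bytes(16)             # opaque placeholder ciphertext

    def vrfy(self, vk: bytes, fsk_prime) -> bool:
        token, _ = fsk_prime
        return hashlib.sha256(token).digest() == vk


class KLAChallenger:
    """Challenger of Exp^{ada-ind-kla}(1^λ, coin) for the syntax above."""

    def __init__(self, scheme: ToyScheme, coin: int):
        self.scheme, self.coin = scheme, coin
        self.pk, self.msk = scheme.setup()
        self.L: Dict[Func, List] = {}             # f -> [vk, V]; V False=⊥, True=⊤
        self.challenge_pair: Optional[Tuple[tuple, tuple]] = None
        self.aborted = False

    def o_kg(self, f: Func):
        """O_KG(f): one key per f; after the challenge, no distinguishing f."""
        if f in self.L:
            return None                           # ⊥: key for f already issued
        if self.challenge_pair is not None:
            x0, x1 = self.challenge_pair
            if f(x0) != f(x1):
                return None                       # forbidden post-challenge query
        fsk, vk = self.scheme.kg(self.msk, f)
        self.L[f] = [vk, False]
        return fsk

    def o_vrfy(self, f: Func, fsk_prime):
        """O_Vrfy(f, fsk'): V is set once from ⊥ to the verdict; ⊤ is never downgraded."""
        if f not in self.L:
            return None
        vk, V = self.L[f]
        d = self.scheme.vrfy(vk, fsk_prime)
        if not V:
            self.L[f][1] = d
        return d

    def challenge(self, x0, x1):
        """Encrypt x_coin only if every distinguishing key is certified as returned."""
        for f, (_, V) in self.L.items():
            if f(x0) != f(x1) and not V:
                self.aborted = True               # experiment outputs 0
                return None
        self.challenge_pair = (x0, x1)
        return self.scheme.enc(self.pk, x0 if self.coin == 0 else x1)

    def finish(self, guess: int) -> int:
        """Final output of the experiment."""
        return 0 if self.aborted else guess


# Sample functions on bit tuples (constructed for the demonstration).
def f_parity(x): return sum(x) % 2
def f_first(x): return x[0]
def f_sum(x): return sum(x)

X0, X1 = (1, 0), (1, 1)    # f_parity and f_sum distinguish X0 from X1; f_first does not


def honest_run(coin: int) -> int:
    """A returns the distinguishing key before the challenge; the game proceeds."""
    ch = KLAChallenger(ToyScheme(), coin)
    key = ch.o_kg(f_parity)
    assert ch.o_vrfy(f_parity, key) is True
    assert ch.challenge(X0, X1) is not None
    assert ch.o_kg(f_first) is not None           # still allowed after the challenge
    assert ch.o_kg(f_sum) is None                 # refused after the challenge
    return ch.finish(coin)


def keep_key_run(coin: int) -> int:
    """A keeps a distinguishing key; the challenge is refused and the output is 0."""
    ch = KLAChallenger(ToyScheme(), coin)
    ch.o_kg(f_parity)
    assert ch.challenge(X0, X1) is None
    return ch.finish(1)


if __name__ == "__main__":
    print("honest run:", honest_run(1), " kept key:", keep_key_run(1))
```

Two points the model makes explicit: V moves at most once from ⊥ to a verdict and is never reset by a later failing verification query, and the challenge is refused (the experiment outputs 0) exactly when some key for an f with f(x0∗)≠f(x1∗) has not been certified. Real PKFE-SKL keys are quantum states, which is what stops an adversary from both returning a key that passes Vrfy and keeping a working copy; a classical token cannot model that part.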
7.2 Constructions
We describe our PKFE-SKL scheme in this section.
We construct a PKFE-SKL scheme PKFE-SKL=(Setup,KG,Enc,Dec,Vrfy) by using the following building blocks.
•
Adaptively secure PKFE PKFE=FE.(Setup,KG,Enc,Dec).
•
IND-KLA secure PKE-SKL SKL=SKL.(KG,Enc,Dec,Vrfy).
•
Adaptively single-ciphertext function private SKFE SKFE=SKFE.(Setup,KG,Enc,Dec).
•
Pseudorandom-secure SKE SKE=SKE.(Enc,Dec).
•
Puncturable PRF PRF=(PRF.Gen,F,Puncture).
We set ℓpad:=|skfe.ct|−|x| and ℓske:=|ske.ct|, where |x| is the input length of PKFE-SKL, |skfe.ct| is the ciphertext length of SKFE, and |ske.ct| is the ciphertext length of SKE.
Setup(1^λ):
•
Generate (fe.pk,fe.msk)←FE.Setup(1^λ).
•
Output pk:=fe.pk and msk:=fe.msk.
KG(msk,f):
•
Parse msk=fe.msk.
•
Generate (skl.ek,skl.sk,skl.vk)←SKL.KG(1^λ).
•
Choose ske.ct←{0,1}^ℓske.
•
Generate fe.skW←FE.KG(fe.msk,W[f,skl.ek,ske.ct]), where W[f,skl.ek,ske.ct] is described in Figure 1.
•
Output fsk:=(fe.skW,skl.sk) and vk:=skl.vk.
Enc(pk,x):
•
Choose K←PRF.Gen(1λ).
•
Compute fe.ct←FE.Enc(fe.pk,(x∥0ℓpad,⊥,K)).
•
Output ct:=fe.ct.
\mathpzcDec(\mathpzcfsk,ct):
•
Parse \mathpzcfsk=(fe.sk,skl.\mathpzcsk) and ct=fe.ct.
•
Compute skl.ct←FE.Dec(fe.sk,fe.ct).
•
Compute and output y←SKL.\mathpzcDec(skl.\mathpzcsk,skl.ct).
\mathpzcVrfy(vk,\mathpzcfsk′):
•
Parse vk=skl.vk and \mathpzcfsk′=(fe.sk′,skl.\mathpzcsk′).
•
Compute and output SKL.\mathpzcVrfy(skl.vk,skl.\mathpzcsk′).
Correctness.
The decryption correctness of PKFE-SKL follows from the correctness of FE and the decryption correctness of SKL.
The verification correctness of PKFE-SKL follows from the verification correctness of SKL.
7.3 Security Proofs
We prove the security of PKFE-SKL.
Theorem 7.5.
If PKFE is adaptively secure, SKFE is adaptively single-ciphertext function private, SKL is IND-KLA, PRF is a secure puncturable PRF, and SKE has ciphertext pseudorandomness, then PKFE-SKL above is Ada-IND-KLA.
Theorem 7.6.
If PKFE is q-bounded adaptively secure, SKFE is adaptively single-ciphertext function private, SKL is IND-KLA, PRF is a secure puncturable PRF, and SKE has ciphertext pseudorandomness, then PKFE-SKL above is q-bounded Ada-IND-KLA.
The proof of Theorem 7.6 is almost the same as that of Theorem 7.5. Hence, we focus on the proof of Theorem 7.5.
We can also consider simulation-based security in the q-bounded setting, as Kitagawa and Nishimaki [KN22a] do, and believe that it can be achieved using a similar technique. However, it is out of the scope of this work.
In the proof, we embed an SKFE ciphertext skfe.ct←SKFE.Enc(skfe.msk,(x,⊥,K,0,⊥)) into the challenge ciphertext.
More specifically, we generate fe.ct←PKFE.Enc(fe.pk,(skfe.ct,ske.sk,⊥)) and ske.ct←SKE.Enc(ske.sk,SKFE.KG(skfe.msk,T[f,skl.ek])), where T[f,skl.ek] is described in Figure 2.
By using this embedding, we can use the function privacy of SKFE and can alter both plaintexts and functions in the proof.
Let q be the total number of key queries to O\mathpzcKG. In the collusion-resistant setting, q is an unbounded polynomial. Note that even if q is an unbounded polynomial, we need only poly(λ) bits to describe q as an integer.
We assume that the adversary does not send the same f to O\mathpzcKG more than once without loss of generality.
We define a sequence of hybrid games.
Hyb0:
This is the same as ExpPKFE-SKL,\mathpzcAada\mbox−ind\mbox−kla(1λ,0). More specifically, it is as follows.
1.
The challenger generates (fe.pk,fe.msk)←FE.Setup(1λ) and sends pk:=fe.pk to \mathpzcA.
\mathpzcA can access the following oracles.
O\mathpzcKG(fi):
Given fi, it generates (skl.eki,skl.\mathpzcski,skl.vki)←SKL.\mathpzcKG(1λ), ske.cti←{0,1}ℓske, and fe.skW,i←FE.KG(fe.msk,W[fi,skl.eki,ske.cti]), sends \mathpzcfski:=(fe.skW,i,skl.\mathpzcski) to \mathpzcA, and adds (fi,vki,⊥) to L\mathpzcKG.
O\mathpzcVrfy(fi,\mathpzcfski′):
Given (fi,fski′), it finds an entry (fi,vki,Vi) in L_KG and parses fski′=(fe.ski′,skl.ski′). (If there is no such entry, it returns ⊥.) It returns d:=SKL.Vrfy(skl.vki,skl.ski′). If Vi=⊤, it does not update the entry. Otherwise, it updates the entry by setting Vi:=d.
2.
When A sends (x0∗,x1∗) to the challenger, the challenger checks that for every entry (f,vk,V) in L_KG such that f(x0∗)≠f(x1∗), it holds that V=⊤. If so, the challenger generates K←PRF.Gen(1^λ) and fe.ct∗←FE.Enc(fe.pk,(x_coin∗∥0^ℓpad,⊥,K)) and sends ct∗:=fe.ct∗ to A. Otherwise, the challenger outputs 0. Hereafter, A is not allowed to send a function f such that f(x0∗)≠f(x1∗) to O_KG.
3.
A outputs a guess coin′ for coin. The challenger outputs coin′ as the final output of the experiment.
Hyb1:
This is the same as Hyb0 except that for all i∈[q], we generate ske.cti←SKE.Enc(ske.sk,skfe.ski), where skfe.ski←SKFE.KG(skfe.msk,T[fi,skl.eki]), (skl.eki,skl.ski,skl.vki)←SKL.KG(1^λ), ske.sk←{0,1}^λ, and skfe.msk←SKFE.Setup(1^λ). Note that the SKE secret key ske.sk never appears in the view of A. Hence, we obtain |Pr[Hyb0=1]−Pr[Hyb1=1]|=negl(λ) by the ciphertext pseudorandomness of SKE.
Hyb2:
This is the same as Hyb1 except that we generate fe.ct∗←FE.Enc(fe.pk,(skfe.ct∗,ske.sk,⊥)), where skfe.ct∗←SKFE.Enc(skfe.msk,(x0∗,⊥,K,0,⊥)). By the definition of W described in Figure 1, if we decrypt fe.ct∗ with fe.skW,i, we obtain
•
SKL.Enc(skl.eki,fi(x0∗);F_K(skl.eki)) in Hyb1, since the plaintext in fe.ct∗ is (x0∗∥0^ℓpad,⊥,K),
•
zi=SKFE.Dec(skfe.ski,skfe.ct∗) in Hyb2, since ske.cti is a ciphertext of skfe.ski and the plaintext in fe.ct∗ is (skfe.ct∗,ske.sk,⊥), where skfe.ct∗=SKFE.Enc(skfe.msk,(x0∗,⊥,K,0,⊥)). By the correctness of SKFE and the definition of T[fi,skl.eki], zi=SKL.Enc(skl.eki,fi(x0∗);F_K(skl.eki)).
That is, for all i∈[q], it holds that W[fi,skl.eki,ske.cti](x0∗∥0^ℓpad,⊥,K)=W[fi,skl.eki,ske.cti](skfe.ct∗,ske.sk,⊥). Hence, we can use the security of PKFE and obtain |Pr[Hyb1=1]−Pr[Hyb2=1]|=negl(λ). See Lemma C.1 for the details.
After this game, we can focus on SKFE.
Hyb3:
This is the same as Hyb2 except that we generate skfe.ct∗←SKFE.Enc(skfe.msk,(x0∗,x1∗,K,0,⊥)) and skfe.ski←SKFE.KG(skfe.msk,Thyb[fi,skl.eki,i]), where Thyb[fi,skl.eki,i] is described in Figure 3. Since the index 0 in skfe.ct∗ is smaller than every i∈[q], it holds that Thyb[fi,skl.eki,i](x0∗,x1∗,K,0,⊥)=T[fi,skl.eki](x0∗,⊥,K,0,⊥) for all i∈[q].
Hence, by the adaptively single-ciphertext function privacy of SKFE, we obtain |Pr[Hyb2=1]−Pr[Hyb3=1]|=negl(λ). See Lemma C.2 for the details.
Hyb_3^j:
This is the same as Hyb3 except that we generate skfe.ct∗←SKFE.Enc(skfe.msk,(x0∗,x1∗,K,j,⊥)). Clearly, Hyb_3^0 is the same as Hyb3. We show that |Pr[Hyb_3^{j−1}=1]−Pr[Hyb_3^j=1]|=negl(λ) for j∈[q] in Lemma 7.7.
Hyb4:
This is the same as Hyb_3^q except that we generate skfe.ski←SKFE.KG(skfe.msk,T[fi,skl.eki]) and skfe.ct∗←SKFE.Enc(skfe.msk,(x1∗,⊥,K,0,⊥)).
Recall that in Hyb_3^q, we use skfe.ski←SKFE.KG(skfe.msk,Thyb[fi,skl.eki,i]) and skfe.ct∗←SKFE.Enc(skfe.msk,(x0∗,x1∗,K,q,⊥)). By the definitions of Thyb and T, it holds that for all i∈[q],
[TABLE]
Hence, we can use the adaptively single-ciphertext function privacy of SKFE and obtain |Pr[Hyb_3^q=1]−Pr[Hyb4=1]|=negl(λ). See Lemma C.3 for the details.
Now the challenge ciphertext uses x1∗ instead of x0∗, and x0∗ has been erased from it. Hence, we focus on PKFE again and undo the changes from Hyb1 to Hyb2 and from Hyb0 to Hyb1.
Hyb5:
This is the same as Hyb4 except that we generate fe.ct∗←FE.Enc(fe.pk,(x1∗∥0^ℓpad,⊥,K)). This is the reverse of the transition from Hyb1 to Hyb2, so we obtain |Pr[Hyb4=1]−Pr[Hyb5=1]|=negl(λ) by the security of PKFE, as in the proof of Lemma C.1.
Hyb6:
This is the same as Hyb5 except that we generate ske.cti←{0,1}^ℓske. As in the transition from Hyb0 to Hyb1, we obtain |Pr[Hyb5=1]−Pr[Hyb6=1]|=negl(λ) by the ciphertext pseudorandomness of SKE.
It is easy to see that Hyb6 is the same as ExpPKFE-SKL,\mathpzcAada\mbox−ind\mbox−kla(1λ,1).
Lemma 7.7.
For all j∈[q], it holds that |Pr[Hyb_3^{j−1}=1]−Pr[Hyb_3^j=1]|=negl(λ) if SKFE is adaptively single-ciphertext function private, SKL is IND-KLA, and PRF is a secure puncturable PRF.
Proof.
We define a sequence of hybrid games.
G0:
This is the same as Hyb_3^{j−1}. That is, skfe.ct∗←SKFE.Enc(skfe.msk,(x0∗,x1∗,K,j−1,⊥)) and skfe.ski←SKFE.KG(skfe.msk,Thyb[fi,skl.eki,i]).
G1:
This is the same as G0 except that we generate skfe.ct∗←SKFE.Enc(skfe.msk,(x0∗,x1∗,K,j,skl.ct∗)), where skl.ct∗←SKL.Enc(skl.ekj,fj(x0∗);FK(skl.ekj)) and skfe.ski←SKFE.KG(skfe.msk,Temb[fi,skl.eki,i]), where Temb[fi,skl.eki,i] is described in Figure 4.
By the definitions of Thyb and Temb, it holds that
[TABLE]
for all i∈[q] since skl.ct∗ is an encryption of fj(x0∗).
Hence, by the adaptively single-ciphertext function privacy of SKFE, we obtain |Pr[G0=1]−Pr[G1=1]|=negl(λ). See Lemma C.4 for the details.
G2:
This is the same as G1 except that we use the punctured PRF key K_{≠skl.ekj}←Puncture(K,skl.ekj) in place of K in skfe.ct∗. By the functionality of punctured PRF keys, it holds that
[TABLE]
for all i∈[q]. Note that Temb directly uses skl.ct∗ instead of computing SKL.Enc(skl.ekj,fj(x0∗);F_K(skl.ekj)), so K_{≠skl.ekj} is sufficient for the functional equivalence. The only difference between the two games is whether the PRF key in skfe.ct∗ is K or K_{≠skl.ekj}. Hence, we can use the adaptively single-ciphertext function privacy of SKFE and obtain |Pr[G1=1]−Pr[G2=1]|=negl(λ). We omit the proof since it is easy.
G3:
This is the same as G2 except that we generate skl.ct∗←SKL.Enc(skl.ekj,fj(x0∗)). That is, we use uniform randomness for generating skl.ct∗. Since the unpunctured key K no longer appears anywhere in the game (only K_{≠skl.ekj} does), the punctured pseudorandomness of PRF gives |Pr[G2=1]−Pr[G3=1]|=negl(λ). We omit the proof since it is easy.
G4:
This is the same as G3 except that we generate skl.ct∗←SKL.Enc(skl.ekj,fj(x1∗)).
We consider two cases.
•
If (fj,vkj,⊥) is recorded in L_KG, that is, a valid fskj has not been returned, it must hold that fj(x0∗)=fj(x1∗) by the requirement of Ada-IND-KLA security. In this case, the distribution of skl.ct∗←SKL.Enc(skl.ekj,fj(x0∗)) is trivially the same as that of skl.ct∗←SKL.Enc(skl.ekj,fj(x1∗)). Hence, we obtain Pr[G3=1]=Pr[G4=1].
•
If (fj,vkj,⊤) is recorded in L_KG, that is, it is certified that the adversary returned a valid fskj, it may hold that fj(x0∗)≠fj(x1∗), which Ada-IND-KLA security permits in this case. Here we use the IND-KLA security of SKL, since skl.skj was returned. We have that skl.ct∗←SKL.Enc(skl.ekj,fj(x0∗)) is computationally indistinguishable from skl.ct∗←SKL.Enc(skl.ekj,fj(x1∗)). Hence, we obtain |Pr[G3=1]−Pr[G4=1]|=negl(λ) in this case. See Lemma C.5 for the details.
Hence, we obtain |Pr[G3=1]−Pr[G4=1]|=negl(λ) in either case.
G5:
This is the same as G4 except that we undo the change in G3. That is, we use F_K(skl.ekj) as the randomness of skl.ct∗. We obtain |Pr[G4=1]−Pr[G5=1]|=negl(λ) by the punctured pseudorandomness of PRF. We omit the proof since it is easy.
G6:
This is the same as G5 except that we undo the change in G2. That is, we use the unpunctured PRF key K. We obtain |Pr[G5=1]−Pr[G6=1]|=negl(λ) by the adaptively single-ciphertext function privacy of SKFE, as in the transition from G1 to G2. So, we omit the proof.
G7:
This is the same as G6 except that we undo the change in G1, but the index is still j. That is, we use skfe.ct∗←SKFE.Enc(skfe.msk,(x0∗,x1∗,K,j,⊥)) and skfe.ski←SKFE.KG(skfe.msk,Thyb[fi,skl.eki,i]). We obtain |Pr[G6=1]−Pr[G7=1]|=negl(λ) by the adaptively single-ciphertext function privacy of SKFE. The proof is similar to that of Lemma C.4. So, we omit the proof.
It is easy to see that G7 is the same as Hyb_3^j. Therefore, we complete the proof.
∎
If there exists a single-key selective-message-function secure²⁴ and weakly compact PKFE for P/poly, there exists Ada-IND-KLA PKFE for P/poly.
²⁴ The adversary must select the target plaintext pair and function at the beginning of the game. This is the same as weakly selective security by Garg and Srinivasan [GS16].
Acknowledgement
We thank Jiayu Zhang for pointing out a technical similarity to [Zha21, Zha22], Prabhanjan Ananth for discussions on the relationship between our work and their concurrent work [APV23], and anonymous reviewers of QIP 2023 and Eurocrypt 2023 for their valuable comments.
This work was supported in part by the DST “Swarnajayanti” fellowship, Cybersecurity Center of Excellence, IIT Madras, National Blockchain Project and the Algorand Centres of Excellence programme managed by Algorand Foundation. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of sponsors.
The fourth author was partially supported by JST AIP Acceleration Research JPMJCR22U5 and JSPS KAKENHI Grant Number 19H01109, Japan.
Appendix A SDE Implies PKE-SKL
In this section, we discuss the relationship between SDE and PKE-SKL.
There are many incomparable security definitions for SDE in the literature.
Coladangelo et al. [CLLZ21] defined two incomparable security definitions called CPA-style anti-piracy and random challenge anti-piracy.²⁵ All constructions of SDE in [CLLZ21] are shown to satisfy both CPA-style anti-piracy and random challenge anti-piracy.
Georgiou and Zhandry [GZ20] defined yet another security definition, which is similar to but slightly different from the CPA-style anti-piracy of [CLLZ21].²⁶ Though we do not see any relationships between the security notions in [GZ20] and [CLLZ21], it seems possible to prove that the construction given in [GZ20] satisfies both CPA-style anti-piracy and random challenge anti-piracy of [CLLZ21], because it is very similar to one of the schemes given in [CLLZ21].²⁷
For proving that the scheme satisfies the security notions of [CLLZ21], we would need to go through the “strong” variants of them, similarly to [CLLZ21].
²⁵ They actually also defined stronger variants of them called strong anti-piracy security and strong anti-piracy against random plaintexts. See [CLLZ21, Definition 6.11 and D.4 in the full version] for the details.
²⁶ We note that [GZ20] appeared before [CLLZ21].
²⁷ Here, we are referring to the construction of SDE based on one-shot signatures and extractable witness encryption in [GZ20, Section 5].
In the following, we show that SDE with random challenge anti-piracy implies IND-KLA secure PKE-SKL. This means that all known constructions of SDE can be used to construct PKE-SKL.
The definitions of SDE and its random challenge anti-piracy are given below.
The syntax of SDE is identical to that of PKE except that the key generation and decryption algorithms are quantum and the decryption key is quantum.
Definition A.1 (Single-Decryptor Encryption).
A single-decryptor encryption (SDE) scheme SDE is a tuple of three algorithms (\mathpzcKG,Enc,\mathpzcDec).
Below, let X be the message space of SDE.
\mathpzcKG(1λ)→(ek,\mathpzcdk):
The key generation algorithm takes a security parameter 1λ, and outputs an encryption key ek and a decryption key \mathpzcdk.
Enc(ek,m)→ct:
The encryption algorithm takes an encryption key ek and a message m∈X, and outputs a ciphertext ct.
Dec(dk,ct)→m̃:
The decryption algorithm takes a decryption key dk and a ciphertext ct, and outputs a value m̃.
Correctness:
For every m∈X, we have
[TABLE]
In the following definition of random challenge anti-piracy, we use the notion of quantum programs with classical inputs and outputs as defined in Definition 4.7.
Definition A.2 (Random Challenge Anti-Piracy).
We say that an SDE scheme SDE with the message space X satisfies random challenge anti-piracy if it satisfies the following requirement, formalized via the experiment Exp^{rand-chal}_{SDE,A}(1^λ) between an adversary A and a challenger C:
1.
C runs (ek,dk)←KG(1^λ) and sends ek and dk to A.
2.
A sends two (possibly entangled) quantum programs (D0,D1) with classical inputs and outputs to C.
3.
For b∈{0,1}, C chooses m_b∗←X, generates ct_b∗←Enc(ek,m_b∗), and runs D_b on input ct_b∗ to obtain an output m_b.
C outputs 1 if m_b=m_b∗ for both b∈{0,1}, and otherwise outputs 0, as the final output of the experiment.
For any QPT \mathpzcA, it holds that
[TABLE]
We prove the following theorem.
Theorem A.3.
If there exists an SDE scheme that satisfies random challenge anti-piracy, there exists an IND-KLA secure PKE-SKL scheme.
Proof.
Let SDE=(SDE.\mathpzcKG,SDE.Enc,SDE.\mathpzcDec) be an SDE scheme that satisfies random challenge anti-piracy.
By Theorem 3.9, it suffices to construct a one-query OW-KLA secure PKE-SKL scheme.
We construct a one-query OW-KLA secure PKE-SKL scheme SKL=(SKL.\mathpzcKG,SKL.Enc,SKL.\mathpzcDec,SKL.\mathpzcVrfy) as follows.
SKL.\mathpzcKG(1λ):
Run (sde.ek,sde.\mathpzcdk)←SDE.\mathpzcKG(1λ)
and output skl.ek:=sde.ek, skl.\mathpzcdk:=sde.\mathpzcdk, and skl.vk:=sde.ek.
SKL.Enc(skl.ek,m):
This is identical to SDE.Enc.
SKL.\mathpzcDec(\mathpzcdk,ct):
This is identical to SDE.\mathpzcDec.
SKL.\mathpzcVrfy(skl.vk,skl.\mathpzcdk):
Parse skl.vk=sde.ek,
choose m∗←X,
run ct∗←SDE.Enc(sde.ek,m∗) and m←SDE.\mathpzcDec(skl.\mathpzcdk,ct∗),
and output ⊤ if and only if m=m∗.
Suppose that SKL is not one-query OW-KLA secure. Let \mathpzcA be a QPT adversary that breaks the one-query OW-KLA security of SKL. We construct a QPT adversary \mathpzcB that breaks the random challenge anti-piracy of SDE as follows.
\mathpzcB(sde.ek,sde.\mathpzcdk):
Set skl.ek:=sde.ek, skl.dk:=sde.dk, and skl.vk:=sde.ek, and send (skl.ek,skl.dk,skl.vk) to A.
When A makes its verification query skl.dk, B returns ⊤ to A as the response from the oracle. Let D0 be the quantum program with classical inputs and outputs that takes ct as input and outputs m←SDE.Dec(skl.dk,ct), using the key skl.dk that A returned.
When \mathpzcA sends RequestChallenge, let \mathpzcD1 be the quantum program with classical inputs and outputs, in which \mathpzcA’s internal state is hardwired, that takes ct as input, runs the rest of \mathpzcA on the challenge ciphertext ct, and outputs \mathpzcA’s output m.
Output (\mathpzcD0,\mathpzcD1).
By the construction of \mathpzcB and the deferred measurement principle, it is immediate to see that
Adv^{rand-chal}_{SDE,B}(λ)=Adv^{ow-kla}_{SKL,A}(λ). Thus, B breaks the random challenge anti-piracy of SDE, which is a contradiction. Therefore, SKL is one-query OW-KLA secure.
∎
Remark A.4 (On CPA-Style Anti-Piracy).
We do not know if SDE with CPA-style anti-piracy implies PKE-SKL. On the other hand, it seems possible to show that SDE with the “strong” variant of CPA-style anti-piracy (called strong anti piracy [CLLZ21, Definition 6.11 in the full version]) implies PKE-SKL.
In the single-bit encryption setting, the security roughly means that an adversary given one decryption key cannot generate two “good” distinguishers that distinguish encryptions of 0 and 1. Then our idea is to construct a PKE-SKL scheme whose verification algorithm accepts if a returned decryption key gives a “good” distinguisher. Then strong anti-piracy ensures that if the adversary passes the verification, it cannot keep a “good” distinguisher, which in particular means that it cannot distinguish encryptions of 0 and 1. Thus, the PKE-SKL scheme is one-query IND-KLA secure.
Appendix B OW-CPA from CoIC-KLA
We show the following lemma.
Lemma B.1.
If a PKE scheme with a super-polynomial-size message space is CoIC-KLA secure, then it is OW-CPA secure.
Proof.
Let PKE=(KG,Enc,Dec) be a CoIC-KLA secure PKE scheme with the message space X such that ∣X∣ is super-polynomial in λ. Toward contradiction, suppose that it is not OW-CPA secure. Let \mathpzcA be an adversary that breaks OW-CPA security of PKE. Then we construct \mathpzcB that breaks CoIC-KLA security of PKE as follows.
\mathpzcB(ek0,ek1,\mathpzcdk):
Measure dk to obtain (β,dk_β) for some β∈{0,1}.
Choose (m0∗,m1∗)←X² and send (m0∗,m1∗) to the challenger (without making any oracle query). Upon receiving (ct0∗,ct1∗) from the challenger,
run m_β′←Dec(dk_β,ct_β∗) and m_{β⊕1}′←A(ek_{β⊕1},ct_{β⊕1}∗), and output 0 if m0′=m1′ and 1 otherwise.
Note that the challenger implicitly chooses a,b←{0,1} and generates
ct0∗←Enc(ek0,ma∗) and ct1∗←Enc(ek1,ma⊕b∗).
\mathpzcB’s goal is to guess b.
If b=0,
by the correctness of PKE, we have Pr[mβ′=ma∗]=1−negl(λ).
By the assumption that \mathpzcA breaks OW-CPA security, Pr[mβ⊕1′=ma∗] is non-negligible.
In particular, Pr[\mathpzcB(ek0,ek1,\mathpzcdk)→0∣b=0] is non-negligible.
If b=1,
by the correctness of PKE, we have Pr[m_β′=m_{a⊕β}∗]=1−negl(λ).
On the other hand, ct_{β⊕1}∗ is an encryption of m_{a⊕β⊕1}∗, which is uniformly random and independent of m_{a⊕β}∗, so ct_{β⊕1}∗ contains no information about m_{a⊕β}∗. Therefore, Pr[m_{β⊕1}′=m_{a⊕β}∗]≤1/|X|=negl(λ).
Thus, Pr[\mathpzcB(ek0,ek1,\mathpzcdk)→0∣b=1]=negl(λ).
Thus, ∣2Pr[\mathpzcB(ek0,ek1,\mathpzcdk)→b]−1∣=∣Pr[\mathpzcB(ek0,ek1,\mathpzcdk)→0∣b=0]−Pr[\mathpzcB(ek0,ek1,\mathpzcdk)→0∣b=1]∣ is non-negligible. This contradicts the assumed CoIC-KLA security. Thus, PKE is OW-CPA secure.
∎
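The case analysis above can be checked exactly on a small instance. The following Python, added here and not part of the paper, enumerates every choice of the CoIC-KLA challenger's bits (a,b), of the messages (m0∗,m1∗), of the two key pairs and of the measurement outcome β for a constructed toy PKE with N=8 messages, and computes Pr[B→0 | b=0], Pr[B→0 | b=1] and B's advantage as exact fractions. The OW-CPA adversary is a constructed partial breaker that succeeds on a fixed subset S of the message space; ToyPKE, owcpa_adversary and S are assumptions of the example, not objects from the paper.

```python
"""Exact probabilities for the reduction B in the proof of Lemma B.1.

Added illustration, not code from the paper.  ToyPKE is a constructed
stand-in (ct = m + key mod N) chosen so that every coin of the CoIC-KLA
challenger can be enumerated; it is not a secure scheme.  The OW-CPA
"adversary" is also constructed: it recovers the message whenever it lies
in a fixed success set S and otherwise outputs 0, so its OW-CPA success
probability is |S|/N.  Measuring the quantum key dk to get (β, dk_β) is
modelled by enumerating β ∈ {0,1}.
"""
from fractions import Fraction
from itertools import product
from typing import FrozenSet

N = 8                       # message space X = {0,...,N-1}, so 1/|X| = 1/8


class ToyPKE:
    """Constructed shift cipher with (KG, Enc, Dec) syntax; insecure by design."""

    def __init__(self, key: int):
        self.ek = self.dk = key % N

    def enc(self, m: int) -> int:
        return (m + self.ek) % N

    def dec(self, ct: int) -> int:
        return (ct - self.dk) % N


def owcpa_adversary(pke: ToyPKE, ct: int, success_set: FrozenSet[int]) -> int:
    """Constructed partial OW-CPA breaker: succeeds exactly on messages in S."""
    m = pke.dec(ct)         # the toy cipher is trivially invertible from ek
    return m if m in success_set else 0


def reduction_B(pkes, beta: int, cts, success_set: FrozenSet[int]) -> int:
    """B from the proof: decrypt ct_β with dk_β, run A on ct_{β⊕1}, output 0 iff equal."""
    m_beta = pkes[beta].dec(cts[beta])
    m_other = owcpa_adversary(pkes[beta ^ 1], cts[beta ^ 1], success_set)
    return 0 if m_beta == m_other else 1


def prob_output_zero(success_set: FrozenSet[int], b: int) -> Fraction:
    """Pr[B -> 0 | b] over the keys, the messages (m0*, m1*), the bit a and β."""
    zeros = total = 0
    for k0, k1 in product(range(N), repeat=2):
        pkes = (ToyPKE(k0), ToyPKE(k1))
        for m0, m1, a, beta in product(range(N), range(N), (0, 1), (0, 1)):
            msgs = (m0, m1)
            cts = (pkes[0].enc(msgs[a]),          # ct0* = Enc(ek0, m_a*)
                   pkes[1].enc(msgs[a ^ b]))      # ct1* = Enc(ek1, m_{a⊕b}*)
            zeros += reduction_B(pkes, beta, cts, success_set) == 0
            total += 1
    return Fraction(zeros, total)


def advantage(success_set: FrozenSet[int]) -> Fraction:
    """|2 Pr[B -> b] - 1| = |Pr[B->0 | b=0] - Pr[B->0 | b=1]|."""
    return abs(prob_output_zero(success_set, 0) - prob_output_zero(success_set, 1))


if __name__ == "__main__":
    S = frozenset({0, 1})   # OW-CPA success probability |S|/N = 1/4
    print("Pr[B->0 | b=0] =", prob_output_zero(S, 0))
    print("Pr[B->0 | b=1] =", prob_output_zero(S, 1))
    print("advantage      =", advantage(S))
```

For |S|/N=1/4 the enumeration gives Pr[B→0 | b=0]=1/4 and Pr[B→0 | b=1]=1/8=1/|X| exactly, matching the bound in the proof: when b=1 the ciphertext handed to A encrypts a message independent of the one B decrypts, so agreement is pure chance. The advantage is the difference of the two, and it approaches A's OW-CPA success probability as |X| grows.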
Appendix C Deferred Proofs for PKFE-SKL
In this section, we present the deferred proofs in Section 7.
Lemma C.1.
If PKFE is adaptively secure, it holds that |Pr[Hyb1=1]−Pr[Hyb2=1]|=negl(λ).
Proof.
We construct an adversary \mathpzcB for PKFE by using the distinguisher \mathpzcD for these two games.
1.
B is given fe.pk and sends pk:=fe.pk to D. B also generates ske.sk←{0,1}^λ and skfe.msk←SKFE.Setup(1^λ).
2.
When D sends fi to O_KG, B generates (skl.eki,skl.ski,skl.vki)←SKL.KG(1^λ), skfe.ski←SKFE.KG(skfe.msk,T[fi,skl.eki]), and ske.cti←SKE.Enc(ske.sk,skfe.ski). Then, B sends W[fi,skl.eki,ske.cti] to its challenger and receives fe.skW,i←FE.KG(fe.msk,W[fi,skl.eki,ske.cti]). B returns fski:=(fe.skW,i,skl.ski) to D and adds (fi,skl.vki,⊥) to L_KG.
3.
When D sends (fi,fski′) to O_Vrfy, B finds an entry (fi,skl.vki,Vi) in L_KG and parses fski′=(fe.ski′,skl.ski′). B returns d:=SKL.Vrfy(skl.vki,skl.ski′). If Vi=⊤, B does not update the entry. Otherwise, B updates the entry by setting Vi:=d.
4.
When D sends (x0∗,x1∗), B generates K←PRF.Gen(1^λ) and skfe.ct∗←SKFE.Enc(skfe.msk,(x0∗,⊥,K,0,⊥)). B sets X0∗:=(x0∗∥0^ℓpad,⊥,K) and X1∗:=(skfe.ct∗,ske.sk,⊥), sends (X0∗,X1∗) to its challenger, and receives fe.ct∗. B passes ct∗:=fe.ct∗ to D.
5.
B outputs what D outputs.
By the definition of W described in Figure 1, if we decrypt fe.ct∗ by fe.skW,i, we obtain
•
SKL.Enc(skl.eki,fi(x0∗);F_K(skl.eki)) if fe.ct∗ is generated from X0∗,
•
zi=SKFE.Dec(skfe.ski,skfe.ct∗) if fe.ct∗ is generated from X1∗ since ske.cti is a ciphertext of skfe.ski, where skfe.ct∗=SKFE.Enc(skfe.msk,(x0∗,⊥,K,0,⊥)). By the correctness of SKFE and the definition of T[fi,skl.eki], it holds that zi=SKL.Enc(skl.eki,f(x0∗);FK(skl.eki)).
That is, for all i∈[q], it holds that W[fi,skl.eki,ske.cti](X0∗)=W[fi,skl.eki,ske.cti](X1∗), and \mathpzcB is a valid adversary of PKFE.
It is easy to see that if fe.ct∗ is an encryption of X0∗ and X1∗, \mathpzcB perfectly simulates Hyb1 and Hyb2, respectively. This completes the proof.
∎
Lemma C.2.
If SKFE is adaptively single-ciphertext function private, it holds that |Pr[Hyb2=1]−Pr[Hyb3=1]|=negl(λ).
Proof.
We construct an adversary \mathpzcB for SKFE by using the distinguisher \mathpzcD for these two games.
1.
B generates (fe.pk,fe.msk)←FE.Setup(1^λ) and ske.sk←{0,1}^λ, and sends pk:=fe.pk to D.
2.
When D sends fi to O_KG, B generates (skl.eki,skl.ski,skl.vki)←SKL.KG(1^λ), sends a key query (F0,i,F1,i):=(T[fi,skl.eki],Thyb[fi,skl.eki,i]) to its challenger, and receives skfe.ski. B also generates ske.cti←SKE.Enc(ske.sk,skfe.ski) and fe.skW,i←FE.KG(fe.msk,W[fi,skl.eki,ske.cti]). B returns fski:=(fe.skW,i,skl.ski) to D and adds (fi,skl.vki,⊥) to L_KG.
3.
When D sends (fi,fski′) to O_Vrfy, B finds an entry (fi,skl.vki,Vi) in L_KG and parses fski′=(fe.ski′,skl.ski′). B returns d:=SKL.Vrfy(skl.vki,skl.ski′). If Vi=⊤, B does not update the entry. Otherwise, B updates the entry by setting Vi:=d.
4.
When D sends (x0∗,x1∗), B generates K←PRF.Gen(1^λ), sets X0∗:=(x0∗,⊥,K,0,⊥) and X1∗:=(x0∗,x1∗,K,0,⊥), sends an encryption query (X0∗,X1∗) to its challenger, and receives skfe.ct∗. B also generates fe.ct∗←FE.Enc(fe.pk,(skfe.ct∗,ske.sk,⊥)) and passes ct∗:=fe.ct∗ to D.
5.
B outputs what D outputs.
Since the index 0 in X1∗ is smaller than every i∈[q], it holds that Thyb[fi,skl.eki,i](x0∗,x1∗,K,0,⊥)=T[fi,skl.eki](x0∗,⊥,K,0,⊥) for all i∈[q]. That is, F0,i(X0∗)=F1,i(X1∗) for all i∈[q], and B is a valid adversary for SKFE.
If skfe.ct∗ is an encryption of X0∗ and skfe.ski is a functional decryption key for F0,i, B perfectly simulates Hyb2. If skfe.ct∗ is an encryption of X1∗ and skfe.ski is a functional decryption key for F1,i, B perfectly simulates Hyb3. This completes the proof.
∎
Lemma C.3.
If SKFE is adaptively single-ciphertext function private, it holds that |Pr[Hyb_3^q=1]−Pr[Hyb4=1]|=negl(λ).
Proof.
We construct an adversary \mathpzcB for SKFE by using the distinguisher \mathpzcD for these two games.
1.
B generates (fe.pk,fe.msk)←FE.Setup(1^λ) and ske.sk←{0,1}^λ, and sends pk:=fe.pk to D.
2.
When D sends fi to O_KG, B generates (skl.eki,skl.ski,skl.vki)←SKL.KG(1^λ), sends a key query (F0,i,F1,i):=(Thyb[fi,skl.eki,i],T[fi,skl.eki]) to its challenger, and receives skfe.ski. B also generates ske.cti←SKE.Enc(ske.sk,skfe.ski) and fe.skW,i←FE.KG(fe.msk,W[fi,skl.eki,ske.cti]). B returns fski:=(fe.skW,i,skl.ski) to D and adds (fi,skl.vki,⊥) to L_KG.
3.
When D sends (fi,fski′) to O_Vrfy, B finds an entry (fi,skl.vki,Vi) in L_KG and parses fski′=(fe.ski′,skl.ski′). B returns d:=SKL.Vrfy(skl.vki,skl.ski′). If Vi=⊤, B does not update the entry. Otherwise, B updates the entry by setting Vi:=d.
4.
When D sends (x0∗,x1∗), B generates K←PRF.Gen(1^λ), sets X0∗:=(x0∗,x1∗,K,q,⊥) and X1∗:=(x1∗,⊥,K,0,⊥), sends an encryption query (X0∗,X1∗) to its challenger, and receives skfe.ct∗. B also generates fe.ct∗←FE.Enc(fe.pk,(skfe.ct∗,ske.sk,⊥)) and passes ct∗:=fe.ct∗ to D.
5.
B outputs what D outputs.
By the definition of Thyb and T, it holds that for all i∈[q],
[TABLE]
That is, F0,i(X0∗)=F1,i(X1∗) for all i∈[q], and B is a valid adversary for SKFE.
If skfe.ct∗ is an encryption of X0∗ and skfe.ski is a functional decryption key for F0,i, B perfectly simulates Hyb_3^q. If skfe.ct∗ is an encryption of X1∗ and skfe.ski is a functional decryption key for F1,i, B perfectly simulates Hyb4. This completes the proof.
∎
Lemma C.4.
If SKFE is adaptively single-ciphertext function private, it holds that |Pr[G0=1]−Pr[G1=1]|=negl(λ).
Proof.
We construct an adversary \mathpzcB for SKFE by using the distinguisher \mathpzcD for these two games.
\mathpzcB generates (fe.pk,fe.msk)←FE.Setup(1λ) and ske.sk←{0,1}λ, and sends pk:=fe.pk to \mathpzcD.
2. 2.
When \mathpzcD sends fi to O\mathpzcKG, \mathpzcB generates (skl.eki,skl.\mathpzcski,skl.vki)←SKL.\mathpzcKG(1λ), sends a key query (F0,i,F1,i):=(Thyb[fi,skl.eki,i],Temb[fi,skl.eki,i]) to its challenger, and receives skfe.ski. \mathpzcB also generates ske.cti←SKE.Enc(ske.sk,skfe.ski) and fe.skW,i←FE.KG(fe.msk,W[fi,skl.eki,ske.cti]). \mathpzcB returns \mathpzcfski:=(fe.skW,i,skl.\mathpzcski) to \mathpzcD and adds (fi,skl.vki,⊥) to L\mathpzcKG.
3. 3.
When \mathpzcD sends (fi,\mathpzcfski′) to O\mathpzcVrfy, \mathpzcB finds an entry (fi,skl.vki,Vi) from L\mathpzcKG and parses \mathpzcfski′=(fe.ski′,skl.\mathpzcski′). \mathpzcB returns d:=SKL.\mathpzcVrfy(skl.vki,skl.\mathpzcski′). If Vi=⊤, \mathpzcB does not update the entry. Otherwise, \mathpzcB updates the entry by setting Vi:=d.
4. 4.
When \mathpzcD sends (x0∗,x1∗), \mathpzcB generates K←PRF.Gen(1λ) and skl.ct∗←SKL.Enc(skl.ekj,fj(x0∗);FK(skl.ekj)), sets X0∗:=(x0∗,x1∗,K,j−1,⊥) and X1∗:=(x0∗,x1∗,K,j,skl.ct∗), sends an encryption query (X0∗,X1∗) to its challenger, and receives skfe.ct∗. \mathpzcB generates fe.ct∗←FE.Enc(fe.pk,(skfe.ct∗,ske.sk,⊥)) and passes ct∗:=fe.ct∗ to \mathpzcD.
5. B outputs what D outputs.
By the definitions of Thyb and Temb, it holds that
[TABLE]
for all i∈[j,q], since skl.ct∗ is an encryption of fj(x0∗).
It also holds that
[TABLE]
for all i∈[1,j−1]. Hence, for all i∈[q], it holds that F0,i(X0∗)=F1,i(X1∗), so B is a valid adversary for SKFE. If skfe.ct∗ is an encryption of X0∗ and skfe.ski is a functional decryption key for F0,i, B perfectly simulates G0. If skfe.ct∗ is an encryption of X1∗ and skfe.ski is a functional decryption key for F1,i, B perfectly simulates G1. This completes the proof.
∎
Lemma C.5.
If SKL is IND-KLA secure, it holds that |Pr[G3=1]−Pr[G4=1]|=negl(λ).
Proof.
We focus on the case where the adversary returns a valid fskj=(fe.skW,j,skl.skj), the answer to the j-th key query, since fj(x0∗)=fj(x1∗) must hold if fskj is not returned.
Hence fj(x0∗)≠fj(x1∗) is allowed in this case.
We construct an adversary B for SKL by using the distinguisher D for these two games.
1. B is given (skl.ek∗,skl.sk∗) and sets (skl.ekj,skl.skj):=(skl.ek∗,skl.sk∗).
2. B generates (fe.pk,fe.msk)←FE.Setup(1λ), skfe.msk←SKFE.Setup(1λ), and ske.sk←{0,1}λ, and sends pk:=fe.pk to D.
3. When D sends the i-th query fi to OKG, if i≠j, B generates (skl.eki,skl.ski,skl.vki)←SKL.KG(1λ). For all i∈[q], B generates skfe.ski←SKFE.KG(skfe.msk,Temb[fi,skl.eki,i]), ske.cti←SKE.Enc(ske.sk,skfe.ski), and fe.skW,i←FE.KG(fe.msk,W[fi,skl.eki,ske.cti]), and returns fski:=(fe.skW,i,skl.ski) to D. Note that skl.skj=skl.sk∗ is given by the challenger. If i≠j, B adds (fi,skl.vki,⊥) to LKG. If i=j, B adds (fj,⊥,⊥) to LKG.
4. When D sends (fi,fski′) to OVrfy, B finds an entry (fi,skl.vki,Vi) from LKG and parses fski′=(fe.ski′,skl.ski′).
• If fi≠fj, B returns d:=SKL.Vrfy(skl.vki,skl.ski′), which it can compute itself since skl.vki≠⊥. If Vi=⊤, B does not update the entry. Otherwise, B updates the entry by setting Vi:=d.
• Else if fi=fj, B sends skl.skj′ to its challenger (OSKL.Vrfy of IND-KLA), receives the result dj, and passes dj to D. If Vj=⊤, B does not update the entry. Otherwise, B updates the entry by setting Vj:=dj.
5. When D sends (x0∗,x1∗), B generates K←PRF.Gen(1λ) and the punctured key K_{≠skl.ekj}:=Puncture(K,skl.ekj), sends (x0∗,x1∗) to its challenger, and receives skl.ct∗←SKL.Enc(skl.ekj,fj(xcoin∗)). B generates skfe.ct∗←SKFE.Enc(skfe.msk,(x0∗,x1∗,K_{≠skl.ekj},j,skl.ct∗)) and fe.ct∗←FE.Enc(fe.pk,(skfe.ct∗,ske.sk,⊥)) and passes ct∗:=fe.ct∗ to D.
6. B outputs what D outputs.
It is easy to see that B perfectly simulates G3 and G4 if coin=0 and coin=1, respectively.
This completes the proof.
∎
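Step 5 of this reduction rests on the punctured key Puncture(K, skl.ekj): it lets B evaluate F_K on every skl.eki with i≠j, while the value F_K(skl.ekj), the randomness of skl.ct∗, is never needed because the IND-KLA challenger supplies that ciphertext. The following Python is an added illustration, not code from the paper; it assumes a GGM-tree instantiation of the puncturable PRF (HMAC-SHA256 as the length-doubling PRG), and the skl.ek byte strings and the root key in the sample are constructed values.

```python
import hashlib
import hmac

N_BITS = 64  # depth of the GGM tree; inputs are hashed down to this many bits

def _g(seed: bytes, bit: int) -> bytes:
    """Length-doubling PRG step: the left (0) or right (1) child of a GGM node."""
    return hmac.new(seed, bytes([bit]), hashlib.sha256).digest()

def _path(x: bytes) -> str:
    """Map an input such as an encoded skl.ek to an N_BITS-bit tree path."""
    h = int.from_bytes(hashlib.sha256(x).digest()[:8], "big")
    return format(h, f"0{N_BITS}b")

def prf_eval(k: bytes, x: bytes) -> bytes:
    """F_K(x): walk from the root seed K along the bits of x."""
    node = k
    for b in _path(x):
        node = _g(node, int(b))
    return node

def puncture(k: bytes, x_star: bytes) -> dict:
    """Puncture(K, x*): keep the sibling seed of every node on the path to x*."""
    path, node, punctured = _path(x_star), k, {}
    for d, b in enumerate(path):
        sib = 1 - int(b)
        punctured[path[:d] + str(sib)] = _g(node, sib)
        node = _g(node, int(b))
    return punctured

def punctured_eval(pk: dict, x: bytes):
    """Evaluate F with the punctured key; returns None exactly when x = x*."""
    path = _path(x)
    for d in range(1, N_BITS + 1):
        if path[:d] in pk:  # first stored sibling seed that is an ancestor of x
            node = pk[path[:d]]
            for b in path[d:]:
                node = _g(node, int(b))
            return node
    return None

def reduction_view(k: bytes, eks: list, j: int) -> list:
    """What B learns from Puncture(K, skl.ek_j): F_K(skl.ek_i) for i != j, None at j."""
    pk = puncture(k, eks[j])
    return [punctured_eval(pk, ek) for ek in eks]

# Constructed sample: three leased encryption keys, with index 1 playing the role of j.
SAMPLE_EKS = [b"skl.ek_1", b"skl.ek_2", b"skl.ek_3"]
```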