Lecture 7. CS-PKE and CCA2 Security

💡
Decisional Diffie-Hellman, DDH Problem/Assumption. Let $\mathcal{X}=\{\mathcal{X}_\kappa\},\ \mathcal{Y}=\{\mathcal{Y}_\kappa\}$, where
$$\mathcal{X}_\kappa:=\{(\mathbb{G},q,g)\leftarrow\mathcal{G}(1^\kappa);\ a,b,c\leftarrow\mathbb{Z}_q:(\mathbb{G},q,g,g^a,g^b,g^c)\}$$
$$\mathcal{Y}_\kappa:=\{(\mathbb{G},q,g)\leftarrow\mathcal{G}(1^\kappa);\ a,b\leftarrow\mathbb{Z}_q:(\mathbb{G},q,g,g^a,g^b,g^{ab})\}$$

DDH assumption: $\mathcal{X}\approx_c\mathcal{Y}$, i.e. no polynomial-time adversary can distinguish $\mathcal{X}$ from $\mathcal{Y}$; the distinguishing advantage below is negligible:

$$\textbf{Adv}_{\mathcal{G},\mathcal{A}}^\text{DDH}(\kappa)=\left|\Pr[\mathcal{A}((\mathbb{G},q,g),g^x,g^y,g^z)=1]-\Pr[\mathcal{A}((\mathbb{G},q,g),g^x,g^y,g^{xy})=1]\right|$$

Collision Resistant Hashing. A family of functions $\mathcal{H}=\{H:\mathcal{X}\rightarrow\mathcal{Y}\}$ is collision resistant if and only if, for every PPT adversary $\mathcal{A}$, the following advantage is negligible:

$$\textbf{Adv}_{\mathcal{H},\mathcal{A}}^\text{cr}(\kappa)=\Pr[H\leftarrow\mathcal{H},\ (x,x')\leftarrow\mathcal{A}(H):H(x)=H(x')\wedge x\ne x']$$

Constructing a collision-resistant hash. Let $\mathcal{G}$ be a group generation algorithm; we construct a collision-resistant hash as follows:

💡
If the discrete logarithm problem in $\mathbb{G}$ is hard, then the hash constructed above is collision resistant.

[Proof]

$$\textbf{Adv}_{\mathcal{H},\mathcal{A}}^\text{cr}(\kappa)=\Pr\left[\begin{matrix}(\mathbb{G},q,g,h)\leftarrow\text{Gen}(1^\kappa)\\((x,y),(x',y'))\leftarrow\mathcal{A}(\mathbb{G},q,g,h)\end{matrix}:\begin{matrix}H_s(x,y)=H_s(x',y')\\\wedge\ (x,y)\ne(x',y')\end{matrix}\right]$$

We now construct a PPT adversary $\mathcal{A}'$ that solves the discrete logarithm problem: given $(\mathbb{G},q,g,h)$, compute $\log_g h$.

It is easy to see that once $\mathcal{A}'$ has simulated the CR experiment for $\mathcal{A}$ and obtained a collision $(x,y),(x',y')$, we have

$$g^xh^y=g^{x'}h^{y'} \Longrightarrow g^{x'-x}h^{y'-y}=1$$

Writing $h=g^t$ with $t=\log_g h$, this becomes

$$g^{(x'-x)+t(y'-y)}=1 \Longrightarrow (x'-x)+t(y'-y)\equiv 0 \pmod q$$

Hence (note that $y\ne y'$: if $y=y'$ then $g^{x'-x}=1$ forces $x=x'$, contradicting $(x,y)\ne(x',y')$),

$$\log_g h=t=\frac{x'-x}{y-y'} \bmod q$$

which solves the discrete logarithm instance, so

$$\textbf{Adv}_{\mathbb{G},\mathcal{A}'}^\text{dlp}(\kappa)=\textbf{Adv}_{\mathcal{H},\mathcal{A}}^\text{cr}(\kappa)$$

The reduction is complete.
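As an added example (not code from the lecture), the hash the proof above works with, $H_s(x,y)=g^xh^y$, and the adversary $\mathcal{A}'$ that turns any collision into $\log_g h=(x'-x)/(y-y')\bmod q$. The group parameters ($p=2039$, $q=1019$, generator $4$) and the exponent $t=777$ are constructed toy values; `collision_from_trapdoor` exists only to manufacture a test input, since without $t$ finding a collision is exactly the hard problem.

```python
# Added example (not from the lecture): the hash H_s(x, y) = g^x h^y that the
# proof above works with, and the reduction A' that turns a collision into
# log_g h.  Toy parameters are constructed; they are far too small for real use.
P = 2039   # safe prime p = 2q + 1 (constructed)
Q = 1019   # prime order of the subgroup of quadratic residues mod p
G = 4      # 4 = 2^2 is a quadratic residue and 4 != 1, so it generates the order-Q subgroup


def gen(t):
    """Gen(1^k) -> (G, q, g, h) with h = g^t.  A real Gen samples t uniformly
    from Z_q and discards it; it is passed in here so the test can build a
    collision and check that the reduction recovers exactly t."""
    return pow(G, t % Q, P)


def H(h, x, y):
    """H_s(x, y) = g^x * h^y with (x, y) in Z_q x Z_q."""
    return pow(G, x % Q, P) * pow(h, y % Q, P) % P


def collision_to_dlog(h, pair1, pair2):
    """Adversary A' of the proof: from a collision (x, y) != (x', y') of H
    derive t = log_g h = (x' - x) / (y - y') mod q."""
    (x, y), (x2, y2) = pair1, pair2
    if H(h, x, y) != H(h, x2, y2) or (x % Q, y % Q) == (x2 % Q, y2 % Q):
        raise ValueError("input is not a collision of H")
    if (y - y2) % Q == 0:
        # g^{x'-x} = 1 would force x' = x, so this cannot happen for a collision
        raise ValueError("y == y' is impossible for a genuine collision")
    t = (x2 - x) * pow((y - y2) % Q, -1, Q) % Q
    assert pow(G, t, P) == h      # sanity check: g^t really is h
    return t


def collision_from_trapdoor(t, x, y, y2):
    """Only someone holding t = log_g h can do this: x' = x + t(y - y') mod q
    gives H(x, y) = H(x', y').  Used solely to produce test input."""
    x2 = (x + t * (y - y2)) % Q
    return (x, y), (x2, y2)


if __name__ == "__main__":
    t = 777                                   # constructed trapdoor
    h = gen(t)
    pair1, pair2 = collision_from_trapdoor(t, 5, 9, 2)
    print("collision:", pair1, pair2,
          "-> recovered log_g h =", collision_to_dlog(h, pair1, pair2))
```

The `ValueError` branch for $y=y'$ is the case the proof rules out in passing; the modular inverse in `collision_to_dlog` is exactly the division by $y-y'$ in the formula for $t$.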


CPA-secure Cramer-Shoup PKE (CS-PKE) scheme.

💡
If the DDH assumption holds for $\mathcal{G}$, then CS-PKE is CPA secure.

[Proof] Security reduction.

Game 0. This is $\textbf{Exp}_{\text{PKE},\mathcal{A}}^\text{CPA}(\kappa)$.

Game 1. Rewrite the $\text{Enc}$ step of Game 0 in the equivalent form expressed via $sk$ (the brown part); from the adversary's point of view Game 0 and Game 1 are identical.

$$\color{darkblue}\begin{matrix}\mathcal{C}& &\mathcal{A}\\ pp\leftarrow\text{Setup}(1^\kappa)\\ (pk,sk)\leftarrow\text{KeyGen}(1^\kappa) & \stackrel{pp,pk}{\longrightarrow} \\ \scriptsize z_1,z_2\leftarrow\mathbb{Z}_q\\ \scriptsize h=g_1^{z_1}g_2^{z_2}\\ \scriptsize pk=h,\ sk=(z_1,z_2)\\ b\leftarrow\{0,1\}& \stackrel{(m_0,m_1)}{\longleftarrow}& \text{choose }m_0,m_1\\ C^*\leftarrow\text{Enc}(pk,m_b)& \stackrel{C^*=(u_1^*,u_2^*,e^*)}{\longrightarrow}& \\ \scriptsize r^*\leftarrow\mathbb{Z}_q;\ u_1^*=g_1^{r^*},u_2^*=g_2^{r^*} \\ \scriptsize e^*=m_b\cdot h^{r^*}{\color{brown}=m_b\cdot u_1^{*z_1}u_2^{*z_2}}\\ \scriptsize C^*=(u_1^*,u_2^*,e^*)\\ \mathcal{A}\text{ wins iff }b'=b & \stackrel{b'}{\longleftarrow} & \text{compute }b'\end{matrix}$$

Game 2. Observe that $(g_1=g,\ g_2=g^a,\ u_1^*=g_1^{r^*}=g^{r^*},\ u_2^*=g_2^{r^*}=g^{ar^*})$ is a DDH tuple. Replace it by a random tuple: pick independent $r_1^*,r_2^*$ and set $u_1^*=g_1^{r_1^*},\ u_2^*=g_2^{r_2^*}$, which gives Game 2. By the DDH assumption a PPT adversary cannot distinguish Game 1 from Game 2 (if it could, it would solve the DDH problem with non-negligible probability).

$$\color{darkblue}\begin{matrix}\mathcal{C}& &\mathcal{A}\\ pp\leftarrow\text{Setup}(1^\kappa)\\ (pk,sk)\leftarrow\text{KeyGen}(1^\kappa) & \stackrel{pp,pk}{\longrightarrow} \\ \scriptsize z_1,z_2\leftarrow\mathbb{Z}_q\\ \scriptsize h=g_1^{z_1}g_2^{z_2}\\ \scriptsize pk=h,\ sk=(z_1,z_2)\\ b\leftarrow\{0,1\}& \stackrel{(m_0,m_1)}{\longleftarrow}& \text{choose }m_0,m_1\\ C^*\leftarrow\text{Enc}(pk,m_b)& \stackrel{C^*=(u_1^*,u_2^*,e^*)}{\longrightarrow}& \\ \scriptsize r_1^*,r_2^*\leftarrow\mathbb{Z}_q;\ u_1^*=g_1^{r_1^*},u_2^*=g_2^{r_2^*} \\ \scriptsize e^*=m_b\cdot u_1^{*z_1}u_2^{*z_2}\\ \scriptsize C^*=(u_1^*,u_2^*,e^*)\\ \mathcal{A}\text{ wins iff }b'=b & \stackrel{b'}{\longleftarrow} & \text{compute }b'\end{matrix}$$

Note that in Game 2 the adversary wins with probability $1/2$. Indeed, with $g_1=g,\ g_2=g^a$ we have

$$e^*=m_b\cdot g_1^{r_1^*z_1}g_2^{r_2^*z_2}=m_b\cdot g^{r_1^*z_1+ar_2^*z_2} \quad\Longrightarrow\quad \log_g\frac{e^*}{m_b}=r_1^*z_1+ar_2^*z_2$$
$$h=g_1^{z_1}g_2^{z_2}=g^{z_1+az_2} \quad\Longrightarrow\quad \log_g h=z_1+az_2$$

Since the $r_1^*$ used in the challenge encryption differs from $r_2^*$ with overwhelming probability, these two linear equations in the unknowns $(z_1,z_2)$ are independent: the value $\log_g h=z_1+az_2$ the adversary already holds reveals nothing about $r_1^*z_1+ar_2^*z_2$, which stays uniformly distributed over $\mathbb{Z}_q$. So $e^*$ is a uniformly random group element independent of $m_b$, and the adversary guesses correctly with probability $1/2$.

This completes the reduction: CS-PKE as constructed is CPA secure.

$$\text{Game 0}=\text{Game 1}\stackrel{\text{DDH}}{\approx}\text{Game 2}=\frac{1}{2}$$

CCA2-secure Cramer-Shoup PKE (CS-PKE).

💡
If the DDH assumption holds for $\mathcal{G}$ and $\mathcal{H}$ is collision resistant, then CS-PKE is CCA2 secure.

[Proof] Security reduction.

Game 0. This is $\textbf{Exp}_{\text{PKE},\mathcal{A}}^\text{CCA2}(\kappa)$.

Game 1. Rewrite the $\text{Enc}$ step of Game 0 in the equivalent form expressed via $sk$ (the brown part); from the adversary's point of view Game 0 and Game 1 are identical.

$$\color{darkblue}\begin{matrix}\mathcal{C}& &\mathcal{A}\\ pp\leftarrow\text{Setup}(1^\kappa)\\ (pk,sk)\leftarrow\text{KeyGen}(1^\kappa) & \stackrel{pp,pk}{\longrightarrow} \\ \scriptsize x_1,x_2,y_1,y_2,z_1,z_2\leftarrow\mathbb{Z}_q\\ \scriptsize c=g_1^{x_1}g_2^{x_2},\ d=g_1^{y_1}g_2^{y_2},\ h=g_1^{z_1}g_2^{z_2}\\ \scriptsize pk=(c,d,h)\\ \scriptsize sk=(x_1,x_2,y_1,y_2,z_1,z_2)\\ & \stackrel{C=(u_1,u_2,e,v)}{\longleftarrow}& \text{decryption queries}\\ m/\perp\leftarrow\text{Dec}(sk,C) & \stackrel{m/\perp}{\longrightarrow}\\ \scriptsize \alpha=H(u_1,u_2,e); \\ \scriptsize \text{if }u_1^{x_1+\alpha y_1}u_2^{x_2+\alpha y_2}\ne v\text{ then return }\perp \\ \scriptsize \text{else } m=e\cdot u_1^{-z_1}u_2^{-z_2}\\ b\leftarrow\{0,1\}& \stackrel{(m_0,m_1)}{\longleftarrow}& \text{choose }m_0,m_1\\ C^*\leftarrow\text{Enc}(pk,m_b)& \stackrel{C^*=(u_1^*,u_2^*,e^*,v^*)}{\longrightarrow}& \\ \scriptsize r^*\leftarrow\mathbb{Z}_q;\ u_1^*=g_1^{r^*},u_2^*=g_2^{r^*} \\ \scriptsize e^*=m_b\cdot h^{r^*}{\color{brown}=m_b\cdot u_1^{*z_1}u_2^{*z_2}} \\ \scriptsize \alpha^*=H(u_1^*,u_2^*,e^*)\\ \scriptsize v^*=c^{r^*}d^{\alpha^*r^*}{\color{brown}=u_1^{*x_1+y_1\alpha^*}u_2^{*x_2+y_2\alpha^*}} \\ \scriptsize C^*=(u_1^*,u_2^*,e^*,v^*)\\ & \stackrel{C=(u_1,u_2,e,v)\ne C^*}{\longleftarrow}& \text{decryption queries}\\ m/\perp\leftarrow\text{Dec}(sk,C) & \stackrel{m/\perp}{\longrightarrow}\\ \scriptsize \alpha=H(u_1,u_2,e); \\ \scriptsize \text{if }u_1^{x_1+\alpha y_1}u_2^{x_2+\alpha y_2}\ne v\text{ then return }\perp \\ \scriptsize \text{else } m=e\cdot u_1^{-z_1}u_2^{-z_2}\\ \mathcal{A}\text{ wins iff }b'=b & \stackrel{b'}{\longleftarrow} & \text{compute }b'\end{matrix}$$
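The scheme exactly as it appears in the Game 1 diagram (KeyGen, Enc, and Dec with its $v$ check), implemented over a toy group as an added example; this is not code from the lecture. Dropping $c,d,v$ and the check in Dec gives the CPA-secure variant of the previous section, so the block serves both. Constructed assumptions: the prime $p=2039$ with subgroup order $q=1019$ and generator $g_1=4$, SHA-256 reduced mod $q$ as a stand-in for the collision-resistant $H$, and `seeded_rng` as a deterministic replacement for the random sampling so the demo is reproducible. `game1_rewrite_agrees` checks the two brown equalities numerically, and the tamper lines show the $v$ check returning $\perp$ on a modified ciphertext.

```python
# Added example (not the lecture's code): Cramer-Shoup PKE as laid out in the
# Game 1 diagram, over a constructed toy group.  Without c, d, v and the check
# in Dec it is the CPA-secure variant of the previous section.
import hashlib
import random
import secrets

P = 2039   # toy safe prime p = 2q + 1 (constructed; real use needs a large group)
Q = 1019   # prime order of the subgroup of quadratic residues mod p
G1 = 4     # generator g_1 of that subgroup


def hash_to_zq(u1, u2, e):
    """Stand-in for the collision-resistant H: SHA-256 of the tuple, reduced mod q
    (assumption: adequate as a collision-resistant hash for this demonstration)."""
    digest = hashlib.sha256(f"{u1},{u2},{e}".encode()).digest()
    return int.from_bytes(digest, "big") % Q


def seeded_rng(seed):
    """Deterministic replacement for secrets.randbelow; for reproducible demos only."""
    state = random.Random(seed)
    return lambda n: state.randrange(n)


def keygen(rng=secrets.randbelow):
    """KeyGen: g_2 = g_1^a, c = g_1^{x_1} g_2^{x_2}, d = g_1^{y_1} g_2^{y_2}, h = g_1^{z_1} g_2^{z_2}."""
    a = 1 + rng(Q - 1)                       # a != 0, so g_2 also generates the subgroup
    g2 = pow(G1, a, P)
    x1, x2, y1, y2, z1, z2 = (rng(Q) for _ in range(6))
    c = pow(G1, x1, P) * pow(g2, x2, P) % P
    d = pow(G1, y1, P) * pow(g2, y2, P) % P
    h = pow(G1, z1, P) * pow(g2, z2, P) % P
    return (G1, g2, c, d, h), (x1, x2, y1, y2, z1, z2)


def encrypt(pk, m, r=None):
    """Enc(pk, m): u_1 = g_1^r, u_2 = g_2^r, e = m h^r, alpha = H(u_1,u_2,e), v = c^r d^{alpha r}."""
    g1, g2, c, d, h = pk
    if r is None:
        r = secrets.randbelow(Q)
    u1, u2 = pow(g1, r, P), pow(g2, r, P)
    e = m * pow(h, r, P) % P
    alpha = hash_to_zq(u1, u2, e)
    v = pow(c, r, P) * pow(d, alpha * r % Q, P) % P
    return u1, u2, e, v


def decrypt(sk, ct):
    """Dec(sk, C): return None (i.e. ⊥) unless u_1^{x_1+alpha y_1} u_2^{x_2+alpha y_2} = v;
    otherwise m = e * u_1^{-z_1} u_2^{-z_2}."""
    u1, u2, e, v = ct
    x1, x2, y1, y2, z1, z2 = sk
    alpha = hash_to_zq(u1, u2, e)
    tag = pow(u1, (x1 + alpha * y1) % Q, P) * pow(u2, (x2 + alpha * y2) % Q, P) % P
    if tag != v:
        return None
    mask = pow(u1, z1, P) * pow(u2, z2, P) % P
    return e * pow(mask, -1, P) % P


def game1_rewrite_agrees(pk, sk, r):
    """The two brown equalities of Game 1, checked numerically for a given r:
    h^r = u_1^{z_1} u_2^{z_2}  and  c^r d^{alpha r} = u_1^{x_1+y_1 alpha} u_2^{x_2+y_2 alpha}."""
    g1, g2, c, d, h = pk
    x1, x2, y1, y2, z1, z2 = sk
    u1, u2 = pow(g1, r, P), pow(g2, r, P)
    e = pow(h, r, P)                         # m_b = 1 keeps the comparison simple
    alpha = hash_to_zq(u1, u2, e)
    e_pk, e_sk = pow(h, r, P), pow(u1, z1, P) * pow(u2, z2, P) % P
    v_pk = pow(c, r, P) * pow(d, alpha * r % Q, P) % P
    v_sk = pow(u1, (x1 + y1 * alpha) % Q, P) * pow(u2, (x2 + y2 * alpha) % Q, P) % P
    return e_pk == e_sk and v_pk == v_sk


if __name__ == "__main__":
    pk, sk = keygen(seeded_rng(7))
    m = pow(G1, 321, P)                      # constructed message: an element of the subgroup
    ct = encrypt(pk, m, r=99)
    print("round trip ok:", decrypt(sk, ct) == m)
    print("Game 1 rewrite agrees:", game1_rewrite_agrees(pk, sk, 99))
    u1, u2, e, v = ct
    print("modified v rejected:", decrypt(sk, (u1, u2, e, v * G1 % P)) is None)
    print("modified e rejected:", decrypt(sk, (u1, u2, e * G1 % P, v)) is None)
```

Messages are group elements here (encoding arbitrary data into the subgroup is out of scope for the lecture). The modified-$v$ case is rejected unconditionally; the modified-$e$ case is rejected unless the new $\alpha$ happens to equal the old one mod $q$, which is exactly the hash-collision event that Game 2 of the proof charges to collision resistance.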

Game 2. Handle hash collisions: in the second query phase, if $\alpha=H(u_1,u_2,e)$ equals $\alpha^*$, return $\perp$ without further processing (red part). The gap between Game 1 and Game 2 is bounded by the collision resistance of the hash, i.e. $\text{Game 1}\stackrel{\text{CR}}{\approx}\text{Game 2}$.

$$\color{darkblue}\begin{matrix}\mathcal{C}& &\mathcal{A}\\ pp\leftarrow\text{Setup}(1^\kappa)\\ (pk,sk)\leftarrow\text{KeyGen}(1^\kappa) & \stackrel{pp,pk}{\longrightarrow} \\ \scriptsize x_1,x_2,y_1,y_2,z_1,z_2\leftarrow\mathbb{Z}_q\\ \scriptsize c=g_1^{x_1}g_2^{x_2},\ d=g_1^{y_1}g_2^{y_2},\ h=g_1^{z_1}g_2^{z_2}\\ \scriptsize pk=(c,d,h)\\ \scriptsize sk=(x_1,x_2,y_1,y_2,z_1,z_2)\\ & \stackrel{C=(u_1,u_2,e,v)}{\longleftarrow}& \text{decryption queries}\\ m/\perp\leftarrow\text{Dec}(sk,C) & \stackrel{m/\perp}{\longrightarrow}\\ \scriptsize \alpha=H(u_1,u_2,e); \\ \scriptsize \text{if }u_1^{x_1+\alpha y_1}u_2^{x_2+\alpha y_2}\ne v\text{ then return }\perp \\ \scriptsize \text{else } m=e\cdot u_1^{-z_1}u_2^{-z_2}\\ b\leftarrow\{0,1\}& \stackrel{(m_0,m_1)}{\longleftarrow}& \text{choose }m_0,m_1\\ C^*\leftarrow\text{Enc}(pk,m_b)& \stackrel{C^*=(u_1^*,u_2^*,e^*,v^*)}{\longrightarrow}& \\ \scriptsize r^*\leftarrow\mathbb{Z}_q;\ u_1^*=g_1^{r^*},u_2^*=g_2^{r^*} \\ \scriptsize e^*=m_b\cdot u_1^{*z_1}u_2^{*z_2} \\ \scriptsize \alpha^*=H(u_1^*,u_2^*,e^*)\\ \scriptsize v^*=u_1^{*x_1+y_1\alpha^*}u_2^{*x_2+y_2\alpha^*} \\ \scriptsize C^*=(u_1^*,u_2^*,e^*,v^*)\\ & \stackrel{C=(u_1,u_2,e,v)\ne C^*}{\longleftarrow}& \text{decryption queries}\\ m/\perp\leftarrow\text{Dec}(sk,C) & \stackrel{m/\perp}{\longrightarrow}\\ \scriptsize \alpha=H(u_1,u_2,e); \\ {\color{red}\scriptsize \text{if }\alpha=\alpha^*\text{ then return }\perp} \\ \scriptsize \text{if }u_1^{x_1+\alpha y_1}u_2^{x_2+\alpha y_2}\ne v\text{ then return }\perp \\ \scriptsize \text{else } m=e\cdot u_1^{-z_1}u_2^{-z_2}\\ \mathcal{A}\text{ wins iff }b'=b & \stackrel{b'}{\longleftarrow} & \text{compute }b'\end{matrix}$$

Game 3. Replace the DDH tuple by a random tuple, as in Game 2 of the CPA proof; by the same argument $\text{Game 2}\stackrel{\text{DDH}}{\approx}\text{Game 3}$.

$$\color{darkblue}\begin{matrix}\mathcal{C}& &\mathcal{A}\\ pp\leftarrow\text{Setup}(1^\kappa)\\ (pk,sk)\leftarrow\text{KeyGen}(1^\kappa) & \stackrel{pp,pk}{\longrightarrow} \\ \scriptsize x_1,x_2,y_1,y_2,z_1,z_2\leftarrow\mathbb{Z}_q\\ \scriptsize c=g_1^{x_1}g_2^{x_2},\ d=g_1^{y_1}g_2^{y_2},\ h=g_1^{z_1}g_2^{z_2}\\ \scriptsize pk=(c,d,h)\\ \scriptsize sk=(x_1,x_2,y_1,y_2,z_1,z_2)\\ & \stackrel{C=(u_1,u_2,e,v)}{\longleftarrow}& \text{decryption queries}\\ m/\perp\leftarrow\text{Dec}(sk,C) & \stackrel{m/\perp}{\longrightarrow}\\ \scriptsize \alpha=H(u_1,u_2,e); \\ \scriptsize \text{if }u_1^{x_1+\alpha y_1}u_2^{x_2+\alpha y_2}\ne v\text{ then return }\perp \\ \scriptsize \text{else } m=e\cdot u_1^{-z_1}u_2^{-z_2}\\ b\leftarrow\{0,1\}& \stackrel{(m_0,m_1)}{\longleftarrow}& \text{choose }m_0,m_1\\ C^*\leftarrow\text{Enc}(pk,m_b)& \stackrel{C^*=(u_1^*,u_2^*,e^*,v^*)}{\longrightarrow}& \\ {\color{red}\scriptsize r_1^*,r_2^*\leftarrow\mathbb{Z}_q;\ u_1^*=g_1^{r_1^*},u_2^*=g_2^{r_2^*}} \\ \scriptsize e^*=m_b\cdot u_1^{*z_1}u_2^{*z_2} \\ \scriptsize \alpha^*=H(u_1^*,u_2^*,e^*)\\ \scriptsize v^*=u_1^{*x_1+y_1\alpha^*}u_2^{*x_2+y_2\alpha^*} \\ \scriptsize C^*=(u_1^*,u_2^*,e^*,v^*)\\ & \stackrel{C=(u_1,u_2,e,v)\ne C^*}{\longleftarrow}& \text{decryption queries}\\ m/\perp\leftarrow\text{Dec}(sk,C) & \stackrel{m/\perp}{\longrightarrow}\\ \scriptsize \alpha=H(u_1,u_2,e); \\ \scriptsize \text{if }\alpha=\alpha^*\text{ then return }\perp \\ \scriptsize \text{if }u_1^{x_1+\alpha y_1}u_2^{x_2+\alpha y_2}\ne v\text{ then return }\perp \\ \scriptsize \text{else } m=e\cdot u_1^{-z_1}u_2^{-z_2}\\ \mathcal{A}\text{ wins iff }b'=b & \stackrel{b'}{\longleftarrow} & \text{compute }b'\end{matrix}$$

Game 4 [Oracle]. In decryption, reject the query if $(u_1,u_2)$ is not a DDH tuple (note that the challenger no longer needs to be PPT: it may be an oracle, since there are no further reductions and everything from here on is information-theoretic). Information-theoretically the adversary cannot notice this change; in other words, even without this extra rejection, the subsequent check $u_1^{x_1+\alpha y_1}u_2^{x_2+\alpha y_2}=v$ would reject such a query anyway.

$$\color{darkblue}\begin{matrix}\mathcal{C}& &\mathcal{A}\\ pp\leftarrow\text{Setup}(1^\kappa)\\ (pk,sk)\leftarrow\text{KeyGen}(1^\kappa) & \stackrel{pp,pk}{\longrightarrow} \\ \scriptsize x_1,x_2,y_1,y_2,z_1,z_2\leftarrow\mathbb{Z}_q\\ \scriptsize c=g_1^{x_1}g_2^{x_2},\ d=g_1^{y_1}g_2^{y_2},\ h=g_1^{z_1}g_2^{z_2}\\ \scriptsize pk=(c,d,h)\\ \scriptsize sk=(x_1,x_2,y_1,y_2,z_1,z_2)\\ & \stackrel{C=(u_1,u_2,e,v)}{\longleftarrow}& \text{decryption queries}\\ m/\perp\leftarrow\text{Dec}(sk,C) & \stackrel{m/\perp}{\longrightarrow}\\ {\color{red}\scriptsize \text{if }\log_{g_1}u_1\ne\log_{g_2}u_2\text{ then return }\perp}\\ \scriptsize \alpha=H(u_1,u_2,e); \\ \scriptsize \text{if }u_1^{x_1+\alpha y_1}u_2^{x_2+\alpha y_2}\ne v\text{ then return }\perp \\ \scriptsize \text{else } m=e\cdot u_1^{-z_1}u_2^{-z_2}\\ b\leftarrow\{0,1\}& \stackrel{(m_0,m_1)}{\longleftarrow}& \text{choose }m_0,m_1\\ C^*\leftarrow\text{Enc}(pk,m_b)& \stackrel{C^*=(u_1^*,u_2^*,e^*,v^*)}{\longrightarrow}& \\ \scriptsize r_1^*,r_2^*\leftarrow\mathbb{Z}_q;\ u_1^*=g_1^{r_1^*},u_2^*=g_2^{r_2^*} \\ \scriptsize e^*=m_b\cdot u_1^{*z_1}u_2^{*z_2} \\ \scriptsize \alpha^*=H(u_1^*,u_2^*,e^*)\\ \scriptsize v^*=u_1^{*x_1+y_1\alpha^*}u_2^{*x_2+y_2\alpha^*} \\ \scriptsize C^*=(u_1^*,u_2^*,e^*,v^*)\\ & \stackrel{C=(u_1,u_2,e,v)\ne C^*}{\longleftarrow}& \text{decryption queries}\\ m/\perp\leftarrow\text{Dec}(sk,C) & \stackrel{m/\perp}{\longrightarrow}\\ \scriptsize \alpha=H(u_1,u_2,e); \\ \scriptsize \text{if }\alpha=\alpha^*\text{ then return }\perp \\ \scriptsize \cdots\\ \mathcal{A}\text{ wins iff }b'=b & \stackrel{b'}{\longleftarrow} & \text{compute }b'\end{matrix}$$

Similarly, written as a system of equations: the adversary originally has only three equations, from $c,d,v^*$, in the four unknowns $x_1,x_2,y_1,y_2$, so the solution space is one-dimensional, of size $q$:

$$\log_g c=x_1+ax_2 \\ \log_g d=y_1+ay_2 \\ \log_g v^*=r_1^*x_1+r_1^*\alpha^*y_1+ar_2^*x_2+ar_2^*\alpha^*y_2$$

$$\left[\begin{matrix}1& a & 0 & 0\\ 0 & 0 & 1 & a \\ r_1^* & ar_2^* & r_1^*\alpha^*& ar_2^*\alpha^*\end{matrix}\right]\left[\begin{matrix}x_1\\x_2\\y_1\\y_2\end{matrix}\right]=\left[\begin{matrix}\log_g c \\ \log_g d \\ \log_g v^*\end{matrix}\right]$$

If $r_1=\log_{g_1}u_1\ne\log_{g_2}u_2=r_2$ and yet $u_1^{x_1+\alpha y_1}u_2^{x_2+\alpha y_2}=v$, then this query supplies a fourth equation, giving

$$\left[\begin{matrix}1& a & 0 & 0\\ 0 & 0 & 1 & a \\ r_1^* & ar_2^* & r_1^*\alpha^*& ar_2^*\alpha^* \\ r_1 & ar_2 & r_1\alpha & ar_2\alpha\end{matrix}\right]\left[\begin{matrix}x_1\\x_2\\y_1\\y_2\end{matrix}\right]=\left[\begin{matrix}\log_g c \\ \log_g d \\ \log_g v^*\\ \log_g v\end{matrix}\right]$$

The coefficient matrix has full rank (its determinant is $a^2(r_2^*-r_1^*)(r_2-r_1)(\alpha^*-\alpha)$ up to sign, which is nonzero because $r_1^*\ne r_2^*$, $r_1\ne r_2$ and, by Game 2, $\alpha\ne\alpha^*$), so $x_1,x_2,y_1,y_2$ are uniquely determined. Producing such a $v$ therefore amounts to guessing the right point of the original one-dimensional solution space, and since that space has size $q$, the probability is negligible. Hence this case can be treated as never occurring, and adding the check is unnoticeable to the adversary, i.e. $\text{Game 3}\approx\text{Game 4}$.
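Both information-theoretic arguments above, the "one equation in $(z_1,z_2)$" step of Game 2 in the CPA proof and the three-versus-four equations step of Game 4, can be checked by computing in the exponent ring $\mathbb{Z}_q$ directly. The following is an added example, not code from the lecture; $q=1019$, $a=5$, $r_1^*=7$, $r_2^*=11$, $\alpha^*=3$, $\log_g h=100$ and the query values are constructed. `rank_mod_q` is a plain Gauss-Jordan elimination over $\mathbb{Z}_q$, and `cpa_game2_mask_values` enumerates every $(z_1,z_2)$ consistent with the public $h$ to see how many values the mask exponent $r_1^*z_1+ar_2^*z_2$ can take.

```python
# Added example (not from the lecture): the information-theoretic steps of the
# proof, worked in the exponent ring Z_q.  Covers the "only one equation in
# (z_1, z_2)" argument of Game 2 in the CPA proof and the 3-vs-4 equations
# argument of Game 4 above.  q and all exponents are constructed toy values.
Q = 1019   # prime; small enough to enumerate all solutions of a linear equation


def rank_mod_q(rows, q=Q):
    """Rank over the field Z_q by Gauss-Jordan elimination (q prime)."""
    m = [[v % q for v in row] for row in rows]
    rank = 0
    for col in range(len(m[0]) if m else 0):
        pivot = next((i for i in range(rank, len(m)) if m[i][col]), None)
        if pivot is None:
            continue
        m[rank], m[pivot] = m[pivot], m[rank]
        inv = pow(m[rank][col], -1, q)
        m[rank] = [v * inv % q for v in m[rank]]
        for i in range(len(m)):
            if i != rank and m[i][col]:
                f = m[i][col]
                m[i] = [(vi - f * vr) % q for vi, vr in zip(m[i], m[rank])]
        rank += 1
    return rank


def game4_rows(a, r1s, r2s, alpha_s, query=None):
    """Coefficient rows over the unknowns (x_1, x_2, y_1, y_2) for log c, log d,
    log v^*, plus, if query = (r_1, r_2, alpha) is given, the row that a
    decryption query with log_{g_1} u_1 = r_1, log_{g_2} u_2 = r_2 would add
    when its check u_1^{x_1+alpha y_1} u_2^{x_2+alpha y_2} = v passes."""
    rows = [[1, a, 0, 0],
            [0, 0, 1, a],
            [r1s, a * r2s, r1s * alpha_s, a * r2s * alpha_s]]
    if query is not None:
        r1, r2, alpha = query
        rows.append([r1, a * r2, r1 * alpha, a * r2 * alpha])
    return rows


def cpa_game2_mask_values(a, log_h, r1s, r2s, q=Q):
    """CPA Game 2: enumerate every (z_1, z_2) with log_g h = z_1 + a z_2 and
    collect the exponent r_1^* z_1 + a r_2^* z_2 of the mask e^*/m_b.
    q distinct values: the mask is uniform given h (r_1^* != r_2^*).
    1 value: h already fixes the mask (the DDH case r_1^* = r_2^*)."""
    values = set()
    for z2 in range(q):
        z1 = (log_h - a * z2) % q
        values.add((r1s * z1 + a * r2s * z2) % q)
    return len(values)


if __name__ == "__main__":
    a, r1s, r2s, alpha_s = 5, 7, 11, 3          # constructed: r_1^* != r_2^*
    print("rank with c, d, v* only:", rank_mod_q(game4_rows(a, r1s, r2s, alpha_s)))          # 3
    print("DDH-tuple query adds nothing:",
          rank_mod_q(game4_rows(a, r1s, r2s, alpha_s, (2, 2, 9))))                            # 3
    print("non-DDH query passing the check pins down x_1..y_2:",
          rank_mod_q(game4_rows(a, r1s, r2s, alpha_s, (2, 4, 9))))                            # 4
    print("... unless alpha = alpha* (excluded by Game 2):",
          rank_mod_q(game4_rows(a, r1s, r2s, alpha_s, (2, 4, alpha_s))))                      # 3
    print("CPA Game 2 mask values, r1* != r2*:", cpa_game2_mask_values(a, 100, r1s, r2s))    # 1019
    print("CPA Game 2 mask values, r1* == r2*:", cpa_game2_mask_values(a, 100, r1s, r1s))    # 1
```

The fourth row of a DDH-tuple query ($r_1=r_2$) is a linear combination of the first two rows, which is the formal content of "such queries teach the adversary nothing about $(x_1,x_2,y_1,y_2)$"; only a non-DDH query that passes the check, with $\alpha\ne\alpha^*$, raises the rank to 4.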

Game 5 [Oracle]. Since the challenger now has unbounded computational power, it need not decrypt with the secret key at all: it can compute $r=\log_{g_1}u_1$ directly and output $m=e\cdot h^{-r}$. Clearly $\text{Game 4}=\text{Game 5}$ from the challenger's point of view (every query that passes the checks is a DDH tuple, for which $u_1^{z_1}u_2^{z_2}=h^r$, so the answers are identical).

$$\color{darkblue}\begin{matrix}\mathcal{C}& &\mathcal{A}\\ pp\leftarrow\text{Setup}(1^\kappa)\\ (pk,sk)\leftarrow\text{KeyGen}(1^\kappa) & \stackrel{pp,pk}{\longrightarrow} \\ \scriptsize x_1,x_2,y_1,y_2,z_1,z_2\leftarrow\mathbb{Z}_q\\ \scriptsize c=g_1^{x_1}g_2^{x_2},\ d=g_1^{y_1}g_2^{y_2},\ h=g_1^{z_1}g_2^{z_2}\\ \scriptsize pk=(c,d,h)\\ \scriptsize sk=(x_1,x_2,y_1,y_2,z_1,z_2)\\ & \stackrel{C=(u_1,u_2,e,v)}{\longleftarrow}& \text{decryption queries}\\ m/\perp\leftarrow\text{Dec}(sk,C) & \stackrel{m/\perp}{\longrightarrow}\\ \scriptsize \text{if }\log_{g_1}u_1\ne\log_{g_2}u_2\text{ then return }\perp\\ \scriptsize \alpha=H(u_1,u_2,e); \\ \scriptsize \text{if }u_1^{x_1+\alpha y_1}u_2^{x_2+\alpha y_2}\ne v\text{ then return }\perp \\ {\color{red}\scriptsize \text{else } r=\log_{g_1}u_1;\ m=e\cdot h^{-r}}\\ b\leftarrow\{0,1\}& \stackrel{(m_0,m_1)}{\longleftarrow}& \text{choose }m_0,m_1\\ C^*\leftarrow\text{Enc}(pk,m_b)& \stackrel{C^*=(u_1^*,u_2^*,e^*,v^*)}{\longrightarrow}& \\ \scriptsize r_1^*,r_2^*\leftarrow\mathbb{Z}_q;\ u_1^*=g_1^{r_1^*},u_2^*=g_2^{r_2^*} \\ \scriptsize e^*=m_b\cdot u_1^{*z_1}u_2^{*z_2} \\ \scriptsize \alpha^*=H(u_1^*,u_2^*,e^*)\\ \scriptsize v^*=u_1^{*x_1+y_1\alpha^*}u_2^{*x_2+y_2\alpha^*} \\ \scriptsize C^*=(u_1^*,u_2^*,e^*,v^*)\\ & \stackrel{C=(u_1,u_2,e,v)\ne C^*}{\longleftarrow}& \text{decryption queries}\\ m/\perp\leftarrow\text{Dec}(sk,C) & \stackrel{m/\perp}{\longrightarrow}\\ \scriptsize \alpha=H(u_1,u_2,e); \\ \scriptsize \text{if }\alpha=\alpha^*\text{ then return }\perp \\ \scriptsize \cdots\\ \mathcal{A}\text{ wins iff }b'=b & \stackrel{b'}{\longleftarrow} & \text{compute }b'\end{matrix}$$

Game 6 [Oracle]. Observe that $e^*$ is itself uniformly distributed (guaranteed by the structure of the cyclic group, as in the CPA argument), so replacing $e^*$ by a uniformly random group element is undetectable to the adversary; this gives Game 6. Thus $\text{Game 5}\approx\text{Game 6}$. Moreover, in Game 6 clearly $\Pr[\mathcal{A}\text{ wins}]=0.5$, because the challenger never looks at $m_b$ at all.

$$\color{darkblue}\begin{matrix}\mathcal{C}& &\mathcal{A}\\ pp\leftarrow\text{Setup}(1^\kappa)\\ (pk,sk)\leftarrow\text{KeyGen}(1^\kappa) & \stackrel{pp,pk}{\longrightarrow} \\ \scriptsize x_1,x_2,y_1,y_2,z_1,z_2\leftarrow\mathbb{Z}_q\\ \scriptsize c=g_1^{x_1}g_2^{x_2},\ d=g_1^{y_1}g_2^{y_2},\ h=g_1^{z_1}g_2^{z_2}\\ \scriptsize pk=(c,d,h)\\ \scriptsize sk=(x_1,x_2,y_1,y_2,z_1,z_2)\\ & \stackrel{C=(u_1,u_2,e,v)}{\longleftarrow}& \text{decryption queries}\\ m/\perp\leftarrow\text{Dec}(sk,C) & \stackrel{m/\perp}{\longrightarrow}\\ \scriptsize \text{if }\log_{g_1}u_1\ne\log_{g_2}u_2\text{ then return }\perp\\ \scriptsize \alpha=H(u_1,u_2,e); \\ \scriptsize \text{if }u_1^{x_1+\alpha y_1}u_2^{x_2+\alpha y_2}\ne v\text{ then return }\perp \\ \scriptsize \text{else } r=\log_{g_1}u_1;\ m=e\cdot h^{-r}\\ b\leftarrow\{0,1\}& \stackrel{(m_0,m_1)}{\longleftarrow}& \text{choose }m_0,m_1\\ C^*\leftarrow\text{Enc}(pk,m_b)& \stackrel{C^*=(u_1^*,u_2^*,e^*,v^*)}{\longrightarrow}& \\ \scriptsize r_1^*,r_2^*\leftarrow\mathbb{Z}_q;\ u_1^*=g_1^{r_1^*},u_2^*=g_2^{r_2^*} \\ {\color{red}\scriptsize e^*\leftarrow\mathbb{G}} \\ \scriptsize \alpha^*=H(u_1^*,u_2^*,e^*)\\ \scriptsize v^*=u_1^{*x_1+y_1\alpha^*}u_2^{*x_2+y_2\alpha^*} \\ \scriptsize C^*=(u_1^*,u_2^*,e^*,v^*)\\ & \stackrel{C=(u_1,u_2,e,v)\ne C^*}{\longleftarrow}& \text{decryption queries}\\ m/\perp\leftarrow\text{Dec}(sk,C) & \stackrel{m/\perp}{\longrightarrow}\\ \scriptsize \alpha=H(u_1,u_2,e); \\ \scriptsize \text{if }\alpha=\alpha^*\text{ then return }\perp \\ \scriptsize \cdots\\ \mathcal{A}\text{ wins iff }b'=b & \stackrel{b'}{\longleftarrow} & \text{compute }b'\end{matrix}$$

In summary,

$$\begin{aligned}\text{Game 0}&=\text{Game 1}\stackrel{\text{CR}}{\approx}\text{Game 2}\stackrel{\text{DDH}}{\approx}\text{Game 3}\\&\approx\text{Game 4}=\text{Game 5}\approx\text{Game 6}=\frac{1}{2}\end{aligned}$$

That is, CS-PKE is CCA2 secure.