
CSA E0 235: Cryptography April 6, 2015

Lecture 11

Instructor: Arpita Patra Submitted by: Dheeraj Ram

1 A CCA Secure KEM Scheme

In Lecture 10, we have already seen a KEM scheme called the El-Gamal like KEM, which is CPA secure if the Hash Diffie-Hellman assumption (HDH assumption) holds. We are going to state that the El-Gamal like KEM is CCA secure if another assumption, called the Oracle Diffie-Hellman assumption, holds.

1.1 Oracle Diffie-Hellman Assumption

Definition 1 We say the Oracle Diffie-Hellman problem is hard relative to a group $(G, o)$ and a hash function $H : G \to \{0, 1\}^m$ if no PPT adversary $A$ can distinguish $H(g^{xy})$ from a random string $r \in_R \{0, 1\}^m$ with more than negligible probability, given $g^x$, $g^y$ and an oracle service $O_y(X) := H(X^y)$ with permission to query anything except $g^x$.

Mathematically,

$$\left|\Pr\left[A^{O_y(\cdot)}(G, o, q, g, g^x, g^y, H(g^{xy})) = 1\right] - \Pr\left[A^{O_y(\cdot)}(G, o, q, g, g^x, g^y, r) = 1\right]\right| \le \mathsf{negl}$$

The Oracle Diffie-Hellman assumption (ODH) says there exists such a group $G$ and a hash function $H$ such that the Oracle Diffie-Hellman problem is hard relative to $(G, H)$. ♦

1.2 Security of El-Gamal like KEM scheme

We say a KEM scheme is CCA secure if no PPT adversary has more than negligibly better than $\frac{1}{2}$ probability of success in the following experiment of key distinguishability. That is, if $\Pi = (\mathrm{Gen}, \mathrm{Encaps}, \mathrm{Decaps})$ is a CCA secure KEM scheme then

$$\Pr\left[\mathrm{KEM}^{cca}_{A,\Pi}(n) = 1\right] \le \frac{1}{2} + \mathsf{negl}$$

Theorem 1 El-Gamal like KEM scheme is CCA secure if ODH Assumption holds.

Proof We are going to prove it by reduction. Let's call the El-Gamal like KEM scheme $\Pi$. First we assume that there exists a PPT adversary $A$ which can break the CCA security of $\Pi$. Then we construct a distinguisher $D$ which breaks the ODH assumption. As $\Pi$ is a public key scheme, we don't need to explicitly provide the encapsulation to $A$, since $A$ can compute that itself with the public key. But the difference comes in the decryption (decapsulation) oracle service.

As our $A$ can break the CCA security of the KEM,

$$\Pr\left[\mathrm{KEM}^{cca}_{A,\Pi}(n) = 1\right] \ge \frac{1}{2} + \frac{1}{p(n)}$$

The distinguisher D outputs the same bit returned by the Adversary A. So

$$\begin{aligned}
\Pr[D(1) = 1] - \Pr[D(0) = 1] &= \Pr[\mathrm{out}_D = 1 \wedge b' = 1] - \Pr[\mathrm{out}_D = 1 \wedge b' = 0] \\
&= \Pr[b' = 1] \cdot \Pr[\mathrm{out}_D = 1 \mid b' = 1] - \Pr[b' = 0] \cdot \Pr[\mathrm{out}_D = 1 \mid b' = 0] \\
&= \tfrac{1}{2} \cdot \Pr[\mathrm{out}_A = 1 \mid b' = 1] - \tfrac{1}{2} \cdot \Pr[\mathrm{out}_A = 1 \mid b' = 0] \\
&= \tfrac{1}{2} \cdot \Pr[\mathrm{out}_A = 1 \mid b' = 1] - \tfrac{1}{2} \cdot \left(1 - \Pr[\mathrm{out}_A = 0 \mid b' = 0]\right) \\
&= \left(\tfrac{1}{2} \cdot \Pr[\mathrm{out}_A = 1 \mid b' = 1] + \tfrac{1}{2} \cdot \Pr[\mathrm{out}_A = 0 \mid b' = 0]\right) - \tfrac{1}{2} \\
&= \left(\Pr[b' = 1] \cdot \Pr[\mathrm{out}_A = 1 \mid b' = 1] + \Pr[b' = 0] \cdot \Pr[\mathrm{out}_A = 0 \mid b' = 0]\right) - \tfrac{1}{2} \\
&= \Pr\left[\mathrm{KEM}^{cca}_{A,\Pi}(n) = 1\right] - \tfrac{1}{2} \\
&\ge \left(\tfrac{1}{2} + \tfrac{1}{p(n)}\right) - \tfrac{1}{2} \\
&= \tfrac{1}{p(n)}
\end{aligned}$$

This violates our ODH assumption. We succeeded in building a distinguisher $D$ for the ODH problem using a CCA-breaking adversary $A$ for $\Pi$. So no PPT adversary can break the CCA security of $\Pi$ while the ODH assumption holds. This completes our proof.

2 Diffie-Hellman Integrated Encryption Scheme (DHIES) - ISO/IEC 18033-2

Here we only discuss the construction, and leave the security proof to be covered by one of the term paper presentations. DHIES is a CCA secure hybrid encryption scheme which uses the El-Gamal like KEM, a CPA secure SKE, and a strong CMA secure MAC. The overall picture is as follows. If $PK$ is the public key and $SK$ is the secret key of the receiver, $\mathrm{Encaps}(PK)$ on the sender's side generates a $(c, k)$ pair. $k$, a key of $2n$ bits, is split into two $n$-bit keys $k_1$ and $k_2$, and the message $m$ is encrypted as $c_{cpa} = \mathrm{Enc}_{k_1}(m)$. Now using key $k_2$, a tag $t$ is generated on $c_{cpa}$ by $t = \mathrm{Mac}_{k_2}(c_{cpa})$. Now we send $(c, c_{cpa}, t)$ over the channel.

On the receiver's end, having the private key $SK$, $\mathrm{Decaps}(SK, c)$ generates the same key $k$. Now with the second half of the bits, $k_2$, we first verify the tag $t$ by checking whether $\mathrm{Vrfy}_{k_2}(c_{cpa}, t)$ is 1 or not. Only if the tag is verified (output is 1) do we decrypt the message as $m = \mathrm{Dec}_{k_1}(c_{cpa})$.

We are going to represent the same using figures. The KEM we use in DHIES is the El-Gamal like KEM, but the MAC and SKE can be any schemes that meet the requirements.

• $\Pi_{kem} := (\mathrm{Gen}, \mathrm{Encaps}, \mathrm{Decaps})$ - CCA secure (we use the El-Gamal like KEM)

• $\Pi_{ske} := (\mathrm{Gen}_{ske}, \mathrm{Enc}_{ske}, \mathrm{Dec}_{ske})$ - CPA secure

• $\Pi_{mac} := (\mathrm{Gen}_{mac}, \mathrm{Mac}, \mathrm{Vrfy})$ - sCMA secure

And we are going to build $\Pi_{Hyb} = (\mathrm{Gen}_{Hyb}, \mathrm{Enc}_{Hyb}, \mathrm{Dec}_{Hyb})$ using the above. Here we assume that the hash function associated with $\mathrm{Gen}$ is of the form $H : G \to \{0, 1\}^{2n}$.

2.1 Construction of DHIES

In $\mathrm{Gen}_{Hyb}$, we use the $\mathrm{Gen}$ algorithm of the El-Gamal like KEM scheme to generate the public key ($PK$) and secret key ($SK$).

Algorithm 1: $\mathrm{Gen}_{Hyb}$
Data: $1^n$
Result: $PK_{Hyb}$, $SK_{Hyb}$
1. $(G, o, q, g, h = g^x, H, x) := \mathrm{Gen}(1^n)$;
2. $PK_{Hyb} := (G, o, q, g, h, H)$;
3. $SK_{Hyb} := x$;

The encryption $\mathrm{Enc}_{Hyb}$ is performed using $\mathrm{Encaps}$, $\mathrm{Enc}_{ske}$ and $\mathrm{Mac}$.

Similarly, the decryption $\mathrm{Dec}_{Hyb}$ is performed using $\mathrm{Decaps}$, $\mathrm{Dec}_{ske}$ and $\mathrm{Vrfy}$.
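As an added example (not part of the lecture notes), the DHIES flow of this section in Python: Encaps/Decaps of the El-Gamal like KEM (assumed here to be $c = g^y$, $k = H(h^y)$ with $H$ = SHA-256, so $2n = 256$), the split of $k$ into $k_1 \| k_2$, a stand-in XOR stream cipher for the CPA-secure SKE, HMAC-SHA256 for the sCMA-secure MAC, and the verify-before-decrypt order of $\mathrm{Dec}_{Hyb}$, which makes a tampered $c_{cpa}$ fail closed. The group parameters and sample message are constructed; the group is a toy one, far too small for real use.

```python
# Added example (not from the lecture notes): the DHIES flow of Section 2 with
# the El-Gamal like KEM (assumed: c = g^y, k = H(h^y), H = SHA-256 so 2n = 256),
# a stand-in XOR stream cipher as the CPA-secure SKE and HMAC-SHA256 as the MAC.
import hashlib
import hmac
import secrets

# Constructed toy group: the order-q subgroup of Z_p^*, p = 2q + 1 (far too small
# for real use; a realistic instance uses a 2048-bit p or an elliptic curve).
P, Q, G = 1019, 509, 4   # 4 is a square mod 1019, so it generates the order-509 subgroup


def gen():
    """Gen_Hyb reuses the KEM's Gen: PK contains h = g^x, SK = x."""
    x = secrets.randbelow(Q - 1) + 1
    return pow(G, x, P), x


def encaps(h):
    """El-Gamal like KEM: c = g^y, k = H(h^y) = H(g^{xy}), a 2n = 256-bit key."""
    y = secrets.randbelow(Q - 1) + 1
    c = pow(G, y, P)
    return c, hashlib.sha256(pow(h, y, P).to_bytes(2, "big")).digest()


def decaps(x, c):
    """The receiver recomputes k = H(c^x) = H(g^{xy})."""
    return hashlib.sha256(pow(c, x, P).to_bytes(2, "big")).digest()


def ske_xor(k1, nonce, data):
    """Stand-in CPA-secure SKE: XOR with a SHA-256 keystream over (k1, nonce, counter)."""
    out = bytearray()
    for ctr in range((len(data) + 31) // 32):
        block = hashlib.sha256(k1 + nonce + ctr.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[ctr * 32:(ctr + 1) * 32], block))
    return bytes(out)


def enc_hyb(h, m):
    """Enc_Hyb: (c, k) <- Encaps(PK); k = k1 || k2; c_cpa = Enc_k1(m); t = Mac_k2(c_cpa)."""
    c, k = encaps(h)
    k1, k2 = k[:16], k[16:]
    nonce = secrets.token_bytes(16)
    c_cpa = nonce + ske_xor(k1, nonce, m)
    return c, c_cpa, hmac.new(k2, c_cpa, hashlib.sha256).digest()


def dec_hyb(x, c, c_cpa, t):
    """Dec_Hyb: k <- Decaps(SK, c); verify t with k2 first; only then Dec_k1. None means reject."""
    k = decaps(x, c)
    k1, k2 = k[:16], k[16:]
    if not hmac.compare_digest(hmac.new(k2, c_cpa, hashlib.sha256).digest(), t):
        return None   # Vrfy_k2(c_cpa, t) = 0: nothing is decrypted, so nothing leaks about m
    return ske_xor(k1, c_cpa[:16], c_cpa[16:])


def roundtrip_and_tamper(m=b"attack at dawn"):
    """Return (decryption of the honest ciphertext, result after flipping one bit of c_cpa)."""
    h, x = gen()
    c, c_cpa, t = enc_hyb(h, m)
    tampered = c_cpa[:16] + bytes([c_cpa[16] ^ 0x01]) + c_cpa[17:]   # a malleation attempt
    return dec_hyb(x, c, c_cpa, t), dec_hyb(x, c, tampered, t)
```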

3 Cramer-Shoup Encryption Scheme

The Cramer-Shoup encryption scheme, due to Cramer and Shoup [1], is the first efficient CCA-secure public-key encryption scheme not relying on the random-oracle model; its security is based on the DDH assumption.

Let's first look at a different interpretation of the DDH assumption. The DDH assumption states that if $(G, o, q, g)$ is a group of prime order $q$, no PPT adversary $A$ can distinguish $g^{xy}$ from $g^z$ for a random $z$ with more than negligible probability, given $g^x$ and $g^y$. Mathematically,

$$\left|\Pr\left[A(g, g^x, g^y, g^{xy}) = 1\right] - \Pr\left[A(g, g^x, g^y, g^z) = 1\right]\right| \le \mathsf{negl}$$

Let's call the generator $g$ as $g_0$ and $g^x$ as $g_1$. Now $g^y$ becomes $g_0^y$, $g^{xy}$ becomes $g_1^y$ and $g^z$ becomes $g_0^{y'}$, where $y'$ is the power of the generator needed to obtain the group element $g^z$. Let's rewrite the equation, calling $y$ a random number $r$ and $y'$ a random number $r'$:

$$\left|\Pr\left[A(g_0, g_1, g_0^r, g_1^r) = 1\right] - \Pr\left[A(g_0, g_1, g_0^r, g_1^{r'}) = 1\right]\right| \le \mathsf{negl}$$

where $r$ and $r'$ are random numbers, as $x$ and $y$ were in the DDH assumption. From now on we use these notations; the $x$ and $y$ used in the following part have no relation with these. We denote $g_0^r$ as $h_0$ and $g_1^r$ (or $g_1^{r'}$, depending on the situation) as $h_1$.

Let's define $u := g_0^x \cdot g_1^y$ and $v := h_0^x \cdot h_1^y$ for two random elements $x$ and $y$ from $\mathbb{Z}_q$. Obviously, we have to analyse the two cases of whether or not $h_1$ has the same exponent with respect to $g_1$ as $h_0$ has with respect to $g_0$.

Case 1: $h_1 = g_1^r$

It is clear that $u^r = v$ if $h_1 = g_1^r$. We can simply prove it as follows.

$$\begin{aligned}
u^r &= (g_0^x \cdot g_1^y)^r \\
&= g_0^{rx} \cdot g_1^{ry} \\
&= (g_0^r)^x \cdot (g_1^r)^y \\
&= h_0^x \cdot h_1^y \\
&= v
\end{aligned}$$

Case 2: $h_1 = g_1^{r'}$

Claim 2 An all-powerful adversary $A$ can guess $v$ with probability at most $\frac{1}{|G|}$, even given $(g_0, g_1, h_0, h_1, u)$.

Proof Assume $A$ can find the discrete logarithm of any group element. Therefore $A$ can compute $r$, $r'$, $\alpha$ and $R$ (where $g_1 = g_0^{\alpha}$, $u = g_0^R$).

$$u = g_0^R = g_0^x \cdot g_1^y = g_0^{x + \alpha y} \;\Rightarrow\; R = x + \alpha y \qquad (1)$$

$A$, who doesn't know the values of $x$ and $y$, can only find a linear relationship between $x$ and $y$. As $h_1 = g_1^{r'}$, $v$ will have the following form (assume $R'$ is the discrete log of $v$):

$$v = h_0^x \cdot h_1^y = g_0^{rx} \cdot g_1^{r'y} = g_0^{rx + \alpha r' y}$$

Adversary $A$ can't compute $R'$, as $x + \alpha y$ is linearly independent of $rx + \alpha r' y$. In other words, if we assume a particular value for $R'$, then $x + \alpha y = R$ and $rx + \alpha r' y = R'$ become two non-parallel lines in the X-Y plane, so for every candidate $R'$ we can find an $(x, y)$ pair that satisfies both equations. This implies $A$ can't guess $v$ with a better probability than $\frac{1}{|G|}$, which is that of choosing a random element from the group.

4 Cramer-Shoup Encryption: The Construction

We are going to use the fact that no PPT adversary can distinguish $g_1^r$ from $g_1^{r'}$ even if $g_0$, $g_1$, $g_0^r$ are given. We construct a CPA secure scheme first, then update it to a CCA1 secure scheme and finally reach a CCA secure scheme, which is the Cramer-Shoup encryption scheme.

4.1 Constructing a CPA Secure Scheme

Let's call the following scheme $\Pi$.

Algorithm 2: Gen
Data: $1^n$
Result: $PK = (G, o, q, g_0, g_1, u)$, $SK = (x, y)$
1. Generate a prime ordered group $(G, o, q, g)$;
2. Assign $g_0 := g$;
3. Choose a random element $g_1 \in_R G$;
4. Choose random $x$ and $y$ from $\mathbb{Z}_q$;
5. Assign $u := g_0^x \cdot g_1^y$;
6. $PK := (G, o, q, g_0, g_1, u)$;
7. $SK := (x, y)$;

Algorithm 3: Enc
Data: $PK = (G, o, q, g_0, g_1, u)$, $m$
Result: $C_{cpa} = (h_0, h_1, c)$
1. Choose a random $r$ from $\mathbb{Z}_q$;
2. Assign $h_0 := g_0^r$, $h_1 := g_1^r$;
3. Assign $c := u^r \cdot m \;(= v \cdot m)$;
4. $C_{cpa} := (h_0, h_1, c)$;

Algorithm 4: Dec
Data: $SK = (x, y)$, $C_{cpa} := (h_0, h_1, c)$
Result: $m$
1. Assign $v := h_0^x \cdot h_1^y$;
2. Assign $m := c / v$;

Theorem 3 If the DDH problem is hard, then $\Pi$ is a CPA secure scheme.

Proof We will prove it by reduction. Assume $\Pi$ is not a CPA secure scheme. So there exists an adversary $A$ which can break the CPA distinguishability game of $\Pi$ with probability significantly better than half, i.e. for some polynomial $p(n)$,

$$\Pr\left[\mathrm{PubK}^{cpa}_{A,\Pi}(n) = 1\right] \ge \frac{1}{2} + \frac{1}{p(n)}$$

We are going to use this adversary to build a distinguisher $D$ for the DDH problem.

We say the challenger gives a non-DDH pair if it gives $(G, o, q, g_0, g_1, h_0 = g_0^r, h_1 = g_1^{r'})$ for $r \ne r'$, and a DDH pair if it gives $(G, o, q, g_0, g_1, h_0 = g_0^r, h_1 = g_1^r)$. If the challenger gives a DDH pair, then the game between $D$ and $A$ is indeed $\Pi$. The probability of success of $A$ in that case is at least $\frac{1}{2} + \frac{1}{p(n)}$. But if the challenger gives a non-DDH pair (let's call that game $\overline{\Pi}$), then $h_0^x \cdot h_1^y$ will be a random element from the group, as $r'$ is chosen at random. So the probability that $m_0$ is encrypted as $c$ is the same as that of $m_1$ being encrypted as $c$. So over randomly chosen $x$, $y$, $r$ and $r'$, the probability of success of $A$ will be exactly $\frac{1}{2}$. Therefore,

$$\begin{aligned}
\Pr[D(1) = 1] - \Pr[D(0) = 1] &= \Pr[A \text{ wins} \wedge b' = 1] - \Pr[A \text{ wins} \wedge b' = 0] \\
&= \Pr[b' = 1] \cdot \Pr[A \text{ wins} \mid b' = 1] - \Pr[b' = 0] \cdot \Pr[A \text{ wins} \mid b' = 0] \\
&= \tfrac{1}{2} \cdot \Pr[A \text{ wins} \mid b' = 1] - \tfrac{1}{2} \cdot \Pr[A \text{ wins} \mid b' = 0] \\
&= \tfrac{1}{2} \cdot \Pr[A \text{ wins} \mid \text{DDH pair}] - \tfrac{1}{2} \cdot \Pr[A \text{ wins} \mid \text{Non-DDH pair}] \\
&= \tfrac{1}{2} \cdot \Pr\left[\mathrm{PubK}^{cpa}_{A,\Pi}(n) = 1\right] - \tfrac{1}{2} \cdot \Pr\left[\mathrm{PubK}^{cpa}_{A,\overline{\Pi}}(n) = 1\right] \\
&\ge \tfrac{1}{2} \left(\tfrac{1}{2} + \tfrac{1}{p(n)} - \tfrac{1}{2}\right) \\
&= \tfrac{1}{2 p(n)}
\end{aligned}$$

This violates the DDH assumption. So every PPT adversary for the CPA distinguishability experiment with encryption scheme $\Pi$ wins with probability at most negligibly more than half. This completes the proof.

Note that we cannot use El-Gamal for building a CCA secure encryption scheme, as we cannot provide the decryption oracle service (DO) to the adversary in the proof by reduction. The secret key $x$ will be with the challenger. As we cannot provide the DO service to the adversary, we can't prove the CCA security.

4.2 Constructing a CCA Secure Scheme

Let's look at whether the above CPA secure scheme $\Pi$ is a CCA secure scheme or not. We allow the adversary to ask any decryption query except the challenge ciphertext. But he can query $2c$ (the challenge with $c$ replaced by $2c$) to the DO service and obtain $2m$. So with probability 1, an adversary can break the CCA security without violating any assumption. The reason why $\Pi$ is not CCA secure is that it is malleable.

4.2.1 Is Π a CCA-1 Secure Scheme?

The above encryption scheme ($\Pi$) is not even CCA-1 secure. (CCA-1 secure means the adversary gets the DO service only until the challenge phase.) We can show that with a counterexample which uses just one decryption query. We assume that the adversary is powerful, so it has the ability to find the discrete logarithm of an element.

A general decryption query will be of the form $DO : (h_0, h_1, c)$, and the challenger should return a message $m$ as a response. Assume an all-powerful adversary $A$ for $\Pi$ exists. Note that he couldn't calculate $v$ if there were no decryption service (shown in the CPA part). Now he computes $R$ and $\alpha$, which are the DLogs of $u$ and $g_1$ ($u = g_0^R$, $g_1 = g_0^{\alpha}$). We already know that

$$u = g_0^R = g_0^x g_1^y = g_0^{x + \alpha y} \;\Rightarrow\; R = x + \alpha y \qquad (2)$$

If $A$ queries $(h_0 = g_0^r, h_1 = g_1^r, c)$ then the challenger replies with some $m$. If we calculate $v$ as $\frac{c}{m}$,

$$v = \frac{c}{m} = g_0^{R'} = h_0^x h_1^y = g_0^{rx + \alpha r y} \;\Rightarrow\; R' = rx + \alpha r y \qquad (3)$$

This is redundant information, because it is linearly dependent on the previous equation $R = x + \alpha y$. In other words, these two represent the same line in the X-Y plane. So $A$ can't deduce the $(x, y)$ pair, which is the secret key. But if $A$ queries $(h_0 = g_0^r, h_1 = g_1^{r'}, c)$ for some $r' \ne r$, then with the response $m$ we can compute $x$ and $y$ as follows.

$$v = \frac{c}{m} = g_0^{R'} = h_0^x h_1^y = g_0^{rx + \alpha r' y} \;\Rightarrow\; R' = rx + \alpha r' y \qquad (4)$$

This is linearly independent of the equation $R = x + \alpha y$. They represent two non-parallel lines in the X-Y plane, so there exists a unique point of intersection $(x, y)$ which satisfies both equations. That point will be the secret key. So the scheme $\Pi$, even extended with the DO service only before the challenge phase, is not CCA1 secure.
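As an added example (not part of the lecture notes), the scheme $\Pi$ of Algorithms 2-4 in a constructed toy group, followed by the two observations of Sections 4.2 and 4.2.1: decrypting $(h_0, h_1, 2c)$ returns $2m$, and a single pre-challenge query with $h_1 = g_1^{r'}$, $r' \ne r$, lets an adversary that can take discrete logs (brute force here, since the group is tiny) solve equations (2) and (4) for $(x, y)$. Group parameters, exponents and messages are constructed values.

```python
# Added example (not from the lecture notes): Algorithms 2-4 in a constructed toy
# group, then the malleability of Section 4.2 and the secret-key recovery of
# Section 4.2.1; the group is tiny so the "all-powerful" discrete log is brute force.
import secrets

P, Q = 1019, 509   # p = 2q + 1, both prime (constructed toy parameters, not for real use)
G0 = 4             # a square mod p, hence a generator of the order-q subgroup of Z_p^*


def dlog(base, elem):
    """Brute-force discrete log in the order-q subgroup (stands in for the unbounded A)."""
    acc = 1
    for i in range(Q):
        if acc == elem:
            return i
        acc = acc * base % P
    raise ValueError("element not in the subgroup")


def gen():
    """Algorithm 2: PK = (g0, g1, u), SK = (x, y) with u = g0^x g1^y."""
    g1 = pow(G0, secrets.randbelow(Q - 1) + 1, P)
    x, y = secrets.randbelow(Q), secrets.randbelow(Q)
    u = pow(G0, x, P) * pow(g1, y, P) % P
    return (G0, g1, u), (x, y)


def enc(pk, m):
    """Algorithm 3: h0 = g0^r, h1 = g1^r, c = u^r * m (same exponent r for h0 and h1)."""
    g0, g1, u = pk
    r = secrets.randbelow(Q - 1) + 1
    return pow(g0, r, P), pow(g1, r, P), pow(u, r, P) * m % P


def dec(sk, ct):
    """Algorithm 4: v = h0^x h1^y, m = c / v. There is no validity check of any kind."""
    x, y = sk
    h0, h1, c = ct
    v = pow(h0, x, P) * pow(h1, y, P) % P
    return c * pow(v, -1, P) % P


def malleability(pk, sk, m):
    """Section 4.2: a decryption query on (h0, h1, 2c) returns 2m; True if it does."""
    h0, h1, c = enc(pk, m)
    return dec(sk, (h0, h1, 2 * c % P)) == 2 * m % P


def recover_sk(pk, sk, r, r_prime):
    """Section 4.2.1: one pre-challenge query with h1 = g1^r' (r' != r) yields (x, y).
    sk is only used to answer the query, i.e. to play the decryption oracle."""
    g0, g1, u = pk
    alpha = dlog(g0, g1)                    # g1 = g0^alpha
    R = dlog(g0, u)                         # u = g0^R, i.e. R = x + alpha*y              (2)
    c = 1                                   # any c will do: the oracle returns m = c / v
    m = dec(sk, (pow(g0, r, P), pow(g1, r_prime, P), c))
    R_prime = dlog(g0, c * pow(m, -1, P) % P)   # v = c/m = g0^R', R' = r*x + alpha*r'*y  (3)/(4)
    if r_prime == r:
        return None                         # (3): R' = r*R, the same line as (2), nothing learned
    # (4) is independent of (2); solve the 2x2 linear system over Z_q
    y = (R_prime - r * R) * pow(alpha * (r_prime - r) % Q, -1, Q) % Q
    x = (R - alpha * y) % Q
    return x, y
```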

4.3 Constructing a CCA-1 Secure Scheme

The above scheme $\Pi$ fails to be CCA1 secure just because we don't identify, and behave differently on, an invalid decryption query from the adversary. The solution is that we should have a mechanism to check that the exponent used for calculating $h_0$ and $h_1$ is the same. Let's look at the scheme $(\mathrm{Gen}, \mathrm{Enc}, \mathrm{Dec})$ described in Algorithms 5, 6 and 7.

Algorithm 5: Gen
Data: $1^n$
Result: $PK = (G, o, q, g_0, g_1, u, e)$, $SK = (x, y, x', y')$
1. Generate a prime ordered group $(G, o, q, g)$;
2. Assign $g_0 := g$;
3. Choose a random element $g_1 \in_R G$;
4. Choose random $x$, $y$, $x'$ and $y'$ from $\mathbb{Z}_q$;
5. Assign $u := g_0^x \cdot g_1^y$;
6. Assign $e := g_0^{x'} \cdot g_1^{y'}$;
7. $PK := (G, o, q, g_0, g_1, u, e)$;
8. $SK := (x, y, x', y')$;

Algorithm 6: Enc
Data: $PK = (G, o, q, g_0, g_1, u, e)$, $m$
Result: $C_{cpa} = (h_0, h_1, c, f)$
1. Choose a random $r$ from $\mathbb{Z}_q$;
2. Assign $h_0 := g_0^r$, $h_1 := g_1^r$;
3. Assign $c := u^r \cdot m \;(= v \cdot m)$;
4. Assign $f := e^r$;
5. $C_{cpa} := (h_0, h_1, c, f)$;

Algorithm 7: Dec
Data: $SK = (x, y, x', y')$, $C_{cpa} := (h_0, h_1, c, f)$
Result: $m$
if $f = h_0^{x'} h_1^{y'}$ then
    1. Assign $v := h_0^x \cdot h_1^y$;
    2. $m := c / v$;
else
    1. Return $\bot$
end

Clearly, the above attack with an invalid decryption query doesn't work here, as we are checking that the exponent used for calculating $h_0$ and $h_1$ is the same. In fact we can prove that this scheme is CCA1 secure. Let's call this new scheme $\Pi$.

Claim 4 An unbounded powerful adversary cannot compute $(x, y)$ except with negligible probability. Therefore it can guess the bit $b$ with probability no better than $\frac{1}{2} + \mathsf{negl}(\cdot)$.

Proof Let's assume adversary $A$ can compute the DLogs of $u$, $e$ and $g_1$ as $R$, $S$ and $\alpha$.

$$u = g_0^R = g_0^x g_1^y = g_0^{x + \alpha y} \;\Rightarrow\; R = x + \alpha y \qquad (5)$$

Similarly,

$$e = g_0^S = g_0^{x'} g_1^{y'} = g_0^{x' + \alpha y'} \;\Rightarrow\; S = x' + \alpha y' \qquad (6)$$

From (5) and (6) we get two equations, each with 2 unknowns. Assume that somehow $A$ was able to calculate $f$ such that $f = h_0^{x'} h_1^{y'}$ (with $h_1 = g_1^{r'}$); then

$$f = g_0^{S'} = h_0^{x'} h_1^{y'} = g_0^{rx' + \alpha r' y'} \;\Rightarrow\; S' = rx' + \alpha r' y' \qquad (7)$$

Equations (6) and (7) form two linearly independent equations in $x'$ and $y'$. Now, if he makes a decryption query $(h_0, h_1, c, f)$, then indeed it will be accepted, and he gets a message $m$.

$$c / m = v = g_0^{R'} = h_0^x h_1^y = g_0^{rx + \alpha r' y} \;\Rightarrow\; R' = rx + \alpha r' y \qquad (8)$$

Equations (8) and (5) will be linearly independent, so we can compute $x$ and $y$. Then the adversary can beat the challenge with probability 1. This means that if $A$ succeeds in calculating a valid $f$ (where $h_1 = g_1^{r'}$), then this scheme is not CCA1. We now look at the probability that $A$ finds a valid $f$.

Note that $f = h_0^{x'} h_1^{y'}$ is uniformly random for $A$ even given $(g_0, g_1, h_0 = g_0^r, h_1 = g_1^{r'}, e)$. Anyway, he asks with a random group element $f'$. So the probability that the guess of $A$ is a valid $f$ for the corrupted decryption query is $\frac{1}{|G|}$. For the second query it is $\frac{1}{|G| - 1}$, as he can exclude the previous possibility. Assuming polynomially many (say, $t$) decryption queries can be asked, the probability of succeeding in any one of the $t$ queries is $\le \frac{t}{|G| - t}$, which is negligible, as the size of the group is exponentially large. This implies

$$\Pr\left[\mathrm{PubK}^{cca1}_{A,\Pi}(n) = 1\right] \le \frac{1}{2} + \mathsf{negl}$$

This completes the proof.

4.4 Constructing a CCA Secure Scheme

The above scheme is not a CCA secure scheme. We can show it with a counterexample which uses just one post-challenge decryption query to win the CCA indistinguishability experiment. It is as follows.

As in the previous case, the adversary can calculate the discrete logarithms of $u$, $g_1$ and $e$, so equations (5) and (6) follow. Now consider the case where the challenger of the DDH game gives the distinguisher a non-DDH tuple $(g_0, g_1, h_0 = g_0^r, h_1 = g_1^{r'})$. Now when $A$ gives the distinguisher $m_0, m_1$, the distinguisher will do the following:

1. Choose random $(x, y, x', y')$ from $\mathbb{Z}_q$
2. $b \in_R \{0, 1\}$
3. $u = g_0^x g_1^y$
4. $c^* = h_0^x h_1^y \cdot m_b$
5. $f^* = h_0^{x'} h_1^{y'}$

$A$ receives $(h_0, h_1, c^*, f^*)$ in the challenge phase of the CCA game. As he can compute the discrete logarithm,

$$f^* = g_0^{S^*} = h_0^{x'} h_1^{y'} = g_0^{rx' + \alpha r' y'} \;\Rightarrow\; S^* = rx' + \alpha r' y' \qquad (9)$$

Now equations (7) and (9) are independent equations in $x'$ and $y'$. The adversary can compute $x'$ and $y'$. So in a subsequent decryption query the adversary can forge an acceptable $f$ (but with an illegal $h_0, h_1$ pair along with $c$) and get an $m$. Just like in the previous case, this gives another linearly independent equation in $x$ and $y$, which combined with equation (5) gives the adversary both $x$ and $y$. Then with probability 1, $A$ can win the CCA experiment. What we have to make sure is that the adversary is not able to make illegal queries even after seeing the challenge ciphertext.

Algorithm 8: Gen
Data: $1^n$
Result: $PK = (G, o, q, g_0, g_1, u, e, k)$, $SK = (x, y, x', y', x'', y'')$
1. Generate a prime ordered group $(G, o, q, g)$;
2. Assign $g_0 := g$;
3. Choose a random element $g_1 \in_R G$;
4. Choose random $x$, $y$, $x'$, $y'$, $x''$ and $y''$ from $\mathbb{Z}_q$;
5. Assign $u := g_0^x \cdot g_1^y$;
6. Assign $e := g_0^{x'} \cdot g_1^{y'}$;
7. Assign $k := g_0^{x''} \cdot g_1^{y''}$;
8. $PK := (G, o, q, g_0, g_1, u, e, k)$;
9. $SK := (x, y, x', y', x'', y'')$;

Algorithm 9: Enc
Data: $PK = (G, o, q, g_0, g_1, u, e, k)$, $m$
Result: $C_{cpa} = (h_0, h_1, c, f, l)$
1. Choose a random $r$ from $\mathbb{Z}_q$;
2. Assign $h_0 := g_0^r$, $h_1 := g_1^r$;
3. Assign $c := u^r \cdot m \;(= v \cdot m)$;
4. Assign $f := e^r$;
5. Assign $l := k^r$;
6. $C_{cpa} := (h_0, h_1, c, f, l)$;

Algorithm 10: Dec
Data: $SK = (x, y, x', y', x'', y'')$, $C_{cpa} := (h_0, h_1, c, f, l)$
Result: $m$
if $f = h_0^{x'} h_1^{y'}$ AND $l = h_0^{x''} h_1^{y''}$ then
    1. Assign $v := h_0^x \cdot h_1^y$;
    2. $m := c / v$;
else
    1. Return $\bot$
end

Let's look into the following scheme. The scheme $\Pi = (\mathrm{Gen}, \mathrm{Enc}, \mathrm{Dec})$ from Algorithms 8, 9 and 10 will not help, as you will get an equal number of linearly independent equations from the challenge ciphertext. Just increasing the number of variables is not enough. Let's slightly modify the Enc and Dec from Algorithms 9 and 10.

Algorithm 11: Enc
Data: $PK = (G, o, q, g_0, g_1, u, e, k)$, $m$
Result: $C_{cpa} = (h_0, h_1, c, f)$
1. Choose a random $r$ from $\mathbb{Z}_q$;
2. Assign $h_0 := g_0^r$, $h_1 := g_1^r$;
3. Assign $c := u^r \cdot m \;(= v \cdot m)$;
4. Assign $f := e^r k^r$;
5. $C_{cpa} := (h_0, h_1, c, f)$;

Algorithm 12: Dec
Data: $SK = (x, y, x', y', x'', y'')$, $C_{cpa} := (h_0, h_1, c, f)$
Result: $m$
if $f = h_0^{x' + x''} h_1^{y' + y''}$ then
    1. Assign $v := h_0^x \cdot h_1^y$;
    2. $m := c / v$;
else
    1. Return $\bot$
end

The scheme $\Pi = (\mathrm{Gen}, \mathrm{Enc}, \mathrm{Dec})$ from Algorithms 8, 11 and 12 also doesn't help in this scenario, as we can consider $(x' + x'')$ and $(y' + y'')$ as just two variables. Now we come to the last modification. This time, we use a collision resistant hash function $H$.

4.5 Cramer-Shoup Encryption Scheme

The following is the Cramer-Shoup encryption scheme, which is obtained from a slight modification of the last variant of the CCA-1 but not yet CCA scheme (Algorithms 13, 14 and 15).

Algorithm 13: Gen
Data: $1^n$
Result: $PK = (G, o, q, g_0, g_1, u, e, k, H)$, $SK = (x, y, x', y', x'', y'')$
1. Generate a prime ordered group $(G, o, q, g)$;
2. Assign $g_0 := g$;
3. Choose a random element $g_1 \in_R G$;
4. Choose random $x$, $y$, $x'$, $y'$, $x''$ and $y''$ from $\mathbb{Z}_q$;
5. Assign $u := g_0^x \cdot g_1^y$;
6. Assign $e := g_0^{x'} \cdot g_1^{y'}$;
7. Assign $k := g_0^{x''} \cdot g_1^{y''}$;
8. Choose a CR hash function $H$;
9. $PK := (G, o, q, g_0, g_1, u, e, k, H)$;
10. $SK := (x, y, x', y', x'', y'')$;

Algorithm 14: Enc
Data: $PK = (G, o, q, g_0, g_1, u, e, k, H)$, $m$
Result: $C_{cpa} = (h_0, h_1, c, f)$
1. Choose a random $r$ from $\mathbb{Z}_q$;
2. Assign $h_0 := g_0^r$, $h_1 := g_1^r$;
3. Assign $c := u^r \cdot m \;(= v \cdot m)$;
4. Assign $\beta := H(h_0, h_1, c)$;
5. Assign $f := e^r k^{\beta r}$;
6. $C_{cpa} := (h_0, h_1, c, f)$;

Algorithm 15: Dec
Data: $SK = (x, y, x', y', x'', y'')$, $C_{cpa} := (h_0, h_1, c, f)$
Result: $m$
1. $\beta := H(h_0, h_1, c)$;
if $f = h_0^{x' + \beta x''} h_1^{y' + \beta y''}$ then
    1. Assign $v := h_0^x \cdot h_1^y$;
    2. $m := c / v$;
else
    1. Return $\bot$
end

Let's look at whether an adversary can make an illegal query. As usual, we assume the adversary has the ability to compute the discrete logarithm. The adversary will have access to $u$, $e$ and $k$ at the start of the experiment itself, and will obtain $f^*$ at the challenge phase. Assume the discrete logarithms of these variables are $R$, $S$, $T$ and $S'$. We take $\alpha$ as the discrete logarithm of $g_1$. Then these equations follow:

$$u = g_0^R = g_0^x g_1^y = g_0^{x + \alpha y} \;\Rightarrow\; x + \alpha y = R \qquad (10)$$

$$e = g_0^S = g_0^{x'} g_1^{y'} = g_0^{x' + \alpha y'} \;\Rightarrow\; x' + \alpha y' = S \qquad (11)$$

$$k = g_0^T = g_0^{x''} g_1^{y''} = g_0^{x'' + \alpha y''} \;\Rightarrow\; x'' + \alpha y'' = T \qquad (12)$$

$$f^* = g_0^{S'} = g_0^{r(x' + \beta x'') + r' \alpha (y' + \beta y'')} \;\Rightarrow\; r(x' + \beta x'') + r' \alpha (y' + \beta y'') = S' \qquad (13)$$

From equations (11), (12) and (13), $A$ can compute $(x' + \beta x'')$ and $(y' + \beta y'')$. But to make an illegal query, he needs to find a collision for the value $\beta$ (because otherwise he has to query the same $(h_0, h_1, c)$ as a decryption query, which is not allowed as it is the challenge ciphertext).

4.6 Security of Cramer-Shoup Encryption Scheme

Let's call the scheme $\Pi$.

Theorem 5 If DDH is hard, and $H$ is a collision resistant hash function, then $\Pi$ is a CCA secure scheme.

Proof We prove it by reduction. We will construct a distinguisher for the DDH problem using the adversary for $\Pi$. This follows the similar figure in the CPA security of our first scheme, except that there is an additional computation of $f$, and two more elements $(e, k)$ are in the public key. The adversary also has the DO service for $(h_0, h_1, c, f)$, and we reject it all the time. This is because there is only a negligible chance that an adversary can come up with a valid decryption query which satisfies the condition on the parameter $f$. There are 3 cases which explain why we reject all the time (assume the challenge ciphertext is $(h_0^*, h_1^*, c^*, f^*)$):

1. If $(h_0, h_1, c) = (h_0^*, h_1^*, c^*)$ and $f^* \ne f$, then $D$ will reject (the condition on $f$ is not satisfied).

2. If $(h_0, h_1, c) \ne (h_0^*, h_1^*, c^*)$ and $f^* = f$ [i.e. $H(h_0, h_1, c) = H(h_0^*, h_1^*, c^*)$], then $A$ has found a collision, but since $H$ is CR this happens with negligible probability.

3. If $H(h_0, h_1, c) \ne H(h_0^*, h_1^*, c^*)$, there is a small probability that this ciphertext is a valid one.

The probability that the third case happens is at most $\frac{1}{|G|}$, because we need 4 independent constraints on $x'$, $y'$, $x''$ and $y''$. Now, we will get 3 out of 4 from the equations of $e$, $k$ and from the challenge ciphertext. The only way to get a 4th equation is by getting back a decrypted message for a decryption query after the challenge. But that happens only if the validation of $f$ is satisfied, so it happens with probability $\frac{1}{|G|}$ if we choose $f$ as a random element.

So, just rejecting all the decryption queries will 'simulate the challenger' for game $\Pi$ with $1 - \mathsf{negl}$ probability if the challenger for the DDH problem gives a DDH tuple. If it is a non-DDH tuple, the probability that $A$ wins is $\frac{1}{2}$ as $c$ will be random. So the distinguisher $D$ can win the DDH problem with non-negligible probability if the adversary $A$ wins the CCA experiment with probability significantly more than $\frac{1}{2}$. This completes the proof.
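As an added example (not part of the lecture notes), Algorithms 13-15 in Python over a constructed toy group, with the $\mathrm{Dec}$ check $f = h_0^{x' + \beta x''} h_1^{y' + \beta y''}$ of Section 4.5. SHA-256 over $(h_0, h_1, c)$ stands in for the collision resistant $H$, and a 65-bit safe prime $p = 2q + 1$ is searched for at import time (constructed parameters, not a standardised group). The demo shows an honest ciphertext decrypting and the two illegal queries from Sections 4.2 and 4.2.1 ($2c$ in place of $c$; $h_1$ built with a different exponent $r'$) both answered with $\bot$.

```python
# Added example (not from the lecture notes): Algorithms 13-15 in a constructed
# toy group; H is SHA-256 over (h0, h1, c), standing in for the CR hash, and the
# 65-bit safe prime p = 2q + 1 is found at import time (not a standardised group).
import hashlib
import secrets


def is_prime(n):
    """Deterministic Miller-Rabin; exact for n < 3.3e24 with these 12 bases."""
    small = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n in small:
        return True
    if n < 2 or any(n % p == 0 for p in small):
        return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in small:  # composite if a^d is not +-1 and no repeated squaring reaches -1
        x = pow(a, d, n)
        if x not in (1, n - 1) and all((x := x * x % n) != n - 1 for _ in range(s - 1)):
            return False
    return True


def safe_prime(start):
    """Smallest q >= start with q and p = 2q + 1 both prime; returns (p, q)."""
    q = start | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q


P, Q = safe_prime(1 << 64)
G0 = 4  # a square mod p, hence a generator of the order-q subgroup of Z_p^*


def hash_beta(h0, h1, c):
    """beta = H(h0, h1, c) as an exponent in Z_q (SHA-256 stands in for the CR hash)."""
    data = b"".join(v.to_bytes(16, "big") for v in (h0, h1, c))
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def gen():
    """Algorithm 13: PK = (g0, g1, u, e, k), SK = (x, y, x', y', x'', y'')."""
    g1 = pow(G0, secrets.randbelow(Q - 1) + 1, P)
    x, y, x1, y1, x2, y2 = (secrets.randbelow(Q) for _ in range(6))
    u, e, k = (pow(G0, a, P) * pow(g1, b, P) % P for a, b in ((x, y), (x1, y1), (x2, y2)))
    return (G0, g1, u, e, k), (x, y, x1, y1, x2, y2)


def enc(pk, m):
    """Algorithm 14: h0 = g0^r, h1 = g1^r, c = u^r m, beta = H(h0, h1, c), f = e^r k^(beta r)."""
    g0, g1, u, e, k = pk
    r = secrets.randbelow(Q - 1) + 1
    h0, h1 = pow(g0, r, P), pow(g1, r, P)
    c = pow(u, r, P) * m % P
    beta = hash_beta(h0, h1, c)
    return h0, h1, c, pow(e, r, P) * pow(k, beta * r % Q, P) % P


def dec(sk, ct):
    """Algorithm 15: recompute beta, check f, only then return m = c / v; None is the bottom symbol."""
    x, y, x1, y1, x2, y2 = sk
    h0, h1, c, f = ct
    beta = hash_beta(h0, h1, c)
    if f != pow(h0, (x1 + beta * x2) % Q, P) * pow(h1, (y1 + beta * y2) % Q, P) % P:
        return None  # reject: h0 and h1 do not share an exponent, or f was forged
    v = pow(h0, x, P) * pow(h1, y, P) % P
    return c * pow(v, -1, P) % P


def demo(m=321):
    """Return (honest decryption, answer to the 2c query, answer to the r != r' query)."""
    pk, sk = gen()
    g0, g1, u, e, k = pk
    h0, h1, c, f = enc(pk, m)
    malleated = (h0, h1, 2 * c % P, f)   # Section 4.2: accepted by Algorithm 4, rejected here
    r, r_prime = 7, 11                   # Section 4.2.1: h1 built with a different exponent
    bad = (pow(g0, r, P), pow(g1, r_prime, P), 1, pow(e, r, P) * pow(k, r, P) % P)
    return dec(sk, (h0, h1, c, f)), dec(sk, malleated), dec(sk, bad)
```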

11-17

References

[1] R. Cramer and V. Shoup. Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack. SIAM Journal on Computing, 33(1):167–226, 2003.