Concrete Construction from the DDH Assumption (16 / 41)

Matrix approach for ABO-LTFs, due to Peikert and Waters.

Gen(λ, b*) → ek: GenConceal(n, m) outputs C = g^V, the n × m matrix of group elements
  g^{r_1 s_1}  g^{r_1 s_2}  ...  g^{r_1 s_m}
  g^{r_2 s_1}  g^{r_2 s_2}  ...  g^{r_2 s_m}
  ...
  g^{r_n s_1}  g^{r_n s_2}  ...  g^{r_n s_m}
DDH ⇒ C ≈_c U(G^{n×m}).

f_{ek,b}(x) → y: with I' = (e_1, ..., e_m), the evaluation key is ek = g^{V − b* I'} and
  x ∈ Z_2^n ↦ y = x · g^{V − b* I' + b I'} ∈ G^m.

To ensure the invertible property, the input space is restricted to Z_2^n (a.k.a. {0,1}^n) and the column dimension is m = n + 1.
(ABO)-RLFs do not require invertible or even injective (17 / 41)

The same matrix construction, now with m ≪ n and the input space enlarged from Z_2^n to Z_p^n:
  Gen(λ, b*) → ek: GenConceal(n, m) = g^V, DDH ⇒ C = g^V ≈_c U(G^{n×m});
  f_{ek,b}(x): x ∈ Z_p^n ↦ y = x · g^{V − b* I' + b I'} ∈ G^m.

Lemma 3. The above construction constitutes a (p^{n−m}, log p)-ABO-RLF. Writing Y = V − b* I' for the exponent matrix of ek:
  ∀ b ≠ b*: rank(Y + b I') = m, and the #(solution space) for every y ∈ G^m is p^{n−m}.
  b = b*: rank(Y + b I') = 1, and thus the image size is at most p.
  Pseudorandomness of C = g^V ⇒ hidden lossy branch.
Summary and Comparison (18 / 41)

ABO-LTF/RLF        | Assump. | Input        | Lossiness      | Key     | Efficiency
ABO-LTF [PW08]     | DDH     | 2^n          | n − log p      | nm |G|  | nm Add
ABO-RLF            | DDH     | p^n          | (n − 1) log p  | nm |G|  | nm (Exp + Add)
ABO-LTF [FGK+13]   | DCR     | |Z*_{N^2}|   | log N          |         | 1 Exp
ABO-LF             | DCR     | |Z*_{N^2}|   | log N          |         | 1 Exp

Our DDH construction applies to extended DDH, which generalizes DDH, QR and DCR.
We have a more efficient and direct DCR-based construction.
Generic Construction from HPS (19 / 41)

Wee (Eurocrypt 2012): dual HPS ⇒ LTF.
  dual HPS: an HPS satisfying a strong property; no efficient ABO construction is known.
We show: HPS ⇒ ABO-RLF, exploiting the algebraic property of the underlying SMP.
(Algebra) Subset Membership Problem (20 / 41)

Sampling algorithms: SampAll(λ) → X; SampYes(λ) → (x, w) with x ∈ L and witness w ∈ W (via R_L); SampNo(λ) → X \ L; SampR(λ).
Task: distinguish U_X ≈_c U_L. Solution: a bit in {0, 1}.

Algebra SMP (mild & natural): X forms an Abelian group, L forms a subgroup of X. The quotient group H = X / L is cyclic with order p = |X| / |L|.

Algebraic properties ⇒ two useful facts:
  1. Let ā = aL for some a ∈ X \ L be a generator of H; the cosets (aL, 2aL, ..., (p − 1)aL, paL = L) constitute a partition of X.
  2. For each x ∈ L, ia + x ∉ L for 1 ≤ i < p.
Hash Proof System (21 / 41)

L ⊂ X: the language defined by R_L, where SMP holds. An HPS equips L ⊂ X with Gen, Priv, Pub.
  Gen(λ) → (pk, sk) ∈ PK × SK s.t. α(sk) = pk (α is the projection).
  Priv(sk, x) → Λ_sk(x) ∈ Π, for any x ∈ X.
  Pub(pk, x, w) → Λ_sk(x), for x ∈ L with witness w ∈ W (x sampled via SampR(r)).
Projective: ∀ x ∈ L, Λ_sk(x) is uniquely determined by x and pk ← α(sk).
ABO-RLF from HPS for ASMP (22 / 41)

Let aL be a generator for H = X / L. We build an ABO-RLF from an HPS for ASMP as below:
  Gen(λ, b*): (x, w) ← SampYes(λ), output ek = −b* a + x.
  f_{ek,b}(sk): output α(sk) || Λ_sk(ek + b a).

Lemma 4. Assume g_x(sk) := α(sk) || Λ_sk(x) is v-regular for any x ∉ L. The above construction is a (v, log |Img α|)-ABO-RLF under ASMP.
  ek + b a = x + (b − b*) a ∉ L if b ≠ b* ⇒ v-regular.
  ek + b a = x + (b − b*) a ∈ L if b = b* ⇒ lossy, by the projective property.
  ASMP ⇒ hidden lossy branch. For any b*_0, b*_1 ∈ Z_p:
    (−b*_0 a + x) ≈_c (b*_0 a + u) ≡ (b*_1 a + u) ≈_c (b*_1 a + x), where u ← X.
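As an added toy instance of the Lemma 4 construction (not code from the slides or the paper), the following uses the DDH-based hash proof system of Cramer and Shoup on X = G × G with L = {(g1^w, g2^w)} and a = (g1, 1) as the coset generator; the group Z_23^* with its order-11 subgroup, γ = 3, and all key values are constructed parameters chosen small enough to brute-force the regularity claims.

```python
# Toy ABO-RLF from an HPS for an algebraic SMP (Lemma 4), DDH instantiation.
from itertools import product
from collections import Counter

P_MOD, p = 23, 11          # G = <2> inside Z_23^* has prime order p = 11
g1 = 2
g2 = pow(g1, 3, P_MOD)     # g2 = g1^gamma with constructed gamma = 3

def xmul(u, v):            # group law on X = G x G (written additively on the slides)
    return (u[0] * v[0] % P_MOD, u[1] * v[1] % P_MOD)

def xpow(u, e):            # e-fold sum e*u on X; e may be negative
    return (pow(u[0], e % p, P_MOD), pow(u[1], e % p, P_MOD))

A = (g1, 1)                # a in X \ L; aL generates H = X/L because |H| = p is prime

def samp_yes(w):           # SampYes: x = (g1^w, g2^w) in L together with its witness w
    return (pow(g1, w, P_MOD), pow(g2, w, P_MOD)), w

def alpha(sk):             # projection: pk = g1^k1 * g2^k2
    return pow(g1, sk[0], P_MOD) * pow(g2, sk[1], P_MOD) % P_MOD

def priv(sk, x):           # Lambda_sk(x) = x1^k1 * x2^k2, defined on all of X
    return pow(x[0], sk[0], P_MOD) * pow(x[1], sk[1], P_MOD) % P_MOD

def pub(pk, x, w):         # projective property: on L, Lambda_sk(x) = pk^w
    return pow(pk, w, P_MOD)

def gen(b_star, w):        # Gen(lambda, b*): (x, w) <- SampYes, ek = -b* a + x
    x, _ = samp_yes(w)
    return xmul(xpow(A, -b_star), x)

def f(ek, b, sk):          # f_{ek,b}(sk) = alpha(sk) || Lambda_sk(ek + b a)
    return alpha(sk), priv(sk, xmul(ek, xpow(A, b)))

def image_size(ek, b):
    """Image size of f_{ek,b} over all sk in Z_p^2. For b != b* the input
    ek + b a lies outside L and g_x is 1-regular (image p^2); for b == b* it
    lies in L and the output is fixed by pk alone (image at most |Img alpha| = p)."""
    return len(Counter(f(ek, b, sk) for sk in product(range(p), repeat=2)))
```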
Outline (23 / 41)
  1. Backgrounds
  2. Regular Lossy Functions
  3. Constructions of ABO-RLFs: Concrete Construction; Generic Construction
  4. Applications of RLFs: Leakage-Resilient OWFs; Leakage-Resilient MAC; Leakage-Resilient CCA-secure KEM
Leakage-Resilient Cryptography (24 / 41)

A cryptographic functionality F (e.g., Sign, Dec) takes an input x and a secret key sk and outputs F(sk, x).
Black-box model: the implementation is assumed leakage proof.
Leakage attacks (since 1996) invalidate this idealized assumption: real implementations are leakage prone, and the adversary additionally obtains leak(sk).
Bounded Leakage Model (25 / 41)

In this work, we focus on a simple yet general leakage model called the Bounded Leakage Model: the adversary adaptively submits leakage functions g_i and receives g_i(sk), subject to the total bound ∑_i |g_i(sk)| ≤ ℓ, with ℓ below |sk|.
Leakage-Resilient OWFs (26 / 41)

Game: CH picks x* ← {0,1}^n, computes y* ← f(x*) and sends (f, y*) to A; A submits leakage queries g_i and receives g_i(x*); A outputs x and wins if x = x*.

Theorem 5. The normal mode of (1, τ)-RLFs (i.e., LFs) over domain {0,1}^n constitutes a family of ℓ-leakage-resilient injective OWFs, for any ℓ ≤ n − τ − ω(log λ).
Proof of Theorem 5 (27 / 41)

Game 0: real game.
  1. Setup: CH generates f ← RLF.GenNormal(λ), picks x* ← {0,1}^n and sends (f, y* = f(x*)) to A.
  2. Leakage queries: A → g_i, CH responds with g_i(x*).
  3. Invert: A outputs x and wins if x = x*.
  Adv_A(λ) = Pr[S_0]

Game 1: same as Game 0 except that:
  1. Setup: CH generates f ← RLF.GenLossy(λ).
  Security of RLFs ⇒ |Pr[S_1] − Pr[S_0]| ≤ negl(λ).

In Game 1, H̃_∞(x* | (y*, leak)) ≥ n − τ − ℓ. By the parameter choice, H̃_∞(x* | (y*, leak)) ≥ ω(log λ) ⇒ Pr[S_1] ≤ negl(λ), even w.r.t. an unbounded adversary.
Leakage-Resilient MAC (28 / 41)

A MAC consists of Setup, Tag, Vrfy. Leakage-resilient strong unforgeability game:
  (pp, k) ← Setup(λ); A receives pp.
  Tag queries: A → m_i, CH responds with t_i ← Tag(k, m_i).
  Leakage queries: A → g_i, CH responds with g_i(k).
  Forge: A outputs (m*, t*) and wins if Vrfy(k, m*, t*) = 1 and (m*, t*) ≠ (m_i, t_i).

Strong unforgeability can be relaxed in several ways:
  One-time: A only makes one tag query.
  Selective: A commits to the target message before seeing pp.
Construction (29 / 41)

Ingredient: a (v, τ)-ABORLF.
  KeyGen: ek ← ABORLF.Gen(λ, 0^d), k ← {0,1}^n.
  Tag: k is the input, m is the branch, t is the output: t ← f_{ek,m}(k).
  Vrfy: check t =? f_{ek,m}(k).
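As an added example (not code from the slides or the paper), a toy instance of the matrix ABO-RLF of Lemma 3 with the one-time MAC of this slide built on top of it; the group Z_23^* with its order-11 subgroup, the dimensions n = 3, m = 2, and the vectors r, s are constructed parameters small enough to brute-force the regularity and lossiness claims.

```python
# Toy matrix ABO-RLF (Lemma 3) and the ABO-RLF-based one-time MAC (slide 29).
from itertools import product
from collections import Counter
import secrets

P_MOD = 23      # Z_23^* contains a subgroup G of prime order p = 11
G_GEN = 2       # 2 has order 11 mod 23, so G = <2>
p = 11          # |G|; exponents live in Z_p
n, m = 3, 2     # input dimension n, output dimension m (m << n, as on slide 17)

def gen(b_star, r, s):
    """Gen(lambda, b*): ek = g^(V - b* I'), where V = r s^T has rank 1 and
    I' = (e_1, ..., e_m) stacked over n - m zero rows.  In the real scheme
    r and s are random; here the caller passes constructed values."""
    return [[pow(G_GEN, (r[i] * s[j] - b_star * (i == j)) % p, P_MOD)
             for j in range(m)] for i in range(n)]

def f(ek, b, x):
    """f_{ek,b}(x) = x . (ek (.) g^(b I')):  y_j = prod_i (ek[i][j] * g^(b I'_ij))^x_i."""
    y = []
    for j in range(m):
        acc = 1
        for i in range(n):
            cell = ek[i][j] * pow(G_GEN, b % p if i == j else 0, P_MOD) % P_MOD
            acc = acc * pow(cell, x[i], P_MOD) % P_MOD
        y.append(acc)
    return tuple(y)

def image_profile(ek, b):
    """Brute-force all of Z_p^n; returns (image size, set of preimage counts).
    Lemma 3: for b != b* there are p^m images with p^(n-m) preimages each
    (regular); for b == b* the image has at most p elements (lossy)."""
    counts = Counter(f(ek, b, x) for x in product(range(p), repeat=n))
    return len(counts), set(counts.values())

# One-time MAC: the key is the RLF input, the message is the branch.
def mac_keygen(r, s):
    ek = gen(0, r, s)                                   # ek <- ABORLF.Gen(lambda, 0^d)
    k = tuple(secrets.randbelow(2) for _ in range(n))   # k <- {0,1}^n, a subset of Z_p^n
    return ek, k

def mac_tag(ek, k, msg):
    return f(ek, msg % p, k)          # t <- f_{ek,m}(k); the branch space here is Z_p

def mac_verify(ek, k, msg, t):
    return f(ek, msg % p, k) == t     # t =? f_{ek,m}(k)
```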
Theorem 6 (30 / 41). The above MAC is ℓ-leakage-resilient selectively one-time sUF for any ℓ ≤ n − τ − log v − ω(log λ).

Game 0 (real game):
  1. Setup: A → m*; CH generates ek ← ABORLF.Gen(λ, 0^d), picks k ← {0,1}^n, computes t* ← f_{ek,m*}(k) and then sends (ek, t*) to A.
  2. Leakage queries: A → g_i, CH responds with g_i(k).
  3. Forge: A → (m, t) and wins if m ≠ m* ∧ t = f_{ek,m}(k).
  Adv_A(λ) = Pr[S_0]
Game 1 (31 / 41): same as Game 0 except that:
  1. Setup: CH generates ek ← ABORLF.Gen(λ, m*).
  Hidden lossy branch ⇒ |Pr[S_1] − Pr[S_0]| ≤ negl(λ).

In Game 1, A's view includes (ek, leak, t*). We have:
  H̃_∞(t | view) = H̃_∞(t | ek, leak, t*)
                 ≥ H̃_∞(t | ek) − ℓ − τ
                 ≥ H̃_∞(k | ek) − log v − ℓ − τ
                 = n − log v − ℓ − τ
By the parameter choice, H̃_∞(t | view) ≥ ω(log λ) ⇒ Pr[S_1] ≤ negl(λ), even w.r.t. an unbounded adversary.
Leakage-Resilient CCA-secure KEM (32 / 41)

A KEM consists of Setup, Encap, Decaps. Leakage-resilient CCA game:
  (pk, sk) ← Setup(λ); A receives pk.
  Decaps queries: A → c_i, CH responds with k_i ← Decaps(sk, c_i).
  Leakage queries: A → g_i, CH responds with g_i(sk).
  Challenge: (c*, k*_0) ← Encap(pk), k*_1 ← K, β ← {0,1}; CH sends (c*, k*_β) to A.
  A outputs β′ and wins if β′ = β.
Security requires |Pr[β′ = β] − 1/2| ≤ negl(λ).
Construction (33 / 41)

Ingredients: HPS, ABORLF, strong extractor ext.
  KeyGen: (pk, sk) ← HPS.Gen(λ), ek ← ABORLF.Gen(λ, 0^{m+d}).
  Encaps(pk, ek): (x, w) ← SampYes(λ), π ← Pub(pk, x, w), s ← {0,1}^d, t ← f_{ek, x||s}(π), k ← ext(π, s); output c = (x, s, t) and k.
    π is used to derive k and to authenticate x || s.
  Decaps(sk, ek, c = (x, s, t)): π ← Priv(sk, x); if t = f_{ek, x||s}(π) output k ← ext(π, s), otherwise output ⊥.
Theorem 7 (34 / 41). Suppose SMP for L ⊂ {0,1}^m is hard, HPS is ϵ_1-universal_1 and n = log(1/ϵ_1), ABORLF is (v, τ)-regularly-lossy, and ext is an (n − τ − ℓ, κ, ϵ_2)-strong extractor. Then the above KEM is ℓ-LR CCA secure for any ℓ ≤ n − τ − log v − ω(log λ).

Game 0 (real game):
  1. Setup: CH generates (pk, sk) ← HPS.Gen(λ), ek ← ABORLF.Gen(λ, 0^{m+d}), sends (pk, ek) to A.
  2. Leakage queries ⟨g_i⟩: CH responds with g_i(sk).
  3. Challenge: CH picks β ← {0,1}, s* ← {0,1}^d, (x*, w*) ← SampYes(λ), computes π* ← Pub(pk, x*, w*), t* ← f_{ek, x*||s*}(π*), k*_0 ← ext(π*, s*), picks k*_1 ← {0,1}^κ, and sends c* = (x*, s*, t*) and k*_β to A.
  4. Decaps queries ⟨c = (x, s, t) ≠ c*⟩: CH computes π ← Λ_sk(x), outputs k ← ext(π, s) if t = f_{ek, x||s}(π) and ⊥ otherwise.
  Adv_A(λ) = Pr[S_0] − 1/2
Proof of Theorem 7 (35 / 41)

Game 1: CH samples (x*, w*) and s* at Setup. Pr[S_0] = Pr[S_1].
Game 2: CH generates ek ← ABORLF.Gen(λ, x* || s*). Hidden lossy branch ⇒ |Pr[S_2] − Pr[S_1]| ≤ negl(λ).
Game 3: CH computes π* via Priv. Correctness of HPS ⇒ Pr[S_3] = Pr[S_2].
Game 4: CH samples x* via SampNo rather than SampYes. SMP ⇒ |Pr[S_4] − Pr[S_3]| ≤ negl(λ).
Game 5: CH directly rejects if A makes an invalid but well-formed decaps query.