Efficient KDM-CCA Secure Public-Key Encryption via Auxiliary-Input Authenticated Encryption
Table 2
Brief description of the security proof of Theorem 24.
Changes between adjacent games
Assumptions
The original -KDM-CCA security game.
—
DECRYPT: reject if for some .
INITIALIZE: sample secret keys with .
ENCRYPT: use the secret keys to run KEM.Encrypt and .Encrypt.
ENCRYPT: when ENCRYPT oracle encrypts affine function of secret keys, .c is computed with instead of . ENCRYPT does not use any more if is carefully chosen.
by
ENCRYPT:kem.ct () of KEM.Encrypt is computed with instead of . Now KEM.Encrypt encapsulates four keys but is the key used in AIAE.Encrypt.
by
ENCRYPT: sample for . Now KEM.Encrypt encapsulates four keys but is the key used in AIAE.Encrypt.
DECRYPT: use and secret keys to answer decryption queries.
DECRYPT: add an additional rejection rule. Reject if or happens. and can be detected by using . Now only the part of secret keys and are used in DECRYPT. The randomness of perfectly hides in ENCRYPT, thus is uniform. is the key used in AIAE.Encrypt. may lead to a fresh successful forgery for .
if neither nor happens. due to weak INT--RKA security of
INITIALIZE: sample an independent random tuple . ENCRYPT: use in AIAE.Encrypt.
to the adversary
ENCRYPT: encrypt zeros instead of the affine function of secret keys. happens with negligible probability, since in DECRYPT. Adversary wins with probability 1/2.