Score:1

Prove CPA security

eg flag

Assume $(Gen, Enc, Dec)$ is a public-key encryption scheme with message space M that is CPA-secure. Prove that the encryption scheme $(Gen^2, Enc^2, Dec^2)$ is CPA-secure.

$Gen^2=(pk_0, sk_0) \leftarrow Gen, (pk_1, sk_1)\leftarrow Gen$ output: $pk=(pk_0,pk_1)$ and $sk=(sk_0,sk_1)$

$Enc^2(pk, (m_0,m_1))=(Enc(pk_0,m_0),Enc(pk_1,m_1))$

$Dec^2(sk, (c_0,c_1))=(Dec(sk_0,c_0),Dec(sk_1,c_1))$

I've studied Introduction to Modern Cryptography and some other books but I don't know where to start to prove this. Can anyone give me some hint?

kelalaka avatar
in flag
The usual approach is this; consider adversary $A$ has a non-negligible advantage on the CPA-security of the second scheme then show that the first scheme cannot be CPA-secure, too, and derive a contradiction.
kelalaka avatar
in flag
To loose CPA security you may assume one of the encryption fails or both..
Score:1
cn flag

For the sake of readability we adjust the notation somewhat. Let $\Pi=(Gen,Enc,Dec)$ be a $\mathsf{CPA}$-secure public-key encryption scheme with message space $\mathcal{M}$. We wish to prove that $\Pi^2=(Gen^2,Enc^2,Dec^2)$, with message space $\mathcal{M}\times\mathcal{M}$ is also $\mathsf{CPA}$-secure, where

$\underline{(pk,sk)\gets Gen^2(1^n)}$:

  • $(pk_\alpha,sk_\alpha)\gets Gen(1^n)$
  • $(pk_\beta,sk_\beta)\gets Gen(1^n)$
  • $(pk,sk):= \big((pk_\alpha,pk_\beta),(sk_\alpha,sk_\beta)\big)$

$\underline{c\gets Enc^2(pk,m)}$:

  • $(pk_\alpha,pk_\beta) := pk$
  • $(m_\alpha,m_\beta) := m$
  • $c_\alpha \gets Enc(pk_\alpha,m_\alpha)$
  • $c_\beta \gets Enc(pk_b,m_\beta)$
  • $c:=(c_\alpha,c_\beta)$

$\underline{m := Dec^2(sk,c)}$:

  • $(sk_\alpha,sk_\beta) := sk$
  • $(c_\alpha,c_\beta) := c$
  • $m_\alpha := Dec(sk_\alpha, c_\alpha)$
  • $m_\beta := Dec(sk_\beta, c_\beta)$
  • $m := (m_\alpha,m_\beta)$.

We can prove the following claim by proving the contrapositive, i.e

$\underline{Claim:}$ \begin{align*} &\Pi\text{ is $\mathsf{CPA}$-secure}\implies\Pi^2\text{ is $\mathsf{CPA}$-secure} \\ \iff &\Pi^2\text{ is $\lnot\mathsf{CPA}$-secure}\implies\Pi\text{ is $\lnot\mathsf{CPA}$-secure}. \end{align*}

$\underline{Proof:}$

To prove the contrapositive, we assume there exists an adversary $\mathcal{A}^2$ against $\Pi^2$, such that $$\Pr[\mathsf{PubK}^{\mathsf{CPA}}_{\mathcal{A}^2,\Pi^2}(n)=1]>\frac{1}{2}+\mathsf{negl}(n).$$ In other words, $\mathcal{A}^2$ can win against $\Pi^2$ in the $\mathsf{CPA}$ game with non-negligible advantage.

We will now use $\mathcal{A}^2$ to construct an adversary $\mathcal{A}$ against $\Pi$ in the $\mathsf{CPA}$ game.

The $\mathsf{CPA}$ game proceeds as follows:

  1. $Gen(1^n)$ is run to obtain keys $(pk_\alpha, sk_\alpha)$.
  2. Adversary $\mathcal{A}$ is given $pk_\alpha$ as well as oracle access to $Enc(pk_\alpha,\cdot)$. Next, $\mathcal{A}$ runs $Gen(1^n)$ to obtain $(pk_\beta, sk_\beta)$.
  3. Adversary $\mathcal{A}^2$ is given $pk:=(pk_\alpha,pk_\beta)$ as well as oracle access to $Enc^2(pk,\cdot)$.
  4. $\mathcal{A}^2$ outputs a pair of distinct messages $m_0:=(m_{0_\alpha},m_{0_\beta}), m_1:=(m_{1_\alpha},m_{1_\beta}) \in\mathcal{M}\times\mathcal{M}$ with $m_{0_\beta} = m_{1_\beta}$ and $|m_0|=|m_1|$. In other words, the messages $m_0$, $m_1$ are different, but the second half is the same.
  5. After receiving $m_0$ and $m_1$ from $\mathcal{A}^2$, the adversary $\mathcal{A}$ forwards only the first parts $m_{0_\alpha}$,$m_{1_\alpha}$ to the $\mathsf{CPA}$ game.
  6. The game chooses a random bit $b \in \{0, 1\}$, and the challenge ciphertext $c_\alpha \gets Enc(pk_\alpha, m_{b_\alpha})$ is computed and given to $\mathcal{A}$. $\mathcal{A}$ continues to have access to $Enc(pk_\alpha,\cdot)$.
  7. Now $\mathcal{A}$ computes the second half of the challenge ciphertext as $c_\beta \gets Enc(pk_\beta, m_{0_\beta}=m_{1_\beta})$. Note that $\mathcal{A}$ doesn't need to know the challenge bit $b$. Then, $\mathcal{A}$ sends the challenge ciphertext \begin{align*} c&:=(c_\alpha,c_\beta)\\&:=\big(Enc(pk_\alpha, m_{b_\alpha}),Enc(pk_\beta, m_{0_\beta}=m_{1_\beta})\big)\end{align*} to $\mathcal{A}^2$. $\mathcal{A}^2$ continues to have access to $Enc^2(pk,\cdot)$.
  8. $\mathcal{A}^2$ returns a guess bit $b''$ to $\mathcal{A}$.
  9. $\mathcal{A}$ sets its own guess bit $b':=b''$, and returns $b'$ to the $\mathsf{CPA}$ game.
  10. The output of the game is defined to be $1$ if $b'= b$, and $0$ otherwise.

From the reduction it follows that, \begin{align*} \Pr[\mathsf{PubK}^{\mathsf{CPA}}_{\mathcal{A},\Pi}(n)=1]&=\Pr[\mathsf{PubK}^{\mathsf{CPA}}_{\mathcal{A}^2,\Pi^2}(n)=1] \\&>\frac{1}{2}+\mathsf{negl}(n). \end{align*} Here, the last inequality follows from our assumptions that $\mathcal{A}^2$ can win against $\Pi^2$ in the $\mathsf{CPA}$ game with non-negligible advantage.
Finally, this proves the initial claim that $\Pi\text{ is $\mathsf{CPA}$-secure}\implies\Pi^2\text{ is $\mathsf{CPA}$-secure}$. $\;\blacksquare$

kelalaka avatar
in flag
We don't answer to HW questions as [our current homework policy](https://crypto.meta.stackexchange.com/a/1117). We only provide hints to them in the comments. It is better to be deleted.
kelalaka avatar
in flag
Not as spoiler, to be deleted.
Maarten Bodewes avatar
in flag
As an exception we've let the answer stand, as it was probably posted without knowing our homework policy, but please note that this is the exception, not the norm. Thanks for the effort :)
kelalaka avatar
in flag
@MaartenBodewes Could you act for deletion? P4i11ip, you are welcome to contribute, however, this is a community and some community agreements on the [meta]. If you don't agree on it you can downvote on the [meta] without losing any point at all.
mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.