Theorem 1. Suppose $\bar F$, $\bar G$, $\check F$ and $\check G$ are pseudorandom functions such that $\bar D$, $\bar T$, $\check D$ and $\check T$ are superpolynomially large: $|\bar D|, |\bar T|, |\check D|, |\check T| \ge 2^{\omega(\log \lambda)}$. If $\bar T$ and $\check T$ are selectively secure and $K$ is secure, then $H$ is a secure MDHAE.
Proof 1. We use the notation defined in Construction 1.
We define $\mathrm{Adv}_{\bar F}(\lambda)$, $\mathrm{Adv}_{\bar G}(\lambda)$, $\mathrm{Adv}_{\check F}(\lambda)$ and $\mathrm{Adv}_{\check G}(\lambda)$ to be the distinguishing advantages of $\bar F(k_{\bar F},\cdot)$, $\bar G(k_{\bar G},\cdot)$, $\check F(k_{\check F},\cdot)$ and $\check G(k_{\check G},\cdot)$ from random functions $\bar F' : D \to \bar D$, $\bar G' : T \to \bar T$, $\check F' : D \to \check D$ and $\check G' : T \to \check T$, respectively, for $k_{\bar F}, k_{\bar G}, k_{\check F}, k_{\check G} \leftarrow_{\$} \{0,1\}^\lambda$.
We assume that there is an upper bound $\bar l = \mathrm{poly}(\lambda)$ on the number of inputs of an admissible function.
Let $A$ be any PPT adversary against $H$ in $\mathrm{Game}^{\mathrm{MDHAE}}$ that makes at most $q$ queries on at most $d$ different datasets. Then there are PPT adversaries $\mathring B$, $\mathring B'$, $\bar B$ and $\check B$ with at most $q$, $q$, $d\bar l q$ and $d\bar l q$ queries, respectively, such that
$$
\begin{aligned}
\mathrm{Adv}^{\mathrm{MDHAE}}_{H,\$_H,A}(\lambda) \le{}& \mathrm{Adv}_{\bar F}(\lambda) + \mathrm{Adv}_{\bar G}(\lambda) + \mathrm{Adv}_{\check F}(\lambda) + \mathrm{Adv}_{\check G}(\lambda) + \frac{2q^2}{|\bar D|} + \frac{2q^2}{|\check D|} + \frac{2q^2\bar l^2}{|\bar T|} + \frac{2q^2\bar l^2}{|\check T|} \\
&+ \mathrm{Adv}^{\mathrm{HE}}_{K,\$_K,\mathring B}(\lambda) + \mathrm{Adv}^{\mathrm{HE}}_{K,\$_K,\mathring B'}(\lambda) + q\,\mathrm{Adv}^{\mathrm{MDHA}}_{\bar T,\bar B}(\lambda) + (d+1)(\bar l q + 1)\,\mathrm{Adv}^{\mathrm{MDHA}}_{\check T,\check B}(\lambda)
\end{aligned}
$$
for some algorithms $\$_H$ and $\$_K$.
Suppose $\$_K$ is an algorithm such that $\mathrm{Adv}^{\mathrm{HE}}_{K,\$_K,B}(\lambda)$ is negligible for every PPT algorithm $B$. In the rest of the proof, we specify $\$_H$ with respect to $\$_K$ as follows:
• $\$_H(sk,\Delta,\tau,\cdot)$: parse the given secret key $sk = \mathring{ek} \| \mathring{sk} \| \bar{sk} \| \check{sk} \| k_{\bar F} \| k_{\bar G} \| k_{\check F} \| k_{\check G}$, let $\mathring c \leftarrow \$_K(\mathring{sk},\cdot)$, $\bar\Delta \leftarrow \bar F(k_{\bar F},\Delta)$, $\bar\tau \leftarrow \bar G(k_{\bar G},\tau)$, $\check\Delta \leftarrow \check F(k_{\check F},\Delta)$, $\check\tau \leftarrow \check G(k_{\check G},\tau)$, $\bar\sigma \leftarrow \bar T.\mathrm{Auth}(\bar{sk},\bar\Delta,\bar\tau,\mathring c)$ and $\check\sigma \leftarrow \check T.\mathrm{Auth}(\check{sk},\check\Delta,\check\tau,0)$. Output $c := (\mathring c, \bar\sigma, \check\sigma)$.
In short, $\$_H$ is the same as $H.\mathrm{Enc}$ except that it uses $\$_K$ instead of $K.\mathrm{Enc}$.
Before constructing the adversaries $\mathring B$, $\mathring B'$, $\bar B$ and $\check B$, we first replace the PRFs with random functions using the following games:
$\mathrm{Game}_0(\lambda)$:
The original security game $\mathrm{Game}^{\mathrm{MDHAE}}_{H,\$_H,A}(\lambda)$.
$\mathrm{Game}_1(\lambda)$:
The security game $\mathrm{Game}^{\mathrm{MDHAE}}_{H',\$'_{H'},A}(\lambda)$, where $H'$ and $\$'_{H'}$ are the same as $H$ and $\$_H$, respectively, except for the parts that use PRFs. In this game, $H'.\mathrm{KeyGen}(1^\lambda)$ samples random functions $\bar F' : D \to \bar D$, $\bar G' : T \to \bar T$, $\check F' : D \to \check D$ and $\check G' : T \to \check T$, and sets $sk := \mathring{ek} \| \mathring{sk} \| \bar{sk} \| \check{sk} \| \bar F' \| \bar G' \| \check F' \| \check G'$ as the secret key. Also, $H'.\mathrm{Enc}$, $H'.\mathrm{Dec}$ and $\$'_{H'}$ use $\bar F'$, $\bar G'$, $\check F'$ and $\check G'$ instead of $\bar F(k_{\bar F},\cdot)$, $\bar G(k_{\bar G},\cdot)$, $\check F(k_{\check F},\cdot)$ and $\check G(k_{\check G},\cdot)$, respectively.
Using the security of the PRFs, we can bound
$$
\mathrm{Adv}^{\mathrm{Game}_0,\mathrm{Game}_1}_A(\lambda) \le \mathrm{Adv}_{\bar F}(\lambda) + \mathrm{Adv}_{\bar G}(\lambda) + \mathrm{Adv}_{\check F}(\lambda) + \mathrm{Adv}_{\check G}(\lambda).
$$
To bound $\mathrm{Adv}^{\mathrm{Game}_1}_A(\lambda)$, we construct a PPT adversary $\mathring B$ against the challenger of the game $\mathrm{Game}^{\mathrm{HE}}_{K,\$_K,\mathring B}(\lambda)$ that runs $A$ internally as follows (written from $A$'s perspective):
Initialization
The challenger generates $(\mathring{ek},\mathring{sk}) \leftarrow K.\mathrm{KeyGen}(1^\lambda)$ and sends $\mathring{ek}$ to $\mathring B$. The challenger flips a coin $b \leftarrow_{\$} \{0,1\}$. If $b = 0$, the challenger sets $EK = K.\mathrm{Enc}(\mathring{sk},\cdot)$; otherwise it sets $EK = \$_K(\cdot)$. Then $\mathring B$ generates $(\bar{ek},\bar{sk}) \leftarrow \bar T.\mathrm{KeyGen}(1^\lambda)$ and $(\check{ek},\check{sk}) \leftarrow \check T.\mathrm{KeyGen}(1^\lambda)$, and sends $ek = \mathring{ek} \| \bar{ek} \| \check{ek}$ to $A$. $\mathring B$ initializes a set $S := \emptyset$.
Queries
$\mathring B$ responds to the queries of $A$ as follows:
• For every encryption query $(\Delta,\tau,m)$ that $A$ makes, $\mathring B$ checks whether $(\Delta,\tau,\cdot,\cdot) \in S$. If so, $\mathring B$ rejects the query. Otherwise, $\mathring B$ queries $m$ to the challenger and receives $\mathring c = EK(m)$ as the response. Then $\mathring B$ sets $\bar\Delta = \bar F'(\Delta)$, $\bar\tau = \bar G'(\tau)$, $\check\Delta = \check F'(\Delta)$, $\check\tau = \check G'(\tau)$, $\bar\sigma \leftarrow \bar T.\mathrm{Auth}(\bar{sk},\bar\Delta,\bar\tau,\mathring c)$ and $\check\sigma \leftarrow \check T.\mathrm{Auth}(\check{sk},\check\Delta,\check\tau,0)$, and sends $c := (\mathring c,\bar\sigma,\check\sigma)$ to $A$.
• For every decryption query $(\Delta,P,c)$ that $A$ makes, $\mathring B$ checks whether the query is redundant. If it is redundant, $\mathring B$ rejects the query. If it is non-redundant, $\mathring B$ checks whether $H'.\mathrm{Dec}(sk,\Delta,P,c) \ne \bot$ using its knowledge of $\bar F'$, $\bar G'$, $\check F'$, $\check G'$, $\mathring{ek}$, $\bar{sk}$ and $\check{sk}$. If $H'.\mathrm{Dec}(sk,\Delta,P,c) \ne \bot$, then $\mathring B$ outputs "Bad" and halts. Otherwise, $\mathring B$ sends $\bot$ to $A$.
Finalization
$A$ outputs a bit $b'$. On receiving $b'$, $\mathring B$ also outputs $b'$.
Note that $\mathring B$'s responses to $A$ are identical to those of the challenger of $\mathrm{Game}_1(\lambda)$ until $A$ makes a decryption query $(\Delta,P,c)$ on which $\mathring B$ outputs "Bad" and halts (in other words, $H'.\mathrm{Dec}(sk,\Delta,P,c) \ne \bot$). We call such a query a bad query. Also, $\mathring B$ wins the game $\mathrm{Game}^{\mathrm{HE}}_{K,\$_K,\mathring B}(\lambda)$ if and only if $A$ makes no bad query on $\mathring B$ and outputs the winning bit $b' = b$ in the Finalization phase. Now define the following two events:
• $E_{\mathrm{Game}_1} = \{A \text{ makes a bad query in } \mathrm{Game}_1(\lambda)\}$
• $E_{\mathring B} = \{A \text{ makes a bad query on } \mathring B\}$
Then we see that
$$
\begin{aligned}
\Pr[\mathrm{Game}_1(\lambda) = 1] &\le \Pr[E_{\mathrm{Game}_1}] + \Pr[E_{\mathrm{Game}_1}^{\complement}] \cdot \Pr[A \text{ outputs } b' = b \mid E_{\mathrm{Game}_1}^{\complement}] \\
&= \Pr[E_{\mathring B}] + \Pr[E_{\mathring B}^{\complement}] \cdot \Pr[\mathrm{Game}^{\mathrm{HE}}_{K,\$_K,\mathring B}(\lambda) = 1 \mid E_{\mathring B}^{\complement}] \\
&\le \Pr[E_{\mathring B}] + \mathrm{Adv}^{\mathrm{HE}}_{K,\$_K,\mathring B}(\lambda) \\
&= \Pr[E_{\mathrm{Game}_1}] + \mathrm{Adv}^{\mathrm{HE}}_{K,\$_K,\mathring B}(\lambda).
\end{aligned}
$$
Note that
$$
\begin{aligned}
\Pr[E_{\mathrm{Game}_1}] &= \Pr[E_{\mathrm{Game}_1} \mid b = 0] \Pr[b = 0] + \Pr[E_{\mathrm{Game}_1} \mid b = 1] \Pr[b = 1] \\
&\le \frac{1}{2}\,\Big|\Pr[E_{\mathrm{Game}_1} \mid b = 0] - \Pr[E_{\mathrm{Game}_1} \mid b = 1]\Big| + \Pr[E_{\mathrm{Game}_1} \mid b = 1].
\end{aligned}
$$
To bound the probability $\frac{1}{2}\big|\Pr[E_{\mathrm{Game}_1} \mid b = 0] - \Pr[E_{\mathrm{Game}_1} \mid b = 1]\big|$, we construct a PPT adversary $\mathring B'$ against the challenger of the game $\mathrm{Game}^{\mathrm{HE}}_{K,\$_K,\mathring B'}(\lambda)$. $\mathring B'$ is the same as $\mathring B$ except for the Finalization phase and the Queries phase. In the Finalization phase, $\mathring B'$ always outputs 0 instead of outputting $A$'s output $b'$ as $\mathring B$ does. In the Queries phase, when $A$ makes a query $(\Delta,P,c)$ such that $H'.\mathrm{Dec}(sk,\Delta,P,c) \ne \bot$, $\mathring B'$ outputs 1 and halts instead of outputting "Bad" as $\mathring B$ does. From $A$'s perspective, $\mathring B$ and $\mathring B'$ are identical. Therefore, we can write
$$
\begin{aligned}
\mathrm{Adv}^{\mathrm{HE}}_{K,\$_K,\mathring B'}(\lambda) &= \frac{1}{2}\,\Big|\Pr[\mathring B' \text{ outputs } 1 \mid b = 0] - \Pr[\mathring B' \text{ outputs } 1 \mid b = 1]\Big| \\
&= \frac{1}{2}\,\Big|\Pr[E_{\mathrm{Game}_1} \mid b = 0] - \Pr[E_{\mathrm{Game}_1} \mid b = 1]\Big|.
\end{aligned}
$$
Now we need to bound $\Pr[E_{\mathrm{Game}_1} \mid b = 1]$.
We first define $\mathrm{Game}_2(\lambda)$, which is $\mathrm{Game}_1(\lambda)$ with slight changes. In $\mathrm{Game}_2(\lambda)$, the challenger always sets $b = 1$ instead of choosing $b$ at random as in $\mathrm{Game}_1(\lambda)$. Also, if $A$ makes a bad query in the Queries phase, the challenger returns 1 and the game ends. If $A$ does not make any bad query, the challenger returns 0 and the game ends. From the definition of $\mathrm{Game}_2$, we see that $\Pr[E_{\mathrm{Game}_1} \mid b = 1] = \Pr[\mathrm{Game}_2(\lambda) = 1]$. When $A$ outputs a bad query $(\Delta^*,P^*,c^*)$, the correctness of $\bar T$ and $\check T$ gives $H'.\mathrm{Dec}(sk,\Delta^*,P^{*\prime},c^*) \ne \bot$, where $P^{*\prime}$ is the fully bound sub-program of $P^*$. Also, if we let $P^{*\prime} = (f^*,\tau_1^*,\ldots,\tau_l^*)$, then the bad query $(\Delta^*,P^*,c^*)$ falls into one of the following two cases:
Type 1 bad query:
$(\Delta^*,\tau_i^*,\cdot,\cdot) \notin S$ for at least one $i \in [l]$.
Type 2 bad query:
For every $i \in [l]$, $(\Delta^*,\tau_i^*,m_i^*,c_i^*) \in S$ for some (unique) $m_i^* \in M$, $c_i^* \in C$, and $c^* \ne c^{**}$,
where $c^{**} \leftarrow H'.\mathrm{Eval}(ek,f^*,c_1^*,\ldots,c_l^*)$. Also, if the bad query $(\Delta^*,P^*,c^*)$ is of Type 2, then it falls into one of the following two cases:
Type $\bar 2$ bad query:
$(\mathring c^*,\bar\sigma^*) \ne (\mathring c^{**},\bar\sigma^{**})$
Type $\check 2$ bad query:
$\check\sigma^* \ne \check\sigma^{**}$
where $c^* = (\mathring c^*,\bar\sigma^*,\check\sigma^*)$ and $c^{**} = (\mathring c^{**},\bar\sigma^{**},\check\sigma^{**})$. If we let
$$
\begin{aligned}
\check E &:= \{\text{the first bad query of } A \text{ is of Type 1 in } \mathrm{Game}_2(\lambda)\} \cup \{\text{the first bad query of } A \text{ is of Type } \check 2 \text{ in } \mathrm{Game}_2(\lambda)\}, \\
\bar E &:= \{\text{the first bad query of } A \text{ is of Type } \bar 2 \text{ in } \mathrm{Game}_2(\lambda)\},
\end{aligned}
$$
then we see that
$$
\Pr[\mathrm{Game}_2(\lambda) = 1] \le \Pr[\check E] + \Pr[\bar E].
$$
To bound $\Pr[\bar E]$, we construct a PPT adversary $\bar B$ for the game $\mathrm{Game}^{\mathrm{MDHA}}_{\bar T,\bar B}(\lambda)$ as follows:
Initialization
$\bar B$ generates $(\mathring{ek},\mathring{sk}) \leftarrow K.\mathrm{KeyGen}(1^\lambda)$ and $(\check{ek},\check{sk}) \leftarrow \check T.\mathrm{KeyGen}(1^\lambda)$, and prepares the selective queries as follows:
1. Sample $q^* \leftarrow_{\$} [q]$.
2. Sample $\bar\Delta_i \leftarrow_{\$} \bar D$, $\check\Delta_i \leftarrow_{\$} \check D$ for $i \in [d]$ and $\bar\tau_j \leftarrow_{\$} \bar T$, $\check\tau_j \leftarrow_{\$} \check T$ for $j \in [\bar l q]$.
3. Compute $\mathring c_{i,j} \leftarrow \$_K(\mathring{sk},\cdot)$ for $(i,j) \in [d] \times [\bar l q]$.
4. Submit $\{(\bar\Delta_i,\bar\tau_j,\mathring c_{i,j})\}_{(i,j) \in [d] \times [\bar l q]}$ to the challenger.
If $(\bar\Delta_i,\bar\tau_j) = (\bar\Delta_{i'},\bar\tau_{j'})$ for some $(i,j) \ne (i',j')$, then the challenger rejects the query. Otherwise, the challenger generates $(\bar{ek},\bar{sk}) \leftarrow \bar T.\mathrm{KeyGen}(1^\lambda)$, computes $\bar\sigma_{i,j} \leftarrow \bar T.\mathrm{Auth}(\bar{sk},\bar\Delta_i,\bar\tau_j,\mathring c_{i,j})$ for $(i,j) \in [d] \times [\bar l q]$ and sends $(\bar{ek},S_{\bar T})$ to $\bar B$, where $S_{\bar T} := \{(\bar\Delta_i,\bar\tau_j,\mathring c_{i,j},\bar\sigma_{i,j})\}_{(i,j) \in [d] \times [\bar l q]}$. Then $\bar B$ sends $ek := \mathring{ek} \| \bar{ek} \| \check{ek}$ to $A$ and initializes a set $S := \emptyset$. $\bar B$ also programs $\bar F' : D \to \bar D$, $\check F' : D \to \check D$, $\bar G' : T \to \bar T$ and $\check G' : T \to \check T$ to be the functions that output $\bar\Delta_i$, $\check\Delta_i$, $\bar\tau_i$ and $\check\tau_i$, respectively, on the $i$th new input.
Queries
Among the queries of $A$, let $\Delta_i \in D$ be the $i$th new dataset identifier and $\tau_j \in T$ the $j$th new data identifier. $\bar B$ handles the queries of $A$ as follows:
• For an encryption query $(\Delta_i,\tau_j,m_{i,j})$ that $A$ makes, $\bar B$ checks whether $(\Delta_i,\tau_j,\cdot,\cdot) \in S$. If so, $\bar B$ rejects the query. Otherwise, $\bar B$ responds to the query $(\Delta_i,\tau_j,m_{i,j})$ with $c_{i,j} := (\mathring c_{i,j},\bar\sigma_{i,j},\check\sigma_{i,j})$, where $\check\sigma_{i,j} \leftarrow \check T.\mathrm{Auth}(\check{sk},\check\Delta_i,\check\tau_j,0)$ for $\check\Delta_i = \check F'(\Delta_i)$ and $\check\tau_j = \check G'(\tau_j)$ (also, $\bar B$ queries $\Delta_i$ and $\tau_j$ to $\bar F'$ and $\bar G'$, respectively, so that $\bar F'(\Delta_i) = \bar\Delta_i$ and $\bar G'(\tau_j) = \bar\tau_j$). After responding to the encryption query of $A$, $\bar B$ updates $S$ with $S \leftarrow S \cup \{(\Delta_i,\tau_j,m_{i,j},c_{i,j})\}$.
• For every decryption query $(\Delta^*,P^*,c^*)$ that $A$ makes, $\bar B$ checks whether the query is redundant. If the query $(\Delta^*,P^*,c^*)$ is redundant, then $\bar B$ rejects it. If the query $(\Delta^*,P^*,c^*)$ is a non-redundant decryption query made before the $q^*$th query, then $\bar B$ responds with $\bot$. If the $q^*$th query is an encryption query or a rejected query, then $\bar B$ outputs nothing and halts. If the $q^*$th query is the decryption query $(\Delta^*,P^*,c^*)$, then $\bar B$ parses $c^* = (\mathring c^*,\bar\sigma^*,\check\sigma^*)$ and finds $P^{*\prime} := (f^*,\tau_1^*,\ldots,\tau_l^*)$, the fully bound sub-program of $P^*$. If $(\Delta^*,\tau_i^*,m_i^*,c_i^*) \in S$ for some (unique) $m_i^* \in M$ and $c_i^* \in C$ for all $i \in [l]$, and $(\mathring c^*,\bar\sigma^*) \ne (\mathring c^{**},\bar\sigma^{**})$ where $(\mathring c^{**},\bar\sigma^{**},\check\sigma^{**}) = H'.\mathrm{Eval}(ek,f^*,c_1^*,\ldots,c_l^*)$, then $\bar B$ outputs $(\bar\Delta^*,\bar P^{*\prime},\mathring c^*,\bar\sigma^*)$ as a forgery attempt and halts, where $\bar\Delta^* = \bar F'(\Delta^*)$, $\bar\tau_i^* = \bar G'(\tau_i^*)$ for $i \in [l]$, $\bar f^*$ is the bitwisely described circuit of the deterministic algorithm $K.\mathrm{Eval}(ek,f^*,\ldots)$ and $\bar P^{*\prime} = (\bar f^*,\bar\tau_1^*,\ldots,\bar\tau_l^*)$. Otherwise, $\bar B$ outputs nothing and halts.
Finalization
$\bar B$ does not reach this phase.
Note that if $A$ makes a Type $\bar 2$ bad query on the $q^*$th query, then $\bar B$ wins the game $\mathrm{Game}^{\mathrm{MDHA}}_{\bar T,\bar B}(\lambda)$.
For simplicity of the definitions below, we first let
$$
prms = \Big(\mathrm{coins},\ (\bar\Delta_i)_{i \in [d]},\ (\check\Delta_i)_{i \in [d]},\ (\bar\tau_j)_{j \in [\bar l q]},\ (\check\tau_j)_{j \in [\bar l q]},\ r_K,\ r_{\bar T},\ r_{\check T},\ (e_{i,j})_{(i,j) \in [d] \times [\bar l q]},\ (\bar a_{i,j})_{(i,j) \in [d] \times [\bar l q]},\ (\check a_{i,j})_{(i,j) \in [d] \times [\bar l q]}\Big).
$$
For ease of comparison, we define the following two games:
• $\mathrm{Game}_2(\lambda;prms)$: a deterministic version of $\mathrm{Game}_2(\lambda)$ that samples the PRFs as $\bar B$ does, with a deterministic $A$ using the randomness $\mathrm{coins}$. More precisely, the challenger samples $(\bar\Delta_i)_{i \in [d]}$, $(\check\Delta_i)_{i \in [d]}$, $(\bar\tau_j)_{j \in [\bar l q]}$, $(\check\tau_j)_{j \in [\bar l q]}$ and programs $\bar F' : D \to \bar D$, $\check F' : D \to \check D$, $\bar G' : T \to \bar T$, $\check G' : T \to \check T$ to be the functions that output $\bar\Delta_i$, $\check\Delta_i$, $\bar\tau_i$, $\check\tau_i$, respectively, on the $i$th new input. To run the algorithms $K.\mathrm{KeyGen}$, $\bar T.\mathrm{KeyGen}$, $\check T.\mathrm{KeyGen}$, $\$_K(\mathring{sk},\cdot)$, $\bar T.\mathrm{Auth}(\bar{sk},\bar\Delta_i,\bar\tau_j,\cdot)$ and $\check T.\mathrm{Auth}(\check{sk},\check\Delta_i,\check\tau_j,0)$, the challenger uses the randomness $r_K$, $r_{\bar T}$, $r_{\check T}$, $e_{i,j}$, $\bar a_{i,j}$, $\check a_{i,j}$ for $(i,j) \in [d] \times [\bar l q]$.
• $\mathrm{Game}_{\bar B}(\lambda;prms)$: a partially deterministic version of $\mathrm{Game}^{\mathrm{MDHA}}_{\bar T,\bar B}(\lambda)$ with a deterministic $A$ using the randomness $\mathrm{coins}$. More precisely, except for the choice of $q^* \in [q]$, all other parts of $\bar B$ and of the challenger of this game are deterministic. From $A$'s perspective, the simulated challenger, consisting of $\bar B$ and the challenger of this game, samples $(\bar\Delta_i)_{i \in [d]}$, $(\check\Delta_i)_{i \in [d]}$, $(\bar\tau_j)_{j \in [\bar l q]}$, $(\check\tau_j)_{j \in [\bar l q]}$ and programs $\bar F' : D \to \bar D$, $\check F' : D \to \check D$, $\bar G' : T \to \bar T$, $\check G' : T \to \check T$ to be the functions that output $\bar\Delta_i$, $\check\Delta_i$, $\bar\tau_i$, $\check\tau_i$, respectively, on the $i$th new input. To run the algorithms $K.\mathrm{KeyGen}$, $\bar T.\mathrm{KeyGen}$, $\check T.\mathrm{KeyGen}$, $\$_K(\mathring{sk},\cdot)$, $\bar T.\mathrm{Auth}(\bar{sk},\bar\Delta_i,\bar\tau_j,\cdot)$ and $\check T.\mathrm{Auth}(\check{sk},\check\Delta_i,\check\tau_j,0)$, the simulated challenger uses the randomness $r_K$, $r_{\bar T}$, $r_{\check T}$, $e_{i,j}$, $\bar a_{i,j}$, $\check a_{i,j}$ for $(i,j) \in [d] \times [\bar l q]$.
Since $\mathrm{Game}_2(\lambda;prms)$ is $\mathrm{Game}_2(\lambda)$ with a particular implementation of the PRFs, $\Pr[\bar E] = \Pr[\bar E']$, where
$$
\bar E' := \{prms \mid \text{the first bad query that } A \text{ outputs is of Type } \bar 2 \text{ in } \mathrm{Game}_2(\lambda;prms)\}.
$$
Let
$$
\mathrm{Coll} := \{prms \mid \bar\Delta_i = \bar\Delta_{i'} \text{ or } \check\Delta_i = \check\Delta_{i'} \text{ for some } i \ne i', \text{ or } \bar\tau_j = \bar\tau_{j'} \text{ or } \check\tau_j = \check\tau_{j'} \text{ for some } j \ne j'\}.
$$
Then for any fixed $prms \in \mathrm{Coll}^{\complement} \cap \bar E'$, suppose $A$ made its first bad query on the $q^{**}$th query in $\mathrm{Game}_2(\lambda;prms)$. If $q^* = q^{**}$, then $\mathrm{Game}_2(\lambda;prms)$ is the same as $\mathrm{Game}_{\bar B}(\lambda;prms)$ from $A$'s perspective and $\bar B$ wins the game $\mathrm{Game}^{\mathrm{MDHA}}_{\bar T,\bar B}(\lambda)$. Therefore,
$$
\frac{1}{q}\,\Pr[\mathrm{Coll}^{\complement} \cap \bar E'] \le \Pr[\mathrm{Game}^{\mathrm{MDHA}}_{\bar T,\bar B}(\lambda) = 1] = \mathrm{Adv}^{\mathrm{MDHA}}_{\bar T,\bar B}(\lambda)
$$
and
$$
\begin{aligned}
\Pr[\bar E'] &= \Pr[\mathrm{Coll} \cap \bar E'] + \Pr[\mathrm{Coll}^{\complement} \cap \bar E'] \\
&\le \Pr[\mathrm{Coll}] + q\,\mathrm{Adv}^{\mathrm{MDHA}}_{\bar T,\bar B}(\lambda) \\
&\le \frac{q^2}{|\bar D|} + \frac{q^2}{|\check D|} + \frac{q^2\bar l^2}{|\bar T|} + \frac{q^2\bar l^2}{|\check T|} + q\,\mathrm{Adv}^{\mathrm{MDHA}}_{\bar T,\bar B}(\lambda).
\end{aligned}
$$
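The bound on $\Pr[\mathrm{Coll}]$ used in the last step follows from a union bound over the pairs of sampled identifiers. This derivation is added here and is not part of the original proof; it assumes $d \le q$ (every dataset identifier is introduced by some query of $A$) and that the $\bar\Delta_i$, $\check\Delta_i$, $\bar\tau_j$, $\check\tau_j$ are sampled independently and uniformly, as in step 2 of $\bar B$'s initialization.
$$
\begin{aligned}
\Pr[\bar\Delta_i = \bar\Delta_{i'} \text{ for some } i \ne i'] &\le \binom{d}{2}\frac{1}{|\bar D|} \le \frac{d^2}{2|\bar D|} \le \frac{q^2}{|\bar D|}, \\
\Pr[\bar\tau_j = \bar\tau_{j'} \text{ for some } j \ne j'] &\le \binom{\bar l q}{2}\frac{1}{|\bar T|} \le \frac{\bar l^2 q^2}{2|\bar T|} \le \frac{q^2 \bar l^2}{|\bar T|},
\end{aligned}
$$
and likewise for $\check\Delta_i$ over $\check D$ and $\check\tau_j$ over $\check T$. Summing the four events gives $\Pr[\mathrm{Coll}] \le \frac{q^2}{|\bar D|} + \frac{q^2}{|\check D|} + \frac{q^2\bar l^2}{|\bar T|} + \frac{q^2\bar l^2}{|\check T|}$, and under the size assumption of Theorem 1, $|\bar D|, |\check D|, |\bar T|, |\check T| \ge 2^{\omega(\log\lambda)}$, each term is negligible in $\lambda$ for $q, \bar l = \mathrm{poly}(\lambda)$.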
To bound $\Pr[\check E]$, we construct a PPT algorithm $\check B$ for the game $\mathrm{Game}^{\mathrm{MDHA}}_{\check T,\check B}(\lambda)$ as follows:
Initialization
$\check B$ generates $(\mathring{ek},\mathring{sk}) \leftarrow K.\mathrm{KeyGen}(1^\lambda)$ and $(\bar{ek},\bar{sk}) \leftarrow \bar T.\mathrm{KeyGen}(1^\lambda)$, and prepares the selective queries as follows:
1. Sample $q^* \leftarrow_{\$} [q]$, $i^* \leftarrow_{\$} [d+1]$ and $j^* \leftarrow_{\$} [\bar l q + 1]$.
2. Sample $\bar\Delta_i \leftarrow_{\$} \bar D$, $\check\Delta_i \leftarrow_{\$} \check D$ for $i \in [d]$ and $\bar\tau_j \leftarrow_{\$} \bar T$, $\check\tau_j \leftarrow_{\$} \check T$ for $j \in [\bar l q]$.
3. For $i \in [d]$ and $j \in [\bar l q]$ with $(i,j) \ne (i^*,j^*)$, let $b_{i,j} = 0$. If $(i,j) = (i^*,j^*)$, let $b_{i^*,j^*} = 1$.
4. Submit $\{(\check\Delta_i,\check\tau_j,b_{i,j})\}_{(i,j) \in [d] \times [\bar l q]}$ to the challenger.
If $(\check\Delta_i,\check\tau_j) = (\check\Delta_{i'},\check\tau_{j'})$ for some $(i,j) \ne (i',j')$, then the challenger rejects the query. Otherwise, the challenger generates $(\check{ek},\check{sk}) \leftarrow \check T.\mathrm{KeyGen}(1^\lambda)$, computes $\check\sigma_{i,j} \leftarrow \check T.\mathrm{Auth}(\check{sk},\check\Delta_i,\check\tau_j,b_{i,j})$ for $(i,j) \in [d] \times [\bar l q]$ and sends $(\check{ek},S_{\check T})$ to $\check B$, where $S_{\check T} := \{(\check\Delta_i,\check\tau_j,b_{i,j},\check\sigma_{i,j})\}_{(i,j) \in [d] \times [\bar l q]}$. $\check B$ sends $ek := \mathring{ek} \| \bar{ek} \| \check{ek}$ to $A$ and initializes a set $S := \emptyset$. $\check B$ also programs $\bar F' : D \to \bar D$, $\check F' : D \to \check D$, $\bar G' : T \to \bar T$ and $\check G' : T \to \check T$ to be the functions that output $\bar\Delta_i$, $\check\Delta_i$, $\bar\tau_i$ and $\check\tau_i$, respectively, on the $i$th new input.
Queries
Among the queries of $A$, let $\Delta_i \in D$ be the $i$th new dataset identifier and $\tau_j \in T$ the $j$th new data identifier. $\check B$ handles the queries of $A$ as follows:
• For an encryption query $(\Delta_i,\tau_j,m_{i,j})$ that $A$ makes, $\check B$ checks whether $(\Delta_i,\tau_j,\cdot,\cdot) \in S$. If so, $\check B$ rejects the encryption query. Otherwise, $\check B$ responds to the query $(\Delta_i,\tau_j,m_{i,j})$ with $c_{i,j} := (\mathring c_{i,j},\bar\sigma_{i,j},\check\sigma_{i,j})$, where $\mathring c_{i,j} \leftarrow \$_K(\mathring{sk},\cdot)$ and $\bar\sigma_{i,j} \leftarrow \bar T.\mathrm{Auth}(\bar{sk},\bar\Delta_i,\bar\tau_j,\mathring c_{i,j})$ for $\bar\Delta_i = \bar F'(\Delta_i)$ and $\bar\tau_j = \bar G'(\tau_j)$ ($\check B$ queries $\Delta_i$ and $\tau_j$ to $\check F'$ and $\check G'$, respectively, so that $\check F'(\Delta_i) = \check\Delta_i$ and $\check G'(\tau_j) = \check\tau_j$). After responding to the encryption query of $A$, $\check B$ updates $S$ with $S \leftarrow S \cup \{(\Delta_i,\tau_j,m_{i,j},c_{i,j})\}$.
• For every decryption query $(\Delta^*,P^*,c^*)$ that $A$ makes, $\check B$ checks whether the query is redundant. If the query $(\Delta^*,P^*,c^*)$ is redundant, then $\check B$ rejects it. If the query $(\Delta^*,P^*,c^*)$ is a non-redundant decryption query made before the $q^*$th query, then $\check B$ returns $\bot$ as the response. If the $q^*$th query is an encryption query or a rejected query, then $\check B$ outputs nothing and halts. If the $q^*$th query is the decryption query $(\Delta^*,P^*,c^*)$, $\check B$ parses $c^* = (\mathring c^*,\bar\sigma^*,\check\sigma^*)$ and computes $P^{*\prime} := (f^*,\tau_1^*,\ldots,\tau_l^*)$, the fully bound sub-program of $P^*$. If $(\Delta^*,\tau_i^*,m_i^*,c_i^*) \in S$ for some (unique) $m_i^* \in M$ and $c_i^* \in C$ for all $i \in [l]$, and $\check\sigma^* \ne \check\sigma^{**}$ where $(\mathring c^{**},\bar\sigma^{**},\check\sigma^{**}) = H'.\mathrm{Eval}(ek,f^*,c_1^*,\ldots,c_l^*)$, then $\check B$ outputs $(\check\Delta^*,\check P^{*\prime},0,\check\sigma^*)$ as a forgery attempt and halts, where $\check P^{*\prime} = (\check f^*,\check\tau_1^*,\ldots,\check\tau_l^*)$, $\check\Delta^* = \check F'(\Delta^*)$, $\check\tau_i^* = \check G'(\tau_i^*)$ for $i \in [l]$, and $\check f^*$ is the boolean circuit obtained by replacing each unary gate of $f^*$ with the identity gate and each binary gate of $f^*$ with the OR gate, as defined at the beginning of Section VI. If there is at least one $i \in [l]$ such that $(\Delta^*,\tau_i^*,\cdot,\cdot) \notin S$, then let $l^*$ be the smallest number in the set $\{i \in [l] \mid (\Delta^*,\tau_i^*,\cdot,\cdot) \notin S\}$. If $\Delta^* = \Delta_{i^*}$ and $\tau^*_{l^*} = \tau_{j^*}$, then $\check B$ outputs $(\check\Delta^*,\check P^{*\prime},0,\check\sigma^*)$ as a forgery attempt and halts, where $\check\Delta^*$ and $\check P^{*\prime}$ are defined as above. In all other cases, $\check B$ outputs nothing and halts.
Finalization
$\check B$ does not reach this phase.
Note that on the $q^*$th query, if $A$ makes a Type 1 bad query with $\Delta^* = \Delta_{i^*}$ and $\tau^*_{l^*} = \tau_{j^*}$, or a Type $\check 2$ bad query, then $\check B$ wins the game $\mathrm{Game}^{\mathrm{MDHA}}_{\check T,\check B}(\lambda)$.
Let $prms$ be the tuple of randomness defined above. For ease of comparison, we define the following game:
• $\mathrm{Game}_{\check B}(\lambda;prms)$: a partially deterministic version of $\mathrm{Game}^{\mathrm{MDHA}}_{\check T,\check B}(\lambda)$ with $A$ using the randomness $\mathrm{coins}$. More precisely, except for the choices of $q^* \in [q]$, $i^* \in [d+1]$ and $j^* \in [\bar l q + 1]$, all other parts of $\check B$ and of the challenger of this game are deterministic. From $A$'s perspective, the simulated challenger, consisting of $\check B$ and the challenger of this game, samples $(\bar\Delta_i)_{i \in [d]}$, $(\check\Delta_i)_{i \in [d]}$, $(\bar\tau_j)_{j \in [\bar l q]}$, $(\check\tau_j)_{j \in [\bar l q]}$ and programs $\bar F' : D \to \bar D$, $\check F' : D \to \check D$, $\bar G' : T \to \bar T$, $\check G' : T \to \check T$ to be the functions that output $\bar\Delta_i$, $\check\Delta_i$, $\bar\tau_i$, $\check\tau_i$, respectively, on the $i$th new input. To run the algorithms $K.\mathrm{KeyGen}$, $\bar T.\mathrm{KeyGen}$, $\check T.\mathrm{KeyGen}$, $\$_K(\mathring{sk},\cdot)$, $\bar T.\mathrm{Auth}(\bar{sk},\bar\Delta_i,\bar\tau_j,\cdot)$ and $\check T.\mathrm{Auth}(\check{sk},\check\Delta_i,\check\tau_j,\cdot)$, the simulated challenger uses the randomness $r_K$, $r_{\bar T}$, $r_{\check T}$, $e_{i,j}$, $\bar a_{i,j}$, $\check a_{i,j}$ for $(i,j) \in [d] \times [\bar l q]$.
If we define the events $\check E'$, $\check E_1'$ and $\check E_2'$ as
$$
\begin{aligned}
\check E' &= \{prms \mid \text{the first bad query that } A \text{ outputs is of Type 1 or Type } \check 2 \text{ in } \mathrm{Game}_2(\lambda;prms)\}, \\
\check E_1' &= \{prms \mid \text{the first bad query that } A \text{ outputs is of Type 1 in } \mathrm{Game}_2(\lambda;prms)\}, \\
\check E_2' &= \{prms \mid \text{the first bad query that } A \text{ outputs is of Type } \check 2 \text{ in } \mathrm{Game}_2(\lambda;prms)\},
\end{aligned}
$$
then we see that $\check E' = \check E_1' \cup \check E_2'$, $\check E_1' \cap \check E_2' = \emptyset$ and $\Pr[\check E] = \Pr[\check E']$.
For a fixed $prms \in \mathrm{Coll}^{\complement} \cap \check E_1'$, suppose $A$ made, in $\mathrm{Game}_2(\lambda;prms)$, its first bad (Type 1) query $(\Delta^*,P^*,c^*)$ on the $q^{**}$th query, where $P^{*\prime} = (f^*,\tau_1^*,\ldots,\tau_l^*)$ is the fully bound sub-program of $P^*$. If $q^* = q^{**}$, $\Delta^* = \Delta_{i^*}$ and $\tau^*_{l^*} = \tau_{j^*}$, where $l^*$ is the smallest integer in the set $\{i \in [l] \mid (\Delta^*,\tau_i^*,\cdot,\cdot) \notin S\}$, then $\mathrm{Game}_2(\lambda;prms)$ is the same as $\mathrm{Game}_{\check B}(\lambda;prms)$ from $A$'s perspective and $\check B$ wins the game $\mathrm{Game}_{\check B}(\lambda;prms)$. On the other hand, for a fixed $prms \in \mathrm{Coll}^{\complement} \cap \check E_2'$, suppose $A$ made its first bad (Type $\check 2$) query on the $q^{**}$th query. If $q^* = q^{**}$, $i^* = d+1$ and $j^* = \bar l q + 1$, then $\mathrm{Game}_2(\lambda;prms)$ is the same as $\mathrm{Game}_{\check B}(\lambda;prms)$ from $A$'s perspective and $\check B$ wins the game $\mathrm{Game}_{\check B}(\lambda;prms)$. In other words, if $prms \in \mathrm{Coll}^{\complement} \cap \check E'$, then $\mathrm{Game}_2(\lambda;prms)$ and $\mathrm{Game}_{\check B}(\lambda;prms)$ behave the same from $A$'s perspective with probability at least $\frac{1}{(d+1)(\bar l q + 1)}$. Therefore,
$$
\frac{1}{(d+1)(\bar l q + 1)}\,\Pr[\mathrm{Coll}^{\complement} \cap \check E'] \le \Pr[\mathrm{Game}^{\mathrm{MDHA}}_{\check T,\check B}(\lambda) = 1] = \mathrm{Adv}^{\mathrm{MDHA}}_{\check T,\check B}(\lambda)
$$
and
$$
\begin{aligned}
\Pr[\check E'] &= \Pr[\mathrm{Coll} \cap \check E'] + \Pr[\mathrm{Coll}^{\complement} \cap \check E'] \\
&\le \Pr[\mathrm{Coll}] + (d+1)(\bar l q + 1)\,\mathrm{Adv}^{\mathrm{MDHA}}_{\check T,\check B}(\lambda) \\
&\le \frac{q^2}{|\bar D|} + \frac{q^2}{|\check D|} + \frac{q^2\bar l^2}{|\bar T|} + \frac{q^2\bar l^2}{|\check T|} + (d+1)(\bar l q + 1)\,\mathrm{Adv}^{\mathrm{MDHA}}_{\check T,\check B}(\lambda).
\end{aligned}
$$
In conclusion, we can write
$$
\begin{aligned}
\mathrm{Adv}^{\mathrm{MDHAE}}_{H,\$_H,A}(\lambda) \le{}& \mathrm{Adv}_{\bar F}(\lambda) + \mathrm{Adv}_{\bar G}(\lambda) + \mathrm{Adv}_{\check F}(\lambda) + \mathrm{Adv}_{\check G}(\lambda) + \frac{2q^2}{|\bar D|} + \frac{2q^2}{|\check D|} + \frac{2q^2\bar l^2}{|\bar T|} + \frac{2q^2\bar l^2}{|\check T|} \\
&+ \mathrm{Adv}^{\mathrm{HE}}_{K,\$_K,\mathring B}(\lambda) + \mathrm{Adv}^{\mathrm{HE}}_{K,\$_K,\mathring B'}(\lambda) + q\,\mathrm{Adv}^{\mathrm{MDHA}}_{\bar T,\bar B}(\lambda) + (d+1)(\bar l q + 1)\,\mathrm{Adv}^{\mathrm{MDHA}}_{\check T,\check B}(\lambda).
\end{aligned}
$$
VII An MDHA scheme and a generic construction for bitwisely evaluable MDHA
In this section, we propose a selectively secure multi-dataset (leveled) fully homomorphic authenticator scheme and a generic construction for a selectively secure BE-MDHA. Our MDFHA scheme, Construction 2, can be used directly as $\check T$ in Construction 1. The generic construction we propose, Construction 3, can be used to build a selectively secure BE-MDHA from a selectively secure MDHA such as Construction 2. Also, the result of Construction 3 can be used as $\bar T$ in Construction 1.
Like other (leveled) fully homomorphic authenticator schemes, our scheme is based on the first fully homomorphic signature scheme [4]. Our scheme is a slightly modified version of the first fully homomorphic signature scheme [4], but it supports multiple datasets without any additional transformation.
7.1 A selectively secure multi-dataset fully homomorphic authenticator scheme