ASYMMETRIC ENCRYPTION
Bellare and Rogaway

HYBRID ENCRYPTION

Asymmetric encryption is slower than symmetric encryption, which often uses block ciphers. Also, we often want to encrypt long messages. In practice one usually

1. encrypts a randomly chosen symmetric key $K$ under $pk$ via the asymmetric scheme to get a ciphertext $C_a$, and then
2. encrypts the message $M$ under $K$ via the symmetric scheme to get a ciphertext $C_s$, and transmits $(C_a, C_s)$.

This is called hybrid encryption. More precisely, hybrid encryption is a transform that, given any asymmetric encryption scheme and any symmetric encryption scheme, associates to them a new asymmetric encryption scheme:

Scheme 8.5 Let $\mathcal{AE} = (\mathcal{K}_a, \mathcal{E}_a, \mathcal{D}_a)$ be an asymmetric encryption scheme, and let $\mathcal{SE} = (\mathcal{K}_s, \mathcal{E}_s, \mathcal{D}_s)$ be a stateless symmetric encryption scheme such that $\mathrm{Keys}(\mathcal{SE}) \subseteq \mathrm{Plaintexts}(pk)$ for every $pk$ that might be output by $\mathcal{K}_a$ (that is, the set of keys of $\mathcal{SE}$ always lies in the message space of $\mathcal{AE}$). The hybrid encryption scheme associated to $\mathcal{AE}, \mathcal{SE}$ is the asymmetric encryption scheme $\overline{\mathcal{AE}} = (\mathcal{K}_a, \mathcal{E}, \mathcal{D})$ whose key-generation algorithm is the same as that of $\mathcal{AE}$ and whose encryption and decryption algorithms are defined as follows:

  Algorithm $\mathcal{E}_{pk}(M)$
    $K \xleftarrow{\$} \mathcal{K}_s$ ; $C_s \xleftarrow{\$} \mathcal{E}_K(M)$
    If $C_s = \bot$ then return $\bot$
    $C_a \xleftarrow{\$} \mathcal{E}^a_{pk}(K)$ ; $C \leftarrow (C_a, C_s)$
    Return $C$

  Algorithm $\mathcal{D}_{sk}(C)$
    Parse $C$ as $(C_a, C_s)$
    $K \leftarrow \mathcal{D}^a_{sk}(C_a)$
    If $K = \bot$ then return $\bot$
    $M \leftarrow \mathcal{D}_K(C_s)$
    Return $M$

Note that the hybrid scheme is itself an asymmetric encryption scheme. Under this hybrid encryption scheme, one can (asymmetrically) encrypt any message $M$ that is in the plaintext-space of the underlying symmetric encryption scheme.

Hybrid encryption is used for numerous reasons. The principal one is cost. The number-theoretic operations underlying common asymmetric encryption schemes are computationally costly relative to the operations on block ciphers that underlie common symmetric encryption schemes. In practice one wants to minimize the amount of data to which these number-theoretic operations are applied. Accordingly, rather than encrypt the possibly long message $M$ directly under $pk$ via the given asymmetric scheme, one uses hybrid encryption. The costly number-theoretic operations are thus applied only to data whose length $k$ is fixed and not dependent on the length of $M$.

This context tells us that when we design asymmetric encryption schemes, we can typically assume that the message space consists of short strings. This will facilitate our constructions.

However, before we adopt the hybrid encryption paradigm we need to know that it works, meaning that it is secure. In assessing the strength of hybrid encryption, we use as usual the provable-security philosophy and approach. A hybrid encryption scheme is built from two components: a base asymmetric encryption scheme and a base symmetric encryption scheme. The appropriate question to ask is whether the assumed security of the components suffices to guarantee security of the hybrid scheme based on them. It turns out that it does, and moreover for security under both chosen-plaintext and chosen-ciphertext attacks. Theorem 8.6 below addresses the first case, and Theorem 8.7 the second. (Although the latter implies the former, we state and prove them separately because the proof has some delicate issues and is best understood via an incremental approach.)

Theorem 8.6 Let $\mathcal{AE} = (\mathcal{K}_a, \mathcal{E}_a, \mathcal{D}_a)$ be an asymmetric encryption scheme, let $\mathcal{SE} = (\mathcal{K}_s, \mathcal{E}_s, \mathcal{D}_s)$ be a stateless symmetric encryption scheme such that $\mathrm{Keys}(\mathcal{SE}) \subseteq \mathrm{Plaintexts}(pk)$ for every $pk$ that might be output by $\mathcal{K}_a$, and let $\overline{\mathcal{AE}} = (\mathcal{K}_a, \mathcal{E}, \mathcal{D})$ be the hybrid encryption scheme associated to $\mathcal{AE}, \mathcal{SE}$ as per Scheme 8.5. Let $k$ denote the length of keys output by $\mathcal{K}_s$. Let $B$ be an ind-cpa-adversary attacking $\overline{\mathcal{AE}}$. Then there exist ind-cpa adversaries $A_{00,01}, A_{11,10}$ attacking $\mathcal{AE}$, and an adversary $A$ attacking $\mathcal{SE}$, such that

$$\mathbf{Adv}^{\mathrm{ind\text{-}cpa}}_{\overline{\mathcal{AE}}}(B) \le \mathbf{Adv}^{\mathrm{ind\text{-}cpa}}_{\mathcal{AE}}(A_{00,01}) + \mathbf{Adv}^{\mathrm{ind\text{-}cpa}}_{\mathcal{AE}}(A_{11,10}) + \mathbf{Adv}^{\mathrm{ind\text{-}cpa}}_{\mathcal{SE}}(A). \tag{8.8}$$

Furthermore, suppose $B$ had time complexity at most $t$, and made at most $q$ queries to its left-or-right encryption oracle, these totalling at most $\mu$ bits in length. Then $A_{00,01}, A_{11,10}$ each have time-complexity at most $t$ and make at most $q$ left-or-right encryption oracle queries, each query being $k$ bits long. Also $A$ has time-complexity at most $t$, and makes only one query to its left-or-right encryption oracle.

Corollary. If the components are IND-CPA, then the associated hybrid scheme is also IND-CPA.

The qualitative interpretation of Theorem 8.6 is that if $\mathcal{AE}$ and $\mathcal{SE}$ are each assumed to be secure against chosen-plaintext attack, then $\overline{\mathcal{AE}}$ is also secure against chosen-plaintext attack. On the quantitative front, note that the advantage of $\overline{\mathcal{AE}}$ against an attack involving $q$ lr-encryption queries is upper bounded as a function of the advantage of $\mathcal{SE}$ against an attack involving only a single lr-encryption query. This means that the symmetric encryption scheme used may be very weak and yet the hybrid asymmetric encryption scheme will be secure. For example, the encryption algorithm of the symmetric encryption scheme could apply a pseudorandom bit generator to the key to get an output of $|M|$ bits and XOR this with the message to get the ciphertext. In particular, the symmetric encryption scheme could be deterministic.
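The composition of Scheme 8.5 written out as an added example that is not part of the notes: the component schemes are constructed toys (an ElGamal-style asymmetric scheme over a small prime field, and the deterministic PRG-XOR symmetric scheme that the remark after Theorem 8.6 says the hybrid still tolerates), chosen only to show the composition, the $\bot$ checks and the precondition $\mathrm{Keys}(\mathcal{SE}) \subseteq \mathrm{Plaintexts}(pk)$; every name and parameter below is this example's own assumption, not the notes'.

```python
"""Hybrid encryption in the shape of Scheme 8.5 (illustration only).

Both component schemes are toys constructed for this example and are not
secure for real use; None plays the role of the notes' ⊥.
"""
import hashlib
import secrets

# ---- asymmetric component AE = (Ka, Ea, Da); Plaintexts(pk) = {0, ..., P-1} ----
P = (1 << 127) - 1      # Mersenne prime; toy-sized, chosen for readability only
G = 3                   # fixed base; correctness below does not depend on its order


def Ka():
    """Key generation: returns (pk, sk) with pk = G^sk mod P."""
    x = secrets.randbelow(P - 2) + 1          # sk in [1, P-2]
    return pow(G, x, P), x


def Ea(pk, m):
    """Encrypt the integer m under pk; returns None (⊥) if m is not in Plaintexts(pk)."""
    if not 0 <= m < P:
        return None
    r = secrets.randbelow(P - 2) + 1
    return pow(G, r, P), (m * pow(pk, r, P)) % P


def Da(sk, Ca):
    """Decrypt (c1, c2): c2 * c1^(-sk) mod P, the inverse taken via Fermat."""
    c1, c2 = Ca
    return (c2 * pow(c1, P - 1 - sk, P)) % P


# ---- symmetric component SE = (Ks, Es, Ds); Keys(SE) = {0, ..., 2^K_BITS - 1} ----
K_BITS = 120            # k, the symmetric key length (a parameter of this example)


def Ks():
    return secrets.randbits(K_BITS)


def _prg(K, nbytes):
    """Hash-based pseudorandom stream keyed by K (constructed for the example)."""
    out, ctr = b"", 0
    while len(out) < nbytes:
        out += hashlib.sha256(K.to_bytes(16, "big") + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:nbytes]


def Es(K, M):
    """Deterministic SE: M XOR PRG(K). Tolerable here only because the hybrid
    scheme draws a fresh K for every encryption (Theorem 8.6's single-query bound)."""
    return bytes(a ^ b for a, b in zip(M, _prg(K, len(M))))


def Ds(K, Cs):
    return Es(K, Cs)    # XOR is its own inverse


# ---- the hybrid scheme (Ka, E, D) of Scheme 8.5 ----
def keys_fit_plaintexts(k_bits):
    """Precondition Keys(SE) ⊆ Plaintexts(pk): every k-bit key must be a valid AE plaintext,
    otherwise Ea(pk, K) can return ⊥ for a legitimately generated key."""
    return (1 << k_bits) - 1 < P


def E(pk, M):
    K = Ks()
    Cs = Es(K, M)                 # C_s ←$ E_K(M)
    if Cs is None:                # If C_s = ⊥ then return ⊥ (this toy SE never fails)
        return None
    Ca = Ea(pk, K)                # only the k-bit key goes through number theory
    return (Ca, Cs)               # C ← (C_a, C_s)


def D(sk, C):
    Ca, Cs = C                    # Parse C as (C_a, C_s)
    K = Da(sk, Ca)                # K ← D_sk(C_a)
    if K is None:                 # If K = ⊥ then return ⊥ (this toy AE never fails)
        return None
    return Ds(K, Cs)              # M ← D_K(C_s)


def roundtrip(M):
    """Encrypt and decrypt M under a fresh key pair; True iff M is recovered."""
    pk, sk = Ka()
    return D(sk, E(pk, M)) == M


if __name__ == "__main__":
    assert keys_fit_plaintexts(K_BITS)
    print(roundtrip(b"a message far longer than one group element " * 40))
```

With `k_bits = 128` the precondition fails for this toy (some keys exceed `P - 1`), which is exactly the situation the condition in Scheme 8.5 rules out.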
Proof.
The
proof
will
use
a
hybrid
argument.
We
will
define
a
that
Pr ExpSE
(A)
=
1
|
I
=
i

Pr
[I
=
i]

components
of
AE
in
such
a
way
that
an
attack
on
this
scheme
can
broken
down
can typically assume
that the
message
short
strings.
This
into attacks
on for
thebits
component
schemes.
To
do be
this
wecase
will
use will
a hybrid argument.
,space
{0,consists
1}, thenofit
will
the
that
14
ASYMMETRIC
facilitate
ourcomponent
constructions.
facilitate
our
constructions.
facilitate
our
constructions.
sequence
ofB
4aexperiments
with
B ENCRYPTION
a , Plaintexts(pk)
i=1
attacks
on
the
schemes. of
Toexperiments
doassociated
this we will
use
a hybrid
argument.
ourinto
constructions.
We
associate
to
sequence
Scheme
8.5 Let
Let AEKeys(SE)
= (Ka , E
DaLet
) be
beAE
an
asymmetric
scheme, and
letfacilitate
Scheme
8.5
(Ka , E a , Daencryption
) be
an asymmetric
encryption
scheme,
and
letwill
Theorem.
an=
asymmetric
encryption

!
" we
a
a
a
However,
before
we
adopt
the
hybrid
paradigm
weknow
need
to know
that
However,
before
adopt
theencryption
hybrid
encryption
need to
know that
(K , E , D ) be an asymmetrics encryption
and
However,
before
we
adopt
the
hybrid
encryption
paradigm
to
that
ind
-need
cpa-that
1paradigm
We
will we
associate
B
a sequence
of we
experiments
s , D s ) be scheme,
s , symmetric
slet
s ) be a
q symmetric
q
However,
before
adopt to
the
hybrid
we11Pr
need
towe
know
00 encryption
01paradigm
10 (B) = 1
SE
=
(K
,
E
a
stateless
encryption
scheme
such
that
Keys(SE)

P
(1,
0)
=
Exp
(8.11)
a
a
SE
=
(K
E
,
D
stateless
encryption
scheme
such
that
Keys(SE)

#
#
scheme
and
let
be
a
symmetric
encryption
Exp
(B)
,
Exp
(B)
,
Exp
(B)
,
Exp
(B)
(8.9) encryption,
for every
pk that
mightsuch
be output
by K ,and let AE = (K , E,a D) be the hybrid
AE
it
works,
meaning
that
it
is
secure.
In
assessing
the
strength
of
hybrid
it
works,
meaning
that
it
is
secure.
In
assessing
the
strength
ofencryption,
hybrid

tateless symmetric
encryption
scheme
that Keys(SE)
it
works,
meaning
that
is
secure.
assessing
of
hybrid
AE strength
AE
AE encryption,
00 itAE
01 In the
11theofstrength
10
a
it
works,
meaning
that
it
is
secure.
In
assessing
hybrid
encryption,
14
ASYMMETRIC
ENCRYPTION
=
P
(i)

Pr
[I
=
i]

P
(i

1)

Pr
[I
=
i]
!
"(8.9)
Plaintexts(pk)
for
every
pk
that
might
be
output
by
K
.
The
hybrid
encryption
Exp
(B)
,
Exp
(B)
,
Exp
(B)
,
Exp
(B)
Plaintexts(pk)
for
every
pk
that
might
be
output
by
K
.
The
hybrid
encryption
scheme,
s.t.
the
set
of
keys
for
SE
is
always
in
the
message
a
AE
AE
AE
AE
encryption
scheme
to AE,
SE as per Scheme 8.5. Let k denote the length a
ind
cpa
-0 (B)
we
usethe
asifwe
usual
provable-security
and
A
as usual
the provable-security
philosophy
and
approach.
hybrid encryption
pk that might
be output
by K associated
. The hybrid
encryption
we use
as
usual
provable-security
and=approach.
A-hybrid
encryption
such
that,
weuse
letthe
(0,philosophy
Expapproach.
=hybrid
1 . Aencryption
(8.12)
a ,the
provable-security
philosophyphilosophy
and P
approach.
APr
hybrid
encryption
schemeby
associated
AE, SE associated
is
the asymmetric
encryption
scheme
AEencryption
= (K i=1
, E, scheme
D)we use
i=1
scheme
to AE, SE
is the asymmetric
AEas=usual
(K
E,that,
D)
s . Letto
!0)a base
"asymmetric
a , E,
and
define
such
if we
letbuilt
of keys output
attacking
AE.
Then
there
scheme
isscheme
from
two
components:
encryption
scheme
and
a and a
isthen
built
from
two
components:
a encryption
baseAE
encryption
scheme
, SE is the asymmetric
encryption
scheme
(Kind-cpa-adversary
D) be the associated
space
ofKAE.
LetBAEbe=an
hybrid
asymmetric
scheme
is
built
from
two
components:
a
base
asymmetric
scheme
and
a
!
"
for
bits
,

{0,
1},
it
will
be
the
case
that
scheme
is
built
from
two
components:
a
base
asymmetric
encryption
scheme
and
a
P (, ) = Pr ExpAE (B) = 1
(8.10)
whose key-generationwhose
algorithm
is the samealgorithm
as that of
AE
and
whose
encryption
key-generation
is
the
same
as
that
of
AE
and
whose
encryption
q
exist
ind-cpa
adversaries
A00,01
, A11,10
AE,slide.
and 1an
adversary
A attacking
base symmetric
encryption
scheme.
The
question
to
askwill
istocorrespond
whether
#
base
encryption
scheme.
The
appropriate
ask is whether
gorithm is the
same
asscheme
that
of AE
and
whose
encryption
PThe
(,
)appropriate
=the
Prfirst
Exp
(B)appropriate
= to
1question
(8.10)
base symmetric
scheme.
The
toour
asksequence
isquestion
whether
Insymmetric
other
words,
and
to the
as defined
theattacking
previous
Then
forasany
base symmetric
encryptionencryption
scheme.
question
ask
whether
! appropriate
" is in
AElast experiments
and decryption
algorithms
are
defined
as follows:
andon
decryption
algorithms
follows:
= are defined
P (i)
P (i 1)
ind-cpa
-1 (B)
the security
assumed
security
of
the
components
suffices
to
guarantee
security
of the
hybrid
such that
the
assumed
security
ofsuffices
the components
suffices
to
guarantee
security
of the hybrid
ms are definedSE,
as follows:
the
assumed
of
the
components
to
guarantee
security
of
the
hybrid
world
0
and
world
1
experiments,
respectively,
in
Definition
8.2.
If
so,
Definition
8.2
P
(1,
0)
=
Pr
Exp
=
1
(8.11)
adversary B there exist adversaries A00,01
,
A
,
A
s.t.
the
assumed
security
of
the
components
suffices
to
guarantee
security
of
the
hybrid
q 00,01
AE
scheme
on
them.
It
turns
outdoes,
thatthat
it does,
and
moreover
for under
security
under under
scheme
them.
It
turns
out
that
and
moreover
for security
forbased
bits
,
based
be
{0,
1},
then
it
will
beand
case
tells
us
thaton
!the
"it does,
scheme
on
them.
Itbased
turns
out
that
it
and
moreover
forunder
security
Algorithm E pk (M ) Algorithm E pkAlgorithm
(M ) i=1D sk (C) Algorithm D sk (C)
scheme
based
on
them.
It
turns
out
that
it
does,
moreover
for
security
It
will
the
case
that
ind
cpa
ind
cpa
0
Algorithm
k (M )
ind-cpa
P (0, 0)
Prand
Exp
(B)
= 1 .atttacks.
(8.12)8.6
AdvAE D(B)
$
both chosen-plaintext
and=chosen-ciphertext
atttacks.
Theorem
8.6
addresses
bothand
chosen-plaintext
chosen-ciphertext
below addresses
sk (C)$
$
s (M ) $
a , C schosen-plaintext
chosen-ciphertext
atttacks.
Theorem
8.60)below
addresses
1 EKs (M
AE
(B)
= P "(1,
PTheorem
(0,
0)below
.
! Adv
K
Kss ; C s
EK
and chosen-ciphertext
atttacks.
Theorem
below
addresses
Parse
C )as (C a , C s ) Parse C as (Cboth
K Ks ; C s
) both chosen-plaintext
$
Parse
s (M )
a, C
AE-cpa-8.6
ind
1
Cs
EK
C as
(C
)
=

[P
(1,
1)

P
(0,
1)]
.
the
first
case,
and
Theorem
8.7
the
second.
(Although
the
latter
implies
the
former,
the
first
case,
and
Theorem
8.7
the
second.
(Although
the
latter
implies
the former,
s
a
a
P
(1,
0)
=
Pr
Exp
(B)
=
1
(8.11)
s
a
a
the
first
case,
and
Theorem
8.7
the
second.
(Although
the
latter
implies
the
former,
indIf
cpa
ind
cpa
ind
cpa )
C
=

then
return

the
first
case,
and
Theorem
8.7
the
second.
(Although
the
latter
implies
the
former,
K

D
(C
If
C
=

then
return
Now
comes
a
trick.
We
throw
into
the
expression
P
(1,
0)

P
(0,
0)
a
bunch of extra
K

D
(C
)
AE
q
a (C a ) (A00,01 ) + Adv
sk
Adv
(A) .
(8.8) sk
In other words, the first and last experiments
in our sequence will
correspond to the
11,10 ) + AdvSE
then return
K
Dsk
AE a $ a
AE a $(A
!
"
s
a
a
a
s

terms
that sum to zero and hence
dont
the value of the expression, and then
= (C
then
C
Epk (K)
C E)pk (K) If
-0 (B) change
C ,
; CK
, C )returnIfK = then return
world 0 and world
1 experiments,
in-cpa
Definition
If K = then
return
; C (C
P (0, 0) =respectively,
Pr Expind
=8.2.
1 .If so, Definition 8.2
(8.12)
K) ; C (C a , C s )
s (C s )
s
s
AE
we regroup,
like this:
M
DEquation
M D
Return
s (C
s ) had C
In theReturn
lastatstep
used
Re-arranging
terms,tells
we us
getthat
Equation
(8.14).
C wet,
Furthermore,
suppose
B
time complexity
most
made
most q(8.17).
queries
Kat
K (C )
M

D
and A00,01K, A10,11 have time complexity of Return
B, make
the
same
ind-cpa
M in length. Return
to its left-or-right
oracle, This
these completes
totalling at the
mostproof.
bits
Then M
(B) = P (1, 0)inour
P (0,
0) .
andwords,
thusthe firstAdv
Return encryption
M
In other
and
sequence
will correspond to the
AElast
P (1,
0) experiments
P (0, 0)
of queries, each of length k (symmetric key length),
A00,01 , Anumber
11,10 each have time-complexity at most t and make at most q left-or-right
Now comes
trick. 1We
throw into the
expressioninP Definition
(1, 0) P (0,8.2.
0) aIfbunch
of extra 8.2
world
0 andaworld
experiments,
respectively,
so, Definition
Under
this
hybrid
encryption
scheme,
one
can
(asymmetrically)
encrypt
any
message
Under
hybrid
encryption
scheme,
one
can (asymmetrically)
encrypt any message
A has
timeencrypt
complexity
of
Bk and
makes
only
one
query
.
= P (1,
0)
P (1, 1)
P (1, 1)
Pexpression,
(0, 1) + P (0,
1)then
P (0, 0)
oracle
queries,
each
query
being
bits
long.
Also
A has
time-complexity
ption scheme, encryption
one can and
(asymmetrically)
anythis
message
termsusthat
dont
change
the+value
of the
and
tells
thatsum to zero and hence
M that is in the plaintext-space
ofthe
theplaintext-space
underlying symmetric
encryptionsymmetric
scheme. encryption scheme.
that
is in
of thechosen-ciphertext
underlying
ind
cpa
we regroup,
this: isAdv
xt-space of the
symmetric
encryption
scheme.
We
now
proceedencryption
to the
attack case. The
schemelikeitself
unatunderlying
most t, and
makes only
oneMquery
to
its
left-or-right
oracle.
= [P (1,(B)
0) =P (1,
1)]0)+[PP(1,
P (1,
(0,1)0). P (0, 1)] + [P (0, 1) P (0, 0)] .
Collorary. If the components are IND-CPA, then the
AE
changed,
we now
claim
that
if the
base
components
areNow
secure
against
chosencomes
a0)trick.
We
throw into the expression P (1, 0) P (0, 0) a bunch of extra
associated
hybrid
scheme
is alsobut
IND-CPA.
Hybrid
encryption
is
used
for
numerous
reasons.
The
principal
one
is
cost.
The
Hybrid
encryption
is
used
for
numerous
reasons.
The
principal
one
is
cost.
The
P
(1,

P
(0,
0)
ed for numerous
The
principal one
cost. The
We have now written the ind-cpa-advantage of B as a sum of the differences that
The reasons.
qualitative
interpretation
of is
Theorem
8.6 is that
if AE and SE
assumed
ciphertext
attack,
soare
is each
the
hybrid
encryption
scheme.
terms that sum to zero and hence dont change the value of the expression, and then
number-theoretic
operations
underlyingoperations
common then
asymmetric
encryption
schemes
number-theoretic
underlying
common
asymmetric
encryption
schemes
adjacent
experiments
inour
experiment
sequence
ions underlying
asymmetric
encryption
schemes
= P (1,
0) P (1,
1) + P (1, 1)
P (0,
1) + P (0, 1)
P (0, 0)return 1. We will then construct
to becommon
secure against
chosen-plaintext
attack, then AE is also secure against chosenwe regroup, like this:
are computationally
costly
relative
to the costly
operations
on block
thaton
underly
arethat
computationally
relative
to theciphers
operations
block ciphers that underly
the adversaries A01,00 , A, A10,11 such that
tly relative toplaintext
the operations
block
underly
attack.onOn
the ciphers
quantitative
front, note that the advantage of AE against
=
[P
(1,
0)

P
(1,
1)]
+
[P
(1,
1)

P
(0,
1)]
+
[P
(0,
1) P (0, 0)] .
symmetric
encryption
schemes.
In practiceschemes.
one wants
minimize
common
symmetric
encryption
In to
practice
onethe
wants to minimize the
ryption schemes.
In common
practice
one
to
minimize
theis upper
an attack
involving
q wants
lr-encryption
queries
bounded as a function of the 3
P (1, 0) P (0, 0)
ind-cpa
4
amount
of
data
to
which
these
number-theoretic
operations
are
applied.
Accordamount
of
data
to
which
these
number-theoretic
operations
are
applied.
AccordP (0, 1)
of
Adv
(A01,00that
)
(8.13)
h these number-theoretic
Accord- only a single lr-encryption query. This
We have now written the ind-cpa-advantage
of PB(0,
as0)a sum
theAEdifferences
advantage of operations
SE againstare
an applied.
attack involving
ingly,
rather
than
encrypt
the
possibly
long
message
M
directly
under
pk
via
the
ingly,
rather
than
encrypt
the
possibly
long
message
M
directly
under
pk
via
the
=
P
(1,
0)

P
(1,
1)
+
P
(1,
1)

P
(0,
1)
+
P
(0,
1)

P
(0,
0)
indthen
cpa construct
pt the possibly
long that
message
M directly encryption
under pk via
the used may be very weak and yet the
adjacent experiments in our experiment
sequence
return
1.
We
will
means
the symmetric
scheme
P (1, 1) P (0, 1) AdvSE
(A)
(8.14)
givenone
asymmetric
scheme,
one usesThe
hybrid
encryption.
The costly number-theoretic
given asymmetric
uses hybrid
encryption.
costly
number-theoretic
e, one uses hybrid
encryption.
The
costlyscheme,
number-theoretic
the adversaries
A(1,
such
that
01,00
= [P
0), A,
A
P10,11
(1, 1)]
+ [P
(1, 1) P (0, 1)] + [P (0, 1)ind
-cpa
P (0, 0)] .
hybrid
asymmetric
encryption
scheme
will
be
secure.
For
example,
the
encryption
operations
are
thus
applied
only
to
data
whose
length
k
is
fixed
and
not
dependent
operations
are
thus
applied
only
to
data
whose
length
k
is
fixed
and
not
dependent
P
(1,
0)

P
(1,
1)

Adv
(A
)
.
(8.15)
10,11
ied only to data
whose length
is fixed andencryption
not dependent
AE
algorithm
of theksymmetric
scheme could apply a pseudorandom bit
ind-cpa

1
0
1
Recall that B0 has access
to an oracle that takes
input
a pair of messages and returns
C s = then
return

If Definition
C s = then
return
the ind-cpa-advantage
aIfciphertext.
In the
experiments
of
8.2 that
define
$
$
a
a (pk,
ofCB,
this
oracleK
is1either
E pk (LR(,
1))
E pk (LR(,
E a (pk,
)
C a,
Eor
K0 ), 0)), depending on the world
inC which
(C aB, Ciss )placed. Our hybrid
C experiments
(C a , C s ) will involve executing B not only
with these oracles, but with others that we will define. Specifically, we will define a
Return C
Return C
We now define the 4 experiments that use different oracles
sequence of oracles

= P (1, 0) P (1, 1) + P (1, 1) P (0, 1) + P (0, 1) P (0, 0)

= [P (1, 0) P (1, 1)] + [P (1, 1) P (0, 1)] + [P (0, 1) P (0, 0)] .


We have now written the ind-cpa-advantage of B as a sum of the differences that
adjacent experiments in our experiment sequence return 1. We will then construct
We will construct
A00,01, A, A00,01 s.t.
the adversaries
A01,00 , A, Aadversaries
10,11 such that
-cpa (A
P (0, 1) P (0, 0) Advind
01,00 )
AE
ind-cpa
P (1, 1) P (0, 1) Adv
(A)

Bellare and Rogaway


00
01
11
10
HE pk
(, ) , HE pk
(, ) , HE pk
(, ) , HE pk
(, ) .

(8.16)

(8.13)Figure 8.2: Hybrid lr-encryption oracles used in the proof of Theorem 8.6.

Each oracle will take input a pair M0 , M1 of messages and return a ciphertext. Now,
For
allwe
possible
to each pair , of
bits,
associatebits
the !,
(,")define
hybrid experiment defined as follows:

(8.14)

SE

-cpa (A
P (1, 0) P (1, 1) Advind
10,11 ) .
AE

15

(8.15)

Experiment Exp
(B)
AE

Equation
follows.
and (8.8)
the theorem
statement will follow.
The template above is pretty generic. What we need to do now is to actually specify
the hybrid experiments of Equation (8.9) in such a way that Equations (8.11)
(8.12) are true and we are able to construct adversaries A01,00 , A, A10,11 such that
Equations (8.13)(8.15) are true.

(pk, sk)
$

Ka

HE pk
(,)

dB
Return d

(pk)

00
Oracle HE pk
(M0 , M1 )
$

K0

Ks

; K1

Ks

01
Oracle HE pk
(M0 , M1 )

0 , M0 )
If C s = then return

Cs

E s (K

$
Ca
E a (pk, K0 )
C (C a , C s )
Return C

This defines our experiments in terms of the oracles, and, finally, the oracles them-

$
$
K0
Ks ; K1
Ks

$
Cs
E s (K0 , M0 )
If C s = then return
$
Ca
E a (pk, K1 )
C (C a , C s )
Return C

Recall that B has access to an oracle that takes input a pair of messages and returns
11 paramterized by
10
selves are specified in Fig. 8.2. Each hybrid lr-encryptionOracle
oracle
HEis
Oracle HE pk
(M0 , M1 )
0 , M1 )
pk (M
a ciphertext. In the experiments of Definition 8.2 that define the ind-cpa-advantage
$
$
$
$
s; K
s
s; K
a
pair
(,
)
of
bits
and
takes
input
a
pair
M
,
M
of
messages.
Examining
the
K

K
K

K
Ks
0
1
0
1
0
1
of B, this oracle is either E pk (LR(, , 1)) or E pk (LR(, , 0)), depending on the world
$
$
s
s
s
s
you will see that they are mostly identical, different
in0 ,the
C only
E (K
M1 quantities
)
C E (K0 , M1 )
in which B is placed. Our hybrid experiments will involve executing B notoracles,
only
Cs =

If C s = then return
thatahave been boxed. Each oracle picks not one but twoIf keys
Kthen
with these oracles, but with others that we will define. Specifically, we will define
0 , Kreturn
1 , indepen$
a
a (pk, K )
sequence of oracles
C
E
dently at random, for symmetric encryption. It then encrypts M under 1K0 via the C a $ E a (pk, K0 )
(C a , C s )K under the C (C a , C s )
symmetric
encryption scheme to get a ciphertext C s , and itCencrypts
(8.16)
a
Return C
Return C
Each oracle will take input a pair M0 , M1 of messages and return a ciphertext. public
Now, key via the asymmetric encryption scheme to get a ciphertext C . It returns
a
s
the
pair
(C
,
C
).
to each pair , of bits, we associate the (, ) hybrid experiment defined as follows:
00
01
11
10
HE pk
(, ) , HE pk
(, ) , HE pk
(, ) , HE pk
(, ) .

Note oracles
ASYMMETRIC ENCRYPTION

6
Figure 8.2: Hybrid lr-encryption oracles used in the proof of Theorem
8.6.

00
10
HE pk
(, ) and HE pk
(, ) do not actually use K1 . We have asked these
oracles to pick K1 only to highlight the common template underlying all four oracles.

14

For bits α, β ∈ {0, 1} (with P(α, β) as in Equation (8.10)), check that

    P(1,0) = Pr[Exp^{ind-cpa-1}_{AE}(B) = 1]    (8.11)
    P(0,0) = Pr[Exp^{ind-cpa-0}_{AE}(B) = 1].   (8.12)

Observe that oracle HE^{00}_pk(·,·) and oracle E_pk(LR(·,·,0)) are equivalent in the sense that their responses to any particular query are identically distributed. Similarly oracle HE^{10}_pk(·,·) and oracle E_pk(LR(·,·,1)) are equivalent. This means that Equations (8.11) and (8.12) are true, which is the first requirement of a successful hybrid argument.
Bellare and Rogaway                                                          17

Adversary A01,00^{E^a_pk(LR(·,·,b))}(pk)
    Subroutine OE(M0, M1)
        K0 ←$ K_s ; K1 ←$ K_s
        C^s ←$ E^s(K0, M0)
        If C^s = ⊥ then return ⊥
        C^a ←$ E^a_pk(LR(K0, K1, b))
        Return (C^a, C^s)
    End Subroutine
    d ←$ B^{OE(·,·)}(pk)
    Return d

Adversary A10,11^{E^a_pk(LR(·,·,b))}(pk)
    Subroutine OE(M0, M1)
        K0 ←$ K_s ; K1 ←$ K_s
        C^s ←$ E^s(K0, M1)
        If C^s = ⊥ then return ⊥
        C^a ←$ E^a_pk(LR(K1, K0, b))
        Return (C^a, C^s)
    End Subroutine
    d ←$ B^{OE(·,·)}(pk)
    Return d

Figure 8.3: Adversaries attacking AE constructed for the proof of Theorem 8.6.
In other words, the first and last experiments in our sequence will correspond to the world 0 and world 1 experiments, respectively, in Definition 8.2. If so, Definition 8.2 tells us that

    Adv^{ind-cpa}_{AE}(B) = P(1,0) - P(0,0).

Now comes a trick. We throw into the expression P(1,0) - P(0,0) a bunch of extra terms that sum to zero and hence don't change the value of the expression, and then we regroup, like this:

    P(1,0) - P(0,0)
      = P(1,0) - P(1,1) + P(1,1) - P(0,1) + P(0,1) - P(0,0)
      = [P(1,0) - P(1,1)] + [P(1,1) - P(0,1)] + [P(0,1) - P(0,0)].

We have now written the ind-cpa-advantage of B as a sum of the differences between the probabilities that adjacent experiments in our experiment sequence return 1. We will then construct the adversaries A01,00, A, A10,11 such that

    P(0,1) - P(0,0) = Adv^{ind-cpa}_{AE}(A01,00)    (8.13)
    P(1,1) - P(0,1) = q · Adv^{ind-cpa}_{SE}(A)     (8.14)
    P(1,0) - P(1,1) = Adv^{ind-cpa}_{AE}(A10,11).   (8.15)

The new hybrid lr-encryption oracles we introduce may seem rather bizarre at first since they do not necessarily return valid ciphertexts. For example, oracle (0,1) will return a ciphertext (C^a, C^s) in which C^s is the encryption of M0 under a key K0, but C^a is not an encryption of K0 as it ought to be under the definition of AE, but is the encryption of a random, unrelated key K1. Thus, in the corresponding hybrid experiment, B is not getting the types of responses it expects. But nonetheless, being an algorithm with access to an oracle, B will execute and eventually return a bit. The meaning of this bit may be unclear, but we will see that this does not matter.

If A01,00 is in world 0, meaning its oracle is E_pk(LR(·,·,0)), the ciphertext C^a computed by subroutine OE(·,·) is an encryption of K0, and thus subroutine OE(·,·) is equivalent to oracle HE^{00}_pk(·,·). Hence

    Pr[Exp^{ind-cpa-0}_{AE}(A01,00) = 1] = Pr[Exp^{00}_{AE}(B) = 1],

and similarly

    Pr[Exp^{ind-cpa-1}_{AE}(A01,00) = 1] = Pr[Exp^{01}_{AE}(B) = 1].

Subtracting, and remembering the notation of Equation (8.10), we get

    Adv^{ind-cpa}_{AE}(A01,00) = P(0,1) - P(0,0),

which justifies Equation (8.13). Similarly for A10,11. We leave to the reader the task of verifying Equation (8.15) based on the construction of A10,11 given in Fig. 8.3, and now proceed to the construction of the ind-cpa adversary A attacking the base symmetric encryption scheme.

The intuition here is that the (0,1) and (1,1) hybrid experiments both compute C^a as an encryption of key K1, but differ in which message they symmetrically encrypt under K0, and thus the difference between P(0,1) and P(1,1) measures the ability of the adversary to tell which message C^s encrypts under K0. This is something we can relate solely to the security of the base symmetric encryption scheme.

The construction however will require a little more work, introducing another sequence of hybrid experiments. This time there will be q + 1 of them,

    Exp^0_{AE}(B), Exp^1_{AE}(B), ..., Exp^q_{AE}(B).

Again we associate to any i ∈ {0, ..., q} an oracle and an experiment, as indicated in Fig. 8.4. The oracle associated to i is stateful, maintaining a counter j that is initially 0 and is incremented each time the oracle is invoked. The oracle behaves differently depending on how its counter j compares to its defining parameter i. If j ≤ i it symmetrically encrypts, under K0, the right message M1, and otherwise it symmetrically encrypts, under K0, the left message M0. The asymmetric component C^a is always an encryption of K1. For i = 0, ..., q we let

    P(i) = Pr[Exp^i_{AE}(B) = 1].

Now, suppose i = 0. In that case, the value C^s computed by oracle HE^i_pk(·,·) on input M0, M1 is a symmetric encryption of M0 regardless of the value of the counter j. This means that oracles HE^0_pk(·,·) and HE^{01}_pk(·,·) are equivalent. Similarly, oracles HE^q_pk(·,·) and HE^{11}_pk(·,·) are equivalent. Hence

    P(0,1) = P(0) and P(1,1) = P(q).

So

    P(1,1) - P(0,1) = P(q) - P(0)
      = P(q) - P(q-1) + P(q-1) - ... - P(1) + P(1) - P(0)
      = \sum_{i=1}^{q} [P(i) - P(i-1)].    (8.17)

Oracle HE^i_pk(M0, M1)
    j ← j + 1
    K0 ←$ K_s ; K1 ←$ K_s
    If j ≤ i then C^s ←$ E^s(K0, M1) else C^s ←$ E^s(K0, M0) EndIf
    If C^s = ⊥ then return ⊥
    C^a ←$ E^a(pk, K1)
    C ← (C^a, C^s)
    Return C

Experiment Exp^i_{AE}(B)
    (pk, sk) ←$ K_a
    d ←$ B^{HE^i_pk(·,·)}(pk)
    Return d

Adversary A^{E^s_K(LR(·,·,b))}
    (pk, sk) ←$ K_a ; j ← 0 ; I ←$ {1, ..., q}
    Subroutine OE(M0, M1)
        j ← j + 1
        K0 ←$ K_s ; K1 ←$ K_s
        If j < I then C^s ←$ E^s(K0, M1) EndIf
        If j = I then C^s ←$ E^s_K(LR(M0, M1, b)) EndIf
        If j > I then C^s ←$ E^s(K0, M0) EndIf
        If C^s = ⊥ then return ⊥
        C^a ←$ E^a(pk, K1)
        Return (C^a, C^s)
    End Subroutine
    d ←$ B^{OE(·,·)}(pk)
    Return d

Figure 8.4: Hybrid oracles and experiments related to the construction of ind-cpa adversary A in the proof of Theorem 8.6.

Our ind-cpa adversary A attacking the base symmetric encryption scheme SE is depicted in Fig. 8.4. It gets a lr-encryption oracle E^s_K(LR(·,·,b)) based on a hidden key K and challenge bit b. It picks a pair of public and secret keys by running the key-generation algorithm of the asymmetric encryption scheme. It then picks an index i at random, and initializes a counter j to 0. Next it defines a subroutine OE(·,·) that takes input a pair of messages and returns a ciphertext, and runs B, replying to the latter's oracle queries via the subroutine. The subroutine increments the counter j at each call, and computes the symmetric component C^s of the ciphertext differently depending on how the counter j compares to the parameter i. In one case, namely when j = i, it computes C^s by calling the given E^s_K(LR(·,·,b)) oracle on inputs M0, M1. Notice that A makes only one call to its oracle, as required.

For the analysis, regard I as a random variable whose value is uniformly distributed in {1, ..., q}. Then notice that for any i ∈ {1, ..., q}

    Pr[Exp^{ind-cpa-1}_{SE}(A) = 1 | I = i] = P(i)
    Pr[Exp^{ind-cpa-0}_{SE}(A) = 1 | I = i] = P(i-1).

Thus

    Adv^{ind-cpa}_{SE}(A)
      = Pr[Exp^{ind-cpa-1}_{SE}(A) = 1] - Pr[Exp^{ind-cpa-0}_{SE}(A) = 1]
      = \sum_{i=1}^{q} Pr[Exp^{ind-cpa-1}_{SE}(A) = 1 | I = i] · Pr[I = i]
        - \sum_{i=1}^{q} Pr[Exp^{ind-cpa-0}_{SE}(A) = 1 | I = i] · Pr[I = i]
      = \sum_{i=1}^{q} P(i) · Pr[I = i] - \sum_{i=1}^{q} P(i-1) · Pr[I = i]
      = (1/q) \sum_{i=1}^{q} [P(i) - P(i-1)]
      = (1/q) [P(1,1) - P(0,1)].

In the last step we used Equation (8.17). Re-arranging terms, we get Equation (8.14). This completes the proof.
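To make the oracle-equivalence steps of the proof concrete, here is an added Python model (not code from the Bellare-Rogaway notes) of the oracles in Fig. 8.2 and Fig. 8.4 and of the subroutines OE(·,·) of A01,00 and A, with encryption replaced by symbolic tuples; the function names are chosen here, and reusing K0 as the LR oracle's hidden key K is the one modelling assumption (explained in the comments).

```python
# Added example (not from the Bellare-Rogaway notes): a symbolic model of the oracles of
# Fig. 8.2 / Fig. 8.4 and of the subroutines OE(.,.) used in the hybrid argument.
# Ciphertexts are symbolic: ("sym", key, msg) stands for E^s(key, msg) and ("asym", key)
# for E^a(pk, key); two oracles are equivalent when the same queries with the same
# random keys yield the same symbolic output (the proof's "identically distributed").

def fresh_keys(n):
    """Stand-in for the draws K0, K1 <-$ K_s made on the n-th query (constructed names)."""
    return (f"K0[{n}]", f"K1[{n}]")

def he_alpha_beta(alpha, beta, queries):
    """Oracle HE^{alpha beta}_pk (Fig. 8.2): C^s <- E^s(K0, M_alpha), C^a <- E^a(pk, K_beta)."""
    out = []
    for n, (m0, m1) in enumerate(queries):
        k0, k1 = fresh_keys(n)
        out.append((("asym", (k0, k1)[beta]), ("sym", k0, (m0, m1)[alpha])))
    return out

def he_i(i, queries):
    """Stateful oracle HE^i_pk (Fig. 8.4): M1 under K0 while counter j <= i, else M0;
    the asymmetric component always encrypts K1."""
    out = []
    for j, (m0, m1) in enumerate(queries, start=1):   # j counts queries from 1
        k0, k1 = fresh_keys(j - 1)
        out.append((("asym", k1), ("sym", k0, m1 if j <= i else m0)))
    return out

def oe_symmetric_adversary(I, b, queries):
    """Subroutine OE(.,.) of adversary A (Fig. 8.4) with its LR oracle in world b.
    Assumption: the oracle's hidden key K, a fresh random key like K0, is modelled by K0."""
    out = []
    for j, (m0, m1) in enumerate(queries, start=1):
        k0, k1 = fresh_keys(j - 1)
        if j < I:
            c_s = ("sym", k0, m1)
        elif j == I:                       # the single call to E^s_K(LR(M0, M1, b))
            c_s = ("sym", k0, (m0, m1)[b])
        else:
            c_s = ("sym", k0, m0)
        out.append((("asym", k1), c_s))
    return out

def oe_asymmetric_adversary(b, queries):
    """Subroutine OE(.,.) of A_{01,00} (Fig. 8.3) in world b: C^a <- E_pk(LR(K0, K1, b))."""
    out = []
    for n, (m0, m1) in enumerate(queries):
        k0, k1 = fresh_keys(n)
        out.append((("asym", (k0, k1)[b]), ("sym", k0, m0)))
    return out

def hybrid_chain_holds(queries):
    """True when every oracle equivalence the proof relies on holds for this query sequence."""
    q = len(queries)
    ok = oe_asymmetric_adversary(0, queries) == he_alpha_beta(0, 0, queries)  # world 0: HE^{00}
    ok &= oe_asymmetric_adversary(1, queries) == he_alpha_beta(0, 1, queries)  # world 1: HE^{01}
    ok &= he_i(0, queries) == he_alpha_beta(0, 1, queries)                    # HE^0 == HE^{01}
    ok &= he_i(q, queries) == he_alpha_beta(1, 1, queries)                    # HE^q == HE^{11}
    for i in range(1, q + 1):   # I = i: world 1 behaves as HE^i, world 0 as HE^{i-1}
        ok &= oe_symmetric_adversary(i, 1, queries) == he_i(i, queries)
        ok &= oe_symmetric_adversary(i, 0, queries) == he_i(i - 1, queries)
    return ok
```

Running hybrid_chain_holds on any constructed list of (M0, M1) pairs checks the equalities P(0,1) = P(0), P(1,1) = P(q) and the two conditional probabilities used in the analysis of A, query by query.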

We now proceed to the chosen-ciphertext attack case. The scheme itself is unchanged, but we now claim that if the base components are secure against chosen-ciphertext attack, then so is the hybrid encryption scheme.


Note that a symmetric encryption scheme can satisfy a definition weaker than IND-CPA (as in the proof, A makes only one query to the LR oracle). In particular, the symmetric scheme can be deterministic. This is because a new symmetric key is picked for each message.

An analogous theorem can be stated and proved for the case of chosen-ciphertext attacks (if the components are IND-CCA secure, then the hybrid scheme is IND-CCA secure).
