13.6. PROOF OF SOUNDNESS OF STATIC EQUIVALENCE: A SPECIAL CASE 183 Exercice 60
Assume that the encryption scheme is INDCPA and that u, v ∈ M_{0} are such that l(u, η) = l(v, η) and, for any name n not occuring inu, v, [[hu, ni]]_{η} ≈[[hu, ki]]_{η} and [[hv, ni]]_{η} ≈[[hv, ki]]_{η}. Prove then [[{u}^{r}_{k}]]η ≈[[{v}^{r}_{k}]]η for any name r not occurring in u, v, k.
Give an example of such u, v that do contain occurrences ofk.
13.6 Proof of soundness of static equivalence: a special case
As we saw above, we need some assumptions on the sequence of terms, ruling out situations such as a key encrypting itself.
Given a sequence of terms s_{1}, . . . , s_{n}, we define the relationk >_{s}_{1}_{,...,s}_{n} k^{0} between names, as the least transitive relation such that:
Ifk1 occurs inuand there is an indexiand a subterm{u}^{r}_{k}
2 ofsi, thenk2 >s1,...,sn k1
A random seed is a name that is used as a third argument of an encryption symbol.
Definition 13.6 A valid frame (resp. valid term sequence) is a frame (resp. term sequence) νn.{x_{1} 7→s1, . . . , xn7→sn} (resp. s1, . . . , sn), such that
1. s_{1}, . . . , s_{n}∈ M_{0}
2. n is the set of names occurring ins_{1}, . . . , s_{n} 3. ≥_{s}_{1}_{,...,s}_{n} is an ordering.
4. each random seed is used only once in s_{1}, . . . , s_{n} Example 13.1 The following are not valid term sequences
1. {k}^{r}_{k} 2. {{k_{1}}^{r}_{k}^{1}
2}^{r}_{k}^{2}
3,{{k_{2}}^{r}_{k}^{3}
1}^{r}_{k}^{4}
3
3. {{k_{1}}^{r}_{k}^{1}
2}^{r}_{k}^{2}
3,{{k_{1}}^{r}_{k}^{3}
3}^{r}_{k}^{4}
2
4. {{k_{1}}^{r}_{k}^{1}
2}^{r}_{k}^{2}
2,{{k_{2}}^{r}_{k}^{3}
3}^{r}_{k}^{4}
3
The main restriction imposed by the first condition is the use of names as keys: only atomic keys are considered.
The second condition is not a restriction: we may always bind all names and disclose ex plicitly the names that are supposed to be available to the attacker.
The third condition is a real (strong) restriction. Some restriction that rules out key cycles is necessary (with the current state of the art). The above condition rules out terms {{u}^{r}_{k}^{1}}^{r}_{k}^{2} in the frames. We will see in the section 13.7, that the condition can be slightly relaxed, allowing for such terms in the frames.
The last condition forbids several occurrences of the same ciphertext in the frames. This condition will also be relaxed in the section 13.7.
Theorem 13.1 Let νn.{x_{1} 7→ s1, . . . xn 7→ sn} and νn^{0}.{x_{1} 7→ t1, . . . , xn 7→ tn} be two valid frames.
νn.{x_{1} 7→s1, . . . xn7→sn} ∼νn^{0}.{x_{1} 7→t1, . . . , xn7→tn} ⇒ [[s1, . . . , sn]]η ≈[[t1, . . . , tn]]η
In other words, if the two frames are statically equivalent, then they are computationally indistinguishable.
In what follows, we drop the name binders and the variables, since all names are bound and the variable symbols can be inferred from the context. Furthermore, if P is a predicate symbol and u, v are valid recipes (terms that do not use any names in our case), we write s_{1}, . . . , s_{n}=P(u, v) insteand of (u{x_{1} 7→s_{1}, . . . , x_{n}7→s_{n}}, v{x_{1} 7→s_{1}, . . . , x_{n}7→s_{n}})∈P^{I}. Proof : We use an induction on s_{1}+· · ·+s_{n}+t_{1}+· · · t_{n} where s is the number of function symbols and names appearing in s(we do not count the constants). In each case, we leave to the reader the verification that the induction hypothesis is applied to valid sequences indeed.
Base case: s1, . . . , sn and t1, . . . , tn are constants. Since there is no names in the frames, si
is a valid recipe: s1, . . . , sn=EQ(xi, si) and therefore t1, . . . , tn =EQ(xi, si). It follows that, for everyi,s_{i} =t_{i}, hence the indistinguishability of the two sequences.
Induction case: We successively investigate cases. In each case, we assume that the previous cases do not apply.
1. If one of the two sequences contains a pair.
w.l.o.g., assume s_{1} = hs_{11}, s_{12}i. Then s_{1}, . . . , s_{n} = M(π_{1}(x_{1})), hence t_{1}, . . . , t_{n} = M(π1(x1)). This implies that there are termst11, t12∈ M_{0} such thatt1=pairt11t12. Then s_{11}, s_{12}, s_{2}, . . . , s_{n}∼t_{11}, t_{12}, t_{2}, . . . , t_{n}:
s_{11}, s_{12}, s_{2}, . . . , s_{n}=P(u, v) iff s_{1}, s_{2}, . . . , s_{n}=P(u, v){x_{11}7→π_{1}(x_{1}), x_{12}7→π_{2}(x_{1})}
iff t_{1}, t_{2}, . . . , t_{n}=P(u, v){x_{11}7→π_{1}(x_{1}), x_{12}7→π_{2}(x_{1})}
iff t11, t12, t2, . . . , tn=P(u, v) By induction hypothesis, [[s_{11}, s_{12}, s_{2}, . . . , s_{n}]]_{η} ≈[[t_{11}, t_{12}, t_{2}, . . . , t_{n}]].
We use then the following exercise:
Exercice 61
Let f be a function symbol, whose computational interpretation is a PPT function
[[f]]. Assume [[s_{1}, . . . s_{p}, s_{p+1}. . . , s_{n}]]_{η} ≈[[t_{1}, . . . , t_{p}, t_{p+1}, . . . , t_{n}]]_{η}andr /∈fn(s_{1}, . . . , s_{n}, t_{1}, . . . , t_{n}).
Prove that [[f(s1, . . . , sp r), sp+1, . . . , sn]]η ≈[[f(t1, . . . , tp r), tp+1, . . . , tn]]η (r is as sumed to be drawn according to a polynomial distribution).
With the pairing function forf and conclude that [[s_{1}, . . . , s_{n}]]_{η} ≈[[t_{1}, . . . , t_{n}]]_{η}. 2. If s_{i} =s_{j}(resp. t_{i} =t_{j}) for some i6=j and s_{i} is not a constant. Then s_{1}, . . . , s_{n}=
EQ(xi, xj), hencet1, . . . , tn=EQ(xi, xj), which impliesti =tj. Thens1, . . . , si−1, si+1, . . . , sn∼ t_{1}, . . . , ti−1, t_{i+1}, . . . , t_{n} and, by induction hypothesis, [[s_{1}, . . . , si−1, s_{i+1}, . . . , s_{n}]]_{η} ≈
[[t_{1}, . . . , ti−1, t_{i+1}, . . . , t_{n}]]_{η}, hence the result.
3. If some si ={u_{i}}^{r}_{k}^{i} (or some ti; this case is symmetric) where ui is not a constant and k is maximal w.r.t. ≥_{s}_{1}_{,...,s}_{n} and k /∈ {s_{1}, . . . , sn}. After possibly renumbering the terms, lets_{1} ={u_{1}}^{r}_{k}^{1}, . . . s_{p}={u_{p}}^{r}_{k}^{p} and s_{p+1}, . . . , s_{n} are not encryptions with k.
k does not occur inu_{1}, . . . , u_{p}, s_{p+1}, . . . , s_{n} since every s_{i} is either a name (different fromk), a constant, or a ciphertext (thanks to step 1) and, in the latter case,kdoes not occur ins_{i} by maximality of k.
Let σ ={x_{1} 7→s1, . . . , xn7→ sn} and σ^{0} ={x_{1} 7→s^{0}_{1}, . . . , xn 7→s^{0}_{n}} and let ρ be the replacement of s_{1}, . . . , s_{p} with {0^{l(u}^{1}^{,η)}}^{r}_{k}^{1}, . . . ,{0^{l(u}^{p}^{,η)}}^{r}_{k}^{p} respectively. We observe first that, for any recipeu,ρ(uσ↓) =uσ^{0}↓by consistency of use of the random seeds.
13.6. PROOF OF SOUNDNESS OF STATIC EQUIVALENCE: A SPECIAL CASE 185 If s_{1}, . . . , s_{n}=P(u, v), (uσ↓, vσ↓) ∈P^{I}. For P ∈ {M, EQ, EK, EL}, (u_{1}, u_{2}) ∈P^{I} iff (ρ(u_{1}), ρ(u_{2}))∈P^{I} (for instance, whenP =EL, this is thanks to the presevation of plaintexts lengths byρ). Hence
s_{1}. . . . , s_{n}=P(u, v) iff (ρ(uσ↓), ρ(vσ↓))∈P^{I} iff (uσ^{0}↓, vσ^{0}↓)∈P^{I} iff s^{0}_{1}, . . . , s^{0}_{n}=P(u, v)
s1, . . . , sn∼t1, . . . , tn therefore impliess^{0}_{1}, . . . , s^{0}_{n}∼t1, . . . , tn. Since, by assumption, at least one s_{i} is such that s_{i}{u_{i}}^{r}_{k}^{i} where u_{i} is not a constant and s^{0}_{i} ={0^{l(u}^{i}^{,η)}}^{r}_{k}^{i} has a sctritly smaller size, we may apply the induction hypothesis:
[[s^{0}_{1}, . . . , s^{0}_{n}]]η ≈[[t1, . . . , tn]]η
Then, thanks to our assumptions (validity of the sequences) and lemma 13.2, [[s1, . . . , sn]]η ≈ [[s^{0}_{1}, . . . , s^{0}_{n}]]_{η}.
We conclude [[s_{1}, . . . , s_{n}]]_{η} ≈[[t_{1}, . . . , t_{n}]].
4. If there are two indicesi, j such thats_{i}={u_{i}}^{r}_{s}^{i}
j. Assume w.l.o.gi= 1. s_{1}, . . . , s_{n}= M(dec(x1, xj)) implies t1, . . . , tn=M(dec(x1, xj)), hencet1 ={v_{1}}^{r}_{t}^{1}^{0}
j for somev1. We claim thatu1, s2, . . . , sn∼v1.t2, . . . , tn:
u1, s2. . . sn=P(w1, w2) iff s1, s2. . . , sn=P(w1{x_{1} 7→dec(x1, xj)}, w_{2}{x_{1} 7→dec(x1, xj)}) iff t1, . . . , tn=P(w1{x_{1} 7→dec(x1, xj)}, w_{2}{x_{1} 7→dec(x1, xj)}) iff v_{1}, t_{2}, . . . , t_{n}=P(w_{1}, w_{2})
By induction hypothesis, [[u1, s2, . . . , sn]]η ≈[[v1, t2, . . . , tn]]η. By exercise 61and since we assumed that each random seed is used only once, we conclude [[s_{1}, . . . , s_{n}]]_{η} ≈ [[t_{1}, . . . , t_{n}]]_{η}. (We sill see in the next section how to modify this part, to avoid the assumption on the unique use of random seeds).
5. Now we have only to consider sequencess1, . . . , sn, t1, . . . , tn that consist of encryp tions of constants, names that are not used as encryption keys, and constants. If one of the sequence contains at least one ciphertext, assume w.l.o.g. that this is s1: s1 = {c_{1}}^{r}_{k}^{1}. Let s1, . . . sp be all ciphertexts in the sequence s1, . . . , sn, whose encryption key isk: vsi ={c_{i}}^{r}_{k}^{i} for 1≤i≤p.
For every 1 ≤ i, j ≤ p, s1, . . . , sn =EK(xi, xj), hence t1, . . . , tp = EK(xi, xj): for i= 1, ..., p, ti = {c^{0}_{i}}^{r}_{k}^{0}^{i}0 for some constants c^{0}_{i}. Furthermore, thanks to EL, for every i = 1, ..., p, l(c_{i}, η) = l(c^{0}_{i}, η). It follows that [[s_{1}, . . . , s_{p}]]_{η} ≈ [[t_{1}, . . . , t_{p}]]_{η} by lemma 13.2.
The key kdoes not occur in the sequence sp+1, ldots, sn and, by symmetry, the key k^{0} does not occur in the sequencet_{p+1}, . . . , t_{n}. Then, by consistency of use of random seeds,
[[s_{1}, . . . , s_{n}]]_{η} = [[s_{1}, . . . , s_{p}]]_{η}×[[s_{p+1}, . . . , s_{n}]]_{η} and
[[t1, . . . , tp]]η×[[tp+1, . . . , tn]]η = [[t1, . . . , tn]]η
By induction hypothesis, and since s_{p+1}, . . . , s_{n} ∼ t_{p+1}, . . . , t_{n}, [[s_{p+1}, . . . , s_{n}]]_{η} ≈ [[tp+1, . . . , tn]]η. It follows that
[[s1, . . . , sn]]η = [[s1, . . . , sp]]η×[[s_{p+1}, . . . , sn]]η ≈[[t1, . . . , tp]]η×[[t_{p+1}, . . . , tn]]η = [[t1, . . . , tn]]η
6. We are left to a case wheres_{1}, . . . , s_{n},(andt_{1}, . . . t_{n}) are sequences of distinct names and constants. If there is at least one name in the sequence, say s_{1}, then t_{1} must also be a name (otherwise EQ(x1, t1) would be satisfied in the second sequence and not in the first one). By induction hypothesis, [[s_{2}, . . . , s_{n}]]_{η} ≈[[t_{2}, . . . , t_{n}]]_{η} and then
[[s1, . . . , sn]]η = [[s1]]η ×[[s2, . . . , sn]]η ≈[[t1]]η×[[t2, . . . , tn]]η = [[t1, . . . , tn]]η
Exercice 62
Give an example showing that the above proof does not work when a random seed may occur twice in a valid frame.
13.7 The proof in the general case
In this section, we prove exactly the same result as in the previous section, however relaxing two assumptions.
First, we relax the condition on keys occurences, in order to allow for instance terms{{u}^{r}_{k}}^{r}_{k}^{0} in the sequence. We define the relationv on terms (readsvtas “soccurs as plaintext int”) as the least symmetric and transitive relation such that:
• Ifuvu_{1} oruvu_{2}, thenuv hu_{1}, u_{2}i.
• Ifuvv then uv {v}^{r}_{k}.
Now,_{s}_{1}_{....,s}_{n}is redefined as the (more general) least transitive relation such that,k_{2}_{s}_{1}_{,...,s}_{n} l1 whenever there is a subterm {u}^{r}_{k}
2 of somesi such thatk1vu.
Definition 13.7 A sequence of terms s1, . . . , sn in M_{0} has no key cycle if _{s}
1,...,sn is an ordering. Dually, if there is a name k such that k_{s}_{1}_{,...,s}_{n} k, then s_{1}, . . . , s_{n} contains a key cycle.
Key cycles are defined now according to this new ordering.
Example 13.2 1. {k}^{r}_{k} contains a key cycle 2. {{k_{1}}^{r}_{k}^{1}
2}^{r}_{k}^{2}
3,{{k_{2}}^{r}_{k}^{3}
1}^{r}_{k}^{4}
3 contains a keycycle 3. {{k_{1}}^{r}_{k}^{1}
2}^{r}_{k}^{2}
3,{{k_{1}}^{r}_{k}^{3}
3}^{r}_{k}^{4}
2 does not contains a keycycle 4. {{k_{1}}^{r}_{k}^{1}
2}^{r}_{k}^{2}
2,{{k_{2}}^{r}_{k}^{3}
3}^{r}_{k}^{4}
3 does not contains a keycycle
Second, we relax the conditions on random seeds, allowing several copies of the same cipher text:
Definition 13.8 A sequences_{1}, . . . , s_{n} of terms uses the random seeds in a consistent way if 1. Any random seed occurring in s1, . . . , sn, only occurs in s1, . . . , sn as the third argument
of an encryption 2. If {u_{1}}^{r}_{k}
1 and {u_{2}}^{r}_{k}
2 are two subterms of s1, . . . , sn, then u1=u2 and k1 =k2. Definition 13.9 A sequence of terms (resp. a frame)s1, . . . , sn is weakly valid if
• it has no key cycle
• the sandom seeds are used in a consistent way
13.7. THE PROOF IN THE GENERAL CASE 187 Example 13.3 {{u}^{r}_{k}}^{r}_{k}^{0},{{u}^{r}_{k}}^{r}_{k}^{00}0,{k^{0}}^{r}_{k}^{000} is a weakly valid sequence, with kk^{0}.
Definition 13.10 A keykisdeduciblefrom a frameφ, if there is a recipeusuch thatuσ_{φ}↓=k.
Now we can generalize theorem 13.1 to:
Theorem 13.2 Let νn.{x_{1} 7→ s1, . . . xn 7→sn} and νn^{0}.{x_{1} 7→ t1, . . . , xn 7→ tn} be two weakly valid frames.
νn.{x_{1} 7→s1, . . . xn7→sn} ∼νn^{0}.{x_{1} 7→t1, . . . , xn7→tn} ⇒ [[s1, . . . , sn]]η ≈[[t1, . . . , tn]]η
The proof is basically the same as the proof of theorem 13.1. The only difference lies in points 3 and 4: at step 3, we need to replace ciphertexts{u}^{r}_{k} with{0^{l(u,η)}}^{r}_{k} at every position.
And, at step 4, we have to show that maximal keys for one sequence correspond to maximal keys for the other sequence.
The following two lemmas prepare these steps.
Again, we confuse the frames and the term sequences, as all names are assumed to be bound.
Lemma 13.3 Let v_{1}, . . . , v_{m} be a valid sequence of terms, let u∈ M_{0}, k, r be names such that k6vu, v1, . . . , vm, andr occurs in u, v1, . . . , vm only as a random seed in subterms{u}^{r}_{k}. Then
[[v1, . . . , vm]]η ≈[[v1[{u}^{r}_{k}7→ {0^{l(u,η)}}^{r}_{k}], . . . , vm[{u}^{r}_{k} 7→ {0^{l(u,η)}}^{r}_{k}]]]η
and
(νn)v1, . . . , vm ∼(νn)v1[{u}^{r}_{k}7→ {0^{l(u,η)}}^{r}_{k}], . . . , vm[{u}^{r}_{k}7→ {0^{l(u,η)}}^{r}_{k}] Proof : We prove first the first claim of the lemma.
Letτ be a partial assigment of all names, except kand the random seedssthat are used in ciphertexts{w}^{s}_{k} occurring inv1, . . . vm. We prove actually
[[v1, . . . , vm]]^{τ}_{η} ≈[[v1[{u}^{r}_{k}7→ {0^{l(u,η)}}^{r}_{k}], . . . , vm[{u}^{r}_{k} 7→ {0^{l(u,η)}}^{r}_{k}]]]^{τ}_{η} Assume thatA can distinguish the two above sequences with an advantage :
=P[k, R, r_{1}, . . . , r_{n}:A([[v_{1}, . . . , v_{m}]]^{τ}_{η}R) = 1]
−P[k, R, r_{1}, . . . , r_{n}:A([[v_{1}[{u}^{r}_{k} 7→ {0^{l(u,η)}}^{r}_{k}], . . . , v_{m}[{u}^{r}_{k}7→ {0^{l(u,η)}}^{r}_{k}]]]^{τ}_{η}R) = 1]
We construct as follows an adversary B on INDCPA: let w_{1}, . . . , w_{n} be the set of terms w such that w vv1, . . . , vm. w1, . . . , wn are ordered in such a way that i < j whenever wi is a subterm ofw_{j}.
1. B stores in its memory a table associating the terms wi with their computational inter pretations: Fori= 1 to n,B
(a) ifw_{i} is a constant or a name (which is then in he domain ofτ), Bstores in its table [[wi]]^{τ}_{η}
(b) if w_{i} =hw_{j}, w_{k}i, then B retrieves the values of [[w_{j}]]^{τ}_{η}, [[w_{k}]]^{τ}_{η}, that are stored in its table, computes teh pair of them and stores the result in the table
(c) ifw_{i} ={w_{j}}^{r}_{k}^{0}0 where k^{0} 6=k, then B retreives [[w_{j}]]^{τ}_{η} and computes [[w_{i}]]^{τ}_{η} and stores the result
(d) ifw_{i} ={w_{j}}^{r}_{k}^{0}, withr6=r^{0}, thenB retrieves [[w_{j}]]^{τ}_{η} from its table, queries the encryp tion oracle with ([[w_{j}]]^{τ}_{η},[[w_{j}]]^{τ}_{η}) and stores the result.
(e) ifw_{i} ={u}^{r}_{k}, then B retrieves [[u]]^{τ}_{η} from its table and queries the encryption oracle with ([[u]]^{τ}_{η},0^{l(u,η)}) and strores the result
At the end of this (PTIME) procedure, B has stored in its table all the computational interpretations of the subterms ofv_{1}, . . . , v_{m}, if it was interacting with the leftoracle. Oth erwise, the stores contains the computational interpretation of the subterms ofv1[{u}^{r}_{k} 7→
{0^{l(u,η)}}^{r}_{k}], . . . , v_{m}[{u}^{r}_{k} 7→ {0^{l(u,η)}}^{r}_{k}], u.
2. Bsimulates Awith the inputs corresponding to the values stored at v_{1}, . . . , v_{m} locations.
It produces the same output asA.
The advantage of B is : if Adistinguishes the two sequences of terms with non negligible probability, thenB breaks INDCPA.
Now, remains to prove the second claim.
We let ρ be the replacement of {u}^{r}_{k} with {0^{l(u,η)}}^{r}_{k} and, for every i, v^{0}_{i} = ρ(v_{i}). The consistency of the use of random seeds implies that ρ is a bijection, whose inverse is ρ^{0}. We claim that v1, . . . , vn∼v_{1}^{0}, . . . , v^{0}_{n}. To see this, let σ={x_{1}7→v1, . . . , xn7→vn} andσ^{0} ={x_{1} 7→
v_{1}^{0}, . . . , x_{n} 7→ v^{0}_{n}}. Note first that there is no recipe w such that wσ↓=k, because k 6vv_{i} for everyi(and since, for every rewrite rule l→r,rσ =kimplies thatr vl).
By induction on m, we prove that, for any recipe t, tσ −^{m}→ s iff tσ^{0} −^{m}→ ρ(s). If m = 0 this is because none of the random seeds of v_{1}, . . . , v_{n} is occurring in t, hence ρ(tσ) = tσ^{0}. Otherwise, there is a position p in tσ, a rewrite rule l → r and a subsitution θ such that tσ_{p} =lθ and tσ[rθ]p
−−−→m−1 s. If l =πi(hx_{1}, x2i) and r = xi, ρ(lθ) = πi(hρ(x_{1}σ), ρ(x2σ)i). It follows that tσ^{0}_{p} = lθ^{0} and ρ(tσ[rθ]_{p}) =tσ^{0}[rθ^{0}]_{p} and we may apply the induction hypothesis.
If l=dec({x}^{r}_{k}^{1}
1, k1), then k1 6=k and ρ(lθ) = dec({ρ(xθ)}^{r}_{k}^{1}
1, k1). Again ρ(tσ[xθ]p) = tσ^{0}[xθ^{0}]p
and tσ^{0}−→ρ(uσ[rθ]p): we may apply the induction hypothesis.
Now,v_{1}, . . . , v_{n}=P(t_{1}, t_{2}) iff (t_{1}σ↓, t_{2}σ↓)∈P^{I}. As already observed, forP ∈ {M, EQ, EK, EL}, P^{I} is invariant by ρ (and ρ^{0}): (t1σ↓, t_{2}σ↓) ∈ P^{I} iff (ρ(t1σ↓), ρ(t_{2}σ↓)) ∈ P^{I}. Thanks to what we proved above, ρ(tiσ↓) = tiσ^{0}↓, hence v1, . . . , vn = P(t1, t2) iff (t1σ^{0}↓, t_{2}σ^{0}↓) ∈ P^{I} iff v_{1}^{0}, . . . , v^{0}_{n}=P(t_{1}, t_{2}). This concludes the proof of the second claim.
Lemma 13.4 Assume that (s_{1}, . . . , s_{n}),(t_{1}, . . . , t_{n}) are weakly valid term sequences such that
• (s1, . . . , sn)∼(t1, . . . , tn)
• for every t={u}^{r}_{k}∈ M_{0}, ifu /∈ W and toccurs in some si (resp. some ti), then there is a recipev such thatv{x_{1} 7→s_{1}, . . . , x_{n}7→s_{n}}↓=k (resp. v{x_{1} 7→t_{1}, . . . , x_{n}7→t_{n}}↓=k).
Then, for every j_{1} 6=j_{2},
sj1 ∈ W/ and sj1 vsj2 implies tj1 ∈ W/ and tj1 vtj2. Proof : We prove the lemma by induction ons_{j}_{2}.
In the base case, s_{j}_{2}= 1, then s_{j}_{1} =s_{j}_{2}. Using EQ, it follows that t_{j}_{1} =t_{j}_{2}. Now, for the induction step. If sj2 =
D s^{0}_{j}_{2}, s^{00}_{j}_{2}
E
, using M, tj2 must also be a pair tj2 = D
t^{0}_{j}
2, t^{00}_{j}
2
E and
(s1, . . . , sj2−1, s^{0}_{j}_{2}, s^{00}_{j}_{2}, sj2+1, . . . , sn)∼(t1, . . . , tj2−1, t^{0}_{j}_{2}, t^{00}_{j}_{2}, tj2+1, . . . , tn)
Moreover, eithersj1 vs^{0}_{j}_{2} or elsesj1 vs^{00}_{j}_{2}. By induction hypothesis,tj1 is a name andtj1 vt^{0}_{j}_{2} ort_{j}_{1} vt^{00}_{j}_{2}. In any case,t_{j}_{1} vD
t^{0}_{j}_{2}, t^{00}_{j}_{2}E .
13.7. THE PROOF IN THE GENERAL CASE 189 If s_{j}_{2} = {s^{0}_{j}
2}^{r}_{k}^{j}^{2}
j2, then s_{j}_{1} v s^{0}_{j}_{2} and s_{j}_{1} 6= k_{j}_{2} and s_{j}_{1} 6= r_{j}_{2} (because the sequences are weakly valid). In particular, s^{0}_{j}_{2} ∈ W, hence, by hypothesis, there is a recipe/ u such that u{x_{1} 7→ s_{1}, . . . , x_{n} 7→ s_{n}}↓ = k_{j}_{2}. Using M again, u{x_{1} 7→ t_{1}, . . . , x_{n} 7→ t_{n}}↓ = k^{0}_{j}
2
is a key and, considering the recipe dec(x_{j}_{2}, u), t_{j}_{2} must be {t^{0}_{j}
2}^{r}
0 j2
k^{0}_{j}
2
for some t^{0}_{j}_{2}. Now, s1, . . . , sj2−1, s^{0}_{j}_{2}, sj2+1, . . . , sn) ∼ (t1, . . . , tj2−1, t^{0}_{j}_{2}, tj2+1, . . . , tn) and, by induction hypothesis, s_{j}_{1} vs^{0}_{j}
2 impliest_{j}_{1} vt^{0}_{j}
2. It follows that t_{j}_{1} vt_{j}_{2}.
Proof of the theorem 13.2 : Again, we use an induction ons_{1}+· · ·+s_{n}+t_{1}+· · ·+t_{n} (where constants are not counted ins_{i},t_{i}). The base case and cases 1,2 are exactly the same as in the proof of theorem 13.1.
Let us assume now that the two sequences only consists of ciphertexts, constants and names.
• If in one of the two sequences, there is a subterm{u}^{r}_{k} such thatu is not a constant and kis not deducible.
Assume for instance that such a term occurs as a subterm in the sequence s_{1}, . . . , s_{n}. Consider a keyk, which is maximal w.r.t. _{s}
1,...,sn among the keys that are not deducible from s_{1}, . . . , s_{n} and that encrypt at least one nonconstant term.
We claim thatk6vs1, . . . , sn. If it was the case, saykvs1, we prove, by induction on s1, that eitherk is deducible from the sequence, or else there is a nondeducible key k^{0} such that k^{0} k. In the base case, s_{1} =k is deducible. Ifs_{1} =hs_{11}, s_{12}i, then either kvs_{11} or else k v s12 and, by induction hypothesis, k is deducible from s11, s12, s2, . . . , sn or else there is a non deducible key k^{0} such that k^{0} _{s}_{11}_{,s}_{12}_{,s}_{2}_{,...,s}_{n} k. In the first case, k is deducible from s_{1}, . . . , s_{n} (replacing x_{11} with π_{1}(x_{1}) and x_{12} with π_{2}(x_{1}) in the recipe) and, in the second case,k^{0} _{s}_{1}_{,...,s}_{n} k. Now, ifs1 ={s_{11}}^{r}_{k}0, then, by weak validity of the sequence,k6=k^{0}. Thenk^{0}_{s}_{1}_{,...,s}_{n} k. Either k^{0} is not deducible, and we are done, or else, there is a recipe u such that u{x_{1} 7→s_{1}, . . . , x_{n}7→s_{n}}↓ =k^{0}. Thendec(x_{1}, u) is a recipe yielding s_{11}. Since, in addition, k v s_{11}, by induction hypothesis, either k is deducible from s11, s2, . . . , sn, hence from s1, . . . , sn (replacing x1 with dec(x1, u) in the recipe) or there is a keyk^{0}, that is not deducible from s_{11}, . . . , s_{n}, such that k^{0}_{s}_{11}_{,s}_{2}_{,...,s}_{n} k. In the latter case, k^{0} is neither deducible from s_{1}, . . . , s_{n} and k^{0}_{s}_{1}_{,...,s}_{n} k, which concludes the proof of our claim.
Then, we may use the lemma 13.3: let, for everyi,s^{0}_{i} =s_{i}{{u}^{r}_{k}7→ {0^{l(u,η)}}^{r}_{k}}where{u}^{r}_{k} is any subterm of the sequence s1, . . . , sn such thatu is not a constant. (There is such a term by assumption). By lemma 13.3,
[[s1, . . . , sn]]η ≈[[s^{0}_{1}, . . . , s^{0}_{n}]]η
and s1, . . . , sn ∼ s^{0}_{1}, . . . , s^{0}_{n}. It follows that s^{0}_{1}, . . . , s^{0}_{n} ∼ t1, . . . , tn, hence, by induction hypothesis, [[s^{0}_{1}, . . . , s^{0}_{n}]]_{η} ≈[[t_{1}, . . . , t_{n}]]_{η} and, since [[s^{0}_{1}, . . . , s^{0}_{n}]]_{η} ≈[[s_{1}, . . . , s_{n}]]_{η}, we get the desired result: [[s1, . . . , sn]]η ≈[[t1, . . . , tn]]η.
• We assume now that all terms of both sequences are either names, constants or ciphertexts and that every ciphertext{u}^{r}_{k}occurring in the sequences is such that eitherkis deducible or elseu is a constant. Furthermore, none of the sequences contain two identical terms.
If one of the sequences contains a ciphertext {u}^{r}_{k} such that k is deducible: si = {u_{i}}^{r}_{k}^{i} and there is a recipev such that vσ↓=k whereσ ={x_{1} 7→s1, . . . , xn7→sn}.
After a possible renumbering, lets1 ={u_{1}}^{r}_{k}^{1} be a term in the sequence, whose encryption key k is deducible and which is maximal w.r.t. v. This implies that s1 has no other occurrence in the sequence (because the plaintext of encryptions with nondeducible keys are constant).
Since s_{1}, . . . , s_{n} =M(dec(x_{1}, v)), we must have t_{1}, . . . , t_{n} = M(dec(x_{1}, v)): t_{1} = {v_{1}}^{r}_{k}^{0}^{1}0
and k^{0} is a deducible key (using the recipe v). By lemma 13.4, t1 is also maximal w.r.t.
v, and, for the same reason as above, has no other occurrence in the sequence.
As before, u_{1}, s_{2}, . . . , s_{n} ∼ v_{1}, t_{2}, . . . , t_{n}. By induction hypothesis, we therefore have [[u1, s2, . . . , sn]]η ≈[[v1, t2, . . . , tn]]η. Then, by maximality w.r.t. vofs1, t1 and by the con sistency of use of random numbers,r has no other occurrence in the sequence s1, . . . , sn
and r^{0} has no other occurrence in the sequencet_{1}, . . . , t_{n}. From [[u_{1}, s_{2}, s_{2}, s_{3}, . . . , s_{n}]]_{η} ≈ [[v1, t2, t2, t3, . . . , tn]]η and exercice 61, it follows [[s1, . . . , sn]]η ≈[[t1, . . . , tn]]η.
Now, we can proceed with the last cases of the proof, as in the proof of theorem 13.1 and conclude.
Exercice 63
We say that frame (νn)s_{1}, . . . , s_{n} istransparent if:
• for every ciphertext {u}^{r}_{k} that occurs in s_{1}, . . . , s_{n}, either u is constant or else k is de ducible.
• The random seeds are used in a consistent way
Given a transparent frame φ= (νn).s_{1}, . . . , s_{n}, we define theflatened frameF(φ) by induc tion as follows:
• If there is an indexisuch thatsi =hs_{i1}, si2i, thenF(φ) =F((νn).s1, . . . , si−1, si1, si2, si+1, . . . , sn).
• If there is are indicesi, jsuch thats_{i} ={s_{i1}}^{r}_{s}^{i}
j, thenF(φ) =F((νn).s_{1}, . . . , si−1, s_{i1}, s_{i+1}, . . . , s_{n})
• Otherwise,F(φ) =φ.
1. Show that, if φ is a transparent frame, then F(φ) contains only names, constants and encryptions of constants with nondeducible keys.
2. Show that, ifφ, φ^{0} are two transparent frames (that may contain keycycles), thenF(φ)∼ F(φ^{0}) implies [[F(φ)]]_{η} ≈[[F(φ^{0})]]_{η}
3. Given two transparent frames φ, φ^{0}, show thatφ∼φ^{0} implies F(φ)∼F(φ^{0}).
4. Given two transparent framesφ, φ^{0} such thatφ∼φ^{0}, show that [[φ]]η ≈[[φ^{0}]]η iff [[F(φ)]]η ≈ [[F(φ^{0})]]η.
5. Prove an extension of the theorem 13.2, in which the frames may contain keycycles on deducible keys.
Exercice 64
If we allow arbitrary ground terms (not containing decryption or pairing symbols) as keys, show that the soundness of static equivalence does not hold.
More precisely, construct (from any INDCPA encryption scheme) another INDCPA en cryption scheme, for which, for two wellchosen terms t1, t2, {u}^{r}_{t}
1 ∼ {u}^{r}_{t}
2, none of the names occurring int_{1}, t_{2} occurs in u, and [[{u}^{r}_{t}
1]]_{η} 6≈[[{u}^{r}_{t}
2]]_{η}. Exercice 65
Assume here that the encryption scheme is not only INDCPA, but alsowhichkey concealing, which is defined as follows: for any PPT machineAthat has access to two oracles, and security parameterη, let
_{1}(A, η) = P h
k, k^{0} ← K(η), R←U :A^{O}^{1}^{k}^{,O}^{k}^{1}^{0}(0^{η} R) = 1 i
−P h
k← K(η), R←U :A^{O}^{2}^{k}^{O}^{2}^{k}(0^{η} R) = 1i

13.8. COMPLETENESS 191 WhereO_{k}^{1}(x, y) =E(x, k, r) and O^{2}_{k}(x, y) =E(y, k, r) ifx=y(and 0 otherwise).
The encryption scheme is whichkey concealing if, for every PPT machine A, _{1}(A, η) is negligible.
We consider a new definition of static equivalence∼_{1}, in which we do not have the predicate EK but, instead, a unary predicate Cipher, which is true exactly on terms that are inM_{0} and whose top symbol is an encryption.
1. Show that νk, k^{0}k^{00}, r, r^{0}.{k^{00}}^{r}_{k},{k^{00}}^{r}_{k}^{0}0 ∼_{1} νk, k^{0}, k^{00}, r, r^{0}.{k^{00}}^{r}_{k},{k^{00}}^{r}_{k}^{0}
2. Let u_{1}, . . . , u_{m} ∈ M_{0} be such that all names occurring in u_{1}, . . . , u_{m} are in the domain of τ and k, k_{1}, . . . , k_{m}, n_{1}, . . . , n_{m}∈/ Dom(τ). Assume the encryption scheme is whichkey concealing. Prove
[[{u_{1}}^{n}_{k}^{1}
1, . . . ,{u_{m}}^{n}_{k}^{m}
m]]^{τ}_{η} ≈[[{0^{l(u}^{1}^{,η)}}^{n}_{k}^{1}, . . . ,{0^{l(u}^{m}^{,η)}}^{n}_{k}^{m}]]^{τ}_{η}
3. Assume that (s_{1}, . . . , s_{n}) and (t_{1}, . . . , t_{n}) are two valid sequences of terms and that the encryption scheme is whichkey concealing, then prove
(νn)s1, . . . , sn∼_{1}(νm)t1, . . . , tn⇒[[s1, . . . , sn]]η ≈[[t1, . . . , tn]]η
13.8 Completeness
The completeness problem is the converse of theorem 13.2: given two sequences of terms that are computationally indistinguishable, are they statically equivalent ? In other words, completeness ensures that we did not give too much power to the symbolic attacker.
The main issue is to be sure that the distinguishing capabilities of the symbolic attacker, the predicates, can be implemented. That is what we consider first.
13.8.1 Predicate implementation
We assume a set of function symbols, all of which have a computational interpretation as a PPT algorithm. Then, ifMis the set of ground terms constructed using this set of function symbols and a set of names, for every mapping τ from names to bitstrings, [[ ]]^{τ}_{η} is the unique extension of τ as a homomorphism from M to {0,1}^{∗}. As before, we consider name distributions that are parametrized by a security parameter η ∈ N and, when τ is a partial interpretation only, [[ ]]^{τ}_{η} is the corresponding distribution.
Definition 13.11 A predicate P ∈ P of arity k is implementable if there is a PPT algorithm [[P]] such that:
∀s_{1}, . . . , sk∈ M,∃Q∈POL1,∃N ∈N,∀η > N.
P
(x_{1}, . . . , x_{k})←[[s_{1}, . . . , s_{k}]]_{η} : [[P]]^{A}(x_{1}, . . . , x_{k}) =P^{I}(s_{1}, . . . , s_{k})
> 1 2 + 1
Q(η) We will see later examples of predicate symbols that are (not) implementable.
Definition 13.12 Given a convergent rewrite system S on M, and an interpretation of the predicate symbols, a S,P^{I}computational structure is a computational interpretation of the function symbols and the predicate symbols such that
∀s, t∈ M,∀η ∈N,∀τ. (s=S t ⇒ [[s]]^{τ}_{η} = [[t]]^{τ}_{η}) and, for every P ∈ P, P is implementable.
Note here that we require not only indistinguishability, but true equality: τ is universally quantified over the assignments of appropriate lengths.
13.8.2 Completeness
Theorem 13.3 (completeness) For any computational structure,
[[s_{1}, . . . , s_{n}]]_{η} ≈[[t_{1}, . . . , t_{n}]]_{η} ⇒(νn)s_{1}, . . . , s_{n}∼(νm)t_{1}, . . . , t_{n}.
Proof : By definition, ifs_{1}, . . . , s_{n}6∼t_{1}, . . . , t_{n}, then there are recipesu_{1}, . . . , u_{k}and a predicate P ∈ P such that P^{I}(u_{1}σ↓, . . . , u_{k}σ↓) 6⇔ P^{I}(u_{1}σ^{0}↓, . . . , u_{k}σ^{0}↓). where σ ={x_{1} 7→ s_{1}, . . . , x_{n} 7→
sn} andσ^{0} ={x_{1}7→t1;. . . , xn7→tn}. For instance, assume w.l.o.g. that P^{I}(u1σ↓, . . . , u_{k}σ↓) = 1 andP^{I}(u_{1}σ^{0}↓, . . . , u_{k}σ^{0}↓) = 0.
Moreover, u_{1}, . . . , u_{k} do not contain any name, by a simple induction on the length of the rewrite sequence, there is a deterministic polynomial time Turing machine B, which, on input [[v_{1}, . . . , v_{n}]]^{τ}_{η}, computes [[P(u_{1}θ↓, . . . , u_{k}θ↓)]]^{τ}_{η}, whereθ={x_{1} 7→v_{1}, . . . , x_{n}7→v_{n}}. By definition, for everyη ∈N, for every assignmentτ of keys and random numbers occcurring inv_{1}, . . . , v_{n},
B([[v_{1}, . . . vn]]^{τ}_{η}) = [[P]]([[u1θ↓]]^{τ}_{η}, . . .[[u_{k}θ↓]]^{τ}_{η}) So,
P[(x_{1}, . . . , x_{n})←[[v_{1}, . . . , v_{n}]]_{η} :B(x_{1}, . . . , x_{n}) = 1] =
P[(y1, . . . , yk)←[[u1θ↓, . . . , u_{k}θ↓]]_{η} : [[P]](y1, . . . , yk) = 1]
On the other hand, according to the definition, there areQ1 and N1 such that, for all η > N1, P[(y_{1}, . . . , y_{k})←[[u_{1}σ↓, . . . , u_{k}σ↓]]_{η} : [[P]](y_{1}, . . . , y_{k}) = 1]> 1
2 + 1 Q_{1}(η) and there areQ_{2} and N_{2} such that, for all η > N_{2},
P
(y1, . . . , y_{k})←[[u1σ^{0}↓, . . . , u_{k}σ^{0}↓]]_{η} : [[P]](y1, . . . , y_{k}) = 0
> 1 2+ 1
Q_{2}(η) Altogether, if we let
(η) =
P[(x1, . . . , xn)←[[s1, . . . , sn]]η :B(x_{1}, . . . , xn) = 1]−
P[(x1, . . . , xn)←[[t1, . . . , tn]]η :B(x_{1}, . . . , xn) = 1]
,
Forη >max(N1, N2),
(η)>(1 2 + 1
Q_{1}(η))−(1 2− 1
Q_{2}(η)) = 1
Q_{1}(η) + 1 Q_{2}(η) It follows that ([[s1, . . . , sn]]η)η∈N6≈([[t1, . . . , tn]]η)η∈N.
13.8.3 Examples of computational structures
M, the predicate defining “valid messages” can be implemented if there is an algorithm, which can recognize when a message is a pair (which we always assume), an algorithm which can recognize when a message is a key, and also an algorithm, which decides when the decryption algorithm is used with a valid input.
More precisely, we assume a particular bitstring ⊥ (an error message), which is returned when π_{i} is applied on a bitstring, which is not a pair, or when there is an attempt to encrypt a message, which is not a key or when trying to decrypt something, which is not a ciphertext.
Following a strict interpretation, we also assume that any function applied to the error message⊥ returns⊥. This corresponds actually to a typing predicate, which we assume to be implemented deterministically, for instance using tags (it would also work with a probabilistic implementation of such predicates). Finally, we assumeconfusion freeness as defined below (a definition taken from [203], who also show that such a condition is necessary for completeness, and is not ensured by INDCPA):
13.8. COMPLETENESS 193 Definition 13.13 An encryption scheme is confusion free if, for every bitstring x,
P[k_{1}, k_{2}← K(η), r←U :D(E(x, k_{1}r), k_{2})6=⊥] =ν(η) is negligible.
In other words: it is very likely to get an error message when trying to decrypt with a wrong key.
Proposition 13.1 If the encryption scheme is confusionfree, then the predicates M, EQ are implementable.
Proof : Let us start with M. Let [[M]](x) = 1 iff x6=⊥.
Let s∈ M. We have to compute (s, η)^{def}= P
x←[[s]]_{η} :M^{I}(s)6= [[M]](x)
If s∈ M_{0}, then M^{I}(s) = 1 and [[M]](x) = 1 and therefore (s, η) = 0. So, we only have to consider the case M^{I}(s) = 0. We proceed by induction on s. Ifs is a constant, then the only possibility for not being accepted byM^{I} is s=⊥, in which case [[M]](x) = 0.
Otherwise, if s is a pair or an encryption with a valid key, then, since M^{I} has a strict interpretation, there must be a direct subterm ofswhich does not belong toM_{0}. Then, we use the induction hypothesis and the strictness of [[M]]: if s1, s2 are the direct subterms of s,
(s, η) = P[(x1, x2)←[[s1, s2]]η : [[M]](x1) = 1∧[[M]](x2) = 1]
≤ min(P[(x1, x2)←[[s1, s2]]η : [[M]](x1) = 1],P[(x1, x2)←[[s1, s2]]η : [[M]](x2) = 1])
= min(P[x_{1} ←[[s_{1}]]_{η} : [[M]](x_{1}) = 1],P[x_{2}←[[s_{2}]]_{η} : [[M]](x_{2}) = 1])
≤ min((s1, η), (s2, η))
Ifs={u}^{r}_{v} and vis not a valid key or ifsis a projection of a term which is not a pair, or if sis a decryptoin of a term which is not a ciphertext, then [[s]]_{η} is always⊥, by definition, hence [[M]](x) = 0 (for all x∈[[s]]_{η}).
Finally, if s=D({t}^{r}_{k}
1, k2), if{t}^{r}_{k}
1 is not inM^{I}, we are back to the previous computation.
Assume now that {t}^{r}_{k}
1 ∈ M^{I} and therefore that k_{2} 6= k_{1}. Then, by definition of confusion freeness,(s, η) =ν(η)
Next, [[EQ]](x, y) is defined as [[M]](x)∧[[M]](y)∧x=y, which is implementable, asM^{A} is implementable.
Now there are several symmetric encryption schemes that are proved to ensure confusion freeness. Typically, the encryption schemes that satisfy, additionally to INDCPA, some in tegrity properties. A discussion and constructions on such authenticated encryption schemes can be found in [54].
The converse of theorem 13.2 follows then from the theorem 13.3 and the implementability of EK, EL, which is satisfied by some (but not all) INDCPA encryption schemes.
Exercice 66
Given an INDCPA encryption scheme, construct another INDCPA encryption scheme for which the predicatesEK and ELare implementable.
Exercice 67
We extend here the definition of the computational interpretation of terms to terms that may contain decryption symbols. [[dec(s, t)]]^{τ}_{η} is defined by:
1. draw all names occurring in s, tand not inDom(τ),