Selective-Opening Security for Public-Key Encryption in the Presence of Parameter Subversion

Shanghai Key Laboratory of Trustworthy Computing, East China Normal University, Shanghai 200062, China Guangxi Key Laboratory of Cryptography and Information Security, Guilin, Guangxi 541000, China Engineering Research Center of Software/Hardware Co-Design Technology and Application, Ministry of Education, East China Normal University, Shanghai 200062, China Peng Cheng Laboratory, Shenzhen 518000, China


Introduction
Public-key encryption (PKE) is a fundamental cryptographic primitive to achieve confidential communication from a sender to a receiver [1]. Traditional security requirement of PKE is indistinguishability under chosen plaintext/ciphertext attack (IND-CPA/CCA) security and only considers the single sender case, i.e., the communication is between a single sender and a single receiver. Whereas, many application scenarios, e.g., secure multiparty computation, secret sharing, cloud computing, are often multisender case [1][2][3][4][5][6].
ese scenarios usually require a set of senders to generate their own messages (possibly correlated) encrypted with the same receiver's public key and may suffer from some special attacks. One of the mostly studied attacks is selective opening attacks (SOA) [7][8][9][10][11][12][13][14][15][16][17][18], in which an attacker may corrupt a subset of the senders to open their ciphertexts as well as the corresponding random bits used in the encryption algorithm. Under such an attack, the requirement to guarantee the security of the unopened ciphertexts is beyond the capability of traditional IND-CPA/CCA security [14,15,19]. SOA security [7] is a commonly secure property to capture the above attack.
Commonly, the security of PKE schemes depends on some honestly generated public system parameters, e.g., security parameter, primes, elliptic curves, and common reference string [20][21][22][23][24]. In fact, public system parameters are often specified in some standards [20,23], e.g., NIST FIPS 186-4 (2013) [25,26]. It is timesaving for the implementations of PKE systems to use the public system parameters. However, recent research results show that PKE schemes may suffer from parameter subversion attacks (PSA) which allow adversaries to fully control the public system parameters [20,23,[27][28][29][30][31] and hence compromise the security of the corresponding PKE schemes. For instance, the elliptic curve cryptosystem specified in NIST FIPS 186-4 standard has been analyzed to be insecure due to the malicious manipulation of the elliptic curves [23]. us, PKE schemes resistant to PSA should be developed. at is, a PKE scheme should provide usual security with trusted system parameters, but retain as much security as possible when the parameters are maliciously generated.
1.1. Related Work. SOA security was originally discussed by Dwork et al. [17] and first formalized by Bellare et al. [7]. In [7], SOA security was further classified into simulationbased SOA security (SIM-SO security) and the indistinguishability-based SOA security (IND-SO security) [7]. e formal requires that there exists a simulator which can compute the same output as the adversary without ever seeing any ciphertext at all. For IND-SO security, it requires that any adversary who is given a vector of ciphertexts and an opened subset of these ciphertexts cannot distinguish the unopened messages from fresh messages which are resampled from a message distribution [7]. According to whether a condition of the message distribution for the fresh messages is needed, there are weak IND-SO security where the message distribution is efficiently conditionally resamplable and full IND-SO security where the message distribution is an arbitrary one [14]. At present, few full IND-SO secure schemes are proposed. In the following, when we mention IND-SO security, it refers to the weak one. In [7], Bellare et al. showed that SIM-SO security is stronger than the weak IND-SO security. Whereas, it is showed that SIM-SO security is significantly harder to achieve [11,18]. us, in this paper, we focus on the IND-SO security. e existing PKE schemes which satisfy IND-SO security are realized based on lossy trapdoor function (LTF) which is firstly studied in [32] and originally motivated to construct PKE schemes secure against CCA attacks. e primal LTFs in [32] are all-but-one LTFs (ABO-LFT) and only suite for the settings in which there is no more than one challenge ciphertext. PKE schemes secure against SOA usually involve multiple challenge ciphertexts. All-but-N LTF (ABN-LTF) [16] allows N challenge ciphertexts. However, N has to be fixed at the construction time. In SOA security, an adversary may observe many ciphertexts (arbitrary number of challenge ciphertexts) and may open arbitrary number of them. All-but-many LTF (ABM-LTF) introduced by Hofheinz [33] could be viewed as a generalization of both ABO-LFT and ABN-LTF and may meet the above requirement.
Beside the SOA, PKE schemes also suffer from PSA. Such an attack is initially studied in [20,21]. In [20], the security notion called indistinguishable encryptions under parameter subversion attacks (IND-PSA) is introduced to capture PSA, which guarantees that even though the public system parameter of a PKE scheme is chosen maliciously, the resulting ciphertext should be indistinguishable [20]. Based on a security tool referred to as an efficient embedding group (EG), a PKE scheme satisfying IND-PSA is proposed as well. Whereas, their scheme was only considered in the single sender case. In other words, the construction of the PKE scheme secure against the PSA in SOA setting is out of their consideration.

Our Contributions.
Although there are already some research results for the SOA and PSA, so far, they are only considered separately. Our aim is to construct a PKE scheme secure against both of these attacks simultaneously.
To achieve this goal, we formalize a new security notion called indistinguishability under selective opening attacks and parameter subversion attacks (IND-SO-PSA). IND-SO-PSA security captures indistinguishability under parameter subversion attacks, selective opening attacks, and chosen ciphertext attacks. It guarantees that even though the system parameter of the PKE scheme is chosen maliciously and the adversary is allowed to open a subset of the challenge ciphertexts (i.e., seeing the corresponding plaintexts and randomness used during the encryption), the remainder of the plaintexts should be indistinguishable from freshly resampled ones.
PKE achieving IND-SO security and PKE satisfying IND-PSA are now independently realized based on ABM-LTFs and EGs, respectively. However, the existing ABM-LTFs are only designed for PKE secure against SOA and not applicable for the construction of a PKE scheme secure against PSA. On the contrary, it seems that it is not a trivial task to extend existing EGs to prevent SOA. erefore, it would be interesting if we can merge these two tools so that the SOA and PSA can be prevented simultaneously. In order to achieve this intention, we define the lossy trapdoor function and all-but-many lossy trapdoor function in the presence of PSA (LTF-PSA and ABM-LTF-PSA correspondingly) and propose an instantiation with the efficiently-embeddable group (EG). With these new primitives and instantiation, we construct a novel PKE scheme that is proven to satisfy the IND-SO-PSA security.

Paper Organization.
e rest of this paper is organized as follows. Some preliminaries are given in Section 2. e definitions of LTF-PSA and ABM-LTF-PSA primitives and security model of IND-SO-PSA are stated in Section 3. In Section 4, we propose the instantiation of ABM-LTF-PSA from an efficiently-embeddable group family. LTF-PSA can be similarly instantiated. Based on the newly constructed LTF-PSA and ABM-LTF-PSA, we construct a new PKE scheme and prove its security in Section 5 and Section 6, respectively. Section 7 is the conclusion.

Notions and Definitions.
roughout this paper, we use k to denote the security parameter. Let X be a finite set and A be an algorithm. We denote by x⟵ $ X the random selection of an element x from X and by y⟵ $ A(x 1 , . . . ; r) the running of algorithm A with inputs (x 1 , . . . ; r) and output y. If a probabilistic algorithm's running time is polynomial in k, we call it probabilistic polynomial-time (PPT). For a string α, we denote by |α| the bit length of α. For a nonnegative integer n, we denote by [n] the set 1, . . . , n { }.
Assume x � (x (1) , . . . , x (n) ) is an n-array vector, we denote by x (i) its ith component and by |x| its length. Define X n×n to be an n × n matrix, Rank(X) to be the rank of X, X T to be the transpose of X, and X i,j is the element of ith row and jth column, 1 ≤ i and j ≤ n. For two n × n matrixes A and B, let (A|B) (i.e., an n × 2n matrix) be the concatenation of A and B.
Let G be an embedding cyclic group generated by generator g with order q. Given an n × n matrix X for X i,j ∈ Z q , the operation Y � g X is defined by computing Y i,j � g X i,j and setting the matrix Y to be (Y i,j ) n×n . For two random variables X and Y over finite set S, their statistical distance is Definition 1 (universal hash function). Let l 1 � l 1 (k), l 2 � l 2 (k) and l 3 � l 3 (k). A family of functions UHF s : Lemma 1 (adapted from [34]). Let X and Y are random variables such that X ∈ 0, 1 { } l 1 and the average min-entropy of X given Y is at last k. Let UHF s : 0, 1 Definition 3 (efficiently re-sampling). Let n � n(k) and D be a joint distribution over ( 0, 1 { } k ) n . We say that D is efficiently re-sampling if there is an algorithm Resamp D such that, for any I ⊆ [n] and any partial vector

Efficiently-Embeddable Group
Family. An efficientlyembeddable group family EG � (EG.P, EG.G, EG.S, EG.E, EG.I) consists of following algorithms [20]. Parameter generation algorithm EG.P(1 k ) inputs the security parameter k and returns a public system parameter π. Group generation algorithm EG.G(1 k , π) inputs k and π and returns a tuple G � (G, q, g), where G is a cyclic group of prime order q and g is a generator of G. Sampling algorithm EG.S(1 k , π, G) is used to sample exponents for the group generator. It returns an exponent y ∈ Z q . Embedding algorithm EG.E(1 k , π, G, g y ) is used to embed group elements into EG.ES(k, π), where EG.ES(k, π) is a finite set called the embedding space [20]. at is, the output σ ⟵ $ EG.E(1 k , π, G, g y ) (i.e., an embedding) is in EG.ES(k, π). For such a construction, refer to [20] for the details. Inversion algorithm EG.I(1 k , π,G, σ) is a deterministic algorithm which is used to invert the embedding. It returns ψ⟵EG.
As noted in [20], EG � (EG.P, EG.G, EG.S, EG.E, EG.I) should satisfy the embedding pseudorandomness under parameter subversion attack (EPR-PSA). We review the definition of it below: Definition 4 (embedding pseudorandomness [20]). EG holds embedding pseudorandomness under parameter subversion attack, if for any PPT adversary A against EG, A's advantage We note that, in G EPR−PSA EG,A (k), A may query the INIT oracle for only once with a parameter π * chosen by himself. For a randomly-chosen coin b⟵ $ 0, 1 { } chosen by C, A wins the game, if he can distinguish σ * is generated by running algorithms EG.S and EG.E, or sampled uniformly from the embedding space EG.ES(k, π * ). In other words, A wins the game, if its guess b ′ is equal to b.

Public-Key Encryption.
Let M be a message space, C be a ciphertext space, PK be a public key space, SK be a secret key space, and R be a randomness space. A public-key encryption (PKE) scheme PKE � (PKE.P, PKE.Kg, PKE.Enc, PKE.Dec) consists of following algorithms. e parameter generation algorithm PKE.P takes as input 1 k and returns a public system parameter π. e key generation algorithm PKE.Kg takes as input 1 k , π and returns a pair of public key and a secret key (pk, sk) ∈ PK × SK.
e encryption algorithm PKE.Enc takes as input (1 k , π, pk, m; r) to encrypt a message m ∈ M under pk, π and randomness r ∈ R, and outputs a ciphertext c ∈ C. e decryption algorithm PKE.Dec is a deterministic algorithm. It takes as input (1 k , π, sk, c) and outputs a message m or an error symbol ⊥ which means the ciphertext is invalid. We require that, for all m ∈ M and (pk, sk) ∈ PK × SK, it holds that PKE.Dec(1 k , π, sk, (PKE.Enc(1 k , π, pk, m; r)) � m. e above definition of PKE is suitable for single user (single message) encryption. In this paper, we consider the public-key encryption scheme in selective opening scenarios, i.e., the encryption in multiuser settings (multiple messages). We have to use the notion of vector-valued encryption [1,35,36].
To capture parameter subversion attacks, Auerbach et al. [20] formulated a new security notion called indistinguishability under parameter subversion attack (IND-PSA). IND-PSA is a different security notion from traditional IND-CCA security and guarantees that the ciphertexts are indistinguishable even when the system parameter is generated maliciously. We introduce the IND-PSA security below.
Definition 5 (IND-PSA security [20]). PKE holds indistinguishability under parameter subversion attack, if for any PPT adversary A against PKE, A's advantage of winning the security game In game G IND−PSA PKE,A (k), the challenger C will toss a coin to determine a challenge bit b ∈ 0, 1 { }. en, A may query INIT oracle with a system parameter π * chosen by himself to initialize a public-private key pair, and the public key pk is returned to A. e ENC oracle may be queried with two challenge plaintexts m 0 , m 1 (|m 0 | � |m 1 |) and return the challenge ciphertext c * to A. If b � 0, c * is an encryption for m 0 ; otherwise, it is the encryption for m 1 . e DEC oracle is not allowed for the challenge ciphertext c * . We note that the INIT and ENC oracle can be queried for only once. Given the public key and challenge ciphertext, A outputs a guess bit b ′ . If b ′ � b, we say A wins the game, and the game will output 1 in this case. e standard IND-CCA security of the public-key encryption scheme also does not generalize the security under selective opening attacks. To capture the security of the public-key encryption scheme under the selective opening attacks, new security notion called indistinguishability against selective opening attacks and chosen ciphertext attack (IND-SO-CCA) is proposed [16]. IND-SO-CCA security guarantees that any adversary cannot distinguish the messages corresponding to the unopened ciphertexts from a freshly re-sampled one according to a re-samplable distribution D conditioned on the opened messages. We introduce the IND-SO-CCA security below.
Definition 6 (IND-SO-CCA security [20]). PKE holds indistinguishability against selective opening attacks and chosen ciphertext attacks (IND-SO-CCA), if for any PPT adversary A against PKE, A's advantage of winning the security game Figure 4 is negligible.
At the beginning of the game G IND−SO−CCA PKE,A (k), the challenger C firstly tosses a coin to determine a challenge bit b ∈ 0, 1 { }. en, A firstly queries the INIT oracle. C will run the algorithms PKE.P and PKE.Kg to generate the public system parameter π and public-secret key pair (pk, sk) correspondingly and returns the public key pk to A. A will output a message distribution D as well as a re-sampling algorithm ReSamp D to C after adaptively querying the DEC oracle. Subsequently, C uniformly samples a message vector m 0 from D and a randomness vector r � (r (i) ) i∈[n] from a randomness space (R) n . C returns the challenge ciphertext c � (c (i) ) i∈[n] to A. After receiving c, A adaptively queries the DEC oracle and chooses an arbitrary subset I ⊆ [n] to indicate which ciphertexts he wants to open. I is given to C. Notice that any element of the challenge ciphertext c is not allowed for DEC oracle. After receiving I, C will re-sample a message m 1 we say A wins the game, and the game will output 1 in this case.

Chameleon Hash Function.
A chameleon hash function CHF � (CHF.Kg, CHF.Eval, CHF.Equ) with domain CHF.Dom consists of the following algorithms.
e key generation algorithm CHF.Kg takes as input 1 k and outputs a public key pk chf and a trapdoor td chf . e evaluation algorithm CHF.Eval(pk chf , x; R) takes as input a public key pk chf , a preimage x ∈ CHF.Dom, and a randomness R ∈ R chf where R chf is the randomness space of CHF and returns an image y � CHF.Eval(pk chf , x; R) ∈ CHF.Ran, where CHF.Ran is the range of CHF. e equivocation algorithm CHF.Equ(td chf , x, x ′ ; R) takes a trapdoor td chf , R, x, and x ′ as input and outputs a randomness R ′ ∈ R chf such that CHF.Eval(pk chf , x; R) � CHF.Eval (pk chf , x ′ ; R ′ ). We require that, for any x, x ′ ∈ CHF.Dom, if R is uniformly distributed, then so is R ′ ∈ R chf . A secure chameleon hash function CHF � (CHF.Kg, CHF.Eval, CHF.Equ) should satisfy the collision resistance property, which is introduced below.
Collision Resistance. Given a public key pk chf , it is difficult for any PPT adversary to find ( Moreover, for any LTF, the following property requirements should be satisfied.

Lossiness. A lossy trapdoor function is
Indistinguishability. Let A be any PPT adversary against LTF. LTF holds indistinguishability if A cannot distinguish the injective evaluation key ek from the lossy evaluation key lk, i.e., A's advantage  is negligible, where (ek, ik)⟵ $ LTF.IKg(1 k ) and lk⟵ $ LTF.LKg(1 k ).

All-but-Many Lossy Trapdoor Function.
We now recall the definition of all-but-many lossy trapdoor function (ABM-LTF) which is originally introduced by Hofheinz [33]. In the following definition, we keep the same mechanism of tags as in [33]. In other words, each tag of ABM-LTF consists of two parts: the core part which is also called the primary part, and the auxiliary part which is commonly a random string. In addition, we note that we maintain the same definition of tag space introduced in [34]. at is, the tag space of ABM-LTF is divided into three disjoint subsets: a lossy tag set, an injective tag set, and an invalid tag set. We will give the concrete definition of ABM-LTF in the following. An all-but-many lossy trapdoor function ABM.LTF � (ABM.Kg, ABM.Eval, ABM.Inv, ABM.LTg) with domain ABM.Dom consists of the following algorithms.
(i) ABM.Kg(1 k ): this is a key generation algorithm. On input 1 k , it outputs an injective evaluation key ek abm , an inversion key ik abm , and a tag key tk abm .
With the evaluation key ek abm , we define a set T � T p × T a which is a tag space. We note that the tag space T consists of three disjoint sets: the lossy tags T los , the injective tags T inj , and the invalid tags T inv . It is easy to find that each of them is a subset of T, i.e., T los ⊆ T, T inj ⊆ T and T inv ⊆ T. Each tag is defined in the term of t � (t p , t a ), where t p ∈ T p is the core part and t a ∈ T a is the auxiliary part.
(ii) ABM.Eval(ek abm , t, x): this is the evaluation algorithm. It takes the evaluation key ek abm , the tag t, and a preimage x ∈ ABM.Dom as input and returns y � ABM.Eval(ek abm , t, x) ∈ ABM.Ran, where ABM.Dom and ABM.Ran denote the domain and the range of ABM.LTF, respectively. (iii) ABM.Inv(ik abm , t, y): this is the inversion algorithm. It takes an inversion key ik abm , a tag t, and an image y as input and outputs x ∈ ABM.Dom. (iv) ABM.LTg(tk abm ): this is the lossy tag generation algorithm. It takes the tag key tk abm as input and outputs a lossy tag t � (t p , t a ).
Moreover, for any ABM-LTF, the following property requirements should be satisfied.
is property is also referred to as invertibility.
Lossiness. ABM.LTF is l-lossy if the size of the image set ABM.Eval(ek abm , t, ABM.Dom) is at most |ABM.Dom|/2 l , for all possible (ek abm , ik abm , tk abm )⟵ $ ABM.Kg(1 k ) and lossy tag t ∈ T los . l is called the lossiness of ABM.LTF.
Indistinguishability. Let A be any PPT adversary against ABM.LTF. ABM.LTF holds the indistinguishability between multiple lossy tags and random tags if A's advantage is negligible, where (ek abm , tk abm )⟵ $ ABM.Kg(1 k ). e call to oracle ABM.LTg(tk abm , ·) returns a lossy tag, and O T (·) is a random oracle which returns a uniform and independent tag from T.

Evasiveness.
is property requires that it is hard to compute noninjective tags for any adversary, even though it has been given multiple lossy tags. Let A be any PPT adversary against ABM.LTF. ABM.LTF holds the evasiveness if A's advantage is negligible, where (ek abm , tk abm )⟵ $ ABM.Kg(1 k ), and the oracle O(·) is queried by A with input t which returns the answers "lossy/invalid" and "injective" which indicate the type of t.

Definitions of New Primitives and IND-SO-PSA Security
In this section, for both LTF and ABM-LTF, we extend their definitions to the PSA setting. We introduce the primitive of (i) LTF.P ′ (1 k ): this is the system parameter generation algorithm. On input 1 k , it outputs a system parameter π. (ii) LTF.IKg ′ (1 k , π): this is the injective key generation algorithm. On input 1 k and π, it outputs an injective evaluation key ek ′ and a inversion key ik ′ for an injective function. (iii) LTF. LKg ′ (1 k , π): this is the lossy key generation algorithm. On input 1 k and π, it outputs a lossy evaluation key lk ′ for a lossy function. In this case, there is no inversion key. (iv) LTF.Eval ′ (ek ′ , x): this is the evaluation algorithm.
It takes the evaluation key ek ′ and a preimage x ∈ LTF.Dom ′ as input and returns an image y � LTF.Eval ′ (ek ′ , x) ∈ LTF.Ran ′ , where LTF.Dom ′ and LTF.Ran ′ denote the domain and range of LTF ′ , respectively.
(v) LTF.Inv ′ (ik ′ , y): this is the inversion algorithm. It takes as input the inversion key ik ′ and an image y ∈ LTF.Ran ′ and outputs x ∈ LTF.Dom ′ .
In the following, we will give the formal definitions of security requirements for LTF ′ . e correctness and lossiness are almost the same as that of LTF. In particular, we introduce the notions of indistinguishability under PSA (IND-PSA2) for LTF ′ .
Indistinguishability under PSA. Let A be any PPT adversary against LTF ′ . LTF ′ holds indistinguishability under PSA if A cannot distinguish of the injective evaluation key ek ′ from the lossy evaluation key lk ′ , i.e., A's advantage is negligible, where (ek ′ , ik ′ )⟵ $ LTF.LKg ′ (1 k , π * ) and lk ′ ⟵ $ LTF.IKg ′ (1 k , π * ), where π * is chosen by A rather than from the LTF.P ′ algorithm. Lossiness. A lossy trapdoor function is l-lossy if for all possible π⟵ $ LTF.P ′ (1 k ) and lk ′ ⟵ $ LTF. LKg ′ (1 k , π), the image set LTF.Eval ′ (lk ′ , LTF.Dom ′ ) is of size at most |LTF.Dom ′ |/2 l . (i) ABM.P ′ (1 k ): this is the system parameter generation algorithm. On input 1 k , it outputs a system parameter π. (ii) ABM. Kg ′ (1 k , π): on input 1 k and π, it outputs an injective evaluation key ek abm ′ , an inversion key ik abm ′ , and a tag key tk abm ′ . We note that it has the tag space T ′ � T inj ′ × T los ′ × T inv ′ . Similar to that of ABM.LTF, the term of each tag for ABM.LTF ′ is also as t ′ � (t p ′ , t a ′ ), where t p ′ ∈ T p ′ is the core part and t a ′ ∈ T a ′ is the auxiliary part. We give the formal definitions of security requirements for the all-but-many lossy trapdoor function in the presence of PSA in the following. e correctness and lossiness are almost the same as that of ABM.LTF. In particular, we introduce the notions of indistinguishability under PSA (IND-PSA3) and evasiveness under PSA (EVA-PSA) for ABM.LTF′.
is property is also referred to as invertibility.
Indistinguishability under PSA. Let A be any PPT adversary against ABM.LTF ′ . We say ABM.LTF ′ holds the indistinguishability under PSA between multiple lossy tags and random tags if A's the advantage Security and Communication Networks is negligible, where (ek abm ′ , tk abm ′ )⟵ $ ABM.Kg ′ (1 k , π * ), π * is chosen by A rather than from the ABM.P ′ algorithm. e call to oracle ABM.LTg ′ (tk abm ′ ,·) returns a lossy tag, and O T′ (·) is a random oracle returns a uniform and independent tag from T ′ .
Evasiveness under PSA. is property requires that it is hard to compute noninjective tags for any adversary, even though it has been given multiple lossy tags. Let A be any PPT adversary against ABM.LTF ′ . ABM.LTF ′ holds the evasiveness under PSA if A's advantage is negligible, where (ek abm ′ , tk abm ′ )⟵ $ ABM.Kg ′ (1 k , π * ), π * is chosen by A itself. e oracle O(·) is queried by A with input t ′ which returns the answers "lossy/invalid" and "injective" which indicate the type of t ′ . (k), the challenger C firstly tosses a coin to determine a challenge bit b ∈ 0, 1 { }. en, A firstly queries the INIT oracle with the public system parameter π * chosen by himself. C runs the algorithm PKE.Kg to generate public-secret key pair (pk, sk). pk is given to the adversary A. A will output a message distribution D as well as a re-sampling algorithm ReSamp D after adaptively querying the DEC oracle. Subsequently, C samples uniformly a message vector m 0 from D and a randomness vector r � (r (i) ) i∈[n] from a randomness space (R) n . C returns the challenge ciphertext c � (c (i) ) i∈ [n] to A. After receiving c, A adaptively queries the DEC oracle and chooses an arbitrary subset I ⊆ [n] to indicate which ciphertexts he wants to open. I is given to C. Notice that any element of the challenge ciphertext c is not allowed for DEC oracle. After receiving I, C will re-sample a message m 1 ⟵ $ Resamp D (m I ) conditioned on the (m (i) ) i∈I of m 0 . C will send (m b , (m (i) , r (i) ) i∈ [I] ) to A. Finally, A outputs a guess bit b ′ , and if b ′ � b, we say A wins the game, and the game will output 1 in this case.

Construction of ABM-LTF-PSA
In this section, based on the embeddable group that was introduced by Auerbach et al. in [20], we construct an ABM-LTF-PSA and prove that it satisfies the IND-PSA3 as well as the EVA-PSA without the random oracle. e formal guarantees that a lossy tag is computationally indistinguishable from a random one, even when the adversary is given access to the lossy tag generation oracle and could choose the system parameter by himself. e latter prevents the adversary who could choose the system parameter by himself from generating lossy tags. We note that ABM-LTF-PSA can be seen as a generic LTF-PSA, which means that it could be used as LTF-PSA. On the contrary, LTF-PSA could be constructed with the same way as the construction of ABM-LTF-PSA. us, we will not reconsider the instantiation of LTF-PSA here.

ABM-LTF-PSA from Embeddable Group Family.
Let CHF � (CHF.Kg, CHF.Eval, CHF.Equ) be a chameleon hash function, H 1 : G ⟶ 0, 1 { } * be a hash function, and EG � (EG.P, EG.G, EG.S, EG.E, EG.I) be an embeddable group family (we have recalled in the Section 2.2) [20]. We assume that the multiplication and addition operations hold on EG.ES. In addition, we note that the algorithm EG.E of EG is deterministic as the instantiations of EG in [20]. An ABM-LTF-PSA based on the embeddable group family is a tuple of algorithms ABM.LTF ′ � (ABM.P ′ , ABM.Kg ′ , ABM.Eval ′ , ABM.Inv ′ , ABM.LTg ′ ) that specified as following.
(i) ABM.P ′ (1 k ): taking as input the security parameter k, it runs the EG.P(1 k ) algorithm of EG to generate a system parameter π. (ii) ABM. Kg ′ (1 k , π): the key generation algorithm does the following steps: (1) Generate a public key pk chf and the corresponding trapdoor td chf of the CHF using 8
We note that k should be kept secret and k ′ could be public.
Sample a matrix H n×n from the embedding space EG.ES(k, π), and we use h i to denote the ith row of H. (8) Set the public evaluation key ek abm ′ � (C, E 1 , E 2 , pk chf , k ′ , s, H, G), private inversion key ik abm ′ � (C, S 1 , S 2 , k, s, H, G), and lossy tag generation key tk abm ′ � (E 3 , k, s, H, td chf , G).
We say that t ′ is an injective tag if the rank of matrix U is n, i.e., Rank(U) � n; else, if U � 0, we say that t ′ is a lossy tag; particularly, if the rank of matrix U is out of the above two cases, i.e., Rank(U) ≠ n and Rank(U) ≠ 0, we say that t ′ is an invalid tag.
(vi) ABM.LTg ′ (tk abm ′ ): the lossy tag generation algorithm is given the lossy tag generation key tk abm ′ . It does the following steps to compute a lossy tag t ′ � (t p ′ , t a ′ ): (1) Randomly choose a tag t ′ � ((D, R chf ), t a ′ ) ∈ T ′ , and then, compute the value φ � CHF.Eval(pk chf , (D, t a ′ ), R chf ). (2) Solve for an appropriate n × n matrix D ∈ EG.ES(k, π) n×n such that the equation and output a tag t ′ � ((D, R chf ), t a ′ ). It is easy to check that the tag t ′ output by this algorithm is indeed a lossy one.
Correctness. We note that the correctness of the above ABM-LTF-PSA instantiation holds due to the following equation: Lossiness. For any lossy tag t ′ ∈ T los ′ in the above ABM-LTF-PSA instantiation, we note that its lossiness l � log 2 (q n /(n 2 |EG.ES(k, π)|)). When t ′ ∈ T los ′ , the matrix U is equal to 0, i.e., U � 0, we have at most n 2 possible values of M � (E|U) ∈ EG.ES(k, π) n×2n . us, the image set ABM.Eval ′ (ek abm ′ , t ′ , ABM.Dom ′ ) has size n 2 |EG.ES(k, π)|. Meanwhile, the size of domain ABM.Dom ′ of the ABM.Eval ′ is q n because the preimage of ABM.LTF ′ is x ∈ Z 1×n q . According to the definition of lossiness for ABM.LTF ′ , we could obtain the lossiness of the above construction is l � log 2 (q n /(n 2 |EG.ES(k, π)|)).

Proofs of Security
Lemma 2. Let n is polynomial in k and q is exponential in the security parameter k. A matrix X randomly sampled from Z n×n q will have Rank(X) � n with all but negligible probability in k. Proof.
e probability of Rank(X) � n is equal to the probability that n columns of X are linearly independent.
is means that there are q n − 1 possibilities (i.e., the zero vector is removed) for the sample of the first column vector. For the sample of the second column vector, there are q n − q possibilities (i.e., the q vectors linearly dependent on the first vector should be removed). e rest may be deduced by analogy. us, the probability of Rank(X) � n is where func(k) is a function satisfying that 0 < func (k) ≤ n(1 + 1/q + · · · + 1/q n ). Because q is exponential in k, (1/q)func(k) is negligible in k. So, we could finally obtain that this probability is overwhelming.
Proof. We proceed with the proof by describing a sequence of games, i.e., Game 1 to Game 3. Let S i be the event that the output of adversary A is 1 in Game i. In Game 1, all algorithms work exactly the same as the real scheme. A interacts with ABM.LTg ′ (tk abm ′ , ·), and the algorithm outputs lossy tags for adversary A. We emphasis that the system parameter π * involved in this game is chosen by A. So, we obtain In Game 2, we modify the way of generating the public evaluation key ek abm ′ � (C, E 1 , E 2 , pk chf , k ′ , s, H, G). Specially, we choose the matrixes E 1 and E 2 and the vector k ′ uniformly at random from EG.ES(k, π * ). Since E 1 , E 2 , and k ′ do not influence the output distribution of ABM.LTg ′ , by the EPR-PSA assumption of EG, this modification will not be noticed by A. So, for an EPR-PSA adversary A 1 , we obtain In Game 3, the proceeding of algorithm ABM.LTg ′ is changed. Particularly, in the 2nd step of algorithm ABM.LTg ′ , we randomly select a matrix F⟵ $ EG.ES(k, π * ) n×n instead of computing a matrix F � (f 1 , f 2 , . . . , f n ) T , in which f i � PRF(κ (i) , UHF s (φ)) · h i with uniformly random φ for 1 ≤ i ≤ n, as in Game 2. According to the PRF security (defined in Figure 1) of the pseudorandom function, for a PPT adversary A 2 against PRF, we could obtain On the contrary, in Game 3, the matrix D of t p ′ is the solution of equation DE 3 � F mod q with random F. If the rank of matrix E 3 is n, then D will be random. According to Lemma 2 (same result holds for EG.ES(k, π) n×n ), we indeed have Rank(E 3 ) � n. is means that D is random. us, we could obtain result that the primary part t p ′ � (D, R chf ) of tag t ′ is random. erefore, all tags generated in Game 3 are random tags. So, we obtain Summing up, we find that the advantage Proof. We proceed with the proof by describing a sequence of games, Game 1 to Game 4. Let S i be the event that the output of adversary A is a lossy or invalid tag in Game i. We consider the following two types of tags output by A. Specifically, for a tag t ′ � ((D * , R * chf ), t ′ * a ), (i) Type 1: if φ * � CHF.Eval(pk chf , (D * , t ′ * a ); R * chf ) is also the chameleon hash output of some previously generated tag, then we refer to t ′ � ((D * , R * chf ), t ′ * a ) as a Type 1 tag. (ii) Type 2: if φ * � CHF.Eval(pk chf , (D * , t ′ * a ); R * chf ) is not the chameleon hash output of any previously generated tag, then we refer to t ′ � ((D * , R * chf ), t ′ * a ) as a Type 2 tag.
We make an assumption, without loss of generality, that A obtains n � n(k) lossy tags by querying the ABM.LTg ′ (tk abm ′ ) oracle. Let (t i ′ ) i∈[n] � ((D i , R chf i ), t ai ′ ) i∈[n] denote these lossy tags. en, A adaptively comes up with n ′ � n ′ (k) tags (t ′ * i ) i∈[n′] � ((D * i , R * chfi ), t ′ * ai ) i∈ [n′] by querying the oracle O T′ and gets answers "invalid" or "injective." In Game 1, all algorithms work exactly the same as the real scheme. In particular, we note that the system parameter π * involved in this game is chosen by A. So, we have Adv EVA−PSA ABM.LTF′,A (k) � Pr S 1 .
In Game 2, we modify the way of generating the public evaluation key ek abm ′ � (C, E 1 , E 2 , pk chf , k ′ , s, H, G). Specially, we choose the matrixes E 1 and E 2 and the vector k ′ uniformly at random from EG.ES(k, π * ). Since E 1 , E 2 , and k ′ do not influence the output distribution of ABM.LTg ′ , by the EPR-PSA assumption of EG, this modification will not be noticed by A. So, for an EPR-PSA adversary A 1 , we obtain Pr S 2 − Pr S 1 ≤ 2n 2 + n Adv EPR−PSA EG,A 1 (k).
In Game 3, we change the algorithm ABM.LTg ′ . In particular, in the 2nd step of ABM.LTg ′ , we randomly select a matrix F⟵ $ EG.ES(k, π * ) n×n for any φ, instead of computing a matrix F � (f 1 , f 2 , . . . , f n ) T , in which f i � PRF(κ (i) , UHF s (φ)) · h i . For all queries (t ′ * i ) i∈ [n′] to the O T′ oracle, we return the answer "injective." In the following context, we will use the mathematical methods of induction to prove that the distinguishability of Game 2 and Game 3 implies that there is an adversary A 2 against the pseudorandom function PRF.
In Game 4, the trapdoor td chf ′ of chameleon hash function CHF is not available. Each primary part of tag t ′ is sampled uniformly at random, i.e., (D, R chf )⟵ $ (EG.ES(k, π * ) n×n × R chf ).
us, it holds that Pr[S 4 ] � Pr[S 3 ]. In addition, for any fresh φ, we randomly select a matrix F⟵ $ EG.ES(k, π * ) n×n , that is, there is not an adversary that will output Type 2 tags with at most a negligible probability neg 2 (k), so we could get Pr[S 4 , 2] ≤ neg 2 (k). e Type 1 outputs will break the collision resistance of the chameleon hash function CHF, so we have Pr[S 4 , 1] ≤ Adv COLL A 3 (k) for some adversary A 3 . erefore, we could obtain Pr[S 4 ] ≤ neg 2 (k)+ Adv COLL CHF,A 3 (k). Summing up, let neg(k) � neg 1 (k) + neg 2 (k), and we find that the advantage of adversary A is