A Posteriori Openable Public Key Encryption

. We present a public key encryption primitive called A Pos-teriori Openable Public Key Encryption ( APO-PKE ). In addition to conventional properties of public key cryptosystems, our primitive allows each user, who has encrypted messages using diﬀerent public keys, to create a special decryption key. A user can give this key to a judge to open all messages that have been encrypted in a chosen time interval with the public keys of the receivers. We provide a generic eﬃcient construction, in the sense that the complexity of the special key generation algorithm and this key size are independent of the number of ciphertexts. We give security models for our primitive against chosen plaintext attack and analyze its security in the random oracle model.


Introduction
Since the emergence of the Internet, email communication is accessible to anyone.Email privacy is an important computer security topic.Without public key encryption schemes, plaintext messages are sent and stored by the mail server without any protection.Fortunately, there exist many straightforward to use softwares that allow everyone to encrypt and sign emails using public key cryptography, such as the well known GnuPG 3 tool.Unfortunately, these softwares are rarely used [27], consequently encrypted emails may be considered as a suspect behavior.Hence as P. Zimmermann, the designer of PGP, said:"If privacy is outlawed, only outlaws will have privacy".We hope that in a near future everybody can privately exchange emails.Then our motivation is based on the following scenario, where Alice is implied in a court case.To find some clues, the judge needs to read emails that Alice has sent during a specified time period.The judge uses his power to obtain from Alice's email server all emails sent by Alice (including dates of dispatch and receiver identities).If the messages are not encrypted then the judge can read emails without relation to the investigation, which is a privacy violation.On the other hand, if messages are encrypted with the receiver public key then the judge can suspect Alice to hide crucial information for the investigation.Moreover, without the receivers' private keys, Alice has no solution to prove her innocence and cannot reveal his correspondence to the judge.
To solve this problem, Alice needs a mechanism to give to the judge a possibility to open all messages sent during a specified time period.Using our solution Alice can construct such a special key called an interval-key.With this key, the judge can only read the encrypted messages sent during this specific interval of time, because this key does not allow him to open other encrypted messages stored on the email server.Nowadays, to the best of our knowledge, there is no efficient cryptographic solution that offers such functionality to the users.The goal of this paper is to propose a practical and efficient solution to this problem.
In many public key cryptosystems, when a ciphertext is generated, it is possible to create a special key that allows a person to decrypt it, without knowing the corresponding secret key.For example, in ElGamal [13], C = (C 1 , C 2 ) = (g r , g x•r • m) is the ciphertext of the message m with the public key g x and a random element r (for g a generator of G a group of prime order).Knowing the random element r, the public key of Bob g x and the ciphertext C a third party can compute C 2 /(g x ) r = m to recover the plaintext.Using this property it is possible to construct a naïve solution by giving n random elements to a third party to decrypt n ciphertexts.However, this method presents an inherent limitation when the number n is large and the user has to store all the random elements used to encrypt all the messages during an interval of time.The aim of this paper is to allow a user to construct an interval-key to decrypt several consecutive messages in a time interval where the size of the key, the stored information and the key generation complexity are constant and do not increase with the number of ciphertexts.

Contributions:
We first present the notion of Random Coin Decryptable Public Key Encryption (RCD-PKE).The idea of RCD-PKE is that one can open a ciphertext with the secret key and also use the random coin used during the encryption to open a cipher.We show that several existing schemes in the literature satisfy this notion, e.g.[1,10,14].We use the RCD-PKE property to construct a scheme that allows a user to generate an interval-key for a judge to open all the messages he sent during a period of time.This scheme, called A Posteriori Openable Public Key Encryption (APO-PKE), allows the judge to open all messages sent between two given dates.The number of ciphertexts is potentially infinite but the judge decryption capability is limited to the a posteriori chosen interval.It contains, like a standard public key encryption, a key generation function, an encryption function and a decryption function.It also has an extraction function that, given two ciphertexts and a secret value, generates an interval-key for the judge.Using this interval-key he can then open all messages encrypted by different public keys between the two ciphertexts for which the key has been created.Our scheme is generic since it only relies on any IND-CPA secure RCD-PKE and hash functions.
Performances: Our scheme has reasonable encryption and decryption execution time overhead comparing to the PKE we use, because the size of ciphertexts generated by our scheme is approximately the double of the size of the PKE encryption.Moreover the generation of the interval-key, its size and the stored information are also independent of the number of messages contained in the interval of time.Finally, there is no restriction neither about the total number of generated ciphertexts nor about the number of ciphertexts in a time interval.
Security: We provide the security models to prove the security of our schemes in the Random Oracle Model (ROM).We prove that the judge colluding with some users cannot learn more than the messages for which he received the interval-key.We also show that several users cannot collude in order to learn information about plaintexts contained in an interval of ciphertexts with the judge interval-key.We also demonstrate that the judge gets the same plaintext as the one received by the owners of the secret keys.This means that it is not possible to forge fake messages that the judge can open and not the owners of the secret keys, and vice-versa.
Our construction allows us to use the extraction algorithm only once per judge (or per set of encrypted mails).Our security model captures this situation.It is not going against our motivation as long as we consider that two judges having an interval key in two different court cases (for the same set of mails) do not collude.To avoid this drawback, we need to reinitialize the secret values stored by a user after the generation of an interval-key, in order to be able to produce new interval-key on the next encrypted data.We leave the construction of an APO-PKE with constant interval key generation complexity and constant interval key size allowing several interval key generations for the same judge and the same set of encrypted mails as an open problem.
Related work: Functional encryption [26] is a public-key encryption primitive that allows a user to evaluate a function on the plaintext message using a key and a ciphertext.This cryptographic primitive was formalized in [5].It generalizes many well know cryptographic primitives such identity based encryption [4] or attribute based encryption [26].Moreover, some schemes that evaluate an arbitrary function have been proposed in [17,18].A posteriori openable encryption can be seen as a functional encryption, where all ciphertexts (resp.plaintexts) that are encrypted by one user correspond to a unique large ciphertext (resp.plaintext).Then the interval-keys allow a user to find only some parts of the corresponding plaintext.Our proposal scheme is an efficient solution for this kind of functional encryption.
Deniable encryption [7,22] is an encryption system that allows to encrypt two messages (original and hidden messages) in the same ciphertext.Using his secret key, the receiver can retrieve the original message.Using another shared secret key, the receiver can also decrypt the hidden message.It is not possible for the sender to prove that his encryption does not contain an hidden encrypted message.In our a posteriori openable encryption, the judge is only convinced that the plaintext that he decrypts is the same message that the plaintext decrypted by the secret key of the receiver.This notion differs from undeniability since the judge is convinced that a message he decrypts using interval key has actually been sent and received, but does not deal with message from another channel that the given encryption system (including different way to encrypt or decrypt a message in the same ciphertext).Some cryptographic primitives deal with time in decryption mechanism or rights delegation.Timed-Release Encryption (TRE), first proposed in [24], is a public key encryption where encrypted messages cannot be opened before a release-time chosen by the person who encrypted the messages.In this primitive, it is generally a time server that allows the receiver to decrypt the message in the future at a given date.Several TRE with diverse security properties have been proposed [3,8,9].More recently, an extension of TRE, called Time-Specific Encryption (TSE), has been proposed in [25] and deals with time intervals.Somehow these primitive are close to our because APO-PKE allows somebody to give decryption capabilities in the future, after that encrypted messages has been sent.However, TRE and TSE cannot be used to achieve APO-PKE, because TRE ciphertext are intended to only one user and decryption capabilities cannot be delegated to another party.Moreover, in TRE, time of decryption capability must be chosen during the encryption phase, while in our primitive it can be chosen at any time (a posteriori ).
It is interesting to note that some TRE possess a pre-open mechanism [21] that allows the sender to give decryption capabilities before the pre-specified release-time.In this case, a security requirement (called binding property) ensures that the decrypted message from the pre-open mechanism is the message decrypted by the receiver after the release-time [11].For our primitive, we define a similar property, called integrity, since we require that decrypted messages using an interval key must be equal to the messages decrypted by the legitimate receivers.
Finally, Key-Insulated Encryption (KIE) [12,20,23] is a public key encryption primitive where messages are encrypted from a tag corresponding to a time period and a public key.At each time period corresponds a partial secret key computed from a master key and the previous partial secret key.Moreover, the public key is never changed.The motivation of this primitive is to provide secret keys that can be stored in an untrusted device without compromising the master key.Indeed, the leakage of a secret key compromises only messages received in a specified time interval, and future encryptions remain secure.In the motivation of [12], the authors give another interesting use of this primitive based on [16].They provide a secure delegation of decryption rights in a time period.However, this type of delegation allows them to delegate decryption rights only on predefined time period.For example, if the time period corresponds to one month then right delegation cannot be restricted to the last week of a month and the first week of the following month without revealing all messages of these two months.Moreover, delegator must give a different secret key to each time period, so the decryption keys are proportional to the number of time periods contained in the interval.Our goal is to propose decryption delegation capabilities to the sender, while KIE only focuses on receiver decryption right delegation.Thus this primitive cannot solve our problem.
Outline: In the next section, we introduce some cryptographic tools and define the notion of RCD-PKE.In Section 3, we present a generic A Posteriori Openable Public Key Encryption.Then in Section 4, we provide security models and analyze the security of our scheme before concluding in the last section.All the proofs of our security results are given in the full version of this paper [6].

Random Coin Decryptable Public Key Encryption
We first recall the definition of probabilistic public key encryption.
Definition 1 (Probabilistic Public Key Encryption (PKE)).A probabilistic PKE is a triplet of polynomial time algorithms (Gen, Enc, Dec) such that Gen(1 k ) returns a public/private key pair (pk, sk), Enc pk (m; σ) returns a ciphertext c from the public key pk, the message m and the random coin σ, and Dec sk (c) returns a plaintext m or a bottom symbol ⊥ from a secret key sk and a ciphertext c.Moreover the following equation holds: A PKE scheme Π is said indistinguishable under chosen-plaintext attack (IND-CPA) [19] if for any polynomial time adversary A, the difference between 1  2 and the probability that A wins the IND-CPA experiment described in Fig. 1 is negligible.
We introduce the notion of Random Coin Decryptable PKE (RCD-PKE).A public key encryption scheme is said RCD-PKE, if there exists a second way to decrypt the ciphertext with the random coin used to construct the ciphertext.This primitive is a kind of PKE with double decryption mechanism (DD-PKE) which is defined in [15].Actually RCD-PKE is a DD-PKE where the second secret key is the random coin and is used once.Definition 2 (Random Coin Decryptable PKE (RCD-PKE)).A probabilistic PKE is Random Coin Decryptable if there exists a polynomial time algorithm CDec such that for any public key pk, any message m, and any coin σ, the following equation holds: For instance, ElGamal encryption scheme is RCD-PKE.It is possible, from a ciphertext c = Enc pk (m; σ) = (c 0 , c 1 ) = (g σ , pk σ • m) to use the algorithm CDec σ (c, pk) that computes c 1 /pk σ to retrieve the plaintext message m.Many probabilistic encryption schemes in the literature are RCD-PKE, e.g.[1,10,14].Algorithms CDec of these two cryptosystems PKE are given in the full version of this paper [6].We also introduce the concepts of valid key pair and of verifiable key PKE.Definition 3 (Verifiable Key PKE (VK-PKE)).We say that a key pair (pk, sk) is valid for PKE = (Gen, Enc, Dec) when for any message m and any random coin σ the equation Dec sk (Enc pk (m; σ)) = m holds.We say that a probabilistic PKE is verifiable-key (VK) when there exists an algorithm Ver such that Ver(pk, sk) = 1 if and only if (pk, sk) is valid for PKE.
In many probabilistic public key cryptosystems, the public key is generated from the secret key by a deterministic algorithm.For example, the ElGamal public key is the value g x computed from the secret key x.In this case, it suffices to check that g sk = pk in order to be convinced that a key pair (pk, sk) is valid.It is easy to see that [1,10] are also VK-PKE.

A Posteriori Openable Public Key Encryption
An APO-PKE is a public key encryption scheme, where Alice can use receiver public keys to send them encrypted messages that can be opened thanks to the corresponding secret keys.The goal of an APO-PKE is to allow Alice to keep enough information to be able to construct a key to a posteriori open a sequence of messages that she had encrypted during an interval of time.We do not consider real time but a sequence of n successive ciphertexts {C x } 1≤x≤n that have been encrypted by Alice with possibly different public keys.Then with an APO-PKE, it is possible for Alice to extract a key for a judge that opens all ciphertexts between the message C i and the message C j where 1 ≤ i < j ≤ n.We call this key an interval-key denoted by K pko i→j where pko is the public key of the opener (here the judge).Moreover before encrypting her first message with a public key, Alice needs to initialize a secret global state denoted st.The goal of st is to keep all required information to generate an interval-key and to encrypt a new message.Naturally each time Alice encrypts a message with a public key, st is updated (but has a constant size).Finally an APO-PKE, formally described in Definition 4, contains an algorithm that opens all ciphertexts in a given interval of time thanks to the interval-key forged by Alice.
Note that all key pairs come from the same algorithm APOgen.However, for the sake of clarity, we denote by pko and sko (for opener public key and opener secret key) the keys of an interval-key recipient, e.g. a judge that can open some messages, denoted by O (for opener) in the rest of the paper.APOext st pko (C i , C j ): This algorithm generates an interval-key K pko i→j that allows the owner O of the public key pko to decrypt all messages {C x } i≤x≤j using algorithm APOpen.APOpen sko (K pko i→j , {C x } i≤x≤j , {pk x } i≤x≤j ): Inputs of this algorithm contain a ciphertext set {C x } i≤x≤j and all the associated public keys {pk x } i≤x≤j .This algorithm allows a user to decrypt all encrypted messages sent during an interval using his secret key sk and the corresponding interval-key K pko i→j .It returns a set of plaintexts {m x } i≤x≤j or ⊥ in case of error.
In Scheme 1, we give a generic construction of APO-PKE based on an IND-CPA secure RCD-PKE and three hash functions.
Scheme 1 (Generic APO-PKE (G-APO)) Let k be a security parameter, E = (Gen, Enc, Dec) be a RCD and VK PKE scheme, R be the set of possible random coins of E and F : {0, 1} * → {0, 1} k , G : {0, 1} * → R and H : {0, 1} * → {0, 1} 2k be three universal hash functions.Our generic APO-PKE is defined by the following six algorithms where ⊕ denotes the exclusive-or, |x| denotes the bit size of message x and y||z the concatenation of y with z: APOgen(1 k ): This algorithm generates (pk, sk) with Gen and returns it.
The encryption algorithm APOenc separates the plaintext m in two parts using xor operation such that m = m ⊕ m.We generate two random coins σ and σ.Using the two previous coins σ N and σ N in the state st, we encrypt into two different ciphertexts C and C the following two messages m||( σ ⊕ F( σ N )) and m||( σ N ⊕ F( σ)).Finally we hide the usefull random elements with H(K|| C|| C).
Knowing the secret key it is possible to recover m and m and then to obtain the plaintext m thanks to the algorithm APOdec.
An interval-key for the owner O of a public key pko is constructed using the algorithm APOext.It is simply the encryption with pko of σ N and σ.At each encryption, the values σ i−1 and σ i are masked by a "one time pad" with the digest H(K|| C i || C i ) in D i .Then with the ciphertexts C i , C j and the secret value K we can construct an interval-key that contains these values σ i−1 and σ j .
Using an interval-key K pko i→j it is possible to open all ciphertexts encrypted during an interval of time with the algorithm APOpen: thanks to the RCD property, someone who knows values σ N and σ for one ciphertext can open each part C and C of it in order to recover σ and σ N , and m and m, hence m.We also notice that with σ i it is possible to decrypt all ciphertexts in { C x } (i+1)≤x≤N .In the other hand, with σ j it is possible to decrypt all ciphertexts in { C x } 1≤x≤j .Then it is possible to recover all messages between C i and C j .Thus, it is possible to decrypt all messages between C i and C j with the knowledge of σ i−1 and σ j .
If the interval always contains the first message, we give a more efficient algorithm.The idea is to only keep one part of the ciphertext, by consequence we do not need to split into two the message m.Hence the size of the ciphertext is smaller.Similarly if the algorithm always ends with the last encrypted message, we can also drop one half of the ciphertext and the tag value following the same idea.These simpler schemes are given in the full version of this paper [6].

Model and Security
We present the security properties of an APO-PKE scheme and we analyze the security of our G-APO scheme.The first security property corresponds to a chosen-plaintext attack scenario where the adversary has access to interval-keys on intervals that do not contain the challenge.We next introduce the notion of indistinguishability under chosen sequence of plaintext attack security (IND-CSPA) that corresponds to a chosen-plaintext attack scenario where the challenge is an interval of ciphertexts and the corresponding interval-key generated for a given judge public key.The last property is integrity, and captures the integrity of messages decrypted by APOpen algorithm.All security proofs are detailed in [6].

IND-CPA security
It concerns the resistance of an APO-PKE against a collusion of adversaries that have access to interval-keys in a chosen-plaintext attack scenario.For example, if we consider a judge who receives an interval-key to open a sequence of ciphertexts and who colludes with ciphertext recipients; then it ensures that they cannot deduce any information about messages that are not in the sequence.Indeed, he cannot request an interval-key for an interval containing the challenge.We define the OT-IND-CPA security when only one interval-key can be asked during the experiment.Our scheme is proved secure in this model.

Definition 5 (OT-IND-CPA experiment).
Let Π be an APO-PKE, let k be a security parameter, and let A = (A 0 , A 1 ) be a pair of polynomial time algorithms.We define the one-time indistinguishability under interval opener chosenplaintext attack (OT-IND-CPA) experiment as follows: The adversaries A 0 and A 1 have access to the following oracles: We also define the IND-CPA experiment as the same as the OT-IND-CPA experiment except that the adversary can ask the oracle APOext several times.

Definition 6 (OT-IND-CPA advantage). The advantage of the adversary A
against OT-IND-CPA is defined by: We define the advantage on OT-IND-CPA experiment by: Similarly, we then prove that no adversary can win using the oracle in an interval of next ciphertexts of the challenge.Finally, using this two results, we show that our scheme is OT-IND-CPA in any case.

IND-CSPA security
A sequence of ciphertexts coupled with an interval-key can be seen as an unique ciphertext that encrypts a sequence of plaintexts because the open algorithm allows a judge to decrypt all the messages of the sequence with the knowledge of any secret key.Thus, we define a security model where the adversary must distinguish the sequence of plaintexts used to produce a challenge sequence of ciphertexts associated to an interval-key.The IND-CSPA security captures this security property.In this model, the adversary is a collusion of users that must distinguish the sequence of plaintexts used to produce a sequence of ciphertexts given the corresponding interval-key generated for the judge.
Definition 7 (IND-CSPA φ experiment).Let Π be an APO-PKE, let k be a security parameter, and let A = (A 0 , A 1 ) be a pair of polynomial time algorithms.We define the indistinguishability under chosen sequence of plaintext attack (IND-CSPA φ ) experiment as follows, where n denotes the number of calls to the encryption oracle during the first phase and φ denotes the number of calls to the generation oracle: In the first phase The challenger generates (pko * , sko * ) from APOgen(1 k ) and a state st * from APOini(1 k ).He sends the public key pko * to the adversary.The challenger initializes a counter n that counts number of calls to the oracle O CSPA enc during this phase.Finally, the adversary sends to the challenger values (q, {m 0 x } n<x≤(n+q) , {m 1 x } n<x≤(n+q) , {pk x } n<x≤n+q , state).In second phase, the challenger computes a sequence of ciphertexts from the adversary's output.He encrypts messages of one of the two sequences.The sequence of produced ciphertexts forms the challenge.More formally, the challenger picks two random bits b and d.Then, ∀ x ∈ {n + 1, n + 2, ..., n + q}, if pk x corresponds to an honest user (i.e.Proof idea: In [2] authors prove that any IND-CPA PKE is still secure in multiuser setting, i.e.where the adversary can ask several challenges for several different public keys.Without interval-key oracle, the IND-CSPA security of our scheme can be reduced to the IND-CPA of the PKE in multi-user setting since the challenge corresponds to ciphertexts of several messages from several public keys.Moreover, since the interval-keys from the oracle are encrypted, then the adversary must break the IND-CPA security of PKE to use it.It is possible to prove that no adversary can efficiently break the IND-CSPA of our scheme using these two arguments.

Integrity
The last security property for APO-PKE is the integrity.This property is similar to binding property of TRE defined in [11].The judge must be sure that the messages he decrypts with APOpen algorithm are the sent messages.
Definition 9 (Integrity experiment).Let Π a APO-PKE, let k be a security parameter, and let A a polynomial time algorithm.We define the integrity experiment as follows: The challenger generates (pko * , sko * ) from APOgen(1 k ) and sends the public key pko * to the adversary.The adversary A sends to the challenger an integer N , an ordered set of N ciphertexts {C x } 1≤x≤N and an ordered set of N public keys {pk x } 1≤x≤N .The adversary then sends two integers i and j and the corresponding interval-key K pko * i→j .He finally sends the integer l and the secret key sk l corresponding to pk l .If (pk l , sk l ) is not a valid key pair then the challenger aborts and returns 0. The challenger then computes {m x } i≤x≤j ← APOpen sko * (K pko * i→j , {C x } i≤x≤j , {pk x } i≤x≤j ).If m l = APOdec sk l (C l ) then the challenger returns 1, else he returns 0.
Proof idea: Since the judge has all the random coins and all the public keys used to encrypt all the opened messages, he can use them to re-encrypt these messages.Thus, if the ciphertexts that he opens correspond to the ciphertexts that he encrypts by himself, then he can conclude that the opened messages are the same as the messages decrypted by the recipient secret keys.

Conclusion
We introduce the notion of RCD-PKE.Based on this notion, we propose an a posteriori openable PKE (APO-PKE) scheme.Our scheme allows a user to prove his innocence by showing to a judge the content of his encrypted communication with several PKE during a period of time.Our construction preserves the privacy of the others communications, meaning that the judge cannot learn any information concerning the other encrypted messages.Moreover the receivers of the encrypted messages cannot collude in order to learn more information that is contained in the received messages.Our construction is proven secure in the Random Oracle Model and is generic because it only requires RCD-PKE and hash functions.
In the future, we aim at proving that is not possible to have a secure construction that supports several generations of interval key with constant size interval-key and stored data (state).Another future work is to design a security model for chosen-ciphertext security of APO-PKE and to provide a generic construction that achieves this higher security.Finally, it may be interesting to design such a scheme in the standard model.

Definition 4 (
A Posteriori Openable Public Key Encryption (APO-PKE)).An APO-PKE is defined by: APOgen(1 k ): This algorithm generates a key pair for a user.It returns a public/private key pair (pk, sk).APOini(1 k ): This algorithm initializes a global state st and returns it.APOenc st pk (m): This algorithm encrypts a plain-text m using a public key pk and a global state st.It returns a ciphertext C and st updated.APOdec sk (C): This algorithm decrypts a ciphertext C using the secret key sk.It returns a plaintext m or ⊥ in case of error.

O 1 .
CPA enc : On the first call to this oracle, it initializes the following values l = 1 and n = This oracle takes as input a public key pk and a message m.It returns C l = APOenc st * pk (m).It increments the counter l.Only in the first phase, it increments the value n that counts the number of calls to the encryption oracle before the generation of the challenge.O CPA ext : The adversary can ask this oracle only one time during the experiment.This oracle takes a public key pko and two ciphertexts C a and C b .In the second phase, if there exists C i = C a and C j = C b such that i ≤ n ≤ j then the oracle rejects the query.Else, if C a = C n or C b = C n , it rejects the query.Else it returns APOext st * pko (C a , C b ).

}
for all A ∈ poly(k).The advantages on IND-CPA experiment are similar to those of OT-IND-CPA.We say that a APO-PKE schemeΠ is OT-IND-CPA (resp.IND-CPA) secure when Adv OT-IND-CPA Π (k) (resp.Adv IND-CPA Π (k)) is negligible.Our construction is not IND-CPA since if a judge has two interval-keys for two different intervals of time given by the same user and computed with the same secret value then he can open all messages between the two extreme dates.Theorem 1.Let E be an IND-CPA secure RCD-PKE, then G-APO based on E is OT-IND-CPA secure in the random oracle model.Proof idea: To prove the OT-IND-CPA security, we show first that no polynomial adversary wins the experiment with non negligible probability using the oracle O CPA ext in an interval of previous ciphertexts of the challenge.The interval-key allows to open the part C * of the challenge C * , but since the PKE is IND-CPA then the interval-key gives no information about the part of the challenge encrypted in the part C * .
pk x comes from oracle O CSPA gen ) then he computes C * x = APOenc st * pk x (m b x ) else if pk x corresponds to a dishonest user (i.e.pk x comes from the adversary), he computes C * x = APOenc st * pk x (m d x ).Finally, he computes K pko * (n+1)→(n+q) = APOext st * pko * (C n+1 , C n+q ) and he sends (state, {C * x } n<x≤(n+q) , K pko * (n+1)→(n+q) ) to the adversary A 1 .During the guess phase, the adversary returns the bit b .If b = b then A wins.
else 0 The adversaries A 0 and A 1 have access to the following oracles: O CSPA gen : At the first call, the oracle creates a keys' list K that contains (pko * , sko * ).At each call, it generates values (pk, sk) from APOgen(1 k ) and adds it to K. Then it returns pk.This oracle can be called only φ times.O CSPA enc : This oracle takes as inputs a public key pk and a message m.Only in the first phase, it increments the value n that counts the number of calls to the encryption oracle before the generation of the challenge.In the two phases, it returns APOenc st * pk (m).O CSPA ext : This oracle takes as input two ciphertexts C i and C j .It returns the interval-key K