Keywords

1 Introduction

Historically, a primitive like public key encryption (PKE) is often studied in a setting where a single key-pair is generated for an adversary to attack, often based on a single challenge ciphertext only [27]. Yet, in reality there will be many users, each generating their own key pairs, to be used repeatedly. To study the concrete security risk of having very many keys in play simultaneously, Bellare et al. [5] introduced the multi-user setting. They considered an adversary with access to n different public keys and the ability to challenge (in an indistinguishability fashion) each of them, and concluded that the security loss is at worst linear in the total number challenge queries. Loosely speaking, such a linear security loss implies that a scheme that is believed to offer, say, 128-bit security in the single user setting, may only guarantee 80-bit security if there are \(2^{20}\) users each receiving \(2^{28}\) messages (based on the same hardness assumption).

Unfortunately, there have been ample examples of schemes where practical attacks can indeed exploit the increased attack surface, demonstrating that these theoretical security losses can be realized. Consequently, the generic tightness losses to move from a single-user, single-challenge setting to a more realistic multi-user, multi-challenge setting are problematic as, conservatively, one would have to increase key sizes to compensate. Alternatively, a growing number of works have looked at schemes with tighter security guarantees, either if the number of users goes up, the number of challenge encryptions per key goes up, or both [2, 5, 12, 16, 21, 22, 28].

Moreover, in a system with many users, it is not inconceivable that some private keys eventually become available to an adversary, which can be modelled using key corruptions. An adversary learning a private key can obviously decrypt all ciphertexts that were encrypted under the corresponding public key, thus some care has to be taken to avoid trivial wins when allowing key corruptions. The two simplest mechanisms are either using independent challenge bits for each key or disallowing an adversary to both challenge and corrupt a single key. As we detail in Appendix A, both these mechanisms have been used, also in related contexts such as key encapsulation mechanisms (KEMs), authenticated encryption (AE), and authenticated key exchange (AKE), raising the inevitable question which notion should be the preferred one.

In the context of lower bounding tightness losses for multi-user AE, Jager et al. [25] employed a novel multi-key, multi-challenge-bit notion that generalizes both mechanisms; however, the main motivation of this generalized mechanism was universality of their impossibility result, allowing them to side-step the question which mechanism to focus on. Recently, in the context of AKE, Jager et al. [24] argued in favour of the single-bit notion, primarily as it composes more easily. For KEMs a similar argument holds, yet for PKE composition is arguably less relevant. Instead, a more direct interpretation of what the various notions entail might well be preferable.

Our Contribution. Both the single-bit and multi-bit approaches are implied by the single user notion at the cost of a tightness loss linear in the number of users. Consequently, the two multi-user notions are also within that linear factor in the number of user. As our goal is to avoid such tightness losses, we are interested in identifying the most suitable, general notion as possible, guaranteeing that there are no “hidden” linear losses in the choice of notion—an issue already pointed to by Jager et al. [24]

To this end, we adapt the multi-key, multi-bit notion of Jager et al. [25] to the PKE setting, slightly generalizing it in the process. We show how it tightly implies, and therefore unifies, the previous multi-user notions, and give novel interpretations of each (see Sect. 3).

We then shift our focus to how tightly the different notions relate to each other, with the goal of identifying the strongest, and therefore preferred, multi-user notions. We find that the answer depends on whether or not corruptions are present: in the absence of corruptions, we find that the single-challenge-bit notion is as strong or stronger than any of the other (see Sect. 4.2). Given that this notion is significantly simpler than the fully general game, this makes the single-bit notion the preferred one in the absence of corruptions. With corruptions, this relation breaks down, and the general “free-bit” game indeed seems the stronger, and therefore preferred, notion (see Sect. 4.3).

Finally, we fill some holes largely left as folklore until now regarding how the well-known factor-2 reduction from real-or-random to left-or-right indistinguishability, as shown by Bellare et al. [7] for the single-user, single-challenge setting, generalizes to the multi-user setting. We find that, as expected, the relation remains intact in the single-bit setting, regardless of whether corruptions are present (see Sect. 4.4). In contrast, with multiple challenge bits the best-known reductions turn lossy. Whether these losses are inevitable remains open; however, it reinforces the by now established notion that left-or-right indistinguishability is to be preferred over its real-or-random counterpart whenever possible.

The appendices contain much additional material: highlights include Appendix A giving context to the present work by presenting a more complete history of multi-user indistinguishability than that presented here, and Appendix F, illustrating the difficulty of achieving tight composition in multi-bit settings, as alluded to by Jager et al. [24], by giving an overview of how additional losses can appear in PKE schemes built using the widely used KEM/DEM paradigm.

2 Preliminaries

2.1 Notation

For an integer n, we will write [n] for the set \(\{ 1, \dots , n \}\). We will also use the abbreviation \({\mathtt {X}}\overset{\cup }{\longleftarrow }x\) for the operation \({\mathtt {X}}\leftarrow {\mathtt {X}}\cup \{ x \}\). The event of an adversary \(\mathbbm {A}\) outputting 0 is denoted \(0\leftarrow \mathbbm {A}\). We use to denote the conditional probability of Event occurring when Code is executed, conditioned on Condition. We omit Code when it is clear from the context and Condition when it is not needed.

2.2 PKE Syntax

A public key encryption scheme \({\textsc {PKE}}\) consists of three algorithms: the probabilistic key generation algorithm \(\mathsf {Pk.Kg}\), which takes as input some system parameter \(\mathsf {pm}\) and outputs a public/private key pair \((\mathsf {pk}, \mathsf {sk}) \in (\mathcal {PK}, \mathcal {SK})\); the probabilistic encryption algorithm \(\mathsf {Pk.Enc}\), which on input a public key \(\mathsf {pk}\in \mathcal {PK}\) and a message \(m\in {\mathcal {M}}\), outputs a ciphertext c; and the deterministic decryption algorithm \(\mathsf {Pk.Dec}\), which on input of a secret key \(\mathsf {sk}\in \mathcal {SK}\) and a ciphertext c, outputs either the message m, or a special symbol \(\perp \) denoting failure.

We allow the message space \({\mathcal {M}}\) to depend on the parameters \(\mathsf {pm}\), but insist it is independent of the public key \(\mathsf {pk}\). We furthermore assume that there exists an equivalence relation \(\sim \) on the message space that partitions \({\mathcal {M}}\) into finite equivalence classes. For \(m\in {\mathcal {M}}\), we let \(\llbracket {m} \rrbracket \) denote its equivalence class, so \(\llbracket {m} \rrbracket = \{\tilde{m} \in {\mathcal {M}}: m \sim \tilde{m}\}\). Often \({\mathcal {M}}\) consists of arbitrary length bitstrings, or at least all bitstrings up to some large length (e.g. \(2^{64}\)), and two messages are equivalent iff they have the same length, so ; for other cryptosystems, such as ElGamal, messages are group elements that are essentially all equivalent, so \(\llbracket {m} \rrbracket ={\mathcal {M}}\). (Note that the case where \(\llbracket {m} \rrbracket = \{m \}\) for all m is degenerate and ‘security’ is often trivially satisfied.)

The scheme must satisfy \(\epsilon \)-correctness [20], namely that for any \(\mathsf {pm}\):

If \(\epsilon =0\) we speak of perfect correctness; the case \(\epsilon >0\) is especially useful to model decryption errors typical to lattice-based schemes.

Remark 1

The system parameters \(\mathsf {pm}\) are implicitly input to \(\mathsf {Pk.Enc}\) and \(\mathsf {Pk.Dec}\) as well; for concreteness, they can for instance be the description of an elliptic curve group with generator for an ECDLP-based system or the dimensions and noise sampling algorithm for an LWE-based system. When one is interested in re-phrasing our results in an asymptotic setting, the parameters \(\mathsf {pm}\) will be generated by a probabilistic, polynomial-time algorithm that only takes the security parameter as input.

2.3 Concrete Security

Indistinguishability. The standard notion of security for encryption systems has become that of indistinguishability. Here the adversary is given access to a challenge encryption oracle implementing one of two “worlds”; the adversary needs to find out which. Several choices appear regarding the exact nature of these worlds, leading to different notions of indistinguishability such as real-or-random and left-or-right. Henceforth we refer to those two notions \(\mathrm {ROR}\) and \(\mathrm {LOR}\), respectively, and we will refer to them collectively as \(\mathrm {IND}\). We will flesh out the details in Sect. 3.

Security definitions furthermore take into account the \(\mathrm {POWER}\) given to the adversary, for example that of chosen plaintext attacks (\(\mathrm {CPA}\)), or chosen ciphertext attacks (\(\mathrm {CCA}\)). The distinguishing advantage of an adversary \(\mathbbm {A}\) against a scheme relative to some notion will then be , see Definition 1. As randomly guessing a world is correct half of the time, the distinguishing advantage is of course suitably offset.

Definition 1

The distinguishing advantage of an adversary \(\mathbbm {A}\) against an encryption scheme \({\textsc {PKE}}\) is

Implications and Separations. Our main focus will be comparing different notions of security, especially showing that if security is met under one notion, then it is also met under another one. We will prove these implication using fully black box reductions [4, 31] that are furthermore simple [29]. A fully black box reduction works for all schemes and adversaries, and only accesses them in a black box manner. Moreover, if the reduction only runs its adversary once and without rewinding, then the reduction is simple.

To allow for black-box access to the scheme, we will add an auxiliary oracle for the PKE to operate on the message space and the key space. A simple fully-black box (SFBB) reduction has access to this auxiliary oracle, as well as to the oracles corresponding to the PKE’s algorithms, the oracles provided to the reduction by the game it is playing, and finally its single straight copy of the adversary. We will insist that the overhead of such a reduction, namely the number of oracle calls it makes more than the adversary it is running, is not undue: it can be upper bounded in terms of the parameters that define the security game(s) at hand, such as the number of keys in the system.

Definition 2

(Tightness). Let \(\mathrm {IND}_1\) and \(\mathrm {IND}_2\) be two indistinguishability notions for PKE schemes, let c be a positive real number, then iff there exists a simple fully-black box reduction \(\mathbbm {B}_{\mathrm {\MakeLowercase {1}}}\) such that for all PKE schemes \({\textsc {PKE}}\) and adversaries \(\mathbbm {A}_{\mathrm {\MakeLowercase {2}}}\),

$$ \mathrm {IND}_2(\mathbbm {A}_{\mathrm {\MakeLowercase {2}}}) \le c \cdot \mathrm {IND}_1(\mathbbm {B}_{\mathrm {\MakeLowercase {1}}}^{\mathbbm {A}_{\mathrm {\MakeLowercase {2}}},{\textsc {PKE}}}) $$

and the overhead of \(\mathbbm {A}_{\mathrm {\MakeLowercase {2}}}\) is not undue.

Refer also to Jager et al. [25] for a discussion on how to express tightness for more general reductions. They also formalize the folklore that simple reductions compose neatly; in our case if and then also .

If \(c=1\), the reduction is called tight; if \(c>1\) we call the reduction lossy. Note that our notion of tightness is stricter than in some other works where a constant factor of say 2 will still be considered tight [18]; our convention has the benefit of not depending on any (security) parameter. A natural question for lossy reductions is whether the loss is inevitable or not—if it is, the bound is called sharp. Questions of sharpness are not the focus of our work, although we do remark upon it in more detail in Appendix B.

3 A General Definition of PKE Multi-user Security

3.1 A General Game

In order to compare various flavours of multi-user notions for PKE, we take Jager et al.’s framework for multi-user AE notions [25] and port it to the PKE setting, using some slightly different game-mechanics in the process. A multi-user security game is parametrized by the number of keys \(\kappa \) and the number of bits \(\beta \). Usually one can imagine \(\beta \le \kappa \) and in fact Jager et al. only considered \(\beta =\kappa \). However, keeping \(\kappa \) and \(\beta \) distinct helps when expressing and interpreting security losses.

Given a public key encryption scheme \({\textsc {PKE}}\), let be the experiment given in Fig. 1, where \(\mathbbm {A}\) is the adversary. The corresponding distinguishing advantage (see Definition 1) is denoted by . The \(\kappa \) is slashed to denote the presence of a key corruption oracle; the corresponding notion without corruptions is . Without the decryption oracle the notion becomes a chosen-plaintext attack (\(\mathrm {CPA}\)) instead. Often our results are oblivious of whether the power is \(\mathrm {CPA}\) or \(\mathrm {CCA}\); we will then use \(\mathrm {CXA}\) to refer to them collectively.

Fig. 1.
figure 1

The generalised multi-user distinguishing experiment ; the adversary has access to either the left-or-right \({\mathcal {E}}_{\mathrm {LOR}}\) or the real-or-random \({\mathcal {E}}_{\mathrm {ROR}}\) challenge oracle.

Full size image

In the game, an adversary is given \(\kappa \) public keys, and a choice of \(\beta \) bits to try and attack through one of the two challenge oracles depending on the flavour of indistinguishability: for left-or-right indistinguishability, it gains access to \({\mathcal {E}}_\mathrm {LOR}\), whereas for real-or-random, it instead gains access to \({\mathcal {E}}_\mathrm {ROR}\). Both oracles have the usual interface, augmented by a key handle i and a bit handle j. For instance, for \({\mathcal {E}}_\mathrm {LOR}\) an adversary picks handles i and j as well as two equivalent messages \(m_0\) and \(m_1\) to receive the encryption of \(m_{b_j}\) under public key \(\mathsf {pk}_i\). For \({\mathcal {E}}_\mathrm {ROR}\) only a single message m is provided in addition to the two handles and, depending on the value of \(b_j\), \(\mathbbm {A}\) receives the encryption of either the message or of a uniformly chosen equivalent message.

The adversary has possible access to two additional powers: a decryption oracle \({\mathcal {D}}\) and a corruption oracle \({\mathcal {K}}\). The former takes as input a ciphertext c together with a key handle i, and returns the decryption of c under private key \(\mathsf {sk}_i\). The latter takes as input a key handle i and directly returns said \(\mathsf {sk}_i\).

The adversary has in principle unlimited adaptive access to the available oracles, necessitating some admin in the game to deal with trivial wins. Firstly, if \(m_0 \not \sim m_1\) for \({\mathcal {E}}_\mathrm {LOR}\), or if a challenge ciphertext is submitted to the decryption oracle under its handle of creation, then the adversary receives the special symbol instead. Secondly, once the adversary outputs a bit handle j and a guess \( \hat{b} _j\), the game checks through \({\mathtt {I}}^{\mathcal {E}}_j \cap {\mathtt {I}}^{\mathcal {K}}= \emptyset \) whether the challenge bit has become compromised by virtue of being challenged together with a corrupted key. If so, the game outputs the uniformly random bit \(\delta \), yielding the adversary no advantage; otherwise, the game outputs whether \( \hat{b} _j = b_j\).

Unlike Jager et al., we do not consider valid or invalid adversaries, but rather deal with bad behaviour in-game. Specifically, we want the adversary to be able to challenge on a key both before and after it becomes corrupted, but trying to win by attacking any of the corrupted challenge bits must of course be disallowed, regardless of the order of the queries. Thus, for problematic combinations of challenge/corrupt/target we necessarily had to wait until the adversary announced its target j before, if need be, penalizing. For bad decryption queries, penalizing at the end is discouraged [8], moreover it is easy to check on-the-fly.

Finally, we use \(q^{\mathcal {E}}_i\) to refer to the number of challenge queries on public key \(\mathsf {pk}_i\); \(q^{\mathcal {E}}_\varSigma \) for the total number of challenge oracle calls; and \(q^{\mathcal {E}}_\text {max}\) for the maximum number of challenge queries per key. Similarly, \(q^{\mathcal {D}}_i\) is the number of decryption calls on private key \(\mathsf {sk}_i\) and \(q^{\mathcal {K}}\) the number of corruption calls.

3.2 Notational Conventions

Jager et al. [25] introduced their unified game in order to show that, for authenticated encryption, tightness losses are inevitable in a multi-key with corruption setting, irrespective of certain definitional choices. Thus they can avoid having to choose one notion over the other. We are interested in finding out, for public key encryption, whether some notion is preferred over the other. To that end, we will introduce some notation to more easily identify known notions and express relationships between them.

One can visualize the experiment using a binary matrix of dimension \(\kappa \times \beta \), where an entry be set wherever a key and a bit may be called together. For the general game, the matrix has every entry filled (see the leftmost matrix of Fig. 2). We will refer to this as the free-bit notion. By restricting the matrix, we can easily express existing notions.

Bellare et al.’s original single-challenge-bit notion [5] corresponds to a \(\kappa \times \beta \)-matrix (for arbitrary \(\beta \)) with only a single set row to force all challenge queries to the same bit handle (see the middle matrix of Fig. 2). If \(\beta =1\), the notion matches the free-bit notion, so we may write \(\mathrm {IND}\text {-} \mathrm {CXA}^{\kappa , 1}\), or if corruptions are present, for the single-bit notion.

On the other hand, for the one-challenge-bit-per-key notion we have that \(\beta = \kappa \) and the restriction \(i = j\) for all challenge queries. These restrictions correspond to a square matrix in which only the diagonal is set (see the rightmost matrix of Fig. 2), inspiring us to refer to this notion as diagonal-bit, or just diagonal, and denote it by , or with corruptions.

The single-bit and diagonal-bit notions we will collectively refer to as the simple notions. Our notation and terminology differs from prior art, which is to some extent inevitable. The distinction between the various notions has only recently received explicit attention [24, 25] and no clear terminology has yet been set. For instance, we drop the prefix MU (for multi-user, to contrast with the older single user notions) as on the one hand we believe that these days multi-user security should be the default from which single user notions can be derived if needed, and on the other hand we wish to maintain a clean GOAL–POWER nomenclature: having multiple users to target primarily modifies an adversary’s power, not its goal.

Fig. 2.
figure 2

Matrices of allowed key/bit combinations in challenge oracle calls for the free-bit, single-bit, and diagonal-bit multi-user notion, respectively; circles mark allowed queries, while crosses mark disallowed ones. The visualization highlights that the free-bit notion is a strict generalization of the two other, simple notions.

Full size image

3.3 Interpretation

Both simple notions with corruptions have appeared in the literature, both in a PKE setting but also in related KEM, AKE, and to a lesser extent AE settings. One key question is which notion to opt for when. Establishing relationships between the notions, as in the next section, helps answer this question. Here, we want to address the meaning and usefulness of the notions as they are.

In the context of AKE, Jager et al. [24] discuss the difference between the single-bit notion (“single-bit guess”) and the diagonal notion (“multi-bit guess”). Earlier works on tight security for AKE focused on the diagonal setting [2], yet as Cohn-Gorden et al. [13, Section 3] point out, that notion does not lend itself very well for tight composition: when the keys produced by an AKE are subsequently used, in a proof it is convenient to swap out all keys from real to random in one fell swoop. The single-bit notion allows such a massive substitution, but the diagonal notion does not. Moreover, Jager et al. wonder whether the diagonal notion is meaningful, which would “provide a good intuition of what [it] tries to model”.

Whereas AKE and KEMs are primarily tools to set up symmetric keys for subsequent use, the situation for PKE is different as it is much closer to the end user. The difference is reflected in the kind of indistinguishability as well: for AKE and KEMs, a ROR-style notion is used where the adversary cannot even control the real world’s “message”, yet for PKE’s LOR-notion, an adversary has full control over the left-versus-right challenge messages. Thus, for PKE the diagonal-LOR notion does seem meaningful, as we explain below.

Suppose we interpret each key to correspond to a user and each challenge bit to correspond to a conversation. Then the different notions model different scenarios. For instance, the diagonal notion models a scenario where the users take part in independent conversations, and an adversary can decide which honest conversation to target after corrupting a number of other ones. In contrast, the single-bit notion models a scenario where all users are engaged in the same conversation. The latter scenario allows an adversary to accumulate information on the conversation across users, although none of the active parties may be corrupted.

Finally, the free-bit notion models a situation where there are a number of independent conversations, each with their own potentially overlapping set of users. The adversary can adaptively corrupt a number of users, and finally targets a conversation conducted by honest users only.

Of course, there are already existing notions that study PKE security in the presence of corruptions, under the term “selective opening attacks” (SOA, [9, 15]). There are various formalizations of SOA, the most relevant ones to our work are receiver SOA [19] where an adversary can corrupt private keys (as opposed to sender SOA, where an adversary learns how a ciphertext was created). Most of these SOA notions are considerably stronger than the notions we consider: our strongest notion is still implied by the customary single-user single-challenge LOR–CCA (just rather lossy), yet for SOA strong separations, and in some cases impossibility results, are known [23]. The link between multi-user security with corruptions on the one hand and SOA on the other has largely been ignored and appears worth expanding further.

We remark that the multi-bit notion also occurs naturally when studying multi-instance security [10], which has been studied in the context of PKE [1]. We leave the adaptation of our work, and specifically the general free-bit game to that setting as an enticing open problem.

4 Relations Between Indistinguishability Notions

In this section we investigate how tightly the various multi-user notions relate to each other, and how each relates to single-user notions. Some implications are known or folklore and others follow quite naturally from the literature, but not all. As expected, most of the notions are equivalent within a factor linear in the number of users. Yet, some notions turn out to be more, or less, tightly related.

There is for instance the surprising and completely tight reduction from \(\mathrm {LOR}\text {-} \mathrm {CXA}_{\textsc {PKE}}^{\kappa , 1}\) to (Theorem 1). However, the proof technique breaks down for real-or-random indistinguishability and in notions with corruptions. Furthermore, for the latter, there doesn’t seem to be a way of relating the notions more tightly than by a linear loss. We conjecture this linear loss to be sharp, yet proving so we leave open.

Shorthand for Unified Implications. Given the large number of notions resulting from the various orthogonal definitional choices, we use shorthand, as presented in Table 1, to state various theorems. The shorthand serves as an implicit quantifier, so a theorem statement in shorthand essentially holds for all notions included in the shorthand. To avoid clutter, we will sometimes abbreviate \(\mathrm {IND}\text {-} \mathrm {CXA}^{u, c}\) to just \(\mathrm {IND}^{u, c}\), and let it be implied that the result holds for both \(\mathrm {CPA}\) and \(\mathrm {CCA}\). We will refer to single-user, multi-challenge notions by dropping the superscripts, e.g. \(\mathrm {IND}\).

As a concrete example, consider the trivial statement

$$\begin{aligned} \mathrm {IND}^{u, c} \implies \mathrm {IND}\, . \end{aligned}$$

This is then to be read as, “Both in the cpa and the cca setting, and regardless of the nature of the challenge oracle, the presence or absense of corruptions, or the number and structure of the challenge bits, security under a multi-user notion implies security under the corresponding single-user notion.” Written out in full, the statement becomes:

Lemma 1

For all \(\mathrm {IND}\in \{\mathrm {LOR}, \mathrm {ROR}\}\), \(\mathrm {CXA}\in \{\mathrm {CPA}, \mathrm {CCA}\}\), , and , there is a reduction \(\mathbbm {B}\) such that, for every adversary \(\mathbbm {A}\),

$$\begin{aligned} \mathrm {IND}\text {-} \mathrm {CXA}_{\textsc {PKE}}(\mathbbm {A}) \le \mathrm {IND}\text {-} \mathrm {CXA}^{u, c}_{\textsc {PKE}}(\mathbbm {B})\, , \end{aligned}$$

where \(\mathbbm {B}\) calls \(\mathbbm {A}\) once, with no undue overhead.

Table 1. A modular framework for multi-user security notions.
Full size table

Tight Implications From Strict Generalizations. Security under a multi-user notion tightly implies single-user security under the corresponding notion, and adding helper oracles (like decryption for \(\mathrm {CCA}\), or a corruption oracle) yields strictly more general notions; as does increasing the parameters (number of users/number of challenge bits), and for all notions, left-or-right security implies real-or-random security, as can be seen from Fig. 1. For completeness, we summarize these trivial implications in the full version.

4.1 Simple Multi-user Notions Versus Classical Single-Key Notions

Bellare et al. [5] used a hybrid argument to show that single-user single-challenge security implies \(\mathrm {LOR}^{\kappa , 1}\) with a security loss linear in the total number of challenge encryption queries. They phrased this total as the product of the number of users and the number of challenges per user. As all our notions are explicitly multi-challenge, we will ignore the number of challenge queries, meaning the loss simply becomes linear in the number of users (in line with the original claim).

Fig. 3.
figure 3

Known relations between single-user (but multi-challenge) indistinguishability and the two different generalizations to multi-user indistinguishability, with and without corruptions; refer to Table 1 for an overview of the shorthand. Recall that \(\mathrm {IND}\) without any superscripts means single-user notions. (Double arrows: trivially tight.)

Full size image

Bellare et al. did not consider the diagonal notion or corruption, however later, when Jager et al. [25] introduced the free-bit notion to the setting of AE, they also showed that the simple notions are implied by the single-user notion, again with a linear loss, even when corruptions are considered. For completeness, we reprove the relevant linear losses in our new PKE context in Appendix C. The resulting relations are summarized in Fig. 3.

As explained in Sect. 3.1, Jager et al. used slightly different game mechanics by prohibiting certain adversarial behaviour. In contrast, we allow such bad behaviour and just ignore the adversary’s output instead. We introduce a useful lemma (Lemma 3) that formalizes that, in the single-key setting, our mechanism is sound and corrupting that single-key yields no adversarial advantage. This single-key-with-corruptions game is often easier to use in reductions.

Existing sharpness results can be used to show that linear losses are inevitable, see Appendix B.2 for details.

4.2 Relationship Between Simple Multi-user Notions

Now that we have affirmed that the single-user notion implies any of the four simple multi-user notions with a loss linear in the number of users, a natural question is how the simple multi-user notions relate to each other. As the multi-user notions all tightly imply the single-user notion, one can always just go via the single-user notion. As already noted by Jager et al. [25], this strategy will again lead to a loss linear in the number of users. Lemma 2 formalizes this trivial loss and Fig. 4 provides an overview of the relations. One notable exception from the linear losses is the implication from the single-bit notion to the diagonal notion if there are no corruptions, which is tight for the case of left-or-right indistinguishability and almost tight for real-or-random indistinguishability. We will explain why this is in the next paragraph.

Lemma 2

( ). Let . Then, there is an SFBB reduction \(\mathbbm {B}\) such that, for every adversary \(\mathbbm {A}\),

$$\begin{aligned} \mathrm {IND}\text {-} \mathrm {CXA}_{\textsc {PKE}}^{u', c'}(\mathbbm {A})&\le \kappa \cdot \mathrm {IND}\text {-} \mathrm {CXA}_{\textsc {PKE}}^{u, c}(\mathbbm {B})\, . \end{aligned}$$

Proof

(sketch). Trivially, \(\mathrm {IND}^{\kappa , c} \implies \mathrm {IND}\). Meanwhile, Theorems 3 and 4 together say that . Combining (in the manner discussed in Sect. 2) gives .

Fig. 4.
figure 4

Relations between the simple multi-user notions, including the non-trivially tight relation between \(\mathrm {LOR}^{\kappa , \beta }\) and as captured by Corollaries 1 and 2 for \(\mathrm {LOR}\) and \(\mathrm {ROR}\), respectively. (Double arrows: trivially tight.)

Full size image

A Tight Relation: From Single-Bit to Multi-bit Without Corruptions. Surprisingly, left-or-right indistinguishability allows for a ‘bit-hiding’ argument that lets an adversary playing a single-bit multi-user game simulate the full free-bit game (and therefore also the diagonal-bit game), by simply exchanging the order in which it forwards its two messages. We formalize this argument in Theorem 1 and its proof. Consequently, \(\mathrm {LOR}^{\kappa , 1}\) tightly implies of (Corollary 1), whereas the implication in the other direction appears lossy, this clearly renders \(\mathrm {LOR}^{\kappa , 1}\) the preferred notion.

Theorem 1

(\(\mathrm {LOR}^{\kappa , 1} \implies \mathrm {LOR}^{\kappa , \beta }\)). There is an SFBB reduction \(\mathbbm {B}\) such that, for every adversary \(\mathbbm {A}\),

$$ \mathrm {LOR}\text {-} \mathrm {CXA}_{\textsc {PKE}}^{\kappa , \beta }(\mathbbm {A}) \le \mathrm {LOR}\text {-} \mathrm {CXA}_{\textsc {PKE}}^{\kappa , 1}(\mathbbm {B})\, , $$

where \(\mathbbm {B}\)’s overhead is limited to drawing \(\beta \) uniformly random bits.

Proof

The reduction \(\mathbbm {B}\), playing , simulates for \(\mathbbm {A}\) by drawing \(\beta \) fresh challenge bits, and simply exchanging the order of \( {m} _0\) and \( {m} _1\) in accordance to the value of the simulated challenge bit when forwarding to its own left-or-right oracle (see Fig. 5). Denoting the challenge bit of by b, the ciphertext that \(\mathbbm {A}\) receives upon the query \({\mathcal {E}}(i, j, m_0, m_1)\) will be an encryption of the message \( {m} _{b \oplus b_j}\) under \(\mathsf {pk}_i\); \(\mathbbm {B}\) then simply makes sure to undo this xor again before returning its final guess.    \(\square \)

Fig. 5.
figure 5

The adversary \(\mathbbm {B}\), playing while simulating for \(\mathbbm {A}\).

Full size image

Corollary 1

( ). There is an SFBB reduction \(\mathbbm {B}\) such that, for every adversary \(\mathbbm {A}\),

In the presence of a corruption oracle, the reduction breaks down as it is no longer able to simulate properly: it cannot both challenge on and corrupt the same key (a behaviour that is allowed in the diagonal and free-bit games). We will return to the free-bit game in the presence of corruptions below, but first we turn our attention to that other indistinguishability notion, real-or-random.

Extending the Argument to Real-or-Random. The proof of Theorem 1 makes use of the fact that the \(\mathrm {LOR}\) challenge oracle allows both a left and a right message to be input, enabling us to hide the bit in the ordering of the two messages. For \(\mathrm {ROR}\), the challenge oracle only accepts a single message, so hiding the bit as above is no longer possible.

However, when Bellare et al. [6] introduced the distinction between LOR versus ROR indistinguishability in the context of single-user probabilistic symmetric encryption, they also showed a factor-2 loss from ROR to LOR. As we will show in Theorem 5 (to be presented shortly), their proof technique is readily adapted to a relation between single-bit multi-user PKE notions. Theorems 1 and 5 can then be combined into the corollary below (which itself implies the equivalent of Corollary 1 for \(\mathrm {ROR}\), again with a factor 2 loss).

Corollary 2

( ). There is an SFBB reduction \(\mathbbm {B}\) such that, for every adversary \(\mathbbm {A}\),

$$ \mathrm {ROR}\text {-} \mathrm {CXA}_{\textsc {PKE}}^{\kappa , \beta }(\mathbbm {A}) \le 2 \cdot \mathrm {ROR}\text {-} \mathrm {CXA}_{\textsc {PKE}}^{\kappa , 1}(\mathbbm {B})\, . $$

Proof

(Sketch). Theorem 5 states that , while trivially \(\mathrm {LOR}^{\kappa , \beta }\implies \mathrm {ROR}^{\kappa , \beta }\). Then, using Theorem 1, we get .

4.3 The Free-Bit Game with Corruptions

In the free-bit game, the adversary can both challenge on and corrupt keys, provided the final targeted bit remains uncorrupted. In the single-bit game, however, challenging on and corrupting a key are mutually exclusive, causing the bit-hiding argument, that tightly related \(\mathrm {LOR}^{\kappa , 1}\) to \(\mathrm {LOR}^{\kappa , \beta }\), to break down in the presence of corruptions. Seemingly, the best we can do is a standard bit-guessing argument, suffering a \(\beta \) loss, as formalized in Theorem 2 below (see Appendix E for a full proof).

Theorem 2

( ). There is an SFBB reduction \(\mathbbm {B}\) such that, for any adversary \(\mathbbm {A}\),

where \(\mathbbm {B}\)’s overhead consists of drawing \(\beta \) uniformly random bits.

Combining with (Theorem 3) yields an upper bound on the free-bit advantage as it relates to single-user advantage, see Corollary 3. Notably, when Jager et al. [25] introduced the free-bit notion (for AE), they observed that proving a linear loss was beyond them, yet they did not provide an alternative, looser bound instead. We therefore plug this gap in the literature. Figure 6 provides an overview of how the single-user and simple multi-user notions relate to the free-bit notions.

Corollary 3

( ). There is a reduction \(\mathbbm {B}\) such that, for any adversary \(\mathbbm {A}\),

\(\mathbbm {B}\) calls \(\mathbbm {A}\) once, and additionally uses the resources needed to draw \(\kappa \) fresh keypairs and \(\beta \) uniformly random bits.

Interestingly, Corollary 3 tightly implies Theorem 3, but not Theorem 4: setting \(\kappa = \beta \) in Corollary 3 yields a \(\kappa ^2\) loss. This gives some hope that a tighter relation than that of Corollary 3 might still be possible, one that would imply both Theorems 3 and 4. We leave this an open problem, although present some initial thoughts in Appendix B.

Fig. 6.
figure 6

Relations between different multi-user notions, without corruptions (left), and with corruptions (right).

Full size image

4.4 LOR Versus ROR, or When the Challenge Oracle Matters

Until now, we have for the most part treated the two flavours of indistinguishability as one. However, as we saw for Theorem 1, the choice of challenge oracle can sometimes make a difference. Of course, left-or-right indistinguishability always implies real-or-random indistinguishability. Furthermore, for single-user notions, it has been long been known that ROR implies LOR with only a factor 2 tightness loss [5]. However, for multi-instance security [10], the loss is known to blow up exponentially. Thus, it is a priori unclear what losses one should expect for the multi-user setting, both between corresponding LOR and ROR notions, but also between the ROR notions themselves.

Jager et al. [26, Theorem 21] showed a general result that a loss L in the single user setting can be turned into a loss \(L\kappa \) for the simple notions (for AE); the free-bit case is not addressed. We complement their results for the PKE setting, as summarized in Fig. 7 and formalized in Appendix D.

Some relations are worth highlighting. First, note that the same factor 2 reduction still lends itself to the single-bit multi-key setting (with or without corruptions). The argument is very similar to that of the single-user case: either the bit is “real”, in which case the simulated game is equivalent to the left-or-right one, or the bit is “random”, in which case the simulated challenge bit is information-theoretically hidden from the adversary; the main complication in going to a multi-key setting with corruptions being dealing with disallowed guesses. See Theorem 5. This contrasts to the diagonal-bit setting, in which the tightest known reduction loses a factor \(2\kappa \), as achieved via the single-user relation: .

Second, note that the fact that \(\mathrm {LOR}^{\kappa , 1}\implies \mathrm {LOR}^{\kappa , \beta }\) (Theorem 1) allows us to conclude that the factor 2 reduction still holds for the free-bit notion absent corruptions: . Compare with the situation in the presence of corruptions, where the corresponding implications yield .

As before, we leave the question of whether there exist tighter reductions, or these losses really are inevitable, as open questions. Nevertheless, these additional losses serve to reinforce the folklore that left-or-right notions should be preferred over real-or-random whenever possible.

Fig. 7.
figure 7

Relations between lor and ror for the different multi-user notions, without corruptions (left) and with corruptions (right). The placement of notions roughly translate to their relative strength, with stronger notions placed higher, (see Fig. 6 for the implications missing from the figure.) As before, double arrows indicate trivially tight.

Full size image

5 Conclusion

In this article, we surveyed several possible notions of multi-user security, showing how they relate to each other, and identifying a unified and general free-bit notion. We also conclusively answered the question of which canonical multi-user notion is the preferred one in the absence of corruptions, namely the single-bit left-or-right notion, as it is as strong or stronger than any of the others. In the presence of corruptions, the situation is less clear, particularly as it is not currently known whether the ability to both challenge and corrupt a key yields the adversary any additional power. What is known, however, is that the ability to challenge the same bit on several keys does give the adversary extra power. Until these questions have been definitively settled, we therefore suggest aiming for security under a free-bit notion whenever multi-user security with adaptive corruptions is to be considered.