Security and Communication Networks

Security and Communication Networks / 2020 / Article

Research Article | Open Access

Volume 2020 |Article ID 8823788 | https://doi.org/10.1155/2020/8823788

Huige Wang, Kefei Chen, Tianyu Pan, Yunlei Zhao, "Practical CCA-Secure Functional Encryptions for Deterministic Functions", Security and Communication Networks, vol. 2020, Article ID 8823788, 14 pages, 2020. https://doi.org/10.1155/2020/8823788

Practical CCA-Secure Functional Encryptions for Deterministic Functions

Academic Editor: Kaitai Liang
Received08 May 2020
Revised05 Jun 2020
Accepted20 Jul 2020
Published08 Sep 2020

Abstract

Functional encryption (FE) can implement fine-grained control to encrypted plaintext via permitting users to compute only some specified functions on the encrypted plaintext using private keys with respect to those functions. Recently, many FEs were put forward; nonetheless, most of them cannot resist chosen-ciphertext attacks (CCAs), especially for those in the secret-key settings. This changed with the work, i.e., a generic transformation of public-key functional encryption (PK-FE) from chosen-plaintext (CPA) to chosen-ciphertext (CCA), where the underlying schemes are required to have some special properties such as restricted delegation or verifiability features. However, examples for such underlying schemes with these features have not been found so far. Later, a CCA-secure functional encryption from projective hash functions was proposed, but their scheme only applies to inner product functions. To construct such a scheme, some nontrivial techniques will be needed. Our key contribution in this work is to propose CCA-secure functional encryptions in the PKE and SK environment, respectively. In the existing generic transformation from (adaptively) simulation-based CPA- (SIM-CPA-) secure ones for deterministic functions to (adaptively) simulation-based CCA- (SIM-CCA-) secure ones for randomized functions, whether the schemes were directly applied to CCA settings for deterministic functions is not implied. We give an affirmative answer and derive a SIM-CCA-secure scheme for deterministic functions by making some modifications on it. Again, based on this derived scheme, we also propose an (adaptively) indistinguishable CCA- (IND-CCA-) secure SK-FE for deterministic functions. The final results show that our scheme can be instantiated under both nonstandard assumptions (e.g., hard problems on multilinear maps and indistinguishability obfuscation (IO)) and under standard assumptions (e.g., DDH, RSA, LWE, and LPN).

1. Introduction

PKE is the most useful asymmetric encryption, which encrypted the plaintext using a public encryption key and decrypted the ciphertext using a private key only owned by the receiver. In particular, in this cryptosystem, without , nobody can get any sensitive information about plaintext. This type of cryptosystem does not work well in some special case where fine-grained access control functionality [1, 2] is needed to act on the decrypted plaintext. FE with this functionality was introduced by Boneh et al. [3]. Informally speaking, FE scheme [46] can encrypt a message into a ciphertext using a system public key. However, it can only recover a function value from the ciphertext with a private key associated with the function .

Security is a most important nature of functional encryption, among which indistinguishable chosen-plaintext attack (IND-CPA) security is the most common. IND-CPA security requires that an efficient adversary cannot distinguish the encryption of two different messages even if it allows the adversary to get some extra information such as allowing them access the private key oracle. Furthermore, according to the capability of the adversary, security can be classified into the selective mode and adaptive mode. In the former, the challenge message must be chosen before the public parameter and private key is generated, while in the latter, it may be chosen at any time.

Constructing FE for general functionalities with adaptive IND-CCA [7] security has been an open problem. Now, expressive functional encryptions with adaptive security have got rapid development. In 2015, Ananth et al. proposed an adaptively secure FE from the selective one [8]. The same year, Waters also presented an adaptively secure FE, but it relies on the strong IO assumption [911].

1.1. CCA Security

Although a wealth of results have been obtained on IND-CPA security, those schemes can only resist passive attacks. In order to resist active attacks, an IND-CCA security notion is required which is the same as IND-CPA but with exception that it additionally allows the adversary to access a decryption oracle. IND-CCA security in PKE settings has got richly studied by many researchers. Also, in the IBE [12] and ABE [13] settings, it also got extensively studied. Although IBEs and ABEs are subordinate to functional encryption, none of them could apply to general functions. Thus, studying FE with CCA security for arbitrary functions is necessary. In particular, although we allow the adversary to decrypt any ciphertext with private keys, it obtains by making key queries, and the security equipped with decryption oracle is still stronger than that without decryption oracle. The reason is, for any decryption query , the challenger can use the private key to decrypt , even conditioned on , but if without decryption oracle, the private key conditioned on is not allowed to obtain, and thus, cannot be decrypted with this key. Simulation-based CCA (SIM-CCA) is a stronger notion than IND-CCA, meaning that the reduction can be simulated via a probability polynomial time (PPT) simulator who only knows partial information and parameters that the system allows.

The FEs with CCA security are presented in [14, 15]. In [14], Benhamouda et al. proposed a CCA-secure functional encryption (FE) that only solves the CCA security in FE based on the projective hash functions. In [15], Nandi and Pandit also solved this problem but with strong restrictions (e.g., needing restricted delegation or verifiability on the underlying IND-CPA FE). However, up to now, it is not known whether the underlying schemes with these special properties exist. Although the generic transformation of Naor and Yung’s [16] from IND-CPA to IND-CCA encryption scheme can be adapted to functional encryption, it is only applied to the nonadaptive case in the public-key setting. Of course, it may achieve unbounded collusions, but which is not the key point we focus on in this paper. In particular, in Naor and Yung’s generic transformation, the encryption needs to run the original PK-FE twice.

1.2. Our Contributions

To construct functional encryptions with CCA security, some nontrivial techniques will be needed. We propose two (adaptively) CCA-secure generic construction for FE with CCA security for deterministic generic functions where one is in PKE settings and the other is in private-key settings. These generic constructions first yield practical FE that can be instantiated in the standard assumptions.

We first construct an (adaptively) SIM-CCA-secure PK-FE for deterministic functions by making a small modification on Agrawal and Wu’s SIM-CCA-secure PK-FE for randomized functions. Then, using the PK-FE scheme together with a NIZK equipped with the property of extractabilities, we construct an (adaptively) IND-CCA-secure SK-FE scheme. Particularly, in our construction, SIM-CPA-secure PK-FE can be used in a black-box way. Thus, the constructed SK-FE can also be based on the same assumption as the underlying PK-FE scheme.

1.3. An Informal Description of Our Schemes

Our constructions are inspired by Agrawal and Wu’s generic transformation of PK-FE from deterministic functions to randomized functions [17]. Our solutions can work on standard assumptions and are more efficient than that by Naor and Yung’s generic transformation (since we only use the original primitive once rather than twice which is the case in Naor and Yung’s generic transformation). They are essentially optimal in communication size: in the derived PK-FE with SIM-CCA security, the public parameter and private key are almost equal to that in the underlying PK-FE, while the ciphertext consists of a PK-FE ciphertext and a NIZK proof. In the SK-FE with IND-CCA security, in addition to a PK-FE ciphertext and a NIZK proof, the final ciphertext also adds an SE ciphertext. In Agrawal and Wu’s generic CPA-to-CCA transformation from deterministic functions to randomized functions, they use a simulation-sound extractable NIZK to implement CPA-to-CCA transformation and a -RKA-secure PRF and a one-way permutation to implement deterministic-to-randomized function transformation. Concretely, in the decryption query, e.g., , where is a function, the simulator deals with the decryption by first employing the NIZK to extract a message from the ciphertext and then evaluating function on . Thus, the simulator can perfectly realize the decryption functionalities under the extractability of the NIZK. For the deterministic-to-randomized function transformation, the core idea is to use a PRF to remove randomization on the function. Specifically, the scheme transforms the encryption of to that of the pair with randomness under the SIM-CPA FE scheme where is a one-way permutation and is a hardcore function of . In the construction of the private key for a randomized function , the scheme first constructs a “derandomize” function and then computes a SIM-CPA FE private key for function . The decryption algorithm uses to recover from a ciphertext which encrypts the message . For our goals of deterministic functions, we remove the and one-way permutation used for implementing the deterministic-to-randomization function transformation and directly define the final private key as that of the SIM-CPA PK-FE for deterministic functions. Luckily, the removal operation does not affect the CPA-to-CCA transformation since the and does not participate in the transformation. In this way, we get a SIM-CCA-secure PK-FE scheme for deterministic functions.

In the construction of adaptive IND-CCA SK-FE, a similar methodology proposed by Elkind and Sahai in [18] is adopted. In their construction, the encryption scheme is designed by first constructing a “bare” oblivious-decryptor scheme (ODS) and then employing a designated-verifier NIZK to achieve adaptive CCA security. More specifically, their scheme first encrypted message under the ODS encryption into a ciphertext and then employed a designated-verifier NIZK to prove of .

Compared with their scheme, our work on IND-CCA security for SK-FE uses some seemingly different techniques. In our scheme, beyond a standard simulation-sound NIZK and a PK-FE scheme secure against SIM-CCA, we also use a semantically secure symmetric encryption (SE). The symmetric encryption is used to mask the message directly. Particularly, in order to enable decrypting, the SE ciphertext together with the symmetric key are reencrypted in a PK-FE ciphertext. A simulation-sound NIZK proof functions as a “well-formedness” condition on the symmetric ciphertext and is contained in the overall ciphertext. The underlying PK-FE scheme corresponds to the oblivious-decryptor scheme by Elkind and Sahai [18], whose SIM-CCA security together with the standard NIZK proof is used for rejecting ill-formed ciphertexts.

Note that simulation security is strong; in particular, it implies that we have to restrict ourselves to either secure against bounded collusion, which may hinder the practicability of the scheme, or to simple functionality (for example, IBE), for which the scheme cannot be simulation secure against bounded collusion. Although a weak notion, for example, an IND-CPA-secure SK-FE which may induce a more practical scheme or simple functionality, it is not applicable to our construction. This is because, when we directly use the weak scheme, during the decryption query phase, the master secret key encrypted in the underlying SK-FE ciphertext can be extracted out by the NIZK.

2. Preliminaries

2.1. Noninteractive Zero Knowledge (NIZK)

Here, we first explain several notions. a PPT binary relation which takes as input a statement and the corresponding witness and outputs a bit indicating whether belongs to the language .

Definition 1. A NIZK system with respect to a relation consists of three PPT algorithms .Setup: ), where denotes the common random string, which is public and can be accessed by anyone.Prove: , where denotes the proof which proves that it owns the secret witness of the statement .Verification: , where denotes the verifier “accept” and denotes “reject”.Perfect completeness: an argument system is perfectly complete if for all PPT adversaries , the following holds:Computational soundness: the computational soundness of the scheme is demonstrated as follows, where is a PPT algorithm:

Definition 2. (zero knowledge). A system is said to be computational zero-knowledge if is a PPT simulator s.t. for all PPT , the following holds:where the oracles and are demonstrated as follows:(i)The oracle takes as input a pair and outputs if ; o.w. outputs .(ii)The oracle is the simulator algorithm, which takes as input and outputs if ; o.w. outputs .

Definition 3. (simulation-sound extractability). Let be a NIZK with respect to a relation and be a PPT simulator. Then, satisfies the notion of simulation-sound extractability if is an extraction algorithm s.t.where is the set that contains all queries makes to and the answers from .

2.2. Symmetric Encryption and Semantic Security

Let be a symmetric encryption (SE), be the secret key space, and be the message space. These PPT algorithms work as follows: (1) the key-generation algorithm works as ; (2) the encryption algorithm works as ; and (3) the decryption algorithm works as .

Correctness of the scheme is obvious.

Definition 4. (semantic security). An is called semantic security (SS), if for all PPT in the game (see Figure 1) played by , the function is negligible in (security parameter), where .

3. PK-FE [8]

Let , , and , where each takes as input a string and outputs .

3.1. Definition of PK-FE

A PK-FE scheme , , , consists of the following four PPT algorithms:Setup: the setup algorithm works as , where denotes the master public key and denotes the master secret key.Private key generation: this algorithm works as , where denotes a deterministic function.Encryption: the encryption algorithm works as , where denotes a plaintext and denotes the generated ciphertext.Decryption: the decryption algorithm works as .Perfect correctness: for all sufficient large , , , and , the correct implies that

3.2. Simulation-Based Chosen-Ciphertext Security

For security, we give the definitions of simulation-based chosen-ciphertext (SIM-CCA) security and indistinguishability-based chosen-ciphertext (IND-CCA) security, respectively. We first give the definition of SIM-CCA security, where (see Figure 2) denotes the SIM-CCA game played by a PPT adversary .

Then, we define the advantage of the adversary in game as .

3.2.1. Oracles

(i)Real Game. In this game, both oracles and invoke the algorithm when makes key queries to and copyright has been updated in VTW, please repush task to validation. Oracle acts as the decryption oracle, i.e., when makes a decryption query , the oracle first invokes to obtain and then computes for all , where and outputs the ordered set . In this game, an ordered set is used to denote the functions that the adversary made queries to and used to denote the answers of the oracle .(ii)Ideal Game. In the ideal game, oracles and denote the simulator algorithms and . Simulator takes a key query as input and outputs a key for function . For simulator , besides given as input, it is also allowed to access an oracle , which inputs a function and returns for all . The (ordered) set denotes the functions that the adversary had made key queries to oracles and . Taking as input, oracle invokes the simulator to obtain or for each . Next, for each , if , then set ; otherwise, compute . Finally, it outputs the ordered set . For convenience, we abbreviate as .

Here, we give a further restriction on decryption queries. First, we give an equivalence relation notation functioning on ciphertext space . We say that any two ciphertexts satisfy, if for all , and so that one of the following conditions holds:(i) or .(ii).

Next, we give the restriction on decryption queries, namely, for each decryption query , whether in ideal game or real game, we require that, for all and , then , and for all , , and the challenge ciphertext , it must hold .

Definition 5. (SIM-CCA). We say that a PK-FE scheme for deterministic functions is -simulation-based chosen-ciphertext secure (-SIM-CCA secure) if for any efficient adversary where and make at most and key-generation queries, respectively, there exists an over ciphertext space () and a PPT simulator s.t. the advantage is negligible.
One thing in particular to note is that, in the SIM-CCA security game, if we disallow the adversary to query decryption oracles and , then the game becomes SIM-CPA game.

3.3. Indistinguishable-Based Chosen-Ciphertext Security

For the IND-CCA security, (see Figure 3) denotes the IND-CCA game played by a PPT adversary . We define the advantage function as .

In the above game, we require that if the ordered set denotes all key queries and denotes all challenge message pairs delivered by the adversary , then the distributions and are identical. Now, we give the definitions of oracles below.

3.3.1. Oracles

(i) denotes a key-generation oracle which, on inputting a function , invokes the key-generation algorithm to obtain a key for function .(ii) denotes a decryption oracle which, on taking as input a tuple such that , first invokes the key-generation algorithm to obtain a key and then computes and outputs .

Note that the above definition is secure, and it is easily modified to the nonadaptive security by requiring the adversary to specify two challenge messages before obtaining the master public key and function keys. In this paper, we only pay attention to the security.

Definition 6. (IND-CCA for PK-FE). We say that a PK-FE scheme for deterministic functions is adaptively indistinguishable chosen-ciphertext secure (-IND-CCA secure) if for any PPT adversary where and make at most and key-generation queries, respectively, and we have that the function value is negligible.
In particular, as remarked in [19], the above definition can be trivially extended to multiple challenge message security, i.e., adaptive -IND-CCA security where , , and are polynomials in . Particularly, we stress that the SIM-CCA security described in Section 3.2 implies IND-CCA security.

Lemma 1. Assume that a PK-FE scheme is adaptively SIM-CCA secure, then is also adaptively IND-CCA secure.

The proof is described in Appendix A.

4. Private-Key Functional Encryption

Here, we give the definition of SK-FE for deterministic functions. Let  = , , , and be an SK-FE scheme defined over function space and message space , respectively. The detailed definition is given as follows:Setup: the setup algorithm computes , where denotes the system public parameter , denotes the system master secret key, and the public parameter is implied in the following algorithms:Key generation: the key-generation algorithm computes , where denotes the generated private key.Encryption: the encryption algorithm computes , where denotes the being encrypted message and denotes the generated ciphertext.Decryption: the decryption algorithm computes , where denotes the final decrypted result.

Here, we give the perfect correctness of scheme SK-FE, which says that, for all sufficient large , , , and , it holds that .

4.1. Indistinguishable-Based Chosen-Ciphertext

Here, we review the IND-CCA of the SK-FE from [8]. In Figure 4, denotes the IND-CCA game played by a PPT adversary . The advantage function is defined as .

In the above game, we require that all challenge messages that the adversary delivers in the encryption queries to oracle satisfy for all the functions that the adversary makes queries to the key-generation oracle , where and denote the challenge message that the adversary delivers in the challenge phase. In the following, we define the functionalities of the oracles.

4.1.1. Oracles

(i) denotes the key-generation oracle which means that when the adversary makes a function query , the oracle invokes the algorithm to get a private key .(ii) denotes an encryption oracle. On taking as input two messages , it invokes to obtain for a random bit . We denote all challenge ciphertexts as .(iii) denotes a decryption oracle which, on taking as input a tuple such that , invokes the algorithm to obtain a private key and outputs .

Note that the above definition is secure and is easily modified to the nonadaptively security by requiring the adversary to make encryption queries before key queries.

Definition 7. (IND-CCA for SK-FE). We say that an SK-FE scheme for deterministic functions is adaptively indistinguishability-based chosen-ciphertext secure (adaptively IND-CCA secure) if for all PPT , the advantage is negligible in .

5. Construction of SIM-CCA-Secure PK-FE

In this section, we modify Agrawal and Wu’s generic transformation [17] to the setting of deterministic functions.

The modified scheme needs the following building blocks:(i)A NIZK argument  = (, , ) with simulation-sound extractability.(ii)An (adaptively) SIM-CPA-secure PK-FE scheme  = (, , , ).

A SIM-CCA-secure PK-FE scheme  =  (, , , ) is constructed as follows:(i)The setup algorithm: . This algorithm first runs and and then sets and and releases in public.(ii)The key-generation algorithm: . This algorithm first parses and then runs and sets .(iii)The encryption algorithm: on taking as input and a message , this algorithm first samples a randomness and runs to get and then computes , where , the witness , and . The relation and language satisfy the following equation:The final ciphertext is set as .(iv)The decryption algorithm: on taking as input a private key and a ciphertext , the decryption algorithm first verifies whether , where ; if so, it computes and outputs ; otherwise, it outputs .

It is easy to see that the correctness of the scheme follows from the completeness of and the correctness of .

Theorem 1. If is a simulation-sound extractable noninteractive zero-knowledge argument, is perfectly correct -SIM-CPA-secure PK-FE scheme for deterministic function class , then is -SIM-CCA-secure functional encryption scheme for the same function class.

Like [17], our definition also requires that the equivalence relation over the ciphertext space is satisfied, i.e., given any two ciphertexts , , the equivalence relation holds, if .

To prove Theorem 1, we will construct an ideal-world simulator for the scheme . Let be the simulator for the scheme and and be the simulator and extractor for the scheme , respectively.

5.1. Simulator

The setup simulator proceeds as follows. On taking as input , it first runs and then invokes , where denotes a common random string, denotes a simulation trapdoor, and denotes an extraction trapdoor. It finally sets and and outputs .

5.2. Simulator

The prechallenge key-generation query simulator proceeds as follows. On taking as input and , it runs . Then, it outputs the key and a fresh state .

5.3. Simulator

simulates the challenge ciphertext query procedure. On taking as input a statement and a function value set , proceeds as follows. It first computes ; then for each , it computes argument with the statement described as follows:where are the challenge messages that the adversary delivers. At the end of the simulation, it outputs a challenge ciphertext set and an updated state , where .

5.4. Simulator

simulates the postchallenge key-generation queries with the help of the oracle . Once getting input and , it first computes with the help of oracle and then outputs and , where the oracle is defined as follows: for any input function , it returns for all .

5.5. Simulator

The decryption query simulator takes as input and , and it parses and . Define the statement as

If , it stops and outputs ; otherwise, it computes . Finally, it outputs the massage and state .

5.6. Hybrid Games

For Theorem 1, we prove it via 4 hybrid games where the first game is the real-world game and the last game is the simulator game. Each game contains the following phases:Setup: in this phase, the challenger generates the system public key .Prechallenge queries: in this procedure, is allowed to issue the key-generation queries and decryption query such that for all decryption queries and any , and , it holds that .Challenge: when the adversary submits a vector of messages to the challenger, the challenger replies with .Postchallenge queries: in this procedure, the adversary is again allowed to issue key-generation and decryption queries but with a further restriction that decryption query can be only allowed to contain queries such that , where for and is the challenge ciphertext for .Output: finally, the adversary outputs a guess of the challenge bit .Each of the hybrid games is described in detail as follows:Hybrid : this is the game in the real settings where the challenger interacts with the adversary.Hybrid : same as except that the way that the common random string in the setup phase and the arguments in the challenge ciphertexts are generated. Specifically, in the setup phase, the challenger uses . In the challenge phase, the challenger uses the simulator to generate the challenge argument in the challenge ciphertexts. Let be the challenge messages. It samples and computes and for , where the statement is described as in equation (1). Finally, the challenger sets and and sends and to the adversary .Hybrid : same as except that the challenger answers the decryption queries by extracting the message-randomness pair from the noninteractive zero-knowledge argument . Specifically, in the setup phase, the procedure is same as hybrid except that the challenger computes . In the prechallenge phase, the key-generation queries are dealt with as in , while the decryption queries are processed as follows: for query , where and for , and let be the statement as described in equation (2). If , set ; otherwise, it invokes the extractor to obtain a witness and sets . Finally, is sent to .Hybrid : same as but with the difference that the challenger uses the simulator to interact with the adversary. Specifically, in the setup phase, the challenger computes . In the prechallenge phase, the decryption queries are dealt with as in hybrid , while the key generation is handled as follows: for each query , it runs to obtain private key . In the challenge phase, let be the function that the adversary has made queries in the key-generation phase and be the challenge messages that the adversary queries. It computes for all and and invokes the simulator to obtain . In the postchallenge queries, the decryption queries are processed as in hybrid , but the key-generation queries are processed differently as below: the challenger invokes under the help of the oracle to obtain the private key .

Claim 1. If is a computationally noninteractive zero-knowledge argument system, then hybrids and are computationally indistinguishable.

Proof. The hybrid games and are different in that, in , the challenger uses the NIZK simulator to compute the CRS and arguments. It is easy to see that the claim follows from the computational zero-knowledge of NIZK.
Concretely, let be an efficient adversary distinguishing hybrid games and . is used to construct an algorithm that tries to distinguish the real and simulated distributions of the NIZK. takes as input and is allowed to access to an argument oracle. In the setup, computes and sets and . It then sends to . In the challenge phase, when delivers challenge message , the algorithm samples and computes for each . Let be the statement in equation (2). delivers to its challenger and obtains an argument . Finally, obtains and .
The rest steps are processed in the same way as in and . Finally, outputs whatever outputs. Obviously, if the CRS and NIZK arguments are computed honestly, then simulates the settings of ; otherwise, it simulates the settings of . Thus, the lemma follows.

Claim 2. If is simulation-sound extractable and is perfectly correct, then hybrids and are computationally indistinguishable.

Proof. Hybrids and are identical but only with the difference in the way the challenger responds to decryption queries. Conditioned on the simulation-sound extractability of and perfect correctness of , the two games are computationally indistinguishable. Let be the decryption query pair that the adversary makes, where and .
The procedure can be classified into two cases. If can pass the verification, the challenger sets in both and . Otherwise, it is easy to see that the adversary cannot submit any challenge ciphertexts in the decryption queries. Thus, was not generated by the challenger using . Thus, by simulation-sound extractability, with probability at least , the extraction algorithm on and will produce a witness to make hold. Furthermore, by perfect correctness of , is the only pair corresponding to .
In addition, in , the challenger first computes and then sets . By the underlying PK-FE scheme , , which is exactly the output in after is extracted. Therefore, with probability , the distributions in both and are identical.

Claim 3. If is a -SIM-CPA-secure FE scheme for deterministic function family , then hybrids and are computationally indistinguishable.

Proof. Suppose is a distinguisher for hybrids and . is used to construct an algorithm that distinguishes and . Then, the detailed simulation procedure is processed as follows.

5.7. The Construction of

On taking as input which is generated by or , the setup and prechallenge queries are simulated as follows:: in this phase, the adversary first computes a simulated tuple . It then sets and sends to .: in this phase, when makes a function key query , the adversary queries its prechallenge key-generation oracle to obtain a key which is generated by or , while the decryption queries are the same as in and .

5.8. Adversary

On taking as input and a state from , the adversary simulates the challenge phase and postchallenge queries as follows:: in this procedure, when the adversary outputs a challenge message vector , the adversary queries its challenge oracle to obtain challenge ciphertext set for . It then computes and sets for each , where is described as in equation (1). It finally sends to .: the simulation of this procedure is the same as prechallenge procedure, except that queries his postchallenge key-generation oracle with the help of oracle to obtain a key which is generated by or .

At the end, outputs what outputs. Obviously, if takes part in the game