So the theorem that we are going prove
is that if the RSA assumption holds
so if this is true then
our scheme Pi is CPA secure
under the Random Oracle Model. So our
proof looks like the following:
if there exists Probabilist Polynomialtime
Adversary A
who breaks CPA security
of scheme Pi then
we are going to construct another Probabilistic 
Polynomialtime Adversary B that has
non-negligible advantage here in the RSA
assumption so it breaks the RSA
assumption and again this needs to be done
in the Random Oracle Model so B needs
to simulate Random Oracle
for A so let's start by
defining our adverseries. So outside
we will have adversary B, inside
we will have adversary A. Adversary A
is playing the CPA game for scheme Pi
so the CPA game for scheme Pi says
the adversary must be given the security
parameter together with the public key
pk
and then the adversary can
actually do the encryption queries
himself so there's no need for encryption
oracle access
At some point he will send us
two messages and M0 
and M1 from the message space, these
messages 
have same length. We will respond
with some Cb that should be a cyphertext
of one of these messages.
And eventually the adversary will output
its guess for this b which is some b prime.
Remember the adversary wins if
this be prime he's correctly guessing
which message we encrypted here.
On the other hand,
what's the game B is playing? B is
trying to break the RSA assumption.
The RSA assumption says
so some challenger outside
We can call this challenger C if we want,
runs this Gen
algorithm to obtain N, e and d
and the challenger also picks
some X that is from Z_N star
and the challenger gives
to B the security parameter so everything here
N, e
and x to the e
Ok, so these are given to B and B's goal
is to return X.
Now we have defined the games.
Remember since we are in the
Random Oracle Model
A also has an access
to the random oracle and
this can be any where, it can be here,
somewhere else doesn't matter.
So A will send some input z to the
random oracle,
expects some y back.
So since we're in the random oracle
model
this is the part of the interaction with A.
Now, our goal is to write the code for B.
So B's job initially is easy. Here
it will send the same security parameter
and it will set
the public key using the values it
received from its
challenger as N and e. Remember
B is trying to tie its inputs
to the adversary's inputs. Now 
adversary sends
two messages m0 and m1. Normally
B needs to pick one of them so
let me pick one of them randomly
and then B needs to
encrypt one of them m_b. 
How is the encryption working?
Normally B needs to do is needs to
pick a random value
r from Z_N* and to compute
r to the power e. Now B picks its
own random value and computes r
to the power e
then we are not tieing B's input
to A's input. Instead
we have x to the power e already given
to us for some random x.
So what we're going to do is we will
set c1
as x the power e that is given to us.
So we are simulating c1 perfectly
but we are using the input given to
us.
And we also need to simulate c2.
For c2, we need random oracle
of r 
which is x here. Now we don't know
x. Instead what we are going to do
is
we will pick y randomly from
the correct
range which is 0, 1 to the length of
messages and then we will compute c2
as y xor
m_b and then
eventually this c_b will have two parts
c1 and c2. This is what we sent
back.
So given m1 and m0, we do these
sent back.
Now here, the interesting part comes.
What if the adversary makes a
random oracle query?
So there
are three options.
The first option
is the following: if z
is equal to x then remember
the random oracle of x needs to be this y.
So we
return this
black ... so the the green y value
as the black way y value.
Now otherwise we have two options
as we do for a random oracle
we check that if we have already z
y combination in our database
then what we do is
we this green y we are going
to send
the adversary as this y value in our
database. Otherwise
so we have still don't have
anything related to z so it's the
first time we are
seeing z then we pick
y randomly from the correct range
which is 0, 1 to the l(m)
the length of the messages.
So we pick
let's say a blue y
we add to our database this
z, y combination so
this z, y is added to our database 
and this green y we are sending
the adversary is computed as this y.
So whenever a random oracle query arrives,
we had a initial database, what we do
is we do this.
Now there's one thing
that's important here, realize that
this B does not know x, it
only knows x to e mod. So
be cannot run this if condition but
what it can do
is it can compute z to the e
and compare it with x to the e.
B
is given e so it knows e, it can
compute z
to the e given z. It knows
x to the e. So it can compare
these and remember this
comparison essentially
means that z and x
are equivalent modulo N.
So we're not losing anything important
by changing this comparison.
Now we are going to analyze
the probabilities.
So I believe you will all agree that
this will be polynomial time
there will be polynomially many queries
here.
There's no problem, these are simple
things.
All of them can be done in
polynomial time.
Now we need to analyze the probabilities.
One thing we should realize is the
following. This
adversary is outputting
a single bit whereas
our job is to output some
Z_N* element so this is
much longer element, okey
around maybe 2N bits.
So given this one bit, this
2N bits, be
Our job is extremely hard here,
we cannot convert
this one bit information to 2N
bit information so
this is an interesting type of proof
in the sense that the adversaries 
output here
does not relate to
our output here and you can guess 
this because of
their sizes but instead
what happens is the following
There are two cases, OK, case 1
one of the queries of the adversary
is a z such that
z to the e is indeed equal to
x to the e. So z to the e mod n
equal x to the e
mod n. If that's the case
what we do is
we can output x
as z modulo n
So essentially
if the adversary ever queries 
for such a z
then B manages
to break the RSA
assumption. So it manages to
output
the x value that is required for.
The second option
is that there is never
such a query z such that
z to the e is equal to x to the e.
Now if A never queries
for a z such that z to the
e is equal to
x to the e or if it is easier for you to 
think you can say
A never queries for x
essentially then remember 
A has no idea
about this y. So if
A never queries for
x essentially, it has no idea 
about y because y was
chosen randomly. Now y
is chosen randomly
and A has no idea about y, this
is exactly one time pad. So
the probability that A wins
given that
A never queries for
x is exactly 1/2.
We know this through perfect security
of the one time pad and the 
fact that
for a random oracle, if A never 
queried the random oracle on that
value, A has no idea about the
corresponding output.
So if A never queried, he can only 
win with the probability 1/2.
On the other hand if
A ever manages to query for
let's say x or essentially z to the e
that is equivalent to x to the e,
then B is breaking the RSA assumption.
Now what does it mean
if A has non-negligible probability
of performing such a query
so if A has
non-negligible probability of
getting into case 1
then B will have non-negligible
probability
of returning to correct x so
B is going to break the RSA
assumption with that
non-negligible probability. 
If instead the
RSA assumption, remember we are
assuming it holds
so B can only break it with
negligible probability.
This means A must only have
negligible probability in
getting into this first case
so sending such a query
so overall, remember, A
wins if he manages to query because if
he manages
to query for that he gets the correct
y and then he can
decrypt and figure out which b
we used.
So overall the probability that 
A wins
would be this 1/2 here plus
this value here and if the RSA
assumption holds,
this value must be negligible
therefore
we showed both ways so for the 
theorem we showed
that if the RSA assumption holds in
the random oracle
the A's advantage in breaching CPA 
security of the
scheme must be 1/2 plus negligible.
Again
thinking the other way round if A
had 1/2 plus non-negligible
chance in
total since this part is 1/2 it means
this part
had to be non-negligible which means B
would have broken the RSA assumption
with non-negligible probability
So it corresponds to the contrapositive
and now we had done with the whole proof.
So it is not astandard style of proof 
that we are
used to.
This output has nothing to do with this
output
but in terms of the probabilities they
are closely related.
If A manages to make
a random oracle query that is going
to help him break the scheme
then we are going to break our
underlying assumption. If
A never makes such a random oracle
query that
can help him at all with breaking 
the scheme
then he wouldn't be able to break
the scheme and
overall that shows the security
that we are trying to prove here.
