\section{Problem 2}
\begin{proof}
    We prove that the given public-key encryption scheme is semantically secure under the DDH assumption and the security of the private-key encryption scheme $(\mathtt{Enc}', \mathtt{Dec}')$. We prove it using a hybrid argument.
    \begin{itemize}
        \item $\mathbf{H}_0:$ $(pk, \mathtt{Enc}(pk, m_0)) = (p, q, g, g^a, g^b, \mathtt{Enc}'(g^{ab}, m_0))$.
        \item $\mathbf{H}_1:$ $(p, q, g, g^a, g^b, \mathtt{Enc}'(R, m_0))$, where $R$ is uniformly random from $\mathcal{K}_n$.
        \item $\mathbf{H}_2:$ $(p, q, g, g^a, g^b, \mathtt{Enc}'(R, m_1))$, where $R$ is uniformly random from $\mathcal{K}_n$.
        \item $\mathbf{H}_3:$ $(p, q, g, g^a, g^b, \mathtt{Enc}'(g^{ab}, m_1))=(pk, \mathtt{Enc}(pk, m_1))$.
    \end{itemize}
    We will show that $\mathbf{H_0}\approx_{c}\mathbf{H_1}\approx_c\mathbf{H_2}\approx_c \mathbf{H_3}$, which implies 
    $$(pk, \mathtt{Enc}(pk, m_0))\approx_c (pk, \mathtt{Enc}(pk, m_1)).$$
    That is, the encryption scheme $(\mathtt{Gen}, \mathtt{Enc}, \mathtt{Dec})$ is semantically secure.
    
    \paragraph{Step 1: $\mathtt{H_0}\approx_c \mathtt{H_1}$ under the DDH assumption.}
    Suppose that there is a p.p.t adversary $\mathcal{A}$ that distinguishes $\mathbf{H_0}$ and $\mathbf{H_1}$ with non-negligible advantage, then there is a p.p.t adversary $\mathcal{B}$ that breaks the DDH assumption. The construction of $\mathcal{B}$ is as follows:
    \begin{enumerate}
        \item Receive challenge $(g,g^a,g^b,X)$, where $X=g^{ab}$ if $\beta=0$, $X=R$ if $\beta=1$.
        \item Set $pk=(p,q,g,g^a)$, where $p,q$ are the DDH parameters.
        \item Compute $ct=(g^b,\mathtt{Enc}'(X,m_0))$.
        \item Simulate $\mathcal{A}$ with input $(pk,ct)$, output a guess $\beta'$.
    \end{enumerate}

\end{proof}
\fi
\section{Problem 2}
We prove that the given public-key encryption scheme is CPA-secure under the DDH assumption and the security of the private-key encryption scheme $(\text{Enc}', \text{Dec}')$.

\paragraph{Proof Structure}

We use a hybrid argument with four distributions:
\begin{itemize}
    \item \textbf{H}$_0$: $(\text{pk}, \text{Enc}(\text{pk}, m_0)) = (p, q, g, g^a, g^b, \text{Enc}'(g^{ab}, m_0))$
    \item \textbf{H}$_1$: $(p, q, g, g^a, g^b, \text{Enc}'(R, m_0))$, where $R$ is uniformly random from $\mathcal{K}_n$
    \item \textbf{H}$_2$: $(p, q, g, g^a, g^b, \text{Enc}'(R, m_1))$, where $R$ is uniformly random from $\mathcal{K}_n$
    \item \textbf{H}$_3$: $(\text{pk}, \text{Enc}(\text{pk}, m_1)) = (p, q, g, g^a, g^b, \text{Enc}'(g^{ab}, m_1))$
\end{itemize}

We will show: $H_0 \approx_c H_1 \approx_c H_2 \approx_c H_3$.

\paragraph{Step 1: $H_0 \approx_c H_1$ (DDH Assumption)}

\textbf{Claim}: $H_0$ and $H_1$ are computationally indistinguishable under the DDH assumption.

\begin{proof}
    
Suppose there exists a PPT adversary $A$ that distinguishes $H_0$ and $H_1$ with non-negligible advantage $\epsilon(n)$. We construct a PPT adversary $B$ that breaks the DDH assumption.

\textbf{Adversary $B$}:
\begin{itemize}
    \item \textbf{Input}: DDH challenge $(g, g^a, g^b, X)$, where $X = g^{ab}$ or $X = g^c$ for random $c$
    \item \textbf{Goal}: Determine whether $X = g^{ab}$ or $X = g^c$
\end{itemize}

\textbf{$B$'s Algorithm}:
\begin{enumerate}
    \item Receive challenge $(g, g^a, g^b, X)$
    \item Set $\text{pk} = (p, q, g, g^a)$ (where $p, q$ are from the DDH setup)
    \item Compute $\text{ct}' = \text{Enc}'(X, m_0)$
    \item Send $(\text{pk}, (g^b, \text{ct}'))$ to adversary $A$
    \item Output whatever $A$ outputs
\end{enumerate}

\textbf{Analysis}:
\begin{itemize}
    \item If $X = g^{ab}$, then $B$ simulates $H_0$ perfectly.
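    \item If $X = g^c$ (random), then $B$ simulates $H_1$ perfectly (since $g^c$ is uniformly random in $\mathcal{K}_n$; this uses that $\mathcal{K}_n$ is the group generated by $g$, as the scheme keys $\text{Enc}'$ directly with $g^{ab}$).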
    \item Therefore: 
    \[
    \left|\Pr[B(g, g^a, g^b, g^{ab}) = 1] - \Pr[B(g, g^a, g^b, g^c) = 1]\right| = \epsilon(n)
    \]
\end{itemize}

This contradicts the DDH assumption, so $H_0 \approx_c H_1$.
\end{proof} 
\paragraph{Step 2: $H_1 \approx_c H_2$ (Security of Private-Key Encryption)}

\textbf{Claim}: $H_1$ and $H_2$ are computationally indistinguishable under the security of $(\text{Enc}', \text{Dec}')$.

\begin{proof}
    
Suppose there exists a PPT adversary $A$ that distinguishes $H_1$ and $H_2$ with non-negligible advantage $\delta(n)$. We construct a PPT adversary $B$ that breaks the CPA-security of $(\text{Enc}', \text{Dec}')$.

\textbf{Adversary $B$}:
\begin{itemize}
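    \item \textbf{Input}: Access to encryption oracle for $(\text{Enc}', \text{Dec}')$ (the algorithm below never queries it, so indistinguishability of a single encryption under a fresh key already suffices)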
    \item \textbf{Goal}: Break CPA-security of $(\text{Enc}', \text{Dec}')$
\end{itemize}

\textbf{$B$'s Algorithm}:
\begin{enumerate}
    \item Generate $(p, q, g) \leftarrow G(1^n)$ and sample $a, b \leftarrow \mathbb{Z}_q$
    \item Set $\text{pk} = (p, q, g, g^a)$
    \item Send challenge messages $(m_0, m_1)$ to the private-key encryption challenger
    \item Receive $\text{ct}^* = \text{Enc}'(k^*, m_\beta)$ for random key $k^* \in \mathcal{K}_n$ and random challenge bit $\beta \in \{0,1\}$ (written $\beta$ to keep it distinct from the exponent $b$ sampled above)
    \item Send $(\text{pk}, (g^b, \text{ct}^*))$ to adversary $A$
    \item If $A$ outputs 1, output 0; otherwise output 1
\end{enumerate}

\textbf{Analysis}:
\begin{itemize}
    \item When the challenger uses $m_0$: $B$ simulates $H_1$.
    \item When the challenger uses $m_1$: $B$ simulates $H_2$.
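    \item $B$ guesses the challenger's bit correctly with probability $\frac{1}{2} + \frac{1}{2}\delta(n)$ (taking, without loss of generality, $A$ to output 1 more often on $H_1$ than on $H_2$), so its advantage over random guessing is $\frac{1}{2}\delta(n)$, which is non-negligible.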
\end{itemize}

This contradicts the security of $(\text{Enc}', \text{Dec}')$, so $H_1 \approx_c H_2$.
\end{proof} 
\paragraph{Step 3: $H_2 \approx_c H_3$ (DDH Assumption)}

By symmetry with Step 1, we can show $H_2 \approx_c H_3$ using the same DDH-based argument, but with $m_1$ instead of $m_0$.

\paragraph{Conclusion}

By the hybrid argument (the triangle inequality applied to the three negligible distinguishing gaps shown above):
\[
H_0 \approx_c H_1 \approx_c H_2 \approx_c H_3
\]

Therefore:
\[
(\text{pk}, \text{Enc}(\text{pk}, m_0)) \approx_c (\text{pk}, \text{Enc}(\text{pk}, m_1))
\]

This proves that $(\text{Gen}, \text{Enc}, \text{Dec})$ is CPA-secure, completing the proof.