ebook img

Fully Secure Anonymous HIBE and Secret-Key Anonymous IBE with Short Ciphertexts PDF

24 Pages·2010·0.35 MB·English
by  
Save to my drive
Quick download
Download
Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.

Preview Fully Secure Anonymous HIBE and Secret-Key Anonymous IBE with Short Ciphertexts

Fully Secure Anonymous HIBE and Secret-Key Anonymous IBE with Short Ciphertexts Angelo De Caro∗ Vincenzo Iovino † Giuseppe Persiano ‡ Thursday 28th October, 2010 Abstract Lewko and Waters [Eurocrypt 2010] presented a fully secure HIBE with short ciphertexts. In this paper we show how to modify their construction to achieve anonymity. We prove the securityofourschemeunderstatic(andgenericallysecure)assumptionsformulatedincomposite order bilinear groups. In addition, we present a fully secure Anonymous IBE in the secret-key setting. Secret-Key AnonymousIBEwasimpliedbytheworkof[Shen-Shi-Waters-TCC2009]whichcanbeshown secureintheselective-idmodel. Nopreviousfullysecureconstructionofsecret-keyAnonymous IBE is known. ∗Dipartimento di Informatica ed Applicazioni, Universita` di Salerno, 84084 Fisciano (SA), Italy. †DipartimentodiInformaticaedApplicazioni,Universita`diSalerno,84084Fisciano(SA),Italy.. Workdonewhile visiting the Department of Computer Science of The Johns Hopkins University. ‡Dipartimento di Informatica ed Applicazioni, Universita` di Salerno, 84084 Fisciano (SA), Italy. 1 Contents 1 Introduction 3 2 Composite Order Bilinear Groups and Complexity Assumptions 4 2.1 Assumption 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 2.2 Assumption 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 2.3 Assumption 3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 3 Public-Key Anonymous HIBE 5 3.1 Hierarchical Identity Based Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . 5 3.2 Security definition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 3.3 Our construction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 3.4 Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 3.4.1 Indistinguishability of Game and Game . . . . . . . . . . . . . . . . . . 9 Real Real(cid:48) 3.4.2 Indistinguishability of Game and Game . . . . . . . . . . . . . . . 9 Real(cid:48) Restricted 3.4.3 Indistinguishability of Game and Game . . . . . . . . . . . . . . . . . 10 Restricted 0 3.4.4 Indistinguishability of Game and Game . . . . . . . . . . . . . . . . . . . 10 k−1 k 3.4.5 Indistinguishability of Game and Game . . . . . . . . . . . . . . . . . . . 11 q Final0 3.4.6 Indistinguishability of Game and Game . . . . . . . . . . . . . . . . . 12 Final0 Final1 3.4.7 Game gives no advantage . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 Final1 4 Secret-Key Anonymous IBE 13 4.1 Secret Key Identity Based Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . 13 4.2 Security definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 4.2.1 Ciphertext Security definition . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 4.2.2 Key Security definition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14 4.3 Our construction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14 4.4 Ciphertext Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 4.5 Key Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 4.5.1 Indistinguishability of Game and Game . . . . . . . . . . . . . . . . 16 Real Restricted 4.5.2 Indistinguishability of Game and Game . . . . . . . . . . . . . . . . . 16 Restricted 0 4.5.3 Indistinguishability of Game and Game . . . . . . . . . . . . . . . . . . . 17 k−1 k 4.5.4 Indistinguishability of Game and Game . . . . . . . . . . . . . . . . . . . 17 q Final 4.5.5 Game gives no advantage . . . . . . . . . . . . . . . . . . . . . . . . . . . 18 Final 5 Conclusions and Open Problems 18 A Generic Security of Our Complexity Assumptions 22 2 1 Introduction Identity-Based Encryption (IBE) was introduced by [13] to simplify the public-key infrastructure. An IBE is a public-key encryption scheme in which the public-key can be set to any string inter- preted as one’s identity. A central authority that holds the master secret key can produce a secret key corresponding to a given identity. Anyone can then encrypt messages using the identity, and only the owner of the corresponding secret key can decrypt the messages. First realizations of IBE aredueto[2]whichmakesuseofbilineargroupsandto[8]whichusesquadraticresidues. Later, [9] introduced the more general concept of Hierarchical Identity-Based Encryption (HIBE) issuing a partial solution to it. An HIBE system is an IBE that allows delegation of the keys in a hierarchical structure. To the top of the structure there is the central authority that holds the master secret key, then several sub-authorities (or individual users) that hold delegated keys which can be used to decrypt only the messages addressed to the organization which the sub-authority belongs. In this paper we are interested in Anonymous HIBE that are a special type of HIBE with the property that ciphertexts hide the identity for which they were encrypted. Interest in Anonymous IBE and HIBE was spurred by the observation that it can be used to build Public-Key Encryption with Keyword Search [1]. As noticed by [4], the first construction of Anonymous IBE was implicit in [2] whose security relied on the random oracle assumption. Boneh and Waters [5] constructed Anonymous HIBE in the selective-id model. Recently, Lewko and Waters [11] used the Dual System Encryption methodology introduced by [16] to construct the first fully secure HIBE system with short ciphertexts. The construction given by [11] seems inherently non-anonymous. Another construction of Anonymous HIBE was given by [12] but their security proof is in the selective-ID model. We show that a slight modification of the HIBE of [11] gives the first fully secure Anonymous HIBE. Our construction has, like the non-anonymous one of [11], short ciphertexts; that is, a ciphertext consists of a constant (that is independent of the depth of the hierarchy) number of elements from the underlying bilinear group. The full security of our construction is based on static (that is, independent from the running time of the adversary and the size of hierarchy) and generically secure assumptions. Recently, afully-securehierarchicalpredicateencryptionsystemhasbeengivenby[10]. Anony- mous HIBE can be obtained as special case of the construction of [10] and, even though the con- struction of [10] is based on prime order gropus, the ciphertexts of the resulting Anonymous HIBE consist of O((cid:96)2) group elements and keys have O((cid:96)3) group elements. In [7] the authors constructed an Anonymous HIBE scheme based on hard lattice problems; in this construction the size of a ciphertext depends on the depth of the hierarchy. We also study Secret-Key Anonymous IBE and show that if our public key construction is used inthesecretkeysetting(thatis, thepublickeyiskeptsecret)thentheschemeenjoystheadditional property of key secrecy; that is, decryption keys for different identities are indistinguishable. We stress that key secrecy cannot be obtained in the public key setting as an adversary can test if a secret key Sk corresponds to identity ID by creating a cipertext Ct for ID (by using the public key) and then trying to decrypt Ct by using Sk. We mention that the Secret-Key Predicate Encryption Schemeof[14]hasSecret-KeyAnonymousIBEasaspecialcasebutitssecurityisintheselective-id model. To the best of our knowledge, the concept of Secret-Key Hierarchical IBE has not been defined before and we defer its study to future work. Organization of the work. In Section 2, we present a brief introduction of bilinear groups and state 3 the complexity assumptions used to prove the security of our schemes. In Section 3 we present definitions and our construction for Public-key Anonymous HIBE. Finally, in Section 4, we present definitions and our construction for Secret-key Anonymous IBE. Due to lack of space the proof of security ofour assumptionsin thegeneric groupmodelis omittedand canbe found inthe extended version [6]. 2 Composite Order Bilinear Groups and Complexity Assumptions Composite order bilinear groups were first used in cryptographic construction in [3]. We use groups of order product of four primes and a generator G which takes as input security parameter λ and outputs a description I = (N = p p p p ,G,G ,e) where p ,p ,p ,p are distinct primes of Θ(λ) 1 2 3 4 T 1 2 3 4 bits, G and G are cyclic groups of order N, and e : G×G → G is a map with the following T T properties: 1. (Bilinearity) ∀ g,h ∈ G,a,b ∈ Z ,e(ga,hb) = e(g,h)ab. N 2. (Non-degeneracy) ∃ g ∈ G such that e(g,g) has order N in G . T WefurtherrequirethatthegroupoperationsinGandG aswellthebilinearmapearecomputable T indeterministicpolynomialtimewithrespecttoλ. Also,weassumethatthegroupdescriptionsofG andG includegeneratorsoftherespectivecyclicgroups. Furthermore,fora,b,c ∈ {1,p ,p ,p ,p } T 1 2 3 4 we denote by G the subgroup of order abc. From the fact that the group is cyclic it is simple abc to verify that if g and h are group elements of different order (and thus belonging to different subgroups), then e(g,h) = 1. This is called the orthogonality property and is a crucial tool in our constructions. We now give our complexity assumptions. 2.1 Assumption 1 For a generator G returning bilinear settings of order N product of four primes, we define the following distribution. First pick a random bilinear setting I = (N = p p p p ,G,G ,e) by 1 2 3 4 T running G(1λ) and then pick g ,A ← G ,A ,B ← G ,g ,B ← G ,g ← G ,T ← G ,T ← G 1 1 p1 2 2 p2 3 3 p3 4 p4 1 p1p2p3 2 p1p3 and set D = (I,g ,g ,g ,A A ,B B ). We define the advantage of an algorithm A in breaking 1 3 4 1 2 2 3 Assumption 1 to be: AdvA (λ) = |Prob[A(D,T ) = 1]−Prob[A(D,T ) = 1]|. A1 1 2 Assumption 1 We say that Assumption 1 holds for generator G if for all probabilistic polynomial- time algorithms A AdvA (λ) is a negligible function of λ. A1 2.2 Assumption 2 For a generator G returning bilinear settings of order N product of four primes, we define the following distribution. First pick a random bilinear setting I = (N = p p p p ,G,G ,e) by 1 2 3 4 T running G(1λ) and then pick α,s,r ← Z , g ← G , g ,A ,B ← G , g ← G , g ← G , T ← G N 1 p1 2 2 2 p2 3 p3 4 p4 2 T 4 and set T = e(g ,g )αs and D = (I,g ,g ,g ,g ,gαA ,gsB ,gr,Ar). We define the advantage of 1 1 1 1 2 3 4 1 2 1 2 2 2 an algorithm A in breaking Assumption 2 to be: AdvA (λ) = |Prob[A(D,T ) = 1]−Prob[A(D,T ) = 1]|. A2 1 2 Assumption 2 We say that Assumption 2 holds for generator G if for all probabilistic polynomial time algorithm A AdvA (λ) is a negligible function of λ. A2 2.3 Assumption 3 For a generator G returning bilinear settings of order N product of four primes, we define the following distribution. First pick a random bilinear setting I = (N = p p p p ,G,G ,e) by 1 2 3 4 T running G(1λ) and then pick rˆ,s ← Z , g ,U,A ← G , g ,A ,B ,D ,F ← G , g ← G , N 1 1 p1 2 2 2 2 2 p2 3 p3 g ,A ,B ,D ← G , A ,B ,D ← G , T ← G 4 4 4 4 p4 24 24 24 p2p4 2 p1p2p4 and set T = AsD and D = (I,g ,g ,g ,g ,U,UsA ,Urˆ,A A ,ArˆA ,grˆB , gsB ). We define 1 1 24 1 2 3 4 24 1 4 1 2 1 2 1 24 the advantage of an algorithm A in breaking Assumption 3 to be: AdvA (λ) = |Prob[A(D,T ) = 1]−Prob[A(D,T ) = 1]|. A3 1 2 Assumption 3 We say that Assumption 3 holds for generator G if for all probabilistic polynomial time algorithm A AdvA (λ) is a negligible function of λ. A3 3 Public-Key Anonymous HIBE 3.1 Hierarchical Identity Based Encryption A Hierarchical Identity Based Encryption scheme (henceforth abbreviated in HIBE) over an al- phabet Σ is a tuple of five efficient and probabilistic algorithms: (Setup, Encrypt, KeyGen, Decrypt, Delegate). Setup(1λ,1(cid:96)): takes as input security parameter λ and maximum depth of an identity vector (cid:96) and outputs public parameters Pk and master secret key Msk. KeyGen(Msk,ID = (ID ,...,ID )): takes as input master secret key Msk, identity vector ID ∈ Σj 1 j with j ≤ (cid:96) and outputs a private key Sk . ID Delegate(Pk,ID,Sk ,ID ): takes as input public parameters Pk, secret key for identity vector ID j+1 ID = (ID ,...,ID ) of depth j < (cid:96), ID ∈ Σ and outputs a secret key for the depth j +1 1 j j+1 identity vector (ID ,...,ID ,ID ). 1 j j+1 Encrypt(Pk,M,ID): takes as input public parameters Pk, message M and identity vector ID and outputs a ciphertext Ct. Decrypt(Pk,Ct,Sk): takes as input public parameters Pk, ciphertext Ct and secret key Sk and outputs the message M. We make the following obvious consistency requirement. Suppose ciphertext Ct is obtained by running the Encrypt algorithm on public parameters Pk, message M and identity ID and that Sk is a secret key for identity ID obtained through a sequence of KeyGen and Delegate calls using the same public parameters Pk. Then Decrypt, on input Pk,Ct and Sk, returns M except with negligible probability. 5 3.2 Security definition We give complete form of the security definition following [15]. Our security definition captures semantic security and ciphertext anonymity by means of the following game between an adversary A and a challenger C. Setup. The challenger C runs the Setup algorithm to generate public parameters Pk which it gives to the adversary A. We let S denote the set of private keys that the challenger has created but not yet given to the adversary. At this point, S = ∅. Phase 1. A makes Create, Delegate, and Reveal key queries. To make a Create query, A specifies an identity vector ID of depth j. In response, C creates a key for this vector by calling the key generation algorithm, and places this key in the set S. C only gives A a reference to this key, not the key itself. To make a Delegate query, A specifies a key Sk in the set S ID and ID ∈ Σ. In response, C appends ID to ID and makes a key for this new identity j+1 j+1 by running the delegation algorithm on ID,Sk and ID . C adds this key to the set S and ID j+1 again gives A only a reference to it, not the actual key. To make a Reveal query, A specifies an element of the set S. C gives this key to A and removes it from the set S. We note that A needs no longer make any delegation queries for this key because it can run delegation algorithm on the revealed key for itself. Challenge. A gives two pairs of message and identity (M ,ID(cid:63)) and (M ,ID(cid:63)) to C. We require 0 0 1 1 that no revealed identity in Phase 1 is a prefix of either ID(cid:63) or ID(cid:63). C chooses random 0 1 β ∈ {0,1}, encrypts M under ID(cid:63) and sends the resulting ciphertext to A. β β Phase 2. This is the same as Phase 1 with the added restriction that any revealed identity vector must not be a prefix of either ID(cid:63) or ID(cid:63). 0 1 Guess. A must output a guess β(cid:48) for β. The advantage of A is defined to be Prob[β(cid:48) = β]− 1. 2 Definition 3.1 An Anonymous Hierarchical Identity Based Encryption scheme is secure if all polynomial time adversaries achieve at most a negligible (in λ) advantage in the previous security game. 3.3 Our construction In this section we describe our construction for an Anonymous HIBE scheme. Setup(1λ,1(cid:96)): The setup algorithm chooses random description I = (N = p p p p ,G,G ,e) and 1 2 3 4 T random Y ,X ,u ,...,u ∈ G ,Y ∈ G ,X ,Y ∈ G and α ∈ Z . The public parameters 1 1 1 (cid:96) p1 3 p3 4 4 p4 N are published as: Pk = (N,Y ,Y ,Y ,t = X X ,u ,...,u ,Ω = e(Y ,Y )α). 1 3 4 1 4 1 (cid:96) 1 1 The master secret key is Msk = (X ,α). 1 6 KeyGen(Msk,ID = (ID ,...,ID )): The key generation algorithm chooses random r ,r ∈ Z and, 1 j 1 2 N fori ∈ {1,2},randomR ,R ,R ,...,R ∈ G . ThesecretkeySk = (K ,K ,E , i,1 i,2 i,j+1 i,(cid:96) p3 ID i,1 i,2 i,j+1 ...,E ) is computed as i,(cid:96) K = Yr1R , K = Yα(cid:16)uID1···uIDjX (cid:17)r1R 1,1 1 1,1 1,2 1 1 j 1 1,2 E = ur1 R , ..., E = ur1R , 1,j+1 j+1 1,j+1 1,(cid:96) (cid:96) 1,(cid:96) K = Yr2R , K = (cid:16)uID1···uIDjX (cid:17)r2R 2,1 1 2,1 2,2 1 j 1 2,2 E = ur2 R , ..., E = ur2R . 2,j+1 j+1 2,j+1 1,(cid:96) (cid:96) 2,(cid:96) Noticethat,Sk iscomposedbytwosub-keys. Thefirstsub-key,(K ,K ,E ,...,E ), ID 1,1 1,2 1,j+1 1,(cid:96) isusedbythedecryptionalgorithmtocomputetheblindingfactor,thesecond,(K ,K ,E , 2,1 2,2 2,j+1 ...,E ), is used by the delegation algorithm and can be used also to verify that the identity 2,(cid:96) vector of a given ciphertext matches the identity vector of the key. Delegate(Pk,ID,Sk ,ID ): GivenakeySk = (K(cid:48) ,K(cid:48) ,E(cid:48) ,...,E(cid:48) )forID = (ID ,...,ID ), ID j+1 ID i,1 i,2 i,j+1 i,(cid:96) 1 j the delegation algorithm creates a key for (ID ,...,ID , ID ) as follows. It chooses random 1 j j+1 r˜,r˜ ∈ Z and, for i ∈ {1,2}, random R ,R ,R ,...,R ∈ G . The secret key 1 2 N i,1 i,2 i,j+2 i,(cid:96) p3 (K ,K ,E ,...,E ) is computed as i,1 i,2 i,j+2 i,(cid:96) K = K(cid:48) (K(cid:48) )r˜1R ,K = K(cid:48) (K(cid:48) )r˜1(E(cid:48) )IDj+1(E(cid:48) )r˜1IDj+1R , 1,1 1,1 2,1 1,1 1,2 1,2 2,2 1,j+1 2,j+1 1,2 E = E(cid:48) ·(E(cid:48) )r˜1R ,...,E = E(cid:48) ·(E(cid:48) )r˜1R . 1,j+2 1,j+2 2,j+2 1,j+2 1,(cid:96) 1,(cid:96) 2,(cid:96) 1,(cid:96) and K = (K(cid:48) )r˜2R , K = (K(cid:48) )r˜2 ·(E(cid:48) )r˜2IDj+1R , 2,1 2,1 2,1 2,2 2,2 2,j+1 2,2 E = (E(cid:48) )r˜2R ,...,E = (E(cid:48) )r˜2R . 2,j+2 2,j+2 2,j+2 2,(cid:96) 2,(cid:96) 2,(cid:96) We observe that the new key has the same distributions as the key computed by the KeyGen algorithm on (ID ,...,ID ,ID ) with randomness r = r(cid:48) +(r(cid:48) ·r˜) and r = r(cid:48) ·r˜. 1 j j+1 1 1 2 1 2 2 2 Encrypt(Pk,M,ID = (ID ,...,ID )): The encryption algorithm chooses random s ∈ Z and ran- 1 j N dom Z,Z(cid:48) ∈ G . The ciphertext (C ,C ,C ) for the message M ∈ G is computed as p4 0 1 2 T (cid:16) (cid:17)s C = M ·e(Y ,Y )αs, C = uID1···uIDjt Z, C = YsZ(cid:48). 0 1 1 1 1 j 2 1 Decrypt(Pk,Ct,Sk): The decryption algorithm assumes that the key and ciphertext both corre- spond to the same identity (ID ,...,ID ). If the key identity is a prefix of this instead, then 1 j the decryption algorithm starts by running the key delegation algorithm to create a key with identity matching the ciphertext identity exactly. The decryption algorithm then computes the blinding factor as: e(Y ,Y )αse(cid:16)uID1···uIDjX ,Y (cid:17)r1s e(K1,2,C2) = 1 1 1 j 1 1 = e(Y ,Y )αs. e(K1,1,C1) e(cid:16)Y ,uID1···uIDjX (cid:17)r1s 1 1 1 1 j 1 7 By comparing our construction with the one of [11], we notice that component t of the public key and components C and C of the ciphertext have a G part. This addition makes the system 1 2 p4 anonymous. Indeed, if we remove from our construction the G parts of t and C and C (and p4 1 2 thus obtain the scheme of [11]) then it is possible to test if ciphertext (C ,C ,C ) is relative to 0 1 2 identity (ID ,...,ID ) for public key (N,Y ,Y ,Y ,t,u ,...,u ,Ω) by testing e(C ,t·(uID1···uID(cid:96))) 1 j 1 3 4 1 (cid:96) 2 1 (cid:96) and e(C ,Y ) for equality. 1 1 3.4 Security Following Lewko and Waters [11], we define two additional structures: semi-functional ciphertexts and semi-functional keys. These will not be used in the real scheme, but we need them in our proofs. Semi-functional Ciphertext. Weletg denoteageneratorofG . Asemi-functionalciphertext 2 p2 iscreatedasfollows: first,weusetheencryptionalgorithmtoformanormalciphertext(C(cid:48),C(cid:48),C(cid:48)). 0 1 2 We choose random exponents x,z ∈ Z . We set: c N C = C(cid:48), C = C(cid:48)gxzc, C = C(cid:48)gx. 0 0 1 1 2 2 2 2 Semi-functional Keys. To create a semi-functional key, we first create a normal key (K(cid:48) , i,1 K(cid:48) ,E(cid:48) ,...,E(cid:48) ) using the key generation algorithm. We choose random exponents z,γ,z ∈ i,2 i,j+1 i,(cid:96) k Z and, for i ∈ {1,2}, random exponents z ,...,z ∈ Z . We set: N i,j+1 i,(cid:96) N K = K(cid:48) ·gγ,K = K(cid:48) ·gγzk,(E = E(cid:48) ·gγz1,i)(cid:96) , 1,1 1,1 2 1,2 1,2 2 1,i 1,i 2 i=j+1 and K = K(cid:48) ·gzγ,K = K(cid:48) ·gzγzk,(E = E(cid:48) ·gzγz2,i)(cid:96) . 2,1 2,1 2 2,2 2,2 2 2,i 2,i 2 i=j+1 Wenotethatwhenthefirstsub-keyofasemi-functionalkeyisusedtodecryptasemi-functional ciphertext, the decryption algorithm will compute the blinding factor multiplied by the additional term e(g2,g2)xγ(zk−zc). If zc = zk, decryption will still work. In this case, we say that the key is nominallysemi-functional. Ifthesecondsub-keyisusedtotesttheidentityvectoroftheciphertext, then the decryption algorithm computes e(g2,g2)xzγ(zk−zc) and if zc = zk, the test will still work. To prove security of our Anonymous HIBE scheme, we rely on the static Assumptions 1,2 and 3. Foraprobabilisticpolynomial-timeadversaryAwhichmakesq keyqueries, ourproofofsecurity will consist of the following sequence of q+5 games between A and a challenger C. Game : is the real Anonymous HIBE security game. Real Game : is the same as the real game except that all key queries will be answered by fresh calls Real(cid:48) to the key generation algorithm, (C will not be asked to delegate keys in a particular way). Game : is the same as Game except that A cannot ask for keys for identities which are Restricted Real(cid:48) prefixes of one of the challenge identities modulo p . We will retain this restriction in all 2 subsequent games. Game : for k from 0 to q, we define Game like Game except that the ciphertext given to k k Restricted A is semi-functional and the first k keys are semi-functional. The rest of the keys are normal. 8 Game : is the same as Game , except that the challenge ciphertext is a semi-functional encryp- Final0 q tion with C random in G (thus the ciphertext is independent from the messages provided 0 T by A). Game : is the same as Game , except that the challenge ciphertext is a semi-functional Final1 Final0 encryption with C random in G (thus the ciphertext is independent from the identity 1 p1p2p4 vectors provided by A). It is clear that in this last game, no adversary can have advantage greater than 0. We will show these games are indistinguishable in the following lemmata. 3.4.1 Indistinguishability of Game and Game Real Real(cid:48) Lemma 3.2 For any algorithm A, AdvA = AdvA . GameReal GameReal(cid:48) Proof. We note that the keys are identically distributed whether they are produced by the key delegation algorithm from a previous key or from a fresh call to the key generation algorithm. Thus, in the attacker’s view, there is no difference between these games. (cid:50) 3.4.2 Indistinguishability of Game and Game Real(cid:48) Restricted Lemma 3.3 Suppose that there exists a PPT algorithm A such that AdvA −AdvA = (cid:15). Then there exists a PPT algorithm B with advantage ≥ (cid:15) in breakingGAamsseuRemal(cid:48)ption 1G.ameRestricted 3 Proof. Suppose that A has probability (cid:15) of producing an identity vector ID = (ID ,...,ID ), 1 k that is a prefix of one of the challenge identities ID(cid:63) = (ID(cid:63),...,ID(cid:63)) modulo p . That is, there 1 j 2 exists i and j ∈ {0,1} such that that ID (cid:54)= ID(cid:63) modulo N and that p divides ID −ID(cid:63) and thus i j,i 2 i j,i a = gcd(ID −ID(cid:63) ,N) is a nontrivial factor of N. We notice that p divides a and set b = N. The i j,i 2 a following three cases are exhaustive and at least one occurs with probability at least (cid:15)/3. 1. ord(Y ) | b. 1 2. ord(Y ) (cid:45) b and ord(Y ) | b. 1 4 3. ord(Y ) (cid:45) b, ord(Y ) (cid:45) b and ord(Y ) | b. 1 4 3 Suppose case 1 has probability at least (cid:15)/3. We describe algorithm B that breaks Assumption 1. B receives (I,g ,g ,g ,A A ,B B ) and T and constructs Pk by running the Setup algorithm 1 3 4 1 2 2 3 with the only exception that B sets Y = g ,Y = g , and Y = g . Notice that B has the master 1 1 3 3 4 4 secret key Msk associated with Pk. Then B runs A on input Pk and uses knowledge of Msk to answer A’s queries. At the end of the game, for all IDs for which A has asked for the key and for ID(cid:63) ∈ {ID(cid:63),ID(cid:63)}, B computes a = gcd(ID −ID(cid:63),N). Then, if e((A A )a,B B ) is the identity 0 1 i i 1 2 2 3 element of G then B tests if e(Tb,A A ) is the identity element of G . If this second test is T 1 2 T successful, then B declares T ∈ G . If it is not, B declares T ∈ G . It is easy to see that if p1p3 p1p2p3 p divides a and p = ord(Y ) divides b, then B’s output is correct. 2 1 1 The other two cases are similar. Specifically, in case 2, B breaks Assumption 1 in the same way except that Pk is constructed by setting Y = g ,Y = g , and Y = g (this has the effect of 1 4 3 3 4 1 exchanging the roles of p and p ). Instead in case 3, B constructs Pk by setting Y = g ,Y = g , 1 4 1 3 3 1 and Y = g (this has the effect of exchanging the roles of p and p ). (cid:50) 4 4 1 3 9 3.4.3 Indistinguishability of Game and Game Restricted 0 Lemma 3.4 Suppose that there exists a PPT algorithm A such that AdvA −AdvA = (cid:15). GameRestricted Game0 Then there exists a PPT algorithm B with advantage (cid:15) in breaking Assumption 1. Proof. B receives (I,g ,g ,g ,A A ,B B ) and T and simulates Game or Game with 1 3 4 1 2 2 3 Restricted 0 A depending on whether T ∈ G or T ∈ G . p1p3 p1p2p3 B sets the public parameters as follows. B chooses random exponents α,a ,..., a ,b,c ∈ Z 1 (cid:96) N and sets Y = g ,Y = g ,Y = g , X = Yc,X = Yb and u = Yai for i ∈ [(cid:96)]. B sends 1 1 3 4 4 3 4 4 1 1 i 1 Pk = (N,Y ,Y ,Y ,t = X X ,u ,...,u ,Ω = e(Y ,Y )α) to A. Notice that B knows the master 1 3 4 1 4 1 (cid:96) 1 1 secret key Msk = (X ,α) associated with Pk and thus can answer all A’s queries. 1 Atsomepoint,AsendsBtwopairs,(M ,ID(cid:63) = (ID(cid:63) ,...,ID(cid:63) ))and(M ,ID(cid:63) = (ID(cid:63) ,...,ID(cid:63) )). 0 0 0,1 0,j 1 1 1,1 1,j B chooses random β ∈ {0,1} and computes the challenge ciphertext as follows: C0 = Mβ ·e(T,Y1)α, C1 = Ta1ID(cid:63)β,1+···+ajID(cid:63)β,j+b, C2 = T. We complete the proof with the following two observations. If T ∈ G , then T can be writ- p1p3 ten as Ys1Ys3. In this case (C ,C ,C ) is a normal ciphertext with randomness s = s ,Z = 1 4 0 1 2 1 Ys3a1ID(cid:63)β,1+···+ajID(cid:63)β,j+b and Z(cid:48) = Ys3. If T ∈ G , then T can be written as Ys1gs2Ys3 and this 4 4 p1p2p3 1 2 4 case(C ,C ,C )isasemi-functionalciphertextwithrandomnesss = s ,Z = Ys3a1ID(cid:63)β,1+···+ajID(cid:63)β,j+b, 0 1 2 1 4 Z(cid:48) = Ys3, γ = s and z = a ID(cid:63) +···+a ID(cid:63) +b. (cid:50) 4 2 c 1 β,1 j β,j 3.4.4 Indistinguishability of Game and Game k−1 k Lemma 3.5 Suppose there exists a PPT algorithm A such that AdvA −AdvA = (cid:15). Then, Game Game k−1 k there exists a PPT algorithm B with advantage (cid:15) in breaking Assumption 1. Proof. B receives (I,g ,g ,g ,A A ,B B ) and T and simulates Game or Game with A 1 3 4 1 2 2 3 k−1 k depending on whether T ∈ G or T ∈ G . p1p3 p1p2p3 B sets the public parameters by choosing random exponents α,a ,...,a ,b,c ∈ Z and setting 1 (cid:96) N Y = g ,Y = g ,Y = g ,X = Yc,X = Yb andu = Yai fori ∈ [(cid:96)]. B sendsthepublicparameters 1 1 3 3 4 4 4 4 1 1 i 1 Pk = (N,Y ,Y ,Y ,t = X X ,u ,...,u , Ω = e(Y ,Y )α) to A. Notice that B knows the master 1 3 4 1 4 1 (cid:96) 1 1 secret key Msk = (X ,α) associated with Pk. Let us now explain how B answers the i-th key query 1 for identity (ID ,...,ID ). i,1 i,j For i < k, B creates a semi-functional key by choosing random exponents r ,r ,f,z,w ∈ Z 1 2 N and, for i ∈ {1,2}, random w ,w ,...,w ∈ Z and setting: i,2 i,j+1 i,(cid:96) N K = Yr1 ·(B B )f, K = Yα·(B B )w(cid:16)uIDi,1···uIDi,jX (cid:17)r1Yw1,2, 1,1 1 2 3 1,2 1 2 3 1 j 1 3 E = ur1 ·(B B )w1,j+1,...,E = ur1 ·(B B )w1,(cid:96). 1,j+1 j+1 2 3 1,(cid:96) (cid:96) 2 3 and K = Yr2 ·(B B )zf, K = (B B )zw(cid:16)uIDi,1···uIDi,jX (cid:17)r2Yw2,2, 2,1 1 2 3 2,2 2 3 1 j 1 3 E = ur2 ·(B B )w2,j+1,...,E = ur2 ·(B B )w2,(cid:96). 2,j+1 j+1 2 3 2,(cid:96) (cid:96) 2 3 By writing B as gφ, we have that this is a properly distributed semi-functional key with γ = φ·f 2 2 and γ ·z = φ·w. k 10

Description:
A central authority that holds the master secret key can produce a secret . Assumption 1 We say that Assumption 1 holds for generator G if for all
See more

The list of books you might like

Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.