From 644846cbf1dd02bdda6cb3c1ae1a98406027b4c4 Mon Sep 17 00:00:00 2001 From: Fabrice Mouhartem Date: Wed, 2 May 2018 17:46:56 +0200 Subject: [PATCH] Beginning of group encryption part --- chap-GE-LWE.tex | 374 ++++++++++++++++++++++++++++++++++++++++++++++++ macros.tex | 1 + 2 files changed, 375 insertions(+) diff --git a/chap-GE-LWE.tex b/chap-GE-LWE.tex index e69de29..d3413fa 100644 --- a/chap-GE-LWE.tex +++ b/chap-GE-LWE.tex @@ -0,0 +1,374 @@ +\section{Syntax and Definitions of Group Encryption} \label{GE-model} + +We use the syntax and the security model of Kiayias, Tsiounis and Yung \cite{KTY07}. +The group encryption (\textsf{GE}) primitive involves a sender, a verifier, a group manager~(\textsf{GM}) that manages the group of receivers and an opening +authority~(\textsf{OA}) which is capable of identifying ciphertexts' recipients. + +In the syntax of \cite{KTY07}, a $\GE$ scheme is specified by the description of a +relation $R$ as well as a tuple +$\GE=\bigl(\mathsf{SETUP},\mathsf{JOIN},\langle + \mathcal{G}_r,R,\mathsf{sample}_{R} + \rangle,\mathsf{ENC},\mathsf{DEC},\mathsf{OPEN},\langle +\mathcal{P},\mathcal{V} \rangle \bigr)$ of algorithms or protocols. +In details, $\mathsf{SETUP}$ is a set of initialization procedures that all take (implicitly or explicitly) a security parameter $1^\lambda$ as input. We call them +$\mathsf{SETUP}_{\mathsf{init}}(1^\lambda)$, +$\mathsf{SETUP}_{\mathsf{GM}}(\param)$ and +$\mathsf{SETUP}_{\mathsf{OA}}(\param)$. The first one of these procedures +generates a set of public parameters $\param$ (like the KTY construction \cite{KTY07}, we rely on a common reference string even when using interaction between +provers and verifiers). The latter two procedures are used to produce key pairs +$(\pk_{\GM},\sk_{\GM})$, $(\pk_{\OA},\sk_{\OA})$ for the $\GM$ and the +$\OA$. In the following, $\param$ is incorporated in the inputs of all algorithms although we sometimes omit to explicitly write it. + +$\mathsf{JOIN}=(\mathsf{J}_{\mathsf{user}},\mathsf{J}_{\GM})$ is an interactive protocol between the $\GM$ and the prospective user. +After the execution of $\mathsf{JOIN}$, the $\GM$ stores the public key $\pk$ and its certificate $\crt_{\pk}$ in a public directory +$\mathsf{database}$. + As in \cite{KY05}, we will restrict this +protocol to have minimal interaction and consist of only two messages: the first one is the user's public key $\pk$ sent by $\mathsf{J}_{\mathsf{user}}$ to $\mathsf{J}_{\GM}$ +and the latter's response is a certificate $\crt_{\pk}$ for $\pk$ that makes the user's group membership effective. We do not require the user to prove +knowledge of his private key $\sk$ or anything else about it. In our construction, valid keys will be publicly recognizable and users will not have to prove +their validity. By avoiding proofs of knowledge of private keys, the security proof never has to +rewind the adversary to extract those private keys, which allows supporting concurrent joins as +advocated by Kiayias and Yung \cite{KY05}. If applications demand it, it is possible to add +proofs of knowledge of private keys in a modular way but our security proofs do not require +rewinding the adversary in executions of $\mathsf{JOIN}$. \\ +\indent +Algorithm $\mathsf{sample}_{R}$ allows sampling pairs $(x,w)\in R$ (made of a public value $x$ and a witness $w$) using keys $(\pk_{R},\sk_{R})$ produced by +$\mathcal{G}_r(1^\lambda)$ which samples public/secret parameters for the relation $R$. Depending on the relation, $\sk_{R}$ may be the empty string (as in the scheme \cite{KTY07} and ours which both involve publicly samplable relations). The testing procedure $R(x,w)$ uses $\pk_{R}$ to +return $1$ whenever $(x,w)\in R$. To encrypt a witness $w$ such that $(x,w) \in R$ for some public $x$, the sender fetches the pair $(\pk,\crt_{\pk})$ +from $\mathsf{database}$ and runs the randomized encryption algorithm. The latter takes as input $w$, a label $L$, the receiver's pair $(\pk,\crt_{\pk})$ as +well as public keys $\pk_{\GM}$ and $\pk_{\OA}$. Its output is a ciphertext +$\Psi \leftarrow \mathsf{ENC}(\pk_{\GM},\pk_{\OA},\pk,\crt_{\pk},w,L)$. +On input of the same elements, the certificate $\crt_{\pk}$, the ciphertext $\Psi$ and the random coins $coins_{\Psi}$ that were used to produce $\Psi$, the +non-interactive algorithm $\mathsf{PP}$ generates a proof $\pi_{\Psi}$ that there exists a certified receiver whose public key was registered in $\mathsf{database}$ and + who is able to decrypt $\Psi$ and obtain a witness $w$ such that $(x,w) \in R$. The verification algorithm $\mathcal{V}$ takes as input $\Psi$, $\pk_{\GM}$, +$\pk_{\OA}$, $\pi_{\Psi}$ and the description of $R$ and outputs $0$ or $1$. Given $\Psi$, $L$ and the receiver's private key $\sk$, the output of +$\mathsf{DEC}$ is either a witness $w$ such that $(x,w) \in R$ or a rejection symbol $\bot$. Finally, +$\mathsf{OPEN}$ takes as input a ciphertext/label pair $(\Psi,L)$ and the OA's secret key $\sk_{\OA}$ and returns a receiver's public key $\pk$.\\ +\indent +The model of \cite{KTY07} considers four properties termed correctness, message security, anonymity and soundness. +In the security definitions, stateful oracles capture the adversary's +interaction with the system. In the soundness game, the KTY model requires +that pk belongs to the language of valid public keys. Here, we are implicitly assuming that the space +of valid public keys is dense (all matrices are valid keys, as is the case in our scheme). + +In the upcoming definitions, we sometimes use the notation +\[ \langle \mathsf{output}_A |\mathsf{output}_B \rangle \allowbreak \leftarrow \langle A(\mathsf{input}_A),B(\mathsf{input}_B) \rangle (\mathsf{common\textrm{-}input}) \] +to denote the execution of a protocol between $A$ and $B$ obtaining their own outputs from their respective inputs. +\medskip + +\paragraph{Correctness.} + The correctness property +requires that the following experiment returns $1$ with overwhelming +probability. + +\begin{center} + \procedure{Experiment $\Expt^{\mathrm{correctness}}(\lambda)$}{ + \mathsf{param} \leftarrow + \mathsf{SETUP}_{\mathsf{init}}(1^\lambda); (\pk_{R},\sk_{R}) + \gets \mathcal{G}_r (\lambda); (x,w) \leftarrow \mathsf{sample}_{R} + (\pk_{R},\sk_{R}); \\ + (\pk_{\GM},\sk_{\GM}) \leftarrow \mathsf{SETUP}_{\GM}(\mathsf{param}); (\pk_{\OA},\sk_{\OA}) \leftarrow \mathsf{SETUP}_{\OA}(\mathsf{param}); \\ + \langle \pk,\sk,\crt_{\pk} | \pk,\crt_{\pk} \rangle \leftarrow \langle \mathsf{J}_{\mathsf{user}},\mathsf{J}_{\GM}(\sk_{\GM}) \rangle (\pk_{\GM}); \\ + \Psi \leftarrow + \mathsf{ENC}(\pk_{\GM},\pk_{\OA},\pk,\crt_{\pk},w,L);\\ + \pi_{\Psi} \leftarrow \mathcal{P}(\pk_{\GM},\pk_{\OA},\pk,\crt,w,L,\Psi,coins_{\Psi}); \\ + \pcif \bigl( (w \neq \mathsf{DEC}(\sk,\Psi,L)) \vee ( \pk \neq + \mathsf{OPEN}(\sk_{\OA},\Psi,L )) \\ \quad \qquad \vee (\mathcal{V}(\Psi,L,\pi_{\Psi},\pk_{\GM},\pk_{\OA})=0) + \bigr) \pcthen\\ + \pcind \pcreturn 0\\ + \pcelse\\ + \pcind \pcreturn 1; + } +\end{center} + +\paragraph{Message Secrecy.} +The message secrecy property is defined by an experiment where the adversary has access to oracles +that may be stateful (and maintain a state across queries) or +stateless: +%These oracles are the following: +\begin{itemize} +\item[-] $\mathsf{DEC}(\sk)$: is a stateless oracle for the user decryption function +$\mathsf{DEC}$. When this oracle is restricted not to decrypt a + ciphertext-label pair $(\Psi,L)$, we denote it by +$\mathsf{DEC}^{\neg \langle \Psi, L \rangle}$. +\item[-] $\mathsf{CH}_{\mathsf{ror}}^b(\lambda,\pk,w,L)$: is a + real-or-random challenge oracle which is called \textit{once}. It +returns $(\Psi,coins_{\Psi})$ such that $\Psi \leftarrow +\mathsf{ENC}(\pk_{\GM},\pk_{\OA},\pk,\crt_{\pk},w,L)$ if $b=1$ +whereas, if $b=0$, $\Psi \leftarrow +\mathsf{ENC}(\pk_{\GM},\pk_{\OA},\pk,\crt_{\pk},w',L)$ encrypts a +random plaintext of +length $O(\lambda)$ uniformly sampled in the plaintext space. In both cases, $coins_{\Psi}$ denote the random +coins used to generate $\Psi$. +\item[-] +$\mathsf{PROVE}_{\mathsf{PP},\mathsf{PP}'}^b(\pk_{\GM},\pk_{\OA},\pk,\crt_{\pk},\pk_{R},x,w,\Psi,L,coins_{\Psi})$: +is a stateful oracle that can be invoked a polynomial number times. If $b=1$, it replies by running the real prover $\mathsf{PP}$ on the inputs to +create an actual proof $\pi_{\Psi}$. If $b=0$, the oracle runs a +simulator $\mathsf{PP}'$ that uses the same inputs as $\mathsf{PP}$ except witness +$w,coins_{\Psi}$ and generates a simulated proof. +\end{itemize} +These oracles are used in an experiment where the adversary controls +the $\GM$, the $\OA$ and all members except the honest receiver. The +adversary $\adv$ embodies the dishonest $\GM$ that certifies the honest +receiver in an execution of $\mathsf{JOIN}$. It is granted access to an oracle $\mathsf{DEC}$ which decrypts on behalf of that receiver. In the +challenge phase, it transmits a state information $\mathsf{aux}$ to itself and invokes the challenge oracle for a label and a +pair $(x,w) \in R$ of its choice. After the challenge phase, it +can also query the $\mathsf{PROVE}$ oracle many times +and finally attempts to guess the challenger's bit $b$.\\ +\indent As pointed out in \cite{KTY07,CLY09}, designing an efficient +simulator $\mathsf{PP}'$ (for executing $\mathsf{PROVE}_{\mathsf{PP},\mathsf{PP}'}^b(.)$ +when $b=0$) is part of the security proof. +\begin{definition} \label{security-def} + A $\GE$ scheme satisfies \textit{message security} +if, for any PPT adversary $\adv$, the experiment below returns $1$ +with probability at most $1/2 + \mathsf{negl}(\lambda)$. + +\begin{center} +\procedure{Experiment $\Expt_{\adv}^{\mathrm{sec}}(\lambda)$}{ + \param \leftarrow \mathsf{SETUP}_{\mathsf{init}}(1^\lambda); (\mathsf{aux},\pk_{\GM},\pk_{\OA}) \leftarrow \adv(\param); \\ + \langle \pk,\sk,\crt_{\pk} | \mathsf{aux} \rangle + \leftarrow \langle \mathsf{J}_{\mathsf{user}},\adv(\mathsf{aux}) \rangle + (\pk_{\GM}); \\ + (\mathsf{aux},x,w,L,\pk_{R}) \leftarrow + \adv^{\mathsf{DEC}(\sk,.)}(\mathsf{aux});\\ + \pcif (x,w) \not\in R \pcthen\\ + \pcind\pcreturn 0;\\ + b\sample \{0,1\}; ( \Psi,coins_{\Psi} ) \leftarrow \mathsf{CH}_{\mathsf{ror}}^b(\lambda,\pk,w,L) ; \\ + b' \leftarrow + \adv^{\mathsf{PROVE}_{\mathsf{PP},\mathsf{PP}'}^b(\pk_{\GM},\pk_{\OA},\pk,\crt_{\pk},\pk_{R},x,w,\Psi,L,coins_{\Psi}),\mathsf{DEC}^{\neg + \langle \Psi, L \rangle}(\sk,.)}(\mathsf{aux},\Psi) ; \\ + \pcif b=b' \pcthen\\ \pcind\pcreturn 1 \\\pcelse\\ \pcind \pcreturn 0; +} +\end{center} +\end{definition} + +\paragraph{Anonymity.} +In the experiment modeling the anonymity property, the adversary +controls the entire system except the opening authority and two well-behaved users. + The challenger thus introduces two honest users' public keys $\pk_0,\pk_1$ in $\mathsf{database}$ and thus obtains certificate for both $\pk_0,\pk_1$ from the adversarially-controlled $\GM$. + For a pair $(x,w) \in R$ of its choice, the adversary obtains an encryption of $w$ under $\pk_b$ for some $b\in \bit$ chosen by the challenger. + The adversary is provided with decryption oracles w.r.t. both keys $\pk_0,\pk_1$. In addition, it has the following oracles at disposal: +\begin{itemize} +\item[-] $\mathsf{CH}_{\mathsf{anon}}^b(\pk_{\GM},\pk_{\OA},\pk_0,\pk_1,w,L)$: is a + challenge oracle that is only queried once by the adversary. It +returns a pair $(\Psi,coins_{\Psi})$ consisting of a ciphertext +$\Psi \leftarrow +\mathsf{ENC}(\pk_{\GM},\pk_{\OA},\pk_b,\crt_{\pk_b},w,L)$ and the +coin tosses $coins_{\Psi}$ that were used to generate $\Psi$. +\item[-] +$\mathsf{USER}(\pk_{\GM})$: is a stateful oracle that obtains certificates from the adversary by simulating two +executions of $\mathsf{J}_{\mathsf{user}}$ to introduce two honest users +in the group. It uses a string $\mathsf{keys}$ where the outputs $(\pk_0,\sk_0,\crt_{\pk_0})$, $(\pk_1,\sk_1,\crt_{\pk_1})$ of honest users + are written as long as the adversarially-supplied certificates $\{\crt_{\pk_d}\}_{d=0}^1$ are valid w.r.t. $\pk_{\GM}$ (i.e., invalid certificates are ignored +by the oracle and no entry is introduced in $\mathsf{keys}$ for them). +\item[-] +$\mathsf{OPEN}(\sk_{\OA},.)$: is a stateless oracle that simulates +the opening algorithm and, on input of a $\GE$ +ciphertext, returns the receiver's public key. +\end{itemize} + + The reason why +the $\mathsf{USER}$ oracle is needed is that both honest users' public keys $\pk_0, \pk_1$ must have been properly +certified by the adversarially-controlled $\mathsf{GM}$ before the challenge phase because the adversary subsequently obtains +proofs generated using $(\pk_b,\crt_{\pk_b})$. + +\begin{definition} \label{anonymity-def} + A $\GE$ scheme satisfies \textit{anonymity} if, for any PPT adversary $\adv$, the experiment below returns $1$ +with a probability not exceeding $1/2 + \mathsf{negl}(\lambda)$. +\begin{center} + \procedure{Experiment $\Expt_{\adv}^{\mathrm{anon}}(\lambda)$}{ + \param \leftarrow + \mathsf{SETUP}_{\mathsf{init}}(1^\lambda); (\pk_{\OA},\sk_{\OA}) + \leftarrow \mathsf{SETUP}_{\mathsf{OA}}( \param); \\ + (\mathsf{aux},\pk_{\GM}) \leftarrow \adv(\param,\pk_{\OA}); + \mathsf{aux} \leftarrow + \adv^{\mathsf{USER}(\pk_{\GM}),\mathsf{OPEN}(\sk_{\OA},.)} + (\mathsf{aux}) ; \\ + \pcif \mathsf{keys} \neq (\pk_0,\sk_0,\crt_{\pk_0},\pk_1,\sk_1,\crt_{\pk_1})(\mathsf{aux}) \pcthen\\ + \pcreturn 0;\\ + (\mathsf{aux},x,w,L,\pk_{R}) \leftarrow + \adv^{\mathsf{OPEN}(\sk_{\OA},.), + \mathsf{DEC}(\sk_0,.),\mathsf{DEC}(\sk_1,.)}(\mathsf{aux}); \\ + \pcif (x,w) \not\in R \pcthen\\ + \pcind \pcreturn 0; \\ + b\sample \{0,1\}; ( \Psi,coins_{\Psi} ) \leftarrow \mathsf{CH}_{\mathsf{anon}}^b(\pk_{\GM},\pk_{\OA},\pk_0,\pk_1,w,L) ; \\ + b' \leftarrow + \adv^{\mathcal{P}(\pk_{\GM},\pk_{\OA},\pk_b,\crt_{\pk_b},x,w,\Psi,L,coins_{\Psi},} + \\ ^{\mathsf{OPEN}^{\neg \langle \Psi,L \rangle + }(\sk_{\OA},.),\mathsf{DEC}^{\neg \langle \Psi, L + \rangle}(\sk_0,.),\mathsf{DEC}^{\neg + \langle \Psi, L \rangle}(\sk_1,.))}(\mathsf{aux},\Psi) ; \\ + \pcif b=b' \pcthen\\ + \pcind \pcreturn 1\\ + \pcelse\\ + \pcind \pcreturn 0; + } +\end{center} +\end{definition} + +\paragraph{Soundness.} +Here, the adversary creates the group of receivers by interacting with the honest GM. +Its goal is to produce a ciphertext $\Psi$ and a convincing proof +that $\Psi$ is valid w.r.t. a relation $R$ of its choice but +either: (1) The opening of $\Psi$ reveals a receiver's public key $\pk$ that +does not belong to any group member; (2) The output $\pk$ of +$\mathsf{OPEN}$ is not a valid public key (\textit{i.e.}, $\pk \not\in +\mathcal{PK}$, where $\mathcal{PK}$ is the language of valid public keys); (3) The ciphertext $C$ is not in the space +$\mathcal{C}^{x,L,\pk_{R},\pk_{\GM},\pk_{\OA},\pk}$ of valid +ciphertexts. This notion is formalized by a game where the adversary +is given access to a user registration oracle +$\mathsf{REG}(\sk_{\GM},.)$ that simulates $\mathsf{J}_{\GM}$. This oracle +maintains a list $\mathsf{database}$ where registered public keys and +their certificates are stored. + +\begin{definition} \label{soundness-def} + A $\GE$ scheme is \textit{sound} if, for any PPT adversary $\adv$, the experiment below returns $1$ + with negligible probability. + \begin{center} + \procedure{Experiment $\Expt_{\adv}^{\mathrm{soundness}}(\lambda)$}{ + \param \leftarrow + \mathsf{SETUP}_{\mathsf{init}}(1^\lambda); (\pk_{\OA},\sk_{\OA}) + \leftarrow \mathsf{SETUP}_{\OA}( \param); \\ + (\pk_{\GM},\sk_{\GM}) \leftarrow \mathsf{SETUP}_{\GM}( \param); \\ + (\pk_{R},x,\Psi,\pi_{\Psi},L,\mathsf{aux}) \leftarrow + \adv^{\mathsf{REG}(\sk_{\GM},.)}(\param,\pk_{\GM},\pk_{\OA},\sk_{\OA}); + \\ + \pcif \mathcal{V}( \Psi,L,\pi_{\Psi},\pk_{\GM},\pk_{\OA})=0 \pcthen\\ + \pcind \pcreturn 0; \\ + \pk \leftarrow \mathsf{OPEN}(\sk_{\OA},\Psi,L); \\ + \pcif \big( (\pk \not\in \mathsf{database} ) \vee (\pk \not \in \mathcal{PK}) + \vee (\Psi \not \in + \mathcal{C}^{x,L,\pk_{R},\pk_{\GM},\pk_{\OA},\pk}) \big)\pcthen\\ + \pcind \pcreturn 1\\ + \pcelse \\ + \pcind \pcreturn 0; + } + \end{center} +\end{definition} + +The model of Kiayias \textit{et al.} \cite{KTY07} requires +that $\pk$ belongs to the language of valid public keys, so that the adversary is considered to defeat the soundness property when +$(\Psi,L)$ opens to a key outside the language (i.e., +$\pk \not \in \mathcal{PK}$). In our scheme, we will assume that the space +of valid public keys is dense in that all matrices of a given dimension are valid public keys, which have an underlying private key. + We nevertheless use the same definition as \cite{KTY07} in order to emphasize that we are not relaxing the model in any way. + + + + + + + + + + + +\section{Building Blocks} + + + + +\subsection{The Agrawal-Boneh-Boyen IBE Scheme} \label{ap:ABB-IBE} + +\subsubsection{Identity-Based Encryption.} \label{ap:IBE} + +An IBE scheme is a tuple of efficient algorithms $(\mathsf{Setup}, \mathsf{Extract}_\mathsf{PP}, \mathsf{Encrypt}_\mathsf{PP},$ $\mathsf{Decrypt}_\mathsf{PP})$ such that +\begin{description} + \item[\textsf{Setup}$(1^\lambda)$:] On security parameter $\lambda$, this algorithm outputs public parameters $\mathsf{PP}$ and a master secret key $\textsf{msk}$. + \item[\textsf{Extract}$_\mathsf{PP}(\textsf{msk}, \ID)$:] Takes as input a master secret key $\textsf{msk}$ and an identity $\ID$ and outputs a secret key $\sk_\ID$. + \item[\textsf{Encrypt}$_\mathsf{PP}(\ID, M)$:] Given an identity $\ID$ and a message $M$, it outputs a ciphertext $C$. + \item[\textsf{Decrypt}$_\mathsf{PP}(\sk_\ID, C)$:] Given a secret key $\sk_\ID$ and a ciphertext $C$, outputs either a decryption error symbol $\bot$, or a message $M$. +\end{description} + +\noindent Correctness requires that, for any pair $(\mathsf{PP}, \textsf{msk}) \gets \Setup(1^\lambda)$, any $\ID$ and any message $M$, we have +$\mathsf{Decrypt}_\mathsf{PP}\bigl(\textsf{Extract}_\mathsf{PP}(\textsf{msk}, \ID), \mathsf{Encrypt}_\mathsf{PP}(\ID, M)\bigr) = M.$ +Our proofs rely on the semantic security of the scheme against selective adversaries (\textsf{IND-sID-CPA}) +but also on the stronger property of ciphertext pseudo-randomness. %in Lemma~\ref{ABB-deux}. +Informally, this notions demands that the adversary be unable to distinguish an +encryption of a message of its choice from a random element of the ciphertext space $\mathcal{C}$. Notice that this property implies \textsf{IND-sID-CPA} security. + +\begin{definition} + \label{de:pseudorand-cipher} + An IBE scheme has pseudo-random-ciphertexts if no PPT adversary $\adv$ with access to private key extraction oracle \textsf{Extract$_\mathsf{PP}(\textsf{msk}, \cdot)$} has non-negligible advantage + $ \advantage{\mathrm{ROR}}{\adv}{\lambda} = | \Pr\bigl[ \mathbf{Expt}_{\adv}^\mathrm{ROR} = 1 \bigr] - \frac 1 2 | $ in the game described in Figure~\ref{fig:expt-ror} + + \begin{figure} + \centering + \procedure{Experiment $\Expt^{\mathrm{ROR}}_{\adv}(\lambda)$}{ + \ID^\star \gets \adv(\textsf{id}, \lambda); (\mathsf{PP}, \textsf{msk}) \gets \mathsf{Setup}(1^\lambda);~\\ + M \gets \adv^{\mathsf{Extract}_\mathsf{PP}(\textsf{msk}, \cdot)}_\textsf{Ch}(\mathsf{PP});\\ + b \sample U(\bit);\\ + \pcif b = 1 \pcthen\\ + \pcind C^\star \gets \mathsf{Encrypt}_\mathsf{PP}(M, \ID^\star) \\ + \pcelse\\ + \pcind C^\star \gets U(\mathcal{C});\\ + b' \gets \adv^{\mathsf{Extract}_\mathsf{PP}(\textsf{msk}, \cdot)}(\textsf{guess},C^\star);\\ + \pcif b = b' \pcthen\\ + \pcind \pcreturn 1\\ + \pcelse \\ + \pcind \pcreturn 0 + } + \caption{Security experiment for the pseudo-random-ciphertext property for an IBE} + \label{fig:expt-ror} + \end{figure} +\end{definition} + + +\subsubsection{The ABB System.} \label{ap:ABB-desc} + + Agrawal, Boneh and Boyen described~\cite{ABB10} a compact IBE scheme in the standard model which allows encrypting multi-bit messages. +%In +%the description hereunder, algorithms \textsf{Extract}, \textsf{Encrypt} and \textsf{Decrypt} have implicit access to the public param +%eters $\mathsf{PP}$ defined in the \textsf{Setup} algorithm. + +\begin{description} + \item[\textsf{Setup}$(1^\lambda)$:] Given a security parameter $\lambda$, choose parameters + $q, n, \sigma, \alpha$ and define $k =\lfloor \log q \rfloor$, $\bar{m}= nk$, $m = 2 \bar{m}$ and choose a noise distribution $\chi$ for $\LWE$. + \begin{enumerate} + \item Compute $(\bar{\mathbf A}, \mathbf{T}_{\bar{\mathbf{A}}}) \gets \TrapGen(1^n, 1^m, q)$. + \item Define $\mathbf{G} = \mathbf{I}_n \otimes [1|2|\ldots |2^{k-1}] \in \ZZ_q^{n \times \bar{m}}$. Sample matrices $\mathbf B \sample U(\ZZ_q^{ n \times \bar{m}}) $, + $ \mathbf U \sample U(\Zq^{n \times m})$. + \item Let $\mathsf{FRD}: \Zq^n \to \Zq^{n \times n}$ be the full-rank difference mapping from~\cite{ABB10}. + \end{enumerate} Output + $ + \mathsf{PP}= \bigl(\bar{\mathbf A}, \mathbf B, \mathbf U \bigr)$ and $\textsf{msk} = \mathbf{T}_{\bar{\mathbf A}}$. + + \item[\textsf{Extract}$_\mathsf{PP}(\textsf{msk}, \ID)$:] Given $\textsf{msk} = \mathbf{T}_{\bar{\mathbf A}}$ and an identity $\ID \in \Zq^n$, do as follows: \smallskip + \begin{enumerate} + \item Define the matrix $\mathbf B_\ID = \mathbf B + \mathsf{FRD}(\ID) \cdot \mathbf G \in \Zq^{n \times \bar{m}}$. +%\item Use $\mathbf T_A$ to compute a delegated basis $\mathbf T_\ID$ for the dual lattice of the matrix $\mathbf B_{\mathbf A, \ID} = \left[ \mathbf A \mid \mathbf B_\ID \right]$. + \item Let $\mathbf B_{\mathbf A, \ID} = \left[ \mathbf A \mid \mathbf B_\ID \right] \in \ZZ_q^{n \times (m + \bar{m})}$, use $\mathbf T_A$ to compute a delegated basis $\mathbf T_\ID$ for the lattice $\Lambda^\perp(\mathbf B_{\mathbf A, \ID})$. + \item Use $\mathbf T_\ID$ to sample a small-norm matrix $\mathbf E_\ID \in \ZZ^{(m+ \bar{m}) \times m}$ satisfying the equality $\mathbf B_{\mathbf A, \ID} \cdot \mathbf E_\ID = \mathbf U \bmod q$. + \item Output $\sk_\ID = \mathbf E_\ID \in \ZZ^{(m+ \bar{m}) \times m}$. \smallskip \smallskip + \end{enumerate} + \item[\textsf{Encrypt}$_\mathsf{PP}(\ID,\mathbf m)$:] Given an identity $\ID$ and a message $\mathbf m \in \bit^m$, \smallskip + \begin{enumerate} + \item Compute the matrix $\mathbf B_\ID = \mathbf B + \mathsf{FRD}(\ID) \cdot \mathbf G \in \Zq^{n \times \bar{m}}$. + Sample vectors $\mathbf s \sample U(\Zq^n), \mathbf x, \mathbf y \sample \chi^m$, $\mathbf R \sample D_{\ZZ,\sigma}^{m \times \bar{m}}$ and compute + $\mathbf z = \mathbf R^\top \cdot \mathbf y \in \ZZ^m$. + \item Compute + \begin{equation} \label{eq:ABB-c} + \begin{cases} + \mathbf c^{(1)} = \bar{\mathbf A}^\top \cdot \mathbf s + \mathbf y \bmod q,\\ + \mathbf c^{(2)} = \mathbf B_\ID^\top \cdot \mathbf s + \mathbf z \bmod q,\\ + \mathbf c^{(3)} = \mathbf U^\top \cdot \mathbf s + \mathbf x + \mathbf m \cdot \left\lfloor \dfrac{q}{2} \right\rfloor. + \end{cases} + \end{equation} + \item Output $\mathbf c = \bigl(\mathbf c^{(1)},\mathbf c^{(2)},\mathbf c^{(3)}\bigr) \in \ZZ_q^m \times \ZZ_q^{\bar{m}} \times \ZZ_q^m$. \smallskip \smallskip + \end{enumerate} + \item[\textsf{Decrypt}$_\mathsf{PP}(\sk_\ID, \mathbf c)$:] Given $\sk_\ID = \mathbf E_\ID$ and $\mathbf c=\bigl(\mathbf c^{(1)},\mathbf c^{(2)},\mathbf c^{(3)}\bigr) \in \ZZ_q^m \times \ZZ_q^{\bar{m}} \times \ZZ_q^m$, compute and output + % \begin{equation} \label{eq:ABB-dec} + $ \mathbf m' = \left\lfloor \left( \mathbf c^{(3)} - \mathbf E_\ID \cdot \begin{bmatrix} \mathbf c^{(1)} \\ \mathbf c^{(2)} \end{bmatrix} \right) \cdot \left\lfloor \dfrac{q}{2} \right\rfloor^{-1} \right\rceil \in \bit^m .$ + % \end{equation} +\end{description} + \smallskip + + + +\begin{theorem}[{\cite[Th. 23]{ABB10}}] \label{ABB-pseudorand-prop} + The ABB IBE scheme has pseudo-random ciphertexts if the $\LWE_{n,q,\chi}$ assumption holds. +\end{theorem} + + +%************************************************** + diff --git a/macros.tex b/macros.tex index af12d67..57319e6 100644 --- a/macros.tex +++ b/macros.tex @@ -19,6 +19,7 @@ \newcommand{\QANIZK}{\textsf{QA-NIZK}\xspace} \newcommand{\PKE}{\textsf{PKE}\xspace} \newcommand{\OT}{\textsf{OT}\xspace} +\newcommand{\GE}{\textsf{GE}\xspace} %% Common \newcommand{\Setup}{\ensuremath{\mathsf{Setup}}\xspace} \newcommand{\Keygen}{\ensuremath{\mathsf{Keygen}}\xspace}