375 lines
23 KiB
TeX
375 lines
23 KiB
TeX
\section{Syntax and Definitions of Group Encryption} \label{GE-model}
|
|
|
|
We use the syntax and the security model of Kiayias, Tsiounis and Yung \cite{KTY07}.
|
|
The group encryption (\textsf{GE}) primitive involves a sender, a verifier, a group manager~(\textsf{GM}) that manages the group of receivers and an opening
|
|
authority~(\textsf{OA}) which is capable of identifying ciphertexts' recipients.
|
|
|
|
In the syntax of \cite{KTY07}, a $\GE$ scheme is specified by the description of a
|
|
relation $R$ as well as a tuple
|
|
$\GE=\bigl(\mathsf{SETUP},\mathsf{JOIN},\langle
|
|
\mathcal{G}_r,R,\mathsf{sample}_{R}
|
|
\rangle,\mathsf{ENC},\mathsf{DEC},\mathsf{OPEN},\langle
|
|
\mathcal{P},\mathcal{V} \rangle \bigr)$ of algorithms or protocols.
|
|
In details, $\mathsf{SETUP}$ is a set of initialization procedures that all take (implicitly or explicitly) a security parameter $1^\lambda$ as input. We call them
|
|
$\mathsf{SETUP}_{\mathsf{init}}(1^\lambda)$,
|
|
$\mathsf{SETUP}_{\mathsf{GM}}(\param)$ and
|
|
$\mathsf{SETUP}_{\mathsf{OA}}(\param)$. The first one of these procedures
|
|
generates a set of public parameters $\param$ (like the KTY construction \cite{KTY07}, we rely on a common reference string even when using interaction between
|
|
provers and verifiers). The latter two procedures are used to produce key pairs
|
|
$(\pk_{\GM},\sk_{\GM})$, $(\pk_{\OA},\sk_{\OA})$ for the $\GM$ and the
|
|
$\OA$. In the following, $\param$ is incorporated in the inputs of all algorithms although we sometimes omit to explicitly write it.
|
|
|
|
$\mathsf{JOIN}=(\mathsf{J}_{\mathsf{user}},\mathsf{J}_{\GM})$ is an interactive protocol between the $\GM$ and the prospective user.
|
|
After the execution of $\mathsf{JOIN}$, the $\GM$ stores the public key $\pk$ and its certificate $\crt_{\pk}$ in a public directory
|
|
$\mathsf{database}$.
|
|
As in \cite{KY05}, we will restrict this
|
|
protocol to have minimal interaction and consist of only two messages: the first one is the user's public key $\pk$ sent by $\mathsf{J}_{\mathsf{user}}$ to $\mathsf{J}_{\GM}$
|
|
and the latter's response is a certificate $\crt_{\pk}$ for $\pk$ that makes the user's group membership effective. We do not require the user to prove
|
|
knowledge of his private key $\sk$ or anything else about it. In our construction, valid keys will be publicly recognizable and users will not have to prove
|
|
their validity. By avoiding proofs of knowledge of private keys, the security proof never has to
|
|
rewind the adversary to extract those private keys, which allows supporting concurrent joins as
|
|
advocated by Kiayias and Yung \cite{KY05}. If applications demand it, it is possible to add
|
|
proofs of knowledge of private keys in a modular way but our security proofs do not require
|
|
rewinding the adversary in executions of $\mathsf{JOIN}$. \\
|
|
\indent
|
|
Algorithm $\mathsf{sample}_{R}$ allows sampling pairs $(x,w)\in R$ (made of a public value $x$ and a witness $w$) using keys $(\pk_{R},\sk_{R})$ produced by
|
|
$\mathcal{G}_r(1^\lambda)$ which samples public/secret parameters for the relation $R$. Depending on the relation, $\sk_{R}$ may be the empty string (as in the scheme \cite{KTY07} and ours which both involve publicly samplable relations). The testing procedure $R(x,w)$ uses $\pk_{R}$ to
|
|
return $1$ whenever $(x,w)\in R$. To encrypt a witness $w$ such that $(x,w) \in R$ for some public $x$, the sender fetches the pair $(\pk,\crt_{\pk})$
|
|
from $\mathsf{database}$ and runs the randomized encryption algorithm. The latter takes as input $w$, a label $L$, the receiver's pair $(\pk,\crt_{\pk})$ as
|
|
well as public keys $\pk_{\GM}$ and $\pk_{\OA}$. Its output is a ciphertext
|
|
$\Psi \leftarrow \mathsf{ENC}(\pk_{\GM},\pk_{\OA},\pk,\crt_{\pk},w,L)$.
|
|
On input of the same elements, the certificate $\crt_{\pk}$, the ciphertext $\Psi$ and the random coins $coins_{\Psi}$ that were used to produce $\Psi$, the
|
|
non-interactive algorithm $\mathsf{PP}$ generates a proof $\pi_{\Psi}$ that there exists a certified receiver whose public key was registered in $\mathsf{database}$ and
|
|
who is able to decrypt $\Psi$ and obtain a witness $w$ such that $(x,w) \in R$. The verification algorithm $\mathcal{V}$ takes as input $\Psi$, $\pk_{\GM}$,
|
|
$\pk_{\OA}$, $\pi_{\Psi}$ and the description of $R$ and outputs $0$ or $1$. Given $\Psi$, $L$ and the receiver's private key $\sk$, the output of
|
|
$\mathsf{DEC}$ is either a witness $w$ such that $(x,w) \in R$ or a rejection symbol $\bot$. Finally,
|
|
$\mathsf{OPEN}$ takes as input a ciphertext/label pair $(\Psi,L)$ and the OA's secret key $\sk_{\OA}$ and returns a receiver's public key $\pk$.\\
|
|
\indent
|
|
The model of \cite{KTY07} considers four properties termed correctness, message security, anonymity and soundness.
|
|
In the security definitions, stateful oracles capture the adversary's
|
|
interaction with the system. In the soundness game, the KTY model requires
|
|
that pk belongs to the language of valid public keys. Here, we are implicitly assuming that the space
|
|
of valid public keys is dense (all matrices are valid keys, as is the case in our scheme).
|
|
|
|
In the upcoming definitions, we sometimes use the notation
|
|
\[ \langle \mathsf{output}_A |\mathsf{output}_B \rangle \allowbreak \leftarrow \langle A(\mathsf{input}_A),B(\mathsf{input}_B) \rangle (\mathsf{common\textrm{-}input}) \]
|
|
to denote the execution of a protocol between $A$ and $B$ obtaining their own outputs from their respective inputs.
|
|
\medskip
|
|
|
|
\paragraph{Correctness.}
|
|
The correctness property
|
|
requires that the following experiment returns $1$ with overwhelming
|
|
probability.
|
|
|
|
\begin{center}
|
|
\procedure{Experiment $\Expt^{\mathrm{correctness}}(\lambda)$}{
|
|
\mathsf{param} \leftarrow
|
|
\mathsf{SETUP}_{\mathsf{init}}(1^\lambda); (\pk_{R},\sk_{R})
|
|
\gets \mathcal{G}_r (\lambda); (x,w) \leftarrow \mathsf{sample}_{R}
|
|
(\pk_{R},\sk_{R}); \\
|
|
(\pk_{\GM},\sk_{\GM}) \leftarrow \mathsf{SETUP}_{\GM}(\mathsf{param}); (\pk_{\OA},\sk_{\OA}) \leftarrow \mathsf{SETUP}_{\OA}(\mathsf{param}); \\
|
|
\langle \pk,\sk,\crt_{\pk} | \pk,\crt_{\pk} \rangle \leftarrow \langle \mathsf{J}_{\mathsf{user}},\mathsf{J}_{\GM}(\sk_{\GM}) \rangle (\pk_{\GM}); \\
|
|
\Psi \leftarrow
|
|
\mathsf{ENC}(\pk_{\GM},\pk_{\OA},\pk,\crt_{\pk},w,L);\\
|
|
\pi_{\Psi} \leftarrow \mathcal{P}(\pk_{\GM},\pk_{\OA},\pk,\crt,w,L,\Psi,coins_{\Psi}); \\
|
|
\pcif \bigl( (w \neq \mathsf{DEC}(\sk,\Psi,L)) \vee ( \pk \neq
|
|
\mathsf{OPEN}(\sk_{\OA},\Psi,L )) \\ \quad \qquad \vee (\mathcal{V}(\Psi,L,\pi_{\Psi},\pk_{\GM},\pk_{\OA})=0)
|
|
\bigr) \pcthen\\
|
|
\pcind \pcreturn 0\\
|
|
\pcelse\\
|
|
\pcind \pcreturn 1;
|
|
}
|
|
\end{center}
|
|
|
|
\paragraph{Message Secrecy.}
|
|
The message secrecy property is defined by an experiment where the adversary has access to oracles
|
|
that may be stateful (and maintain a state across queries) or
|
|
stateless:
|
|
%These oracles are the following:
|
|
\begin{itemize}
|
|
\item[-] $\mathsf{DEC}(\sk)$: is a stateless oracle for the user decryption function
|
|
$\mathsf{DEC}$. When this oracle is restricted not to decrypt a
|
|
ciphertext-label pair $(\Psi,L)$, we denote it by
|
|
$\mathsf{DEC}^{\neg \langle \Psi, L \rangle}$.
|
|
\item[-] $\mathsf{CH}_{\mathsf{ror}}^b(\lambda,\pk,w,L)$: is a
|
|
real-or-random challenge oracle which is called \textit{once}. It
|
|
returns $(\Psi,coins_{\Psi})$ such that $\Psi \leftarrow
|
|
\mathsf{ENC}(\pk_{\GM},\pk_{\OA},\pk,\crt_{\pk},w,L)$ if $b=1$
|
|
whereas, if $b=0$, $\Psi \leftarrow
|
|
\mathsf{ENC}(\pk_{\GM},\pk_{\OA},\pk,\crt_{\pk},w',L)$ encrypts a
|
|
random plaintext of
|
|
length $O(\lambda)$ uniformly sampled in the plaintext space. In both cases, $coins_{\Psi}$ denote the random
|
|
coins used to generate $\Psi$.
|
|
\item[-]
|
|
$\mathsf{PROVE}_{\mathsf{PP},\mathsf{PP}'}^b(\pk_{\GM},\pk_{\OA},\pk,\crt_{\pk},\pk_{R},x,w,\Psi,L,coins_{\Psi})$:
|
|
is a stateful oracle that can be invoked a polynomial number times. If $b=1$, it replies by running the real prover $\mathsf{PP}$ on the inputs to
|
|
create an actual proof $\pi_{\Psi}$. If $b=0$, the oracle runs a
|
|
simulator $\mathsf{PP}'$ that uses the same inputs as $\mathsf{PP}$ except witness
|
|
$w,coins_{\Psi}$ and generates a simulated proof.
|
|
\end{itemize}
|
|
These oracles are used in an experiment where the adversary controls
|
|
the $\GM$, the $\OA$ and all members except the honest receiver. The
|
|
adversary $\adv$ embodies the dishonest $\GM$ that certifies the honest
|
|
receiver in an execution of $\mathsf{JOIN}$. It is granted access to an oracle $\mathsf{DEC}$ which decrypts on behalf of that receiver. In the
|
|
challenge phase, it transmits a state information $\mathsf{aux}$ to itself and invokes the challenge oracle for a label and a
|
|
pair $(x,w) \in R$ of its choice. After the challenge phase, it
|
|
can also query the $\mathsf{PROVE}$ oracle many times
|
|
and finally attempts to guess the challenger's bit $b$.\\
|
|
\indent As pointed out in \cite{KTY07,CLY09}, designing an efficient
|
|
simulator $\mathsf{PP}'$ (for executing $\mathsf{PROVE}_{\mathsf{PP},\mathsf{PP}'}^b(.)$
|
|
when $b=0$) is part of the security proof.
|
|
\begin{definition} \label{security-def}
|
|
A $\GE$ scheme satisfies \textit{message security}
|
|
if, for any PPT adversary $\adv$, the experiment below returns $1$
|
|
with probability at most $1/2 + \mathsf{negl}(\lambda)$.
|
|
|
|
\begin{center}
|
|
\procedure{Experiment $\Expt_{\adv}^{\mathrm{sec}}(\lambda)$}{
|
|
\param \leftarrow \mathsf{SETUP}_{\mathsf{init}}(1^\lambda); (\mathsf{aux},\pk_{\GM},\pk_{\OA}) \leftarrow \adv(\param); \\
|
|
\langle \pk,\sk,\crt_{\pk} | \mathsf{aux} \rangle
|
|
\leftarrow \langle \mathsf{J}_{\mathsf{user}},\adv(\mathsf{aux}) \rangle
|
|
(\pk_{\GM}); \\
|
|
(\mathsf{aux},x,w,L,\pk_{R}) \leftarrow
|
|
\adv^{\mathsf{DEC}(\sk,.)}(\mathsf{aux});\\
|
|
\pcif (x,w) \not\in R \pcthen\\
|
|
\pcind\pcreturn 0;\\
|
|
b\sample \{0,1\}; ( \Psi,coins_{\Psi} ) \leftarrow \mathsf{CH}_{\mathsf{ror}}^b(\lambda,\pk,w,L) ; \\
|
|
b' \leftarrow
|
|
\adv^{\mathsf{PROVE}_{\mathsf{PP},\mathsf{PP}'}^b(\pk_{\GM},\pk_{\OA},\pk,\crt_{\pk},\pk_{R},x,w,\Psi,L,coins_{\Psi}),\mathsf{DEC}^{\neg
|
|
\langle \Psi, L \rangle}(\sk,.)}(\mathsf{aux},\Psi) ; \\
|
|
\pcif b=b' \pcthen\\ \pcind\pcreturn 1 \\\pcelse\\ \pcind \pcreturn 0;
|
|
}
|
|
\end{center}
|
|
\end{definition}
|
|
|
|
\paragraph{Anonymity.}
|
|
In the experiment modeling the anonymity property, the adversary
|
|
controls the entire system except the opening authority and two well-behaved users.
|
|
The challenger thus introduces two honest users' public keys $\pk_0,\pk_1$ in $\mathsf{database}$ and thus obtains certificate for both $\pk_0,\pk_1$ from the adversarially-controlled $\GM$.
|
|
For a pair $(x,w) \in R$ of its choice, the adversary obtains an encryption of $w$ under $\pk_b$ for some $b\in \bit$ chosen by the challenger.
|
|
The adversary is provided with decryption oracles w.r.t. both keys $\pk_0,\pk_1$. In addition, it has the following oracles at disposal:
|
|
\begin{itemize}
|
|
\item[-] $\mathsf{CH}_{\mathsf{anon}}^b(\pk_{\GM},\pk_{\OA},\pk_0,\pk_1,w,L)$: is a
|
|
challenge oracle that is only queried once by the adversary. It
|
|
returns a pair $(\Psi,coins_{\Psi})$ consisting of a ciphertext
|
|
$\Psi \leftarrow
|
|
\mathsf{ENC}(\pk_{\GM},\pk_{\OA},\pk_b,\crt_{\pk_b},w,L)$ and the
|
|
coin tosses $coins_{\Psi}$ that were used to generate $\Psi$.
|
|
\item[-]
|
|
$\mathsf{USER}(\pk_{\GM})$: is a stateful oracle that obtains certificates from the adversary by simulating two
|
|
executions of $\mathsf{J}_{\mathsf{user}}$ to introduce two honest users
|
|
in the group. It uses a string $\mathsf{keys}$ where the outputs $(\pk_0,\sk_0,\crt_{\pk_0})$, $(\pk_1,\sk_1,\crt_{\pk_1})$ of honest users
|
|
are written as long as the adversarially-supplied certificates $\{\crt_{\pk_d}\}_{d=0}^1$ are valid w.r.t. $\pk_{\GM}$ (i.e., invalid certificates are ignored
|
|
by the oracle and no entry is introduced in $\mathsf{keys}$ for them).
|
|
\item[-]
|
|
$\mathsf{OPEN}(\sk_{\OA},.)$: is a stateless oracle that simulates
|
|
the opening algorithm and, on input of a $\GE$
|
|
ciphertext, returns the receiver's public key.
|
|
\end{itemize}
|
|
|
|
The reason why
|
|
the $\mathsf{USER}$ oracle is needed is that both honest users' public keys $\pk_0, \pk_1$ must have been properly
|
|
certified by the adversarially-controlled $\mathsf{GM}$ before the challenge phase because the adversary subsequently obtains
|
|
proofs generated using $(\pk_b,\crt_{\pk_b})$.
|
|
|
|
\begin{definition} \label{anonymity-def}
|
|
A $\GE$ scheme satisfies \textit{anonymity} if, for any PPT adversary $\adv$, the experiment below returns $1$
|
|
with a probability not exceeding $1/2 + \mathsf{negl}(\lambda)$.
|
|
\begin{center}
|
|
\procedure{Experiment $\Expt_{\adv}^{\mathrm{anon}}(\lambda)$}{
|
|
\param \leftarrow
|
|
\mathsf{SETUP}_{\mathsf{init}}(1^\lambda); (\pk_{\OA},\sk_{\OA})
|
|
\leftarrow \mathsf{SETUP}_{\mathsf{OA}}( \param); \\
|
|
(\mathsf{aux},\pk_{\GM}) \leftarrow \adv(\param,\pk_{\OA});
|
|
\mathsf{aux} \leftarrow
|
|
\adv^{\mathsf{USER}(\pk_{\GM}),\mathsf{OPEN}(\sk_{\OA},.)}
|
|
(\mathsf{aux}) ; \\
|
|
\pcif \mathsf{keys} \neq (\pk_0,\sk_0,\crt_{\pk_0},\pk_1,\sk_1,\crt_{\pk_1})(\mathsf{aux}) \pcthen\\
|
|
\pcreturn 0;\\
|
|
(\mathsf{aux},x,w,L,\pk_{R}) \leftarrow
|
|
\adv^{\mathsf{OPEN}(\sk_{\OA},.),
|
|
\mathsf{DEC}(\sk_0,.),\mathsf{DEC}(\sk_1,.)}(\mathsf{aux}); \\
|
|
\pcif (x,w) \not\in R \pcthen\\
|
|
\pcind \pcreturn 0; \\
|
|
b\sample \{0,1\}; ( \Psi,coins_{\Psi} ) \leftarrow \mathsf{CH}_{\mathsf{anon}}^b(\pk_{\GM},\pk_{\OA},\pk_0,\pk_1,w,L) ; \\
|
|
b' \leftarrow
|
|
\adv^{\mathcal{P}(\pk_{\GM},\pk_{\OA},\pk_b,\crt_{\pk_b},x,w,\Psi,L,coins_{\Psi},}
|
|
\\ ^{\mathsf{OPEN}^{\neg \langle \Psi,L \rangle
|
|
}(\sk_{\OA},.),\mathsf{DEC}^{\neg \langle \Psi, L
|
|
\rangle}(\sk_0,.),\mathsf{DEC}^{\neg
|
|
\langle \Psi, L \rangle}(\sk_1,.))}(\mathsf{aux},\Psi) ; \\
|
|
\pcif b=b' \pcthen\\
|
|
\pcind \pcreturn 1\\
|
|
\pcelse\\
|
|
\pcind \pcreturn 0;
|
|
}
|
|
\end{center}
|
|
\end{definition}
|
|
|
|
\paragraph{Soundness.}
|
|
Here, the adversary creates the group of receivers by interacting with the honest GM.
|
|
Its goal is to produce a ciphertext $\Psi$ and a convincing proof
|
|
that $\Psi$ is valid w.r.t. a relation $R$ of its choice but
|
|
either: (1) The opening of $\Psi$ reveals a receiver's public key $\pk$ that
|
|
does not belong to any group member; (2) The output $\pk$ of
|
|
$\mathsf{OPEN}$ is not a valid public key (\textit{i.e.}, $\pk \not\in
|
|
\mathcal{PK}$, where $\mathcal{PK}$ is the language of valid public keys); (3) The ciphertext $C$ is not in the space
|
|
$\mathcal{C}^{x,L,\pk_{R},\pk_{\GM},\pk_{\OA},\pk}$ of valid
|
|
ciphertexts. This notion is formalized by a game where the adversary
|
|
is given access to a user registration oracle
|
|
$\mathsf{REG}(\sk_{\GM},.)$ that simulates $\mathsf{J}_{\GM}$. This oracle
|
|
maintains a list $\mathsf{database}$ where registered public keys and
|
|
their certificates are stored.
|
|
|
|
\begin{definition} \label{soundness-def}
|
|
A $\GE$ scheme is \textit{sound} if, for any PPT adversary $\adv$, the experiment below returns $1$
|
|
with negligible probability.
|
|
\begin{center}
|
|
\procedure{Experiment $\Expt_{\adv}^{\mathrm{soundness}}(\lambda)$}{
|
|
\param \leftarrow
|
|
\mathsf{SETUP}_{\mathsf{init}}(1^\lambda); (\pk_{\OA},\sk_{\OA})
|
|
\leftarrow \mathsf{SETUP}_{\OA}( \param); \\
|
|
(\pk_{\GM},\sk_{\GM}) \leftarrow \mathsf{SETUP}_{\GM}( \param); \\
|
|
(\pk_{R},x,\Psi,\pi_{\Psi},L,\mathsf{aux}) \leftarrow
|
|
\adv^{\mathsf{REG}(\sk_{\GM},.)}(\param,\pk_{\GM},\pk_{\OA},\sk_{\OA});
|
|
\\
|
|
\pcif \mathcal{V}( \Psi,L,\pi_{\Psi},\pk_{\GM},\pk_{\OA})=0 \pcthen\\
|
|
\pcind \pcreturn 0; \\
|
|
\pk \leftarrow \mathsf{OPEN}(\sk_{\OA},\Psi,L); \\
|
|
\pcif \big( (\pk \not\in \mathsf{database} ) \vee (\pk \not \in \mathcal{PK})
|
|
\vee (\Psi \not \in
|
|
\mathcal{C}^{x,L,\pk_{R},\pk_{\GM},\pk_{\OA},\pk}) \big)\pcthen\\
|
|
\pcind \pcreturn 1\\
|
|
\pcelse \\
|
|
\pcind \pcreturn 0;
|
|
}
|
|
\end{center}
|
|
\end{definition}
|
|
|
|
The model of Kiayias \textit{et al.} \cite{KTY07} requires
|
|
that $\pk$ belongs to the language of valid public keys, so that the adversary is considered to defeat the soundness property when
|
|
$(\Psi,L)$ opens to a key outside the language (i.e.,
|
|
$\pk \not \in \mathcal{PK}$). In our scheme, we will assume that the space
|
|
of valid public keys is dense in that all matrices of a given dimension are valid public keys, which have an underlying private key.
|
|
We nevertheless use the same definition as \cite{KTY07} in order to emphasize that we are not relaxing the model in any way.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
\section{Building Blocks}
|
|
|
|
|
|
|
|
|
|
\subsection{The Agrawal-Boneh-Boyen IBE Scheme} \label{ap:ABB-IBE}
|
|
|
|
\subsubsection{Identity-Based Encryption.} \label{ap:IBE}
|
|
|
|
An IBE scheme is a tuple of efficient algorithms $(\mathsf{Setup}, \mathsf{Extract}_\mathsf{PP}, \mathsf{Encrypt}_\mathsf{PP},$ $\mathsf{Decrypt}_\mathsf{PP})$ such that
|
|
\begin{description}
|
|
\item[\textsf{Setup}$(1^\lambda)$:] On security parameter $\lambda$, this algorithm outputs public parameters $\mathsf{PP}$ and a master secret key $\textsf{msk}$.
|
|
\item[\textsf{Extract}$_\mathsf{PP}(\textsf{msk}, \ID)$:] Takes as input a master secret key $\textsf{msk}$ and an identity $\ID$ and outputs a secret key $\sk_\ID$.
|
|
\item[\textsf{Encrypt}$_\mathsf{PP}(\ID, M)$:] Given an identity $\ID$ and a message $M$, it outputs a ciphertext $C$.
|
|
\item[\textsf{Decrypt}$_\mathsf{PP}(\sk_\ID, C)$:] Given a secret key $\sk_\ID$ and a ciphertext $C$, outputs either a decryption error symbol $\bot$, or a message $M$.
|
|
\end{description}
|
|
|
|
\noindent Correctness requires that, for any pair $(\mathsf{PP}, \textsf{msk}) \gets \Setup(1^\lambda)$, any $\ID$ and any message $M$, we have
|
|
$\mathsf{Decrypt}_\mathsf{PP}\bigl(\textsf{Extract}_\mathsf{PP}(\textsf{msk}, \ID), \mathsf{Encrypt}_\mathsf{PP}(\ID, M)\bigr) = M.$
|
|
Our proofs rely on the semantic security of the scheme against selective adversaries (\textsf{IND-sID-CPA})
|
|
but also on the stronger property of ciphertext pseudo-randomness. %in Lemma~\ref{ABB-deux}.
|
|
Informally, this notions demands that the adversary be unable to distinguish an
|
|
encryption of a message of its choice from a random element of the ciphertext space $\mathcal{C}$. Notice that this property implies \textsf{IND-sID-CPA} security.
|
|
|
|
\begin{definition}
|
|
\label{de:pseudorand-cipher}
|
|
An IBE scheme has pseudo-random-ciphertexts if no PPT adversary $\adv$ with access to private key extraction oracle \textsf{Extract$_\mathsf{PP}(\textsf{msk}, \cdot)$} has non-negligible advantage
|
|
$ \advantage{\mathrm{ROR}}{\adv}{\lambda} = | \Pr\bigl[ \mathbf{Expt}_{\adv}^\mathrm{ROR} = 1 \bigr] - \frac 1 2 | $ in the game described in Figure~\ref{fig:expt-ror}
|
|
|
|
\begin{figure}
|
|
\centering
|
|
\procedure{Experiment $\Expt^{\mathrm{ROR}}_{\adv}(\lambda)$}{
|
|
\ID^\star \gets \adv(\textsf{id}, \lambda); (\mathsf{PP}, \textsf{msk}) \gets \mathsf{Setup}(1^\lambda);~\\
|
|
M \gets \adv^{\mathsf{Extract}_\mathsf{PP}(\textsf{msk}, \cdot)}_\textsf{Ch}(\mathsf{PP});\\
|
|
b \sample U(\bit);\\
|
|
\pcif b = 1 \pcthen\\
|
|
\pcind C^\star \gets \mathsf{Encrypt}_\mathsf{PP}(M, \ID^\star) \\
|
|
\pcelse\\
|
|
\pcind C^\star \gets U(\mathcal{C});\\
|
|
b' \gets \adv^{\mathsf{Extract}_\mathsf{PP}(\textsf{msk}, \cdot)}(\textsf{guess},C^\star);\\
|
|
\pcif b = b' \pcthen\\
|
|
\pcind \pcreturn 1\\
|
|
\pcelse \\
|
|
\pcind \pcreturn 0
|
|
}
|
|
\caption{Security experiment for the pseudo-random-ciphertext property for an IBE}
|
|
\label{fig:expt-ror}
|
|
\end{figure}
|
|
\end{definition}
|
|
|
|
|
|
\subsubsection{The ABB System.} \label{ap:ABB-desc}
|
|
|
|
Agrawal, Boneh and Boyen described~\cite{ABB10} a compact IBE scheme in the standard model which allows encrypting multi-bit messages.
|
|
%In
|
|
%the description hereunder, algorithms \textsf{Extract}, \textsf{Encrypt} and \textsf{Decrypt} have implicit access to the public param
|
|
%eters $\mathsf{PP}$ defined in the \textsf{Setup} algorithm.
|
|
|
|
\begin{description}
|
|
\item[\textsf{Setup}$(1^\lambda)$:] Given a security parameter $\lambda$, choose parameters
|
|
$q, n, \sigma, \alpha$ and define $k =\lfloor \log q \rfloor$, $\bar{m}= nk$, $m = 2 \bar{m}$ and choose a noise distribution $\chi$ for $\LWE$.
|
|
\begin{enumerate}
|
|
\item Compute $(\bar{\mathbf A}, \mathbf{T}_{\bar{\mathbf{A}}}) \gets \TrapGen(1^n, 1^m, q)$.
|
|
\item Define $\mathbf{G} = \mathbf{I}_n \otimes [1|2|\ldots |2^{k-1}] \in \ZZ_q^{n \times \bar{m}}$. Sample matrices $\mathbf B \sample U(\ZZ_q^{ n \times \bar{m}}) $,
|
|
$ \mathbf U \sample U(\Zq^{n \times m})$.
|
|
\item Let $\mathsf{FRD}: \Zq^n \to \Zq^{n \times n}$ be the full-rank difference mapping from~\cite{ABB10}.
|
|
\end{enumerate} Output
|
|
$
|
|
\mathsf{PP}= \bigl(\bar{\mathbf A}, \mathbf B, \mathbf U \bigr)$ and $\textsf{msk} = \mathbf{T}_{\bar{\mathbf A}}$.
|
|
|
|
\item[\textsf{Extract}$_\mathsf{PP}(\textsf{msk}, \ID)$:] Given $\textsf{msk} = \mathbf{T}_{\bar{\mathbf A}}$ and an identity $\ID \in \Zq^n$, do as follows: \smallskip
|
|
\begin{enumerate}
|
|
\item Define the matrix $\mathbf B_\ID = \mathbf B + \mathsf{FRD}(\ID) \cdot \mathbf G \in \Zq^{n \times \bar{m}}$.
|
|
%\item Use $\mathbf T_A$ to compute a delegated basis $\mathbf T_\ID$ for the dual lattice of the matrix $\mathbf B_{\mathbf A, \ID} = \left[ \mathbf A \mid \mathbf B_\ID \right]$.
|
|
\item Let $\mathbf B_{\mathbf A, \ID} = \left[ \mathbf A \mid \mathbf B_\ID \right] \in \ZZ_q^{n \times (m + \bar{m})}$, use $\mathbf T_A$ to compute a delegated basis $\mathbf T_\ID$ for the lattice $\Lambda^\perp(\mathbf B_{\mathbf A, \ID})$.
|
|
\item Use $\mathbf T_\ID$ to sample a small-norm matrix $\mathbf E_\ID \in \ZZ^{(m+ \bar{m}) \times m}$ satisfying the equality $\mathbf B_{\mathbf A, \ID} \cdot \mathbf E_\ID = \mathbf U \bmod q$.
|
|
\item Output $\sk_\ID = \mathbf E_\ID \in \ZZ^{(m+ \bar{m}) \times m}$. \smallskip \smallskip
|
|
\end{enumerate}
|
|
\item[\textsf{Encrypt}$_\mathsf{PP}(\ID,\mathbf m)$:] Given an identity $\ID$ and a message $\mathbf m \in \bit^m$, \smallskip
|
|
\begin{enumerate}
|
|
\item Compute the matrix $\mathbf B_\ID = \mathbf B + \mathsf{FRD}(\ID) \cdot \mathbf G \in \Zq^{n \times \bar{m}}$.
|
|
Sample vectors $\mathbf s \sample U(\Zq^n), \mathbf x, \mathbf y \sample \chi^m$, $\mathbf R \sample D_{\ZZ,\sigma}^{m \times \bar{m}}$ and compute
|
|
$\mathbf z = \mathbf R^\top \cdot \mathbf y \in \ZZ^m$.
|
|
\item Compute
|
|
\begin{equation} \label{eq:ABB-c}
|
|
\begin{cases}
|
|
\mathbf c^{(1)} = \bar{\mathbf A}^\top \cdot \mathbf s + \mathbf y \bmod q,\\
|
|
\mathbf c^{(2)} = \mathbf B_\ID^\top \cdot \mathbf s + \mathbf z \bmod q,\\
|
|
\mathbf c^{(3)} = \mathbf U^\top \cdot \mathbf s + \mathbf x + \mathbf m \cdot \left\lfloor \dfrac{q}{2} \right\rfloor.
|
|
\end{cases}
|
|
\end{equation}
|
|
\item Output $\mathbf c = \bigl(\mathbf c^{(1)},\mathbf c^{(2)},\mathbf c^{(3)}\bigr) \in \ZZ_q^m \times \ZZ_q^{\bar{m}} \times \ZZ_q^m$. \smallskip \smallskip
|
|
\end{enumerate}
|
|
\item[\textsf{Decrypt}$_\mathsf{PP}(\sk_\ID, \mathbf c)$:] Given $\sk_\ID = \mathbf E_\ID$ and $\mathbf c=\bigl(\mathbf c^{(1)},\mathbf c^{(2)},\mathbf c^{(3)}\bigr) \in \ZZ_q^m \times \ZZ_q^{\bar{m}} \times \ZZ_q^m$, compute and output
|
|
% \begin{equation} \label{eq:ABB-dec}
|
|
$ \mathbf m' = \left\lfloor \left( \mathbf c^{(3)} - \mathbf E_\ID \cdot \begin{bmatrix} \mathbf c^{(1)} \\ \mathbf c^{(2)} \end{bmatrix} \right) \cdot \left\lfloor \dfrac{q}{2} \right\rfloor^{-1} \right\rceil \in \bit^m .$
|
|
% \end{equation}
|
|
\end{description}
|
|
\smallskip
|
|
|
|
|
|
|
|
\begin{theorem}[{\cite[Th. 23]{ABB10}}] \label{ABB-pseudorand-prop}
|
|
The ABB IBE scheme has pseudo-random ciphertexts if the $\LWE_{n,q,\chi}$ assumption holds.
|
|
\end{theorem}
|
|
|
|
|
|
%**************************************************
|
|
|