Attribute-Based Key-Insulated Encryption *

Size: px

Start display at page:

Download "Attribute-Based Key-Insulated Encryption *"

Violet Emmeline Foster
5 years ago
Views:

1 JOURNAL OF INFORMATION SCIENCE AND ENGINEERING (0) Attrbute-Based Key-Isulated Ecrypto JIAN-HONG CHEN YONG-TAO WANG AND KE-FEI CHEN 3 Departmet of Computer Scece ad Egeerg Shagha Jao Tog Uversty Shagha 0040 P.R. Cha Schoool of Computer Egeerg Huay Isttute of Techology Huaa 3003 P.R. Cha 3 Natoal Laboratory of Moder Commucatos Chegdu 6004 P.R. Cha Attrbute-based ecrypto (ABE) s a exctg alteratve to publc-key ecrypto as ABE develops ecrypto systems wth hgh expressveess wthout the eed for a publc key frastructure (PKI) that makes publcly avalable the mappg betwee dettes (sets of attrbutes) publc keys ad valdty of the latter. Ay settg PKI or attrbute-based must provde a meas to revoke users from the system. To mtgate the lmtato of ABE wth regard to revocato we propose a attrbute-based key-sulated ecrypto (ABKIE) scheme whch s a ovel ABE scheme. I our ABKIE scheme a prvate key ca be reewed wthout havg to make chages to ts publc key (a set of attrbutes). The scheme s secure agast adaptve chose cphertext attacks. The formal proof of securty s preseted uder the Selectve-ID securty model.e. wthout radom oracles assumg the decso Blear Dffe-Hellma problem s computatoally hard. To the best of our kowledge ths s the frst ABKIE scheme up to ow. Further ths s also the frst cocrete ABE costructo wth regard to revocato. Keywords: attrbute based ecrypto key sulato selectve-id securty model revocato. INTRODUCTION Attrbute-based ecrypto (ABE) [] s a exctg alteratve to publc-key ecrypto whch develops ecrypto systems wth hgh expressveess wthout the eed for a publc key frastructure (PKI) that makes publcly avalable the mappg betwee dettes (sets of attrbutes) publc keys ad valdty of the latter. The ABE prmtve provdes some sort of error-tolerace.e. dettes are vewed as sets of attrbutes ad a user ca decrypt f t holds prvate keys for eough of (but ot ecessarly all) attrbutes a cphertext s ecrypted uder. At the same tme colludg users caot combe ther keys to decrypt a cphertext whch oe of them were able to decrypt depedetly. Ay settg PKI or Attrbute-based must provde a meas to revoke users from the system e.g. f ther prvate keys get compromsed. Revocato was frst studed the attrbute-based settg by Prrett et al. [] whch was refed by Boldyrev et al. [3]. I Receved Jue 009; revsed September 5 & November & February 00; accepted March 00. Commucated by Ch-Je Lu. Ths work was supported by the Natoal Natural Scece Foudato of Cha (No ) the Natoal Hgh Techology Research ad Developmet Program (863) of Cha (No. 009AA0Z48) the Natoal Basc Research Program (973) of Cha (No. 007CB30) ad the Foudato of NLMC (940C ). 437

2 438 JIAN-HONG CHEN YONG-TAO WANG AND KE-FEI CHEN the methods of [ 3] the authorty updates prvate keys correspodg to dettes (sets of attrbutes) perodcally. Ufortuately a cocrete revocable-abe costructo was t gve [ 3]. Further the settgs wth a large umber of users ad short (e.g. per day) reewal terval commucato ad computato overhead wll make the authorty sufferable due to frequet teracto wth the authorty. I 00 Dods et al. [4] troduced a key sulato mechasm whch ca protect prvate keys publc key cryptosystems. The frst key-sulated ecrypto scheme [4] was mproved by Bellare et al. [5]. The a parallel key-sulato mechasm [6] ad a threshold key-sulato mechasm [7] were gve for some specal stuatos. I detty-based scearos Haaoka et al. [8] put forward a detty-based key-sulated ecrypto (IBKIE) scheme. [7 9] exteded the threshold sulato ad the parallel sulato respectvely to detty-based settgs. To mtgate the lmtato of ABE wth regard to revocato we propose a attrbutebased key-sulated ecrypto (ABKIE) scheme. I our ABKIE scheme a user ca update hs prvate key wthout the help of the authorty ad wthout chagg hs detty (a set of attrbutes). We wat to remove the authorty from the process of key update ad sgfcatly mmze the work doe by the authorty. Frst we defe the ABKIE prmtve ad ts securty model that formalzes the possble threats. The model of course takes to accout all adversaral capabltes of the stadard ABE securty oto. The based o the ew model we gve a cocrete costructo. To the best of our kowledge ths s the frst ABKIE scheme up to ow. Further ths s also the frst cocrete ABE costructo wth regard to revocato. ABKIE ca be cosdered a geeralzato of IBKIE. Our AB- KIE (secure uder the Selectve-ID securty model.e. wthout radom oracles) s more secure ad more expressve tha Haaoka et al. s [8] IBKIE (secure the radom oracle model). Hgh expressveess s the mert we hert from ABE. We assume the lfetme of the system s dvded to N tme perods ad k deotes the umber of tme perods that may be compromsed by the adversary. Dods et al. [4] gave a (k N)-key-sulated ecrypto scheme. Ther scheme however scaled poorly havg cost proportoal to k. Bellare et al. [5] refed t ad put forward a strogly key-sulated ecrypto scheme wth optmal threshold. I Bellare et al. s scheme k eed ot be kow advace ad ca be as large as oe less tha the total umber of perods yet the cost of the scheme s ot mpacted. We follow the Bellare et al. s work. Thus our ABKIE scheme s also wth optmal threshold. Our proposed scheme s (N N)-key-sulated.e. eve f temporary prvate keys for up to N tme perods are compromsed a adversary s stll uable to derve ths user s temporary prvate key from the remag tme perod. Further t s strogly key-sulated.e. eve f the adversary exposes the secrets stored the helper there s stll o securty compromse. The rest of ths paper s orgazed as follows: I secto we provde some prelmares for a ABKIE scheme. Secto 3 gves the sytax defto ad securty otos of the scheme. The secto 4 we detal our ABKIE costructo ad the securty proof. Secto 5 s our cocluso.. PRELIMINARIES Throughout ths paper we let Z p deote the set {0 p } ad Z p deote Z p /0. For a fte set S x R S mea choosg a elemet x from S wth a uform dstrbuto.

3 ATTRIBUTE-BASED KEY-INSULATED ENCRYPTION 439. Blear Pargs Let G ad G be two cyclc multplcatve groups wth the same prme order p. Let e: G G G be a parg whch satsfes the followg codtos: Blear: For all g g G ad for all a b Z p we have e(g a g b ) = e(g g ) ab. No-degeerate: There exsts g g G such that e(g g ). Computable: There s a effcet algorthm to compute e(g g ) for all g g G.. The DBDH Assumpto Defto The Decsoal Blear Dffe-Hellma (DBDH) Assumpto [ 0] s that o probablstc polyomal-tme algorthm B that outputs b {0 } ca dstgush the tuple (A = g a B = g b C = g c e(g g) abc ) from the tuple (g A = g a B = g b C = g c e(g g) z ) where a b c z R Z p. The advatage of B s Pr[B(g A B C e(g g) abc ) = 0] Pr[B(g A B C e(g g) z ) = 0]..3 PRF Before descrbg the applcato of Pseudoradom Fuctos (PRFs) our cocrete ABKIE scheme let us recall the defto [] of the pseudoradom collecto from whch PRFs are pcked. Defto Let I k deote the set of all k-bt strgs ad H k deote the set of all fuctos from I k to I k. We restrct ourselves to choose fuctos from a subset F k H k where the pseudoradom collecto F = {F k } has the followg propertes: Idexg: Each fucto F k has a uque k-bt dex assocated wth t. (Thus pckg radomly a fucto f F k s easy.) Poly-tme Evaluato: There exsts a polyomal tme Turg mache that gve a dex of a fucto f F k ad a put x computes f(x). Pseudoradomess: No probablstc algorthm that rus tme polyomal k ca dstgush the fuctos F k from the fuctos H k. 3. MODEL OF ABKIE A ABKIE scheme cossts of sx algorthms: Setup(d): Gve a threshold value d the authorty rus ths algorthm to output a master key MK ad a set of publc parameters PK. KeyGe(ω MK): Gve the user s detty ω as a set represetg a user s attrbutes ad the master-key MK the authorty rus ths algorthm to output a tal prvate key TK ω0 ad a helper key HK ω correspodg to ω. The helper key s kept by the helper ad the user wth detty ω keeps the tal prvate key. HelperUpt(t t ω HK ω PK): Gve perod dces t ad t a detty ω ts helper key

4 440 JIAN-HONG CHEN YONG-TAO WANG AND KE-FEI CHEN HK ω ad the publc parameters PK the helper rus ths algorthm to output the key-update formato UI ωt t for ω from perod t to perod t. UserUpt(t t ω TK ωt UI ωt t PK): Gve perod dces t ad t a detty ω the temporary prvate key TK ωt correspodg to ω ad t the key-update formato UI ωt t for ω from perod t to perod t ad the publc parameters PK the user wth detty ω rus ths algorthm to output the temporary prvate key TK ωt correspodg to ω ad t. Ecrypto(t M ω PK): The Ecrypto algorthm s ru by a user to ecrypt a message M wth a target detty ω perod t ad the publc parameters PK. It outputs a cphertext E ecrypted uder ω ad t. Decrypto(E ω ω TK ωt PK): The Decrypto algorthm s ru by a user wth detty ω ad the temporary prvate key TK ωt to attempt to decrypt a cphertext E uder detty ω ad perod t. If the set overlap ω ω d the algorthm wll output the decrypted message M. The securty otos for ABKIE schemes are based o the securty deftos key-sulated ecrypto [4 5] ad ABE systems []. 3. Key-sulated Securty We frst cosder the basc (.e. o-strogly) key-sulated securty for ABKIE. For oe thg as stadard ABE systems the key geerato queres should be cosdered. For aother as tradtoal key-sulated ecrypto schemes the temporary prvate key exposure should be addressed. A ABKIE scheme s sad to be secure agast chose platext attacks (CPA) the sese of key-sulato f o probablstc polyomal-tme adversares have o-eglgble advatage the followg game. It The adversary declares the detty ad the tme perod dex t that he wshes to be challeged upo. Setup The challeger rus the setup phase of the algorthm ad tells the adversary the publc parameters. Phase The adversary adaptvely ssues a set of queres as below: Key Geerato Query : The challeger frst rus algorthm KeyGe to obta the tal prvate key TK 0 ad the helper key HK correspodg to detty. It the seds these results to the adversary. Temporary Prvate Key Query t: The challeger rus algorthm UserUpt to obta the temporary prvate key for detty ad perod dex t. It the seds ths result to the adversary. Challege The adversary submts two equal legth messages M 0 M. The challeger flps a radom co b ad ecrypts M b wth ad t. The cphertext s passed to the adversary. Phase Phase s repeated.

5 ATTRIBUTE-BASED KEY-INSULATED ENCRYPTION 44 Guess The adversary outputs a guess b of b. For coveece we gve the defto of a restrcted detty as below: the set overlap betwee a restrcted detty ad the challege detty s at least d. The advatage of a adversary A ths game s defed as Pr[b = b]. We refer to the above game as a IND-A&KI-CPA game. I the above game t s madated that the followg codtos are smultaeously satsfed: () A s dsallowed to ssue key geerato queres for the restrcted dettes; () A s dsallowed to ssue temporary prvate key queres for the restrcted dettes ad the challeged tme perod t. Remark : For those o-restrcted dettes Temporary Prvate Key Query s of o help for A sce he ca derve the temporary prvate key for ay of these dettes by ssug key geerato queres. Thus wthout loss of geeralty we requre that A should oly ssue temporary prvate key queres for the restrcted dettes. 3. Strogly Key-sulated Securty The strogly key-sulated securty for key-sulated ecrypto systems meas that f a adversary does ot compromse ay prvate key exposure of the helper key does ot eable the adversary to decrypt a vald cphertext for ay tme perod. The word strogly does t mea our strogly key-sulated securty s more strog securty tha our keysulated securty. We hert the oto of strogly key-sulated securty from [4 5] ad develop t the attrbute based scearo. To model ths securty oto for ABKIE systems we allow the adversary to compromse the helper key. A ABKIE scheme s sad to be secure agast chose platext attacks (CPA) the sese of strog key-sulato f o probablstc polyomal-tme adversares have o-eglgble advatage a IND- A&SKI-CPA game. The IND-A&SKI-CPA game s almost the same as the IND-A&KI- CPA game except Phase. Phase The adversary adaptvely ssues a set of queres as below: Key Geerato Query : the same as the IND-A&KI-CPA game. Helper Key Query : The challeger rus algorthm KeyGe to geerate HK ad seds t to the adversary. The advatage of a adversary A ths game s defed as Pr[b = b]. I the above game t s madated that the followg codto s satsfed: A s dsallowed to ssue key geerato queres for the restrcted dettes. Remark : For those o-restrcted dettes Helper Key Query s of o help for A because he ca derve the helper key for ay of these dettes by ssug key geerato queres. Thus wthout loss of geeralty we requre that A should oly ssue helper key queres for the restrcted dettes.

6 44 JIAN-HONG CHEN YONG-TAO WANG AND KE-FEI CHEN 4. Descrpto of Our Scheme 4. OUR PROPOSED ABKIE SCHEME Our proposed ABKIE scheme s based o Saha-Waters large uverse ABE costructo []. We frst gve a bref revew of Saha-Waters costructo to show the dfferece betwee t ad our ABKIE costructo. Let G ad G be two groups wth prme order p of sze κ ad let g be a geerator of G. Addtoally let e: G G G deote the blear map. We restrct ecrypto dettes to be of legth for some fxed. x j We defe the Lagrage coeffcet Δ S ( x) = j S j j for Z p ad a set S of elemets Z p. Idettes wll be sets of elemets of Z p. Wth some mor modfcatos to our scheme whch we omt for smplcty we ca ecrypt to all dettes of sze. Note that here we assocate each elemet wth a uque teger Z p whle practce a attrbute wll be assocated wth each elemet so that dettes wll have some sematcs. We ca also descrbe a detty as a collecto of strgs of arbtrary legth ad hash strgs to members of Z p usg a collso-resstat hash fucto H: {0 } Z p. Saha- Waters ABE scheme cossts of the followg algorthms: Setup: The authorty pcks y R Z p g R G sets g = g y pcks v v + R G lets + x ΔN ( x) N be the set { + } ad defes a fucto V as V( x) = g v. We ca = vew V as the fucto g xg h(x) for some degree polyomal h. The publc parameters are publshed as PK = (g g v v + ) ad the master secret key s MK = y. KeyGe: To geerate the prvate key for detty ω the authorty frst chooses a d degree polyomal q(x) radomly such that q(0) = y. The for all ω t pcks r R Z p ad computes the prvate key SK ω = ({D } ω {d } ω ) = ({g q() V() r }) ω g r } ω ). Ecrypto: To ecrypt a message M G wth the publc key ω a user pcks s R Z p ad publshes the cphertext as E = (ω E = Me(g g ) s E = g s {E = V() s } ω ). Decrypto: Suppose that a cphertext E s ecrypted wth detty ω ad we have a prvate key for detty ω where ω ω d. Choose a arbtrary d-elemet subset S of ω ω. The decrypto algorthm terpolates a polyomal the expoet usg Shamr s [] secret sharg method. For each ω the user wth detty q() r ed ( E ) ( ( ) s eg V g) ω ad prvate key SK ω computes a temporary value A = ed ( E) = r ( s = eg V ( ) ) q() s r ( ) ( ( ) s eg g ev g) r ( s = e(g g eg V ( ) ) ) q()s. Usg polyomal terpolato the algorthm recovers the value e(g g ) ys ad dvdes t out by computg: A Δ S E E E E = = = = M. (0) qs ( ) (0) q(0) s ys eg ( g) Δ eg ( g) eg ( g) S S S Attrbute-based ecrypto [] whch corporates attrbutes as puts to ts cryptographc prmtves s a geeralzato of detty-based ecrypto. As a cosequece t s atural to exted Haaoka et al. [8] s IBKIE scheme to attrbute-based scearo. Tempo-

7 ATTRIBUTE-BASED KEY-INSULATED ENCRYPTION 443 rary prvate key update s eve more dffcult attrbute systems gve that each attrbute s cocevably possessed by multple dfferet users whereas publc/prvate key pars are uquely assocated wth a sgle user. Hece costructg a ABKIE scheme by extedg IBKIE s t so straghtforward. We base our cocrete scheme o Saha-Waters ABE costructo. We otce that addg key sulato mechasm to ABE costructo s ot trval. I Saha-Waters costructo t s requred by provable securty that expoets temporary prvate keys should be radom umbers. O the other had the radomess of expoets temporary prvate keys makes the user of the curret tme perod uable to derve the radom expoets of the tme perods before. Cosequetly t s very dffcult to mplemet temporary prvate key update algorthm. To solve ths problem spred by the cryptographc applcatos of pseudo-radom fuctos (PRFs) [3] we use a PRF famly F such that gve a κ-bt seed (dex) s ad a κ-bt argumet (put) x t outputs a κ-bt strg F s (x). I our cocrete ABKIE scheme dettes wll be sets of elemets of Z p ad perod dces wll be elemets of Z p. The proposed ABKIE scheme cossts of the followg algorthms: Setup: The authorty pcks y R Z p g h R G sets g = g y pcks v v + R G + x ΔN ( x) lets N be the set { + } ad defes a fucto V as V( x) = g v. We = ca vew V as the fucto g x g h(x) for some degree polyomal h. For clarty we defe H w : Z p G to be the fucto H w (x) = g x h. The publc parameters are publshed as PK = (g g h v v + ) ad the master secret key s MK = y. KeyGe: To geerate the helper key ad the tal prvate key for detty ω the authorty frst pcks a helper key HK ω R {0 } κ computes k ω0 = F HKω (0) ad chooses a d degree polyomal q(x) radomly such that q(0) = y. Note that f the legth of the put for F s less tha κ we ca add some 0 s as the prefx to meet the legth requremet. The for all ω t pcks r R Z p ad computes the tal prvate key TK ω0 = ({D 0} ω D ω 0 {d } ω ) = ({g q() V() r H w (0) k ω0 } ω g k ω0 {g r } ω ). The helper key s kept by the helper ad the user wth detty ω keeps the tal prvate key. HelperUpt: Ths algorthm frst computes k ωt = F HKω (t) ad k ωt = F HKω (t ). The t defes ad returs the key-update formato for detty ω from perod t to perod t as UI ωt t = (UI ω t t UI ω t t ) = (H w (t) k ωt /H w (t ) k ωt gk ωt ). UserUpt: Ths algorthm frst parses the temporary prvate key for detty ω ad perod t as TK ωt = ({D t } ω D ω t {d } ω ) ad parses the key-update formato for detty ω from perod t to perod t as UI ωt t = (UI ω t t UI ω t t ). The t sets the temporary prvate key for detty ω ad perod t as TK ωt = ({D t} ω D ω t {d } ω ) = ({D t UI ω t t } ω UI ω t t {d } ω ) deletes TK ωt ad UI ωt t ad returs TK ωt. Note that tme perod t TK ωt s always set to be ({D t } ω D ω t {d } ω ) = ({g q() V() r H w (t) k ωt } ω g k ωt {g r } ω ). Ecrypto: I tme perod t to ecrypt a message M G wth the publc key ω a user pcks s R Z p ad publshes the cphertext as E = (t ω E = Me(g g ) s E = g s E = H w (t) s {E = V() s } ω ). Decrypto: Suppose that a cphertext E s ecrypted wth detty ω ad perod dex t whle we have a temporary prvate key for detty ω ad perod dex t where ω ω d. Choose a arbtrary d-elemet subset S of ω ω. The the cphertext ca be decrypted as

8 444 JIAN-HONG CHEN YONG-TAO WANG AND KE-FEI CHEN ω ed ( E) ed ( t E ) Δ (0) M = E ( ) S S ed ( t E ) r s kω t s s eg ( V ())( eg Hw()) t ΔS (0) = Me( g g ) ( ) q () r k ω t s S eg ( V ( ) Hw( t) g) r s kω t s s eg ( V ())( eg Hw()) t = Me( g g ) q () s r s kω t s S e( g g ) e( V( ) g ) e( Hw( t) g ) ys = Me( g g ) = M. qs () ΔS (0) eg ( g) 4.3 Securty S ( ) ΔS (0) Theorem Our ABKIE scheme s IND-A&KI-CPA secure the Selectve-ID model assumg that the DBDH assumpto holds groups (G G ) ad F s a famly of PRFs. Cocretely f there exsts a IND-A&KI-CPA adversary A agast our scheme the a smulator B ca be costructed to dstgushes a DBDH tuple from a radom tuple. Proof: Suppose a polyomal-tme adversary A ca w the IND-A&KI-CPA game wth advatage ε. We buld a smulator B that ca dstgush a BDH tuple from a radom tuple wth advatage ε. The challeger frst sets the groups G ad G wth a effcet blear map e ad a geerator g. The the challeger pcks a b c z R Z p μ R {0 }. If μ = 0 the DBDH challeger sets (A B C Z) = (g a g b g c e(g g) abc ); otherwse t sets (A B C Z) = (g a g b g c e(g g) z ). Let g = A ad g = B. The challeger the gves (g A B C Z) to B. B ow plays the role of challeger the IND-A&KI-CPA game. It Durg ths phase B receves the challege detty (a elemet set of members of Z p) ad the challege perod dex t. Setup B chooses a radom degree polyomal f(x) ad calculates a degree polyomal u(x) such that u(x) = x for all x ad where u(x) x for some other x. Sce x ad u(x) are two degree polyomals they wll ether agree o at most pots or they are the same polyomal. Our costructo assures that x u(x) = x f ad oly f x. The for from to + B sets v = g u() g f(). Note that sce f(x) s a radom degree polyomal all v wll be chose depedetly at radom as the costructo ad we mplctly have V(x) = g x +u(x) g f(x). I addto B pcks β R Z p ad defes h = g -t g β. Fally B gves A the publc parameters PK = (g g v v + ). Observe that from the perspectve of A the dstrbutos of these publc parameters are detcal to the real costructo. As before we defe H w : Z p G to be the fucto H w (x) = g x h = g x -t g β. Phase A ssues a seres of queres as the defto of the IND-A&KI-CPA game. Key Geerato Queres: B matas a lst HK lst whch s tally empty. Suppose A requests a helper key ad a tal prvate key for detty. B frst checks whether HK lst has cotaed a tuple for ths put. If yes the predefed value s retured to A.

9 ATTRIBUTE-BASED KEY-INSULATED ENCRYPTION 445 Otherwse t pcks HK R {0 } κ. Next t adds tuple ( HK ) to lst HK lst ad returs HK to A. We set Γ = let Γ be ay set such that Γ Γ ad Γ = d k 0 t 0 ad set S = Γ {0}. B computes k 0 = F HK (0) sets D 0 = g g ad sets k 0 = b k 0 k 0. The we have D 0 = g ad 0 t β β β 0t k t k 0 ab 0 t k 0 ab 0 (0) t β β ( ) ( ) t w bβ b 0 k k a t β b 0 ( ) t a t β t β = g g g g g = g( g g ) ( g g ) t b k 0 a 0t β 0 a k 0 g( g g ) t = = gh w (0). g H = g g g = g g g g g () For Γ B pcks r λ R Z p sets β λ r k λ r a k r () t = w(0) = () w( ) d = D g V g H g V g H 0 g. () For Γ B sets f () β () λ jδ j S + u() + u() f ( ) r Δ 0 () S 0 t k 0 0 = w D ( g )( g ( g g ) ) g H (0) + u() r Δ () 0 S d = ( g g ). (3) The value + u() wll be o-zero for all whch cludes all Γ. Ths follows from our costructo of u(x). Observe that f let r = ( r a ) Δ () 0 S( ) the + u tal prvate key compoets Eq. (3) have the same form as those Eq. (). To see ths let q(x) deote the (d )-degree polyomal such that q(0) = a ad q() = λ for each Γ. Besdes for each Γ we let q() deote λ. The for each Γ we have f () β λ () jδ j S + u() + u() f r Δ0 S () k 0 ( ) 0 0 ( )( ( ) ) t w(0) f () λ () jδ j S + u() + u () f () r Δ 0 S () a k 0 = ( g )( g ( g g ) ) g Hw(0) af () λ () jδ js + u() + u() f () r Δ0 S () k a 0 = ( g )( g ( g g ) ) g Hw(0) a λ () jδ j S a + u() f () + u() + u() f () r Δ 0 S () a = ) a r λ () jδ j S a + u() f () + u() Δ0 S () a k 0 = ( g )( g( g g ) ) ghw(0) D = g g g g g H k 0 ( g )( g ( g g ) ( g g ) g H (0) w (4)

10 446 JIAN-HONG CHEN YONG-TAO WANG AND KE-FEI CHEN r Δ () aδ0 ( j) + u() f () + u() Δ () a k 0 λ q () r a k λ r a g V ghw = g V ghw a r () () + u r Δ S () S() + u Δ r = ( = j j S S 0 S = ( g )( g )(( g g ) ) g H (0) 0 k 0 = () (0) () (0) 0 0 d = ( g g ) g ) g. Temporary Prvate Key Queres: Suppose A requests a temporary prvate key for detty ad tme perod t. We defe Γ Γ ad S the same way as Key Geerato Queres. B pcks k t R Z p. Note that sce F s a PRF famly ad A does ot kow the correspodg seed HK the expoets k t s dstgushable from the real costructo t t k t A s vew ad B ca freely defe k t hmself. B sets D t = g g ad sets k t = k t b k t. The we have D tt t = g β t t k t. Smlarly wth Eq. () we have g Hw() t = a k t g H () t. For Γ B pcks r λ R Z p ad sets w β λ r t t k t λ r k a t t = w = () w() D g V() g H () t g V g H t For Γ B sets a w r d = g. (5) f () β () λ jδ j S + u() + u() f ( ) r Δ 0 S () k t ( )( ( ) t t t = w( ) D g g g g ) g H t + u() r Δ () 0 S d = ( g g ). (6) Smlarly wth Eq. (4) the temporary prvate key compoets Eq. (5) have the same form as those Eq. (6). Challege A wll submt two challege messages M ad M 0 to the smulator. The smulator flps a far bary co ν ad returs a ecrypto of M ν. The cphertext s E = (t E = M ν Z E = C E = C β {E = C f() } ). If μ = 0 the Z = e(g g) abc. The cphertext s E = (t E = M ν e(g g) abc E = g c E = C β = (g β ) c = (g t-t g β ) = H w (t ) c {E = (g c ) f() = (V()) c } ). Ths s a vald cphertext for the message M ν uder detty ad perod dex t. Otherwse f μ = the Z = e(g g) z ad E = M ν e(g g) z. Sce z s radom E wll be a radom elemet of G from the adversares vew ad the message cotas o formato about M ν. Phase The smulator acts exactly as t dd Phase. Guess A wll produce a guess ν of ν. If ν = ν B aswers DBDH the DBDH game to dcate that t was gve a BDH-tuple. Otherwse B aswers radom to dcate t was gve a radom 4-tuple. If Z = e(g g) abc E s a vald cphertext whch case the advatage of A s ε. As a

11 ATTRIBUTE-BASED KEY-INSULATED ENCRYPTION 447 result Pr[B DBDH μ = 0] = Pr[B DBDH Z = e(g g) abc ] = Pr[ν = ν Z = e(g g) abc ] = + ε. Sce B guesses μ = 0 whe ν = ν we have Pr[μ = μ μ = 0] = + ε. If Z = e(g g) z the E s completely radom from the vew of A. Hece Pr[B radom μ = ] = Pr[B radom Z = e(g g) z ] = Pr[ν ν Z = e(g g) z ] =. Sce B guesses μ = whe ν ν we have Pr[μ = μ μ = ] =. The overall advatage of B the DBDH game s Pr[ μ = μ μ = 0] + Pr[ μ = μ μ = ] = ( + ε ) + = ε. Theorem Our ABKIE scheme s IND-A&SKI-CPA secure the Selectve-ID model assumg that the DBDH assumpto holds groups (G G ) ad F s a famly of PRFs. Cocretely f there exsts a IND-A&SKI-CPA adversary A agast our scheme the a smulator B ca be costructed to dstgushes a DBDH tuple from a radom tuple. Proof: The proof of Theorem s almost the same as Theorem except Phase. Phase A ssues a seres of queres as the defto of the IND-A&SKI-CPA game. Helper Key Queres: B matas a lst HK lst whch s tally empty. O recevg a helper key query B frst checks whether HK lst has cotaed a tuple for ths put. If yes the predefed value s retured to A. Otherwse t pcks HK R {0 } κ. Next t adds tuple ( HK ) to lst HK lst ad returs HK to A. Key Geerato Queres: The same as Theorem except that B ssues Helper key queres o to obta HK ad computes k 0 = F HK (0). 4.4 Chose-Cphertext Securty Smlarly to [] we ca acheve the chose-cphertext securty by applyg the techque of usg smulato-soud NIZK proofs to acheve chose-cphertext securty [4]. We ca also use other methods [5-7] to acheve greater effcecy. 5. CONCLUSION We devsed the frst ABKIE scheme a ovel ABE scheme to deal wth the lmtato of ABE wth regard to revocato. The scheme s secure agast adaptve chose cphertext attacks uder the Selectve-ID securty model. ACKNOWLEDGMENTS We thak aoymous revewers for ther valuable commets. REFERENCES. A. Saha ad B. Waters Fuzzy detty-based ecrypto Proceedgs of EURO-

12 448 JIAN-HONG CHEN YONG-TAO WANG AND KE-FEI CHEN CRYPT o Advaces Cryptology LNCS pp M. Prrett P. Trayor P. McDael ad B. Waters Secure attrbute-based systems Proceedgs of ACM Coferece o Computer ad Commucatos Securty 006 pp A. Boldyreva V. Goyal ad V. Kumar Idetty-based ecrypto wth effcet revocato 4. Y. Dods J. Katz S. Xu ad M. Yug Key-sulated publc-key cryptosystems Proceedgs of EUROCRYPT o Advaces Cryptology LNCS pp M. Bellare ad A. Palaco Protectg agast key exposure: Strogly key-sulated ecrypto wth optmal threshold 6. G. Haaoka Y. Haaoka ad H. Ima Parallel key-sulated publc key ecrypto Proceedgs of Iteratoal Coferece o Publc Key Cryptography LNCS pp J. Weg S. Lu K. Che D. Zheg ad W. Qu Idetty-based threshold key-sulated ecrypto wthout radom oracles Proceedgs of the Cryptographers Track at the RSA Coferece LNCS pp Y. Haaoka G. Haaoka J. Shkata ad H. Ima Idetty-based herarchcal strogly key-sulated ecrypto ad ts applcato Proceedgs of ASIACRYPT o Advaces Cryptology LNCS pp J. Weg S. Lu K. Che ad C. Ma Idetty-based parallel key-sulated ecrypto wthout radom oracles: securty otos ad costructo Proceedgs of the 7th Iteratoal Coferece o Cryptology Ida LNCS pp D. Boeh ad X. Boye Effcet selectve-id secure detty based ecrypto wthout radom oracles Proceedgs of EUROCRYPT o Advaces Cryptology LNCS pp O. Goldrech S. Goldwasser ad S. Mcal How to costruct radom fuctos Joural of the ACM Vol pp A. Shamr How to share a secret Commucatos of the ACM Vol. 979 pp O. Goldrech S. Goldwasser ad S. Mcal O the cryptographc applcatos of radom fuctos Proceedgs of EUROCRYPT o Advaces Cryptology LNCS pp A. Saha No-malleable o-teractve zero kowledge ad adaptve chose-cphertext securty Proceedgs of IEEE Symposum o Foudatos of Computer Scece 999 pp R. Caett S. Halev ad J. Katz Chose-cphertext securty from detty-based ecrypto Proceedgs of EUROCRYPT o Advaces Cryptology LNCS pp D. Boeh ad J. Katz Improved effcecy for CCA-secure cryptosystems bult usg detty-based ecrypto Proceedgs of the Cryptographers Track at the RSA Coferece LNCS pp X. Boye Q. Me ad B. Waters Drect chose cphertext securty from detty based techques Proceedgs of ACM Coferece o Computer ad Commucatos Securty 005 pp

ATTRIBUTE-BASED KEY-INSULATED ENCRYPTION 449 Ja-Hog Che ( ) receved hs M.S. ad B.S. degrees Computer Scece ad Egeerg from Uversty of Scece ad Techology Laog Asha Cha 00 ad 994 respectvely.

Yog-Tao Wag ( ) receved hs M.S. degree Computer Scece ad Egeerg from Xhua Uversty Cheg-du Cha 007. He s curretly a Ph.D.

D. degree from Justus Lebg Uversty Gesse Germay 994.

13 ATTRIBUTE-BASED KEY-INSULATED ENCRYPTION 449 Ja-Hog Che ( ) receved hs M.S. ad B.S. degrees Computer Scece ad Egeerg from Uversty of Scece ad Techology Laog Asha Cha 00 ad 994 respectvely. He s curretly a Ph.D. caddate at Shagha Jao Tog Uversty. Hs research terests clude publc key cryptosystem ad parg based cryptosystem. Yog-Tao Wag ( ) receved hs M.S. degree Computer Scece ad Egeerg from Xhua Uversty Cheg-du Cha 007. He s curretly a Ph.D. caddate at Shagha Jao Tog Uversty. Hs research terests clude publc key cryptosystem ad key agreemet protocol. Ke-Fe Che ( ) receved hs Ph.D. degree from Justus Lebg Uversty Gesse Germay 994. Sce 996 he came to Shagha Jao Tog Uversty ad became the Professor at the Departmet of Computer Scece ad Egeerg. Hs areas of research clude classcal ad moder cryptography theory of etwork securty etc.

Pseudo-random Functions

Pseudo-random Functions Pseudo-radom Fuctos Debdeep Mukhopadhyay IIT Kharagpur We have see the costructo of PRG (pseudo-radom geerators) beg costructed from ay oe-way fuctos. Now we shall cosder a related cocept: Pseudo-radom