Identity-Set-based Broadcast Encryption supporting Cut-or-Select with Short Ciphertext

Size: px

Start display at page:

Download "Identity-Set-based Broadcast Encryption supporting Cut-or-Select with Short Ciphertext"

Rafe Casey
6 years ago
Views:

1 Identty-Set-based Broadcast Encrypton supportng Cut-or-Select wth Short Cphertext ABSTRACT Yan Zhu, Xn Wang, RuQ Guo Unversty of Scence and Technology Bejng In ths paper we present an dentty-set-based broadcast encrypton scheme wth three workng modes: set membershp (Include-mode), all member (All-mode), and negatve membershp (Exclude-mode) over the user dentty set, smultaneously. The core of our scheme s the mplementaton of cryptographc representaton of subset by usng two aggregaton functons: Zeros-based aggregaton and Poles-based aggregaton. These two aggregaton functons are capable of compressng any subset nto one element n a blnear map group for determnng the membershp between an element and a subset. Our scheme acheves the optmal bound of O()-sze for ether cphertext (consstng of just two elements) or decrypton key (one element) for an dentty set of large sze. We prove that our scheme s secure under the General Dffe-Hellman Exponent (GDHE) assumpton. Keywords Broadcast Encrypton, Cryptographc Membershp, Aggregaton Functon. INTRODUCTION Broadcast encrypton (BE) s a group-orented cryptosystem n whch a broadcaster encrypts messages and transmts them to a group of users U who are lstenng to a broadcast channel and use ther prvate keys to decrypt receved messages. [, 2, 3] One remarkable feature of broadcast encrypton s that each user has a unque prvate key. In the publc key settng for n = U users, ths feature means that broadcast encrypton has a one-to-many (or : n) publc/prvate key structure. In other words, many dfferent prvate keys correspond to one publc key. Ths knd of key structure s completely dfferent from tradtonal : publc/prvate key structure. The benefts ganed from ths : n key structure nclude addtonal functonaltes such as trator tracng [4], dynamc revocaton, and so on. Broadcast encrypton can be wdely used n many applcaton scenaros rangng from TV subscrpton servces, DVD copyrght protecton, and encrypted fle systems, to secure communcaton of socal networks, e.g., Emal, Blog, Web communtes. Exstng broadcast encrypton schemes can be roughly categorzed nto two groups (related work s dscussed n Secton 7): Category I: Broadcast for multple desgnated recevers where a broadcast message s sent securely to a small subset of users S and S n [2, 5]; Category II: Broadcast wthout multple revoked recevers where a broadcast message s sent to all BUT a small set of revoked users R and R n [6]. D Ma Unversty of Mchgan-Dearborn dmadma@umch.edu Usually, these two categores of broadcast encrypton do not replace each other when n s large, so they can be thought as two complementary approaches. There s lttle systematc work for ntegratng these two categores of broadcast encrypton nto a secure BE system [2, 7, 8] from lterature. The two mechansms, one-tme desgnaton or ncluson (of Category I) and revocaton or excluson (of Category II) for a subset of users, are extremely mportant for large-scale IT systems wth large-sze users. For example, n emal system or Blog stes, we often communcate wth several specfed frends, but also sometmes broadcast to almost users n communty. To sum up, we lst some desrable features for developng a practcal and flexble BE scheme:. The scheme should be able to support large-sze users and new user s jonng at an arbtrary tme; 2. Two broadcast mechansms, desgnaton and revocaton, should be supported smultaneously, and the cphertext sze should be ndependent on the number of desgnated or revoked users; 3. For easy-to-use, the user s dentty (smlar as denttybased encrypton) should be employed to memory and dstngush the dfferent users; Our Motvaton and Roadmap. In ths paper our goal s to develop a new group-orented encrypton whch supports two broadcast mechansms, desgnaton and revocaton, smultaneously. We beleve that the foundaton of constructng such an encrypton system s to acheve cryptographc decsonal problem of set membershp, that s, gven a subset S and an element e n U, determne whether or not e belongs to S (.e., e S or e S) n a secure (or nondeceptve) way. Obvously, our desred cryptosystem could be constructed by solvng the above problem Fgure : Example of cryptographc representaton of subset and aggregaton functon. Our approach of solvng the above problem s to realze the cryptographc representaton of any gven subset, and then desgn a secure aggregaton functon to compress the subset nto a constant-sze random element, whch would be

2 used to construct our desred encrypton system. Further, we show an example of our approach n Fgure, n whch such an approach can be realzed by four followng steps:. Gven a set U = {e,, e n}, we map each element e nto a random pont v n cryptographc space, where the partal nformaton of these ponts s publshed as the publc key mpk (see the red ponts n Fgure ); 2. Gven a subset S U, we construct a curve c(x) through all random ponts {v } ncluded n S (see t- wo curves n Fgure, each of whch was nterpolated from ponts); 3. We ntroduce a random secret γ and then the aggregaton functon s defned as the correspondng pont c(γ) n ths curve, that s, Aggregate(mpk, S) c(γ), where mpk s the publc cryptographc parameters (see the dashed blue lne and the ntersectons of ths lne and two curves); 4. We defne the securty feature of functon that ntend to ensure the securty of aggregaton under the malcous attacks (see Defnton?? and?? n Secton??). Fnally, we expect to use ths knd of aggregaton for developng our encrypton scheme. The prvacy and randomness of aggregaton pont c(γ) wll provde guarantee for the securty of our scheme. Moreover, the compresson property of aggregaton functon can ensure the O()-sze cphertext. Our Contrbutons. In ths paper we frst present a new dentty-set-based Broadcast Encrypton (SBE) based on cryptographc decsonal problem of set membershp. By supportng both desgnaton and revocaton smultaneously, our scheme allows a nce property of Cut-or-Select. That s, a broadcaster s able to send a message to some selected users or to all but some revoked ones. In detal, our work s lsted as follows: We propose a new approach to solve cryptographc decsonal problem of set membershp by desgnng two aggregaton functons: Zeros-based aggregaton and Poles-based aggregaton. Two correspondng fast algorthms are developed to compress any subset quckly nto a constant-sze element for desgnaton and revocaton mechansms. We present the constructon of a SBE scheme wth three operaton modes over the set of user denttes: set-membershp, all member, negatve membershp for any subset of users, smultaneously. Moreover, our scheme acheve the optmal bound of O()-sze for ether cphertexts or decrypton keys. We prove the securty of two aggregaton functons and provde a complete securty proof of our SBE scheme based on general Dffe-Hellman exponent (GDHE) assumpton. Our scheme s secure for arbtrarly large colluson of corrupted users. Moreover, our experments show that our SBE scheme s smple, easy-tomplement and hgh performance, as well as short (28- byte) and constant-sze cphertext for any sze subset. Organzaton. The prelmnares and defnton of SBE are provded n Secton 2. We propose an effectve soluton for cryptographc set membershp n??. Our ISBE scheme n Secton 3. We present the securty and performance analyss n Secton 4, 5, and 6. Related work s presented n Secton 7 and Secton 8 concludes the Lab. 2. OUR DEFINITION OF SBE We now gve a formal defnton of dentty-set-based Broadcast Encrypton (SBE) wth key encapsulaton mechansm [2], whch s made up of four algorthms, shown as follows: Setup(S): takes as nput a blnear map group system S. It outputs a publc key mpk and a master secret key msk, where mpk contans a lst of user s profles pp. KeyGen(msk, ID k ): takes as nput msk and a user s dentty ID k. It outputs the user s secret key sk k and adds a user s profle pp k to pp,.e., pp = pp {pp k }. Encrypt(mpk, S, mode): takes as nput mpk, a set of user s denttes S, and a mode of operaton mode, where mode belongs to one of three modes n {u S, u ALL, u S}. It outputs a cphertext C and a random sesson key ek, where (S, mode) s ncluded n C. Decrypt(mpk, sk k, C): takes as nput mpk, a cphertext C, and a user s secret key sk k. If ths user satsfes the access mode mode then the algorthm wll decrypt the cphertext C and return a sesson key ek. In SBE scheme, the user s profle ncludes the dentty of ths user and a publc parameter generated n regstry. Our scheme makes use of these profles to realze encrypton and decrypton for a subset of users. As a group-orented cryptosystem, we employ a lst of profles to realze the management of membershps. Accordng to the dfferent of operatons, the set of users S wll be used n three cases: Include-mode (u S): used to specfy multple recevers, where S denotes a set of specfed users, such that the user u S wll be authorzed to decrypt the message. All-mode (u ALL): used to specfy all recevers, and all users s specfed to decrypt the message. Exclude-mode (u S): used to revoke multple recevers, where S denotes a set of revoked users, such that the user u S wll be authorzed to decrypt the message. Consder all possble mpk from Setup(S) (mpk, msk), a vald cphertext C from Encrypt(mpk, S, mode) (C, ek) and KeyGen(msk, ID k ) sk k. If the user s dentty ID k satsfes the operaton mode (S, mode) n C, then the decrypton algorthm wll retreve the sesson key ek,.e., [ ] Decrypt(mpk, skk, C) = ek : Pr =, mode(id k, S) = where mode(id k, S) = denotes the boolean judgment over mode := {u S, u ALL, u S} for a certan ID k and a set of user s denttes S. We now descrbe a game-based securty defnton of our SBE scheme. We defne a selectve-set model for provng the securty of SBE under chosen plantext attack (CPA). Gven a challenge cphertext C wth (S, mode), the attacker can repeatedly ask for secret keys R = {(ID, sk )} correspondng to a gven mode used n C, but we have mode(id, S) = 0 for all possble ID n the corrupted keys R, where s a user counter. The securty game follows.

3 Setup. Gven a mode and a set S, the challenger runs the Setup algorthm and gves mpk to the adversary. Learnng. The adversary makes n tmes repeated prvate keys queres for a user s dentty ID. The challenger returns KeyGen(MK, φ) (sk, pp ) f mode(id, S ) = 0. Otherwse, t merely returns a publc profle pp, where t s the number of all corrupted secret keys and S = n t. Challenge. The challenger completes Encrypt(mpk, S, mode) = (C, ek), and then flps a random con b = {0, } and sets ek b = ek and ek b to a random element of G T. The cphertext (C, ek 0, ek ) s gven to the adversary. Guess. The adversary outputs a guess b of b. The advantage of an adversary A n ths game s defned as Adv IND,mode SBE,A (n, t) = Pr[b = b] /2 for three modes. A SBE scheme s (n, t)-secure aganst colluders [3, 9] f all polynomal tme adversares have at most a neglgble advantage n the above game. 3. OUR CONSTRUCTION 3. Aggregaton Functons of Subsets In ths secton, we llustrate our basc dea to desgn cryptographc constructon for set membershp. In our dea, the core noton s cryptographc representaton of subset based on aggregaton functons. Gven a set U, an aggregaton functon s a cryptographc functon to compress the nformaton of any subset S U nto a constant-sze value. The output of aggregaton functon s called the cryptographc representaton of subset. The defnton of ths functon s stated as follows: Defnton (Aggregate functon). Let PK denote the publc key space over a group G and U = {e,, e n} be a set of elements, the functon Aggregate : PK 2 U G s a determnstc polynomal tme algorthm satsfyng: Aggregate(mpk, S) = R S, () where mpk s the publc key n PK, a subset S U, and R S s a random enough element n G to avod guessng. Ths knd of aggregaton functon s our core n our SBE scheme and foundaton of cryptographc decsonal problem of set membershp (see Secton ). In ths paper, we use ths knd of functon to buld membershp and negatve membershp. More mportantly, the constant sze cphertext can be mplemented n our SBE scheme only f the compresson property can be effcently realzed. Based on the presented approach n Secton, we present two aggregate functons, ZerosAggr and PolesAggr, that realze the decson over set membershp and negatve membershp, respectvely. Before our aggregaton functons are ntroduced, we frst gve the defnton of zeros and poles n a functon as follows: Defnton 2 (Zeros and Poles). A ratonal polynomal functon has the form H(x) = P (x) that s the quotent Q(x) of two polynomal P (x) and Q(x). We say the value z s a zero of H(x) f P (z) = 0, and z s a pole of H(x) f Q(z) = 0. Next, we propose two aggregaton functons, ZerosAggr and PolesAggr, for u {v } and u {v } as below. gven a secret γ and a subset S, we propose the defnton of aggregaton functon that can aggregate the nformaton of S nto the constant-sze value g f S (γ) based on the above polynomal f S(x). We call t the Zeros-based Aggregaton (n short, ZerosAggr) functon snce the hash values of all elements n S are used for the (negatve) zeros n the polynomal f S(x). The algorthm s defned as follows: Defnton 3 (Zeros-based Aggregaton). Gven a subset S = {e,, e m} U and a cyclc group G, an algorthm s called Zeros-based Aggregaton functon f there exsts a polynomal-tme algorthm ZerosAggr that outputs G S = ZerosAggr(mpk, S) = g γ e S (γ+x ), (2) where, mpk = {g = g γ } [, U ] s the publc parameter, g s a generator n G, x = hash(e ) and γ s a secret. Defnton 4 (Poles-based Aggregaton). Gven a subset R = {e,, e m} U and a cyclc group G, an algorthm s called Poles-based Aggregaton functon f there exsts a polynomal-tme algorthm P olesaggr that outputs H R = PolesAggr(mpk, R) = h e R (γ+x ), (3) γ+x where, mpk = {h = h } e U s the publc parameter, h s a generator n G, x = hash(e ) and γ s a secret. 3.2 Our Constructon We now present our SBE scheme wth three modes, such as Include, ALL, and Exclude. In ths scheme, we assume that each user has a unque dentty ID (e.g., emal address) and all users n cryptosystem make up a full set U = {ID,, ID n}, where the sze of U s not restrcted. Gven a subset of users S n U, we now present the SBE provdng two basc access control mechansms: set membershp decson over u S and negatve membershp decson over u S, smultaneously. Our SBE scheme s llustrated n Fgure 4. In ths scheme, we choose the blnear map system S = (p, G, G 2, G T, e(, )) of prme order p and two generators g and h n G and G 2, respectvely [0, ], where p s the order of groups. Addtonally, the algorthm wll employ a hash functon hash : {0, } Z p, mappng any dentty ID descrbed as a bnary strng to a random element x Z p, that s, x = hash(id ). Setup: we redefne two random elements G and H as the generators n G and G 2, respectvely. We requre G g and G s a secret. Let m be the maxmum number of aggregated users n the ZerosAggr algorthm. Usually, we set m n/2 because the sender can use Include-mode when the sze of S s greater than n/2. In addton, the publc profle pp s used to lst all users n system and ther publc tags,.e., {(ID, H )}. The ntal status s defned as. As a group-orented cryptosystem, the parameter pp s usually shared through publc meda, e.g., web, facebook, where each user can search hs frends profles n a convenent way. Note that, we must keep two values, G and G, secret because of the followng reasons:

4 Setup(S): chooses two elements G R G, H R G 2, and two exponents γ, R Z p. And then set R = e(g, H) and sets G k = G γk for k [, m]. The master key s outputted as msk = (γ,, G, G ) and the publc key s mpk = { S, H, R, {G k } k [,m], pp = φ }. KeyGen(msk, ID k ): Gven an user s dentty ID k, defnes x k = hash(id k ) and computers the k-th user s secret key sk k = G x k γ+x k, and H k = H γ+x k, where, pp k = (ID k, H k ) s appended to pp,.e., pp = pp {pp k }. Encrypt(mpk, S, mode): pcks a random s R Z p and executes the followng process: Case mode := (u S): nvokes PolesAggr(mpk, S) H S = H e S γ+x, then computes C = H s, and C 2 = (H S) s. Case mode := (u S): nvokes ZerosAggr(mpk, S) G S = G γ e S (γ+x ), then computes C = H s, and C 2 = (G S) s Fnally, the cphertext s publshed as C = (S, mode, C, C 2). The corresponded sesson key s ek = R s. Decrypt(mpk, sk k, C): chooses one acton from two followng cases accordng to the mode n C: Case mode := (u S): checks whether ID k s a member of S, that s, ID k S. If true, t sets S = S \ {ID k } and nvokes ZerosAggr(mpk, S ) G S = G γ e S (γ+x ). Next t retreves the sesson key ek = e(sk k, C ) e(g S, C 2). (4) Case mode := (u S): checks whether ID k satsfes the relaton ID k S. If true, t sets S + = S {ID k } and nvokes PolesAggr(mpk, S +) H S+ = H e S + (γ+x ). Next, t also retreves the sesson key ek = e(sk k, C ) e(c 2, H S+ ). (5) Fgure 2: The full constructon of set-based broadcast encrypton (SBE). When the adversary knows the value G, the decrypton s executed by usng e(g, C ) = e(g, H s ) = e(g, H) s = ek. When the adversary knows G and a sub-cphertext s C 2 = H γ+x, the decrypton s mplemented by e(g G x, C 2) = e(g γ+x, H γ+x ) = e(g, H) s = ek. We verfy that the decrypton works correctly as follows: s KeyGen: gven a unque dentty ID k, the user s secret key sk k s only an element n G. In addton, the new user s profle pp k s also appended nto pp. The Case mode := (u S): when ID k S, we have S = S \ e scheme allows addng new members nto the system {e k } and G S = G S,e e (γ+x k ) can be computed anytme, and the total number of users s unlmted n from the ZerosAggr algorthm. Based on ths value, the system. we check whether the trple (C, C 2) n cphertext Encrypt: matches the prvate key sk k by usng the sender may select one of Include and Exclude mechansms to mplement secure broadcast, where there s no lmt for the number of cut-or- e(sk k, C ) e(g S, C 2) secton users. These two mechansms employ two Aggregate functons, ZerosAggr for Exclude-mode and PolesAggr for Include-mode, whch can aggregate all nformaton of user s denttes n S nto two group elements G S and H S, respectvely. We wll ntroduce ths algorthm n detal n Secton 3.4. And then, the par (H, G S) or (H, H S) s used to generate the cphertext (C, C 2) = { (H s, (G S) s ) for (u S) (H s, (H S) s ) for (u S) Note that, a sgnfcant feature of our scheme s short and constant-sze cphertext. Decrypt: ths process only needs two steps for a successful decrypton: frstly, the recever nvokes two Aggregate functons, ZerosAggr for Include-mode and PolesAggr for Exclude-mode, taken as nput S or S +, respectvely. Secondly, the above result wll be used to decrypt the cphertext by usng two blnear maps. = e (G x k γ+x k, H s) e x k s ( G = e(g, H) γ+x k e(g, H) γ γ+x k γs γ+x k (γ+x ) e S, H s e S ) γ+x = e(g, H) s = R s = ek. Case mode := (u S): when ID k S, we have S + = S γ+x {e k } and H S+ = H k e S (γ+x ) can be computed from the P olesaggr algorthm. Based on ths value, we check whether the trple (C, C 2) n cphertext

5 matches the prvate key sk k by usng e(sk k, C ) e(c 2, H S+ ) ( = e (G x k γ+x k, H s) e G x k s = e(g, H) γ+x k e(g, H) sγ (γ+x ) e S γs γ+x k, H γ+x k ) γ+x e k S = e(g, H) s = R s = ek. In summary, our scheme s easy-to-understand and the cphertexts and decrypton keys are constant sze. 3.3 Constructon for ALL-mode We provde a soluton for mode u ALL, that means that all users can be authorzed only f everyone of them holds a vald key. Ths mode s usually realzed based on Includemode wth S = U, but t need to provde a complete lst of all users. A more effectve method s to consder ALLmode as a specal case of Exclude-mode wth S =, where denotes the empty set. The reason s that u ALL s logcally equvalent to u. In ths case, the work mode s defned as u. We provde ths process as follows: Encrypt(mpk,, u ALL): pcks a random nteger s Z p and computes the followng cpertext C = (, u ALL, C, C 2), where C = H s, C 2 = G s. The corresponded sesson key s ek = R s. Decrypt(mpk, sk k, C): When the mode u ALL n C s found, t makes use of sk k and the correspondng publc profle H k to recover ek ek = e(sk k, C 2) e(c, H k ) ( x k ) ( = e G γ+x k, H s e G sγ, H x k s γs ) γ+x k = e(g, H) γ+x k e(g, H) γ+x k = e(g, H) s = R s. In contrast wth Include-mode wth S = U, our constructon does not requre to nvoke the aggregaton functon. Moreover, the broadcaster does not need to provde (or know) a lst of all users denttes, such that the total number of recevers s unlmted n one tme broadcast. 3.4 Constructon of Aggregaton Functons Gven a subset S, the aggregate functons defned n E- quaton (2) and (3) are used repeatedly n our constructons, such that t s crucal to compute the output values (G S, H S) from the publc key mpk n an effcent way. We provde a fast recursve method to realze them as follows: 3.4. Implement of ZerosAggr functon To mplement fast ZerosAggr, we frst extract the related nformaton {G = G γ } [,m] from mpk, where γ s an unknown secret. Let S = t and we requre t < m. We provde a fast recursve way to realze the ZerosAggr functon: gven all {x = hash(e )} e S, we defne the polynomal of X as f S(X) = v S (X + x) = t k=0 a kx k (mod p) and compute the coeffcent a k Z p for all k [0, t]. We can use the recursve process to obtan these coeffcents. Let denote the value of a at the j-th cycle for j =,, t a (j) and = 0,, j. For each cycle, a new x k s appended nto the polynomal. After an ntal coeffcent s set as a (0) 0 =, the coeffcents can be computed repeatedly n each cycle as a (k) k = a (k ) k (k ) a (k) k = a (k ) k 2 + a (k ) k x k (k 2) a (k) = a (k ) 0 + a (k ) x k (k 2) a (k) 0 = a (k ) 0 x k (k ) After t cycles runnng, the value a (t) 0,, a(t) t are outputed as a 0,, a t. It s obvous that the output of ZerosAppr s G S = G γ f S (γ). In face, although γ s unknown, we make use of (G,, G m) and t < m to compute G S as followng G S = G γ f S (γ) = G γ v S (γ+x ) = G t+ k= a k γ k = t+ k= Ga k. k. (6) Note that, when S = and t = 0, the output of ths algorthm s ZerosAggr(mpk, S) = G. Ths value s used to realze the broadcast for ALL users. Algorthm ZerosAggr(mpk, S) Begn B[] = ; for s = to t do B[s + ] = B[s]; for r = s downto 2 do B[r] = B[r ] + B[r] x s; end for B[] = B[] x s; end for sum = 0; for k = to t + do sum = sum pow(g k, B[k]); end for Return sum; Fgure 3: The zeros-based aggregaton functon. Based on the above crecursve process, we present a fast algorthm, call ZoresAggr, show n Fgure 3. In ths algorthm, we desgn a double-loop structure for computng the coaffcents of F S(X), where B[] = a 0,, B[t + ] = a t. And then, the fnal result s computed by accumulatng all G a k k for k =,, t +. In ths process, the functon pow( ) s nvoked to obtan the power of element n G, that s, pow(g k, B[k]) = G B[k] k = G a k k Implement of PolesAggr functon To mplement fast aggregaton, we frst extract the related nformaton {(x, γ+x H = H )} e S from mpk. Gven H and H j, t s easy to obtan the aggregaton equaton x (H j/h ) x j = (H γ+x j γ+x /H x ) x j = H (γ+x )(γ+x j ), where x x j s a prerequste for ths equaton. The value x x j modulo p can be computed by usng extended Eucldean algorthm (called xgcd) n Z p. Next, we expand ths equaton to mult-value cases. We defne the followng denotaton B s,r, where s < r t, and B s,r =

6 rk=s (γ+x H k). In the same way, we can compute B s,r+ = (B s,r/b s+,r+) = (H = (H = H x r+ xs rk=s r+ (γ+x k) /H k=s+ (γ+x k ) x ) r+ xs (γ+xs) (γ+x x /H r+) ) r+ xs rk=s+ (γ+x k ) (γ+xs)(γ+x r+ ) rk=s+ (γ+x k ) = H r+ k=s (γ+x k ). Fnally, the output value H S = B,t can be completed by computng sequentally B s,r for s = [, t ] and r = [, t s], as well as the nducton B r,r = H r r [, t], B s,r+ = (B s,r/b s+,r+) x r+ x s, (7) s [, t ], r [, t s], where B r,r s the ntal nput H r for r = [, t]. Algorthm PolesAggr(mpk, S) Begn for r = to t do B[r] = H r end for for s = to t do for r = to t s do f x r+s = x r then Return 0. end f tmp = x r x r+s ; tmp 2 = nvert(tmp, p); tmp 3 = B[r + ]/B[r]; B[r] = pow(tmp 3, tmp 2 ); end for end for Return B[]; Fgure 4: The poles-based aggregaton functon. We provde the algorthm of the above recursve process, called PolesAggr, n Fgure 4. Ths fast algorthm s derved from Equaton (7). In the aggregaton process, double loops are used to compute the value of B[r] = B r,r+s for s =,, t and r =,, t s, repeatedly. In each cycle, the output value 0 denotes the error f there exst two equvalent values x r+s and x r. Ths means that two denttes are dentcal or a hash collson occurred, but t- wo denttes ID r+s and ID r are equvalent wth neglgble probablty accordng to the property of cryptographc hash functon. Next, two functons, nvert( ) and pow( ), are used to compute the nverse element and the power of element, that s, tmp 2 = /tmp (mod p) and B[r] = tmp tmp 2 3 G SECURE ANALYSIS 4. Securty Analyss for Our SBE Scheme We prove the semantc securty of our system by relyng on the General Dffe-Hellman Exponent (GDHE) framework n [3, 5]. We overvew the GDHE framework n Appendx A. We wll not analyze ALL-mode because ths mode can be realzed as a specal case of Exclude-mode, that s, S =. We start by defnng the followng computatonal problem. Accordng to constructon of two aggregaton functons, we assume f(x) and g(x) be two known random polynomals of respectve degree t and n t wth parwse dstnct roots, { f(x) = t = (X + x) = t =0 a X, g(x) = n t = (X + x ) = n t =0 b X. Moreover, h(x, y, z) = f(x)g(x)yz be a three-varable polynomal n a blnear group system S = (p, G, G 2, G T, e(, )). Based on these two polynomals, we provde a new computatonal problem, called GDHE problem, whch s used to prove the semantc securty of our SBE scheme for Includemode (u S). Ths problem s defned as follows: Theorem ((n, t)-gdhe Problem). Let γ, ς, Z p be three secret random varables, f(x) and g(x) are two polynomals descrbed above, and Ĝ, Ĥ be generators of S. Gven the values n (F, F 2, F 3)-GDHE problem wth F (γ, ς, ) = Ĝ, Ĝγ,, Ĝγt, Ĝγf(γ),, Ĝγm f(γ) Ĥ F 2 (γ, ς, ) =, Ĥγ,, Ĥγn, Ĥ f(γ)g(γ),, Ĥςf(γ)g(γ), Ĥςf(γ) F 3 (γ, ς, ) = e(ĝ, Ĥ)f 2 (γ)g(γ), and T R G T, decde whether e(ĝ, Ĥ)ς f 2 (γ) g(γ) = T. For any algorthm A that makes a total of at most q queres to the oracles computng the group operaton and the blnear parng, the advantage of A s AdvGDHE IND,A(n, t) (q+2s+2) 2 d, where s = n + t + m + 4 and d = 2n. 2p We provde the proof of ths theorem n Appendx B. In ths proof, we reduce ths problem to the weakest case G = G 2 = G, so that the polynomals (F, F 2, F 3, T ) n blnear map group are converted to three polynomals (P, Q, h) n blnear map group. Then we prove that h s ndependent of (P, Q) and complete the fnal proof based on Theorem 4 n Appendx. In fact, we also show the securty of ths assumpton based on the followng analyss: Consderng that ς only appears n Ĥςf(γ) and Ĥςf(γ)g(γ), we only pck them out for three followng cases: Case Ĥςf(γ) : we need to fnd Ĝf(γ)g(γ) to meet e(ĝf(γ)g(γ), Ĥ ςf(γ) ) = T. Let g(x) = n t = (x+x ) = n t =0 b x, where b 0 = x x 2 x n t 0 because all x 0. So that, ths polynomal f(x)g(x) s represented as f(x)g(x) = n t =0 a(x f(x)) = b 0f(x)+ n t, = b(x f(x)). But t s nfeasble for computng Ĝf(γ)g(γ) = (Ĝf(γ) ) b0 (Ĝγ f(γ) ) b because there dose not exst the tem Ĝf(x) from all known tems Ĝγf(γ),, Ĝγm f(γ). Case Ĥςf(γ)g(γ) : we need to fnd Ĝf(γ) to meet e(ĝf(γ), Ĥ ςf(γ)g(γ) ) = T and t s also nfeasble because f(x) = t = (x + x) = t =0 a x = t =0 a x + x t s a polynomal of degree t and a t =, such that Ĝf(γ) = t =0 (Ĝγ ) a Ĝ γt cannot be bult from all known Ĝ, Ĝγ,, Ĝγt. Lnear combnaton between Ĥςf(γ) and Ĥςf(γ)g(γ) : assume that there exst two coeffcents a, b to satsfy aγg(γ) e(ĝf(γ) γ+x bf(γ), Ĥςf(γ) ) e(ĝ γ+x, Ĥςf(γ)g(γ) ) = T aγ So that, we have + b γ+x γ+x =. To solve ths equaton, we have (a )γ 2 + (ax + b x x )γ + (bx

7 x x ) = 0. It s easy fnd that our soluton s a = and b = x = x, but t contradcts wth the assumpton of x x for all x and x n f(γ) and g(γ). Next, we provde another problem, called GDHE 2 problem, whch s used to prove the securty of our SBE scheme for negatve membershp (Exclude-mode on u S): Theorem 2 ((n, t)-gdhe 2 Problem). Let γ, ς, Z p be three secret random varables, f(x) and g(x) are two polynomals descrbed above, and Ĝ, Ĥ be generators of S. Gven the values n (F, F 2, F 3)-GDHE 2 problem wth Ĝ F (γ, ς, ) =, Ĝγ,, Ĝγt, Ĝ γf(γ),, Ĝγm f(γ), Ĝςγf 2, (γ) F 2 (γ, ς, ) = Ĥ, Ĥγ,, Ĥγn, Ĥ f(γ)g(γ),, Ĥςf(γ)g(γ) F 3 (γ, ς, ) = e(ĝ, Ĥ)f 2 (γ)g(γ), and T R G T, decde whether e(ĝ, Ĥ)ς f 2 (γ) g(γ) = T. For any algorthm A that makes a total of at most q queres to the oracles computng the group operaton and the blnear parng, the advantage of A s AdvGDHE IND 2,A(n, t) (q+2s+2) 2 d, where s = n + t + m + 4 and d = 2n. 2p We provde the proof of ths theorem n Appendx C. We here gve a smple comparson wth GDHE and GDHE 2 n Table. As seen from ths table, most of tems are shared between two problems except a slght dfferent: GDHE has a unque tem Ĝςγf 2 (γ) and GDHE 2 s Ĥςf(γ). Ths means that there s a strong correlaton between two problems. Table : Comparson wth GDHE and GDHE 2 Common Elements GDHE GDHE 2 Ĝ F, Ĝγ,, Ĝγt, Ĝ γf(γ),, Ĝγm f(γ) F 2 Ĥ, Ĥγ,, Ĥγn, Ĥ ςf(γ) Ĥ f(γ)g(γ), Ĥςf(γ)g(γ) F 3 e(ĝ, Ĥ)f 2 (γ)g(γ) Ĝ ςγf 2 (γ) We now prove the semantc securty of our SBE scheme based on the securty model n Secton 2, whch has the semantc securty aganst chosen plantext attacks (IND-CPA) wth colluders. Usually, we need two separate proofs that prove the securty of SBE scheme under two dfferent modes, Include-mode and Exclude-mode, respectvely. However, we found that these two proofs has too many smlartes accordng to the comparson result n Table. Therefore, we combne two proofs nto a full proof of our SBE scheme. Based on (n, t)-gtdhe and (n, t)-gtdhe 2, the securty of our SBE scheme satsfes the followng theorem: Theorem 3 (Securty of SBE Scheme). Our SBE scheme for both Include-mode and Exclude-mode s semantcally secure aganst chosen plantext attacks wth colluders assumng the (n, t)-gdhe and (n, t)-gdhe 2 problem s hard n S for 0 t n. The proof of ths theorem s presented n Appendx D. Note that, our scheme s secure for arbtrary large colluson of corrupted users because the number of corrupted users t s not restrcted n the above theorem. 5. PERFORMANCE EVALUATION 5. Parameter Gneraton Our scheme s constructed on the general blnear map group system S = (p, G, G 2, G T, e(, )) wth prme order p, where decsonal Dffe-Hellman s hard. We set up our systems usng blnear parngs ntroduced by Boneh and Frankln [0]. We defne the blnear parng takes the form e : E(F q) E(F q) F q 2 (The defnton gven here s from [, 2]), where p s a prme and k = 2 s the embeddng degree (or securty multpler). It turns out the total number of elements s E(F q) = q + and E(F q 2) = (q + ) 2. The order p s some prme factor of q +. We nvoke ths knd of parng drectly based on the Stanford s PBC lbrary. In order to ensure the securty of our scheme, we uses 256-bt base feld, whch s equvalent to 28-bt securty (κ=28- bt) for symmetrc encrypton [3]. 5.2 Performance Analyss We frst provde the performance analyss from two aspects: computaton costs and communcaton overheads. Here, we assume that t denotes the sze of ncluded or excluded subset and m denotes the manxum number of aggregated users. We present the computaton cost of our SBE scheme n Table 2. We use [E] to denote the computaton cost of an exponent operaton n G, namely, g x, where x s a postve nteger n Z p and g G or G T. We neglect the computaton cost of algebrac operatons and smple modular arthmetc operatons because they run fast enough [4]. The most complex operaton s the computaton of a blnear map e(, ) between two ellptc ponts (denoted as [B]). The symbols ZAgg(t) and P Agg(t) denote two aggregaton algorthms where t denotes the sze of subset. It s easy to fnd that the encrypton and decrypton costs are related to the performance of aggregaton algorthms, but f the aggregaton algorthms are excluded, all algorthms have the constant number of operatons after m, t are set. Table 2: Computaton overhead of our scheme. SBE ALL Include Exclude Setup ( + m)[e] + [B] KeyGen 2[E] Encrypt 3[E] PAgg(t)+3[E] ZAgg(t)+3[E] Decrypt 2[B] ZAgg(t)+2[B] PAgg(t)+2[B] Then, we analyze the storage and communcaton costs of our scheme. Ths means that the length of nteger s l 0 = q n Z p. Smlarly, we have l = l 2 = 2 q n G and G 2, and l T = 2 q n G T for the embeddng degree k = 2. The storage and communcaton costs of our scheme s shown n Table 3. We neglect the storage/communcaton cost of the subset of user s denttes because the sze of each dentty cannot too large as a easy-to-remember strng. It s also easy to fnd that the prvate key, the cphertext, and the sesson key has the constant and short sze (e.g., only 64-byte for a cphertext wth pont compresson) regardless of the sze of subset n cphertext. In short, our scheme has the advantages as follows: The computaton cost s low f there exst fast algorthms to realze the aggregaton of subset.

8 The tme comsumptons of Algorthm (s) Poles-based Aggregaton The number of elements n the subset The tme comsumptons of Algorthm (s) Zeros-based Aggregaton Fgure 5: Tme overheads of aggregaton functons. Table 3: The storage/communcaton overhead. Algorthm SBE Our system Setup PK l 2 + l T + ml + nl 2 (m+n+2)*64-byte mk l 0 + l T 92Byte KeyGen SK (k) l 64-Byte Encrypt C l + l 2 28-Byte Decrypt ek l T 64-Byte The sze of prvate key and cphertext s constant and short regardless of the sze of subset n cphertext. The sze of publc key s related to the sze of communty (or the total number of users). Ths s not a large problem n applcatons because the users have access to a large shared storage medum n whch the profles can be stored [2]. For example, we usually provde a on-lne search servce for - dentty query from the profle lst n publc key. In other applcatons, each user only needs to store part of profles, such as hs frends denttes, because encrypton and decrypton just need to nput a subset of specfed users rather than to know all users. 6. EXPERIMENTAL RESULTS Usng GMP and JPBC lbrares, we have developed a Java-language cryptographc lbrary upon whch our SBE cryptosystem can be constructed. Ths Java lbrary contans Parng-based algorthms on ellptc curves and has been tested on both Wndows and Mac OSX platforms. Our S- BE cryptosystem s a lghtweght software about 600 lnes of code bult on Eclpse. To evaluate the performance of our SBE cryptosystem, our experments are run n a Mac laptop wth 2.0GHz processor and 4G RAM Performance of Aggregaton Functons At frst, we evaluate the performance of two aggregaton functons. It s easy to analyze the computatonal costs of two functons from Secton 3.4: the ZeorsAggr functon needs O(t 2 ) tmes multplcaton operatons n Z p and O(t) tmes exponent operatons n G ; and the PolesAggr functon needs O(t 2 ) tmes exponent operatons n G 2 and O(t 2 ) tmes xgcd operatons n Z p. Hence, the computatonal costs of PolesAggr s far greater than (roughly t tmes as) that of ZerosAggr due to the cost of operatons n G and G 2 s much larger than that n Z p. We gve the result of experments for two aggregaton functons n Fgure 5, n whch tme consumptons of two functons are showed under the dfferent sze of subsets (from 0 to 00). From ths fgure, t s easy to fnd that the computatonal costs of ZerosAggr s proportonal to the sze of subset, and the costs of PolesAggr grows rapdly for the sustaned growth of subset szes. The memory overheads of two algorthms are proportonal to the sze of subset. These results are completely consstent wth our prevous theoretcal analyss. However, the tme consumpton s stll hgh for a large-sze subset, so that we can mprove the performance by usng parallel algorthm or fast ellptc curve algorthm Performance under Dfferent Modes We next analyze the performance of encrypton and decrypton processes accordng to three modes, ncludng ALL, Include, and Exclude n Fgure 6. The left sugfgure shows the tme consumpton of encrypton for these three modes n whch the encrypton overhead n Include-mode s greatest of all. The smlar result of decrypton s showed n the rght subfgure but the decrypton overhead n Excludemode s greatest of all nstead of Include-mode. When the system s not large, the users can choose Include-mode or Exclude-mode accordng to applcaton requrements, e.g., the Include-mode s used to reduce the overhead of decrypton for moble termnals wth lmted power (smart phone or sensor node) whle leavng heavy encrypton for hgh-power servers. In addton, the aggregaton functons could be preprocessed n some applcatons wth the fxed recevers, such that encrypton and decrypton can be acheved rapdly. The same results are lsted n Table 4. As seen from ths table, the overhead of encrypton or decrypton s constant n ALL-mode no matter how large the total number of users s n system. In Include-mode, the encrypton overhead s more hgher than that of decrypton due to the tme consumpton of PolesAggr s much larger than that of ZerosAggr. The smlar stuaton also appears n Exclude-mode where the decrypton overhead s more hgher than that of encrypton based on the same reason. However, no matter what mode we pck, the cphertext s only two ponts on an ellptc curve and the sze of cphertexts s constant for any mode Performance of SBE Cryptosystem Fnally, we provde the result of experments to llustrate the performance of our SBE cryptosystem. Our experments were mplemented by a test (and demo) routne about 000

9 The tme overheads of Encrypton Encrypton for ALL Mode Encrypton for Include Mode Encrypton for Exclude Mode The tme overheads of Decrypton Decrypton for ALL Mode Decrypton for Include Mode Decrypton for Exclude Mode The number of elements n subset The number of elements n subset Fgure 6: Tme overheads of dfferent modes. Table 4: Tme consumpton of encrypton and decrypton under the dfferent modes. Sze Encrypton Decrypton ALL Include Exclude ALL Include Exclude lnes of code. At frst, we tested the total overheads of encrypton and decrypton under the dfferent modes. As seen from left of Fgure 7, encrypton and decrypton n Includemode has the same overhead as Exclude-mode. Ths result s the same wth our theoretcal analyss. Next, we show tme consumpton of four functons, Setup, KeyGen, Encrypt and Decrypt, under dfferent sze of subsets (from 0 to 00) n rght of Fgure 7. In ths experment, we requre two functons, Setup and GenKey, deal wth all elements n a gven subsets. Ther overheads are proportonal to the subset sze but are stll small. From ths fgure, the overhead of Setup or KeyGen s far less than that of encrypton and decrypton. In summary, our experments show that our SBE scheme s smple, easy-to-mplement, and hgh performance. 7. RELATED WORK Fat and Naor [] were the frst to formally explore broadcast encrypton. They presented a prvate-key soluton whch was secure aganst a colluson of t users and has cphertext sze of O(t log 2 t log n). Naor et al. [6] presented a fully colluson secure BE system that s effcent for broadcastng to all, but a small set of revoked users. However that these systems do not support publc-key encrypton, the frst publc-key BE scheme was proposed by Dos et al. [9]. Boneh and Slverberg also show that n-lnear maps gve the ultmate fully colluson secure scheme wth constant publc key, prvate key, and cphertext sze. Soon after ths, the blnear maps became the bass for many subsequent proposals, ncludng Delerablée et al. [5] proposed dentty-based broadcast encrypton and gave a selectve CPA secure scheme. Exstng broadcast encrypton can be dvded nto two category: One category s broadcast wth multple revoked recevers, meanng that we broadcast to all but a small set of revoked users R and R n. The best known systems are the scheme of Delerablée et al.[5] whch acheves the optmal bound of O()-sze ether for cphertexts or decrypton keys for any subset of revoked users. More mportantly, several dynamc behavors, e.g., dynamc user jonng, key updatng, were supported by ther BE systems. Another category s broadcast for multple desgnated recevers, where message s sent to a small subset of users S, and S n. Untll now, the best known systems are the scheme of Boneh, Gentry and Waters [2] whch acheves O( n)-sze cphertexts and publc keys for any subset of recevers, where each user s prvate keys are of constant sze. Ther trval scheme where both cphertexts and prvate keys are of constant sze and publc key sze s lnear n total number of users s more effcent when S < O( n). However, ther upper bound on the number of possble users n must be chosen at ntalzaton tme, so that new users cannot jon dynamcally the system. In summary, these work gave us many mportant nspratons for our research. 8. CONCLUSION In ths paper we present a new group-orented cryptosystem, called set-based broadcast encrypton. Our man contrbuton s to gve the frst cryptographc constructons for the decson problem of set membershp and negatve membershp. for future work, we wll mprove the performance and apply our scheme nto some practcal applcatons, e.g., broadcastng, keyword searchng, and votng. 9. REFERENCES [] A. Fat and M Naor. Broadcast encrypton. In Advances n Cryptology (CRYPTO 93), volume 773 of LNCS, pages , 994. [2] Dan Boneh, Crag Gentry, and Brent Waters. Colluson resstant broadcast encrypton wth short cphertexts and prvate keys. In Advances n Cryptology (CRYPTO 2005), volume 362 of LNCS, pages , [3] Dan Boneh, Xaver Boyen, and Eu-Jn Goh. Herarchcal dentty based encrypton wth constant sze cphertext. In Advances n Cryptology (EUROCRYPT 2005), volume 3494 of LNCS, pages , [4] Dan Boneh and M Frankln. An effcent publc key trator tracng scheme. In Advances n Cryptology (CRYPTO 999), volume 666 of LNCS, pages , 999. [5] Cécle Delerablée. Identty-based broadcast encrypton wth constant sze cphertexts and prvate keys. In

10 The tme overheads of Encrypton&Decrypton 0 0. Encrypt&Decrypt for ALL Mode Encrypt&Decrypt for Include mode Encrypt&Decrypt for Exclude Mode The tme overheads of dfferent processes (s) Setup Functon GetKey Functon Encrypt&Decrypt for ALL Mode Encrypt&Decrypt for Include mode Encrypt&Decrypt for Exclude Mode The number of elements n subset The number of elements n subset Fgure 7: Tme overhead of Algorthms n SBE. Advances n Cryptology ASIACRYPT 2007, pages Sprnger, [6] D Naor, M. Naor, and J Lotspech. Revocaton and tracng schemes for stateless recevers. In Advances n Cryptology (Crypto 200), volume 239 of LNCS, pages 4 62, 200. [7] Duong Heu Phan, Davd Pontcheval, Samak Fayyaz Shahandasht, and Maro Strefler. Adaptve cca broadcast encrypton wth constant-sze secret keys and cphertexts. In ACISP, pages , 202. [8] Dan Boneh, Brent Waters, and Mark Zhandry. Low overhead broadcast encrypton from multlnear maps. In JuanA. Garay and Rosaro Gennaro, edtors, Advances n Cryptology C CRYPTO 204, volume 866 of Lecture Notes n Computer Scence, pages Sprnger Berln Hedelberg, 204. [9] Y. Dods and N. Fazo. Publc key broadcast encrypton for stateless receves. In Proceedngs of the Dgtal Rghts Management Workshop 2002, volume 2696 of LNCS, pages 6 80, [0] D. Boneh and M. Frankln. Identty-based encrypton from the wel parng. In Advances n Cryptology (CRYPTO 200), volume 239 of LNCS, pages , 200. [] Jean-Luc Beuchat, Ncolas Brsebarre, Jéréme Detrey, and Ej Okamoto. Arthmetc operators for parng-based cryptography. In CHES, pages , [2] Honggang Hu, Le Hu, and Dengguo Feng. On a class of pseudorandom sequences from ellptc curves over fnte felds. IEEE Transactons on Informaton Theory, 53(7): , [3] Bogdan Warnsch Gaven Watson Ngel P. Smart, Vncent Rjmen. Algorthms, key szes and parameters report. [4] Paulo S. L. M. Barreto, Steven D. Galbrath, Colm O Egeartagh, and Mchael Scott. Effcent parng computaton on supersngular abelan varetes. Des. Codes Cryptography, 42(3):239 27, APPENDIX A. GDHE ASSUMPTION We gve a rough overvew of the General Dffe-Hellman Exponent (GDHE) assumpton ntroduced by Boneh, Boyen and Goh [3] that wll be used to analyze our schemes. Let G, G T be groups of order p and e : G G G T be a nondegenerate blnear map. Defnton 5 (GDHE Problem). Let P, Q F p[x,, X m] s be two s-tuples of m-varate polynomals over F p and generators Ĝ, Ĥ G and G2, where s, m Z+. We wrte P = (p,, p s) and Q = (q,, q s). Gven a vector S = ( Ĝ P (x,,x m), e(ĝ, Ĥ)Q(x,,x m) ) G s G s T and T R G T, decde whether T = e(ĝ, Ĥ)h(x,,x m), where the polynomal h F p[x,, X m]. It s easy to fnd that almost prevous decsonal Dffe- Hellman assumptons can be reduced nto GDHE assumpton. We say that an algorthm A that outputs b {0, } has advantage n solvng the GDHE problem f AdvGDHE(A) IND = Pr[A(S, e(ĝ, Ĥ)h(x,,x m) ) = 0] Pr[A(S, T ) = 0] >. The followng theorem gves a lower bound on the advantage of a generc algorthm n solvng the decson (P, Q, h)- Dffe-Hellman problem. Theorem 4 ([3],Theorem A.2). Let P, Q F p[x,, X m] s be two s-tuples of m-varate polynomals over F p and h F p[x,, X m]. Let d = max(2d P, d Q, d h ), where d P (resp. d Q, d h ) denote the maxmal degree of elements of P (resp. of Q, h). If h s ndependent of (P, Q) then for any A that makes a total of at most q queres to the oracles (computng the group operaton n G, G T and the blnear parng e : G G G T ), one has AdvGDHE(A) IND (q+2s+2)3 d. 2p In ths theorem, we defne that a polynomal h s ndependent on the sets (P, Q) f there does not exst s 2 + s constant {a j} s,j=, {b k } s k=, such that h = s,j= ajppj + s k= b kq k. B. PROOF OF THEOREM Proof. We consder the weakest case G = G 2 = G and thus pose Ĥ = Ĝu, where u s a random varate. In the (F, F 2, F 3, T )-GDHE problem, f one replace γ by x, by v, and ς by y, we see that our problem s reformulated as (P, Q, h)-gdhe, where F, F 2 are ntegrated nto P, F 3 and

11 T correspond to Q and h, respectvely. Such that, we have, v, xv, x 2 v,, x t v, P (x, y, u, v) = xf(x),, x m f(x), uv, uvx,, uvx n, uf(x)g(x), uvyf(x), uyf(x)g(x) Q(x, y, u, v) = (, uvf 2 (x)g(x)) h(x, y, u, v) = uvyf 2 (x)g(x) where d = 2n, m = 4 and s = t + m + n + 4. Accordng to the analyss method n [3], we next show that the polynomal h s ndependent of (P, Q), that s, no coeffcents {a j} s,j=, {b k } s k= exst such that h = s,j= ajppj + s l= b lq l, where the polynomals p and q are the one lsted n P and Q above. Consderng that y only appears n (uvyf(x), uyf(x)g(x)), we must pck them out for all cases. A smple analyss method s to fnd the multples of uvy from all possble products of two polynomals (uvyf(x), uyf(x)g(x)) n P. The polynomals (uv, uvx,, uvx n ) can be excluded because (uvyf(x), uyf(x)g(x)) have contaned u. Further, the polynomals (v, xv, x 2 v,, x t v) also conflct wth uvyf(x) because they all contan v. So, we consder three cases: For the former uvyf(x), we need to fnd the polynomal h(x, y, u, v)/uvyf(x) = f(x)g(x). Let g(x) = n t = (x+ x ) = n t =0 b x, where b 0 = x x 2 x n t 0 because all x 0. So, f(x)g(x) s represented as f(x)g(x) = n t =0 a(x f(x)) = b 0f(x)+ n t = b(x f(x)). but t s nfeasble for computng t because there dose not exst the polynomal f(x) n P (x, y, u, v) even though we can get (xf(x),, x l f(x)) from P (x, y, u, v). For the latter uyf(x)g(x), we need to fnd the polynomal h(x, y, u, v)/uyf(x)g(x) = vf(x) and t s also nfeasble because the polynomal f(x) = t = (x+x) = t =0 a x = t =0 a x + x t, whch s a polynomal of t degree and a t =, cannot be bult from (v, xv,, x t v). For lnear combnaton between uvyf(x) and uyf(x)g(x), assume that there exst two coeffcents a, b to satsfy h(x, y, u, v) = a uvyf(x) p + b uyf(x)g(x) p 2. So that, we have vf(x)g(x) = avp + bg(x)p 2. To satsfy t, p s merely derved from (xf(x),, x l f(x)) and p 2 s from (v, xv,, x t v). Ths means xf(x) p. Next we have avp = g(x)(vf(x) bp 2), so we have g(x) p. These two results show xf(x)g(x) p. Snce p g(x)(vf(x) bp 2), we have xf(x) (vf(x) bp 2). However, we know p 2 s a polynomal of x wth at most degree t, so (vf(x) bp 2) s a polynomal of x wth degree t. Ths s a contradcton wth the fact that xf(x) has degree t +. Hence, no lnear combnaton among the polynomals from the known P, Q loads to h. Ths means that h s ndependent of (P, Q). Therefore, we obtan the advantage of the adversary AdvGDHE IND,A(n, t) (q+2s+2)3 d accordng to Theorem 2p (4). C. PROOF OF THEOREM 2 Proof. Ths proof s smlar to the prevous proof. We also consder the weakest case G = G 2 = G. We see that our problem (F, F 2, F 3, T )-GDHE s reformulated as (P, Q, h)- GDHE, where the result after converson s, v, xv, x 2 v,, x t v, P (x, y, u, v) = xf(x),, x m f(x), uv, uvx,, uvx n, uf(x)g(x), yxf 2 (x), uyf(x)g(x) Q(x, y, u, v) = (, uvf 2 (x)g(x)) h(x, y, u, v) = uvyf 2 (x)g(x) where d = 2n, m = 4 and s = n + t + m + 4. We show that the polynomal h s ndependent of (P, Q). Consderng that y only appears n (yxf 2 (x), uyf(x)g(x)), we must pck them out for all cases. Next, there only exst the polynomals, (uv, uvx,, uvx n ), whch contan uv, so we have the canddate combnaton between yxf 2 (x) and these polynomals, but the combnaton between uyf(x)g(x)) and them wll be excluded. Such that, we only need to consder three cases: For the former (yxf 2 (x), we need to fnd the polynomal h(x, y, u, v)/yxf 2 (x) = uvg(x)/x, but t s nfeasble for all (uv, uvx,, uvx n ) because g(x) = n t = (x + x ) s not dvsble by x when all x 0 for =,, n t. For the latter uyf(x)g(x)), we need to fnd the polynomal h(x, y, u, v)/uyf(x)g(x) = vf(x) and t s also nfeasble because f(x) = t = (x + x) = t =0 ax = x t + t =0 ax, whch s a polynomal of t degree, cannot be bult from (v, xv,, x t v). For lnear combnaton between yxf 2 (x) and uyf(x)g(x), assume that there exst two coeffcents a, b to satsfy h(x, y, u, v) = a(yxf 2 (x))(uv g(x) )+b(uyf(x)g(x))( vf(x) x+x x+x ). ax So that, we have + b x+x x+x =. To solve ths equaton, we have (a )x 2 + (ax + b x x )x + (bx x x ) = 0. It s easy fnd that our soluton s a = and b = x = x, but t contradcts wth the assumpton of x x for all x and x n f(x) and g(x). Hence, no lnear combnaton among the polynomals from P, Q loads to h. Ths also means that h s ndependent of (P, Q). Therefore, we obtan the advantage of adversary AdvGDHE IND 2,A(n, t) (q+2s+2)3 d accordng to Theorem 2p (4). D. PROOF OF THEOREM 3 Proof. Suppose there exsts an adversary A can break the securty of our SBE scheme wth the advantage Adv IND,mode SBE,A (n, t) for ether Include-mode or Exclude-mode. Our objectve s to buld a PPT algorthm B to solve the above (n, t)-gdhe or (n, t)-gdhe 2 problem by usng the advantage of A. S- nce there merely exsts a slght dfferent between GDHE and GDHE 2: Ĥ ςf(γ) les n GDHE but 2 Ĝςγf (γ) n GDHE 2 (see Table ), such that we merge them nto one complete proof, as follows: Intal. Accordng to the assumpton that B s gven as nput an (n, t)-gdhe or (n, t)-gdhe 2 nstance. From ths nstance, B does not know γ, ς, but knows 2n random ntegers x, x, a, b Z p n f(x) and g(x), where any parwse (x, x ) are not equal to each other. Frstly, B defnes a set of denttes U, and then requre A

Cryptanalysis of pairing-free certificateless authenticated key agreement protocol

Cryptanalysis of pairing-free certificateless authenticated key agreement protocol Cryptanalyss of parng-free certfcateless authentcated key agreement protocol Zhan Zhu Chna Shp Development Desgn Center CSDDC Wuhan Chna Emal: zhuzhan0@gmal.com bstract: Recently He et al. [D. He J. Chen