On Enabling Attribute-Based Encryption to Be Traceable against Traitors


Zhen Liu¹ and Duncan S. Wong²

¹ Shanghai Jiao Tong University, China. liuzhen@sjtu.edu.cn
² CryptoBLK. duncanwong@cryptoblk.io

Abstract. Attribute-Based Encryption (ABE) is a versatile one-to-many encryption primitive which enables fine-grained access control over encrypted data. Due to its promising applications in practice, ABE has been attracting much attention in the community, and schemes with better security, access policy expressivity, and efficiency have been continuously emerging. On the other hand, due to the nature of ABE, namely that different users may share some common decryption privileges and a malicious user may leak some common decryption privileges for financial gain or other incentives, being able to identify such malicious users (i.e. traitor tracing) is crucial to the practicality of an ABE system. For some existing ABE schemes with appealing properties (e.g. full security, large universe), the corresponding traceable counterparts have been proposed. However, these works proceed case by case, and there are still many appealing ABE schemes that have no traceable counterparts. Furthermore, when any new ABE scheme emerges and we want to apply it in practice, it will take significant workload to investigate and propose its traceable counterpart. In this paper, we propose a framework to transform existing (and possibly future) ABE schemes to their traceable counterparts in a generic manner. In particular, by specifying some requirements on the structure of the ABE constructions, we propose an ABE template, and show that any ABE scheme satisfying this template can be transformed to a fully collusion-resistant blackbox traceable ABE scheme in a generic manner, at the cost of sublinear overhead, while keeping the appealing properties, such as fine-grained access control on encrypted data, highly expressive access policy, short ciphertext, and so on. We prove the security in the framework all in the standard model, and we present a couple of existing ABE schemes with appealing properties as examples that do satisfy our ABE template.

Keywords: Attribute-Based Encryption, Traitor Tracing, Framework

1 Introduction

Attribute-Based Encryption (ABE), introduced by Sahai and Waters [29], is a versatile one-to-many encryption primitive which enables fine-grained access control over encrypted data. Due to its promising applications in practice, ABE has been attracting much attention in the community and undergoing a significant development. Among the recently proposed ABE schemes [29,13,5,10,12,30,18,27,14,3,19,31,15,28,16,1], progress has been made on the schemes' security, access policy expressivity, and efficiency. For example, Lewko et al. [18] proposed the first fully secure ABE schemes, Lewko and Waters [19] proposed a new proof technique for achieving full security for ABE, Attrapadung et al. [3] proposed the first expressive Key-Policy ABE (KP-ABE) with constant-size ciphertexts, Rouselakis and Waters [28] proposed the first large universe ABE³ schemes which impose no limitations on the attribute sets or the access policies, Waters [31] proposed the first ABE scheme supporting regular languages as the access policy while the previous works support at most boolean formulas, and Attrapadung [1] proposed a series of fully secure ABE schemes which support regular languages, constant size ciphertexts, or large universe.

³ In a large universe ABE scheme, the attribute universe can be exponentially large, any string can be used as an attribute, and attributes do not need to be pre-specified during setup.

As security, access policy expressivity, and efficiency are the three preliminary directions for ABE research, traitor tracing is a compulsory requirement for practical ABE schemes. In particular, using Ciphertext-Policy ABE (CP-ABE) [13,5] as an example, ciphertext access policies do not have to contain any receivers' identities, and more commonly, a CP-ABE policy is role-based and attributes are shared between multiple users. For example, the user with attributes {Bob, Mathematics, PhD Student} and the user with attributes {Carl, Mathematics, PhD Student} share the attributes {Mathematics, PhD Student}, and both of them can decrypt the ciphertext with policy (Mathematics AND PhD Student) OR Alumni. In practice, a malicious user whose attributes are shared with multiple other users might leak a decryption blackbox/device built from the user's decryption key, for financial gain or some other form of incentive, as the malicious user has little risk of being identified out of all the users who can build a decryption blackbox with identical decryption capability. Being able to identify this malicious user (referred to as a traitor) is crucial to the practicality of an ABE system.

With a series of works [21,20,22,23,25,24], Liu et al. formalized the problem of traitor tracing for ABE and proposed counterparts supporting traitor tracing for some existing appealing ABE schemes. For example, [20,23] add fully collusion-resistant blackbox traceability to the fully secure CP-ABE scheme in [18], and [24] adds fully collusion-resistant blackbox traceability to the large universe CP-ABE scheme in [28]. Note that the schemes in [20,22,23,25,24] achieve fully collusion-resistant blackbox traceability⁴ at the cost of sublinear (i.e. linear in the square root of the number of users in the system) overhead, which is the most efficient level to date.

⁴ Fully collusion-resistant traceability means that the number of colluding users in constructing a decryption device is not limited and can be arbitrary.

While Liu et al. [21,20,22,23,25,24] transformed several existing appealing ABE schemes to their traceable counterparts, there are still many other appealing ABE schemes for which no traceable counterparts have been proposed, for example, the fully secure ABE schemes in [1] which support regular languages, large universe, or constant size ciphertexts. Furthermore, we believe that in the future more and newer ABE schemes with better security, expressivity, efficiency and other appealing features will appear, and to be practical, these existing and future ABE schemes also need to be traceable against traitors. Investigating these schemes and proposing the traceable counterparts one by one will be a heavy workload.

In this paper, we make an attempt to propose a framework to transform existing and future ABE schemes to their traceable counterparts in a generic manner. In particular, by specifying some requirements on the structure of the ABE constructions, we propose an ABE template, and show that any ABE scheme satisfying this template can be transformed to a fully collusion-resistant blackbox traceable ABE scheme in a generic manner, at the cost of sublinear overhead, while keeping the appealing properties of the underlying ABE schemes, such as fine-grained access control on encrypted data, highly expressive access policy, short ciphertext, and so on. The contributions of this framework are twofold:

- For the existing ABE schemes satisfying the template, the traceable counterparts can be given directly by applying the transformation framework. We indeed show that the appealing ABE schemes in [1], which are fully secure and support regular languages, constant size ciphertexts, or large universe, do satisfy this template. In addition, we also show that the large universe CP-ABE scheme by Rouselakis and Waters [28] satisfies this template.
- For the existing ABE schemes not satisfying the template and the potential future ABE schemes, this framework provides a target which they can try to achieve and then also be transformed to a traceable one.

1.1 Our Results

First, as shown in "1. Definition" of Fig. 1, we define Traceable ABE by extending the definition of Conventional (non-traceable) ABE, i.e., (a) predefining the number of users in the system, (b) indexing the users with unique indexes, and (c) adding a tracing algorithm. As predefining the number of users in the system is a necessary setting for achieving blackbox traceability and does not undermine the capacity of ABE, i.e. enabling fine-grained access control on encrypted data, the Traceable ABE has the appealing properties of conventional ABE and additionally supports blackbox traceability. This part is presented in Sec. 2.

Fig. 1. Outline (figure reconstructed as text):
  Conventional (non-traceable) ABE
    1. Definition: (a) predefine the number of users in the system; (b) index the users with unique indexes; (c) add a tracing algorithm
    -> Traceable ABE: (a) appealing properties of ABE; (b) blackbox traceability
  2. Generic Construction/Transformation
    2-1. Definition: (a) modify the Encrypt algorithm to take one more parameter, an encryption index; (b) define the message-hiding and index-hiding properties
    -> Augmented ABE: (a) message-hiding; (b) index-hiding
    2-2. Transformation: an Augmented ABE scheme with the message-hiding and index-hiding properties implies a Traceable ABE scheme with blackbox traceability.
    2-3. Generic Transformation: (a) define an ABE template for conventional non-traceable ABE; (b) propose a generic framework that transforms the ABE template to Augmented ABE, which will imply Traceable ABE; (c) enumerate a series of existing ABE schemes as instances of the ABE template.
  A conventional non-traceable ABE scheme complying with our ABE template can be transformed to a Traceable ABE scheme by the transformation in 2-3 and then 2-2.

The aim of this work is to transform existing (and even some future) conventional non-traceable ABE schemes to traceable counterparts, i.e. to propose a generic framework that enables ABE schemes to be traceable, as shown in "2. Generic Construction/Transformation" of Fig. 1. This aim is achieved in two steps. First, as shown in "2-1 Definition" and "2-2 Transformation" of Fig. 1, we define a simpler primitive called Augmented ABE (or AugABE for short) and show that an Augmented ABE implies a Traceable ABE. This part is presented in Sec. 3. Then, as shown in "2-3 Generic Transformation" of Fig. 1, we propose a generic framework to transform Conventional (non-traceable) ABE to Augmented ABE. This part is presented in Sec. 4. Thus, for the conventional non-traceable ABE schemes that satisfy the proposed ABE template, the "2-3 Generic Transformation" will transform them to Augmented ABE counterparts, and then the "2-2 Transformation" will transform those Augmented ABE schemes to the corresponding Traceable ABE schemes, which keep the appealing properties of the corresponding conventional non-traceable ABE schemes and additionally support blackbox traceability.

More specifically, in Sec. 2.1, we present a general ABE definition which covers a variety of ABE systems, including CP-ABE, KP-ABE, ABE supporting boolean formulas, ABE supporting regular languages, etc., and has the potential for supporting blackbox traceability. Namely, we define a functional ABE system, which is identical to conventional non-traceable ABE, except that each user/decryption key is assigned and identified by a unique index k ∈ {1, ..., K} (K is the number of users in the system). Note that predefining the number of users K in the system is a necessary setting for achieving blackbox traceability; in practice this should not incur much concern, and it does not undermine the capacity of ABE, i.e. enabling fine-grained access control on encrypted data. In other words, except for this necessary setting, the functional ABE has all the appealing properties of conventional ABE, and additionally, as each user/decryption key is uniquely indexed, this functional ABE can support blackbox traceability and is referred to as Traceable ABE, as defined in Sec.

In Sec. 3.1, we define Augmented ABE by modifying the definition of Traceable ABE. In particular, Augmented ABE has four algorithms (Setup_A, KeyGen_A, Encrypt_A, Decrypt_A), where the setup, key generation,

and decryption algorithms, i.e., Setup_A, KeyGen_A, and Decrypt_A, are the same as those of the Traceable ABE. The encryption algorithm Encrypt_A takes one more parameter k̄ ∈ {1, ..., K + 1} than the original one in Traceable ABE, and the decryption criterion in Augmented ABE is changed in such a way that a message encrypted using ciphertext tag Y and encryption index k̄ can be recovered using a decryption key SK_{k,X}, which is identified by index k ∈ {1, ..., K} and associated with a key tag X, only if (X matches Y) ∧ (k ≥ k̄), where "X matches Y" is the standard decryption criterion for conventional ABE and k ≥ k̄ is an additional requirement incurred by the encryption index k̄. We define the message-hiding and (encryption-)index-hiding properties of Augmented ABE in Sec. 3.1, and in Sec. 3.2 we show that a message-hiding and index-hiding Augmented ABE scheme, say Σ_A = (Setup_A, KeyGen_A, Encrypt_A, Decrypt_A), implies a secure Traceable ABE scheme Σ = (Setup_A, KeyGen_A, Encrypt, Decrypt_A), where the encryption algorithm Encrypt is derived from Encrypt_A by always setting the encryption index to 1, and the tracing algorithm Trace is built on Encrypt_A by producing ciphertexts with index k̄ ∈ {1, ..., K + 1} and feeding these ciphertexts to the decryption blackbox. The message-hiding property of Augmented ABE guarantees the security of the derived Traceable ABE, and the index-hiding property of Augmented ABE guarantees the traceability of the derived Traceable ABE. The definitions of Traceable ABE in Sec. 2, the definitions of Augmented ABE in Sec. 3.1, and the reduction of Traceable ABE to Augmented ABE in Sec. 3.2 are similar to previous work in [20,22,23,25,24]. While [20,23,25,24] focus on CP-ABE and [22] focuses on KP-ABE, this paper formalizes the definitions of Traceable ABE and Augmented ABE and the reduction of Traceable ABE to Augmented ABE in the most generic manner, which covers all kinds of ABE, including CP-ABE, KP-ABE, ABE supporting boolean formulas, ABE supporting regular languages, etc.

While re-formalizing these preliminaries is a necessary part, the major contribution of this paper lies in the generic transformation of Conventional (non-traceable) ABE to Augmented ABE, i.e. the "2-3" part in Fig. 1. In particular:

- We define an ABE template for Conventional (non-traceable) ABE. The template represents a type of ABE construction technique, so that it covers not only many existing important ABE schemes with appealing properties, but also some possible future ABE schemes which take this template and the corresponding construction techniques into account when designed.
- We propose a generic framework that transforms the ABE template to Augmented ABE. This means that all the ABE schemes falling in the template can be transformed to their traceable counterparts, enjoying their original appealing properties and additionally fully collusion-resistant blackbox traceability. The overhead for the transformation (i.e. the overhead for the fully collusion-resistant blackbox traceability) is linear in √K, i.e. the resulting Traceable ABE schemes achieve the most efficient level to date for fully collusion-resistant blackbox traceable systems.
- We prove the message-hiding and index-hiding properties of the resulting Augmented ABE in the standard model. The outline of the security analysis is given later in Fig. 2.
- We show that some existing appealing ABE schemes, i.e. the ones in [1] which are fully secure and support regular languages, constant size ciphertexts, and large universe, satisfy our ABE template. That is, we can obtain the traceable counterparts of these appealing ABE schemes by applying our generic transformation framework. To cover the appealing ABE schemes in [1], the template, as well as the generic transformation and the proof, are described on composite order groups. To be more general, we show that the template, the transformation, and the proof also work well for schemes on prime order groups, and present the large universe CP-ABE scheme of Rouselakis and Waters [28] as an example.

We do not want to oversell our asymptotic result. Our method/framework considers and works for a subset of pairing-based ABE schemes, namely those ABE schemes complying with our non-traceable ABE template, rather than ALL ABE schemes. For example, our framework is not applicable to the lattice-based ABE schemes (e.g. [9]). Actually, so far there are no known results on lattice-based ABE schemes with traitor tracing. We would like to view our asymptotic result mainly as a stepping stone towards building practical ABE schemes. In particular, in retrospect, the ABE schemes by Waters [30], Lewko et al. [18], Lewko and Waters [19], Attrapadung [1], and so on, represent one of the main branches of ABE development, as well as a branch

of pairing-based ABE design/construction methods, and it is reasonable to believe that new ABE schemes in this branch will be proposed in the future. While these ABE schemes have been getting better security, policy expressivity, and/or efficiency, they did not consider or support traitor tracing, and this seriously limits their applicability in practice. Our asymptotic result enables the ABE schemes following this branch to have traitor tracing functionality, while leaving it as future work to further reduce the overhead incurred by the traitor tracing functionality and to make other types of ABE schemes (e.g. the lattice-based ones) support traitor tracing.

2 ABE and Blackbox Traceability

In this section, we define a functional ABE and its security, which are similar to Conventional (non-traceable) ABE (e.g. [19,28]), except that we explicitly assign and identify users using unique indices. Then we formalize the fully collusion-resistant traceability for this functional ABE. To be as general as possible, in the definitions of this functional ABE we use the terms "ciphertext tag" and "key tag", rather than "access policy" and "attributes". When the ciphertext tag is an attribute set and the key tag is a Boolean formula, it is a KP-ABE supporting Boolean formulas as policy; when the ciphertext tag is a Deterministic Finite Automaton (DFA) and the key tag is a string, it is a CP-ABE supporting DFAs as policy; and so on.

2.1 Attribute-Based Encryption and its Security

Attribute-Based Encryption Syntax. Given integers a and b where a ≤ b, let [a, b] be the set {a, a + 1, ..., b}. Also, we use [b] to denote the set {1, 2, ..., b}. Let relation Γ : 𝒳 × 𝒴 → {0, 1} be a predicate function that maps a pair of a key tag in a space 𝒳 and a ciphertext tag in a space 𝒴 to {0, 1}. An Attribute-Based Encryption (ABE) scheme for predicate Γ consists of the following algorithms:

Setup(λ, Γ, K) → (PP, MSK). The algorithm takes as input a security parameter λ, a predicate Γ, and the number of users in the system K, runs in polynomial time in λ, and outputs a public parameter PP and a master secret key MSK.

KeyGen(PP, MSK, X) → SK_{k,X}. The algorithm takes as input PP, MSK, and a key tag X ∈ 𝒳, and outputs a secret key SK_{k,X} corresponding to X. The secret key is assigned and identified by a unique index k ∈ [K].

Encrypt(PP, M, Y) → CT_Y. The algorithm takes as input PP, a message M, and a ciphertext tag Y ∈ 𝒴, and outputs a ciphertext CT_Y. Y is included in CT_Y.

Decrypt(PP, CT_Y, SK_{k,X}) → M or ⊥. The algorithm takes as input PP, a ciphertext CT_Y, and a secret key SK_{k,X}, and outputs a message M or ⊥ indicating the failure of decryption.

Correctness. For all X ∈ 𝒳, Y ∈ 𝒴, and messages M, suppose (PP, MSK) ← Setup(λ, Γ, K), SK_{k,X} ← KeyGen(PP, MSK, X), CT_Y ← Encrypt(PP, M, Y). If Γ(X, Y) = 1 then Decrypt(PP, CT_Y, SK_{k,X}) = M.

Security. The security of an ABE scheme for predicate Γ is defined using the following message-hiding game, which is a typical semantic security game and is similar to that for conventional ABE [19,28] security.

Game_MH. The message-hiding game is defined between a challenger and an adversary A as follows:

Setup. The challenger runs Setup(λ, Γ, K) and gives the public parameter PP to A.

Phase 1. For i = 1 to Q_1, A adaptively submits (index, key tag) pairs (k_i, X_{k_i}) to ask for a secret key for key tag X_{k_i}. For each (k_i, X_{k_i}) pair, the challenger responds with a secret key SK_{k_i, X_{k_i}}, which corresponds to key tag X_{k_i} and has index k_i.

Challenge. A submits two equal-length messages M_0, M_1 and a ciphertext tag Y. The challenger flips a random coin b ∈ {0, 1}, and sends CT_Y ← Encrypt(PP, M_b, Y) to A.

Phase 2. For i = Q_1 + 1 to Q, A adaptively submits (index, key tag) pairs (k_i, X_{k_i}) to ask for a secret key for key tag X_{k_i}. For each (k_i, X_{k_i}) pair, the challenger responds with a secret key SK_{k_i, X_{k_i}}, which corresponds to key tag X_{k_i} and has index k_i.

Guess. A outputs a guess b' ∈ {0, 1} for b. A wins the game if b' = b under the restriction that none of the queried pairs {(k_i, X_{k_i})}_{i=1}^{Q} can satisfy Γ(X_{k_i}, Y) = 1. The advantage of A is defined as MHAdv_A = |Pr[b' = b] − 1/2|.

Definition 1. A K-user ABE scheme for predicate Γ is secure if for all probabilistic polynomial time (PPT) adversaries A, MHAdv_A is negligible in λ. We say that a K-user ABE scheme for predicate Γ is selectively secure if we add an Init stage before Setup where the adversary commits to the challenge ciphertext tag Y.

Remark: As pointed out in previous work [20,22,23,25,24], (1) although the KeyGen algorithm is responsible for determining/assigning the index of each user's secret key, to capture the security that an adversary can adaptively choose secret keys to corrupt, the above model allows A to specify the index when querying for a key, i.e., for i = 1 to Q, A submits pairs (k_i, X_{k_i}) for secret keys with key tags X_{k_i}, and the challenger assigns k_i to be the index of the corresponding secret key, where Q ≤ K, k_i ∈ [K], and k_i ≠ k_j ∀ 1 ≤ i ≠ j ≤ Q (this is to ensure that each user/key can be uniquely identified by an index). (2) For k_i ≠ k_j it is not required that X_{k_i} ≠ X_{k_j}, i.e., different users/keys may have the same key tag.

2.2 Blackbox Traceability

A ciphertext-tag-specific decryption blackbox D is described by a ciphertext tag Y_D and a noticeable probability value ɛ (i.e. ɛ = 1/f(λ) for some polynomial f), and this blackbox D can decrypt ciphertexts generated under Y_D with probability at least ɛ. Such a blackbox can reflect most practical scenarios, which include the key-like decryption blackbox for sale and the decryption blackbox found in the wild, which are discussed in [20,23]. In particular, once a blackbox is found to be useful, i.e. able to decrypt ciphertexts (regardless of how this is found; for example, an explicit description of the blackbox's decryption ability is given, or the law enforcement agency finds some clue), we can regard it as a ciphertext-tag-specific decryption blackbox with the corresponding ciphertext tag, which is associated to the ciphertexts that it can decrypt. We now define the tracing algorithm and traceability against ciphertext-tag-specific decryption blackboxes.

Trace^D(PP, Y_D, ɛ) → K_T ⊆ [K]. Trace is an oracle algorithm that interacts with a ciphertext-tag-specific decryption blackbox D. Given the public parameter PP, a ciphertext tag Y_D, and a probability value ɛ, the algorithm runs in time polynomial in λ and 1/ɛ, and outputs an index set K_T ⊆ [K] which identifies the set of malicious users. Note that ɛ has to be polynomially related to λ, i.e. ɛ = 1/f(λ) for some polynomial f.

Traceability. The following tracing game captures the notion of fully collusion-resistant traceability against ciphertext-tag-specific decryption blackboxes. In the game, the adversary aims to build a decryption blackbox D that can decrypt ciphertexts under some ciphertext tag Y_D. The tracing algorithm, on the other side, is designed to extract the index of at least one of the malicious users whose decryption keys have been used for constructing D.

Game_TR. The tracing game is defined between a challenger and an adversary A as follows:

Setup. The challenger runs Setup(λ, Γ, K) and gives the public parameter PP to A.

Key Query. For i = 1 to Q, A adaptively submits (index, key tag) pairs (k_i, X_{k_i}) to ask for a secret key for key tag X_{k_i}. For each (k_i, X_{k_i}) pair, the challenger responds with a secret key SK_{k_i, X_{k_i}}, which corresponds to key tag X_{k_i} and has index k_i.

Decryption Blackbox Generation. A outputs a decryption blackbox D associated with a ciphertext tag Y_D and a non-negligible probability value ɛ.

Tracing. The challenger runs Trace^D(PP, Y_D, ɛ) to obtain an index set K_T ⊆ [K].

Let K_D = {k_i | 1 ≤ i ≤ Q} be the index set of the secret keys corrupted by the adversary. We say that A wins the game if the following two conditions hold:

1. Pr[D(Encrypt(PP, M, Y_D)) = M] ≥ ɛ, where the probability is taken over the random choice of the message M and the random coins of D. A decryption blackbox satisfying this condition is said to be a useful ciphertext-tag-specific decryption blackbox.
2. K_T = ∅, or K_T ⊄ K_D, or Γ(X_{k_t}, Y_D) ≠ 1 ∀ k_t ∈ K_T.

We denote by TRAdv_A the probability that A wins.

Remark: For a useful ciphertext-tag-specific decryption blackbox D, the traced K_T must satisfy (K_T ≠ ∅) ∧ (K_T ⊆ K_D) ∧ (∃ k_t ∈ K_T s.t. Γ(X_{k_t}, Y_D) = 1) for traceability. (1) (K_T ≠ ∅) ∧ (K_T ⊆ K_D) captures the preliminary traceability that the tracing algorithm can extract at least one malicious user and the coalition of malicious users cannot frame any innocent user. (2) ∃ k_t ∈ K_T s.t. Γ(X_{k_t}, Y_D) = 1 captures the strong traceability that the tracing algorithm can extract at least one malicious user whose secret key enables D to have the decryption ability corresponding to Y_D. We refer to [17,20] for why strong traceability is desirable. Note that, as in [7,8,11,17,20], we are modeling a stateless (resettable) decryption blackbox: such a blackbox is just an oracle and maintains no state between activations. Also note that we are modeling public traceability, namely, the Trace algorithm does not need any secrets and anyone can perform the tracing.

Definition 2. A K-user ABE scheme for predicate Γ is traceable against ciphertext-tag-specific decryption blackboxes if for all PPT adversaries A, TRAdv_A is negligible in λ. We say that a K-user ABE scheme for predicate Γ is selectively traceable against ciphertext-tag-specific decryption blackboxes if we add an Init stage before Setup where the adversary commits to the ciphertext tag Y_D.

3 Augmented Attribute-Based Encryption

As outlined in Sec. 1.1, we now define Augmented ABE (or AugABE for short) from the ABE above and formalize its message-hiding and index-hiding notions, then show that a message-hiding and index-hiding AugABE can be transformed to a secure ABE with blackbox traceability.

3.1 Definitions

An AugABE scheme has four algorithms: Setup_A, KeyGen_A, Encrypt_A, and Decrypt_A. The setup algorithm Setup_A and the key generation algorithm KeyGen_A are the same as those of ABE, respectively. The encryption algorithm takes one more parameter k̄ ∈ [K + 1] as input, and is defined as follows.

Encrypt_A(PP, M, Y, k̄) → CT_Y. The algorithm takes as input PP, a message M, a ciphertext tag Y, and an index k̄ ∈ [K + 1], and outputs a ciphertext CT_Y. Y is included in CT_Y, but the value of k̄ is not.

The decryption algorithm Decrypt_A is also defined in the same way as that of ABE. However, the correctness definition is changed to the following.

Correctness. For all X ∈ 𝒳, Y ∈ 𝒴, k̄ ∈ [K + 1], and messages M, suppose (PP, MSK) ← Setup_A(λ, Γ, K), SK_{k,X} ← KeyGen_A(PP, MSK, X), CT_Y ← Encrypt_A(PP, M, Y, k̄). If (Γ(X, Y) = 1) ∧ (k ≥ k̄) then Decrypt_A(PP, CT_Y, SK_{k,X}) = M.

Note that during decryption, as long as Γ(X, Y) = 1, the decryption algorithm outputs a message, but only when k ≥ k̄ is the output message equal to the correct message; that is, k ≥ k̄ is an additional condition, and SK_{k,X} can correctly decrypt a ciphertext under (Y, k̄) if and only if (Γ(X, Y) = 1) ∧ (k ≥ k̄). If we always set k̄ = 1, the functions of AugABE are identical to those of ABE. In fact, the idea behind transforming an AugABE to a traceable ABE, which we will show shortly, is to construct an AugABE with the index-hiding property, and then always set k̄ = 1 in normal encryption, while using k̄ ∈ [K + 1] to generate ciphertexts for tracing.

Security. We define the security of AugABE in three games. The first game is a message-hiding game and says that a ciphertext created using index 1 is unreadable to the users whose key tags do not satisfy

the ciphertext tag. The second game is a message-hiding game and says that a ciphertext created using index K + 1 is unreadable by anyone. The third game is an index-hiding game and captures the intuition that a ciphertext created using index k̄ reveals no non-trivial information about k̄.

Game^A_MH1. The message-hiding game Game^A_MH1 is similar to Game_MH except that the Challenge phase is:

Challenge. A submits two equal-length messages M_0, M_1 and a ciphertext tag Y. The challenger flips a random coin b ∈ {0, 1}, and sends CT_Y ← Encrypt_A(PP, M_b, Y, 1) to A.

A wins the game if b' = b under the restriction that none of the queried pairs {(k_i, X_{k_i})}_{i=1}^{Q} can satisfy Γ(X_{k_i}, Y) = 1. The advantage of A is defined as MH^A_1Adv_A = |Pr[b' = b] − 1/2|.

Definition 3. A K-user Augmented ABE scheme for predicate Γ is Type-I message-hiding if for all PPT adversaries A the advantage MH^A_1Adv_A is negligible in λ. We say that an Augmented ABE scheme for predicate Γ is selectively Type-I message-hiding if we add an Init stage before Setup where the adversary commits to the challenge ciphertext tag Y.

Game^A_MH2. The message-hiding game Game^A_MH2 is similar to Game_MH except that the Challenge phase is:

Challenge. A submits two equal-length messages M_0, M_1 and a ciphertext tag Y. The challenger flips a random coin b ∈ {0, 1}, and sends CT_Y ← Encrypt_A(PP, M_b, Y, K + 1) to A.

A wins the game if b' = b. The advantage of A is defined as MH^A_2Adv_A = |Pr[b' = b] − 1/2|.

Definition 4. A K-user Augmented ABE scheme for predicate Γ is Type-II message-hiding if for all PPT adversaries A the advantage MH^A_2Adv_A is negligible in λ.

Game^A_IH. The index-hiding game captures that, for any ciphertext tag Y, without a secret key SK_{k̄, X_{k̄}} such that Γ(X_{k̄}, Y) = 1, an adversary cannot distinguish between a ciphertext under (Y, k̄) and one under (Y, k̄ + 1). The game proceeds as follows:

Setup. The challenger runs Setup_A(λ, Γ, K) and gives the public parameter PP to A.

Key Query. For i = 1 to Q, A adaptively submits (index, key tag) pairs (k_i, X_{k_i}) to ask for a secret key for key tag X_{k_i}. For each (k_i, X_{k_i}) pair, the challenger responds with a secret key SK_{k_i, X_{k_i}}, which corresponds to key tag X_{k_i} and has index k_i.

Challenge. A submits a message M and a ciphertext tag Y. The challenger flips a random coin b ∈ {0, 1}, and sends CT_Y ← Encrypt_A(PP, M, Y, k̄ + b) to A.

Guess. A outputs a guess b' ∈ {0, 1} for b.

A wins the game if b' = b under the restriction that none of the queried pairs {(k_i, X_{k_i})}_{i=1}^{Q} can satisfy (k_i = k̄) ∧ (Γ(X_{k_i}, Y) = 1). The advantage of A is defined as IH^AAdv_A[k̄] = |Pr[b' = b] − 1/2|.

Definition 5. A K-user Augmented ABE scheme for predicate Γ is index-hiding if for all PPT adversaries A the advantages IH^AAdv_A[k̄] for k̄ = 1, ..., K are negligible in λ. We say that an Augmented ABE scheme for predicate Γ is selectively index-hiding if we add an Init stage before Setup where the adversary commits to the challenge ciphertext tag Y.

3.2 The Reduction of Traceable ABE to Augmented ABE

Let Σ_A = (Setup_A, KeyGen_A, Encrypt_A, Decrypt_A) be an AugABE, and define Encrypt(PP, M, Y) = Encrypt_A(PP, M, Y, 1); then Σ = (Setup_A, KeyGen_A, Encrypt, Decrypt_A) is an ABE derived from Σ_A. In the following, we show that if Σ_A is Type-I message-hiding, then Σ is secure w.r.t. Def. 1. Furthermore, we propose a tracing algorithm Trace for Σ and show that if Σ_A is Type-II message-hiding and index-hiding, then Σ equipped with Trace is traceable w.r.t. Def. 2.

3.2.1 ABE Security

Theorem 1. If Σ_A is Type-I message-hiding (resp. selectively Type-I message-hiding), then Σ is secure (resp. selectively secure).

Proof. The proof is similar to that in [20,23]. Due to the page limitation, we omit the details here.

ABE Traceability

We now propose a tracing algorithm Trace, which uses a general tracing method previously used in [6,26,7,8,11,20], and show that equipped with Trace, Σ is traceable w.r.t. Def. 2.

Trace^D(PP, Y_D, ɛ) → K_T ⊆ [K]: Given a ciphertext-tag-specific decryption blackbox D associated with a ciphertext tag Y_D and probability ɛ > 0, the tracing algorithm works as follows:

1. For k̄ = 1 to K + 1, do the following:
   (a) Repeat the following 8λN/ɛ² times:
       i. Sample M from the message space at random.
       ii. Let CT_{Y_D} ← Encrypt_A(PP, M, Y_D, k̄).
       iii. Query oracle D on input CT_{Y_D}, and compare the output of D with M.
   (b) Let p̂_{k̄} be the fraction of times that D decrypted the ciphertexts correctly.
2. Let K_T be the set of all k̄ ∈ [K] for which p̂_{k̄} − p̂_{k̄+1} ≥ ɛ/(4K). Output K_T as the index set of the decryption keys of malicious users.

Theorem 2. If Σ_A is Type-II message-hiding and index-hiding (resp. selectively index-hiding), then Σ is traceable (resp. selectively traceable).

Proof. The proof is similar to that in [20,23]. Due to the page limitation, we omit the details here.

4 Transform a Non-Traceable ABE to an Augmented ABE

In this section, we first formalize the notion of Pair Encoding Scheme in Sec. 4.1, which is the core component of the conventional (non-traceable) ABE template we propose in Sec. Then in Sec. 4.3 we propose the generic transformation from the ABE template to Augmented ABE, and in Sec. 4.4 we prove the security of the resulting Augmented ABE. Note that the ABE template, the transformation, and the proof in this section are described in composite order bilinear groups, but as shown later in Sec. 5, all of these also work well in prime order bilinear groups.
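As an added illustration (not code from the paper), the following Python models the AugABE decryption criterion (Γ(X, Y) = 1) ∧ (k ≥ k̄) with no real cryptography, builds a stateless blackbox from leaked keys, and runs the Trace algorithm above over it; it reads N in the repetition count as K and keeps λ small, both assumptions made only to keep the simulation cheap.

```python
"""Simulation of Trace^D (Sec. 3.2) over a functional model of Augmented ABE.

Added example, not code from the paper. Nothing here is real cryptography:
the "scheme" only models the AugABE decryption criterion
    (Gamma(X, Y) = 1) and (k >= k_bar),
which is all that Trace relies on. Assumed predicate: the key tag is a set of
required attributes and the ciphertext tag is an attribute set (KP-style);
messages are integers in [0, MSG_SPACE).
"""
import math
import random

MSG_SPACE = 2 ** 16
rng = random.Random(2024)  # fixed seed so runs are reproducible


def gamma(key_tag: frozenset, ct_tag: frozenset) -> bool:
    """Gamma(X, Y) = 1 iff the ciphertext tag carries every attribute the key requires."""
    return key_tag <= ct_tag


class AugABEModel:
    """Functional stand-in for (Setup_A, KeyGen_A, Encrypt_A, Decrypt_A)."""

    def __init__(self, num_users: int):
        self.K = num_users          # number of users K is fixed at setup
        self.next_index = 1

    def keygen(self, key_tag) -> tuple:
        """KeyGen_A: each key is identified by a unique index k in [K]."""
        if self.next_index > self.K:
            raise ValueError("all K indices are already assigned")
        k, self.next_index = self.next_index, self.next_index + 1
        return (k, frozenset(key_tag))          # SK_{k,X}

    def encrypt(self, message: int, ct_tag, k_bar: int) -> dict:
        """Encrypt_A(PP, M, Y, k_bar): Y is part of the ciphertext, k_bar is not visible."""
        assert 1 <= k_bar <= self.K + 1
        return {"Y": frozenset(ct_tag), "_M": message, "_k_bar": k_bar}

    def decrypt(self, ct: dict, key: tuple):
        """Decrypt_A: returns None (bottom) unless Gamma holds; the output is
        the correct message only when k >= k_bar (AugABE correctness)."""
        k, X = key
        if not gamma(X, ct["Y"]):
            return None
        if k >= ct["_k_bar"]:
            return ct["_M"]
        return rng.randrange(MSG_SPACE)          # a wrong, useless message


def make_blackbox(scheme: AugABEModel, leaked_keys: list):
    """Stateless decryption blackbox D built from traitors' keys: it tries the
    leaked keys in the given order and returns the first message it obtains
    (it cannot tell a correct decryption from a wrong one, k_bar being hidden)."""
    def D(ct):
        for key in leaked_keys:
            m = scheme.decrypt(ct, key)
            if m is not None:
                return m
        return None
    return D


def estimate_success(scheme, D, Y_D, k_bar: int, reps: int) -> float:
    """p_hat_{k_bar}: fraction of fresh ciphertexts under (Y_D, k_bar) that D decrypts."""
    hits = 0
    for _ in range(reps):
        M = rng.randrange(MSG_SPACE)              # step (i)
        ct = scheme.encrypt(M, Y_D, k_bar)        # step (ii)
        if D(ct) == M:                            # step (iii)
            hits += 1
    return hits / reps


def trace(scheme: AugABEModel, D, Y_D, eps: float, lam: int = 8) -> set:
    """Trace^D(PP, Y_D, eps) -> K_T, following the algorithm of Sec. 3.2.
    The repetition count 8*lambda*N/eps^2 is instantiated with N = K
    (assumption) and a small lambda so that the simulation stays cheap."""
    K = scheme.K
    reps = math.ceil(8 * lam * K / eps ** 2)
    p_hat = {k_bar: estimate_success(scheme, D, Y_D, k_bar, reps)
             for k_bar in range(1, K + 2)}
    # An index k is traced when the success rate drops noticeably between
    # encryption index k and k + 1: only a key with index exactly k can
    # explain that drop (index-hiding rules out everything else).
    return {k for k in range(1, K + 1) if p_hat[k] - p_hat[k + 1] >= eps / (4 * K)}


if __name__ == "__main__":
    scheme = AugABEModel(num_users=8)
    keys = [scheme.keygen({"Mathematics", "PhD Student"}) for _ in range(8)]
    Y_D = {"Carl", "Mathematics", "PhD Student"}
    D = make_blackbox(scheme, [keys[2], keys[6]])         # traitors with indices 3 and 7
    print("useful:", estimate_success(scheme, D, Y_D, 1, 100) >= 0.5)
    print("K_T =", trace(scheme, D, Y_D, eps=0.5))        # the key D actually relies on
```

Reordering the leaked keys (so the blackbox relies on index 7 first) moves the drop, and hence the traced index, to 7; either way K_T is a non-empty subset of the traitors' indices.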
4.1 Pair Encoding Scheme: Syntax

The notion of Pair Encoding Scheme here is inspired by the work of Attrapadung [1]. Attrapadung [1] proposed the notion of Pair Encoding Scheme, including syntax and security definitions, and proved the full security of some Functional Encryption schemes based on the security of the corresponding Pair Encoding Scheme instantiations. Here we borrow the term Pair Encoding Scheme, and actually we only use the syntax to abstract the structures of the non-traceable ABE schemes which we aim to transform to AugABE, without considering or using the security properties of Pair Encoding Schemes.

A Pair Encoding Scheme for predicate $\Gamma$ consists of four deterministic algorithms given by $(\mathsf{SysParam}, \mathsf{KeyParam}, \mathsf{CiperParam}, \mathsf{DecPair})$:

$\mathsf{SysParam}(\Gamma) \to (d, d_0)$. It takes as input a predicate $\Gamma : \mathcal{X} \times \mathcal{Y} \to \{0, 1\}$ and outputs two integers $d$ and $d_0$. $d$ is used to specify the number of common variables in $\mathsf{KeyParam}$ and $\mathsf{CiperParam}$, and $d_0$ ($\le d$) will be used to specify the requirements of the ABE template. For the default notation, let $\alpha$ and $\boldsymbol{\beta} = (\beta_1, \ldots, \beta_d)$ denote the list of common variables.

$\mathsf{KeyParam}(X, N) \to (\boldsymbol{\phi} = (\phi_0, \phi_1, \ldots, \phi_{d_k}), d_\delta)$. It takes as inputs $N \in \mathbb{N}$ and a key tag $X \in \mathcal{X}$, and outputs a sequence of polynomials $\boldsymbol{\phi} = (\phi_0, \phi_1, \ldots, \phi_{d_k})$ with coefficients in $\mathbb{Z}_N$ and an integer $d_\delta$ that specifies the number of its own variables. Let $\boldsymbol{\delta} = (\delta_1, \ldots, \delta_{d_\delta})$ be the variables; we require that each polynomial $\phi_z$ ($0 \le z \le d_k$) is a linear combination of monomials $\alpha, \delta_i, \delta_i\beta_j$, where $\alpha$ and $\boldsymbol{\beta} = (\beta_1, \ldots, \beta_d)$ are the common variables. For simplicity, we write $\boldsymbol{\phi}(\alpha, \boldsymbol{\beta}, \boldsymbol{\delta}) = (\phi_0(\alpha, \boldsymbol{\beta}, \boldsymbol{\delta}), \phi_1(\alpha, \boldsymbol{\beta}, \boldsymbol{\delta}), \ldots, \phi_{d_k}(\alpha, \boldsymbol{\beta}, \boldsymbol{\delta}))$.

$\mathsf{CiperParam}(Y, N) \to (\boldsymbol{\psi} = (\psi_1, \ldots, \psi_{d_c}), d_\pi)$. It takes as inputs $N \in \mathbb{N}$ and a ciphertext tag $Y \in \mathcal{Y}$, and outputs a sequence of polynomials $\boldsymbol{\psi} = (\psi_1, \ldots, \psi_{d_c})$ with coefficients in $\mathbb{Z}_N$ and an integer $d_\pi$ that specifies the number of its own variables. Let $\boldsymbol{\pi} = (\pi, \pi_1, \ldots, \pi_{d_\pi})$ be the variables; we require that each polynomial $\psi_z$ ($1 \le z \le d_c$) is a linear combination of monomials $\pi, \pi_i, \pi\beta_j, \pi_i\beta_j$, where $\boldsymbol{\beta} = (\beta_1, \ldots, \beta_d)$ are the common variables. For simplicity, we write $\boldsymbol{\psi}(\boldsymbol{\beta}, \boldsymbol{\pi}) = (\psi_1(\boldsymbol{\beta}, \boldsymbol{\pi}), \ldots, \psi_{d_c}(\boldsymbol{\beta}, \boldsymbol{\pi}))$.

$\mathsf{DecPair}(X, Y, N) \to \mathbf{E}$. It takes as inputs $N \in \mathbb{N}$, a key tag $X \in \mathcal{X}$, and a ciphertext tag $Y \in \mathcal{Y}$, and outputs $\mathbf{E} \in \mathbb{Z}_N^{(d_k+1) \times d_c}$.

Correctness. The correctness requirement is defined as follows. First, for any $N \in \mathbb{N}$, $X \in \mathcal{X}$, $Y \in \mathcal{Y}$, let $(\boldsymbol{\phi} = (\phi_0, \phi_1, \ldots, \phi_{d_k}), d_\delta) \leftarrow \mathsf{KeyParam}(X, N)$, $(\boldsymbol{\psi} = (\psi_1, \ldots, \psi_{d_c}), d_\pi) \leftarrow \mathsf{CiperParam}(Y, N)$, and $\mathbf{E} \leftarrow \mathsf{DecPair}(X, Y, N)$; if $\Gamma(X, Y) = 1$, then for any $\alpha$, $\boldsymbol{\beta} = (\beta_1, \ldots, \beta_d)$, $\boldsymbol{\delta} = (\delta_1, \ldots, \delta_{d_\delta})$, $\boldsymbol{\pi} = (\pi, \pi_1, \ldots, \pi_{d_\pi})$, we have $\boldsymbol{\phi}(\alpha, \boldsymbol{\beta}, \boldsymbol{\delta})\,\mathbf{E}\,\boldsymbol{\psi}(\boldsymbol{\beta}, \boldsymbol{\pi})^T = \alpha\pi$, where the equality holds symbolically. Note that since $\boldsymbol{\phi}(\alpha, \boldsymbol{\beta}, \boldsymbol{\delta})\,\mathbf{E}\,\boldsymbol{\psi}(\boldsymbol{\beta}, \boldsymbol{\pi})^T = \sum_{i \in [0, d_k],\, j \in [1, d_c]} E_{i,j}\,\phi_i\psi_j$, this correctness amounts to checking whether there is a linear combination of the $\phi_i\psi_j$ terms that sums to $\alpha\pi$. Second, for $p$ that divides $N$, if we let $\mathsf{KeyParam}(X, N) \to (\boldsymbol{\phi} = (\phi_0, \phi_1, \ldots, \phi_{d_k}), d_\delta)$ and $\mathsf{KeyParam}(X, p) \to (\boldsymbol{\phi}' = (\phi'_0, \phi'_1, \ldots, \phi'_{d_k}), d_\delta)$, then it holds that $\boldsymbol{\phi} \bmod p = \boldsymbol{\phi}'$. The requirement for $\mathsf{CiperParam}$ is similar.

Remark. We mandate that the variables used in $\mathsf{KeyParam}$ and those in $\mathsf{CiperParam}$ are different, except only for the common variables $\alpha$ and $\boldsymbol{\beta}$.
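The symbolic correctness check $\boldsymbol{\phi}\,\mathbf{E}\,\boldsymbol{\psi}^T = \alpha\pi$ described above, as an added example that is not code from the paper. Polynomials are dictionaries from a monomial (a sorted tuple of variable names) to an integer coefficient, so equality is checked symbolically exactly as the definition requires. The encoding fed to it ($d = d_0 = d_k = 1$, $d_c = 2$) is a constructed minimal instance that satisfies the template requirements of Sec. 4.2, not a scheme from the paper, and the matrices `E_DEC`, `E_1`, `E_2` are likewise constructed.

```python
"""Symbolic check of the Pair Encoding correctness condition
phi(alpha, beta, delta) . E . psi(beta, pi)^T == alpha * pi.

Added illustration, not the paper's code. A polynomial is a dict mapping a
monomial (sorted tuple of variable names) to an integer coefficient.
"""
from collections import defaultdict


def var(name: str) -> dict:
    """The polynomial consisting of the single variable `name`."""
    return {(name,): 1}


def add(p: dict, q: dict) -> dict:
    out = defaultdict(int)
    for poly in (p, q):
        for mono, c in poly.items():
            out[mono] += c
    return {m: c for m, c in out.items() if c != 0}


def scale(p: dict, k: int) -> dict:
    return {m: c * k for m, c in p.items()} if k else {}


def mul(p: dict, q: dict) -> dict:
    """Product of two polynomials; monomials are merged by sorting names."""
    out = defaultdict(int)
    for m1, c1 in p.items():
        for m2, c2 in q.items():
            out[tuple(sorted(m1 + m2))] += c1 * c2
    return {m: c for m, c in out.items() if c != 0}


def pair_product(phi: list, E: list, psi: list) -> dict:
    """sum_{i in [0,d_k], j in [1,d_c]} E[i][j] * phi_i * psi_j, symbolically."""
    total = {}
    for i, phi_i in enumerate(phi):
        for j, psi_j in enumerate(psi):
            if E[i][j]:
                total = add(total, scale(mul(phi_i, psi_j), E[i][j]))
    return total


def is_correct(phi: list, E: list, psi: list) -> bool:
    """The correctness condition: the pairing product equals alpha * pi."""
    return pair_product(phi, E, psi) == mul(var("alpha"), var("pi"))


# Constructed encoding with d = d_0 = 1, d_k = 1, d_c = 2:
#   phi_0 = alpha + beta_1 * delta_1,  phi_1 = delta_1   (template requirement 3)
#   psi_1 = pi,                        psi_2 = beta_1 * pi
alpha, beta1, delta1, pi = (var(n) for n in ("alpha", "beta1", "delta1", "pi"))
PHI = [add(alpha, mul(beta1, delta1)), delta1]
PSI = [pi, mul(beta1, pi)]
E_DEC = [[1, 0], [0, -1]]   # DecPair:   phi E psi^T = alpha*pi
E_1 = [[0, 0], [0, 1]]      # DecPair_1: phi E_1 psi^T = beta_1*delta_1*pi
E_2 = [[1, 0], [0, 0]]      # DecPair_2: phi E_2 psi^T = beta_1*delta_1*pi + alpha*pi

if __name__ == "__main__":
    print(is_correct(PHI, E_DEC, PSI), pair_product(PHI, E_1, PSI), pair_product(PHI, E_2, PSI))
```

The same routine checks the two extra matrices $\mathbf{E}_1$ and $\mathbf{E}_2$ that the template of Sec. 4.2 asks for: $\mathbf{E}_1$ isolates the $\beta_1\delta_1\pi$ term and $\mathbf{E}_2$ yields $\beta_1\delta_1\pi + \alpha\pi$, so their quotient in the exponent is $\alpha\pi$.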
We remark that in the syntax, all variables are only symbolic: no probability distributions have been assigned to them yet. We will assign these in the later ABE template construction. Note that $d_\delta, d_k$ can depend on $X$ and $d_\pi, d_c$ can depend on $Y$. We also remark that each polynomial in $\boldsymbol{\phi}, \boldsymbol{\psi}$ has no constant terms.

4.2 A Template for Non-traceable ABE Constructions

Below, we first review Composite Order Bilinear Groups and some notations. Then, from a Pair Encoding Scheme, by adding some additional requirements, we define a template for conventional non-traceable ABE constructions, which works on composite order bilinear groups. We would like to point out that, as shown later in Sec. 5, the template can easily be changed to one on prime order bilinear groups, and the transformation from the non-traceable ABE template to Augmented ABE, as well as the proof, work well on prime order bilinear groups.

Composite Order Bilinear Groups. Let $\mathcal{G}$ be a group generator, which takes a security parameter $\lambda$ and outputs $(p_1, p_2, p_3, G, G_T, e)$ where $p_1, p_2, p_3$ are distinct primes, $G$ and $G_T$ are cyclic groups of order $N = p_1p_2p_3$, and $e : G \times G \to G_T$ is a map such that: (1) Bilinear: $\forall g, h \in G$, $a, b \in \mathbb{Z}_N$, $e(g^a, h^b) = e(g, h)^{ab}$; (2) Non-Degenerate: $\exists g \in G$ such that $e(g, g)$ has order $N$ in $G_T$. Assume that group operations in $G$ and $G_T$ as well as the bilinear map $e$ are computable in polynomial time with respect to $\lambda$. Let $G_{p_1}$, $G_{p_2}$ and $G_{p_3}$ be the subgroups of order $p_1$, $p_2$ and $p_3$ in $G$, respectively. These subgroups are orthogonal to each other under the bilinear map $e$: if $h_i \in G_{p_i}$ and $h_j \in G_{p_j}$ for $i \ne j$, then $e(h_i, h_j) = 1$ (the identity element in $G_T$).

Notations. For a given vector $\boldsymbol{v} = (v_1, \ldots, v_d) \in \mathbb{Z}_N^d$ and $g \in G$, by $g^{\boldsymbol{v}}$ we mean the vector $(g^{v_1}, \ldots, g^{v_d}) \in G^d$. For two vectors $\boldsymbol{V} = (V_1, \ldots, V_d), \boldsymbol{W} = (W_1, \ldots, W_d) \in G^d$, by $\boldsymbol{V} \cdot \boldsymbol{W}$ we mean the vector $(V_1W_1, \ldots, V_dW_d) \in G^d$, i.e. it performs component-wise multiplication. Furthermore, by $e_d(\boldsymbol{V}, \boldsymbol{W})$ we mean $\prod_{k=1}^{d} e(V_k, W_k)$. In particular, for $\boldsymbol{v} = (v_1, \ldots, v_d), \boldsymbol{w} = (w_1, \ldots, w_d) \in \mathbb{Z}_N^d$, we have $g^{\boldsymbol{v}} \cdot g^{\boldsymbol{w}} = g^{\boldsymbol{v} + \boldsymbol{w}}$, and $e_d(g^{\boldsymbol{v}}, g^{\boldsymbol{w}}) = \prod_{k=1}^{d} e(g^{v_k}, g^{w_k}) = e(g, g)^{\boldsymbol{v} \cdot \boldsymbol{w}}$, where $\boldsymbol{v} \cdot \boldsymbol{w}$ is the inner product of $\boldsymbol{v}$ and $\boldsymbol{w}$. Sometimes we omit the subscript $d$ of $e_d(\boldsymbol{V}, \boldsymbol{W})$. For a vector $\boldsymbol{V} = (V_1, \ldots, V_d) \in G^d$ and a matrix $\mathbf{A} = (A_{i,j})_{d \times t} \in \mathbb{Z}_N^{d \times t}$, by $\boldsymbol{V}^{\mathbf{A}}$ we mean $(\prod_{i=1}^{d} V_i^{A_{i,1}}, \prod_{i=1}^{d} V_i^{A_{i,2}}, \ldots, \prod_{i=1}^{d} V_i^{A_{i,t}}) \in G^t$.

Non-traceable ABE template. The template consists of four algorithms as follows:

$\mathsf{Setup}_{NT}(\lambda, \Gamma) \to (PP, MSK)$. Run $(N, p_1, p_2, p_3, G, G_T, e) \leftarrow \mathcal{G}(\lambda)$. Pick generators $g \in G_{p_1}$, $X_3 \in G_{p_3}$. Run $(d, d_0) \leftarrow \mathsf{SysParam}(\Gamma)$, where $1 \le d_0 \le d$. Pick random $\boldsymbol{\beta} = (\beta_1, \ldots, \beta_d) \in \mathbb{Z}_N^d$. Pick random $\alpha \in \mathbb{Z}_N$. The public parameter is $PP = (N, G, G_T, e, g, g^{\boldsymbol{\beta}}, X_3, e(g, g)^\alpha)$. The master secret key is $MSK = \alpha$.

$\mathsf{KeyGen}_{NT}(PP, MSK, X) \to SK_X$. Upon input a key tag $X$, run $(\boldsymbol{\phi} = (\phi_0, \phi_1, \ldots, \phi_{d_k}), d_\delta) \leftarrow \mathsf{KeyParam}(X, N)$. Pick random $\boldsymbol{\delta} = (\delta_1, \ldots, \delta_{d_\delta}) \in \mathbb{Z}_N^{d_\delta}$, $\boldsymbol{R} = (R_0, \ldots, R_{d_k}) \in G_{p_3}^{d_k+1}$. Output a secret key $SK_X$ as $SK_X = (X, \boldsymbol{K} = g^{\boldsymbol{\phi}(\alpha, \boldsymbol{\beta}, \boldsymbol{\delta})} \cdot \boldsymbol{R})$. To satisfy the template, it is required that for any key tag $X$ and variables $\boldsymbol{\delta} = (\delta_1, \ldots, \delta_{d_\delta})$:
1. $d_k \ge d_0$.
2. For $z \in [2, d_k]$, $\phi_z(\alpha, \boldsymbol{\beta}, \boldsymbol{\delta})$ does not contain $\alpha$ or $\beta_1\delta_1$. For simplicity, we write them as $\phi_z(\boldsymbol{\beta}, \boldsymbol{\delta})$, as they do not contain $\alpha$.
3. $\phi_1(\alpha, \boldsymbol{\beta}, \boldsymbol{\delta}) = \delta_1$, $\phi_0(\alpha, \boldsymbol{\beta}, \boldsymbol{\delta}) = \alpha + \beta_1\delta_1 + \sum_{d=2}^{d_0} \beta_d\,\phi_d(\boldsymbol{\beta}, \boldsymbol{\delta})$.
That is,$^5$
$SK_X = \big(X,\ K_0 = g^{\alpha}\, g^{\beta_1\delta_1} \prod_{d=2}^{d_0} g^{\beta_d\phi_d(\boldsymbol{\beta}, \boldsymbol{\delta})}\, R_0,\ K_1 = g^{\delta_1} R_1,\ K_2 = g^{\phi_2(\boldsymbol{\beta}, \boldsymbol{\delta})} R_2,\ \ldots,\ K_{d_k} = g^{\phi_{d_k}(\boldsymbol{\beta}, \boldsymbol{\delta})} R_{d_k}\big)$.

$\mathsf{Encrypt}_{NT}(PP, M, Y) \to CT_Y$. Upon input a ciphertext tag $Y$, run $(\boldsymbol{\psi} = (\psi_1, \ldots, \psi_{d_c}), d_\pi) \leftarrow \mathsf{CiperParam}(Y, N)$. Pick random $\boldsymbol{\pi} = (\pi, \pi_1, \ldots, \pi_{d_\pi}) \in \mathbb{Z}_N^{d_\pi+1}$. Set $\boldsymbol{P} = g^{\boldsymbol{\psi}(\boldsymbol{\beta}, \boldsymbol{\pi})}$. Output a ciphertext $CT_Y$ as $CT_Y = (Y, \boldsymbol{P}, C = M \cdot e(g, g)^{\alpha\pi})$. Note that $\boldsymbol{P}$ can be computed from $g^{\boldsymbol{\beta}}$ and $\boldsymbol{\pi}$ since $\boldsymbol{\psi}(\boldsymbol{\beta}, \boldsymbol{\pi})$ contains only linear combinations of the monomials $\pi, \pi_i, \pi\beta_j, \pi_i\beta_j$. To satisfy the template, it is required that for any ciphertext tag $Y$ and variables $\boldsymbol{\pi} = (\pi, \pi_1, \ldots, \pi_{d_\pi})$:
1. $\psi_1(\boldsymbol{\beta}, \boldsymbol{\pi}) = \pi$.
2. $\psi_2(\boldsymbol{\beta}, \boldsymbol{\pi}) = \beta_2\pi, \ldots, \psi_{d_0}(\boldsymbol{\beta}, \boldsymbol{\pi}) = \beta_{d_0}\pi$.
That is, the first $d_0$ components of $\boldsymbol{P}$ are $P_1 = g^{\pi}, P_2 = g^{\beta_2\pi}, \ldots, P_{d_0} = g^{\beta_{d_0}\pi}$.

$\mathsf{Decrypt}_{NT}(PP, CT_Y, SK_X) \to M$ or $\perp$. Obtain $X, Y$ from $SK_X, CT_Y$. Suppose $\Gamma(X, Y) = 1$ (if $\Gamma(X, Y) \ne 1$, output $\perp$). Run $\mathbf{E} \leftarrow \mathsf{DecPair}(X, Y, N)$. Compute $e(g, g)^{\alpha\pi} = e(\boldsymbol{K}^{\mathbf{E}}, \boldsymbol{P})$, and output $M \leftarrow C / e(g, g)^{\alpha\pi}$.

To satisfy the template, it is required that there are two algorithms $\mathsf{DecPair}_1$ and $\mathsf{DecPair}_2$ such that: for any $N \in \mathbb{N}$, $X \in \mathcal{X}$, $Y \in \mathcal{Y}$, let $(\boldsymbol{\phi} = (\phi_0, \phi_1, \ldots, \phi_{d_k}), d_\delta) \leftarrow \mathsf{KeyParam}(X, N)$, $(\boldsymbol{\psi} = (\psi_1, \ldots, \psi_{d_c}), d_\pi) \leftarrow \mathsf{CiperParam}(Y, N)$; for any variables $\alpha$, $\boldsymbol{\beta} = (\beta_1, \beta_2, \ldots, \beta_d)$, $\boldsymbol{\delta} = (\delta_1, \delta_2, \ldots, \delta_{d_\delta})$, $\boldsymbol{\pi} = (\pi, \pi_1, \ldots, \pi_{d_\pi})$, let $\mathbf{E}_1 \leftarrow \mathsf{DecPair}_1(X, Y, N)$, $\mathbf{E}_2 \leftarrow \mathsf{DecPair}_2(X, Y, N)$; if $\Gamma(X, Y) = 1$ we have that $\boldsymbol{\phi}\,\mathbf{E}_1\,\boldsymbol{\psi}^T = \beta_1\delta_1\pi$ and $\boldsymbol{\phi}\,\mathbf{E}_2\,\boldsymbol{\psi}^T = \beta_1\delta_1\pi + \alpha\pi$. Note that $e(g, g)^{\alpha\pi}$ can then be computed as $e(g, g)^{\alpha\pi} = e(\boldsymbol{K}^{\mathbf{E}_2}, \boldsymbol{P}) / e(\boldsymbol{K}^{\mathbf{E}_1}, \boldsymbol{P})$.

Later we will show that there is a series of ABE schemes with appealing features complying with this template.

$^5$ Note that to cover as many ABE schemes as possible, we only specify the necessary requirements which we may use in the constructions and proofs of our generic transformation framework. Here we do not require $\phi_d(\boldsymbol{\beta}, \boldsymbol{\delta})$ for $d = 2$ to $d_0$ to contain only linear combinations of the monomials $\delta_i$. Actually, if $\phi_d(\boldsymbol{\beta}, \boldsymbol{\delta})$ contained $\beta_j$, $K_0$ could still be computed, by putting $\boldsymbol{\beta}$ in $MSK$.

4.3 Augmented ABE Transformed from Non-traceable ABE

Notations. Suppose that the number of users $K$ in the system equals $m^2$ for some $m$. In practice, if $K$ is not a square, we can add some dummy users until it pads to the next square. We arrange the users in an $m \times m$ matrix and uniquely assign a tuple $(i, j)$, where $i, j \in [1, m]$, to each user. A user at position $(i, j)$ of the matrix has index $k = (i - 1)m + j$. For simplicity, we directly use $(i, j)$ as the index, where $(i, j) \ge (\bar{i}, \bar{j})$ means that $(i > \bar{i}) \vee (i = \bar{i} \wedge j \ge \bar{j})$. The use of the pairwise notation $(i, j)$ is purely a notational convenience, as $k = (i - 1)m + j$ defines a bijection between $\{(i, j) \mid i, j \in [1, m]\}$ and $[1, K]$.

Given a bilinear group order $N$, one can randomly choose $r_x, r_y, r_z \in \mathbb{Z}_N$, and set $\boldsymbol{\chi}_1 = (r_x, 0, r_z)$, $\boldsymbol{\chi}_2 = (0, r_y, r_z)$, $\boldsymbol{\chi}_3 = \boldsymbol{\chi}_1 \times \boldsymbol{\chi}_2 = (-r_yr_z, -r_xr_z, r_xr_y)$. Let $\mathrm{span}\{\boldsymbol{\chi}_1, \boldsymbol{\chi}_2\} = \{\nu_1\boldsymbol{\chi}_1 + \nu_2\boldsymbol{\chi}_2 \mid \nu_1, \nu_2 \in \mathbb{Z}_N\}$ be the subspace spanned by $\boldsymbol{\chi}_1$ and $\boldsymbol{\chi}_2$. We can see that $\boldsymbol{\chi}_3$ is orthogonal to the subspace $\mathrm{span}\{\boldsymbol{\chi}_1, \boldsymbol{\chi}_2\}$ and $\mathbb{Z}_N^3 = \mathrm{span}\{\boldsymbol{\chi}_1, \boldsymbol{\chi}_2, \boldsymbol{\chi}_3\} = \{\nu_1\boldsymbol{\chi}_1 + \nu_2\boldsymbol{\chi}_2 + \nu_3\boldsymbol{\chi}_3 \mid \nu_1, \nu_2, \nu_3 \in \mathbb{Z}_N\}$. For any $\boldsymbol{v} \in \mathrm{span}\{\boldsymbol{\chi}_1, \boldsymbol{\chi}_2\}$, $\boldsymbol{\chi}_3 \cdot \boldsymbol{v} = 0$, and for random $\boldsymbol{v} \in \mathbb{Z}_N^3$, $\boldsymbol{\chi}_3 \cdot \boldsymbol{v} \ne 0$ happens with overwhelming probability.

Below we propose our AugABE construction, which is transformed from the conventional non-traceable ABE template in Sec. 4.2 above. Note that the parts written in the box are the same as the conventional non-traceable ABE template, and we add/modify some additional parts to form our generic AugABE construction.

$\mathsf{Setup}_A(\lambda, \Gamma, K = m^2) \to (PP, MSK)$. Run $(N, p_1, p_2, p_3, G, G_T, e) \leftarrow \mathcal{G}(\lambda)$. Pick generators $g \in G_{p_1}$, $X_3 \in G_{p_3}$. Run $(d, d_0) \leftarrow \mathsf{SysParam}(\Gamma)$, where $1 \le d_0 \le d$. Pick random $\boldsymbol{\beta} = (\beta_1, \ldots, \beta_d) \in \mathbb{Z}_N^d$. Pick random $\{\alpha_i, r_i, z_i \in \mathbb{Z}_N\}_{i \in [m]}$, $\{c_j \in \mathbb{Z}_N\}_{j \in [m]}$. The public parameter is
$PP = \big(N, G, G_T, e, g, \boldsymbol{h} = g^{\boldsymbol{\beta}}, X_3, \{E_i = e(g, g)^{\alpha_i}, G_i = g^{r_i}, Z_i = g^{z_i}\}_{i \in [m]}, \{H_j = g^{c_j}\}_{j \in [m]}\big)$.
The master secret key is $MSK = (\alpha_1, \ldots, \alpha_m, r_1, \ldots, r_m, c_1, \ldots, c_m)$. A counter $ctr = 0$ is implicitly included in $MSK$.

$\mathsf{KeyGen}_A(PP, MSK, X) \to SK_{(i,j),X}$. Upon input a key tag $X$, run $(\boldsymbol{\phi} = (\phi_0, \phi_1, \ldots, \phi_{d_k}), d_\delta) \leftarrow \mathsf{KeyParam}(X, N)$. Pick random $\boldsymbol{\delta} = (\delta_1, \ldots, \delta_{d_\delta}) \in \mathbb{Z}_N^{d_\delta}$, $\boldsymbol{R} = (R_0, \ldots, R_{d_k}) \in G_{p_3}^{d_k+1}$. Pick random $R'_0 \in G_{p_3}$. Set $ctr = ctr + 1$ and then compute the corresponding index in the form of $(i, j)$ where $1 \le i, j \le m$ and $(i - 1)m + j = ctr$. Output a secret key $SK_{(i,j),X}$ as
$SK_{(i,j),X} = \big((i, j), X, \boldsymbol{K} = g^{\boldsymbol{\phi}(r_ic_j + \alpha_i, \boldsymbol{\beta}, \boldsymbol{\delta})} \cdot \boldsymbol{R}, K'_0 = Z_i^{\delta_1} R'_0\big)$.
By the requirements stated in $\mathsf{KeyGen}_{NT}$, we have
$SK_{(i,j),X} = \big((i, j), X,\ K_0 = g^{r_ic_j + \alpha_i}\, g^{\beta_1\delta_1} \prod_{d=2}^{d_0} g^{\beta_d\phi_d(\boldsymbol{\beta}, \boldsymbol{\delta})}\, R_0,\ K_1 = g^{\delta_1} R_1,\ K_2 = g^{\phi_2(\boldsymbol{\beta}, \boldsymbol{\delta})} R_2,\ \ldots,\ K_{d_k} = g^{\phi_{d_k}(\boldsymbol{\beta}, \boldsymbol{\delta})} R_{d_k},\ K'_0 = Z_i^{\delta_1} R'_0\big)$.

$\mathsf{Encrypt}_A(PP, M, Y, (\bar{i}, \bar{j})) \to CT_Y$.
1. Upon input a ciphertext tag $Y$, run $(\boldsymbol{\psi} = (\psi_1, \ldots, \psi_{d_c}), d_\pi) \leftarrow \mathsf{CiperParam}(Y, N)$. Pick random $\boldsymbol{\pi} = (\pi, \pi_1, \ldots, \pi_{d_\pi}) \in \mathbb{Z}_N^{d_\pi+1}$. Set $\boldsymbol{P} = g^{\boldsymbol{\psi}(\boldsymbol{\beta}, \boldsymbol{\pi})}$. Note that $\boldsymbol{P}$ can be computed from $\boldsymbol{h} = g^{\boldsymbol{\beta}}$ and $\boldsymbol{\pi}$ since $\boldsymbol{\psi}(\boldsymbol{\beta}, \boldsymbol{\pi})$ contains only linear combinations of the monomials $\pi, \pi_i, \pi\beta_j, \pi_i\beta_j$.
2. Pick random $\kappa, \tau, s_1, \ldots, s_m, t_1, \ldots, t_m \in \mathbb{Z}_N$,

$\boldsymbol{v}_c, \boldsymbol{w}_1, \ldots, \boldsymbol{w}_m \in \mathbb{Z}_N^3$. Pick random $r_x, r_y, r_z \in \mathbb{Z}_N$, and set $\boldsymbol{\chi}_1 = (r_x, 0, r_z)$, $\boldsymbol{\chi}_2 = (0, r_y, r_z)$, $\boldsymbol{\chi}_3 = \boldsymbol{\chi}_1 \times \boldsymbol{\chi}_2 = (-r_yr_z, -r_xr_z, r_xr_y)$. Pick random $\boldsymbol{v}_i \in \mathbb{Z}_N^3$ $\forall i \in \{1, \ldots, \bar{i}\}$, and $\boldsymbol{v}_i \in \mathrm{span}\{\boldsymbol{\chi}_1, \boldsymbol{\chi}_2\}$ $\forall i \in \{\bar{i} + 1, \ldots, m\}$.
For each row $i \in [m]$:
   if $i < \bar{i}$: randomly choose $\hat{s}_i \in \mathbb{Z}_N$, and set
   $R_i = g^{\boldsymbol{v}_i}$, $R'_i = g^{\kappa\boldsymbol{v}_i}$, $Q_i = g^{s_i}$, $Q_{i,1} = g^{\beta_1 s_i} Z_i^{t_i} g^{\beta_1\pi}$, $Q_{i,2} = g^{\beta_2 s_i}, \ldots, Q_{i,d_0} = g^{\beta_{d_0} s_i}$, $Q'_i = g^{t_i}$, $T_i = E_i^{\hat{s}_i}$.
   if $i \ge \bar{i}$: set
   $R_i = G_i^{s_i\boldsymbol{v}_i}$, $R'_i = G_i^{\kappa s_i\boldsymbol{v}_i}$, $Q_i = g^{\tau s_i(\boldsymbol{v}_i \cdot \boldsymbol{v}_c)}$, $Q_{i,1} = g^{\beta_1\tau s_i(\boldsymbol{v}_i \cdot \boldsymbol{v}_c)} Z_i^{t_i} g^{\beta_1\pi}$, $Q_{i,2} = g^{\beta_2\tau s_i(\boldsymbol{v}_i \cdot \boldsymbol{v}_c)}, \ldots, Q_{i,d_0} = g^{\beta_{d_0}\tau s_i(\boldsymbol{v}_i \cdot \boldsymbol{v}_c)}$, $Q'_i = g^{t_i}$, $T_i = M \cdot E_i^{\tau s_i(\boldsymbol{v}_i \cdot \boldsymbol{v}_c)}$.
For each column $j \in [m]$:
   if $j < \bar{j}$: randomly choose $\mu_j \in \mathbb{Z}_N$, and set $C_j = H_j^{\tau\boldsymbol{v}_c + \mu_j\boldsymbol{\chi}_3} \cdot g^{\kappa\boldsymbol{w}_j}$, $C'_j = g^{\boldsymbol{w}_j}$.
   if $j \ge \bar{j}$: set $C_j = H_j^{\tau\boldsymbol{v}_c} \cdot g^{\kappa\boldsymbol{w}_j}$, $C'_j = g^{\boldsymbol{w}_j}$.
3. Output the ciphertext $CT_Y$ as
$CT_Y = \big(Y, \boldsymbol{P}, (R_i, R'_i, Q_i, \{Q_{i,d}\}_{d=1}^{d_0}, Q'_i, T_i)_{i=1}^{m}, (C_j, C'_j)_{j=1}^{m}\big)$.

$\mathsf{Decrypt}_A(PP, CT_Y, SK_{(i,j),X}) \to M$ or $\perp$. Parse $CT_Y$ to $CT_Y = (Y, \boldsymbol{P}, (R_i, R'_i, Q_i, \{Q_{i,d}\}_{d=1}^{d_0}, Q'_i, T_i)_{i=1}^{m}, (C_j, C'_j)_{j=1}^{m})$ and $SK_{(i,j),X}$ to $SK_{(i,j),X} = ((i, j), X, \boldsymbol{K} = (K_0, \ldots, K_{d_k}), K'_0)$. Obtain $Y, X$ from $CT_Y, SK_{(i,j),X}$. Suppose $\Gamma(X, Y) = 1$ (if $\Gamma(X, Y) \ne 1$, output $\perp$).
1. Run $\mathbf{E}_1 \leftarrow \mathsf{DecPair}_1(X, Y, N)$. Compute $D_P \leftarrow e(\boldsymbol{K}^{\mathbf{E}_1}, \boldsymbol{P})$.
2. Compute
$D_I \leftarrow \dfrac{e(K_0, Q_i) \cdot e(K'_0, Q'_i)}{e(K_1, Q_{i,1}) \cdot \prod_{d=2}^{d_0} e(K_d, Q_{i,d})} \cdot \dfrac{e_3(R'_i, C'_j)}{e_3(R_i, C_j)}$.
3. Compute $M' \leftarrow T_i / (D_P \cdot D_I)$ as the output message.
Suppose that the ciphertext is generated from message $M$ and encryption index $(\bar{i}, \bar{j})$; it can be verified that only when $(i > \bar{i})$ or $(i = \bar{i} \wedge j \ge \bar{j})$ do we have $M' = M$. This is because for $i > \bar{i}$, we have $\boldsymbol{v}_i \cdot \boldsymbol{\chi}_3 = 0$ since $\boldsymbol{v}_i \in \mathrm{span}\{\boldsymbol{\chi}_1, \boldsymbol{\chi}_2\}$, and for $i = \bar{i}$, $\boldsymbol{v}_i \cdot \boldsymbol{\chi}_3 \ne 0$ happens with overwhelming probability since $\boldsymbol{v}_i$ is randomly chosen from $\mathbb{Z}_N^3$. The correctness proof is deferred to Appendix A.

4.4 Augmented ABE Security

Let $\Sigma_{NT} = (\mathsf{Setup}_{NT}, \mathsf{KeyGen}_{NT}, \mathsf{Encrypt}_{NT}, \mathsf{Decrypt}_{NT})$ be a non-traceable ABE scheme satisfying the template in Sec. 4.2, and $\Sigma_A = (\mathsf{Setup}_A, \mathsf{KeyGen}_A, \mathsf{Encrypt}_A, \mathsf{Decrypt}_A)$ be an Augmented ABE scheme derived from $\Sigma_{NT}$ as shown in Sec. 4.3. As shown in Fig. 2, Theorem 3, Theorem 4, and Theorem 5 state that the AugABE proposed above is Type-I message-hiding, Type-II message-hiding, and selectively index-hiding, respectively. Below we prove Theorem 3 and Theorem 4 in a framework manner. For Theorem 5, we prove it in a framework manner only partially: namely, we prove Claim 1 in a framework manner, while proving Lemma 1 case by case for the concrete underlying conventional non-traceable ABE schemes, and the proof of Claim 2 will be identical to that of Lemma 1.
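The index arrangement $k = (i-1)m + j$, the vectors $\boldsymbol{\chi}_1, \boldsymbol{\chi}_2, \boldsymbol{\chi}_3$ introduced at the start of Sec. 4.3, and the decryption condition $(i, j) \ge (\bar{i}, \bar{j})$ noted under $\mathsf{Decrypt}_A$, as an added example that is not code from the paper. It computes the vectors over $\mathbb{Z}_N$ and checks the two properties the construction relies on: $\boldsymbol{\chi}_3$ is orthogonal to everything in $\mathrm{span}\{\boldsymbol{\chi}_1, \boldsymbol{\chi}_2\}$, and the pair order coincides with the integer order on $k$. The modulus $N$ and the scalars used below are constructed sample values, not a real composite bilinear group order.

```python
"""The (i, j) <-> k bijection and the chi vectors of Sec. 4.3 over Z_N.

Added illustration, not the paper's code. N, r_x, r_y, r_z and the sample
vectors are constructed values for this example.
"""
import secrets


def index_to_pair(k: int, m: int):
    """Inverse of k = (i-1)*m + j for 1 <= i, j <= m."""
    if not 1 <= k <= m * m:
        raise ValueError("index out of range")
    return (k - 1) // m + 1, (k - 1) % m + 1


def pair_to_index(i: int, j: int, m: int) -> int:
    return (i - 1) * m + j


def pair_geq(a, b) -> bool:
    """(i, j) >= (i_bar, j_bar) iff i > i_bar, or i == i_bar and j >= j_bar."""
    (i, j), (ib, jb) = a, b
    return i > ib or (i == ib and j >= jb)


def order_matches_index(m: int) -> bool:
    """The pair order is exactly the integer order on k, which is why a key at
    (i, j) decrypts an encryption to (i_bar, j_bar) iff k >= k_bar."""
    pairs = [index_to_pair(k, m) for k in range(1, m * m + 1)]
    return all(
        pair_geq(a, b) == (pair_to_index(*a, m) >= pair_to_index(*b, m))
        for a in pairs
        for b in pairs
    )


def dot(u, v, N: int) -> int:
    """Inner product in Z_N."""
    return sum(a * b for a, b in zip(u, v)) % N


def chi_vectors(N: int, rx: int, ry: int, rz: int):
    """chi_1 = (r_x, 0, r_z), chi_2 = (0, r_y, r_z), chi_3 = chi_1 x chi_2."""
    chi1 = (rx % N, 0, rz % N)
    chi2 = (0, ry % N, rz % N)
    # cross product: (0*r_z - r_z*r_y, r_z*0 - r_x*r_z, r_x*r_y - 0*0)
    chi3 = ((-ry * rz) % N, (-rx * rz) % N, (rx * ry) % N)
    return chi1, chi2, chi3


def span_vector(chi1, chi2, nu1: int, nu2: int, N: int):
    """nu_1*chi_1 + nu_2*chi_2, an element of span{chi_1, chi_2}."""
    return tuple((nu1 * a + nu2 * b) % N for a, b in zip(chi1, chi2))


def random_chi(N: int):
    """Fresh (chi_1, chi_2, chi_3) from random r_x, r_y, r_z, as Encrypt_A does."""
    return chi_vectors(N, *(secrets.randbelow(N) for _ in range(3)))


if __name__ == "__main__":
    N = 1009 * 1013 * 1019          # constructed small modulus
    c1, c2, c3 = chi_vectors(N, 2, 3, 5)
    print(dot(c3, span_vector(c1, c2, 7, 11, N), N), dot(c3, (1, 2, 3), N))
    print(order_matches_index(4))
```

With $r_x, r_y, r_z = 2, 3, 5$ the vector $\boldsymbol{\chi}_3 = (-15, -10, 6)$ annihilates $7\boldsymbol{\chi}_1 + 11\boldsymbol{\chi}_2 = (14, 33, 90)$ but not the arbitrary vector $(1, 2, 3)$, mirroring the argument that rows $i > \bar{i}$ (with $\boldsymbol{v}_i$ in the span) decrypt regardless of $\mu_j\boldsymbol{\chi}_3$ while row $\bar{i}$ does not.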

Fig. 2. Outline for Security Analysis

Theorem 3. If $\Sigma_{NT}$ is secure (resp. selectively secure), then $\Sigma_A$ is Type-I message-hiding (resp. selectively Type-I message-hiding).

Proof. Suppose there is a PPT adversary $\mathcal{A}$ that can break $\Sigma_A$ in $\mathsf{Game}^{A}_{MH1}$ with non-negligible advantage $\mathsf{MH}^{A}_1\mathsf{Adv}_{\mathcal{A}}$; we construct a PPT algorithm $\mathcal{B}$ to break $\Sigma_{NT}$ with advantage $\mathsf{Adv}_{\mathcal{B}}^{\Sigma_{NT}}$, which equals $\mathsf{MH}^{A}_1\mathsf{Adv}_{\mathcal{A}}$.

Setup. $\mathcal{B}$ receives the public parameter $PP_{NT} = (N, G, G_T, e, g, g^{\boldsymbol{\beta}}, X_3, E = e(g, g)^\alpha)$ from the challenger, where $g \in G_{p_1}$ and $X_3 \in G_{p_3}$ are the generators of the subgroups $G_{p_1}$ and $G_{p_3}$ respectively, and $\boldsymbol{\beta} = (\beta_1, \ldots, \beta_d) \in \mathbb{Z}_N^d$ for $(d, d_0) \leftarrow \mathsf{SysParam}(\Gamma)$ and $\alpha \in \mathbb{Z}_N$ are randomly chosen. $\mathcal{B}$ picks random $\{\alpha'_i, r_i, z_i \in \mathbb{Z}_N\}_{i \in [m]}$, $\{c_j \in \mathbb{Z}_N\}_{j \in [m]}$, then gives $\mathcal{A}$ the public parameter $PP$:
$PP = \big(N, G, G_T, e, g, g^{\boldsymbol{\beta}}, X_3, \{E_i = E \cdot e(g, g)^{\alpha'_i}, G_i = g^{r_i}, Z_i = g^{z_i}\}_{i \in [m]}, \{H_j = g^{c_j}\}_{j \in [m]}\big)$.
Note that $\mathcal{B}$ implicitly chooses $\{\alpha_i \in \mathbb{Z}_N\}_{i \in [m]}$ such that $\alpha + \alpha'_i \equiv \alpha_i \bmod p_1$ for all $i \in [m]$.

Phase 1. To respond to $\mathcal{A}$'s query for $((i, j), X_{(i,j)})$, $\mathcal{B}$ submits $X_{(i,j)}$ to the challenger, and receives a secret key
$SK^{NT}_{X_{(i,j)}} = \big(X_{(i,j)},\ \tilde{K}_0 = g^{\alpha}\, g^{\beta_1\delta_1} \prod_{d=2}^{d_0} g^{\beta_d\phi_d(\boldsymbol{\beta}, \boldsymbol{\delta})}\, R_0,\ \tilde{K}_1 = g^{\delta_1} R_1,\ \tilde{K}_2 = g^{\phi_2(\boldsymbol{\beta}, \boldsymbol{\delta})} R_2,\ \ldots,\ \tilde{K}_{d_k} = g^{\phi_{d_k}(\boldsymbol{\beta}, \boldsymbol{\delta})} R_{d_k}\big)$,
where $(\boldsymbol{\phi} = (\phi_0, \phi_1, \ldots, \phi_{d_k}), d_\delta) \leftarrow \mathsf{KeyParam}(X_{(i,j)}, N)$, $\boldsymbol{\delta} = (\delta_1, \ldots, \delta_{d_\delta}) \in \mathbb{Z}_N^{d_\delta}$, $\boldsymbol{R} = (R_0, \ldots, R_{d_k}) \in G_{p_3}^{d_k+1}$.

$\mathcal{B}$ picks random $R'_0 \in G_{p_3}$, then responds to $\mathcal{A}$ with a secret key $SK_{(i,j),X_{(i,j)}}$ as
$SK_{(i,j),X_{(i,j)}} = \big((i, j), X_{(i,j)},\ K_0 = \tilde{K}_0 \cdot g^{r_ic_j + \alpha'_i},\ K_1 = \tilde{K}_1,\ K_2 = \tilde{K}_2,\ \ldots,\ K_{d_k} = \tilde{K}_{d_k},\ K'_0 = \tilde{K}_1^{z_i} \cdot R'_0\big)$.
Note that such a secret key has the same distribution as the secret key in the real Augmented ABE scheme, i.e. $SK_{(i,j),X_{(i,j)}} = ((i, j), X_{(i,j)}, \boldsymbol{K} = g^{\boldsymbol{\phi}(r_ic_j + \alpha_i, \boldsymbol{\beta}, \boldsymbol{\delta})} \cdot \boldsymbol{R}, K'_0 = Z_i^{\delta_1} R''_0)$, where $R''_0 = R_1^{z_i} R'_0$.

Challenge. $\mathcal{A}$ submits to $\mathcal{B}$ a ciphertext tag $Y$ and two equal-length messages $M_0, M_1$. $\mathcal{B}$ submits $(Y, M_0, M_1)$ to the challenger, and receives the challenge ciphertext in the form of $CT_{NT} = (Y, \boldsymbol{P}' = g^{\boldsymbol{\psi}(\boldsymbol{\beta}, \boldsymbol{\pi}')}, C = M_b \cdot e(g, g)^{\alpha\pi'})$, where $(\boldsymbol{\psi} = (\psi_1, \ldots, \psi_{d_c}), d_\pi) \leftarrow \mathsf{CiperParam}(Y, N)$, $\boldsymbol{\pi}' = (\pi', \pi'_1, \ldots, \pi'_{d_\pi}) \in \mathbb{Z}_N^{d_\pi+1}$. Note that $\boldsymbol{\psi}(\boldsymbol{\beta}, \boldsymbol{\pi})$ contains only linear combinations of the monomials $\pi, \pi_i, \pi\beta_j, \pi_i\beta_j$, and the first $d_0$ components of $\boldsymbol{P}'$ are $P'_1 = g^{\pi'}, P'_2 = g^{\beta_2\pi'}, \ldots, P'_{d_0} = g^{\beta_{d_0}\pi'}$. $\mathcal{B}$ creates a challenge ciphertext for $(\bar{i}, \bar{j}) = (1, 1)$ as follows:
1. $\mathcal{B}$ picks random $\boldsymbol{\pi}'' = (\pi'', \pi''_1, \ldots, \pi''_{d_\pi}) \in \mathbb{Z}_N^{d_\pi+1}$, then sets $\boldsymbol{P} = g^{\boldsymbol{\psi}(\boldsymbol{\beta}, \boldsymbol{\pi}'')} \cdot \boldsymbol{P}'^{-1}$. Here $\boldsymbol{P}'^{-1}$ means $(P'^{-1}_1, \ldots, P'^{-1}_{d_c})$. Since $\boldsymbol{\psi}(\boldsymbol{\beta}, \boldsymbol{\pi})$ contains only linear combinations of the monomials $\pi, \pi_i, \pi\beta_j, \pi_i\beta_j$, we have $\boldsymbol{P}'^{-1} = g^{\boldsymbol{\psi}(\boldsymbol{\beta}, -\boldsymbol{\pi}')}$, and hence $\boldsymbol{P} = g^{\boldsymbol{\psi}(\boldsymbol{\beta}, \boldsymbol{\pi}'' - \boldsymbol{\pi}')}$.
2. $\mathcal{B}$ picks random $\kappa, \tau, s'_1, \ldots, s'_m, t_1, \ldots, t_m \in \mathbb{Z}_N$, $\boldsymbol{v}_c, \boldsymbol{w}_1, \ldots, \boldsymbol{w}_m \in \mathbb{Z}_N^3$. $\mathcal{B}$ picks random $r_x, r_y, r_z \in \mathbb{Z}_N$, and sets $\boldsymbol{\chi}_1 = (r_x, 0, r_z)$, $\boldsymbol{\chi}_2 = (0, r_y, r_z)$, $\boldsymbol{\chi}_3 = \boldsymbol{\chi}_1 \times \boldsymbol{\chi}_2 = (-r_yr_z, -r_xr_z, r_xr_y)$. $\mathcal{B}$ picks random $\boldsymbol{v}_1 \in \mathbb{Z}_N^3$, and $\boldsymbol{v}_i \in \mathrm{span}\{\boldsymbol{\chi}_1, \boldsymbol{\chi}_2\}$ $\forall i \in \{2, \ldots, m\}$.
For each row $i \in [m]$ (note that $i \ge \bar{i}$ since $\bar{i} = 1$), $\mathcal{B}$ sets
$R_i = G_i^{s'_i\boldsymbol{v}_i} \cdot (P'_1)^{\frac{r_i}{\tau(\boldsymbol{v}_i \cdot \boldsymbol{v}_c)}\boldsymbol{v}_i}$, $R'_i = G_i^{\kappa s'_i\boldsymbol{v}_i} \cdot (P'_1)^{\frac{r_i\kappa}{\tau(\boldsymbol{v}_i \cdot \boldsymbol{v}_c)}\boldsymbol{v}_i}$, $Q_i = g^{\tau s'_i(\boldsymbol{v}_i \cdot \boldsymbol{v}_c)} \cdot P'_1$, $Q_{i,1} = g^{\beta_1\tau s'_i(\boldsymbol{v}_i \cdot \boldsymbol{v}_c)} Z_i^{t_i} g^{\beta_1\pi''}$, $Q_{i,2} = g^{\beta_2\tau s'_i(\boldsymbol{v}_i \cdot \boldsymbol{v}_c)} \cdot P'_2, \ldots, Q_{i,d_0} = g^{\beta_{d_0}\tau s'_i(\boldsymbol{v}_i \cdot \boldsymbol{v}_c)} \cdot P'_{d_0}$, $Q'_i = g^{t_i}$, $T_i = C \cdot e(g^{\alpha'_i}, P'_1) \cdot E_i^{\tau s'_i(\boldsymbol{v}_i \cdot \boldsymbol{v}_c)}$.
For each column $j \in [m]$ (note that $j \ge \bar{j}$ since $\bar{j} = 1$), $\mathcal{B}$ sets $C_j = H_j^{\tau\boldsymbol{v}_c} \cdot g^{\kappa\boldsymbol{w}_j}$, $C'_j = g^{\boldsymbol{w}_j}$.
3. $\mathcal{B}$ outputs the ciphertext $CT_Y$ as $CT_Y = \big(Y, \boldsymbol{P}, (R_i, R'_i, Q_i, \{Q_{i,d}\}_{d=1}^{d_0}, Q'_i, T_i)_{i=1}^{m}, (C_j, C'_j)_{j=1}^{m}\big)$.

Note that this $CT_Y$ is a well-formed ciphertext for ciphertext tag $Y$ and encryption index $(\bar{i}, \bar{j}) = (1, 1)$, implicitly setting $s_1, \ldots, s_m \in \mathbb{Z}_N$ and $\boldsymbol{\pi} = (\pi, \pi_1, \ldots, \pi_{d_\pi}) \in \mathbb{Z}_N^{d_\pi+1}$ by
$s_i \equiv s'_i + \dfrac{\pi'}{\tau(\boldsymbol{v}_i \cdot \boldsymbol{v}_c)} \bmod p_1$ $\forall i \in \{1, \ldots, m\}$, and $\boldsymbol{\pi} \equiv \boldsymbol{\pi}'' - \boldsymbol{\pi}' \bmod p_1$.

Phase 2. Same as Phase 1.

Guess. $\mathcal{A}$ gives $\mathcal{B}$ a bit $b'$. $\mathcal{B}$ gives $b'$ to the challenger. Since the distributions of the public parameter, secret keys and challenge ciphertext that $\mathcal{B}$ gives $\mathcal{A}$ are the same as in the real scheme, we have $\mathsf{Adv}_{\mathcal{B}}^{\Sigma_{NT}} = \mathsf{MH}^{A}_1\mathsf{Adv}_{\mathcal{A}}$.

Theorem 4. $\Sigma_A$ is Type-II message-hiding.

Proof. The argument for message-hiding in $\mathsf{Game}^{A}_{MH2}$ is straightforward, since an encryption to index $K + 1$ (i.e. $(m + 1, 1)$) contains no information about the message. The simulator simply runs $\mathsf{Setup}_A$ and $\mathsf{KeyGen}_A$ and encrypts $M_b$ under the challenge ciphertext tag $Y$ and index $(m + 1, 1)$. Since for all $i = 1$ to $m$, $T_i = E_i^{\hat{s}_i}$ contains no information about the message, the bit $b$ is perfectly hidden and $\mathsf{MH}^{A}_2\mathsf{Adv}_{\mathcal{A}} = 0$.

Now we investigate Theorem 5, where we prove the index-hiding property. As shown in Fig. 2, Theorem 5 follows from Lemma 1 and Lemma 2, and we need to prove Lemma 1 case by case. Here we use Assumption X to represent the assumptions that Lemma 1 is based on, and we will present the concrete assumptions when we prove Lemma 1 concretely.

Theorem 5. Suppose that Assumption X, the D3DH Assumption, and the DLIN Assumption hold.$^6$ Then no PPT adversary can selectively win $\mathsf{Game}^{A}_{IH}$ with non-negligible advantage.

Proof. It follows from Lemma 1 and Lemma 2 below.

Lemma 1. If Assumption X holds, then for $\bar{j} < m$, no PPT adversary can selectively distinguish between an encryption to $(\bar{i}, \bar{j})$ and to $(\bar{i}, \bar{j} + 1)$ in $\mathsf{Game}^{A}_{IH}$ with non-negligible advantage.

Proof. In $\mathsf{Game}^{A}_{IH}$ with index $(\bar{i}, \bar{j})$, let $Y$ be the challenge ciphertext tag; the restriction is that the adversary $\mathcal{A}$ does not query a secret key for an (index, key tag) pair $((i, j), X_{(i,j)})$ such that $((i, j) = (\bar{i}, \bar{j})) \wedge (\Gamma(X_{(i,j)}, Y) = 1)$. Under this restriction, there are two ways for $\mathcal{A}$ to take:
Case I: In the Key Query phase, $\mathcal{A}$ does not query a secret key with index $(\bar{i}, \bar{j})$.
Case II: In the Key Query phase, $\mathcal{A}$ queries a secret key with index $(\bar{i}, \bar{j})$. Let $X_{(\bar{i}, \bar{j})}$ be the corresponding key tag. The restriction requires that $\Gamma(X_{(\bar{i}, \bar{j})}, Y) \ne 1$.
Case I is easy to handle, as the adversary does not query a secret key with the challenge index $(\bar{i}, \bar{j})$. Case II captures the index-hiding requirement in that even if a user has a key with index $(\bar{i}, \bar{j})$, he cannot distinguish between an encryption to $(Y, (\bar{i}, \bar{j}))$ and to $(Y, (\bar{i}, \bar{j} + 1))$ if the corresponding key tag does not satisfy $\Gamma(X_{(\bar{i}, \bar{j})}, Y) = 1$. This is the most challenging part of achieving strong traceability. Actually, this is the only part that we cannot handle in a framework manner, and we have to prove this lemma for different schemes case by case.

Lemma 2. If Assumption X, the D3DH Assumption, and the DLIN Assumption hold, then for $1 \le \bar{i} \le m$, no PPT adversary can selectively distinguish between an encryption to $(\bar{i}, m)$ and to $(\bar{i} + 1, 1)$ in $\mathsf{Game}^{A}_{IH}$ with non-negligible advantage.

Proof. Similar to the proof of Lemma 6.3 in [11], to prove this lemma we define the following hybrid experiments: $H_1$: encrypt to $(\bar{i}, \bar{j} = m)$; $H_2$: encrypt to $(\bar{i}, \bar{j} = m + 1)$; and $H_3$: encrypt to $(\bar{i} + 1, 1)$. This lemma follows from Claim 1 and Claim 2 below.

Claim 1. If Assumption X holds, then no PPT adversary can selectively distinguish between experiments $H_1$ and $H_2$ with non-negligible advantage.

Proof. The proof is identical to that for Lemma 1.

Claim 2. If the D3DH and the DLIN Assumptions hold, then no PPT adversary can distinguish between experiments $H_2$ and $H_3$ with non-negligible advantage.

$^6$ Here D3DH and DLIN are the abbreviations of the widely accepted Decision 3-Party Diffie-Hellman Assumption and Decisional Linear Assumption, respectively. We refer to [11] for the details of these two assumptions.


More information

Adaptively secure identity-based broadcast encryption with a constant-sized ciphertext

Adaptively secure identity-based broadcast encryption with a constant-sized ciphertext University of Wollongong esearch Online Faculty of Engineering and Information Sciences - Papers: Part A Faculty of Engineering and Information Sciences 05 Adaptively secure identity-based broadcast encryption

More information

New Lower Bounds on Predicate Entropy for Function Private Public-Key Predicate Encryption

New Lower Bounds on Predicate Entropy for Function Private Public-Key Predicate Encryption New Lower Bounds on Predicate Entropy for Function Private Public-Key Predicate Encryption Sikhar Patranabis and Debdeep Mukhopadhyay Department of Computer Science and Engineering Indian Institute of

More information

Lecture 17: Constructions of Public-Key Encryption

Lecture 17: Constructions of Public-Key Encryption COM S 687 Introduction to Cryptography October 24, 2006 Lecture 17: Constructions of Public-Key Encryption Instructor: Rafael Pass Scribe: Muthu 1 Secure Public-Key Encryption In the previous lecture,

More information

Simple SK-ID-KEM 1. 1 Introduction

Simple SK-ID-KEM 1. 1 Introduction 1 Simple SK-ID-KEM 1 Zhaohui Cheng School of Computing Science, Middlesex University The Burroughs, Hendon, London, NW4 4BT, United Kingdom. m.z.cheng@mdx.ac.uk Abstract. In 2001, Boneh and Franklin presented

More information

Lectures 2+3: Provable Security

Lectures 2+3: Provable Security Lectures 2+3: Provable Security Contents 1 Motivation 1 2 Syntax 3 3 Correctness 5 4 Security Definitions 6 5 Important Cryptographic Primitives 8 6 Proofs of Security 10 7 Limitations of Provable Security

More information

Efficient Identity-Based Encryption Without Random Oracles

Efficient Identity-Based Encryption Without Random Oracles Efficient Identity-Based Encryption Without Random Oracles Brent Waters Abstract We present the first efficient Identity-Based Encryption (IBE) scheme that is fully secure without random oracles. We first

More information

An Introduction to Probabilistic Encryption

An Introduction to Probabilistic Encryption Osječki matematički list 6(2006), 37 44 37 An Introduction to Probabilistic Encryption Georg J. Fuchsbauer Abstract. An introduction to probabilistic encryption is given, presenting the first probabilistic

More information

Attribute-Based Encryption Schemes with Constant-Size Ciphertexts

Attribute-Based Encryption Schemes with Constant-Size Ciphertexts Attribute-Based Encryption Schemes with Constant-Size Ciphertexts Nuttapong Attrapadung 1, Javier Herranz 2, Fabien Laguillaume 3, Benoît Libert 4, Elie de Panafieu 5, and Carla Ràfols 2 1 Research Center

More information

Attribute-based Encryption & Delegation of Computation

Attribute-based Encryption & Delegation of Computation Lattices and Homomorphic Encryption, Spring 2013 Instructors: Shai Halevi, Tal Malkin Attribute-based Encryption & Delegation of Computation April 9, 2013 Scribe: Steven Goldfeder We will cover the ABE

More information

Universal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure Public-Key Encryption

Universal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure Public-Key Encryption Universal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure Public-Key Encryption Ronald Cramer Victor Shoup October 12, 2001 Abstract We present several new and fairly practical public-key

More information

A Strong Identity Based Key-Insulated Cryptosystem

A Strong Identity Based Key-Insulated Cryptosystem A Strong Identity Based Key-Insulated Cryptosystem Jin Li 1, Fangguo Zhang 2,3, and Yanming Wang 1,4 1 School of Mathematics and Computational Science, Sun Yat-sen University, Guangzhou, 510275, P.R.China

More information

A New Paradigm of Hybrid Encryption Scheme

A New Paradigm of Hybrid Encryption Scheme A New Paradigm of Hybrid Encryption Scheme Kaoru Kurosawa 1 and Yvo Desmedt 2 1 Ibaraki University, Japan kurosawa@cis.ibaraki.ac.jp 2 Dept. of Computer Science, University College London, UK, and Florida

More information

Ciphertext-Policy Hierarchical Attribute-Based Encryption with Short Ciphertexts: Efficiently Sharing Data among Large Organizations

Ciphertext-Policy Hierarchical Attribute-Based Encryption with Short Ciphertexts: Efficiently Sharing Data among Large Organizations Ciphertext-Policy Hierarchical Attribute-Based Encryption with Short Ciphertexts: Efficiently Sharing Data among Large Organizations Hua Deng a, Qianhong Wu* b, Bo Qin c, Josep Domingo-Ferrer d, Lei Zhang

More information

Efficient chosen ciphertext secure identity-based encryption against key leakage attacks

Efficient chosen ciphertext secure identity-based encryption against key leakage attacks SECURITY AND COMMUNICATION NETWORKS Security Comm Networks 26; 9:47 434 Published online 2 February 26 in Wiley Online Library (wileyonlinelibrarycom) DOI: 2/sec429 RESEARCH ARTICLE Efficient chosen ciphertext

More information

Contribution to functional encryption through encodings

Contribution to functional encryption through encodings University of Wollongong Research Online University of Wollongong Thesis Collection 1954-2016 University of Wollongong Thesis Collections 2016 Contribution to functional encryption through encodings Jongkil

More information

Outline Proxy Re-Encryption NTRU NTRUReEncrypt PS-NTRUReEncrypt Experimental results Conclusions. NTRUReEncrypt

Outline Proxy Re-Encryption NTRU NTRUReEncrypt PS-NTRUReEncrypt Experimental results Conclusions. NTRUReEncrypt NTRUReEncrypt An Efficient Proxy Re-Encryption Scheme based on NTRU David Nuñez, Isaac Agudo, and Javier Lopez Network, Information and Computer Security Laboratory (NICS Lab) Universidad de Málaga, Spain

More information

Unbounded HIBE and Attribute-Based Encryption

Unbounded HIBE and Attribute-Based Encryption Unbounded HIBE and ttribute-based Encryption llison Lewko University of Texas at ustin alewko@cs.utexas.edu Brent Waters University of Texas at ustin bwaters@cs.utexas.edu bstract In this work, we present

More information

White-Box Security Notions for Symmetric Encryption Schemes

White-Box Security Notions for Symmetric Encryption Schemes White-Box Security Notions for Symmetric Encryption Schemes Cécile Delerablée 1 Tancrède Lepoint 1,2 Pascal Paillier 1 Matthieu Rivain 1 CryptoExperts 1, École Normale Supérieure2 SAC 2013 Outline 1 What

More information

Matrix multiplication: a group-theoretic approach

Matrix multiplication: a group-theoretic approach CSG399: Gems of Theoretical Computer Science. Lec. 21-23. Mar. 27-Apr. 3, 2009. Instructor: Emanuele Viola Scribe: Ravi Sundaram Matrix multiplication: a roup-theoretic approach Given two n n matrices

More information

Lecture 11: Non-Interactive Zero-Knowledge II. 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian problem

Lecture 11: Non-Interactive Zero-Knowledge II. 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian problem CS 276 Cryptography Oct 8, 2014 Lecture 11: Non-Interactive Zero-Knowledge II Instructor: Sanjam Garg Scribe: Rafael Dutra 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian

More information

From Social Trust Assisted Reciprocity (STAR) to Utility-Optimal Mobile Crowdsensing

From Social Trust Assisted Reciprocity (STAR) to Utility-Optimal Mobile Crowdsensing From ocial Trust Assisted eciprocity (TA) to Utility-Optimal Mobile Crowdsensin Xiaowen Gon, Xu Chen, Junshan Zhan, H. Vincent Poor chool of Electrical, Computer and Enery Enineerin Arizona tate University,

More information

Advanced Topics in Cryptography

Advanced Topics in Cryptography Advanced Topics in Cryptography Lecture 6: El Gamal. Chosen-ciphertext security, the Cramer-Shoup cryptosystem. Benny Pinkas based on slides of Moni Naor page 1 1 Related papers Lecture notes of Moni Naor,

More information

Property Preserving Symmetric Encryption Revisited

Property Preserving Symmetric Encryption Revisited Property Preserving Symmetric Encryption Revisited Sanjit Chatterjee 1 and M. Prem Laxman Das 2 1 Department of Computer Science and Automation, Indian Institute of Science sanjit@csa.iisc.ernet.in 2 Society

More information

Anonymous Proxy Signature with Restricted Traceability

Anonymous Proxy Signature with Restricted Traceability Anonymous Proxy Signature with Restricted Traceability Jiannan Wei Joined work with Guomin Yang and Yi Mu University of Wollongong Outline Introduction Motivation and Potential Solutions Anonymous Proxy

More information

Equivocating Yao: Constant-Rounds Adaptively Secure Multiparty Computation in the Plain Model

Equivocating Yao: Constant-Rounds Adaptively Secure Multiparty Computation in the Plain Model Equivocatin Yao: Constant-Rounds Adaptively Secure Multiparty Computation in the Plain Model Ran Canetti Oxana Poburinnaya Muthuramakrishnan Venkitasubramaniam December 30, 2016 Abstract Yao s arblin scheme

More information

Adaptive Security of Compositions

Adaptive Security of Compositions emester Thesis in Cryptography Adaptive ecurity of Compositions Patrick Pletscher ETH Zurich June 30, 2005 upervised by: Krzysztof Pietrzak, Prof. Ueli Maurer Email: pat@student.ethz.ch In a recent paper

More information

A Fully Collusion Resistant Broadcast, Trace and Revoke System

A Fully Collusion Resistant Broadcast, Trace and Revoke System A Fully Collusion Resistant Broadcast, Trace and Revoke System Dan Boneh Brent Waters Abstract We introduce a simple primitive called Augmented Broadcast Encryption (ABE) that is sufficient for constructing

More information

Cryptography: The Landscape, Fundamental Primitives, and Security. David Brumley Carnegie Mellon University

Cryptography: The Landscape, Fundamental Primitives, and Security. David Brumley Carnegie Mellon University Cryptography: The Landscape, Fundamental Primitives, and Security David Brumley dbrumley@cmu.edu Carnegie Mellon University The Landscape Jargon in Cryptography 2 Good News: OTP has perfect secrecy Thm:

More information

CPSC 91 Computer Security Fall Computer Security. Assignment #3 Solutions

CPSC 91 Computer Security Fall Computer Security. Assignment #3 Solutions CPSC 91 Computer Security Assignment #3 Solutions 1. Show that breaking the semantic security of a scheme reduces to recovering the message. Solution: Suppose that A O( ) is a message recovery adversary

More information

Authentication. Chapter Message Authentication

Authentication. Chapter Message Authentication Chapter 5 Authentication 5.1 Message Authentication Suppose Bob receives a message addressed from Alice. How does Bob ensure that the message received is the same as the message sent by Alice? For example,

More information

Multiparty Computation

Multiparty Computation Multiparty Computation Principle There is a (randomized) function f : ({0, 1} l ) n ({0, 1} l ) n. There are n parties, P 1,...,P n. Some of them may be adversarial. Two forms of adversarial behaviour:

More information

Functional Encryption for Cascade Automata

Functional Encryption for Cascade Automata Functional Encryption for Cascade Automata by Dan Brownstein, Shlomi Dolev, Niv Gilboa The Lynne and William Frankel Center for Computer Science Department of Computer Science, Ben-Gurion University, Beer

More information

Shorter IBE and Signatures via Asymmetric Pairings

Shorter IBE and Signatures via Asymmetric Pairings Shorter IBE and Signatures via symmetric Pairings Jie Chen, Hoon Wei Lim, San Ling, Huaxiong Wang, and Hoeteck Wee 2, Division of Mathematical Sciences School of Physical & Mathematical Sciences Nanyang

More information

Computational security & Private key encryption

Computational security & Private key encryption Computational security & Private key encryption Emma Arfelt Stud. BSc. Software Development Frederik Madsen Stud. MSc. Software Development March 2017 Recap Perfect Secrecy Perfect indistinguishability

More information

CSA E0 312: Secure Computation September 09, [Lecture 9-10]

CSA E0 312: Secure Computation September 09, [Lecture 9-10] CSA E0 312: Secure Computation September 09, 2015 Instructor: Arpita Patra [Lecture 9-10] Submitted by: Pratik Sarkar 1 Summary In this lecture we will introduce the concept of Public Key Samplability

More information

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrosky. Lecture 4

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrosky. Lecture 4 CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrosky Lecture 4 Lecture date: January 26, 2005 Scribe: Paul Ray, Mike Welch, Fernando Pereira 1 Private Key Encryption Consider a game between

More information

Multi-Input Functional Encryption

Multi-Input Functional Encryption Multi-Input Functional Encryption S. Dov Gordon Jonathan Katz Feng-Hao Liu Elaine Shi Hong-Sheng Zhou Abstract Functional encryption (FE) is a powerful primitive enabling fine-grained access to encrypted

More information

Adaptively Simulation-Secure Attribute-Hiding Predicate Encryption

Adaptively Simulation-Secure Attribute-Hiding Predicate Encryption Adaptively Simulation-Secure Attribute-Hiding Predicate Encryption by Pratish Datta 1 joint work with Tatsuaki Okamoto 1 and Katsuyuki Takashima 2 1 NTT Secure Platform Laboratories 3-9-11 Midori-cho,

More information

Functional Encryption for Computational Hiding in Prime Order Groups via Pair Encodings

Functional Encryption for Computational Hiding in Prime Order Groups via Pair Encodings Functional Encryption for Computational Hiding in Prime Order Groups via Pair Encodings Jongkil Kim, Willy Susilo, Fuchun Guo, and Man Ho Au 2 Centre for Computer and Information Security Research School

More information

Cryptographically Enforced RBAC

Cryptographically Enforced RBAC Cryptographically Enforced RBAC Anna Lisa Ferrara 1, Georg Fuchsbauer 2, and Bogdan Warinschi 1 1 University of Bristol, UK, anna.lisa.ferrara@bristol.ac.uk,bogdan@cs.bris.ac.uk 2 Institute of Science

More information

Positive Results and Techniques for Obfuscation

Positive Results and Techniques for Obfuscation Positive Results and Techniques for Obfuscation Benjamin Lynn Stanford University Manoj Prabhakaran Princeton University February 28, 2004 Amit Sahai Princeton University Abstract Informally, an obfuscator

More information

6.892 Computing on Encrypted Data October 28, Lecture 7

6.892 Computing on Encrypted Data October 28, Lecture 7 6.892 Computing on Encrypted Data October 28, 2013 Lecture 7 Lecturer: Vinod Vaikuntanathan Scribe: Prashant Vasudevan 1 Garbled Circuits Picking up from the previous lecture, we start by defining a garbling

More information

On the security of Jhanwar-Barua Identity-Based Encryption Scheme

On the security of Jhanwar-Barua Identity-Based Encryption Scheme On the security of Jhanwar-Barua Identity-Based Encryption Scheme Adrian G. Schipor aschipor@info.uaic.ro 1 Department of Computer Science Al. I. Cuza University of Iași Iași 700506, Romania Abstract In

More information

CS 395T. Probabilistic Polynomial-Time Calculus

CS 395T. Probabilistic Polynomial-Time Calculus CS 395T Probabilistic Polynomial-Time Calculus Security as Equivalence Intuition: encryption scheme is secure if ciphertext is indistinguishable from random noise Intuition: protocol is secure if it is

More information

Lecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography

Lecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography Lecture 19: (Diffie-Hellman Key Exchange & ElGamal Encryption) Recall In private-key cryptography the secret-key sk is always established ahead of time The secrecy of the private-key cryptography relies

More information

Efficient Selective Identity-Based Encryption Without Random Oracles

Efficient Selective Identity-Based Encryption Without Random Oracles Efficient Selective Identity-Based Encryption Without Random Oracles Dan Boneh Xavier Boyen March 21, 2011 Abstract We construct two efficient Identity-Based Encryption (IBE) systems that admit selectiveidentity

More information

1 Number Theory Basics

1 Number Theory Basics ECS 289M (Franklin), Winter 2010, Crypto Review 1 Number Theory Basics This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his

More information

2 Message authentication codes (MACs)

2 Message authentication codes (MACs) CS276: Cryptography October 1, 2015 Message Authentication Codes and CCA2 Instructor: Alessandro Chiesa Scribe: David Field 1 Previous lecture Last time we: Constructed a CPA-secure encryption scheme from

More information

Functional Encryption for Regular Languages

Functional Encryption for Regular Languages Functional Encryption for Regular Languages Brent Waters 1 The University of Texas at Austin bwaters@cs.utexas.edu Abstract. We provide a functional encryption system that supports functionality for regular

More information

Adaptively Secure Puncturable Pseudorandom Functions in the Standard Model

Adaptively Secure Puncturable Pseudorandom Functions in the Standard Model Adaptively Secure Puncturable Pseudorandom Functions in the Standard Model Susan Hohenberger Johns Hopkins University susan@cs.hu.edu Brent Waters University of Texas at Austin bwaters@cs.utexas.edu November

More information

Provable security. Michel Abdalla

Provable security. Michel Abdalla Lecture 1: Provable security Michel Abdalla École normale supérieure & CNRS Cryptography Main goal: Enable secure communication in the presence of adversaries Adversary Sender 10110 10110 Receiver Only

More information

Disjunctions for Hash Proof Systems: New Constructions and Applications

Disjunctions for Hash Proof Systems: New Constructions and Applications Disjunctions for Hash Proof Systems: New Constructions and Applications Michel Abdalla, Fabrice Benhamouda, and David Pointcheval ENS, Paris, France Abstract. Hash Proof Systems were first introduced by

More information

On Black-Box Reductions between Predicate Encryption Schemes

On Black-Box Reductions between Predicate Encryption Schemes On Black-Box Reductions between Predicate Encryption Schemes Vipul Goyal Virendra Kumar Satya Lokam Mohammad Mahmoody February 20, 2012 Abstract We prove that there is no black-box construction of a threshold

More information

Dual System Encryption: Realizing Fully Secure IBE and HIBE under Simple Assumptions

Dual System Encryption: Realizing Fully Secure IBE and HIBE under Simple Assumptions Dual System Encryption: Realizing Fully Secure IBE and HIBE under Simple Assumptions Brent Waters University of Texas at Austin Abstract We present a new methodology for proving security of encryption

More information

On the (Im)possibility of Projecting Property in Prime-Order Setting

On the (Im)possibility of Projecting Property in Prime-Order Setting On the (Im)possibility of Projecting Property in Prime-Order Setting Jae Hong Seo Department of Mathematics, Myongji University, Yongin, Republic of Korea jaehongseo@mju.ac.r Abstract. Projecting bilinear

More information

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017 COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2017 Previously on COS 433 Takeaway: Crypto is Hard Designing crypto is hard, even experts get it wrong Just because I don t know

More information

Unbounded Inner Product Functional Encryption from Bilinear Maps

Unbounded Inner Product Functional Encryption from Bilinear Maps nbounded Inner Product Functional Encryption from Bilinear Maps Junichi Tomida and Katsuyuki Takashima 2 NTT tomida.junichi@lab.ntt.co.jp 2 Mitubishi Electric Takashima.Katsuyuki@aj.MitsubishiElectric.co.jp

More information

Lecture 1: Introduction to Public key cryptography

Lecture 1: Introduction to Public key cryptography Lecture 1: Introduction to Public key cryptography Thomas Johansson T. Johansson (Lund University) 1 / 44 Key distribution Symmetric key cryptography: Alice and Bob share a common secret key. Some means

More information

Strongly Unforgeable Signatures Based on Computational Diffie-Hellman

Strongly Unforgeable Signatures Based on Computational Diffie-Hellman Strongly Unforgeable Signatures Based on Computational Diffie-Hellman Dan Boneh 1, Emily Shen 1, and Brent Waters 2 1 Computer Science Department, Stanford University, Stanford, CA {dabo,emily}@cs.stanford.edu

More information

CS259C, Final Paper: Discrete Log, CDH, and DDH

CS259C, Final Paper: Discrete Log, CDH, and DDH CS259C, Final Paper: Discrete Log, CDH, and DDH Deyan Simeonov 12/10/11 1 Introduction and Motivation In this paper we will present an overview of the relations between the Discrete Logarithm (DL), Computational

More information

Reducing Depth in Constrained PRFs: From Bit-Fixing to NC 1

Reducing Depth in Constrained PRFs: From Bit-Fixing to NC 1 Reducing Depth in Constrained PRFs: From Bit-Fixing to NC 1 Nishanth Chandran Srinivasan Raghuraman Dhinakaran Vinayagamurthy Abstract The candidate construction of multilinear maps by Garg, Gentry, and

More information

The k-bdh Assumption Family: Bilinear Cryptography from Progressively Weaker Assumptions

The k-bdh Assumption Family: Bilinear Cryptography from Progressively Weaker Assumptions The k-bdh Assumption Family: Bilinear Cryptography from Progressively Weaker Assumptions Karyn Benson (UCSD) Hovav Shacham (UCSD) Brent Waters (UT-Austin) Provable Security How to show your cryptosystem

More information