On Enabling Attribute-Based Encryption to Be Traceable against Traitors
Zhen Liu (1) and Duncan S. Wong (2)
(1) Shanghai Jiao Tong University, China. liuzhen@sjtu.edu.cn
(2) CryptoBLK. duncanwong@cryptoblk.io

Abstract. Attribute-Based Encryption (ABE) is a versatile one-to-many encryption primitive which enables fine-grained access control over encrypted data. Due to its promising applications in practice, ABE has been attracting much attention in the community, and schemes with better security, access policy expressivity, and efficiency have been continuously emerging. On the other hand, due to the nature of ABE, namely that different users may share some common decryption privileges and a malicious user may leak those common decryption privileges for financial gain or other incentives, being able to identify such malicious users (i.e. traitor tracing) is crucial to the practicality of an ABE system. For some existing ABE schemes with appealing properties (e.g. full security, large universe), the corresponding traceable counterparts have been proposed. However, these works proceed case by case, and there are still many appealing ABE schemes without traceable counterparts. Furthermore, whenever a new ABE scheme emerges and we want to apply it in practice, it takes significant work to investigate it and propose its traceable counterpart. In this paper, we propose a framework to transform existing (and possibly future) ABE schemes into their traceable counterparts in a generic manner. In particular, by specifying some requirements on the structure of the ABE constructions, we propose an ABE template, and show that any ABE scheme satisfying this template can be transformed into a fully collusion-resistant blackbox traceable ABE scheme in a generic manner, at the cost of sublinear overhead, while keeping the appealing properties, such as fine-grained access control on encrypted data, highly expressive access policy, short ciphertext, and so on.
We prove all the security in the framework in the standard model, and we present a couple of existing ABE schemes with appealing properties as examples that do satisfy our ABE template.
Keywords: Attribute-Based Encryption, Traitor Tracing, Framework

1 Introduction

Attribute-Based Encryption (ABE), introduced by Sahai and Waters [29], is a versatile one-to-many encryption primitive which enables fine-grained access control over encrypted data. Due to its promising applications in practice, ABE has been attracting much attention in the community and undergoing significant development. Among the recently proposed ABE schemes [29,13,5,10,12,30,18,27,14,3,19,31,15,28,16,1], progress has been made on the schemes' security, access policy expressivity, and efficiency. For example, Lewko et al. [18] proposed the first fully secure ABE schemes, Lewko and Waters [19] proposed a new proof technique for achieving full security for ABE, Attrapadung et al. [3] proposed the first expressive Key-Policy ABE (KP-ABE) with constant-size ciphertexts, Rouselakis and Waters [28] proposed the first large universe ABE schemes (see footnote 3) which impose no limitations on the attribute sets or the access policies, Waters [31] proposed the first ABE scheme supporting regular languages as the access policy while the previous works support at most boolean formulas, and Attrapadung [1] proposed a series of fully secure ABE schemes which support regular languages, constant size ciphertexts, or large universe.
Footnote 3: In a large universe ABE scheme, the attribute universe can be exponentially large, any string can be used as an attribute, and attributes do not need to be pre-specified during setup.
Besides security, access policy expressivity, and efficiency, which are the three primary directions of ABE research, traitor tracing is a compulsory requirement for practical ABE schemes. In particular, taking Ciphertext-Policy ABE (CP-ABE) [13,5] as an example, ciphertext access policies do not have to contain any receivers' identities; more commonly, a CP-ABE policy is role-based and attributes are shared between multiple users. For example, the user with attributes {Bob, Mathematics, PhD Student} and the user with attributes {Carl, Mathematics, PhD Student} share the attributes {Mathematics, PhD Student}, and both of them can decrypt a ciphertext with policy (Mathematics AND PhD Student) OR Alumni. In practice, a malicious user whose attributes are shared with multiple other users might leak a decryption blackbox/device built from the user's decryption key, for financial gain or some other form of incentive, as the malicious user has little risk of being identified out of all the users who could build a decryption blackbox with identical decryption capability. Being able to identify this malicious user (referred to as a traitor) is crucial to the practicality of an ABE system. In a series of works [21,20,22,23,25,24], Liu et al. formalized the problem of traitor tracing for ABE and proposed traceable counterparts of some existing appealing ABE schemes. For example, [20,23] add fully collusion-resistant blackbox traceability to the fully secure CP-ABE scheme in [18], and [24] adds fully collusion-resistant blackbox traceability to the large universe CP-ABE scheme in [28]. Note that the schemes in [20,22,23,25,24] achieve fully collusion-resistant blackbox traceability (see footnote 4) at the cost of sublinear (i.e., linear in the square root of the number of users in the system) overhead, which is the most efficient level to date. While Liu et al.
[21,20,22,23,25,24] transformed several existing appealing ABE schemes into their traceable counterparts, there are still many other appealing ABE schemes for which no traceable counterparts have been proposed, for example, the fully secure ABE schemes in [1] which support regular languages, large universe, or constant size ciphertexts. Furthermore, we believe that in the future more and newer ABE schemes with better security, expressivity, efficiency and other appealing features will appear, and to be practical, these existing and future ABE schemes also need to be traceable against traitors. Investigating these schemes and proposing the traceable counterparts one by one will be a heavy workload. In this paper, we propose a framework to transform existing and future ABE schemes into their traceable counterparts in a generic manner. In particular, by specifying some requirements on the structure of the ABE constructions, we propose an ABE template, and show that any ABE scheme satisfying this template can be transformed into a fully collusion-resistant blackbox traceable ABE scheme in a generic manner, at the cost of sublinear overhead, while keeping the appealing properties of the underlying ABE schemes, such as fine-grained access control on encrypted data, highly expressive access policy, short ciphertext, and so on. The contributions of this framework are twofold: For the existing ABE schemes satisfying the template, the traceable counterparts can be given directly by applying the transformation framework. We indeed show that the appealing ABE schemes in [1], which are fully secure and support regular languages, constant size ciphertexts, or large universe, satisfy this template. In addition, we also show that the large universe CP-ABE scheme by Rouselakis and Waters [28] satisfies this template.
For the existing ABE schemes not satisfying the template, and for potential future ABE schemes, this framework provides a target which they can try to achieve in order to be transformed into traceable ones.

1.1 Our Results

First, as shown in "1. Definition" of Fig. 1, we define Traceable ABE by extending the definition of Conventional (non-traceable) ABE, i.e., (a) predefining the number of users in the system, (b) indexing the users with unique indexes, and (c) adding a tracing algorithm. As predefining the number of users in the system is a necessary setting for achieving blackbox traceability and does not undermine the capacity of ABE, i.e. enabling fine-grained access control on encrypted data, the Traceable ABE has the appealing properties of conventional ABE and additionally supports blackbox traceability. This part is carried out in Sec. 2.
Footnote 4: Fully collusion-resistant traceability means that the number of colluding users in constructing a decryption device is not limited and can be arbitrary.

Fig. 1. Outline.
1. Definition: from Conventional (non-traceable) ABE to Traceable ABE by (a) predefining the number of users in the system, (b) indexing the users with unique indexes, and (c) adding a tracing algorithm. Traceable ABE keeps (a) the appealing properties of ABE and adds (b) blackbox traceability.
2. Generic Construction/Transformation.
2-1. Definition of Augmented ABE: (a) modify the Encrypt algorithm to take one more parameter, an encryption index; (b) define the message-hiding and index-hiding properties. Augmented ABE provides (a) message-hiding and (b) index-hiding.
2-2. Transformation: an Augmented ABE scheme with the message-hiding and index-hiding properties implies a Traceable ABE scheme with blackbox traceability.
2-3. Generic Transformation: (a) define an ABE template for conventional non-traceable ABE; (b) propose a generic framework that transforms the ABE template into Augmented ABE, which in turn implies Traceable ABE; (c) enumerate a series of existing ABE schemes as instances of the ABE template. A conventional non-traceable ABE scheme complying with our ABE template is transformed into a Traceable ABE scheme by the transformation in 2-3 and then the one in 2-2.

The aim of this work is to transform existing (and even some future) conventional non-traceable ABE schemes into traceable counterparts, i.e. to propose a generic framework that enables ABE schemes to be traceable, as shown in "2. Generic Construction/Transformation" of Fig. 1. This aim is achieved in two steps. First, as shown in "2-1 Definition" and "2-2 Transformation" of Fig. 1, we define a simpler primitive called Augmented ABE (or AugABE for short) and show that an Augmented ABE implies a Traceable ABE. This part is carried out in Sec. 3. Then, as shown in "2-3 Generic Transformation" of Fig. 1, we propose a generic framework to transform Conventional non-traceable ABE into Augmented ABE. This part is carried out in Sec. 4.
Thus, for the conventional non-traceable ABE schemes that satisfy the proposed ABE template, the 2-3 Generic Transformation transforms them into Augmented ABE counterparts, and then the 2-2 Transformation transforms those Augmented ABE schemes into corresponding Traceable ABE schemes, which keep the appealing properties of the corresponding conventional non-traceable ABE schemes and additionally support blackbox traceability. More specifically, in Sec. 2.1, we present a general ABE definition which covers a variety of ABE systems, including CP-ABE, KP-ABE, ABE supporting boolean formulas, ABE supporting regular languages, etc., and has the potential to support blackbox traceability. Namely, we define a functional ABE system, which is identical to conventional non-traceable ABE, except that each user/decryption key is assigned and identified by a unique index $k \in \{1, \dots, K\}$ ($K$ is the number of users in the system). Note that predefining the number of users $K$ in the system is a necessary setting for achieving blackbox traceability; in practice this should not incur much concern, and it does not undermine the capacity of ABE, i.e. enabling fine-grained access control on encrypted data. In other words, except for this necessary setting, the functional ABE has all the appealing properties of conventional ABE, and additionally, as each user/decryption key is uniquely indexed, this functional ABE can support blackbox traceability and is referred to as Traceable ABE, as defined in Sec. 2.2. In Sec. 3.1, we define Augmented ABE by modifying the definition of Traceable ABE. In particular, Augmented ABE has four algorithms (Setup_A, KeyGen_A, Encrypt_A, Decrypt_A), where the setup, key generation,
and decryption algorithms, i.e., Setup_A, KeyGen_A, and Decrypt_A, are the same as those of Traceable ABE. The encryption algorithm Encrypt_A takes one more parameter $\bar{k} \in \{1, \dots, K+1\}$ than the original one in Traceable ABE, and the decryption criterion in Augmented ABE is changed in such a way that a message encrypted using ciphertext tag $Y$ and encryption index $\bar{k}$ can be recovered using a decryption key $SK_{k,X}$, which is identified by index $k \in \{1, \dots, K\}$ and associated with a key tag $X$, only if ($X$ matches $Y$) $\wedge$ ($k \ge \bar{k}$), where "$X$ matches $Y$" is the standard decryption criterion for conventional ABE and $k \ge \bar{k}$ is an additional requirement incurred by the encryption index $\bar{k}$. We define the message-hiding and (encryption-)index-hiding properties of Augmented ABE in Sec. 3.1, and in Sec. 3.2 we show that a message-hiding and index-hiding Augmented ABE scheme, say $\Sigma_A = (\mathrm{Setup}_A, \mathrm{KeyGen}_A, \mathrm{Encrypt}_A, \mathrm{Decrypt}_A)$, implies a secure Traceable ABE scheme $\Sigma = (\mathrm{Setup}_A, \mathrm{KeyGen}_A, \mathrm{Encrypt}, \mathrm{Decrypt}_A)$, where the encryption algorithm Encrypt is derived from Encrypt_A by always setting the encryption index to 1, and the tracing algorithm Trace is built on Encrypt_A by producing ciphertexts with index $\bar{k} \in \{1, \dots, K+1\}$ and feeding these ciphertexts to the decryption blackbox. The message-hiding property of Augmented ABE guarantees the security of the derived Traceable ABE, and the index-hiding property of Augmented ABE guarantees the traceability of the derived Traceable ABE. The definitions of Traceable ABE in Sec. 2, the definitions of Augmented ABE in Sec. 3.1, and the reduction of Traceable ABE to Augmented ABE in Sec. 3.2 are similar to previous work in [20,22,23,25,24]. While [20,23,25,24] focus on CP-ABE and [22] focuses on KP-ABE, this paper formalizes the definitions of Traceable ABE and Augmented ABE and the reduction of Traceable ABE to Augmented ABE in the most generic manner, which covers all kinds of ABE, including CP-ABE, KP-ABE, ABE supporting boolean formulas, ABE supporting regular languages, etc.
While re-formalizing these preliminaries is a necessary part, the major contribution of this paper lies in the generic transformation of Conventional non-traceable ABE into Augmented ABE, i.e. the 2-3 part in Fig. 1. In particular:
- We define an ABE template for Conventional non-traceable ABE. The template represents a type of ABE construction technique, so that it covers not only many existing important ABE schemes with appealing properties, but also possible future ABE schemes that take this template and the corresponding construction techniques into account when designed.
- We propose a generic framework that transforms the ABE template into Augmented ABE. This means that all the ABE schemes falling within the template can be transformed into their traceable counterparts, enjoying their original appealing properties plus fully collusion-resistant blackbox traceability. The overhead of the transformation (i.e. the overhead for fully collusion-resistant blackbox traceability) is linear in $\sqrt{K}$, i.e. the resulting Traceable ABE schemes achieve the most efficient level to date for fully collusion-resistant blackbox traceable systems.
- We prove the message-hiding and index-hiding properties of the resulting Augmented ABE in the standard model. The outline of the security analysis is given later in Fig. 2.
- We show that some existing appealing ABE schemes, i.e. the ones in [1] which are fully secure and support regular languages, constant size ciphertexts, and large universe, satisfy our ABE template. That is, we can obtain the traceable counterparts of these appealing ABE schemes by applying our generic transformation framework. To cover the appealing ABE schemes in [1], the template, as well as the generic transformation and the proof, are described on composite order groups. To be more general, we show that the template, the transformation, and the proof also work for schemes on prime order groups, and present the large universe CP-ABE scheme of Rouselakis and Waters [28] as an example.
We do not want to oversell our asymptotic result. Our method/framework considers and works for a subset of pairing-based ABE schemes, namely, those ABE schemes complying with our non-traceable ABE template, rather than ALL ABE schemes. For example, our framework is not applicable to lattice-based ABE schemes (e.g. [9]). Actually, so far there are no known results on lattice-based ABE schemes with traitor tracing. We would like to view our asymptotic result mainly as a stepping stone towards building practical ABE schemes. In particular, in retrospect, the ABE schemes by Waters [30], Lewko et al. [18], Lewko and Waters [19], Attrapadung [1], and so on, represent one of the main branches of ABE development, as well as a branch
of pairing-based ABE design/construction methods, and it is reasonable to believe that new ABE schemes in this branch will be proposed in the future. While these ABE schemes have been getting better security, policy expressivity, and/or efficiency, they did not consider or support traitor tracing, and this seriously limits their applicability in practice. Our asymptotic result equips the ABE schemes following this branch with traitor tracing functionality, while leaving it as future work to further reduce the overhead incurred by the traitor tracing functionality and to make other types of ABE schemes (e.g. the lattice-based ones) support traitor tracing.

2 ABE and Blackbox Traceability

In this section, we define a functional ABE and its security, which are similar to Conventional non-traceable ABE (e.g. [19,28]), except that we explicitly assign and identify users using unique indices. Then we formalize fully collusion-resistant traceability for this functional ABE. To be as general as possible, in the definitions of this functional ABE we use the terms ciphertext tag and key tag, rather than access policy and attributes. When the ciphertext tag is an attribute set and the key tag is a Boolean formula, it is a KP-ABE supporting Boolean formulas as policies; when the ciphertext tag is a Deterministic Finite Automaton (DFA) and the key tag is a string, it is a CP-ABE supporting DFAs as policies; and so on.

2.1 Attribute-Based Encryption and its Security

Attribute-Based Encryption Syntax. Given integers $a$ and $b$ where $a \le b$, let $[a, b]$ be the set $\{a, a+1, \dots, b\}$. Also, we use $[b]$ to denote the set $\{1, 2, \dots, b\}$. Let the relation $\Gamma : \mathcal{X} \times \mathcal{Y} \to \{0, 1\}$ be a predicate function that maps a pair of a key tag in a space $\mathcal{X}$ and a ciphertext tag in a space $\mathcal{Y}$ to $\{0, 1\}$. An Attribute-Based Encryption (ABE) scheme for predicate $\Gamma$ consists of the following algorithms:
$\mathrm{Setup}(\lambda, \Gamma, K) \to (PP, MSK)$.
The algorithm takes as input a security parameter $\lambda$, a predicate $\Gamma$, and the number of users in the system $K$, runs in time polynomial in $\lambda$, and outputs a public parameter $PP$ and a master secret key $MSK$.
$\mathrm{KeyGen}(PP, MSK, X) \to SK_{k,X}$. The algorithm takes as input $PP$, $MSK$, and a key tag $X \in \mathcal{X}$, and outputs a secret key $SK_{k,X}$ corresponding to $X$. The secret key is assigned and identified by a unique index $k \in [K]$.
$\mathrm{Encrypt}(PP, M, Y) \to CT_Y$. The algorithm takes as input $PP$, a message $M$, and a ciphertext tag $Y \in \mathcal{Y}$, and outputs a ciphertext $CT_Y$. $Y$ is included in $CT_Y$.
$\mathrm{Decrypt}(PP, CT_Y, SK_{k,X}) \to M$ or $\bot$. The algorithm takes as input $PP$, a ciphertext $CT_Y$, and a secret key $SK_{k,X}$, and outputs a message $M$ or $\bot$ indicating the failure of decryption.
Correctness. For all $X \in \mathcal{X}$, $Y \in \mathcal{Y}$, and messages $M$, suppose $(PP, MSK) \leftarrow \mathrm{Setup}(\lambda, \Gamma, K)$, $SK_{k,X} \leftarrow \mathrm{KeyGen}(PP, MSK, X)$, $CT_Y \leftarrow \mathrm{Encrypt}(PP, M, Y)$. If $\Gamma(X, Y) = 1$ then $\mathrm{Decrypt}(PP, CT_Y, SK_{k,X}) = M$.
Security. The security of an ABE scheme for predicate $\Gamma$ is defined using the following message-hiding game, which is a typical semantic security game and is similar to that for conventional ABE [19,28] security.
Game MH. The message-hiding game is defined between a challenger and an adversary A as follows:
Setup. The challenger runs $\mathrm{Setup}(\lambda, \Gamma, K)$ and gives the public parameter $PP$ to A.
Phase 1. For $i = 1$ to $Q_1$, A adaptively submits an (index, key tag) pair $(k_i, X_{k_i})$ to ask for a secret key for key tag $X_{k_i}$. For each $(k_i, X_{k_i})$ pair, the challenger responds with a secret key $SK_{k_i, X_{k_i}}$, which corresponds to key tag $X_{k_i}$ and has index $k_i$.
Challenge. A submits two equal-length messages $M_0, M_1$ and a ciphertext tag $Y$. The challenger flips a random coin $b \in \{0, 1\}$, and sends $CT_Y \leftarrow \mathrm{Encrypt}(PP, M_b, Y)$ to A.
Phase 2. For $i = Q_1 + 1$ to $Q$, A adaptively submits an (index, key tag) pair $(k_i, X_{k_i})$ to ask for a secret key for key tag $X_{k_i}$. For each $(k_i, X_{k_i})$ pair, the challenger responds with a secret key $SK_{k_i, X_{k_i}}$, which corresponds to key tag $X_{k_i}$ and has index $k_i$.
Guess. A outputs a guess $b' \in \{0, 1\}$ for $b$. A wins the game if $b' = b$ under the restriction that none of the queried $\{(k_i, X_{k_i})\}_{i=1}^{Q}$ can satisfy $\Gamma(X_{k_i}, Y) = 1$. The advantage of A is defined as $\mathrm{MHAdv}_A = |\Pr[b' = b] - \tfrac{1}{2}|$.
Definition 1. A $K$-user ABE scheme for predicate $\Gamma$ is secure if for all probabilistic polynomial time (PPT) adversaries A, $\mathrm{MHAdv}_A$ is negligible in $\lambda$. We say that a $K$-user ABE scheme for predicate $\Gamma$ is selectively secure if we add an Init stage before Setup where the adversary commits to the challenge ciphertext tag $Y$.
Remark: As pointed out in previous work [20,22,23,25,24], (1) although the KeyGen algorithm is responsible for determining/assigning the index of each user's secret key, to capture the security that an adversary can adaptively choose secret keys to corrupt, the above model allows A to specify the index when querying for a key, i.e., for $i = 1$ to $Q$, A submits pairs $(k_i, X_{k_i})$ for secret keys with key tags $X_{k_i}$, and the challenger assigns $k_i$ to be the index of the corresponding secret key, where $Q \le K$, $k_i \in [K]$, and $k_i \ne k_j$ for all $1 \le i \ne j \le Q$ (this is to ensure that each user/key can be uniquely identified by an index). (2) For $k_i \ne k_j$ it is not required that $X_{k_i} \ne X_{k_j}$, i.e., different users/keys may have the same key tag.

2.2 Blackbox Traceability

A ciphertext-tag-specific decryption blackbox D is described by a ciphertext tag $Y_D$ and a noticeable probability value $\epsilon$ (i.e. $\epsilon = 1/f(\lambda)$ for some polynomial $f$), and this blackbox D can decrypt ciphertexts generated under $Y_D$ with probability at least $\epsilon$. Such a blackbox reflects most practical scenarios, which include the key-like decryption blackbox for sale and the decryption blackbox found in the wild, as discussed in [20,23]. In particular, once a blackbox is found to be useful, i.e.
being able to decrypt ciphertexts (regardless of how this is found out; for example, an explicit description of the blackbox's decryption ability is given, or a law enforcement agency finds some clue), we can regard it as a ciphertext-tag-specific decryption blackbox with the corresponding ciphertext tag, which is associated with the ciphertexts that it can decrypt. We now define the tracing algorithm and traceability against ciphertext-tag-specific decryption blackboxes.
$\mathrm{Trace}^{D}(PP, Y_D, \epsilon) \to K_T \subseteq [K]$. Trace is an oracle algorithm that interacts with a ciphertext-tag-specific decryption blackbox D. Given the public parameter $PP$, a ciphertext tag $Y_D$, and a probability value $\epsilon$, the algorithm runs in time polynomial in $\lambda$ and $1/\epsilon$, and outputs an index set $K_T \subseteq [K]$ which identifies the set of malicious users. Note that $\epsilon$ has to be polynomially related to $\lambda$, i.e. $\epsilon = 1/f(\lambda)$ for some polynomial $f$.
Traceability. The following tracing game captures the notion of fully collusion-resistant traceability against ciphertext-tag-specific decryption blackboxes. In the game, the adversary's goal is to build a decryption blackbox D that can decrypt ciphertexts under some ciphertext tag $Y_D$. The tracing algorithm, on the other side, is designed to extract the index of at least one of the malicious users whose decryption keys have been used for constructing D.
Game TR. The tracing game is defined between a challenger and an adversary A as follows:
Setup. The challenger runs $\mathrm{Setup}(\lambda, \Gamma, K)$ and gives the public parameter $PP$ to A.
Key Query. For $i = 1$ to $Q$, A adaptively submits an (index, key tag) pair $(k_i, X_{k_i})$ to ask for a secret key for key tag $X_{k_i}$. For each $(k_i, X_{k_i})$ pair, the challenger responds with a secret key $SK_{k_i, X_{k_i}}$, which corresponds to key tag $X_{k_i}$ and has index $k_i$.
Decryption Blackbox Generation. A outputs a decryption blackbox D associated with a ciphertext tag $Y_D$ and a non-negligible probability value $\epsilon$.
Tracing. The challenger runs $\mathrm{Trace}^{D}(PP, Y_D, \epsilon)$ to obtain an index set $K_T \subseteq [K]$.
Let $K_D = \{k_i \mid 1 \le i \le Q\}$ be the index set of the secret keys corrupted by the adversary. We say that A wins the game if the following two conditions hold:
1. $\Pr[D(\mathrm{Encrypt}(PP, M, Y_D)) = M] \ge \epsilon$, where the probability is taken over the random choice of the message $M$ and the random coins of D. A decryption blackbox satisfying this condition is said to be a useful ciphertext-tag-specific decryption blackbox.
2. $K_T = \emptyset$, or $K_T \not\subseteq K_D$, or ($\Gamma(X_{k_t}, Y_D) \ne 1$ for all $k_t \in K_T$).
We denote by $\mathrm{TRAdv}_A$ the probability that A wins.
Remark: For a useful ciphertext-tag-specific decryption blackbox D, the traced $K_T$ must satisfy $(K_T \ne \emptyset) \wedge (K_T \subseteq K_D) \wedge (\exists k_t \in K_T \text{ s.t. } \Gamma(X_{k_t}, Y_D) = 1)$ for traceability. (1) $(K_T \ne \emptyset) \wedge (K_T \subseteq K_D)$ captures the preliminary traceability that the tracing algorithm can extract at least one malicious user and the coalition of malicious users cannot frame any innocent user. (2) $\exists k_t \in K_T$ s.t. $\Gamma(X_{k_t}, Y_D) = 1$ captures the strong traceability that the tracing algorithm can extract at least one malicious user whose secret key enables D to have the decryption ability corresponding to $Y_D$. We refer to [17,20] for why strong traceability is desirable. Note that, as in [7,8,11,17,20], we are modeling a stateless (resettable) decryption blackbox: such a blackbox is just an oracle and maintains no state between activations. Also note that we are modeling public traceability, namely, the Trace algorithm does not need any secrets and anyone can perform the tracing.
Definition 2. A $K$-user ABE scheme for predicate $\Gamma$ is traceable against ciphertext-tag-specific decryption blackboxes if for all PPT adversaries A, $\mathrm{TRAdv}_A$ is negligible in $\lambda$. We say that a $K$-user ABE scheme for predicate $\Gamma$ is selectively traceable against ciphertext-tag-specific decryption blackboxes if we add an Init stage before Setup where the adversary commits to the ciphertext tag $Y_D$.

3 Augmented Attribute-Based Encryption

As outlined in Sec. 1.1, we now define Augmented ABE (or AugABE for short) from the ABE above and formalize its message-hiding and index-hiding notions, then show that a message-hiding and index-hiding AugABE can be transformed into a secure ABE with blackbox traceability.
3.1 Definitions

An AugABE scheme has four algorithms: Setup_A, KeyGen_A, Encrypt_A, and Decrypt_A. The setup algorithm Setup_A and the key generation algorithm KeyGen_A are the same as those of ABE, respectively. The encryption algorithm takes one more parameter $\bar{k} \in [K+1]$ as input, and is defined as follows.
$\mathrm{Encrypt}_A(PP, M, Y, \bar{k}) \to CT_Y$. The algorithm takes as input $PP$, a message $M$, a ciphertext tag $Y$, and an index $\bar{k} \in [K+1]$, and outputs a ciphertext $CT_Y$. $Y$ is included in $CT_Y$, but the value of $\bar{k}$ is not.
The decryption algorithm Decrypt_A is also defined in the same way as that of ABE. However, the correctness definition is changed to the following.
Correctness. For all $X \in \mathcal{X}$, $Y \in \mathcal{Y}$, $\bar{k} \in [K+1]$, and messages $M$, suppose $(PP, MSK) \leftarrow \mathrm{Setup}_A(\lambda, \Gamma, K)$, $SK_{k,X} \leftarrow \mathrm{KeyGen}_A(PP, MSK, X)$, $CT_Y \leftarrow \mathrm{Encrypt}_A(PP, M, Y, \bar{k})$. If $(\Gamma(X, Y) = 1) \wedge (k \ge \bar{k})$ then $\mathrm{Decrypt}_A(PP, CT_Y, SK_{k,X}) = M$.
Note that during decryption, as long as $\Gamma(X, Y) = 1$, the decryption algorithm outputs a message, but only when $k \ge \bar{k}$ is the output equal to the correct message; that is, $k \ge \bar{k}$ is an additional condition, and $SK_{k,X}$ can correctly decrypt a ciphertext under $(Y, \bar{k})$ if and only if $(\Gamma(X, Y) = 1) \wedge (k \ge \bar{k})$. If we always set $\bar{k} = 1$, the functions of AugABE are identical to those of ABE. In fact, the idea behind transforming an AugABE into a traceable ABE, which we show shortly, is to construct an AugABE with the index-hiding property, and then always set $\bar{k} = 1$ in normal encryption, while using $\bar{k} \in [K+1]$ to generate ciphertexts for tracing.
Security. We define the security of AugABE via three games. The first game is a message-hiding game and says that a ciphertext created using index 1 is unreadable to users whose key tags do not satisfy
the ciphertext tag. The second game is a message-hiding game and says that a ciphertext created using index $K+1$ is unreadable by anyone. The third game is an index-hiding game and captures the intuition that a ciphertext created using index $\bar{k}$ reveals no non-trivial information about $\bar{k}$.
Game$^A_{\mathrm{MH}_1}$. The message-hiding game Game$^A_{\mathrm{MH}_1}$ is similar to Game MH except that the Challenge phase is:
Challenge. A submits two equal-length messages $M_0, M_1$ and a ciphertext tag $Y$. The challenger flips a random coin $b \in \{0, 1\}$, and sends $CT_Y \leftarrow \mathrm{Encrypt}_A(PP, M_b, Y, 1)$ to A.
A wins the game if $b' = b$ under the restriction that none of the queried $\{(k_i, X_{k_i})\}_{i=1}^{Q}$ can satisfy $\Gamma(X_{k_i}, Y) = 1$. The advantage of A is defined as $\mathrm{MH}^A_1\mathrm{Adv}_A = |\Pr[b' = b] - \tfrac{1}{2}|$.
Definition 3. A $K$-user Augmented ABE scheme for predicate $\Gamma$ is Type-I message-hiding if for all PPT adversaries A the advantage $\mathrm{MH}^A_1\mathrm{Adv}_A$ is negligible in $\lambda$. We say that an Augmented ABE scheme for predicate $\Gamma$ is selectively Type-I message-hiding if we add an Init stage before Setup where the adversary commits to the challenge ciphertext tag $Y$.
Game$^A_{\mathrm{MH}_2}$. The message-hiding game Game$^A_{\mathrm{MH}_2}$ is similar to Game MH except that the Challenge phase is:
Challenge. A submits two equal-length messages $M_0, M_1$ and a ciphertext tag $Y$. The challenger flips a random coin $b \in \{0, 1\}$, and sends $CT_Y \leftarrow \mathrm{Encrypt}_A(PP, M_b, Y, K+1)$ to A.
A wins the game if $b' = b$. The advantage of A is defined as $\mathrm{MH}^A_2\mathrm{Adv}_A = |\Pr[b' = b] - \tfrac{1}{2}|$.
Definition 4. A $K$-user Augmented ABE scheme for predicate $\Gamma$ is Type-II message-hiding if for all PPT adversaries A the advantage $\mathrm{MH}^A_2\mathrm{Adv}_A$ is negligible in $\lambda$.
Game$^A_{\mathrm{IH}}$. The index-hiding game captures that, for any ciphertext tag $Y$, without a secret key $SK_{\bar{k}, X_{\bar{k}}}$ such that $\Gamma(X_{\bar{k}}, Y) = 1$, an adversary cannot distinguish between a ciphertext under $(Y, \bar{k})$ and one under $(Y, \bar{k}+1)$. The game proceeds as follows:
Setup. The challenger runs $\mathrm{Setup}_A(\lambda, \Gamma, K)$ and gives the public parameter $PP$ to A.
Key Query.
For $i = 1$ to $Q$, A adaptively submits an (index, key tag) pair $(k_i, X_{k_i})$ to ask for a secret key for key tag $X_{k_i}$. For each $(k_i, X_{k_i})$ pair, the challenger responds with a secret key $SK_{k_i, X_{k_i}}$, which corresponds to key tag $X_{k_i}$ and has index $k_i$.
Challenge. A submits a message $M$ and a ciphertext tag $Y$. The challenger flips a random coin $b \in \{0, 1\}$, and sends $CT_Y \leftarrow \mathrm{Encrypt}_A(PP, M, Y, \bar{k} + b)$ to A.
Guess. A outputs a guess $b' \in \{0, 1\}$ for $b$. A wins the game if $b' = b$ under the restriction that none of the queried pairs $\{(k_i, X_{k_i})\}_{i=1}^{Q}$ can satisfy $(k_i = \bar{k}) \wedge (\Gamma(X_{k_i}, Y) = 1)$. The advantage of A is defined as $\mathrm{IH}^A\mathrm{Adv}_A[\bar{k}] = |\Pr[b' = b] - \tfrac{1}{2}|$.
Definition 5. A $K$-user Augmented ABE scheme for predicate $\Gamma$ is index-hiding if for all PPT adversaries A the advantages $\mathrm{IH}^A\mathrm{Adv}_A[\bar{k}]$ for $\bar{k} = 1, \dots, K$ are negligible in $\lambda$. We say that an Augmented ABE scheme for predicate $\Gamma$ is selectively index-hiding if we add an Init stage before Setup where the adversary commits to the challenge ciphertext tag $Y$.

3.2 The Reduction of Traceable ABE to Augmented ABE

Let $\Sigma_A = (\mathrm{Setup}_A, \mathrm{KeyGen}_A, \mathrm{Encrypt}_A, \mathrm{Decrypt}_A)$ be an AugABE, and define $\mathrm{Encrypt}(PP, M, Y) = \mathrm{Encrypt}_A(PP, M, Y, 1)$; then $\Sigma = (\mathrm{Setup}_A, \mathrm{KeyGen}_A, \mathrm{Encrypt}, \mathrm{Decrypt}_A)$ is an ABE derived from $\Sigma_A$. In the following, we show that if $\Sigma_A$ is Type-I message-hiding, then $\Sigma$ is secure w.r.t. Def. 1. Furthermore, we propose a tracing algorithm Trace for $\Sigma$ and show that if $\Sigma_A$ is Type-II message-hiding and index-hiding, then $\Sigma$ equipped with Trace is traceable w.r.t. Def. 2.
3.2.1 ABE Security

Theorem 1. If $\Sigma_A$ is Type-I message-hiding (resp. selectively Type-I message-hiding), then $\Sigma$ is secure (resp. selectively secure).
Proof. The proof is similar to that in [20,23]. Due to the page limitation, we omit the details here.

3.2.2 ABE Traceability

We now propose a tracing algorithm Trace, which uses a general tracing method previously used in [6,26,7,8,11,20], and show that, equipped with Trace, $\Sigma$ is traceable w.r.t. Def. 2.
$\mathrm{Trace}^{D}(PP, Y_D, \epsilon) \to K_T \subseteq [K]$: Given a ciphertext-tag-specific decryption blackbox D associated with a ciphertext tag $Y_D$ and probability $\epsilon > 0$, the tracing algorithm works as follows:
1. For $k = 1$ to $K+1$, do the following:
(a) Repeat the following $8\lambda N/\epsilon^2$ times:
i. Sample $M$ from the message space at random.
ii. Let $CT_{Y_D} \leftarrow \mathrm{Encrypt}_A(PP, M, Y_D, k)$.
iii. Query oracle D on input $CT_{Y_D}$, and compare the output of D with $M$.
(b) Let $\hat{p}_k$ be the fraction of times that D decrypted the ciphertexts correctly.
2. Let $K_T$ be the set of all $k \in [K]$ for which $\hat{p}_k - \hat{p}_{k+1} \ge \epsilon/(4K)$. Output $K_T$ as the index set of the decryption keys of malicious users.
Theorem 2. If $\Sigma_A$ is Type-II message-hiding and index-hiding (resp. selectively index-hiding), then $\Sigma$ is traceable (resp. selectively traceable).
Proof. The proof is similar to that in [20,23]. Due to the page limitation, we omit the details here.

4 Transforming a Non-Traceable ABE into an Augmented ABE

In this section, we first formalize the notion of Pair Encoding Scheme in Sec. 4.1, which is the core component of the conventional non-traceable ABE template we propose in Sec. 4.2. Then in Sec. 4.3 we propose the generic transformation from the ABE template to Augmented ABE, and in Sec. 4.4 we prove the security of the resulting Augmented ABE. Note that the ABE template, the transformation, and the proof in this section are described in composite order bilinear groups, but as shown later in Sec. 5, all of these also work in prime order bilinear groups.
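The following is an added simulation of the Trace algorithm above; it is not code from the paper. The AugABE itself is replaced by its correctness rule: an idealised blackbox D, built from a constructed set of corrupted (index, key tag) pairs, can decrypt a ciphertext carrying encryption index $k$ only if it holds some $SK_{k_i, X}$ with $\Gamma(X, Y_D) = 1$ and $k_i \ge k$, and otherwise learns nothing about $k$ (the index-hiding assumption). The predicate (an AND-policy over attribute sets), the parameters $K$, $\epsilon$, the blackbox's true success rate and the reduced per-index sample count are all constructed for the example.

```python
import random

# Constructed parameters (not from the paper): K users, the claimed success bound eps
# for the blackbox, and a per-index sample count.  The paper repeats each index
# 8*lambda*N/eps^2 times; TRIALS is a scaled-down stand-in for that.
K = 8
EPS = 0.5
TRIALS = 40000


def gamma(X, Y):
    """Constructed predicate: an AND policy Y (a set of attributes) is satisfied by
    key tag X (the user's attribute set) iff Y is a subset of X."""
    return Y <= X


def make_blackbox(corrupted_keys, Y_D, success_prob, rng):
    """Idealised ciphertext-tag-specific decryption blackbox D built from the
    corrupted (index, key tag) pairs.  It follows the augmented correctness rule:
    SK_{k,X} decrypts a ciphertext under (Y_D, k_bar) iff Gamma(X, Y_D) = 1 and
    k >= k_bar.  When some corrupted key can decrypt, D answers correctly with
    probability success_prob; otherwise its output is garbage, modelling the
    index-hiding assumption (D has no other way to learn k_bar).  D is stateless:
    each answer depends only on the ciphertext index and fresh coins."""
    def decrypts(k_bar):
        usable = any(gamma(X, Y_D) and k >= k_bar for k, X in corrupted_keys)
        return usable and rng.random() < success_prob
    return decrypts


def estimate_rates(blackbox, K, trials):
    """Step 1 of Trace: for k = 1..K+1 feed D ciphertexts with encryption index k
    and record the fraction it decrypts correctly (returned as p_hat[k-1])."""
    return [sum(blackbox(k) for _ in range(trials)) / trials for k in range(1, K + 2)]


def trace(blackbox, K, eps, trials):
    """Step 2 of Trace: output every k in [K] whose success rate drops by at least
    eps/(4K) when the encryption index moves from k to k+1."""
    p_hat = estimate_rates(blackbox, K, trials)
    return {k for k in range(1, K + 1) if p_hat[k - 1] - p_hat[k] >= eps / (4 * K)}


def demo():
    """Three corrupted keys (constructed).  User 7's attributes do not satisfy Y_D,
    so that key contributes nothing to D.  Returns the traced index set."""
    rng = random.Random(2024)
    Y_D = {"Mathematics", "PhD Student"}
    corrupted = [
        (2, {"Bob", "Mathematics", "PhD Student"}),
        (5, {"Carl", "Mathematics", "PhD Student"}),
        (7, {"Dana", "Physics", "PhD Student"}),
    ]
    box = make_blackbox(corrupted, Y_D, success_prob=0.8, rng=rng)
    return trace(box, K, EPS, TRIALS)


if __name__ == "__main__":
    print(demo())
```

Running `demo()` returns `{5}`: the highest-indexed usable key masks the lower ones (D also decrypts index-2 ciphertexts with key 5), so the success rate stays near 0.8 for $k \le 5$ and falls to 0 at $k = 6$. The traced user is in $K_D$ and satisfies $\Gamma$ under $Y_D$, which is exactly the strong traceability condition; user 7, although corrupted, is not output because that key never helps D decrypt under $Y_D$, and no innocent user can appear because the drop can only occur at an index D actually holds a usable key for.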
4.1 Pair Encoding Scheme: Syntax

The notion of Pair Encoding Scheme here is inspired by the work of Attrapadung [1]. Attrapadung [1] proposed the notion of Pair Encoding Scheme, including syntax and security definitions, and proved the full security of some Functional Encryption schemes based on the security of the corresponding Pair Encoding Scheme instantiations. Here we borrow the term Pair Encoding Scheme, and actually we only use the syntax to abstract the structures of the non-traceable ABE schemes which we aim to transform to AugABE, without considering or using the security properties of Pair Encoding Scheme.

A Pair Encoding Scheme for predicate $\Gamma$ consists of four deterministic algorithms (SysParam, KeyParam, CiperParam, DecPair):

$\mathsf{SysParam}(\Gamma) \to (d, d_0)$. It takes as input a predicate $\Gamma : \mathcal{X} \times \mathcal{Y} \to \{0,1\}$ and outputs two integers $d$ and $d_0$. $d$ is used to specify the number of common variables in KeyParam and CiperParam, and $d_0 \le d$ will be used to specify the requirements of the ABE template. For the default notation, let $\alpha$ and $\beta = (\beta_1, \ldots, \beta_d)$ denote the list of common variables.

$\mathsf{KeyParam}(X, N) \to (\phi = (\phi_0, \phi_1, \ldots, \phi_{d_k}), d_\delta)$. It takes as inputs $N \in \mathbb{N}$ and a key tag $X \in \mathcal{X}$, and outputs a sequence of polynomials $\phi = (\phi_0, \phi_1, \ldots, \phi_{d_k})$ with coefficients in $\mathbb{Z}_N$ and an integer $d_\delta$ that specifies the number of its own variables. Let $\delta = (\delta_1, \ldots, \delta_{d_\delta})$ be the variables; we require that each polynomial $\phi_z$ ($0 \le z \le d_k$) is a linear combination of monomials $\alpha$, $\delta_i$, $\delta_i\beta_j$, where $\alpha$ and $\beta = (\beta_1, \ldots, \beta_d)$ are the common variables. For simplicity, we write $\phi(\alpha, \beta, \delta) = (\phi_0(\alpha, \beta, \delta), \phi_1(\alpha, \beta, \delta), \ldots, \phi_{d_k}(\alpha, \beta, \delta))$.

$\mathsf{CiperParam}(Y, N) \to (\psi = (\psi_1, \ldots, \psi_{d_c}), d_\pi)$. It takes as inputs $N \in \mathbb{N}$ and a ciphertext tag $Y \in \mathcal{Y}$, and outputs a sequence of polynomials $\psi = (\psi_1, \ldots, \psi_{d_c})$ with coefficients in $\mathbb{Z}_N$ and an integer $d_\pi$ that specifies the number of its own variables. Let $\pi = (\pi, \pi_1, \ldots, \pi_{d_\pi})$ be the variables; we require that each polynomial $\psi_z$ ($1 \le z \le d_c$) is a linear combination of monomials $\pi$, $\pi_i$, $\pi\beta_j$, $\pi_i\beta_j$, where $\beta = (\beta_1, \ldots, \beta_d)$ are the common variables. For simplicity, we write $\psi(\beta, \pi) = (\psi_1(\beta, \pi), \ldots, \psi_{d_c}(\beta, \pi))$.

$\mathsf{DecPair}(X, Y, N) \to E$. It takes as inputs $N \in \mathbb{N}$, a key tag $X \in \mathcal{X}$, and a ciphertext tag $Y \in \mathcal{Y}$, and outputs $E \in \mathbb{Z}_N^{(d_k+1) \times d_c}$.

Correctness. The correctness requirement is defined as follows. First, for any $N \in \mathbb{N}$, $X \in \mathcal{X}$, $Y \in \mathcal{Y}$, let $(\phi = (\phi_0, \phi_1, \ldots, \phi_{d_k}), d_\delta) \leftarrow \mathsf{KeyParam}(X, N)$, $(\psi = (\psi_1, \ldots, \psi_{d_c}), d_\pi) \leftarrow \mathsf{CiperParam}(Y, N)$, and $E \leftarrow \mathsf{DecPair}(X, Y, N)$. If $\Gamma(X, Y) = 1$, then for any $\alpha$, $\beta = (\beta_1, \ldots, \beta_d)$, $\delta = (\delta_1, \ldots, \delta_{d_\delta})$, $\pi = (\pi, \pi_1, \ldots, \pi_{d_\pi})$, we have
$$\phi(\alpha, \beta, \delta)\, E\, \psi(\beta, \pi)^T = \alpha\pi,$$
where the equality holds symbolically. Note that since $\phi(\alpha, \beta, \delta)\, E\, \psi(\beta, \pi)^T = \sum_{i \in [0, d_k],\, j \in [1, d_c]} E_{i,j}\, \phi_i \psi_j$, this correctness amounts to checking whether there is a linear combination of the $\phi_i\psi_j$ terms that sums to $\alpha\pi$. Second, for $p$ that divides $N$, if we let $\mathsf{KeyParam}(X, N) \to (\phi = (\phi_0, \phi_1, \ldots, \phi_{d_k}), d_\delta)$ and $\mathsf{KeyParam}(X, p) \to (\phi' = (\phi'_0, \phi'_1, \ldots, \phi'_{d_k}), d_\delta)$, then it holds that $\phi \bmod p = \phi'$. The requirement for CiperParam is similar.

Remark. We mandate that the variables used in KeyParam and those in CiperParam are different, except only for the common variables $\alpha$ and $\beta$. We remark that in the syntax all variables are only symbolic: no probability distributions have been assigned to them yet. We will assign these in the later ABE template construction. Note that $d_\delta, d_k$ can depend on $X$ and $d_\pi, d_c$ can depend on $Y$. We also remark that each polynomial in $\phi, \psi$ has no constant term.

4.2 A Template for Non-traceable ABE Constructions

Below, we first review Composite Order Bilinear Groups and some notations. Then, from a Pair Encoding Scheme, by adding some additional requirements, we define a template for conventional non-traceable ABE constructions, which works on composite order bilinear groups. We would like to point out that, as shown later in Sec. 5, the template can be easily changed to one on prime order bilinear groups, and the transformation from the non-traceable ABE template to Augmented ABE, as well as the proof, work well on prime order bilinear groups.

Composite Order Bilinear Groups. Let $\mathcal{G}$ be a group generator, which takes a security parameter $\lambda$ and outputs $(p_1, p_2, p_3, G, G_T, e)$ where $p_1, p_2, p_3$ are distinct primes, $G$ and $G_T$ are cyclic groups of order $N = p_1 p_2 p_3$, and $e : G \times G \to G_T$ is a map such that: (1) Bilinear: $\forall g, h \in G$, $a, b \in \mathbb{Z}_N$, $e(g^a, h^b) = e(g, h)^{ab}$; (2) Non-degenerate: $\exists g \in G$ such that $e(g, g)$ has order $N$ in $G_T$. Assume that group operations in $G$ and $G_T$ as well as the bilinear map $e$ are computable in polynomial time with respect to $\lambda$. Let $G_{p_1}$, $G_{p_2}$ and $G_{p_3}$ be the subgroups of order $p_1$, $p_2$ and $p_3$ in $G$, respectively. These subgroups are orthogonal to each other under the bilinear map $e$: if $h_i \in G_{p_i}$ and $h_j \in G_{p_j}$ for $i \ne j$, then $e(h_i, h_j) = 1$ (the identity element in $G_T$).

Notations. For a given vector $v = (v_1, \ldots, v_d) \in \mathbb{Z}_N^d$ and $g \in G$, by $g^v$ we mean the vector $(g^{v_1}, \ldots, g^{v_d}) \in G^d$. For two vectors $V = (V_1, \ldots, V_d), W = (W_1, \ldots, W_d) \in G^d$, by $V \cdot W$ we mean the vector $(V_1 W_1, \ldots, V_d W_d) \in G^d$, i.e. it performs component-wise multiplication. Furthermore, by $e_d(V, W)$ we mean $\prod_{k=1}^{d} e(V_k, W_k)$. In particular, for $v = (v_1, \ldots, v_d), w = (w_1, \ldots, w_d) \in \mathbb{Z}_N^d$, we have $g^v \cdot g^w = g^{v + w}$, and $e_d(g^v, g^w) = \prod_{k=1}^{d} e(g^{v_k}, g^{w_k}) = e(g, g)^{v \cdot w}$, where $v \cdot w$ is the inner product of $v$ and $w$. Sometimes we omit the subscript $d$ of $e_d(V, W)$. For a vector $V = (V_1, \ldots, V_d) \in G^d$ and a matrix $A = (A_{i,j})_{d \times t} \in \mathbb{Z}_N^{d \times t}$, by $V^A$ we mean $\left(\prod_{i=1}^{d} V_i^{A_{i,1}}, \prod_{i=1}^{d} V_i^{A_{i,2}}, \ldots, \prod_{i=1}^{d} V_i^{A_{i,t}}\right) \in G^t$.
Non-traceable ABE template. The template consists of four algorithms as follows:

$\mathsf{Setup}_{NT}(\lambda, \Gamma) \to (PP, MSK)$. Run $(N, p_1, p_2, p_3, G, G_T, e) \leftarrow \mathcal{G}(\lambda)$. Pick generators $g \in G_{p_1}$, $X_3 \in G_{p_3}$. Run $(d, d_0) \leftarrow \mathsf{SysParam}(\Gamma)$, where $1 \le d_0 \le d$. Pick random $\beta = (\beta_1, \ldots, \beta_d) \in \mathbb{Z}_N^d$. Pick random $\alpha \in \mathbb{Z}_N$. The public parameter is $PP = (N, G, G_T, e, g, g^\beta, X_3, e(g, g)^\alpha)$. The master secret key is $MSK = \alpha$.

$\mathsf{KeyGen}_{NT}(PP, MSK, X) \to SK_X$. Upon input a key tag $X$, run $(\phi = (\phi_0, \phi_1, \ldots, \phi_{d_k}), d_\delta) \leftarrow \mathsf{KeyParam}(X, N)$. Pick random $\delta = (\delta_1, \ldots, \delta_{d_\delta}) \in \mathbb{Z}_N^{d_\delta}$ and $R = (R_0, \ldots, R_{d_k}) \in G_{p_3}^{d_k + 1}$. Output a secret key $SK_X$ as
$$SK_X = \left(X,\; K = g^{\phi(\alpha, \beta, \delta)} \cdot R\right).$$
To satisfy the template, it is required that for any key tag $X$ and variables $\delta = (\delta_1, \ldots, \delta_{d_\delta})$:
1. $d_k \ge d$;
2. for $z \in [2, d_k]$, $\phi_z(\alpha, \beta, \delta)$ does not contain $\alpha$ or $\beta_1\delta_1$. For simplicity, we write them as $\phi_z(\beta, \delta)$, as they do not contain $\alpha$;
3. $\phi_1(\alpha, \beta, \delta) = \delta_1$ and $\phi_0(\alpha, \beta, \delta) = \alpha + \beta_1\delta_1 + \sum_{d=2}^{d_0} \beta_d\, \phi_d(\beta, \delta)$.
That is,
$$SK_X = \Big(X,\; K_0 = g^{\alpha + \beta_1\delta_1 + \sum_{d=2}^{d_0} \beta_d \phi_d(\beta, \delta)} R_0,\; K_1 = g^{\delta_1} R_1,\; K_2 = g^{\phi_2(\beta, \delta)} R_2,\; \ldots,\; K_{d_k} = g^{\phi_{d_k}(\beta, \delta)} R_{d_k}\Big).^{5}$$

$\mathsf{Encrypt}_{NT}(PP, M, Y) \to CT_Y$. Upon input a ciphertext tag $Y$, run $(\psi = (\psi_1, \ldots, \psi_{d_c}), d_\pi) \leftarrow \mathsf{CiperParam}(Y, N)$. Pick random $\pi = (\pi, \pi_1, \ldots, \pi_{d_\pi}) \in \mathbb{Z}_N^{d_\pi + 1}$. Set $P = g^{\psi(\beta, \pi)}$. Output a ciphertext $CT_Y$ as
$$CT_Y = \left(Y,\; P,\; C = M \cdot e(g, g)^{\alpha\pi}\right).$$
Note that $P$ can be computed from $g^\beta$ and $\pi$ since $\psi(\beta, \pi)$ contains only linear combinations of the monomials $\pi$, $\pi_i$, $\pi\beta_j$, $\pi_i\beta_j$. To satisfy the template, it is required that for any ciphertext tag $Y$ and variables $\pi = (\pi, \pi_1, \ldots, \pi_{d_\pi})$:
1. $\psi_1(\beta, \pi) = \pi$;
2. $\psi_2(\beta, \pi) = \beta_2\pi, \ldots, \psi_{d_0}(\beta, \pi) = \beta_{d_0}\pi$.
That is, the first $d_0$ components of $P$ are $P_1 = g^\pi$, $P_2 = g^{\beta_2\pi}$, $\ldots$, $P_{d_0} = g^{\beta_{d_0}\pi}$.

$\mathsf{Decrypt}_{NT}(PP, CT_Y, SK_X) \to M$ or $\bot$. Obtain $X, Y$ from $SK_X, CT_Y$. Suppose $\Gamma(X, Y) = 1$ (if $\Gamma(X, Y) \ne 1$, output $\bot$). Run $E \leftarrow \mathsf{DecPair}(X, Y, N)$. Compute $e(g, g)^{\alpha\pi} = e(K^E, P)$, and output $M \leftarrow C / e(g, g)^{\alpha\pi}$.

To satisfy the template, it is required that there are two algorithms $\mathsf{DecPair}_1$ and $\mathsf{DecPair}_2$ such that: for any $N \in \mathbb{N}$, $X \in \mathcal{X}$, $Y \in \mathcal{Y}$, let $(\phi = (\phi_0, \phi_1, \ldots, \phi_{d_k}), d_\delta) \leftarrow \mathsf{KeyParam}(X, N)$ and $(\psi = (\psi_1, \ldots, \psi_{d_c}), d_\pi) \leftarrow \mathsf{CiperParam}(Y, N)$; for any variables $\alpha$, $\beta = (\beta_1, \beta_2, \ldots, \beta_d)$, $\delta = (\delta_1, \delta_2, \ldots, \delta_{d_\delta})$, $\pi = (\pi, \pi_1, \ldots, \pi_{d_\pi})$, let $E_1 \leftarrow \mathsf{DecPair}_1(X, Y, N)$ and $E_2 \leftarrow \mathsf{DecPair}_2(X, Y, N)$; if $\Gamma(X, Y) = 1$ we have that
$$\phi E_1 \psi^T = \beta_1\delta_1\pi \quad \text{and} \quad \phi E_2 \psi^T = \beta_1\delta_1\pi + \alpha\pi.$$
Note that $e(g, g)^{\alpha\pi}$ can then be computed by $e(g, g)^{\alpha\pi} = e(K^{E_2}, P) / e(K^{E_1}, P)$. Later we will show that there are a series of ABE schemes with appealing features complying with this template.

${}^5$ Note that, to cover as many ABE schemes as possible, we only specify the necessary requirements which we may use in the constructions and proofs of our generic transformation framework. Here we do not require $\phi_d(\beta, \delta)$ for $d = 2$ to $d_0$ to contain only linear combinations of the monomials $\delta_i$. Actually, if $\phi_d(\beta, \delta)$ contained $\beta_j$, $K_0$ could still be computed, by putting $\beta$ in $MSK$.
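To make the symbolic correctness condition $\phi E \psi^T = \alpha\pi$ of Sec. 4.1 and the $\mathsf{DecPair}_1$/$\mathsf{DecPair}_2$ requirement of the template concrete, here is an added Python example that is not part of the paper. It represents each $\phi_z$ and $\psi_z$ as a polynomial over named variables, multiplies them out and checks the three identities on a constructed toy pair encoding with $d = d_0 = 2$ (a hypothetical encoding for a predicate that is always satisfied, used only to exercise the template's shape); the variable names and the toy $E$, $E_1$, $E_2$ matrices are assumptions of the example.

```python
"""Symbolic check of pair-encoding correctness and the DecPair_1/DecPair_2 requirement."""
from collections import defaultdict
from itertools import product
from typing import Dict, List, Tuple

# A polynomial is a dict  monomial -> integer coefficient, where a monomial is
# the sorted tuple of the variable names it multiplies.
Poly = Dict[Tuple[str, ...], int]


def poly(*terms: Tuple[int, Tuple[str, ...]]) -> Poly:
    """Build a polynomial from (coefficient, variables) terms."""
    p: Poly = defaultdict(int)
    for coeff, vars_ in terms:
        p[tuple(sorted(vars_))] += coeff
    return {m: c for m, c in p.items() if c != 0}


def mul(a: Poly, b: Poly) -> Poly:
    """Symbolic product of two polynomials."""
    out: Poly = defaultdict(int)
    for (ma, ca), (mb, cb) in product(a.items(), b.items()):
        out[tuple(sorted(ma + mb))] += ca * cb
    return {m: c for m, c in out.items() if c != 0}


def pair_product(phi: List[Poly], E: List[List[int]], psi: List[Poly]) -> Poly:
    """phi * E * psi^T = sum_{i,j} E[i][j] * phi_i * psi_j, evaluated symbolically."""
    out: Poly = defaultdict(int)
    for i, phi_i in enumerate(phi):
        for j, psi_j in enumerate(psi):
            if E[i][j]:
                for m, c in mul(phi_i, psi_j).items():
                    out[m] += E[i][j] * c
    return {m: c for m, c in out.items() if c != 0}


def toy_pair_encoding():
    """Constructed toy encoding (hypothetical, not from the paper): d = d_0 = 2,
    d_k = 2, d_c = 3, with the template shape
    phi_0 = alpha + beta_1 delta_1 + beta_2 phi_2, phi_1 = delta_1, phi_2 = delta_2,
    psi_1 = pi, psi_2 = beta_2 pi, psi_3 = beta_1 pi."""
    phi = [
        poly((1, ("alpha",)), (1, ("beta1", "delta1")), (1, ("beta2", "delta2"))),
        poly((1, ("delta1",))),
        poly((1, ("delta2",))),
    ]
    psi = [
        poly((1, ("pi",))),           # psi_1 = pi          (P_1 = g^pi)
        poly((1, ("beta2", "pi"))),   # psi_2 = beta_2 pi   (P_2 = g^{beta_2 pi})
        poly((1, ("beta1", "pi"))),   # psi_3 = beta_1 pi
    ]
    # Rows index phi_0, phi_1, phi_2; columns index psi_1, psi_2, psi_3.
    E = [[1, 0, 0], [0, 0, -1], [0, -1, 0]]    # DecPair:   phi_0 psi_1 - phi_1 psi_3 - phi_2 psi_2
    E1 = [[0, 0, 0], [0, 0, 1], [0, 0, 0]]     # DecPair_1: phi_1 psi_3
    E2 = [[1, 0, 0], [0, 0, 0], [0, -1, 0]]    # DecPair_2: phi_0 psi_1 - phi_2 psi_2
    return phi, psi, E, E1, E2


def check_template(phi: List[Poly], psi: List[Poly], E: List[List[int]],
                   E1: List[List[int]], E2: List[List[int]]) -> bool:
    """Correctness (phi E psi^T = alpha pi) plus the template's two identities
    phi E_1 psi^T = beta_1 delta_1 pi and phi E_2 psi^T = beta_1 delta_1 pi + alpha pi."""
    alpha_pi = poly((1, ("alpha", "pi")))
    b1d1pi = poly((1, ("beta1", "delta1", "pi")))
    both = poly((1, ("beta1", "delta1", "pi")), (1, ("alpha", "pi")))
    return (pair_product(phi, E, psi) == alpha_pi
            and pair_product(phi, E1, psi) == b1d1pi
            and pair_product(phi, E2, psi) == both)


if __name__ == "__main__":
    print(check_template(*toy_pair_encoding()))   # True
```

Because every identity is checked as an exact equality of monomial dictionaries, the check fails as soon as any cross term (here $\beta_2\delta_2\pi$) is left uncancelled or the roles of $E_1$ and $E_2$ are swapped, which is exactly the symbolic condition the correctness definition asks for.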
4.3 Augmented ABE Transformed from Non-traceable ABE

Notations. Suppose that the number of users $K$ in the system equals $m^2$ for some $m$. In practice, if $K$ is not a square, we can add some dummy users until it pads to the next square. We arrange the users in an $m \times m$ matrix and uniquely assign a tuple $(i, j)$, where $i, j \in [1, m]$, to each user. A user at position $(i, j)$ of the matrix has index $k = (i - 1)m + j$. For simplicity, we directly use $(i, j)$ as the index, where $(i, j) \ge (\bar{i}, \bar{j})$ means that $(i > \bar{i}) \vee (i = \bar{i} \wedge j \ge \bar{j})$. The use of pairwise notation $(i, j)$ is purely a notational convenience, as $k = (i - 1)m + j$ defines a bijection between $\{(i, j) \mid i, j \in [1, m]\}$ and $[1, K]$.

Given a bilinear group order $N$, one can randomly choose $r_x, r_y, r_z \in \mathbb{Z}_N$, and set $\chi_1 = (r_x, 0, r_z)$, $\chi_2 = (0, r_y, r_z)$, $\chi_3 = \chi_1 \times \chi_2 = (-r_y r_z, -r_x r_z, r_x r_y)$. Let $\mathrm{span}\{\chi_1, \chi_2\} = \{\nu_1\chi_1 + \nu_2\chi_2 \mid \nu_1, \nu_2 \in \mathbb{Z}_N\}$ be the subspace spanned by $\chi_1$ and $\chi_2$. We can see that $\chi_3$ is orthogonal to the subspace $\mathrm{span}\{\chi_1, \chi_2\}$ and $\mathbb{Z}_N^3 = \mathrm{span}\{\chi_1, \chi_2, \chi_3\} = \{\nu_1\chi_1 + \nu_2\chi_2 + \nu_3\chi_3 \mid \nu_1, \nu_2, \nu_3 \in \mathbb{Z}_N\}$. For any $v \in \mathrm{span}\{\chi_1, \chi_2\}$, $\chi_3 \cdot v = 0$, and for random $v \in \mathbb{Z}_N^3$, $\chi_3 \cdot v \ne 0$ happens with overwhelming probability.

Below we propose our AugABE construction, which is transformed from the conventional non-traceable ABE template in Sec. 4.2 above. Note that the parts written in the box are the same as in the conventional non-traceable ABE template, and we add/modify some additional parts to form our generic AugABE construction.

$\mathsf{Setup}_A(\lambda, \Gamma, K = m^2) \to (PP, MSK)$. Run $(N, p_1, p_2, p_3, G, G_T, e) \leftarrow \mathcal{G}(\lambda)$. Pick generators $g \in G_{p_1}$, $X_3 \in G_{p_3}$. Run $(d, d_0) \leftarrow \mathsf{SysParam}(\Gamma)$, where $1 \le d_0 \le d$. Pick random $\beta = (\beta_1, \ldots, \beta_d) \in \mathbb{Z}_N^d$. Pick random $\{\alpha_i, r_i, z_i \in \mathbb{Z}_N\}_{i \in [m]}$, $\{c_j \in \mathbb{Z}_N\}_{j \in [m]}$. The public parameter is
$$PP = \left(N, G, G_T, e, g, h = g^\beta, X_3, \{E_i = e(g, g)^{\alpha_i}, G_i = g^{r_i}, Z_i = g^{z_i}\}_{i \in [m]}, \{H_j = g^{c_j}\}_{j \in [m]}\right).$$
The master secret key is $MSK = (\alpha_1, \ldots, \alpha_m, r_1, \ldots, r_m, c_1, \ldots, c_m)$. A counter $ctr = 0$ is implicitly included in $MSK$.

$\mathsf{KeyGen}_A(PP, MSK, X) \to SK_{(i,j),X}$. Upon input a key tag $X$, run $(\phi = (\phi_0, \phi_1, \ldots, \phi_{d_k}), d_\delta) \leftarrow \mathsf{KeyParam}(X, N)$. Pick random $\delta = (\delta_1, \ldots, \delta_{d_\delta}) \in \mathbb{Z}_N^{d_\delta}$ and $R = (R_0, \ldots, R_{d_k}) \in G_{p_3}^{d_k + 1}$. Pick random $R'_0 \in G_{p_3}$. Set $ctr = ctr + 1$ and then compute the corresponding index in the form of $(i, j)$ where $1 \le i, j \le m$ and $(i - 1)m + j = ctr$. Output a secret key $SK_{(i,j),X}$ as
$$SK_{(i,j),X} = \left((i, j),\; X,\; K = g^{\phi(r_i c_j + \alpha_i,\, \beta,\, \delta)} \cdot R,\; K'_0 = Z_i^{\delta_1} R'_0\right).$$
By the requirements stated in $\mathsf{KeyGen}_{NT}$, we have
$$SK_{(i,j),X} = \Big((i, j),\; X,\; K_0 = g^{r_i c_j + \alpha_i + \beta_1\delta_1 + \sum_{d=2}^{d_0} \beta_d \phi_d(\beta, \delta)} R_0,\; K_1 = g^{\delta_1} R_1,\; K_2 = g^{\phi_2(\beta, \delta)} R_2,\; \ldots,\; K_{d_k} = g^{\phi_{d_k}(\beta, \delta)} R_{d_k},\; K'_0 = Z_i^{\delta_1} R'_0\Big).$$

$\mathsf{Encrypt}_A(PP, M, Y, (\bar{i}, \bar{j})) \to CT_Y$.
1. Upon input a ciphertext tag $Y$, run $(\psi = (\psi_1, \ldots, \psi_{d_c}), d_\pi) \leftarrow \mathsf{CiperParam}(Y, N)$. Pick random $\pi = (\pi, \pi_1, \ldots, \pi_{d_\pi}) \in \mathbb{Z}_N^{d_\pi + 1}$. Set $P = g^{\psi(\beta, \pi)}$. Note that $P$ can be computed from $g^\beta$ and $\pi$ since $\psi(\beta, \pi)$ contains only linear combinations of the monomials $\pi$, $\pi_i$, $\pi\beta_j$, $\pi_i\beta_j$.
2. Pick random $\kappa, \tau, s_1, \ldots, s_m, t_1, \ldots, t_m \in \mathbb{Z}_N$ and $v_c, w_1, \ldots, w_m \in \mathbb{Z}_N^3$. Pick random $r_x, r_y, r_z \in \mathbb{Z}_N$, and set $\chi_1 = (r_x, 0, r_z)$, $\chi_2 = (0, r_y, r_z)$, $\chi_3 = \chi_1 \times \chi_2 = (-r_y r_z, -r_x r_z, r_x r_y)$. Pick random $v_i \in \mathbb{Z}_N^3$ for $i \in \{1, \ldots, \bar{i}\}$, and $v_i \in \mathrm{span}\{\chi_1, \chi_2\}$ for $i \in \{\bar{i} + 1, \ldots, m\}$.
   For each row $i \in [m]$:
   if $i < \bar{i}$: randomly choose $\hat{s}_i \in \mathbb{Z}_N$, and set
   $$R_i = g^{v_i},\; R'_i = g^{\kappa v_i},\; Q_i = g^{s_i},\; Q_{i,1} = g^{\beta_1 s_i} Z_i^{t_i} g^{\beta_1\pi},\; Q_{i,2} = g^{\beta_2 s_i},\; \ldots,\; Q_{i,d_0} = g^{\beta_{d_0} s_i},\; Q'_i = g^{t_i},\; T_i = E_i^{\hat{s}_i}.$$
   if $i \ge \bar{i}$: set
   $$R_i = G_i^{s_i v_i},\; R'_i = G_i^{\kappa s_i v_i},\; Q_i = g^{\tau s_i (v_i \cdot v_c)},\; Q_{i,1} = g^{\beta_1 \tau s_i (v_i \cdot v_c)} Z_i^{t_i} g^{\beta_1\pi},\; Q_{i,2} = g^{\beta_2 \tau s_i (v_i \cdot v_c)},\; \ldots,\; Q_{i,d_0} = g^{\beta_{d_0} \tau s_i (v_i \cdot v_c)},\; Q'_i = g^{t_i},\; T_i = M \cdot E_i^{\tau s_i (v_i \cdot v_c)}.$$
   For each column $j \in [m]$:
   if $j < \bar{j}$: randomly choose $\mu_j \in \mathbb{Z}_N$, and set $C_j = H_j^{\tau v_c + \mu_j \chi_3} \cdot g^{\kappa w_j}$, $C'_j = g^{w_j}$.
   if $j \ge \bar{j}$: set $C_j = H_j^{\tau v_c} \cdot g^{\kappa w_j}$, $C'_j = g^{w_j}$.
3. Output the ciphertext $CT_Y$ as
$$CT_Y = \left(Y,\; P,\; \big(R_i, R'_i, Q_i, \{Q_{i,d}\}_{d=1}^{d_0}, Q'_i, T_i\big)_{i=1}^{m},\; \big(C_j, C'_j\big)_{j=1}^{m}\right).$$

$\mathsf{Decrypt}_A(PP, CT_Y, SK_{(i,j),X}) \to M$ or $\bot$. Parse $CT_Y$ as $CT_Y = (Y, P, (R_i, R'_i, Q_i, \{Q_{i,d}\}_{d=1}^{d_0}, Q'_i, T_i)_{i=1}^{m}, (C_j, C'_j)_{j=1}^{m})$ and $SK_{(i,j),X}$ as $SK_{(i,j),X} = ((i, j), X, K = (K_0, \ldots, K_{d_k}), K'_0)$. Obtain $Y, X$ from $CT_Y, SK_{(i,j),X}$. Suppose $\Gamma(X, Y) = 1$ (if $\Gamma(X, Y) \ne 1$, output $\bot$).
1. Run $E_1 \leftarrow \mathsf{DecPair}_1(X, Y, N)$. Compute $D_P \leftarrow e(K^{E_1}, P)$.
2. Compute
$$D_I \leftarrow \frac{e(K_0, Q_i) \cdot e(K'_0, Q'_i)}{e(K_1, Q_{i,1}) \cdot \prod_{d=2}^{d_0} e(K_d, Q_{i,d})} \cdot \frac{e_3(R'_i, C'_j)}{e_3(R_i, C_j)}.$$
3. Compute $M' \leftarrow T_i / (D_P \cdot D_I)$ as the output message.

Suppose that the ciphertext is generated from message $M$ and encryption index $(\bar{i}, \bar{j})$; it can be verified that only when $(i > \bar{i})$ or $(i = \bar{i} \wedge j \ge \bar{j})$ do we get $M' = M$. This is because for $i > \bar{i}$ we have $v_i \cdot \chi_3 = 0$ since $v_i \in \mathrm{span}\{\chi_1, \chi_2\}$, and for $i = \bar{i}$ we have that $v_i \cdot \chi_3 \ne 0$ happens with overwhelming probability since $v_i$ is randomly chosen from $\mathbb{Z}_N^3$. The correctness is shown in Appendix A.

4.4 Augmented ABE Security

Let $\Sigma_{NT} = (\mathsf{Setup}_{NT}, \mathsf{KeyGen}_{NT}, \mathsf{Encrypt}_{NT}, \mathsf{Decrypt}_{NT})$ be a non-traceable ABE scheme satisfying the template in Sec. 4.2, and $\Sigma_A = (\mathsf{Setup}_A, \mathsf{KeyGen}_A, \mathsf{Encrypt}_A, \mathsf{Decrypt}_A)$ be an Augmented ABE scheme derived from $\Sigma_{NT}$ as shown in Sec. 4.3. As shown in Fig. 2, Theorem 3, Theorem 4, and Theorem 5 state that the AugABE proposed above is Type-I message-hiding, Type-II message-hiding, and selectively index-hiding, respectively. Below we prove Theorem 3 and Theorem 4 in a framework manner. For Theorem 5, we prove it in a framework manner partially, namely, we prove Claim 1 in a framework manner, while proving Lemma 1 case by case for the concrete underlying conventional non-traceable ABE schemes, and the proof of Claim 2 will be identical to that of Lemma 1.
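The row/column indexing and the $\chi$ vectors of Sec. 4.3 are the part of the construction that decides which keys can decrypt an encryption to $(\bar{i}, \bar{j})$. The following added Python example (not the paper's code) checks, over a toy composite modulus, that $k = (i-1)m + j$ is an order-preserving bijection for the $(i, j) \ge (\bar{i}, \bar{j})$ rule, that $\chi_3 = \chi_1 \times \chi_2$ is orthogonal to every vector of $\mathrm{span}\{\chi_1, \chi_2\}$ (the rows $i > \bar{i}$), and that a random $v_i$ (the rows $i \le \bar{i}$) has $\chi_3 \cdot v_i \ne 0$ except with negligible probability. The modulus $N = 101 \cdot 103 \cdot 107$ and the random seeds are constructed values, far too small for real use.

```python
"""Index arithmetic and chi-vectors of the AugABE construction, over a toy Z_N."""
import random
from typing import List, Tuple

Vec = Tuple[int, int, int]

# Constructed toy composite modulus N = p1 * p2 * p3 (illustration only).
TOY_N = 101 * 103 * 107


def pos_to_index(i: int, j: int, m: int) -> int:
    """User at matrix position (i, j), 1 <= i, j <= m, gets index k = (i-1)m + j."""
    return (i - 1) * m + j


def index_to_pos(k: int, m: int) -> Tuple[int, int]:
    """Inverse of pos_to_index."""
    return (k - 1) // m + 1, (k - 1) % m + 1


def pos_ge(a: Tuple[int, int], b: Tuple[int, int]) -> bool:
    """(i, j) >= (i_bar, j_bar) iff i > i_bar, or i = i_bar and j >= j_bar."""
    return a[0] > b[0] or (a[0] == b[0] and a[1] >= b[1])


def order_matches_index(m: int) -> bool:
    """The pairwise order coincides with the order of k = (i-1)m + j, and the
    map (i, j) -> k is a bijection onto [1, m^2]."""
    cells = [(i, j) for i in range(1, m + 1) for j in range(1, m + 1)]
    bijective = (sorted(pos_to_index(i, j, m) for i, j in cells) == list(range(1, m * m + 1))
                 and all(index_to_pos(pos_to_index(i, j, m), m) == (i, j) for i, j in cells))
    same_order = all(pos_ge(a, b) == (pos_to_index(*a, m) >= pos_to_index(*b, m))
                     for a in cells for b in cells)
    return bijective and same_order


def dot(u: Vec, v: Vec, N: int) -> int:
    return sum(x * y for x, y in zip(u, v)) % N


def cross(u: Vec, v: Vec, N: int) -> Vec:
    return ((u[1] * v[2] - u[2] * v[1]) % N,
            (u[2] * v[0] - u[0] * v[2]) % N,
            (u[0] * v[1] - u[1] * v[0]) % N)


def chi_vectors(rx: int, ry: int, rz: int, N: int) -> Tuple[Vec, Vec, Vec]:
    """chi1 = (rx, 0, rz), chi2 = (0, ry, rz), chi3 = chi1 x chi2 = (-ry rz, -rx rz, rx ry)."""
    chi1: Vec = (rx % N, 0, rz % N)
    chi2: Vec = (0, ry % N, rz % N)
    return chi1, chi2, cross(chi1, chi2, N)


def row_vectors(m: int, i_bar: int, chi1: Vec, chi2: Vec, N: int,
                rng: random.Random) -> List[Vec]:
    """v_i random in Z_N^3 for i <= i_bar and v_i in span{chi1, chi2} for i > i_bar,
    as Encrypt_A picks them."""
    rows: List[Vec] = []
    for i in range(1, m + 1):
        if i <= i_bar:
            rows.append((rng.randrange(N), rng.randrange(N), rng.randrange(N)))
        else:
            n1, n2 = rng.randrange(N), rng.randrange(N)
            rows.append(((n1 * chi1[0] + n2 * chi2[0]) % N,
                         (n1 * chi1[1] + n2 * chi2[1]) % N,
                         (n1 * chi1[2] + n2 * chi2[2]) % N))
    return rows


def chi3_vanishes(m: int, i_bar: int, N: int, seed: int) -> List[bool]:
    """True at row i iff chi3 . v_i == 0, i.e. iff the mu_j chi3 term in C_j for
    columns j < j_bar drops out for that row (rows i > i_bar decrypt every column)."""
    rng = random.Random(seed)
    rx, ry, rz = (rng.randrange(1, N) for _ in range(3))
    chi1, chi2, chi3 = chi_vectors(rx, ry, rz, N)
    return [dot(chi3, v, N) == 0 for v in row_vectors(m, i_bar, chi1, chi2, N, rng)]


if __name__ == "__main__":
    print(order_matches_index(3))                # True
    print(chi3_vanishes(4, 2, TOY_N, seed=7))    # [False, False, True, True]
```

The orthogonality for rows $i > \bar{i}$ holds identically, since $(\nu_1\chi_1 + \nu_2\chi_2) \cdot (\chi_1 \times \chi_2)$ is a scalar triple product with a repeated vector and vanishes over any commutative ring, not just with overwhelming probability; only the rows $i \le \bar{i}$ rely on a random $v_i$ missing the 2-dimensional subspace.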
Fig. 2. Outline for Security Analysis

Theorem 3. If $\Sigma_{NT}$ is secure (resp. selectively secure), then $\Sigma_A$ is Type-I message-hiding (resp. selectively Type-I message-hiding).

Proof. Suppose there is a PPT adversary $\mathcal{A}$ that can break $\Sigma_A$ in $\mathrm{Game}^{A}_{MH1}$ with non-negligible advantage $\mathrm{MH}^{A}_1\mathrm{Adv}_{\mathcal{A}}$; we construct a PPT algorithm $\mathcal{B}$ to break $\Sigma_{NT}$ with advantage $\mathrm{Adv}_{\mathcal{B}}^{\Sigma_{NT}}$, which equals $\mathrm{MH}^{A}_1\mathrm{Adv}_{\mathcal{A}}$.

Setup. $\mathcal{B}$ receives the public parameter $PP_{NT} = (N, G, G_T, e, g, g^\beta, X_3, E = e(g, g)^\alpha)$ from the challenger, where $g \in G_{p_1}$ and $X_3 \in G_{p_3}$ are generators of the subgroups $G_{p_1}$ and $G_{p_3}$ respectively, and $\beta = (\beta_1, \ldots, \beta_d) \in \mathbb{Z}_N^d$ for $(d, d_0) \leftarrow \mathsf{SysParam}(\Gamma)$ and $\alpha \in \mathbb{Z}_N$ are randomly chosen. $\mathcal{B}$ picks random $\{\alpha'_i, r_i, z_i \in \mathbb{Z}_N\}_{i \in [m]}$, $\{c_j \in \mathbb{Z}_N\}_{j \in [m]}$, then gives $\mathcal{A}$ the public parameter $PP$:
$$PP = \left(N, G, G_T, e, g, g^\beta, X_3, \{E_i = E \cdot e(g, g)^{\alpha'_i}, G_i = g^{r_i}, Z_i = g^{z_i}\}_{i \in [m]}, \{H_j = g^{c_j}\}_{j \in [m]}\right).$$
Note that $\mathcal{B}$ implicitly chooses $\{\alpha_i \in \mathbb{Z}_N\}_{i \in [m]}$ such that $\alpha + \alpha'_i \equiv \alpha_i \pmod{p_1}$ for all $i \in [m]$.

Phase 1. To respond to $\mathcal{A}$'s query for $((i, j), X_{(i,j)})$, $\mathcal{B}$ submits $X_{(i,j)}$ to the challenger, and receives a secret key
$$SK^{NT}_{X_{(i,j)}} = \Big(X_{(i,j)},\; \bar{K}_0 = g^{\alpha + \beta_1\delta_1 + \sum_{d=2}^{d_0} \beta_d \phi_d(\beta, \delta)} R_0,\; \bar{K}_1 = g^{\delta_1} R_1,\; \bar{K}_2 = g^{\phi_2(\beta, \delta)} R_2,\; \ldots,\; \bar{K}_{d_k} = g^{\phi_{d_k}(\beta, \delta)} R_{d_k}\Big),$$
where $(\phi = (\phi_0, \phi_1, \ldots, \phi_{d_k}), d_\delta) \leftarrow \mathsf{KeyParam}(X_{(i,j)}, N)$, $\delta = (\delta_1, \ldots, \delta_{d_\delta}) \in \mathbb{Z}_N^{d_\delta}$, $R = (R_0, \ldots, R_{d_k}) \in G_{p_3}^{d_k + 1}$. $\mathcal{B}$ picks random $R'_0 \in G_{p_3}$, then responds to $\mathcal{A}$ with a secret key $SK_{(i,j),X_{(i,j)}}$ as
$$SK_{(i,j),X_{(i,j)}} = \Big((i, j),\; X_{(i,j)},\; K_0 = \bar{K}_0 \cdot g^{r_i c_j + \alpha'_i},\; K_1 = \bar{K}_1,\; K_2 = \bar{K}_2,\; \ldots,\; K_{d_k} = \bar{K}_{d_k},\; K'_0 = \bar{K}_1^{z_i} \cdot R'_0\Big).$$
Note that such a secret key has the same distribution as the secret key in the real Augmented ABE scheme, i.e. $SK_{(i,j),X_{(i,j)}} = ((i, j), X_{(i,j)}, K = g^{\phi(r_i c_j + \alpha_i, \beta, \delta)} \cdot R, K'_0 = Z_i^{\delta_1} R''_0)$, where $R''_0 = R_1^{z_i} R'_0$.

Challenge. $\mathcal{A}$ submits to $\mathcal{B}$ a ciphertext tag $Y$ and two equal-length messages $M_0, M_1$. $\mathcal{B}$ submits $(Y, M_0, M_1)$ to the challenger, and receives the challenge ciphertext in the form of $CT_{NT} = (Y, \bar{P} = g^{\psi(\beta, \bar{\pi})}, \bar{C} = M_b \cdot e(g, g)^{\alpha\bar{\pi}})$, where $(\psi = (\psi_1, \ldots, \psi_{d_c}), d_\pi) \leftarrow \mathsf{CiperParam}(Y, N)$, $\bar{\pi} = (\bar{\pi}, \bar{\pi}_1, \ldots, \bar{\pi}_{d_\pi}) \in \mathbb{Z}_N^{d_\pi + 1}$. Note that $\psi(\beta, \bar{\pi})$ contains only linear combinations of the monomials $\bar{\pi}$, $\bar{\pi}_i$, $\bar{\pi}\beta_j$, $\bar{\pi}_i\beta_j$, and the first $d_0$ components of $\bar{P}$ are $\bar{P}_1 = g^{\bar{\pi}}$, $\bar{P}_2 = g^{\beta_2\bar{\pi}}$, $\ldots$, $\bar{P}_{d_0} = g^{\beta_{d_0}\bar{\pi}}$. $\mathcal{B}$ creates a challenge ciphertext for $(\bar{i}, \bar{j}) = (1, 1)$ as follows:
1. $\mathcal{B}$ picks random $\pi' = (\pi', \pi'_1, \ldots, \pi'_{d_\pi}) \in \mathbb{Z}_N^{d_\pi + 1}$, then sets $P = g^{\psi(\beta, \pi')} \cdot \bar{P}^{-1}$. Here $\bar{P}^{-1}$ means $(\bar{P}_1^{-1}, \ldots, \bar{P}_{d_c}^{-1})$. Since $\psi(\beta, \bar{\pi})$ contains only linear combinations of the monomials $\bar{\pi}$, $\bar{\pi}_i$, $\bar{\pi}\beta_j$, $\bar{\pi}_i\beta_j$, we have $\bar{P}^{-1} = g^{\psi(\beta, -\bar{\pi})}$. Since $\psi(\beta, \pi')$ contains only linear combinations of the monomials $\pi'$, $\pi'_i$, $\pi'\beta_j$, $\pi'_i\beta_j$, we have that $P = g^{\psi(\beta, \pi' - \bar{\pi})}$.
2. $\mathcal{B}$ picks random $\kappa, \tau, s'_1, \ldots, s'_m, t_1, \ldots, t_m \in \mathbb{Z}_N$ and $v_c, w_1, \ldots, w_m \in \mathbb{Z}_N^3$. $\mathcal{B}$ picks random $r_x, r_y, r_z \in \mathbb{Z}_N$, and sets $\chi_1 = (r_x, 0, r_z)$, $\chi_2 = (0, r_y, r_z)$, $\chi_3 = \chi_1 \times \chi_2 = (-r_y r_z, -r_x r_z, r_x r_y)$. $\mathcal{B}$ picks random $v_1 \in \mathbb{Z}_N^3$ and $v_i \in \mathrm{span}\{\chi_1, \chi_2\}$ for $i \in \{2, \ldots, m\}$.
   For each row $i \in [m]$: note that $i \ge \bar{i}$ since $\bar{i} = 1$; $\mathcal{B}$ sets
   $$R_i = G_i^{s'_i v_i} \cdot \bar{P}_1^{\frac{r_i}{\tau (v_i \cdot v_c)} v_i},\quad R'_i = G_i^{\kappa s'_i v_i} \cdot \bar{P}_1^{\frac{r_i \kappa}{\tau (v_i \cdot v_c)} v_i},\quad Q_i = g^{\tau s'_i (v_i \cdot v_c)} \cdot \bar{P}_1,$$
   $$Q_{i,1} = g^{\beta_1 \tau s'_i (v_i \cdot v_c)} Z_i^{t_i} g^{\beta_1\pi'},\quad Q_{i,2} = g^{\beta_2 \tau s'_i (v_i \cdot v_c)} \cdot \bar{P}_2,\; \ldots,\; Q_{i,d_0} = g^{\beta_{d_0} \tau s'_i (v_i \cdot v_c)} \cdot \bar{P}_{d_0},\quad Q'_i = g^{t_i},\quad T_i = \bar{C} \cdot e(g^{\alpha'_i}, \bar{P}_1) \cdot E_i^{\tau s'_i (v_i \cdot v_c)}.$$
   For each column $j \in [m]$: note that $j \ge \bar{j}$ since $\bar{j} = 1$; $\mathcal{B}$ sets $C_j = H_j^{\tau v_c} \cdot g^{\kappa w_j}$, $C'_j = g^{w_j}$.
3. $\mathcal{B}$ outputs the ciphertext $CT_Y$ as $CT_Y = (Y, P, (R_i, R'_i, Q_i, \{Q_{i,d}\}_{d=1}^{d_0}, Q'_i, T_i)_{i=1}^{m}, (C_j, C'_j)_{j=1}^{m})$.

Note that this $CT_Y$ is a well-formed ciphertext for ciphertext tag $Y$ and encryption index $(\bar{i}, \bar{j}) = (1, 1)$, with $s_1, \ldots, s_m \in \mathbb{Z}_N$ and $\pi = (\pi, \pi_1, \ldots, \pi_{d_\pi}) \in \mathbb{Z}_N^{d_\pi + 1}$ implicitly set by
$$s_i \equiv s'_i + \frac{\bar{\pi}}{\tau (v_i \cdot v_c)} \pmod{p_1} \;\; \forall i \in \{1, \ldots, m\}, \qquad \pi \equiv \pi' - \bar{\pi} \pmod{p_1}.$$

Phase 2. Same as Phase 1.

Guess. $\mathcal{A}$ gives $\mathcal{B}$ a bit $b'$. $\mathcal{B}$ gives $b'$ to the challenger. Since the distributions of the public parameter, secret keys and challenge ciphertext that $\mathcal{B}$ gives $\mathcal{A}$ are the same as in the real scheme, we have $\mathrm{Adv}_{\mathcal{B}}^{\Sigma_{NT}} = \mathrm{MH}^{A}_1\mathrm{Adv}_{\mathcal{A}}$.
Theorem 4. $\Sigma_A$ is Type-II message-hiding.

Proof. The argument for message-hiding in $\mathrm{Game}^{A}_{MH2}$ is straightforward since an encryption to index $K + 1$ (i.e. $(m + 1, 1)$) contains no information about the message. The simulator simply runs $\mathsf{Setup}_A$ and $\mathsf{KeyGen}_A$ and encrypts $M_b$ under the challenge ciphertext tag $Y$ and index $(m + 1, 1)$. Since for all $i = 1$ to $m$, $T_i = E_i^{\hat{s}_i}$ contains no information about the message, the bit $b$ is perfectly hidden and $\mathrm{MH}^{A}_2\mathrm{Adv}_{\mathcal{A}} = 0$.

Now we investigate Theorem 5, where we prove the index-hiding property. As shown in Fig. 2, Theorem 5 follows from Lemma 1 and Lemma 2, and we need to prove Lemma 1 case by case. Here we use Assumption X to represent the assumptions that Lemma 1 is based on, and we will present the concrete assumptions when we prove Lemma 1 concretely.

Theorem 5. Suppose that Assumption X, the D3DH Assumption and the DLIN Assumption hold.$^{6}$ Then no PPT adversary can selectively win $\mathrm{Game}^{A}_{IH}$ with non-negligible advantage.

Proof. It follows from Lemma 1 and Lemma 2 below.

Lemma 1. If Assumption X holds, then for $\bar{j} < m$, no PPT adversary can selectively distinguish between an encryption to $(\bar{i}, \bar{j})$ and $(\bar{i}, \bar{j} + 1)$ in $\mathrm{Game}^{A}_{IH}$ with non-negligible advantage.

Proof. In $\mathrm{Game}^{A}_{IH}$ with index $(\bar{i}, \bar{j})$, let $Y$ be the challenge ciphertext tag; the restriction is that the adversary $\mathcal{A}$ does not query a secret key for an (index, key tag) pair $((i, j), X_{(i,j)})$ such that $((i, j) = (\bar{i}, \bar{j})) \wedge (\Gamma(X_{(i,j)}, Y) = 1)$. Under this restriction, there are two ways for $\mathcal{A}$ to take:
Case I: In the Key Query phase, $\mathcal{A}$ does not query a secret key with index $(\bar{i}, \bar{j})$.
Case II: In the Key Query phase, $\mathcal{A}$ queries a secret key with index $(\bar{i}, \bar{j})$. Let $X_{(\bar{i}, \bar{j})}$ be the corresponding key tag. The restriction requires that $\Gamma(X_{(\bar{i}, \bar{j})}, Y) \ne 1$.
Case I is easy to handle, as the adversary does not query a secret key with the challenge index $(\bar{i}, \bar{j})$. Case II captures the index-hiding requirement in that even if a user has a key with index $(\bar{i}, \bar{j})$, he cannot distinguish between an encryption to $(Y, (\bar{i}, \bar{j}))$ and $(Y, (\bar{i}, \bar{j} + 1))$ if the corresponding key tag does not satisfy $\Gamma(X_{(\bar{i}, \bar{j})}, Y) = 1$. This is the most challenging part of achieving strong traceability. Actually, this is the only part which we cannot handle in a framework manner, and we have to prove this lemma for different schemes case by case.

Lemma 2. If Assumption X, the D3DH Assumption and the DLIN Assumption hold, then for $1 \le \bar{i} \le m$, no PPT adversary can selectively distinguish between an encryption to $(\bar{i}, m)$ and $(\bar{i} + 1, 1)$ in $\mathrm{Game}^{A}_{IH}$ with non-negligible advantage.

Proof. Similar to the proof of Lemma 6.3 in [11], to prove this lemma we define the following hybrid experiments: $H_1$: encrypt to $(\bar{i}, \bar{j} = m)$; $H_2$: encrypt to $(\bar{i}, \bar{j} = m + 1)$; and $H_3$: encrypt to $(\bar{i} + 1, 1)$. This lemma follows from Claim 1 and Claim 2 below.

Claim 1. If Assumption X holds, then no PPT adversary can selectively distinguish between experiments $H_1$ and $H_2$ with non-negligible advantage.

Proof. The proof is identical to that for Lemma 1.

Claim 2. If the D3DH and DLIN Assumptions hold, then no PPT adversary can distinguish between experiments $H_2$ and $H_3$ with non-negligible advantage.

${}^6$ Here D3DH and DLIN are the abbreviations of the widely accepted Decision 3-Party Diffie-Hellman Assumption and Decisional Linear Assumption, respectively. We refer to [11] for the details of these two assumptions.
Universal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure Public-Key Encryption Ronald Cramer Victor Shoup October 12, 2001 Abstract We present several new and fairly practical public-key
More informationA Strong Identity Based Key-Insulated Cryptosystem
A Strong Identity Based Key-Insulated Cryptosystem Jin Li 1, Fangguo Zhang 2,3, and Yanming Wang 1,4 1 School of Mathematics and Computational Science, Sun Yat-sen University, Guangzhou, 510275, P.R.China
More informationA New Paradigm of Hybrid Encryption Scheme
A New Paradigm of Hybrid Encryption Scheme Kaoru Kurosawa 1 and Yvo Desmedt 2 1 Ibaraki University, Japan kurosawa@cis.ibaraki.ac.jp 2 Dept. of Computer Science, University College London, UK, and Florida
More informationCiphertext-Policy Hierarchical Attribute-Based Encryption with Short Ciphertexts: Efficiently Sharing Data among Large Organizations
Ciphertext-Policy Hierarchical Attribute-Based Encryption with Short Ciphertexts: Efficiently Sharing Data among Large Organizations Hua Deng a, Qianhong Wu* b, Bo Qin c, Josep Domingo-Ferrer d, Lei Zhang
More informationEfficient chosen ciphertext secure identity-based encryption against key leakage attacks
SECURITY AND COMMUNICATION NETWORKS Security Comm Networks 26; 9:47 434 Published online 2 February 26 in Wiley Online Library (wileyonlinelibrarycom) DOI: 2/sec429 RESEARCH ARTICLE Efficient chosen ciphertext
More informationContribution to functional encryption through encodings
University of Wollongong Research Online University of Wollongong Thesis Collection 1954-2016 University of Wollongong Thesis Collections 2016 Contribution to functional encryption through encodings Jongkil
More informationOutline Proxy Re-Encryption NTRU NTRUReEncrypt PS-NTRUReEncrypt Experimental results Conclusions. NTRUReEncrypt
NTRUReEncrypt An Efficient Proxy Re-Encryption Scheme based on NTRU David Nuñez, Isaac Agudo, and Javier Lopez Network, Information and Computer Security Laboratory (NICS Lab) Universidad de Málaga, Spain
More informationUnbounded HIBE and Attribute-Based Encryption
Unbounded HIBE and ttribute-based Encryption llison Lewko University of Texas at ustin alewko@cs.utexas.edu Brent Waters University of Texas at ustin bwaters@cs.utexas.edu bstract In this work, we present
More informationWhite-Box Security Notions for Symmetric Encryption Schemes
White-Box Security Notions for Symmetric Encryption Schemes Cécile Delerablée 1 Tancrède Lepoint 1,2 Pascal Paillier 1 Matthieu Rivain 1 CryptoExperts 1, École Normale Supérieure2 SAC 2013 Outline 1 What
More informationMatrix multiplication: a group-theoretic approach
CSG399: Gems of Theoretical Computer Science. Lec. 21-23. Mar. 27-Apr. 3, 2009. Instructor: Emanuele Viola Scribe: Ravi Sundaram Matrix multiplication: a roup-theoretic approach Given two n n matrices
More informationLecture 11: Non-Interactive Zero-Knowledge II. 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian problem
CS 276 Cryptography Oct 8, 2014 Lecture 11: Non-Interactive Zero-Knowledge II Instructor: Sanjam Garg Scribe: Rafael Dutra 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian
More informationFrom Social Trust Assisted Reciprocity (STAR) to Utility-Optimal Mobile Crowdsensing
From ocial Trust Assisted eciprocity (TA) to Utility-Optimal Mobile Crowdsensin Xiaowen Gon, Xu Chen, Junshan Zhan, H. Vincent Poor chool of Electrical, Computer and Enery Enineerin Arizona tate University,
More informationAdvanced Topics in Cryptography
Advanced Topics in Cryptography Lecture 6: El Gamal. Chosen-ciphertext security, the Cramer-Shoup cryptosystem. Benny Pinkas based on slides of Moni Naor page 1 1 Related papers Lecture notes of Moni Naor,
More informationProperty Preserving Symmetric Encryption Revisited
Property Preserving Symmetric Encryption Revisited Sanjit Chatterjee 1 and M. Prem Laxman Das 2 1 Department of Computer Science and Automation, Indian Institute of Science sanjit@csa.iisc.ernet.in 2 Society
More informationAnonymous Proxy Signature with Restricted Traceability
Anonymous Proxy Signature with Restricted Traceability Jiannan Wei Joined work with Guomin Yang and Yi Mu University of Wollongong Outline Introduction Motivation and Potential Solutions Anonymous Proxy
More informationEquivocating Yao: Constant-Rounds Adaptively Secure Multiparty Computation in the Plain Model
Equivocatin Yao: Constant-Rounds Adaptively Secure Multiparty Computation in the Plain Model Ran Canetti Oxana Poburinnaya Muthuramakrishnan Venkitasubramaniam December 30, 2016 Abstract Yao s arblin scheme
More informationAdaptive Security of Compositions
emester Thesis in Cryptography Adaptive ecurity of Compositions Patrick Pletscher ETH Zurich June 30, 2005 upervised by: Krzysztof Pietrzak, Prof. Ueli Maurer Email: pat@student.ethz.ch In a recent paper
More informationA Fully Collusion Resistant Broadcast, Trace and Revoke System
A Fully Collusion Resistant Broadcast, Trace and Revoke System Dan Boneh Brent Waters Abstract We introduce a simple primitive called Augmented Broadcast Encryption (ABE) that is sufficient for constructing
More informationCryptography: The Landscape, Fundamental Primitives, and Security. David Brumley Carnegie Mellon University
Cryptography: The Landscape, Fundamental Primitives, and Security David Brumley dbrumley@cmu.edu Carnegie Mellon University The Landscape Jargon in Cryptography 2 Good News: OTP has perfect secrecy Thm:
More informationCPSC 91 Computer Security Fall Computer Security. Assignment #3 Solutions
CPSC 91 Computer Security Assignment #3 Solutions 1. Show that breaking the semantic security of a scheme reduces to recovering the message. Solution: Suppose that A O( ) is a message recovery adversary
More informationAuthentication. Chapter Message Authentication
Chapter 5 Authentication 5.1 Message Authentication Suppose Bob receives a message addressed from Alice. How does Bob ensure that the message received is the same as the message sent by Alice? For example,
More informationMultiparty Computation
Multiparty Computation Principle There is a (randomized) function f : ({0, 1} l ) n ({0, 1} l ) n. There are n parties, P 1,...,P n. Some of them may be adversarial. Two forms of adversarial behaviour:
More informationFunctional Encryption for Cascade Automata
Functional Encryption for Cascade Automata by Dan Brownstein, Shlomi Dolev, Niv Gilboa The Lynne and William Frankel Center for Computer Science Department of Computer Science, Ben-Gurion University, Beer
More informationShorter IBE and Signatures via Asymmetric Pairings
Shorter IBE and Signatures via symmetric Pairings Jie Chen, Hoon Wei Lim, San Ling, Huaxiong Wang, and Hoeteck Wee 2, Division of Mathematical Sciences School of Physical & Mathematical Sciences Nanyang
More informationComputational security & Private key encryption
Computational security & Private key encryption Emma Arfelt Stud. BSc. Software Development Frederik Madsen Stud. MSc. Software Development March 2017 Recap Perfect Secrecy Perfect indistinguishability
More informationCSA E0 312: Secure Computation September 09, [Lecture 9-10]
CSA E0 312: Secure Computation September 09, 2015 Instructor: Arpita Patra [Lecture 9-10] Submitted by: Pratik Sarkar 1 Summary In this lecture we will introduce the concept of Public Key Samplability
More informationCS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrosky. Lecture 4
CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrosky Lecture 4 Lecture date: January 26, 2005 Scribe: Paul Ray, Mike Welch, Fernando Pereira 1 Private Key Encryption Consider a game between
More informationMulti-Input Functional Encryption
Multi-Input Functional Encryption S. Dov Gordon Jonathan Katz Feng-Hao Liu Elaine Shi Hong-Sheng Zhou Abstract Functional encryption (FE) is a powerful primitive enabling fine-grained access to encrypted
More informationAdaptively Simulation-Secure Attribute-Hiding Predicate Encryption
Adaptively Simulation-Secure Attribute-Hiding Predicate Encryption by Pratish Datta 1 joint work with Tatsuaki Okamoto 1 and Katsuyuki Takashima 2 1 NTT Secure Platform Laboratories 3-9-11 Midori-cho,
More informationFunctional Encryption for Computational Hiding in Prime Order Groups via Pair Encodings
Functional Encryption for Computational Hiding in Prime Order Groups via Pair Encodings Jongkil Kim, Willy Susilo, Fuchun Guo, and Man Ho Au 2 Centre for Computer and Information Security Research School
More informationCryptographically Enforced RBAC
Cryptographically Enforced RBAC Anna Lisa Ferrara 1, Georg Fuchsbauer 2, and Bogdan Warinschi 1 1 University of Bristol, UK, anna.lisa.ferrara@bristol.ac.uk,bogdan@cs.bris.ac.uk 2 Institute of Science
More informationPositive Results and Techniques for Obfuscation
Positive Results and Techniques for Obfuscation Benjamin Lynn Stanford University Manoj Prabhakaran Princeton University February 28, 2004 Amit Sahai Princeton University Abstract Informally, an obfuscator
More information6.892 Computing on Encrypted Data October 28, Lecture 7
6.892 Computing on Encrypted Data October 28, 2013 Lecture 7 Lecturer: Vinod Vaikuntanathan Scribe: Prashant Vasudevan 1 Garbled Circuits Picking up from the previous lecture, we start by defining a garbling
More informationOn the security of Jhanwar-Barua Identity-Based Encryption Scheme
On the security of Jhanwar-Barua Identity-Based Encryption Scheme Adrian G. Schipor aschipor@info.uaic.ro 1 Department of Computer Science Al. I. Cuza University of Iași Iași 700506, Romania Abstract In
More informationCS 395T. Probabilistic Polynomial-Time Calculus
CS 395T Probabilistic Polynomial-Time Calculus Security as Equivalence Intuition: encryption scheme is secure if ciphertext is indistinguishable from random noise Intuition: protocol is secure if it is
More informationLecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography
Lecture 19: (Diffie-Hellman Key Exchange & ElGamal Encryption) Recall In private-key cryptography the secret-key sk is always established ahead of time The secrecy of the private-key cryptography relies
More informationEfficient Selective Identity-Based Encryption Without Random Oracles
Efficient Selective Identity-Based Encryption Without Random Oracles Dan Boneh Xavier Boyen March 21, 2011 Abstract We construct two efficient Identity-Based Encryption (IBE) systems that admit selectiveidentity
More information1 Number Theory Basics
ECS 289M (Franklin), Winter 2010, Crypto Review 1 Number Theory Basics This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his
More information2 Message authentication codes (MACs)
CS276: Cryptography October 1, 2015 Message Authentication Codes and CCA2 Instructor: Alessandro Chiesa Scribe: David Field 1 Previous lecture Last time we: Constructed a CPA-secure encryption scheme from
More informationFunctional Encryption for Regular Languages
Functional Encryption for Regular Languages Brent Waters 1 The University of Texas at Austin bwaters@cs.utexas.edu Abstract. We provide a functional encryption system that supports functionality for regular
More informationAdaptively Secure Puncturable Pseudorandom Functions in the Standard Model
Adaptively Secure Puncturable Pseudorandom Functions in the Standard Model Susan Hohenberger Johns Hopkins University susan@cs.hu.edu Brent Waters University of Texas at Austin bwaters@cs.utexas.edu November
More informationProvable security. Michel Abdalla
Lecture 1: Provable security Michel Abdalla École normale supérieure & CNRS Cryptography Main goal: Enable secure communication in the presence of adversaries Adversary Sender 10110 10110 Receiver Only
More informationDisjunctions for Hash Proof Systems: New Constructions and Applications
Disjunctions for Hash Proof Systems: New Constructions and Applications Michel Abdalla, Fabrice Benhamouda, and David Pointcheval ENS, Paris, France Abstract. Hash Proof Systems were first introduced by
More informationOn Black-Box Reductions between Predicate Encryption Schemes
On Black-Box Reductions between Predicate Encryption Schemes Vipul Goyal Virendra Kumar Satya Lokam Mohammad Mahmoody February 20, 2012 Abstract We prove that there is no black-box construction of a threshold
More informationDual System Encryption: Realizing Fully Secure IBE and HIBE under Simple Assumptions
Dual System Encryption: Realizing Fully Secure IBE and HIBE under Simple Assumptions Brent Waters University of Texas at Austin Abstract We present a new methodology for proving security of encryption
More informationOn the (Im)possibility of Projecting Property in Prime-Order Setting
On the (Im)possibility of Projecting Property in Prime-Order Setting Jae Hong Seo Department of Mathematics, Myongji University, Yongin, Republic of Korea jaehongseo@mju.ac.r Abstract. Projecting bilinear
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2017 Previously on COS 433 Takeaway: Crypto is Hard Designing crypto is hard, even experts get it wrong Just because I don t know
More informationUnbounded Inner Product Functional Encryption from Bilinear Maps
nbounded Inner Product Functional Encryption from Bilinear Maps Junichi Tomida and Katsuyuki Takashima 2 NTT tomida.junichi@lab.ntt.co.jp 2 Mitubishi Electric Takashima.Katsuyuki@aj.MitsubishiElectric.co.jp
More informationLecture 1: Introduction to Public key cryptography
Lecture 1: Introduction to Public key cryptography Thomas Johansson T. Johansson (Lund University) 1 / 44 Key distribution Symmetric key cryptography: Alice and Bob share a common secret key. Some means
More informationStrongly Unforgeable Signatures Based on Computational Diffie-Hellman
Strongly Unforgeable Signatures Based on Computational Diffie-Hellman Dan Boneh 1, Emily Shen 1, and Brent Waters 2 1 Computer Science Department, Stanford University, Stanford, CA {dabo,emily}@cs.stanford.edu
More informationCS259C, Final Paper: Discrete Log, CDH, and DDH
CS259C, Final Paper: Discrete Log, CDH, and DDH Deyan Simeonov 12/10/11 1 Introduction and Motivation In this paper we will present an overview of the relations between the Discrete Logarithm (DL), Computational
More informationReducing Depth in Constrained PRFs: From Bit-Fixing to NC 1
Reducing Depth in Constrained PRFs: From Bit-Fixing to NC 1 Nishanth Chandran Srinivasan Raghuraman Dhinakaran Vinayagamurthy Abstract The candidate construction of multilinear maps by Garg, Gentry, and
More informationThe k-bdh Assumption Family: Bilinear Cryptography from Progressively Weaker Assumptions
The k-bdh Assumption Family: Bilinear Cryptography from Progressively Weaker Assumptions Karyn Benson (UCSD) Hovav Shacham (UCSD) Brent Waters (UT-Austin) Provable Security How to show your cryptosystem
More information