Anonymous Identity-Based Broadcast Encryption with Revocation for File Sharing

Transcription

1 Anonymous Identty-Based Broadcast Encrypton wth Revocaton for Fle Sharng Janchang La, Y Mu, Fuchun Guo, Wlly Suslo, and Rongmao Chen Centre for Computer and Informaton Securty Research, School of Computng and Informaton Technology Unversty of Wollongong, Wollongong, Australa {jl967,ymu,fuchun,wsuslo,rc517}@uow.edu.au Abstract. Tradtonally, a cphertext from an dentty-based broadcast encrypton can be dstrbuted to a group of recevers whose denttes are ncluded n the cphertext. Once the cphertext has been created, t s not possble to remove any ntended recevers from t wthout conductng decrypton. In ths paper, we consder an nterestng queston: how to remove target desgnated recevers from a cphertext generated by an anonymous dentty-based broadcast encrypton? The soluton to ths queston s found applcable to fle sharng wth revocaton. In ths work, we found an affrmatve answer to ths queston. We construct an anonymous dentty-based broadcast encrypton, whch offers the user revocaton of cphertext and the revocaton process does not reveal any nformaton of the plantext and recever dentty. In our proposed scheme, the group of recever denttes are anonymous and only known by the encryptor. We prove that our scheme s semantcally secure n the random oracle model. Keywords: Identty-Based Encrypton, Revocaton, Anonymty 1 Introducton In a broadcast encrypton system, a fle can be encrypted for a group of recevers such that any recever n the group can decrypt the cphertext usng ts respectve prvate key. The users outsde the group learn nothng about the encrypted fle even f they collude. Broadcast encrypton s a useful way for data sharng, where recevers can obtan the broadcast (or shared data wth ther prvate keys. However, drectly applyng a broadcast encrypton for data sharng n database systems or cloud computng mght suffer from some drawbacks. For example, t cannot preserve the recever prvacy, snce all recever denttes must be attached wth the cphertext. Therefore, f applyng an dentty-based broadcast encrypton scheme to fle sharng, an anonymous broadcast encrypton would be more desrable. We consder an applcaton scenaro usng an anonymous dentty-based broadcast encrypton, where the fle sharng system for a company s suppled by a cloud servce. Wthout losng generalty, let s assume that the system nvolves a cloud server, fle An extended abstract of ths paper appears n ACISP Ths s the full verson. We revse the typos about the group operatons n scheme s constructon and securty proofs, and gve the full probablty analyss.

2 owner, and a group of users. The fle owner frst encrypts a fle for a selected group S, and then stores the encrypted fle n the cloud for sharng. When some users R leave the company, the server must revoke them from accessng all fles. If the revoked users are n S, they cannot decrypt the cphertext after the server conducts revocaton. Mostly mportant, t requres the cloud server to be able to revoke users from a cphertext wthout knowng the encrypted fle and the denttes of recevers. A trval soluton to the scenaro s to adopt the decrypt then re-encrypt approach. It requres the server to have the ablty to decrypt the cphertext. When some denttes should be revoked, the server frst decrypts the cphertext and removes them from the orgnal authorzed user set. It then re-encrypts the fle usng the new authorzed user set. However, n ths trval soluton, the cloud server s able to learn the content and the dentty of authorzed users who can access the fle. Alternatvely, the cloud server wthout decrypton rght can encrypt the cphertext by usng the broadcast encrypton scheme (e.g. [21] where anyone can decrypt the cphertext except the revoked users. Ths method guarantees that the cloud server cannot get any useful nformaton about the content and the authorzed users denttes from the orgnal cphertext. The lmtaton s that ths method could cause a colluson attack. For example, let ID be the dentty of User ; f ID 1 / S R, ID 2 S R, ID 1 can use ts prvate key to help ID 2 recover the orgnal cphertext, then ID 2 uses ts prvate key to decrypt the orgnal cphertext. Our Contrbutons. We notce that there s no deal trval soluton to the aforementoned problem. In ths work, we provde a soluton to the stated problem earler and show how to revoke users denttes from the cphertext wthout the knowledge of the plantext and the knowledge of the recevers. We propose a new cryptographc noton called anonymous dentty-based broadcast encrypton wth revocaton (AIBBER to realze ths. Our novel soluton allows the cloud server to revoke users denttes wthout decrypton and acheves full anonymty where only the sender knows the recevers denttes. We present two securty models to meet the requrements of the proposed noton and show that our constructon s secure under the attacks n the proposed model. In our settng, both the system publc key and user prvate key are constant. The computaton n revocaton phase s small, more precsely O(t, where t s the number of revoked denttes. 1.1 Related Work Anonymous Broadcast Encrypton. Snce Fat and Naor [15] formally ntroduced broadcast encrypton, subsequent works [9, 10, 3, 8, 16, 25, 6] have proposed broadcast encrypton systems wth dfferent propertes. They manly focused on reducng publc key szes, prvate key szes, cphertext szes and computatonal costs for encrypton and decrypton. The noton of dentty-based broadcast encrypton was ntroduced by Saka and Furukawa [26], and Delerablée s work [8] acheves constant sze cphertext and prvate keys. In these schemes, the recever denttes must be attached wth the cphertext, whch exposes the prvacy of the recevers. The frst work addressng the anonymty n broadcast encrypton appeared n [1]. The authors presented the noton of prvate broadcast encrypton to protect the denttes of the recevers and gave a generc constructon from any key ndstngushable

3 CCA scheme, whch acheves recever anonymty and CCA securty. The securty n [1] depends on a strongly secure one-tme sgnature. Boneh, Saha and Waters [4] extended ths noton to construct prvate lnear broadcast encrypton and proposed a fully colluson resstant tracng trators scheme wth sublnear sze cphertexts and constant sze prvate keys. However, the recevers cannot be arbtrary sets of users. Subsequently, many anonymous ID-based broadcast encrypton schemes were proposed [18, 22, 14, 28, 12]. Lbert, Paterson and Quagla [22] examned the securty of the number-theoretc constructon n [1] and suggested the proof technques wthout the random oracle. The authors proposed an anonymous broadcast encrypton scheme that acheves adaptve securty wthout random oracles. The cphertext n ther schemes are lnear of the number of recevers and the securty depends on a one-tme sgnature. Later, Fazo and Perera [14] formalzed the noton of outsder-anonymous broadcast encrypton, whch les between the complete lack of protecton that characterzes tradtonal broadcast encrypton scheme [15] and the full anonymty n [1]. Ther constructons acheve sublnear cphertext length but fal to obtan anonymty among the recever. The work of Kayas and Samar [19] amed to study the lower bounds for the cphertext sze of prvate broadcast encrypton. They showed that an atomc prvate broadcast encrypton scheme wth fully anonymous must have a cphertext sze of Ω(n k, where n s the number of broadcast set and k s the securty parameter. Recently, Fazo, Ncolos and Perera [13] studed the broadcast steganography and ntroduced a new constructon called outsder-anonymous broadcast encrypton wth pseudorandom cphertexts, whch acheves sublnear cphertext sze and s secure wthout random oracles. Revocaton. The revocaton schemes n the lterature only guarantee the revoked users cannot decrypt the cphertext. Whle the revocaton n our paper focuses on how to revoke the denttes from a group of users S. Only the users who are n S but not n the revocaton set can retreve the plantext. Revocaton system s a varant of the broadcast encrypton system, where t takes a set of revoked users as nput to the encrypton functon. Several elegant revocaton constructons [23, 24, 11, 17, 5, 21, 20] have been proposed. Naor, Naor and Lotspech [23] presented a technque called subset-cover framework, and based on ths framework they proposed the frst stateless tree-based revocaton scheme whch was secure aganst a collson of any number of users. Boneh and Waters [5] ntroduced a prmtve called augmented broadcast encrypton whch was clamed to be suffcent for constructng trace and revoke schemes. The authors proposed a revocaton scheme wth sublnear sze cphertexts and prvate keys. The scheme was proved to be secure aganst adaptve adversares. Lewko, Saha and Waters [21] proposed a revocaton system wth very small prvate keys usng the two equaton technque. The prmary challenge s to acheve full colluson reslence. Anyone can decrypt the cphertext and get the broadcast message except the revoked users even f they collude. In Lewko et al. s scheme, the cphertext sze s O(t and the sze of the publc key s constant, where t s the number of revoked users. Recently, to narrow the scope of decrypter n [21], a sngle revocaton encrypton (SRE scheme was presented by Lee et al. [20], whch allows a sender to broadcast a message to a group of selected users and one group user s revoked. Any group member

4 can decrypt the cphertext except the revoked user. The authors then proposed a publc key trace and revoke scheme by combnng the layered subset dfference scheme and ther SRE scheme. Broadcast Proxy Re-Encrypton. The concept of proxy re-encrypton (PRE was ntroduced by Blaze, Bleumer and Strauss [2], whch provdes a flexble and secure way to share data. PRE allows an honest-but-curous proxy to turn a cphertext ntended for a recever nto another cphertext ntended for another recever. Whle, the proxy cannot learn any useful nformaton about the plantext durng the transformaton. Chu et al. [7] extended ths noton to construct the proxy broadcast re-encrypton (PBRE. Compared wth PRE, PBRE allows the proxy to transform a cphertext ntended for a recever set to another cphertext ntended for another recever set. Recently, motvated by the cloud emal system, Xu et al. [27] presented a condtonal dentty-based broadcast proxy reencrypton scheme wth constant cphertext based on [8]. In both the PRE and PBRE system, the data owner has to delegate a re-encrypton key to the proxy and the proxy knows the new recevers denttes. Organzaton. The rest of the paper s organzed as follows. In Secton 2, we gve some prelmnares ncludng complexty assumpton, the formal defnton of anonymous dentty-based broadcast encrypton wth revocaton and the correspondng securty models. The concrete constructon s presented n Secton 3. In Secton 4, we show the securty proofs of our scheme. Fnally, we conclude the paper n Secton 5. 2 Prelmnares 2.1 Complexty Assumpton Let G and G T be two cyclc groups of the same prme order p. A blnear map s a map e : G G G T whch satsfes the followng propertes: 1. Blnear: For all P, Q G and a, b Z p, we have e (ap, bq = e(p, Q ab. 2. Non-degeneracy: There exsts P, Q G such that e (P, Q Computablty: It s effcent to compute e (P, Q for all P, Q G. A blnear group BG = (G, G T, e, p s composed of objects as descrbed above. Blnear Dffe-Hellman Problem (BDH. Let BG = (G, G T, e, p be a blnear group wth a generator P G. The BDH problem n (G, G T, e s as follows: Gven a tuple (P, ap, bp, cp for some unknown a, b, c Z p as nput, output e(p, P abc G T. An algorthm A has advantage ε n solvng BDH n (G, G T, e f [ Pr A (P, ap, bp, cp = e(p, P abc] ε, where the probablty s over the random choce of a, b, c n Z p and P G. Defnton 1. We say that the BDH assumpton holds n G f no PPT adversary has advantage at least ε n solvng the BDH problem n G.

5 2.2 Anonymous ID-Based Broadcast Encrypton wth Revocaton The AIBBER system s derved from Identty-Based Broadcast Encrypton (IBBE [8] wth more functons. Formally, an AIBBER scheme conssts of the algorthms AIBBER = (Setup, KeyGen, Encrypt, Revoke, Decrypt defned as follows. Setup (1 λ : Takng a securty parameter 1 λ as nput, t outputs a master publc key mpk and a master secrete key msk. The mpk s publcly known whle the msk s kept secretly. KeyGen (mpk, msk, ID: Takng the master key par (msk, mpk and a user dentty ID as nput, t outputs a prvate key d ID for ID. Encrypt (mpk, M, S: Takng the master publc key mpk, a message M and a set of denttes S = (ID 1, ID 2,..., ID n as nput, t outputs a cphertext CT. Revoke (mpk, R, CT : Takng the master publc key mpk, a cphertext CT and a revocaton dentty set R = (ID 1, ID 2,, ID t as nput, t outputs a new cphertext CT wth R. Decrypt (mpk, CT, ID, d ID : Takng the master publc key mpk, a cphertext CT, an dentty ID and the prvate key d ID as nput. It outputs the message M f ID S and ID / R. Correctness. Note that f t = 0, the AIBBER scheme s AIBBE scheme. Thus, t requres that for any ID S and ID / R, f (mpk, msk Setup(1 λ, d ID KeyGen(mpk, msk, ID, CT Encrypt(mpk, M, S, CT Revoke(mpk, R, CT, we have Decrypt(CT, ID, d ID = M and Decrypt(CT, ID, d ID = M. 2.3 Securty Models The securty of AIBBER scheme requres that wthout a vald prvate key, both the encrypted message and the ntended recevers are unknown to the adversary. Let CT be the orgnal cphertext for recevers S, R be the revoke users and CT be the cphertext after revocaton. The securty requres: 1. The message n the cphertext CT cannot be dstngushed wthout a vald prvate key assocated wth an dentty ID S. The message n CT cannot be dstngushed wthout a vald prvate key assocated wth an dentty ID S and ID / R. 2. The dentty set n the cphertext CT cannot be dstngushed wthout a vald prvate key assocated wth an dentty ID S. The dentty set n CT cannot be dstngushed wthout a vald prvate key assocated wth an dentty ID S and ID / R. We defne the IND-ID-CPA securty and ANON-ID-CPA securty for the AIBBER system n a smlar way as anonymous IBBE system. IND-ID-CPA Securty. IND-ID-CPA securty n AIBBER allows the adversary to ssue the prvate key query to obtan the prvate key assocated wth any dentty ID of her choce. The adversary s challenged on an dentty set S, two messages M 0, M 1 of ts choce and a revocaton dentty set R. Adversary s goal s to dstngush whether the

6 challenge cphertext s encrypted under M 0 or M 1 for S wth some restrctons. We say that adversary breaks the scheme f t guesses the message correctly. Specfcally, the noton of IND-ID-CPA s defned under the followng game between the challenger C and the PPT adversary A. Setup: C runs the Setup algorthm to generate the master publc key mpk and master secret key msk. Then t sends the mpk to A and keeps the msk secretly. Phase 1: A ssues prvate key queres. Upon recevng a prvate key query for ID. C runs the KeyGen algorthm to generate the prvate key d ID and sends the result back to A. Challenge: When A decdes that Phase 1 s over, t outputs two dstnct messages M 0, M 1 from the same message space, a challenge dentty set S = (ID 1, ID 2,, ID n and a revocaton dentty set R = (ID 1, ID 2,, ID t wth the restrcton that A has not quered the prvate key on ID n Phase 1, where ID S and ID / R. C randomly pcks a bt b {0, 1} and generates the challenge cphertext CT as follows: CT = Encrypt(mpk, M b, S, CT = Revoke(mpk, R, CT. If R, set CT = CT as the challenge cphertext, otherwse set CT = CT as the challenge cphertext, then send CT to A. Phase 2: A ssues more prvate key queres as n Phase 1, but t cannot query the prvate key on ID where ID S and ID / R. Guess: Fnally, A outputs ts guess b {0, 1} and wns the game f b = b. We refer to such an adversary A as an IND-ID-CPA adversary and defne adversary A s advantage n attackng the scheme as Adv IND-ID-CPA AIBER (A = Pr [b = b ] 1/2. The probablty s over the random bts used by the challenger and the adversary. Defnton 2. We say that an AIBBER scheme s IND-ID-CPA secure f there s no IND- ID-CPA adversary A has a non-neglgble advantage n ths game. ANON-ID-CPA Securty. ANON-ID-CPA securty n AIBBER allows the adversary to ssue the prvate key query to obtan the prvate key of any dentty ID of ts choce. Smlarly, the adversary s challenged on a message M, two dentty sets S 0, S 1 and a revocaton dentty set R of ts choce. Adversary s goal s to dstngush whether the challenge cphertext s generated under S 0 or S 1 wth some restrctons. We say that adversary breaks the scheme f t guesses the dentty set correctly. Specfcally, the noton of ANON-ID-CPA s defned under the followng game between the challenger C and the PPT adversary A. Setup: C runs the Setup algorthm to generate the master publc key mpk and master secret key msk. Then t sends the mpk to A and keeps the msk secretly. Phase 1: A ssues prvate key queres. Upon recevng a prvate key query for ID. C runs the KeyGen algorthm to generate the prvate key d ID and sends the result back to A. Challenge: When A decdes that Phase 1 s over, t outputs a message M, two dstnct dentty sets S 0 = (ID 0,1, ID 0,2,..., ID 0,n, S 1 = (ID 1,1, ID 1,2,..., ID 1,n and a revocaton set R = (ID 1, ID 2,, ID t. We requre that A has not ssued the prvate

7 key queres on ID n Phase 1, where ID (S 0 S 1 \(S 0 S 1. C randomly pcks a bt b {0, 1} and generates the challenge cphertext CT as follows: CT = Encrypt(mpk, M, S b, CT = Revoke(mpk, R, CT. If R, set CT = CT as the challenge cphertext, otherwse set CT = CT as the challenge cphertext, then send CT to A. Phase 2: A ssues more prvate key queres as n Phase 1, but t cannot query the prvate key on any ID, where ID (S 0 S 1 \(S 0 S 1. Guess: Fnally, A outputs ts guess b {0, 1} and wns the game f b = b. We refer to such an adversary A as an ANON-ID-CPA adversary and defne adversary A s advantage n attackng the scheme as Adv ANON-ID-CPA AIBER (A = Pr [b = b ] 1/2. The probablty s over the random bts used by the challenger and the adversary. Defnton 3. We say that an AIBBER scheme s ANON-ID-CPA secure f there s for any PPT adversary A, AdvAIBER ANON-ID-CPA (A s neglgble. 3 The Proposed Scheme 3.1 Constructon Setup: Gven a securty parameter 1 λ, the setup algorthm randomly chooses a blnear group BG = (G, G T, e, p wth a generator P G, s Z p and computes P pub = sp. It then pcks four cryptographc hash functons H : {0, 1} Z p, H 1 : {0, 1} G, H 2 : G T {0, 1} G, H 3 : G T {0, 1} G. The master publc key and master secret key are mpk = {BG, P, P pub, H, H 1, H 2, H 3 }, msk = s. KeyGen: Gven the master key par (mpk, msk and an dentty ID {0, 1}, ths algorthm outputs the prvate key d ID = sh 1 (ID. Encrypt: Gven the master publc key mpk, a set of dentty S = (ID 1, ID 2,..., ID n and a message M G, ths algorthm randomly chooses r 1, r 2 Z p and v G. For = 1, 2,, n, t computes x = H(ID, f (x = n j=1,j n 1 x x j = a,j x j mod p, x x j A = H 2 ( e ( H 1 (ID, P pub r1, ID, B = v + H 3 ( e ( H 1 (ID, P pub r2, ID. We have f (x = 1 and f (x j = 0 for j. Then t creates the cphertext CT as C 0 = v + M, C 1 = r 1 P, C 2 = r 2 P, together wth, for each = 1, 2,, n: Q = j=0 n a j, 1 A j, U = j=1 n a j, 1 B j. j=1

8 Revoke: Gven a cphertext CT = (C 0, C 1, C 2, Q, U, [1, n], the master publc key mpk and a revocaton dentty set R, where R = t. It requres t < n. If R =, ths algorthm sets CT = CT. Otherwse, t randomly chooses u G and computes C 0 = u + C 0, x = H(ID for ID R, g (x = t (x x = =1 t b x mod p. Then t sets b = 0 for = t+1, t+2,, n 1 and for each = 1, 2,, n computes =0 Q = Q + b 1 u. Then t sets CT = (R, C 0, C 1, C 2, Q, U, [1, n]. Decrypt: Gven a cphertext CT = (R, C 0, C 1, C 2, Q, U, [1, n], an dentty ID, a prvate key d ID and the master publc key mpk, ths algorthm computes x = H(ID and U = U 1 + x U 2 + x 2 U x n 1 U n, Q = Q 1 + x Q 2 + x 2 Q x n 1 Q n. Then t computes x j = H(ID j for each ID j R to reconstruct g(x as: g (x = t (x x j = j=1 Fnally, t uses the prvate key d ID to compute t b j x j mod p. v = U H 3 ( e(c2, d ID, ID, u = g(x 1 ( Q H 2 ( e(c1, d ID, ID. and recovers the message M = C 0 u v. If the dentty ID S and ID / R, we have u = u, v = v, then t obtans the correct M after decrypton. Note: For smplcty, we omt the modulo operaton and assume that the coeffcents of all polynomals are from Z p n the rest of paper. j=0 3.2 Dscusson and Correctness One may thnk that after revocaton, the revocaton set may be updated multple tmes. Our scheme allows the server to update the revocaton set. For each update, the server uses the orgnal cphertext and the new revocaton set to perform the Revoke algorthm. Thus, the server needs to store the orgnal cphertext CT n our scheme. In our settng, there s no requrement of R S. The revocaton set R can be arbtrary users. From our settng, only the users n S can decrypton the cphertext CT. After revocaton, the revoked users cannot decrypt the cphertext CT. We note that f ID R, g(h(id = 0 and g(h(idu = 1 G. The user wth dentty ID cannot retreve one of the decrypton keys u, even all users n R conclude. To obtan the decrypton keys u and v, the user must belong to S and not belong to R. Thus our scheme ensures

9 that even f all the revoked users collude, they stll cannot access the fle and learn the denttes of recevers. Next we show that our constructon meets the requrements of correctness as we clamed n the Secton 2.3. If x = H(ID s computed correctly, for any ID S and ID / R, we have g(x 0 and Q = Q 1 + x Q 2 + x 2 Q x n 1 = ( Q 1 + x Q 2 + x 2 Q x n 1 Q n ( Q n + b0 + b 1 x + b 2 x b n 1x n 1 u = (a 1,0 A 1 + a 2,0 A a n,0 A n + x (a 1,1 A 1 + a 2,1 A a n,1 A n + + x n 1 (a 1,n 1 A 1 + a 2,n 1 A a n,n 1 A n + g(x u = ( a 1,0 + a 1,1 x + a 1,2 x a 1,n 1x n 1 + ( a 2,0 + a 2,1 x + a 2,2 x a 2,n 1x n 1 A1 + ( a n,0 + a n,1 x + a n,2 x a n,n 1x n 1 = f 1 (x A 1 + f 2 (x A f n (x A n + g(x u = A + g(x u u = g(x 1 (Q ( H 2 e(c1, d ID, ID = g(x 1 (A ( + g(x u H 2 e(c1, d ID, ID = g(x 1 = g(x 1 (g(x u = u. A2 + An + g(x u (H 2 (e ( H 1 (ID, P pub r1, ID H 2 (e ( r 1 P, sh 1 (ID, ID + g(x u The user ID uses ts prvate key d ID to remove A from Q va above computaton. As g(x 0, the user can obtan u. U = U 1 + x U 2 + x 2 U x n 1 U n = (a 1,0 B 1 + a 2,0 B a n,0 B n + x (a 1,1 B 1 + a 2,1 B a n,1 B n + + x n 1 (a 1,n 1 B 1 + a 2,n 1 B a n,n 1 B n = ( a 1,0 + a 1,1 x + a 1,2 x a 1,n 1x n 1 + ( a 2,0 + a 2,1 x + a 2,2 x a 2,n 1x n 1 B1 + ( a n,0 + a n,1 x + a n,2 x a n,n 1x n 1 = f 1 (x B 1 + f 2 (x B f n (x B n = B ( v = U H 3 ( e(c2, d ID, ID = B H 3 e ( r 2 P, sh 1 (ID, ID B2 + Bn = v + H 3 ( e ( P, H 1 (ID sr 2, ID H 3 ( e ( H 1 (ID, P pub r2, ID = v. After recoverng u and v, we get the message as C 0 u v = M +v+u u v = M. 4 Securty Analyss Theorem 1. Suppose the hash functons H 1, H 2, H 3 are random oracles. If the BDH problem s hard, the proposed scheme s IND-ID-CPA secure. Specfcally, suppose

10 there s an IND-ID-CPA adversary A that has advantage ɛ aganst our proposed scheme. A makes at most q E prvate key queres and q H1, q H2, q H3 queres to the functons H 1, H 2 and H 3 respectvely. Then there s an algorthm S to solve the BDH problem wth advantage ɛ ɛ n e q E (q H2 +q H3, where n s the number of the broadcast denttes. Proof. Suppose there exsts an adversary A who can break our scheme wth advantage ɛ. We buld a smulator S that can solve the BDH problem wth advantage ɛ by runnng A. Let (P, ap, bp, cp be a random nstance of BDH problem taken as nput by S and ts goal s to compute e(p, P abc. In order to use A to solve the problem, S needs to smulate a challenger and respond all the queres for A. For smplcty, we assume that the H 2 and H 3 query s after the H 1 query for the same dentty. S works by nteractng wth A n an IND-ID-CPA game as follows: Setup: S sets P pub = ap and creates mpk = (p, P, P pub, e, H. H 1 -queres: A makes H 1 queres. S responds to a query on ID as follow. S mantans a lst L 1 of a tuple (ID, c, r, h. Ths lst s ntally empty. S frst checks the L 1. If the query ID already appears on the L 1 n a tuple (ID, c, r, h, t returns the correspondng h as the value of H 1 (ID. Otherwse, do the followng: 1. Select c R {0, 1} wth P r[c = 0] = δ for some δ (determne later. 2. Pck r R Z p, f c = 0, compute h = r bp. If c = 1, compute h = r P. 3. Add the tuple (ID, c, r, h to the L 1 and respond wth h to A. H 2 -queres: A makes H 2 queres. S responds to a query on (X, ID as follow. S mantans a lst L 2 of a tuple (X, ID, λ. Ths lst s ntally empty. S frst checks the L 2. If the query (X, ID already appears on the L 2 n a tuple (X, ID, λ, t returns the correspondng λ as the value of H 2 (X, ID. Otherwse, S randomly pcks a λ G as the value of H 2 (X, ID, then adds the tuple (X, ID, λ to the L 2 and responds to A wth λ. H 3 -queres: A makes H 3 queres. S responds to a query on (Y, ID as follow. S mantans a lst L 3 of a tuple (Y, ID, γ. Ths lst s ntally empty. S frst checks the L 3. If the query (Y, ID already appears on the L 3 n a tuple (Y, ID, γ, t returns the correspondng γ as the value of H 3 (Y, ID. Otherwse, S randomly pcks a γ G as the value of H 3 (Y, ID, then adds the tuple (Y, ID, γ to the L 3 and responds to A wth γ. Phase 1: A ssues the prvate key queres on ID for several tmes as needed. For each tme, S frst runs the H 1 query to get the correspondng c and r. If c = 0, S aborts. If c = 1, S computes d ID = sh 1 (ID = ar P = r P pub. Challenge: When A decdes Phase 1 s over, t outputs two dstnct messages M 0, M 1, a challenge dentty set S = (ID 1, ID 2,, ID n and a revocaton dentty set R = (ID 1, ID 2,, ID t under the restrcton that A has not quered the prvate key on ID n Phase 1, where ID S and ID / R. S randomly pcks a random bt b {0, 1} and does the follows: Case 1: R =. In ths case, S randomly pcks r Z p, C0 G, for each ID S, = 1, 2, n, randomly chooses A, B G and computes x = H(ID, n x x n 1 j f (x = x = a,j x j, x j j=1,j j=0

11 Then S generates the challenge cphertext CT as C 0, C 1 = r cp, C 2 = cp, together wth, for each = 1, 2,, n : Q = n a j, 1 A j, U = j=1 Case 2: R. In ths case, S does the follows: n a j, 1 Bj. 1. Pck r R Z p, v, u R G, compute C 0 = v + u + M b, C1 = r cp, C2 = cp. 2. For each (ID S (ID / R, S randomly chooses A, B G. For each (ID S (ID R, S gets r from the L 1 (If ID s not n the L 1, do H 1 queres to get r. Then t computes X = e(ap, cp r r and checks whether the tuple (X, ID n the L 2. If yes, t obtans the correspondng λ and sets A = λ. Otherwse, t randomly choose A G and adds the new tuple (X, ID, A to the L 2. Then S computes Y = e(ap, cp r and checks whether the tuple (Y, ID n the L 3. If yes, t obtans the correspondng γ and sets w = γ. Otherwse, t randomly chooses w G and adds the new tuple (Y, ID, w to the L 3, and computes B = w + v. 3. For each ID S, = 1, 2, n, compute x = H(ID, j=1 n f (x = j=1,j x x j x x j n 1 = a,j x j, j=0 4. Compute x Q = n a j, 1 A j, U = j=1 = H(ID for ID R and g (x = t =1 (x x = n a j, 1 Bj. j=1 t b x. Then set b = 0 for = t + 1, t + 2,, n 1. For 1 n, compute =0 Q = Q + b 1 u, and set CT = (R, C 0, C1, C2, Q, U, [1, n]. Phase 2: A ssues prvate key queres as needed, but t cannot query the prvate key on ID, where ID S and ID / R. S responds as n Phase 1. Guess: Fnally, A outputs ts guess b {0, 1}. Probablty Analyss. Note that n the case R =, we can vew v as the encrypton key to encrypt the challenge message. Let W = (e(h 1 (ID, P pub c, ID where ID S. In the real scheme, B = v + H 3 (W, thus we also can regard H 3 (W as the encrypton key to encrypt v. Before queryng the H 3 value of W, the result of H 3 (W s unknown and random. From the vew of adversary, v s encrypted wth

12 a random number key ndependent of W. Therefore, B s a one-tme pad. In other words, the challenge cphertext s a one-tme pad. Accordng to the assumpton(a can break our scheme wth advantage ɛ, the adversary wll query H 3 on W. In ths case, smulator decdes the correspondng hard problem s soluton s n the L 3 and can solve t wth probablty δ n. When R, we can vew v and u as the encrypton key to encrypt the challenge message. However, n ths case, the adversary can retreve v by queryng the prvate key of (ID S (ID R. That s, the message encrypton key s only u. Let Ω = ( e(h 1 (ID, P pub r c, ID, where (ID S (ID / R. Smlarly, n real scheme Q = A + g(x u = H 2 (Ω + g(x u, we can regard Ω as the encrypton key to encrypt u. Before queryng the H 2 value of Ω, the result of H 2 (Ω s unknown and random. From the vew of adversary, u s encrypted wth a random number key ndependent of Ω. Therefore, Q s a one-tme pad, that s, the challenge cphertext s a one-tme pad. Accordng to the assumpton(a can break our scheme wth advantage ɛ, the adversary wll query H 2 on Ω. In ths case, smulator can decdes the soluton of the correspondng hard problem s n the L 3 and solve t wth probablty δ n l where l = S R. Here, we defne the query whch can solve the hard problem as useful query. If useful query happens, t means c j = 0, H 1 (ID j = r j bp and d IDj = r j abp. From the decrypton algorthm, we have e(c1, d IDj = e(p, P r r jabc and e(c2, d IDj = e(p, P rjabc. Here S gnores the guess of A and pcks a random tuple from the L 2 or L 3. It frst obtans the correspondng r j from the L 1. If S pcks the tuple (X j, ID j, λ j from the L 2, t computes X (r r j 1 j as the soluton to the gven nstance of BDH problem. If S pcks the tuple (Y j, ID j, γ j from the L 3, t computes X r 1 j j to the gven nstance of BDH problem. as the soluton The above completes the descrpton of smulaton algorthm S. To complete the securty proof, t remans to show that S correctly outputs e (P, P abc wth advantage at least ɛ. Accordng to our above analyss, we frst defne the followng events: E 1 : Smulaton dose not abort n prvate key query. E 2 : At least one of the H 1 values of challenge denttes contans hard problem. E 3 : Adversary chooses an dentty where c = 0 to dstngush challenge message. E 4 : Smulator correctly chooses the soluton from the L 2 or L 3 lst. The smulator can successfully solve the hard problem f and only f all events happen smultaneously. Next, we analyze the probablty of all events. From the prvate key query, we know when each c = 1, smulaton wll not abort, thus Pr[E 1 ] = Pr[c = 1, = 1, 2,, q E ] = (1 δ q E. All c are chosen by smulator where c = 0 wth probablty δ, c = 1 wth probablty 1 δ. When c = 0, the value of H 1 contans the hard problem, thus Pr[E 2 ] = δ. Snce all c are chosen by smulator and they are secretly to adversary, adversary does not know whch dentty s c s equal to 0 or 1. That s, from adversary s pont of vew, t does not know the probabltes of c = 0 and c = 1. Therefore, under event E 2, we

13 have Pr[E 3 ] = Pr[E 3 c = 0] Pr[c = 0] + Pr[E 3 c = 1] Pr[c = 1] = 1 n l Pr[c = 0] + 1 n l Pr[c = 1] = 1 n l 1 n. Note that the dentty ID S R allows to query the correspondng prvate key. In our settng, these denttes cannot be used to dstngush the challenge messages. Snce S R = l, the potental useful dentty s n l. Thus we have above result Pr[E 3 ] = 1 n l 1 n. Fnally, from the smulator s pont of vew, f adversary can guess the correct b and wth the condtons that E 1, E 2, E 3 happen, t only knows that the soluton of the hard problem s n the L 2 or L 3, but t dose not know whch one s, thus Pr[E 4 ] 1 q H2 +q H3. It s clear that these four events are ndependent, therefore, we have ɛ Pr[E 1 E 2 E 3 E 4 ] ɛ = Pr[E 1 ] Pr[E 2 ] Pr[E 3 ] Pr[E 4 ] ɛ (1 δ qe δ 1 n 1 q H2 +q H3 ɛ = (1 δ qe ɛ δ n(q H2 +q H3. The functon (1 δ qe δ s maxmzed at δ = 1 q E +1, we have ( 1 (1 δ qe δ = q E qe = 1 ( 1 1 qe +1. q E + 1 q E q E + 1 ( For a large q E, 1 1 qe +1 q E +1 1 e, thus we have ɛ (1 δ qe δ Ths completes the proof. ɛ n(q H2 + q H3 ɛ n e q E (q H2 + q H3. Dscusson. When R =, the challenge message s encrypted by v. If the adversary can dstngush the message, the smulator can decde t must have quered the H 3 value wth the nput embeddng the hard problem, but smulator does not know whch nput embeds the hard problem. In ths case, Pr[E 4 ] = 1 1 q H3 q H2 +q H3. When R, even the nputs of H 3 contan the hard problem, the adversary can retreve v by the dentty ID S and ID R. Thus the useful queres are from H 2 and Pr[E 4 ] = 1 1 q H2 +q H3. Theorem 2. Suppose the hash functons H 1, H 2, H 3 are random oracles. The proposed scheme s ANON-ID-CPA secure under the BDH assumpton. Specfcally, suppose there s an ANON-ID-CPA adversary A that has advantage ɛ aganst our proposed scheme. A makes at most q E prvate key queres and q H1, q H2, q H3 queres to the functons H 1, H 2 and H 3 respectvely. Then there s an algorthm S to solve the BDH problem wth advantage ɛ denttes. ɛ n e q E (q H2 +q H3 q H2, where n s the number of broadcast

14 Proof. The proof of Theorem 2 s smlar to the proof of Theorem 1. Gven a random nstance of BDH problem (P, ap, bp, cp, S works by nteractng wth A n an ANON- ID-CPA game. The Setup, H 1 -query, H 2 -query, H 3 -query and Phase 1 query are the same as n Theorem 1. Challenge: When A decdes Phase 1 s over, t outputs a challenge message M, two dstnct dentty sets S 0 = (ID 0,1, ID 0,2,, ID 0,n, S 1 = (ID 1,1, ID 1,2,, ID 1,n and a revocaton dentty set R = (ID 1, ID 2,, ID t. We requre that any dentty ID (S 0 S 1 \(S 0 S 1 has not been quered the prvate key n Phase 1. S pcks a random bt b {0, 1} and dose the follows: 1. Pck r R Z p, v G, compute C0 = v + M, C1 = r cp, C2 = cp. 2. For each ID S b \(S 0 S 1, randomly choose A, B G. For each ID S 0 S 1, S frst gets r from the L 1 (If ID s not n the L 1, do H 1 queres to get r. Then t computes X = e(ap, cp r r and checks whether the tuple (X, ID s n the L 2. If yes, t obtans the correspondng λ and sets A = λ. Otherwse, t randomly chooses A G and adds the new tuple (X, ID, A to the L 2. Then S computes Y = e(ap, cp r and checks whether the tuple (Y, ID n the L 3. If yes, t obtans the correspondng γ and sets w = γ. Otherwse, t randomly chooses w G and adds the new tuple (Y, ID, w to the L 3, and computes B = w + v. 3. For each = 1, 2, n, compute x = H(ID, n f (x = j=1,j x x j x x j n 1 = a,j x j, j=0 Q = n a j, 1 A j, U = j=1 n a j, 1 Bj, j=1 and set CT = (R, C0, C1, C2, Q, U, [1, n]. Case 1: R =. S sets the challenge cphertext CT = CT. Case 2: R. S randomly chooses u G and computes C 0 = u + C0. For each ID R, S computes x = H(ID, g (x = t =1 (x x = t b x, and sets b = 0 for = t + 1, t + 2,, n 1. Fnally, for each = 1, 2,, n, S computes Q = Q + b 1 u, and sets CT = (R, C 0, C1, C2, Q, U, [1, n]. Phase 2: A ssues more prvate key queres, but t cannot query the prvate key on ID, where ID (S 0 S 1 \(S 0 S 1. S responds as n Phase 1. Guess: Fnally, A outputs ts guess b {0, 1}. =0

15 Analyss. The adversary A can obtan the prvate keys for ID S 0 S 1, then computes v correctly through the decrypton algorthm. If A fnds that for dfferent denttes ID S 0 S 1, t gets dfferent v. Then A can dstngush the smulaton from the real scheme and aborts mmedately. Smlarly, for ID S 0 S 1 R, A can get A correctly through the challenge cphertext. Meanwhle, A can use the prvate key to compute A. If both are not equal for the same dentty, A can dstngush the smulaton from the real scheme and aborts mmedately. Moreover, for ID S 0 S 1, but ID / R, A can compute u correctly. If A fnds that for dfferent denttes ID, t gets dfferent u. Then A can dstngush the smulaton from the real scheme and aborts mmedately. Thus, n the securty proof, we should take these ssues nto consderaton. The settngs n our proof can address these ssues perfectly. As the same analyss n Theorem 1, the challenge cphertext s a one-tme pad unless the adversary ssues the addtonal queres. If addtonal queres happen, t means c j = 0, we have H 1 (ID j = r j bp and d IDj = r j abp. From the decrypton algorthm, we have e(c1, d IDj = e(r cp, r j abp = e(p, P r r jabc and e(c2, d IDj = e(cp, r j abp = e(p, P rjabc. Here S gnores the guess of A. S pcks a random tuple from the L 2 or L 3. It frst obtans the correspondng r j from the L 1. If S pcks the tuple (X j, ID j, λ j from the L 2, computes X (r r j 1 j as the soluton to the gven nstance of BDH problem. If S pcks the tuple (Y j, ID j, γ j from the L 3, computes Y r 1 j j as the soluton to the gven nstance of BDH problem. The above completes the descrpton of smulaton algorthm S. To complete the securty proof, t remans to show that S correctly outputs e (P, P abc wth advantage at least ɛ. We frst defne the followng events: E 1 : Smulaton dose not abort n prvate key query. E 2 : At least one of the H 1 values of challenge denttes contans hard problem. E 3 : Adversary chooses an dentty where c = 0 to dstngush challenge dentty sets. E 4 : Smulator correctly chooses the soluton from the L 2 or the L 3. Smulator can successfully solve the hard problem f and only f all events happen smultaneously. Next, we analyze the probablty of all events. From the prvate key queres, we know when each c = 1, smulaton wll not abort, thus Pr[E 1 ] = Pr[c = 1, = 1, 2,, q E ] = (1 δ q E. All c are chosen by smulator where c = 0 wth probablty δ, c = 1 wth probablty 1 δ. When c = 0, the value of H 1 contans the hard problem, thus Pr[E 2 ] = δ. Snce all c are chosen by a certan probablty whch s decded by smulator and they are secretly to adversary, adversary dose not know whch dentty s c s equal to 0 or 1. That s, from adversary s pont of vew, t does not know the probabltes of c = 0 and c = 1. Therefore, under event E 2, we have Pr[E 3 ] = Pr[E 3 c = 0] Pr[c = 0] + Pr[E 3 c = 1] Pr[c = 1] 1 n Pr[c = 0] + 1 n Pr[c = 1] = 1 n ( Pr[c = 0] + Pr[c = 1] = 1 n.

16 Note that the dentty ID S 0 S 1 allows to query the correspondng prvate key, these denttes cannot be used to dstngush the challenge dentty sets. If S 0 S 1 = k, the potental useful dentty s n k. Thus we have above result Pr[E 3 ] = 1 n k 1 n. Fnally, from the smulator s pont of vew, f adversary can guess the correct b and wth the condtons that E 1, E 2, E 3 happen, t only knows that the hard problem s embed n the H 2 query or H 3 query, thus Pr[E 4 ] 1 q H2 +q H3. It s clear that these four events are ndependent, therefore, we have ɛ Pr[E 1 E 2 E 3 E 4 ] ɛ = Pr[E 1 ] Pr[E 2 ] Pr[E 3 ] Pr[E 4 ] ɛ (1 δ qe δ 1 n 1 q H2 +q H3 ɛ = (1 δ qe ɛ δ n(q H2 +q H3. The functon (1 δ qe δ s maxmzed at δ = 1 q E +1, we have (1 δ qe δ = ( 1 q E qe = 1 ( 1 1 qe +1. q E + 1 q E q E + 1 ( For a large q E, 1 1 qe +1 q E +1 1 e, thus we have ɛ (1 δ qe δ ɛ n(q H2 + q H3 ɛ e q E n (q H2 + q H3. Ths completes the proof. 5 Concluson We presented an anonymous dentty-based broadcast encrypton wth revocaton scheme for fle sharng. The fle owner can encrypt a fle for sharng wth a group of users and stores the encrypted fle n the cloud server (or any other thrd party. The server can revoke target users wthout knowng the fle and the recever denttes. Our scheme ensures that even f all the revoked users collude, they stll cannot access the fle and learn the denttes of recevers. The cloud server also learns nothng about the fle and the recever denttes. Fnally, we proved that the proposed scheme s IND-ID-CPA secure and ANON-ID-CPA secure under the BDH assumpton n the random oracle model. References 1. Barth, A., Boneh, D., Waters, B.: Prvacy n encrypted content dstrbuton usng prvate broadcast encrypton. In: Fnancal Cryptography 2006, Lecture Notes n Computer Scence. vol. 4107, pp ( Blaze, M., Bleumer, G., Strauss, M.: Dvertble protocols and atomc proxy cryptography. In: Advances n Cryptology EUROCRYPT 98, Lecture Notes n Computer Scence. vol. 1403, pp (1998

17 3. Boneh, D., Gentry, C., Waters, B.: Colluson resstant broadcast encrypton wth short cphertext and prvate keys. In: CRYPTO 2005, Lecture Notes n Computer Scence. vol. 3621, pp ( Boneh, D., Saha, A., Waters, B.: Fully colluson resstant trator tracng wth short cphertexts and prvate keys. In: EUROCRYPT 2006, Lecture Notes n Computer Scence. vol. 4004, pp ( Boneh, D., Waters, B.: A fully colluson resstant broadcast, trace, and revoke system. In: CCS 06 Proceedngs of the 13th ACM conference on Computer and communcatons securty. pp ( Boneh, D., Waters, B., Zhandry, M.: Low overhead broadcast encrypton from multlnear maps. In: CRYPTO 2014, Lecture Notes n Computer Scence. vol. 8616, pp ( Chu, C.K., Weng, J., Chow, S.S.M., Zhou, J., Deng, R.H.: Condtonal proxy broadcast reencrypton. In: 14th Australasan Conference, ACISP 2009, Lecture Notes n Computer Scence. vol. 5594, pp ( Delerablée, C.: Identty-based broadcast encrypton wth constant sze cphertexts and prvate keys. In: ASIACRYPT 2007, Lecture Notes n Computer Scence. vol. 4833, pp ( Delerablée, C., Paller, P., Pontcheval, D.: Fully colluson secure dynamc broadcast encrypton wth constant-sze cphertexts or decrypton keys. In: Parng-Based Cryptography - Parng 2007, Lecture Notes n Computer Scence. vol. 4575, pp ( Dods, Y., Fazo, N.: Publc key broadcast encrypton for stateless recevers. In: Securty and Prvacy n Dgtal Rghts Management, ACM CCS-9 Workshop. vol. 2696, pp ( Dods, Y., Fazo, N.: Publc key trace and revoke scheme secure aganst adaptve chosen cphertext attack. In: Publc Key Cryptography PKC 2003, Lecture Notes n Computer Scence. vol. 2567, pp ( Fan, C., Huang, L., Ho, P.: Anonymous multrecever dentty-based encrypton. IEEE Trans. Computers 59(9, ( Fazo, N., Ncolos, A.R., Perera, I.M.: Broadcast steganography. In: CT-RSA 2014, Lecture Notes n Computer Scence. vol. 8366, pp ( Fazo, N., Perera, I.M.: Outsder-anonymous broadcast encrypton wth sublnear cphertexts. In: PKC 2012, Lecture Notes n Computer Scence. vol. 7293, pp ( Fat, A., Naor, M.: Broadcast encrypton. In: Advances n Cryptology-CRYPTO 1993, Lecture Notes n Computer Scence. vol. 773, pp ( Gentry, C., Waters, B.: Adaptve securty n broadcast encrypton systems (wth short cphertexts. In: EUROCRYPT 2005, Lecture Notes n Computer Scence. vol. 5479, pp ( Goodrch, M.T., Sun, J.Z., Tamassa, R.: Effcent tree-based revocaton n groups of lowstate devces. In: Advances n Cryptology CRYPTO 2004, Lecture Notes n Computer Scence. vol. 3152, pp ( Hur, J., Park, C., Hwang, S.: Prvacy-preservng dentty-based broadcast encrypton. Informaton Fuson 13(4, ( Kayas, A., Samar, K.: Lower bounds for prvate broadcast encrypton. In: Informaton Hdng, Lecture Notes n Computer Scence. vol. 7692, pp ( Lee, K., Koo, W.K., Lee, D.H., Park, J.H.: Publc-key revocaton and tracng schemes wth subset dfference methods revsted. In: Computer Securty - ESORICS 2014, Lecture Notes n Computer Scence. vol. 8713, pp ( Lewko, A., Saha, A., Waters, B.: Revocaton systems wth very small prvate keys. In: 2010 IEEE Symposum on Securty and Prvacy. pp ( Lbert, B., Paterson, K.G., Quagla, E.A.: Anonymous broadcast encrypton: Adaptve securty and effcent constructons n the standard model. In: Publc Key Cryptography-PKC 2012, Lecture Notes n Computer Scence. vol. 7293, pp (2012

18 23. Naor, D., Naor, M., Lotspech, J.: Revocaton and tracng schemes for stateless recevers. In: Advances n Cryptology CRYPTO 2001, Lecture Notes n Computer Scence. vol. 2139, pp ( Naor, M., Pnkas, B.: Effcent trace and revoke schemes. In: Fnancal Cryptography, Lecture Notes n Computer Scence. vol. 1962, pp ( Phan, D.H., Pontcheval, D., Shahandasht, S.F., Strefler, M.: Adaptve cca broadcast encrypton wth constant-sze secret and cphertexts. In: ACISP vol. 7372, pp ( Saka, R., Furukawa, J.: Identty-based broadcast encrypton. IACR Cryptology eprnt Archve 2007, 217 ( Xu, P., Jao, T., Wu, Q., Wang, W., Jn, H.: Condtonal dentty-based broadcast proxy reencrypton and ts applcaton to cloud emal. IEEE Transactons on Computers 65(1, ( Zhang, L., Wu, Q., Mu, Y.: Anonymous dentty-based broadcast encrypton wth adaptve securty. In: Cyberspace Safety and Securty - 5th Internatonal Symposum, CSS Lecture Notes n Computer Scence, vol. 8300, pp (2013