Improved Hidden Vector Encryption with Short Ciphertexts and Tokens

Kwangsu Lee, Dong Hoon Lee

Abstract

Hidden vector encryption (HVE) is a particular kind of predicate encryption that is an important cryptographic primitive with many applications, and it provides conjunctive equality, subset, and comparison queries on encrypted data. In predicate encryption, a ciphertext is associated with attributes and a token corresponds to a predicate. The token that corresponds to a predicate f can decrypt the ciphertext associated with attributes x if and only if f(x) = 1. Currently, several HVE schemes have been proposed in which the ciphertext size, the token size, and the decryption cost are all proportional to the number of attributes in the ciphertext. In this paper, we construct efficient HVE schemes where the token consists of just four group elements and decryption requires only four bilinear map computations, independent of the number of attributes in the ciphertext. We first construct an HVE scheme in composite order bilinear groups and prove its selective security under well-known assumptions. Next, we convert it to use prime order asymmetric bilinear groups where there are no efficiently computable isomorphisms between the two groups.

Keywords: Predicate encryption, Hidden vector encryption, Bilinear pairing.

1 Introduction

Public-key encryption is one of the most fundamental primitives in modern cryptography. In public-key encryption, a sender encrypts a message M under a public key PK, and only the receiver who holds the private key SK corresponding to PK can decrypt the ciphertext. This simple all-or-nothing semantics for decryption is sufficient for traditional secure communication systems. However, as the applications of public-key encryption become more varied, a more complex semantics for decryption is needed to specify the set of receivers.
For instance, suppose that ciphertexts associated with keywords are stored on a database server, and a user who has permission to read the ciphertexts associated with certain keywords wants to decrypt those ciphertexts. Predicate encryption provides this kind of complex semantics in public-key encryption. In predicate encryption, a ciphertext is associated with attributes and a token corresponds to a predicate. The token $TK_f$ that corresponds to a predicate f can decrypt the ciphertext CT that is associated with attributes x if and only if f(x) = 1. A ciphertext in predicate encryption hides not only the message M but also the attributes x. Currently, the expressiveness of predicates in predicate encryption is limited. The most expressive predicate encryption scheme is the one proposed by Katz, Sahai, and Waters in [19], and it supports inner product predicates.

This work was supported by the IT R&D program of MKE/IITA [KI002113, Development of Security Technology for Car-Healthcare]. Kwangsu Lee: Korea University, Korea, guspin@korea.ac.kr. Dong Hoon Lee: Korea University, Korea, donghlee@korea.ac.kr.

Table 1: Comparison between previous HVE schemes and ours

Scheme | Group Order | Ciphertext Size | Token Size | # of Pairings
BW-HVE [9] | pq | 2l|G| + O(1) | (2s + 1)|G| | 2s + 1
KSW-HVE [19] | pqr | 4l|G| + O(1) | (4l + 1)|G| | 4l + 1
SW-HVE [25] | pqr | l|G| + O(1) | (s + 3)|G| | s + 3
IP-HVE [18] | p | 2l|G| + O(1) | (2s)|G| | 2s
OT-HVE [20] | p | 2l|G| + O(1) | (2l + 3)|G| | 2l + 3
Ours | pqr | l|G| + O(1) | 4|G| | 4
Ours | p | l|G| + O(1) | 4|Ĝ| | 4

p, q, r = prime values, l = # of attributes in the ciphertext, s = # of attributes in the token.

Predicate encryption enables efficient data processing in cloud computing systems where users' data is stored on untrusted remote servers. In the case of traditional public-key encryption, a user encrypts messages and then uploads the ciphertexts to the remote servers. If the user needs information about the ciphertexts, then he has to download all the ciphertexts from the remote servers and decrypt them. Thus, this approach demands unnecessary data transfers and decryptions. In the case of predicate encryption, a user creates ciphertexts that are associated with related attributes x and then stores them on the remote servers. If the user wishes to acquire information about the ciphertexts, then he generates a token $TK_f$ that matches a predicate f and transfers the token to the remote server. Next, the remote server retrieves all the ciphertexts that satisfy f(x) = 1 by evaluating f(x) with the token $TK_f$, and then it returns the retrieved ciphertexts to the user. In this case, the remote server learns nothing except the boolean value of f(x).

Hidden vector encryption (HVE) is a particular kind of predicate encryption, and it was introduced by Boneh and Waters [9]. HVE supports the evaluation of conjunctive equality, comparison, and subset predicates on encrypted data.
For example, if a ciphertext is associated with a vector $x = (x_1, \ldots, x_l)$ of attributes and a token is associated with a vector $\sigma = (\sigma_1, \ldots, \sigma_l)$ of attributes, where each attribute lies in a set Σ, then it can evaluate predicates like $(x_i = \sigma_i)$, $(x_i \ge \sigma)$, and $(x_i \in A)$ where A is a subset of Σ. Additionally, it supports conjunctive combinations of these primitive predicates by extending the size of the ciphertexts. After the introduction of HVE based on composite order bilinear groups, several HVE schemes have been proposed in [19, 25, 18, 20]. Katz, Sahai, and Waters [19] proposed a predicate encryption scheme that supports inner product predicates, and they showed that it implies an HVE scheme. Shi and Waters [25] presented a delegatable HVE scheme that enables the delegation of a user's capabilities to others, and they showed that it implies an anonymous hierarchical identity-based encryption (HIBE) scheme. Iovino and Persiano [18] constructed an HVE scheme based on prime order bilinear groups, but the number of attributes in Σ is restricted compared to other HVE schemes. Okamoto and Takashima [20] proposed a hierarchical predicate encryption scheme for inner products under prime order bilinear groups, and it also implies an HVE scheme.

Previous research on HVE has mainly focused on improving the expressiveness of predicates or on providing additional properties such as delegation. To apply HVE schemes to real applications, it is important to construct an efficient HVE scheme. One can measure the efficiency of HVE in terms of the ciphertext size, the token size, and the number of pairing operations in decryption. Let l be the number of attributes in the ciphertext and s be the number of attributes in the token excluding the wild card attributes. Then the efficiency of previous HVE schemes is compared in Table 1. Theoretically, the number of group elements in a ciphertext should be proportional to the number of attributes in the ciphertext, so the minimum ciphertext size is $l|G| + O(1)$. However, the token size and the number of pairing operations in decryption can be constant, that is, independent of l. Therefore, constructing an HVE scheme with constant-size tokens and a constant number of pairing operations is an important problem to solve.

1.1 Our Contributions

In this paper, we propose HVE schemes that have constant-size tokens and a constant cost of pairing operations. Our first construction is based on composite order bilinear groups whose order is a product of three primes. The ciphertext consists of l + O(1) group elements, the token consists of four group elements, and decryption requires four pairing computations. Our second construction is based on prime order asymmetric bilinear groups where isomorphisms between the two groups are not efficiently computable. Though our construction in composite order bilinear groups is algebraically similar to the one by Shi and Waters in [25], we achieve constant-size tokens and constant decryption cost, in contrast to the construction of Shi and Waters. The main technique for our constructions is to use the same random value for every attribute in the token. In contrast, the construction of Shi and Waters used a different random value for each attribute. This technique is reminiscent of the one that enables the design of HIBE with constant-size ciphertexts in [10]. However, it is not easy to prove the security of HVE when the same random value is used in the token, since HVE must provide an additional security property, namely attribute hiding: the ciphertext does not reveal any information about the attributes.
1.2 Related Works

Predicate encryption in the public-key setting was presented by Boneh et al. [13]. They proposed a public-key encryption scheme with keyword search (PEKS) using Boneh and Franklin's identity-based encryption (IBE) scheme [5, 6], and their construction corresponds to the implementation of an equality predicate. Abdalla et al. [1] proved that anonymous IBE implies predicate encryption for an equality query, and they proposed the definition of anonymous HIBE by extending anonymous IBE. Several anonymous HIBE constructions were proposed in [8, 25, 23]. A predicate encryption scheme for a comparison query was constructed by Boneh et al. in [12, 7], and it can be used to construct a fully collusion resistant traitor tracing scheme. By extending comparison predicates, Shi et al. [26] considered multi-dimensional range predicates on encrypted data under a weaker security model. Research on predicate encryption was dramatically advanced by the introduction of HVE by Boneh and Waters [9]. An HVE scheme is a predicate encryption scheme for conjunctive equality, comparison, and subset predicates. After that, Shi and Waters [25] presented the definition of delegation in predicate encryption, and they proposed a delegatable HVE scheme. Iovino and Persiano [18] constructed an HVE scheme based on prime order bilinear groups with a restricted number of attributes. Katz, Sahai, and Waters [19] proposed the most expressive predicate encryption scheme, for inner product predicates, and they showed that it implies anonymous IBE, HVE, and predicate encryption for disjunctions, polynomials, CNF and DNF formulas, and threshold predicates. Okamoto and Takashima [20] constructed a hierarchical predicate encryption scheme for inner products under prime order bilinear groups using the notion of dual pairing vector spaces.

Predicate encryption in the symmetric setting was considered by Goldreich and Ostrovsky [16]. Song et al. [27] proposed an efficient scheme that supports an equality predicate. Shen, Shi, and Waters [24] introduced the formal definition of predicate privacy, and they presented a symmetric predicate encryption scheme with predicate privacy for inner product predicates using composite order bilinear groups. Blundo et al. [3] proposed a symmetric HVE scheme that provides weaker predicate privacy under prime order asymmetric bilinear groups.

Another research direction related to predicate encryption is identity-based encryption (IBE) [5, 6, 4, 10, 28, 29] and attribute-based encryption (ABE) [22, 17, 2, 21]. In IBE, a ciphertext is associated with an identity ID and a token is associated with a predicate $f_{ID'}$ for an identity ID'. If ID = ID', then we can decrypt the ciphertext using the token since $f_{ID'}(ID) = 1$. In ABE, a ciphertext is associated with a set S of attributes and a token is associated with a predicate $f_A$ where A is an access structure, that is, a subset of the superset of attributes. If $S \in A$, then we can decrypt the ciphertext using the token since $f_A(S) = 1$. Although IBE and ABE are analogous to predicate encryption, they do not provide the attribute hiding property of predicate encryption.

2 Background

We first define HVE and give the formal definition of its security model. We then give the necessary background on bilinear groups of composite order and our complexity assumptions.

2.1 Hidden Vector Encryption

Let Σ be a finite set of attributes and let $*$ be a special symbol not in Σ. Define $\Sigma_* = \Sigma \cup \{*\}$. The star $*$ plays the role of a wild card or "don't care" value. For a vector $\sigma = (\sigma_1, \ldots, \sigma_l) \in \Sigma_*^l$, we define a predicate $f_\sigma$ over $\Sigma^l$ as follows: for $x = (x_1, \ldots, x_l) \in \Sigma^l$, set $f_\sigma(x) = 1$ if $\forall i : (\sigma_i = x_i$ or $\sigma_i = *)$, and set $f_\sigma(x) = 0$ otherwise.

An HVE scheme consists of four algorithms (Setup, GenToken, Encrypt, Query). Formally it is defined as follows.

Setup($1^\lambda$). The setup algorithm takes as input a security parameter $1^\lambda$. It outputs a public key PK and a secret key SK.

GenToken(σ, SK, PK).
The token generation algorithm takes as input a vector $\sigma = (\sigma_1, \ldots, \sigma_l) \in \Sigma_*^l$ that corresponds to a predicate $f_\sigma$, the secret key SK, and the public key PK. It outputs a token $TK_\sigma$ for the vector σ.

Encrypt(x, M, PK). The encryption algorithm takes as input a vector $x = (x_1, \ldots, x_l) \in \Sigma^l$, a message $M \in \mathcal{M}$, and the public key PK. It outputs a ciphertext CT for x and M.

Query(CT, $TK_\sigma$, PK). The query algorithm takes as input a ciphertext CT, a token $TK_\sigma$ for a vector σ that corresponds to a predicate $f_\sigma$, and the public key PK. It outputs M if $f_\sigma(x) = 1$ and outputs $\bot$ otherwise.

The scheme should satisfy the following correctness property: for all $x \in \Sigma^l$, $M \in \mathcal{M}$, and $\sigma \in \Sigma_*^l$, let $(PK, SK) \leftarrow$ Setup($1^\lambda$), $CT \leftarrow$ Encrypt(x, M, PK), and $TK_\sigma \leftarrow$ GenToken(σ, SK, PK). If $f_\sigma(x) = 1$, then Query(CT, $TK_\sigma$, PK) = M. If $f_\sigma(x) = 0$, then Query(CT, $TK_\sigma$, PK) = $\bot$ with all but negligible probability.

We define the selective security model of HVE as the following game between a challenger C and an adversary A:

Init: A submits two vectors $x_0, x_1 \in \Sigma^l$.

Setup: C runs the setup algorithm and keeps the secret key SK to itself, then it gives the public key PK to A.

Query 1: A adaptively requests a polynomial number of tokens for vectors $\sigma_1, \ldots, \sigma_{q_1}$ that correspond to predicates $f_{\sigma_1}, \ldots, f_{\sigma_{q_1}}$, subject to the restriction that $f_{\sigma_i}(x_0) = f_{\sigma_i}(x_1)$ for all i. In response, C gives the corresponding tokens $TK_{\sigma_i}$ to A.

Challenge: A submits two messages $M_0, M_1$, subject to the restriction that if there is an index i such that $f_{\sigma_i}(x_0) = f_{\sigma_i}(x_1) = 1$ then $M_0 = M_1$. C chooses a random coin γ and gives a ciphertext CT of $(x_\gamma, M_\gamma)$ to A.

Query 2: A continues to request tokens for vectors $\sigma_{q_1+1}, \ldots, \sigma_q$ that correspond to predicates $f_{\sigma_{q_1+1}}, \ldots, f_{\sigma_q}$, subject to the two restrictions as before.

Guess: A outputs a guess γ'. If γ = γ', it outputs 0. Otherwise, it outputs 1.

The advantage of A is defined as $Adv^{HVE}_A = |\Pr[\gamma = \gamma'] - 1/2|$ where the probability is taken over the coin tosses made by A and C.

Definition 2.1. We say that an HVE scheme is selectively secure if all probabilistic polynomial-time adversaries have at most a negligible advantage in the above game.

2.2 Bilinear Groups of Composite Order

Composite order bilinear groups were first introduced in [11]. Let $n = pqr$ where p, q, and r are distinct prime numbers. Let G and $G_T$ be two multiplicative cyclic groups of composite order n and let g be a generator of G. The bilinear map $e : G \times G \to G_T$ has the following properties:

1. Bilinearity: $\forall u, v \in G$ and $\forall a, b \in Z_n$, $e(u^a, v^b) = e(u, v)^{ab}$.

2. Non-degeneracy: $\exists g$ such that $e(g, g) \neq 1$, that is, $e(g, g)$ is a generator of $G_T$.

We say that G is a bilinear group if the group operations in G and $G_T$ as well as the bilinear map e are all efficiently computable. Furthermore, we assume that the description of G and $G_T$ includes generators of G and $G_T$ respectively.
We use the notation $G_p, G_q, G_r$ to denote the subgroups of order p, q, r of G respectively. Similarly, we use the notation $G_{T,p}, G_{T,q}, G_{T,r}$ to denote the subgroups of order p, q, r of $G_T$ respectively.

2.3 Complexity Assumptions

We introduce three assumptions under composite order bilinear groups. The decisional composite bilinear Diffie-Hellman (cBDH) assumption was used to construct an HVE scheme in [9]. It is a natural extension of the decisional BDH assumption in [5] from prime order bilinear groups to composite order bilinear groups. The bilinear subgroup decision (BSD) assumption was introduced in [12] to construct a traitor tracing scheme. The decisional composite 3-party Diffie-Hellman (C3DH) assumption was used to construct an HVE scheme in [9].

Decisional composite Bilinear Diffie-Hellman (cBDH) Assumption. Let $(n, G, G_T, e)$ be a description of the bilinear group of composite order $n = pqr$. Let $g_p, g_q, g_r$ be generators of the subgroups of order p, q, r of G respectively. The decisional cBDH problem is stated as follows: given a challenge tuple $D = ((p, q, r, G, G_T, e), g_p, g_q, g_r, g_p^a, g_p^b, g_p^c)$ and T, decide whether $T = e(g_p, g_p)^{abc}$ or $T = R$, with random choices of $a, b, c \in Z_p$ and $R \in G_{T,p}$. The advantage of A in solving the decisional cBDH problem is defined as

$Adv^{cBDH}_A = \left| \Pr[A(D, T = e(g_p, g_p)^{abc}) = 1] - \Pr[A(D, T = R) = 1] \right|$

where the probability is taken over the random choices of D, T and the random bits used by A.

Definition 2.2. We say that the decisional cBDH assumption holds if no probabilistic polynomial-time algorithm has a non-negligible advantage in solving the decisional cBDH problem.

Bilinear Subgroup Decision (BSD) Assumption. Let $(n, G, G_T, e)$ be a description of the bilinear group of composite order $n = pqr$. Let $g_p, g_q, g_r$ be generators of the subgroups of order p, q, r of G respectively. The BSD problem is stated as follows: given a challenge tuple $D = ((n, G, G_T, e), g_p, g_q, g_r)$ and T, decide whether $T = Q \in G_{T,p}$ or $T = R \in G_T$, with random choices of $Q \in G_{T,p}$ and $R \in G_T$. The advantage of A in solving the BSD problem is defined as

$Adv^{BSD}_A = \left| \Pr[A(D, T = Q) = 1] - \Pr[A(D, T = R) = 1] \right|$

where the probability is taken over the random choices of D, T and the random bits used by A.

Definition 2.3. We say that the BSD assumption holds if no probabilistic polynomial-time algorithm has a non-negligible advantage in solving the BSD problem.

Decisional Composite 3-party Diffie-Hellman (C3DH) Assumption. Let $(n, G, G_T, e)$ be a description of the bilinear group of composite order $n = pqr$. Let $g_p, g_q, g_r$ be generators of the subgroups of order p, q, r of G respectively.
The decisional C3DH problem is stated as follows: given a challenge tuple $D = ((n, G, G_T, e), g_p, g_q, g_r, g_p^a, g_p^b, g_p^{ab} R_1, g_p^{abc} R_2)$ and T, decide whether $T = g_p^c R_3$ or $T = R$, with random choices of $R_1, R_2, R_3 \in G_q$ and $R \in G_{pq}$. The advantage of A in solving the decisional C3DH problem is defined as

$Adv^{C3DH}_A = \left| \Pr[A(D, T = g_p^c R_3) = 1] - \Pr[A(D, T = R) = 1] \right|$

where the probability is taken over the random choices of D, T and the random bits used by A.

Definition 2.4. We say that the decisional C3DH assumption holds if no probabilistic polynomial-time algorithm has a non-negligible advantage in solving the decisional C3DH problem.

3 Main Construction

In this section, we construct an HVE scheme based on composite order bilinear groups and prove its security under the decisional cBDH, BSD, and decisional C3DH assumptions. Our construction has a similar algebraic structure to the construction of Shi and Waters [25], but ours has constant-size tokens and a constant number of pairing operations.

3.1 Description

Let $\Sigma = Z_m$ for some integer m and set $\Sigma_* = Z_m \cup \{*\}$. Our scheme is described as follows.

Setup($1^\lambda$): The setup algorithm first generates the bilinear group G of composite order $n = pqr$ where p, q and r are random primes of bit size Θ(λ) and $p, q, r > m$. Next, it chooses random elements $v, w_1, w_2 \in G_p$, $(u_1, h_1), \ldots, (u_l, h_l) \in G_p^2$, and exponents $\alpha, \beta \in Z_p$. It keeps these as the secret key SK. Then it chooses random elements $R_v, R_{w,1}, R_{w,2} \in G_q$ and $(R_{u,1}, R_{h,1}), \ldots, (R_{u,l}, R_{h,l}) \in G_q^2$, and it publishes a public key PK, together with the description of the bilinear group G, as follows:

$PK = \big( V = v R_v,\ W_1 = w_1 R_{w,1},\ W_2 = w_2 R_{w,2},\ \{(U_i = u_i R_{u,i},\ H_i = h_i R_{h,i})\}_{i=1}^{l},\ g_q,\ g_r,\ \Omega = e(v, g_p)^{\alpha\beta} \big)$.

GenToken(σ, SK, PK): The token generation algorithm takes as input a vector $\sigma = (\sigma_1, \ldots, \sigma_l) \in \Sigma_*^l$ and the secret key SK. It first selects random exponents $r_1, r_2, r_3 \in Z_p$ and random elements $Y_0, Y_1, Y_2, Y_3 \in G_r$ by raising $g_r$ to random exponents in $Z_n$. Let S be the set of indexes that are not wild card positions in the vector σ. Then it outputs a token as

$TK_\sigma = \big( K_0 = g_p^{\alpha\beta}\, w_1^{r_1}\, w_2^{r_2} \big(\prod_{i \in S} u_i^{\sigma_i} h_i\big)^{r_3} Y_0,\ K_1 = v^{r_1} Y_1,\ K_2 = v^{r_2} Y_2,\ K_3 = v^{r_3} Y_3 \big)$.

Encrypt(x, M, PK): The encryption algorithm takes as input a vector $x = (x_1, \ldots, x_l) \in \Sigma^l$, a message $M \in \mathcal{M} \subseteq G_T$, and the public key PK. It first chooses a random exponent $t \in Z_n$ and random elements $Z_0, Z_1, Z_2, Z_{3,1}, \ldots, Z_{3,l} \in G_q$ by raising $g_q$ to random exponents in $Z_n$. Next, it outputs a ciphertext as

$CT = \big( C = \Omega^t M,\ C_0 = V^t Z_0,\ C_1 = W_1^t Z_1,\ C_2 = W_2^t Z_2,\ \{C_{3,i} = (U_i^{x_i} H_i)^t Z_{3,i}\}_{i=1}^{l} \big)$.

Query(CT, $TK_\sigma$, PK): The query algorithm takes as input a ciphertext CT and a token $TK_\sigma$ for a vector σ.
It first computes

$M \leftarrow C \cdot e(C_0, K_0)^{-1} \cdot e(C_1, K_1) \cdot e(C_2, K_2) \cdot e\big(\prod_{i \in S} C_{3,i},\ K_3\big)$.

If $M \notin \mathcal{M}$, it outputs $\bot$, indicating that the predicate $f_\sigma$ is not satisfied. Otherwise, it outputs M, indicating that the predicate $f_\sigma$ is satisfied.

Remark 3.1. In our construction, we limited the finite set Σ of attributes to $Z_m$. If we use a collision-resistant hash function, then we can easily expand this space to all of $\{0,1\}^*$ when m is large enough to contain the range of the hash function.

3.2 Correctness

If $f_\sigma(x) = 1$, then the following simple calculation shows that Query(CT, $TK_\sigma$, PK) = M:

$e(C_0, K_0)^{-1} \cdot e(C_1, K_1) \cdot e(C_2, K_2) \cdot e\big(\prod_{i \in S} C_{3,i}, K_3\big)$
$= e\big(v^t,\ g_p^{\alpha\beta} w_1^{r_1} w_2^{r_2} (\prod_{i \in S} u_i^{\sigma_i} h_i)^{r_3}\big)^{-1} \cdot e(w_1^t, v^{r_1}) \cdot e(w_2^t, v^{r_2}) \cdot e\big(\prod_{i \in S} (u_i^{x_i} h_i)^t,\ v^{r_3}\big)$
$= e(v^t, g_p^{\alpha\beta})^{-1} \cdot e\big(\prod_{i \in S} (u_i^{-\sigma_i + x_i})^{r_3},\ v^t\big)$
$= e(v^t, g_p^{\alpha\beta})^{-1}$,

and multiplying by $C = \Omega^t M = e(v, g_p)^{\alpha\beta t} M$ leaves M. Otherwise, that is, if $f_\sigma(x) = 0$, then we can use Lemma 5.2 in [9] to show that the probability that Query(CT, $TK_\sigma$, PK) does not output $\bot$ is negligible, by limiting the size of $\mathcal{M}$ to less than |G_T|^{1/ } (the exponent does not survive on the page).

3.3 Security

Theorem 3.2. The above HVE construction is selectively secure under the decisional cBDH assumption, the BSD assumption, and the decisional C3DH assumption.

Proof. Suppose there exists an adversary that distinguishes the challenge in the original selective security game. The adversary commits to two vectors $x_0 = (x_{0,1}, \ldots, x_{0,l})$ and $x_1 = (x_{1,1}, \ldots, x_{1,l}) \in \Sigma^l$ at the beginning of the game. Let X be the set of indexes i such that $x_{0,i} = x_{1,i}$ and $\bar{X}$ be the set of indexes i such that $x_{0,i} \neq x_{1,i}$. The proof uses a sequence of four games to argue that the adversary cannot win the original security game. Each individual game is described as follows.

Game 0. This game is the original selective security game defined in Section 2.1.

Game 1. We first modify Game 0 slightly into a new game Game 1. Game 1 is almost identical to Game 0 except in the way the challenge ciphertext elements are generated. In Game 1, if $M_0 \neq M_1$, then the simulator generates the challenge ciphertext element C by multiplying by a random element in $G_T$, and it generates the rest of the ciphertext elements as usual. If $M_0 = M_1$, then the challenge ciphertext is generated correctly.

Game 2. Next, we modify Game 1 into a new game Game 2. Game 2 is almost identical to Game 1 except in the way the tokens are generated. Let S be the set of indexes that are not wild card positions of the token query vector σ. Then any token query by the adversary must fall into one of the following two cases:

Type 1: $f_\sigma(x_0) = f_\sigma(x_1) = 1$.
In this case, $S \cap \bar{X} = \emptyset$ and $\sigma_j = x_{0,j} = x_{1,j}$ for every index $j \in S \cap X$.

Type 2: $f_\sigma(x_0) = f_\sigma(x_1) = 0$. In this case, there exists an index $j \in S$ such that $\sigma_j \neq x_{\gamma,j}$ for all $\gamma \in \{0, 1\}$.

In Game 2, if the adversary requests a Type 1 token query, then the simulator chooses the two exponents $r_1$ and $r_2$ not independently at random, but in a correlated way as $r_1 = \pi r_2$ for a fixed value π. The simulator can use this correlation to simulate this game. However, the adversary cannot detect this correlation because of the random blinding elements in $G_r$ in the token.

Game 3. We modify Game 2 into a game Game 3. Game 2 and Game 3 are identical except in the challenge ciphertext. In Game 3, the simulator creates the ciphertext components $C_1, C_2$ according to the following distribution:

$C_1 = W_1^t\, g_p^{\rho}\, Z_1,\qquad C_2 = W_2^t\, g_p^{\rho\pi}\, Z_2$,

where ρ is a random value in $Z_p$ and π is the fixed value in $Z_p$ from Game 2, which is hidden from the adversary.

Game 4. We now define a new game Game 4. Game 4 differs from Game 3 in that for all $i \in \bar{X}$, the ciphertext component $C_{3,i}$ is replaced by a random element from $G_{pq}$. Note that in Game 4 the ciphertext gives no information about the vector $x_\gamma$ or the message $M_\gamma$ encrypted. Therefore, the adversary can win Game 4 with probability at most 1/2.

Through the following four lemmas, we prove that it is hard to distinguish Game i−1 from Game i under the given assumptions. Thus, the proof follows from the four lemmas. This completes our proof.

Lemma 3.3. If the decisional cBDH assumption and the BSD assumption hold, then no polynomial-time adversary can distinguish between Game 0 and Game 1 with a non-negligible advantage.

Proof. For this lemma, we additionally define a sequence of games Game 0,0, Game 0,1, and Game 0,2 where Game 0,0 = Game 0. Game 0,1 and Game 0,2 are almost identical to Game 0,0 except in the way the challenge ciphertext is generated. In Game 0,1, if $M_0 \neq M_1$, then the simulator generates the challenge ciphertext element C by multiplying by a random element in $G_{T,p}$, and it generates the rest of the ciphertext elements as usual. If $M_0 = M_1$, then the challenge ciphertext is generated correctly. In Game 0,2, if $M_0 \neq M_1$, then the simulator generates the challenge ciphertext element C as a random element from $G_T$ instead of $G_{T,p}$, and it generates the rest of the ciphertext elements as usual. If $M_0 = M_1$, then the challenge ciphertext is generated correctly. It is not hard to see that Game 0,2 is identical to Game 1.

Suppose there exists an adversary A that distinguishes between Game 0,0 and Game 0,1 with a non-negligible advantage. A simulator B that solves the decisional cBDH problem using A is given a challenge tuple $D = ((p, q, r, G, G_T, e), g_p, g_q, g_r, g_p^a, g_p^b, g_p^c)$ and T where $T = e(g_p, g_p)^{abc}$ or $T = R \in G_{T,p}$. B interacts with A as follows.
Init: A gives two vectors $x_0 = (x_{0,1}, \ldots, x_{0,l})$, $x_1 = (x_{1,1}, \ldots, x_{1,l}) \in \Sigma^l$. B then flips a random coin γ internally.

Setup: B first chooses random elements $R_v, R_{w,1}, R_{w,2} \in G_q$, $(R_{u,1}, R_{h,1}), \ldots, (R_{u,l}, R_{h,l}) \in G_q^2$, and random exponents $v', w'_1, w'_2 \in Z_n$, $(u'_1, h'_1), \ldots, (u'_l, h'_l) \in Z_n^2$. Next, it publishes the group description $(n, G, G_T, e)$ and a public key as

$V = g_p^{v'} R_v,\ W_1 = g_p^{w'_1} R_{w,1},\ W_2 = g_p^{w'_2} R_{w,2},\ \{(U_i = (g_p^a)^{u'_i} R_{u,i},\ H_i = g_p^{h'_i} (g_p^a)^{-u'_i x_{\gamma,i}} R_{h,i})\},\ g_q,\ g_r,\ \Omega = e(g_p^a, g_p^b)^{v'}$.

Query 1: A adaptively requests a token for a vector $\sigma = (\sigma_1, \ldots, \sigma_l) \in \Sigma_*^l$ from B. Let S be the set of indexes that are not wild card positions.

Type 1: If A requests a Type 1 query, then B simply aborts and takes a random guess. The reason is that, by our definition, if a Type 1 query is made then the challenge messages $M_0, M_1$ must be equal. However, in this case the games Game 0 and Game 1 are identical, so there can be no difference in the adversary's advantage.

Type 2: If A requests a Type 2 query, then there exists an index $j \in S$ such that $\sigma_j \neq x_{\gamma,j}$. Let $\Delta = \sum_{i \in S} u'_i(\sigma_i - x_{\gamma,i}) \in Z_p$. Note that $\Delta \neq 0$ except with negligible probability. If $\Delta \neq 0$, then B chooses random exponents $r'_1, r'_2, r'_3 \in Z_p$ and random elements $Y_0, Y_1, Y_2, Y_3 \in G_r$. Next, it creates a token as

$K_0 = g_p^{w'_1 r'_1}\, g_p^{w'_2 r'_2}\, (g_p^b)^{-\sum_{i \in S} h'_i / \Delta} \Big(\prod_{i \in S} (g_p^a)^{u'_i(\sigma_i - x_{\gamma,i})} g_p^{h'_i}\Big)^{r'_3} Y_0,\quad K_1 = g_p^{v' r'_1} Y_1,\quad K_2 = g_p^{v' r'_2} Y_2,\quad K_3 = g_p^{v' r'_3} (g_p^b)^{-v'/\Delta} Y_3$.

Note that B can compute $\Delta^{-1}$ since it knows Δ. To show that the above token has the same distribution as in the real scheme, we define the randomness of the token as $r_1 = r'_1 \bmod p$, $r_2 = r'_2 \bmod p$, $r_3 = r'_3 - b/\Delta \bmod p$. It is obvious that $r_1, r_2, r_3$ are all uniformly distributed if $r'_1, r'_2, r'_3$ are chosen independently at random. The following calculation shows that the above token is distributed exactly as a token in the real scheme:

$K_0 = g_p^{ab}\, w_1^{r_1} w_2^{r_2} \Big(\prod_{i \in S} (g_p^a)^{u'_i(\sigma_i - x_{\gamma,i})} g_p^{h'_i}\Big)^{r'_3 - b/\Delta} Y_0$
$= g_p^{ab}\, w_1^{r_1} w_2^{r_2}\, g_p^{-ab}\, (g_p^b)^{-\sum_{i \in S} h'_i / \Delta} \Big(\prod_{i \in S} (g_p^a)^{u'_i(\sigma_i - x_{\gamma,i})} g_p^{h'_i}\Big)^{r'_3} Y_0$.

Challenge: A gives two messages $M_0, M_1$ to B. If $M_0 = M_1$, then B aborts and takes a random guess. Otherwise, it chooses random elements $Z_0, Z_1, Z_2, Z_{3,1}, \ldots, Z_{3,l} \in G_q$ and outputs a challenge ciphertext as

$C = T^{v'} M_\gamma,\ C_0 = (g_p^c)^{v'} Z_0,\ C_1 = (g_p^c)^{w'_1} Z_1,\ C_2 = (g_p^c)^{w'_2} Z_2,\ \forall i : C_{3,i} = (g_p^c)^{h'_i} Z_{3,i}$.

If T is a valid cBDH tuple, then B is playing Game 0,0. Otherwise, it is playing Game 0,1.

Query 2: Same as Query Phase 1.

Guess: A outputs a guess γ'. If γ = γ', B outputs 0. Otherwise, it outputs 1.

Suppose there exists an adversary A that distinguishes between Game 0,1 and Game 0,2 with a non-negligible advantage. A simulator B that solves the BSD problem using A is given a tuple $D = ((n, G, G_T, e), g_p, g_q, g_r)$ and T where $T = Q \in G_{T,p}$ or $T = R \in G_T$. B interacts with A as follows.

Init: A gives two vectors $x_0, x_1 \in \Sigma^l$. B then flips a random coin γ internally.

Setup: B sets up the public key as in the real setup algorithm using $g_p, g_q, g_r$ from the assumption.

Query 1: B answers token queries by running the real token generation algorithm, except that it chooses random exponents from $Z_n$ instead of $Z_p$.
However, this does not affect the simulation, since the exponents are applied to elements of $G_p$ and are therefore uniform modulo p.

Challenge: A gives two messages $M_0, M_1$ to B. If $M_0 = M_1$, then B encrypts the message under the vector $x_\gamma$ as usual. Otherwise, it creates the challenge ciphertext of message $M_\gamma$ under $x_\gamma$ as usual, except that C is multiplied by T. If $T \in G_{T,p}$, then B is playing Game 0,1. Otherwise, it is playing Game 0,2.

Query 2: Same as Query Phase 1.

Guess: A outputs a guess γ'. If γ = γ', B outputs 0. Otherwise, it outputs 1.

This completes our proof.

Lemma 3.4. If the decisional C3DH assumption holds, then no polynomial-time adversary can distinguish between Game 1 and Game 2 with a non-negligible advantage.

Proof. Let $q_1$ denote the maximum number of Type 1 queries made by the adversary. We define a sequence of games Game 1,0, Game 1,1, ..., Game 1,$q_1$ where Game 1,0 = Game 1. In Game 1,i, for every k-th Type 1 query with k > i, the simulator creates the token as usual using three independent random exponents $r_1, r_2, r_3 \in Z_n$. However, for every k-th Type 1 query with k ≤ i, the simulator creates the token components using the correlated random exponents $r_1 = \pi r_2$ for a fixed value π. It is obvious that Game 1,$q_1$ is equal to Game 2.

Before proving this lemma, we introduce the decisional Composite 2-party Diffie-Hellman (C2DH) assumption as follows. Let $(n, G, G_T, e)$ be a description of the bilinear group of composite order $n = pqr$. Let $g_p, g_q, g_r$ be generators of the subgroups of order p, q, r of G respectively. The decisional C2DH problem is stated as follows: given a challenge tuple $D = ((n, G, G_T, e), g_p, g_q, g_r, g_p^a R_1, g_p^b R_2)$ and T, decide whether $T = g_p^{ab} R_3$ or $T = R$, with random choices of $R_1, R_2, R_3 \in G_q$ and $R \in G_{pq}$. It is easy to show that if there exists an adversary that breaks the decisional C2DH assumption, then it can break the decisional C3DH assumption.

Suppose there exists an adversary A that distinguishes between Game 1,d−1 and Game 1,d with a non-negligible advantage. A simulator B that solves the decisional C2DH problem using A is given a challenge tuple $D = ((n, G, G_T, e), g_p, g_q, g_r, g_p^a Y_1, g_p^b Y_2)$ and T where $T = g_p^{ab} Y_3$ or $T = R$, with random choices of $Y_1, Y_2, Y_3 \in G_r$ and $R \in G_{pr}$. B interacts with A as follows.

Init: A gives two vectors $x_0, x_1 \in \Sigma^l$. B then flips a random coin γ internally.
Setup: B first chooses random exponents $v', w'_1, w'_2, \alpha, \beta \in Z_n$, $(u'_1, h'_1), \ldots, (u'_l, h'_l) \in Z_n^2$, then it sets $v = g_p^{v'}$, $w_1 = g_p^{w'_1}$, $w_2 = g_p^{w'_2}$, $u_i = g_p^{u'_i}$, $h_i = g_p^{h'_i}$. Next, it chooses random elements $R_v, R_{w,1}, R_{w,2} \in G_q$, $(R_{u,1}, R_{h,1}), \ldots, (R_{u,l}, R_{h,l}) \in G_q^2$, and it publishes the group description and a public key as

$V = v R_v,\ W_1 = w_1 R_{w,1},\ W_2 = w_2 R_{w,2},\ \{(U_i = u_i R_{u,i},\ H_i = h_i R_{h,i})\},\ g_q,\ g_r,\ \Omega = e(v, g_p)^{\alpha\beta}$.

Query 1: A adaptively requests a token for a vector $\sigma = (\sigma_1, \ldots, \sigma_l) \in \Sigma_*^l$ from B. Let S be the set of indexes that are not wild card positions.

Type 1: Let k be the index of the Type 1 query. If A requests a Type 1 query, then B chooses random exponents $r_1, r_2, r_3 \in Z_n$ and random elements $Y_0, Y_1, Y_2, Y_3 \in G_r$. Next, it creates a token depending on the value of k as follows:

k < d: $K_0 = g_p^{\alpha\beta} (g_p^a Y_1)^{w'_1 r_2}\, w_2^{r_2} \big(\prod_{i \in S} u_i^{\sigma_i} h_i\big)^{r_3} Y_0,\ K_1 = (g_p^a Y_1)^{v' r_2} Y_1,\ K_2 = v^{r_2} Y_2,\ K_3 = v^{r_3} Y_3$;

k = d: $K_0 = g_p^{\alpha\beta}\, T^{w'_1} (g_p^b Y_2)^{w'_2} \big(\prod_{i \in S} u_i^{\sigma_i} h_i\big)^{r_3} Y_0,\ K_1 = T^{v'} Y_1,\ K_2 = (g_p^b Y_2)^{v'} Y_2,\ K_3 = v^{r_3} Y_3$;

k > d: $K_0 = g_p^{\alpha\beta}\, w_1^{r_1} w_2^{r_2} \big(\prod_{i \in S} u_i^{\sigma_i} h_i\big)^{r_3} Y_0,\ K_1 = v^{r_1} Y_1,\ K_2 = v^{r_2} Y_2,\ K_3 = v^{r_3} Y_3$.

If T is not a valid C2DH tuple, then B is playing Game 1,d−1. Otherwise, it is playing Game 1,d, since

$K_0 = g_p^{\alpha\beta} (g_p^{ab} Y_3)^{w'_1} (g_p^b Y_2)^{w'_2} \big(\prod_{i \in S} u_i^{\sigma_i} h_i\big)^{r_3} Y_0 = g_p^{\alpha\beta}\, w_1^{ab} w_2^{b} \big(\prod_{i \in S} u_i^{\sigma_i} h_i\big)^{r_3} \tilde{Y}_0 = g_p^{\alpha\beta}\, w_1^{\pi r_2} w_2^{r_2} \big(\prod_{i \in S} u_i^{\sigma_i} h_i\big)^{r_3} \tilde{Y}_0$,
$K_1 = (g_p^{ab} Y_3)^{v'} Y_1 = v^{ab} \tilde{Y}_1 = v^{\pi r_2} \tilde{Y}_1,\qquad K_2 = (g_p^b Y_2)^{v'} Y_2 = v^{b} \tilde{Y}_2 = v^{r_2} \tilde{Y}_2$,

where π = a and $r_2 = b$.

Type 2: If A requests a Type 2 query, then B creates the token as in the real token generation algorithm, since it knows all the values needed.

Challenge: A gives two messages $M_0, M_1$ to B. B creates the ciphertext for $M_\gamma$ and $x_\gamma$ as in the real encryption algorithm by choosing a random exponent $t \in Z_n$ and random elements in $G_q$.

Query 2: Same as Query Phase 1.

Guess: A outputs a guess γ'. If γ = γ', B outputs 0. Otherwise, it outputs 1.

This completes our proof.

Lemma 3.5. If the decisional C3DH assumption holds, then no polynomial-time adversary can distinguish between Game 2 and Game 3 with a non-negligible advantage.

Proof. Suppose there exists an adversary A that distinguishes between Game 2 and Game 3 with a non-negligible advantage. A simulator B that solves the decisional C3DH problem using A is given a challenge tuple $D = ((n, G, G_T, e), g_p, g_q, g_r, g_p^a, g_p^b, g_p^{ab} R_1, g_p^{abc} R_2)$ and T where $T = g_p^c R_3$ or $T = g_p^d R_3$ for a random exponent $d \in Z_p$. B interacts with A as follows.

Init: A gives two vectors $x_0 = (x_{0,1}, \ldots, x_{0,l})$, $x_1 = (x_{1,1}, \ldots, x_{1,l}) \in \Sigma^l$. B then flips a random coin γ internally.
Setup: $\mathcal{B}$ first chooses random exponents $w_1, w_2, \alpha, \beta \in \mathbb{Z}_n$, $(u_1,h_1),\ldots,(u_l,h_l) \in \mathbb{Z}_n^2$, and random elements $R_v, R_{w,1}, R_{w,2} \in \mathbb{G}_q$, $(R_{u,1},R_{h,1}),\ldots,(R_{u,l},R_{h,l}) \in \mathbb{G}_q^2$. Next, it publishes a public key as
$$V = (g^{ab} R_1) R_v,\quad W_1 = (g^{ab} R_1 \cdot g)^{w_1} R_{w,1},\quad W_2 = g^{w_2} R_{w,2},\quad \big\{U_i = (g^{b})^{u_i} R_{u,i},\ H_i = (g^{b})^{-u_i x_{\gamma,i}} (g^{ab} R_1)^{h_i} R_{h,i}\big\}_{1 \le i \le l},\quad g_q,\ g_r,\quad \Omega = e(g^{ab} R_1, g)^{\alpha\beta}.$$
That is, $\mathcal{B}$ implicitly sets $v = g^{ab}$, $w_1 = g^{(ab+1) w_1}$, $u_i = g^{b u_i}$ and $h_i = g^{ab h_i - b u_i x_{\gamma,i}}$, so that the $\mathbb{G}_p$ part of $U_i^{\sigma_i} H_i$ is $g^{b u_i (\sigma_i - x_{\gamma,i}) + ab h_i}$.

Query 1: $\mathcal{A}$ adaptively requests a token for a vector $\sigma = (\sigma_1,\ldots,\sigma_l) \in \Sigma_*^l$ from $\mathcal{B}$. Let $S$ be the set of indexes that are not wildcard positions.

Type 1: If $\mathcal{A}$ requests a Type 1 query (so $\sigma_i = x_{\gamma,i}$ for all $i \in S$), then $\mathcal{B}$ chooses random exponents $r_1', r_3' \in \mathbb{Z}_n$ and random elements $Y_0, Y_1, Y_2, Y_3 \in \mathbb{G}_r$. Next, it creates a token as
$$K_0 = g^{\alpha\beta} (g^a)^{w_1 w_2 r_1'}\, g^{\sum_{i \in S} h_i r_3'}\, Y_0,\quad K_1 = (g^a)^{w_2 r_1'} Y_1,\quad K_2 = (g^a)^{-w_1 r_1'} Y_2,\quad K_3 = g^{r_3'} Y_3.$$
To show that the above token is the same as the token in $\mathbf{Game}_3$, we define the randomness of the token as $r_1 = w_2 r_1'/b$, $r_2 = -w_1 r_1'/b$, $r_3 = r_3'/(ab) \pmod p$. The two random values $r_1$ and $r_2$ are then correlated as $r_1 = \pi r_2$ with $\pi = -w_2/w_1$, the same $\pi$ for every Type 1 query. The distribution of the above token is correct since
$$K_0 = g^{\alpha\beta} \big(g^{(ab+1) w_1}\big)^{w_2 r_1'/b} \big(g^{w_2}\big)^{-w_1 r_1'/b} \Big(g^{\sum_{i \in S} (b u_i (\sigma_i - x_{\gamma,i}) + ab h_i)}\Big)^{r_3'/(ab)} Y_0 = g^{\alpha\beta}\, g^{a w_1 w_2 r_1'}\, g^{\sum_{i \in S} h_i r_3'}\, Y_0,$$
where the term $w_1 w_2 r_1'/b$ cancels against $w_2 r_2$ and $\sigma_i - x_{\gamma,i} = 0$ for all $i \in S$.

Type 2: If $\mathcal{A}$ requests a Type 2 query, then there exists an index $j \in S$ such that $\sigma_j \ne x_{\gamma,j}$. Let $\Delta = \sum_{i \in S} u_i (\sigma_i - x_{\gamma,i}) \in \mathbb{Z}_p$. Note that $\Delta \ne 0$ except with negligible probability. $\mathcal{B}$ first chooses random exponents $r_1', r_2', r_3' \in \mathbb{Z}_n$ and random elements $Y_0, Y_1, Y_2, Y_3 \in \mathbb{G}_r$, then it creates a token as
$$K_0 = g^{\alpha\beta} (g^a)^{w_1 w_2 r_1'}\, g^{\Delta w_2 r_3'}\, (g^a)^{\sum_{i \in S} h_i w_2 r_3'}\, g^{\sum_{i \in S} h_i w_2 r_2'}\, Y_0,\quad K_1 = (g^a)^{w_2 r_1'} Y_1,\quad K_2 = (g^a)^{-w_1 r_1'} (g^b)^{-\Delta r_2'} Y_2,\quad K_3 = (g^a)^{w_2 r_3'} g^{w_2 r_2'} Y_3.$$
To show that the above token is the same as the token in $\mathbf{Game}_3$, we define the randomness of the token as $r_1 = w_2 r_1'/b$, $r_2 = -w_1 r_1'/b - \Delta r_2'/a$, $r_3 = w_2 r_3'/b + w_2 r_2'/(ab) \pmod p$. It is not hard to see that $r_1, r_2, r_3$ are independent random values since $\Delta \ne 0$ except with negligible probability. The distribution of the above token is correct since
$$K_0 = g^{\alpha\beta} \big(g^{(ab+1) w_1}\big)^{w_2 r_1'/b} \big(g^{w_2}\big)^{-w_1 r_1'/b - \Delta r_2'/a} \Big(g^{b \Delta + ab \sum_{i \in S} h_i}\Big)^{w_2 r_3'/b + w_2 r_2'/(ab)} Y_0 = g^{\alpha\beta}\, g^{a w_1 w_2 r_1'}\, g^{\Delta w_2 r_3'}\, g^{\sum_{i \in S} (a h_i w_2 r_3' + h_i w_2 r_2')}\, Y_0,$$
and $K_1 = v^{r_1}$, $K_2 = v^{r_2}$, $K_3 = v^{r_3}$ with $v = g^{ab}$.

Challenge: $\mathcal{A}$ gives two messages $M_0, M_1$ to $\mathcal{B}$. If $M_0 = M_1$, then $\mathcal{B}$ computes $C = e(g^{abc} R_2, g)^{\alpha\beta} M_\gamma$. Otherwise, it chooses a random element of $\mathbb{G}_T$ for $C$. Next, it chooses random elements $Z_0, Z_1, Z_2, Z_{3,1},\ldots,Z_{3,l} \in \mathbb{G}_q$ and outputs a challenge ciphertext as
$$C_0 = (g^{abc} R_2) Z_0,\quad C_1 = (g^{abc} R_2 \cdot T)^{w_1} Z_1,\quad C_2 = T^{w_2} Z_2,\quad \forall i:\ C_{3,i} = (g^{abc} R_2)^{h_i} Z_{3,i}.$$

If $T$ is a valid C3DH tuple ($T = g^c R_3$), then $\mathcal{B}$ is playing $\mathbf{Game}_2$ with $t = c$. Otherwise ($T = g^d R_3$), it is playing $\mathbf{Game}_3$, since
$$C_1 = (g^{abc} R_2 \cdot g^{d} R_3)^{w_1} Z_1 = (g^{abc} g^{c} \cdot g^{-c} g^{d})^{w_1} Z_1' = (g^{abc} g^{c})^{w_1} g^{(d-c) w_1} Z_1' = W_1^{c}\, g^{\rho}\, Z_1',$$
$$C_2 = (g^{d} R_3)^{w_2} Z_2 = g^{(\rho/w_1 + c) w_2} Z_2' = g^{c w_2}\, g^{\rho w_2/w_1}\, Z_2' = W_2^{c}\, g^{-\rho\pi}\, Z_2',$$
where $\rho = (d - c) w_1$ is uniformly random, $\pi = -w_2/w_1$ is the same value that correlates the Type 1 tokens, and $Z_1', Z_2'$ are the (uniformly random) $\mathbb{G}_q$ parts.

Query 2: Same as Query Phase 1.

Guess: $\mathcal{A}$ outputs a guess $\gamma'$. If $\gamma = \gamma'$, $\mathcal{B}$ outputs 0. Otherwise, it outputs 1. This completes our proof.

Lemma 3.6. If the decisional C3DH assumption holds, then no polynomial-time adversary can distinguish between $\mathbf{Game}_3$ and $\mathbf{Game}_4$ with a non-negligible advantage.

Proof. Let $X$ denote the set of indexes $i$ where the two committed vectors $x_0, x_1$ differ. We define a sequence of games $\mathbf{Game}_{3,0}, \mathbf{Game}_{3,1}, \ldots, \mathbf{Game}_{3,|X|}$ where $\mathbf{Game}_{3,0} = \mathbf{Game}_3$. Let $X_i \subseteq X$ denote the set of the first $i$ indexes in $X$. In $\mathbf{Game}_{3,i}$, the simulator creates the ciphertext elements $C, C_0$, and $C_{3,j}$ normally for all $j \notin X_i$. For all $j \in X_i$, the simulator replaces $C_{3,j}$ with a random element of $\mathbb{G}$. For $C_1, C_2$, the simulator creates the following ciphertext elements as in $\mathbf{Game}_4$:
$$C_1 = W_1^{t} g^{\rho} Z_1,\qquad C_2 = W_2^{t} g^{-\rho\pi} Z_2,$$
where $\rho$ is a random element of $\mathbb{Z}_p$. It is not hard to see that $\mathbf{Game}_{3,|X|} = \mathbf{Game}_4$.

Suppose there exists an adversary $\mathcal{A}$ that distinguishes between $\mathbf{Game}_{3,d-1}$ and $\mathbf{Game}_{3,d}$ with a non-negligible advantage (we abuse notation and also write $d$ for the index in $X_d \setminus X_{d-1}$). A simulator $\mathcal{B}$ that solves the C3DH assumption using $\mathcal{A}$ is given a challenge tuple $D = ((n, \mathbb{G}, \mathbb{G}_T, e),\ g, g_q, g_r, g^a, g^b, g^{ab} R_1, g^{abc} R_2)$ and $T$, where $T = g^c R_3$ or $T = R$ is random. Then $\mathcal{B}$ interacts with $\mathcal{A}$ as follows.

Init: $\mathcal{A}$ gives two vectors $x_0 = (x_{0,1},\ldots,x_{0,l})$, $x_1 = (x_{1,1},\ldots,x_{1,l}) \in \Sigma^l$. $\mathcal{B}$ then flips a random coin $\gamma$ internally.

Setup: $\mathcal{B}$ first chooses random exponents $w_1, w_2, \alpha, \beta \in \mathbb{Z}_n$, $(u_1,h_1),\ldots,(u_l,h_l) \in \mathbb{Z}_n^2$, and random elements $R_v, R_{w,1}, R_{w,2} \in \mathbb{G}_q$, $(R_{u,1},R_{h,1}),\ldots,(R_{u,l},R_{h,l}) \in \mathbb{G}_q^2$. Next, it publishes a public key as
$$V = (g^{ab} R_1) R_v,\quad W_1 = (g^{ab} R_1 \cdot g)^{w_1} R_{w,1},\quad W_2 = g^{w_2} R_{w,2},\quad U_d = (g^{b})^{u_d} R_{u,d},\quad H_d = (g^{b})^{-u_d x_{\gamma,d}}\, g^{h_d}\, R_{h,d},$$
$$\big\{U_i = (g^{b})^{u_i} R_{u,i},\ H_i = (g^{b})^{-u_i x_{\gamma,i}} (g^{ab} R_1)^{h_i} R_{h,i}\big\}_{1 \le i \ne d \le l},\quad g_q,\ g_r,\quad \Omega = e(g^{ab} R_1, g)^{\alpha\beta}.$$
The only difference from the setup of Lemma 3.5 is the index $d$, where $H_d$ uses $g^{h_d}$ instead of $(g^{ab} R_1)^{h_d}$, so that the $\mathbb{G}_p$ part of $U_d^{\sigma_d} H_d$ is $g^{b u_d (\sigma_d - x_{\gamma,d}) + h_d}$.

Query 1: $\mathcal{A}$ adaptively requests a token for a vector $\sigma = (\sigma_1,\ldots,\sigma_l) \in \Sigma_*^l$ from $\mathcal{B}$. Let $S$ be the set of indexes that are not wildcard positions.

Type 1: For Type 1 queries, it is guaranteed that $d \notin S$, since $S \cap X = \emptyset$ and $d \in X$. If $\mathcal{A}$ requests a Type 1 query, then $\mathcal{B}$ chooses random exponents $r_1', r_3' \in \mathbb{Z}_n$ and random elements $Y_0, Y_1, Y_2, Y_3 \in \mathbb{G}_r$. Next, it creates a token as
$$K_0 = g^{\alpha\beta} (g^a)^{w_1 w_2 r_1'}\, g^{\sum_{i \in S} h_i r_3'}\, Y_0,\quad K_1 = (g^a)^{w_2 r_1'} Y_1,\quad K_2 = (g^a)^{-w_1 r_1'} Y_2,\quad K_3 = g^{r_3'} Y_3.$$
Note that this is the same as the simulation of the Type 1 token in $\mathbf{Game}_3$ if the randomness of the token is defined as $r_1 = w_2 r_1'/b$, $r_2 = -w_1 r_1'/b$, $r_3 = r_3'/(ab) \pmod p$.

Type 2: For Type 2 queries, there exists an index $j \in S$ such that $\sigma_j \ne x_{\gamma,j}$, and there are two cases, $d \notin S$ or $d \in S$. Let $\Delta = \sum_{i \in S} u_i (\sigma_i - x_{\gamma,i}) \in \mathbb{Z}_p$. Note that $\Delta \ne 0$ except with negligible probability.

In case $d \notin S$, $\mathcal{B}$ chooses random exponents $r_1', r_2', r_3' \in \mathbb{Z}_n$ and random elements $Y_0, Y_1, Y_2, Y_3 \in \mathbb{G}_r$, then it creates a token as
$$K_0 = g^{\alpha\beta} (g^a)^{w_1 w_2 r_1'}\, g^{\Delta w_2 r_3'}\, (g^a)^{\sum_{i \in S} h_i w_2 r_3'}\, g^{\sum_{i \in S} h_i w_2 r_2'}\, Y_0,\quad K_1 = (g^a)^{w_2 r_1'} Y_1,\quad K_2 = (g^a)^{-w_1 r_1'} (g^b)^{-\Delta r_2'} Y_2,\quad K_3 = (g^a)^{w_2 r_3'} g^{w_2 r_2'} Y_3.$$
Note that this is the same as the simulation of the Type 2 token in $\mathbf{Game}_3$ if the randomness of the token is defined as $r_1 = w_2 r_1'/b$, $r_2 = -w_1 r_1'/b - \Delta r_2'/a$, $r_3 = w_2 r_3'/b + w_2 r_2'/(ab) \pmod p$.

In case $d \in S$, $\mathcal{B}$ chooses random exponents $r_1', r_2', r_3' \in \mathbb{Z}_n$ and random elements $Y_0, Y_1, Y_2, Y_3 \in \mathbb{G}_r$, then it creates a token as
$$K_0 = g^{\alpha\beta} (g^a)^{w_1 w_2 r_1'}\, g^{\Delta w_2 r_3'}\, (g^a)^{\sum_{i \in S \setminus \{d\}} h_i w_2 r_3'}\, g^{\sum_{i \in S \setminus \{d\}} h_i w_2 r_2'}\, Y_0,\quad K_1 = (g^a)^{w_2 r_1'} Y_1,$$
$$K_2 = (g^a)^{-(w_1 r_1' + h_d r_3')} (g^b)^{-\Delta r_2'} g^{-h_d r_2'} Y_2,\quad K_3 = (g^a)^{w_2 r_3'} g^{w_2 r_2'} Y_3.$$
To show that the above token is the same as the token in $\mathbf{Game}_3$, we define the randomness of the token as $r_1 = w_2 r_1'/b$, $r_2 = -(w_1 r_1' + h_d r_3')/b - (b\Delta + h_d) r_2'/(ab)$, $r_3 = w_2 r_3'/b + w_2 r_2'/(ab) \pmod p$; the extra $h_d$ terms in $r_2$ absorb the contribution of $H_d$, whose exponent is $h_d$ rather than $ab\,h_d$, and $K_2 = v^{r_2} Y_2$ with $v = g^{ab}$ is exactly the element given above. It is not hard to see that $r_1, r_2, r_3$ are independent random values since $\Delta \ne 0$ except with negligible probability. Therefore, the distribution of the above token is correct since
$$K_0 = g^{\alpha\beta}\, w_1^{r_1} w_2^{r_2} (u_d^{\sigma_d} h_d)^{r_3} \Big(\prod_{i \in S \setminus \{d\}} u_i^{\sigma_i} h_i\Big)^{r_3} Y_0$$
$$= g^{\alpha\beta} \big(g^{(ab+1) w_1}\big)^{w_2 r_1'/b} \big(g^{w_2}\big)^{-(w_1 r_1' + h_d r_3')/b - (b\Delta + h_d) r_2'/(ab)} \big(g^{b u_d (\sigma_d - x_{\gamma,d}) + h_d}\big)^{w_2 r_3'/b + w_2 r_2'/(ab)} \Big(g^{\sum_{i \in S \setminus \{d\}} (b u_i (\sigma_i - x_{\gamma,i}) + ab h_i)}\Big)^{w_2 r_3'/b + w_2 r_2'/(ab)} Y_0$$
$$= g^{\alpha\beta}\, g^{a w_1 w_2 r_1'}\, g^{\Delta w_2 r_3'}\, g^{\sum_{i \in S \setminus \{d\}} (a h_i w_2 r_3' + h_i w_2 r_2')}\, Y_0.$$

Challenge: $\mathcal{A}$ gives two messages $M_0, M_1$ to $\mathcal{B}$. If $M_0 = M_1$, then $\mathcal{B}$ computes $C = e(g^{abc} R_2, g)^{\alpha\beta} M_\gamma$. Otherwise, it chooses a random element of $\mathbb{G}_T$ for $C$. Next, it chooses random elements $P, P_{3,1},\ldots,P_{3,d-1} \in \mathbb{G}$ and $Z_0, Z_1, Z_2, Z_{3,1},\ldots,Z_{3,l} \in \mathbb{G}_q$, then it outputs a challenge ciphertext as
$$C_0 = (g^{abc} R_2) Z_0,\quad C_1 = (g^{abc} R_2 \cdot P)^{w_1} Z_1,\quad C_2 = P^{w_2} Z_2,\quad i < d:\ C_{3,i} = P_{3,i} Z_{3,i},\quad C_{3,d} = T^{h_d} Z_{3,d},\quad i > d:\ C_{3,i} = (g^{abc} R_2)^{h_i} Z_{3,i}.$$
If $T$ is a valid C3DH tuple, then $C_{3,d} = g^{c h_d} Z_{3,d}$ is a normal element with $t = c$ and $\mathcal{B}$ is playing $\mathbf{Game}_{3,d-1}$. Otherwise, $C_{3,d}$ is random and $\mathcal{B}$ is playing $\mathbf{Game}_{3,d}$.

Query 2: Same as Query Phase 1.

Guess: $\mathcal{A}$ outputs a guess $\gamma'$. If $\gamma = \gamma'$, $\mathcal{B}$ outputs 0. Otherwise, it outputs 1. This completes our proof.

4 Construction in Prime Order Groups

In this section, we construct an HVE scheme based on prime order asymmetric bilinear groups [15] where there are no efficiently computable isomorphisms between the two groups $\mathbb{G}$ and $\hat{\mathbb{G}}$. This construction is algebraically similar to our construction in composite order bilinear groups. In the composite order setting, the subgroups $\mathbb{G}_q$ and $\mathbb{G}_r$ were used to provide the anonymity of ciphertexts and to hide the correlation between two random values, respectively. In the prime order asymmetric setting, the non-existence of efficiently computable isomorphisms both provides the anonymity of ciphertexts and hides the correlation of the two random values in tokens.

4.1 Asymmetric Bilinear Groups of Prime Order

Let $\mathbb{G}$, $\hat{\mathbb{G}}$, and $\mathbb{G}_T$ be multiplicative cyclic groups of prime order $p$ where $\mathbb{G} \ne \hat{\mathbb{G}}$. Let $g, \hat{g}$ be generators of $\mathbb{G}, \hat{\mathbb{G}}$, respectively. The asymmetric bilinear map $e : \mathbb{G} \times \hat{\mathbb{G}} \to \mathbb{G}_T$ has the following properties:

1. Bilinearity: $\forall u \in \mathbb{G}$, $\forall \hat{v} \in \hat{\mathbb{G}}$ and $\forall a, b \in \mathbb{Z}_p$, $e(u^a, \hat{v}^b) = e(u, \hat{v})^{ab}$.

2. Non-degeneracy: $\exists g, \hat{g}$ such that $e(g, \hat{g}) \ne 1$, that is, $e(g, \hat{g})$ is a generator of $\mathbb{G}_T$.

We say that $\mathbb{G}, \hat{\mathbb{G}}, \mathbb{G}_T$ are asymmetric bilinear groups with no efficiently computable isomorphisms if the group operations in $\mathbb{G}, \hat{\mathbb{G}}$ and $\mathbb{G}_T$ as well as the bilinear map $e$ are all efficiently computable, but there are no efficiently computable isomorphisms between $\mathbb{G}$ and $\hat{\mathbb{G}}$.

4.2 Complexity Assumptions

We introduce three cryptographic assumptions in asymmetric bilinear groups of prime order where there are no efficiently computable isomorphisms between the two groups $\mathbb{G}$ and $\hat{\mathbb{G}}$. The decisional asymmetric bilinear Diffie-Hellman (aBDH) assumption is the same as the decisional cBDH assumption except that it uses asymmetric bilinear groups. The decisional asymmetric Diffie-Hellman (aDH) assumption says that the traditional decisional DH assumption holds in the group $\hat{\mathbb{G}}$, which is plausible because there are no efficiently computable isomorphisms between the two groups (an isomorphism $\hat{\mathbb{G}} \to \mathbb{G}$ would let the pairing decide DH tuples in $\hat{\mathbb{G}}$). The decisional asymmetric 3-party Diffie-Hellman (a3DH) assumption is an asymmetric version of the decisional C3DH assumption.

Decisional asymmetric Bilinear Diffie-Hellman (aBDH) Assumption. Let $(p, \mathbb{G}, \hat{\mathbb{G}}, \mathbb{G}_T, e)$ be a description of an asymmetric bilinear group of prime order with no efficiently computable isomorphism from $\mathbb{G}$ to $\hat{\mathbb{G}}$. The decisional aBDH problem is stated as follows: given a challenge tuple $D = ((p, \mathbb{G}, \hat{\mathbb{G}}, \mathbb{G}_T, e),\ g, g^a, g^b, g^c, \hat{g}, \hat{g}^a, \hat{g}^b)$ and $T$, decide whether $T = e(g, \hat{g})^{abc}$ or $T = R$, with random choices of $a, b, c \in \mathbb{Z}_p$ and $R \in \mathbb{G}_T$. The advantage of $\mathcal{A}$ in solving the decisional aBDH problem is defined as
$$\mathrm{Adv}^{\mathrm{aBDH}}_{\mathcal{A}} = \Big| \Pr\big[\mathcal{A}(D, T = e(g, \hat{g})^{abc}) = 1\big] - \Pr\big[\mathcal{A}(D, T = R) = 1\big] \Big|,$$
where the probability is taken over the random choices of $D, T$ and the random bits used by $\mathcal{A}$.

Definition 4.1. We say that the decisional aBDH assumption holds if no probabilistic polynomial-time algorithm has a non-negligible advantage in solving the decisional aBDH problem.

Decisional asymmetric Diffie-Hellman (aDH) Assumption. Let $(p, \mathbb{G}, \hat{\mathbb{G}}, \mathbb{G}_T, e)$ be a description of an asymmetric bilinear group of prime order with no efficiently computable isomorphisms between $\mathbb{G}$ and $\hat{\mathbb{G}}$. Let $g, \hat{g}$ be generators of $\mathbb{G}, \hat{\mathbb{G}}$, respectively. The decisional aDH problem is stated as follows: given a challenge tuple $D = ((p, \mathbb{G}, \hat{\mathbb{G}}, \mathbb{G}_T, e),\ g, \hat{g}, \hat{g}^a, \hat{g}^b)$ and $T$, decide whether $T = \hat{g}^{ab}$ or $T = R$, with random choices of $a, b \in \mathbb{Z}_p$ and $R \in \hat{\mathbb{G}}$. The advantage of $\mathcal{A}$ in solving the decisional aDH problem is defined as
$$\mathrm{Adv}^{\mathrm{aDH}}_{\mathcal{A}} = \Big| \Pr\big[\mathcal{A}(D, T = \hat{g}^{ab}) = 1\big] - \Pr\big[\mathcal{A}(D, T = R) = 1\big] \Big|,$$
where the probability is taken over the random choices of $D, T$ and the random bits used by $\mathcal{A}$.

Definition 4.2. We say that the decisional aDH assumption holds if no probabilistic polynomial-time algorithm has a non-negligible advantage in solving the decisional aDH problem.

Decisional asymmetric 3-party Diffie-Hellman (a3DH) Assumption. Let $(p, \mathbb{G}, \hat{\mathbb{G}}, \mathbb{G}_T, e)$ be a description of an asymmetric bilinear group of prime order with no efficiently computable isomorphism from $\mathbb{G}$ to $\hat{\mathbb{G}}$. Let $g, \hat{g}$ be generators of $\mathbb{G}, \hat{\mathbb{G}}$, respectively. The decisional a3DH problem is stated as follows: given a challenge tuple $D = ((p, \mathbb{G}, \hat{\mathbb{G}}, \mathbb{G}_T, e),\ g, g^a, g^b, g^{ab}, g^{abc}, \hat{g}, \hat{g}^a, \hat{g}^b)$ and $T$, decide whether $T = g^c$ or $T = R$, with random choices of $a, b, c \in \mathbb{Z}_p$ and $R \in \mathbb{G}$. The advantage of $\mathcal{A}$ in solving the decisional a3DH problem is defined as
$$\mathrm{Adv}^{\mathrm{a3DH}}_{\mathcal{A}} = \Big| \Pr\big[\mathcal{A}(D, T = g^{c}) = 1\big] - \Pr\big[\mathcal{A}(D, T = R) = 1\big] \Big|,$$
where the probability is taken over the random choices of $D, T$ and the random bits used by $\mathcal{A}$.

Definition 4.3. We say that the decisional a3DH assumption holds if no probabilistic polynomial-time algorithm has a non-negligible advantage in solving the decisional a3DH problem.

Remark 4.4. The decisional aDH assumption is equivalent to the external Diffie-Hellman (XDH) assumption. In this paper, we will use aDH instead of XDH for notational consistency.
4.3 Description

Let $\Sigma = \mathbb{Z}_m$ for some integer $m$ and set $\Sigma_* = \mathbb{Z}_m \cup \{*\}$. Our scheme is described as follows.

Setup($1^\lambda$): The setup algorithm first generates the asymmetric bilinear groups $\mathbb{G}, \hat{\mathbb{G}}$ of prime order $p$ where $p$ is a random prime of bit size $\Theta(\lambda)$ and $p > m$. Let $g, \hat{g}$ be generators of $\mathbb{G}, \hat{\mathbb{G}}$, respectively. Next, it chooses random exponents $v, w_1, w_2 \in \mathbb{Z}_p$, $(u_1,h_1),\ldots,(u_l,h_l) \in \mathbb{Z}_p^2$, and $\alpha, \beta \in \mathbb{Z}_p$. It keeps these as a secret key $SK$ and outputs a public key $PK$, together with the description of the asymmetric bilinear groups $\mathbb{G}, \hat{\mathbb{G}}$, as
$$PK = \Big( v = g^{v},\ w_1 = g^{w_1},\ w_2 = g^{w_2},\ \{(u_i = g^{u_i},\ h_i = g^{h_i})\}_{i=1}^{l},\ \Omega = e(v, \hat{g})^{\alpha\beta} \Big).$$

GenToken($\sigma, SK, PK$): The token generation algorithm takes as input a vector $\sigma = (\sigma_1,\ldots,\sigma_l) \in \Sigma_*^l$ and the secret key $SK$. Let $S$ be the set of indexes that are not wildcard positions. It first selects random exponents $r_1, r_2, r_3 \in \mathbb{Z}_p$ and computes $\hat{v} = \hat{g}^{v}, \hat{w}_1 = \hat{g}^{w_1}, \hat{w}_2 = \hat{g}^{w_2}, \hat{u}_i = \hat{g}^{u_i}, \hat{h}_i = \hat{g}^{h_i}$. Next, it outputs a token as
$$TK_\sigma = \Big( K_0 = \hat{g}^{\alpha\beta}\, \hat{w}_1^{r_1} \hat{w}_2^{r_2} \Big(\prod_{i \in S} \hat{u}_i^{\sigma_i} \hat{h}_i\Big)^{r_3},\quad K_1 = \hat{v}^{r_1},\quad K_2 = \hat{v}^{r_2},\quad K_3 = \hat{v}^{r_3} \Big).$$

Encrypt($x, M, PK$): The encryption algorithm takes as input a vector $x = (x_1,\ldots,x_l) \in \Sigma^l$, a message $M \in \mathcal{M} \subseteq \mathbb{G}_T$ and the public key $PK$. It chooses a random exponent $t \in \mathbb{Z}_p$ and outputs a ciphertext as
$$CT = \Big( C = \Omega^{t} M,\quad C_0 = v^{t},\quad C_1 = w_1^{t},\quad C_2 = w_2^{t},\quad \{C_{3,i} = (u_i^{x_i} h_i)^{t}\}_{i=1}^{l} \Big).$$

Query($CT, TK_\sigma, PK$): The query algorithm takes as input a ciphertext $CT$ and a token $TK_\sigma$ with a vector $\sigma$. It first computes
$$M \leftarrow C \cdot e(C_0, K_0)^{-1} \cdot e(C_1, K_1) \cdot e(C_2, K_2) \cdot e\Big(\prod_{i \in S} C_{3,i},\ K_3\Big).$$
If $M \notin \mathcal{M}$, it outputs $\bot$, indicating that the predicate $f_\sigma$ is not satisfied. Otherwise, it outputs $M$, indicating that the predicate $f_\sigma$ is satisfied. Note that $e(C_0, K_0)$ contains the factor $e(v, \hat{g})^{t r_3 \sum_{i \in S}(u_i \sigma_i + h_i)}$ while $e(\prod_{i \in S} C_{3,i}, K_3) = e(v, \hat{g})^{t r_3 \sum_{i \in S}(u_i x_i + h_i)}$, so the two cancel exactly when $\sum_{i \in S} u_i(x_i - \sigma_i) = 0$, which for random hidden $u_i$ holds only if $x_i = \sigma_i$ for all $i \in S$ (except with negligible probability); otherwise $M$ is masked by a random element of $\mathbb{G}_T$ and falls outside $\mathcal{M}$ with overwhelming probability.

Remark 4.5. We can expand the finite space $\Sigma$ from $\mathbb{Z}_m$ to all of $\{0,1\}^*$ by using a collision-resistant hash function for the vector of attributes.

4.4 Security

Theorem 4.6. The above HVE construction is selectively secure under the decisional aBDH assumption, the decisional aDH assumption, and the decisional a3DH assumption.

Proof. The main structure of this proof is almost the same as the proof of Theorem 3.2. That is, it consists of a sequence of games $\mathbf{Game}_0, \mathbf{Game}_1, \mathbf{Game}_2, \mathbf{Game}_3, \mathbf{Game}_4$, and we prove that there is no probabilistic polynomial-time adversary that distinguishes between $\mathbf{Game}_{i-1}$ and $\mathbf{Game}_i$. These games are nearly the same as those in the proof of Theorem 3.2. The difference is that the ciphertext elements and the token elements are represented in prime order groups, whereas those elements were represented in composite order groups in the proof of Theorem 3.2. For instance, the $C_1, C_2$ elements of the challenge ciphertext are replaced by $C_1 = w_1^{t} g^{\rho}$, $C_2 = w_2^{t} g^{-\rho\pi}$ in $\mathbf{Game}_3$, and the $C_{3,i}$ elements of the challenge ciphertext in $\mathbf{Game}_4$ are replaced with random values in $\mathbb{G}$.

First, the indistinguishability between $\mathbf{Game}_0$ and $\mathbf{Game}_1$ can be proven using the decisional aBDH assumption. The proof is almost the same as Lemma 3.3, since the main components of the decisional aBDH assumption in prime order asymmetric bilinear groups are the same as those of the decisional cBDH assumption. Note that the BSD assumption used in Theorem 3.2 is not needed here. Second, the indistinguishability between $\mathbf{Game}_1$ and $\mathbf{Game}_2$ can be proven using the decisional aDH assumption for $\hat{\mathbb{G}}$ in prime order asymmetric bilinear groups. The proof is the same as Lemma 3.4, since the decisional C2DH assumption in Lemma 3.4 is converted to the decisional aDH assumption in prime order asymmetric bilinear groups. Finally, the indistinguishability between $\mathbf{Game}_2$ and $\mathbf{Game}_3$ (respectively, between $\mathbf{Game}_3$ and $\mathbf{Game}_4$) can be proven under the decisional a3DH assumption. The proof is the same as Lemma 3.5 (respectively, Lemma 3.6) except that it uses the decisional a3DH assumption instead of the decisional C3DH assumption, since the decisional C3DH assumption can be converted to the decisional a3DH assumption in prime order asymmetric bilinear groups. This completes our proof.

4.5 Discussion

Recently, a heuristic methodology that converts cryptosystems from composite order bilinear groups to prime order asymmetric bilinear groups was proposed by Freeman [14]. The main idea of Freeman's method is to construct a product group $\mathbb{G}^n$ that has orthogonal subgroups by applying the direct product to a prime order bilinear group $\mathbb{G}$, where $n$ is the number of subgroups. Our construction in composite order bilinear groups can also be converted to a construction in prime order asymmetric bilinear groups by applying Freeman's method. However, the resulting construction requires three elements of the prime order group to represent one element of the composite order group, since Freeman's method converts one element of a composite order group with three subgroups into three elements of the prime order group. That is, the number of group elements in ciphertexts and tokens, and the number of pairing operations in decryption, increase by a factor of three compared with the direct construction of Section 4.3.

5 Conclusion

We presented the first efficient HVE schemes with constant-size tokens and a constant number of pairing computations in decryption. The first scheme was based on composite order bilinear groups where the order is a product of three primes. The second one was based on prime order asymmetric bilinear groups where there are no efficiently computable isomorphisms between the two groups. Although we proposed an HVE scheme in prime order bilinear groups, our construction relies on asymmetric bilinear groups, which are a special kind of prime order bilinear groups. Thus, one interesting problem is to construct an HVE scheme with constant-size tokens in prime order symmetric bilinear groups. Another interesting problem is to construct an HVE scheme with sublinear-size ciphertexts. In anonymous HIBE, a scheme with constant-size ciphertexts was presented in [23]. However, it is not easy to construct an HVE scheme with sublinear-size ciphertexts because it must support wildcards in the token.
References

[1] Abdalla, M., Bellare, M., Catalano, D., Kiltz, E., Kohno, T., Lange, T., Malone-Lee, J., Neven, G., Paillier, P., Shi, H.: Searchable encryption revisited: consistency properties, relation to anonymous IBE, and extensions. In: Shoup, V. (ed.) Advances in Cryptology - CRYPTO 2005. Lecture Notes in Computer Science, vol. 3621. Springer (2005).

[2] Bethencourt, J., Sahai, A., Waters, B.: Ciphertext-policy attribute-based encryption. In: IEEE Symposium on Security and Privacy 2007. IEEE Computer Society (2007).

[3] Blundo, C., Iovino, V., Persiano, G.: Private-key hidden vector encryption with key privacy. In: Garay, J.A., Miyaji, A., Otsuka, A. (eds.) CANS 2009. Lecture Notes in Computer Science, vol. 5888. Springer (2009).

[4] Boneh, D., Boyen, X.: Efficient selective-ID secure identity based encryption without random oracles. In: Cachin, C., Camenisch, J. (eds.) Advances in Cryptology - EUROCRYPT 2004. Lecture Notes in Computer Science, vol. 3027. Springer (2004).


More information

Predicate Privacy in Encryption Systems

Predicate Privacy in Encryption Systems Predicate Privacy in Encryption Systems Emily Shen 1, Elaine Shi 2, and Brent Waters 3 1 MIT eshen@csail.mit.edu 2 CMU/PARC eshi@parc.com 3 UT Austin bwaters@cs.utexas.edu Abstract. Predicate encryption

More information

Introduction to Arithmetic Geometry Fall 2013 Lecture #10 10/8/2013

Introduction to Arithmetic Geometry Fall 2013 Lecture #10 10/8/2013 18.782 Introduction to Arithmetic Geometry Fall 2013 Lecture #10 10/8/2013 In this lecture we lay the groundwork needed to rove the Hasse-Minkowski theorem for Q, which states that a quadratic form over

More information

Secure and Practical Identity-Based Encryption

Secure and Practical Identity-Based Encryption Secure and Practical Identity-Based Encryption David Naccache Groupe de Cyptographie, Deṕartement d Informatique École Normale Supérieure 45 rue d Ulm, 75005 Paris, France david.nacache@ens.fr Abstract.

More information

Efficient Identity-based Encryption Without Random Oracles

Efficient Identity-based Encryption Without Random Oracles Efficient Identity-based Encryption Without Random Oracles Brent Waters Weiwei Liu School of Computer Science and Software Engineering 1/32 Weiwei Liu Efficient Identity-based Encryption Without Random

More information

Identity-based encryption

Identity-based encryption Identity-based encryption Michel Abdalla ENS & CNRS MPRI - Course 2-12-1 Michel Abdalla (ENS & CNRS) Identity-based encryption 1 / 43 Identity-based encryption (IBE) Goal: Allow senders to encrypt messages

More information

Privacy via Pseudorandom Sketches

Privacy via Pseudorandom Sketches Privacy via Pseudorandom Sketches Nina Mishra Mark Sandler December 18, 2005 Abstract Imagine a collection of individuals who each ossess rivate data that they do not wish to share with a third arty. This

More information

Definitional Issues in Functional Encryption

Definitional Issues in Functional Encryption Definitional Issues in Functional Encryption Adam O Neill Abstract We provide a formalization of the emergent notion of functional encryption, as well as introduce various security notions for it, and

More information

Perfect Keyword Privacy in PEKS Systems

Perfect Keyword Privacy in PEKS Systems Perfect Keyword Privacy in PEKS Systems Mototsugu Nishioka HITACHI, Ltd., Yokohama Research Laboratory, Japan mototsugu.nishioka.rc@hitachi.com Abstract. This paper presents a new security notion, called

More information

A Distance-sensitive Attribute Based Cryptosystem for Privacy-Preserving Querying

A Distance-sensitive Attribute Based Cryptosystem for Privacy-Preserving Querying MITSUBISHI ELECTRIC RESEARCH LABORATORIES htt://www.merl.com A Distance-sensitive Attribute Based Crytosystem for Privacy-Preserving Querying Sun, W.; Rane, S. TR2012-054 July 2012 Abstract We roose an

More information

ANALYTIC NUMBER THEORY AND DIRICHLET S THEOREM

ANALYTIC NUMBER THEORY AND DIRICHLET S THEOREM ANALYTIC NUMBER THEORY AND DIRICHLET S THEOREM JOHN BINDER Abstract. In this aer, we rove Dirichlet s theorem that, given any air h, k with h, k) =, there are infinitely many rime numbers congruent to

More information

The Graph Accessibility Problem and the Universality of the Collision CRCW Conflict Resolution Rule

The Graph Accessibility Problem and the Universality of the Collision CRCW Conflict Resolution Rule The Grah Accessibility Problem and the Universality of the Collision CRCW Conflict Resolution Rule STEFAN D. BRUDA Deartment of Comuter Science Bisho s University Lennoxville, Quebec J1M 1Z7 CANADA bruda@cs.ubishos.ca

More information

1-way quantum finite automata: strengths, weaknesses and generalizations

1-way quantum finite automata: strengths, weaknesses and generalizations 1-way quantum finite automata: strengths, weaknesses and generalizations arxiv:quant-h/9802062v3 30 Se 1998 Andris Ambainis UC Berkeley Abstract Rūsiņš Freivalds University of Latvia We study 1-way quantum

More information

#A64 INTEGERS 18 (2018) APPLYING MODULAR ARITHMETIC TO DIOPHANTINE EQUATIONS

#A64 INTEGERS 18 (2018) APPLYING MODULAR ARITHMETIC TO DIOPHANTINE EQUATIONS #A64 INTEGERS 18 (2018) APPLYING MODULAR ARITHMETIC TO DIOPHANTINE EQUATIONS Ramy F. Taki ElDin Physics and Engineering Mathematics Deartment, Faculty of Engineering, Ain Shams University, Cairo, Egyt

More information

A New and Optimal Chosen-message Attack on RSA-type Cryptosystems

A New and Optimal Chosen-message Attack on RSA-type Cryptosystems Published in Y. Han, T. Okamoto, and S. Qing, eds, Information and Communications Security (ICICS 97), vol. 1334 of Lecture Notes in Comer Science,. 30-313, Sringer-Verlag, 1997. A New and Otimal Chosen-message

More information

Threshold broadcast encryption with keyword search

Threshold broadcast encryption with keyword search University of Wollongong Research Online Faculty of Engineering and Information Sciences - Papers: Part A Faculty of Engineering and Information Sciences 2016 Threshold broadcast encryption with keyword

More information

DIFFERENTIAL GEOMETRY. LECTURES 9-10,

DIFFERENTIAL GEOMETRY. LECTURES 9-10, DIFFERENTIAL GEOMETRY. LECTURES 9-10, 23-26.06.08 Let us rovide some more details to the definintion of the de Rham differential. Let V, W be two vector bundles and assume we want to define an oerator

More information

MATH 361: NUMBER THEORY ELEVENTH LECTURE

MATH 361: NUMBER THEORY ELEVENTH LECTURE MATH 361: NUMBER THEORY ELEVENTH LECTURE The subjects of this lecture are characters, Gauss sums, Jacobi sums, and counting formulas for olynomial equations over finite fields. 1. Definitions, Basic Proerties

More information

CERIAS Tech Report The period of the Bell numbers modulo a prime by Peter Montgomery, Sangil Nahm, Samuel Wagstaff Jr Center for Education

CERIAS Tech Report The period of the Bell numbers modulo a prime by Peter Montgomery, Sangil Nahm, Samuel Wagstaff Jr Center for Education CERIAS Tech Reort 2010-01 The eriod of the Bell numbers modulo a rime by Peter Montgomery, Sangil Nahm, Samuel Wagstaff Jr Center for Education and Research Information Assurance and Security Purdue University,

More information

p-adic Measures and Bernoulli Numbers

p-adic Measures and Bernoulli Numbers -Adic Measures and Bernoulli Numbers Adam Bowers Introduction The constants B k in the Taylor series exansion t e t = t k B k k! k=0 are known as the Bernoulli numbers. The first few are,, 6, 0, 30, 0,

More information

GOOD MODELS FOR CUBIC SURFACES. 1. Introduction

GOOD MODELS FOR CUBIC SURFACES. 1. Introduction GOOD MODELS FOR CUBIC SURFACES ANDREAS-STEPHAN ELSENHANS Abstract. This article describes an algorithm for finding a model of a hyersurface with small coefficients. It is shown that the aroach works in

More information

The non-stochastic multi-armed bandit problem

The non-stochastic multi-armed bandit problem Submitted for journal ublication. The non-stochastic multi-armed bandit roblem Peter Auer Institute for Theoretical Comuter Science Graz University of Technology A-8010 Graz (Austria) auer@igi.tu-graz.ac.at

More information

ON THE LEAST SIGNIFICANT p ADIC DIGITS OF CERTAIN LUCAS NUMBERS

ON THE LEAST SIGNIFICANT p ADIC DIGITS OF CERTAIN LUCAS NUMBERS #A13 INTEGERS 14 (014) ON THE LEAST SIGNIFICANT ADIC DIGITS OF CERTAIN LUCAS NUMBERS Tamás Lengyel Deartment of Mathematics, Occidental College, Los Angeles, California lengyel@oxy.edu Received: 6/13/13,

More information

Towards understanding the Lorenz curve using the Uniform distribution. Chris J. Stephens. Newcastle City Council, Newcastle upon Tyne, UK

Towards understanding the Lorenz curve using the Uniform distribution. Chris J. Stephens. Newcastle City Council, Newcastle upon Tyne, UK Towards understanding the Lorenz curve using the Uniform distribution Chris J. Stehens Newcastle City Council, Newcastle uon Tyne, UK (For the Gini-Lorenz Conference, University of Siena, Italy, May 2005)

More information

ID-based Encryption Scheme Secure against Chosen Ciphertext Attacks

ID-based Encryption Scheme Secure against Chosen Ciphertext Attacks ID-based Encryption Scheme Secure against Chosen Ciphertext Attacks ongxing Lu and Zhenfu Cao Department of Computer Science and Engineering, Shanghai Jiao Tong University, Shanghai 200030, P.. China {cao-zf,

More information

Multiplicative group law on the folium of Descartes

Multiplicative group law on the folium of Descartes Multilicative grou law on the folium of Descartes Steluţa Pricoie and Constantin Udrişte Abstract. The folium of Descartes is still studied and understood today. Not only did it rovide for the roof of

More information

QUADRATIC RESIDUES AND DIFFERENCE SETS

QUADRATIC RESIDUES AND DIFFERENCE SETS QUADRATIC RESIDUES AND DIFFERENCE SETS VSEVOLOD F. LEV AND JACK SONN Abstract. It has been conjectured by Sárközy that with finitely many excetions, the set of quadratic residues modulo a rime cannot be

More information

Sums of independent random variables

Sums of independent random variables 3 Sums of indeendent random variables This lecture collects a number of estimates for sums of indeendent random variables with values in a Banach sace E. We concentrate on sums of the form N γ nx n, where

More information

Efficient Selective Identity-Based Encryption Without Random Oracles

Efficient Selective Identity-Based Encryption Without Random Oracles Efficient Selective Identity-Based Encryption Without Random Oracles Dan Boneh Xavier Boyen March 21, 2011 Abstract We construct two efficient Identity-Based Encryption (IBE) systems that admit selectiveidentity

More information

ON POLYNOMIAL SELECTION FOR THE GENERAL NUMBER FIELD SIEVE

ON POLYNOMIAL SELECTION FOR THE GENERAL NUMBER FIELD SIEVE MATHEMATICS OF COMPUTATIO Volume 75, umber 256, October 26, Pages 237 247 S 25-5718(6)187-9 Article electronically ublished on June 28, 26 O POLYOMIAL SELECTIO FOR THE GEERAL UMBER FIELD SIEVE THORSTE

More information

Introduction to Group Theory Note 1

Introduction to Group Theory Note 1 Introduction to Grou Theory Note July 7, 009 Contents INTRODUCTION. Examles OF Symmetry Grous in Physics................................. ELEMENT OF GROUP THEORY. De nition of Grou................................................

More information

cient Round-Optimal Blind Signatures in the Standard Model

cient Round-Optimal Blind Signatures in the Standard Model E cient Round-Otimal lind Signatures in the Standard Model Essam Ghadafi University of the West of England, ristol, UK Essam.Ghadafi@gmail.com bstract. lind signatures are at the core of e-cash systems

More information

CMSC 425: Lecture 4 Geometry and Geometric Programming

CMSC 425: Lecture 4 Geometry and Geometric Programming CMSC 425: Lecture 4 Geometry and Geometric Programming Geometry for Game Programming and Grahics: For the next few lectures, we will discuss some of the basic elements of geometry. There are many areas

More information

RECIPROCITY LAWS JEREMY BOOHER

RECIPROCITY LAWS JEREMY BOOHER RECIPROCITY LAWS JEREMY BOOHER 1 Introduction The law of uadratic recirocity gives a beautiful descrition of which rimes are suares modulo Secial cases of this law going back to Fermat, and Euler and Legendre

More information

Type-based Proxy Re-encryption and its Construction

Type-based Proxy Re-encryption and its Construction Type-based Proxy Re-encryption and its Construction Qiang Tang Faculty of EWI, University of Twente, the Netherlands q.tang@utwente.nl Abstract. Recently, the concept of proxy re-encryption has been shown

More information

Convex Optimization methods for Computing Channel Capacity

Convex Optimization methods for Computing Channel Capacity Convex Otimization methods for Comuting Channel Caacity Abhishek Sinha Laboratory for Information and Decision Systems (LIDS), MIT sinhaa@mit.edu May 15, 2014 We consider a classical comutational roblem

More information

Pseudorandom Sequence Generation

Pseudorandom Sequence Generation YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467a: Crytograhy and Comuter Security Handout #21 Professor M. J. Fischer November 29, 2005 Pseudorandom Seuence Generation 1 Distinguishability and

More information

Public Key Cryptosystems RSA

Public Key Cryptosystems RSA Public Key Crytosystems RSA 57 17 Receiver Sender 41 19 and rime 53 Attacker 47 Public Key Crytosystems RSA Comute numbers n = * 2337 323 57 17 Receiver Sender 41 19 and rime 53 Attacker 2491 47 Public

More information

Elementary Analysis in Q p

Elementary Analysis in Q p Elementary Analysis in Q Hannah Hutter, May Szedlák, Phili Wirth November 17, 2011 This reort follows very closely the book of Svetlana Katok 1. 1 Sequences and Series In this section we will see some

More information

Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security

Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security Boaz Barak November 21, 2007 Cyclic groups and discrete log A group G is cyclic if there exists a generator

More information

SQUARES IN Z/NZ. q = ( 1) (p 1)(q 1)

SQUARES IN Z/NZ. q = ( 1) (p 1)(q 1) SQUARES I Z/Z We study squares in the ring Z/Z from a theoretical and comutational oint of view. We resent two related crytograhic schemes. 1. SQUARES I Z/Z Consider for eamle the rime = 13. Write the

More information

Jacobi symbols and application to primality

Jacobi symbols and application to primality Jacobi symbols and alication to rimality Setember 19, 018 1 The grou Z/Z We review the structure of the abelian grou Z/Z. Using Chinese remainder theorem, we can restrict to the case when = k is a rime

More information

MA3H1 TOPICS IN NUMBER THEORY PART III

MA3H1 TOPICS IN NUMBER THEORY PART III MA3H1 TOPICS IN NUMBER THEORY PART III SAMIR SIKSEK 1. Congruences Modulo m In quadratic recirocity we studied congruences of the form x 2 a (mod ). We now turn our attention to situations where is relaced

More information

The Fekete Szegő theorem with splitting conditions: Part I

The Fekete Szegő theorem with splitting conditions: Part I ACTA ARITHMETICA XCIII.2 (2000) The Fekete Szegő theorem with slitting conditions: Part I by Robert Rumely (Athens, GA) A classical theorem of Fekete and Szegő [4] says that if E is a comact set in the

More information

AI*IA 2003 Fusion of Multiple Pattern Classifiers PART III

AI*IA 2003 Fusion of Multiple Pattern Classifiers PART III AI*IA 23 Fusion of Multile Pattern Classifiers PART III AI*IA 23 Tutorial on Fusion of Multile Pattern Classifiers by F. Roli 49 Methods for fusing multile classifiers Methods for fusing multile classifiers

More information

POINTS ON CONICS MODULO p

POINTS ON CONICS MODULO p POINTS ON CONICS MODULO TEAM 2: JONGMIN BAEK, ANAND DEOPURKAR, AND KATHERINE REDFIELD Abstract. We comute the number of integer oints on conics modulo, where is an odd rime. We extend our results to conics

More information

Combining Logistic Regression with Kriging for Mapping the Risk of Occurrence of Unexploded Ordnance (UXO)

Combining Logistic Regression with Kriging for Mapping the Risk of Occurrence of Unexploded Ordnance (UXO) Combining Logistic Regression with Kriging for Maing the Risk of Occurrence of Unexloded Ordnance (UXO) H. Saito (), P. Goovaerts (), S. A. McKenna (2) Environmental and Water Resources Engineering, Deartment

More information

RINGS OF INTEGERS WITHOUT A POWER BASIS

RINGS OF INTEGERS WITHOUT A POWER BASIS RINGS OF INTEGERS WITHOUT A POWER BASIS KEITH CONRAD Let K be a number field, with degree n and ring of integers O K. When O K = Z[α] for some α O K, the set {1, α,..., α n 1 } is a Z-basis of O K. We

More information

Towards a Classification of Non-interactive Computational Assumptions in Cyclic Groups

Towards a Classification of Non-interactive Computational Assumptions in Cyclic Groups Towards a Classification of Non-interactive Comutational Assumtions in Cyclic Grous Essam Ghadafi 1 and Jens Groth 2 1 University of the West of England, Bristol, UK Essam.Ghadafi@gmail.com 2 University

More information

A Qualitative Event-based Approach to Multiple Fault Diagnosis in Continuous Systems using Structural Model Decomposition

A Qualitative Event-based Approach to Multiple Fault Diagnosis in Continuous Systems using Structural Model Decomposition A Qualitative Event-based Aroach to Multile Fault Diagnosis in Continuous Systems using Structural Model Decomosition Matthew J. Daigle a,,, Anibal Bregon b,, Xenofon Koutsoukos c, Gautam Biswas c, Belarmino

More information

Shadow Computing: An Energy-Aware Fault Tolerant Computing Model

Shadow Computing: An Energy-Aware Fault Tolerant Computing Model Shadow Comuting: An Energy-Aware Fault Tolerant Comuting Model Bryan Mills, Taieb Znati, Rami Melhem Deartment of Comuter Science University of Pittsburgh (bmills, znati, melhem)@cs.itt.edu Index Terms

More information

Intrinsic Approximation on Cantor-like Sets, a Problem of Mahler

Intrinsic Approximation on Cantor-like Sets, a Problem of Mahler Intrinsic Aroximation on Cantor-like Sets, a Problem of Mahler Ryan Broderick, Lior Fishman, Asaf Reich and Barak Weiss July 200 Abstract In 984, Kurt Mahler osed the following fundamental question: How

More information

A New Functional Encryption for Multidimensional Range Query

A New Functional Encryption for Multidimensional Range Query A New Functional Encryption for Multidimensional Range Query Jia Xu 1, Ee-Chien Chang 2, and Jianying Zhou 3 1 Singapore Telecommunications Limited jia.xu@singtel.com 2 National University of Singapore

More information

The Group of Primitive Almost Pythagorean Triples

The Group of Primitive Almost Pythagorean Triples The Grou of Primitive Almost Pythagorean Triles Nikolai A. Krylov and Lindsay M. Kulzer arxiv:1107.2860v2 [math.nt] 9 May 2012 Abstract We consider the triles of integer numbers that are solutions of the

More information

QUANTUM INFORMATION DELAY SCHEME USING ORTHOGONAL PRODUCT STATES

QUANTUM INFORMATION DELAY SCHEME USING ORTHOGONAL PRODUCT STATES 0 th March 0. Vol. No. 00-0 JATIT & LLS. All rights reserved. ISSN: -86 www.jatit.org E-ISSN: 87- QUANTUM INFORMATION DELAY SCHEME USING ORTHOGONAL PRODUCT STATES XIAOYU LI, LIJU CHEN School of Information

More information

Model checking, verification of CTL. One must verify or expel... doubts, and convert them into the certainty of YES [Thomas Carlyle]

Model checking, verification of CTL. One must verify or expel... doubts, and convert them into the certainty of YES [Thomas Carlyle] Chater 5 Model checking, verification of CTL One must verify or exel... doubts, and convert them into the certainty of YES or NO. [Thomas Carlyle] 5. The verification setting Page 66 We introduce linear

More information

MATH 2710: NOTES FOR ANALYSIS

MATH 2710: NOTES FOR ANALYSIS MATH 270: NOTES FOR ANALYSIS The main ideas we will learn from analysis center around the idea of a limit. Limits occurs in several settings. We will start with finite limits of sequences, then cover infinite

More information

Improved Capacity Bounds for the Binary Energy Harvesting Channel

Improved Capacity Bounds for the Binary Energy Harvesting Channel Imroved Caacity Bounds for the Binary Energy Harvesting Channel Kaya Tutuncuoglu 1, Omur Ozel 2, Aylin Yener 1, and Sennur Ulukus 2 1 Deartment of Electrical Engineering, The Pennsylvania State University,

More information

Ž. Ž. Ž. 2 QUADRATIC AND INVERSE REGRESSIONS FOR WISHART DISTRIBUTIONS 1

Ž. Ž. Ž. 2 QUADRATIC AND INVERSE REGRESSIONS FOR WISHART DISTRIBUTIONS 1 The Annals of Statistics 1998, Vol. 6, No., 573595 QUADRATIC AND INVERSE REGRESSIONS FOR WISHART DISTRIBUTIONS 1 BY GERARD LETAC AND HELENE ` MASSAM Universite Paul Sabatier and York University If U and

More information