Bilinear Entropy Expansion from the Decisional Linear Assumption

Similar documents
Fully-secure Key Policy ABE on Prime-Order Bilinear Groups

Improved Hidden Vector Encryption with Short Ciphertexts and Tokens

Tight Adaptively Secure Broadcast Encryption with Short Ciphertexts and Keys

Cryptanalysis of Pseudorandom Generators

Conversions among Several Classes of Predicate Encryption and Applications to ABE with Various Compactness Tradeoffs

Cryptography. Lecture 8. Arpita Patra

Predicate Encryption Supporting Disjunctions, Polynomial Equations, and Inner Products

Elliptic Curves and Cryptography

Advanced Cryptography Midterm Exam

Outline. EECS150 - Digital Design Lecture 26 Error Correction Codes, Linear Feedback Shift Registers (LFSRs) Simple Error Detection Coding

RECIPROCITY LAWS JEREMY BOOHER

CDH/DDH-Based Encryption. K&L Sections , 11.4.

Efficient Cryptosystems From 2 k -th Power Residue Symbols

Efficient Cryptosystems From 2 k -th Power Residue Symbols

Cryptography Assignment 3

An Algebraic Framework for Pseudorandom Functions and Applications to Related-Key Security

A Public-Key Cryptosystem Based on Lucas Sequences

ANALYTIC NUMBER THEORY AND DIRICHLET S THEOREM

p-adic Measures and Bernoulli Numbers

Predicate Privacy in Encryption Systems

A Qualitative Event-based Approach to Multiple Fault Diagnosis in Continuous Systems using Structural Model Decomposition

The Graph Accessibility Problem and the Universality of the Collision CRCW Conflict Resolution Rule

The non-stochastic multi-armed bandit problem

arxiv: v1 [physics.data-an] 26 Oct 2012

c Copyright by Helen J. Elwood December, 2011

An Inverse Problem for Two Spectra of Complex Finite Jacobi Matrices

Shadow Computing: An Energy-Aware Fault Tolerant Computing Model

1. INTRODUCTION. Fn 2 = F j F j+1 (1.1)

Distributed Rule-Based Inference in the Presence of Redundant Information

GOOD MODELS FOR CUBIC SURFACES. 1. Introduction

A CONCRETE EXAMPLE OF PRIME BEHAVIOR IN QUADRATIC FIELDS. 1. Abstract

Evaluating Circuit Reliability Under Probabilistic Gate-Level Fault Models

Pseudorandom Sequence Generation

Linear diophantine equations for discrete tomography

MATH 2710: NOTES FOR ANALYSIS

Elementary Analysis in Q p

Math 4400/6400 Homework #8 solutions. 1. Let P be an odd integer (not necessarily prime). Show that modulo 2,

POINTS ON CONICS MODULO p

1-way quantum finite automata: strengths, weaknesses and generalizations

Radial Basis Function Networks: Algorithms

Extension of Minimax to Infinite Matrices

Lattice Attacks on the DGHV Homomorphic Encryption Scheme

CMSC 425: Lecture 4 Geometry and Geometric Programming

System Reliability Estimation and Confidence Regions from Subsystem and Full System Tests

An Attack on a Fully Homomorphic Encryption Scheme

Approximating min-max k-clustering

Fault Tolerant Quantum Computing Robert Rogers, Thomas Sylwester, Abe Pauls

By Evan Chen OTIS, Internal Use

Computer arithmetic. Intensive Computation. Annalisa Massini 2017/2018

SQUARES IN Z/NZ. q = ( 1) (p 1)(q 1)

The Fekete Szegő theorem with splitting conditions: Part I

MAS 4203 Number Theory. M. Yotov

ECE 534 Information Theory - Midterm 2

HENSEL S LEMMA KEITH CONRAD

ON POLYNOMIAL SELECTION FOR THE GENERAL NUMBER FIELD SIEVE

A Block Cipher Involving a Key and a Key Bunch Matrix, Supplemented with Key-Based Permutation and Substitution

For q 0; 1; : : : ; `? 1, we have m 0; 1; : : : ; q? 1. The set fh j(x) : j 0; 1; ; : : : ; `? 1g forms a basis for the tness functions dened on the i

An Estimate For Heilbronn s Exponential Sum

Brownian Motion and Random Prime Factorization

RESOLUTIONS OF THREE-ROWED SKEW- AND ALMOST SKEW-SHAPES IN CHARACTERISTIC ZERO

Solved Problems. (a) (b) (c) Figure P4.1 Simple Classification Problems First we draw a line between each set of dark and light data points.

4. Score normalization technical details We now discuss the technical details of the score normalization method.

arxiv: v1 [quant-ph] 3 Feb 2015

CR extensions with a classical Several Complex Variables point of view. August Peter Brådalen Sonne Master s Thesis, Spring 2018

The Value of Even Distribution for Temporal Resource Partitions

Convex Optimization methods for Computing Channel Capacity

Combining Logistic Regression with Kriging for Mapping the Risk of Occurrence of Unexploded Ordnance (UXO)

RANDOM WALKS AND PERCOLATION: AN ANALYSIS OF CURRENT RESEARCH ON MODELING NATURAL PROCESSES

Tools for Simulating Features of Composite Order Bilinear Groups in the Prime Order Setting

COMMUNICATION BETWEEN SHAREHOLDERS 1

Uncorrelated Multilinear Principal Component Analysis for Unsupervised Multilinear Subspace Learning

Feedback-error control

δ(xy) = φ(x)δ(y) + y p δ(x). (1)

New Proof Methods for Attribute-Based Encryption: Achieving Full Security through Selective Techniques

An Overview of Witt Vectors

Galois Fields, Linear Feedback Shift Registers and their Applications

Desingularization Explains Order-Degree Curves for Ore Operators

16.2. Infinite Series. Introduction. Prerequisites. Learning Outcomes

An Investigation of Some Forward Security Properties for PEKS and IBE

DISCRIMINANTS IN TOWERS

On the Relationship Between Packet Size and Router Performance for Heavy-Tailed Traffic 1

Information collection on a graph

Online Appendix to Accompany AComparisonof Traditional and Open-Access Appointment Scheduling Policies

Solution sheet ξi ξ < ξ i+1 0 otherwise ξ ξ i N i,p 1 (ξ) + where 0 0

#A47 INTEGERS 15 (2015) QUADRATIC DIOPHANTINE EQUATIONS WITH INFINITELY MANY SOLUTIONS IN POSITIVE INTEGERS

Hidden Predictors: A Factor Analysis Primer

New Schedulability Test Conditions for Non-preemptive Scheduling on Multiprocessor Platforms

LINEAR SYSTEMS WITH POLYNOMIAL UNCERTAINTY STRUCTURE: STABILITY MARGINS AND CONTROL

Introduction to Group Theory Note 1

Convex Analysis and Economic Theory Winter 2018

Mobius Functions, Legendre Symbols, and Discriminants

The inverse Goldbach problem

Characteristics of Fibonacci-type Sequences

Efficient Cryptosystems From 2 k -th Power Residue Symbols

AI*IA 2003 Fusion of Multiple Pattern Classifiers PART III

Topic 7: Using identity types

Sums of independent random variables

Model checking, verification of CTL. One must verify or expel... doubts, and convert them into the certainty of YES [Thomas Carlyle]

Sets of Real Numbers

Introduction to Arithmetic Geometry Fall 2013 Lecture #10 10/8/2013

Transcription:

Bilinear Entroy Exansion from the Decisional Linear Assumtion Lucas Kowalczyk Columbia University luke@cs.columbia.edu Allison Bisho Lewko Columbia University alewko@cs.columbia.edu Abstract We develo a techniue insired by seudorandom functions that allows us to increase the entroy available for roving the security of dual system encrytion schemes under the Decisional Linear Assumtion. We show an alication of the tool to Attribute-Based Encrytion by resenting a Key-Policy ABE scheme that is fully-secure under DLIN with short ublic arameters. 1 Introduction Since its concetion in [32] attribute-based encrytion (ABE) has served as a demonstrably fertile ground for exloring the ossible tradeoffs between exressibility security and efficiency in crytograhically enforced access control. In addition to the otential alications it has in its own right the rimitive of attribute-based encrytion has been a catalyst for the definitions and constructions of further crytograhic rimitives such as functional encrytion for general circuits. The rich structure of secret keys demanded by exressive attribute-based encrytion has romoted a continuing evolution of roof techniues designed to meet the challenges inherent in balancing large and comlex structures on the inhead of simle comutational hardness assumtions. The origins of attribute-based encrytion can be traced back to identity-based encrytion [11 5] where users have identities that serve as ublic keys and secret keys are generated on demand by a master authority. A desirable notion of security for such schemes ensures resilience against arbitrary collusions among users by allowing an attacker to demand many secret keys for individual users and attack a cihertext encryted to any user not reresented in the set of obtained keys. Proving this kind of security reuires a reduction design that can satisfy the attacker s demands without fully knowing the master secret key. This challenge is exacerbated in the (key-olicy) attribute-based setting where user keys corresond to access olicies exressed over attributes and cihertexts are associated with subsets of these attributes. Decrytion is allowed recisely when a single user s olicy is satisfied by a cihertext s attribute set. Thus the structure of allowable keys that the attacker can reuest grows more comlex as the scheme is euied to exress more comlex olicies. As a conseuence of this the intuitive and elegant constructions of attribute-based encrytion in bilinear grous in [18 34] were only roven secure in the selective security model: a weakened model of security that reuires the attacker to declare the target of attack in advance before seeing the ublic arameters of the system. This limitation of the model allows Allison Lewko is suorted in art by NSF CNS 1413971 and NSF CCF 1423306. 1

the security reduction to embed the comutational challenge into its view of the ublic arameters of the scheme in a way that artitions the sace of secret keys. Keys that do not satisfy the targeted cihertext are able to be generated under the embedding while keys that do satisfy the cihertext cannot be generated. This aroach does not extend well to the full security model where this artificial limitation on the attacker is lifted. The first fully secure ABE schemes aeared in [19] using the dual system encrytion methodology [33] for designing the security reduction. In a dual system aroach there are tyically multile (comutationally indistinguishable) forms of keys and cihertexts. There are normal keys and cihertexts that are emloyed in the real system and then are various forms of semi-functional keys and cihertexts. The core idea is to rove security via a hybrid argument where the cihertext is changed to semi-functional and keys are changed to semi-functional tyes one by one until all the keys are of a semi-functional tye incaable of decryting the semi-functional cihertext (it is imortant that they still decryt normal cihertexts otherwise the hybrid transitions could be detected by the attacker who can create normal cihertexts for itself using the ublic arameters). Once we reach a state where the key and cihertexts distributions rovided to the attacker are no longer bound by correct decryt behavior it is easier for the reduction to roduce these without knowing the master secret key. The most critical ste of these dual system arguments occurs when a articular key changes from a tye that can decryt the challenge cihertext to a tye that cannot - the fact that this change is not detected by the attacker is where the reduction must use the criterion that the access olicy is not satisfied. The security reductions in [19] and many subseuent works (e.g. [28 22]) used an information-theoretic argument for this ste. However this argument reuires a great deal of entroy (secifically fresh randomness for each attribute-use in a olicy). This entroy was sulied by arameters in the semi-functional sace that aralleled the ublished arameters of the normal sace. This necessitated a blowu in ublic arameter and cihertext sizes secifically a multilicative factor of the the number of attribute-uses allowed for access olicies. In [26] it was observed that the initial stes of a tyical dual system encrytion hybrid argument could be re-interreted as roviding a shadow coy of the system arameters in the semi-functional sace that does not have to be committed to when the ublic arameters for the normal sace are rovided. This ersective suggests that one can embed a comutational challenge into these semi-functional sace arameters as semi-functional objects are roduced. For instance when a ortion of these arameters affect a single semi-functional key that is ueried after the semi-functional cihertext one can essentially embed the challenge in the same way as the original selective security arguments in [18]. In the reverse case where the semi-functional key is ueried before the challenge cihertext the embedding can be similar to a selective security roof for a cihertext-olicy ABE scheme where keys are associated with attributes and cihertexts are associated with access olicies. In [26] state of the art selective techniues for KP-ABE and CP-ABE systems were combined into a full security roof avoiding the blowu in arameters incurred by the information-theoretic dual system techniues. However even selective security for CP-ABE systems remains a rather challenging task and the state of the art techniue in [34] introduces an undesirable -tye assumtion into the fully secure ABE scheme. In the CP-ABE setting selectivity means that the attacker declares a target access olicy u front. This can then be leveraged by the security reduction to design ublic arameters so that it can create keys recisely for sets of attributes that do not satisfy this target olicy. The -tye assumtion in [34] was a conseuence of the need to encode a otentially large access olicy into small ublic arameters. This leaves us still searching for an ideal KP-ABE scheme in the bilinear setting that has arameter sizes comarable to the selectively secure scheme in [18] and a full security roof from a simle assumtion such as the 2

decisional linear assumtion (DLIN). A security reduction for such a scheme must seemingly break outside the mold of using either a urely information-theoretic or urely comutational argument for leveraging the fact that a reuested key olicy cannot be satisfied by the challenge cihertext. Our Results To demonstrate our aroach we resent a KP-ABE constructions in the comosite-order bilinear setting which is roven fully secure from simle assumtions and suorts LSSS/MSP access olicies (like its bilinear redecessors). Security is roven using a few secific instances of subgrou-decision assumtions and DLIN. Our scheme greatly reduces the size of the ublic arameters as comared to [19 28] as the number of grou elements we need to include in the ublic arameters grows only logarithmically rather than linearly in the bound on the number of attribute-uses in an access olicy. Our Techniues We intermix the comutational and information-theoretic dual system encrytion aroaches using comutational stes to boost the entroy of a small set of (unublished) semi-functional arameters to a level that suffices to make the rior informationtheoretic argument work. Essentially we use the fact that the semi-functional sace arameters are never ublished to not only delay their definition as exloited in [26] but further to argue that they can (comutationally) aear to rovide more entroy than their size would information-theoretically allow. The gadget that allows us do this comutational re-rocessing before the running information-theoretic argument is resented as our bilinear entroy exansion lemma. The insiration for the gadget construction comes from seudorandom generators/seudorandom functions. Naturally if we want a small set of semi-functional generators to seemingly roduce a large amount of entroy we may want to view these arameters as the seed for a PRF for examle. Out-of-the-box PRF constructions like Naor-Reingold [27] and its DLIN-based extension [25] however are unsuitable in the bilinear setting (even though the DLIN version would remain secure) because they would reuire direct access to the seed for comutation and a secure bilinear construction will only rovide indirect access to the seed as exonents of grou elements. To circumvent this difficulty we use a subset-sum based construction that can be comuted in a bilinear grou with the seed elements in the exonents. Of course using a naked linear structure would be detectable but we are able to use a rather minimal amount of additional random exonents to ush the linear sub-structure out of reach of detection by regular grou or airing oerations. We build our construction in two stes. First we resent a construction for a one-use KP-ABE system which only suorts access olicies where each attribute is used at most once. This scheme achieves cihertext and key sizes which rival those of selectively secure schemes (u to constants) while significantly reducing ublic arameter size. Then we aly a standard transformation to get from a one-use system to a system which allows multile uses of attributes in olicies (the number of uses allowed er attribute is constant and fixed at setu). The overhead of this transformation is drastically mitigated by our scheme s small ublic arameters. The effect on cihertext and key sizes comared to revious alications of this transformation remain the same u to constants. Further Discussion of Related Work Additional work on ABE in the bilinear setting includes various constructions of KP-ABE and CP-ABE schemes (e.g. [4 31 17]) schemes suorting multile authorities (e.g. [7 8 30 22]) and schemes suorting large attribute universes (e.g. [23 29]). Some of the structure for randomization in our schemes is insired by 3

[23]. The large universe scheme in [29] also achieves full-security with short ublic arameters using concetually different techniues. We view the main contribution of this aer to be the entroy exansion lemma which we believe is modular and otentially useful in other settings. Our aroach lends a clear understanding of the roles of information-theoretic and comutational techniues in dual-system encrytion roofs. There are also recent constructions of ABE schemes in the lattice setting. The construction of [16] allows access olicies to be exressed as circuits which makes it more exressive than any known bilinear scheme. It was roven selectively secure under the standard LWE assumtion. Circuit olicies are also suorted by the construction in [13] based on multilinear mas. This scheme is also roven selectively secure under a articular comutational hardness assumtion for multilinear grous. The very recent multilinear scheme in [14] achieves full security relying on comutational hardness assumtions in multilinear grous. The fully secure general functional encrytion scheme in [35] which relies on indistinguishability obfuscation can also be secialized to the ABE setting. Some relationshis between ABE and other crytograhic rimitives have also been exlored. The work of [2] derives schemes for verifiable comutation from attribute-based encrytion schemes while [15] use attribute-based encrytion as a tool in designing more general functional encrytion and reusable garbling schemes. Dual system encrytion roof techniues have also been further studied in the works of [21 10 35 1] alied to achieve leakage resilience in [24 20 12] and alied directly to comutational assumtions in [9]. 2 Preliminaries 2.1 Comosite Order Bilinear Grous Our construction uses comosite order bilinear grous. which were introduced in [6]. We let G denote a grou generator - an algorithm which takes a security arameter λ as inut and oututs a descrition of a bilinear grou G. We define G s outut as (N G G T e) where N = w is a roduct of three distinct rimes G and G T are cyclic grous of order N and e : G G G T is a ma with the following roerties: 1. (Bilinear) g f G a b Z N e(g a f b ) = e(g f) ab 2. (Non-degenerate) g G such that e(g g) has order N in G T. We refer to G as the source grou and G T as the target grou. We assume that the grou oerations in G and G T and the ma e are comutable in olynomial time with resect to λ and the grou descritions of G and G T include a generator of each grou. We let G G and G w denote the subgrous of order and w in G resectively. We note that these subgrous are orthogonal to each other under the bilinear ma e: if u v are elements of two different subgrous out of {G G G w } then e(u v) is the identity element in G T. If g generates G g generates G and g w generates G w then every element f of G can be exressed as f = g c 1 g c 2 g c 3 w for some values c 1 c 2 c 3 Z N. We will refer to g c 1 as the G art of f for examle. 2.2 Comlexity Assumtions We now resent the comlexity assumtions we will use to rove the security of our system. We use the notation x S to exress that element x is chosen uniformly at random from the finite set S. We will first consider grous G whose orders are roducts of three distinct rimes: w. We denote the subgrous of G with these orders by G G G w resectively. We use the notation g g g w to denote generators of these resective subgrous. 4

Subgrou Decision Assumtion 1 The Subgrou Decision Problem 1 is stated as follows: on a grou G of order w given g g w and T where either T = g s G or T = g g s s G (where s is distributed uniformly in Z and s is distributed uniformly in Z ) outut yes if T = g s and no otherwise. Definition 1. Subgrou Decision Assumtion 1 in G: no olynomial time algorithm can achieve non-negligible advantage in deciding the Subgrou Decision Problem 1 in G. Subgrou Decision Assumtion 2 on a grou G of order w given g g w g g s s g r gw r and T where either T = gg y w y The Subgrou Decision Problem 2 is stated as follows: or T = ggỹ y gw y (where s y are distributed uniformly in Z s r and ỹ are distributed uniformly in Z and r y are distributed uniformly in Z w ) outut yes if T = g y g y w and no otherwise. Definition 2. Subgrou Decision Assumtion 2 in G: no olynomial time algorithm can achieve non-negligible advantage in deciding the Subgrou Decision Problem 2 in G. Subgrou Decision Assumtion 3 The Subgrou Decision Problem 3 is stated as follows: given a grou G of order w given g g g w g α g α g g s s and T where either T = e(g g ) αs or T = X (where α s are distributed uniformly in Z α s are distributed uniformly in Z and X is distributed uniformly in G T ) outut yes if T = e(g g ) αs and no otherwise. Definition 3. Subgrou Decision Assumtion 3 in G: no olynomial time algorithm can achieve non-negligible advantage in deciding the Subgrou Decision Problem 3 roblem in G. We additionally use one assumtion in the rime order setting where G is a bilinear grou of rime order and g is a generator: 2-Linear Assumtion (DLIN) The 2-Linear roblem is stated as follows: given a cyclic grou G of rime order g g y 1 g y 2 g y 1c 1 g y 2c 2 g c 1+c 2 +r G (where y 1 y 2 c 1 c 2 are distributed uniformly in Z and r is either a uniform random element of Z or 0) outut yes if r is a random element of Z and no otherwise. Definition 4. 2-Linear Assumtion in G: no olynomial time algorithm can achieve nonnegligible advantage in deciding the 2-Linear roblem in G. 2.3 Background for ABE We now give reuired background material on Linear Secret Sharing Schemes the formal definition of a KP-ABE scheme and the security definition we will use. 2.3.1 Linear Secret Sharing Schemes Our construction uses linear secret-sharing schemes (LSSS). We use the following definition (adated from [3]). In the context of ABE attributes will lay the role of arties and will be reresented as nonemty subsets K [k] for a fixed k. Definition 5. (Linear Secret-Sharing Schemes (LSSS)) A secret sharing scheme Π over a set of attributes is called linear (over Z ) if 1. The shares belonging to all attributes form a vector over Z. 5

2. There exists an l n matrix Λ called the share-generating matrix for Π. The matrix Λ has l rows and n columns. For all j = 1... l the j th row of Λ is labeled by an attribute K. When we consider the column vector v = (s r 2... r n ) where s Z is the secret to be shared and r 2... r n Z are randomly chosen then Λv is the vector of l shares of the secret s according to Π. The share (Λv) j = λ K belongs to attribute K. We note the linear reconstruction roerty: we suose that Π is an LSSS. We let S denote an authorized set. Then there is a subset S S such that the vector (1 0... 0) is in the san of rows of Λ indexed by S and there exist constants {ω K Z } K S such that for any valid shares {λ K } of a secret s according to Π we have: ω K λ K = s. These constants {ω K } can K S be found in time olynomial in the size of the share-generating matrix Λ [3]. For unauthorized sets no such S {ω K } exist. For our comosite order grou construction we will emloy LSSS matrices over Z N where N is a roduct of three distinct rimes w. As in the definition above over the rime order Z we say a set of attributes S is authorized if is a subset S S such that the rows of the access matrix A labeled by elements of S have the vector (1 0... 0) in their san modulo N. However in our security roof for our comosite order system we will further assume that for an unauthorized set the corresonding rows of A do not include the vector (1 0... 0) in their san modulo. We may assume this because if an adversary can roduce an access matrix A over Z N and an unauthorized set over Z N that is authorized over Z then this can be used to roduce a non-trivial factor of the grou order N which would violate our subgrou decision assumtions. 2.3.2 KP-ABE Definition A key-olicy attribute-based encrytion system consists of four algorithms: Setu Encryt KeyGen and Decryt. Setu(λ U) (PP MSK) The setu algorithm takes in the security arameter λ and the attribute universe descrition U. It oututs the ublic arameters PP and a master secret key MSK. Encryt(PP M S) CT The encrytion algorithm takes in the ublic arameters PP the message M and a set of attributes S. It will outut a cihertext CT. We assume that S is imlicitly included in CT. KeyGen(MSK PP A) SK The key generation algorithm takes in the master secret key MSK the ublic arameters PP and an access structure A over the universe of attributes. It oututs a rivate key SK which can be used to decryt cihertexts encryted under a set of attributes which satisfies A. We assume that A is imlicitly included in SK. Decryt(PP CT SK) M The decrytion algorithm takes in the ublic arameters PP a cihertext CT encryted under a set of attributes S and a rivate key SK for an access structure A. If the set of attributes of the cihertext satisfies the access structure of the rivate key it oututs the message M. 2.3.3 Full Security for KP-ABE Systems We define full security for KP-ABE Systems in terms of the following game: 6

The challenger runs the Setu algorithm and gives the ublic arameters to the at- Setu tacker. The attacker ueries the challenger for rivate keys corresonding to access struc- Phase 1 tures. Challenge The attacker declares two eual length messages M 0 M 1 and a set of attributes A U where U is the attribute universe such that A does not satisfy the access structure of any of the keys reuested in Phase 1. The challenger flis a random coin β {0 1} encryts M β under S to yield cihertext CT β and gives CT β to the attacker. Phase 2 The attacker ueries the challenger for rivate keys corresonding to access structures that are not satisfied by S. Guess The attacker oututs a guess β. KP ABE Definition 6. The advantage of an attacker A in this game is defined as AdvA (λ) = Pr[β = β ] 1 2. Definition 7. A key-olicy attribute based encrytion scheme is fully secure if no olynomial time algorithm can achieve a non-negligible advantage in the above security game. 2.3.4 Transformation from One-Use to Multile Use KP-ABE Given a KP-ABE scheme which is fully-secure when attributes are used at most once in access olicies we can obtain a KP-ABE scheme which is fully-secure when each attribute is used at most some constant number of times in access olicies using a standard transformation. Essentially multile uses of an attribute are treated as new attributes in the one-use system. For examle if we want an attribute x to be able to be used u to k x times in access olicies we will instantiate our one-use system with k x attributes x : 1... x : k x. Each time we want to label a row of an access matrix Λ with x we label it with x : i for a new value of i. Each time we want to associate a subset S of attributes to a cihertext we instead use the set S = {x : 1... x : k x x S}. We can then emloy the one-use KP-ABE scheme on this new larger set of attributes and retain its full security and functionality. Clearly this transformation comes at a cost. Tyically the cihertext and ublic arameter size of the KP-ABE scheme resulting from the transformation now scale linearly with the number of attribute-uses allowed in access olicies not just the number of attributes. This blowu is seen in all revious fully secure KP-ABE schemes based on static assumtions and resents a roblem if one desires olicies which have high reuse of attributes. Our one-use KP-ABE scheme mitigates the roblem with ublic arameter size by featuring ublic arameters that scale only logarithmically with the number of attributes suorted by the system comared to the linear scaling of all other known fully secure KP-ABE schemes based on static assumtions. 3 KP-ABE Construction Our single-use KP-ABE construction assumes a olynomially sized attribute universe U where attributes are non-emty subsets K [k] for some fixed k. The rior fully secure single-use KP-ABE scheme in [19] reuired a fresh grou element to aear in the ublic arameters for each attribute in the universe. After using the generic transformation discussed in section 2.3.4 7

this results in the scheme reuiring a fresh grou element for each attribute-use allowed in access olicies. As a concrete examle if one wanted to allow 9 attributes to be used u to 7 times each one needed to have 9 7 = 63 grou elements in the ublic arameters corresonding to this attribute. In our comosite order scheme to allow the same 63 = 2 6 1 attribute-uses we only need 2 6 grou elements in the ublic arameters corresonding to the attribute. The way we accomlish this dramatic comression of ublic arameters is to note that the encrytor can roduce 63 grou elements from 6 by taking roducts of all non-emty subsets (these corresond to subset-sums in the exonent). More generally given k grou elements g a 1... g a k we can roduce 2 k 1 grou elements by enumerating over all non-emty subsets a j K [k] and comuting gj K. We name the resulting collection of elements g A K where A K := a j. Our comosite order scheme uses two arallel such subset constructions (which j K is the reason for the factor of 2). Obviously these 2 k 1 grou elements no longer look random - they have linear relationshis in their exonents by construction. However since we are assuming the decisional linear assumtion is hard if we choose 2 k 1 additional random exonents {t K } then the 2(2 k 1) grou elements formed as {g t K g t KA K } are comutationally indistinguishable from 2(2 k 1) uniformly random grou elements (which lack any hidden linear structures in their exonents). The roof of this is the core of bilinear entroy exansion lemma though the full statement of the lemma includes some additional structure that is useful for linking into a KP-ABE construction. The dual system encrytion framework allows us to aly this argument to the arameters in the semi-functional sace where we do not need to ublish the values {g a j }. (Note that ublishing these would make the structure of {g t K g t KA K } detectable through alications of the bilinear ma.) Setu(λ U k) P P MSK The setu algorithm chooses a bilinear grou G of order N = w where w are rimes. We let G G G w reresent the subgrou of order and w resectively in G. It then draws α Z N and random grou element (generator) g G. For each j [k] it chooses values a j b j Z N. The ublic arameters are N g e(g g ) α {g a j g b j : j [k]}. The MSK is α and a generator g w of G w. Such a construction is euied to create keys for access olicies which include attributes K [k] where K is not emty. KeyGen(MSK Λ P P ) SK The key generation algorithm takes in the ublic arameters master secret key and LSSS access matrix Λ. First the key generation algorithm generates {λ K }: a linear sharing of α according to olicy matrix Λ (the reader is referred to section 2.3.1 for details). For each attribute K corresonding to a row in the olicy matrix Λ it then raises generator g w to random exonents to create g z K w g z K w w G w chooses exonent y K Z N and comutes g A K = g a j and g B K = g b j. Note that here and throughout the rest of the j K j K descrition of our construction and its roof of security we will use the notation A K = j K a j and B K = j K b j. It then oututs the secret key: SK Λ = {g λ K (This imlicitly includes Λ) g z K w g y K g z K w 8

Encryt(M S P P ) CT The encrytion algorithm first draws s Z N. For each K S the encrytion algorithm draws t K Z N and comutes g A K = g a j and g B K = g b j. It j K j K then oututs the cihertext: (This imlicitly includes S) CT = Me(g g ) αs {g s g sa K g t KB K g t K : ( K S)} Decryt(CT SK P P ) M We let S corresond to the set of attributes associated to cihertext CT and Λ be the olicy matrix. If S satisfies Λ the decrytion algorithm comutes suitable constants ω K such that ω K λ K = α (recall section 2.3.1). It then comutes: K S K S e(g s g λ K g z K w ) e(gy K g z K e(g t K w g sa K g t KB K ) w ) 1 ω K = ( ( e(g g ) sλ K e(g g ) sy e(g KA K g ) sy KA K e(g g ) t Ky K B K ) 1 ) ωk e(g K S g ) t Ky K B K = ( e(g g ) sλ K e(g g ) sy KA K ) ωk e(g K S g ) sy KA K = ( ) e(g g ) sλ ωk K K S sω K λ K = e(g g ) K S = e(g g ) αs The message can then be recovered by comuting: Me(g g ) αs /e(g g ) αs = M. This demonstrates correctness of the scheme. 4 Security Proof Our security roof uses a hybrid argument over a seuence of games. We let Game real denote the real security game. The rest of the games use semi-functional keys and cihertexts which we describe below. We let g denote a fixed generator of the subgrou G which will serve as the semi-functional sace. Like a tyical dual system encrytion roof we will begin by transitioning from a normal cihertext to a semi-functional cihertext with semi-functional comonents that mimic the structure of their normal counterarts. This kind of transition can be done with a basic subgrou decision assumtion. We will then erform a hybrid over keys gradually changing each one to a semi-functional form that does not roerly decryt the semi-functional cihertext. To start we can bring in semi-functional comonents for a articular key that mimic the structure of normal comonents u to the constraint that the shared valued in the semi-functional sace will be 0 (modulo ). Technically this constraint arises because we will be taking a challenge term from a subgrou decision assumtion that has an unknown exonent in the normal sace and raising it to a share - so we have to make this a share of 0 and searately share the α value in the normal sace so that the unknown exonent does not affect the correctness of the 9

sharing in the normal sace. At a higher level this constraint exlains why the simulator at this stage of the hybrid cannot solve the challenge roblem for itself by test decryting against a semi-functional cihertext. Since the structure in the semi-functional sace arallels the normal structure and the shared value here is zero the semi-functional comonents will cancel out uon decrytion. So we can arrive at a stage where a key and cihertext have semi-functional comonents structured just like the normal sace but with fresh arameters modulo that are indeendent of the ublished arameters modulo. This is a conseuence of the Chinese Remainder Theorem that ensures when we samle an exonent uniformly at random modulo N its modulo and modulo reductions are indeendent and uniformly random in Z Z resectively. Since these imlicit arameters in the semi-functional sace are never ublished we can use our bilinear entroy exansion lemma to argue that their subset-sum structure is hidden under the decisional linear assumtion. This allows us to relace them with higher entroy arameters (lacking the subset-sum structure of the normal sace) and then argue that the shared value in the semi-functional sace is information-theoretically hidden (this is where we use that the access olicy is not satisfied and that attributes are used at most once in the olicy). This enables us to switch the semi-functional shares in the key to shares of a random value now destroying correct decrytion of a semi-functional cihertext. We then remove some of the other (now unnecessary) semi-functional comonents of the key to reclaim the entroy of those arameters to use in rocessing the next key in the hybrid. Finally once we have reached a game where all keys are semi-functional with shares of a random secret modulo we can use Subgrou Decision Assumtion 3 to create such keys without knowing the master secret and can hence comlete the roof. We now formally resent our definitions of semi-functional cihertexts and keys and our hybrid roof: Semi-functional Cihertext We will use 3 tyes of semi-functional cihertexts. To roduce a semi-functional cihertext for an attribute set S one first calls the normal encrytion algorithm to roduce a normal cihertext consisting of: Me(g g ) αs {g s g sa K g t KB K g t K : ( K S)} One then draws s Z N. For each K S an exonent t K Z N is chosen. The remaining comosition of the semifunctional cihertext deends on the tye of cihertext desired: Tye 1 The semi-functional cihertext of Tye 1 is formed as: Me(g g ) αs {g s g s g sa K g t KB K g sa K g t K B K g t K g t K : ( K S)} (again here A K = j K a j and B K = j K b j ) Tye 2 The semi-functional cihertext of Tye 2 is formed as: Me(g g ) αs {g s g s g sa K g t KB K g sa K g t K bk g t K g t K : ( K S)} for fixed b K Z N which are chosen uniformly at random and fixed if they do not already exist (in a semi-functional key for instance). 10

Tye 3 The semi-functional cihertext of Tye 3 is formed as: Me(g g ) αs {g s g s g sa K g t KB K g sã K g t K bk g t K g t K : ( K S)} for fixed ã K b K Z N which are chosen uniformly at random and fixed if they do not already exist. Semi-functional Keys We will use 7 tyes of semi-functional keys. To roduce a semifunctional key for an access olicy Λ one first calls the normal key generation algorithm to roduce a normal key consisting of: {g λ K g z K w g y K g z K w The first 6 tyes of keys fall under 3 classes which have two variants each: a Z variant and an R variant. For Z-tye keys one comutes a linear sharing of 0 under access olicy Λ creating shares λ K. For R-tye keys one comutes a linear sharing of a random element u of Z which is fixed once it is created and used for all R-tye keys. u is shared under access olicy Λ to create shares λ K. The next stes deend on the class of the key: Class 1 First comute g A K and g B K (where again A K and B K reresent the subset-sums of a j and b j ). For each K label in the honest key one then draws ỹ K Z N and forms the semi-functional key of tye 1Z or 1R (deending on the sharing λ K ) as: {g λ K g λ K gỹka K g z K w g y K gỹk g z K w gỹkb K Class 2 First comute g A K. Random values b K Z N are chosen if they do not already exist (in a semi-functional cihertext for instance) and fixed. For each K label in the honest key one then draws ỹ K Z N and forms the semi-functional key of tye 2Z or 2R as: {g λ K g λ K gỹka K g z K w g y K gỹk g z K w gỹk b K Class 3 Random values ã K b K Z N are chosen if they do not already exist and fixed. For each K label in the honest key one then draws ỹ K Z N and forms the semi-functional key of tye 3Z or 3R as: {g λ K g λ K gỹkã K g z K w g y K gỹk g z K w gỹk b K Note that we now have defined 6 tyes of keys: 1Z 1R 2Z 2R 3Z and 3R where the letter (Z/R) describes whether the λ K share zero or a random element of Z resectively and the number (1/2/3) describes whether the semi-functional analogues of the g A K and g B K in the G grou are structured as subset-sums or as random elements of G (Class 1 keys have both g A K and g B K. Class 2 keys have just g A K have both relaced by random elements gãk g b K 4R which does not contain any of these elements: structured with a random element g b K. Class 3 keys of G ). There is one final tye of key tye Tye 4R Using shares λ K of u (which is randomly chosen from Z and fixed if it has not already been fixed) one forms the semi-functional key of tye 4R as: {g λ K g λ K g z K w g y K g z K w 11

Proof Structure Our hybrid roof takes lace over a series of games defined as follows: Letting Q denote the total number of key ueries that the attacker makes we define Game l1 Game l2 Game l3 Game l4 Game l5 Game l6 and Game l7 for l = 1... Q. In each game the first l 1 keys are semi-functional of tye 4R and all keys after the lth reuest are normal. They differ in the construction of the lth key and the cihertext as follows: Game l1 In this game the lth key is tye 1Z and the cihertext is tye 1. Game l2 In this game the lth key is tye 2Z and the cihertext is tye 2. Game l3 In this game the lth key is tye 3Z and the cihertext is tye 3. Game l4 In this game the lth key is tye 3R and the cihertext is tye 3. Game l5 In this game the lth key is tye 2R and the cihertext is tye 2. Game l6 In this game the lth key is tye 1R and the cihertext is tye 1. Game l7 In this game the lth key is tye 4R and the cihertext is tye 1. Note that under this definition we have that in Game 07 the cihertext given to the attacker is tye 1 and the keys are all normal. The outer structure of our hybrid argument will rogress as follows. First we transition from Game real to Game 07 then to Game 11 next to Game 12 next to Game 13 next to Game 14 next to Game 15 next to Game 16 next to Game 17 and then to Game 21 and so on. We then arrive at Game Q7 where the cihertext is semifunctional of tye 1 and all of the keys given to the attacker are semi-functional of tye 4R. We then transition to one last game named Game final which will comlete our roof. Game final uses a semi-functional cihertext of a new tye: tye X which we will now define: Tye X The semi-functional cihertext of Tye X is formed as: MX {g s g s g sa K g t KB K g sa K g t K B K g t K g t K : ( K S)} where X is a uniform random element of G T.(again here A K = j K a j and B K = j K b j ) Game final In this game all keys are semi-functional of tye 4R and the cihertext is semifunctional of tye X. Note that a cihertext of tye X information-theoretically hides its message M because the message is multilied by the uniform random X which is unused anywhere else. So in Game final no olynomial time adversary will be able to achieve advantage in the security game comleting our roof. Our hybrid argument is accomlished in the following lemmas: Lemma 8. Under the Subgrou Decision Assumtion 1 no olynomial time attacker can achieve a non-negligible difference in advantage between Game real and Game 07. 12

Proof. If an algorithm A has non-negligible difference in advantage between Game real and Game 07 then we could use A to achieve non-negligible advantage in the Subgrou Decision Problem 1 as follows: Given g g w and T where either T = g s G or T = g g s s G (where s Z and s Z ) consider the following simulator B in the security game: The ublic arameters are formed by using the given g choosing α a j b j randomly from Z N and giving the constructed ublic arameters to A. B can resond to key reuests by running the usual key generation algorithm to make normal keys because it knows the MSK. To return the challenge cihertext for a set of attributes S for each K S a t K Z N is drawn then the following cihertext is constructed and rovided: } Me(g T ) α {T T A K T t K B K T t K : ( K S) The simulator is able to honestly follow the rest of the scheme using generators g g w so the only difference between its execution distributions deends on the different cihertexts formed deendent on T. Notice that if T = g s for s Z then the distribution of cihertexts formed is identical to the honest case (where t K = t K s) and so the simulator s behavior is exactly that of Game real. If T = g g s s for s Z s Z the cihertext formed is a semi-functional cihertext of tye 1 (where t K = t K s and t K = t K s are indeendent since the values of t K modulo and modulo are indendent and uniform in Z Z resectively by the Chinese Remainder Theorem) so the simulator s behavior is exactly that of Game 07. Therefore any adversary with non-negligible difference in advantage between Game real and Game 07 could be used to achieve the same non-negligible advantage in deciding the Subgrou Decision Problem 1. By assumtion this is not ossible so such an adversary cannot exist. Lemma 9. Under the Subgrou Decision Assumtion 2 no olynomial time attacker can achieve a non-negligible difference in advantage between Game (l 1)7 and Game l1 for any l from 1 to Q Proof. If an algorithm A has non-negligible difference in advantage between Game (l 1)7 and Game l1 for some l in [1 Q] then we could use A to achieve non-negligible advantage in the Subgrou Decision Problem 2 as follows: Given g g w g g s s g r gw r and T where either T = gg y w y or T = ggỹ y gw y (where s y Z s r ỹ Z and r y Z w ) consider the simulator in the security game which acts as follows: The ublic arameters are formed by using the rovided g choosing α a j b j randomly from Z n and giving the constructed ublic arameters to A. To return the challenge cihertext for a set of attributes S for each K S t K Z N is drawn then the following semi-functional cihertext of tye 1 is constructed and rovided: Me(g g s g s ) α {g s g s (g s g s ) A K (g s g s ) t K B K (g s g s ) t K : ( K S)} Here the semi-functional cihertext has t K = st K and t K = st K which are indeendent since the values of t K modulo and modulo are indendent and uniform in Z Z resectively by the Chinese Remainder Theorem. For each reuested key for olicy Λ since the simulator knows the MSK α it can generate an honest key: SK = {g λ K g z K w g y K g z K w 13

using the key generation algorithm with g and g w. For honest keys after the lth reuest the simulator returns this key. The simulator additionally chooses and fixes u Z N. For key reuests u to the (l 1)th reuest the simulator generates shares λ K of u. The first l 1 semi-functional keys of tye 4R can be created by returning: SK = {g λ K (g r gw r ) λ K g z K w g y K g z K w Note that these are valid semi-functional keys of tye 4R where the λ K = r λ K ( λ K are a sharing of u so the r λ K are a sharing of u = ru which is uniformly distributed in Z and fixed across all R-tye keys). Also notice that the extra G w comonent g r λ K w is absorbed by the uniform random g z K w. For the lth key reuest the simulator generates λ K and λ K shares of α and 0 resectively. It then draws y K Z N and roduces the key: {g λ K T λ K (T y K ) A K g z K w T y K g z K w (T y K ) B K w : ( K labels Λ)} If T = gg y w y then the key is an honest key where λ K = λ K + yλ K which is a valid sharing of α (λ K is a sharing of zero which multilying it by y does not change and adding this to λ K (the sharing of α) results in another sharing of α) and y K = y K y. The extra G w comonents are all absorbed by the uniform random g z K w g z K w and w. If T = ggỹ y gw y then the key is semi-functional of tye 1Z where λ K = λ K + yλ K which is again a valid sharing of α ỹ K = y Kỹ and y K = y K y which are indeendent since the values of y K modulo and modulo are indendent and uniform in Z Z resectively by the Chinese Remainder Theorem. The extra G w comonents are all absorbed by the uniform random g z K w g z K w and w. Therefore any adversary able to achieve a non-negligible difference in advantage between Game (l 1)7 and Game l1 for some l in [1 Q] could be used to achieve the same non-negligible advantage in deciding the Subgrou Decision Problem 2. By assumtion this is not ossible so such an adversary cannot exist. Bilinear Entroy Exansion Before the next ste of the hybrid roof we will need a result about the indistinguishability between two distributions based on the 2-Linear Comutational Hardness Assumtion. Definition 10. Given G a grou of rime order and g a generator of that grou let D 1 (m) be the distribution of: g s gỹ1... gỹm 1 gỹ1r 1... gỹm 1r M 1 gỹ1b 1... gỹm 1b M 1 g t 1... g t M 1 g sr 1+ t 1 b 1... g sr M 1+ t M 1 b M 1 where the ỹ i t i b i r i s Z and M = 2 m. 14

Definition 11. Given G a grou of rime order g a generator of that grou and C = {c 1... c m } a set of m elements drawn uniformly at random from Z let D 2 (m) be the same distribution as above where the ỹ i t i b i s Z but each r i = j C i c j where C i denotes the ith indexed nonemty subset of C ( C = m and there are M 1 = 2 m 1 nonemty subsets). The Bilinear Entroy Exansion Lemma states that these two distributions are indistinguishable: Lemma 12. The distributions D 1 (k) and D 2 (k) are comutationally indistinguishable under the 2-Linear comutational hardness assumtion if k = O(lg oly(λ)). We defer the roof of this lemma to the end of this security roof and return to the next ste in our hybrid: where the B K in the semi-functional sace change to random elements g b K. Lemma 13. Under the 2-Linear Assumtion no olynomial time attacker can achieve a nonnegligible difference in advantage between Game l1 and Game l2 for any l from 1 to Q. Proof. From Lemma 12 we have that the distributions D 1 (k) and D 2 (k) are comutationally indistinguishable under the 2-Linear comutational hardness assumtion if k = O(lg oly(λ)). However if an algorithm A is able to achieve a non-negligible difference in advantage δ between Game l1 and Game l2 for some l in [1 Q] then we could use A to create a distinguisher B for D 1 (k) and D 2 (k) where k is the same value that defines our attribute universe U. (This resents a contradiction since U = O(oly(λ)) and U is defined as containing all subsets of [k] so k = O(lg oly(λ))). We do this as follows: Let the generator of G used in D 1 (k) and D 2 (k) be g. Rename the set C as C = {b 1... b k }. Now given the challenge instance g s gỹ1... gỹk 1 gỹ1r 1... gỹk 1r K 1 gỹ1b 1... gỹk 1b K 1 g t 1... g t K 1 g sr 1+ t 1 b 1... g sr K 1+ t K 1 b K 1 relabel each index as the subset K [k] associated to it so in articular we have: gỹk gỹkr K for all nonemty subsets K [k]. (Note that here we do not even use all of the challenge instance just the sections of gỹk gỹkr K. The full set is needed later when we reuse the lemma in the next hybrid roof). Now B forms the ublic arameters using g choosing α a j b j randomly and giving the aroriately constructed ublic arameters to A. To return the challenge cihertext for a set of attributes S first choose an s Z N. The simulator then redefines s by samling it uniformly at random from Z N. Then t K t K Z N are chosen for each K S. The following semi-functional cihertext can then be constructed and rovided: Me(g g ) αs {g s g s g sa K g t KB K g sa K (gỹkr K ) t K g t K (gỹk ) t K : ( K S)} 15

Here t K = t KỹK for all K S. For each reuested key S for olicy Λ since the simulator knows the MSK α it can generate an honest key: SK = {g λ K g z K w g y K g z K w using the key generation algorithm with g and g w. For honest keys after the lth reuest the simulator returns this key. The simulator additionally chooses and fixes u Z N. For key reuests u to the (l 1)th reuest the simulator generates shares λ K of u.the first l 1 semi-functional keys of tye 4R can be created by returning: SK = {g λ K g λ K g z K w g y K g z K w For the lth key reuest B can comute λ K : a sharing of 0 and return the key: {g λ K g λ K (gỹk ) A K g z K w g y K (gỹk )g z K w (gỹkr K ) Notice that if r K = j K b j then g r K = j K g b j is distributed identically to g B K = j K g b j by the Chinese Remainder Theorem. Each b j is a random element of Z N so its value taken mod is indeendent of its value mod. So the distributions of ( j K g b j g b j j K ) = (g B K g B K ) and ( g b j g b j ) = (g B K g r K ) are identical. j K j K Constructing the lth key and challenge cihertext this way gives them alternatively structured or random comonents deending on whether the r K = b j or are uniformly random j K in Z. If the challenge set is drawn from D 2 (k) then B behaves as exected in Game l1 (where the challenge cihertext and lth key are semi-functional of tye 1 and 1Z resectively). If the challenge set is drawn from D 1 (k) then B behaves as exected in Game l2 (where the challenge cihertext and lth key are semi-functional of tye 2 and 2Z resectively). Therefore any adversary with non-negligible difference in advantage δ between Game l1 and Game l2 could be used to achieve the same non-negligible difference in advantage in distinguishing the distributions D 1 (k) and D 2 (k). By Lemma 12 this is not ossible so such an adversary cannot exist and therefore we have roven that no olynomial time attacker can achieve a non-negligible difference in advantage between Game l1 and Game l2 for any l from 1 to Q. The roof for the next ste in our hybrid is similar as we transition from structured g A K to random elements gãk (excet this uses the full version of our Bilinear Entroy Exansion lemma): Lemma 14. Under the 2-Linear Assumtion no olynomial time attacker can achieve a nonnegligible difference in advantage between Game l2 and Game l3 for any l from 1 to Q. Proof. From Lemma 12 we have that the distributions D 1 (k) and D 2 (k) are comutationally indistinguishable under the 2-Linear comutational hardness assumtion if k = O(lg oly(λ)). However if an algorithm A is able to achieve non-negligible difference in advantage δ between Game l2 and Game l3 for some l in [1 Q] then again we could use A to create a distinguisher B for D 1 (k) and D 2 (k) (where again we use the same k which defines our attribute universe U and satisfies k = O(lg oly(λ))). We do this as follows: 16

Let the generator of G used in D 1 (k) and D 2 (k) be g. Relabel the set C as C = {a 1... a k }. Now given the challenge instance g s gỹ1... gỹk 1 gỹ1r 1... gỹk 1r K 1 gỹ1b 1... gỹk 1b K 1 g t 1... g t K 1 g sr 1+ t 1 b 1... g sr K 1+ t K 1 b K 1 relabel each index as the subset K [k] associated to it so we have: g s gỹk gỹkr K gỹkb K g t K g sr K+ t K b K for all nonemty subsets K [k]. Now B forms the ublic arameters using g choosing α a j b j randomly and giving the aroriately constructed ublic arameters to A. To return the challenge cihertext for a set of attributes S first choose an s Z N. Then t K Z N are chosen for all K S. The following semi-functional cihertext can then be constructed and rovided: Me(g g ) αs {g s (g s ) g sa K g t KB K (g sr K+ t K b K ) g t K g t K : ( K S)} Note that here we imlicitly set b K = b K. For each reuested key for olicy Λ since the simulator knows the MSK α it can generate an honest key: SK = {g λ K g z K w g y K g z K w using the key generation algorithm with g and g w. For honest keys after the lth reuest the simulator returns this key. The simulator additionally chooses and fixes u Z N. For key reuests u to the (l 1)th reuest the simulator generates shares λ K of u.the first l 1 semi-functional keys of tye 4R can be created by returning: SK = {g λ K A y K K g λ K g z K w g y K g z K w For the lth key reuest B can comute λ K : a sharing of 0 and return the key: {g λ K g λ K (gỹkr K )g z K w g y K (gỹk )g z K w (gỹkb K ) Again notice that if r K = j K a j then g A K = j K g a j is distributed identically to j K g a j = g r K by the Chinese Remainder Theorem. Each a j is a random element of Z N so its value taken mod is indeendent of its value mod. So the distributions of ( j K and ( j K g a j g a j j K ) = (g A K g r K ) are identical. g a j g a j j K ) = (g A K g A K ) 17

So constructing the challenge cihertext and lth key this way causes them to have alternatively structured or random comonents deending on whether the r K = j K a j or are uniformly random in Z. If the challenge set is drawn from D 2 (k) then B behaves as exected in Game l2 (where the challenge cihertext and lth key are semi-functional of tye 2 and 2Z resectively). If the challenge set is drawn from D 1 (k) then B behaves as exected in Game l3 (where the challenge cihertext and lth key are semi-functional of tye 3 and 3Z resectively). Therefore any adversary with non-negligible difference in advantage δ between Game l2 and Game l3. could be used to achieve the same non-negligible difference in advantage in distinguishing the distributions D 1 (k) and D 2 (k). By Lemma 12 this is not ossible so such an adversary cannot exist and therefore we have roven that no olynomial time attacker can achieve a non-negligible difference in advantage between Game l2 and Game l3 for any l from 1 to Q. We continue to the next ste in our hybrid roof: Lemma 15. No olynomial time attacker can achieve a non-negligible difference in advantage between Game l3 and Game l4 for any l from 1 to Q Proof. Recall that in both Game l3 and Game l4 the cihertext is semi-functional of tye 3 all keys after the lth key reuest are normal and the first l 1 keys are semi-functional of tye 4R. The only difference is the lth key (either semi-functional of tye 3Z or 3R). In Game l3 the shares λ K are a sharing of 0 while in Game l4 they are a sharing of the u used in R-tye keys. The transition between these two modes of oeration is accomlished using an informationtheoretic argument. Namely the distribution of elements seen by an attacker in both games is the same. To see this note that for any attribute K not included in the cihertext then the distributions of the elements of the key indexed by K are identical in both cases since the λ K are masked by a gãkỹ K where the ã K are chosen uniformly at random and used nowhere else (they do not aear in keys other than the lth key and only aear at most once in the lth key because of our single-use restriction) therefore hiding the value of all λ K information-theoretically. For attributes K used in the cihertext this argument does not aly (since these ã K do aear elsewhere - in the cihertext). For these note that in the security game the attacker is not allowed to reuest a key that is able to decryt the challenge cihertext. So for this key with olicy Λ the rows of the olicy matrix Λ corresonding to the attributes the challenge cihertext is encryted under do not contain (1 0... 0) in their san (modulo N). We can further assume that the corresonding rows of Λ do not include (1 0... 0) in their san modulo (because if an adversary can roduce an unauthorized set over Z N that is authorized over Z then this can be used to roduce a non-trivial factor of the grou order N which would violate our subgrou decision assumtions). Therefore there exists some vector w Z n orthogonal to the san of these rows which is not orthogonal to (1 0... 0) modulo (since Z is a finite field). By scaling this vector we can have w = (1 w 2... w n ) for some collection of w i. Now notice that whether the shares λ K which comrise λ were generated by taking Λ r = λ where r = (0 r 2... r n ) (that is a valid sharing of zero) or taking Λ( r + u w) where (that is a valid sharing of the u used in R-tye keys) then the distributions of shares λ K modulo (they are exonents of g ) that are not information-theoretically hidden by the revious argument are the same. All that is seen are λ K created by taking dot roducts with rows of Λ - for the shares that are not information-theoretically hidden we have that the u w contributes 0 modulo to the share so the distribution of these shares is the same as those roduced by an honest sharing of zero. 18

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback