Hindawi Security and Communication Networks Volume 2017, Article ID 1404279, 16 pages https://doi.org/10.1155/2017/1404279
Research Article Adaptive Security of Broadcast Encryption, Revisited Bingxin Zhu, Puwen Wei, and Mingqiang Wang Key Laboratory of Cryptologic Technology and Information Security, Ministry of Education, Shandong University, Jinan, China Correspondence should be addressed to Puwen Wei;
[email protected] and Mingqiang Wang;
[email protected] Received 21 February 2017; Accepted 27 April 2017; Published 3 July 2017 Academic Editor: Paolo DâArco Copyright Š 2017 Bingxin Zhu et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited. We provide a strong security notion for broadcast encryption, called adaptive security in the multichallenge setting (MA-security), where the adversary can adaptively have access to the key generation oracle and the encryption oracle many times (multichallenge). The adversary specially can query for the challenge ciphertexts on different target user sets adaptively, which generalizes the attacks against broadcast encryptions in the real world setting. Our general result shows that the reduction of the adaptive secure broadcast encryption will lose a factor of đ in the MA setting, where đ is the maximum number of encryption queries. In order to construct tighter MA-secure broadcast encryptions, we investigate Gentry and Waterâs transformation and show that their transformation can preserve MA-security at the price of reduction loss on the advantage of the underlying symmetric key encryption. Furthermore, we remove the đ-type assumption in Gentry and Waterâs semistatically secure broadcast encryption by using Hofheinz-Koch-Striecks techniques. The resulting scheme instantiated in a composite order group is MA-secure with constant-size ciphertext header.
1. Introduction Broadcast encryptions (BE), introduced by Fiat and Naor [1], allow a sender to broadcast encrypted messages in such a way that only a specified group of users can decrypt the messages. Such schemes are useful in many applications, for example, pay-TV systems, internet multicasting of video and music, DVD content protection, file system access control, and wireless sensor networks [2]. One basic security requirement for broadcast encryption is the fully collusion resistance, which means that even a coalition of all users outside of target user set đ learns nothing about the target plaintext. Naor et al. [3] proposed a fully collusion secure broadcast encryption scheme with the private key overhead đ(log2 (đ)), where đ is the total number of users. Subsequent works [4, 5] reduced the private key size to đ(log đ). However, the ciphertexts size of collusion resistant schemes, for example, [3â6], usually grows linearly with either the number of receivers or the number of revoked users. Boneh et al. [7] constructed a fully collusion secure broadcast encryption systems with low ciphertext overhead and short secret keys. But the security of their scheme was proven in a static model, where the adversary needs to choose the target user set before seeing the system parameter. To capture more powerful attacks, Gentry and Waters [8] provided a stronger security model, called
adaptive security, where the adversary can compromise usersâ keys and choose the target user set adaptively. They showed a generic method to construct adaptively secure broadcast encryption scheme by transforming semistatically secure broadcast encryption scheme, while the underlying semistatically secure scheme in [8] is based on a đ-type assumption, which is considered to be too strong. By introducing the dual system, Waters [9] presented a broadcast encryption scheme with ciphertext overhead of constant size, and the resulting scheme can be proven adaptively secure under static assumption (non-đ-type assumption). Then, Boneh, Waters, and Zhandry [10] made use of multilinear maps to construct a broadcast encryption where ciphertext overhead, private key size, and public key size are all poly-logarithmic in đ. Other works [11â15] focus on the improvements of broadcast encryptions with special functionalities, for example, identity-based BE, anonymous BE, and traitor-tracing BE. Recently, Wee [16] presented the first broadcast encryption scheme with constant-size ciphertext overhead, constant-size user secret keys, and linear-size public parameters under static assumptions, while the resulting scheme is proven secure under static security model. It is worth noting that although adaptive security defined in [8] seems strong enough to capture the security of broadcast encryptions, attacks in the real world are more complex,
2 for example, the adversary may adaptively get multiple challenge ciphertexts instead of only one. Such attacks are described in the so-called multiuser, multichallenge setting. Bellare et al. [17] initiated the study of the formal security in the multiuser setting, which shows that one-user, one-ciphertext security implies security in the multiuser, multichallenge setting. But the reduction loss of the proof is đđ˘ â
đđ , where đđ˘ and đđ denote the number of users and the number of challenge ciphertexts per user, respectively. However, large reduction loss usually implies large cryptographic parameters, which leads to low efficiency in practice. Recent breakthrough was made by Hofheinz and Jager [18], which provided the first IND-CCA secure PKE in the multiuser/multichallenge setting and the security tightly relates to the decision linear assumption. Here, tight security means that the security loss is a constant. Hofheinz, Koch, and Striecks [19] extended Chen and Weeâs proof technique [20] to the multiuser/multichallenge setting and provided an almost tightly secure identity-based encryption (IBE) in the same setting, where the security loss only relies on the security parameter instead of the number of queries or instances of the scheme. Hence, an extension of broadcast encryptions in the multiuser/multichallenge setting is natural. However, the problem of constructing tightly secure broadcast encryptions in the multiuser/multichallenge setting is more subtle. Our Contribution. We define a stronger notion for broadcast encryption, called the adaptive security in the multichallenge setting (MA-security), where the adversary can not only adaptively have access to the key generation oracle and the encryption oracle many times (multichallenge) but also adaptively query for the challenge ciphertexts on different target user sets instead of only one target set as in previous security model. Since each target user set is actually the combination of different users chosen by the adversary adaptively, it is more challenging for the reduction algorithm to prepare the parameters of broadcast encryptions than that of ordinary PKE or IBE. Our general result shows that the reduction of the adaptive secure broadcast encryption will lose a factor of đ in the MA setting, where đ is the maximum number of encryption queries. To achieve tighter MA-security, we investigate the following two methods. The first method is from Gentry and Waters transformation [8] mentioned above. By exploring the random self-reducibility of BDHE assumption, we show that their transformation still holds in terms of MA-security, but at the cost of reduction loss đ on the advantage of underlying symmetric key encryption. We emphasize that the resulting broadcast encryption schemeâs security depends on both the BDHE assumption and the security of the symmetric key encryption. The reduction loss on the underlying symmetric key encryption is đ, while the reduction on BDHE is tight due to the random self-reducibility of BDHE assumption, which is not implied by the general result of [17]. To remove the BDHE assumption, our second method applies the HofheinzKoch-Striecks techniques [19] to Gentry-Watersâ semistatic secure broadcast encryption. The resulting scheme is essentially the Hofheinz-Koch-Striecks IBE scheme instantiated in a composite order group, while the userâs decryption
Security and Communication Networks key of broadcast encryption is expressed in a different way from that of [19]. Both methods can turn Gentry-Watersâ semistatically secure broadcast encryption into a MA-secure one with constant-size ciphertext header. Note that the public key size of both schemes is linear with the number of users. An interesting problem is how to reduce the public key size of a MA-secure broadcast encryption under standard assumptions while preserving constant ciphertext header size.
2. Preliminaries Notations. Let [1, đ] fl {1, . . . , đ}, where đ â N. For a finite set đ
S, we denote by đĽ â ół¨ S the fact that đĽ is picked uniformly at random from S. đ can be denoted as a binary string; that is, đ = đ 1 â
â
â
đ đ , where đ đ â {0, 1} for đ â [1, đ]. We write vectors in bold font; for example, K = (đž0 , . . . , đž2đ ) for a vector of length 2đ + 1. SD(đ; đ) denotes the statistical distance of đ and đ, where đ and đ are random variables. We say đ and đ are đ-close if SD(đ; đ) ⤠đ. 2.1. Bilinear Map. Let G and Gđ be two groups of prime order đ, and let đ be a generator of G. đ : G Ă G â Gđ is a bilinear map with the following properties. (1) Bilinearity: for all đ˘, V â G and đ, đ â Z, đ(đ˘đ , Vđ ) = đ(đ˘, V)đđ . (2) Nondegeneracy: đ(đ, đ) ≠ 1. (3) Computability: there exists an efficient algorithm to compute đ(đ˘, V), for any đ˘, V â G. 2.2. Assumptions Decisional BDHE Problem [8]. Let (G, Gđ, đ, đ) be the description of the group parameter which is the output of group generator G(đ), where đ is the security parameter. Choose đ
ół¨ {0, 1} and given 2đ + 2 elements đâ 2
đ
đ+2
2đ
(đđ , đ, đđ , đđ , . . . , đđ , đđ , . . . , đđ ) â G2đ+1 ,
(1)
đ â Gđ , đ
đ
đ+1
where đ, đ â ół¨ Zâđ , đ â đ(đđ , đđ ) if đ = 0 and đ â ół¨ Gđ if đ = 1. The problem is to guess đ. The decisional BDHE assumption states that for any PPT adversary A which takes as inputs the description of (G, Gđ , đ) and the above elements and outputs đâ , the advantage óľ¨óľ¨ â óľ¨óľ¨ AdvBDHE G,A (đ) fl óľ¨óľ¨Pr [đ = đ ] â óľ¨
1 óľ¨óľ¨óľ¨ óľ¨óľ¨ 2 óľ¨óľ¨
(2)
is negligible in đ. 2.3. Broadcast Encryption Systems. A broadcast encryption system consists of four randomized algorithms described below.
Security and Communication Networks
3
Table 1: MA experiment. ExpMA A,BE (đ) (PK, SK) âół¨ Setup (đ, â); đ
đ âół¨ {0, 1}; đó¸ âół¨ AOKeyGen (â
,SK),OEnc (â
,PK) ; If đó¸ = đ, return 1; otherwise, 0.
đđđĄđ˘đ(đ, â). Take as input the number of users đ and the maximal size â ⤠đ of a broadcast recipient group and output a public/secret key pair (PK, SK). (The security parameter đ is taken as parts of the input implicitly.) đžđđŚđşđđ(đ, đđž). Take as input a user index đ â [1, đ] and the secret key SK and output a private key đđ . đ¸đđ(đ, đđž). Take a user set đ â [1, đ] and the public key PK as input. It outputs a pair (đťđđ, đž), where đťđđ is the header and đž â K is the message encryption key from a key space K. đˇđđ(đ, đ, đđ , đťđđ, đđž). Take as input a user set đ â [1, đ], a user index đ â [1, đ], and the corresponding private key đđ for user đ, a header đťđđ, and the public key PK. If đ â đ, then the algorithm outputs the message encryption key đž â K.
3. Adaptive Security in the Multichallenge Setting (MA-Security) In this section, we define the adaptive security of broadcast encryption in the multichallenge setting. Let BE = (Setup, KeyGen, Enc, Dec) be a broadcast encryption scheme. The experiment for BE is described in Table 1. During the experiment, the adversary A takes đ and the description of BE including PK as inputs and A can have access to the following two kinds of oracles. (i) OKeyGen (â
, SK) is the secret key generation oracle which takes a user index đ as input and outputs KeyGen(đ, SK). Note that A cannot make đ as the key generation query if đ â đđ , where đđ has been queried to the encryption oracle. Suppose the adversary can make đkey key generation queries at most. (ii) OEnc (â
, PK) is the encryption oracle which takes đđ as input and outputs the challenge ciphertext đśđ = (đťđđđâ , đžđ,đ ), where (đťđđđâ , đž0,đ ) â Enc(đđ , PK), đ
đž1,đ â ół¨ K. The restriction on encryption query is that đđ can not include any user index đ which has been queried to OKeyGen . Suppose that the adversary A can only query encryption oracle OEnc (â
, PK) at most đEnc times. A broadcast encryption scheme BE is adaptively secure in the multichallenge setting (MA-secure) if, for any PPT adversary A, the advantage óľ¨óľ¨ 1 óľ¨óľ¨óľ¨ MA óľ¨óľ¨ óľ¨ (3) AdvMA A,BE (đ) fl óľ¨óľ¨Pr [ExpA,BE (đ) = 1] â óľ¨óľ¨ 2óľ¨ óľ¨ is negligible in đ.
Table 2: MS experiment. ExpMS A,BE (đ) đâ âół¨ A; (PK, SK) âół¨ Setup (đ, â); đ
đ âół¨ {0, 1}; đó¸ âół¨ AOKeyGen (â
,SK),OEnc (â
,PK) ; If đó¸ = đ, return 1; otherwise, 0.
Remark 1. The main difference between our MA-security and the adaptive security defined in [8] is the encryption queries. In MA-security experiment, the adversary can not only adaptively have access to the encryption oracle many times but also query for the challenge ciphertexts on different target user sets, while the adversary can make only one encryption query for one target user set in adaptive security experiment ExpAA,BE [8], where the related advantage of ExpAA,BE is denoted as AdvAA,BE (đ) fl | Pr[ExpAA,BE (đ) = 1] â 1/2|. To investigate Gentry and Waters transformation in the multichallenge setting, we also need to extend semistatic security defined in [8] to the multichallenge setting, which is called semistatic security in the multichallenge setting (MSsecurity). The MS-security is defined in a similar way as that of MA-security, where the adversary also takes đ and the description of BE including PK as inputs and can have access to OđžđđŚđşđđ (â
, SK) and OEnc (â
, PK) as defined in MA-security. But additional restrictions in MS-security are that A has to choose a target user set đâ at the beginning of the experiment and encryption queries đđ are such that đđ â đâ . Details of MS experiment are shown in Table 2 A broadcast encryption scheme BE is semistatically secure in the multichallenge setting (MS-secure) if, for any PPT adversary A, the advantage óľ¨óľ¨ MS óľ¨óľ¨ AdvMS A,BE fl óľ¨óľ¨Pr [ExpA,BE (đ) = 1] â óľ¨
1 óľ¨óľ¨óľ¨ óľ¨óľ¨ 2 óľ¨óľ¨
(4)
is negligible in đ.
4. MA-Secure Broadcast Encryption First we give a general result on the reduction loss of an adaptive secure broadcast encryption in the MA setting. Then, to derive a tighter reduction, we show how to extend Gentry-Waters transformation to the multichallenge setting and construct a concrete MA-secure broadcast encryption based on BDHE assumption. 4.1. General Construction Theorem 2. For any PPT adversary A which can make at most đkey = đkey (đ) key generation queries and đEnc = đEnc (đ) encryption queries with running time đĄó¸ , there exists an algorithm B with about the same running time as A, such that A AdvMA A,BE (đ) ⤠đEnc â
AdvB,BE (đ) .
(5)
4
Security and Communication Networks
Proof. The proof proceeds via the following games. (i) Game0 : Game0 is the real MA experiment except the following differences. When the adversary adaptively makes encryption query for set đđ , the challenger responds with Enc(đđ , PK) = (đťđđđ , đž0,đ ), where đ â [1, đEnc ]. (ii) Game1 : Game1 is identical to Game0 except that the challenger replies the encryption queries with (đťđđđ , đž1,đ ) for đ â [1, đEnc ], where (đťđđđ , đž0,đ ) â đ
ół¨ Kâ and Kâ denotes the key Enc(đđ , PK), đž1,đ â space. Now we construct a series of subgames 0, đ for đ = 0, . . . , đEnc to prove the indistinguishability between Game0 and Game1 . (i) Game0,1 . Game0,1 is the same as Game0 except that the đ
â
challenger chooses đž1,1 â ół¨ K to construct challenge (đťđđ1 , đž1,1 ) for the first encryption query đ1 . (ii) Game0,đ . Game0,đ is the same as Game0,đâ1 except that đ
the challenger chooses đž1,đ â ół¨ Kâ to construct challenge (đťđđđ , đž1,đ ) for the đth encryption query đđ , where đ â [1, đEnc ]. Let Game0,đ = 1 denote the event that the adversary outputs 1 in Game0,đ . Note that Game0,0 and Game0,đEnc are identical to Game0 and Game1 , respectively. Thus, óľ¨óľ¨ 1 óľ¨óľ¨óľ¨ óľ¨óľ¨óľ¨ 1 MA óľ¨óľ¨ óľ¨ óľ¨ AdvMA A,BE (đ) fl óľ¨óľ¨Pr [ExpA,BE (đ) = 1] â óľ¨óľ¨ = óľ¨óľ¨ 2óľ¨ óľ¨2 óľ¨ 1 â
Pr [ExpMA A,BE (đ) = 0 | đ = 0] + 2 1 óľ¨óľ¨óľ¨ 1 MA â
Pr [ExpA,BE (đ) = 1 | đ = 1] â óľ¨óľ¨óľ¨ = 2óľ¨ 2 óľ¨óľ¨ MA â
óľ¨óľ¨óľ¨Pr [ExpA,BE (đ) = 1 | đ = 1] â (1 óľ¨óľ¨ 1 óľ¨ â Pr [ExpMA A,BE (đ) = 0 | đ = 0])óľ¨óľ¨ = 2 óľ¨óľ¨ MA óľ¨ â
óľ¨óľ¨Pr [ExpA,BE (đ) = 1 | đ = 1] óľ¨óľ¨óľ¨ 1 â Pr [ExpMA A,BE (đ) = 1 | đ = 0]óľ¨óľ¨ = (6) 2 1 óľ¨ óľ¨ â
óľ¨óľ¨óľ¨Pr [Game1 = 1] â Pr [Game0 = 1]óľ¨óľ¨óľ¨ = 2 óľ¨ óľ¨ 1 óľ¨ â
óľ¨óľ¨óľ¨Pr [Game0,đEnc = 1] â Pr [Game0,0 = 1]óľ¨óľ¨óľ¨óľ¨ = 2 óľ¨óľ¨ â
óľ¨óľ¨óľ¨Pr [Game0,đEnc = 1] â Pr [Game0,đEnc â1 = 1] + Pr [Game0,đEnc â1 = 1] â Pr [Game0,đEnc â2 = 1] óľ¨ 1 + â
â
â
+ Pr [Game0,1 = 1] â Pr [Game0,0 = 1]óľ¨óľ¨óľ¨óľ¨ ⤠2 đEnc
óľ¨ óľ¨ â
â óľ¨óľ¨óľ¨Pr [Game0,đ = 1] â Pr [Game0,đâ1 = 1]óľ¨óľ¨óľ¨ . đ=1
Next, we show that |Pr[Game0,đ = 1] â Pr[Game0,đâ1 = 1]| is negligible, for đ â [1, đEnc ]. That is, if there exists a PPT adversary A1 which can distinguish the adjacent games for
some đ, we can construct a PPT algorithm B which can break the adaptive security of the underlying scheme. Claim (Game0,đâ1 đĄđ Game0,đ ). For any PPT adversary A1 which can make at most đkey = đkey (đ) key generation queries and đEnc = đEnc (đ) encryption queries with running time đĄó¸ , there exists algorithm B with about the same running time as A1 , such that 1 óľ¨óľ¨ óľ¨ â
óľ¨Pr [Game0,đ = 1] â Pr [Game0,đâ1 = 1]óľ¨óľ¨óľ¨ 2 óľ¨ =
AdvAB,BE
(7)
(đ) .
Proof. B simulates the experiment as follows. (i) The challenger runs Setup(đ, â) and sends PK to B which will send PK to A1 . (ii) A1 adaptively makes key generation queries for user index đ. (iii) B sends user index đ to the challenger which runs KeyGen(đ, SK) and sends back the secret key đđ for user đ. Then B sends đđ to A1 . (iv) A1 adaptively makes encryption queries for đđ , where đ denotes the đth query. (a) If đ â [1, đ â 1], B runs Enc(đđ , PK) = (đťđđđ , đ
ół¨ Kâ and sends đž0,đ ) and chooses đž1,đ â (đťđđđ , đž1,đ ) to A1 . (b) If đ â [đ + 1, đEnc ], B runs Enc(đđ , PK) = (đťđđđ , đž0,đ ) and sends (đťđđđ , đž0,đ ) to A1 . (c) If đ = đ, B sends đđ to the challenger which đ
ół¨ {0, 1} and sends back đśđâ = then chooses đ â đ
ół¨ Kâ , (đťđđđ , đž0,đ ) â (đťđđđ , đžđ,đ ) where đž1,đ â Enc(đđ , PK). Next B sends đśđâ to A1 . (v) A1 outputs đó¸ . If đó¸ = đ, B outputs 1, otherwise, 0. Observe that if đ = 1, A1 âs view is identical to that of Game0.đ . Otherwise A1 âs view is identical to that of Game0.đâ1 . Thus óľ¨óľ¨ 1 óľ¨óľ¨ óľ¨óľ¨ 1 AdvAB,BE fl óľ¨óľ¨óľ¨óľ¨Pr [ExpAB,BE (đ) = 1] â óľ¨óľ¨óľ¨óľ¨ = óľ¨óľ¨óľ¨óľ¨ 2óľ¨ óľ¨2 óľ¨ â
Pr [ExpAB,BE (đ) = 1 | đ = 1] +
1 2
1 óľ¨óľ¨ 1 â
Pr [ExpAB,BE (đ) = 0 | đ = 0] â óľ¨óľ¨óľ¨óľ¨ = 2óľ¨ 2 óľ¨óľ¨ A â
óľ¨óľ¨óľ¨Pr [ExpB,BE (đ) = 1 | đ = 1] óľ¨ 1 â (1 â Pr [ExpAB,BE (đ) = 0 | đ = 0])óľ¨óľ¨óľ¨óľ¨ = 2 óľ¨óľ¨ A â
óľ¨óľ¨óľ¨Pr [ExpB,BE (đ) = 1 | đ = 1] óľ¨ 1 â Pr [ExpAB,BE (đ) = 1 | đ = 0]óľ¨óľ¨óľ¨óľ¨ = 2 óľ¨óľ¨ óľ¨ â
óľ¨óľ¨Pr [Game0,đ = 1] â Pr [Game0,đâ1 = 1]óľ¨óľ¨óľ¨ .
(8)
Security and Communication Networks
5 an algorithm B with about the same running time as A, such that
Hence we have A AdvMA A,BE (đ) ⤠đEnc â
AdvB,BE (đ) ,
(9)
which completes the proof of Theorem 2. 4.2. MS-Secure Broadcast Encryption Based on BDHE Assumption. To reduce the reduction loss, we investigate Gentry-Waters broadcast encryption [8] in the MA setting. First we briefly recall the semistatically secure broadcast encryption scheme in [8]. Let G(đ, đ) be a PPT algorithm which takes as input the security parameter đ and the number of users đ and generates the description of group parameter (G, Gđ , đ, đ), where G, Gđ denotes the group of prime order đ = đ(đ, đ) and đ is the bilinear map. đ
đ
ół¨ G(đ, đ), đ, â1 , . . . , âđ â ół¨ Gđ+1 , where đđđĄđ˘đ(đ). (G, Gđ, đ) â đ
ół¨ Zđ . Set đ, â1 , . . . , âđ are generators of G and đź â đź
BDHE AdvMS A,BE (đ) = AdvG,B (đ) .
(16)
The proof is similar to that of [8] except that we have to deal with multiple challenges in the simulation. Furthermore, to derive a tighter reduction, we need the following lemma which makes use of the random self-reducibility of BDHE. Lemma 4. There exists an efficient algorithm that takes 2 đ đ+2 2đ as input (đđ , đ, đđ , đđ , . . . , đđ , đđ , . . . , đđ , đ) for đ = đ đ(đđ , đđ ) and generates many tuples of the form 2
đ
đ+2
2đ
(đđ đ , đ, đđ , đđ , . . . , đđ , đđ , . . . , đđ , đđ ) ,
(17)
đ
where đđ = đ(đđ , đđđ ) and đ đ , đđ â Zđ . đ
Proof. Compute đđ đ = (đđ )Vđ â
đđ˘đ and đđ = đVđ â
đ(đđ , đđ )đ˘đ ,
PK = (G, Gđ , đ; đ, đ (đ, đ) , â1 , . . . , âđ ) ,
(10)
SK = đđź .
(11)
đ
ół¨ Zđ . Let đ = đ â đđ mod đ. We implicitly where đ˘đ , Vđ â set đ đ = đ â
Vđ + đ˘đ mod đ,
Output (PK, SK).
(18)
đđ = đđ đ + đVđ mod đ. đ
đžđđŚđşđđ(đ, đđž). Choose đđ â ół¨ Zđ and output user đâs private key
Hence, we have đ
đđ = (đđ,0 , đđ,1 , . . . , đđ,đâ1 , đđ,đ , đđ,đ+1 , . . . , đđ,đ ) âđđ
= (đ
đ đđ đ đđ , â1đ , . . . , âđâ1 , đđź âđ đ , âđ+1 , . . . , âđđđ ) .
(12)
đ
ół¨ Zđ and compute đś1 = đđĄ , đś2 = đ¸đđ(đ, đđž). Choose đĄ â đĄ (âđâđ âđ ) . Set
đž = đ (đ, đ)
.
(14)
Output (đťđđ, đž). đˇđđ(đ, đ, đđ , đťđđ, đđž). If đ â đ, parse đđ as (đđ,0 , . . . , đđ,đ ) and đťđđ as (đś1 , đś2 ) and output đž = đ (đđ,đ â
â đđ,đ , đś1 ) â
đ (đđ,0 , đś2 ) .
If đ = 0, namely, đ = đđ , then đđ = đđ đ . If đ ≠ 0, namely, đ ≠ đđ , then đđ = đđ đ + đVđ . Since đVđ are uniformly distributed, we have đđ uniformly distributed over Zđ .
(13)
đâđ
đźâ
đĄ
(19)
Next, more details of the concrete proof of Theorem 3 can be found in Appendix A.
đĄ
đťđđ = (đđĄ , (ââđ ) ) ,
đ đđ if đ = đđ mod đ {đ (đ , đ đ ) đđ = { đ đ đđ đ +đVđ ) if đ ≠ đđ mod đ. {đ (đ , đ
(15)
đâđ\{đ}
Theorem 3. For any PPT adversary A which can make at most đkey = đđđđŚ (đ) key generation queries, đđ¸đđ = đđ¸đđ (đ) encryption queries with running time đĄó¸ , there exists
4.3. Transforming MS-Security to MA-Security. In this section, we show that Gentry-Waters transformation still holds in the multichallenge setting, but at the cost of reduction loss đEnc in the advantage of underlying symmetric encryption scheme. First, we briefly recall Gentry-Waters transformation [8]. Let BEMS = (SetupMS , KeyGenMS , EncMS , DecMS ) be a MS-secure broadcast system and Î sym = (SymSetup, SymEnc, SymDec) be a symmetric encryption scheme with key space Kó¸ . đ
đđđĄđ˘đ(đ). Run SetupMS (2đ) â (đđžó¸ , đđžó¸ ). Let đ â ół¨ {0, 1}đ ó¸ and đ đ denotes đth bit of đ . Let PK = đđž and SK = (đđžó¸ , đ ). Output (PK, SK). đžđđŚđşđđ(đ, đđž). Run KeyGenMS (2đ â đ đ , đđžó¸ ) â đđó¸ . Set đđ = (đđó¸ , đ đ ). Output private key đđ .
6
Security and Communication Networks length as the query and Oó¸ Enc (đ, â
) returns SymEnc(đ, đđ ) as the challenge ciphertext. We say the symmetric key encryption scheme Î sym is one-time CPA-secure if, for any PPT adversary A, the advantage
Table 3: IND-CPA experiment. ExpCPA A,Î sym (đ) đ
đ âół¨ {0, 1}; đ âół¨ SymSetup (1đ ); ó¸
đó¸ âół¨ AOEnc (đ,â
) ; If đó¸ = đ, return 1; otherwise, 0.
óľ¨óľ¨ CPA óľ¨óľ¨ AdvCPA A,Î sym fl óľ¨óľ¨Pr [ExpA,Î sym (đ) = 1] â óľ¨ đ
đ¸đđ(đ, đđž). Generate random |đ| bits: đĄ â {đĄđ â ół¨ {0, 1} : đ â đ
ół¨ K. Set đ} and đž â
EncMS (đ0 , đđžó¸ ) ół¨â (đťđđ0 , đ
0 ) , SymEnc (đ
0 , đž) ół¨â đś0 ; (20)
is negligible in đ, where the probability is taken over the random coins used in the experiment, as well as the random coins used by A.
(i) Game0 is identical to ExpMA A,BE (đ). (ii) Game1 is the same as Game0 except that for each
EncMS (đ1 , đđžó¸ ) ół¨â (đťđđ1 , đ
1 ) ,
đ
ół¨ Kó¸ encryption query the challenger chooses đ
0,đ â to construct đś0,đ = SymEnc(đ
0,đ , đž0,đ ), where đž0,đ = đž1,đ .
SymEnc (đ
1 , đž) ół¨â đś1 ; đťđđ âół¨ (đťđđ0 , đťđđ1 , đś0 , đś1 , đĄ) .
(iii) Game2 is the same as Game1 except that for each đ
Output (đťđđ, đž). đˇđđ(đ, đ, đđ , đťđđ, đđž). Parse đťđđ as (đťđđ0 , đťđđ1 , đś0 , đś1 , đĄ) and đđ as (đđó¸ , đ i ). Set đ0 and đ1 as above. Run đ
đ đ âđĄđ âół¨
(23)
Proof of Sketch. The main idea of the proof is similar to that of [8] except that we need to deal with multiple challenges, which incurs a reduction loss in the advantage of symmetric key encryption scheme. More precisely, we need to prove the indistinguishability of the following games.
đ0 âół¨ {2đ â đĄđ : đ â đ} ,
đ1 âół¨ {2đ â (1 â đĄđ ) : đ â đ} ,
1 óľ¨óľ¨óľ¨ óľ¨óľ¨ 2 óľ¨óľ¨
DecMS (đđ đ âđĄđ , đ, đđó¸ , đťđđđ đ âđĄđ , đđžó¸ ) ,
đž âół¨ SymDec (đ
đ đ âđĄđ , đśđ đ âđĄđ ) .
ół¨ Kó¸ encryption query the challenger chooses đ
1,đ â to construct đś1,đ = SymEnc(đ
1,đ , đž1,đ ), where đž0,đ = đž1,đ .
(iv) Game3 is the same as Game2 except that the challenger đ
(21)
chooses đž0,đ â ół¨ K to construct đś0,đ = SymEnc(đ
0,đ , đž0,đ ). (v) Game4 is the same as Game3 except that the challenger đ
chooses đž1,đ â ół¨ K to construct đś1,đ = SymEnc(đ
1,đ , đž1,đ ).
Output đž. Theorem 5. For any PPT adversary A which can make at most đkey = đkey (đ) key generation queries and đEnc = đEnc (đ) encryption queries with running time đĄó¸ , there exist algorithms A1 , A2 , A3 , and A4 , each with about the same running time as A, such that MS MS AdvMA A,BE,đ (đ) ⤠AdvA1 ,BE,2đ (đ) + AdvA2 ,BE,2đ (đ)
+ đEnc â
AdvCPA A3 ,Î sym (đ) + đEnc
(22)
â
AdvCPA A4 ,Î sym (đ) . Notice that AdvCPA B,Î sym (đ) denotes the advantage of Î sym
= (SymSetup, SymEnc, SymDec), which is defined by the following one-time symmetric key IND-CPA experiment described in Table 3. During the experiment, A takes the security parameter and the description of Î sym as input and can make only one encryption query to encryption oracle Oó¸ Enc (đ, â
). More precisely, đ´ chooses a pair of plaintexts (đ0 , đ1 ) of the same
The indistinguishability among Game0 , Game1 , and Game2 relies on the MS-security of BE. By using hybrid arguments, we show the indistinguishability between Game2 and Game3 (Game3 and Game4 ), which relies on the one-time CPA security of the underlying symmetric key encryption. It is easy to check that the adversary has no advantage in Game4 . More details are shown in Appendix B.
5. Remove đ-Type Assumption In this section, we show how to remove the đ-type assumption of the MS-secure Gentry-Waters scheme in Section 4 by using Hofheinz-Koch-Striecks techniques [19], where the original Gentry-Waters scheme is lifted to composite order groups. Let G(đ, 4) be a composite-order group generator which generates group parameters (đş, đşđ , đ, đ, đ, đ1 , đ2 , đ3 , đ4 ), where đ : đş Ă đş â đşđ is a nondegenerate bilinear map and đş, đşđ are cyclic groups of order đ and đ is the product of different primes đ1 , đ2 , đ3 , and đ4 , and let đ be the generator of group đş and đđ , for đ â [1, 4], be the
Security and Communication Networks
7
random generators of subgroups đşđ1 , đşđ2 , đşđ3 , đşđ4 of orders đ1 , đ2 , đ3 , đ4 , respectively. Let UH be a family of universal hash functions H : đşđ â {0, 1}đ with the property that for any nontrivial subgroup đşđó¸ â đşđ and for H â UH, đ â đşđó¸ and đ â {0, 1}đ , we have SD((H, H(đ)), (H, đ)) = O(2âđ ). In addition, the resulting scheme relies on the following assumptions [19]. Dual System Assumption 1 (DS1). For any PPT adversary A, the advantage function AdvDS1 A (đ)
is negligible in đ, where (đş, đşđ , đ, đ, đ, (đđ )đ ) âół¨ G (đ, 4) ; đŚ
đŚ
Ě4 , đ đ Ě đĽĚ Ě đˇ fl (đş, đşđ , đ, đ, đ, (đđ )đ , đ2đĽ đ 2 4 , đ3 đ4 , đ3 đ4 ) ; đ
Ě4 , đ Ě4 , đ Ě4 , đ Ě4 âół¨ đ đşđ4 ,
đĽ, đŚ âół¨ Zâđ, đžó¸ âół¨ Zâđ;
(29)
Ě0 = đđĽđŚ , đ 2 ó¸
óľ¨ óľ¨ fl óľ¨óľ¨óľ¨Pr [A (đˇ, đ0 ) = 1] â Pr [A (đˇ, đ1 ) = 1]óľ¨óľ¨óľ¨
(24)
Ě1 = đđĽđŚ+đž ; đ 2 Ě0 = đđĽđŚ , đ 3
is negligible in đ, where
ó¸
Ě1 = đđĽđŚ+đž . đ 3
(đş, đşđ , đ, đ, đ, (đđ )đ ) âół¨ G (đ, 4) ; đˇ fl (đş, đşđ , đ, đ, đ, đ1 , đ3 , đ4 ) ; đ
đ0 âół¨ đşđ1 ,
(25)
Dual System Bilinear DDH Assumption (DS-BDDH). For any PPT adversary A, the advantage function AdvDS-BDDH (đ) A
(30)
óľ¨ óľ¨ fl óľ¨óľ¨óľ¨Pr [A (đˇ, đ0 ) = 1] â Pr [A (đˇ, đ1 ) = 1]óľ¨óľ¨óľ¨
đ
đ1 âół¨ đşđ1 đ2 .
is negligible in đ, where Dual System Assumption 2 (DS2). For any PPT adversary A, the advantage function
(đş, đşđ , đ, đ, đ, (đđ )đ ) âół¨ G (đ, 4) ; đ đ đˇ fl (đş, đşđ , đ, đ, đ, (đđ )đ , đ1đ , đ2đ , đ2đ , đ{2,4} , đ{2,4} , đ{2,4} );
AdvDS2 A (đ) óľ¨ óľ¨ fl óľ¨óľ¨óľ¨Pr [A (đˇ, đ0 ) = 1] â Pr [A (đˇ, đ1 ) = 1]óľ¨óľ¨óľ¨
(26)
đđđ
đ0 = đ (đ2 , đ2 )
,
(31)
đ§
đ1 = đ (đ2 , đ2 ) ;
is negligible in đ, where
đ
đ{2,4} âół¨ đşđ2 đ4 , đ, đ, đ, đ§ âół¨ Zâđ.
(đş, đşđ , đ, đ, đ, (đđ )đ ) âół¨ G (đ, 4) ; 5.1. Construction
đˇ fl (đş, đşđ , đ, đ, đ, đ1 , đ4 , đ{1,2} , đ{2,3} ) ;
đ
đđđĄđ˘đ(đ, đ). Generate đź, đ1 , . . . , đ2đ â ół¨ Zđ and compute (đ1 ,
đ
đ{1,2} âół¨ đşđ1 đ2 , đ
đ{2,3} âół¨ đşđ2 đ3 ;
(27)
đ
đ0 âół¨ đşđ1 đ2 , đ
đ1 âół¨ đşđ1 đ3 .
đ
đ
đ
. Set â â ół¨ đşđ, generate (đ
4,1 , . . . , đ1 1 , . . . , đ1 2đ ) â đşđ2đ+1 1 đ
ół¨ đşđ2đ4 , and compute (â1 , . . . , â2đ ) = (âđ1 â
đ
4,1 , . . . , âđ2đ â
đ
4,2đ ) â đ
4,2đ ). Set mpk đ
đ
đź
= (đ1 , đ1 1 , . . . , đ1 2đ , đ4 , â, đ (đ1 , â) , â1 , . . . , â2đ ) , msk = âđź .
Dual System Assumption 3 (DS3). For any PPT adversary A, the advantage function AdvDS3 A (đ)
(28) óľ¨ Ě0 ) = 1] â Pr [A (đˇ, đ Ě1 , đ Ě1 ) = 1]óľ¨óľ¨óľ¨óľ¨ Ě0 , đ fl óľ¨óľ¨óľ¨óľ¨Pr [A (đˇ, đ óľ¨
(32) (33)
Output (mpk, msk). đžđđŚđşđđ(đ˘, msk). Take an index đ˘ â [1, đ] and the master key đ
đ
ó¸ ó¸ ół¨ Zđ, generate (đ
4,1 , . . . , đ
4,2đ )â ół¨ đşđ2đ4 , msk as input. Set đđ˘ â đ đ ó¸ ó¸ and compute đž0 = âđđ˘ , đž1 = â1đ˘ â
đ
4,1 , . . . , đž2đ = â2đđ˘ â
đ
4,2đ
8
Security and Communication Networks
and output a user secret key đ đđ˘ = (đž0 , đž1 , . . . , msk â
đž2đ˘â1 , đž2đ˘+1 , . . . , đž2đ ) đ
đ
đ
ó¸ đ˘ đ˘ = (âđđ˘ , â1đ˘ â
đ
ó¸ 4,1 , . . . , msk â
â2đ˘â1 â
đ
4,2đ˘â1 , â2đ˘+1
(34)
đ
ó¸ ó¸ â
đ
4,2đ˘+1 , . . . , â2đđ˘ â
đ
4,2đ ).
Note that đž2đ˘ is not used in đ đđ˘ . đ¸đđ(đ, mpk). Take a set đ â [1, đ] as well as a master public key mpk as input. We denote đ as a binary string; that is, đ = đ 1 â
â
â
đ đ , where đ đ˘ â {0, 1} and đ˘ â [1, đ]. That is, đ đ˘ = 1 if user đ
đ˘ is in đ. Otherwise, đ đ˘ = 0. Generate đĄ â ół¨ Zđ and output đťđđ = (đś0 , đś1 ) =
đĄ đ đ 2đâđ đ đĄ (đ1 , (âđ1 ) ) , đ=1
(35)
đźđĄ
đž = H (đ (đ1 , â) ) .
(36)
The proof follows that of [19] and proceeds via a series of games described in Appendix C, where the user set đ is considered as a special kind of identity đđ. The main difference between games is presented in Table 4. Random function families, auxiliary secret key generation, auxiliary encryption function, semifunctional user secret keys, pseudo-normal ciphertexts, and semifunctional ciphertexts are defined as follows. More details can be found in Table 4. (i) Random Function Families. In our scheme each user index đ˘ â [1, đ] is interpreted as đ-bit binary string đ˘ = 0 â
â
â
010 â
â
â
0, where only đ˘-th bit is 1. Both user index đ˘ and user set đ are denoted as identity đđ. Let đđ|đ fl đđ1 â
â
â
đđđ be đbit prefix of đđ and denote ID|đ fl {0, 1}đ . For đ â [0, đ], define two random functions as follows. Ě đ (đđ|đ ) : ID|đ â đşđ đşđ ; đđ|đ ół¨â (đ2 đ4 )đžĚđ (đđ|đ ) ; (a) RF 2 4 đ
ół¨ đžĚđ (đđ|đ ) : ID|đ â Zâđ2 đ4 ; đđ|đ ół¨â đžĚđ , where đžĚđ â Zâđ2 đ4 .
đˇđđ(đ, đ˘, đ đđ˘ , đťđđ, mpk). If đ˘ â đ, parse đ đđ˘ as (đž0 , đž1 , . . . , msk â
đž2đ˘â1 , đž2đ˘+1 , . . . , đž2đ ) and đťđđ as (đś0 , đś1 ) and output đž = H(
đ (đś0 , msk â
âđđ=1 đž2đâđ đ ) đ (đś1 , đž0 )
).
(37)
Ě đ (đđ|đ ) : ID|đ â đşđ đşđ ; đđ|đ ół¨â (đ3 đ4 )đžĚđ (đđ|đ ) ; (b) RF 3 4 đ
ół¨ đžĚđ (đđ|đ ) : ID|đ â Zâđ3 đ4 ; đđ|đ ół¨â đžĚđ , where đžĚđ â â Zđ3 đ4 .
Correctness. đ (đś0 , msk â
âđđ=1 đž2đâđ đ )
(ii) Auxiliary Secret Key Generation
đ (đś1 , đž0 )
KeyGen (đ˘, msk, K)
đ
=
=
ó¸ đ˘ â
đ
4,2đâđ ) đ (đ1đĄ , msk â
âđđ=1 â2đâđ đ đ đ2đâđ đ
đ (âđđ=1 đ1
, â)
đ2đâđ đ
, â)
(38)
đĄâ
đđ˘
đĄâ
đđ˘
đ (đ1 , â) â
đ (đ1 , âđđ=1 â đ2đâđ đ
đ (âđđ=1 đ1
đĄâ
đđ˘
, â)
)
Enc (đâ , mpk, g1 , msk) = (đťđđ; đž)
đźđĄ
= đ (đ1 , â) . =
5.2. Security Proof Theorem 6. For any PPT adversary A which can make at most đđđđŚ = đđđđŚ (đ) key generation queries and đEnc = đEnc (đ) encryption queries with running time đĄó¸ , there exist algorithm B1 on DS1, B2 on DS2, B3 on DS3, and B4 on DS-BDDH with running time đĄó¸ +O(đđđ (đkey +đEnc )), respectively, for some constant đ â N, such that DS1 DS2 AdvMA A,BE (đ) ⤠AdvB1 (đ) + 2đ â
AdvB2 (đ) + đ DS-BDDH â
AdvDS3 + đEnc B3 (đ) + AdvB4
â
O (2âđ ) .
2đ+1 . where K = (đž0 , đž1 , đž2 , . . . , đž2đ ) â đşđ
(iii) Auxiliary Encryption Function
đ2đâđ đ đĄâ
đđ˘
đźđĄ
=
= (đž0 , đž1 , . . . , msk â
đž2đ˘â1 , đž2đ˘+1 , . . . , đž2đ ) ,
đ (đ1đĄ , âđź ) â
đ (đ1 , âđđ=1 â2đâđ đ ) đ (âđđ=1 đ1
(40)
đĄâ
đđ˘
(39)
đĄ đ đ 2đâđ đ đĄ (đ1 , (âđ1 ) đ=1 đđĄ
đĄ
(41)
; H (đ (đ1 , msk) )) ,
đ đĄ
where g1 = (đ1đĄ , đ1 1 , . . . , đ1 2đ ). (iv) Semi-Functional Type-i User Secret Keys Ě đ ( đđ|đ ) â
RF Ě đ ( đđ|đ ) , K) KeyGen (đ˘, msk â
RF Ě đ ( đđ|đ ) â
RF Ě đ ( đđ|đ ) = (đž0 , đž1 , . . . , msk â
RF â
đž2đ˘â1 , đž2đ˘+1 , . . . , đž2đ ) , where user đ˘ = đđ1 â
â
â
đđđ is denoted as đđ.
(42)
Security and Communication Networks
9
Table 4: Sequence of games, where a dash(â) means the same as in the previous game. Note that user set đâ and user identity đ˘ are interpreted as đđâ and đđ, respectively. Game
Challenge ciphertexts for identity đâ
User secret keys for identity đ˘ â [1, đ]
0
Enc(đâ , mpk)
KeyGen(đ˘, msk)
1
Enc(đâ , mpk, g{1,2} , msk)
KeyGen(đ˘, msk, K)
2, đ, 0
Ě đâ1 (đđâ |đâ1 )) Enc(â, â, g{1,2} , msk â
RF
Ě đâ1 (đđ|đâ1 ) â
RF Ě đâ1 (đđ|đâ1 ), K) KeyGen(đ˘, msk â
RF
2, đ, 1
Ě đâ1 (đđâ |đâ1 )) if đđđâ = 0: Enc(â, â, g{1,2} , msk â
RF
2, đ, 2
Ě đ (đđâ |đ )) if đđđâ = 0: Enc(â, â, g{1,2} , msk â
RF
3
Ě đ (đđâ )) Enc(â, â, g{1,2} , msk â
RF
Ě đ (đđ) â
RF Ě đ (đđ), K) KeyGen(đ˘, msk â
RF
4
đ
Ě đ (đđâ )), đžđ âół¨ Enc(â, â, g{1,2} , msk â
RF {0, 1}đ
Ě đ (đđ) â
RF Ě đ (đđ), K) KeyGen(đ˘, msk â
RF
Ě đâ1 (đđ|đâ1 ) â
RF Ě đâ1 (đđ|đâ1 ), K) KeyGen(đ˘, msk â
RF
Ě đâ1 (đđâ |đâ1 )) if đđđâ = 1: Enc(â, â, g{1,3} , msk â
RF
Ě đ (đđ|đ ) â
RF Ě đ (đđ|đ ), K) KeyGen(đ˘, msk â
RF
Ě đ (đđâ |đ )) if đđđâ = 1: Enc(â, â, g{1,3} , msk â
RF
(vii) Semi-Functional đđŚđđ-(âź, đ) Ciphertexts
(v) Pseudo-Normal Ciphertexts â
Enc (đ , mpk, g{1,2} , msk) = (đťđđ; đž) = đ
đ=1
(43)
đĄ đ2đâđ đ
(â (đ{1,2} )
Ě đ ( đđ|đ ) â
RF Ě đ ( đđ|đ )) Enc (đâ , mpk, g{1,3} , msk â
RF
đĄ (đ{1,2} ,
= (đťđđ; đž) =
đĄ
đ đ 2đâđ đĄ , (âđ{1,3} đ ) (đ{1,3} đ=1
đĄ
;
) ; H (đ (đ{1,2} , msk) )) , đĄ
Ě đ ( đđ|đ ) â
RF Ě đ ( đđ|đ )) )) H (đ (đ{1,3} , msk â
RF đđĄ
đ đĄ
đĄ 2đ 1 where g{1,2} = (đ{1,2} , đ{1,2} , . . . , đ{1,2} ).
(vi) Semi-Functional đđŚđđ-(â§, đ) Ciphertexts
=
đ đ 2đâđ đĄ (đ{1,3} , (âđ{1,3} đ ) đ=1
đĄ
;
Ě đ ( đđ|đ ) â
RF Ě đ ( đđ|đ )) Enc (đâ , mpk, g{1,2} , msk â
RF đ
đ2đâđ
(45)
đĄ
Ě đ ( đđ|đ )) )) , H (đ (đ{1,3} , msk â
RF
đĄ
đĄ = (đťđđ; đž) = (đ{1,2} , (âđ{1,2} đ ) ; đ=1
đđĄ
đ đĄ
đĄ 2đ 1 , đ{1,3} , . . . , đ{1,3} ) and đđ denotes đâ = where g{1,3} = (đ{1,3} đ 1 â
â
â
đ đ . đĄ
Ě đ ( đđ|đ )) â
RF Ě đ ( đđ|đ ) )) H (đ (đ{1,2} , msk â
RF
=
đĄ đ đ 2đâđ đ đĄ (đ{1,2} , (âđ{1,2} ) đ=1
(44)
A. Proof of Theorem 3 ;
Ě đ ( đđ|đ ))đĄ )) , H (đ (đ{1,2} , msk â
RF đđĄ
Appendix
đ đĄ
đĄ 2đ 1 where g{1,2} = (đ{1,2} , đ{1,2} , . . . , đ{1,2} ) and đđ denotes đâ = đ 1 â
â
â
đ đ .
Proof. If there exists a PPT adversary A which can break the MS-security of the broadcast encryption, then we show how to construct a PPT algorithm B to break BDHE assumption. Upon receiving the BDHE problem instance, which 2 đ đ+2 2đ consists of (đđ , đ, đđ , đđ , . . . , đđ , đđ , . . . , đđ ) and đ, B MS simulates the experiment ExpA,BE (đ) for A as follows. (i) A chooses a set đâ â [1, đ].
10
Security and Communication Networks đ
number of encryption queries that adversary can make. A1 acts as follows:
(ii) Setup. B generates đŚ0 , . . . , đŚđ â ół¨ Zđ and sets âđ = đđŚđ
if đ â đâ , đ
âđ = đđŚđ +đ
đ
(A.1)
if đ â đâ .
đ+1
Since đđ is unknown, we implicitly set đź = đŚ0 â
đđ+1 đ and đ(đ, đ)đź can be computed as đ(đđ , đđ )đŚ0 . Now the public key is đź
PK = (G, Gđ, đ; đ, đ (đ, đ) , â1 , . . . , âđ ) .
(A.2)
B sends PK to A. (iii) Key generation queries: for đ â [1, đ] \ đâ , B chooses đ
đ§đ â ół¨ Zđ and computes đđ = đ§đ âđŚ0 â
đđ+1âđ and outputs đđ = (đđ,0 , đđ,1 , . . . , đđ,đâ1 , đđ,đ , đđ,đ+1 , . . . , đđ,đ ) đ
đ
đ
đ
đ
đ đ , đđź âđ đ , âđ+1 , . . . , âđđđ ) , = (đâđđ , â1đ , â2đ , . . . , âđâ1
đ+1
đ
where đđ,đ = đđź âđ đ = đđŚ0 â
đ
(A.3)
+(đŚđ +đđ )(đ§đ âđŚ0 â
đđ+1âđ )
đ
=
(iv) Encryption queries: A adaptively makes subset đđ â đâ as encryption query. B runs the algorithm of Lemma 4 to generate (đđ đ , đđ ) for đ â [1, đEnc ] and set đťđđđâ = (đś1,đ , đś2,đ ) = (đđ đ , (âđâđđ âđ )đ đ ) = (đđ đ , đŚ
đŚ
(đđ đ ) đâđđ đ ), đžđ = đđ 0 . Return (đťđđđâ , đžđ ) as the answer to đđ . Eventually, A outputs a bit đó¸ which is also the output of B. It is easy to check that B perfectly simulates ExpMS A,BE (đ). Therefore, Bâs advantage in deciding the BDHE instance is precisely Aâs advantage against the MS-security of the broadcast encryption scheme, which completes the proof.
B. Proof of Theorem 5 Proof. Let Gameđ = 1 denote the event that the adversary outputs 1 in Gameđ . Game0 . This is the real game which is identical to experiment ExpMA A,BE . Thus, óľ¨óľ¨ óľ¨óľ¨ AdvMA A,BE,đ (đ) = óľ¨óľ¨Pr [Game0 = 1] â óľ¨
1 óľ¨óľ¨óľ¨ óľ¨óľ¨ . 2 óľ¨óľ¨
(B.1)
(Game1 đĄđ Game0 ). Game1 is identical to Game0 except that the challenge ciphertext đś0,đ for đ â [1, đEnc ] is computed as đ
đ
(ii) Choose đ â ół¨ {0, 1}đ and generate đâ â {2đ â (1 â đ đ ) : đ â [1, đ]}, where đ đ denotes đth bit of đ . A1 sends đâ to the challenger. Notice that đâ â [1, 2đ]. (iii) The challenger runs SetupMS to obtain (PKó¸ , SKó¸ ) and sends PKó¸ to A1 . Then B1 sets PK â PKó¸ and sends PK to A. (iv) A adaptively makes key generation queries for đó¸ â [1, đ]. Then A1 sends 2đó¸ â đ đó¸ to the challenger of the MS experiment. (v) The challenger runs KeyGenMS (2đó¸ âđ đó¸ , SKó¸ ) to obtain đđó¸ ó¸ and sends đđó¸ ó¸ to A1 , which returns đđó¸ â (đđó¸ ó¸ , đ đó¸ ) to A. (vi) A adaptively makes encryption queries đđ . Then A1 sets đđ = {đĄđ = 1 â đ đ : đ â đđ }, đ0,đ = {2đ â đĄđ : đ â đđ }, đ1,đ = {2đ â (1 â đĄđ ) : đ â đđ } and sends đ0,đ for đ â [1, đEnc ] to the challenger. Notice that đ0,đ â đâ . (đ) ), where (vii) The challenger sends back (đťđđ0,đ , đ
0,đ
đđŚđ đđ +đ â
đ§đ .
â
(i) Choose đâ â ół¨ {0, 1}.
ół¨ Kó¸ and đś0,đ â SymEnc(đ
0,đ , đžđ ). follows: đ
0,đ â For any PPT adversary A which can distinguish Game1 from Game0 , there exists an algorithm A1 which can break the MS-security of BEMS scheme. Suppose đEnc is the maximal
đ
(0) (1) (đťđđ0,đ , đ
0,đ ) â EncMS (đ0,đ , PKó¸ ) and đ
0,đ â ół¨ Kó¸ . Note that đ â {0, 1} has been chosen by the challenger at the beginning of the experiment. (viii) A1 sets (đťđđ1,đ , đ
1,đ ) â EncMS (đ1,đ , PKó¸ ) and gener đ
(đ) ół¨ K. Then it sets đś0,đ â SymEnc(đ
0,đ , ates đž0,đ , đž1,đ â â đž0,đ ), đś1,đ â SymEnc(đ
1,đ , đž0,đ ), and đťđđđ â (đťđđ0,đ , đś0,đ , đťđđ1,đ , đś1,đ , đđ ) and sends (đťđđđâ , đžđâ ,đ ) to adversary A. (ix) A outputs a bit đó¸ . If đâ = đó¸ , A1 outputs 0, otherwise, 1.
Notice that if đ = 0, Aâs view is identical to that of Game0 . Otherwise, Aâs view is identical to that of Game1 . Hence, we have óľ¨ óľ¨óľ¨ óľ¨óľ¨Pr [Game0 = 1] â Pr [Game1 = 1]óľ¨óľ¨óľ¨ (B.2) ⤠AdvMS A1 ,BE,2đ (đ) . (Game2 đĄđ Game1 ). Game2 is identical to Game1 except that đ
ół¨ Kó¸ for each encryption query the challenger chooses đ
1,đ â to construct đś1,đ = SymEnc(đ
1,đ , đž0,đ ). The proof of the indistinguishability between Game2 and Game1 is similar to that of Game1 and Game0 . So we have óľ¨óľ¨ óľ¨ óľ¨óľ¨Pr [Game1 = 1] â Pr [Game2 = 1]óľ¨óľ¨óľ¨ (B.3) ⤠AdvMS A2 ,BE,2đ (đ) . (Game3 đĄđ Game2 ). Game3 is identical to Game2 except that đ
ół¨K for each encryption query the challenger chooses đž0,đ â đ
ół¨ SymEnc(đ
0,đ , đž0,đ ) for đ â [1, đEnc ]. to construct đś0,đ â
Security and Communication Networks
11
We construct a series of subgame 2, đ for đ = 1, . . . , đEnc , to prove the indistinguishability between Game 2 and Game 3. (i) Game2,1 . Game2,1 is identical to Game2 except that the đ
đ
challenger chooses đž0,1 â ół¨ K to construct đś0,1 â ół¨ SymEnc(đ
0,1 , đž0,1 ). (ii) Game2,đ . Game2,đ is identical to Game2,đâ1 except that đ
đ
the challenger chooses đž0,đ â ół¨ K to construct đś0,đ â ół¨ SymEnc(đ
0,đ , đž0,đ ).
indistinguishability between Game4 and Game3 is similar to that of Game3 and Game2 . So we have óľ¨ óľ¨óľ¨ óľ¨óľ¨Pr [Game3 = 1] â Pr [Game4 = 1]óľ¨óľ¨óľ¨ ⤠đEnc â
AdvCPA A4 ,Î sym (đ) .
In Game4 , all đ
0,đ , đ
1,đ , đž0,đ , đž1,đ for đ â [1, đEnc ] are chosen at random and đťđđđâ is independent of đžđ,đ . Hence, the adversary has no advantage. That is, óľ¨óľ¨ óľ¨óľ¨Pr [Game = 1] â óľ¨óľ¨ 4 óľ¨
Note that Game3 is identical to Game2,đEnc . Claim (Game2,đâ1 đĄđ Game2,đ ). For any PPT adversary M which can make at most đkey = đkey (đ) key generation queries and đEnc = đEnc (đ) encryption queries with running time ĚđĄ, there exists an algorithm A3 with running about the same time as M, such that óľ¨óľ¨ óľ¨ óľ¨óľ¨Pr [Game2,đâ1 = 1] â Pr [Game2,đ = 1]óľ¨óľ¨óľ¨ (B.4) ⤠AdvCPA A3 ,Î sym (đ) . đ
Proof. A3 chooses đâ â ół¨ {0, 1} and simulates the experiment as follows. ó¸
(i) A3 runs Setup(đ, â) and KeyGen(đ , SK) as in Game2 . (ii) M adaptively makes encryption queries for đđ , where đ denotes đth query. If đ â [1, đ â 1], A3 returns the answer as in Game2,đâ1 . If đ â [đ + 1, đEnc ], A3 returns the answer as in Game2 . If đ = đ, A3 đ
chooses đž0,đ , đž1,đ â ół¨ K and sends (đž0,đ , đž1,đ ) to the đ
challenger. The challenger chooses đ â ół¨ {0, 1} and returns đś0,đ = SymEnc(đ
, đžđ,đ ). Then A3 chooses đ
ó¸
đ
1,đ â ół¨ K , computes đś1,đ = SymEnc(đ
1,đ , đž1,đ ), and returns (đś0,đ , đś1,đ ). (iii) M outputs đó¸ . If đâ = đó¸ , A3 outputs 0, otherwise, 1. Observe that if đ = 1, Mâs view is identical to that of Game2,đâ1 . Otherwise, Mâs view is identical to that of Game2,đ . Thus óľ¨óľ¨óľ¨Pr [Game2,đâ1 = 1] â Pr [Game2,đ = 1]óľ¨óľ¨óľ¨ óľ¨ óľ¨ (B.5) CPA ⤠AdvA3 ,Î sym (đ) , which concludes the proof of the Claim. Due to the Claim, we have óľ¨óľ¨ óľ¨ óľ¨óľ¨Pr [Game2 = 1] â Pr [Game3 = 1]óľ¨óľ¨óľ¨
(B.7)
1 óľ¨óľ¨óľ¨ óľ¨óľ¨ = 0. 2 óľ¨óľ¨
(B.8)
Hence, we have MS MS AdvMA A,BE,đ (đ) ⤠AdvA1 ,BE,2đ (đ) + AdvA2 ,BE,2đ (đ)
+ đEnc â
AdvCPA A3 ,Î sym (đ) + đEnc
(B.9)
â
AdvCPA A4 ,Î sym (đ) .
C. Proof of Theorem 6 Game Sequence (i) Game0 is the real experiment ExpMA A,BE . (ii) Game1 is the same as Game0 except that all the challenge ciphertexts are pseudo-normal. (iii) Game2,đ,0 is the same as Game1 except that all user secret keys are semifunctional of type-(đ â 1), while the challenge ciphertexts are semifunctional of type(â§, đ â 1) for đ â [1, đ]. (iv) Game2,đ,1 is the same as Game2,đ,0 except that if đth bit of a challenge identity đđâ is 0 (i.e., đđđâ = 0), then the corresponding challenge ciphertexts are semifunctional of type-(â§, đ â 1). Otherwise, the corresponding challenge ciphertexts are semifunctional of type-(âź , đ â 1). (v) Game2,đ,2 is the same as Game2,đ,1 except that if đth bit of a challenge identity đđâ is 0 (i.e., đđđâ = 0), then the corresponding challenge ciphertexts are semifunctional of type-(â§, đ). Otherwise, the corresponding challenge ciphertexts are semifunctional of type(âź, đ). (vi) Game3 is the same as Game2,đ,0 except that all the challenge ciphertexts and user secret keys are semifunctional of type-(â§, đ) and semifunctional of typeđ, respectively.
(B.6)
(vii) Game4 is the same as Game3 except that the challenge keys đžđ output by oracle OEnc (â
, mpk) are uniform bitstrings over {0, 1}đ .
(Game4 đĄđ Game3 ). Game4 is identical to Game3 except that
Lemma C.1 (Game0 to Game1 ). For any PPT adversary A with at most đkey = đkey (đ) key generation queries, đEnc = đEnc (đ) encryption queries, and running time ĚđĄ, there exists an
⤠đEnc â
AdvCPA A3 ,Î sym (đ) .
đ
ół¨ K to construct đś1,đ = the challenger sets đž1,đ â SymEnc(đ
1,đ , đž1,đ ) for đ â [1, đEnc ]. The proof of the
12
Security and Communication Networks
algorithm B1 on DS1 with running time đĄ1 â ĚđĄ + O(đđđ (đkey + đEnc )), for some constant đ â N, such that óľ¨óľ¨ óľ¨ đˇđ1 óľ¨óľ¨Pr [Game0 = 1] â Pr [Game1 = 1]óľ¨óľ¨óľ¨ ⤠AdvB1 (đ) .
(C.1)
Proof. B1 receives the instance (đş, đşđ , đ, đ, đ, đ1 , đ3 , đ4 , đ) đ
Lemma C.3 (Game2,đ,0 to Game2,đ,1 ). For any PPT adversary A with at most đkey = đkey (đ) key generation queries, đEnc = đEnc (đ) encryption queries, and running time ĚđĄ, there exists an algorithm B2 on DS2 with running time đĄ2 â ĚđĄ + O(đđđ (đkey + đEnc )), for some constant đ â N, such that óľ¨óľ¨ óľ¨ óľ¨óľ¨Pr [Game2,đ,0 = 1] â Pr [Game2,đ,1 = 1]óľ¨óľ¨óľ¨
đ
ół¨ đşđ1 or đ â ół¨ đşđ1 đ2 , and from the challenger, where đ â simulates the experiment for A as follows. đ
Setup. Choose a bit đ â {0, 1}. Pick đź, đ1 , . . . , đ2đ â ół¨ Zđ đ đ and compute (đ1 , đ1 1 , . . . , đ1 2đ ) â đşđ2đ+1 . Let â = đ â đşđ, 1 đ
Zâđ, đ
4,đ
đ đ4đ
ół¨ = đđ â for đ â [1, 2đ]. Set
đđ
for đ â [1, 2đ]. Compute âđ = â
â
đ
4,đ
mpk đź
đ
đ
= (đ1 , đ1 1 , . . . , đ1 2đ , đ4 , â, đ (đ1 , â) , â1 , . . . , â2đ ) , (C.2) msk = âđź .
(C.5)
⤠Advđˇđ2 B2 (đ) .
Proof. B2 receives the instance (đş, đşđ , đ, đ, đ, đ1 , đ4 , đ{1,2} , đ
đ
ół¨ đşđ1 đ2 or đ â ół¨ đşđ1 đ3 đ{2,3} , đ) from the challenger, where đ â đ
and chooses đ â ół¨ {0, 1}. Then B2 can use the parameter to generate msk, mpk as in the proof of Lemma C.1 and define a truly random function RF : {0, 1}đâ1 â đşđ2 đ3 đ4 . Key Generation Queries. Next, it can answer the secret key queries for đ˘ â [1, đ] as KeyGen(đ˘, msk â
RF(đđ|đâ1 ), K), where RF(đđ|đâ1 ) : đđ|đâ1 â (đ{2,3} đ4 )đžđâ1 (đđ|đâ1 ) , đžđâ1 (đđ|đâ1 ) : đđ|đâ1 ół¨â đ
Key Generation Queries. To answer key generation queries đó¸
đ
ó¸ ół¨ Zâđ and compute đ
4,đ = đ4 đ for đ˘ â [1, đ], set đó¸ đ â đ â [1, 2đ] and generate K = (đž0 , đž1 , đž2 , . . . , đž2đ ) = (âđĄ , â1đĄ â
đ
ó¸ đĄ ó¸ 2đ+1 đ
4,1 , . . . , â2đ â
đ
4,2đ ) â đşđ , where đĄ â ół¨ Zâđ, and return KeyGen(đ˘, msk, K).
Encryption Queries. A can adaptively make encryption queries đđ at most đEnc = đEnc (đ) times. B1 sets đ
đĄ â
đ2đâđ đ
Enc (đđ , mpk) = (đđĄđ , âđ đ
Encryption Queries. Upon receiving encryption queries đđâ , đ
ół¨ Zâđ, đ â [1, đEnc ] and returns B2 chooses đĄđ â đĄđ óľ¨ Enc (đđâ , mpk, g{1,2} , msk â
RF ( đđđâ óľ¨óľ¨óľ¨đâ1 ))
if (đđđâ )đ = 0, óľ¨ Enc (đđâ , mpk, đđĄđ , msk â
RF ( đđđâ óľ¨óľ¨óľ¨đâ1 ))
(C.3)
â ), (đťđđđâ , đžđ,0
đ
â where đĄđ â ół¨ Zâđ, đ â [1, đEnc ] and returns (đťđđđâ , đžđ,đ ), where â đ đžđ,1 â {0, 1} . Finally, A outputs a guess đó¸ . B1 outputs 1 if đó¸ = đ, otherwise, 0. The distribution of the master public key and user secret keys that A requests are identical to those in Game0 as well đ
as in Game1 . If đ â ół¨ đşđ1 , the distribution of challenge đ
ciphertexts is identical to that of Game0 , while if đ â ół¨ đşđ1 đ2 , the distribution of challenge ciphertexts is identical to that of Game1 . Therefore, we have (C.1). Lemma C.2 (Game1 to Game2,1,0 ). For any PPT adversary A with at most đkey = đkey (đ) key generation queries, đEnc = đEnc (đ) encryption queries, and running time ĚđĄ, we have Pr [Game1 = 1] = Pr [Game2,1,0 = 1] .
(C.6)
if (đđđâ )đ = 1.
, H (đ (đđĄđ , msk)))
đ=1
=
ół¨ Zâđ. đžđâ1 , and đžđâ1 â
(C.4)
Proof. As shown in Table 4, msk â đşđ in Game1 , while Ě 0 (đ)â
RF Ě 0 (đ) in Game2,1,0 is also uniform in đşđ, mskó¸ = mskâ
RF where đđ|0 denotes the empty string đ. Since the distribution Ě 0 (đ) â
RF Ě 0 (đ) is identical, (C.4) holds. of msk and msk â
RF
Finally, A outputs a guess bit đó¸ . B2 outputs 1 if đó¸ = đ; otherwise 0. đ
đĄđ Note that g{1,2} is distributed uniformly over đşđ1 đ2 . If đ â ół¨ đşđ1 đ2 , the challenge ciphertexts are distributed identically as in Game2,đ,0 . Otherwise, the distribution is the same as in Game2,đ,1 . Hence (C.5) holds. Lemma C.4 (Game2,đ,1 to Game2,đ,2 ). For any PPT adversary A with at most đkey = đkey (đ) key generation queries, đEnc = đEnc (đ) encryption queries, and running time ĚđĄ, there exists an algorithm B3 on DS3 with running time đĄ3 â ĚđĄ + O(đđđ (đkey + đEnc )), for some constant đ â N, such that óľ¨ óľ¨óľ¨ óľ¨óľ¨Pr [Game2,đ,1 = 1] â Pr [Game2,đ,2 = 1]óľ¨óľ¨óľ¨ ⤠Advđˇđ3 B3 (đ) .
(C.7)
Ě đ) Ě is either Proof. B3 gets the instance (đˇ, đ), where đ = (đ, đĽđŚ
đĽđŚ
đĽđŚ+đžó¸
(đ2 , đ3 ) or (đ2
đĽđŚ+đžó¸
, đ3
) for
Ě4 , đđŚ đ Ě đĽĚ đˇ = (đş, đşđ , đ, đ, đ, đ1 , đ2 , đ3 , đ4 , đ2đĽ đ 2 4 , đ3 đ4 , đŚ
Ě4 ) , đ3 đ đ
Ě4 , đ Ě4 , đ Ě4 , đ Ě4 â đ ół¨ đşđ4 , đĽ, đŚ, đžó¸ âół¨ Zâđ.
(C.8)
(C.9)
Security and Communication Networks
13
Setup. B3 chooses đ â {0, 1} and (đź, đ1 , . . . , đ2n ) â Z2đ+1 đ , computes and sets
đ đ (đ1 1 , . . . , đ1 2đ )
đşđ2đ1 ,
â
đ
and generates đ, đĚ, đĚ â ół¨
Zâđ
Ě đâ1 ( đđâ óľ¨óľ¨óľ¨ ) , Ě đ ( đđâ óľ¨óľ¨óľ¨ ) = RF RF óľ¨đ óľ¨đâ1
đ
â = (đ1 đ2 đ3 đ4 ) â đşđ, Ěâ = (đ đ )đĚ â đş , 2 4 đ2 đ4
(C.10)
Ěâ = (đ đ )đĚ â đş . 3 4 đ3 đ4 đ
ół¨ Zâđ for đ â Next B3 generates đđ â đ2đ đ1 đ
4,2đ ) = (đ4 , . . . , đ4 ) â đşđ2đ4 and sets
â
đ2đ
â
đ
4,2đâ1 , â
â
đŚĚ đ (đ3 đ 4)
[1, 2đ] and (đ
4,1 , . . . ,
â
đ
4,2đ , . . . , â
(C.11)
mpk = (đ1 , đ1 1 , . . . , đ1 2đ , đ4 , â, đ (đ1 , â) , â1 , . . . , â2đ ) .
Key Generation Queries. During the experiment B3 can answer key generation queries for identity đđâ for â â [1, đkey ] as follows. By running the algorithm in Lemma 6 of [20] (or algorithm in [19]) which takes as input (1đkey , (đ2 , đ4 , Ě4 , đđŚ đ Ě Ě and (1đkey , (đ3 , đ4 , đđĽ đ Ě đŚĚ Ě B3 đ2đĽ đ 3 4 , đ3 đ4 ), đ), 2 4 ), đ) can generate the following tuples: đkey
Ěâ ) , Ě4,â , đ (đ2â đ â=1 đĚ
(C.12)
đkey
Ěâ ) Ě4,â , đ (đ3â đ â=1 đĚ
đĚ đŚ
Ě = đđĽđŚ if đ 3
For an identity prefix đđâ |đ that is a prefix of an already queried identity, we rerandomize the element of Kâ . Encryption Queries. Upon receiving encryption queries đđâ ,
(C.13)
if (đđđâ )đ = 0, đĄ Ě đ ( đđâ óľ¨óľ¨óľ¨ )) Enc (đđâ , mpk, (g1 g3 ) đ , msk â
RF đ óľ¨đ
đĄ
đ
đ
â,2đ ) â đşđ2đ4 , where (đĄâ,1 , . . . , đĄâ,2đ ) â ół¨ (Zâđ)2đ , and sets ó¸
đĚ Ě đĚâ Ě đž0 = âđâ â
đ2â đ 4,â â
đ3 đ4,â ,
đž1 = đž0 đ1 â
đ
â,1 , .. . đâó¸ â
đ
ó¸ đŚ Ě đâ â
đ (đ3 đ 4)
Ěâ â
đ
â,2đâ1 , â
đ
Ěâ â
đ
â,2đ , â
đ
.. . đž2đ = đž0 đ2đ â
đ
â,2đ .
(C.17)
if (đđđâ )đ = 1,
ó¸
Ě4 ) đž2đâ1 = đž0 đ2đâ1 â
(đ2 đ
(C.16)
if (đđâ )đ = 1.
Ě = đđĽđŚ+đž . if đ 3 đĄ
â
Ě đâ1 ( đđâ óľ¨óľ¨óľ¨ ) â
RF Ě đ ( đđâ óľ¨óľ¨óľ¨ ) , Kâ ) KeyGen (đ˘â , msk â
RF óľ¨đâ1 óľ¨đ
ó¸
Then B3 generates đâó¸ â Zâđ, (đ4â,1 , . . . , đ4â,2đ ) = (đ
â,1 , . . . ,
đž2đ = đž0
if (đđâ )đ = 0,
đĄ Ě đ ( đđâ óľ¨óľ¨óľ¨ )) Enc (đđâ , mpk, (g1 g2 ) đ , msk â
RF đ óľ¨đ
Ě = đđĽđŚ+đž , if đ 2
đĚ đŚ
đ2đ
Ě đ ( đđâ óľ¨óľ¨óľ¨ ) â
RF Ě đâ1 ( đđâ óľ¨óľ¨óľ¨ ) , Kâ ) KeyGen (đ˘â , msk â
RF óľ¨đ óľ¨đâ1
đ
Ě = đđĽđŚ if đ 2
â Ě4,â , {đ3 â
đ Ě đâ = { đžĚâó¸ đĚâ đŚ Ě {đ3 â
đ4,â â
đ3 ,
đŚ
where đžĚâ , đžĚâ â Zâđ. Next B3 answers â-th secret key generation query for identity đđâ with prefix đđâ |đ that is not a prefix of an already queried identity as
ół¨ Zâđ and returns B3 chooses đĄđ â
respectively, where â Ě4,â , {đ2 â
đ Ě đâ = { đžĚâó¸ đĚâ đŚ Ě {đ2 â
đ4,â â
đ2 ,
(C.15)
if (đđâ )đ = 1,
đź
đ
Ě đ ( đđâ óľ¨óľ¨óľ¨ ) = RF Ě đâ1 ( đđâ óľ¨óľ¨óľ¨ ) , RF óľ¨đ óľ¨đâ1 Ě đ ( đđâ óľ¨óľ¨óľ¨ ) = RF Ě đâ1 ( đđâ óľ¨óľ¨óľ¨ ) â
(Ěâ)đžĚâ RF óľ¨đ óľ¨đâ1
đ2đ
â
đ
4,2đ ) , đ
Ě đ ( đđâ óľ¨óľ¨óľ¨ ) = RF Ě đâ1 ( đđâ óľ¨óľ¨óľ¨ ) â
(Ěâ)đžĚâ RF óľ¨đ óľ¨đâ1 if (đđâ )đ = 0,
(â1 , . . . , â2đâ1 , â2đ , . . . , â2đ ) = (âđ1 â
đ
4,1 , . . . , âđ2đâ1 đŚĚ đ (đ2 đ 4)
Thus Kâ = (đž0 , đž1 , . . . , đž2đâ1 , đž2đ , . . . , đž2đ ). For identity đđâ and â â [1, đkey ], B3 defines the random functions below:
(C.14)
â
â
where g1 g2 = ((đ1 đ2 )đĄâ , (đ1 đ2 )đ1 đĄ , . . . , (đ1 đ2 )đ2đ đĄ ), g1 g3 = đ
Ě Ě Ě ół¨ Zâđ. ((đ1 đ3 )đĄ , (đ1 đ3 )đ1 đĄ , . . . , (đ1 đ3 )đ2đ đĄ ), đĄâ , ĚđĄ â ó¸ Finally, A outputs a guess bit đ . B3 outputs 1 if đó¸ = đ, đĽđŚ đĽđŚ đĚ đŚ Ě đĚâ đŚ Ě otherwise 0. If đ = (đ2 , đ3 ) (i.e., đâ = (đ2â â
đ 4,â , đ3 â
đ4,â )), then the secret keys are distributed identically as in Game2,đ,1 . đĚâó¸ đĚâó¸ đĽđŚ+đžó¸ đĽđŚ+đžó¸ đĚ đŚ Ě đĚâ đŚ Ě , đ3 ) (i.e., đâ = (đ2â â
đ If đ = (đ2 4,â â
đ2 , đ3 â
đ4,â â
đ3 )), we have đĚ Ě4,â ) , (Ěâ, đ2â â
đ đĚâ Ě4,â ) (Ěâ, (Ěâ) â
đ đĚ Ě4,â ) , (Ěâ, đ3â â
đ đĚâ Ě4,â ) (Ěâ, (Ěâ) â
đ
(C.18)
14
Security and Communication Networks
identically distributed, respectively. Therefore, in this case, the distribution is the same as in Game2,đ,2 . Besides, the distribution of the challenge ciphertexts is identical in these two games. Hence, (C.7) holds.
Key Generation Queries. B4 defines a truly random function RFó¸ : {0, 1}đ â đşđ2 đ4 . Next it can answer the secret key generation queries for identity đ˘ â [1, đ] as
Lemma C.5 (Game2,đâ1,2 to Game2,đ,0 ). For any PPT adversary A with at most đđđđŚ = đđđđŚ (đ) key generation queries, đEnc = đEnc (đ) encryption queries, and running time ĚđĄ, there exists an algorithm B2 on DS2, with running time đĄ2 â ĚđĄ + O(đđđ (đkey + đEnc )), for some constant đ â N, such that
KeyGen (đ˘, msk â
RFó¸ (đđ) , K) ,
óľ¨óľ¨ óľ¨ óľ¨óľ¨Pr [Game2,đâ1,2 = 1] â Pr [Game2,đ,0 = 1]óľ¨óľ¨óľ¨ ⤠Advđˇđ2 B2 (đ) .
⤠Advđˇđ2 B2 (đ) .
(C.19)
â¤
âđ
+ đđ¸đđ â
O (2 ) .
(C.21)
đ đ2đ
đ đ
g = (đ1đ , đ1 1 , . . . , đ1 đ đ1 đ
gđ = (đ1đ đ , đ1
đ đ2đ đ
, . . . , đ1
đ
ół¨ Setup. B4 chooses (đź, đ1 , . . . , đ2đ ) â đ đ (đ1 1 , . . . , đ1 2đ ) â đşđ2đ1 . Set â = đ â (Zâđ)2đ and compute (đ
4,1 , . . . , đ
4,2đ )
Thus
Z2đ+1 đ
and computes đ
đşđ, (đ1 , đ2 , . . . , đ2đ ) â ół¨ đ đ = (đ41 , . . . , đ42đ ) â đşđ2đ4 .
(â1 , . . . , â2đ ) = (âđ1 â
đ
4,1 , . . . , âđ2đ â
đ
4,2đ ) ; đ
đź
mpk = (đ1 , đ1 1 , . . . , đ1 2đ , â, đ (đ1 , â) , â1 , . . . , â2đ ) , (C.23)
);
Ě
(C.25)
Ě
Ěđ đ đ đ đ đ gĚđ = (đ2Ěđ đ , đ2 2 , . . . , đ2 2đ ) ; đ
đ đ (đ2Ěđ ) , đ{2,4} , đ{2,4} , đ{2,4} , đ
where đ , đ Ě â ół¨ Zâđ. Then B4 runs the algorithm Rerandđđđ (đ, đ đ g, gđ , gĚ, gĚđ , (đ2Ěđ )đ , đ{2,4} , đ{2,4} , đ{2,4} , đ) in [19] and outputs đ
đ
đ đ đ , đ{2,4} , đđđđ ), where (gđđ , gĚđđ , (đ2Ěđ )đđ , đ{2,4} đ đ
đ đ1 đđ
gđđ = (đ1 đ , đ1
đ đ2đ đđ
, . . . , đ1
đ đ1 đ đ1
đĄ
â
(đ1đ ) 1 , (đ1
đ đ
đ
) = ((đ1đ đ ) 1 đ đ2đ đ đ1
đĄ
) â
(đ1 1 ) 1 , . . . , (đ1
)
đ đ2đ đĄ1
â
(đ1
) ),
Ě
Ě
đ1
Ě
đ đ đ đ đ đ đ đ gĚđđ = (đĚ2 đ , đĚ2 1 đ , . . . , đĚ2 2đ đ ) = ((đĚ2Ěđ đ ) Ěđ đ1 đ đ1
đĄ1
â
(đĚ2Ěđ ) , (đĚ2 Ěđ đ
Ěđ đ
Ěđ đ2đ đ đ1
đĄ1
) â
(đĚ2 1 ) , . . . , (đĚ2
)
(C.26)
đĄ1
â
(đĚ2 2đ ) ) , đđ
đ2
đĄ2
(đ2Ěđ ) = (đ2Ěđ đ ) â
(đ2Ěđ ) = (đ2Ěđ )
where đ, đ, đ, đ§ â Zâđ.
),
Ěđ đ đ đ gĚ = (đ2Ěđ , đ2 2 , . . . , đ2 2đ ) ,
đ đ đˇ = (đş, đşđ , N, đ, đ, (đđ )đ , đ1đ , đ2đ , đ2đ , đ{2,4} , đ{2,4} , đ{2,4} ) , (C.22)
msk = âđź .
đ
Encryption Queries. Upon receiving encryption queries đđâ for some đ â [1, đEnc ], B4 sets
Proof. B4 is provided with the instance (đˇ, đ) where đ is either đ(đ2 , đ2 )đđđ or đ(đ2 , đ2 )đ§ , for
đ
đó¸
(C.20)
Lemma C.7 (Game3 to Game4 ). For any PPT adversary A with at most đkey = đkey (đ) key generation queries, đEnc = đEnc (đ) encryption queries, and running time ĚđĄ, there exists an algorithm B4 on DS-BDDH with running time đĄ4 â ĚđĄ + O(đđđ (đkey + đEnc )), for some constant đ â N such that
Advđˇđ-đľđˇđˇđť (đ) B4
đ
Ě Ě ĚđĄ ó¸ ó¸ ó¸ and K = (âđĄ , â1đĄ â
đ
4,1 , . . . , â2đ â
đ
4,2đ ) for ĚđĄ â ół¨ Zâđ, (đ
4,1 ,..., đó¸
In Game2,đ,0 all the challenge ciphertexts are semifunctional of type-(â§, đ â 1), while in Game2,đâ1,2 if đth bit of challenge identity đđ is 0 (i.e., đđđ = 0), the challenge ciphertexts are totally identical to those in Game2,đ,0 . Otherwise, the challenge ciphertexts are semifunctional of type-(âź, đ â 1). Actually, the proof of (Game2,đâ1,2 to Game2,đ,0 ) and (Game2,đ,2 to Game3 ) is similar to that in Lemma C.3 and thus omitted.
óľ¨óľ¨ óľ¨ óľ¨óľ¨Pr [Game3 = 1] â Pr [Game4 = 1]óľ¨óľ¨óľ¨
đ
ó¸
where RFó¸ : đđ ół¨â (đ{2,4} )đž (đđ) , đžó¸ (đđ) : đđ ół¨â đžó¸ for đžó¸ â ół¨ Zâđ,
ó¸ ó¸ ) = (đ41 , . . . , đ42đ ), where (đ1ó¸ , . . . , đ2đ )â ół¨ (Zâđ)2đ . đ
4,2đ
Lemma C.6 (Game2,đ,2 to Game3 ). For any PPT adversary A with at most đkey = đkey (đ) key generation queries, đEnc = đEnc (đ) encryption queries, and running time ĚđĄ, there exists an algorithm B2 on DS2, with running time đĄ2 â ĚđĄ + O(đđđ (đkey + đEnc )), for some constant đ â N, such that óľ¨óľ¨ óľ¨ óľ¨óľ¨Pr [Game2,đ,2 = 1] â Pr [Game3 = 1]óľ¨óľ¨óľ¨
(C.24)
đđ2 +đĄ2
đ
đ2
đĄ
đđ +đĄ
đ
đ3
đĄ
đđ +đĄ
,
đ đ 2 2 2 đ{2,4} = (đ{2,4} ) â
đ{2,4} = đ{2,4} , đ đ 3 3 3 = (đ{2,4} ) â
đ{2,4} = đ{2,4} , đ{2,4} đ = đ (đ2Ěđ , đ{2,4} ) đđđđ
đ§đđđ
,
đ
where đ1 , đ2 , đ3 , đĄ1 , đĄ2 , đĄ3 â ół¨ Zâđ, đ§đ = đ§đ1 + đđđĄ1 ; đ§đđ = đ§đ đ2 + đđ đđĄ2 , đ§đđđ = đ§đđ đ3 + đđ đđ đĄ3 . It is easy to check that đđ , đđ , đđ
Security and Communication Networks
15
are uniformly distributed in Zđ. If đ§ = đđđ, then đ§đ = đđ đđ, đ = đđđ đđ đđ . For the case đ§đđ = đđ đđ đ, đ§đđđ = đđ đđ đđ and đđđđ đ§ ≠ đđđ, since đ, đ, đ, đ§, đ1 , đĄ1 , đ2 , đĄ2 , đ3 , đĄ3 â Zâđ and đđ , đđ , đđ are uniformly distributed over Zđ, we have đ§đ , đ§đđ , đ§đđđ all đ = đ(đĚ2Ěđ , đ{2,4} )đ§đđđ . uniformly distributed in Zđ and đđđđ
đđ
đđ đđ đ (gđđ , gĚđđ , (đ2Ěđ ) , đ{2,4} , đ{2,4} , đđđđ ) đ
đ âół¨ Rerandđđđ (đ, g, gđ , gĚ, gĚđ , (đ2Ěđ ) , đ{2,4} , đ{2,4} , (C.27) đ đ{2,4} , đ)
(i) If the challenge identity was not queried before, then B4 computes
đ
đđ
((đ1đ đĚ2Ěđ ) , ( â (đ1đ đĚ2Ěđ ) đ=1
đ2đâđ đ
đđ
ó¸
đ
đ
đ đ (gđđ , gĚđđ , (đ2Ěđ ) , đ{2,4} , đ{2,4} , đđó¸ ) âół¨ Rerandđ (đ,
(C.29) đđ
g, g , gĚ, gĚ
đđ
đđ , (đ2Ěđ )
đđ
đđ
đ ) , H (đ ((đ1đ đĚ2Ěđ ) , msk) â
đđđđ )) .
(ii) If the challenge identity was queried before, then B4 uses the algorithm Rerandđ in [19] to compute ó¸
and returns
đđ đđ đ , đ{2,4} , đ{2,4} , đ{2,4} , đađđ )
of Rerandđ and Rerandđ , đđ , đđ are uniformly distributed in Zđ. Since the uniform distribution in Zđ is statistically indistinguishable from the uniform distribution in Zâđ, we have that the distribution of challenge ciphertexts are O(2âđ )close to that of Game3 . Note that we implicitly set đžĚđ = đđ đđ . For the challenge identity queried before, we can just rerandomize the previously used query value đđ . If đ = đ(đ2 , đ2 )đ§ , then
and returns đ
đđó¸
((đ1đ đĚ2Ěđ ) , (â (đ1đ đĚ2Ěđ )
đ2đâđ đ
đđ
đ
đ2đâđ đ
((đ1đ đĚ2Ěđ ) , (â (đ1đ đĚ2Ěđ )
đđó¸
(C.28)
đđ
) ,
đ=1
) ,
đ=1
(C.30)
đđ
đđó¸
H (đ ((đ1đ đĚ2Ěđ ) , msk) â
đó¸ đ )) .
đ
đ2đâđ (â (đ1đ đĚ2Ěđ ) đ ) đ=1
The distribution of mpk and the requested user secret keys are identical to the real scheme. If đ = đ(đ2 , đ2 )đđđ = đ((đ1 đ2 )đ , đ{2,4} )đđ and the challenge identity was not queried before, đđ ((đ1đ đĚ2đ Ě)
đ
đ2đâđ , (â (đ1đ đĚ2đ Ě) đ ) đ=1
đđ
,
đđ
đđ
đ )) = ((đ1đ đĚ2Ěđ ) , H (đ ((đ1đ đĚ2Ěđ ) , msk) â
đđđđ
đ
đ2đâđ đ
(â (đ1đ đĚ2Ěđ )
(C.31)
đđ
đđ
đ H (đ ((đ1đ đĚ2Ěđ ) , msk) â
đđđđ )) = ((đ1đ đĚ2Ěđ ) ,
(C.32)
đđ
,
đđ
đ§đđđ â
đđâ1
H (đ ((đ1đ đĚ2Ěđ ) , msk â
(đ{2,4} )
))) .
Since đđ , đ§đđđ are uniformly distributed over Zđ. So đ((đ1đ đĚ2Ěđ )đđ , â1 msk â
(đ{2,4} )đ§đđđ â
đđ ) is statically close to the uniform distribution of subgroup of đşđ . Due to the property of universal hash function we have SD((H, H(đ((đ1đ đĚ2Ěđ )đđ , msk â
â1 (đ{2,4} )đ§đđđ â
đđ ))); (H, đ)) = O(2âđ ) for đ â {0, 1}đ . Thus the challenge ciphertexts are distributed O(2âđ )-close to that of Game4 . Hence (C.21) holds. Finally, we have
) ,
đ=1
DS1 DS2 AdvMA A,BE (đ) ⤠AdvB1 (đ) + 2đ â
AdvB2 (đ) + đ đđ
đđ
H (đ ((đ1đ đĚ2Ěđ ) , msk â
(đ{2,4} ) đ đ ))) . Note that the exponents đ, đ, đ, and đ§ are required to be uniformly distributed in Zâđ, but when we reuse the outputs
DS-BDDH â
AdvDS3 + đEnc B3 (đ) + AdvB4
â
O (2âđ ) , which completes the proof of Theorem 6.
(C.33)
16
Security and Communication Networks
Disclosure Parts of this paper are presented at Inscrypt 2016.
[11]
Conflicts of Interest The authors declare that there are no conflicts of interest regarding the publication of this paper.
[12]
Acknowledgments All authors were funded by National 973 Grant 2013CB834205, NSFC Grant 61672019, and The Fundamental Research Funds of Shandong University Grant 2016JC029. Puwen Wei was also funded by NSFC Grant 61502276.
[13]
[14]
References [1] A. Fiat and M. Naor, âBroadcast encryption,â in Advances in Cryptologyâ(CRYPTO â93), D. R. Stinson, Ed., vol. 773 of Lecture Notes in Computer Science, pp. 480â491, Springer, Berlin, Germany, 1993. [2] I. Kim and S. O. Hwang, âAn optimal identity-based broadcast encryption scheme for wireless sensor networks,â IEICE Transactions on Communications, vol. E96-B, no. 3, pp. 891â895, 2013. [3] D. Naor, M. Naor, and J. Lotspiech, âRevocation and tracing schemes for stateless receivers,â in Proceedings of the Advances in Cryptologyâ(CRYPTO â01), 21st Annual International Cryptology Conference, pp. 41â62, Springer, Berlin, Germany. [4] D. Halevy and A. Shamir, âThe LSD broadcast encryption scheme,â in Advances in Cryptologyâ(CRYPTO â02), M. Yung, Ed., vol. 2442 of Lecture Notes in Computer Science, pp. 47â60, Springer, Berlin, Germany, 2002. [5] M. T. Goodrich, J. Z. Sun, and R. Tamassia, âEfficient treebased revocation in groups of low-state devices,â in Advances in Cryptologyâ(CRYPTO â04), M. K. Franklin, Ed., vol. 3152 of Lecture Notes in Computer Science, pp. 511â527, Springer, Berlin, Germany, 2004. [6] Y. Dodis and N. Fazio, âPublic key broadcast encryption for stateless receivers,â in Security and Privacy in Digital Rights Management, ACM CCS-9 Workshop, J. Feigenbaum, Ed., vol. 2696 of Lecture Notes in Computer Science, pp. 61â80, Springer, Berlin, Germany, 2003. [7] D. Boneh, C. Gentry, and B. Waters, âCollusion resistant broadcast encryption with short ciphertexts and private keys,â in Advances in Cryptologyâ(CRYPTO â05), V. Shoup, Ed., vol. 3621 of Lecture Notes in Computer Science, pp. 258â275, Springer, Berlin, Germany, 2005. [8] C. Gentry and B. Waters, âAdaptive security in broadcast encryption systems (with short ciphertexts),â in Advances in Cryptologyâ(EUROCRYPT â09), A. Joux, Ed., vol. 5479 of Lecture Notes in Computer Science, pp. 171â188, Springer, Berlin, Germany, 2009. [9] B. Waters, âDual system encryption: realizing fully secure IBE and HIBE under simple assumptions,â in Advances in Cryptologyâ(CRYPTO â2009), S. Halevi, Ed., vol. 5677 of Lecture Notes in Computer Science, pp. 619â636, Springer, Berlin, Germany, 2009. [10] D. Boneh, B. Waters, and M. Zhandry, âLow overhead broadcast encryption from multilinear maps,â in Advances in Cryptologyâ(CRYPTO â14), J. A. Garay and R. Gennaro, Eds.,
[15]
[16]
[17]
[18]
[19]
[20]
vol. 8616 of Lecture Notes in Computer Science, pp. 206â223, Springer, Berlin, Germany, 2014. D. Boneh and B. Waters, âA fully collusion resistant broadcast, trace, and revoke system,â in Proceedings of CCS 2006: 13th ACM Conference on Computer and Communications Security, pp. 211â 220, Alexandria, Virginia, USA, November 2006. J. H. Han, J. H. Park, and D. H. Lee, âTransmission-efficient broadcast encryption scheme with personalized messages,â IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences, vol. E96-A, no. 4, pp. 796â806, 2013. M. Zhang, B. Yang, Z. Chen, and T. Takagi, âEfficient and adaptively secure broadcast encryption systems,â Security and Communication Networks, vol. 6, no. 8, pp. 1044â1052, 2013. J. Kim, W. Susilo, M. H. Au, and J. Seberry, âAdaptively secure identity-based broadcast encryption with a constantsized ciphertext,â IEEE Transactions on Information Forensics and Security, vol. 10, no. 3, pp. 679â693, 2015. S. H. Islam, M. K. Khan, and A. M. Al-Khouri, âAnonymous and provably secure certificateless multireceiver encryption without bilinear pairing,â Security and Communication Networks, vol. 8, no. 13, pp. 2214â2231, 2015. H. Wee, âD´ej`a Q: Encore´e un petit IBE,â in Theory of Cryptographyâ13th International Conference, TCC 2016-A, E. Kushilevitz and T. Malkin, Eds., vol. 9563 of Lecture Notes in Computer Science, pp. 237â258, Springer, Berlin, Germany, 2016. M. Bellare, A. Boldyreva, and S. Micali, âPublic-key encryption in a multi-user setting: security proofs and improvements,â in Advances in Cryptologyâ(EUROCRYPT â2000), B. Preneel, Ed., vol. 1807 of Lecture Notes in Computer Science, pp. 259â274, Springer, Berlin, Germany, 2000. D. Hofheinz and T. Jager, âTightly secure signatures and public-key encryption,â Designs, Codes and Cryptography. An International Journal, vol. 80, no. 1, pp. 29â61, 2016. D. Hofheinz, J. Koch, and C. Striecks, âIdentity-based encryption with (almost) tight security in the multi-instance, multiciphertext setting,â in Public-key cryptographyâ(PKC â15), J. Katz, Ed., vol. 9020 of Lecture Notes in Computer Science, pp. 799â822, Springer, Berlin, Germany, 2015. J. Chen and H. Wee, âFully, (almost) tightly secure IBE and dual system groups,â in Advances in Cryptologyâ(CRYPTO â13), R. Canetti and J. A. Garay, Eds., vol. 8043 of Lecture Notes in Computer Science, pp. 435â460, Springer, Berlin, Germany, 2013.
International Journal of
Rotating Machinery
(QJLQHHULQJ Journal of
Hindawi Publishing Corporation http://www.hindawi.com
Volume 201
The Scientific World Journal Hindawi Publishing Corporation http://www.hindawi.com
Volume 2014
International Journal of
Distributed Sensor Networks
Journal of
Sensors Hindawi Publishing Corporation http://www.hindawi.com
Volume 2014
Hindawi Publishing Corporation http://www.hindawi.com
Volume 2014
Hindawi Publishing Corporation http://www.hindawi.com
Volume 2014
Journal of
Control Science and Engineering
Advances in
Civil Engineering Hindawi Publishing Corporation http://www.hindawi.com
Hindawi Publishing Corporation http://www.hindawi.com
Volume 2014
Volume 2014
Submit your manuscripts at https://www.hindawi.com Journal of
Journal of
Electrical and Computer Engineering
Robotics Hindawi Publishing Corporation http://www.hindawi.com
Hindawi Publishing Corporation http://www.hindawi.com
Volume 2014
Volume 2014
VLSI Design Advances in OptoElectronics
International Journal of
Navigation and Observation Hindawi Publishing Corporation http://www.hindawi.com
Volume 2014
Hindawi Publishing Corporation http://www.hindawi.com
Hindawi Publishing Corporation http://www.hindawi.com
Chemical Engineering Hindawi Publishing Corporation http://www.hindawi.com
Volume 2014
Volume 2014
Active and Passive Electronic Components
Antennas and Propagation Hindawi Publishing Corporation http://www.hindawi.com
$HURVSDFH (QJLQHHULQJ
Hindawi Publishing Corporation http://www.hindawi.com
Volume 2014
+LQGDZL3XEOLVKLQJ&RUSRUDWLRQ KWWSZZZKLQGDZLFRP
9ROXPH
Volume 201-
International Journal of
International Journal of
,QWHUQDWLRQDO-RXUQDORI
Modelling & Simulation in Engineering
Volume 2014
Hindawi Publishing Corporation http://www.hindawi.com
Volume 2014
Shock and Vibration Hindawi Publishing Corporation http://www.hindawi.com
Volume 2014
Advances in
Acoustics and Vibration Hindawi Publishing Corporation http://www.hindawi.com
Volume 2014