Anonymous Hierarchical Identity-Based Encryption ... - Unisinos

More documents

Recommendations

Info

CT ∗ real = [E, c 0, [c 0,(a) , c 0,(b) ], . . . , [c 1+D,(a) , c 1+D,(b) ]] — genuine ciphertext, as in a real attack;CT ∗ 0 = [⋆, c 0 , [c 0,(a) , c 0,(b) ], . . . , [c 1+D,(a) , c 1+D,(b) ]] — ciphertext for a random message;CT ∗ 1 = [⋆, c 0, [⋆, ⋆], [c 1,(a) , c 1,(b) ], . . . , [c 1+D,(a) , c 1+D,(b) ]] — first “linear pair” is random;· · ·CT ∗ n = [⋆, c 0, [⋆, ⋆], . . . , [⋆, ⋆], [c n,(a) , c n,(b) ], . . . , [c 1+D,(a) , c 1+D,(b) ]] — increasingly many corruptions;· · ·CT ∗ (1+D) = [⋆, c 0, [⋆, ⋆], . . . , [⋆, ⋆], [c 1+D,(a) , c 1+D,(b) ]] — last remaining “linear pair”;CT ∗ (2+D) = [⋆, c 0, [⋆, ⋆], . . . , [⋆, ⋆]] — all “linear pairs” replaced by random;CT ∗ random= [⋆, ⋆, [⋆, ⋆], . . . , [⋆, ⋆]] — completely random ciphertext, ipso facto anonymous.For each transition from one game to the next, we need to show that the adversary cannot tell thetwo games apart with non-negligible advantage. We already note the following:• The last two games, CT ∗ (2+D) and CT∗ random , are exactly the same since the only outstandingcomponent, c 0 = g r , is random and independent of the entire attack and thus amounts to ⋆(it is independent because there are no other components that depend on r).• The very first transition, from CT ∗ real to CT ∗ 0 , corresponds exactly to the semantic securityindistinguishability result we proved in the previous section, so we already know that theadversary cannot distinguish between them.For these reasons, we only need to focus on the intermediate transitions. In all of them, theelement E of the ciphertext is set to ⋆, which means that the simulator may completely disregardthe challenge plaintext chosen by the adversary.Proof of Theorem 7. It suffices to show that each of the middle 2 + D transitions (from CT ∗ i toCT ∗ i+1 for i = 0, . . . , 1 + D) is indistinguishable by the adversary. We show each of them to beindistinguishable under the Decision Linear assumption, in Lemmata 8 and 9. These results willestablish the theorem.Lemma 8. In the setting of Theorem 7, no adversary can distinguish Game #0 from Game #1,in time ˜τ ≈ τ, with advantage ˜ɛ ≈ ɛ, while making no more than q private key extraction queries.Proof. We reduce the Decision Linear problem in G to the adversary’s task in the stated attack.We build a reduction algorithm, B, that provides the adversary, A, with a simulated attack environment.Algorithm B is given as input a Decision Linear problem instance consisting of a tuple[g, g z 1, g z 2, g z 1 z 3, g z 2 z 4, ĝ, ĝ z 1, ĝ z 2, Z] ∈ G 5 × Ĝ3 × G for random exponents [z 1 , z 2 , z 3 , z 4 ] ∈ (Z p ) 4 ,where the test element Z ∈ G is either equal to g z 3+z 4or is a random element g z 5for some z 5 ∈ Z p .For clarity, the problem instance supplied to B will be rewritten as,The simulation is described as follows.⋄ Open :[g, g 1 , g 2 , g 31 , g 42 , ĝ, ĝ 1 , ĝ 2 , Z] ∈ G 5 × Ĝ3 × G .The adversary A opens the game by announcing the identity Id ∗ = [I ∗ 0 , I∗ 1 , . . . , I∗ L ∗] it wishesto attack, where A is allowed to choose the number of hierarchical components, L ∗ ∈ {1, . . . , D},although we impose that I ∗ 0 = 1 as usual. 22
⋄ Setup :To create public parameters, the simulator B starts by drawing a tuple of random non-zero integers[ω, [α n , β n ] n=1,...,1+D ] ∈ $ (Z × p )3+2 D , and a vector of random integers [θ 0,l ] l=0,...,D ∈ $ (Z p ) 1+D .For each n = 1, . . . , 1+D, it also selects a vector of pairs of integers [θ n,l , ¯θ n,l ] l=0,...,D ∈ $ (Z p ) 2 (1+D) ,subject to the constraint that ∑ L ∗¯θ l=0 n,l Il ∗ = 0 (mod p), where it is noted that the elements withindices greater than L ∗ are left unconstrained. Next, the simulator assigns,[]Ω, [ a 0,l , b 0,l ] l=0,...,D ,← ⎢[ [ a n,l , b n,l ] l=0,...,D ] ⎣n=1,...,1+D⎡e(g, ĝ) ω , g θ 0,l1 , g θ 0,l2[ [(g θ n,lg ¯θ n,l1 ) αn , (g θ n,lg ¯θ ]n,l1 ) βn[]l=0,...,D ,l=0,...,D]n=1,...,1+DThe adversary is provided with the public parameters, Pub, which include the context G and theelements Ω and [[a n,l , b n,l ] l=0,...,D ] n=0,...,1+D ; their distribution is as in the real scheme.To complete the setup, the simulator computes what it can of the private key. Note that thepublic parameter simulation pegs the exponents α 0 and β 0 from the real scheme to the respectiveunknowns z 1 and z 2 implicitly defined by the Decision Linear instance. B partially computes themaster key, Msk, as, (except for the crossed-out vector of ŷ 0,·)[ŵ, [ â 0 , ˆb]0 , [——————ŷ 0,l ] l=0,...,D ],[ â n , ˆb←n , [ ŷ n,l ] l=0,...,D ] n=1,...,1+D⋄ Query :⎡⎣[ĝ ω ,[ĝ1 , ĝ 2 , [————————ĝ α ]0 β 0 θ 0,l] l=0,...,D ,ĝ αn , ĝ βn , [ (ĝ θ n,lĝ ¯θ n,l1 ) αn βn ] l=0,...,D]n=1,...,1+DIn the first probing phase, the adversary makes a number of extraction queries on adaptivelychosen identities distinct from Id ∗ and all its prefixes. Suppose that A makes such a query on Id =[I 0 , . . . , I L ] where I 0 = 1. To prepare a response, B starts by determining the identity componentof lowest index, L ′ , such that I L ′ ≠ IL ∗ , letting L ′ = L ∗ + 1 in the event that Id ∗ is a prefix of Id.′Under the stated rules of query, such an L ′ ∈ {1, . . . , D} always exists and is uniquely defined in saidinterval. The private key is constructed in two steps. In the first step, B creates a private key for theidentity Id ′ = [I 0 , . . . , IL ′ ]. Notice that Id′ is either equal to or a prefix of Id, but not of Id ∗ . DefineΘ 0 ← ∑ L ′l=0 θ 0,l I l . For n = 1, . . . , 1 + D, also define Θ n ← ∑ L ′l=0 θ n,l I l and ¯Θ n ← ∑ L ′¯θ l=0 n,l I l , andnote that all ¯Θ n ≠ 0 (mod p) except with negligible probability ≤ (1+D) /p over the choice of [¯θ n,l ].To proceed, B picks a tuple of random integers [˜ρ 0 , [˜ρ 0,m ] m=0,...,1+D ] ∈ $ (Z p ) 3+D , and, additionally,picks a random tuple [˜ρ n , [˜ρ n,m ] m=0,...,1+D ] ∈ $ (Z p ) 3+D for every n = 1, . . . , 1 + D. Moreover,B selects a supplemental collection of integers, [χ n , [χ n,m ] m=0,...,1+D ] n=1,...,1+D ∈ (Z p ) (3+D) (1+D) ,subject to certain constraints to be discussed later. The simulator creates the decryption portionof the prototype private key for Id ′ as,[]k 0 , [ k 0,(a) , k 0,(b) ],←[ k n,(a) , k n,(b) ] n=1,...,1+D⎡ŵ⎢⎣1+D∏n=1⎛⎝ ( ĝ −Θn/¯Θn2[â −˜ρnn() L ′Θ0 ˜ρ 0 ∏l=0ŷ I ln,l)˜ρ n⎞⎠,ĝ χn ˜ρ 0 Θ 0/¯Θn βn −˜ρn2 , ˆb n ĝ χn ˜ρ 0 Θ 0/¯Θn αn223[â −˜ρ 0 (1+D)0 , ˆb]−˜ρ 0 (1+D)0 ,]n=1,...,1+D⎤⎥⎦ ,⎤⎥⎦ .⎤⎦ .
Page 1 and 2: This paper is available from the IA
Page 3 and 4: invertible homomorphism, etc.). To
Page 5 and 6: Informally, we say that an assumpti
Page 7: 4 A Primer : Anonymous IBEWe start
Page 10 and 11: Setup(1 Σ , D) To generate the pub
Page 12 and 13: Encrypt(Pub, Id, Msg) To encrypt a
Page 14 and 15: [9] Dan Boneh, Xavier Boyen, and Ho
Page 16 and 17: Threshold. It is a known result [8]
Page 18 and 19: Proof of Theorem 6. We prove the th
Page 20 and 21: On the other hand, we have, for l =
Page 24 and 25: and the re-randomization portion as
Page 26 and 27: then, we can equate, for every l =
Page 28: This concludes the description of t

Anonymous Hierarchical Identity-Based Encryption ... - Unisinos

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?