
Chapter 4 Analysis


Table 2. A Fragment of a bulletin board.

In the Tun phase, when a friend $U_f$ of user $U$ performs cooperative behaviors on contents, our scheme delivers shares to $U_f$. The strawman solution counts all cooperative behaviors of the friends of user $U$ on the owner side. The drawback of this solution is its storage overhead and bulletin board management overhead: the storage overhead on the owner side is proportional to the number of friends of owner $U$. Our solution distributes the storage overhead to each friend of user $U$, thereby decreasing both the storage overhead and the bulletin board management overhead. In the secret recovery phase, this solution can use a secure channel to deliver the key to the user who reaches the threshold.

4.2 Security analysis

Key recovery security

The security of our (Sha, Tun, Rec, Upd) scheme is based on the security of the key allocation scheme [24] that we introduced in section 2.2. More specifically, our proof of security is in the standard model, assuming that the hash function $H(x)$ can be implemented as a pseudo-random function $F(x)$. We show security of the scheme against an active adversary who is allowed to adaptively corrupt nodes in the graph. After corrupting some nodes, the adversary is presented with a challenge: it is asked to recover the key of a node that is not a descendant of a corrupted node (the adversary is allowed to corrupt additional nodes as long as this condition still holds). We claim that if the adversary wins this game with non-negligible probability, then we can construct an adversary who obtains a non-negligible advantage in breaking the security of the PRF, contradicting the definition of a PRF given in Definition 2.

Now assume that adversary $B$ is given access to the public information associated with the key assignment of $G$ and is allowed to adaptively corrupt nodes from $V$. That is, $B$ obtains $K_i \leftarrow KA(v_i)$, where $v_i \in V$, and can compute $F_{k_i}(h)$ for arbitrary labels $h \in \{0,1\}^*$. At some point, $B$ makes a single query to a challenge oracle $v_c \leftarrow C(G)$, where $v_c$ is a node of the graph that is not a descendant of any corrupted node and is chosen by the oracle. After that, $B$ may corrupt more nodes that do not have the challenge node $v_c$ among their descendants.

At some point $B$ outputs a key $\hat{k} \in \{0,1\}^*$ and wins if $\hat{k} = k_c$.

Definition 4. Let $KA$ be a key allocation that implements an access graph $G = (V, O, E)$ and let $B$ be an algorithm that has access to the oracles described above and returns a string in $\{0,1\}^*$. We consider the following experiment:

Experiment $\mathrm{Exp}^{kr}_{KA,B}$

    $\hat{k} \leftarrow B^{KA(v_i),\,C(G)}$
    if after a call to $v_c = C(G)$, $B$ makes a query $KA(v_i)$ where $v_c \in Desc(v_i)$, return 0
    if $\hat{k} = k_c$ then return 1 else return 0

The kr-advantage of $B$ is defined as

    $\mathrm{Adv}^{kr}_{KA,B} = \Pr[\mathrm{Exp}^{kr}_{KA,B} = 1]$.
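As an added example (not the thesis's own code), the key-recovery experiment above is run against a small hash-based key allocation. The per-edge construction $y_{ij} = k_j \oplus F_{k_i}(l_j)$, the HMAC-SHA256 instantiation of $F$, the four-node graph and both adversaries are assumptions of this example, not taken from the page.

```python
import hmac, hashlib, secrets

def F(key, label):   # PRF F_k(label); HMAC-SHA256 stands in for the hash-based PRF (assumption)
    return hmac.new(key, label, hashlib.sha256).digest()
xor = lambda a, b: bytes(x ^ y for x, y in zip(a, b))

def key_allocation(edges):   # KA: private k_i and public label l_i per node, y_ij = k_j XOR F_{k_i}(l_j) per edge
    nodes = {v for e in edges for v in e}
    keys = {v: secrets.token_bytes(32) for v in nodes}
    labels = {v: v.encode() for v in nodes}                    # constructed public labels
    pub = {(i, j): xor(keys[j], F(keys[i], labels[j])) for (i, j) in edges}
    return keys, {"labels": labels, "edges": pub}

def descendants(edges, v):   # Desc(v): v itself plus every node reachable from v
    return {v}.union(*(descendants(edges, j) for (i, j) in edges if i == v))

def derive(public, known):
    """Every key a holder of `known` can compute from the public edge values."""
    known, changed = dict(known), True
    while changed:
        changed = False
        for (i, j), y in public["edges"].items():
            if i in known and j not in known:
                known[j] = xor(y, F(known[i], public["labels"][j]))
                changed = True
    return known

def exp_kr(edges, adversary):
    """Exp^kr_{KA,B}: 1 iff B outputs k_c without having corrupted a node above v_c."""
    keys, public = key_allocation(edges)
    corrupted, challenge = set(), []
    def KA(v):                        # corruption oracle KA(v_i)
        corrupted.add(v); return keys[v]
    def C():                          # challenge oracle: picks v_c not below any corrupted node
        bad = {d for v in corrupted for d in descendants(edges, v)}
        challenge.append(min(v for v in keys if v not in bad)); return challenge[0]
    k_hat = adversary(public, KA, C)
    v_c = challenge[0]
    if any(v_c in descendants(edges, v) for v in corrupted):   # v_c in Desc(v_i): return 0
        return 0
    return int(k_hat == keys[v_c])

EDGES = [("A", "B"), ("A", "C"), ("B", "D"), ("C", "D")]        # constructed access graph
def honest_adversary(public, KA, C):   # corrupts B, derives below B, must guess k_c elsewhere
    known = derive(public, {"B": KA("B")})
    return known.get(C(), secrets.token_bytes(32))

def cheating_adversary(public, KA, C):   # takes the challenge, then corrupts A above v_c: scored 0
    v_c = C()
    return derive(public, {"A": KA("A")})[v_c]
```

Both adversaries score 0: the honest one holds only keys in $Desc(B)$ and the challenge lies elsewhere, while the cheating one recovers $k_c$ but breaks the $v_c \notin Desc(v_i)$ rule.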

While the above definition assumes an adaptive adversary, in our case this adversary is no more powerful than a static adversary that is given the maximum amount of information.

That is, if an adversary $B$ is given a challenge node $v_c$, the keys of every child of $v_c$, and the keys of every sibling of each node on the path from the root to $v_c$, then $B$ can generate keys for all nodes in the graph except $v_c$ and its ancestors. More specifically, adversary $B$ obtains access to a single oracle that returns a challenge node $v_c$ along with all of the node keys described above, and $B$ eventually outputs its guess for $k_c$. Since a static adversary makes our presentation easier, we assume a static adversary with maximal power from now on.

If the adversary $B$ has a non-negligible advantage in the key recovery experiment, then we can construct an adversary $A'_B$ that uses $B$ and can distinguish between a PRF and a random function with non-negligible probability (i.e. break the security of PRFs).

LEMMA 1. pseudo-random functions using algorithm $B$. Instead of using the public information associated with the graph $G = (O, V, E)$ constructed according to the above key assignment scheme, in this experiment the public information is constructed in such a way that with 50% probability the key assignment is performed in the usual way, and with 50% probability one of the functions $F_{k_c}$ ($v_c \in V$) is replaced with a random function $g$.

$A'_B$ obtains access to the same oracle $C(G)$ as $B$ did, and when querying this oracle obtains a challenge node $v_c$ along with the keys of the children of $v_c$ and of the siblings of the ancestors of $v_c$ (let this set of keys be denoted $\mathcal{K}_c$, so that $\{v_c, \mathcal{K}_c\} = C(G)$). $A'_B$ is then asked to decide whether $F_{k_c}$ or $g$ was used in the key assignment.

It can be constructed as follows:

Adversary $A'_B$

In the above algorithm, if $B$ guesses the key correctly, $A'_B$ assumes that the PRF was used. If $B$ does not return the correct key, $A'_B$ bets on the random function. Now the prf-advantage of $A'_B$

and if $g$ was used, the probability that $F_{\hat{k}}(l_j)$ results in the same value as $g(l_j)$ is $\frac{1}{2}$.

Now the proof of key recovery security follows directly from Lemma 1, which states that if an adversary can break the scheme with non-negligible probability, it will also be able to break the security of PRFs.

Backward secrecy

Consider a participating user who joins, and assume he is a friend $U_f$ of $U$ who recovers the secret $k_{3,t}$ (i.e. the secret associated with $v_3$ in time period $t$). $U_f$ cannot recover the secret $k_{3,t-1}$: by the one-way property of $F$, $U_f$ cannot recover the master key $K_3$ or the instance secret $w_t$ from $k_{3,t}$. Even if he knows the master key $K_3$, he does not know the instance secret $w_{t-1}$, and therefore he cannot recover $k_{3,t-1}$. Therefore, our proposed scheme guarantees backward secrecy.

Forward secrecy

Consider a participating user who leaves, and assume he is a friend $U_f$ of $U$ who recovers the secret $k_{3,t}$ (i.e. the secret associated with $v_3$ in time period $t$). $U_f$ cannot generate the secret $k_{3,t+1}$ from $k_{3,t}$, since we generate $k_{3,t+1}$ using the instance secret $w_{t+1}$, which is chosen at random. Therefore, our proposed scheme guarantees forward secrecy.
