The PK-LSD-PI scheme

,...,

), , ( , ,

( ^{( ) ( )}

) ( 1

1) (

1 iz z

jz i

j t rf t

r rf

r me g h g g

g

S ^ρ

For decryption, a non-revoked user finds an appropriate subset

j jt

Si_, in the header and applies the Lagrange interpolation to compute the session key m.

We note that the private key size is still O(logn)and paring computing is reduced to 1 time.

4.4The PK-LSD-PI scheme

We can construct the PK-LSD-PI scheme in the simialar way. The numbers of public and private keys are O(1) and O(log^1+ε n), respectively , for any constant 0<ε <1. The header size O(r/ε), which is O(r) for constant ε . The decryption cost is again

) 1 ( O

Chapter5

Security Analysis

5.1The BE-PI scheme

We show that BE-PI scheme is fully collusion-resistant. No matter how many revoked users collude, they cannot compute the session key m. We show that it is one way secure (without decryption queries). The definition of one-wayness security is similar to the indistinguishability security except that the adversary, who controls the set U \ S^* of revoked users, is required to compute the session key m from the challenge )Hdr^*(S^*,m , where S is chosen by the adversary in advance. Later, we ^* shall how to achieve the IND-CCA security. Let q_H be the number of queries to hash function H by the collusion of the revoked users.

Theorem 1. Assume that the CBDH problem is (t₁,ε₁)−hard . For any

⎡

^log2n

⎤

0≤α ≤ , if the number of revoked user is no more than L=2^α, any collusion of them cannot decrypt the header to obtain the session key with probability ε =ε', time bound t =t₁−t' and q_H hash oracles under the random oracle model, where

'

t is polynomially bounded and q_H ≤t.

Proof. We reduce the CBDH problem to the problem of computing the session key from the header by the revoked users. Since the polynomials =

∑

^L= =

j

j i j

i a x

f 0

) (

0 and secret shares of users for the polynomials are independent for different i’s. We simply discuss security for a particular α . For notation simplicity in the proof, we drop the super index (α) from a_i^(α). Without loss of generality , let R={U_1,U₂,...,U_L} be the set of revoked users and S^* =U \R. Note that S was chosen by the adversary in ^*

advance. Let the input of the CBDH problem be (g,g^a,g^b,g^c), where the paring function is implicitly known. We set the parameters of decrypting header as follows:

1. Randomly select η₁,η₂,η₃,w₁,w₂,...,w_L∈Z_q. 2. Set the public key of the system:

i. Let the input g be the generator g in the system.

ii. Set f_α(i)=w_i,1≤i≤L. iii. Let g^a0 =g^fα(0) =g^a+η1.

iv. Compute g ,^ai 1≤i≤L, from g^a0 and g^f(j) = g^wj,1≤ j≤ L. This can be done by the Lagrange interpolation method over exponents.

v. Set g^ρ = g^b+η2

3. Set the secret key g^ρfα(i) of the revoked user U ,_i 1≤i≤L,as follows:

i. Compute g^ρfα(i) =(g^b)^wi 4. Set the header

L r r f

r f r f

f r

g g e g

g e g

g e i g g

g e

mˆ( , ) , ,( ,ˆ( , ) ,ˆ( , ) ,...,ˆ( , ) ,

(α ^{ρ α(0)} ₁ ^{ρ α(1) ρ α(2) ρ α( )} as

follows:

i. Let g^r = g^c+η3

ii. Compute eˆ(g^ρ,g^fα(i))^r =eˆ(g^ρ,g^r)^fα(i) =eˆ(g^b+η2,g^c+η3)^wi,1≤i≤L iii. Randomly select y∈G₁ and set me(g^ρ,g^fα(0))^r = y. We do not

know what m is. But, this does not matter.

Assume that the revoked users together can compute the session key m. During computation the users can query hash oracles H(.). If the query is of the right form

)

||

||

"

||"

(ID f j

H α , we set them to be g . If the query has ever been asked, we return ^aj the stored hash value for the query. For other non-queried inputs, we return random values in G . _q

We should check whether the distributions of the parameters in our reduction and those

in the system are equal. Since η₁,w₁,w₂,...,w_L are randomly chosen, g ,^ai 0≤i≤L are distributed uniformly over G_q^L+1, which is again the same as that of corresponding system parameters. The distributions of g in the header and ^r g in the public key ^ρ are both uniform over G . They are the same as the distributions of the system setting. _q Even thought we don’t known about m. We can check that they are all computed correctly. So, the reduction preserve the right distribution.

If the revoked users compute m from the header with probability ε , we can solve the CBDH problem with probability ε₁ =ε by computing the following:

(3)

Let t' be the time for this reduction and the solution computation in Equation (3). We can see that t' is polynomial bounded. Thus, if the collusion attack of the revoked users takes t₁−t' time, we can solve CBDH problem within time t₁.

Since each query takes a constant time, q_H cannot exceed runtime t. This complete the proof.

5.2The PK-SD-PI scheme

The proof of PK-SD-PI scheme is similart to BE-PI scheme. In PK-SD-PI scheme all polynomial f_j⁽ⁱ⁾(x) are degree one. Let the CBDH problem input values

2. All polynomials are degree 1. We can compute all values of f_j⁽ⁱ⁾(x). 3. Set g^ρ = g^b+η2. It is equal to above setting.

4. Assign secret shares ^{( )} ( ) ^{( )}, ^{( 2)},....

) ( 1 ) ( 1

) (

u i j u i j u

i

j U a f U f U

f g g

g^ρ = ^ρ to U_u ∈ . R

5. Let H(ID||"f"||i|| j||0)= g^wi,j,0 = g^ai,j,0 H(ID||"f"||i|| j||1)= g^wi,j,1 =g^ai,j,1.

For polynomial f_j⁽_'^i')(x)which secret shares are assigned to less than two revoked user.

The setting is similar to 5.1 . We choose random numbers η_i,'j,'1,w_i,'j,'u and set

0 , , )

' (

'ⁱ (0) _{i j}

j a

f = +η

(a is unknown value)

u j i i

j u w

f⁽_'^')( )= _{,' ,'}

, H(ID||"f"||i'|| j'||0)=g^a+ηi',j',1 , H(ID||"f"||i|| j||1)= g^ai,j,1 . Where g^ai,j,1 is computed from ^{(0) ( )}

) ' (

' ) ' (

' , ^{f u}

f_jⁱ _jⁱ

g

g .When we send the challenge message to set S\R . For each subset S_i,t, S only appear one time and revoked users under _i subtree S were all contained in subtree _i S . Such that all users in R has only one _t share f_j⁽ⁱ⁾(t) over function f_j⁽ⁱ⁾(x). By the proof of 5.1, if adversary can compute m from any header of subset S_i,t. We can solve the CBDH problem.

5.3The BE-PI-2 scheme

The proof of BE-PI-2 scheme is also based on CBDH problem. Let the input of the CBDH problem be (g,g^a,g^b,g^c), where the paring function is implicitly known.

We set the parameters of decrypting header as follows:

1. Randomly select τ,κ,μ₁,μ₂,...,μ_L,w₁,w₂,...,w_L∈Z_q. 2. Set the public key of the system:

i. Let the input g be the generator g in the system.

ii. Set f_α(i)=w_i,1≤i≤L. iii. Let g^a0 =g^fα(0) = g^a+τ.

iv. Compute g ,^ai 1≤i≤L, from g^a0 and g^f(j) = g^wj,1≤ j≤ L. This can be done by the Lagrange interpolation method over exponents.

v. Set h_α =g^b⋅g^κ = g^b+κ vi. Set g^ρ = g^a

3. Set the secret key (g^ri,g^rifα(i),g^rifα(0)h_α^a) of the revoked user U ,_i 1≤i≤L,as follows:

i. Let g^ri = g^−b⋅g^μi = g^−b+μi

ii. Compute g^rifα(i) =(g^ri)^wi,1≤i≤L

iii. Compute g^rifα(0)h_α^ρ = g^{(−b+μi)(a+κ)}(g^b+κ)^a =(g^b)^−κ ⋅g^a(μ+κ)⋅g^μκ

4. Set the header

)) ,

( ),..., ,

2 ( ), ,

1 ( , ) , ˆ( , ,

(

α

g^r me g^ρ h_α ^r g^rfα(1) g^rfα(2) L g^rfα(L) as follows:

i. Let g^r = g^c

ii. Compute g^rfα(i) =(g^c)^wi,1≤i≤L

iii. Randomly select y∈G₁ and set meˆ(g^ρ,h_α)^r = y. We do not know what m is. But, this does not matter.

If the revoked user compute m from the header with probability ε , we can solve the ₂ CBDH problem with probability ε₂'=ε₂ by the computing the following:

g abc

g e m

y⋅ ⁻¹ = ˆ( , )

在文檔中 低儲存量及常數計算量的公開金鑰廣播加密系統 (頁 41-46)