4. Public key encryption with equality test

4.2 The cipher-bound trapdoors

Equality test with cipher-bound trapdoors was proposed in [79]. In existing PKEET schemes the trapdoor is permanent: once Bob obtains Alice's trapdoor, he can test the equality of all of Alice's ciphertexts. That paper instead introduces a new idea called ciphertext-bound authority (CBA): the trapdoor that enables an equality test is issued ciphertext by ciphertext, so every ciphertext requires its own specific trapdoor. If ciphertext 1 is authorized to Bob, no information about ciphertext 2 is leaked, even when the two ciphertexts are encrypted under the same public key.

Syntax of CBA-PKEET

The architecture mainly follows Tang's AoN-PKEET construction; the only modification is the trapdoor, which changes from an overall authorization to an individual (per-ciphertext) authorization. For clarity, the syntax is restated here.

• Setup(1^κ): On input a security parameter κ, the public parameters pp are generated for public use.

• KGen(pp): A user picks a private/public key pair (sk, pk) using the public parameters pp; the public key is published and the private key is kept secret.

• 𝐸𝑛𝑐(𝑝𝑘, 𝑚): The sender uses the receiver’s public key to encrypt a message 𝑚 into a testable ciphertext 𝐶.

• 𝐷𝑒𝑐(𝑠𝑘, 𝐶): The receiver can decrypt the acquired ciphertext 𝐶 and obtain the hidden message 𝑚.

• Trapdoor(sk, C): The receiver can authorize the equality testability of a particular ciphertext C to some users through a trapdoor T ← Trapdoor(sk, C).

• Test(C′, C, T′, T): On input two ciphertexts (C′, C) and their receivers' trapdoors (T′, T), the authorized user verifies whether the two ciphertexts encrypt the same message. The algorithm outputs 1 if the messages are equal and 0 otherwise.

What advantages or applications do ciphertext-bound authorities provide?

Focus on the trapdoor phase: compared with the AoN-PKEET scheme, the trapdoor algorithm Trapdoor(sk, C) takes a ciphertext as an additional parameter. This is what is called a ciphertext-bound authority (or ciphertext-bound trapdoor). It gives the data receiver the additional choice of authorizing the tester for one particular ciphertext rather than for all ciphertexts. In the following two scenarios, authorizing a particular range of ciphertexts is more suitable than an overall authorization.

• A patient with a tooth problem visits a dentist. Before making a diagnosis, the dentist unavoidably checks the patient's medical records. Ciphertext-bound authorities let the patient reveal only the necessary tooth-related records to the dentist while keeping others, such as heart disease or high blood pressure, hidden for better privacy.

• Bank A wants to verify only one payment with bank B. If only equality test schemes with permanent trapdoors were available, bank A would have to open its entire ledger to bank B for a single equality test request. The ciphertext-bound authority offers a more flexible solution to this problem.

Numerous cases support the idea that an individual authorization is sometimes more flexible than an overall authorization. It is worth noting that overall authorizations still suit many current applications and will not be replaced by individual authorizations; the point is that individual authorization makes equality test schemes much more flexible and stable. After the syntax, a concrete construction of CBA-PKEET is proposed in this work.

• Setup(1^κ): On input a security parameter κ, a multiplicative cyclic group {𝔾, g, q} is generated, where g ∈ 𝔾 is a generator of 𝔾 and q is the order of 𝔾. The bit-lengths of elements of 𝔾 and ℤ_q are set as |𝔾| = |q| and |q| = κ, respectively. Three collision-resistant one-way hash functions H_1: {0,1}* → ℤ_q, H_2: 𝔾 → {0,1}^{2|q|+κ} and H_3: 𝔾 → {0,1}^κ are required. The message space ℳ is set identical to the group 𝔾. The output public parameters are pp ← {κ, 𝔾, g, q, H_1, H_2, H_3}.

• KeyGen(pp): On input the public parameters pp, a user randomly picks x ←$ ℤ_q as its private key and publishes the public key y ← g^x.

• Enc(pk, m): To encrypt a message m ∈ 𝔾, a sender randomly picks r ←$ ℤ_q and outputs C ← (U, V), where u ← H_1(m || r || H_3(m)), U ← g^u and V ← H_2(y^u) ⊕ (m || r || H_3(m)). The symbols ⊕ and || denote the XOR operation and concatenation, respectively.

• Dec(sk, C): To decrypt a ciphertext (U, V) ← C, the receiver computes m || r || H_3(m) ← H_2(U^x) ⊕ V and accepts m if U = g^{H_1(m || r || H_3(m))}.

• Trapdoor(sk, C): The receiver can authorize the equality testability of C to someone through the trapdoor T ← LSB_κ(H_2(U^x)). The symbol LSB_κ(·) denotes the κ least significant bits of its input.

• Test(C′, C, T′, T): On input ciphertexts C′ ← (U′, V′), C ← (U, V) and trapdoors (T′, T), the equality between them is verified through the following equation. If the equation holds, the algorithm outputs 1 (equal); otherwise it outputs 0 (not equal).

LSB_κ(V′) ⊕ T′ = LSB_κ(V) ⊕ T   (38)

CBA-PKEET has perfect consistency and computational soundness. From equation (38) it is clear that:

LSB_κ(V′) ⊕ T′ = LSB_κ(V′ ⊕ H_2(U′^x)) = H_3(m′) and, likewise, LSB_κ(V) ⊕ T = H_3(m).

• Perfect consistency: when m′ = m, perfect consistency holds because H_3(m′) = H_3(m).

• Computational soundness: checking whether H_3(m′) = H_3(m) is almost the same as checking whether m′ = m. There is only a negligible probability Adv_{𝒜,H_3} that m′ ≠ m and H_3(m′) = H_3(m). The symbol Adv_{𝒜,H_3} is defined in section 2.2.1 and denotes the negligible probability that a collision of the hash function H_3 is found.

Table 3: The efficiency comparison between CBA-PKEET and previous PKEET schemes

Scheme            KGen     Enc      Dec      Trapdoor   Test
PKEET [75]        t_e      3 t_e    3 t_e    N/A        2 t_p
PCE [80]          t_e      4 t_e    2 t_p    N/A        2 t_p
AoN-PKEET [76]    2 t_e    5 t_e    2 t_e    0          4 t_e
FG-PKEET [77]     2 t_e    4 t_e    2 t_e    3 t_e      4 t_p
CBA-PKEET         t_e      2 t_e    2 t_e    t_e        2 t_x

Efficiency comparison with previous works

Table 3 shows the efficiency comparison with previous PKEET works. The symbols t_e, t_p and t_x are defined in Table 1 and stand for the time of an exponentiation, a pairing operation and an XOR operation, respectively. The bilinear pairing is a computationally heavy operation that costs approximately 8 times as much as an exponentiation in a cyclic group. Besides, t_x is negligible when compared with the other two operations.

t_x ≪ t_e < t_p ≅ 8 t_e   (39)

Compared with previous works, the proposed CBA-PKEET is very efficient, since the computationally heavy tool, bilinear mapping, is not used in this construction. Most previous works require heavy computation when equality tests are executed, and avoiding it is one of the most remarkable advantages of CBA-PKEET.

Security proof

Theorem 6: CBA-PKEET is OW-CCA2 secure against type-I adversaries in the random oracle (RO) model.

Proof. Assume that CBA-PKEET is not OW-CCA2 secure, i.e. there is a type-I adversary with non-negligible probability ε(κ) of breaking its one-way security. Then it can be shown how a simulator uses this adversary to break the one-wayness of the hash function H_3. In the following, the one-wayness game “given H_3 and H_3(δ), find δ” and the random

simulated by the simulator is depicted in Figure 16.

Figure 16: The simulated OW-CCA2 game of CBA-PKEET.

The proof begins with the environment settings pp ← Setup(1^κ) and (sk, pk) ← KGen(pp).

Two hash tables τ and τ′ are initialized empty. The adversary is allowed to issue decryption queries 𝒪_D and 𝒪_D′, trapdoor queries 𝒪_T, and hash queries 𝒪_H and 𝒪_H′ to the simulator, which answers them as drawn in Figure 16. The random oracles

pair over any message m and randomized r. In other words, no information is actually hidden in the ciphertext C, since both U and V are just meaningless random values. The only clue comes from the injected entry τ.add(U^{*x}, V ⊕ H_3(δ)), which reveals the hash value H_3(δ) to the adversary. Now the problem reduces to the target question: if the adversary can find a message m satisfying H_3(m) = H_3(δ) to break the one-way security of CBA-PKEET, then the simulator can directly output δ ← m to break the one-wayness of the hash function H_3. By the negligible probability of breaking the one-wayness of hash functions, the one-way security of CBA-PKEET is proved.

Figure 17: The simulated IND-CCA2 game for CBA-PKEET.

Theorem 7: CBA-PKEET is IND-CCA2 secure against type-II adversaries in the RO model.

Proof. For type-II adversaries, trapdoors are not available in the security proof. Assume that CBA-PKEET is not IND-CCA2 secure, i.e. there is a type-II adversary with non-negligible probability ε(κ) of breaking the IND-CCA2 security. Then it can be shown how a simulator uses this adversary to solve the DDH problem. In the following, the DDH problem

“whether (γ = αβ) ← 𝒜(g, g^α, g^β, g^γ) or not” is used in the security proof. By combining the IND-CCA2 security model illustrated in Figure 9 with the random oracle model defined in section 2.2.1, the applied security game is illustrated in Figure 17.

The simulator begins the game with two settings: first, the hash function H is replaced by a random oracle that must be queried through the simulator; second, pk ← g^β. With these settings, the simulator can answer the decryption oracles 𝒪_D and 𝒪_D′ by checking the hash table τ, and thus successfully simulates an IND-CCA2 game. Then, if the adversary guesses correctly, b′ = b, the simulator outputs γ = αβ; otherwise it outputs γ ≠ αβ. The discussion continues with two scenarios.

• Case γ = αβ: this is exactly the CBA-PKEET scheme, so the adversary has non-negligible probability ε(κ) of breaking the IND-CCA2 security of CBA-PKEET.

• Case γ ≠ αβ: this is not the CBA-PKEET scheme, so the adversary has only a 50% probability of guessing correctly.

Both cases occur with probability 1/2. In sum, the simulator wins with probability (1 + ε(κ))/2; in other words, it gains an advantage of ε(κ)/2 in solving the DDH problem, which is non-negligible. By the intractability of the DDH problem, no polynomial-time adversary can break the IND-CCA2 security of CBA-PKEET with non-negligible probability. To conclude, CBA-PKEET is IND-CCA2 secure under the intractability of the DDH assumption.
