
National Chengchi University

Security notion

For the proposed OTC scheme, both the ciphertext $C$ and the commutatively encrypted ciphertext $C'$ are claimed to be IND-CPA secure in the standard model, in each case under the intractability of Ateniese's assumption. At a high level, if the ciphertext $C$ is IND-CPA secure, then the commutatively encrypted ciphertext $C'$ inherits IND-CPA security, so only the former has to be proved.

Theorem 5: OTC encryption is IND-CPA secure based on Ateniese's assumption

Proof. First, recall Ateniese's assumption as defined in section 2.1.3: "Given a Type-I pairing $e: \mathbb{G} \times \mathbb{G} \to \mathbb{G}_T$, elements $g, g^{\alpha}, g^{\alpha\beta} \in \mathbb{G}$, $g_T \leftarrow e(g, g)$ and $g_T^{\gamma} \in \mathbb{G}_T$, output whether $\beta = \gamma$ or not, where the exponents $\alpha, \beta, \gamma \in \mathbb{Z}_q$ are unknown."

A simulator then takes an instance of Ateniese's assumption as input and uses it to simulate the IND-CPA game.

Assume there is an adversary with non-negligible advantage $\varepsilon$ in breaking the IND-CPA security of OTC. The simulator uses this adversary to break Ateniese's assumption with non-negligible probability, as follows.

• At the beginning, the simulator sends the public key $pk \leftarrow g^{\alpha}$ to the adversary.

• After the adversary outputs two messages $(m_0, m_1)$, the simulator returns the challenge $C_b \leftarrow (g^{\alpha\beta},\ m_b \cdot g_T^{\gamma})$, where $b \xleftarrow{\$} \{0, 1\}$.

• The adversary outputs $b' \in \{0, 1\}$ and the game terminates. If $b = b'$, the simulator outputs "$\beta = \gamma$"; otherwise it outputs "$\beta \neq \gamma$".

There are now two cases, depending on whether $\beta = \gamma$.

• If $\beta = \gamma$, the simulation is a faithful OTC encryption (the challenge is a well-formed encryption of $m_b$ under $pk$), so the adversary outputs the correct $b' = b$ with probability $\tfrac{1}{2} + \varepsilon$.


• If $\beta \neq \gamma$, $g_T^{\gamma}$ is a uniformly random element of $\mathbb{G}_T$, independent of $g_T^{\beta}$, so the challenge $(g^{\alpha\beta}, m_b \cdot g_T^{\gamma})$ carries no information about $m_b$ from the adversary's viewpoint. In other words, nothing helps the adversary distinguish between the two candidate messages, and its probability of guessing correctly is exactly $\tfrac{1}{2}$.

Summing over the two cases, each of which occurs with probability $\tfrac{1}{2}$ in a random instance, the simulator answers correctly with probability $\tfrac{1}{2}(\tfrac{1}{2} + \varepsilon) + \tfrac{1}{2}\cdot\tfrac{1}{2} = \tfrac{1}{2} + \tfrac{\varepsilon}{2}$. That is, the adversary's non-negligible advantage $\varepsilon$ gives the simulator a non-negligible advantage $\varepsilon/2$ in breaking Ateniese's assumption. By the intractability of Ateniese's assumption, OTC encryption is therefore IND-CPA secure in the standard model based on Ateniese's assumption.

Discussions

Compared to dual-receiver encryption [71], commutative encryption is much more flexible because the receivers can be chosen dynamically: the first receiver is chosen by the first sender, and the second receiver can be selected by the second sender. In this scenario, the first sender might not know the second receiver, and vice versa. This receiver-choosing flexibility is something dual-receiver encryption cannot achieve, and it opens the way to commutative encryption schemes in different applications. For example, the anonymous consensus system in Figure 13 is a good case.


4. Public key encryption with equality test

The equality test technique [72]–[74] is an additional functionality on top of public key encryption (see Figure 14): the ciphertext receiver can authorize a third party, through a trapdoor, to test plaintext equality between ciphertexts without decrypting them.

That is to say, the equality test is a fundamental ciphertext computation by which authorized users can verify plaintext equivalence without decryption. The discussion begins with a famous problem: the millionaire's problem.

Figure 14: Public key encryption with equality test

The millionaire’s problem

Proposed by Yao [20], the millionaire’s problem is briefly described as follows. Two millionaires


manner. They want to know who is richer without revealing their wealth, so throughout the process the top priority of the comparison is to keep both amounts secret. After the comparison, the third party answers 1 for $m_0 > m_1$; 0 in case $m_0 = m_1$; or $-1$ for $m_0 < m_1$.

Peng et al.'s ciphertext comparison: a solution to the millionaire's problem

It is intuitive that ciphertext computation is well suited to this problem. Peng et al. [59] proposed a solution called "ciphertext comparison" based on homomorphic encryption.

Interestingly, their scheme can not only verify plaintext equivalence between ciphertexts but also determine which side is larger. It seems tailored to the millionaire's problem. Before introducing their solution, four properties were defined in their work [59] that any solution to the millionaire's problem should satisfy.

• Correctness: The comparison over two ciphertexts should be consistent with the comparison of the decrypted plaintext.

• Precision: One out of three possible results should be precisely indicated by the comparison, namely larger than, equal to, or less than.

• Public verifiability: The whole process can be verified by all participants (testers).

• Privacy: Apart from the comparison result, no other information about the two messages is leaked, or at least as little as possible.

The discussion begins by revisiting their scheme at a high level. First, an additively homomorphic encryption scheme is required, i.e. one satisfying $\forall m_0, m_1 \in \mathcal{M}:\ Enc(pk, m_0) \cdot Enc(pk, m_1) = Enc(pk, m_0 + m_1)$ and $Enc(pk, m_0)^{a} = Enc(pk, a \cdot m_0)$; see equation (27) in section 3.3. For the purpose of the security proof they choose Paillier encryption as the building block.

Second, to avoid a single outsourced third party being compromised, a group of $n$ testers, rather than one user, is responsible for comparing two ciphertexts. Third, the plaintext space of Paillier encryption is $\mathbb{Z}_N$ for a large composite $N = pq$. However, the message space $\mathcal{M}$ is restricted to the much smaller range $[0, 2^{L})$ instead of $\mathbb{Z}_N$, where $2^{L+L'} < N/2$ and $[1, 2^{L'}]$ is the salt space. The


computed through the homomorphic subtraction of these ciphertexts; finally each tester adds a salt. A random-looking message is obtained after decryption, and the comparison result depends on where that plaintext falls in $\mathbb{Z}_N$. The algorithms are summarized below; some proofs concerning security are omitted.

• $Setup(1^{\kappa})$: as in Paillier encryption, the ciphertext comparison sets the public parameter $pp \leftarrow 1^{\kappa}$.

• $KGen(pp)$: On input the public parameter, all testers cooperate to decide the modulus $N = pq$ and an element $g \in \mathbb{Z}_{N^2}^{*}$, where $p, q$ are two large random primes of equal bit-length determined by $\kappa$. The Paillier condition $\gcd(L(g^{\lambda} \bmod N^2), N) = 1$ must hold, where $\lambda \leftarrow \mathrm{lcm}(p-1, q-1)$; otherwise another $g$ is chosen at random until it does. Besides, two further parameters $L, L'$ are needed, with $2^{L+L'} < N/2$. Finally, the public key $pk \leftarrow (g, N, L, L')$ is published and the secret key $\lambda$ is kept secret. Remarkably, no single tester knows the secret key $\lambda$: it is shared among all testers through secret sharing, and decryption is possible only when all testers cooperate.

Finally, the message space $\mathcal{M}$ is set to $[0, 2^{L})$.

• $Enc(pk, m)$: As in Paillier encryption, to encrypt a message $m$ the sender selects a random $r \xleftarrow{\$} \mathbb{Z}_N^{*}$ and computes $C \equiv g^{m} r^{N} \pmod{N^2}$.

• $Dec(sk, C)$: As in Paillier encryption, the receiver recovers the hidden message through $m \equiv \dfrac{L(C^{\lambda} \bmod N^2)}{L(g^{\lambda} \bmod N^2)} \pmod{N}$, where $L(x) = \dfrac{x - 1}{N}$.

• $Compare(sk, C_0, C_1)$: First, each tester $U_i$ randomly picks a salt $v_i \xleftarrow{\$} [1, 2^{L'}]$, for all $i \in [1, n]$. Second, they cooperate to decrypt $m \leftarrow Dec(sk, C)$ where $C \leftarrow (C_0 \cdot C_1^{-1})^{\sum_{i=1}^{n} v_i}$. Finally, $Compare(sk, C_0, C_1)$ outputs 1 ($m_0 > m_1$) if $0 < m < N/2$; outputs 0 ($m_0 = m_1$) if $m = 0$; or outputs $-1$ ($m_0 < m_1$) if $m > N/2$.


Correctness: The decryption follows Paillier decryption, equations (18) to (21). By the additive homomorphism, the final message is $m \leftarrow (m_0 - m_1) \cdot \sum_{i=1}^{n} v_i \pmod{N}$. Since all $v_i$ are positive $L'$-bit integers and $2^{L+L'} < N/2$, the position of $m$ in $\mathbb{Z}_N$ depends only on the sign of the difference $(m_0 - m_1)$. (The sum of $n$ salts is at most $n \cdot 2^{L'}$, so the concrete parameter choice must leave room for this factor of $n$ as well.) If $m = 0$, the only possibility is $m_0 = m_1$; if $0 < m < N/2$, then $m_0 - m_1 > 0$, which implies $m_0 > m_1$; otherwise $m > N/2$ occurs only when $m_0 - m_1 < 0$, because a negative value wraps around to $N - |m_0 - m_1| \cdot \sum_{i=1}^{n} v_i$. The plaintext distribution is illustrated in Figure 15.

Figure 15: The plaintext distribution of ciphertext comparison

Precision and Public verifiability: following the Correctness argument, all testers jointly execute the comparison algorithm, which indicates exactly one of the three possible results. Privacy: Peng et al.'s scheme inherits the IND-CPA security of Paillier encryption (Paillier is homomorphic, hence malleable, and therefore not IND-CCA secure).

Remark. Since additively homomorphic encryption is the main building block of their work, the ciphertext comparison can only be executed between the same user's ciphertexts, i.e. ciphertexts encrypted under the same public key.
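The comparison procedure above, carried through as runnable code. This is an added example, not code from Peng et al. [59] or from this thesis: it uses textbook Paillier with the standard generator $g = N + 1$, toy Mersenne primes in place of the large primes a real deployment would use, and a single party holding $\lambda$ in place of the threshold-shared key (the salts $v_i$ are still drawn per tester). The parameter names `L_MSG`, `L_SALT` and `N_TESTERS` are this example's own.

```python
"""Paillier-based ciphertext comparison on toy parameters (illustrative only)."""
import math
import secrets

# Toy parameters: two Mersenne primes, far below the ~1024-bit primes of a real
# deployment. Message space is [0, 2^L_MSG), salt space is [1, 2^L_SALT].
P, Q = (1 << 31) - 1, (1 << 61) - 1
L_MSG, L_SALT, N_TESTERS = 32, 16, 3


def _L(x, n):
    """Paillier's L function: L(x) = (x - 1) / N."""
    return (x - 1) // n


def keygen(p=P, q=Q):
    """Return (pk, sk) = ((N, g), (lambda, mu)) with the standard g = N + 1."""
    n = p * q
    n2 = n * n
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)   # lcm(p-1, q-1)
    g = n + 1
    # gcd(L(g^lam mod N^2), N) == 1 must hold; with g = N+1 that value is lam.
    mu = pow(_L(pow(g, lam, n2), n), -1, n)
    return (n, g), (lam, mu)


def enc(pk, m):
    """C = g^m * r^N mod N^2 with a fresh r in Z_N^*."""
    n, g = pk
    n2 = n * n
    while True:
        r = secrets.randbelow(n - 1) + 1
        if math.gcd(r, n) == 1:
            break
    return (pow(g, m, n2) * pow(r, n, n2)) % n2


def dec(pk, sk, c):
    """m = L(C^lam mod N^2) * mu mod N."""
    n, _ = pk
    lam, mu = sk
    n2 = n * n
    return (_L(pow(c, lam, n2), n) * mu) % n


def check_params(n, l_msg, l_salt, n_testers):
    """Sign detection needs |m0 - m1| * sum(v_i) < N/2 for every admissible
    input; the sum of n_testers salts is at most n_testers * 2^l_salt."""
    return (1 << (l_msg + l_salt)) * n_testers < n // 2


def compare(pk, sk, c0, c1, n_testers=N_TESTERS, l_salt=L_SALT):
    """Return 1 if m0 > m1, 0 if m0 == m1, -1 if m0 < m1, from ciphertexts only."""
    n, _ = pk
    n2 = n * n
    # Each tester U_i contributes a private salt v_i in [1, 2^l_salt].
    salts = [secrets.randbelow(1 << l_salt) + 1 for _ in range(n_testers)]
    diff = (c0 * pow(c1, -1, n2)) % n2            # Enc(m0 - m1)
    blinded = pow(diff, sum(salts), n2)           # Enc((m0 - m1) * sum(v_i))
    m = dec(pk, sk, blinded)
    if m == 0:
        return 0
    return 1 if m < n // 2 else -1
```

The `check_params` test is the parameter caveat from the correctness argument made explicit: with $n$ testers the blinded difference can reach $n \cdot 2^{L+L'}$, so the bound has to absorb that factor or a large positive difference could wrap past $N/2$ and be misreported as negative.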


4.1 Equality test among different users' ciphertexts

Although Peng et al.'s ciphertext comparison [59] is an excellent solution to the millionaire's problem, its applications are inherently limited to ciphertexts encrypted under the same public key, because it relies on homomorphic encryption as its core building block.

It is therefore natural to seek ciphertext computation among ciphertexts encrypted under different public keys; a solution for different public keys clearly also covers the case of a single public key.

Guomin Yang [75] proposed the first such solution³, public key encryption with equality test (PKEET), which allows comparison among different users' ciphertexts without decryption. Unlike Peng et al.'s solution, current PKEET schemes only provide the basic functionality of testing plaintext equivalence between two ciphertexts. Syntactically, PKEET is very close to public key encryption, consisting of $Setup(1^{\kappa})$, $KeyGen(pp)$, $Enc(pk, m)$ and $Dec(sk, C)$; in addition, there is a $Test(C_0, C_1)$ algorithm with which anyone can verify the equivalence of any two ciphertexts. The syntax is given below.

• 𝑆𝑒𝑡𝑢𝑝 1¼ : On input a secure parameter 𝜅, public parameters 𝑝𝑝 are generated for public usage.

• 𝐾𝐺𝑒𝑛(𝑝𝑝): A user picks a pair of private key and public key (𝑠𝑘, 𝑝𝑘) through the public parameters 𝑝𝑝, where the public key is published and the private key is securely kept.

• 𝐸𝑛𝑐(𝑝𝑘, 𝑚): The sender uses the receiver’s public key to encrypt a message 𝑚 into a testable ciphertext 𝐶.

³ Another work, "Plaintext-Checkable Encryption" [80], proposed at CT-RSA 2012, was also an early equality test work. However, it focused on comparison between a ciphertext (with a trapdoor) and a plaintext, which differs from our research target, so it is not covered in our discussion.

Concerning the equality test functionality, two requirements are defined as follows. The symbol $\epsilon(\kappa)$, defined in Table 1, denotes a probability negligible in $\kappa$.

• Perfect consistency: for all message 𝑚 ∈ ℳ

The idea behind a testable ciphertext is quite straightforward. Conceptually, the ciphertext consists of two parts, one for decryption and one for the equality test. This is clear in Yang's scheme: a ciphertext $C$ is composed of $(U, V, W)$, where $(U, W)$ serves decryption and $(U, V)$ serves the equality test. To see how it works, Yang's concrete construction is summarized as follows:

• $Setup(1^{\kappa})$: On input a security parameter $\kappa$, a Type-I bilinear map $e: \mathbb{G} \times \mathbb{G} \to \mathbb{G}_T$ is selected first. Then $g \in \mathbb{G}$ denotes a generator of $\mathbb{G}$, and $q$ is the order of $\mathbb{G}$ and $\mathbb{G}_T$. $H: \{0,1\}^{*} \to \{0,1\}^{|q| + \kappa}$ is a collision-resistant one-way hash function, where $|q|$ and $\kappa$ denote the bit-lengths of elements of $\mathbb{G}$ and of $\mathbb{Z}_q$, respectively.

The output public parameters are $pp \leftarrow \{\kappa, e, \mathbb{G}, \mathbb{G}_T, g, q, H\}$.

• $KGen(pp)$: On input the public parameters $pp$, a user randomly picks $x \xleftarrow{\$} \mathbb{Z}_q$ as its private key and publishes the public key $y \leftarrow g^{x}$.

• $Enc(pk, m)$: To encrypt a message $m \in \mathbb{G}$, a sender randomly picks $r \xleftarrow{\$} \mathbb{Z}_q$ and outputs $C \leftarrow (U, V, W)$ where $U \leftarrow g^{r}$, $V \leftarrow m^{r}$ and $W \leftarrow H(U, V, y^{r}) \oplus (m \| r)$. The symbol $\oplus$ denotes the XOR operation.

• $Dec(sk, C)$: To decrypt a ciphertext $C \leftarrow (U, V, W)$, the receiver computes $(m \| r) \leftarrow H(U, V, U^{x}) \oplus W$ and accepts $m$ only if $U = g^{r}$ and $V = m^{r}$.

• $Test(C_0, C_1)$: On input ciphertexts $C_0 \leftarrow (U_0, V_0, W_0)$ and $C_1 \leftarrow (U_1, V_1, W_1)$, equality is verified by testing $e(U_0, V_1) = e(U_1, V_0)$. If the equation holds, it outputs 1 (equal); otherwise it outputs 0 (not equal).

The original PKEET satisfies both perfect consistency and perfect soundness. The detailed security proof is omitted here; the scheme is proved OW-CCA2 secure in [75].

• Perfect consistency: when $C_0 \leftarrow Enc(pk_0, m, r_0)$ and $C_1 \leftarrow Enc(pk_1, m, r_1)$, consistency holds because for all $m \in \mathbb{G}$, $e(U_0, V_1) = e(U_1, V_0) = e(g, m)^{r_0 r_1}$.

• Perfect soundness: when $C_0 \leftarrow Enc(pk_0, m_0, r_0)$, $C_1 \leftarrow Enc(pk_1, m_1, r_1)$ and $m_0 \neq m_1$, soundness holds because for all $m_0, m_1 \in \mathbb{G}$, $e(U_0, V_1) = e(g, m_1)^{r_0 r_1} \neq e(g, m_0)^{r_0 r_1} = e(U_1, V_0)$.

After Yang's first PKEET, a large number of equality test schemes were proposed with various improvements. For example, Tang [76] first introduced the authorization concept in the All-or-Nothing PKEET (AoN-PKEET): only specific users who obtain authorization from both receivers can run the equality test between two ciphertexts, a significant improvement. Following this architecture, security is discussed for two classes of adversaries: authorized type-I users and unauthorized type-II users. Since most equality-test research follows the authorization framework, the updated syntax is briefly introduced below:

• 𝑆𝑒𝑡𝑢𝑝 1¼ : On input a secure parameter 𝜅, public parameters 𝑝𝑝 are generated for public usage.

• 𝐾𝐺𝑒𝑛(𝑝𝑝): A user picks a pair of private key and public key (𝑠𝑘, 𝑝𝑘) through the public parameters 𝑝𝑝, where the public key is published and the private key is securely kept.

• 𝐸𝑛𝑐(𝑝𝑘, 𝑚): The sender uses the receiver’s public key to encrypt a message 𝑚 into a testable ciphertext 𝐶.

• 𝐷𝑒𝑐(𝑠𝑘, 𝐶): The receiver can decrypt the acquired ciphertext 𝐶 and obtain the hidden message 𝑚.

• 𝑇𝑟𝑎𝑝𝑑𝑜𝑜𝑟(𝑠𝑘): The receiver is able to authorize the equality testability to some users through a trapdoor 𝑇 ← 𝑇𝑟𝑎𝑝𝑑𝑜𝑜𝑟(𝑠𝑘).

• 𝑇𝑒𝑠𝑡(𝐶Í, 𝐶, 𝑇Í, 𝑇) : On input two ciphertexts (𝐶Í, 𝐶) and their receivers’ trapdoors (𝑇Í, 𝑇), the authorized user can verify the equivalence between two ciphertexts. After the equality test, the algorithm outputs 1 for equal messages or 0 for different messages.

Tang et al.’ concrete AoN-PKEET scheme is omitted here for clear expression. It is worthy to be noted that the authorized trapdoor denotes an overall permission to all ciphertexts encrypted using the receiver’s public key. This kind of permissions are called permanent trapdoors afterward.

Then, let’s recall the design of equality test which mostly comes from the combination of two parts:

one for decryption and another one for equality test. Then, the technique is easy understanding that besides the decryption key, another key called testing key is additionally generated in the key generation phase, and it is enrolled while encrypting. Then, the trapdoor algorithm is done by simply sending the testing key to the authorized entity. Once a user is authorized, he/she is able to


For those authorized users (so-called type-I adversaries), Tang et al.'s scheme is proved OW-CCA2 secure; on the other hand, it is IND-CCA2 secure against unauthorized users (type-II adversaries).

Several further authorization-based equality test schemes followed. For example, Tang et al. also proposed Fine-Grained PKEET [77], which is quite similar to [76]; the main difference is that [77] is less efficient than [76], the extra cost being introduced to resist brute-force (message-guessing) attacks. Ma et al. [78] proposed a delegated equality test scheme, which is even less efficient than [77]. Both follow the permanent-trapdoor setting as well.

Some identity-based encryption schemes with equality test functionality [73], [74] were also proposed. Besides, with the growing number of PKEET schemes, Lu et al. [72] proposed a series of security notions between one-way security and indistinguishability in order to regulate the security of PKEET schemes; after all, one-way security is quite weak, while full indistinguishability is an unreachable upper bound because of the equality test functionality itself (an authorized tester can encrypt a candidate message and compare it with the challenge ciphertext).

Discussion

The permanent trapdoors discussed above can be given to trusted users to outsource the equality testability of all of the receiver's ciphertexts. For example, a boss can delegate this privilege to a secretary to help test e-mails in the company. However, some private e-mails unrelated to work may arrive from the boss's family or friends. If only permanent trapdoors exist and the boss really needs the secretary's help to pre-process e-mails, how can the boss keep those private e-mails secret? Clearly a more flexible solution is required: another kind of trapdoor that does not outsource the testability of all ciphertexts to the authorized user. Ciphertexts could be classified into categories, some of which are authorized and others not; or, more precisely, a trapdoor could be valid for one specific ciphertext only. The following section introduces a cipher-bound trapdoor that satisfies this demand. An equality test scheme becomes far more flexible when permanent trapdoors and cipher-bound trapdoors can be used together.


4.2 The cipher-bound trapdoors

Equality test with cipher-bound trapdoors was proposed in [79]. In existing PKEET schemes with permanent trapdoors, once Bob obtains Alice's trapdoor he can test the equality of all of Alice's ciphertexts. That paper instead introduced a new idea called ciphertext-bound authority (CBA). What is CBA? The trapdoor that enables the equality test is allocated ciphertext by ciphertext: every ciphertext requires its own specific trapdoor. If ciphertext 1 is authorized to Bob, nothing about ciphertext 2 is leaked, even when both ciphertexts are encrypted under the same public key.

Syntax of CBA-PKEET

The architecture mainly follows Tang’s AoN-PKEET construction; the only modification is the trapdoor which is modified from an overall authorization to an individual authorization. For clear expression, the syntax is introduced here again.

• 𝑆𝑒𝑡𝑢𝑝 1¼ : On input a secure parameter 𝜅, public parameters 𝑝𝑝 are generated for public usage.

• 𝐾𝐺𝑒𝑛(𝑝𝑝): A user picks a pair of private key and public key (𝑠𝑘, 𝑝𝑘) through the public parameters 𝑝𝑝, where the public key is published and the private key is securely kept.

• 𝐸𝑛𝑐(𝑝𝑘, 𝑚): The sender uses the receiver’s public key to encrypt a message 𝑚 into a testable ciphertext 𝐶.

• 𝐷𝑒𝑐(𝑠𝑘, 𝐶): The receiver can decrypt the acquired ciphertext 𝐶 and obtain the hidden message 𝑚.

• 𝑇𝑟𝑎𝑝𝑑𝑜𝑜𝑟(𝑠𝑘, 𝐶): The receiver is able to authorize the equality testability to some users through a trapdoor 𝑇 ← 𝑇𝑟𝑎𝑝𝑑𝑜𝑜𝑟(𝑠𝑘, 𝐶).

• 𝑇𝑒𝑠𝑡(𝐶Í, 𝐶, 𝑇Í, 𝑇) : On input two ciphertexts (𝐶Í, 𝐶) and their receivers’ trapdoors (𝑇Í, 𝑇), the authorized user can verify the equivalence between two ciphertexts. After the equality test, the algorithm outputs 1 for equal messages or 0 for different messages.


What advantages or applications do ciphertext-bound authorities provide?

Focusing on the trapdoor phase, the trapdoor algorithm $Trapdoor(sk, C)$ takes a ciphertext as an additional parameter compared to the AoN-PKEET scheme. This is what is called a ciphertext-bound authority, or ciphertext-bound trapdoor. It gives the data receiver an additional choice: to authorize the tester for a particular ciphertext rather than for all ciphertexts. In the following two scenarios, authorization of a particular range is more suitable than overall authorization.

• A patient with a dental problem visits a dentist. Before diagnosing, the dentist inevitably checks the patient's medical records. Ciphertext-bound authorities let the patient reveal only the necessary dental records to the dentist while hiding others, such as heart disease or high blood pressure, for better privacy.

• Bank A wants to verify a single payment with bank B. With permanent trapdoors only, bank A would have to open its entire ledger to bank B for one equality test request. The ciphertext-bound authority provides a more flexible solution to this problem.

Many cases support the idea that an individual authorization is sometimes more flexible than an overall authorization. It is worth noting that overall authorizations still serve many current applications and will not be replaced by individual authorizations; the point is that individual authorization makes equality test schemes more flexible. After the syntax, a concrete construction of CBA-PKEET is proposed in this work.

• $Setup(1^{\kappa})$: On input a security parameter $\kappa$, a multiplicative cyclic group $\{\mathbb{G}, g, q\}$ is generated, where $g \in \mathbb{G}$ is a generator of $\mathbb{G}$ and $q$ is the order of $\mathbb{G}$. The bit-lengths are set as $|\mathbb{G}| = |q|$ for elements of $\mathbb{G}$ and $|q| = \kappa$ for elements of $\mathbb{Z}_q$. Three collision-resistant one-way hash functions $H_1: \{0,1\}^{*} \to \mathbb{Z}_q$, $H_2: \mathbb{G} \to \{0,1\}^{|q| + 2\kappa}$ and $H_3: \mathbb{G} \to \{0,1\}^{\kappa}$ are required. The message space $\mathcal{M}$ is set to the group $\mathbb{G}$ itself. The output public parameters are $pp \leftarrow \{\kappa, \mathbb{G}, g, q, H_1, H_2, H_3\}$.


• $KeyGen(pp)$: On input the public parameters $pp$, a user randomly picks $x \xleftarrow{\$} \mathbb{Z}_q$ as its private key and publishes the public key $y \leftarrow g^{x}$.

• $Enc(pk, m)$: To encrypt a message $m \in \mathbb{G}$, a sender randomly picks $r \xleftarrow{\$} \mathbb{Z}_q$ and outputs $C \leftarrow (U, V)$ where $u \leftarrow H_1(m \| r \| H_3(m))$, $U \leftarrow g^{u}$ and $V \leftarrow H_2(y^{u}) \oplus (m \| r \| H_3(m))$. The symbols $\oplus$ and $\|$ denote the XOR operation and concatenation, respectively.

• $Dec(sk, C)$: To decrypt a ciphertext $(U, V) \leftarrow C$, the receiver computes $(m \| r \| H_3(m)) \leftarrow H_2(U^{x}) \oplus V$ and accepts $m$ only if $U = g^{H_1(m \| r \| H_3(m))}$.

• $Trapdoor(sk, C)$: The receiver authorizes the equality testability of $C$ to someone through the trapdoor $T \leftarrow LSB_{\kappa}(H_2(U^{x}))$, where $LSB_{\kappa}(\cdot)$ denotes the $\kappa$ least significant bits of its input.

• $Test(C_0, C_1, T_0, T_1)$: On input ciphertexts $C_0 \leftarrow (U_0, V_0)$, $C_1 \leftarrow (U_1, V_1)$ and trapdoors $(T_0, T_1)$, equality is verified through the following equation. If it holds, the algorithm outputs 1 (equal); otherwise it outputs 0 (not equal).

$LSB_{\kappa}(V_0) \oplus T_0 = LSB_{\kappa}(V_1) \oplus T_1$ (38)

CBA-PKEET has perfect consistency and computational soundness. From equation (38) it is clear that

$LSB_{\kappa}(V_0) \oplus T_0 = LSB_{\kappa}(V_0 \oplus H_2(U_0^{x_0})) = H_3(m_0)$ and likewise $LSB_{\kappa}(V_1) \oplus T_1 = H_3(m_1)$.

• Perfect consistency: when $m_0 = m_1$, consistency holds because $H_3(m_0) = H_3(m_1)$.

• Computational soundness: deciding whether $H_3(m_0) = H_3(m_1)$ is almost the same as deciding whether $m_0 = m_1$, except for the negligible probability $\mathrm{Adv}_{\mathcal{A}, H_3}$ that $m_0 \neq m_1 \wedge H_3(m_0) = H_3(m_1)$. The symbol $\mathrm{Adv}_{\mathcal{A}, H_3}$, defined in section 2.2.1, denotes the negligible probability of finding a collision of the hash function $H_3$.


Table 3: The efficiency comparison between CBA-PKEET and previous PKEET schemes

Scheme          | KGen  | Enc   | Dec   | Trapdoor | Test
PKEET [75]      | 𝑡2    | 3 𝑡2  | 3 𝑡2  | N/A      | 2 𝑡v
PCE [80]        | 𝑡2    | 4 𝑡2  | 2 𝑡v  | N/A      | 2 𝑡v
AoN-PKEET [76]  | 2 𝑡2  | 5 𝑡2  | 2 𝑡2  | 0        | 4 𝑡2
FG-PKEET [77]   | 2 𝑡2  | 4 𝑡2  | 2 𝑡2  | 3 𝑡2     | 4 𝑡v
CBA-PKEET       | 𝑡2    | 2 𝑡2  | 2 𝑡2  | 𝑡2       | 2 𝑡s

Efficiency comparison with previous works

Table 3 shows the efficiency comparison with previous PKEET works. Symbols 𝑡2, 𝑡v and 𝑡s are
