
CBA-PKEET is IND-CCA2 secure against type-II adversaries in RO model

pair over any message 𝑚 and randomness 𝑟. In other words, no information is actually hidden in ciphertext 𝐶, since both 𝑈 and 𝑉 are just meaningless random numbers. The only clue comes from the injection 𝜏. 𝑎𝑑𝑑 𝑈∗ Ý~, 𝑉⊕ 𝐻Þ 𝛿, which reveals the hash value 𝐻Þ(𝛿) to the adversary. The problem then reduces to a targeted question: if the adversary can find a message 𝑚 that satisfies 𝐻Þ 𝑚 = 𝐻Þ(𝛿) and so break the one-way security of CBA-PKEET, then the simulator can directly output 𝛿 ← 𝑚 to break the one-wayness of the hash function 𝐻Þ. Since the one-wayness of hash functions can be broken only with negligible probability, the one-way security of CBA-PKEET is proved.

Figure 17: The simulated IND-CCA2 game for CBA-PKEET.

Theorem 7: CBA-PKEET is IND-CCA2 secure against type-II adversaries in RO model.

Proof. For type-II adversaries, the trapdoors are not available in the security proof. Assume that CBA-PKEET is not IND-CCA2 secure, meaning that there is a type-II adversary with non-negligible probability 𝜖(𝜅) of breaking the IND-CCA2 security; it can then be shown how a simulator uses this adversary to break the DDH problem. The DDH problem “whether (𝛾 = 𝛼𝛽) ← 𝒜 𝑔, 𝑔ˆ, 𝑔Œ, 𝑔 or not” is imported for the security proof. By integrating the IND-CCA2 security model illustrated in Figure 9 and the random oracle model defined in section 2.2.1, the applied security game is illustrated in Figure 17.

國立政治大學 National Chengchi University

It is clear that the simulator begins the game with two settings: the first is to replace 𝐻 with a random oracle that must be queried through the simulator; the second is to set 𝑝𝑘 ← 𝑔Œ. With these settings, the simulator may be able to answer the decryption oracles 𝒪Š and 𝒪Š¡ by checking the hash table 𝜏, and so it successfully simulates an IND-CCA2 game. Then, if the adversary makes a correct guess 𝑏Ó = 𝑏, the simulator outputs 𝛾 = 𝛼𝛽; otherwise, the simulator outputs 𝛾 ≠ 𝛼𝛽. The discussion continues with two scenarios.

• In case 𝛾 = 𝛼𝛽. This is the CBA-PKEET scheme. Then, the adversary has non-negligible probability 𝜖(𝜅) to break the IND-CCA2 security of CBA-PKEET.

• In case 𝛾 ≠ 𝛼𝛽. This is not the CBA-PKEET scheme, so the adversary has only a 50% probability of outputting the correct guess.

Each of the two cases above occurs with half probability. In sum, the simulator wins with probability (1 + 𝜖(𝜅))/2; in other words, it gains an advantage of 𝜖(𝜅)/2 in breaking the DDH assumption, which is non-negligible. By the intractability of the DDH problem, it is proved that no polynomial-time adversary is able to break the IND-CCA2 security of CBA-PKEET with non-negligible probability. To conclude, CBA-PKEET is proved IND-CCA2 secure based on the intractability of the DDH assumption.


4.3 Equality test scheme with compatible trapdoors

With the introduction of the CBA-PKEET scheme, there are two kinds of trapdoors, permanent trapdoors and ciphertext-bound trapdoors, which satisfy different requirements. It is natural to consider the compatibility between the two systems. A novel authorization-based PKEET scheme is proposed to make the two trapdoor types compatible. In addition, to prevent eavesdropping and tampering attacks, which can also be seen as removing the need for secure channels, the newly designed trapdoors are encrypted so that they can be accessed only by the assigned testers. The testers, in turn, can verify the validity of trapdoors before equality tests. Finally, compared with previous PKEET works, the proposed PKE-AET scheme is more efficient than most of them, is the first to support this compatibility, removes the requirement of secure channels, and satisfies the highest security level, as other works do. The newly designed compatible syntax, called public key encryption with authorized equality test [81] (PKE-AET), is introduced next.

• 𝑆𝑒𝑡𝑢𝑝(1^𝜅): On input a security parameter 𝜅, public parameters 𝑝𝑝 are generated for public use.

• 𝐾𝐺𝑒𝑛(𝑝𝑝): A user picks a pair of private key and public key (𝑠𝑘, 𝑝𝑘) through the public parameters 𝑝𝑝, where the public key is published and the private key is securely kept.

• 𝐸𝑛𝑐(𝑝𝑘, 𝑚): The sender uses the receiver’s public key to encrypt a message 𝑚 into a testable ciphertext 𝐶.

• 𝐷𝑒𝑐(𝑠𝑘, 𝐶): The receiver can decrypt the acquired ciphertext 𝐶 and obtain the hidden message 𝑚.

• 𝑇𝑟𝑎𝑝𝑑𝑜𝑜𝑟: Both kinds of trapdoors are generated on input the receiver’s secret key 𝑠𝑘 and the tester’s public key 𝑝𝑘.

1. 𝑇𝑟𝑎𝑝𝑑𝑜𝑜𝑟(𝑠𝑘, 𝑝𝑘): The permanent trapdoor 𝑇 may be granted to a higher layer tester who can execute the equality test for all ciphertexts of the receiver.

2. 𝑇𝑟𝑎𝑝𝑑𝑜𝑜𝑟(𝑠𝑘, 𝑝𝑘, 𝐶) : The cipher-bound trapdoor 𝑇 may be authorized to a normal tester who can only test a specific ciphertext of the receiver.


• 𝑉𝑒𝑟𝑖𝑓𝑦: Both kinds of trapdoors are verified using the receiver’s public key 𝑝𝑘 and the tester’s secret key 𝑠𝑘.

1. 𝑉𝑒𝑟𝑖𝑓𝑦(𝑝𝑘, 𝑠𝑘, 𝑇): It outputs 1 for valid or 0 for invalid.

2. 𝑉𝑒𝑟𝑖𝑓𝑦(𝑝𝑘, 𝑠𝑘, 𝑇, 𝐶): It outputs 1 for valid or 0 for invalid.

• 𝑇𝑒𝑠𝑡(𝐶Í, 𝐶, 𝑇Í, 𝑇, 𝑠𝑘) : On input two ciphertexts (𝐶Í, 𝐶) , their receivers’ trapdoors 𝑇Í, 𝑇 ∈ 𝑇, 𝑇 and the tester’s secret key 𝑠𝑘, the authorized user can verify the equivalence between two ciphertexts. After the equality test, the algorithm outputs 1 for equal messages or 0 for different messages.

As a compatible solution, the description is a bit more complicated. Symbol 𝑇 denotes a permanent trapdoor and 𝑇 stands for a cipher-bound trapdoor. Symbols (𝑠𝑘, 𝑝𝑘) and (𝑠𝑘, 𝑝𝑘) represent the receiver’s key pair and the tester’s key pair, respectively. A concrete scheme is proposed below.

• 𝑆𝑒𝑡𝑢𝑝(1^𝜅): On input a security parameter 𝜅, a type-I bilinear pairing {𝑒: 𝔾 × 𝔾 → 𝔾, 𝑔, 𝑞} is generated, where 𝑔 ∈ 𝔾 denotes a generator of 𝔾 and 𝑞 stands for the order of 𝔾 and 𝔾. The bit-length of elements in 𝔾 and 𝔾 is 𝑞, and the bit-length of elements in ℤW is 𝜅. Two collision-resistant and one-way hash functions 𝐻: 𝔾 → 𝔾 and 𝐻: 𝔾 → 0, 1 Wܼ are required. The message space ℳ is set identical to group 𝔾. The output public parameters are 𝑝𝑝 ← {𝜅, 𝑒, 𝔾, 𝔾, 𝑔, 𝑞, 𝐻, 𝐻}.

• 𝐾𝑒𝑦𝐺𝑒𝑛(𝑝𝑝): On input the public parameters 𝑝𝑝, a user randomly picks 𝑎, 𝑏 $W as its private key and publishes the public key (𝑔, 𝑔Ï).

• 𝐸𝑛𝑐(𝑝𝑘, 𝑚): To encrypt a message 𝑚 ∈ 𝔾, a sender randomly picks 𝑟 $W and outputs 𝐶 ← (𝑈, 𝑉, 𝑊) where 𝑈 ← 𝑔ƒ, 𝑉 ← 𝑚ƒ𝐻(𝑔•ƒ), 𝑊 ← 𝐻 𝑔σ ⨁(𝑚||𝑟). Symbol ⨁ denotes the XOR operation.

• 𝐷𝑒𝑐(𝑠𝑘, 𝐶): To decrypt a ciphertext 𝐶 ← (𝑈, 𝑉, 𝑊), the receiver computes (𝑚||𝑟) ← 𝐻 𝑈Ï ⨁𝑊 and accepts 𝑚 ← 𝑚 if both 𝑈 = 𝑔ƒ and 𝑉 = 𝑚∗ ƒ𝐻(𝑈) hold.


• 𝑇𝑟𝑎𝑝𝑑𝑜𝑜𝑟: Both kinds of trapdoors are generated on input the receiver’s secret key 𝑎, 𝑏 ← 𝑠𝑘 and the tester’s public key 𝑔., 𝑔Ï. ← 𝑝𝑘.

1. 𝑇𝑟𝑎𝑝𝑑𝑜𝑜𝑟(𝑠𝑘, 𝑝𝑘): 𝑇 ← (𝑔ý, 𝑎𝐻(𝑔Ï.ý)) is outputted as a permanent trapdoor where 𝑢 $W.

2. 𝑇𝑟𝑎𝑝𝑑𝑜𝑜𝑟(𝑠𝑘, 𝑝𝑘, 𝐶) : On input a ciphertext 𝑈, 𝑉, 𝑊 ← 𝐶 , 𝑇Ž ← (𝑔ý, 𝑈𝐻(𝑔Ï.ý)) is outputted as a cipher-bound trapdoor where 𝑢 $W.

• 𝑉𝑒𝑟𝑖𝑓𝑦: Both kinds of trapdoors are verified using the receiver’s public key (𝑔, 𝑔Ï) ← 𝑝𝑘 and the tester’s secret key (𝑎, 𝑏) ← 𝑠𝑘.

1. 𝑉𝑒𝑟𝑖𝑓𝑦(𝑝𝑘, 𝑠𝑘, 𝑇) : the permanent trapdoor (𝑋, 𝑌) ← 𝑇 can be verified by computing 𝑎 ← 𝑌/𝐻 𝑋Ï. 𝑚𝑜𝑑 𝑞, and outputting 1 if 𝑔 = 𝑔; or 0, otherwise.

2. 𝑉𝑒𝑟𝑖𝑓𝑦(𝑝𝑘, 𝑠𝑘, 𝑇, 𝐶) : on input a ciphertext 𝐶 ← (𝑈, 𝑉, 𝑊) the cipher-bound trapdoor (𝑋, 𝑌) ← 𝑇 can be verified by computing 𝐴 ← 𝑌/𝐻(𝑋Ï.) , and outputting 1 if 𝑒 𝐴, 𝑔 = 𝑒(𝑔, 𝑈); or 0, otherwise.

• 𝑇𝑒𝑠𝑡(𝐶Í, 𝐶, 𝑇Í, 𝑇, 𝑠𝑘): On input ciphertexts 𝐶Í ← (𝑈Í, 𝑉Í, 𝑊Í), 𝐶 ← (𝑈, 𝑉, 𝑊) and trapdoors (𝑇Í, 𝑇), the equality test follows the steps below.

1. If both trapdoors are verified as valid, continue to the next step; otherwise, refuse and quit.

2. If (𝑋Í, 𝑌Í) ← 𝑇Í is a permanent trapdoor, compute 𝑎 ← 𝑌Í/𝐻 𝑋ÍÏ. 𝑚𝑜𝑑 𝑞 and 𝑍Í ← 𝑉Í/𝐻(𝑈Í); otherwise, compute 𝑍Í ← 𝑉Í/𝐻(𝑌Í/𝐻(𝑋ÍÏ.)).

3. Compute 𝑍 with 𝐶 and 𝑇 in the same way as step 2.

4. Output 1 if 𝑒(𝑈, 𝑍Í) = 𝑒(𝑈Í, 𝑍); or 0, otherwise.

The decryption is straightforward, so its derivation is omitted here. The consistency and soundness are analyzed as follows. Before that, a brief derivation related to the 𝑇𝑒𝑠𝑡 algorithm will be helpful for the analysis. After substituting the symbols and simplifying, 𝑍Í becomes 𝑚̓ï and 𝑍 equals 𝑚ƒ, where 𝑟Í, 𝑟 are the randomness such that 𝑈Í = 𝑔ƒï and 𝑈 =


• Perfect consistency: When 𝑚Í = 𝑚, the perfect consistency holds because 𝑒 𝑔ƒ , 𝑚̓ï = 𝑒 𝑔ƒï, 𝑚ƒ = 𝑒 𝑔, 𝑚Í ƒïƒ .

• Perfect soundness: By the type-I bilinear pairing setting, 𝑚Í ≠ 𝑚 implies 𝑒 𝑔ƒ , 𝑚̓ï ≠ 𝑒 𝑔ƒï, 𝑚ƒ and vice versa.
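The Trapdoor, Verify and Test algorithms above, as an added example (not code from the thesis). It reads the scheme as U = g^r, V = m^r·H(g^(ar)), permanent trapdoor (g^u, a·H(g^(b_t·u))) and cipher-bound trapdoor (g^u, U^a·H(g^(b_t·u))), where b_t is the tester's second key, and runs it in a toy model that stores g^x as x, so it checks the algebra only and has no security. The function names, the hash stand-in `H`, the trapdoor kind tag, the omission of W and the group order are assumptions of this example.

```python
import hashlib, secrets

Q = 2**61 - 1  # prime order of the toy group (constructed value)
# Transparent model: g^x is stored as x mod Q, so multiplying elements adds
# exponents, raising to k multiplies by k, and e(g^x, g^y) is x*y mod Q.
def H(tag, x):  # stand-in hash to a nonzero value mod Q ("G" or "Zq" range)
    d = hashlib.sha256(f"{tag}:{x}".encode()).digest()
    return int.from_bytes(d, "big") % (Q - 1) + 1

def rand():
    return secrets.randbelow(Q - 1) + 1

def keygen():  # (a, b); in this model the same pair also stands for (g^a, g^b)
    return (rand(), rand())

def enc(pk, m):  # testable part only: U = g^r, V = m^r * H(g^(ar)); W omitted
    r = rand()
    return (r, (m * r + H("G", pk[0] * r % Q)) % Q)

def trapdoor(sk_r, pk_t, C=None):
    a, u = sk_r[0], rand()
    mask = pk_t[1] * u % Q  # g^(b_t * u); the tester recomputes it as X^(b_t)
    if C is None:  # permanent: (g^u, a * H(mask) mod q)
        return ("perm", u, a * H("Zq", mask) % Q)
    return ("bound", u, (C[0] * a + H("G", mask)) % Q)  # (g^u, U^a * H(mask))

def unwrap(T, sk_t):  # tester removes the mask with its own b_t
    kind, X, Y = T
    mask = X * sk_t[1] % Q
    if kind == "perm":
        return Y * pow(H("Zq", mask), -1, Q) % Q  # the scalar a
    return (Y - H("G", mask)) % Q  # the element U^a

def verify(pk_r, sk_t, T, C=None):
    v = unwrap(T, sk_t)
    if T[0] == "perm":
        return int(v == pk_r[0])  # recovered g^a equals the receiver's g^a
    return int(v == pk_r[0] * C[0] % Q)  # e(A, g) == e(g^a, U)

def z_part(C, T, sk_t):  # Z = V / H(U^a) = m^r for either trapdoor kind
    v = unwrap(T, sk_t)
    Ua = v * C[0] % Q if T[0] == "perm" else v
    return (C[1] - H("G", Ua)) % Q

def equality_test(C1, T1, pk1, C2, T2, pk2, sk_t):
    if not (verify(pk1, sk_t, T1, C1) and verify(pk2, sk_t, T2, C2)):
        return None  # step 1: refuse unverified trapdoors
    Z1, Z2 = z_part(C1, T1, sk_t), z_part(C2, T2, sk_t)
    return int(C2[0] * Z1 % Q == C1[0] * Z2 % Q)  # e(U, Z') == e(U', Z)
```

Mixing one permanent and one cipher-bound trapdoor in `equality_test` exercises the compatibility claim; a cipher-bound trapdoor presented with a different ciphertext fails `verify` and the test is refused.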

Table 4: An overall comparison between PKE-AET and previous PKEET schemes

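| Category | Item | AoN-PKEET[77] | FG-PKEET[76] | PKE-DET[78] | PKE-AET |
|---|---|---|---|---|---|
| Efficiency | 𝐾𝐺𝑒𝑛 | 2𝑡2 | 2𝑡2 | 2𝑡2 | 2𝑡2 |
| Efficiency | 𝐸𝑛𝑐 | 5𝑡2 | 4𝑡2 | 𝑡v+ 5𝑡2 | 4𝑡2 |
| Efficiency | 𝐷𝑒𝑐 | 2𝑡2 | 2𝑡2 | 𝑡v+ 4𝑡2 | 4𝑡2 |
| Efficiency | 𝑇𝑟𝑎𝑝𝑑𝑜𝑜𝑟 | 0 | 3𝑡2 | 3𝑡2 | 2𝑡2/3𝑡2 |
| Efficiency | 𝑇𝑒𝑠𝑡 | 4𝑡2 | 4𝑡v | 4𝑡v+ 2𝑡2 | 2𝑡v+ (4𝑡2/2𝑡2) |
| Storage | Ciphertext | 5𝑞 + 𝜅 | 5𝑞 + 𝜅 | 4𝑞 + 𝜅 | 3𝑞 + 𝜅 |
| Storage | Trapdoor | 𝜅 | 2𝑞 | 2𝑞 | 2𝑞/2𝑞 |
| Trapdoor | Permanent | P | P | P | P |
| Trapdoor | Cipher-bound | O | O | O | P |
| Trapdoor | Private | O | P | P | P |
| Trapdoor | Verifiable | O | O | O | P |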

Overall comparison with previous PKEET schemes

Table 4 above compares PKE-AET with previous PKEET schemes. The time units 𝑡2, 𝑡v and the length units 𝑞, 𝜅 denote the computation time of exponentiation and pairing operations and the bit-length of elements in 𝔾 and ℤW, respectively. All tokens are defined in Table 1. Because PKE-AET supports both permanent trapdoors and cipher-bound trapdoors, some fields are shown as 𝐴/𝐵, denoting the performance with a permanent/cipher-bound trapdoor, respectively. In general, PKE-AET achieves better efficiency and storage space than [76], [78], but worse than [77]. However, PKE-AET is the only scheme that is compatible with both permanent trapdoors and cipher-bound trapdoors. Regarding the privacy and verifiability of the trapdoors, PKE-AET is the only scheme that ensures trapdoors can be obtained only by the assigned testers while also giving the testers the opportunity to verify the validity of received trapdoors. Next, the security is discussed.

Figure 18: The simulated OW-CCA2 game of PKE-AET.

Security proof