PKE-AET is IND-CCA2 secure against type-II adversaries in the RO model

國

立 政 治 大 學

‧

N a

tio na

l C h engchi U ni ve rs it y

is shown in the pseudo-code expression. In the beginning, the simulator initializes an empty hash table 𝜏, a set of public parameter 𝑝𝑝 and the key pair (𝑠𝑘, 𝑝𝑘); and the adversary outputs his public key 𝑝𝑘_• on receiving parameters (𝑝𝑝, 𝑝𝑘). Then, the adversary is allowed to request hash oracle 𝒪_•¡, trapdoor oracles 𝒪_™, 𝒪_™1 and decryption oracles 𝒪_Š , 𝒪_Š¡. The simulator will answer them as shown. Finally, if the adversary outputs 𝑚 where 𝑒 𝑔^ˆ, 𝑚 = 𝑒(𝑔^ˆŒ, 𝑔), it breaks the OW-CCA2 of PKE-AET; and meanwhile, the simulator breaks the CONF assumption by outputting 𝑔^Œ ← 𝑚.

By the intractability of the CONF assumption, it is said that PKE-AET is OW-CCA2 secure.

Theorem 9: PKE-AET is IND-CCA2 secure against type-II adversaries in the RO model.

Proof. Assume that there is an adversary who is able to break the IND-CCA2 security of PKE-AET with non-negligible probability in the random oracle model, it can be demonstrated that how one simulator may utilize the adversary to break the CDH assumption (given 𝑔^ˆ, 𝑔^Œ ∈ 𝔾, find 𝑔^ˆŒ, defined in section 2.1.2) with non-negligible probability. Let Pr [𝐸𝑥𝑝_?] be the probability the adversary wins the experiment 𝐸𝑥𝑝_?. A series of experiments and the difference lemma [82] will be adopted to gradually proof the security.

Experiment 𝐸𝑥𝑝_Í: A simulator initializes the public parameters 𝑝𝑝 and a pair of keys 𝑠𝑘, 𝑝𝑘 in the beginning. Then, it passes 𝑝𝑝, 𝑝𝑘 to the adversary to begin the experiment. When the decryption oracle 𝒪_Š (𝐶) is requested, it returns 𝐷𝑒𝑐(𝑠𝑘, 𝐶); when the decryption oracle 𝒪_Š¡(𝐶) is requested, it returns 𝒪_Š (𝐶) if 𝐶 ≠ 𝐶_Ï. The challenge 𝐶_Ï ← 𝐸𝑛𝑐(𝑝𝑘, 𝑚_Ï) is the encryption of one of messages (𝑚_Í, 𝑚_•) outputted by the adversary. Obviously, 𝐸𝑥𝑝_Í is identical the PKE-AET scheme. The probability is estimated as follow.

𝐴𝑑𝑣_{𝒜,»¸Ë°ÂË™}^{ÎxŠ°ŽŽÂ—} = Pr 𝐸𝑥𝑝_Í = Pr

𝑝𝑝 ← 𝑆𝑒𝑡𝑢𝑝 1^É ; 𝑠𝑘, 𝑝𝑘 ← 𝐾𝐺𝑒𝑛 𝑝𝑝 ; (𝑚_Í, 𝑚_•) ← 𝒜^{𝒪Ð (∙)}(𝑝𝑝, 𝑝𝑘);

𝑏 ^$ 0, 1 ; 𝐶_Ï ← 𝐸𝑛𝑐 𝑝𝑘, 𝑚_Ï ; 𝑏′ ← 𝒜^{𝒪С ∙} 𝑝𝑝, 𝑝𝑘, 𝐶_Ï : b = b′

−1 2

(40)

‧ 國

立 政 治 大 學

‧

N a

tio na

l C h engchi U ni ve rs it y

Experiment 𝐸𝑥𝑝_•: It is mainly the same as 𝐸𝑥𝑝_Í except the hash functions are replaced by random oracle accesses. Two hash tables 𝜏_•, 𝜏_— ←⊥ are initialized in the beginning of 𝐸𝑥𝑝_•. When a hash query 𝒪_• 𝑑_• or 𝒪_•¡ 𝑑_— is queried, the simulator checks data on table 𝜏_• or 𝜏_—, if there is already a record 𝑑_•, ℎ_• ∈ 𝜏_• or 𝑑_—, ℎ_— ∈ 𝜏_—, it returns the recorded hash value; if no record is found, it randomly picks a random value ℎ_• ^$ 𝔾 or ℎ_— ^$ 0, 1 ^Wܼ, saves 𝑑_•, ℎ_• or 𝑑_—, ℎ_— on table 𝜏_• or 𝜏_—, and returns hash value ℎ_• or ℎ_—, respectively. The hash functions in the encryption process and decryption oracles 𝒪_Š ∙ and 𝒪_Š¡ ∙ are substituted by random oracles as well. By the definition of the random oracle:

Pr 𝐸𝑥𝑝_Í = Pr 𝐸𝑥𝑝_• = Pr

𝑝𝑝 ← 𝑆𝑒𝑡𝑢𝑝 1^É ; 𝑠𝑘, 𝑝𝑘 ← 𝐾𝐺𝑒𝑛 𝑝𝑝 ; (𝑚_Í, 𝑚_•) ← 𝒜^{𝒪Ð (∙)𝒪) (∙)𝒪)¡(∙)}(𝑝𝑝, 𝑝𝑘);

𝑏 ^$ 0, 1 ; 𝐶_Ï← 𝐸𝑛𝑐 𝑝𝑘, 𝑚_Ï ;

𝑏′ ← 𝒜^{𝒪С ∙ 𝒪) ∙ 𝒪)¡ ∙} 𝑝𝑝, 𝑝𝑘, 𝐶_Ï : b = b′ (41)

Experiment 𝐸𝑥𝑝_—: It is mainly the same as 𝐸𝑥𝑝_• except that the challenge is modified as 𝐶_Ï ← (𝑔^ƒ, 𝑅_•, 𝑅_—) where 𝑟 ^$ ℤ_W^∗, 𝑅_• ^$ 𝔾 and 𝑅_— ^$ 0, 1 ^Wܼ. Then, two records (𝑔^•ƒ, 𝑅_•/𝑚_Ï^ƒ) and (𝑔^σ, 𝑅_—⊕ (𝑚_Ï||𝑟)) are added to hash tables 𝜏_• and 𝜏_—, respectively. It is inherently identical to 𝐸𝑥𝑝_• by the definition of random oracle. Experiment 𝐸𝑥𝑝_— reveals an interesting idea that ciphertext or challenge could actually be totally composed of randomness if the related hash records are correctly recorded in the hash tables. The probability of Pr 𝐸𝑥𝑝_— is shown below.

Pr 𝐸𝑥𝑝_• = Pr 𝐸𝑥𝑝_— = Pr

𝑝𝑝 ← 𝑆𝑒𝑡𝑢𝑝 1^É ; 𝑠𝑘, 𝑝𝑘 ← 𝐾𝐺𝑒𝑛 𝑝𝑝 ; (𝑚_Í, 𝑚_•) ← 𝒜^{𝒪Ð (∙)𝒪) (∙)𝒪)¡(∙)}(𝑝𝑝, 𝑝𝑘);

𝑏 ^$ 0, 1 ; 𝑟 ^$ ℤ_W^∗, 𝑅_• ^$ 𝔾; 𝑅_— ^$ 0, 1 ^Wܼ; 𝜏_•. 𝑎𝑑𝑑((𝑔^•ƒ, 𝑅_•/𝑚_Ï^ƒ));

𝜏_—. 𝑎𝑑𝑑((𝑔^σ, 𝑅_—⊕ (𝑚_Ï||𝑟)));

𝐶_Ï← (𝑔^σ, 𝑅_•, 𝑅_—);

𝑏′ ← 𝒜^{𝒪С ∙ 𝒪) ∙ 𝒪)¡ ∙} 𝑝𝑝, 𝑝𝑘, 𝐶_Ï : 𝑏 = 𝑏′

(42)

‧

Experiment 𝐸𝑥𝑝_Þ: It is mainly the same as 𝐸𝑥𝑝_— except for following modifications related to the CDH assumption (given 𝑔^ˆ, 𝑔^Œ ∈ 𝔾, find 𝑔^ˆŒ). The detail simulation is described in form of pseudo codes illustrated in Figure 19. Four main modifications are listed below.

Figure 19: The simulated IND-CCA2 game of PKE-AET.

1. The public key. Let 𝑎, 𝑏 ^$ ℤ_W^∗, the new public key is replaced by 𝑝𝑘 ← 𝑔^{ˆ •}, 𝑔^{ˆ Ï} . 2. The decryption oracle. Let 𝑈, 𝑉, 𝑊 ← 𝐶 and 𝜂 ←⊥. For all 𝑑_•, ℎ_• ∈ 𝜏_•, set 𝜂[𝑉/

𝑑_•] ← 𝑇𝑟𝑢𝑒 . For all 𝑑_—, ℎ_— ∈ 𝜏_—, computes 𝑚||𝑟 ← 𝑊 ⊕ ℎ_—; if (𝑈 = 𝑔^ƒ∧ 𝜂[𝑚^ƒ] ), returns 𝑚 as the decryption result. If no matched record found, it returns ⊥.

‧ 國

立 政 治 大 學

‧

N a

tio na

l C h engchi U ni ve rs it y

3. The hash oracle checks. Owing to the fact that the CDH problem is imported into 𝐸𝑥𝑝_Þ, a check is executed before returning the hash values. If the adversary requests a hash query 𝒪_• (𝑔^•ˆŒ) or 𝒪_•¡(𝑔^ψŒ), the simulator will not be able to return a convincing answer to the adversary and the simulation will fail. Let it be event 𝐸. When revising the description in Experiment 𝐸𝑥𝑝_—, the ciphertexts could be composed of randomness and the experiment still works if some hash records are correctly recorded. But in this Experiment 𝐸𝑥𝑝_Þ, these records cannot be recorded due to the hardness of the CDH problem. If event 𝐸 happens, the simulator aborts the simulated experiment and outputs 𝑔^ˆŒ ← 𝑑_•^•ø or 𝑔^ˆŒ ← 𝑑_—^Ïø to break the CDH problem.

4. The challenge. The challenge is set to 𝐶_Ï ← (𝑔^Œ, 𝑅_•, 𝑅_—) where 𝑅_• ^$ 𝔾 and 𝑅_— ^$ 0, 1 ^Wܼ.

The probability Pr [𝐸𝑥𝑝_—] is going to be discussed based on probabilities Pr [𝐸𝑥𝑝_Þ] and Pr [𝐸].

• If the adversary ever requests 𝒪_• (𝑔^•ˆŒ) or 𝒪_•¡(𝑔^ψŒ) that might cause failure, the simulated 𝐸𝑥𝑝_Þ will fail. But in this condition the simulator can break the CDH problem by outputting 𝑔^ˆŒ ← 𝑑_•^•ø or 𝑔^ˆŒ ← 𝑑_—^Ïø . The probability of event 𝐸 is estimated as (𝑞_• + 𝑞_•¡)𝐴𝑑𝑣_𝒜,𝔾^ŽŠ•_,𝔾* where 𝑞_• and 𝑞_•¡ are the access limits of 𝐻_• and 𝐻_—, respectively.

• If above event doesn’t occur, no information about 𝑚_Ï is hidden in the challenge 𝐶_Ï, the probability Pr [𝐸𝑥𝑝_Þ] is 1/2 for any adversary.

By the difference lemma [82], the probability Pr [𝐸𝑥𝑝_—] is estimated as Pr 𝐸𝑥𝑝_— ≤^•_—+ 𝐴𝑑𝑣_𝒜,𝔾^ŽŠ•_,𝔾*. Then, combining equation

(45) to (47), the probability 𝐴𝑑𝑣_{𝒜,»¸Ë°ÂË™}^{ÎxŠ°ŽŽÂ—} is estimated as

𝐴𝑑𝑣_{𝒜,»¸Ë°ÂË™}^{ÎxŠ°ŽŽÂ—} = Pr 𝐸𝑥𝑝_Í −1

2= Pr 𝐸𝑥𝑝_• −1

2≤ (𝑞_• + 𝑞_•¡)𝐴𝑑𝑣_𝒜,𝔾^ŽŠ•_,𝔾*

(43)

‧ 國

立 政 治 大 學

‧

N a

tio na

l C h engchi U ni ve rs it y

As a result, by the intractable of the CDH problem, it is said that PKE-AET is IND-CCA2 secure against unauthorized type-II adversaries in the random oracle model.

Discussion

So far, all PKEET schemes suffer from a problem that their security against type-I adversaries, or so called authorized users, may not be indistinguishable. A simple and general demonstration below shows that the indistinguishability is unachievable for most PKEET schemes. In any indistinguishable game, the adversary outputs two messages 𝑚_Í, 𝑚_• to the simulator and one of them is encrypted into the challenge 𝐶_Ï. Then, the adversary requests trapdoor oracle to acquire a permanent or cipher-bound trapdoor. Next, it encrypts 𝑚_• into 𝐶_•^∗ and executes 𝑇𝑒𝑠𝑡(𝐶_Ï, 𝐶_•^∗, 𝑇) with its trapdoor. Finally, the answer 𝑏 ← 𝑇𝑒𝑠𝑡(𝐶_Ï, 𝐶_•^∗, 𝑇) is easily obtained. That is why the security proof has to be discussed in two categories. After analyzing the reason why no known PKEET scheme can defend this attack, a conclusion was obtained: the adversary always obtains the trapdoor he needs. If this condition can be avoided, the security notion will be much better than just one-way security. Following, in the next research paper, a PKEET solution will be introduced, which is provable indistinguishable in the standard model that means the random oracle model is no longer needed while proofing the security. On the other hand, it could be proved indistinguishable even against the authorized users so that the categories type-I and type-II are also no longer required.

‧ 國

立 政 治 大 學

‧

N a

tio na

l C h engchi U ni ve rs it y

4.4 Semantic secure equality test

Following the discussion of the previous page, there is no known PKEET scheme before this work that can be proved IND-CCA2 secure, or so called semantic secure. Hence, it was quite remarkable when the first semantic secure PKEET solution was proposed. Informally speaking, the proposed PKE-FET framework is similar to other PKEET schemes, including 𝑆𝑒𝑡𝑢𝑝, 𝐾𝐺𝑒𝑛, 𝐸𝑛𝑐, 𝐷𝑒𝑐, 𝑇𝑟𝑎𝑝𝑑𝑜𝑜𝑟 and 𝑇𝑒𝑠𝑡. The spotlight focuses on how the trapdoor is designed for better security. In previous works, the trapdoor is valid for all ciphertext or for a specific ciphertext, and the adversary in the simulated security games knows that the given trapdoor definitely works with the challenge ciphertext. The newly designed trapdoor breaks this. In the PKE-FET syntax (illustrated in Figure 20), a receiver picks several messages to generate a trapdoor that only makes these messages equality testable; and these messages are intractable from the trapdoor. In the viewpoint of the adversary, the trapdoor is valid for only few unknown messages. The detail discussion begins with the definition of the new syntax PKE-FET.

Figure 20: The flowchart of filtered equality test

‧ 國

立 政 治 大 學

‧

N a

tio na

l C h engchi U ni ve rs it y

Syntax of PKE-FET

• 𝑆𝑒𝑡𝑢𝑝 1^¼ : On input a secure parameter 𝜅, public parameters 𝑝𝑝 are generated for public usage.

• 𝐾𝐺𝑒𝑛(𝑝𝑝): A user picks a pair of private key and public key (𝑠𝑘, 𝑝𝑘) through the public parameters 𝑝𝑝, where the public key is published and the private key is securely kept.

• 𝐸𝑛𝑐(𝑝𝑘, 𝑚): The sender uses the receiver’s public key to encrypt a message 𝑚 into a testable ciphertext 𝐶.

• 𝐷𝑒𝑐(𝑠𝑘, 𝐶): The receiver can decrypt the acquired ciphertext 𝐶 with its secret key and then obtain the hidden message 𝑚.

• 𝑇𝑟𝑎𝑝𝑑𝑜𝑜𝑟(𝑠𝑘, 𝑴): The receiver firstly picks several messages, say group 𝑴, then it outputs a trapdoor 𝑇 ← 𝑇𝑟𝑎𝑝𝑑𝑜𝑜𝑟(𝑠𝑘, 𝑴). This trapdoor is valid only when the inputted message 𝑚 ∈ 𝑴.

• 𝑇𝑒𝑠𝑡 𝐶_Í, 𝐶_•, 𝑇_Í, 𝑇_• : Let 𝐸𝑛𝑐 𝑝𝑘_Í, 𝑚_Í ← 𝐶_Í , 𝐸𝑛𝑐 𝑝𝑘_•, 𝑚_• ← 𝐶_• , 𝑇𝑟𝑎𝑝𝑑𝑜𝑜𝑟 𝑠𝑘_Í, 𝑴_Í ← 𝑇_Í and 𝑇𝑟𝑎𝑝𝑑𝑜𝑜𝑟 𝑠𝑘_•, 𝑴_• ← 𝑇_•, on input two ciphertexts and their receivers’ trapdoors, the authorized user can verify the equivalence between two ciphertexts if 𝑚_Í ∈ 𝑴_Í and 𝑚_• ∈ 𝑴_•. After the equality test, the algorithm outputs 1 for 𝑚_Í ∈ 𝑴_Í, 𝑚_• ∈ 𝑴_• and 𝑚_Í = 𝑚_•; or 0, otherwise.

𝐴𝑑𝑣_{𝒜,»¸Ë°”Ë™}^{ÎxŠ°ŽŽÂ—} (𝜅)¹²³Pr

𝑝𝑝 ← 𝑆𝑒𝑡𝑢𝑝 1^É ; 𝑠𝑘, 𝑝𝑘 ← 𝐾𝐺𝑒𝑛 𝑝𝑝 ; 𝑴 ^$ ℳ; 𝑇 ← 𝑇𝑟𝑎𝑝𝑑𝑜𝑜𝑟 𝑠𝑘, 𝑴 ;

(𝑚_Í, 𝑚_•) ← 𝒜^{𝒪Ð ∙} (𝑝𝑝, 𝑝𝑘, 𝑇);

𝑏 ^$ 0, 1 ; 𝐶_Ï ← 𝐸𝑛𝑐 𝑝𝑘, 𝑚_Ï ; 𝑏′ ← 𝒜^{𝒪С ∙} 𝑝𝑝, 𝑝𝑘, 𝑇, 𝐶_Ï : 𝑏 = 𝑏′

−1 2

(44)

‧ 國

立 政 治 大 學

‧

N a

tio na

l C h engchi U ni ve rs it y

Security notion

The IND-CCA2 security⁴ is quite similar to that defined in section 3.1.2. In addition, the trapdoor is given to the adversary when the experiment starts with receiving the public parameters 𝑝𝑝 and the public key 𝑝𝑘. A PKE-FET scheme is IND-CCA2 secure if 𝐴𝑑𝑣_{𝒜,»¸Ë°”Ë™}^{ÎxŠ°ŽŽÂ—} 𝜅 is negligible.

The implementation of the PKE-FET scheme relies on the cooperation of bilinear mapping and the secret sharing technology, both of which were defined in chapter 2.

• 𝑆𝑒𝑡𝑢𝑝(1^¼): On input a secure parameter 𝜅, a type-III bilinear pairing {𝑒: 𝔾_• × 𝔾_— → 𝔾_™, 𝑔_•, 𝑔_—, 𝑞} is generated where 𝑔_• ∈ 𝔾_•, 𝑔_— ∈ 𝔾_— denote generators of 𝔾_• and 𝔾_—, respectively; and 𝑞 stands for the order of 𝔾_•, 𝔾_— and 𝔾_™. Two collision-resistant and one-way hash functions 𝐻_•: 𝔾 → 𝔾_™ and 𝐻_—: 0, 1 ^∗ → ℤ_W^∗ are required. The message space ℳ is set identical to group 𝔾. Another secure parameter 𝑛 (𝑛 ≪ ℳ = 𝑞) that regulates the maximum size of message sets hidden in the trapdoors is required. The outputted public parameters are 𝑝𝑝 ← {𝑒, 𝔾_•, 𝔾_—, 𝔾_™, 𝑔_•, 𝑔_—, 𝑞, 𝐻_•, 𝐻_—, 𝑛}.

• 𝐾𝑒𝑦𝐺𝑒𝑛(𝑝𝑝) : On input the public parameters 𝑝𝑝 , a user randomly picks (𝑘, 𝑙, 𝑠_Í, … , 𝑠_?) ^$ ℤ_W^∗ as its private key and publishes the public key (𝐾, 𝐿, 𝑆_Í, … 𝑆_?) where 𝐾 ← 𝑔_•^~, 𝐿 ← 𝑒 𝑔_•, 𝑔_— ^~î and 𝑆_„ ← 𝑔_•^Ýì for all 𝑖 ∈ [0, 𝑛].

• 𝐸𝑛𝑐(𝑝𝑘, 𝑚): To encrypt a message 𝑚 ∈ 𝔾_•, a sender randomly picks 𝑟 ^$ ℤ_W^∗ and outputs 𝐶 ← (𝑈, 𝑉, 𝑊, 𝑿) where 𝑈 ← 𝑔_•^ƒ, 𝑉 ← 𝑚𝐾^ƒ and 𝑊 ← 𝐿^ƒ𝐻_•(𝑚). Set 𝑿 is composed of 𝑿 ← (𝑋_Í, … , 𝑋_?) where ℎ ← 𝐻_—(𝑚) and 𝑋_„ ← 𝑆_„^ƒ;ì for all 𝑖 ∈ [0, 𝑛].

4 The probability 𝐴𝑑𝑣_{𝒜,»¸Ë°”Ë™}^{ÎxŠ°ŽŽÂ—} 𝜅 is defined without consideration about the trapdoor oracle and the test oracle. Whereas, the adversary might or might not acquire useful information if those two oracle accesses are available. If one day, the trapdoor oracle is taken into consideration, the key pair of the receiver has to change in each session, and it has to be ensured that the adversary has to output 𝑤_Í, 𝑤_• in a session without trapdoor oracle. The practical setting among key pairs, sessions, and trapdoor oracles is quite complicated so that it is kept as a future work.

‧

[0, 𝑛]. Note that the message set 𝑴 and coefficients 𝑎_„ are unknown to the testers.

• 𝑇𝑒𝑠𝑡(𝐶_Í, 𝐶_•, 𝑇_Í, 𝑇_•) : Let 𝐶_Í ← (𝑈_Í, 𝑉_Í, 𝑊_Í, 𝑿_Í) , 𝐶_• ← (𝑈_•, 𝑉_•, 𝑊_•, 𝑿_•) , 𝑇_Í,Í, … , 𝑇_Í,? ← 𝑇_Í and 𝑇_•,Í, … , 𝑇_•,? ← 𝑇_•, the filtered equality test follows the steps below.

1. Parse 𝑿_Í and 𝑿_• as (𝑋_Í,Í, … , 𝑋_Í,?) ← 𝑿_Í and (𝑋_•,Í, … , 𝑋_•,?) ← 𝑿_•. 2. Compute 𝑍_Í ← 𝑊_Í/ ^?_„ØÍ𝑒(𝑋_Í,„, 𝑇_Í,„) and 𝑍_• ← 𝑊_•/ ^?_„ØÍ𝑒(𝑋_•,„, 𝑇_•,„). 3. Output 1 if 𝑍_Í = 𝑍_•; or output 0, otherwise.

The decryption process is straightforward so that it is omitted. For the second step of algorithm 𝑇𝑒𝑠𝑡, a brief inference might help understand. The computation is symmetric so that symbols 𝐶_Í 𝑇_Í, 𝑈_Í, 𝑉_Í and 𝑊_Í are replaced by 𝐶, 𝑇, 𝑈, 𝑉 and 𝑊, respectively; 𝑋_Í,„ and 𝑇_Í,„ are substituted with 𝑋_„ and 𝑇_„, respectively. The same replacements are applied to those variables on the other side like 𝐶_• 𝑇_•, 𝑈_•, 𝑉_•, 𝑊_•, 𝑋_•,„ and 𝑇_•,„. second step of algorithm 𝑇𝑒𝑠𝑡 becomes:

‧

• Perfect consistency: By equation (46), the comparison between 𝑍_Í and 𝑍_• is actually the comparison between 𝐻_• 𝑚_Í and 𝐻_• 𝑚_• in case both condition I and II hold. The consistency definitely holds because 𝑚_Í = 𝑚_• implies 𝐻_• 𝑚_Í = 𝐻_• 𝑚_• .

• Computational soundness: Two scenarios are taken into consideration as follows.

o Condition I and II hold, but condition III fails. By the collision resistant property, it is computationally hard to find 𝑚_Í ≠ 𝑚_• and 𝐻_• 𝑚_Í = 𝐻_•(𝑚_•) . The probability is estimated as 𝐴𝑑𝑣_𝒜,•^Ž« (𝜅). It is defined in section 2.2.1.

o At least one of condition I or II fails. Since function 𝑓(𝑚_Í) or 𝑓(𝑚_•) is unpredictable, the false positive probability is estimated as 𝑞^°•.

It is clear that the computation of filtered equality test is not that efficient because of the belongingness verification is heavy. When it is compared with previous PKEET works (depicted in Table 5), despite 𝑛 ≪ |𝔾|, the computation complexity of PKE-FET is higher than other PKEET works. The spotlight is that it is IND-CCA2 secure against no matter type-I and type-II adversaries.

Table 5: Comparison between PKE-FET and previous PKEET schemes.

AoN-PKEET[77] PKE-DET[78] PKE-AET[81] PKE-FET

Efficiency 𝐾𝐺𝑒𝑛 𝑂(1) 𝑂(1) 𝑂(1) 𝑂(𝑛)

‧ 國

立 政 治 大 學

‧

N a

tio na

l C h engchi U ni ve rs it y

Trapdoor 𝑂(1) 𝑂(1) 𝑂(1) 𝑂(𝑛)

Trapdoor Scope 𝔾 𝔾 𝔾 or 1 𝑛

Security W/O trapdoor One-way One-way One-way IND

With trapdoor IND IND IND IND

Security proof

The efficiency is not good among all PKEET schemes, but the security is outstanding. Following, the security proof will focus on the security against type-I adversaries (authorized users), which implies the security against type-II adversaries (unauthorized users).

在文檔中 可搜尋式加密和密文相等性驗證 - 政大學術集成 (頁 88-98)