Under the standard model

Now, we modify KeEncBasic to achieve the security against the adaptive chosen ciphertext attack under the standard model. The scheme is shown in Figure 3.4 and Figure 3.5. Comparison to KeEncROM, we assume that a hash function H is collision-resistant but not random. For such a function H, it is infeasible to find two distinct inputs v1 and v2 such that H(v1) = H(v2).

A hash function H is chosen from the collision-resistant hash family H.

At first, we choose five z-degree polynomial functions at random, f_a0(x), f_a1(x), f_b1(x), f_a2(x), f_b2(x), where f_aj(x) = Pz

i=0a_j,ixⁱ for 0 ≤ j ≤ 2 and f_bj(x) =Pz

i=0b_j,ixⁱ for 1 ≤ j ≤ 2. The decryptor saves the constant term of each of polynomial functions as the initial secret key SK₀. The decryptor and TA compute the secret key SK_j of time period j in a secure way. The public key consists of g, h, q, p, H and commitments of the coefficients of these polynomials.

To encrypt a message m at time period j, the encryptor computes the following value hj, α, β, s, δi, where α = g^k, β = h^k, s = m · g^kfa0(j), δ = g^kfa1(j)h^kfb1(j)(g^kfa2(j)h^kfb2(j))^υ and υ = H(j, α, β, s) for a random k ∈ Z_q. The decryptor can decrypt as long as he has SK_j = {f_a0(j), f_a1(j), f_b1(j), f_a2(j), f_b2(j)}. The decryptor computes υ⁰ = H(j, α, β, s) and checks if α^{fa1(j)+fa2(j)υ0}β^{fb1(j)+fb2(j)υ0} = δ. If so, he decrypts and obtains m.

Correctness. Let SK_j = {f_a0(j), f_a1(j), f_b1(j), f_a2(j), f_b2(j)} and a cipher-text of m is hj, α, β, s, δi. If υ = H(j, α, β, s), then α^{fa1(j)+fa2(j)υ}β^{fb1(j)+fb2(j)υ} = g^kfa1(j)g^kfa2(j)·υh^kfb1(j)h^kfb2(j)·υ = g^kfa1(j)h^kfb1(j)(g^kfa2(j)υh^kfb2(j)υ) = δ. We can obtain the message m by computing s/α^fa0(j)= m · g^kfa0(j)/α^fa0(j)= m.

Efficiency. After pre-computation, each encryption takes 5 modular expo-nentiations, 2 modular multiplications and 1 hash operations. Each decryption takes 3 modular exponentiations, 1 modular division, 2 modular multiplica-tions and 1 hash operamultiplica-tions. Computation time is independent of the time period j. Therefore, this scheme is as efficient as KeEncBasic.

Again, KeEncSTM’s public key consists of 3(z + 1) n-bit values and pri-vate key consists of only one 5n-bit value, which are both independent of the total number of time periods.

3.2.4 Security analysis

Assume the DDH assumption. We show that KeEncSTM is semantically se-cure against the adaptive chosen ciphertext attack. For time period j, the

decryption key SK_j doesn’t be disclosed, an adversary cannot distinguish E(P K, m₀, j) from E(P K, m₁, j). Therefore, our scheme has forward and backward securities.

Theorem 7 Assume the DDH problem is hard. For KeEncSTM, given pub-lic key P K = hg, h, q, H, {w_i, c_i, d_i}_0≤i≤zi and z private keys SK^∗_ji, 1 ≤ i ≤ z, no probabilistic polynomial-time adversary with access to the decryption oracle is able to find m₀ and m₁ in G_q such that their ciphertexts at time period j, j 6= j_l, 1 ≤ l ≤ z, are distinguishable.

Proof. Assume that the scheme does not have the desired properties. There is an adversary A that can distinguish the ciphertexts of the two messages m₀ and m₁ with a non-negligible probability even knowing z private keys and being able to query the decryption oracle (DO) adaptively. A has two probabilistic polynomial-time procedures A₁ and A₂. A₁ takes as input the public key and z private keys, makes some chosen-ciphertext queries to (DO), and outputs two messages m₀ and m₁. A₂ takes as input the public key PK, z private keys, m₀, m₁, and the ciphertext E(P K, m_b, j), queries (DO) adaptively, and outputs b⁰, where b is a random bit. We say that A attacks the scheme successfully if Pr[b = b⁰] = 1/2 + (n) for some non-negligible function

(n), where the probability is taken over b and the internal coin tosses of A₁, A₂, KG and z private keys. We show that we can use A to construct a probabilistic polynomial-time algorithm B for solving the DDH problem with a non-negligible probability.

Let the input of DDH be hg1, g2, u1, u2i. We construct a simulator S that simulates A⁰s view in its attack on the algorithm. The simulator S contains an encryption oracle E O and a decryption oracle DO. We will show that the simulation of A’s view will be nearly perfect if the quadruple is from D and A’s advantage is negligible if the quadruple is from R. We construct the simulator S as follows.

1. Key setup. The public key is constructed as follows.

(a) Randomly select a_j1, · · · , a_jz b_j1, · · · , b_jz over Z_q. we can compute w⁰_i for 0 ≤ i ≤ z by Lagrange interpolation. Thus f_a⁰₀(x) = Pz

(c) Then we set the public key as follows.

P K = hg, h, q, H, {w_i⁰, c⁰_i, d⁰_i}_0≤i≤zi,

where H is a family of collision-resistant hash functions, g = g₁ and h = g₂.

The key generation is a bit different from the actual cryptosystem; how-ever, the effect is the same.

2. Challenge. Feed the public key P K and the z private keys SK_j⁰ = {b_ji−1, eb_ji−1, r_1,i, r_2,i, r_3,i, r_4,i}, 2 ≤ i ≤ z + 1, to A₁ and get two messages m₀ and m₁ in G_q.

3. Encryption. Randomly select a bit b ∈_R{0, 1} and compute α⁰ = u₁, β⁰ = u₂, s⁰ = m_b· u^f

δ⁰ = u^f

4. Decryption. Given the ciphertext c, DO checks if c is valid by verifying u^f

If it is not valid, the oracle rejects it. Otherwise, DO returns m = s⁰/u^f

This completes the description of S. The adversary B takes as input (g₁, g₂, u₁, u₂) and outputs 1 if b = A₂(s⁰). To complete the proof, we show:

1. If (g1, g2, u1, u2) is from D, the joint distribution of the adversary’s view and the hidden bit b is statically indistinguishable from that in the actual attack.

2. If (g₁, g₂, u₁, u₂) comes from R, the distribution of the hidden bit b is independent of the adversary’s view.

The theorem follows immediately from the following two lemmas.

Lemma 8 If the S’s input (g₁, g₂, u₁, u₂) is from D, the joint distribution of the adversary’s view and the hidden bit b is statically indistinguishable from that in the actual attack.

We need argue two things. One is that the output of DO and E O has the right distribution. The other is that DO rejects all invalid ciphertexts except with a negligible probability. Since the input comes from D, we have that u₁

= g₁^r and u₂ = g^r₂ for some r. Thus, α⁰ = u₁, β⁰ = u₂, s⁰ = m_b· u^f

the encryption oracle E O has the right distribution. In addition, the

Moreover, we will show that DO rejects all invalid ciphertexts, except with a negligible probability. Consider that the invalid ciphertext hj, α⁰, β⁰, s⁰, δ⁰i.

From the output of the E O, we obtain another equation:

log δ⁰ = r · f_a⁰₁(j) + ra · f_b⁰₁(j) + υ⁰r · f_a⁰₂(j) + υ⁰ra · f_b⁰₂(j). (3.3) independent, the hyperplane H intersects P at a line.

The first time the DO rejects an invalid ciphertext, except with probability 1/q. However, the i_th query will be rejected, except with the probability at least 1/(q − i + 1). Following the result above, DO will rejects all invalid ciphertext, except with negligible probability.

Lemma 9 If the S’s input (g1, g2, u1, u2) is from R, the distribution of the hidden bit b is independent of the adversary’s view.

We should show that if DO rejects all invalid ciphertexts, the distribution of the hidden bit b is independent of the adversary’s view. Let r₁ = logu₁

and r₂ = log_g2u₂. Assume that r₁ 6= r₂. The public key w_j = g^fa000(j)h^fb000(j) determines the equation:

log wj = f_a⁰⁰₀(j) + af_b⁰⁰₀(j). (3.5)

Moreover, if the DO only decrypts valid ciphertexts (hj, α⁰, β⁰, s⁰, δ⁰i), then the adversary obtains only linearly dependent relation r⁰log w_j = r⁰f_a⁰⁰₀(j) + r⁰af_b⁰⁰₀(j), where r⁰ = logu1. Thus, no further information about (f_a⁰⁰₀(j), f_b⁰⁰₀(j))

Equations 3.5 and 3.6 are linearly independent. We can view τ as a one-time pad. As a result the bit b is independent of the adversary’s view.

Next, we prove that DO will reject all invalid ciphertexts, except with a negligible probability. Based on the adversary’s view, we examine the distri-bution of P = (f_a⁰₁(j), f_a⁰₂(j), f_b⁰₁(j), f_b⁰₂(j)) ∈ Z⁴_q. From the output of E O, we From the adversary’s view, P is a random point on the line L formed by intersecting the hyperplane of Equations 3.1, 3.2 and 3.7. Let r⁰₁ = logu⁰₁ and r₂⁰ = log_g2u⁰₂. If the submitted ciphertext (hj, α⁰, β⁰, s⁰, δ⁰i) is invalid, there are three cases to consider:

1. Case I. (α⁰, β⁰, s⁰) = (α, β, s). Since δ⁰ 6= δ, the decryption oracle still rejects.

2. Case II. (α⁰, β⁰, s⁰) 6= (α, β, s) but the hash value is the same. This im-mediately violates the collision-resistance of our hash function. There-fore, this cannot occur with non-negligible probability.

3. Case III. (α⁰, β⁰, s⁰) 6= (α, β, s) and the hash value is not the same.

Unless the point P satisfies the hyperplane logδ⁰. Otherwise, DO will reject. Moreover, Equations 3.1, 3.2, 3.4 and 3.7 are linearly indepen-dent when α⁰ 6= α^∗, r₁ 6= r⁰₁ and r₂ 6= r₂⁰. It follows that the decryption oracle rejects, except with a negligible probability.

Now, we consider the case that

when t 6= j, the tuple (f_a⁰₁(j), f_a⁰₂(j), f_b⁰₁(j), f_b⁰₂(j), f_a⁰₁(t), f_a⁰₂(t), f_b⁰₁(t), f_b⁰₂(t)) is uniformly distributed subject to several constraints. At first, we have Equa-tions 3.1, 3.2 and 3.7. Next, we have the two equaEqua-tions from the public key:

From the public key c_t and d_t, we obtain two equations:

log c_t= f_a⁰₁(t) + af_b⁰₁(t), (3.8) log d_t = f_a⁰

2(t) + af_b⁰

2(t). (3.9)

Since the adversary could have z secret keys other than j and t, he can knows z values of each of f_a⁰₁(·), f_b⁰₁(·), f_a⁰₂(·) and f_b⁰₂(·). Therefore, the following relations hold:

f_a⁰₁(j) + λf_a⁰₁(t) = s₁ (3.10) f_a⁰₂(j) + λf_a⁰₂(t) = s₂ (3.11) f_b⁰₁(j) + λf_b⁰₁(t) = s₃ (3.12) f_b⁰₂(j) + λf_b⁰₂(t) = s₄ (3.13) where λ is the Lagrange coefficient λ = (j − j₁)(j − j₂) · · · (j − j_z)/(t − j₁)(t − j₂) · · · (t − j_z). Now we have more equations than unknowns. However, it is easy to see that Equation 3.12 is linearly dependent on Equations 3.1, 3.2 and 3.10 while Equation 3.13 is linearly dependent on Equations 3.8, 3.9 and 3.11.

Thus, there are 7 linearly independent equations and 8 unknowns. Consider that the ciphertext (ht, α⁰⁰, β⁰⁰, s⁰⁰, δ⁰⁰i) submitted by the adversary is invalid.

DO will rejects unless

log δ⁰⁰ = r₁· f_a⁰₁(t) + r₂a · f_b⁰₁(t) + υ⁰⁰r₁· f_a⁰₂(t) + υ⁰⁰r₂a · f_b⁰₂(t), (3.14)

Looking at all 8 Equations 3.1, 3.2, 3.7- 3.11 and 3.14, we see that they are linearly independent when the following three conditions hold:

1. logu₁ 6= log_g2u₂. This is true since (g₁, g₂, u₁, u₂) is a random tuple.

2. logα⁰⁰ 6= log_g2β⁰⁰. This is true since the ciphertext (ht, α⁰⁰, β⁰⁰, s⁰⁰, δ⁰⁰i) is invalid.

3. H(j, α⁰, β⁰, s⁰) 6= H(t, α⁰⁰, β⁰⁰, s⁰⁰). This is true since j 6= t and H is chosen from a family of collision resistant functions. The collision resistance of H is necessary since the adversary’s choice of j, t is not known in advance.

Therefore, the ciphertxet is rejected except with negligible probability at most 1/q. The ith query except with probability at most 1/(q−i+1). This completes

the proof. 2

1. Algorithm KG(1ⁿ, z):

(a) Randomly select an n-bit prime p = 2q + 1, where q is also a prime.

Let G_qbe the subgroup of order q in Z_p^∗ and g be a generator of G_q. (b) Randomly select a degree-z polynomial f (x) =Pz

i=0a_ixⁱ mod q.

(c) H₁, H₂, H₃ are random oracle hash functions.

(d) Set the public key and base private key as

P K = hg^a0, g^a1, . . . , g^az, p, H₁, H₂, H₃i and SK₀ = hf (0)i.

(e) Let TA hold f (xj), xj ∈ Zq, 1 ≤ j ≤ z.

2. Algorithm UPD(P K, SK_j−1): the decryptor Bob and TA together com-pute SKj = hf (j)i from their shares in a secure distributed way.

3. Algorithm E^H1,H2,H3(P K, m, j): randomly select k ∈ Z_q and r ∈ G_q, compute

α = g^k, β₁ = r · (

z

Y

i=0

(g^ai)^ji)^k = r · g^{f (j)·k},

β₂ = k ⊕ H₁(j, r), s = m ⊕ H₂(j, r, k), h = H₃(j, r, k, m), and return the ciphertext hj, α, β₁, β₂, s, hi.

4. Algorithm D^H1,H2,H3(SK_j, hj, α, β₁, β₂, s, hi):

(a) Compute r = β₁/α^{f (j)}, k = β₂⊕ H₁(j, r) and m = s ⊕ H₂(j, r, k).

(b) Check whether α = g^k and h = H₃(j, r, k, m). If it is so, return m;

otherwise, return ’ ?’.

Figure 3.3: KeEncROM – discrete logarithm based key-evolving encryption scheme with z-resilience and semantic security against the adaptive chosen ciphertext attack under the random oracle model.

1. Algorithm KG(1ⁿ, z): let H be a collision-resistant hash function selected from a family of collision-resistant hash functions.

(a) Randomly select an n-bit prime p = 2q + 1, where q is also a prime.

All operations work over Z_p except being stated otherwise. Let G_q be the subgroup of order q in Z_p^∗ and g be a generator of G_q. (b) Randomly select five degree-z polynomial functions f_aj(x) =

Pz

i=0a_j,ixⁱ for 0 ≤ j ≤ 2 and f_bj(x) = Pz

i=0b_j,ixⁱ for 1 ≤ j ≤ 2.

(c) Set w^∗_i = g^a0,i, c^∗_i = g^a1,ih^b1,i and d^∗_i = g^a2,ih^b2,i for 0 ≤ i ≤ z.

(d) Set the public key and base private key as

P K = hg, h, q, H, {w^∗_i, c^∗_i, d^∗_i}0≤i≤zi and

SK0 = {fa0(0), fa1(0), fb1(0), fa2(0), fb2(0)}.

(e) Let TA hold {f_a0(x_j), f_a1(x_j), f_b1(x_j), f_a2(x_j), f_b2(x_j)}, x_j ∈ Z_q, 1 ≤ j ≤ z.

Figure 3.4: KeEncSTM (part 1)– discrete logarithm based key-evolving scheme with z-resilience and semantic security against the adaptive chosen ciphertext attack under the standard model.

1. Algorithm UPD(P K, SKj−1): the decryptor Bob and TA together com-pute SK_j = hf_a0(j), f_a1(j), f_b1(j), f_a2(j), f_b2(j)i from their shares in a secure distributed way.

2. Algorithm E(P K, m, j): randomly select k ∈ Z_q, compute

α = g^k, β = h^k, s = m ·

z

Y

i=0

(w_i^∗)^kji = m · g^kfa0(j), and

δ =

z

Y

i=0

(c^∗_i)^kji · (

z

Y

i=0

(d^∗_i)^kji)^υ = g^kfa1(j)h^kfb1(j)(g^kfa2(j)h^kfb2(j))^υ,

where υ ^def= H(j, α, β, s). Then, the encryptor returns the ciphertext C

= hj, α, β, s, δi.

3. Algorithm D(SK_j^∗, hj, α, β, s, δi).

(a) Compute υ = H(j, α, β, s).

(b) Check if α^{fa1(j)+fa2(j)υ}β^{fb1(j)+fb2(j)υ} = δ.

(c) If so, compute and return m = s/α^fa0(j).

Figure 3.5: KeEncSTM (part 2) – discrete logarithm based key-evolving encryption scheme with z-resilience and semantic security against the adaptive chosen ciphertext attack under the standard model.

Chapter 4

Distributed and Proactive Key-Evolving Encryption

In this chapter, we describe the procedure for a key evolving with TA. Then, we use the proactive mechanism to protect the TAs. Furthermore, we propose a key-evolving encryption in a distributed way. Multiple decryptors decrypts encrypted messages via distributed computing. Finally, we present how the proactive mechanism protects the secret of the decryptors. We assume that involved n parties are connected by a broadcast channel and any two parties are connected by a private channel such that a third party cannot get messages sent over the private channel.