A New Public Key Encryption with Equality Test
Kaibin Huang¹, Raylin Tso¹, Yu-Chi Chen², Wangyu Li¹, and Hung-Min Sun³
¹ Department of Computer Science, National Chengchi University, Taipei, Taiwan. kyle@iis.sinica.edu.tw, raylin@nccu.edu.tw, 9716015@gmail.com
² Institute of Information Science, Academia Sinica. wycchen@ieee.org
³ Department of Computer Science, National Tsing Hua University, Hsinchu, Taiwan. hmsun@cs.nthu.edu.tw
Abstract. We propose a new public key encryption scheme with equality test (PKEET), that is, a public key encryption scheme whose ciphertexts can be compared: the equivalence of ciphertexts under a PKEET scheme can be verified without decryption. In some PKEET algorithms, such as Tang's AoN-PKEET, which is called authorization-based PKEET, the equality test functionality is restricted to authorized users: only users who hold authorities are able to run the equality test. To the best of our knowledge, the authorities of all existing authorization-based PKEET schemes are valid for all ciphertexts encrypted under the same public key. Specifically, we propose a CBA-PKEET scheme, following Tang's AoN-PKEET scheme, which is a PKEET scheme with ciphertext-binded authorities (CBA). Each ciphertext-binded authority is valid for one specific ciphertext, rather than for all ciphertexts encrypted under the same public key. We then compare the features and efficiency of our CBA-PKEET with some existing authorization-based PKEET schemes. Finally, the security of CBA-PKEET is proved in the random oracle model based on some hard problems.
Key words: ciphertext-binded authority, equality test, public key encryption
1 Introduction
In CT-RSA 2010, Yang et al. [12] proposed their public key encryption scheme with equality test (PKEET). PKEET schemes [5][9][10][11][12] provide the functionality that the equivalence of ciphertexts can be verified without decryption. For any two ciphertexts, say $E_{pk_1}(m_1)$ and $E_{pk_2}(m_2)$, encrypted under different public keys, the equality test algorithm only indicates the equivalence result: 1 for identical or 0 for different; no other information about the plaintexts $m_1$ and $m_2$ is leaked. Through this technique, some privacy preserving services can be achieved. For example, a financial service provider only learns whether a bill is correct or not, but does not learn the amount or the details of the transaction. Following Yang et al.'s work, Tang proposed his all-or-nothing PKEET scheme (AoN-PKEET [11]) in 2012. The authority concept is adopted in Tang's work: only authorized proxies or users are able to perform the equality test. However, the authority is permanently valid; that is, once someone obtains Alice's authority, all ciphertexts encrypted under Alice's public key become comparable.
Motivation: consider a situation in which Alice wants to authorize only a specific ciphertext to Bob, not all of her ciphertexts. Is this possible? For example, dentists should only be permitted to learn about those medical records that concern teeth, not hearts, nor bones. To the best of our knowledge, there is no existing PKEET algorithm which provides a ciphertext-binded authority (CBA) for equality test purposes, where the authority is valid only for one ciphertext, not for all ciphertexts encrypted under the same public key.
Our contribution: first, we construct a PKEET scheme with ciphertext-binded authorities (CBA-PKEET). Then, the features and efficiency of Tang's schemes and our CBA-PKEET scheme are compared and shown in tables. Finally, following Tang's definitions, there are type-I adversaries, who can acquire all authorities, and type-II adversaries, who cannot acquire any authority. Under Tang's classification, we prove that our CBA-PKEET scheme is one-way secure against type-I adversaries and IND-CCA2 secure against type-II adversaries based on the decisional Diffie-Hellman problem.
Paper organization: after the abstract and introduction, we first discuss some preliminaries in the next section. Tang's AoN-PKEET scheme is introduced in section 3. Next, following Tang's AoN-PKEET scheme, we define the model and introduce our CBA-PKEET scheme in section 4. The comparison between the CBA-PKEET scheme and previous PKEET schemes is also shown in the form of tables. The security proof is omitted due to the page limit and will be given in the full version of the paper. Finally, we provide a brief conclusion in the last section.
2 Preliminaries and related works
In this section, some preliminaries are discussed before the PKEET issues. We first define some symbols and operations which will be used frequently in the later computations.
2.1 Operation definition
1. Let $||$ be the concatenation symbol; $\oplus$ stands for the XOR operation; $\bot$ represents null; $\cong$ is "approximately equal"; $\Rightarrow$ means "imply"; $e \in_R G$ denotes that $e$ is an element randomly selected from the group $G$.
2. We define two substring operations for any given string $s$:
– $LSB_L[s]$ returns the least significant $L$-bit segment.
– $MSB_L[s]$ returns the most significant $L$-bit segment.
3. $\Pr[H] = 2^{-range(H)}$. Let $H$ be a one-way cryptographic hash function. $\Pr[H]$ stands for the probability that, given any input $h$, one finds the corresponding hash value $h' = H(h)$ without querying the hash oracle in the random oracle model.
4. For any exponential operation in the multiplicative group, e.g. $g^x \pmod p$, we omit the modulus from the expression for clarity. That is, $g^x \pmod p$ will be abbreviated as $g^x$ in the following paragraphs and sections.
Second, for the security proof, the related hard problems in cryptography are introduced here.
2.2 CDH and DDH problems
CDH denotes the computational Diffie-Hellman problem. Given a security parameter $k$, a multiplicative cyclic group $G$ of prime order $q = q(k) = order(G)$, a prime modulus $p$, a generator $g \in G$ and two elements $g^\alpha, g^\beta \in G$ ($\alpha, \beta \in_R \mathbb{Z}_q^*$), the CDH problem is to find the element $g^{\alpha\beta} \in G$. Generally, CDH is a hard problem in cryptography; the probability of breaking the CDH problem is described as:
$$\Pr[g^{\alpha\beta} \leftarrow Adv(k, G, q, p, g, g^\alpha, g^\beta)] \le negl(k)$$
Besides the parameters of the CDH problem, adversaries of the DDH problem are given one more parameter $g^\gamma$. The DDH problem can be described as: given $(k, G, q, p, g, g^\alpha, g^\beta, g^\gamma)$, decide whether $g^\gamma = g^{\alpha\beta}$ or not. For clarity, we define a boolean value $b \in \{0, 1\}$: $b = 1 \iff g^\gamma = g^{\alpha\beta}$; $b = 0$ otherwise. Although the DDH problem is trivially weaker than the CDH problem, it is also considered hard in cryptography; the probability of breaking the DDH problem is described as:
$$\Pr\left[b \in_R \{0,1\};\ e \in_R G;\ g^\gamma \leftarrow \begin{cases} g^{\alpha\beta} & \text{if } b = 1 \\ e & \text{if } b = 0 \end{cases};\ b' \leftarrow Adv(k, G, q, p, g, g^\alpha, g^\beta, g^\gamma) : b' = b\right] \le \frac{1}{2} + negl(k)$$
2.3 Properties of PKEET schemes
Yang et al. formalized the following: a PKEET scheme $\Pi = \{G, E, D, C\}$ has ciphertext comparability with negligible error if there exists an efficiently computable deterministic function $C(\cdot, \cdot)$ such that for every security parameter $k \in \mathbb{N}$ we have:
Definition 1 (Perfect consistency): $\forall m \in MsgSp(1^k)$,
$$\Pr[(sk_1, pk_1) \leftarrow G(1^k);\ (sk_2, pk_2) \leftarrow G(1^k);\ c_1 \leftarrow E_{pk_1}(m);\ c_2 \leftarrow E_{pk_2}(m) : C(c_1, c_2) = 1] = 1$$
Definition 2 (Soundness): $\forall m_1, m_2 \in MsgSp(1^k)$, for every polynomial-time adversary $Adv$,
$$\Pr[(c_1, c_2, sk_1, sk_2) \leftarrow Adv;\ m_1 \leftarrow D_{sk_1}(c_1);\ m_2 \leftarrow D_{sk_2}(c_2) : m_1, m_2 \ne \bot \wedge m_1 \ne m_2 \wedge C(c_1, c_2) = 1] \in negl(k)$$
3 Tang's AoN-PKEET
Following Yang et al.'s PKEET scheme, Tang proposed his all-or-nothing public key encryption scheme with equality test, AoN-PKEET. The key point of Tang's AoN-PKEET is that
$$c = (E_{pk}(m), E_{pk'}(H(m)))$$
The former component is used for decryption and the latter for equality testing.
Parameters: let $G$ be a multiplicative group of prime order $q$; $g$ is a generator of $G$; $k$ is a security parameter; $H_1$, $H_2$ and $H_3$ are three cryptographic hash functions: $H_1: \{0,1\}^* \to \{0,1\}^{M+l}$, $H_2: \{0,1\}^* \to \mathbb{Z}_q$ and $H_3: \{0,1\}^* \to \{0,1\}^k$. Here $M$ denotes the bit length of messages in $G$, and $l$ is the bit length of $q$.
– $G(1^k)$: select $x, y \in_R \mathbb{Z}_q$ as the private keys, and compute $g^x$ and $g^y$ as the public keys.
– $E_{pk}(m)$: let $c$ be the encrypted message, $c = (c^{(1)}, c^{(2)}, c^{(3)}, c^{(4)}, c^{(5)})$, composed of 5 parts:
$$u, v \in_R \mathbb{Z}_q,\quad c^{(1)} = g^u,\quad c^{(2)} = g^v,\quad c^{(3)} = H_1(g^{ux}) \oplus (m||u),\quad c^{(4)} = g^{H_2(g^{vy}) + m},\quad c^{(5)} = H_3(c^{(1)}||c^{(2)}||c^{(3)}||c^{(4)}||m||u)$$
– $D_{sk}(c)$: first calculate $m'||u' \leftarrow c^{(3)} \oplus H_1((c^{(1)})^x)$ and then check both $c^{(1)} \stackrel{?}{=} g^{u'}$ and $c^{(5)} \stackrel{?}{=} H_3(c^{(1)}||c^{(2)}||c^{(3)}||c^{(4)}||m'||u')$. Return the plaintext $m = m'$ in case both equations hold.
If a trusted type-I user requests to perform the equality test on $c$, the authority is generated as:
– $A_{sk} = y$.
Otherwise, $A_{sk} = \bot$.
Let $U_1$ and $U_2$ be two users; $E_{pk_1}(m_1)$ and $E_{pk_2}(m_2)$ stand for two ciphertexts encrypted under $pk_1$ and $pk_2$ respectively. Anyone who owns $y_1$ and $y_2$ can run the comparison algorithm $C$ to test the equivalence of $c_1$ and $c_2$.
– $C(c_1, c_2, y_1, y_2)$: the algorithm returns 1 or 0 by checking
$$c_1^{(4)} \cdot g^{-H_2((c_1^{(2)})^{y_1})} \stackrel{?}{=} c_2^{(4)} \cdot g^{-H_2((c_2^{(2)})^{y_2})}$$
If the equation holds, it returns 1 (identical); otherwise, it returns 0 (distinct).
Since $c^{(1)} = g^u$ and $(c^{(1)})^x = g^{ux}$, the decryption is straightforward, so we do not go through it step by step. In the comparison phase $C(c_1, c_2, y_1, y_2)$, since $c_1^{(2)} = g^{v_1}$ and $(c_1^{(2)})^{y_1} = g^{v_1 y_1}$,
$$c_1^{(4)} \cdot g^{-H_2((c_1^{(2)})^{y_1})} = g^{H_2(g^{v_1 y_1}) + m_1} \cdot g^{-H_2(g^{v_1 y_1})} = g^{m_1}$$
Similarly, the right-hand side reduces to $g^{m_2}$. By the definition of the multiplicative group $G$, the comparison returns 1 if and only if $m_1 = m_2$, so perfect consistency holds. On the other hand, by definition $m_1 \ne m_2$ if and only if $C(c_1, c_2) = 0$, since obviously $m_1 \ne m_2 \iff g^{m_1} \ne g^{m_2}$. Perfect soundness holds.
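A toy Python instantiation of the five algorithms above, added here as an illustration and not Tang's or the authors' code. It assumes a toy safe-prime group ($p = 2039$, $q = 1019$, $g = 4$, far below any real security level), SHA-256 stand-ins for $H_1$, $H_2$, $H_3$, and messages in $\mathbb{Z}_q$; it shows how the single authority $y$ makes every ciphertext under the same key comparable, the all-or-nothing property that the next section replaces.

```python
import hashlib
import secrets

# Toy parameters (an assumption, not a secure size): p = 2q + 1 is a safe prime and
# g = 4 generates the order-q subgroup of Z_p^*. B is the byte width of Z_q / G values.
P, Q, G = 2039, 1019, 4
B = 2

def H(tag, *parts):
    """One SHA-256 oracle per tag stands in for H1, H2 and H3 (random oracle model)."""
    h = hashlib.sha256(tag)
    for part in parts:
        h.update(part.to_bytes(B, 'big') if isinstance(part, int) else part)
    return h.digest()

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def keygen():
    """G(1^k): private keys (x, y), public keys (g^x, g^y)."""
    x, y = secrets.randbelow(Q - 1) + 1, secrets.randbelow(Q - 1) + 1
    return (x, y), (pow(G, x, P), pow(G, y, P))

def encrypt(pk, m):
    """E_pk(m) for m in Z_q: c = (g^u, g^v, H1(g^ux) xor (m||u), g^(H2(g^vy)+m), H3(...))."""
    gx, gy = pk
    u, v = secrets.randbelow(Q - 1) + 1, secrets.randbelow(Q - 1) + 1
    c1, c2 = pow(G, u, P), pow(G, v, P)
    c3 = xor(H(b'H1', pow(gx, u, P))[:2 * B], m.to_bytes(B, 'big') + u.to_bytes(B, 'big'))
    h2 = int.from_bytes(H(b'H2', pow(gy, v, P)), 'big') % Q   # H2(g^vy) as an element of Z_q
    c4 = pow(G, (h2 + m) % Q, P)
    return c1, c2, c3, c4, H(b'H3', c1, c2, c3, c4, m, u)

def decrypt(sk, c):
    """D_sk(c): recover m'||u', verify c1 = g^u' and c5, return m' or None (bottom)."""
    x, _ = sk
    c1, c2, c3, c4, c5 = c
    mu = xor(c3, H(b'H1', pow(c1, x, P))[:2 * B])
    m, u = int.from_bytes(mu[:B], 'big'), int.from_bytes(mu[B:], 'big')
    if c1 != pow(G, u, P) or c5 != H(b'H3', c1, c2, c3, c4, m, u):
        return None
    return m

def authority(sk):
    """A_sk = y: one value that makes every ciphertext under this key comparable."""
    return sk[1]

def compare(ca, cb, ya, yb):
    """C(c1, c2, y1, y2): strip H2((c2)^y) from c4 on each side, leaving g^m, and compare."""
    def strip(c, y):
        h2 = int.from_bytes(H(b'H2', pow(c[1], y, P)), 'big') % Q
        return c[3] * pow(G, (-h2) % Q, P) % P
    return 1 if strip(ca, ya) == strip(cb, yb) else 0
```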
4 CBA-PKEET
We propose the model of CBA-PKEET before introducing the scheme.
Definition 3 (Model of CBA-PKEET schemes)
– Key generation, $(sk, pk) \leftarrow G(1^k)$: a polynomial-time key generation algorithm which takes a security parameter $k$ as input and generates a secret and public key pair $(sk, pk)$ of the PKEET scheme.
– Encryption, $c \leftarrow E_{pk}(m)$: a probabilistic encryption algorithm which encrypts a message $m$ under the public key $pk$ and returns the ciphertext $c = E_{pk}(m)$ in polynomial time.
– Decryption, $m \leftarrow D_{sk}(c)$: a deterministic decryption algorithm which returns the plaintext $m = D_{sk}(c)$ in polynomial time.
– Authentication, $A_{sk}(c)$: if an authorized user requests the authority which makes the ciphertext $c$ comparable, the authentication algorithm takes the private key $sk$ into the computation and outputs the ciphertext-binded authority $A_{sk}(c)$. Otherwise, it returns $\bot$.
– Comparison, $1/0 \leftarrow C(c_1, c_2, A_{sk_1}(c_1), A_{sk_2}(c_2))$: let $c_1 = E_{pk_1}(m_1)$ and $c_2 = E_{pk_2}(m_2)$ denote two different ciphertexts encrypted under two different public keys. Anyone who owns the authorities $A_{sk_1}(c_1)$ and $A_{sk_2}(c_2)$ can perform the comparison algorithm $C$, which returns the equivalence of $m_1$ and $m_2$ without decryption in polynomial time: 1 stands for identical; 0 means distinct.
Remark 1. The comparison of CBA-PKEET differs from the comparison of Tang's AoN-PKEET. If another ciphertext $c_1' = E_{pk_1}(m')$ is substituted for $c_1$ while the authority $A_{sk_1}(c_1)$ is kept (even though $c_1$ and $c_1'$ are encrypted under the same public key $pk_1$), the comparison algorithm $C(c_1', c_2, A_{sk_1}(c_1), A_{sk_2}(c_2))$ does not work in CBA-PKEET.
4.1 Our scheme
Based on Tang's work, we take advantage of the Fujisaki-Okamoto transformation [7] to construct our CBA-PKEET scheme. Before introducing it, we present the idea of our scheme for ease of understanding:
$$c = E_{pk}(m) = c_m || c_{H(m)}$$
The first part of the ciphertext, $c_m$, is the encrypted message, and the second part, $c_{H(m)}$, is the encrypted hash value of $m$ used for the equality test.
There are public parameters $(G, g, p, q, l, k)$ and three collision-resistant one-way hash functions $H_1$, $H_2$ and $H_3$, defined as follows:
– $G$ is a multiplicative cyclic group with prime order $q$ and modulus $p$. The bit length of $q$ is $l$, $l \cong k$.
– Each element in $G$ is $k$ bits long. $g$ is a generator of $G$.
– The message space is set to $G$. $k$ stands for the security parameter.
– $H_1: \{0,1\}^{2k+l} \to \mathbb{Z}_q^*$; $H_2: G \to \{0,1\}^{2k+l}$; $H_3: \{0,1\}^* \to \{0,1\}^k$.
– $G(1^k)$: select $x \in_R \mathbb{Z}_q^*$, keep it as the secret key and publish the public key $y = g^x$.
– $E_{pk}(m)$: to encrypt a message $m$ into the ciphertext $c$, first randomly pick $r \in_R \mathbb{Z}_q^*$, and then compute $c = (c^{(1)}, c^{(2)})$ as follows:
$$u = H_1(m||r||H_3(m)),\quad c^{(1)} = g^u,\quad c^{(2)} = H_2(y^u) \oplus (m||r||H_3(m))$$
– $D_{sk}(c)$: on receiving the ciphertext $c$, the owner of the secret key $x$ decrypts it by the following algorithm:
1. Compute $(m'||r'||R) \leftarrow c^{(2)} \oplus H_2((c^{(1)})^x)$ and $u' = H_1(m'||r'||R)$.
2. Check whether $c^{(1)} \stackrel{?}{=} g^{u'}$ and $R \stackrel{?}{=} H_3(m')$. If both equations hold, then $m' = m$ and the decryption algorithm returns the plaintext $m$; otherwise, it returns $\bot$ and terminates.
– $A_{sk}(c)$: when a trusted party sends an authentication request with respect to the ciphertext $c$ to the owner of the secret key $sk$, he or she follows steps 1 and 2 of the decryption phase. If $c^{(1)} = g^{u'}$ and $R = H_3(m')$, then he or she returns the ciphertext-binded authority
$$A_{sk}(c) = LSB_k[H_2((c^{(1)})^x)]$$
Otherwise, $\bot$ is returned.
– $C(c_1, c_2, A_{sk_1}(c_1), A_{sk_2}(c_2))$: let $c_1$ and $c_2$ be two ciphertexts encrypted under the different public keys $pk_1$ and $pk_2$ respectively. Anyone can perform the comparison algorithm after obtaining the two authorities $A_{sk_1}(c_1)$ and $A_{sk_2}(c_2)$. The comparison algorithm checks the following equation:
$$LSB_k[c_1^{(2)}] \oplus A_{sk_1}(c_1) \stackrel{?}{=} LSB_k[c_2^{(2)}] \oplus A_{sk_2}(c_2)$$
If this equation holds, then the two plaintexts $m_1$ and $m_2$ corresponding to the ciphertexts $c_1$ and $c_2$ are identical; otherwise, they are distinct. The derivation of the comparison is given below. Let $u_1 = H_1(m_1||r_1||H_3(m_1))$; then
$$\begin{aligned} LSB_k[c_1^{(2)}] \oplus A_{sk_1}(c_1) &= LSB_k[H_2(y_1^{u_1}) \oplus (m_1||r_1||H_3(m_1))] \oplus A_{sk_1}(c_1) \\ &= LSB_k[H_2(g^{u_1 x_1}) \oplus (m_1||r_1||H_3(m_1))] \oplus LSB_k[H_2(g^{u_1 x_1})] \\ &= LSB_k[H_2(g^{u_1 x_1})] \oplus LSB_k[m_1||r_1||H_3(m_1)] \oplus LSB_k[H_2(g^{u_1 x_1})] \\ &= LSB_k[m_1||r_1||H_3(m_1)] = H_3(m_1) \end{aligned}$$
Similarly, $LSB_k[c_2^{(2)}] \oplus A_{sk_2}(c_2) = H_3(m_2)$. The comparison becomes:
$$LSB_k[c_1^{(2)}] \oplus A_{sk_1}(c_1) = H_3(m_1) \stackrel{?}{=} H_3(m_2) = LSB_k[c_2^{(2)}] \oplus A_{sk_2}(c_2)$$
Perfect consistency obviously holds. On the other hand, if $m_1 \ne m_2$, by definition the probability that $C(c_1, c_2, A_{sk_1}(c_1), A_{sk_2}(c_2)) = 1$ can be estimated by
$$\Pr[(sk_1, pk_1) \leftarrow G(1^k);\ (sk_2, pk_2) \leftarrow G(1^k);\ m_1 \ne m_2;\ c_1 \leftarrow E_{pk_1}(m_1);\ c_2 \leftarrow E_{pk_2}(m_2);\ w_1 \leftarrow A_{sk_1}(c_1);\ w_2 \leftarrow A_{sk_2}(c_2) : C(c_1, c_2, w_1, w_2) = 1] = \Pr[H_3]$$
Because $\Pr[H_3] \in negl(k)$, soundness holds for the security parameter $k$.
Table 1. Efficiency comparison
Scheme          G      E      D          A      C          Equality test (2A + C)
PKEET [12]      1 exp  3 exp  3 exp      N/A    2 pairing  2 pairing
PCE [5]         1 exp  4 exp  2 pairing  N/A    4 pairing  4 pairing
AoN-PKEET [11]  2 exp  5 exp  2 exp      0      4 exp      4 exp
FG-PKEET [10]   2 exp  4 exp  2 exp      3 exp  4 pairing  4 pairing
CBA-PKEET       1 exp  2 exp  2 exp      1 exp  2 xor      2 exp
Efficiency comparison: let xor, exp and pairing be the time costs of an XOR, an exponentiation and a pairing computation respectively, with
$$xor \ll exp < pairing \cong 8\,exp$$
We take Yang et al.'s [12], Tang's [10] and [11] and Canard et al.'s [5] schemes into the comparison, and show the efficiency comparison on the $\{G, E, D, A, C\}$ model in Table 1. The whole process of a private equality test needs two authorizations and one comparison (see footnote 4). Obviously, the CBA-PKEET scheme works much more efficiently than those previous works.
Remark 2 (Security proof). Due to the page limit, the security proof is omitted; it will be shown in the full version of this paper.
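A toy Python instantiation of the CBA-PKEET algorithms of section 4.1, added here as an illustration and not the authors' code. It assumes a toy safe-prime group ($p = 2039$, $q = 1019$, $g = 4$, far below any real security level), SHA-256 stand-ins for $H_1$, $H_2$, $H_3$ with a 16-byte $H_3$ tag, and small integer messages; the comparison reveals only $H_3(m)$, and, as in Remark 1, an authority issued for one ciphertext does not open a fresh encryption of the same message under the same key.

```python
import hashlib
import secrets

# Toy parameters (an assumption, not a secure size): p = 2q + 1 is a safe prime and
# g = 4 generates the order-q subgroup. MB bytes hold m and r; the H3 tag is K bytes.
P, Q, G = 2039, 1019, 4
MB, K = 2, 16

def H1(payload):
    """H1: {0,1}^(2k+l) -> Z_q^*, derives the exponent u from m||r||H3(m) (FO style)."""
    return int.from_bytes(hashlib.sha256(b'H1' + payload).digest(), 'big') % (Q - 1) + 1

def H2(elem):
    """H2: G -> {0,1}^(2k+l), the pad that masks m||r||H3(m)."""
    return hashlib.sha256(b'H2' + elem.to_bytes(2, 'big')).digest()[:2 * MB + K]

def H3(m):
    """H3: {0,1}^* -> {0,1}^k, the tag that the equality test ends up comparing."""
    return hashlib.sha256(b'H3' + m.to_bytes(MB, 'big')).digest()[:K]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def keygen():
    """G(1^k): sk = x, pk = y = g^x."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def encrypt(y, m):
    """E_pk(m): u = H1(m||r||H3(m)); c = (g^u, H2(y^u) xor (m||r||H3(m)))."""
    r = secrets.randbelow(Q - 1) + 1
    payload = m.to_bytes(MB, 'big') + r.to_bytes(MB, 'big') + H3(m)
    u = H1(payload)
    return pow(G, u, P), xor(H2(pow(y, u, P)), payload)

def _open(x, c):
    """Steps 1-2 of D_sk(c), shared with A_sk(c): returns m' or None (bottom)."""
    c1, c2 = c
    payload = xor(c2, H2(pow(c1, x, P)))                 # m'||r'||R
    m, R = int.from_bytes(payload[:MB], 'big'), payload[2 * MB:]
    if c1 != pow(G, H1(payload), P) or R != H3(m):       # c1 =? g^u'  and  R =? H3(m')
        return None
    return m

def decrypt(x, c):
    return _open(x, c)

def authority(x, c):
    """A_sk(c) = LSB_k[H2((c1)^x)]: valid only for this ciphertext, since the pad depends on u."""
    return None if _open(x, c) is None else H2(pow(c[0], x, P))[-K:]

def compare(ca, cb, aa, ab):
    """C: LSB_k[c1^(2)] xor A1 =? LSB_k[c2^(2)] xor A2, i.e. H3(m1) =? H3(m2)."""
    return 1 if xor(ca[1][-K:], aa) == xor(cb[1][-K:], ab) else 0
```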
⁴ Since the authorities in Tang's works [10][11] are valid for all ciphertexts encrypted under the same public key, the equality test algorithm only costs the comparison time C, not 2A + C.
5 Conclusion
We observe that PKEET with ciphertext-binded authorities is especially useful in the field of finance. But so far, no CBA-PKEET scheme exists. Following Tang's AoN-PKEET scheme, we propose the first CBA-PKEET scheme. It works much more efficiently than previous authorization-based PKEET schemes do. We then prove our CBA-PKEET scheme secure in the random oracle model based on Diffie-Hellman hard problems. Due to the page limit, the proof is omitted here and will appear in the full version of this paper.
Acknowledgment
Raylin Tso would like to thank the National Science Council, Taiwan, R.O.C. for supporting this research under Grant No. NSC 101-2628-E-004-001-MY2. Hung-Min Sun would like to thank the National Science Council, Taiwan, R.O.C. for supporting this research under Grant No. NSC 100-2628-E-007-018-MY3.
References
1. Shweta Agrawal, Dan Boneh, and Xavier Boyen. Efficient lattice (H)IBE in the standard model. In EUROCRYPT, pages 553–572, 2010.
2. Mihir Bellare, Anand Desai, David Pointcheval, and Phillip Rogaway. Relations among notions of security for public-key encryption schemes. In CRYPTO, pages 26–45, 1998.
3. Mihir Bellare and Phillip Rogaway. Random oracles are practical: A paradigm for designing efficient protocols. In ACM Conference on Computer and Communications Security, pages 62–73, 1993.
4. Mihir Bellare and Phillip Rogaway. Optimal asymmetric encryption. In EUROCRYPT, pages 92–111, 1994.
5. Sébastien Canard, Georg Fuchsbauer, Aline Gouget, and Fabien Laguillaumie. Plaintext-checkable encryption. In CT-RSA, pages 332–348, 2012.
6. Ran Canetti, Shai Halevi, and Jonathan Katz. A forward-secure public-key encryption scheme. J. Cryptology, 20(3):265–294, 2007.
7. Eiichiro Fujisaki and Tatsuaki Okamoto. How to enhance the security of public-key encryption at minimum cost. In Public Key Cryptography, pages 53–68, 1999.
8. Shafi Goldwasser and Silvio Micali. Probabilistic encryption. J. Comput. Syst. Sci., 28(2):270–299, 1984.
9. Helger Lipmaa. Verifiable homomorphic oblivious transfer and private equality test. In ASIACRYPT, pages 416–433, 2003.
10. Qiang Tang. Public key encryption schemes supporting equality test with authorisation of different granularity. IJACT, 2(4):304–321, 2012.
11. Qiang Tang. Public key encryption supporting plaintext equality test and user-specified authorization. Security and Communication Networks, 5(12):1351–1362, 2012.
12. Guomin Yang, Chik How Tan, Qiong Huang, and Duncan S. Wong. Probabilistic public key encryption with equality test. In CT-RSA, pages 119–131, 2010.