A New Public Key Encryption with Equality Test

N/A
N/A
Protected

Academic year: 2021



Kaibin Huang¹, Raylin Tso¹, Yu-Chi Chen², Wangyu Li¹, and Hung-Min Sun³

¹ Department of Computer Science, National Chengchi University, Taipei, Taiwan
kyle@iis.sinica.edu.tw, raylin@nccu.edu.tw, 9716015@gmail.com

² Institute of Information Science, Academia Sinica
wycchen@ieee.org

³ Department of Computer Science, National Tsing Hua University, Hsinchu, Taiwan
hmsun@cs.nthu.edu.tw

Abstract. We propose a new public key encryption scheme with equality test (PKEET), that is, a public key encryption scheme with comparable ciphertexts. The equivalence of ciphertexts under a PKEET scheme can be verified without decryption. In some PKEET algorithms such as Tang's AoN-PKEET, called authorization-based PKEET, the equality test functionality is restricted to authorized users: only users who hold authorities are able to perform the equality test. To the best of our knowledge, the authorities of all existing authorization-based PKEET schemes are valid for all ciphertexts encrypted under the same public key. Specifically, we propose a CBA-PKEET scheme following Tang's AoN-PKEET scheme, that is, a PKEET scheme with ciphertext-binded authorities (CBA). Each ciphertext-binded authority is valid for a specific ciphertext, rather than for all ciphertexts encrypted under the same public key. We then compare the features and efficiency of our CBA-PKEET with some existing authorization-based PKEET schemes. Finally, the security of CBA-PKEET is proved in the random oracle model based on some hard problems.

Key words: ciphertext-binded authority, equality test, public key encryption

1 Introduction

In CT-RSA 2010, Yang et al. [12] proposed their public key encryption scheme with equality test (PKEET). PKEET schemes [5][9][10][11][12] provide the functionality that the equivalence of ciphertexts can be verified without decryption. For any two ciphertexts, say $\mathcal{E}_{pk_1}(m_1)$ and $\mathcal{E}_{pk_2}(m_2)$, encrypted under different public keys, the equality testing algorithm only indicates the equivalence result, 1 for identical or 0 for different; no other information about the plaintexts $m_1$ and $m_2$ is leaked. Through this technique, some privacy-preserving services can be achieved. For example, a financial service provider only learns whether a bill is correct or not, but does not learn the amount or the details of the transaction. Following Yang et al.'s work, Tang proposed his all-or-nothing PKEET scheme (AoN-PKEET [11]) in 2012. The authority concept is adopted in Tang's work: only authorized proxies or users are able to perform equality test functions. However, the authority is permanently valid; that is, once someone gets Alice's authority, all ciphertexts encrypted under Alice's public key become comparable.

Motivation: consider a situation in which Alice wants to authorize only a specific ciphertext to Bob, not all of Alice's ciphertexts; is that possible? For example, dentists should only be permitted to learn the medical records about teeth, not about the heart, nor about bonds. To the best of our knowledge, there is no existing PKEET algorithm which provides a ciphertext-binded authority (CBA) for equality testing, where the authority is valid only for one ciphertext, not for all ciphertexts encrypted under the same public key.

Our contribution: first, we construct a PKEET scheme with ciphertext-binded authorities (CBA-PKEET). Then, the features and efficiency of Tang's works and our CBA-PKEET scheme are compared and shown in tables. Finally, following Tang's definition, there are type-I adversaries who can acquire all authorities and type-II adversaries who cannot acquire any authority. By Tang's classification, we prove that our CBA-PKEET scheme is one-way secure against type-I adversaries and IND-CCA2 secure against type-II adversaries based on the decisional Diffie-Hellman problem.

Paper organization: after the abstract and introduction, we first discuss some preliminaries in the next section. Tang's AoN-PKEET scheme is introduced in Section 3. Next, we follow Tang's AoN-PKEET scheme, define the model and introduce our CBA-PKEET scheme in Section 4. The comparison between the CBA-PKEET scheme and previous PKEET schemes is also shown in the form of tables. The security proof is omitted due to the page limit and will be shown in the full version of the paper. Finally, we provide a brief conclusion in the last section.

2 Preliminaries and related works

In this section, some preliminaries are discussed before the PKEET issues. We first define some symbols and operations which will be used frequently in the later computations.

2.1 Operation definition

1. Let $\|$ be the concatenation symbol; $\oplus$ stands for the XOR operation; $\bot$ represents null; $\cong$ is "approximately equal"; $\Rightarrow$ means "imply"; $e \in_R G$ denotes that $e$ is an element randomly selected from the group $G$.

2. We define two substring operations, for any given string $s$:
– $\mathrm{LSB}_L[s]$ returns the least significant $L$-bit segment.
– $\mathrm{MSB}_L[s]$ returns the most significant $L$-bit segment.

3. $\Pr[H] = 2^{-\mathrm{range}(H)}$. Let $H$ be a one-way cryptographic hash function. $\Pr[H]$ stands for the probability that, given any input $h$, one finds the corresponding hash value $h' = H(h)$ without querying the hash oracle in the random oracle model.

4. For any exponentiation in the multiplicative group, e.g. $g^x \pmod p$, the modular reduction is omitted from expressions for clarity. That is, $g^x \pmod p$ will be abbreviated as $g^x$ in the following paragraphs and sections.

Second, for the security proof, the related hard problems in cryptography are introduced here.

2.2 CDH and DDH problems

CDH denotes the computational Diffie-Hellman problem. Given a security parameter $k$, a multiplicative cyclic group $G$, a prime order $q = q(k) = \mathrm{order}(G)$, a prime modulus $p$, a generator $g \in G$ and two elements $g^\alpha, g^\beta \in G$ ($\alpha, \beta \in_R \mathbb{Z}_q^*$), the CDH problem is to find the element $g^{\alpha\beta} \in G$. Generally, CDH is a hard problem in cryptography; the probability of breaking the CDH problem is described as:

$$\Pr\left[g^{\alpha\beta} \leftarrow \mathrm{Adv}(k, G, q, p, g, g^\alpha, g^\beta)\right] \le \mathrm{negl}(k)$$

Besides the parameters of the CDH problem, adversaries of the DDH problem are given one more parameter $g^\gamma$. The DDH problem can be described as: given $(k, G, q, p, g, g^\alpha, g^\beta, g^\gamma)$, decide whether $g^\gamma = g^{\alpha\beta}$ or not. For clarity, we define a boolean value $b \in \{0, 1\}$: $b = 1 \iff g^\gamma = g^{\alpha\beta}$; $b = 0$ otherwise. Although the DDH problem is trivially weaker than the CDH problem, it is also considered hard in cryptography; the probability of breaking the DDH problem is described as:

$$\Pr\left[b \in_R \{0, 1\};\ e \in_R G;\ g^\gamma \leftarrow_b \{e, g^{\alpha\beta}\};\ b' \leftarrow \mathrm{Adv}(k, G, q, p, g, g^\alpha, g^\beta, g^\gamma) : b' = b\right] \le \frac{1}{2} + \mathrm{negl}(k)$$

where $g^\gamma \leftarrow_b \{e, g^{\alpha\beta}\}$ means that $g^\gamma$ is set to $g^{\alpha\beta}$ if $b = 1$ and to the random element $e$ if $b = 0$.

2.3 Properties of PKEET schemes

As formalized by Yang et al., a PKEET scheme $\Pi = \{\mathcal{G}, \mathcal{E}, \mathcal{D}, \mathcal{C}\}$ has ciphertext comparability with error $\epsilon$ for some function $\epsilon(\cdot)$ if there exists an efficiently computable deterministic function $\mathcal{C}(\cdot, \cdot)$ such that for every security parameter $k \in \mathbb{N}$, we have:

Definition 1 (Perfect consistency). $\forall m \in \mathrm{MsgSp}(1^k)$,

$$\Pr\left[(sk_1, pk_1) \leftarrow \mathcal{G}(1^k);\ (sk_2, pk_2) \leftarrow \mathcal{G}(1^k);\ c_1 \leftarrow \mathcal{E}_{pk_1}(m);\ c_2 \leftarrow \mathcal{E}_{pk_2}(m) : \mathcal{C}(c_1, c_2) = 1\right] = 1$$

Definition 2 (Soundness). $\forall m_1, m_2 \in \mathrm{MsgSp}(1^k)$, for every polynomial-time adversary $\mathrm{Adv}$,

$$\Pr\left[(c_1, c_2, sk_1, sk_2) \leftarrow \mathrm{Adv};\ m_1 \leftarrow \mathcal{D}_{sk_1}(c_1);\ m_2 \leftarrow \mathcal{D}_{sk_2}(c_2) : m_1, m_2 \ne \bot \wedge m_1 \ne m_2 \wedge \mathcal{C}(c_1, c_2) = 1\right] = \epsilon(k) \in \mathrm{negl}(k)$$

3 Tang's AoN-PKEET

Following Yang et al.'s PKEET scheme, Tang proposes his all-or-nothing public key encryption scheme with equality test, AoN-PKEET. The key point of Tang's AoN-PKEET is that:

$$c = (\mathcal{E}_{pk}(m), \mathcal{E}_{pk'}(H(m)))$$

The former component is used for decryption and the latter one is used for equality testing.

Parameters: let $G$ be a multiplicative group of prime order $q$; $g$ stands for a generator of $G$; $k$ is a security parameter; $H_1$, $H_2$ and $H_3$ are three cryptographic hash functions: $H_1: \{0, 1\}^* \to \{0, 1\}^{M+l}$, $H_2: \{0, 1\}^* \to \mathbb{Z}_q$ and $H_3: \{0, 1\}^* \to \{0, 1\}^k$. Here $M$ denotes the bit length of messages in $G$, and $l$ is the bit length of $q$.

– $\mathcal{G}(1^k)$: select $x, y \in_R \mathbb{Z}_q$ as the private keys, and compute $g^x$ and $g^y$ as the public keys.

– $\mathcal{E}_{pk}(m)$: let $c$ be the encrypted message, $c = (c^{(1)}, c^{(2)}, c^{(3)}, c^{(4)}, c^{(5)})$, composed of 5 parts:

$$u, v \in_R \mathbb{Z}_q,\quad c^{(1)} = g^u,\quad c^{(2)} = g^v,\quad c^{(3)} = H_1(g^{ux}) \oplus (m \| u),\quad c^{(4)} = g^{H_2(g^{vy}) + m},\quad c^{(5)} = H_3(c^{(1)} \| c^{(2)} \| c^{(3)} \| c^{(4)} \| m \| u)$$

– $\mathcal{D}_{sk}(c)$: first calculate $m' \| u' \leftarrow c^{(3)} \oplus H_1((c^{(1)})^x)$ and then check both $c^{(1)} \stackrel{?}{=} g^{u'}$ and $c^{(5)} \stackrel{?}{=} H_3(c^{(1)} \| c^{(2)} \| c^{(3)} \| c^{(4)} \| m' \| u')$. Return the plaintext $m'$ in case both equations hold.

If some trusted type-I users request to perform the equality test computation on $c$, the authority is generated as:

– $\mathcal{A}_{sk} = y$.

Otherwise, $\mathcal{A}_{sk} = \bot$.

Let $U_1$ and $U_2$ be two users; $\mathcal{E}_{pk_1}(m_1)$ and $\mathcal{E}_{pk_2}(m_2)$ stand for two ciphertexts encrypted under $pk_1$ and $pk_2$ respectively. Anyone who owns $y_1$ and $y_2$ can run the comparison algorithm $\mathcal{C}$ to test the equivalence between $c_1$ and $c_2$.

– $\mathcal{C}(c_1, c_2, y_1, y_2)$: the algorithm returns 1 or 0 by computing

$$c_1^{(4)} \cdot g^{-H_2((c_1^{(2)})^{y_1})} \stackrel{?}{=} c_2^{(4)} \cdot g^{-H_2((c_2^{(2)})^{y_2})}$$

If the equation holds, it returns 1 (identical); otherwise, it returns 0 (distinct).

Since $c^{(1)} = g^u$ and $(c^{(1)})^x = g^{ux}$, the decryption is straightforward, so we do not derive it step by step. In the comparison phase $\mathcal{C}(c_1, c_2, y_1, y_2)$:

$$c_1^{(4)} \cdot g^{-H_2((c_1^{(2)})^{y_1})} = g^{H_2(g^{v_1 y_1}) + m_1} \cdot g^{-H_2(g^{v_1 y_1})} = g^{m_1}$$

Similarly, $c_2^{(4)} \cdot g^{-H_2((c_2^{(2)})^{y_2})} = g^{m_2}$. By definition of the multiplicative group $G$, the comparison returns 1 if and only if $m_1 = m_2$. The perfect consistency holds. On the other hand, by definition $m_1 \ne m_2$ if and only if $\mathcal{C}(c_1, c_2) = 0$. Obviously, $m_1 \ne m_2 \iff g^{m_1} \ne g^{m_2}$. The perfect soundness holds.

4 CBA-PKEET

We propose the model of CBA-PKEET before introducing the scheme.

Definition 3 (Model of CBA-PKEET schemes)

– Key generation, $(sk, pk) \leftarrow \mathcal{G}(1^k)$: a polynomial-time key generation algorithm which takes a security parameter $k$ as input and then generates a secret and public key pair $(sk, pk)$ of the PKEET scheme.

– Encryption, $c \leftarrow \mathcal{E}_{pk}(m)$: a probabilistic encryption algorithm which encrypts a message $m$ under the public key $pk$, and then returns the ciphertext $c = \mathcal{E}_{pk}(m)$ in polynomial time.

– Decryption, $m \leftarrow \mathcal{D}_{sk}(c)$: a deterministic decryption algorithm which returns the plaintext $m = \mathcal{D}_{sk}(c)$ in polynomial time.

– Authentication, $\mathcal{A}_{sk}(c)$: if an authorized user requests the authority which makes the ciphertext $c$ comparable, the authentication algorithm takes the private key $sk$ into the computation and outputs the ciphertext-binded authority $\mathcal{A}_{sk}(c)$. Otherwise, it returns $\bot$.

– Comparison, $1/0 \leftarrow \mathcal{C}(c_1, c_2, \mathcal{A}_{sk_1}(c_1), \mathcal{A}_{sk_2}(c_2))$: let $c_1 = \mathcal{E}_{pk_1}(m_1)$ and $c_2 = \mathcal{E}_{pk_2}(m_2)$ denote two different ciphertexts encrypted under two different public keys. Anyone who owns the authorities $\mathcal{A}_{sk_1}(c_1)$ and $\mathcal{A}_{sk_2}(c_2)$ can perform the comparison algorithm $\mathcal{C}$, which returns the equivalence between $m_1$ and $m_2$ without decryption in polynomial time. 1 stands for identical; 0 means distinct.

Remark 1. The comparison of CBA-PKEET differs from the comparison of Tang's AoN-PKEET. When $c_1$ is replaced by another ciphertext $c_1' = \mathcal{E}_{pk_1}(m')$ while the authority $\mathcal{A}_{sk_1}(c_1)$ is kept (even though $c_1$ and $c_1'$ are encrypted under the same public key $pk_1$), the comparison algorithm $\mathcal{C}(c_1', c_2, \mathcal{A}_{sk_1}(c_1), \mathcal{A}_{sk_2}(c_2))$ does not work in CBA-PKEET.

4.1 Our scheme

Based on Tang's works, we take advantage of the Fujisaki-Okamoto transformation [7] to construct our CBA-PKEET scheme. Before introducing it, we present the concept of our scheme for ease of understanding:

$$c = \mathcal{E}_{pk}(m) = c_m \| c_{H(m)}$$

The former part of the ciphertext, $c_m$, denotes the encrypted message, and the latter part, $c_{H(m)}$, represents the encrypted hash value of $m$ for the equality test.

There are some public parameters $(G, g, p, q, l, k)$ and three collision-resistant one-way hash functions $H_1$, $H_2$ and $H_3$, which are defined as follows:

– $G$ is a multiplicative cyclic group with prime order $q$ and modulus $p$. The bit length of $q$ is $l$, $l \cong k$.
– Each element in $G$ is $k$ bits long. $g$ is a generator of $G$.
– The message space is set to $G$. $k$ stands for a security parameter.
– $H_1: \{0, 1\}^{2k+l} \to \mathbb{Z}_q^*$; $H_2: G \to \{0, 1\}^{2k+l}$; $H_3: \{0, 1\}^* \to \{0, 1\}^k$.

– $\mathcal{G}(1^k)$: select $x \in_R \mathbb{Z}_q^*$, keep it as the secret key and publish the public key $y = g^x$.

– $\mathcal{E}_{pk}(m)$: to encrypt a message $m$ into the ciphertext $c$, we first randomly pick $r \in_R \mathbb{Z}_q^*$, and then compute $c = (c^{(1)}, c^{(2)})$ as follows:

$$u = H_1(m \| r \| H_3(m)),\quad c^{(1)} = g^u,\quad c^{(2)} = H_2(y^u) \oplus (m \| r \| H_3(m))$$

– $\mathcal{D}_{sk}(c)$: on receiving the ciphertext $c$, the owner of the secret key $x$ is able to decrypt it by the following algorithm:
  1. Compute $(m' \| r' \| R) \leftarrow c^{(2)} \oplus H_2((c^{(1)})^x)$ and $u' = H_1(m' \| r' \| R)$.
  2. Check whether $c^{(1)} \stackrel{?}{=} g^{u'}$ and $R \stackrel{?}{=} H_3(m')$. If both equations hold, then $m' = m$ and the decryption algorithm returns the plaintext $m$; otherwise, it returns $\bot$ and terminates.

– $\mathcal{A}_{sk}(c)$: once a trusted party sends an authentication request with respect to the ciphertext $c$ to the owner of the secret key $sk$, he or she follows steps 1 and 2 of the decryption phase. If $c^{(1)} = g^{u'}$ and $R = H_3(m')$, then he or she returns the ciphertext-binded authority

$$\mathcal{A}_{sk}(c) = \mathrm{LSB}_k[H_2((c^{(1)})^x)]$$

Otherwise, $\bot$ will be returned.

– $\mathcal{C}(c_1, c_2, \mathcal{A}_{sk_1}(c_1), \mathcal{A}_{sk_2}(c_2))$: let $c_1$ and $c_2$ be two ciphertexts encrypted under different public keys $pk_1$ and $pk_2$ respectively. Anyone can perform the comparison algorithm after getting the two authorities $\mathcal{A}_{sk_1}(c_1)$ and $\mathcal{A}_{sk_2}(c_2)$. The comparison algorithm is the following equation:

$$\mathrm{LSB}_k[c_1^{(2)}] \oplus \mathcal{A}_{sk_1}(c_1) \stackrel{?}{=} \mathrm{LSB}_k[c_2^{(2)}] \oplus \mathcal{A}_{sk_2}(c_2)$$

If this equation holds, then the two plaintexts $m_1$ and $m_2$, which correspond to the ciphertexts $c_1$ and $c_2$, are identical; otherwise, they are distinct. The derivation of the comparison is provided below. Let $u_1 = H_1(m_1 \| r_1 \| H_3(m_1))$; then

$$\begin{aligned}
\mathrm{LSB}_k[c_1^{(2)}] \oplus \mathcal{A}_{sk_1}(c_1) &= \mathrm{LSB}_k[H_2(y_1^{u_1}) \oplus (m_1 \| r_1 \| H_3(m_1))] \oplus \mathcal{A}_{sk_1}(c_1) \\
&= \mathrm{LSB}_k[H_2(g^{u_1 x_1}) \oplus (m_1 \| r_1 \| H_3(m_1))] \oplus \mathrm{LSB}_k[H_2(g^{u_1 x_1})] \\
&= \mathrm{LSB}_k[H_2(g^{u_1 x_1})] \oplus \mathrm{LSB}_k[m_1 \| r_1 \| H_3(m_1)] \oplus \mathrm{LSB}_k[H_2(g^{u_1 x_1})] \\
&= \mathrm{LSB}_k[m_1 \| r_1 \| H_3(m_1)] = H_3(m_1)
\end{aligned}$$

Similarly, $\mathrm{LSB}_k[c_2^{(2)}] \oplus \mathcal{A}_{sk_2}(c_2) = H_3(m_2)$. The comparison becomes:

$$\mathrm{LSB}_k[c_1^{(2)}] \oplus \mathcal{A}_{sk_1}(c_1) = H_3(m_1) \stackrel{?}{=} H_3(m_2) = \mathrm{LSB}_k[c_2^{(2)}] \oplus \mathcal{A}_{sk_2}(c_2)$$

The perfect consistency obviously holds. On the other hand, if $m_1 \ne m_2$, by definition the probability that $\mathcal{C}(c_1, c_2, \mathcal{A}_{sk_1}(c_1), \mathcal{A}_{sk_2}(c_2)) = 1$ can be estimated by

$$\Pr\left[(sk_1, pk_1) \leftarrow \mathcal{G}(1^k);\ (sk_2, pk_2) \leftarrow \mathcal{G}(1^k);\ m_1 \ne m_2;\ c_1 \leftarrow \mathcal{E}_{pk_1}(m_1);\ c_2 \leftarrow \mathcal{E}_{pk_2}(m_2);\ w_1 \leftarrow \mathcal{A}_{sk_1}(c_1);\ w_2 \leftarrow \mathcal{A}_{sk_2}(c_2) : \mathcal{C}(c_1, c_2, w_1, w_2) = 1\right] = \Pr[H_3]$$

Because $\Pr[H_3] \in \mathrm{negl}(k)$, the soundness holds for the security parameter $k$.

Efficiency comparison: let xor, exp and pairing be the time costs of an XOR, an exponentiation and a pairing computation respectively:

$$\mathrm{xor} \ll \mathrm{exp} < \mathrm{pairing} \cong 8\,\mathrm{exp}$$

We take Yang et al.'s [12], Tang's [10] and [11] and Canard et al.'s [5] into the comparison, and show the efficiency comparison on the $\{\mathcal{G}, \mathcal{E}, \mathcal{D}, \mathcal{A}, \mathcal{C}\}$ model in Table 1. The whole process of a private equality test needs two authorizations and one comparison.⁴ Obviously, the CBA-PKEET scheme works much more efficiently than those previous works.

Table 1. Efficiency comparison

| Scheme | G | E | D | A | C | Equality test (2A + C) |
|---|---|---|---|---|---|---|
| PKEET [12] | 1 exp | 3 exp | 3 exp | N/A | 2 pairing | 2 pairing |
| PCE [5] | 1 exp | 4 exp | 2 pairing | N/A | 4 pairing | 4 pairing |
| AoN-PKEET [11] | 2 exp | 5 exp | 2 exp | 0 | 4 exp | 4 exp |
| FG-PKEET [10] | 2 exp | 4 exp | 2 exp | 3 exp | 4 pairing | 4 pairing |
| CBA-PKEET | 1 exp | 2 exp | 2 exp | 1 exp | 2 xor | 2 exp |

Remark 2 (Security proof). Due to the page limit, the security proof is omitted; it will be shown in the full version of this paper.
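As an added illustration (not the paper's code), the following Python models the CBA-PKEET algorithms G, E, D, A and C of Section 4.1 over a toy 64-bit safe-prime subgroup, with SHA-256 truncations standing in for H1, H2 and H3; demo() exercises perfect consistency, soundness and Remark 1 (an authority issued for one ciphertext does not make another ciphertext under the same key comparable). The group size, the hash instantiations and the fixed-width byte encodings are this example's assumptions, chosen for runnability rather than security.

```python
import hashlib
import random

K = 8  # bytes per group element and per H3 digest (k = 64 bits); l = 63 bits, so 2k+l fits in 3K bytes

def is_probable_prime(n):
    """Miller-Rabin; these 12 bases are deterministic for n < 3.3e24, ample for 64-bit n."""
    s = ((n - 1) & (1 - n)).bit_length() - 1                # n - 1 = 2^s * d with d odd
    d = (n - 1) >> s
    for a in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if pow(a, d, n) not in (1, n - 1) and all(pow(a, d << r, n) != n - 1 for r in range(1, s)):
            return False
    return True

def setup(seed=2013):
    """Seeded search for a 64-bit safe prime p = 2q + 1; g = 4 generates the order-q subgroup G."""
    rng = random.Random(seed)
    while True:
        q = rng.getrandbits(63) | (1 << 62) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1, q, 4

def enc(e): return e.to_bytes(K, "big")
def xor(a, b): return bytes(i ^ j for i, j in zip(a, b))
def H1(payload, q): return int.from_bytes(hashlib.sha256(b"H1" + payload).digest(), "big") % (q - 1) + 1
def H2(elem): return hashlib.sha256(b"H2" + enc(elem)).digest()[:3 * K]  # G -> {0,1}^{2k+l}
def H3(m): return hashlib.sha256(b"H3" + enc(m)).digest()[:K]           # {0,1}^* -> {0,1}^k
def keygen(p, q, g):
    x = random.SystemRandom().randrange(1, q)
    return x, pow(g, x, p)                                  # sk = x, pk = y = g^x
def encrypt(y, m, p, q, g):
    """c = (g^u, H2(y^u) xor (m||r||H3(m))) with u = H1(m||r||H3(m)); r is the FO randomness."""
    payload = enc(m) + enc(random.SystemRandom().randrange(1, q)) + H3(m)
    u = H1(payload, q)
    return pow(g, u, p), xor(H2(pow(y, u, p)), payload)
def decrypt(x, c, p, q, g):
    """Steps 1-2: unmask m'||r'||R, check c1 = g^u' and R = H3(m'); returns (m, mask) or None (⊥)."""
    mask = H2(pow(c[0], x, p))                              # authority() publishes this mask's low K bytes
    payload = xor(mask, c[1])
    m = int.from_bytes(payload[:K], "big")
    ok = c[0] == pow(g, H1(payload, q), p) and payload[2 * K:] == H3(m)
    return (m, mask) if ok else None
def authority(x, c, p, q, g):
    """A_sk(c) = LSB_k[H2((c1)^x)], issued only if c passes the decryption checks."""
    res = decrypt(x, c, p, q, g)
    return None if res is None else res[1][-K:]
def compare(c1, c2, a1, a2):
    """LSB_k[c^(2)] xor A(c) = H3(m), so the two sides agree exactly when H3(m1) == H3(m2)."""
    return xor(c1[1][-K:], a1) == xor(c2[1][-K:], a2)

def demo(p, q, g):
    """Consistency, soundness and Remark 1: an authority is bound to one ciphertext, not to a key."""
    (x1, y1), (x2, y2) = keygen(p, q, g), keygen(p, q, g)
    m = pow(g, 12345, p)                                    # messages are subgroup elements
    ca, ca2, cb = encrypt(y1, m, p, q, g), encrypt(y1, m, p, q, g), encrypt(y2, m, p, q, g)
    cc = encrypt(y1, pow(g, 777, p), p, q, g)               # a different plaintext under pk1
    aa, ab = authority(x1, ca, p, q, g), authority(x2, cb, p, q, g)
    return {"equal": compare(ca, cb, aa, ab),                                 # True
            "unequal": compare(cc, cb, authority(x1, cc, p, q, g), ab),       # False
            "authority_reuse_fails": compare(ca2, cb, aa, ab),                # False: same m and pk1, other ciphertext
            "tampered_rejected": authority(x1, (ca[0], bytes(3 * K)), p, q, g) is None}
```

Because the comparison reduces to H3(m1) = H3(m2), every party holding an authority learns H3(m) for that one ciphertext and nothing about other ciphertexts under the same key, which is exactly the ciphertext binding the scheme is built for.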

5 Conclusion

We notice that PKEET with ciphertext-binded authorities is useful especially in financial fields. But so far, no CBA-PKEET scheme exists. Following Tang's AoN-PKEET scheme, we propose the first CBA-PKEET scheme. It works much more efficiently than previous authorization-based PKEET schemes do. Then, we prove our CBA-PKEET scheme secure in the random oracle model based on Diffie-Hellman hard problems. Due to the page limit, the proof is omitted here, and it will appear in the full version of this paper.

⁴ Since the authorities in Tang's works [10][11] are valid for all ciphertexts encrypted under the same public key, the equality test algorithm only costs the comparison time C, not 2A + C.

Acknowledgment

Raylin Tso would like to thank the National Science Council, Taiwan, R.O.C. for supporting this research under Grant No. NSC 101-2628-E-004-001-MY2. Hung-Min Sun would like to thank the National Science Council, Taiwan, R.O.C. for supporting this research under Grant No. NSC 100-2628-E-007-018-MY3.

References

1. Shweta Agrawal, Dan Boneh, and Xavier Boyen. Efficient lattice (H)IBE in the standard model. In EUROCRYPT, pages 553–572, 2010.

2. Mihir Bellare, Anand Desai, David Pointcheval, and Phillip Rogaway. Relations among notions of security for public-key encryption schemes. In CRYPTO, pages 26–45, 1998.

3. Mihir Bellare and Phillip Rogaway. Random oracles are practical: A paradigm for designing efficient protocols. In ACM Conference on Computer and Communications Security, pages 62–73, 1993.

4. Mihir Bellare and Phillip Rogaway. Optimal asymmetric encryption. In EUROCRYPT, pages 92–111, 1994.

5. Sébastien Canard, Georg Fuchsbauer, Aline Gouget, and Fabien Laguillaumie. Plaintext-checkable encryption. In CT-RSA, pages 332–348, 2012.

6. Ran Canetti, Shai Halevi, and Jonathan Katz. A forward-secure public-key encryption scheme. J. Cryptology, 20(3):265–294, 2007.

7. Eiichiro Fujisaki and Tatsuaki Okamoto. How to enhance the security of public-key encryption at minimum cost. In Public Key Cryptography, pages 53–68, 1999.

8. Shafi Goldwasser and Silvio Micali. Probabilistic encryption. J. Comput. Syst. Sci., 28(2):270–299, 1984.

9. Helger Lipmaa. Verifiable homomorphic oblivious transfer and private equality test. In ASIACRYPT, pages 416–433, 2003.

10. Qiang Tang. Public key encryption schemes supporting equality test with authorisation of different granularity. IJACT, 2(4):304–321, 2012.

11. Qiang Tang. Public key encryption supporting plaintext equality test and user-specified authorization. Security and Communication Networks, 5(12):1351–1362, 2012.

12. Guomin Yang, Chik How Tan, Qiong Huang, and Duncan S. Wong. Probabilistic public key encryption with equality test. In CT-RSA, pages 119–131, 2010.
