Generalized Anonymous Broadcast Encryption Scheme

(1)

2íˆ±È‹òÍ$

Generalized Anonymous Broadcast Encryption

Scheme

"zÊ

ÅzZ

Å«É½¸×ç

Email:{pyting, M96570030, M96570025}@mail.ntou.edu.tw

¿ b ¿ b ¿ b —…dT|ø_!k™}… 2íˆ±È‹ òÍ$ âk°vx24£ˆ±4 ¤Í$ªJ@àÊAº VÖ ÛbGNìæ¦Ìí»W’eéÍ$2 Bbíl Boneh _{í “˛È‹ò¶” qlø_&MQY6ˆ±4íœ„ , ¤} œ„øÈòdíér\µâQY6ít¿R–V , QY6 ªJàAÐí’¿tu´ªjÇvòd , à‹.?jíu , 6 Ì¶)ø¨<Aªj Í(ì2¤ˆ±ÈÍ$íòd.ª}< ér4 , cq BDDHE ½æul,˚Øí , BbÊ™Ä_2 „p¤Í$íér4 É œ È É œ È É œ È —!k™}…í‹ò 2í™}…‹ò È‹ò ˆ±È ™Ä_ éríèv’eé

Abstract—In this paper, we propose an

identity-based, generalized, anonymous broadcast encryption sys-tem. This system can be used in a large scale medical database that requires dynamic assignments of access rights because it is both generalized and anonymous. First we design a mechanism to hide the broadcast targets for Boneh’s “Spatial Encryption ”. This mechanism hides the policy vector through the target’s public key. Any receiver can test the ciphertext to see if he is one of the target receivers. If he is not the target, he will not learn the set of target receivers. Then we define suitable security notion for this anonymous broadcast encryption system. Assuming that BDDHE problem is secure, we prove the security of the system in the standard model.

Index Terms:—Identity-based encryption,

General-ized identity-based encryption, Broadcast encryption, Anonymous broadcast encryption, Standard model, Secure

medical database.

ø

Êø_!k™}…í‹ò (Identity-Based

En-cryption, IBE) Í$[16][6] 2 , Uà6à™}…å

TÑt (Wà “Alice@xxx.com”) , òßÞ2 -(Private Key Generator, PKG) ð„w™}1¤D ò çÍ$d_œ×v , Ñ7Áý PKG íT¾ , ªJUà¼µ™}…‹ò (Hierarchical

Identity-Based Encryption, HIBE) Í$[14][11] , «àcÕ

-Zíø PKG øµøµ%-¤ , Uà6²µí PKG _{„õAÐí™}J)ƒò} ÊÈ‹òÍ$2 , ©_È6·ªJ‹ò]7 #L<íUà6Õ¯S , S2íUà6ªJàAÐíò jÇòd[3], [10] , ¡VrÖóÉíû˝[2], [13], [1], [7] 3bñ™ÊkòsÀÅ òsòdÅ ±Q‹jòFÛílvÈ ^0ËJ"¢ò6 G|cÍ$Aº , ¤Õ6!k™}…íÈ ‹ò (Identity-Based Broadcast Encryption, IBBE) Í$[15] , wßTutÇÀÅ.}¸Uà6,Ab A£ª

Boneh[8]_{Ê2008T|2™}…‹ò}

(Gen-eralized Identity Based Encryption, GIBE) Í$í

(2)

·ªJzAÐ¶Mí?‰¤#FA , .d HIBE Í $2¤ÉÌkcÕí*˘É[5È , Ê GIBE Í$ 2à‹øø_òd‹ò#øˇAº¤?‰í>Õ , ¹ ªJTXÈ‹òÍ$íŠ? Êø_«à GIBE Í $ ZíÈ‹òÍ$2 , ¤6ªjòFF¤5 Aºªjíòd , Ä¤‹òvªJ0§ËGNìæ¦ Ì , _¯@àÊAºVÖí -!Z2 , Wà: Ê2 ÛU\í»W’eé2 , wUàAº¨Ö®_»Í ®_ù ®_»Þ èA Ê»W’eéí@à2 , øMèv’eH[ø_ èA/øŸÿÄíp“ , ¥M’eÎ7èAªJõƒq ñ5Õ , Fí3µ»Þ }Ä»Þ RÍ»Þ v 3L »Í3 ¨ÞœÉ3 U\3Aº· ª?æ¦¤°’e Ê…d2þt«àtÇÀ È‹òÍ$í–1Vql¥_œ„ , Bb6ı?D «à4í¤V±QúÖ_ñ™Èvíòd×ü ¸l¾ à‹òQ@àÛíÈ‹òÍ$k,H»W’ eé2 , „)ƒ¤íUà6ÖÍõ.ƒèvqñ , º ªJ*ÈòdíQYúï)ƒ¶Màí’m , Ä¤ …dT|7ø!k™}…íˆ±2È‹òÍ $Vj²¥_õ,í½æ , ¤Tí“ˆ±4”ÿu¿R ÈòdíQYúï Bbâ“˛È‹òÍ$ (Spatial

Encryption System)[8]”OG , ¤œ„xGIBE Í$ íÔ4 , w2©ø_Uà6í ID ú@ø_Ö&í"¦ ˛È , ©øMdKú@ø_˛È2íõdÑwér\µ

(security policy) , à‹võPk/øUà6í"¦˛ È2†vUà6ªj¤òd ¤Í$ªJyªø¥– }ÑrÖiH (role) , _¯@àk‡H»W’eéÍ$ 2 , Í7¤Í$1.xˆ±4 , Ä¤Bbqlø_¿ R‡Hér\µíœ„º¯˛È‹òÍ$«T , ªø¥ \ˆèvF6í¿’ , ÁýòdNÐí’m , U:< íÛU6ØJâòd2)ƒLSàí’m Bb• à[8] 2|2íér4ì2kˆ±íÈÍ$2 , 1 Ê™Ä_-„pFT|Í$íér4 ù ÜóÉíì2 cq J£˛È‹òÍ $ , ú Ñér4ì2D2íˆ±È‹òÍ$ , û ÑÍ$ér4í„p , ü Ñ!

ù !…cqD˛È‹òÍ$

IG, GTÑs_– (order) Ñ”bpí=ˇ , g_{ÑGíÞAb e : G × G → GT} _ÑÅ—Â(4 (Bilinear) _{Ý¢“4 (Non-degenerate) Dªl4} (Computable) _{íÂ(4úø (Pairing)}

BDDH (Bilinear Decision Diffie-Hellman) ½½½æ : }<¦š x VA PBDDH }0Cu RBDDH }0 , w2 PBDDH := {a, b, c ∈R Z∗p, z = e(g, g)abc;

(ga, gb, gc, z)} , RBDDH := {a, b, c ∈_R Z∗_p, z ∈R G∗_T; (ga, gb, gc, z)} ø_œ0ÖávÈ Æ¶ A(g, ga_{, g}b_{, g}c_{, z}_{) }< BDDH ½æíi‘Ñ} BDDH Adv_A(λ) := | Pr[A(x) = 1 : x ∈_RPBDDH] − Pr[A(x) = 1 : x ∈R RBDDH]| , w2 λ Ñér¡ b

BDDHE (Bilinear Decision Diffie-Hellman Ex-ponent) ½½½æ : }<¦š x VA PBDDHE }0Cu

RBDDHE }0 , w2 PBDDHE := {α ∈R Z∗p, h ∈R G∗_{, z} ₌ _e_{(g, h)}αn_; _(gα[0,n−1]_{, g}α[n+1,2n]_{, h, z}_{)} ,} RBDDHE := {α ∈R Z∗p, h ∈R G∗, z ∈R G∗ T; gα [0,n−1] , gα[n+1,2n]_{, h, z}_{} , w2¯U g}α[a,b] _H[ (gαa_{, g}αa+1_,_{· · · , g}αb_{) , a, b ∈ Z / a ≤ b ø} _œ0Æ¶ A(g, gα[0,n−1]_{, g}α[n+1,2n]_{, h, z}_{) }<}

BDDHE _{½æíi‘Ñ BDDHE Adv}_A,n(λ) := |

Pr[A(x) = 1 : x ∈_R P_BDDHE]− Pr[A(x) = 1 :

x∈_RR_BDDHE]| , w2 λ Ñér¡b ˛È‹òÍ$ ˛È‹òÍ$ ˛È‹òÍ$ Boneh àø_òdÅìí n &˛È‹òÍ $[8] õÛ GIBBE Í$ , wÑ>VAìòdÅí HIBE Í$[5] , ér4†!k BDDHE ½æ ¯U ¯U ¯U – v= (v1, v₂, ..., v_n)T _{∈ Zp}n _{H[ n &íW²¾} – _{âˇ G jÖZAí n &²¾ g}v _{:= (g}v1_{, g}v2_, ..., gvn)T _{∈ G}n Ê.ø−²¾ v í8”- , #

(3)

ì gv _{¸ø_ n &²¾ w = (w1}_{, w}

2, ..., wn)T ,

LSAªJ'ñql| G 2íjÖ gv,w = (gv1₎w1 _{· (g}v2₎w2 _{· . . . · (g}vn)wn , w2 v, w :=

vTw H[s_ n &²¾íq

– Aff(M, x) ⊆ Z_pn _{H[ d &"¦˛È {My + x :}

y∈ Z_pd} , w2 M ∈ Z_pn×d , x ∈ Z_pn Í$=1 Í$=1 Í$=1 – Í$¡b : G G_T Ñs_–Ñ”b p (ér¡b λ = log p) í=ˇ , e : G × G → G_T _Ñ ø_Â(4úø ˜ò¡b¨Ö a0 ∈ Zp a ∈ Zpn b ∈ Zp , tÇ¡b¨Ö g ga0 ∈ G , t = e(g, g)b∈ G_T _{¸ø_²¾ g}a∈ Gn – _{©ø_Uà6íiH ρ ú@ø_ d &"¦} ˛È Vρ := Aff(Mρ, xρ) , wò KVρ =(gr, gb+ra0+rxρ,a_{, g}rMρTa_{), r} _{u* Z}∗ p 2Óœ‘²í jÖ – _{©ø_òdíér\µ π ú@ø_ n &²¾ x} – ÓŠƒb open(ρ, π) = 1, J x ∈ Vρ 0, w… û_Æ¶«Tà- : – Setup(λ, n) :ßÞtÇíÍ$¡b p G GT , g ∈_R G∗ _{¸˜ò¡b a0} b ∈_R Z_p , a ∈_R Z_pn , l t := e(g, g)b , |tÇ¡b PP := (p, G, GT; g, ga0, ga, t) ¸Í$Ü6ò K := (g, gb_{, g}a₎ ∈ Gn+2 , H[|,µí PKG – Delegate(PP, V₁, K_V1, V₂) : _{s_ä˛È V1} := Aff(M₁, x₁) V₂ := Aff(M₂, x₂) / V₂ u V1 í ä˛È , .æÊ d×d ä³ T ¸ d &²¾ y Å— M₂ = M₁T x₂ = x₁ + M₁y ,¤6Ë K_V1 , ªJà-¥l˛È V2 ú@íò KV2 , íll ˆK_V2 := (gr_{, g}b+ra0+rx1,a · gryTM1Ta_, grTTM1Ta₎ = (gr_{, g}b+ra0+rx2,a_{, g}rM2Ta_{) ,} _yøw

Óœ“ , ‘² s ∈R Z∗p 1l KV2 := (gr · gs, gb+ra0+rx2,a _{· g}s(a0+x2,a)_{, g}rM2Ta · gsM2Ta₎ =

(gr+s, gb+(r+s)(a0+x2,a), g(r+s)M2Ta_{) , K}_V2 ¹Ñ V₁ ¤# V2 _íò – Encrypt(PP, x, m) :_{I]7 m Ñˇ G}_T _2íø _jÖ , ‘² s ∈R Z∗p lòd c := (c1, c2, c3) := (gs, gs(a0+x,a), m · ts) – Decrypt(PP, V , K_V, x, c₁, c₂, c₃) :_{w2x ∈ V ,} ρ _{¹Ñ V , π ¹Ñ x , JÅ— open(ρ, π) Ñ} ö , ílÏW¤Æ¶ Delegate(PP, V , KV, Aff(0, x)) )ƒò K_{x} := (k1, k2) := (gr_, gb+r(a0+x,a)_{) ,}_{YÎ-¹ªj]7 m:}

c₃· e(c₂, k₁) e(c1, k2) =

m· ts· e(g, g)rs(a0+x,a) e(g, g)sb+rs(a0+x,a) = m ,HÍ$2ér\µ²¾ x uËÊòd,t0í , BbÊ- 2ø^Z¤Í$ , U)ÉªjòíUà6 ª)ƒ x

ú !k™}…í2ˆ±È‹òÍ$

J-ld¸ˆ±È‹òÍ$í4” , ì2wé r4 , Í(^Z˛È‹òÍ$Uwxeˆ±4 : 2íˆ±È‹òÍ$ 2íˆ±È‹òÍ$ 2íˆ±È‹òÍ$ : – Í$2FAºîªAW‹ò1È]7òd , È6.ÌkÔìíAº – _{‹ò6ªL<‘²ø_AºíÕ¯ S , UÊ S q} íAºªjò , 7.Ê S qíAº.?jò – _{òd.âxˆ±4 , ÉÊÕ¯ S qíAºø} −¨<Aªjò , 7.Ê S qíAº†´ – orN¬¤íœ„ø¶Mjò?‰ãÀFAW U , \¤6ªjòíòd , w¤66ªjò – s_³¼µ*˘¤É[íAº , ª¤#° øA <¹ A ¸ B ·ª¤# C , C ªjí òd A ¸ B ·?j , O A ?jíòd B .ø ì?j , ¥5?Í J-érì2£Í$2 , ·cqUà6í™}… å ID .â%¬ø_À²/^0íÆ¶)ƒ ú@í"¦˛È V := Aff(M, x) , w2 M uø_ n × n íä³ , x uø_ n &íW²¾ , â ID l

(4)

Aff(M, x) uñqí (ªÊÖávÈq|) , 7 â Aff(M, x) °)ú@í ID ul,˚Øí ér4ì2 ér4ì2 ér4ì2 : J-uø_”O6 C ¸ÛU6 A Èíˇ , à‹ LS^0íÛU6 A k¤ˇíi‘·ªJI , †¤Í$Êˆ± (Anonymous) íÈqì ²Ï4

(Selective) ID _{D²ÏpdÛU (Chosen Plaintext}

Attack, CPA)í81-uérí , Bb˚5Ñ (Anon,

Sel, CPA)-secure =1qì : C l‘²˛È& n ”b p ¸s_–Ñ p í=ˇ G, GT 1f£# A , A ‘²s_™}…å íÕ¯ S0 ={ID_0,1, ID_0,2, . . . , ID_0,k} , k < n S₁ = {ID_1,1, ID_1,2, . . . , ID_1,k} , k < n 1f£ (S0, S₁) # C , C ‘² x0 ∈ ∩k i=1V0,i, x1 ∈ ∩k

i=1V1,i , Vi,j Ñ

ID_i,j _{Fú@í"¦˛È , C ‘²w…ítÇ¡b PP} 1f£# A øŸÉ½¼¨ : A ² C É½ÖŸ¤#™}… å ID (ú@"¦˛È V) íò , C ÏW Dele-gate(PP, , K, V) 1f£ KV # A , Ou A . ?É½äÕ¯ S0 D S1 qí™}…åíò ”O¼¨ :A ‘²s_]7 m0 m1 f£# C , C Ó œ‘² β ∈ {0, 1} , l c∗ := Encrypt(PP, x_β, m_β) , 1f# A ùŸÉ½¼¨ : A y² C É½ÖŸ¤#™}… å ID (_{ú@"¦˛È V}) íò , A .?É½ä Õ¯ S0 D S1 qí™}…åíò “¿¼¨ : A | β , à β = β † A =)¤ˇ ,Híˇ2 A .âÊ“ƒtÇ¡b‡lNì ID í Õ¯ S0 D S1 , ˚Ñ²Ï4 ID íÛU_ [4] ; ÉTX A ‹òùÎ7³TX A jòùÎ , uF ‚í²ÏpdÛU úkø_Ýˆ±íÈ‹òÍ$ , ˇ2 A ÉÛb‘ø_u°í…åÕ¯ S , ?¹ S₀ .âk S1 , ´† A ªJ/ËâÈíúï} <òd2ípd ÛU6 A Ê V ˇ (ç A ÛUø_qì¡bÑ

SP _{í‹òÍ$ S) 2íi‘Ñ VAdv}_{A←→(S,SP)}(λ) :=

| Pr[A wins V] − Pr[A loses V] | càúkFí

qì¡b SP ¸Fíœ0ÖávÈíÛU6 A , i‘ VAdvA←→(S,SP)(λ) uø_ λ íªIƒb , †

˚¤È‹òÍ$ S u V-secure ˆ±í˛È‹òÍ$ ˆ±í˛È‹òÍ$ ˆ±í˛È‹òÍ$ û_Æ¶à- : =1qì =1qì =1qì Setup(λ , n) : ßÞø_Â(4úø e : G× G → GT , G GT Ñs_–Ñ”b p (log p = λ) í=ˇ , h : GT −→ Zp Ñø 1-1 5){ƒ , n u˛È& ‘² g ∈R G∗ , ßÞ˜ò¡b a0 b b₁ ∈_R Z_p , a a₁ ∈_R Z_pn , Í(l t := e(g, g)b t₁ := gb1 , |tÇ¡b PP := (p, G, G_T; g, ga0, ga_, ga1_{, t, t} 1) ¸Ü6ò K := (g, gb, ga, b1, a1) ø_…å ID ú@í"¦˛ÈÑ V = Aff(M,

x) , òÑ K_V = (gr_{, g}b+ra0+rx,a_{, g}rMTa_{, g}b1x,a1_,

gb1MTa1₎ _{w2 b b1} _{uÜ6í˜ò , r u* Z}∗ p 2 Óœ‘²íø_b ¤ ¤ ¤ Delegate(PP, V1, K_V1, V₂) : V₁ = Aff(M1, x₁) V₂ = Aff(M2, x2) , J V2 ⊆ V₁ _{† V1} _ªJ¤ # V2 KV1 := (gr, gb+ra0+rx1,a, grM T 1a_{, g}b1x1,a1_, gb1M1Ta1_{) ,}_{ÄÑ V2} _{u V1} _{íä˛È , FJ.æÊä³} T _{¸²¾ y U) M2} = M₁T , x₂ = x₁ + M₁y , ¤6Ë KV1 , ªJà-¥l˛È V2 ú@ íò KV2 , íll ˆKV2 := (gr, gb+ra0+rx1,a · gryTM₁Ta_{, g}rTTM₁Ta_{, g}b1x1,a1 _{· g}b1yTM₁Ta₁_{, g}b1TTM₁Ta₁₎

= (gr, gb+ra0+rx2,a, grM2Ta_{, g}b1x2,a1_{, g}b1M2Ta1_{) ,} _y

øwÓœ“ , ‘² s ∈R Z∗p 1l KV2 := (gr · gs, gb+ra0+rx2,a_{· g}s(a0+x2,a)_{, g}rM₂Ta · gsM₂Ta_{, g}b1x2,a1_, gb1M2Ta1₎ = (gr+s_{, g}b+(r+s)(a0+x2,a)_{, g}(r+s)M₂Ta_, gb1x2,a1, gb1M2Ta1_{) , K} V2 ¹Ñ V1 ¤# V2 íò ˆ±È‹ò ˆ±È‹ò ˆ±È‹ò Encrypt(PP, S, m) : m ÑHÈí ]7 , Ñ“–cJ-cq]7 m Ñˇ GT 2íø _jÖ(õTv¦ø]7JÌÜöíj){Ñ GT 2íjÖ) , S ÑÈúïí™}…å5Õ¯ , ? ¹ S = {ID1, ID₂, ..., IDk} , k < n , à‡ø FH©ø IDi ªJ_çËú@ƒø_"¦˛È Vi = Aff(M_i, x_i) _{‹ò6ªJ-¥lòd c :}

(5)

1) vƒø_ér\µ π £wú@í²¾ x = (x1, x₂, ..., x_n) Å— x ∈ ∩k i=1Vi / Pr[x ∈ ∪IDj∈S/ Vj] ªI 2) _{Óœ‘²ø_²¾ y}_m ∈_R Z_pn _{¸cb u ∈}_R Zp 3) _{l v}_i := M_iy_m+ x_i , i = 1, 2, ..., k

4) _{l r1,i} := e(gvi,a1_{, g}b1₎u _{= e(g}b1vi,a1_{, g}u₎ ∈ GT , i = 1, 2, ..., k 5) ‘² (key, r₂, ..., r_n) ∈ Z_pn Å— key ≡ Ri, vi (mod p) , Ri := (h(r1,i), r2, ..., rn) , i= 1, 2, ..., k 6) _{Óœ‘² s ∈ Z}_p , l (c1, c₂, c3) := (gs_{, g}s(a0+x,a)_{, m} _{· t}s₎ 7) I R := (r2, r₃, ... , r_n) ,SE Ñø_éríú ˚‹òÍ$ , l xe := SEkey( x1 x2 ... xn) ]7 m íòdÑ c := (ym, gu, R, xe, c1, c2, c3) ¥ 6 Ñ˛È‹òÆ¶í‹òj¶ ¥ 2 ∼ 5_{¸ 7 íqluÑ7UÈ‹òÍ$xˆ±4 , Jø} ø_òdíér\µ π £wú@í²¾ x òQtÇ , LSAîª‡i x u´˘kø_…åú@í"¦ ˛È , *7)øÈíúï ¥ 7 «àø_ÀŸò key ø x ‹ò–V7. òQtÇ ; ¥ 2 ∼ 5 âtÇ (y_m, gu, R) ,_{U S Õ} ¯qíUà6·àAÐíòl|¤òd5ÀŸò key , _{7.Ê S qíUà6†´ ¥ 5 Ñjø_ n} j:j˙ , k .âük n , ´†Ìj ¥ 2 ∼

4 _{U)©Ÿ‹òv , ¹UÕ¯ S qíAº.‰ , ¥}

5 _{:j˙í[bE}.° , 7j:j˙)ƒí} ÀŸò key ?.ó° õÒ@àvÕ¯ S .âøFªjòí,µ ID ·[ªV , âkÊ»W’eéí@à2 ID íqlÑø _˜ , à : C×»Í\i\*** , Ä¤ÉÛb•O ˜ , ÿªz,µ ID (C×»Í C×»Íi * **) ·[pÕ¯ S q ˆ±Èjò ˆ±Èjò ˆ±Èjò Decrypt(PP, Vi, KVi, c) : à‹òd c íér\µ π Fú@í²¾ x ∈ Vi , †¤Æ¶ªJ j|£üpd m , Vi ÑÕ¯ S 2Uà6 IDi Fú@ í"¦˛È , KVi Ñ IDi 5ò , jò¥à- : 1) ˆv_i = M_i y_m+ x_i

2) _{l ˆr}_1,i = e(gb1ˆvi,a1_{, g}u)

3) _{l ˆ}key ≡ ˆR_i,ˆvi (mod p) , ˆR_i = (h(ˆr1,i), r₂, ..., r_n) 4) _{à ˆ}key _{jò x}_e _{)ƒ ˆ}x₁ ˆx₂ ... ˆxn , ´Ÿ ˆx = (ˆx1, ˆx2, ... , ˆx_n) 5) _{I ˆ}Vx= Aff(0, ˆx) ÏW¤Æ¶ Delegate(PP, V_i, K_V_i, ˆVx) ,)ƒ K_{ˆx} := (k₁, k₂) = (gr, gb+r(a0+ˆx,a)) 6) Hp-ªj| ˆm c₃· e(c₂, k1) e(c1, k2) =

m· ts· e(g, g)rs(a0+x,a) e(g, g)sb+rs(a0+ˆx,a) = mˆ

£ü4 £ü4

£ü4 :

1) _{J x ∈ V}_i _{† ˆv}_i = M_i y_m+ x_i = v_i

2) ˆr_1,i = e(gb1ˆvi,a1_{, g}u_{) = e(g}b1vi,a1_{, g}u_{) =} r_1,i

3) ˆR_i = (h(ˆr1,i), r2, ..., r_n) = (h(r1,i), r2, ..., r_n)

= Ri , keyˆ ≡ ˆRi,ˆvi = Ri, vi ≡ key

4) _{ÄÑ ˆ}key = key FJ ˆx = x 5) *jòí¥ 6 ªø , ç ˆx = x v , ˆm = m Ä¤ç x ∈ Vi †ªj|£üípd m

û ér4„p

ìÜ 1. ìÜ 1.

ìÜ 1. Êø_ (Anon, Sel, CPA) ˇ2 , úkLS ÛUˆ±íÈ‹òÍ$ S íœ0ÖávÈÛU 6 A , æÊø_}< BDDHE ½æíÆ¶ B , ÏW ívÈ× A ó° , U) BDDHE AdvB,n+1(λ) =

1

2 · (Anon, Sel, CPA)AdvA←→(S,n)(λ)

„p „p

„p :

àÇøFý , Êø_ˆ±íÈ‹òÍ$2 , Bbª„ pJæÊø_ÛU6 A Ê (Anon, Sel, CPA) ˇ 2úÍ$ S .ªIíi‘ , †ªJ Zø_Æ

(6)

¶ B ú BDDHE ½æ.ªIíi‘ , âk˛ÈÌ „ , /¤„pâ[8]5„pðÞ|V , ¤TôI¤„p , Ì„p~cdêc[9] BDDHE ½æ (g, G, G_T; z)

B

-

_A

w2 z = (gα[0,n]_, gα[n+2,2n+2], h, z) 1. z∈ P_BDDHE i.e. z = e(g, h)αn+1 2. z∈ R_BDDHE i.e. z ∈R G_T -(n, p, G, G_T) …åÕ¯ S₀ S₁ -PP - øŸÉ½¼¨ - ”O¼¨ - ùŸÉ½¼¨ “¿¼¨ 0 / 1 Çø ˆ±È‹òÍ$ér4„p5ÛU_ [ìÜ 2. [ìÜ 2. [ìÜ 2. J BDDHE ½æul,.ª}<í , † 2íˆ±È‹òÍ$ S u (Anon, Sel,

CPA)-secure

Êø_ (Anon, Sel, CPA) ˇ2 , ø_ÛUˆ± È‹òÍ$ S íÛU6 A Yƒ c∗ ( , ‘² IDa ID_b ∈ S₀ , à‹FªJ‡i R_a, va ≡ Rb, vb , † H[…åÕ¯ S0 ªjòd c∗ , ¥5…åÕ¯ S₁ _{ªj Ä¤ , Ñ7^#ìÜ 1 , .â„p.æÊÆ} ¶ A ª}<u´ Ra, va ≡ Rb, vb ùÜ 3. ùÜ 3. ùÜ 3. cq BDDH ½æul,.ª}<í , úk Fœ0ÖávÈíÆ¶ A , #ì (PP, y_m, gu_, R, V_a, V_b) _{‡i R}_a, va ≡ Rb, vb C Ra, va ≡ Rb, vb ul,.ª}<í „p „p „p: cqæÊø_œ0ÖávÈíÆ¶ A , Å — | Pr[A(PP, y_m, gu_{, R, V} a, Vb) = 1 : Ra, va ≡ Rb, vb] − Pr[A(PP, y_m, gu_{, R, V} a, Vb) = 1 : Ra, va ≡ Rb, vb] | ≥ , ?¹cq A .ªIí i‘ªJAŠËâtÇíòd£ IDa IDb í"¦˛È V_a V_b _{‡iu´ R}_a, va ≡ Rb, v_b , «à A Bb Zø_ªJ}< BDDH ½æíÆ¶ B à- : _Ò6 B *ø_ BDDH ½æ)ƒ p G GT ¸ (ga, gb, gc, z) íl B ‘² ga0 ∈R G ga ∈ R Gn t ∈R GT a2, a3, ..., an ∈R Zp , Í (ltÇ¡b PP := (p, G, GT ; g, ga0, ga, ga1 := (ga_{, g}a2_{, ..., g}an), t, t1 := gb1 _{= g}b₎ ‡úL<í IDa IDb , B ‘² ym ∈R Zpn I gu _{:= g}c , ;W v i = Mi ym + xi l va := (v_a1, v_a2, ..., v_an) v_b := (v_b1, v_b2, ..., v_bn) , w2 Mi Ñ n × n íä³ , xi ∈ Zpn B l α := (va2, v_a3, ..., v_an), (a2, a₃, ..., a_n), β := (vb2, v_b3, ..., v_bn), (a2, a₃, ..., a_n) , ÄÑ r_1,a = e(gb1va,a1_{, g}u_{) = e(g, g)}(va1a+α)b1u ₌

(e(g, g)ab1u₎va1 · (e(g, g)b1u₎α _{= (e(g, g)}abc₎va1 ·

e(gb_{, g}c₎α _/ _r

1,b = e(gb1vb,a1, gu) =

e(g, g)(vb1a+β)b1u _{= (e(g, g)}ab1u₎vb1 · (e(g, g)b1u₎β ₌

(e(g, g)abc₎vb1 · e(gb_{, g}c₎β , à‹ z = e(g, g)abc _† r_1,a = zva1 · e(gb_{, g}c₎α r 1,b = zvb1 · e(gb, gc)β , FJ B l h(r1,a) = h(zva1 · e(gb_{, g}c₎α₎ h(r1,b) = h(zvb1 · e(gb_{, g}c₎β₎ B ‘² R := (r2, r3, ..., rn) ∈ Zpn−1 Å— Ra, va ≡ Rb, vb , 1ø (PP, ym, gu, R, Va, Vb) f £# A J A | ζ ∈ {0, 1} † B 6| ζ BDDH ÛU6íi‘à- : 1) z = e(g, g)abc: Pr[B(x) = 1 : x ∈_R P_BDDH] =Pr[ A(PP, y_m, gu_{, R, V} a, Vb) = 1: Ra, va ≡ Rb, vb] 2) z ∈R G_T: Pr[B(x) = 1 : x ∈_R RBDDH] = Pr[A(PP, y_m, gu_{, R, V} a, Vb) = 1 : Ra, va ≡ Rb, vb] ⇒ BDDH AdvB(λ) := | Pr[B(x) = 1 : x ∈RPBDDH] − Pr[B(x) = 1 : x ∈R RBDDH] | = | Pr[A(PP, y_m, gu_{, R, V} a, Vb) = 1 :

(7)

Ra, va ≡ Rb, v_b] − Pr[A(PP, y_m, gu, R, V_a, V_b) = 1 : Ra, va ≡ Rb, vb] | ≥  Ê BDDH _{½ æ ' ˚ Ø í c q - , BDDH} Adv_B(λ) Ñø_ªIíƒb , Ä¤.æÊÆ ¶ A U) | Pr[A(PP, ym, gu, R, Va, Vb) = 1 : Ra, va ≡ Rb, vb] − Pr[A(PP, ym, gu, R, Va, Vb) = 1 : R_a, v_a ≡ R_b, v_b] | ≥ , Ñø_.ªI íƒb â‹òÆ¶ Encrypt(PP, S, m) ªJõ| key ]7 m D (c1, c₂, c3) uêrÖí , Ä¤„p vÆ¶ A .Ûbø− (m, c1, c₂, c3) ¤Õl key v.ÛbtÇ¡b (ga0_{, g}a_{, t}_{) , FJBbòQ‘} ² ga0 _∈R _{G g}a _∈R _Gn t ∈ R GT , 7.Ûl‘ ² a0 ∈R Zp a ∈R Zpn b ∈R Zp yl ga0 ga t = e(g, g)b BDDH _{cqª BDDHE cqÿ , ?¹JæÊø} _Æ¶ A ª}< BDDH ½æ , †æÊø_Æ¶ B ª}< BDDHE ½æ B *ø_ BDDHE ½æ2 )ƒ (g, G, GT ; gα [0,n−1] , gα[n+1,2n], h, z) ,f£ (g, G, GT ; ga := gα, gb := gα n−1 , gc := h, z) # A , J A ª}< z = e(g, g)abc _{C z ∈} R GT † B ª} < z = e(g, h)αn _{C z ∈} RGT òd c 2Ì¶òQ)ƒ…åíÕ¯ S , 7, Þ„p2à‹³ò KVa KVb †ÊÖávÈq ‡i Ra, va ≡ Rb, vb C Ra, va ≡ Rb, vb ul,.ª}<í , R)ªjò xe íò key x ’ò4 , ÄÑcqæÊø_Æ¶ªÊÖávÈ | key ≡ Ri, vi , i ∈ {1, 2, ..., k} , †ª‡iu´ Ra, va ≡ Rb, vb J SE Ñø_Êÿk BDDHE cq (Wà BDDH cq) -éríú˚‹òÍ$ , †BbíÍ$Ê BD-DHE _{½æu˚Øícq-uérí} Êø_x_@ (Adaptive) ér4íˇ2 , C ªJAâË²ìtÇ¡b , A Ê”O¼¨vn‘² 1f£ S0, S₁ _{# C [12] 2T|ø~¬íšÓG} (Semi-Static) ér4 , 1T|øÂÀíÍ$ql j¶ , ªJzxšÓGér4íÈ‹òÍ$ , ² Ñx_@ér4íÈ‹òÍ$ , …d2íÍ$6 ªJdéNíØk

ü !

…d!k Boneh í“˛È‹ò¶” qlø_¿ RÈúïíœ„ , AÑø_xˆ±4 !k™} …í2È‹òÍ$ , ¥_Í$ªJ@àÊÛb GNìªjò6í»W’eéÍ$2 cq BDDHE ½æul,˚Øí , …dÊ™Ä_-„p¤ˆ± ÈÍ$íér4

ý _á

…dóÉû˝wP2MÚ]û˝F (lå) U:TL-98-1501) £W\ÍÅ} (lå)U:NSC 97-2221-E-019-014)%‘^Œ, )Jß‚êA, Ô¤_á

þ ¡ 5 d .

[1] N. Attrapadung and H. Imai, “Graph-decomposition-based frameworks for subset-cover broadcast encryption and efficient instantiations”, in Asiacrypt’05, LNCS 3788, pp. 100–120, 2005.

[2] N. Attrapadung, K. Kobara, and H. Imai, “Sequential key derivation patterns for broadcast encryption and key predistri-bution schemes”, in Asiacrypt’03, LNCS 2894, pp. 374–391, 2003.

[3] S. Berkovits, “How to broadcast a secret”, in Eurocrypt’91, LNCS 547, pp. 535–541, 1991.

[4] D. Boneh. and X. Boyen, “Efficient selective-ID secure identity based encryption without random oracles”, in Eurocrypt’04, LNCS 3027, pp. 223–238, 2004.

[5] D. Boneh, X. Boyen, and E. Goh, “Hierarchical identity based encryption with constant size ciphertext”, in Eurocrypt’05, LNCS 3494, pp. 440–456, 2005.

[6] D. Boneh and M. K. Franklin, “Identity based encryption from the Weil pairing”, in SIAM Journal on Computing, 32(3), pp. 586–615, 2003.

[7] D. Boneh, C. Gentry, and B. Waters, “Collusion resistant broadcast encryption with short ciphertexts and private keys”, in Crypto’05, LNCS 3621, pp. 258–275, 2005.

(8)

[8] D. Boneh and M. Hamburg, “Generalized identity based and broadcast encryption schemes”, in Asiacrypt’08, LNCS 5350, pp. 455–470, 2008.

[9] S. W. Chang, “Generalized anonymous broadcast encryption scheme”, in http://140.121.140.23/cgi-bin/cdrfb3/gsweb.cgi? o=dstdcdr, 2009.

[10] A. Fiat and M. Naor, “Broadcast encryption”, in Crypto’93, LNCS 773, pp. 480–491, 1994.

[11] C. Gentry and A. Silverberg, “Hierarchical ID-based cryptog-raphy”, in Asiacrypt’02, LNCS 2501, pp. 548–566, 2002. [12] C. Gentry and B. Waters, “Adaptive security in broadcast

encryption systems”, in Eurocrypt’09, LNCS 5479, pp. 171– 188, 2009.

[13] M. T. Goodrich, J. Z. Sun, and R. Tamassia, “Efficient tree-based revocation in groups of low-state devices”, in Crypto’04, LNCS 3152, pp. 511–527, 2004.

[14] J. Horwitz and B. Lynn, “Towards hierarchical identity-based encryption”, in Eurocrypt’02, LNCS 2332, pp. 466–481, 2002. [15] R. Sakai and J. Furukawa, “Identity-based broadcast encryp-tion”, in Cryptology ePrint Archive, Report 2007/217, available at http://eprint.iacr.org/2007/217.

[16] A. Shamir, “Identity-based cryptosystems and signature schemes”, in Crypto’84, LNCS 196, pp. 47–53, 1984.