Generalized Anonymous Broadcast Encryption Scheme
Email:{pyting, M96570030, M96570025}@mail.ntou.edu.tw
Abstract—In this paper, we propose an identity-based, generalized, anonymous broadcast encryption system. Because it is both generalized and anonymous, the system can be used in a large-scale medical database that requires dynamic assignment of access rights. First we design a mechanism that hides the broadcast targets of Boneh's "Spatial Encryption": the policy vector is hidden through the targets' public keys. Any receiver can test the ciphertext to see whether he is one of the target receivers; if he is not, he learns nothing about the set of target receivers. We then define a suitable security notion for this anonymous broadcast encryption system and, assuming that the BDDHE problem is hard, prove the security of the system in the standard model.
Index Terms—Identity-based encryption, Generalized identity-based encryption, Broadcast encryption, Anonymous broadcast encryption, Standard model, Secure medical database.
I. Introduction
[The text of the introduction is not legible in this copy. Its recoverable content: it reviews identity-based encryption (IBE) [16][6] and its key-generation by a Private Key Generator (PKG), hierarchical identity-based encryption (HIBE) [14][11], broadcast encryption [3], [10] and related work [2], [13], [1], [7], identity-based broadcast encryption (IBBE) [15], and the generalized identity-based encryption (GIBE) of Boneh [8] from 2008, whose spatial encryption instance assigns each user ID an affine space and each ciphertext a point of a security policy, with delegation organized by role. It motivates anonymous broadcast encryption by the medical-database setting described in the abstract, and closes with the outline: Section II gives the related definitions, assumptions and the spatial encryption system; Section III the security definition and the generalized anonymous broadcast encryption system; Section IV the security proof; Section V the conclusion.]
II. Basic Assumptions and the Spatial Encryption System
Let $G$ and $G_T$ be two cyclic groups of prime order $p$, let $g$ be a generator of $G$, and let $e : G \times G \to G_T$ be a pairing, that is, a map that is bilinear, non-degenerate and efficiently computable.

BDDH (Bilinear Decision Diffie-Hellman) problem: given a sample $x$, decide whether it was drawn from $P_{BDDH}$ or from $R_{BDDH}$, where
$P_{BDDH} := \{a, b, c \in_R \mathbb{Z}_p^*,\ z = e(g,g)^{abc};\ (g^a, g^b, g^c, z)\}$ and
$R_{BDDH} := \{a, b, c \in_R \mathbb{Z}_p^*,\ z \in_R G_T^*;\ (g^a, g^b, g^c, z)\}$.
The advantage of a probabilistic polynomial-time algorithm $A(g, g^a, g^b, g^c, z)$ against BDDH is
$\mathrm{BDDH\ Adv}_A(\lambda) := \left|\Pr[A(x) = 1 : x \in_R P_{BDDH}] - \Pr[A(x) = 1 : x \in_R R_{BDDH}]\right|$,
where $\lambda$ is the security parameter.

BDDHE (Bilinear Decision Diffie-Hellman Exponent) problem: given a sample $x$, decide whether it was drawn from $P_{BDDHE}$ or from $R_{BDDHE}$, where
$P_{BDDHE} := \{\alpha \in_R \mathbb{Z}_p^*,\ h \in_R G^*,\ z = e(g,h)^{\alpha^n};\ (g^{\alpha^{[0,n-1]}}, g^{\alpha^{[n+1,2n]}}, h, z)\}$ and
$R_{BDDHE} := \{\alpha \in_R \mathbb{Z}_p^*,\ h \in_R G^*,\ z \in_R G_T^*;\ (g^{\alpha^{[0,n-1]}}, g^{\alpha^{[n+1,2n]}}, h, z)\}$,
and $g^{\alpha^{[a,b]}}$ denotes the tuple $(g^{\alpha^a}, g^{\alpha^{a+1}}, \ldots, g^{\alpha^b})$ for $a, b \in \mathbb{Z}$, $a \le b$. The advantage of a probabilistic polynomial-time algorithm $A(g, g^{\alpha^{[0,n-1]}}, g^{\alpha^{[n+1,2n]}}, h, z)$ against BDDHE is
$\mathrm{BDDHE\ Adv}_{A,n}(\lambda) := \left|\Pr[A(x) = 1 : x \in_R P_{BDDHE}] - \Pr[A(x) = 1 : x \in_R R_{BDDHE}]\right|$,
where $\lambda$ is the security parameter.

Spatial encryption system. Boneh realizes GIBBE with an $n$-dimensional spatial encryption system with constant-size ciphertexts [8]; it generalizes the constant-size-ciphertext HIBE of [5], and its security rests on the BDDHE problem.

Notation:
– $v = (v_1, v_2, \ldots, v_n)^T \in \mathbb{Z}_p^n$ is an $n$-dimensional column vector, and $g^v := (g^{v_1}, g^{v_2}, \ldots, g^{v_n})^T \in G^n$ is the corresponding vector of group elements. Without knowing $v$, anyone holding $g^v$ and an $n$-vector $w = (w_1, w_2, \ldots, w_n)^T$ can compute the element $g^{\langle v, w\rangle} = (g^{v_1})^{w_1} \cdot (g^{v_2})^{w_2} \cdots (g^{v_n})^{w_n}$ of $G$, where $\langle v, w\rangle := v^T w$ is the inner product of the two $n$-vectors.
– $\mathrm{Aff}(M, x) \subseteq \mathbb{Z}_p^n$ is the $d$-dimensional affine space $\{My + x : y \in \mathbb{Z}_p^d\}$, where $M \in \mathbb{Z}_p^{n \times d}$ and $x \in \mathbb{Z}_p^n$.

System definition:
– Parameters: $G$ and $G_T$ are groups of prime order $p$ (security parameter $\lambda = \log p$) and $e : G \times G \to G_T$ is a pairing. The master secret consists of $a_0 \in \mathbb{Z}_p$, $a \in \mathbb{Z}_p^n$ and $b \in \mathbb{Z}_p$; the public parameters are $g, g^{a_0} \in G$, $t = e(g,g)^b \in G_T$ and the vector $g^a \in G^n$.
– Each user role $\rho$ corresponds to a $d$-dimensional affine space $V_\rho := \mathrm{Aff}(M_\rho, x_\rho)$, whose key is $K_{V_\rho} = (g^r,\ g^{b + r a_0 + r\langle x_\rho, a\rangle},\ g^{r M_\rho^T a})$ with $r$ drawn uniformly from $\mathbb{Z}_p^*$.
– Each ciphertext's security policy $\pi$ corresponds to an $n$-dimensional vector $x$.
– The opening predicate is $\mathrm{open}(\rho, \pi) = 1$ if $x \in V_\rho$ and $0$ otherwise.

The four algorithms are as follows:
– Setup($\lambda, n$): generate the public system parameters $p, G, G_T$, $g \in_R G^*$ and the master secrets $a_0, b \in_R \mathbb{Z}_p$, $a \in_R \mathbb{Z}_p^n$; compute $t := e(g,g)^b$; output the public parameters $PP := (p, G, G_T;\ g, g^{a_0}, g^a, t)$ and the master key $K := (g, g^b, g^a) \in G^{n+2}$, which represents the top-level PKG.
– Delegate($PP, V_1, K_{V_1}, V_2$): let $V_1 := \mathrm{Aff}(M_1, x_1)$ and $V_2 := \mathrm{Aff}(M_2, x_2)$ be affine spaces with $V_2$ a subspace of $V_1$, so that there exist a $d \times d$ matrix $T$ and a $d$-vector $y$ with $M_2 = M_1 T$ and $x_2 = x_1 + M_1 y$. The holder of $K_{V_1}$ derives the key of $V_2$ by first computing
$K'_{V_2} := (g^r,\ g^{b + r a_0 + r\langle x_1, a\rangle} \cdot g^{r y^T M_1^T a},\ g^{r T^T M_1^T a}) = (g^r,\ g^{b + r a_0 + r\langle x_2, a\rangle},\ g^{r M_2^T a})$
(the factors $g^{r y^T M_1^T a}$ and $g^{r T^T M_1^T a}$ come from the third component $g^{r M_1^T a}$ by the inner-product rule above), and then re-randomizing it with $s \in_R \mathbb{Z}_p^*$ using $g^{a_0}$ and $g^a$ from $PP$:
$K_{V_2} := (g^r \cdot g^s,\ g^{b + r a_0 + r\langle x_2, a\rangle} \cdot g^{s(a_0 + \langle x_2, a\rangle)},\ g^{r M_2^T a} \cdot g^{s M_2^T a}) = (g^{r+s},\ g^{b + (r+s)(a_0 + \langle x_2, a\rangle)},\ g^{(r+s) M_2^T a})$.
$K_{V_2}$ is the key that $V_1$ delegates to $V_2$.
– Encrypt($PP, x, m$): the message $m$ is an element of $G_T$; choose $s \in_R \mathbb{Z}_p^*$ and compute the ciphertext $c := (c_1, c_2, c_3) := (g^s,\ g^{s(a_0 + \langle x, a\rangle)},\ m \cdot t^s)$.
– Decrypt($PP, V, K_V, x, c_1, c_2, c_3$): if $x \in V$, i.e. with $\rho$ corresponding to $V$ and $\pi$ to $x$ we have $\mathrm{open}(\rho, \pi) = 1$, run Delegate($PP, V, K_V, \mathrm{Aff}(0, x)$) to obtain the point key $K_{\{x\}} := (k_1, k_2) := (g^r,\ g^{b + r(a_0 + \langle x, a\rangle)})$, and recover the message $m$ as
$c_3 \cdot \dfrac{e(c_2, k_1)}{e(c_1, k_2)} = \dfrac{m \cdot t^s \cdot e(g,g)^{rs(a_0 + \langle x, a\rangle)}}{e(g,g)^{sb + rs(a_0 + \langle x, a\rangle)}} = m.$

In this system the security policy vector $x$ is attached to the ciphertext in the clear. In the next section we modify the system so that only users who are able to decrypt can obtain $x$.
III. Identity-Based Generalized Anonymous Broadcast Encryption System
Below we first state the properties of a generalized anonymous broadcast encryption system and define its security, and then modify the spatial encryption system so that it becomes anonymous.

Generalized anonymous broadcast encryption system:
– Every user of the system can encrypt and broadcast a ciphertext; the broadcaster is not a fixed user.
– The encryptor can choose an arbitrary set $S$ of users such that the users in $S$ can decrypt and the users outside $S$ cannot.
– The ciphertext must be anonymous: only a user in $S$ can test that he is able to decrypt, and a user outside $S$ learns nothing about $S$.
– Decryption ability can be passed on to other users through a delegation mechanism; every ciphertext the delegatee can decrypt, the delegator can decrypt as well.
– Two users with no hierarchical relation can delegate to the same user: if $A$ and $B$ both delegate to $C$, then every ciphertext $C$ can decrypt is decryptable by $A$ and by $B$, while a ciphertext that $A$ can decrypt is not necessarily decryptable by $B$, and vice versa.

In the security definition and the system below we assume that a user's identity $ID$ is mapped by a public deterministic function to an affine space $V := \mathrm{Aff}(M, x)$, where $M$ is an $n \times n$ matrix and $x$ an $n$-dimensional column vector. Computing $\mathrm{Aff}(M, x)$ from $ID$ is easy (polynomial time), while recovering the $ID$ that corresponds to a given $\mathrm{Aff}(M, x)$ is hard.

Security definition: the following is a game between a challenger $C$ and an adversary $A$. If the advantage of every polynomial-time adversary $A$ in this game is negligible, the system is secure in the anonymous (Anon), selective-ID (Sel), chosen-plaintext-attack (CPA) model; we call it (Anon, Sel, CPA)-secure.
Setup: $C$ chooses the dimension $n$, the prime $p$ and two groups $G, G_T$ of order $p$ and sends them to $A$. $A$ chooses two sets of identities $S_0 = \{ID_{0,1}, ID_{0,2}, \ldots, ID_{0,k}\}$ and $S_1 = \{ID_{1,1}, ID_{1,2}, \ldots, ID_{1,k}\}$, $k < n$, and sends $(S_0, S_1)$ to $C$. $C$ chooses $x_0 \in \bigcap_{i=1}^k V_{0,i}$ and $x_1 \in \bigcap_{i=1}^k V_{1,i}$, where $V_{i,j}$ is the affine space of $ID_{i,j}$, chooses the remaining public parameters $PP$ and sends $PP$ to $A$.
Phase 1: $A$ asks $C$ for the key of any identity $ID$ (with affine space $V$); $C$ derives $K_V$ from the master key $K$ with Delegate and returns it to $A$. $A$ may not ask for the keys of identities in $S_0$ or $S_1$.
Challenge: $A$ sends two messages $m_0, m_1$ to $C$; $C$ chooses $\beta \in_R \{0, 1\}$, computes $c^* := \mathrm{Encrypt}(PP, x_\beta, m_\beta)$ and sends $c^*$ to $A$.
Phase 2: as in Phase 1, $A$ asks $C$ for keys of identities $ID$ (affine spaces $V$), again excluding the identities in $S_0$ and $S_1$.
Guess: $A$ outputs $\beta'$; $A$ wins the game if $\beta' = \beta$.
Note that $A$ must choose the identity sets $S_0$ and $S_1$ before seeing the public parameters, which is the selective-ID attack model of [4], and that $A$ is given the ability to encrypt but no decryption oracle, which is the usual chosen-plaintext attack. For a non-anonymous broadcast encryption system $A$ would have to specify a single set $S$ in the game, i.e. $S_0$ would have to equal $S_1$, since otherwise $A$ could distinguish the ciphertexts by their broadcast targets.

The advantage of an adversary $A$ in game $V$ (where $A$ attacks an encryption system $S$ with security parameters $SP$) is
$V\ \mathrm{Adv}_{A \leftrightarrow (S, SP)}(\lambda) := \left|\Pr[A \text{ wins } V] - \Pr[A \text{ loses } V]\right|$.
If for all security parameters $SP$ and all probabilistic polynomial-time adversaries $A$ the advantage $V\ \mathrm{Adv}_{A \leftrightarrow (S, SP)}(\lambda)$ is a negligible function of $\lambda$, the broadcast encryption system $S$ is called $V$-secure.
Anonymous spatial encryption system. The four algorithms are as follows.

Setup($\lambda, n$): generate a pairing $e : G \times G \to G_T$ with $G, G_T$ groups of prime order $p$ ($\log p = \lambda$); let $h : G_T \to \mathbb{Z}_p$ be an injective (one-to-one) map and $n$ the dimension. Choose $g \in_R G^*$ and the master secrets $a_0, b, b_1 \in_R \mathbb{Z}_p$ and $a, a_1 \in_R \mathbb{Z}_p^n$; compute $t := e(g,g)^b$ and $t_1 := g^{b_1}$; output the public parameters $PP := (p, G, G_T;\ g, g^{a_0}, g^a, g^{a_1}, t, t_1)$ and the master key $K := (g, g^b, g^a, b_1, a_1)$. For an identity $ID$ with affine space $V = \mathrm{Aff}(M, x)$ the key is
$K_V = (g^r,\ g^{b + r a_0 + r\langle x, a\rangle},\ g^{r M^T a},\ g^{b_1\langle x, a_1\rangle},\ g^{b_1 M^T a_1})$,
where $b, b_1$ are master secrets and $r$ is drawn uniformly from $\mathbb{Z}_p^*$.

Delegate($PP, V_1, K_{V_1}, V_2$): let $V_1 = \mathrm{Aff}(M_1, x_1)$ and $V_2 = \mathrm{Aff}(M_2, x_2)$; if $V_2 \subseteq V_1$ then $V_1$ can delegate to $V_2$. Given
$K_{V_1} := (g^r,\ g^{b + r a_0 + r\langle x_1, a\rangle},\ g^{r M_1^T a},\ g^{b_1\langle x_1, a_1\rangle},\ g^{b_1 M_1^T a_1})$,
since $V_2$ is a subspace of $V_1$ there exist a matrix $T$ and a vector $y$ with $M_2 = M_1 T$ and $x_2 = x_1 + M_1 y$, so the holder of $K_{V_1}$ computes
$K'_{V_2} := (g^r,\ g^{b + r a_0 + r\langle x_1, a\rangle} \cdot g^{r y^T M_1^T a},\ g^{r T^T M_1^T a},\ g^{b_1\langle x_1, a_1\rangle} \cdot g^{b_1 y^T M_1^T a_1},\ g^{b_1 T^T M_1^T a_1})$
$= (g^r,\ g^{b + r a_0 + r\langle x_2, a\rangle},\ g^{r M_2^T a},\ g^{b_1\langle x_2, a_1\rangle},\ g^{b_1 M_2^T a_1})$,
and re-randomizes the first three components with $s \in_R \mathbb{Z}_p^*$:
$K_{V_2} := (g^r \cdot g^s,\ g^{b + r a_0 + r\langle x_2, a\rangle} \cdot g^{s(a_0 + \langle x_2, a\rangle)},\ g^{r M_2^T a} \cdot g^{s M_2^T a},\ g^{b_1\langle x_2, a_1\rangle},\ g^{b_1 M_2^T a_1})$
$= (g^{r+s},\ g^{b + (r+s)(a_0 + \langle x_2, a\rangle)},\ g^{(r+s) M_2^T a},\ g^{b_1\langle x_2, a_1\rangle},\ g^{b_1 M_2^T a_1})$.
$K_{V_2}$ is the key that $V_1$ delegates to $V_2$.

Anonymous broadcast encryption. Encrypt($PP, S, m$): $m$ is the message to broadcast; for simplicity we assume $m$ is an element of $G_T$ (in practice the message is first mapped to an element of $G_T$ by a suitable encoding). $S$ is the set of target identities, $S = \{ID_1, ID_2, \ldots, ID_k\}$, $k < n$, and every $ID_i$ can be mapped by the public function to its affine space $V_i = \mathrm{Aff}(M_i, x_i)$. The encryptor computes the ciphertext $c$ as follows:
1) Choose a security policy $\pi$ with vector $x = (x_1, x_2, \ldots, x_n)$ such that $x \in \bigcap_{i=1}^k V_i$ and $\Pr[x \in \bigcup_{ID_j \notin S} V_j]$ is negligible.
2) Choose a random vector $y_m \in_R \mathbb{Z}_p^n$ and a random exponent $u \in_R \mathbb{Z}_p$.
3) Compute $v_i := M_i y_m + x_i$ for $i = 1, 2, \ldots, k$.
4) Compute $r_{1,i} := e(g^{\langle v_i, a_1\rangle}, g^{b_1})^u = e(g^{b_1\langle v_i, a_1\rangle}, g^u) \in G_T$ for $i = 1, 2, \ldots, k$ (from $PP$ the encryptor has $g^{a_1}$ and $t_1 = g^{b_1}$).
5) Choose $(\mathit{key}, r_2, \ldots, r_n) \in \mathbb{Z}_p^n$ such that $\mathit{key} \equiv \langle R_i, v_i\rangle \pmod p$ for every $i = 1, 2, \ldots, k$, where $R_i := (h(r_{1,i}), r_2, \ldots, r_n)$.
6) Choose $s \in_R \mathbb{Z}_p$ and compute $(c_1, c_2, c_3) := (g^s,\ g^{s(a_0 + \langle x, a\rangle)},\ m \cdot t^s)$.
7) Let $R := (r_2, r_3, \ldots, r_n)$, let $SE$ be a secure symmetric encryption scheme, and compute $x_e := SE_{\mathit{key}}(x_1 \| x_2 \| \cdots \| x_n)$.
The ciphertext of $m$ is $c := (y_m, g^u, R, x_e, c_1, c_2, c_3)$.

Step 6 is the encryption of the spatial encryption scheme. Steps 2 to 5 and step 7 are what make the broadcast encryption system anonymous: if the security policy $\pi$ and its vector $x$ were published directly, anyone could test whether $x$ lies in the affine space of a given identity and thereby learn the broadcast targets. Step 7 encrypts $x$ under a one-time key $\mathit{key}$ so that $x$ is no longer public, and steps 2 to 5 publish $(y_m, g^u, R)$ so that every user in $S$ can compute $\mathit{key}$ from his own private key while users outside $S$ cannot. Step 5 solves a system of $k$ equations in $n$ unknowns, so $k$ must be less than $n$, otherwise the system may have no solution. Steps 2 to 4 make the $v_i$ differ from one encryption to the next even when the set $S$ is unchanged, so the coefficients of the system in step 5 differ and the derived $\mathit{key}$ differs as well. In an actual application $S$ need not list every identity that can decrypt: in the medical-database application an $ID$ is a structured string, so it suffices to give a prefix, and every $ID$ sharing that prefix belongs to $S$.

Anonymous broadcast decryption. Decrypt($PP, V_i, K_{V_i}, c$): if the vector $x$ of the security policy $\pi$ of the ciphertext $c$ lies in $V_i$, this algorithm recovers the correct plaintext $m$. $V_i$ is the affine space of the user $ID_i$ in $S$ and $K_{V_i}$ is the key of $ID_i$. Decryption proceeds as follows:
1) Compute $\hat v_i = M_i y_m + x_i$.
2) Compute $\hat r_{1,i} = e(g^{b_1\langle \hat v_i, a_1\rangle}, g^u)$, where $g^{b_1\langle \hat v_i, a_1\rangle} = g^{b_1\langle x_i, a_1\rangle} \cdot g^{b_1 y_m^T M_i^T a_1}$ is obtained from the last two components of $K_{V_i}$ by the inner-product rule.
3) Compute $\widehat{\mathit{key}} \equiv \langle \hat R_i, \hat v_i\rangle \pmod p$, where $\hat R_i = (h(\hat r_{1,i}), r_2, \ldots, r_n)$.
4) Decrypt $x_e$ with $\widehat{\mathit{key}}$ to obtain $\hat x_1 \| \hat x_2 \| \cdots \| \hat x_n$, and form $\hat x = (\hat x_1, \hat x_2, \ldots, \hat x_n)$.
5) Let $\hat V_x = \mathrm{Aff}(0, \hat x)$ and run Delegate($PP, V_i, K_{V_i}, \hat V_x$) to obtain $K_{\{\hat x\}} := (k_1, k_2) = (g^r,\ g^{b + r(a_0 + \langle \hat x, a\rangle)})$.
6) Recover $\hat m$ as
$c_3 \cdot \dfrac{e(c_2, k_1)}{e(c_1, k_2)} = \dfrac{m \cdot t^s \cdot e(g,g)^{rs(a_0 + \langle x, a\rangle)}}{e(g,g)^{sb + rs(a_0 + \langle \hat x, a\rangle)}} = \hat m.$
Correctness:
1) If $x \in V_i$ then $\hat v_i = M_i y_m + x_i = v_i$.
2) $\hat r_{1,i} = e(g^{b_1\langle \hat v_i, a_1\rangle}, g^u) = e(g^{b_1\langle v_i, a_1\rangle}, g^u) = r_{1,i}$.
3) $\hat R_i = (h(\hat r_{1,i}), r_2, \ldots, r_n) = (h(r_{1,i}), r_2, \ldots, r_n) = R_i$, so $\widehat{\mathit{key}} \equiv \langle \hat R_i, \hat v_i\rangle = \langle R_i, v_i\rangle \equiv \mathit{key}$.
4) Since $\widehat{\mathit{key}} = \mathit{key}$, decrypting $x_e$ gives $\hat x = x$.
5) From step 6 of decryption, when $\hat x = x$ we get $\hat m = m$.
Therefore, whenever $x \in V_i$ the correct plaintext $m$ is recovered.
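The key-sharing part of the construction (step 5 of Encrypt together with step 3 of Decrypt) involves no pairing and can be checked with plain modular arithmetic. The following Python is an added example, not code from the paper: it solves the linear system for $(\mathit{key}, r_2, \ldots, r_n)$ by Gauss-Jordan elimination modulo $p$, with constructed vectors $v_i$ and constructed integers standing in for $h(r_{1,i})$, and checks that each receiver in $S$ recovers $\mathit{key}$ from $R$ while a vector that is not one of the $v_i$ does not.

```python
import random

def solve_mod_p(rows, rhs, p, rng):
    """Solve rows * u = rhs over Z_p by Gauss-Jordan elimination; free unknowns
    (the system is underdetermined when k < n) get random values.
    Returns u, or None if the equations are inconsistent."""
    k, n = len(rows), len(rows[0])
    M = [[x % p for x in row] + [b % p] for row, b in zip(rows, rhs)]
    pivots, r = [], 0
    for c in range(n):
        piv = next((i for i in range(r, k) if M[i][c]), None)
        if piv is None:
            continue
        M[r], M[piv] = M[piv], M[r]
        inv = pow(M[r][c], -1, p)
        M[r] = [x * inv % p for x in M[r]]
        for i in range(k):
            if i != r and M[i][c]:
                f = M[i][c]
                M[i] = [(x - f * y) % p for x, y in zip(M[i], M[r])]
        pivots.append(c)
        r += 1
        if r == k:
            break
    if any(not any(row[:n]) and row[n] for row in M):
        return None
    u = [None if c in pivots else rng.randrange(p) for c in range(n)]
    for i, c in enumerate(pivots):
        u[c] = (M[i][n] - sum(M[i][j] * u[j] for j in range(n) if j not in pivots)) % p
    return u

def derive_key_material(hs, vs, p, rng):
    """Encrypt step 5: find (key, r_2..r_n) with key = <R_i, v_i> mod p for every
    receiver i, where R_i = (h_i, r_2, ..., r_n) and h_i stands in for h(r_{1,i}).
    With unknowns u = (key, r_2, ..., r_n), row i reads key - sum_j v_ij r_j = h_i v_i1."""
    rows = [[1] + [-vj for vj in v[1:]] for v in vs]
    rhs = [h * v[0] for h, v in zip(hs, vs)]
    u = solve_mod_p(rows, rhs, p, rng)
    return (u[0], u[1:]) if u else None

def recover_key(h_i, v_i, R, p):
    """Decrypt step 3: key = <(h_i, R), v_i> mod p, using the receiver's own v_i."""
    return (h_i * v_i[0] + sum(r * vj for r, vj in zip(R, v_i[1:]))) % p

def demo(seed=1):
    """Constructed toy run: k = 2 receivers, n = 4, plus a third party outside S."""
    p = 1000003                                  # small prime standing in for the group order
    vs = [(3, 5, 7, 11), (2, 4, 8, 16)]          # constructed v_i = M_i y_m + x_i for i in S
    hs = [123456, 654321]                        # constructed values standing in for h(r_{1,i})
    key, R = derive_key_material(hs, vs, p, rng=random.Random(seed))
    members = [recover_key(h, v, R, p) for h, v in zip(hs, vs)]
    outsider = recover_key(111111, (9, 1, 2, 3), R, p)   # v and h of an identity not in S
    return key, members, outsider
```

Because the system has $n$ unknowns but only $k < n$ equations, the unused degrees of freedom are filled at random, which is why two encryptions to the same set yield unrelated $R$ vectors.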
IV. Security Proof
Theorem 1. In an (Anon, Sel, CPA) game, for any probabilistic polynomial-time adversary $A$ attacking the anonymous broadcast encryption system $S$, there exists an algorithm $B$ that solves the BDDHE problem, runs in about the same time as $A$, and satisfies
$\mathrm{BDDHE\ Adv}_{B,n+1}(\lambda) = \tfrac{1}{2} \cdot (\mathrm{Anon, Sel, CPA})\ \mathrm{Adv}_{A \leftrightarrow (S,n)}(\lambda).$

Proof: As Figure 1 shows, for an anonymous broadcast encryption system we can prove that if an adversary $A$ has non-negligible advantage against $S$ in the (Anon, Sel, CPA) game, then an algorithm $B$ with non-negligible advantage against the BDDHE problem can be constructed from it. Because space is limited and this proof is an extension of the proof in [8], it is omitted here; the full proof is given in [9].

Figure 1. The attack model used in the security proof of the anonymous broadcast encryption system: $B$ receives a BDDHE instance $(g, G, G_T;\ g^{\alpha^{[0,n]}}, g^{\alpha^{[n+2,2n+2]}}, h, z)$ in which either (1) $z \in P_{BDDHE}$, i.e. $z = e(g,h)^{\alpha^{n+1}}$, or (2) $z \in R_{BDDHE}$, i.e. $z \in_R G_T$. $B$ plays the challenger for $A$: it sends $(n, p, G, G_T)$, receives the identity sets $S_0, S_1$, sends $PP$, answers the Phase 1 queries, the Challenge and the Phase 2 queries, and outputs 0 or 1 according to $A$'s guess.

Theorem 2. If the BDDHE problem is hard, then the generalized anonymous broadcast encryption system $S$ is (Anon, Sel, CPA)-secure.
In an (Anon, Sel, CPA) game, once the adversary $A$ attacking $S$ has received $c^*$, suppose it picks $ID_a, ID_b \in S_0$. If it can decide whether $\langle R_a, v_a\rangle \equiv \langle R_b, v_b\rangle$, it can tell that the set $S_0$ is able to decrypt $c^*$ whereas $S_1$ is not. Therefore, to establish Theorem 1 we must show that no algorithm $A$ can decide whether $\langle R_a, v_a\rangle \equiv \langle R_b, v_b\rangle$.

Lemma 3. Assume the BDDH problem is hard. Then for every probabilistic polynomial-time algorithm $A$ that is given $(PP, y_m, g^u, R, V_a, V_b)$, deciding whether $\langle R_a, v_a\rangle \equiv \langle R_b, v_b\rangle$ or $\langle R_a, v_a\rangle \not\equiv \langle R_b, v_b\rangle$ is hard.

Proof: Suppose there is a probabilistic polynomial-time algorithm $A$ with
$\left|\Pr[A(PP, y_m, g^u, R, V_a, V_b) = 1 : \langle R_a, v_a\rangle \equiv \langle R_b, v_b\rangle] - \Pr[A(PP, y_m, g^u, R, V_a, V_b) = 1 : \langle R_a, v_a\rangle \not\equiv \langle R_b, v_b\rangle]\right| \ge \epsilon$
for non-negligible $\epsilon$, i.e. $A$ can decide from the public ciphertext components and the affine spaces $V_a, V_b$ of $ID_a, ID_b$ whether $\langle R_a, v_a\rangle \equiv \langle R_b, v_b\rangle$. Using $A$ we build an algorithm $B$ for the BDDH problem as follows. $B$ receives $p, G, G_T$ and $(g^a, g^b, g^c, z)$ from a BDDH instance. It chooses $g^{a_0} \in_R G$, $g^{a} \in_R G^n$, $t \in_R G_T$ and $a_2, a_3, \ldots, a_n \in_R \mathbb{Z}_p$, and sets the public parameters
$PP := (p, G, G_T;\ g, g^{a_0}, g^{a}, g^{a_1} := (g^a, g^{a_2}, \ldots, g^{a_n}), t, t_1 := g^{b_1} = g^b)$,
so that implicitly $a_1 = (a, a_2, \ldots, a_n)$ and $b_1 = b$. For the given $ID_a, ID_b$, $B$ chooses $y_m \in_R \mathbb{Z}_p^n$, sets $g^u := g^c$, and computes $v_i = M_i y_m + x_i$ for $i \in \{a, b\}$, obtaining $v_a := (v_{a1}, v_{a2}, \ldots, v_{an})$ and $v_b := (v_{b1}, v_{b2}, \ldots, v_{bn})$, where $M_i$ is an $n \times n$ matrix and $x_i \in \mathbb{Z}_p^n$. $B$ then computes
$\alpha := \langle (v_{a2}, v_{a3}, \ldots, v_{an}), (a_2, a_3, \ldots, a_n)\rangle$ and $\beta := \langle (v_{b2}, v_{b3}, \ldots, v_{bn}), (a_2, a_3, \ldots, a_n)\rangle$.
Since
$r_{1,a} = e(g^{b_1\langle v_a, a_1\rangle}, g^u) = e(g,g)^{(v_{a1} a + \alpha) b_1 u} = (e(g,g)^{a b_1 u})^{v_{a1}} \cdot (e(g,g)^{b_1 u})^{\alpha} = (e(g,g)^{abc})^{v_{a1}} \cdot e(g^b, g^c)^{\alpha}$ and
$r_{1,b} = e(g^{b_1\langle v_b, a_1\rangle}, g^u) = e(g,g)^{(v_{b1} a + \beta) b_1 u} = (e(g,g)^{a b_1 u})^{v_{b1}} \cdot (e(g,g)^{b_1 u})^{\beta} = (e(g,g)^{abc})^{v_{b1}} \cdot e(g^b, g^c)^{\beta}$,
if $z = e(g,g)^{abc}$ then $r_{1,a} = z^{v_{a1}} \cdot e(g^b, g^c)^{\alpha}$ and $r_{1,b} = z^{v_{b1}} \cdot e(g^b, g^c)^{\beta}$. $B$ therefore computes $h(r_{1,a}) = h(z^{v_{a1}} \cdot e(g^b, g^c)^{\alpha})$ and $h(r_{1,b}) = h(z^{v_{b1}} \cdot e(g^b, g^c)^{\beta})$, chooses $R := (r_2, r_3, \ldots, r_n) \in \mathbb{Z}_p^{n-1}$ such that $\langle R_a, v_a\rangle \equiv \langle R_b, v_b\rangle$, hands $(PP, y_m, g^u, R, V_a, V_b)$ to $A$, and outputs the bit $\zeta \in \{0, 1\}$ that $A$ outputs. The advantage of $B$ against BDDH is as follows:
1) if $z = e(g,g)^{abc}$: $\Pr[B(x) = 1 : x \in_R P_{BDDH}] = \Pr[A(PP, y_m, g^u, R, V_a, V_b) = 1 : \langle R_a, v_a\rangle \equiv \langle R_b, v_b\rangle]$;
2) if $z \in_R G_T$: $\Pr[B(x) = 1 : x \in_R R_{BDDH}] = \Pr[A(PP, y_m, g^u, R, V_a, V_b) = 1 : \langle R_a, v_a\rangle \not\equiv \langle R_b, v_b\rangle]$;
$\Rightarrow \mathrm{BDDH\ Adv}_B(\lambda) := \left|\Pr[B(x) = 1 : x \in_R P_{BDDH}] - \Pr[B(x) = 1 : x \in_R R_{BDDH}]\right| = \left|\Pr[A(\ldots) = 1 : \langle R_a, v_a\rangle \equiv \langle R_b, v_b\rangle] - \Pr[A(\ldots) = 1 : \langle R_a, v_a\rangle \not\equiv \langle R_b, v_b\rangle]\right| \ge \epsilon$.
Under the assumption that BDDH is hard, $\mathrm{BDDH\ Adv}_B(\lambda)$ is a negligible function, so no algorithm $A$ with the non-negligible advantage $\epsilon$ above can exist.

Two observations justify the simulation. First, the algorithm Encrypt($PP, S, m$) shows that $\mathit{key}$, the message $m$ and $(c_1, c_2, c_3)$ are mutually independent, so $A$ does not need $(m, c_1, c_2, c_3)$ for its decision. Second, computing $\mathit{key}$ does not involve the public parameters $(g^{a_0}, g^a, t)$, so $B$ may choose $g^{a_0} \in_R G$, $g^a \in_R G^n$ and $t \in_R G_T$ directly instead of choosing $a_0 \in_R \mathbb{Z}_p$, $a \in_R \mathbb{Z}_p^n$, $b \in_R \mathbb{Z}_p$ and deriving $g^{a_0}, g^a, t = e(g,g)^b$.

The BDDH assumption is weaker than the BDDHE assumption: if an algorithm $A$ solves BDDH, then an algorithm $B$ solves BDDHE as follows. $B$ takes its instance $(g, G, G_T;\ g^{\alpha^{[0,n-1]}}, g^{\alpha^{[n+1,2n]}}, h, z)$, hands $(g, G, G_T;\ g^a := g^\alpha, g^b := g^{\alpha^{n-1}}, g^c := h, z)$ to $A$, and answers as $A$ does; if $A$ decides whether $z = e(g,g)^{abc}$ or $z \in_R G_T$, then $B$ decides whether $z = e(g,h)^{\alpha^n}$ or $z \in_R G_T$, because with these substitutions $e(g,g)^{abc} = e(g^{\alpha \cdot \alpha^{n-1}}, h) = e(g,h)^{\alpha^n}$.

The ciphertext $c$ does not directly reveal the target set $S$, and the proof above shows that without the keys $K_{V_a}, K_{V_b}$ it is hard to decide in polynomial time whether $\langle R_a, v_a\rangle \equiv \langle R_b, v_b\rangle$ or not. This also guarantees the secrecy of the $\mathit{key}$ that decrypts $x_e$: if some algorithm could find in polynomial time a $\mathit{key}$ with $\mathit{key} \equiv \langle R_i, v_i\rangle$ for some $i \in \{1, 2, \ldots, k\}$, it could decide whether $\langle R_a, v_a\rangle \equiv \langle R_b, v_b\rangle$. Hence, if $SE$ is a symmetric encryption scheme that is secure under an assumption no stronger than BDDHE (for instance BDDH), our system is secure under the assumption that the BDDHE problem is hard.

In an adaptive security game, $C$ may publish the public parameters first and $A$ chooses $S_0, S_1$ only at the challenge phase. [12] proposes the weaker semi-static security notion together with a generic transformation that turns a semi-static secure broadcast encryption system into an adaptively secure one; that transformation can also be applied to the system of this paper.
V. Conclusion
Based on Boneh's "Spatial Encryption", this paper designs a mechanism that hides the broadcast targets and obtains an anonymous identity-based generalized broadcast encryption system. The system can be applied to medical database systems that require dynamic assignment of the users allowed to decrypt. Assuming the BDDHE problem is hard, we proved the security of this anonymous broadcast encryption system in the standard model.
VI. Acknowledgments
This research was supported in part by Chunghwa Telecom Laboratories (grant TL-98-1501) and the National Science Council (grant NSC 97-2221-E-019-014); the authors gratefully acknowledge this support.

References
[1] N. Attrapadung and H. Imai, “Graph-decomposition-based frameworks for subset-cover broadcast encryption and efficient instantiations”, in Asiacrypt’05, LNCS 3788, pp. 100–120, 2005.
[2] N. Attrapadung, K. Kobara, and H. Imai, “Sequential key derivation patterns for broadcast encryption and key predistribution schemes”, in Asiacrypt’03, LNCS 2894, pp. 374–391, 2003.
[3] S. Berkovits, “How to broadcast a secret”, in Eurocrypt’91, LNCS 547, pp. 535–541, 1991.
[4] D. Boneh and X. Boyen, “Efficient selective-ID secure identity based encryption without random oracles”, in Eurocrypt’04, LNCS 3027, pp. 223–238, 2004.
[5] D. Boneh, X. Boyen, and E. Goh, “Hierarchical identity based encryption with constant size ciphertext”, in Eurocrypt’05, LNCS 3494, pp. 440–456, 2005.
[6] D. Boneh and M. K. Franklin, “Identity based encryption from the Weil pairing”, in SIAM Journal on Computing, 32(3), pp. 586–615, 2003.
[7] D. Boneh, C. Gentry, and B. Waters, “Collusion resistant broadcast encryption with short ciphertexts and private keys”, in Crypto’05, LNCS 3621, pp. 258–275, 2005.
[8] D. Boneh and M. Hamburg, “Generalized identity based and broadcast encryption schemes”, in Asiacrypt’08, LNCS 5350, pp. 455–470, 2008.
[9] S. W. Chang, “Generalized anonymous broadcast encryption scheme”, in http://140.121.140.23/cgi-bin/cdrfb3/gsweb.cgi?o=dstdcdr, 2009.
[10] A. Fiat and M. Naor, “Broadcast encryption”, in Crypto’93, LNCS 773, pp. 480–491, 1994.
[11] C. Gentry and A. Silverberg, “Hierarchical ID-based cryptography”, in Asiacrypt’02, LNCS 2501, pp. 548–566, 2002.
[12] C. Gentry and B. Waters, “Adaptive security in broadcast encryption systems”, in Eurocrypt’09, LNCS 5479, pp. 171–188, 2009.
[13] M. T. Goodrich, J. Z. Sun, and R. Tamassia, “Efficient tree-based revocation in groups of low-state devices”, in Crypto’04, LNCS 3152, pp. 511–527, 2004.
[14] J. Horwitz and B. Lynn, “Towards hierarchical identity-based encryption”, in Eurocrypt’02, LNCS 2332, pp. 466–481, 2002.
[15] R. Sakai and J. Furukawa, “Identity-based broadcast encryption”, in Cryptology ePrint Archive, Report 2007/217, available at http://eprint.iacr.org/2007/217.
[16] A. Shamir, “Identity-based cryptosystems and signature schemes”, in Crypto’84, LNCS 196, pp. 47–53, 1984.