Abstract
In related-key attacks (RKA), an attacker modifies a secret key stored in a device by tampering or fault injection and observes the evaluation output of the cryptographic algorithm based on this related key. In this work, we show that the dual system encryption methodology of Waters (Crypto 2009) fits well with RKA security. We apply simple modifications to a regularly-secure identity-based encryption (IBE) scheme (TCC 2010) constructed through dual system to achieve RKA security for rational functions, which is beyond the polynomial barrier of Bellare et al. ’s framework (Asiacrypt 2012). We achieve security by pushing the complexity of RKA directly down to the underlying intractability assumption. We also discuss how to extend it to a hierarchical IBE scheme that remains secure against RKA over identity-based secret keys beyond the master secret, albeit under some structural constraints.
Sherman S. M. Chow is supported by General Research Fund (CUHK 14209918) from Research Grant Council, and CUHK Project Impact Enhancement Fund (3133292). The authors would like to thank S. M. Yiu for his early support and comments.
Notes
1.
2. In the most optimistic case, our construction might turn out to remain secure against an even broader class of RKA attacks, but just no one has explicitly analyzed the hardness of the corresponding version of the assumption so far.
3. Special restrictions may also apply to existing schemes. For example, Goyal et al. [20] proposed selectively secure \(\varPhi \)-RKA secure signatures, where \(\varPhi \) are the set of polynomials which are distinct even “ignoring the constant term” (i.e., the difference between any two polynomials should not just be in the constant term).
4. Obviously, static assumptions are weaker than non-static counterparts.
5. This belongs to q-type assumptions, commonly known for more than a decade.
6. A random variable expressed in this way has degree t if the maximum degree of any variable is t [22].
7. The case that \(\mathsf {ID}^* \ne \mathsf {ID}_\ell \) and \(\mathsf {ID}^* = \mathsf {ID}_\ell \bmod p_2\) is eliminated by Game\(_{ res }\).
8. The case that \(\phi _\ell (\alpha ) \ne \alpha \) and \(\phi _\ell (\alpha ) = \alpha \bmod p_2\) can be eliminated by an extra game similar to Game\(_{ res }\) considering \(a + c \cdot \alpha \) modulo \(p_2\). We omit the repetitive details.
9. The case that \(\mathsf {id}^*_i \ne \mathsf {id}_i\) and \(\mathsf {id}^*_i = \mathsf {id}_i \bmod p_2\) is eliminated by Game\(_{ res }\).
10. The case that \(\phi _\ell (\alpha ) \ne \alpha \) and \(\phi _\ell (\alpha ) = \alpha \bmod p_2\) can be eliminated by an extra game similar to Game\(_{ res }\) considering \(a + c \cdot \alpha \) modulo \(p_2\). We omit the repetitive details.
References
Abdalla, M., Benhamouda, F., Passelègue, A.: Algebraic XOR-RKA-secure pseudorandom functions from post-zeroizing multilinear maps. In: Galbraith, S.D., Moriai, S. (eds.) ASIACRYPT 2019. LNCS, vol. 11922, pp. 386–412. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-34621-8_14
Bellare, M., Cash, D., Miller, R.: Cryptography secure against related-key attacks and tampering. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 486–503. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25385-0_26
Bellare, M., Paterson, K.G., Thomson, S.: RKA security beyond the linear barrier: IBE, encryption and signatures. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 331–348. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-34961-4_21
Biham, E.: New types of cryptanalytic attacks using related keys. J. Cryptol. 7(4), 229–246 (1994)
Biryukov, A., Khovratovich, D., Nikolić, I.: Distinguisher and related-key attack on the full AES-256. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 231–249. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-03356-8_14
Boneh, D., Boyen, X.: Efficient selective-ID secure identity-based encryption without random oracles. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 223–238. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24676-3_14
Boneh, D., Boyen, X., Goh, E.-J.: Hierarchical identity based encryption with constant size ciphertext. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 440–456. Springer, Heidelberg (2005). https://doi.org/10.1007/11426639_26
Boneh, D., Canetti, R., Halevi, S., Katz, J.: Chosen-ciphertext security from identity-based encryption. SIAM J. Comput. 36(5), 1301–1328 (2007)
Boyen, X.: General ad hoc encryption from exponent inversion IBE. In: Naor, M. (ed.) EUROCRYPT 2007. LNCS, vol. 4515, pp. 394–411. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-72540-4_23
Boyen, X.: The uber-assumption family. In: Galbraith, S.D., Paterson, K.G. (eds.) Pairing 2008. LNCS, vol. 5209, pp. 39–56. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-85538-5_3
Chen, Y., Qin, B., Zhang, J., Deng, Y., Chow, S.S.M.: Non-malleable functions and their applications. J. Cryptol. 35(11), 1–41 (2022)
Chow, S.S.M.: Removing escrow from identity-based encryption. In: Jarecki, S., Tsudik, G. (eds.) PKC 2009. LNCS, vol. 5443, pp. 256–276. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-00468-1_15
Chow, S.S.M., Franklin, M., Zhang, H.: Practical dual-receiver encryption. In: Benaloh, J. (ed.) CT-RSA 2014. LNCS, vol. 8366, pp. 85–105. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-04852-9_5
Chow, S.S.M., Russell, A., Tang, Q., Yung, M., Zhao, Y., Zhou, H.-S.: Let a non-barking watchdog bite: cliptographic signatures with an offline watchdog. In: Lin, D., Sako, K. (eds.) PKC 2019. LNCS, vol. 11442, pp. 221–251. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17253-4_8
Dauterman, E., Corrigan-Gibbs, H., Mazières, D., Boneh, D., Rizzo, D.: True2F: backdoor-resistant authentication tokens. In: IEEE Symposium on Security and Privacy (S&P), pp. 398–416. IEEE (2019)
Dodis, Y., Goldwasser, S., Tauman Kalai, Y., Peikert, C., Vaikuntanathan, V.: Public-key encryption schemes with auxiliary inputs. In: Micciancio, D. (ed.) TCC 2010. LNCS, vol. 5978, pp. 361–381. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-11799-2_22
Emura, K., Katsumata, S., Watanabe, Y.: Identity-based encryption with security against the KGC: a formal model and its instantiation from lattices. In: Sako, K., Schneider, S., Ryan, P.Y.A. (eds.) ESORICS 2019. LNCS, vol. 11736, pp. 113–133. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-29962-0_6
Fujisaki, E., Xagawa, K.: Efficient RKA-secure KEM and IBE schemes against invertible functions. In: Lauter, K., Rodríguez-Henríquez, F. (eds.) LATINCRYPT 2015. LNCS, vol. 9230, pp. 3–20. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-22174-8_1
Fujisaki, E., Xagawa, K.: Note on the RKA security of continuously non-malleable key-derivation function from PKC 2015. Crypto. ePrint 2015/1088 (2015)
Goyal, V., O’Neill, A., Rao, V.: Correlated-input secure hash functions. In: Ishai, Y. (ed.) TCC 2011. LNCS, vol. 6597, pp. 182–200. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-19571-6_12
Hofheinz, D., Jia, D., Pan, J.: Identity-based encryption tightly secure under chosen-ciphertext attacks. In: Peyrin, T., Galbraith, S. (eds.) ASIACRYPT 2018. LNCS, vol. 11273, pp. 190–220. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-03329-3_7
Katz, J., Sahai, A., Waters, B.: Predicate encryption supporting disjunctions, polynomial equations, and inner products. In: Smart, N. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 146–162. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-78967-3_9
Lewko, A., Rouselakis, Y., Waters, B.: Achieving leakage resilience through dual system encryption. In: Ishai, Y. (ed.) TCC 2011. LNCS, vol. 6597, pp. 70–88. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-19571-6_6
Lewko, A., Waters, B.: New techniques for dual system encryption and fully secure HIBE with short ciphertexts. In: Micciancio, D. (ed.) TCC 2010. LNCS, vol. 5978, pp. 455–479. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-11799-2_27
Maurer, U.: Abstract models of computation in cryptography. In: Smart, N.P. (ed.) Cryptography and Coding 2005. LNCS, vol. 3796, pp. 1–12. Springer, Heidelberg (2005). https://doi.org/10.1007/11586821_1
Qin, B., Liu, S., Yuen, T.H., Deng, R.H., Chen, K.: Continuous non-malleable key derivation and its application to related-key security. In: Katz, J. (ed.) PKC 2015. LNCS, vol. 9020, pp. 557–578. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46447-2_25
Schwartz, J.T.: Fast probabilistic algorithms for verification of polynomial identities. J. ACM 27(4), 701–717 (1980)
Shoup, V.: Lower bounds for discrete logarithms and related problems. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 256–266. Springer, Heidelberg (1997). https://doi.org/10.1007/3-540-69053-0_18
Waters, B.: Efficient identity-based encryption without random oracles. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 114–127. Springer, Heidelberg (2005). https://doi.org/10.1007/11426639_7
Waters, B.: Dual system encryption: realizing fully secure IBE and HIBE under simple assumptions. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 619–636. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-03356-8_36
Yuen, T.H., Chow, S.S.M., Zhang, Y., Yiu, S.M.: Identity-based encryption resilient to continual auxiliary leakage. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 117–134. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_9
Yuen, T.H., Zhang, C., Chow, S.S.M., Yiu, S.: Related randomness attacks for public key cryptosystems. In: Bao, F., Miller, S., Zhou, J., Ahn, G. (eds.) ACM AsiaCCS, pp. 215–223. ACM (2015)
Appendices
A Generic Security of Specific Cases of Our Assumption
This section justifies the security of our \(\varPhi \)-oracle DBDH assumption in the variant abstraction of Maurer [25]. This variant GGM model internally stores tuples denoting group elements. We consider a generic group whose order N is a composite of three distinct primes \(p_1p_2p_3\), a setting for which Boyen [10] has discussed a few caveats and justifications. The model internally stores two types of tuples, \((\mu _1, \mu _2, \mu _3)\) and \([\nu _1, \nu _2, \nu _3]\), where \(\mu _i, \nu _i \in [1, p_i]\), representing an element in the base group and in the target group, respectively. This computational model provides two types of operations, \(\mathsf {add}\) and \(\mathsf {mul}\), which add and multiply the tuples, representing the group operation and the pairing, respectively.
The \(\varPhi \)-oracle DBDH problem can be formalized as one to distinguish two black-box accesses \(\mathbf {B}\) and \(\mathbf {B'}\) of the same type but with a different distribution of the initial state. Specifically, for \(\mathbf {B}\), the model stores tuples
and for \(\mathbf {B'}\), the model stores tuples
The computational model offers an additional oracle \(\mathcal {O}\), which takes a polynomial \(f_i\) of degree at most d from \(\varPhi \) as input and stores \((f_i(\alpha ), w_{i, 1}, 0)\) and \((vf_i(\alpha ), w_{i, 2}, 0)\) in its state, where \(w_{i, 1}, w_{i, 2}\) are sampled uniformly from \([1, p_2]\). The adversary can make at most q \(\mathsf {add}\), \(\mathsf {mul}\), or \(\mathcal {O}\) queries to the model in total.
If no collision occurs in both \(\mathbf {B}\) and \(\mathbf {B'}\), the views of the adversary are trivially identical. Next, we bound the collision probability. In the former case of accessing \(\mathbf {B}\), the collision occurs in either the base group or the target group.
For the base group, it is obvious that the collision probability is bounded by \(q^2/p\) (based on an existing analysis [25]), where p is the minimum of \((p_1, p_2, p_3)\).
For the target group, when a collision occurs, the values in all three positions must be identical, which means the values in the second position (\({\bmod ~p_2}\)) must be identical. Note that any value in the second position is in the form of
i.e., a multivariate polynomial in the variables \((x, y, w_{1, 1}, w_{1, 2}, \ldots , w_{q, 1}, w_{q, 2})\) whose degree is bounded by 2. Therefore, using a lemma due to Schwartz [27], no collision occurs except with probability \(2q^2/p\).
Conditioned on there being no collision in the second position, any value in the first position is of the form
which is a multivariate polynomial in \((\alpha , s, v)\) whose degree is bounded by \(d+1\). Similarly [27], no collision occurs except with probability \(\frac{ (d+1)(q^2+q)+ 2q^2}{p}\). It is also evident that the collision probability in the latter case (accessing \(\mathbf {B'}\)) is bounded by that of the former one (the black-box access to \(\mathbf {B}\)). Thus, the advantage against our assumption above is bounded by \(\frac{(d+1)(q^2+q)+ 3q^2}{p}\), which is negligible.
The non-interactive version of the assumption can be analyzed in this GGM similarly. Applying an analogous analysis (which we skip due to the space limit), the function family \(\varPhi \) can be easily extended to rational functions, as long as the degrees of their denominators are also bounded. This stems from an idea of Boyen [10], which notationally replaces a rational exponent with a polynomial multiplied with the (non-zero) least common multiple of all denominators.
B Security Proofs
1.1 Proof of Theorem 2
Proof
We prove by a hybrid argument using a sequence of games. The first game Game\(_{ real }\) is the real \(\varPhi \)-RKA IND-ID-CPA game. We denote the challenge identity by \(\mathsf {ID}^*\). The second game Game\(_{ res }\) is the same as Game\(_{ real }\), except that the adversary cannot ask for the secret key of any identity \(\mathsf {ID}= \mathsf {ID}^* \bmod p_2\). This restriction will be retained throughout the subsequent games. Let q be the number of extraction oracle queries. For \(k = 0\) to q, we define Game\(_k\) as:
Game\(_{k}\): It is the same as Game\(_{ res }\), except that the challenge ciphertext is semi-functional (SF), and the keys used to answer the first k oracle queries are SF. The keys for the rest of the queries are normal.
As a result, in Game\(_{0}\), all keys are normal and the challenge ciphertext is SF. In Game\(_{q}\), all keys and the challenge ciphertext are SF. We defer to the lemmas below to prove the indistinguishability between these games.
The last game is Game\(_{ final }\), which is the same as Game\(_{q}\) except that the challenge ciphertext is a semi-functional ciphertext encrypting a random message instead of one of the two challenge messages. In Game\(_{ final }\), the value of \(b'\) is information-theoretically hidden from \(\mathcal {A}\). Hence \(\mathcal {A}\) has no advantage in winning Game\(_{ final }\). We will prove below that if Assumptions 1, 2, and the \(\varPhi \)-oracle DBDH assumption hold, then Game\(_{ real }\) is indistinguishable from Game\(_{ final }\). \(\square \)
Lemma 1
We can construct an algorithm \(\mathcal {B}\) with a non-negligible advantage in breaking Assumption 1 or Assumption 2 if there exists an adversary \(\mathcal {A}\) such that \( Adv _\mathcal {A}(\mathrm {Game}_{ real }) - Adv _\mathcal {A}(\mathrm {Game}_{ res }) = \epsilon \).
The proof of Lemma 1 is easy (e.g., see [24, 30]) and is omitted.
Lemma 2
We can construct an algorithm \(\mathcal {B}\) with advantage \(\epsilon \) in breaking Assumption 1 if there exists \(\mathcal {A}\) such that \( Adv _\mathcal {A}(\mathrm {Game}_{ res }) - Adv _\mathcal {A}(\mathrm {Game}_{0}) = \epsilon \).
Proof
Given \((g, X_3, T)\) from Assumption 1, \(\mathcal {B}\) can simulate Game\(_{ res }\) or Game\(_{0}\). \(\mathcal {B}\) chooses random \(a,b,c,\alpha \in \mathbb {Z}_N\), \(h_1 \in \mathbb {G}_{p_1}\). \(\mathcal {B}\) sets \(g_1 = g, h_1 = g^a, u_1 = g^b, v_1 = g^c, g_3 = X_3\). \(\mathcal {B}\) generates the rest of \(\mathsf {mpk}\) according to \(\mathsf {Setup}\) and sets \(\mathsf {msk}= \alpha \).
For the RKA-extraction oracle queries \((\phi , \mathsf {ID})\), \(\mathcal {B}\) returns \(\mathsf {Extract}(\phi (\mathsf {msk}), \mathsf {ID})\). Note that \(\mathcal {B}\) can check if \(\phi (\alpha ) = \alpha \) using the knowledge of \(\alpha \).
In the challenge phase, \(\mathcal {A}\) sends \(\mathcal {B}\) two messages \(M^*_0, M^*_1\), and an identity \(\mathsf {ID}^*\). \(\mathcal {B}\) randomly picks a bit \(b' \in \{0, 1\}\). \(\mathcal {B}\) calculates the challenge ciphertext as:
If \({T} = g^s \), this is a normal ciphertext, and hence \(\mathcal {B}\) simulates Game\(_{ res }\). If \({T} = g^s Y_2\), this is an SF ciphertext with \(\hat{g}_2 = {Y}_2, \hat{g}_2^{\delta } = {Y}_2^{a+b \mathsf {ID}^* +c\alpha }\); and \(\mathcal {B}\) simulates Game\(_{0}\) with \(\delta = a+b \mathsf {ID}^* +c\alpha \). The values of \(a, b, c, \alpha \bmod p_2\) are not correlated with the corresponding values modulo \(p_1\) by the Chinese remainder theorem. If \(\mathcal {A}\) can distinguish between Game\(_{ res }\) and Game\(_{0}\), \(\mathcal {B}\) can break Assumption 1. \(\square \)
Lemma 3
We can construct an algorithm \(\mathcal {B}\) which breaks Assumption 2 with advantage \(\epsilon \) if there exists \(\mathcal {A}\) such that \( Adv _\mathcal {A}(\mathrm {Game}_{\ell -1}) - Adv _\mathcal {A}(\mathrm {Game}_{\ell }) = \epsilon \).
Proof
Given \((g, X_1{X}_2, X_3, Y_2Y_3, T)\) from Assumption 2, \(\mathcal {B}\) can simulate Game\(_{\ell -1}\) or Game\(_{\ell }\). \(\mathcal {B}\) chooses random \(a, b, c, \alpha \in \mathbb {Z}_N\), sets \(g_1 = g, h_1 = g^a, u_1 = g^b, v_1 = g^c\), and \(g_3 = X_3\), and generates the rest of \(\mathsf {mpk}\) and \(\mathsf {msk}= \alpha \) according to \(\mathsf {Setup}\).
For the k-th distinct RKA-extraction oracle query on \(\mathsf {ID}_k\) and \(\phi _k\), \(\mathcal {B}\) can compute \(\phi _k(\alpha )\) and check if \(\phi _k(\alpha ) = \alpha \) using the knowledge of \(\alpha \).
- If \(k < \ell \), \(\mathcal {B}\) returns \(\mathsf {Extract}(\phi _k(\mathsf {msk}), \mathsf {ID}_k)\).
- If \(k > \ell \), \(\mathcal {B}\) calculates \((K_1, K_2) \leftarrow \mathsf {Extract}(\phi _k(\mathsf {msk}), \mathsf {ID}_k)\) using \(\mathsf {msk}\). \(\mathcal {B}\) randomly picks \(\gamma _1, \gamma _2 \in \mathbb {Z}_N\) and returns the (related) SF key:
$$ {K'_1} = {K_1} \cdot (Y_2Y_3)^{{\gamma }_1}, \quad K'_2 = K_2 \cdot (Y_2Y_3)^{\gamma _2}. $$
This is semi-functional. By the Chinese remainder theorem, the values of \({\gamma _1}, \gamma _2\) modulo \(p_2\) and modulo \(p_3\) are not correlated.
- If \(k = \ell \), \(\mathcal {B}\) chooses random \(X'_3, X''_3 \in \mathbb {G}_{p_3}\) and returns the (related) key:
$$ K_1 = g_1^{\phi _\ell (\alpha )} \cdot T^{a + b \cdot \mathsf {ID}_\ell + c \cdot \phi _\ell (\alpha )} \cdot X'_3, \quad K_2 = T \cdot X''_3. $$
If \(T =Z_1Z_3 \in \mathbb {G}_{p_1p_3}\) where \(Z_i \in \mathbb {G}_{p_i}\), it is a normal key with \(g^{r} = Z_1\). Hence \(\mathcal {B}\) simulates Game\(_{\ell -1}\). If \(T = Z_1 Z_2 Z_3 \in \mathbb {G}\), it is an SF key with \(\bar{g}_2 = Z_2\) and \(\bar{g}_2 ^{{\gamma }} = Z_2^{a + b \cdot \mathsf {ID}_\ell + c\cdot \phi _\ell (\alpha )}\). Hence \(\mathcal {B}\) simulates Game\(_{\ell }\). Note that the value of \({\gamma } \bmod p_2\) is not correlated with the values of a, b, c, and \(\alpha \) modulo \(p_1\).
In the challenge phase, \(\mathcal {A}\) sends \(\mathcal {B}\) two messages \(M^*_0, M^*_1\), and an identity \(\mathsf {ID}^*\). \(\mathcal {B}\) chooses a random bit \(b' \in \{0, 1\}\) and calculates the challenge ciphertext:
It is an SF ciphertext with \(\hat{g}_2 = {X}_2\) and \(\hat{g}_2^{\delta } = X_2^{a + b \cdot \mathsf {ID}^* + c \cdot \alpha }\). If the \(\ell \)-th SF key is created for decrypting the challenge ciphertext, i.e., \(\mathsf {ID}_\ell = \mathsf {ID}^*\) and \(\phi _\ell (\alpha ) = \alpha \), its \(\gamma \) factor becomes \(\delta = a + b \cdot \mathsf {ID}^* + c\cdot \alpha \), so it is a nominally semi-functional key which will always decrypt the challenge ciphertext.
Finally, we have to consider the view of the adversary in Game\(_\ell \). The value of \({\delta } = a + b \cdot \mathsf {ID}^* + c \cdot \alpha \bmod p_2\) is uncorrelated to \(\gamma = a + b \cdot \mathsf {ID}_\ell + c \cdot \phi _\ell (\alpha )\) since \(a, b, c, \alpha \) are only known modulo \(p_1\) and:
- Case 1: \(\mathsf {ID}^* \ne \mathsf {ID}_\ell \). Then \(a + b \cdot \mathsf {ID}_\ell \) is uncorrelated (Footnote 7) to \(a + b \cdot \mathsf {ID}^*\) modulo \(p_2\). It implies \(\gamma \) is uncorrelated to \(\delta \) since \(a, b, c, \alpha \) are randomly chosen from \(\mathbb {Z}_N\).
- Case 2: \(\mathsf {ID}^* = \mathsf {ID}_\ell \) and \(\phi _\ell (\alpha ) \ne \alpha \). Then \(a + c \cdot \phi _\ell (\alpha )\) is uncorrelated to \(a + c \cdot \alpha \) modulo \(p_2\) (Footnote 8). It implies \(\gamma \) is uncorrelated to \(\delta \) since \(a, b, c, \alpha \) are randomly chosen from \(\mathbb {Z}_N\).
By the definition of the security model, the adversary cannot make a query with \(\mathsf {ID}^* = \mathsf {ID}_\ell \) and \(\phi _\ell (\alpha ) = \alpha \).
So, \(\mathcal {B}\) can break Assumption 2 if \(\mathcal {A}\) can distinguish Game\(_{\ell -1}\) and Game\(_\ell \). \(\square \)
Lemma 4
Given an adversary \(\mathcal {A}\) such that \( Adv _\mathcal {A}(\mathrm {Game}_{q}) - Adv _\mathcal {A}(\mathrm {Game}_{ final }) = \epsilon \), we can construct an algorithm \(\mathcal {B}\) with advantage \(\epsilon \) in breaking the \(\varPhi \)-oracle DBDH assumption.
Proof
Given \((g, g^\alpha X_{2}, X_3, g^s Y_2, Z_2, v, v^\alpha , v^{\alpha s}, T)\) and accesses to an oracle \(\mathcal {O}\) from the \(\varPhi \)-oracle DBDH assumption, \(\mathcal {B}\) chooses random \(a, b \in \mathbb {Z}_N\) and sets
\(\mathcal {B}\) implicitly sets \(\mathsf {msk}= \alpha \). \(\mathcal {B}\) sends the master public key \(\mathsf {mpk}\) to \(\mathcal {A}\).
\(\mathcal {B}\) can calculate the semi-functional secret key as follows. \(\mathcal {B}\) randomly picks \(r \in \mathbb {Z}_N\), \(R_2, R'_2 \in \mathbb {G}_{p_2}\), and \(R_3, R'_3 \in \mathbb {G}_{p_3}\), and returns:
If it is a related-key query with input \(\phi \), then \(\mathcal {B}\) asks \(\mathcal {O}(\phi )\) to obtain the related key \((g^{\phi (\alpha )} W_2, v_1^{\phi (\alpha )} V_2)\). \(\mathcal {B}\) can answer all extraction oracle queries by:
Note that \(\mathcal {B}\) can check if \(\phi (\alpha ) = \alpha \) by checking whether \(\frac{g^{\phi (\alpha )} W_2}{g^\alpha X_2}\) lies in the subgroup \(\mathbb {G}_{p_2}\), i.e., has no \(\mathbb {G}_{p_1}\) or \(\mathbb {G}_{p_3}\) component. This is easily doable using \(g \in \mathbb {G}_{p_1}\) and \(X_3 \in \mathbb {G}_{p_3}\).
Finally, \(\mathcal {B}\) picks a random bit b and calculates the SF challenge ciphertext:
If \(T = \hat{e}(g, g)^{a s}\), \(\mathcal {B}\) simulates Game\(_q\); Game\(_{ final }\) otherwise. If \(\mathcal {A}\) can distinguish between these two, \(\mathcal {B}\) can break the \(\varPhi \)-oracle DBDH assumption. \(\square \)
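Two pieces of composite-order group structure carry much of the weight in the appendices: the generic-group model of Appendix A (elements stored as exponent tuples \((\mu _1, \mu _2, \mu _3)\) with \(\mathsf {add}\) as the group operation and \(\mathsf {mul}\) as the pairing) and the subgroup-membership test that \(\mathcal {B}\) performs in the proof of Lemma 4 using \(g \in \mathbb {G}_{p_1}\) and \(X_3 \in \mathbb {G}_{p_3}\). The following Python block is an added illustration of both; it is not code from the paper or its authors. It models the tuple group of Appendix A directly, runs the simulator's check on a constructed related-key query, and reconstructs an exponent from its residues to show the Chinese-remainder fact behind the recurring "values modulo \(p_2\) are not correlated with values modulo \(p_1\)" argument. The primes, \(\alpha \), the subgroup elements and all function names are toy values and names chosen here, not parameters from the paper.

```python
# Added toy model of the composite-order generic group of Appendix A (not the
# paper's code).  A base-group element is an exponent tuple (mu1, mu2, mu3) with
# mu_i in Z_{p_i}, taken relative to fixed generators of the prime-order subgroups
# G_{p1}, G_{p2}, G_{p3}; a target-group element is a tuple [nu1, nu2, nu3].
# 'add' models the group operation and 'mul' models the pairing, the two
# operations of the model.  Primes are constructed toy values.
import random

P = (101, 103, 107)          # constructed toy primes p1, p2, p3
N = P[0] * P[1] * P[2]       # composite group order N = p1 * p2 * p3


def elem(mu1, mu2, mu3):
    """Canonical representative of an exponent tuple (reduce each slot mod p_i)."""
    return (mu1 % P[0], mu2 % P[1], mu3 % P[2])


def add(x, y):
    """Group operation on base-group elements: exponents add componentwise."""
    return elem(x[0] + y[0], x[1] + y[1], x[2] + y[2])


def power(x, k):
    """x^k for an integer k (k may be negative): exponents scale componentwise."""
    return elem(x[0] * k, x[1] * k, x[2] * k)


def mul(x, y):
    """Pairing e(x, y): exponents multiply componentwise into the target group."""
    return elem(x[0] * y[0], x[1] * y[1], x[2] * y[2])


ONE_T = elem(0, 0, 0)        # identity of the target group
G1 = elem(1, 0, 0)           # the generator g of G_{p1}


def random_in(subgroups):
    """Uniform non-identity element of the product of the listed subgroups
    (indices 0, 1, 2 stand for G_{p1}, G_{p2}, G_{p3})."""
    return elem(*[random.randrange(1, P[i]) if i in subgroups else 0
                  for i in range(3)])


def has_only_p2_component(y, g, x3):
    """The test from the proof of Lemma 4: y lies in G_{p2} (no G_{p1} or G_{p3}
    part) iff it pairs trivially with both g in G_{p1} and X_3 in G_{p3}, because
    distinct prime-order subgroups are orthogonal under the pairing."""
    return mul(y, g) == ONE_T and mul(y, x3) == ONE_T


def simulator_detects_fixed_point(alpha, phi, g, x2, w2, x3):
    """Simulate B's check: given g^alpha * X_2 from the assumption and the oracle
    reply g^phi(alpha) * W_2, divide them and test whether the quotient is in G_{p2}.
    Only the G_{p1} slot carries alpha, so the test sees phi(alpha) modulo p1."""
    masked_alpha = add(power(g, alpha), x2)        # g^alpha X_2
    masked_phi = add(power(g, phi(alpha)), w2)     # g^phi(alpha) W_2 from O(phi)
    quotient = add(masked_phi, power(masked_alpha, -1))
    return has_only_p2_component(quotient, g, x3)


def crt(residues):
    """Chinese remainder theorem: the unique alpha in Z_N with alpha = r_i mod p_i.
    Since alpha -> (alpha mod p1, alpha mod p2, alpha mod p3) is a bijection, a
    uniform alpha in Z_N has independent uniform residues: this is why exponents
    known only modulo p1 say nothing about their values modulo p2 in the proofs."""
    total = 0
    for r, p in zip(residues, P):
        m = N // p
        total += r * m * pow(m, -1, p)
    return total % N


if __name__ == "__main__":
    random.seed(1)
    alpha = random.randrange(N)                    # constructed master secret
    x2, w2, x3 = random_in((1,)), random_in((1,)), random_in((2,))
    print(simulator_detects_fixed_point(alpha, lambda a: a, G1, x2, w2, x3))
    print(simulator_detects_fixed_point(alpha, lambda a: a + 1, G1, x2, w2, x3))
    # A shift by p1 is invisible to the test: it equals the identity modulo p1.
    print(simulator_detects_fixed_point(alpha, lambda a: a + P[0], G1, x2, w2, x3))
    print(crt((alpha % P[0], alpha % P[1], alpha % P[2])) == alpha)
```

The third call in the demo is the caveat worth keeping in mind: the quotient test distinguishes \(\phi (\alpha )\) from \(\alpha \) only modulo the order of g, which is the same kind of modulus mismatch that Footnotes 8 and 10 handle with an extra game modulo \(p_2\).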
1.2 Proof of Theorem 3
Proof
We prove by a hybrid argument using a sequence of games. The first game Game\(_{ real }\) is the real \((\varPhi _e, \varPhi _d)\)-RKA IND-ID-CPA game, and we denote the challenge identity by \(\mathsf {ID}^* = (\mathsf {id}^*_1, \ldots , \mathsf {id}^*_{j^*})\).
The second game Game\(_{ res }\) is the same as Game\(_{ real }\), except that the adversary cannot ask for keys for identities which are prefixes of \(\mathsf {ID}^*\) modulo \(p_2\), for both the extraction oracle \(\mathcal {E}\mathcal {O}\) and the delegation oracle \(\mathcal {D}\mathcal {O}\). This restriction will be retained throughout the subsequent games. We use q to denote the number of distinct \(\mathsf {ID}\) queries to \(\mathcal {E}\mathcal {O}\) and \(\mathcal {D}\mathcal {O}\). For \(k = 0\) to q, we define Game\(_k\) as:
Game\(_{k}\): It is the same as Game\(_{ res }\), except that the challenge ciphertext is SF, and the keys used to answer the first k oracle queries are SF. The keys for the rest of the queries are normal.
As a result, in Game\(_{0}\), all keys are normal and the challenge ciphertext is SF. In Game\(_{q}\), all keys and the challenge ciphertext are SF.
The last game is Game\(_{ final }\), which is the same as Game\(_{q}\) except that the challenge ciphertext is an SF encryption of a random message.
The following lemmas prove the indistinguishability between these games.
Lemma 5
When given an adversary \(\mathcal {A}\) with \( Adv _\mathcal {A}(\mathrm {Game}_{ real }) - Adv _\mathcal {A}(\mathrm {Game}_{ res })= \epsilon \), we can construct an algorithm \(\mathcal {B}\) with a non-negligible advantage in breaking Assumptions 1 or 2.
The proof of Lemma 5 is easy and is omitted.
Lemma 6
We can construct an algorithm \(\mathcal {B}\) with advantage \(\epsilon \) in breaking Assumption 1 if there exists \(\mathcal {A}\) such that \( Adv _\mathcal {A}(\mathrm {Game}_{ res }) - Adv _\mathcal {A}(\mathrm {Game}_{0}) = \epsilon \).
Proof
Given \((g, X_3, T)\) from Assumption 1, \(\mathcal {B}\) can simulate Game\(_{ res }\) or Game\(_{0}\) with \(\mathcal {A}\). \(\mathcal {B}\) uses the bilinear group context from the assumption for the public system parameters, and chooses random \(a,b_1, \ldots , b_H, c, \alpha \in \mathbb {Z}_N\), \(h_1 \in \mathbb {G}_{p_1}\). \(\mathcal {B}\) sets \(g_1 = g, h_1 = g^a, u_1 = g^{b_1}, \ldots , u_H= g^{b_H}, v_1 = g^c, g_3 = X_3\). \(\mathcal {B}\) generates the rest of \(\mathsf {mpk}\) according to \(\mathsf {Setup}\) and sets \(\mathsf {msk}= \alpha \).
For the RKA-extraction oracle queries \((\phi , \mathsf {ID})\), \(\mathcal {B}\) returns \(\mathsf {Extract}(\phi (\mathsf {msk}), \mathsf {ID})\). Note that \(\mathcal {B}\) can check if \(\phi (\alpha ) = \alpha \) using the knowledge of \(\alpha \).
In the challenge phase, \(\mathcal {A}\) sends \(\mathcal {B}\) two messages \(M^*_0, M^*_1\), and an identity \(\mathsf {ID}^* = (\mathsf {id}^*_1, \ldots , \mathsf {id}^*_{j^*})\). \(\mathcal {B}\) picks a random bit \(b'\) and derives the challenge ciphertext:
If \({T} = g^s \), this is a normal ciphertext, and hence \(\mathcal {B}\) simulates Game\(_{ res }\). If \({T} = g^s Y_2\), this is an SF ciphertext with \(\hat{g}_2 = {Y}_2, \hat{g}_2^{\delta } = {Y}_2^{a+\sum _{i=1}^{j^*} b_i \mathsf {id}^*_i +c\alpha }\); and hence \(\mathcal {B}\) simulates Game\(_{0}\) with \(\delta = a+ \sum _{i=1}^{j^*} b_i \mathsf {id}^*_i+c\alpha \). By the Chinese remainder theorem, the values of \(a, b_1, \ldots , b_j, c, \alpha \bmod p_2\) are not correlated with the corresponding values modulo \(p_1\). Therefore, if \(\mathcal {A}\) can distinguish between Game\(_{ res }\) and Game\(_{0}\), \(\mathcal {B}\) can break Assumption 1 with the same probability. \(\square \)
Lemma 7
We can construct an algorithm \(\mathcal {B}\) with advantage \(\epsilon \) in breaking Assumption 2 if there exists \(\mathcal {A}\) such that \( Adv _\mathcal {A}(\mathrm {Game}_{\ell -1}) - Adv _\mathcal {A}(\mathrm {Game}_{\ell }) = \epsilon \).
Proof
Given \((g, X_1{X}_2, X_3, Y_2Y_3, T)\) from Assumption 2, \(\mathcal {B}\) can simulate Game\(_{\ell -1}\) or Game\(_{\ell }\) with \(\mathcal {A}\). \(\mathcal {B}\) chooses random \(a, b_1, \ldots , b_H, c, \alpha \in \mathbb {Z}_N\). Like in the proof of the last lemma, \(\mathcal {B}\) sets \(g_1 = g, h_1 = g^a, u_1 = g^{b_1}, \ldots , u_H= g^{b_H}, v_1 = g^c\), and \(g_3 = X_3\). \(\mathcal {B}\) generates the rest of \(\mathsf {mpk}\) according to \(\mathsf {Setup}\) and sets \(\mathsf {msk}= \alpha \).
For the k-th distinct RKA-extraction oracle query on \(\mathsf {ID}_k = (\mathsf {id}_1, \ldots , \mathsf {id}_j)\) and \(\phi _k\), \(\mathcal {B}\) can check if \(\phi _k(\alpha ) = \alpha \) by the knowledge of \(\alpha \).
- If \(k < \ell \), \(\mathcal {B}\) returns \(\mathsf {Extract}(\phi _k(\mathsf {msk}), \mathsf {ID}_k)\).
- If \(k > \ell \), \(\mathcal {B}\) derives \((K_1, K_2, D_{j+1}, \ldots , D_H) \leftarrow \mathsf {Extract}(\phi _k(\mathsf {msk}), \mathsf {ID}_k)\) using \(\mathsf {msk}\). \(\mathcal {B}\) randomly picks \(\gamma _1, \gamma _2, \gamma '_{j+1}, \ldots , \gamma '_H\in \mathbb {Z}_N\) and returns the (related) SF key:
$$ {{K}'_1} = {K_1} \cdot (Y_2Y_3)^{{\gamma }_1}, \quad {K}'_2 = K_2 \cdot (Y_2Y_3)^{\gamma _2}, \quad \{{D}'_{i} = D_{i} \cdot (Y_2Y_3)^{\gamma '_{i}}\}_{\forall i \in \{j+1, \ldots , H\}}. $$
This is semi-functional. By the Chinese remainder theorem, the values of \({\gamma _1}, \gamma _2, \gamma '_{j+1}, \ldots , \gamma '_H\) modulo \(p_2\) and modulo \(p_3\) are not correlated.
- If \(k = \ell \), \(\mathcal {B}\) chooses random \(X'_3, X''_3, X_{3, j+1}, \ldots , X_{3, H} \in \mathbb {G}_{p_3}\) and returns the (related) key:
$$ K_1 = g_1^{\phi _\ell (\alpha )} T^{a + \sum _{i=1}^j b_i \mathsf {id}_i + c \phi _\ell (\alpha )} X'_3, \quad K_2 = T X''_3, \quad \{D_{i} = T^{b_{i}} X_{3, i}\}_{\forall i \in \{j+1, \ldots , H\}}. $$
If \(T =Z_1Z_3 \in \mathbb {G}_{p_1p_3}\) where \(Z_i \in \mathbb {G}_{p_i}\), it is a normal key with \(g^{r} = Z_1\). Hence \(\mathcal {B}\) simulates Game\(_{\ell -1}\). If \(T = Z_1 Z_2 Z_3 \in \mathbb {G}\), it is an SF key with \(\bar{g}_2 = Z_2\), \(\bar{g}_2 ^{{\gamma }} = Z_2^{a + \sum _{i=1}^j b_i \mathsf {id}_i + c \phi _\ell (\alpha )}\), \(\bar{g}_2 ^{{\gamma '_{j+1}}} = Z_2^{b_{j+1}}, \ldots , \bar{g}_2 ^{{\gamma '_{H}}} = Z_2^{b_{H}}\). Hence \(\mathcal {B}\) simulates Game\(_{\ell }\). Again, note that the values of \({\gamma }, \gamma '_{j+1}, \ldots , \gamma '_H\bmod p_2\) are not correlated with the values of \(a,b_1, \ldots , b_H, c\) and \(\alpha \) modulo \(p_1\).
For the k-th distinct RKA-delegation query on \(\mathsf {ID}_k = (\mathsf {id}_1, \ldots , \mathsf {id}_{j-1}, \mathsf {id}_{j})\) and \(\phi _{k} = (\varphi _1, \varphi _2, \varphi '_{j}, \ldots , \varphi '_H)\):
- If \(k < \ell \), \(\mathcal {B}\) calculates \((K_1, K_2, D_{j}, \ldots , D_H) \leftarrow \mathsf {Extract}(\mathsf {msk}, (\mathsf {id}_1, \ldots , \mathsf {id}_{j-1}))\). \(\mathcal {B}\) returns \(\mathsf {Delegate}(\mathsf {mpk}, (\varphi _1(K_1), \varphi _2(K_2), \varphi '_j(D_{j}), \ldots , \varphi '_{H}(D_H)), \mathsf {id}_{j})\).
- If \(k > \ell \), \(\mathcal {B}\) calculates \(\mathsf {sk}'_{\mathsf {ID}_k}\) as above. Denote \(\mathsf {sk}'_{\mathsf {ID}_k} = (\tilde{K}_1, \tilde{K}_2, \tilde{D}_{j+1}, \ldots , \tilde{D}_{H})\). \(\mathcal {B}\) randomly picks \(\gamma _1, \gamma _2, \gamma '_{j+1}, \ldots , \gamma '_H\in \mathbb {Z}_N\) and returns the (related) SF key:
$$ {{K}'_1} = {\tilde{K}_1} \cdot (Y_2Y_3)^{{\gamma }_1}, \quad {K}'_2 = \tilde{K}_2 \cdot (Y_2Y_3)^{\gamma _2}, \quad \{D'_{i} = \tilde{D}_{i} \cdot (Y_2Y_3)^{\gamma '_{i}}\}_{\forall i \in \{j+1, \ldots , H\}}. $$
- If \(k = \ell \), \(\mathcal {B}\) picks \(X'_3, X''_3, X_{3, j}, \ldots , X_{3, H} \in \mathbb {G}_{p_3}\) and returns the (related) key:
$$ K_1 = g_1^{\alpha } \cdot T^{a + \sum _{i=1}^{j-1} b_i \mathsf {id}_i + c \alpha } \cdot X'_3, ~ K_2 = T \cdot X''_3, ~ \{D_{i} = T^{b_{i}} \cdot X_{3, i}\}_{\forall i \in \{j, \ldots , H\}}. $$
\(\mathcal {B}\) returns \(\mathsf {Delegate}(\mathsf {mpk}, (\varphi _1(K_1), \varphi _2(K_2), \varphi '_{j}(D_{j}), \ldots , \varphi '_{H}(D_H)), \mathsf {id}_{j})\). If \(T =Z_1Z_3 \in \mathbb {G}_{p_1p_3}\) where \(Z_i \in \mathbb {G}_{p_i}\), it is a normal key with \(g^{r} = Z_1\). Hence \(\mathcal {B}\) simulates Game\(_{\ell -1}\). If \(T = Z_1 Z_2 Z_3 \in \mathbb {G}\), it is a related SF key with \(\bar{g}_2 = \varphi _2(Z_2)\) due to the isomorphic property of \(\varphi _2\), \(\bar{g}_2 ^{{\gamma }} = \varphi _1(Z_2^{a + \sum _{i=1}^{j-1} b_i \mathsf {id}_i + c \cdot \alpha }) \cdot \varphi '_j(Z_2^{\mathsf {id}_{j} b_{j}})\), \(\bar{g}_2 ^{{\gamma '_{j+1}}} = \varphi '_{j+1}(Z_2^{b_{j+1}}), \ldots \), and \(\bar{g}_2 ^{{\gamma '_{H}}} = \varphi '_H(Z_2^{b_{H}})\). Hence \(\mathcal {B}\) simulates Game\(_{\ell }\). Again, note that the values of \({\gamma }, \gamma '_{j+1}, \ldots , \gamma '_H\bmod p_2\) are not correlated with the values of \(a,b_1, \ldots , b_H, c\), and \(\alpha \) modulo \(p_1\).
\(\mathcal {A}\) sends \(\mathcal {B}\) two messages \(M^*_0, M^*_1\) and an identity \(\mathsf {ID}^* = (\mathsf {id}^*_1, \ldots , \mathsf {id}^*_{j^*})\) in the challenge phase. \(\mathcal {B}\) picks a random bit \(b'\) and derives the challenge ciphertext:
It is an SF ciphertext with \(\hat{g}_2 = {X}_2\) and \(\hat{g}_2^{\delta } = X_2^{a + \sum _{i=1}^{j^*} b_i \mathsf {id}^*_i + c \cdot \alpha }\). Recall that the \(\gamma \) factor of the \(\ell \)-th SF key equals \(\delta \) when the key is for the same identity vector and \(\phi _\ell \) is the identity function (i.e., when the key can decrypt the challenge ciphertext); such a key is nominally semi-functional and always decrypts the challenge ciphertext. If the \(\ell \)-th oracle query is for the extraction oracle, the value of \({\delta } = a + \sum _{i=1}^{j^*} b_i \mathsf {id}^*_i + c \cdot \alpha \bmod p_2\) is uncorrelated with \(\gamma = a + \sum _{i=1}^j b_i \mathsf {id}_i + c \cdot \phi _\ell (\alpha ) \bmod p_2\), since \(a, b_1, \ldots , b_H, c, \alpha \) are only known modulo \(p_1\) and:
- Case 1: \(\mathsf {ID}_\ell \) is not a prefix of \(\mathsf {ID}^*\). Then either \(j > j^*\), or there exists some \(i \in [1, \min (j, j^*)]\) such that \(\mathsf {id}^*_i \ne \mathsf {id}_i\). In the latter case, \(a + b_i \cdot \mathsf {id}_i\) is uncorrelated (footnote 9) with \(a + b_i \cdot \mathsf {id}^*_i\) modulo \(p_2\). In the former case, the term \(b_{j^*+1} \mathsf {id}_{j^*+1}\) appears in \(\gamma \) but not in \(\delta \), and it is uncorrelated with \(\delta \) modulo \(p_2\) provided \(\mathsf {id}_{j^*+1} \not \equiv 0 \pmod {p_2}\). Either way, \(\gamma \) is uncorrelated with \(\delta \) since \(a\) and the \(b_i\) are randomly chosen from \(\mathbb {Z}_N\) and only their residues modulo \(p_1\) are used elsewhere in the simulation.
- Case 2: \(\mathsf {ID}_\ell \) is a prefix of \(\mathsf {ID}^*\) and \(\phi _\ell (\alpha ) \ne \alpha \). Then \(a + c \cdot \phi _\ell (\alpha )\) is uncorrelated (footnote 10) with \(a + c \cdot \alpha \) modulo \(p_2\), and hence \(\gamma \) is uncorrelated with \(\delta \), since \(a, c\) are random elements of \(\mathbb {Z}_N\).
By the definition of the security model, the adversary cannot make an extraction oracle query in which \(\mathsf {ID}_\ell \) is a prefix of (or equal to) \(\mathsf {ID}^*\) and \(\phi _\ell (\alpha ) = \alpha \); this is exactly the remaining case, in which the \(\ell \)-th key would be nominally semi-functional.
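The "uncorrelated modulo \(p_2\)" claims in both cases rest on the Chinese remainder theorem. The following derivation is added here to make that explicit; it is not part of the paper's text, and the constants \(C_\gamma , C_\delta \) are introduced only for this derivation. Since \(N = p_1 p_2 p_3\), a uniform \(x \in \mathbb {Z}_N\) has \((x \bmod p_1, x \bmod p_2, x \bmod p_3)\) uniform on \(\mathbb {Z}_{p_1} \times \mathbb {Z}_{p_2} \times \mathbb {Z}_{p_3}\), so \(x \bmod p_2\) is independent of \(x \bmod p_1\), and \(x \bmod p_1\) is all that \(\mathsf {mpk}\) and the \(\mathbb {G}_{p_1}\) components of the keys reveal about \(x\). In Case 1 with \(\mathsf {id}_i \ne \mathsf {id}^*_i\), collect every term of \(\gamma \) and \(\delta \) not involving \(a\) or \(b_i\) into constants \(C_\gamma , C_\delta \) (fixed once the other exponents, the identities and \(\phi _\ell \) are fixed):
$$ \begin{pmatrix} \gamma \\ \delta \end{pmatrix} \equiv \begin{pmatrix} 1 & \mathsf {id}_i \\ 1 & \mathsf {id}^*_i \end{pmatrix} \begin{pmatrix} a \\ b_i \end{pmatrix} + \begin{pmatrix} C_\gamma \\ C_\delta \end{pmatrix} \pmod {p_2}. $$
The matrix has determinant \(\mathsf {id}^*_i - \mathsf {id}_i\), which is invertible modulo \(p_2\) whenever \(\mathsf {id}_i \not \equiv \mathsf {id}^*_i \pmod {p_2}\). Hence, as \((a \bmod p_2, b_i \bmod p_2)\) ranges uniformly over \(\mathbb {Z}_{p_2}^2\), so does \((\gamma \bmod p_2, \delta \bmod p_2)\): the \(\mathbb {G}_{p_2}\) component of the \(\ell \)-th key is independent of that of the challenge ciphertext. The subcase \(j > j^*\) is the same with \(b_{j^*+1}\) in place of \(b_i\) and the matrix \(\bigl(\begin{smallmatrix} 1 & \mathsf {id}_{j^*+1} \\ 1 & 0 \end{smallmatrix}\bigr)\), of determinant \(-\mathsf {id}_{j^*+1}\); Case 2 is the same with \(c\) in place of \(b_i\) and the matrix \(\bigl(\begin{smallmatrix} 1 & \phi _\ell (\alpha ) \\ 1 & \alpha \end{smallmatrix}\bigr)\), of determinant \(\alpha - \phi _\ell (\alpha )\), which is invertible modulo \(p_2\) exactly when \(\phi _\ell (\alpha ) \not \equiv \alpha \pmod {p_2}\).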
If the \(\ell \)-th oracle query is for delegation, since \(\varphi _1 = \varphi '_j\) and \(\varphi _1\) is an isomorphism:
- Case 1: If \(\mathsf {ID}_\ell \) is not a prefix of \(\mathsf {ID}^*\), the \(\mathbb {G}_{p_2}\) component of the related key is uncorrelated with the value of \(\hat{g}_2^{\delta } = X_2^{a + \sum _{i=1}^{j^*} b_i \mathsf {id}^*_i + c \cdot \alpha }\), by a distribution analysis similar to that for the extraction oracle.
- Case 2: If \(\mathsf {ID}_\ell \) is a prefix of \(\mathsf {ID}^*\), we have \(\bar{g}_2 = \varphi _2(Z_2)\). Hence
$$ \gamma = (a + \sum _{i=1}^{j} b_i \mathsf {id}_i + c \alpha ) \cdot \log _{\varphi _2(Z_2)} \varphi _1(Z_2). $$\(\gamma \) is correctly distributed, as \(\log _{\varphi _2(Z_2)} \varphi _1(Z_2)\) is randomly distributed in \(\mathbb {Z}_N\).
So, \(\mathcal {B}\) can break Assumption 2 if \(\mathcal {A}\) can distinguish Game\(_{\ell -1}\) and Game\(_\ell \). \(\square \)
Lemma 8
Given an adversary \(\mathcal {A}\) such that \( Adv _\mathcal {A}(\mathrm {Game}_{q}) - Adv _\mathcal {A}(\mathrm {Game}_{ final }) =\epsilon \), we can construct an algorithm \(\mathcal {B}\) with advantage \(\epsilon \) in breaking the \(\varPhi _e\)-oracle DBDH assumption.
Proof
Given \((g, g^\alpha X_{2}, X_3, g^s Y_2, Z_2, v, v^\alpha , v^{\alpha s}, T)\) and access to an oracle \(\mathcal {O}\) from the \(\varPhi _e\)-oracle DBDH assumption, \(\mathcal {B}\) chooses random \(a, b \in \mathbb {Z}_N\) and sets
\(\mathcal {B}\) implicitly sets \(\mathsf {msk}= \alpha \). \(\mathcal {B}\) sends the master public key \(\mathsf {mpk}\) to \(\mathcal {A}\).
To compute the semi-functional secret key, \(\mathcal {B}\) randomly picks \(r \in \mathbb {Z}_N\), \(R_2, R'_2, R_{2, j+1}, \ldots , R_{2, H} \in \mathbb {G}_{p_2}\), and \(R_3, R'_3, R_{3, j+1}, \ldots , R_{3, H} \in \mathbb {G}_{p_3}\), then returns:
If it is an RKA-delegation oracle query with input \(\phi _d = (\varphi _1, \varphi _2, \varphi '_{j}, \ldots , \varphi '_{H})\), \(\mathcal {B}\) returns \(\mathsf {sk}'_{\mathsf {ID}_k} \leftarrow \mathsf {Delegate}(\mathsf {mpk}, (\varphi _1(K_1), \varphi _2(K_2), \varphi '_{j}(D_{j}), \ldots , \varphi '_{H}(D_H)), \mathsf {id}_{j})\).
If it is a related key query with input \(\phi _e\), then \(\mathcal {B}\) asks \(\mathcal {O}(\phi _e)\) and obtains \((g^{\phi _e(\alpha )} W_2, v_1^{\phi _e(\alpha )} V_2)\). \(\mathcal {B}\) returns
Therefore, \(\mathcal {B}\) can answer all extraction oracle queries. Note that \(\mathcal {B}\) can check whether \(\phi _e(\alpha ) = \alpha \) by testing whether \({g^{\phi _e(\alpha )} W_2}/{(g^\alpha X_2)} = g^{\phi _e(\alpha ) - \alpha } \cdot W_2 / X_2\) lies in the subgroup \(\mathbb {G}_{p_2}\), i.e., has trivial \(\mathbb {G}_{p_1}\) and \(\mathbb {G}_{p_3}\) components. This is easily doable with the help of \(g \in \mathbb {G}_{p_1}\) and \(X_3 \in \mathbb {G}_{p_3}\): elements of distinct prime-order subgroups pair to the identity, so the quotient has a trivial \(\mathbb {G}_{p_1}\) component exactly when \(\hat{e}(\cdot , g)\) of it equals the identity, and a trivial \(\mathbb {G}_{p_3}\) component exactly when \(\hat{e}(\cdot , X_3)\) of it equals the identity.
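The subgroup test above is the one concrete step of the reduction a practitioner can run by hand, and the following Python block is added here to illustrate it. It is example code written for this page, not code from the paper. Its one modelling assumption is that the composite-order group \(\mathbb {G}\) of order \(N = p_1 p_2 p_3\) is represented as the additive group \(\mathbb {Z}_N\) with the symmetric pairing \(e(x, y) = xy \bmod N\); this map is bilinear and makes the three prime-order subgroups pairwise orthogonal, which is the only property the test uses. The primes, the value of \(\alpha \), and the RKA functions \(\phi \) fed to the test are constructed sample inputs, and the model is insecure by construction (discrete logarithms in \(\mathbb {Z}_N\) are trivial), so it serves only to show the logic of the check.

```python
"""Toy model of the subgroup test run by B in the proof of Lemma 8.

Added example, not code from the paper.  The composite-order group G of
order N = p1*p2*p3 is modelled as the additive group Z_N and the pairing as
e(x, y) = x*y mod N, whose target group is (Z_N, +) with identity 0.  The
subgroups of orders p1, p2, p3 are pairwise orthogonal under this map, which
is the only property the test relies on.  Insecure toy; illustration only.
"""
import secrets

P1, P2, P3 = 1009, 1013, 1019          # constructed toy primes
N = P1 * P2 * P3

# Generators of the three prime-order subgroups of (Z_N, +):
#   G_{p1} = <p2*p3>, G_{p2} = <p1*p3>, G_{p3} = <p1*p2>.
G1 = P2 * P3      # plays the role of g in G_{p1}
G2 = P1 * P3
G3 = P1 * P2


def mul(x, y):
    """Group operation (written multiplicatively in the paper)."""
    return (x + y) % N


def inv(x):
    """Group inverse."""
    return (-x) % N


def power(base, exponent):
    """base^exponent in the paper's notation."""
    return (base * exponent) % N


def pair(x, y):
    """Toy bilinear map e: G x G -> (Z_N, +); 0 is the identity of the target group."""
    return (x * y) % N


def rand_in(gen, order):
    """Uniform element of the subgroup generated by gen, of the given prime order."""
    return power(gen, secrets.randbelow(order))


def has_trivial_component(x, gen):
    """True iff x has no component in the subgroup <gen>.

    With gen in G_{p_i}, the pairing annihilates the components of x lying in
    the other two subgroups, so e(x, gen) is the identity exactly when the
    G_{p_i} component of x is trivial.
    """
    return pair(x, gen) == 0


def lies_in_gp2(x):
    """x in G_{p_2}: trivial G_{p_1} and G_{p_3} components (the test in the proof)."""
    return has_trivial_component(x, G1) and has_trivial_component(x, G3)


def phi_fixes_msk(g_alpha_x2, oracle_reply):
    """B's test for phi_e(alpha) = alpha.

    g_alpha_x2   = g^alpha * X_2           (from the assumption instance)
    oracle_reply = g^{phi_e(alpha)} * W_2  (first component of O(phi_e))
    The quotient g^{phi_e(alpha) - alpha} * W_2 / X_2 lies in G_{p_2} iff
    phi_e(alpha) and alpha agree modulo p_1, i.e. iff the G_{p_1} part of the
    derived key is the one for alpha.
    """
    return lies_in_gp2(mul(oracle_reply, inv(g_alpha_x2)))


def simulate_check(alpha, phi):
    """Sample the masks X_2, W_2 in G_{p_2}, build what B sees, and run the test.

    phi is a hypothetical RKA function on Z_N, standing in for phi_e.
    """
    x2 = rand_in(G2, P2)
    w2 = rand_in(G2, P2)
    g_alpha_x2 = mul(power(G1, alpha), x2)
    oracle_reply = mul(power(G1, phi(alpha)), w2)
    return phi_fixes_msk(g_alpha_x2, oracle_reply)


if __name__ == "__main__":
    alpha = secrets.randbelow(N)           # constructed sample msk
    print("identity   :", simulate_check(alpha, lambda a: a))
    print("a + 5      :", simulate_check(alpha, lambda a: a + 5))
    print("7a + 3     :", simulate_check(alpha, lambda a: 7 * a + 3))
    # This phi changes alpha only modulo p2 and p3; the G_{p1} part of the
    # quotient is trivial, so the test reports agreement: it decides
    # equality modulo p1, which is what the G_{p1} key component depends on.
    print("a + p1     :", simulate_check(alpha, lambda a: a + P1))
```

The orthogonality relations `pair(G1, G2) == 0`, `pair(G1, G3) == 0` and `pair(G2, G3) == 0` are what let a single pairing with \(g\) (resp. \(X_3\)) isolate one subgroup component; in a real composite-order bilinear group the same relations hold, with the identity of the target group in place of `0`.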
Finally, \(\mathcal {B}\) picks a random bit \(b'\) and computes the SF challenge ciphertext:
If \(T = \hat{e}(g, g)^{\alpha s}\), \(\mathcal {B}\) simulates Game\(_q\); otherwise, \(\mathcal {B}\) simulates Game\(_{ final }\). If \(\mathcal {A}\) can distinguish the two games, \(\mathcal {B}\) can break the \(\varPhi _e\)-oracle DBDH assumption. \(\square \)
Copyright information
© 2022 Springer Nature Switzerland AG
Cite this paper
Yuen, T.H., Zhang, C., Chow, S.S.M. (2022). Don’t Tamper with Dual System Encryption. In: Ateniese, G., Venturi, D. (eds) Applied Cryptography and Network Security. ACNS 2022. Lecture Notes in Computer Science, vol 13269. Springer, Cham. https://doi.org/10.1007/978-3-031-09234-3_21
Print ISBN: 978-3-031-09233-6
Online ISBN: 978-3-031-09234-3