From 2cd4721db1506add8563f52ecc951456d1cb609b Mon Sep 17 00:00:00 2001 From: = <=> Date: Mon, 30 Dec 2019 02:10:19 +0100 Subject: [PATCH] l --- report.tex | 87 ++++++++++++++++++++++++++++-------------------------- 1 file changed, 45 insertions(+), 42 deletions(-) diff --git a/report.tex b/report.tex index 7db1dce..9d894cb 100644 --- a/report.tex +++ b/report.tex @@ -13,7 +13,7 @@ \usepackage{wasysym} \usepackage{pdfpages} \usepackage[toc,page]{appendix} - +\usepackage{relsize} % Indent all description environments slightly \usepackage{enumitem} @@ -36,11 +36,12 @@ \newcommand{\ra}{\rightarrow} \newcommand{\U}{\mathcal{U}} \newcommand{\CH}{$\mathcal{C}\mathcal{H}$\xspace} -\newcommand{\hdr}{\text{Hdr}\xspace} +\newcommand{\hdr}{\normalfont\text{Hdr}\xspace} \newcommand{\set}[1]{\{#1\}} \newcommand{\AHBE}{\texttt{AHBE}\xspace} \newcommand{\overbar}[1]{\mkern 1.5mu\overline{\mkern-1.5mu#1\mkern-1.5mu}\mkern 1.5mu} \newcommand{\KHBE}{\texttt{KHBE}\xspace} +\newcommand{\mlarge}[1]{\mathlarger{\mathlarger{\mathlarger{#1}}}} % Use dash instead of bullets for itemize \renewcommand\labelitemi{--} @@ -239,7 +240,7 @@ Let $GroupGen(\lambda,n)$ be an algorithm which generates a group \G and \Gp{_T} \item[BSetup$(n, \ell)$] Run $(\mathbb{G}, \mathbb{G}_T, e) \xleftarrow{R} GroupGen(\lambda, n)$. Set $\alpha \in_R \Z_p$ and $g,h_1,\dots,h_n \in_R \mathbb{G}^{n+1}$. Finally, set $PK = ((\mathbb{G}, \mathbb{G}_T, e), g, e(g,g)^\alpha, h_1, \dots, h_n)$. The secret key is $SK = g^\alpha$. The result is the pair $(PK, SK)$. \item[BKeyGen$(i, SK)$] Set $r_i \in_R \Z_p$ and output; $$d_i \leftarrow (d_{i,0},\dots,d_{i,n}) \quad \text{ where } \quad d_{i,0} = g^{-r_i}, \quad d_{i,i} = g^\alpha h^{r_i}_i, \quad d_{i,j \text{ for } i\neq j} h^{r_i}_j$$ \item[BEncrypt$(S, PK)$] Set $t \in_R \Z_p$ and $$Hdr = (C_1,C_2), \quad \text{ where }\quad C_1 = g^t, \quad C_2 = (\prod_{i \in S}h_i)^t $$ Finally, set $K = e(g,g)^{t\cdot \alpha}$. Output $(\hdr, K)$. -\item[BDecrypt$(S,i,d_i,\text{Hdr}, PK)$] Check if $i \in S$, if so; let $d_i = (d_{i,0},\dots,d_{i,n})$, Hdr$=(C_1,C_2)$, output $$K =e(d_{i,i} \cdot \prod_{j \in S \setminus \{i\}} d_{i,j}, C_1) \cdot e(d_{i,0}, C_2)$$ +\item[BDecrypt$(S,i,d_i,\hdr, PK)$] Check if $i \in S$, if so; let $d_i = (d_{i,0},\dots,d_{i,n})$, Hdr$=(C_1,C_2)$, output $$K =e(d_{i,i} \cdot \prod_{j \in S \setminus \{i\}} d_{i,j}, C_1) \cdot e(d_{i,0}, C_2)$$ \item[Correctness] Correctness is given by; \begin{align*} K &= e(d_{i,i} \cdot \prod_{j \in S \setminus \{i\}} d_{i,j}, C_1) \cdot e(d_{i,0}, C_2) \\ @@ -270,11 +271,11 @@ $$ \item[Key Extraction Phase] \adv{A} is allowed to query private keys for indices $i \in [1,n] \setminus \tilde{S}$. Intuitively, you should not be allowed to query the indices of which you wish to be challenged. To answer a query, \adv{B} will generate a $z_i \in_R \Z_p$ and set $r_i = z_i - y_0 \cdot a^{n+1-i}$. \adv{B} then outputs $$ d_i = (d_{i,0},\dots,d_{i,n})\quad \text{ where } \quad d_{i,0} = g^{-r_i},\quad d_{i,i} = g^\alpha h^{r_i}_i, \quad d_{i,j \text{ where } i\neq j}h^{r_i}_j $$ \item[Challenge] \adv{A} will then choose a subset $S^* \subseteq \tilde{S}$ to which \adv{B} sets: -$$\text{Hdr} = (C_1, C_2) \quad \text{ where } C_1 = g^s, \quad C_2 = (\prod_{j \in S^*}h_j)^s$$ +$$\hdr = (C_1, C_2) \quad \text{ where } C_1 = g^s, \quad C_2 = (\prod_{j \in S^*}h_j)^s$$ Note that $g^s$ comes from the original challenge and due to the construction of the $h_j$ values, $C_2$ is computable, as \adv{B} knows the discrete log of each of them, specifically $h_j = g^{y_j}$, as long as $j \in \tilde{S}$. -\adv{B} sets $K = Z^{y_0}$ (The original; $K = Z$) and sends $(\text{Hdr},K)$ to \adv{A}. +\adv{B} sets $K = Z^{y_0}$ (The original; $K = Z$) and sends $(\hdr,K)$ to \adv{A}. \item[Guess] \adv{A} will output a guess $b'$. \adv{B} forwards this bit to the Challenger. - \item[Correctness] This simulation intuitively works, as if \adv{A} returns $b' = 0$ then the pair $(\text{Hdr}, K)$ is generated according to the same distribution as in the real world, according to \adv{A}. This is also true for \adv{B}'s simulation, as for $b=0$, $K = e(g,g)^{\alpha \cdot s} = e(g,g)^{(a^{n+1} \cdot s) \cdot y_0} = Z^{y_0}$, so it's a valid ciphertext under randomness $s$. When $b=1$, the $K$ is however picked randomly from $\mathcal{K}$, resulting in a correctly produced header Hdr with randomness $s$, but the accompanying key $K$ is random, making the pair $(\hdr, K)$ where $\hdr$ does not correspond to $K$. + \item[Correctness] This simulation intuitively works, as if \adv{A} returns $b' = 0$ then the pair $(\hdr, K)$ is generated according to the same distribution as in the real world, according to \adv{A}. This is also true for \adv{B}'s simulation, as for $b=0$, $K = e(g,g)^{\alpha \cdot s} = e(g,g)^{(a^{n+1} \cdot s) \cdot y_0} = Z^{y_0}$, so it's a valid ciphertext under randomness $s$. When $b=1$, the $K$ is however picked randomly from $\mathcal{K}$, resulting in a correctly produced header Hdr with randomness $s$, but the accompanying key $K$ is random, making the pair $(\hdr, K)$ where $\hdr$ does not correspond to $K$. \end{description} This construction will be the foundation of the \emph{Ad-Hoc Broadcast Encryption} which we will explore in Section \ref{sec:AHBE} and likewise will this proof be brought up when exploring possible proofs of security of said \emph{Ad-Hoc Broadcast Encryption} scheme. @@ -409,8 +410,8 @@ As an \texttt{AHBE} system eliminate the trusted dealer, the \textbf{BSetup} and \begin{description} \item[KeyGen$(i,n,N)$] Let $N$ be defined as the number of potential receivers of the scheme and let $n \leq N$ be defined as the maximum number of receivers of an ad-hoc broadcast recipient group. The \textbf{KeyGen} (this) algorithm is run by each user $i \in [1,N]$ to create her own public/secret key pair. A user takes $n, N$ as well as her own index $i \in [1,N]$. It's not mentioned how the user receives this index in practice, without simply having a central authority giving them this, but one could imagine the users being aware of how many recipients there are in total and simply increment this to get their own index, if one disregards the issues of people joining the peer-to-peer network at the same time. The \textbf{KeyGen} algorithm outputs the users public/secret key pair $(PK_i,SK_i)$. We define a shorthand for several users key pairs; $\{(PK_i, SK_i)\ |\ i \in S \subseteq [1,N] $ as $(PK_i,SK_i)_{S}$ and likewise only for the public keys; $(PK_i)_{S}$. All of this depends on a security parameter $\lambda$, which is implicitly given to the algorithm. -\item[AHBEnc$(S, (PK_i)_{S})$] This is run by any sender who may or may not be in $[1,N]$, as long as the sender knows the public keys of the receivers. It takes the recipient set $S \subseteq [1,N]$ and the public keys for $i \in S$; $(PK_i)_{S}$. Given that $|S| \leq n$, the algorithm returns a pair $(\text{Hdr}, K)$ where Hdr is the header, the encapsulated key, and $K$ is the message encryption key. -\item[AHBDec$(S, j, sk_j, \text{Hdr}, (PK_i)_{S})$] This allows each recipient $i \in S$ to decrypt the message encryption key which is hidden in the header. If $|S| \leq n, j \in S$, then the algorithm returns the message encryption key $k$. +\item[AHBEnc$(S, (PK_i)_{S})$] This is run by any sender who may or may not be in $[1,N]$, as long as the sender knows the public keys of the receivers. It takes the recipient set $S \subseteq [1,N]$ and the public keys for $i \in S$; $(PK_i)_{S}$. Given that $|S| \leq n$, the algorithm returns a pair $(\hdr, K)$ where Hdr is the header, the encapsulated key, and $K$ is the message encryption key. +\item[AHBDec$(S, j, sk_j, \hdr, (PK_i)_{S})$] This allows each recipient $i \in S$ to decrypt the message encryption key which is hidden in the header. If $|S| \leq n, j \in S$, then the algorithm returns the message encryption key $k$. An \emph{Ad-Hoc Broadcast Encryption} system is defined to be \textbf{correct} if any user within the receiver set $S$ can decrypt a valid header. \end{description} @@ -423,7 +424,7 @@ In an adaptively secure ad-hoc broadcast encryption system, the adversary is all \begin{description} \item[Setup] The Challenger runs $\mathbf{KeyGen}(i, n, N)$ to obtain the users' public key. These public keys and the public parameters are given to the adversary \adv{A}. \item[Key Extraction Phase] The Challenger runs $\mathbf{KeyGen}(i, n, N)$ to obtain the users' public key. These public keys and the public parameters are given to the adversary \adv{A}. -\item[Challenge] \adv{A} specifies some challenge set $S^* \subseteq [1,N]$ s.t. \adv{A} has corrupted none of the users $i$ within $S^*$. The challenger sets $(\text{Hdr}^*, k_0) \leftarrow \mathbf{AHBEnc}(S^*, (PK_i)_{S^*})$ and $k_1 \in_R \mathbb{K}$. The challenger sets $b \in_R \{0,1\}$. It gives $(\text{Hdr}^*, k_b)$ to the adversary \adv{A}. +\item[Challenge] \adv{A} specifies some challenge set $S^* \subseteq [1,N]$ s.t. \adv{A} has corrupted none of the users $i$ within $S^*$. The challenger sets $(\hdr^*, k_0) \leftarrow \mathbf{AHBEnc}(S^*, (PK_i)_{S^*})$ and $k_1 \in_R \mathbb{K}$. The challenger sets $b \in_R \{0,1\}$. It gives $(\hdr^*, k_b)$ to the adversary \adv{A}. \item[Guess] The adversary \adv{A} will output a bit $b' \in \{0,1\}$ as an attempt to guess the bit $b$. \adv{A} wins if $b' = b$. The advantage of \adv{A} is as expected; $Adv^{\texttt{AHBE}}_{\mathcal{A},n,N}(1^\lambda) = |Pr(b = b') - \frac{1}{2}|$ and the scheme is deemed adaptively secure if this advantage is negligible in the security parameter $\lambda$. @@ -436,15 +437,15 @@ As mentioned, the authors present a transformation for any key homomorphic BE sc % Reference the AHBE article \begin{definition}[Key Homomorphism] - \normalfont Let $\oplus : \Gamma \times \Gamma \rightarrow \Gamma$, $\odot : \Omega \times \Omega \rightarrow \Omega$ and $\ocircle : \mathbb{K} \times \mathbb{K} \rightarrow \mathbb{K}$ be efficient operations in the public key space $\Gamma$, the decryption key space $\Omega$ and the message encryption key space $\mathbb{K}$, respectively. A BE scheme is then said to be homomorpic if the following conditions hold for all $S \subseteq [1,N]$ for $|S| \leq n$ and all $i \in S$: + \normalfont Let $\mlarge{\oplus} : \Gamma \times \Gamma \rightarrow \Gamma$, $\mlarge{\odot} : \Omega \times \Omega \rightarrow \Omega$ and $\mlarge{\ocircle} : \mathbb{K} \times \mathbb{K} \rightarrow \mathbb{K}$ be efficient operations in the public key space $\Gamma$, the decryption key space $\Omega$ and the message encryption key space $\mathbb{K}$, respectively. A BE scheme is then said to be homomorpic if the following conditions hold for all $S \subseteq [1,N]$ for $|S| \leq n$ and all $i \in S$: \begin{enumerate} \item If $(PK_1, SK_1) \leftarrow $\textbf{BSetup}$(n,N)$, where \textbf{BSetup} is the setup algorithm for the BE scheme, $n$ is the size of the receiver set and it is allowed to be of size $N$, \vsp{2mm} $(PK_2, SK_2) \leftarrow $\textbf{BSetup}$(n,N)$, \vsp{2mm} $(d_1(i) \la $ \textbf{BKeyGen}$(i, SK_1)$, \vsp{2mm} $(d_2(i) \la $ \textbf{BKeyGen}$(i, SK_2)$, \vsp{2mm} - $(\text{Hdr}, k) \la $\textbf{BEnc}$(S, PK_1 \oplus PK_2)$, \vsp{2mm} - then \textbf{BDec}$(S, i, d_1(i) \odot d_2(i), \text{Hdr}, PK_1 \oplus PK_2) = k$. - \item If \hdr is a header of $k_1$ under $(S, PK_1)$ and also a header of some $k_2$ under $(S, PK_2)$, then it also a header of $k_1 \ocircle k_2$ under $(S, PK_1 \oplus PK_2)$. + $(\hdr, k) \la $\textbf{BEnc}$(S, PK_1 \mlarge{\oplus} PK_2)$, \vsp{2mm} + then \textbf{BDec}$(S, i, d_1(i) \mlarge{\odot} d_2(i), \hdr, PK_1 \mlarge{\oplus} PK_2) = k$. + \item If \hdr is a header of $k_1$ under $(S, PK_1)$ and also a header of some $k_2$ under $(S, PK_2)$, then it also a header of $k_1 \mlarge{\ocircle} k_2$ under $(S, PK_1 \mlarge{\oplus} PK_2)$. \end{enumerate} \end{definition} @@ -467,7 +468,7 @@ The main idea behind their proposed transformation is to use the homomorphic pro \label{fig:KHBEMatrix} \end{figure} -Within Figure \ref{fig:KHBEMatrix}, the $PK_i$ is the public key of the BE instance specifically generated by user $i$. A decryption key $d_i(j)$ is generated by user $i$ for user $j$, in the underlying scheme. Each row is then published ($PK_i$) by the corresponding member of the group of broadcast receivers, $\U_i$, but their own specific decryption key , $d_i(i)$ is not published. The key homomorphism then allow for an arbitrary receiver set $S$, as all of the public keys for $i \in S$ can be easily aggregated; $\oplus_{i \in S} PK_i = PK_{\mathtt{AHBE}}$ into a new public key of a new instance of the underlying BE scheme, such that the $j$'th column $\{d_i(j)\}^n_{i=1}$ can be aggregated into a decryption key for this instance; $d(j) = \odot_{i \in S}d_i(j)$, i.e. a decryption key for the public key $PK_{\mathtt{AHBE}}$. Since the diagonal of the matrix is not published, only user $\U_i$ knows $d_i(i)$ and is thus the only one who can compute $d(i)$. This results in a system where a sender can choose any receiver set $S \subseteq[1,N]$ and broadcast to this set under the key $PK_{\mathtt{AHBE}} = \oplus_{i \in S} PK_i$ and only users $\U_i$ for $i \in S$ can decrypt using their decryption key $d(i)$. As $PK_{\mathtt{AHBE}}$ functions like a public key for a regular BE scheme where all users have decryption keys, if $j \not\in S$, user $\U_j$ won't be able use her decryption key $d(j) = \odot_{i \in S}d_i(j)$, as only users in the intended recipient set can decrypt in the new scheme. Note that it is a requirement of the scheme, that all $PK_i$ should be computationally independent and \emph{different}. Intuitively, if they are not different such that $d_1(1) = d_2(1)$, it's trivial to compute the decryption key of user $\U_1$, by simply looking at the data published by $\U_2$. +Within Figure \ref{fig:KHBEMatrix}, the $PK_i$ is the public key of the BE instance specifically generated by user $i$. A decryption key $d_i(j)$ is generated by user $i$ for user $j$, in the underlying scheme. Each row is then published ($PK_i$) by the corresponding member of the group of broadcast receivers, $\U_i$, but their own specific decryption key , $d_i(i)$ is not published. The key homomorphism then allow for an arbitrary receiver set $S$, as all of the public keys for $i \in S$ can be easily aggregated; $\mlarge{\oplus}_{i \in S} PK_i = PK_{\mathtt{AHBE}}$ into a new public key of a new instance of the underlying BE scheme, such that the $j$'th column $\{d_i(j)\}^n_{i=1}$ can be aggregated into a decryption key for this instance; $d(j) = \mlarge{\odot}_{i \in S}d_i(j)$, i.e. a decryption key for the public key $PK_{\mathtt{AHBE}}$. Since the diagonal of the matrix is not published, only user $\U_i$ knows $d_i(i)$ and is thus the only one who can compute $d(i)$. This results in a system where a sender can choose any receiver set $S \subseteq[1,N]$ and broadcast to this set under the key $PK_{\mathtt{AHBE}} = \mlarge{\oplus}_{i \in S} PK_i$ and only users $\U_i$ for $i \in S$ can decrypt using their decryption key $d(i)$. As $PK_{\mathtt{AHBE}}$ functions like a public key for a regular BE scheme where all users have decryption keys, if $j \not\in S$, user $\U_j$ won't be able use her decryption key $d(j) = \mlarge{\odot}_{i \in S}d_i(j)$, as only users in the intended recipient set can decrypt in the new scheme. Note that it is a requirement of the scheme, that all $PK_i$ should be computationally independent and \emph{different}. Intuitively, if they are not different such that $d_1(1) = d_2(1)$, it's trivial to compute the decryption key of user $\U_1$, by simply looking at the data published by $\U_2$. % TODO: Be very consistent in what you call the public keys of the AHBE scheme! @@ -486,20 +487,22 @@ As discussed, an \AHBE scheme consist of three algorithms; \textbf{KeyGen, AHBEn \begin{itemize} \item Pick receiver set $S \subseteq [1,n]$ \item Compute the public key of the broadcast: - $$PK_{\mathtt{AHBE}} = \oplus_{i \in S} PK_i$$ + $$PK_{\mathtt{AHBE}} = \mlarge{\oplus}_{i \in S} PK_i$$ \item Invoke the underlying \KHBE encryption algorithm \textbf{BEnc}$(\cdot)$ in order to compute the header of the key: $$(Hdr, k) \la \mathbf{BEnc}(S, PK_{\mathtt{AHBE}})$$ and send $(S, Hdr)$ to the receiver set. \end{itemize} \item[AHBDec] Due to the underlying \KHBE scheme, the receiver $i \in S$ can compute a decryption key for the \texttt{AHBE} public key $PK_{AHBE}$ by computing: -$$d(i) = d_i(i) \odot\{\odot_{j \in S}^{j \neq i} d_j(i)\} = \odot_{j \in S} d_j(i)$$ +$$d(i) = d_i(i) \mlarge{\odot}\{\mlarge{\odot}_{j \in S}^{j \neq i} d_j(i)\} = \mlarge{\odot}_{j \in S} d_j(i)$$ As only user $\U_i$ knows $d_i(i)$ only she can compute $d(i)$. Due to the homomorphism of the \KHBE scheme, $d(i)$ is a valid decryption key for the public key $PK_{AHBE}$, as long as $i \in S$. To perform this decryption, each user $\U_i$ for $i \in S$, invokes the \KHBE decryption algorithm \textbf{BDec}$(\cdot)$; $$k = \mathbf{BDec}(S, i, d(i), Hdr, K) $$ \end{description} +% TODO: Make big operators for the key homomorphism things + \subsection{Proof of Security} -The security of the \AHBE scheme is proven by a reduction to the underlying \KHBE scheme. As such, if the underlying \KHBE scheme is presumed to be secure, so should the AHBE scheme. Furthermore, the AHBE scheme has semi-static security, if the \KHBE scheme has adaptive security. +The security of the \AHBE scheme is proven by a reduction to the underlying \KHBE scheme. As such, if the underlying \KHBE scheme is presumed to be secure, so should the \AHBE scheme. Furthermore, the \AHBE scheme has semi-static security, if the \KHBE scheme has adaptive security. \begin{theorem} The generic \AHBE scheme has semi-static security if the underlying \KHBE scheme has adaptive security. @@ -507,15 +510,15 @@ The security of the \AHBE scheme is proven by a reduction to the underlying \KHB \begin{proof} We note that something is wrong within this proof, which we will point out in Section \ref{sec:ProofIssues}. - We wish to construct an adversary \adv{B} who can break the security of the underlying KHBE scheme, by utilising the adversary \adv{A} who is assumed to be able to break the security of the \AHBE scheme. In the initialisation phase, \adv{A} will commit to a set $\tilde{S} \subseteq [1,n]$. Keep in mind that \adv{A} is a semi-static adversary, so he has to commit to a set of which he wishes to attack a subset of. + We wish to construct an adversary \adv{B} who can break the security of the underlying \KHBE scheme, by utilising the adversary \adv{A} who is assumed to be able to break the security of the \AHBE scheme. In the initialisation phase, \adv{A} will commit to a set $\tilde{S} \subseteq [1,n]$. Keep in mind that \adv{A} is a semi-static adversary, so he has to commit to a set of which he wishes to attack a subset of. - In the setup phase, \adv{B} picks a user at randomly from within $\tilde{S}$; $i* \in_R \tilde{S}$. \adv{B} then sets up the \emph{adaptive} game with the KHBE challenger \CH. \CH returns the system parameters and the \KHBE public key, denoted by $PK_{i^*}$. \adv{B} then queries for the secret key $d_{i^*}(j)$ for each index $j \not\in \tilde{S}$. + In the setup phase, \adv{B} picks a user at randomly from within $\tilde{S}$; $i^* \in_R \tilde{S}$. \adv{B} then sets up the \emph{adaptive} game with the \KHBE challenger \CH. \CH returns the system parameters and the \KHBE public key, denoted by $PK_{i^*}$. \adv{B} then queries for the secret key $d_{i^*}(j)$ for each index $j \not\in \tilde{S}$. For $i \in [1,n] \setminus \{i^*\}$, \adv{B} can generate the \KHBE public/private key pair $(PK_i, SK_i)$, as it's not the target of \adv{B}, as it is \emph{adaptive}. This allows \adv{B} to generate the corresponding decryption keys $d_i(j)$ for each index $j \in \{1,n\} \setminus \{i\}$. Then, for $i = 1,\dots,n$, \adv{B} generate $K_i = \{d_i(j) | 1 \leq i \neq j \leq n\} \cup \{PK_i\}$, such that all users' public keys can be provided to the adversary \adv{A}, as a part of the setup phase for the \AHBE scheme. - In the corruption phase, \adv{A} may corrupt any user $i \in \{1,\dots,n\} \setminus \tilde{S}$. These users are all however fabricated by the \adv{B}, so \adv{B} has the public/private key pairs for any user outside of $\tilde{S}$, thus it is no issue to yield the decryption key $d_i(i)$ and answer the query correctly. + In the corruption phase, \adv{A} may corrupt any user $i \in \{1,\dots,n\} \setminus \tilde{S}$. These users are all however fabricated by the algorithm \adv{B}, so \adv{B} has the public/private key pairs for any user outside of $\tilde{S}$, thus it is no issue to yield the decryption key $d_i(i)$ and answer the query correctly. - In the challenge phase, the adversary \adv{A} decides upon an attack set $S^* \subseteq \tilde{S}$. This is given to \adv{B} who then has two options. Either $i^* \not\in S^*$ and \adv{B} reports failure, as the answer from the \AHBE adversary \adv{A} will not be of any help to \adv{B} in breaking the underlying \KHBE scheme. On the other hand, if $i^* \in S^*$, \adv{B} simply forwards the set $S^*$ to the challenger \CH and requests for a \KHBE header and key from \CH. \adv{B} receives a pair $(\hdr^*, k_b)$ under $(S^*, PK_{i^*})$. \adv{B} then has to convert this into a wellformed challenge header for $(S^*, \oplus_{j \in S^*} PK_j)$ meant for the adversary \adv{A}. Thus, as we know all of the public/private key pairs, we can compute $\mathbf{BDec}(S^*, i^*, d_i(i^*), \hdr^*, PK_i) = k_{b,i}$ for $i \in S^* \setminus \{i^*\}$, noting that, due to the second property of the key homomorphism, we have for all $j \in S^*$; $\mathbf{BDec}(S^*, j, d_i(j), \hdr^*, PK_i) = k_{b,i}$. \adv{B} then sets $k^*_b = k_b \ocircle \{\ocircle_{i \in S^* \setminus \{i^*\}} k_{b,i}\}$ and then send $(\hdr^*, k^*_b)$ as a challenge to \adv{A}. Due to the homomorphic properties, if $\hdr^*$ hides the key $k_b$ under $(S^*, PK_{i^*})$, then it also hides the key $k^*_b$ under $(S^*, \oplus_{i \in S^*} PK_i)$, else the key $k_b$ is picked uniformly from the keyspace, so the aggregation of keys $k_b \ocircle \ocircle_{i \in S^* \setminus \{i^*\}} k_{b,i}$ still makes sense and will have the correct distribution, it will just be independent on $\hdr^*$. + In the challenge phase, the adversary \adv{A} decides upon an attack set $S^* \subseteq \tilde{S}$. This is given to \adv{B} who then has two options. Either $i^* \not\in S^*$ and \adv{B} reports failure, as the answer from the \AHBE adversary \adv{A} will not be of any help to \adv{B} in breaking the underlying \KHBE scheme. On the other hand, if $i^* \in S^*$, \adv{B} simply forwards the set $S^*$ to the challenger \CH and requests for a \KHBE header and key from \CH. \adv{B} receives a pair $(\hdr^*, k_b)$ under $(S^*, PK_{i^*})$. \adv{B} then has to convert this into a wellformed challenge header for $(S^*, \mlarge{\oplus}_{j \in S^*} PK_j)$ meant for the adversary \adv{A}. Thus, as we know all of the public/private key pairs, we can compute $\mathbf{BDec}(S^*, i^*, d_i(i^*), \hdr^*, PK_i) = k_{b,i}$ for $i \in S^* \setminus \{i^*\}$, noting that, due to the second property of the key homomorphism, we have for all $j \in S^*$; $\mathbf{BDec}(S^*, j, d_i(j), \hdr^*, PK_i) = k_{b,i}$. \adv{B} then sets $k^*_b = k_b \mlarge{\ocircle} \{\mlarge{\ocircle}_{i \in S^* \setminus \{i^*\}} k_{b,i}\}$ and then send $(\hdr^*, k^*_b)$ as a challenge to \adv{A}. Due to the homomorphic properties, if $\hdr^*$ hides the key $k_b$ under $(S^*, PK_{i^*})$, then it also hides the key $k^*_b$ under $(S^*, \mlarge{\oplus}_{i \in S^*} PK_i)$, else the key $k_b$ is picked uniformly from the keyspace, so the aggregation of keys $k_b \mlarge{\ocircle}\{ \mlarge{\ocircle}_{i \in S^* \setminus \{i^*\}} k_{b,i}\}$ still makes sense and will have the correct distribution, it will just be independent on $\hdr^*$. Finally, when \adv{A} guesses bit $b'$, this is forwarded by \adv{B} to the \KHBE challenger \CH. Intuitively, \adv{B} will guess correct, if adversary \adv{A} guesses correct. Thus, if we assume adversary \adv{A} has advantage $\epsilon$, then the advantage of \adv{B} is $\frac{1}{n} \epsilon$, due to \adv{B} aborting in the case of $i^* \not\in S^*$, thus incurring a factor $\frac{1}{n}$. \end{proof} @@ -524,7 +527,7 @@ We note that something is wrong within this proof, which we will point out in Se \subsection{Issues with the Proof} \label{sec:ProofIssues} -The primary issue of this proof arises when the following question is raised: "How can B get the keys $d_{i^*}(j)$ for $j \in \tilde{S}$". These decryption keys will have to be a part of the public keys that \adv{B} has to present to \adv{A} in the beginning of the setup of the \AHBE scheme? The only key which is supposed to be private in the \AHBE scheme is $d_{i^*}(i^*)$, which is an issue, as \adv{B} eventually wants to attack the set $S^*$, which contains several of the users of which he will have to corrupt to get the missing keys. Specifically: +The primary issue of this proof arises when the following question is raised: "How can the algorithm \adv{B} get the keys $d_{i^*}(j)$ for $j \in \tilde{S}$". These decryption keys will have to be a part of the public keys that \adv{B} has to present to \adv{A} in the beginning of the setup of the \AHBE scheme? The only key which is supposed to be private in the \AHBE scheme is $d_{i^*}(i^*)$, which is an issue, as \adv{B} eventually wants to attack the set $S^*$, which contains several of the users of which he will have to corrupt to get the missing keys. Specifically: \begin{figure} \[ @@ -540,18 +543,18 @@ The primary issue of this proof arises when the following question is raised: "H \caption{The missing keys are underlined} \label{fig:UnderlinedKHBEMatrix} \end{figure} -If we consider the user $i^*$ to be $\U_1$ and $\tilde{S}$ to simply be all $n$ recipients, then the algorithm \adv{B} is missing all the underlined keys, in the proof, as he is not allowed to query these keys, since he at some point want to attack the set $S^* \subseteq \tilde{S}$, which is against the rules of the adaptive game for the (KH)BE scheme, as defined in Section \ref{sec:BESec}. +If we consider the user $i^*$ to be $\U_1$ and $\tilde{S}$ to simply be all $n$ recipients, then the algorithm \adv{B} is missing all the underlined keys, in the proof, as he is not allowed to query these keys, since he at some point want to attack the set $S^* \subseteq \tilde{S}$, which is against the rules of the adaptive game for the \texttt{(KH)BE} scheme, as defined in Section \ref{sec:BESec}. To remedy this, we considered primarily one thing; Adding another homomorphic property such that we can safely use \emph{only} $\{i^*\}$ as the recipient set we sent to \CH. \begin{definition} - If $\hdr^*$ is a header for $k_{i^*}$ under $(i^*, PK_{i^*})$, then it can be transformed into a header under $(S^*, PK)$ where $i^* \in S^*$ where the underlying key is allowed to change. + If $\hdr^*$ is a header for $k_{i^*}$ under $(i^*, PK_{i^*})$, then it can be transformed into a header under $(S^*, PK)$ such that the aggregated public keys for the users within $S^*$ equals $PK$ and $i^* \in S^*$, where the underlying key is allowed to change. \end{definition} -This would allow \adv{B} to challenge for a header for a receiver set only containing $i^*$, which means he does not have to worry of querying for the decryption keys of the other receivers within $S^*$. When \adv{B} receives the challenge header from the challenger, this can be transformed into a proper header for the adversary \adv{A}. +The property stated ion \textbf{Definition 2} would allow \adv{B} to challenge for a header for a receiver set only containing $i^*$, which means he does not have to worry about querying for the decryption keys of the other receivers within $S^*$. When \adv{B} receives the challenge header from the challenger, this can be transformed into a proper header for the adversary \adv{A}. This transformation would have to be both randomised and one-way, as otherwise the following attacks could take place; \begin{description} -\item The adversary is a part of the set $[1,n]$, but not a part of the set $S^*$. If then a message containing some header $\hdr$ is sent out to the set $S^*$, the adversary should not be allowed to decrypt the header $\hdr$ and recover the underlying key $k$ intended for the receiver set $S^*$. Now, if the transformation is not \emph{one-way} and the transformation \emph{did not} change the value of the underlying key, it would be simple for the adversary to \emph{artifically add} himself to the set $S^*$, by simply performing the homomorphic operation on the header \hdr achieving some header $\hdr^*$ and then decrypt it, achieving the underlying key $k$. Thus, the transformation necessarily must change the underlying value of the key. Thus, if the transformation is not \emph{one-way}, but does in fact alter the underlying key, a similiar attack can be staged, with a little more effort from the adversary. Say the adversary is in the total set of receivers, but not in the set $S^*$. When he then receives the broadcasted message containing \hdr, he can perform the homomorphic operation as before to the header \hdr and achieve a new header $\hdr^*$ for an altered key $k^*$. However, as the transformation is \emph{not} one-way, the adversary can then perform the inverse homomorphic operation on the key $k^*$ and get back the original key, $k$. This is naturally not desirable either. +\item The adversary is a part of the set $[1,n]$, but not a part of the set $S^*$. If then a message containing some header $\hdr$ is sent out to the set $S^*$, the adversary should not be allowed to decrypt the header $\hdr$ and recover the underlying key $k$ intended for the receiver set $S^*$. Now, if the transformation is not \emph{one-way} and the transformation \emph{did not} change the value of the underlying key, it would be simple for the adversary to \emph{artifically add} himself to the set $S^*$, by simply performing the homomorphic operation on the header \hdr achieving some header $\hdr^*$ and then decrypt it, achieving the underlying key $k$. Thus, the transformation necessarily must change the underlying value of the key. Thus, if the transformation is not \emph{one-way}, but does in fact alter the underlying key, a similiar attack can be staged, with a little more effort from the adversary. Say the adversary is in the total set of receivers, but not in the set $S^*$. When he then receives the broadcasted message containing \hdr, he can perform the homomorphic operation as before to the header \hdr and achieve a new header $\hdr^*$ for an altered key $k^*$. However, as the transformation is \emph{not} one-way, the adversary can then perform the inverse homomorphic operation of \textbf{Definition 2} on the key $k^*$ and get back the original key, $k$. This is naturally not desirable either. We note that this inverse operation might not be easy to find, however it must exist per definition on the transformation not being \emph{one-way}. \end{description} As such, we conclude that this homomorphic operation must be randomised, one-way and it must alter the value of the underlying key. However, on the other hand, if the operation changes the underlying key, then we run into another issue. If the key changes, this homomorphic transformation can instead be used as a distinguisher. @@ -564,51 +567,51 @@ We will describe a game where this homomorphic operation operation breaks the se \subsection{An \AHBE Implementation} \label{sec:AHBEImpl} -To end up with a Semi-statically secure \AHBE scheme, we first need to produce an adaptively secure BE scheme which is key homomorphic. To this end, we use the scheme defined in \ref{sec:BE} coupled with the generic transformation from Semi-static to Adaptive by Gentry and Waters \cite{GentryWaters}. Note that $g, h_{i,s} \text{ for } i \in [1,n], s \in \{0,1\}$ be independent generators of a group $\mathbb{G}$ of prime order $p$, with a bilinear map $e : \Gm \times Gm \ra \Gm_{T}$. +To achieve a Semi-Static secure \AHBE scheme, we first need to produce an adaptively secure \texttt{BE} scheme which is key homomorphic. To this end, we use the scheme defined in \ref{sec:BE} coupled with the generic transformation from Semi-Static to Adaptive by Gentry and Waters \cite{GentryWaters}. Note that $g, h_{i,s} \text{ for } i \in [1,n], s \in \{0,1\}$ be independent generators of a group $\mathbb{G}$ of prime order $p$, with a bilinear map $e : \Gm \times \Gm \ra \Gm_{T}$. -We define all algoritms prefixed by $AB$ to be an \emph{adaptively secure} \texttt{BE} algorithm. +We define all algoritms prefixed by \texttt{AB} to be an \emph{adaptively secure} \texttt{BE} algorithm. \begin{description} -\item[ABSetup$(n, \ell)$] Let $\alpha \in_R \mathbb{Z}_p$ and compute $g^\alpha, e(g,g)^\alpha$. The BE public key PK is then; $PK = e(g,g)^\alpha$ and the private key is $SK = g^\alpha$. +\item[ABSetup$(n, \ell)$] Let $\alpha \in_R \mathbb{Z}_p$ and compute $g^\alpha, e(g,g)^\alpha$. The \texttt{BE} public key $PK$ is then; $PK = e(g,g)^\alpha$ and the private key is $SK = g^\alpha$. \item[ABKeyGen$(i, SK)$] Set $r_i \in_R \mathbb{Z}_p$, $s_i \in_R \{0,1\}$. Output decryption key for user $i$; $d_i = (d_{i,0},\dots,d_{i,n})$: $$d_i \leftarrow (d_{i,0},\dots,d_{i,n}) \quad \text{ where } \quad d_{i,0} = g^{-r_i}, \quad d_{i,i} = g^\alpha h^{r_i}_{i,s_i}, \quad d_{i,j \text{ for } i\neq j} h^{r_i}_{j,s_i}$$ \item[ABEnc$(S, PK)$] Set $t \in_R \Z_p$ and $$Hdr = (C_1,C_2, C_3), \quad \text{ where }\quad C_1 = g^t, \quad C_2 = (\prod_{i \in S}h_{i,0})^t,\quad C_3 = (\prod_{i \in S}h_{i,1})^t $$ Finally, set $K = e(g,g)^{t\cdot \alpha}$. Output $(\hdr, K)$. Send $(S, \hdr)$ to the receivers. -\item[ABDec$(S,i,d_i,\text{Hdr}, PK)$] Check if $i \in S$, if so; let $d_i = (d_{i,0},\dots,d_{i,n})$, Hdr$=(C_1,C_2,C_3)$, output $$k =e(d_{i,i} \cdot \prod_{j \in S \setminus \{i\}} d_{i,j}, C_1) \cdot e(d_{i,0}, C_2)$$ +\item[ABDec$(S,i,d_i,\hdr, PK)$] Check if $i \in S$, if so; let $d_i = (d_{i,0},\dots,d_{i,n})$, Hdr$=(C_1,C_2,C_3)$, output $$k =e(d_{i,i} \cdot \prod_{j \in S \setminus \{i\}} d_{i,j}, C_1) \cdot e(d_{i,0}, C_2)$$ The correctness is the exact same as defined in Section \ref{sec:GentryWatersConst}. \end{description} -As we desire a key homomorphic scheme, we define the aggregations like so; $PK_1 \oplus PK_2 = PK_1PK_2$, $d_{1_i} \odot d_{2_i} = (d_{1_{i,0}}, d_{2_{i,0}}, \dots, d_{1_{i,n}}, d_{2_{i,n}})$ and $k_1 \ocircle k_2 = k_1k_2$. Finally we instantiate the \AHBE scheme: +As we desire a key homomorphic scheme, we define the aggregations like so; $PK_1 \mlarge{\oplus} PK_2 = PK_1PK_2$, $d_{1_i} \mlarge{\odot} d_{2_i} = (d_{1_{i,0}}, d_{2_{i,0}}, \dots, d_{1_{i,n}}, d_{2_{i,n}})$ and $k_1 \mlarge{\ocircle} k_2 = k_1k_2$. Finally we instantiate the \AHBE scheme: % TODO: Fix it so that we are consistent with key of AHBE and user and BE \begin{description} \item[KeyGen$(i, n, N )$] Let the potential receivers be a set $\{1,\dots,N\}$. Let $n \leq N$ be the maximum number of recipients within a single broadcast. For simplicity, we assume that $n = N$. Generate an instance $\pi$ of a \KHBE scheme and let this be a system parameter. The KeyGen algorithm then does the following: \begin{itemize} -\item For receiver $i \in [1,n]$, invoke the \texttt{ABSetup}, to generate a public/private key pair $(PK_i, SK_i) = e(g,g)^{\alpha_i}, g^{\alpha_i}$ for the \KHBE scheme.. -\item Receiver $i$ runs \texttt{ABKeyGen} and obtains $d_i(j) \leftarrow \mathtt{ABKeyGen}(j,SK_i)$ for $i,l,j = 1,\dots,n$ where $d_i(j) = (d_{i,0,j}, \dots, d_{i,n,j})$ such that: \\ +\item For receiver $i \in [1,n]$, invoke the \textbf{ABSetup}, to generate a public/private key pair $(PK_i, SK_i) = e(g,g)^{\alpha_i}, g^{\alpha_i}$ for the \KHBE scheme.. +\item Receiver $i$ runs \textbf{ABKeyGen} and obtains $d_i(j) \leftarrow \mathbf{ABKeyGen}(j,SK_i)$ for $i,l,j = 1,\dots,n$ where $d_i(j) = (d_{i,0,j}, \dots, d_{i,n,j})$ such that: \\ $$d_{i,0,j} = g^{-r_{i,j}},\quad d_{i,j,j} = g^{\alpha_i}h^{r_{i,j}}_{j,s_i}, \quad d_{i,l,j} = h^{r_{i,j}}_{l,s_i},$$ \\ For $r_{i,j} \in_R \mathbb{Z}_p$, $s_i \in_R \{0,1\}$. Receiver $i$'s private key is then $d_i(i)$. \\ \item The public key of the specific receiver $i$ in the \AHBE scheme is then: \\ - $$PK_{AHBE_i} = \{d_i(j) | 1 \leq i \neq j \leq n\} \cup \{PK_i\}$$ Where $PK_i$ came from the BSetup call. + $$PK_{\mathtt{AHBE}_i} = \{d_i(j) | 1 \leq i \neq j \leq n\} \cup \{PK_i\}$$ Where $PK_i$ came from the BSetup call. \end{itemize} \item[AHBEnc$(S, (PK_i)_S)$] Computes the header and key for a receiver set $S$ in the following way: \begin{itemize} \item Pick receiver set $S \subseteq [1,n]$ \item Compute the public key of the broadcast: - $$PK_{AHBE} = \oplus_{i \in S} PK_i = \prod_{i \in S} PK_i = e(g,g)^{\sum_{i \in S} \alpha_i}$$ - Note that the $PK_i$'s used here are in fact the ones from the original \texttt{ABSetup} call, so it is contained within $PK_{AHBE_i}$. -\item Invoke the underlying \KHBE encryption algorithm BEnc$(\cdot)$ in order to compute the header of the key $\hdr = \mathtt{ABEnc}(S, PK_{AHBE}) = (C_1,C_2,C_3)$ for: + $$PK_{\mathtt{AHBE}} = \mlarge{\oplus}_{i \in S} PK_i = \prod_{i \in S} PK_i = e(g,g)^{\sum_{i \in S} \alpha_i}$$ + Note that the $PK_i$'s used here are in fact the ones from the original \textbf{ABSetup} call, so it is contained within $PK_{\mathtt{AHBE}_i}$. +\item Invoke the underlying \KHBE encryption algorithm \textbf{BEnc}$(\cdot)$ in order to compute the header of the key $\hdr = \mathbf{ABEnc}(S, PK_{\mathtt{AHBE}}) = (C_1,C_2,C_3)$ for: $$C_1 = g^t, \quad C_2 = (\prod_{i \in S}h_{i,0})^t,\quad C_3 = (\prod_{i \in S}h_{i,1})^t$$ and for the secret key: - $$k = PK_{AHBE}^t = e(g,g)^{t \cdot \sum_{i \in S} \alpha_i}$$ + $$k = PK_{\mathtt{AHBE}}^t = e(g,g)^{t \cdot \sum_{i \in S} \alpha_i}$$ for $t \in_R \mathbb{Z}_p$ and send $(S, \hdr)$ to the receiver set. \end{itemize} -\item[AHBDec$(S, j, sk_j, \hdr, (PK_i)_S)$] Due to the underlying \KHBE scheme, the receiver $i \in S$ can compute a decryption key for the \AHBE public key $PK_{AHBE}$ by computing: +\item[AHBDec$(S, j, sk_j, \hdr, (PK_i)_S)$] Due to the underlying \KHBE scheme, the receiver $i \in S$ can compute a decryption key for the \AHBE public key $PK_{\mathtt{AHBE}}$ by computing: \begin{align*} - d(i) &= d_i(i) \odot\{\odot_{j \in S}^{j \neq i} d_j(i)\} = \odot_{j \in S} d_j(i) \\ + d(i) &= d_i(i) \mlarge{\odot}\{\mlarge{\odot}_{j \in S}^{j \neq i} d_j(i)\} = \mlarge{\odot}_{j \in S} d_j(i) \\ &= (\prod_{j \in S} d_{j,0,i}, \dots, \prod_{j \in S} d_{j,n,i}) \end{align*} -As only user $\U_i$ knows $d_i(i)$ only she can compute $d(i)$. Due to the homomorphism of the KHBE scheme, $d(i)$ is a valid decryption key for the public key $PK_{AHBE}$, as long as $i \in S$. To perform this decryption, each user $\U_i$ for $i \in S$, invokes the \KHBE decryption algorithm \texttt{ABDec}$(\cdot)$; -$$k = \mathtt{ABDec}(S, i, d(i), Hdr, PK_{AHBE}) $$ +As only user $\U_i$ knows $d_i(i)$ only she can compute $d(i)$. Due to the homomorphism of the \KHBE scheme, $d(i)$ is a valid decryption key for the public key $PK_{\mathtt{AHBE}}$, as long as $i \in S$. To perform this decryption, each user $\U_i$ for $i \in S$, invokes the \KHBE decryption algorithm \textbf{ABDec}$(\cdot)$; +$$k = \mathbf{ABDec}(S, i, d(i), \hdr, PK_{\mathtt{AHBE}}) $$ \end{description}