diff --git a/papers/DTPKE-Const.pdf b/papers/DTPKE-Const.pdf new file mode 100644 index 0000000..7279300 Binary files /dev/null and b/papers/DTPKE-Const.pdf differ diff --git a/report.tex b/report.tex index 1c46e0d..c7c0940 100644 --- a/report.tex +++ b/report.tex @@ -11,8 +11,14 @@ \usepackage{xspace} \usepackage[margin=1.25in]{geometry} \usepackage{wasysym} +\usepackage{pdfpages} +\usepackage[toc,page]{appendix} +% Indent all description environments slightly +\usepackage{enumitem} +\setlist[description]{leftmargin=\parindent,labelindent=\parindent} + \newtheorem{definition}{Definition} \newtheorem{theorem}{Theorem} @@ -33,20 +39,24 @@ \newcommand{\hdr}{\text{Hdr}} \newcommand{\set}[1]{\{#1\}} \newcommand{\AHBE}{\texttt{AHBE}\xspace} +\newcommand{\overbar}[1]{\mkern 1.5mu\overline{\mkern-1.5mu#1\mkern-1.5mu}\mkern 1.5mu} - +% Use dash instead of bullets for itemize +\renewcommand\labelitemi{--} \author{Alexander Munch-Hansen \\ 201505956} \title{ \normalfont \normalsize - \textsc{Aarhus University} \\ [20pt] % Your university, school and/or department name(s) + \textsc{Aarhus University} \\ [20pt] \horrule{0.5pt} \\[0.4cm] % Thin top horizontal rule - \huge Beyond Public Key Cryptography \\ - \large A study of various extensions of public key crypto, with focus on Broadcast Encryption schemes \\ % The assignment title + \huge Beyond Public Key Cryptography \\ % The assignment main title + \large A study of various extensions of public key crypto, with focus on Broadcast Encryption schemes \\ % The assignment sub title \horrule{2pt} \\[0.5cm] % Thick bottom horizontal rule } +% TODO: Fix the remaining descriptions, such that they all use the environment! + \date{\today} \begin{document} \maketitle @@ -105,7 +115,7 @@ Let $(\Gm_1, \Gm_2, \Gm_T, e)$ define three groups $\Gm_1,\Gm_2,\Gm_T$ all of or & h, h^{\gamma}, \dots, h^{\gamma^{m-2}}, \\ & h^{\alpha}, h^{\alpha \cdot \gamma}, \dots, h^{\alpha \cdot \gamma^{2m - 1}}, \qquad h^{k \cdot g(\gamma)}, \end{align*} -and finally a $T \in \Gm_T$. The deciding part is then to decide whether $T$ is equal to $e(g,h)^{k \cdot f(\gamma)}$ or merely some random element of $\Gm_T$. +and finally a $Z \in \Gm_T$. The deciding part is then to decide whether $Z$ is equal to $e(g,h)^{k \cdot f(\gamma)}$ or merely some random element of $\Gm_T$. We want to note that the paper does not define either $\alpha$ or $\gamma$, which essentially means this problem is not well defined. We assume however, that both $\alpha$ and $\gamma$ have to come from $\mathbb{Z}^*_p$, whenever this problem is referenced. @@ -120,50 +130,56 @@ We will cover a basic identity based encryption scheme which illustrates a basic \subsection{The structure} \label{sec:IBEStruct} -\textbf{Identity-Based Encryption.} \quad An Identity-Based encryption scheme is specified by four different algorithms, all containing some sort of randomness: \texttt{Setup, Extract, Encrypt, Decrypt}: \vspace{3mm} \\ -\-\hspace{5mm}\textbf{Setup:}\quad Takes some security parameter $k$ and returns the system parameters and a master-key. These system parameters include a description of a finite message space $\mathcal{M}$ as well as a description of a finite ciphertext space $\mathcal{C}$. These parameters are known publicly, wherre the master-key is known only to the trusted authority, the so called Private Key Generator (\texttt{PKF}). \vspace{3mm} \\ -\-\hspace{5mm}\textbf{Extract:}\quad Takes the system parameters, the master-key and an arbitrary \texttt{ID} $\in \{0,1\}^*$ and returns a private key $d$. \texttt{ID} is essentially any arbitrary string which will be used a public key and $d$ is the corresponding decryption key, which can be used by the owner of the \texttt{ID}. Thus, the \texttt{extract} algorithm extracts a private key from the given public key. \vspace{3mm} \\ -\-\hspace{5mm}\textbf{Encrypt:}\quad Takes the system parameters, \texttt{ID}, and $M \in \mathcal{M}$. Returns some ciphertext $C \in \mathcal{C}$.\vspace{3mm} \\ -\-\hspace{5mm}\textbf{Decrypt:}\quad Takes the system parameters, some private key $d$ and $C \in \mathcal{C}$. Returns the plaintext $M \in \mathcal{M}$. \vspace{3mm} \\ +\textbf{Identity-Based Encryption.} \quad An Identity-Based encryption scheme is specified by four different algorithms, all containing some sort of randomness: \texttt{Setup, Extract, Encrypt, Decrypt}: +\begin{description} +\item[Setup] Takes some security parameter $k$ and returns the system parameters and a master-key. These system parameters include a description of a finite message space $\mathcal{M}$ as well as a description of a finite ciphertext space $\mathcal{C}$. These parameters are known publicly, wherre the master-key is known only to the trusted authority, the so called Private Key Generator (\texttt{PKF}). +\item[Extract] Takes the system parameters, the master-key and an arbitrary \texttt{ID} $\in \{0,1\}^*$ and returns a private key $d$. \texttt{ID} is essentially any arbitrary string which will be used a public key and $d$ is the corresponding decryption key, which can be used by the owner of the \texttt{ID}. Thus, the \texttt{extract} algorithm extracts a private key from the given public key. +\item[Encrypt] Takes the system parameters, \texttt{ID}, and $M \in \mathcal{M}$. Returns some ciphertext $C \in \mathcal{C}$. +\item[Decrypt] Takes the system parameters, some private key $d$ and $C \in \mathcal{C}$. Returns the plaintext $M \in \mathcal{M}$. +\end{description} Naturally, these algorithms must satisfy that: $$ \forall M \in M\ :\ \text{Decrypt}(\text{params}, C, d) = M\quad \text{where}\quad C = \text{Encrypt}(\text{params}, ID, M)$$ -\vspace{3mm} \\ + \subsubsection{Security} \textbf{Chosen Ciphertext Security.} \quad To this end, we will focus on Chosen Ciphertext Security (\texttt{IND-CPA}), as this is the standard acceptable notion of security for a public key encryption scheme \cite{security_notion}. The standard definition however, is not strong enough, as we must also require that the adversary might already know of several \texttt{ID}s and decryption keys, given by the \texttt{PKG} and these should not aid the adversary in breaking the security. We define an \emph{extraction query} to be a query which yields the decryption key for a given \ID. Furthermore, the adversary is given the choice of which \ID to be challenged on, rather than it being a random public key. \cite{WeilIBE} -An Identity-Based Encryption scheme is semantically secure against an adaptive chosen ciphertext attack (\texttt{IND-ID-CPA}) if no polynomially bounded adversary $\mathcal{A}$ has non-negligible advantage against the Challenger in the following game \adv{E}: \vspace{4mm} \\ -\-\hspace{5mm} \textbf{Setup:} The challenger is given a security parameter $k$ and he runs the \emph{Setup} algorithm explained above. This returns the public parameters and the master-key to the Challenger, who then forwards the public parameters to the adversary. \vsp{3mm} -\-\hspace{5mm} \textbf{Phase 1:} The adversary is allowed to issue queries $q_1, \dots, q_l$ where query $q_i$ is one of two queries; +An Identity-Based Encryption scheme is semantically secure against an adaptive chosen ciphertext attack (\texttt{IND-ID-CPA}) if no polynomially bounded adversary $\mathcal{A}$ has non-negligible advantage against the Challenger in the following game \adv{E}: +\begin{description} +\item[Setup] The challenger is given a security parameter $k$ and he runs the \emph{Setup} algorithm explained above. This returns the public parameters and the master-key to the Challenger, who then forwards the public parameters to the adversary. +\item[Phase 1] The adversary is allowed to issue queries $q_1, \dots, q_l$ where query $q_i$ is one of two queries; \begin{itemize} \item An extraction query run on $\ID_i$. The challenger responds by running the \emph{Extract} algorithm on the given $\ID_i$, returning the decryption key $d_i$ corresponding to the \ID. $d_i$ is sent to the adversary. \item A decryption query run on $\ID_i$ and some ciphertext $C_i$. First the challenger runs the \emph{Extract} algorithm to get the decryption key $d_i$ corresponding to the given $\ID_i$. The Challenger then runs the \emph{Decrypt} algorithm on $d_i$ and $C_i$, resulting in a plaintext. This plaintext is returned to the adversary. \end{itemize} -\hsp{6mm} These queries may be run \emph{adaptively}, hence the name of the security definition, thus, each query $q_i$ may depend on the previous queries $q_1,\dots,q_{i-1}$, if the adversary so desires. \vsp{3mm} -\hsp{5mm} \textbf{Challenge:} Once the adversary deems that Phase 1 is over, he outputs two plaintexts of equal length; $M_0, M_1 \in \mathcal{M}$, as well as an \ID on which he desires to be challenged. The single constraint, is that the adversary is not allowed to have queried this \ID before, in Phase 1. The Challenger then picks a bit $b \in_R \{0,1\}$ and sets $C = Encrypt(params, \ID, M_b)$. $C$ is then send to the adversary. \vsp{3mm} -\hsp{5mm} \textbf{Phase 2:} The adversary is allowed to issue additional $n-l$ queries; $q_{l+1},\dots,q_n$, where query $q_i$ is either of: +\hsp{6mm} These queries may be run \emph{adaptively}, hence the name of the security definition, thus, each query $q_i$ may depend on the previous queries $q_1,\dots,q_{i-1}$, if the adversary so desires. +\item[Challenge] Once the adversary deems that Phase 1 is over, he outputs two plaintexts of equal length; $M_0, M_1 \in \mathcal{M}$, as well as an \ID on which he desires to be challenged. The single constraint, is that the adversary is not allowed to have queried this \ID before, in Phase 1. The Challenger then picks a bit $b \in_R \{0,1\}$ and sets $C = Encrypt(params, \ID, M_b)$. $C$ is then send to the adversary. + \item[Phase 2] The adversary is allowed to issue additional $n-l$ queries; $q_{l+1},\dots,q_n$, where query $q_i$ is either of: \begin{itemize} \item An extraction query run on $\ID_i$. The same query, except $\ID_i \neq \ID$, where \ID is the \ID of the challenge. \item A decryption query run on $\ID_i$ and some ciphertext $C_i$. The same query, except $\ID_i \neq \ID$ and $C_i \neq C$, where $C$ is the ciphertext of the challenge. -\end{itemize} -\hsp{6mm} These queries may be run adaptively, as in Phase 1. \vsp{3mm} -\hsp{5mm} \textbf{Guess:} The adversary outputs a guess bit $b' \in \{0,1\}$ and he will win the game if $b' = b$. \vsp{3mm} -\hsp{5mm} An adversary \adv{A} as defined above, is refered to as an \texttt{IND-ID-CPA} adversary. The advantage of \adv{A} in defeating the Challenger in the scheme \adv{E}, is defined as a function of the security parameter $k$, $Adv_{\mathcal{E}, \mathcal{A}} = |Pr(b=b') - \frac{1}{2}|$. +\end{itemize} +These queries may be run adaptively, as in Phase 1. +\item[Guess] The adversary outputs a guess bit $b' \in \{0,1\}$ and he will win the game if $b' = b$. + + An adversary \adv{A} as defined above, is refered to as an \texttt{IND-ID-CPA} adversary. The advantage of \adv{A} in defeating the Challenger in the scheme \adv{E}, is defined as a function of the security parameter $k$, $Adv_{\mathcal{E}, \mathcal{A}} = |Pr(b=b') - \frac{1}{2}|$. +\end{description} This definition closely resembles the standard definition of \texttt{IND-CPA} but extended with the addition of extraction queries and that the challenger is now challenged on an \ID picked by the adversary. The addition of the extraction queries is supported by \cite{ExtractionDef}, when the scheme is to support multiple users, which is likely the case for any IBE scheme. Furthermore, the weaker notion of security known as \emph{Semantic Security} (\texttt{IND-ID-CPA}) can be defined based on \texttt{IND-ID-CCA}, except now the adversary is not allowed to issue any decryption queries, i.e. he is only allowed extraction queries. \subsection{A Scheme} -The scheme we will focus on is that of Boneh and Franklin as described in \cite{WeilIBE}. The structure will be as defined in Section \ref{sec:IBEStruct}. We let $\lambda$ be the given security parameter given implicitly to the setup algorithm. We let $\mathcal{G}$ be a BDH parameter generator. \vsp{4mm} -\hsp{5mm}\textbf{Setup:}\quad Given $k$; +The scheme we will focus on is that of Boneh and Franklin as described in \cite{WeilIBE}. The structure will be as defined in Section \ref{sec:IBEStruct}. We let $\lambda$ be the given security parameter given implicitly to the setup algorithm. We let $\mathcal{G}$ be a BDH parameter generator. +\begin{description} +\item[Setup] Given $k$; \begin{enumerate} \item Run $\mathcal{G}$ on the input $k$ in order to generate a prime $p$ which defines the order of two groups $\Gm$ and $\Gm_T$ as well as an \emph{admissible} bilinear map $e : \Gm \times \Gm \ra \Gm_T$. Pick a random generator $g \in_R \Gm$. \item Pick a random $s \in_R \mathbb{Z}^*_p$ and set the public key PK as such, $PK = g^s$. \item Choose two hash functions: $H_1 : \{0,1\}^* \ra G^*$ and $H_2 : G_T \ra \{0,1\}^n$ for some $n$. Note that in the security analysis of this scheme, $H_1$ and $H_2$ will be viewed as random oracles. \\ The message space will be $\mathcal{M} = \{0,1\}^n$ and the ciphertext space is $\mathcal{C} = \Gm^{*} \times \{0,1\}^n$. Finally, the system parameters \texttt{params} are $(p, \Gm, \Gm_T, e, n, g, PK, H_1, H_2)$. The \emph{master key} (Or the systems private key), is then $s$. % TODO: Is this not the same s from the generation of the pk? \end{enumerate} -\hsp{5mm}\textbf{Extract:}\quad For a given string \ID $\in \{0,1\}^*$ the algorithm does two things; Compute $Q_{\mathtt{ID}} = H_1(ID) \in \Gm^*$ and it sets the private key $d_{\mathtt{ID}}$ to be $d_{\mathtt{ID}} = Q_{\mathtt{ID}}^s$, for the master key $s$. \vsp{3mm} -\hsp{5mm}\textbf{Encrypt:}\quad To encrypt some $m \in \mathcal{M}$ under the public key \ID, the user does the following: Compute $Q_{\mathtt{ID}} = H_1(ID) \in \Gm^*$, choose a random $r \in_R \mathbb{Z}^*_p$ and set the final ciphertext to be: -$$C = (g^r, m \oplus H_2(g_{\mathtt{ID}}^r)\quad \text{ where }\quad g_{\mathtt{ID}} = e(Q_{\mathtt{ID}}, PK) \in \Gm^*_T$$ -\hsp{5mm}\textbf{Decrypt:}\quad Parse $C = (u,v)$ as a ciphertext decrypted under the public key \texttt{ID}. Then, to decrypt $C$ using the private key $d_{\mathtt{ID}} \in \Gm^*$, compute: -$$v \oplus H_2(e(d_{\mathtt{ID}}, u)) = m$$ +\item[Extract] For a given string \ID $\in \{0,1\}^*$ the algorithm does two things; Compute $Q_{\mathtt{ID}} = H_1(ID) \in \Gm^*$ and it sets the private key $d_{\mathtt{ID}}$ to be $d_{\mathtt{ID}} = Q_{\mathtt{ID}}^s$, for the master key $s$. +\item[Encrypt] To encrypt some $m \in \mathcal{M}$ under the public key \ID, the user does the following: Compute $Q_{\mathtt{ID}} = H_1(ID) \in \Gm^*$, choose a random $r \in_R \mathbb{Z}^*_p$ and set the final ciphertext to be: + $$C = (g^r, m \oplus H_2(g_{\mathtt{ID}}^r)\quad \text{ where }\quad g_{\mathtt{ID}} = e(Q_{\mathtt{ID}}, PK) \in \Gm^*_T$$ + \item[Decrypt] Parse $C = (u,v)$ as a ciphertext decrypted under the public key \texttt{ID}. Then, to decrypt $C$ using the private key $d_{\mathtt{ID}} \in \Gm^*$, compute: + $$v \oplus H_2(e(d_{\mathtt{ID}}, u)) = m$$ Correctness of the above scheme is obvious from two facts; \begin{enumerate} @@ -172,6 +188,9 @@ Correctness of the above scheme is obvious from two facts; \end{enumerate} Where these masks which are used during encryption and decryption are the same as; $$e(d_{\mathtt{ID}}, u) = e(Q_{\mathtt{ID}}^s, g^r) = e(Q_{\mathtt{ID}}, g)^{sr} = e(Q_{\mathtt{ID}}, PK)^r = g^r_{\mathtt{ID}}$$ + +\end{description} + \subsection{Security} The scheme can be shown to be semantically secure (\texttt{IND-ID-CPA}), assuming that the BDH problem is hard in the groups generated by $\mathcal{G}$. @@ -182,7 +201,7 @@ In a Threshold Public-Key Encryption (\texttt{TPKE}) scheme, the decryption key \subsection{Security Model} -\-\hspace{5mm} \textbf{Setup:}\quad The challenger runs Setup$(\lambda)$ of the \texttt{DTPKE} scheme, obtaining the $\mathtt{params} = (MK,EK,DK,VK,CK)$. All the public parameters (all except for $MK$) are given to the adversary \adv{A}. \vsp{3mm} +\-\hspace{5mm} \textbf{Setup:}\quad The challenger runs Setup$(\lambda)$ of the \texttt{DTPKE} scheme, obtaining the $$\mathtt{params} = (MK,EK,DK,VK,CK)$$. All the public parameters (all except for $MK$) are given to the adversary \adv{A}. \vsp{3mm} \-\hspace{5mm} \textbf{Phase 1:}\quad The adversary is allowed to adaptively issue queries where query $q_i$ is one of three queries; \begin{itemize} \item A \texttt{Join} query on an id \texttt{ID}; The challenger runs the \texttt{Join} algorithm on input $(MK,\mathtt{ID})$, to create a new user in the system. Note that the challenger has $MK$ from the setup step. @@ -203,7 +222,7 @@ From this basic description, we can define three sub definitions: \subsection{Modelling \texttt{DTPKE}} A \texttt{DTPKE}-scheme consist of $7$ algorithms: \texttt{DTPKE} $= ($\texttt{Setup}, \texttt{Join}, \texttt{Encrypt}, \texttt{ValidateCT}, \texttt{ShareDecrypt}, \texttt{ShareVerify}, \texttt{Combine}$)$. \vsp{4mm} -\hsp{5mm}\textbf{Setup$(\lambda)$:}\quad Takes security parameter $\lambda$. Outputs a set of system parameters: $\mathtt{params} = (MK,EK,DK,VK,CK)$. $MK$ is a Master Secret Key, $EK$ is the Encryption Key, $DK$ is the Decryption Key, $VK$ is the Validation Key and $CK$ is the Combination Key. $MK$ is kept secret by the issuer, but the other four are public parameters. \vsp{3mm} +\hsp{5mm}\textbf{Setup$(\lambda)$:}\quad Takes security parameter $\lambda$. Outputs a set of system parameters: $$\mathtt{params} = (MK,EK,DK,VK,CK).$$ $MK$ is a Master Secret Key, $EK$ is the Encryption Key, $DK$ is the Decryption Key, $VK$ is the Validation Key and $CK$ is the Combination Key. $MK$ is kept secret by the issuer, but the other four are public parameters. \vsp{3mm} \hsp{5mm}\textbf{Join$(MK, \mathtt{ID})$:}\quad Takes the $MK$ and an identity \ID of a user. Outputs the user's keys $(usk, upk, uvk)$, where $usk$ is the secret key used for decryption, $upk$ is the public key used for encrypting and $uvk$ is the verification key. $upk, uvk$ are both public, whereas $usk$ is given privately to the user.\vsp{3mm} \hsp{5mm}\textbf{Encryptp$(EK, S, t, M)$:}\quad Takes the Encryption Key, the public keys of the users within the receiver set $S$, a threshold $t$ and a message to be encrypted, $M$. Outputs a ciphertext.\vsp{3mm} \hsp{5mm}\textbf{ValidateCT$(EK, S, t, C)$:}\quad Takes the encryption key, the public keys of the receiver set, a threshold and a ciphertext. Checks whether $C$ is a valid ciphertext with respect to $EK, S$ and $t$. \vsp{3mm} @@ -212,9 +231,80 @@ A \texttt{DTPKE}-scheme consist of $7$ algorithms: \texttt{DTPKE} $= ($\texttt{S \hsp{5mm}\textbf{Combine$(CK, S, t, C, T, \Sigma)$:}\quad Takes the combination key $CK$, a ciphertext $C$, some subset $T \subseteq S$ of $t$ authorised users and $\Sigma = (\sigma_1, \dots, \sigma_t)$ which is a list of $t$ decryption share. Outputs the plaintext $M$ or $\perp$.\vsp{3mm} \subsection{A scheme and the Security Thereof} -It should be noted that this scheme is very long and as such will be left out of the report, but it will be left within the appendix, completely as the original authors wrote it. We will instead list their security proof, which contains an error worth of noting. Their proof is a reduction to the \texttt{MSE-DDH} problem, as defined in Section \ref{sec:MSE-DDH}. That being said, their security proof states that the \texttt{DTPKE} scheme has \texttt{IND-NAA-NAC-CPA} security (Non-adaptive adversary, non-adaptive corruption, chosen-plaintext attack). +It should be noted that this scheme is very long and as such will be left out of the report, but it will be included in the appendix, completely as the original authors wrote it. We will instead list their security proof, which contains an error worth of noting. Their proof is a reduction to the \texttt{MSE-DDH} problem, as defined in Section \ref{sec:MSE-DDH}. Regardless, their security proof states that the \texttt{DTPKE} scheme has \texttt{IND-NAA-NAC-CPA} security (Non-adaptive adversary, non-adaptive corruption, chosen-plaintext attack). + +\begin{theorem} + For any $l,m,t,$ $\mathbf{Adv}^{ind}_{\mathtt{DTPKE}}(l,m,t) \leq 2 \cdot \mathbf{Adv}^{\text{MSE-DDH}}(l,m,t)$. Where $l$ denotes the total number of \textbf{Join} queries that can be issued by the adversary, $m$ is the maximal size the authorised set of receivers is allowed to be, $t$ is the threshold. +\end{theorem} +\begin{proof} + Let \texttt{DTPKE} denote the construction as described in Appendix A. Now, to establish the semantic security, the \texttt{IND-NAA-NAC-CPA} security, for static adversaries of the \texttt{DTPKE} scheme, we describe a reduction to the \texttt{MSE-DDH} problem. To this end, we assume an adversary \adv{A} who can break the scheme under an $(l,m,t)$-collusion. This adversary \adv{A} will be used to build an algorithm \adv{B} who can then distinguish the two distributions of the $(l,m,t)$-\texttt{MSE-DDH} problem. + + The algorithm \adv{B} is given as input some group system $Pub = (p, \Gm_1, \Gm_2, \Gm_T, e)$ as described in \ref{sec:MSE-DDH} as well as an $(l,m,t)$-\texttt{MSE-DDH} instance in $Pub$. The \texttt{MSE-DDH} instances gives us, \adv{B}, two coprime polynomials $f_{poly}$ and $g_{poly}$ of orders $l$ and $m$ with pairwise distinct roots $(x_1, \dots, x_l)$ and $(x_{l+t}, \dots, x_{l+t+m-1})$ respectively. Finally, \adv{B} has all the exponents; + \begin{align*} + & x_1, \dots, x_\ell, \qquad \qquad \qquad y_1, \dots, y_m \\ + & g, g^{\gamma}, \dots, g^{\gamma^{\ell + t - 2}}, \qquad \quad g^{k\cdot \gamma \cdot f(\gamma)} \\ + & g^{\alpha}, g^{\alpha \cdot \gamma}, \dots, g^{\alpha \cdot \gamma^{\ell + t}}, \\ + & h, h^{\gamma}, \dots, h^{\gamma^{m-2}}, \\ + & h^{\alpha}, h^{\alpha \cdot \gamma}, \dots, h^{\alpha \cdot \gamma^{2m - 1}}, \qquad h^{k \cdot g(\gamma)}, + \end{align*} + as well as the $Z \in \Gm_T$ which can either be $e(g,h)^{k \cdot f(\gamma)}$ or some random element within $\Gm_T$. We define the following polynomials: + $$f(X) = \prod_{i=1}^\ell (X+x_i), \quad q(X) = \prod_{i=1}^{\ell +t - 1} (X+x_i), \quad g(X) = \prod_{i=1}^{\ell +t+m - 1} (X+x_i)$$ + + Do note here, that the proof does not argue in any way for the sudden appearence of the $x_i$ for $i = \ell+1, \dots, \ell + t - 1$. We have not looked further into a fix for this, however we further note that they are used for the set of $t-1$ users of the \emph{target set} who can be corrupted and as such \adv{B} must be prepared to be able to both give a secret key for the specific user, while this key must be used in the challenge to \adv{A}, as such, the key is not without relevance. + + As mentioned, $q(X)$ corresponds to the $t-1$ users within the receiver set who may be corrupted. As we are in a static environment, both the receiver set and the corruption set has to be given in the initialisation phase, so we know these ahead of time. $f(X)$ corresponds to the set of $\ell$ users not in the target set, who can be corrupted and $g(X)$ defines the $m$ users of the target set that cannot be corrupted. These polynomials thus allow us to be able to simulate the $\ell +t - 1$ corruptions where $t-1$ are in the target set. + + For $i \in [1, \ell + 1 - 1]$ we thus set $$f_i(x) = \frac{f(x) \cdot q(\gamma)}{x+x_i}, $$ which is a polynomial of degree $\ell + t - 2$ + \begin{description} + \item[Init] The adversary \adv{A} outputs his target set $S^* = \set{\mathtt{ID}^*_1, \dots, \mathtt{ID}^*_s}$ as well as a set $\overbar{C} = \set{\overbar{\mathtt{ID}}_1, \dots, \overbar{\mathtt{ID}}_c}$ of identities that \adv{A} intends on corrupting, such that $c \leq \ell$ and $|S^* \cap \overbar{C}| \leq t-1$. + \item[Setup] To generate the system parameters of the \texttt{DTPKE} scheme, \adv{B} sets $g = g_{MSE-DDH}^{f(\gamma) \cdot q(\gamma)}$ where $g_{MSE-DDH}$ come from the \texttt{MSE-DDH} problem as one of the two generators. Note that this is merely set for the sake of replicating what the original scheme does. $g$ is never published and is thus never required to be directly computed, which is not possible in this case either. \adv{B} then set: + $$h = h_{\mathtt{MSE-DDH}}, \qquad u = g_{\mathtt{MSE-DDH}}^{\alpha \cdot \gamma \cdot f(\gamma) \cdot q(\gamma)} = g^{\alpha \cdot \gamma}$$ + $$v = e(g_{\mathtt{MSE-DDH}}, h_{\mathtt{MSE-DDH}})^{\alpha \cdot f(\gamma) \cdot q(\gamma)} = e(g,h)^\alpha$$ + Where $u$ and $v$ can be computed from the \texttt{MSE-DDH} instance input, since $f \cdot q$ is a $\ell + t - 1$ degree polynomial. + + \adv{B} then creates a set $\mathcal{D} = \set{d_i}_{i=1}^{m-1}$ which is a set of dummy users such that: + \begin{itemize} + \item $\mathcal{D}_{m+t-s^*-1} = \set{d_i}_{i=1}^{m+t-s^*-1}$ is a subset of $\set{x_j}_{j=\ell+t}^{\ell+t+m-1}$, which corresponds to the dummy users included to complete the target set in the challenge. + \item The rest of the dummy users: $\set{d_i}_{m+t-s^*}^{m-1}$ are random elements in $\mathbb{Z}_p$. + \end{itemize} + \adv{B} then defines the encryption key $EK = (m,u,v,h^\alpha, \set{h^{\alpha \cdot \gamma^i}}_{i=1}^{2m-1}, \mathcal{D})$ and the combination key $CK = (h, \set{h^{\gamma^i}}_{i=1}^{m-2}, \mathcal{D})$. + \item[Generation of Users' Keys] \hspace{1cm} % Hack to force the itemize to the line below .. + + \begin{itemize} + \item For each $\overbar{\mathtt{ID}} \in \overbar{C}$, i.e. each \ID which is to be corrupted, \adv{B} computes and sends $(\overbar{\text{usk}}, \overbar{\text{upk}})$ to \adv{A} where: + \begin{align*} + &\overbar{\text{upk}} = x_i,\\ + &\overbar{\text{usk}} = g_{\mathtt{MSE-DDH}}^{f_i(\gamma)} = g^{\frac{1}{\gamma + x_i}} + \end{align*} + with the constraint that if $\mathtt{ID} \in S^*$ then $x_i$ must be taken from the subset $\set{x_j}_{j=\ell+1}^{\ell+t-1}$ i.e. the ones used in polynomial $q(X)$ (the ones we do not know where originate from) and otherwise $x_i$ must be taken from $\set{x_j}_{j=1}^{\ell}$, i.e. polynomial $f(X)$ or the roots of $f_{poly}$. + \item For each $\mathtt{ID} \in S^* - (S^* \cap \overbar{C}$, so each \ID which is in the target set \emph{but not} in the corruption target set, \adv{B} sends $upk = x_i$ to \adv{A} where $x_i$ must come from $\set{x_j}_{j=\ell+t}^{\ell+t+m-1} - \mathcal{D}_{m+t-s^*-1}$, i.e. the users from $g(X)$, but without the dummy users included to complete the target set in the challenge. + \item For each $\mathtt{ID} \not\in S^* \cup \overbar{C}$, each users who is not in the receiver set and may not be corrupted, \adv{B} sends $upk = x$ to \adv{A} where $x \not\in \set{x_j}_{j=1}^{\ell + t + m -1}$ + \end{itemize} + \adv{B} gives the group information $Pub$ as well as $(EK, CK)$ to \adv{A}. + \item[Challenge] \adv{B} computes \textbf{Encrypt} in order to obtain the challenge information: + $$(\hdr^*, S^*, t, K) = \mathbf{Encrypt}(EK, S^*, t), \text{ where}$$ + $$C_1 = g_{\mathtt{MSE-DDH}}^{-k \cdot \gamma \cdot f(\gamma)}, \qquad C_2 = h_{\mathtt{MSE-DDH}}^{k \cdot g(\gamma)}, \qquad K = Z,$$ + $$|S| = s^*, \qquad S^* \subseteq \set{x_j}_{j=\ell+1}^{\ell+t+m-1} - \mathcal{D}_{m+t-s^*-1}$$ + \adv{B} selects $b \in_R \set{0,1}$, sets $K_b = K$ and $K_{1-b} \in_R \mathcal{K}$. Then returns $(\hdr^*,K_0, K_1)$ to \adv{A}. + \item[Guess] \adv{A} outputs a guess $b' \in \set{0,1}$ and wins if $b' = b$. + \end{description} + Without proof we state that + + \begin{align*} + \mathbf{Adv}^{\mathtt{MSE-DDH}} &= \\ + &\quad \frac{1}{2} \times (Pr(b'=1 | b=1 \wedge \text{real}) + Pr(b'=1 | b=0 \wedge \text{real}) \\ + &- \frac{1}{2} \times (Pr(b'=1 | b=1 \wedge \text{random}) + Pr(b'=1 | b=0 \wedge \text{random}). + \end{align*} + + Now, as the distribution of $b$ is independent from the adversarys view; $$Pr(b'=1 | b=1 \wedge \text{random}) = Pr(b'=1 | b=0 \wedge \text{random})$$ Thus, the left side cancels out. In the real case however, the distribution of all variables which are defined by \adv{B} comply with the definition of the semantic security game, as all simulations are perfect. Thus, to conclude: + $$\mathbf{Adv}_{\mathtt{DTPKE}}^{\text{ind}}(\mathcal{A}) = Pr(b'=1 | b=1 \wedge \text{real}) - Pr(b'=1 | b=0 \wedge \text{real})$$ + Is exactly equal to $$2 \cdot (\frac{1}{2} \times (Pr(b'=1 | b=1 \wedge \text{real}) + Pr(b'=1 | b=0 \wedge \text{real})).$$ +\end{proof} + % TODO: Explain this scheme and their security proof which doesn't work. Yikes. -% TOOD: Add the DTPKE scheme to the appendix. +% TOOD: Add the DTPKE scheme to the appendix A. +% TODO: Consider making all upk and usk bold + \section{Broadcast Encryption} @@ -236,6 +326,7 @@ The advantage of \adv{A} is then defined as: $$Adv_{SS,BE,n,\ell}(\lambda) = |Pr Static security is the least strongest type and it requires the adversary to commit to the set of receivers of which he wants to be challenged on, in the initialisation phase, rather than the potential set the Semi-Static adversary has to commit to. Adaptive security is arguably the most desired and correct type, as it enforces nothing in regards to the attack set $S^*$. The adversary is allowed to see the public key PK and ask for several private keys, before choosing which set he wishes to be challenged on. We note here, that due to Gentry and Waters \cite{GentryWaters}, we can transform a Semi-Statically secure BE scheme to an Adaptively secure BE scheme. +% TODO: Consider using description environment or https://tex.stackexchange.com/questions/436977/how-to-insert-multiple-hspace-into-one-row-line % TODO, maybe new page this \subsection{Their construction} \label{sec:GentryWatersConst} @@ -472,4 +563,11 @@ As such, we conclude that, if there is a reduction to be found from the \AHBE in \nocite{*} \bibliography{refs} +% https://tex.stackexchange.com/questions/49643/making-appendix-for-thesis +\begin{appendices} + % TODO: Properly crop the construction + \chapter{\texttt{DTPKE}-scheme} + \includepdf[pages=-,pagecommand={},width=\textwidth]{papers/DTPKE-Const.pdf} +\end{appendices} + \end{document} \ No newline at end of file