This commit is contained in:
= 2019-12-18 22:39:56 +01:00
parent 808323cc22
commit 6c168e80bf
2 changed files with 113 additions and 10 deletions


@ -115,3 +115,30 @@ abstract="In this paper, we propose a semi-static secure broadcast encryption sc
isbn="978-3-319-04873-4" isbn="978-3-319-04873-4"
} }
@InProceedings{DTPKE,
author="Delerabl{\'e}e, C{\'e}cile
and Pointcheval, David",
editor="Wagner, David",
title="Dynamic Threshold Public-Key Encryption",
booktitle="Advances in Cryptology -- CRYPTO 2008",
year="2008",
publisher="Springer Berlin Heidelberg",
address="Berlin, Heidelberg",
pages="317--334",
abstract="This paper deals with threshold public-key encryption which allows a pool of players to decrypt a ciphertext if a given threshold of authorized players cooperate. We generalize this primitive to the dynamic setting, where any user can dynamically join the system, as a possible recipient; the sender can dynamically choose the authorized set of recipients, for each ciphertext; and the sender can dynamically set the threshold t for decryption capability among the authorized set. We first give a formal security model, which includes strong robustness notions, and then we propose a candidate achieving all the above dynamic properties, that is semantically secure in the standard model, under a new non-interactive assumption, that fits into the general Diffie-Hellman exponent framework on groups with a bilinear map. It furthermore compares favorably with previous proposals, a.k.a. threshold broadcast encryption, since this is the first threshold public-key encryption, with dynamic authorized set of recipients and dynamic threshold that provides constant-size ciphertexts.",
isbn="978-3-540-85174-5"
}
@InProceedings{TPKE,
author="Desmedt, Yvo
and Frankel, Yair",
editor="Brassard, Gilles",
title="Threshold cryptosystems",
booktitle="Advances in Cryptology --- CRYPTO' 89 Proceedings",
year="1990",
publisher="Springer New York",
address="New York, NY",
pages="307--315",
abstract="In a society oriented cryptography it is better to have a public key for the company (organization) than having one for each individual employee [Des88]. Certainly in emergency situations, power is shared in many organizations. Solutions to this problem were presented [Des88], based on [GMW87], but are completely im- practical and interactive. In this paper practical non-interactive public key systems are proposed which allow the reuse of the shared secret key since the key is not revealed either to insiders or to outsiders.",
isbn="978-0-387-34805-6"
}


@ -31,6 +31,7 @@
\newcommand{\U}{\mathcal{U}} \newcommand{\U}{\mathcal{U}}
\newcommand{\CH}{$\mathcal{C}\mathcal{H}$\xspace} \newcommand{\CH}{$\mathcal{C}\mathcal{H}$\xspace}
\newcommand{\hdr}{\text{Hdr}} \newcommand{\hdr}{\text{Hdr}}
\newcommand{\set}[1]{\{#1\}}
@ -78,11 +79,37 @@ A bilinear map satisfying all the above three properties is said to be \emph{adm
All of the following mathmatical assumptions will be derived from the \emph{Diffie-Hellman} assumption. The reader is assumed to be familiar with this. We note that the \emph{Decisional Diffie-Hellman} problem is easy within the setting of bilinear maps, as, given some generator $g$ and $g^a$, $g^b$ and $g^c$ where the question is if $c = ab$, it is straightforward to check if $e(g,g^c) = e(g^a,g^b)$, which holds for the case where $c = ab$. As such, new assumptions which are difficult within this setting, are required. All of the following mathmatical assumptions will be derived from the \emph{Diffie-Hellman} assumption. The reader is assumed to be familiar with this. We note that the \emph{Decisional Diffie-Hellman} problem is easy within the setting of bilinear maps, as, given some generator $g$ and $g^a$, $g^b$ and $g^c$ where the question is if $c = ab$, it is straightforward to check if $e(g,g^c) = e(g^a,g^b)$, which holds for the case where $c = ab$. As such, new assumptions which are difficult within this setting, are required.
\subsubsection{The BDH Problem} \subsubsection{The BDH Problem}
\label{sec:BDHProb}
Let $\Gm$ and $\Gm_T$ be two groups of prime order $p$. Let $e : \Gm \times \Gm \ra \Gm_T$ be an admissible bilinear map and let $g$ be a generator of $\Gm$. The BDH problem is then in $(\Gm, \Gm_T, e)$ as follows: Given $(g, g^a, g^b, g^c)$ for some $a,b,c \in \mathbb{Z}^*_p$ compute $Z = e(g,g)^{abc}$. Let $\Gm$ and $\Gm_T$ be two groups of prime order $p$. Let $e : \Gm \times \Gm \ra \Gm_T$ be an admissible bilinear map and let $g$ be a generator of $\Gm$. The BDH problem is then in $(\Gm, \Gm_T, e)$ as follows: Given $(g, g^a, g^b, g^c)$ for some $a,b,c \in \mathbb{Z}^*_p$ compute $Z = e(g,g)^{abc}$.
\subsubsection{The BDHE Problem} \subsubsection{The BDHE Problem}
\label{sec:BDHE}
This is defined for a specific $m$ which could for instance be taken as a parameter. Let \G and \Gp{_T} be groups of order $p$ with a bilinear map $e: \Gm \times \Gm \rightarrow \Gmp{_T}$ and let $g \in G$ be a generator. Set $a,s \in_R \Z^*_p$ and $b \in_R \{0,1\}$. If $b=0$, then set $Z = e(g,g)^{a^{m+1} \cdot s}$; $Z \in_R \Gm_T$ otherwise. The problem is then, given $g^s, Z, \{g^{a^i}: i \in [0,m] \cup [m+2, 2m]\}$, what is the value of $b$? This is defined for a specific $m$ which could for instance be taken as a parameter. Let \G and \Gp{_T} be groups of order $p$ with a bilinear map $e: \Gm \times \Gm \rightarrow \Gmp{_T}$ and let $g \in G$ be a generator. Set $a,s \in_R \Z^*_p$ and $b \in_R \{0,1\}$. If $b=0$, then set $Z = e(g,g)^{a^{m+1} \cdot s}$; $Z \in_R \Gm_T$ otherwise. The problem is then, given $g^s, Z, \{g^{a^i}: i \in [0,m] \cup [m+2, 2m]\}$, what is the value of $b$?
\subsubsection{The DBDH Problem}
\label{sec:DBDH}
Note that this is simply the decisional version of \ref{sec:BDHProb}, but we will write it out for clarity.
Let $\Gm$ and $\Gm_T$ be two groups of prime order $p$. Let $e : \Gm \times \Gm \ra \Gm_T$ be an admissible bilinear map and let $g$ be a generator of $\Gm$. The BDH problem is then in $(\Gm, \Gm_T, e)$ as follows: Given $(g, g^a, g^b, g^c)$ for some $a,b,c \in \mathbb{Z}^*_p$, let $Z = e(g,g)^{d}$. If $b=1$ then $d = abc$, otherwise $d \in_R \mathbb{Z}^*_p$. The problem is then to decide the bit $b$ when you are given $(g,g^a,g^b,g^c, Z)$.
\subsubsection{THE MSE-DDH Problem}
\label{sec:MSE-DDH}
As defined in \cite{DTPKE}, whose scheme relies on the intractability of the $(\ell,m,t)$-\texttt{MSE-DDH} decisional problem.
Let $(\Gm_1, \Gm_2, \Gm_T, e)$ define three groups $\Gm_1,\Gm_2,\Gm_T$ all of order some prime $p$ and a bilinear map $e : \Gm_1 \times \Gm_2 \ra \Gm_T$. Let $\ell, m$ and $t$ be three integers. Let $g$ be a generator of $\Gm_1$ and let $h$ be a generator of $\Gm_2$. Then, given two random coprime polynomials, note that two polynomials are coprime if and only if they share no roots, of respective orders $\ell$ and $m$, with pairwise distinct roots $x_1, \dots x_\ell$ and $y_1, \dots, y_m$ respectively, as well as multiple sequences of exponentiations:
\begin{align*}
& x_1, \dots, x_\ell, \qquad \qquad \qquad y_1, \dots, y_m \\
& g, g^{\gamma}, \dots, g^{\gamma^{\ell + t - 2}}, \qquad \quad g^{k\cdot \gamma \cdot f(\gamma)} \\
& g^{\alpha}, g^{\alpha \cdot \gamma}, \dots, g^{\alpha \cdot \gamma^{\ell + t}}, \\
& h, h^{\gamma}, \dots, h^{\gamma^{m-2}}, \\
& h^{\alpha}, h^{\alpha \cdot \gamma}, \dots, h^{\alpha \cdot \gamma^{2m - 1}}, \qquad h^{k \cdot g(\gamma)},
\end{align*}
and finally a $T \in \Gm_T$. The deciding part is then to decide whether $T$ is equal to $e(g,h)^{k \cdot f(\gamma)}$ or merely some random element of $\Gm_T$.
We want to note that the paper does not define either $\alpha$ or $\gamma$, which essentially means this problem is not well defined. We assume however, that both $\alpha$ and $\gamma$ have to come from $\mathbb{Z}^*_p$, whenever this problem is referenced.
\subsection{Identity-Based Encryption} \subsection{Identity-Based Encryption}
\subsubsection{The structure} \subsubsection{The structure}
@ -117,10 +144,35 @@ An Identity-Based Encryption scheme is semantically secure against an adaptive c
This definition closely resembles the standard definition of \texttt{IND-CPA} but extended with the addition of extraction queries and that the challenger is now challenged on an \ID picked by the adversary. The addition of the extraction queries is supported by \cite{ExtractionDef}, when the scheme is to support multiple users, which is likely the case for any IBE scheme. Furthermore, the weaker notion of security known as \emph{Semantic Security} (\texttt{IND-ID-CPA}) can be defined based on \texttt{IND-ID-CCA}, except now the adversary is not allowed to issue any decryption queries, i.e. he is only allowed extraction queries. This definition closely resembles the standard definition of \texttt{IND-CPA} but extended with the addition of extraction queries and that the challenger is now challenged on an \ID picked by the adversary. The addition of the extraction queries is supported by \cite{ExtractionDef}, when the scheme is to support multiple users, which is likely the case for any IBE scheme. Furthermore, the weaker notion of security known as \emph{Semantic Security} (\texttt{IND-ID-CPA}) can be defined based on \texttt{IND-ID-CCA}, except now the adversary is not allowed to issue any decryption queries, i.e. he is only allowed extraction queries.
\subsection{Dynamic Threshold Public-Key Encryption}
Perhaps explain the intuition TODO
\subsubsection{Security Model}
\-\hspace{5mm} \textbf{Setup:}\quad The challenger runs Setup$(\lambda)$ of the \texttt{DTPKE} scheme, obtaining the $\mathtt{params} = (MK,EK,DK,VK,CK)$. All the public parameters (all except for $MK$) are given to the adversary \adv{A}. \vsp{3mm}
\-\hspace{5mm} \textbf{Phase 1:}\quad The adversary is allowed to adaptively issue queries where query $q_i$ is one of three queries;
\begin{itemize}
\item A \texttt{Join} query on an id \texttt{ID}; The challenger runs the \texttt{Join} algorithm on input $(MK,\mathtt{ID})$, to create a new user in the system. Note that the challenger has $MK$ from the setup step.
\item A \texttt{Corrupt} query on an id \texttt{ID}: The challenger forwards the corresponding private key to the adversary.
\item A \texttt{ShareDecrypt} query on an id \texttt{ID} and a header \texttt{Hdr}: The challenger runs the \texttt{ShareDecrypt} algorithm of the \texttt{DTPKE} scheme on \texttt{Hdr}, using the corresponding private key, and forwards the partial decryption to the adversary.
\end{itemize}
\hsp{5mm} \textbf{Challenge:}\quad The adversary \adv{A} outputs a target set of users $S^*$ as well as a threshold $t^*$. The challenger selects $b \in_R \set{0, 1}$ and then runs \texttt{Encrypt} to obtain $\mathtt{Hdr}^*, k_0) \la \mathtt{Encrypt}(EK, S^*, t^*)$. Furthermore, he picks another key $k_1 \in_R \mathcal{K}$. The challenger outsputs $(\mathtt{Hdr}^*, k_b)$ to \adv{A}. \vsp{3mm}
\hsp{5mm} \textbf{Phase 2:}\quad The adversary \adv{A} is allowed to continue adaptively issuing \texttt{Join, Corrupt} and \texttt{ShareDecrypt} queries, with the only constraint that he asks less than or equal to $t^*-1$.\vsp{3mm}
\hsp{5mm} \textbf{Guess:} The adversary outputs a guess bit $b' \in \{0,1\}$ and he will win the game if $b' = b$. \vsp{5mm}
From this basic description, we can define three sub definitions:
\begin{itemize}
\item \emph{Non-Adaptive Adversary} (\texttt{NAA}): We restrict the adversary to decide upon the challenge set $S^*$ as well as the threshold $t^*$ before the \texttt{Setup} step is run.
\item \emph{Non-Adaptive Corruption} (\texttt{NAC}): We restrict the adversary to decide before the setup is run, which identities will be corrupted.
\item \emph{Chosen-Plaintext Adversary} (\texttt{CPA}): We restrict the adversary from issuing share decryption queries.
\end{itemize}
\subsection{Broadcast Encryption} \subsection{Broadcast Encryption}
% TODO: Consider moving the introduction to what a BE Scheme is to here. Same goes for IBE and AHBE and DTPKE.
\subsubsection{security defintions} \subsubsection{security defintions}
\label{sec:BESec} \label{sec:BESec}
We define three levels of security, \emph{Static, Semi-Static} and \emph{Adaptive}. For the sake of simplicity, we will explain Semi-static and then emphasise the differences. Note that Semi-static security is stronger than Static security, but weaker than Adaptive. The definition of Semi-Static is due to Gentry and Waters \cite{BESecDef, GentryWaters}. \vsp{4mm} We define three levels of security, \emph{Static, Semi-Static} and \emph{Adaptive}. For the sake of simplicity, we will explain Semi-static and then emphasise the differences. Note that Semi-Static security is stronger than Static security, but weaker than Adaptive. The definition of Semi-Static is due to Gentry and Waters \cite{BESecDef, GentryWaters}. \vsp{4mm}
\hsp{5mm}\textbf{Initialisation:}\quad The adversary \adv{A} first commits to a \emph{potential} set of receivers which he wishes to attack, $\tilde{S}$, and outputs this. \vsp{3mm} \hsp{5mm}\textbf{Initialisation:}\quad The adversary \adv{A} first commits to a \emph{potential} set of receivers which he wishes to attack, $\tilde{S}$, and outputs this. \vsp{3mm}
\hsp{5mm}\textbf{Setup:}\quad The challenger \CH runs the $BSetup(n, \ell)$ algorithm of the BE scheme, obtaining a public key PK. \CH gives this PK to \adv{A}. \vsp{3mm} \hsp{5mm}\textbf{Setup:}\quad The challenger \CH runs the $BSetup(n, \ell)$ algorithm of the BE scheme, obtaining a public key PK. \CH gives this PK to \adv{A}. \vsp{3mm}
\hsp{5mm}\textbf{Key Extraction Phase:}\quad The adversary \adv{A} is allowed to issue private key queries for indices $i \in [n] \setminus \tilde{S}$, i.e. he is allowed to ask for the private keys of any user not in the set of potential receivers. \vsp{3mm} \hsp{5mm}\textbf{Key Extraction Phase:}\quad The adversary \adv{A} is allowed to issue private key queries for indices $i \in [n] \setminus \tilde{S}$, i.e. he is allowed to ask for the private keys of any user not in the set of potential receivers. \vsp{3mm}
@ -128,7 +180,7 @@ We define three levels of security, \emph{Static, Semi-Static} and \emph{Adaptiv
\hsp{5mm}\textbf{Guess:}\quad Adversary \adv{A} outputs a guess $b' \in \{0,1\}$ and he wins if $b' = b$. \\ \\ \hsp{5mm}\textbf{Guess:}\quad Adversary \adv{A} outputs a guess $b' \in \{0,1\}$ and he wins if $b' = b$. \\ \\
\noindent \noindent
The advantage of \adv{A} is then defined as: $$Adv_{SS,BE,n,\ell}(\lambda) = |Pr(b'=b) - \frac{1}{2}|$$ The advantage of \adv{A} is then defined as: $$Adv_{SS,BE,n,\ell}(\lambda) = |Pr(b'=b) - \frac{1}{2}|$$
Static security is the least strongest type and it requires the adversary to commit to a set of which he wants to be challenged on, in the initialisation phase, rather than the potential set the Semi-static adversary has to commit to. Adaptive security is arguably the most desired and correct type, as it enforces nothing in regards to the attack set $S^*$. The adversary is allowed to see the PK and ask for several private keys, before choosing which set he wishes to attack. We note here, that due to Gentry and Waters \cite{GentryWaters}, we can transform a Semi-statically secure BE scheme to an Adaptively secure BE scheme. Static security is the least strongest type and it requires the adversary to commit to the set of receivers of which he wants to be challenged on, in the initialisation phase, rather than the potential set the Semi-Static adversary has to commit to. Adaptive security is arguably the most desired and correct type, as it enforces nothing in regards to the attack set $S^*$. The adversary is allowed to see the public key PK and ask for several private keys, before choosing which set he wishes to be challenged on. We note here, that due to Gentry and Waters \cite{GentryWaters}, we can transform a Semi-Statically secure BE scheme to an Adaptively secure BE scheme.
\subsection{Ad-Hoc Broadcast Encryption} \subsection{Ad-Hoc Broadcast Encryption}
@ -143,11 +195,8 @@ Both the Challenger and an adversary \adv{A} are both given the security paramet
The advantage of \adv{A} is as expected; $Adv^{\texttt{AHBE}}_{\mathcal{A},n,N}(1^\lambda) = |Pr(b = b') - \frac{1}{2}|$. The advantage of \adv{A} is as expected; $Adv^{\texttt{AHBE}}_{\mathcal{A},n,N}(1^\lambda) = |Pr(b = b') - \frac{1}{2}|$.
% TODO: Write security definitions of BE
% TODO: Finish this section on the security definition of IBE as well as Bilinear Maps and BDH
% TODO: Write up all of the mathematical assumptions % TODO: Write up all of the mathematical assumptions
% TODO: Write of the Threshold Public Key Encryption Scheme; https://www.di.ens.fr/david.pointcheval/Documents/Papers/2008_crypto.pdf % TODO: Write of the Threshold Public Key Encryption Scheme; https://www.di.ens.fr/david.pointcheval/Documents/Papers/2008_crypto.pdf
% TODO: Write up the different security definitions for BE systems, Static, Semi-Static and Adaptive
\section{Identity Based Encryption} \section{Identity Based Encryption}
We will cover a basic identity based encryption scheme which illustrates a basic usage of bilinear maps as well as one way to extend the \emph{Diffie-Hellman Assumption} known from Public Key Encryption. This scheme is not secure against an adaptive chosen ciphertext attack (\texttt{IND-ID-CCA}). Note that it can be extended to cover this, but this is out of the scope of this paper. We note that although this scheme is not awefully relevant for the rest of this paper, it still is something we covered throughout the semester and it offers a delicate and simple introduction to some of the mathematical concepts and encryption schemes which will be used throughout this paper, specifically that of bilinear maps and public key cryptography. We will cover a basic identity based encryption scheme which illustrates a basic usage of bilinear maps as well as one way to extend the \emph{Diffie-Hellman Assumption} known from Public Key Encryption. This scheme is not secure against an adaptive chosen ciphertext attack (\texttt{IND-ID-CCA}). Note that it can be extended to cover this, but this is out of the scope of this paper. We note that although this scheme is not awefully relevant for the rest of this paper, it still is something we covered throughout the semester and it offers a delicate and simple introduction to some of the mathematical concepts and encryption schemes which will be used throughout this paper, specifically that of bilinear maps and public key cryptography.
@ -178,10 +227,32 @@ Where these masks which are used during encryption and decryption are the same a
$$e(d_{\mathtt{ID}}, u) = e(Q_{\mathtt{ID}}^s, g^r) = e(Q_{\mathtt{ID}}, g)^{sr} = e(Q_{\mathtt{ID}}, PK)^r = g^r_{\mathtt{ID}}$$ $$e(d_{\mathtt{ID}}, u) = e(Q_{\mathtt{ID}}^s, g^r) = e(Q_{\mathtt{ID}}, g)^{sr} = e(Q_{\mathtt{ID}}, PK)^r = g^r_{\mathtt{ID}}$$
\subsection{Security} \subsection{Security}
The scheme is showed to be semantically secure (\texttt{IND-ID-CPA}), assuming that the BDH problem is hard in the groups generated by $\mathcal{G}$. The scheme can be shown to be semantically secure (\texttt{IND-ID-CPA}), assuming that the BDH problem is hard in the groups generated by $\mathcal{G}$.
% TODO: Consider finishing this security proof. Is it really that important? It's the last from this paper. % TODO: Consider finishing this security proof. Is it really that important? It's the last from this paper.
\section{Dynamic Threshold Public-Key Encryption}
In a Threshold Public-Key Encryption (\texttt{TPKE}) scheme, the decryption key corresponding to a public key is shared among a set of $n$ users \cite{TPKE}. Specifically for \texttt{TPKE} is that for any ciphertext to be correctly decrypted, $t$ receivers has to participate and cooperate. Thus, if any number of users less than $t$ try to decrypt, they will gain nothing, hence the threshold part of \texttt{TPKE}. A limitation of existing \texttt{TPKE} schemes however, is that the threshold value of $t$ is tightly connected to the public key of the system, as such, one has to fix the threshold for good, when setting up the system. Many applications would benefit from a flexibility to choose $t$ whenever broadcasting. As such Dynamic Threshold Public-Key Encryption (\texttt{DTPKE}) is proposed \cite{DTPKE}.
\subsection{Modelling \texttt{DTPKE}}
A \texttt{DTPKE}-scheme consist of $7$ algorithms: $\mathtt{DTPKE} = (Setup, Join, Encrypt, ValidateCT, ShareDecrypt, ShareVerify, Combine)$. \vsp{4mm}
\hsp{5mm}\textbf{Setup$(\lambda)$:}\quad Takes security parameter $\lambda$. Outputs a set of system parameters: $\mathtt{params} = (MK,EK,DK,VK,CK)$. $MK$ is a Master Secret Key, $EK$ is the Encryption Key, $DK$ is the Decryption Key, $VK$ is the Validation Key and $CK$ is the Combination Key. $MK$ is kept secret by the issuer, but the other four are public parameters. \vsp{3mm}
\hsp{5mm}\textbf{Join$(MK, \mathtt{ID})$:}\quad Takes the $MK$ and an identity \ID of a user. Outputs the user's keys $(usk, upk, uvk)$, where $usk$ is the secret key used for decryption, $upk$ is the public key used for encrypting and $uvk$ is the verification key. $upk, uvk$ are both public, whereas $usk$ is given privately to the user.\vsp{3mm}
\hsp{5mm}\textbf{Encryptp$(EK, S, t, M)$:}\quad Takes the Encryption Key, the public keys of the users within the receiver set $S$, a threshold $t$ and a message to be encrypted, $M$. Outputs a ciphertext.\vsp{3mm}
\hsp{5mm}\textbf{ValidateCT$(EK, S, t, C)$:}\quad Takes the encryption key, the public keys of the receiver set, a threshold and a ciphertext. Checks whether $C$ is a valid ciphertext with respect to $EK, S$ and $t$. \vsp{3mm}
\hsp{5mm}\textbf{ShareDecrypt$(DK, \mathtt{ID}, usk, C)$:}\quad Takes the decryption key, a user id \ID and his private key $usk$, as well as a ciphertext $C$. Outputs a decryption share $\sigma$ or $\perp$. \vsp{3mm}
\hsp{5mm}\textbf{ShareVerify$(VK, \mathtt{ID}, uvk, C, \sigma)$:}\quad Takes the verification key $VK$, a user id \ID and his verification key $uvk$ plus a ciphertext $C$ and decryption share $\sigma$. Checks whether $\sigma$ is a valid decryption share with respect to $uvk$. \vsp{3mm}
\hsp{5mm}\textbf{Combine$(CK, S, t, C, T, \Sigma)$:}\quad Takes the combination key $CK$, a ciphertext $C$, some subset $T \subseteq S$ of $t$ authorised users and $\Sigma = (\sigma_1, \dots, \sigma_t)$ which is a list of $t$ decryption share. Outputs the plaintext $M$ or $\perp$.\vsp{3mm}
\subsection{A scheme and the security thereof}
It should be noted that this scheme is very long and as such will be left out of the report, but it will be left within the appendix, completely as the original authors wrote it. We will instead list their security proof, which contains an error worth of noting. Their proof is a reduction to the \texttt{MSE-DDH} problem, as defined in Section \ref{sec:MSE-DDH}. That being said, their security proof states that the \texttt{DTPKE} scheme has \texttt{IND-NAA-NAC-CPA} security (Non-adaptive adversary, non-adaptive corruption, chosen-plaintext attack).
% TODO: Explain this scheme and their security proof which doesn't work. Yikes.
% TOOD: Add the DTPKE scheme to the appendix.
% TODO: Consider scrapping the entire DTPKE thing ..
% TODO: Fix all algorithms from BE schemes to be prefixed with B
\section{Broadcast Encryption} \section{Broadcast Encryption}
\label{sec:BE} \label{sec:BE}
Broadcast Encryption systems \cite{BEDef} in a nutshell, allows one sender to send to a subset $S \subseteq [n]$ of users with a single message. Traditionally, the user would have to encrypt this message once per user in a horribly inefficient manner. This is fixed, by defining the encryption key in such a way to allow for any user within the $S$ to decrypt the message, while not allowing anyone outside of $S$ to do so. It is preferable for this kind of schem to be \emph{public key based}, rather than symmetric. This allows any user to encrypt. It should allow \emph{stateless receivers} s.t. users won't need to keep any state such as updating a private key, and the system should be \emph{fully collusion resistant}, i.e. not allow decryption even if everybody outside of the set $S$ cooperated. Broadcast Encryption systems \cite{BEDef} in a nutshell, allows one sender to send to a subset $S \subseteq [n]$ of users with a single message. Traditionally, the user would have to encrypt this message once per user in a horribly inefficient manner. This is fixed, by defining the encryption key in such a way to allow for any user within the $S$ to decrypt the message, while not allowing anyone outside of $S$ to do so. It is preferable for this kind of schem to be \emph{public key based}, rather than symmetric. This allows any user to encrypt. It should allow \emph{stateless receivers} s.t. users won't need to keep any state such as updating a private key, and the system should be \emph{fully collusion resistant}, i.e. not allow decryption even if everybody outside of the set $S$ cooperated.
@ -233,7 +304,6 @@ This construction we'll be the foundation of the \emph{Ad-Hoc Broadcast Encrypti
% TODO: Fix those [1,n]. I want [n] everywhere, instead. Also mention that [n] is shorthand for it % TODO: Fix those [1,n]. I want [n] everywhere, instead. Also mention that [n] is shorthand for it
% TODO: The dynamic threshold encryption scheme % TODO: The dynamic threshold encryption scheme
% TODO: Discuss DBDH assumption
\section{Ad-Hoc Broadcast Encryption} \section{Ad-Hoc Broadcast Encryption}
The scheme presented in \ref{sec:BE} requires a \emph{trusted dealer} to perform its \emph{setup} and \emph{keygen}. It goes for a lot of \emph{Broadcast Encryption} systems, that they require a trusted entity to generate and distribute secret keys to all users. This tends to make the system very rigid and not applicable to ad hoc networks or peer-to-peer networks. A \emph{potential} solution to this is presented by \cite{AHBE}. They present a solution to the fully dynamic case of broadcast encryption. This has significant ties to the \emph{Dynamic Threshold Encryption} scheme in which users could freely join and leave, however they did not quite get rid of the trusted dealer. This is accomplished here. Keep in mind that broadcast encryption is simply threshold encryption for the threshold of $t=1$. The scheme presented in \ref{sec:BE} requires a \emph{trusted dealer} to perform its \emph{setup} and \emph{keygen}. It goes for a lot of \emph{Broadcast Encryption} systems, that they require a trusted entity to generate and distribute secret keys to all users. This tends to make the system very rigid and not applicable to ad hoc networks or peer-to-peer networks. A \emph{potential} solution to this is presented by \cite{AHBE}. They present a solution to the fully dynamic case of broadcast encryption. This has significant ties to the \emph{Dynamic Threshold Encryption} scheme in which users could freely join and leave, however they did not quite get rid of the trusted dealer. This is accomplished here. Keep in mind that broadcast encryption is simply threshold encryption for the threshold of $t=1$.
@ -339,7 +409,7 @@ The security of the AHBE scheme is proven by a reduction to the underlying KHBE
% TODO: Fix (?) proof % TODO: Fix (?) proof
\subsection{Issues with the proof} \subsection{Issues with the proof}
- How can B get the keys $d_{i^*}(j)$ for $j \in \tilde{S}$, which B will need for the public keys he has to present in the beginning to A? The only key which is supposed to be private in the AHBE scheme is $d_{i^*}(i^*)$. Specifically: The primary issue of this proof arises when the following question is raised: "How can B get the keys $d_{i^*}(j)$ for $j \in \tilde{S}$". These decryption keys will have to be a part of the public keys that \adv{B} has to present to \adv{A} in the beginning of the setup of the AHBE scheme? The only key which is supposed to be private in the AHBE scheme is $d_{i^*}(i^*)$, which is an issue, as \adv{B} eventually wants to attack the set $S^*$, which contains several of the users of which he will have to corrupt to get the missing keys. Specifically:
\begin{figure} \begin{figure}
\[ \[
@ -357,7 +427,13 @@ The security of the AHBE scheme is proven by a reduction to the underlying KHBE
\end{figure} \end{figure}
If we consider the user $i^*$ to be $\U_1$ and $\tilde{S}$ to simply be all $n$ recipients, then the algorithm \adv{B} is missing all the underlined keys, in the proof, as he is not allowed to query these keys, since he at some point want to attack the set $S^* \subseteq \tilde{S}$, which is against the rules of the adaptive game for the (KH)BE scheme, as defined in Section \ref{sec:BESec}. If we consider the user $i^*$ to be $\U_1$ and $\tilde{S}$ to simply be all $n$ recipients, then the algorithm \adv{B} is missing all the underlined keys, in the proof, as he is not allowed to query these keys, since he at some point want to attack the set $S^* \subseteq \tilde{S}$, which is against the rules of the adaptive game for the (KH)BE scheme, as defined in Section \ref{sec:BESec}.
Things we considered; Adding another homomorphic property such that we can safely ONLY use $\{i^*\}$ as the recipient set we sent to \CH. This transformation would have to be both randomised and OTP, as otherwise if we sent a header encrypting some key, it should not be allowed to transform this header into another one, then decrypting it for the key and then recovering the old key from this. This goal seems quite difficult to achieve and we argue that this breaks the underlying security. To remedy this, we considered primarily one thing; Adding another homomorphic property such that we can safely use \emph{only} $\{i^*\}$ as the recipient set we sent to \CH.
\begin{theorem}
If \texttt{Hdr} is a header for $k_{i^*}$ under $(i^*, PK_{i^*})$, then it is also a header of $k_{i^*}$ under $(R^*, PK_i)$
\end{theorem} % TODO: Ask Sophia about this on friday
This would allow \adv{B} to challenge for a header for a receiver set only containing $i^*$, which means he does not have to worry of querying for the decryption keys of the other receivers within $S^*$. When \adv{B} receives the challenge header from the challenger, this can be transformed into a proper header for the adversary \adv{A}.
This transformation would have to be both randomised and OTP, as otherwise if we sent a header encrypting some key, it should not be allowed to transform this header into another one, then decrypting it for the key and then recovering the old key from this. This goal seems quite difficult to achieve and we argue that this breaks the underlying security.
\subsection{An AHBE Implementation} \subsection{An AHBE Implementation}
To end up with a Semi-statically secure AHBE scheme, we first need to produce an adaptively secure BE scheme which is key homomorphic. To this end, we use the scheme defined in \ref{sec:BE} coupled with the generic transformation from Semi-static to Adaptive by Gentry and Waters \cite{GentryWaters}. Note that $g, h_{i,s} \text{ for } i \in [1,n], s \in \{0,1\}$ be independent generators of a group $\mathbb{G}$ of prime order $p$, with a bilinear map $e : \Gm \times Gm \ra \Gm_{T}$. \vsp{5mm} To end up with a Semi-statically secure AHBE scheme, we first need to produce an adaptively secure BE scheme which is key homomorphic. To this end, we use the scheme defined in \ref{sec:BE} coupled with the generic transformation from Semi-static to Adaptive by Gentry and Waters \cite{GentryWaters}. Note that $g, h_{i,s} \text{ for } i \in [1,n], s \in \{0,1\}$ be independent generators of a group $\mathbb{G}$ of prime order $p$, with a bilinear map $e : \Gm \times Gm \ra \Gm_{T}$. \vsp{5mm}
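Review bot: The query restriction in the Phase 2 paragraph of the new DTPKE security model says only that the adversary "asks less than or equal to $t^*-1$" without saying what is being counted, and it is stated for Phase 2 alone, so Corrupt queries on members of $S^*$ issued in Phase 1 are left unrestricted and the game is trivially winnable as written. The bound has to cover both phases and count, for the challenge set $S^*$, corrupted identities together with share-decryption queries on the challenge header; I would end the Phase 2 sentence with `with the restriction that, over both phases, the number of identities in $S^*$ that are corrupted plus the number of \texttt{ShareDecrypt} queries on $(\mathtt{ID}, \mathtt{Hdr}^*)$ with $\mathtt{ID} \in S^*$ is at most $t^*-1$.` (check the exact wording against \cite{DTPKE}). In the same Challenge step, `$\mathtt{Hdr}^*, k_0) \la \mathtt{Encrypt}(EK, S^*, t^*)$` is missing its opening parenthesis and "outsputs" is a typo. The new DBDH definition reuses $b$ both as the exponent in $g^b$ and as the challenge bit, and its body still says "The BDH problem is then", so the bit should be renamed (e.g. $\beta$) and the name corrected. In the MSE-DDH definition the two coprime polynomials are never named before $f(\gamma)$ and $g(\gamma)$ are used in the exponents, and the polynomial $g$ collides with the generator $g$ of $\Gm_1$; introducing them as `two random coprime polynomials $f$ and $g$ of respective degrees $\ell$ and $m$` and renaming either the generator or the polynomial would remove the ambiguity.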