4.2 Private DFA Evaluation on Signed and Encrypted Data
4.2.4 Complexity
Protocol $\Pi_3(\mathcal{E})$ has a communication complexity of $O(\ell m n \kappa^2)$ bits, dominated by the message $m_{304}$ sent by the server in each round. The storage cost on the server is determined by the BLS signature stored for each character of the file. Assuming a BLS signature of length roughly 170 bits [18], this amounts to $170\ell$ bits in total for a file of $\ell$ characters. When a byte is used as the character unit of a file, this is a storage blow-up of about 21 times compared with the original file.
4.2.5 Security Against Server Adversaries
In this section we prove the security of the protocol against server adversaries. We separately consider DFA privacy, file privacy and result authenticity against server adversaries.
DFA privacy against malicious server adversaries. Following the security definitions of Chapter 3, we formalize our claims against server compromise by defining a server adversary $S = (S_1, S_2)$ that attacks the DFA $M = \langle Q, \Sigma, \delta, q_{init}\rangle$ held by the client, as described in experiment $\mathsf{Expt}^{s\text{-}dfa}_{\Pi_3(\mathcal{E})}$ in Fig. 4.2a. $S_1$ is given the BLS signature verification key $vk = \langle p, \mathbb{G}_1, \mathbb{G}_2, g, e, h\rangle$ and a public key $ek$ of an IND-CPA secure encryption scheme, and generates a file $\langle \sigma_k\rangle_{k\in[\ell]}$ and two DFAs $M_0$ and $M_1$. $S_2$ then receives $vk$, the ciphertexts $\langle s_k, b_k\rangle_{k\in[\ell]}$ of its file, information $\phi$ created for it by $S_1$, and oracle access to $\mathsf{clientOr}(vk, dk, ek', M_b)$ for $b$ chosen randomly.

$\mathsf{clientOr}$ responds to queries from $S_2$ as follows, ignoring malformed queries. $S_2$ initiates by sending a Paillier encryption public key $pek$ and an integer $\ell$ (as in $m_{301}$). $\mathsf{clientOr}$ responds with a message containing an integer $n$ and a ciphertext $\theta$ (i.e., of the form of $m_{302}$). In addition, $\mathsf{clientOr}$ sends a message of the form $\alpha, \rho, \Psi_k$, where $\alpha \in C_{pek}$, $\rho \in C_{ek'}$ and $\Psi_k \in \mathbb{G}_1$, i.e., three values as in $m_{303}$. The next $\ell$ queries by $S_2$ must each contain $nm$ elements of $C_{pek}$ and an element of $C_{ek}$, i.e., $\langle \mu_{ij}\rangle_{i\in[n], j\in[m]}$ and $b_k$ as in $m_{304}$, to which $\mathsf{clientOr}$ responds with three values as in message $m_{303}$. After that, $\mathsf{clientOr}$ sends another ciphertext $\alpha$ of $C_{pek}$ as in $m_{305}$. The next (and last) query by $S_2$ can consist simply of a value in $R$, as in message $m_{306}$.

Eventually $S_2$ outputs a bit $b'$, and $\mathsf{Expt}^{s\text{-}dfa}_{\Pi_3(\mathcal{E})}(S) = 1$ only if $b' = b$. We say the advantage of $S$ is
$$\mathsf{Adv}^{s\text{-}dfa}_{\Pi_3(\mathcal{E})}(S) = 2 \cdot \Pr\left[\mathsf{Expt}^{s\text{-}dfa}_{\Pi_3(\mathcal{E})}(S) = 1\right] - 1$$
and define $\mathsf{Adv}^{s\text{-}dfa}_{\Pi_3(\mathcal{E})}(t, \ell, n, m) = \max_S \mathsf{Adv}^{s\text{-}dfa}_{\Pi_3(\mathcal{E})}(S)$, where the maximum is taken over all adversaries $S$ taking time $t$, selecting a
Figure 4.2: Experiments for proving DFA privacy (a) and file privacy (b) against server adversaries.

(a) Experiment $\mathsf{Expt}^{s\text{-}dfa}_{\Pi_3(\mathcal{E})}(S_1, S_2)$:
  $(p, \mathbb{G}_1, \mathbb{G}_2, g, e) \leftarrow \mathsf{ParamGen}(1^\kappa)$
  $(\langle p, \mathbb{G}_1, \mathbb{G}_2, g, e, h\rangle, \langle \mathbb{G}_1, x\rangle) \leftarrow \mathsf{BLSKeyGen}(p, \mathbb{G}_1, \mathbb{G}_2, g, e)$
  $vk \leftarrow \langle p, \mathbb{G}_1, \mathbb{G}_2, g, e, h\rangle$
  $(ek, dk) \leftarrow \mathsf{Gen}(1^\kappa)$
  $(ek', dk') \leftarrow \mathsf{Gen}(1^{\kappa+2})$
  $(\ell, \langle \sigma_k\rangle_{k\in[\ell]}, M_0, M_1, \phi) \leftarrow S_1(vk, ek)$
  if $|M_0.Q| \ne |M_1.Q|$ or $M_0.\Sigma \ne M_1.\Sigma$ then return 0
  $b \xleftarrow{\$} \{0, 1\}$
  for $k \in [\ell]$:
    $s_k \leftarrow \mathsf{BLSSign}_{\langle \mathbb{G}_1, x\rangle}(\sigma_k \| k)$
    $\beta_k \xleftarrow{\$} \mathbb{Z}_p^*$
    $s_k \leftarrow s_k^{\beta_k}$
    $b_k \leftarrow \mathsf{Enc}_{ek}(\beta_k)$
  $b' \leftarrow S_2^{\mathsf{clientOr}(vk, dk, ek', M_b)}(\phi, vk, M_b.\Sigma, \langle s_k, b_k\rangle_{k\in[\ell]})$
  if $b' = b$ then return 1 else return 0

(b) Experiment $\mathsf{Expt}^{s\text{-}file}_{\Pi_3(\mathcal{E})}(S_1, S_2)$:
  $(p, \mathbb{G}_1, \mathbb{G}_2, g, e) \leftarrow \mathsf{ParamGen}(1^\kappa)$
  $(\langle p, \mathbb{G}_1, \mathbb{G}_2, g, e, h\rangle, \langle \mathbb{G}_1, x\rangle) \leftarrow \mathsf{BLSKeyGen}(p, \mathbb{G}_1, \mathbb{G}_2, g, e)$
  $vk \leftarrow \langle p, \mathbb{G}_1, \mathbb{G}_2, g, e, h\rangle$
  $(ek, dk) \leftarrow \mathsf{Gen}(1^\kappa)$
  $(ek', dk') \leftarrow \mathsf{Gen}(1^{\kappa+2})$
  $(\ell, \langle \sigma_{0k}\rangle_{k\in[\ell]}, \langle \sigma_{1k}\rangle_{k\in[\ell]}, M, \phi) \leftarrow S_1(vk, ek)$
  $b \xleftarrow{\$} \{0, 1\}$
  for $k \in [\ell]$:
    $s_k \leftarrow \mathsf{BLSSign}_{\langle \mathbb{G}_1, x\rangle}(\sigma_{bk} \| k)$
    $\beta_k \xleftarrow{\$} \mathbb{Z}_p^*$
    $s_k \leftarrow s_k^{\beta_k}$
    $b_k \leftarrow \mathsf{Enc}_{ek}(\beta_k)$
  $b' \leftarrow S_2^{\mathsf{clientOr}(vk, dk, ek', M),\, H_1(\cdot)}(\phi, vk, M.\Sigma, \langle s_k, b_k\rangle_{k\in[\ell]})$
  if $b' = b$ then return 1 else return 0
We reduce DFA privacy against server attacks to the IND-CPA [10] security of the encryption scheme. IND-CPA security is defined using the experiment in Fig. 3.3 in Chapter 3, in which an adversary $U$ is provided a public key $\hat{pk}$ and access to an oracle $\mathsf{Enc}^{\hat b}_{\hat{pk}}(\cdot, \cdot)$ that consistently encrypts either the first of its two inputs (if $\hat b = 0$) or the second of those inputs (if $\hat b = 1$). Eventually $U$ outputs a guess $\hat b'$ at $\hat b$, and $\mathsf{Expt}^{ind\text{-}cpa}_{\mathcal{E}}(U) = 1$ only if $\hat b' = \hat b$. The IND-CPA advantage of $U$ is defined as
$$\mathsf{Adv}^{ind\text{-}cpa}_{\mathcal{E}}(U) = 2 \cdot \Pr\left[\mathsf{Expt}^{ind\text{-}cpa}_{\mathcal{E}}(U) = 1\right] - 1.$$
Then $\mathsf{Adv}^{ind\text{-}cpa}_{\mathcal{E}}(t, w) = \max_U \mathsf{Adv}^{ind\text{-}cpa}_{\mathcal{E}}(U)$, where the maximum is taken over all adversaries $U$ executing in time $t$ and making $w$ queries to $\mathsf{Enc}^{\hat b}_{\hat{pk}}(\cdot, \cdot)$.
We now prove the DFA privacy of the protocol.
Theorem 4. For $t' = t + t_{\mathsf{ParamGen}} + t_{\mathsf{BLSKeyGen}} + t_{\mathsf{Gen}} + \ell \cdot (t_{\mathsf{BLSSign}} + t_{\mathsf{Enc}})$,
$$\mathsf{Adv}^{s\text{-}dfa}_{\Pi_3(\mathcal{E})}(t, \ell, n, m) \le 2\,\mathsf{Adv}^{ind\text{-}cpa}_{\mathcal{E}}(t', \ell + 1).$$
Proof. Let $S$ be an adversary meeting the parameters $t, \ell, n, m$. Consider a simulation $\mathsf{Sim}^{s\text{-}dfa}_{\Pi_3(\mathcal{E})}$ for $\mathsf{Expt}^{s\text{-}dfa}_{\Pi_3(\mathcal{E})}$ that differs only by simulating $\mathsf{clientOr}$ so as to substitute the ciphertext produced with $ek'$ in $c_{304}$ with an encryption of a random injection $\pi'$ independent of the $\pi$ it chose as in $c_{303}$ (i.e., $\rho \leftarrow \mathsf{Enc}_{pk'}(\pi')$, $\pi' \xleftarrow{\$} \mathsf{Injs}(Q \to R)$) and to substitute all ciphertexts created in $c_{309}$ with encryptions of zero. Then $b$ is hidden information-theoretically from $S$ in $\mathsf{Sim}^{s\text{-}dfa}_{\Pi_3(\mathcal{E})}$, since $\gamma$ is a random element of $R$ in s305 (see $c_{308}$) and $\Psi_k$ is a random element of $\mathbb{G}_1$ (see $c_{310}$), and since $\gamma^*$ is a random element of $R$ (see $c_{303}$). As a result, $\Pr\left[\mathsf{Sim}^{s\text{-}dfa}_{\Pi_3(\mathcal{E})}(S) = 1\right] = \frac{1}{2}$, and for $\mathsf{Adv}^{s\text{-}dfa}_{\Pi_3(\mathcal{E})}(S)$ to be nonzero, $S$ must distinguish $\mathsf{Sim}^{s\text{-}dfa}_{\Pi_3(\mathcal{E})}$ from $\mathsf{Expt}^{s\text{-}dfa}_{\Pi_3(\mathcal{E})}$.

We construct an IND-CPA adversary $U$ that, on input $\hat{pk}$, sets $ek' \leftarrow \hat{pk}$ and uses its own oracle $\mathsf{Enc}^{\hat b}_{\hat{pk}}$ to choose between running $\mathsf{Expt}^{s\text{-}dfa}_{\Pi_3(\mathcal{E})}$ and $\mathsf{Sim}^{s\text{-}dfa}_{\Pi_3(\mathcal{E})}$ for $S$, by setting $\theta \leftarrow \mathsf{Enc}^{\hat b}_{\hat{pk}}(\pi, \pi')$ in $c_{304}$ and $\rho \leftarrow \mathsf{Enc}^{\hat b}_{\hat{pk}}(r, 0)$ in $c_{307}$. (Aside from this, $U$ performs $\mathsf{Expt}^{s\text{-}dfa}_{\Pi_3(\mathcal{E})}$ faithfully, generating $(ek, dk) \leftarrow \mathsf{Gen}(1^\kappa)$ itself.) Finally, $U$ returns $\hat b' = 0$ if $S_2$ outputs $b' = b$, and $\hat b' = 1$ otherwise. Then,
$$\begin{aligned}
\Pr\left[\mathsf{Expt}^{ind\text{-}cpa}_{\mathcal{E}}(U) = 1\right] &= \tfrac{1}{2}\Pr\left[\mathsf{Expt}^{s\text{-}dfa}_{\Pi_3(\mathcal{E})}(S) = 1\right] + \tfrac{1}{2}\Pr\left[\mathsf{Sim}^{s\text{-}dfa}_{\Pi_3(\mathcal{E})}(S) = 0\right] \\
&= \tfrac{1}{2}\left(\tfrac{1}{2} + \tfrac{1}{2}\mathsf{Adv}^{s\text{-}dfa}_{\Pi_3(\mathcal{E})}(S)\right) + \tfrac{1}{4} = \tfrac{1}{2} + \tfrac{1}{4}\mathsf{Adv}^{s\text{-}dfa}_{\Pi_3(\mathcal{E})}(S),
\end{aligned}$$
and so $\mathsf{Adv}^{ind\text{-}cpa}_{\mathcal{E}}(U) = \tfrac{1}{2}\mathsf{Adv}^{s\text{-}dfa}_{\Pi_3(\mathcal{E})}(S)$.

Note that $U$ makes $\ell + 1$ oracle queries and runs in time $t' = t + t_{\mathsf{ParamGen}} + t_{\mathsf{BLSKeyGen}} + t_{\mathsf{Gen}} + \ell \cdot (t_{\mathsf{BLSSign}} + t_{\mathsf{Enc}})$, due to the need to generate the BLS signing key and $(ek, dk)$ and to encrypt $\ell$ file characters.
File privacy against malicious server adversaries. Next, we prove that the protocol protects file privacy against an arbitrarily malicious server adversary. We define the server adversary $S = (S_1, S_2)$ attacking the file ciphertexts $\langle s_k, b_k\rangle_{k\in[\ell]}$ as in experiment $\mathsf{Expt}^{s\text{-}file}_{\Pi_3(\mathcal{E})}$ shown in Fig. 4.2b. $S_1$ produces two equal-length plaintext files $\langle \sigma_{0k}\rangle_{k\in[\ell]}$, $\langle \sigma_{1k}\rangle_{k\in[\ell]}$ and a DFA $M$. $S_2$ receives the ciphertexts $\langle s_k, b_k\rangle_{k\in[\ell]}$ for file $\langle \sigma_{bk}\rangle_{k\in[\ell]}$, where $b$ is chosen randomly. $S_2$ is also given oracle access to $\mathsf{clientOr}(vk, dk, ek', M)$ and hash oracle access to $H_1(\cdot)$. Eventually $S_2$ outputs a bit $b'$, and $\mathsf{Expt}^{s\text{-}file}_{\Pi_3(\mathcal{E})}(S) = 1$ iff $b' = b$. We say the advantage of $S$ is
$$\mathsf{Adv}^{s\text{-}file}_{\Pi_3(\mathcal{E})}(S) = 2 \cdot \Pr\left[\mathsf{Expt}^{s\text{-}file}_{\Pi_3(\mathcal{E})}(S) = 1\right] - 1$$
and then $\mathsf{Adv}^{s\text{-}file}_{\Pi_3(\mathcal{E})}(t, \ell, n, m, h_1) = \max_S \mathsf{Adv}^{s\text{-}file}_{\Pi_3(\mathcal{E})}(S)$, where the maximum is taken over all adversaries $S = (S_1, S_2)$ taking time $t$, producing (from $S_1$) files of $\ell$ symbols and a DFA of $n$ states and an alphabet of size $m$, and making $h_1$ queries to $H_1(\cdot)$. We now prove the following theorem:
Theorem 5. Let $H_1(\cdot)$ be a random oracle. For $t' = t + t_{\mathsf{ParamGen}} + t_{\mathsf{BLSKeyGen}} + t_{\mathsf{Gen}} + \ell \cdot (t_{\mathsf{BLSSign}} + t_{\mathsf{Enc}})$,
$$\mathsf{Adv}^{s\text{-}file}_{\Pi_3(\mathcal{E})}(t, \ell, n, m, h_1) \le 2\,\mathsf{Adv}^{ind\text{-}cpa}_{\mathcal{E}}(t', \ell + 1) + \mathsf{Adv}^{ind\text{-}cpa}_{\mathcal{E}}(t', \ell).$$
Proof. Let $\mathsf{Expt}^{s\text{-}file\text{-}0}_{\Pi_3(\mathcal{E})}$ denote experiment $\mathsf{Expt}^{s\text{-}file}_{\Pi_3(\mathcal{E})}$ with $b$ fixed at $b = 0$, and let $\mathsf{Expt}^{s\text{-}file\text{-}1}_{\Pi_3(\mathcal{E})}$ denote the experiment $\mathsf{Expt}^{s\text{-}file}_{\Pi_3(\mathcal{E})}$ with $b$ fixed at $b = 1$. Consider a simulation $\mathsf{Sim}^{s\text{-}file\text{-}0}_{\Pi_3(\mathcal{E})}$ for $\mathsf{Expt}^{s\text{-}file\text{-}0}_{\Pi_3(\mathcal{E})}$ that differs only by simulating $\mathsf{clientOr}$ so as to substitute the ciphertext produced with $ek'$ in $c_{304}$ with an encryption of a random injection $\pi'$ independent of the $\pi$ it chose as in $c_{303}$ (i.e., $\rho \leftarrow \mathsf{Enc}_{pk'}(\pi')$, $\pi' \xleftarrow{\$} \mathsf{Injs}(Q \to R)$) and to substitute all ciphertexts created in $c_{309}$ with encryptions of zero. Proceeding as in the proof of Theorem 4, we construct an IND-CPA adversary $U_0$ that, on input $\hat{pk}$ of an encryption scheme $\mathcal{E}'$, sets $ek' \leftarrow \hat{pk}$ and uses its own oracle $\mathsf{Enc}^{\hat b}_{\hat{pk}}$ to choose between running $\mathsf{Expt}^{s\text{-}file\text{-}0}_{\Pi_3(\mathcal{E})}$ and $\mathsf{Sim}^{s\text{-}file\text{-}0}_{\Pi_3(\mathcal{E})}$ for $S$, i.e., by setting $\theta \leftarrow \mathsf{Enc}^{\hat b}_{\hat{pk}}(\pi, \pi')$ in $c_{304}$ and $\rho \leftarrow \mathsf{Enc}^{\hat b}_{\hat{pk}}(r, 0)$ in $c_{307}$. (Aside from this, $U_0$ performs $\mathsf{Expt}^{s\text{-}file\text{-}0}_{\Pi_3(\mathcal{E})}$ faithfully, using $(ek, dk) \leftarrow \mathsf{Gen}(1^\kappa)$ it generates itself.) Finally, $U_0$ returns $\hat b' = 0$ if $b' = b$ and $\hat b' = 1$ otherwise. Then,
$$1 + \mathsf{Adv}^{ind\text{-}cpa}_{\mathcal{E}}(U_0) = 2 \cdot \Pr\left[\mathsf{Expt}^{ind\text{-}cpa}_{\mathcal{E}}(U_0) = 1\right] = \Pr\left[\mathsf{Expt}^{s\text{-}file\text{-}0}_{\Pi_3(\mathcal{E})}(S) = 1\right] + \Pr\left[\mathsf{Sim}^{s\text{-}file\text{-}0}_{\Pi_3(\mathcal{E})}(S) = 0\right] \tag{4.1}$$

Now consider a simulation $\mathsf{Sim}^{s\text{-}file\text{-}1}_{\Pi_3(\mathcal{E})}$ for $\mathsf{Expt}^{s\text{-}file\text{-}1}_{\Pi_3(\mathcal{E})}$ that again differs only by simulating $\mathsf{clientOr}$ so as to substitute all ciphertexts produced with $ek'$ with encryptions of a random injection $\pi'$ independent of the $\pi$ it chose as in $c_{303}$ (i.e., $\rho \leftarrow \mathsf{Enc}_{pk'}(\pi')$, $\pi' \xleftarrow{\$} \mathsf{Injs}(Q \to R)$) and to substitute all ciphertexts created in $c_{309}$ with encryptions of zero. As above, we construct an IND-CPA adversary $U_1$ that, on input $\hat{pk}$ of an encryption scheme $\mathcal{E}'$, sets $ek' \leftarrow \hat{pk}$ and uses its own oracle $\mathsf{Enc}^{\hat b}_{\hat{pk}}$ to choose between running $\mathsf{Expt}^{s\text{-}file\text{-}1}_{\Pi_3(\mathcal{E})}$ and $\mathsf{Sim}^{s\text{-}file\text{-}1}_{\Pi_3(\mathcal{E})}$ for $S$, i.e., by setting $\theta \leftarrow \mathsf{Enc}^{\hat b}_{\hat{pk}}(\pi', \pi)$ in $c_{304}$ and $\rho \leftarrow \mathsf{Enc}^{\hat b}_{\hat{pk}}(0, r)$ in $c_{307}$. (Aside from this, $U_1$ performs $\mathsf{Expt}^{s\text{-}file\text{-}1}_{\Pi_3(\mathcal{E})}$ faithfully, using $(ek, dk) \leftarrow \mathsf{Gen}(1^\kappa)$ it generates itself.) Finally, $U_1$ returns $\hat b' = 1$ if $b' = b$ and $\hat b' = 0$ otherwise. Then,
$$1 + \mathsf{Adv}^{ind\text{-}cpa}_{\mathcal{E}}(U_1) = 2 \cdot \Pr\left[\mathsf{Expt}^{ind\text{-}cpa}_{\mathcal{E}}(U_1) = 1\right] = \Pr\left[\mathsf{Sim}^{s\text{-}file\text{-}1}_{\Pi_3(\mathcal{E})}(S) = 0\right] + \Pr\left[\mathsf{Expt}^{s\text{-}file\text{-}1}_{\Pi_3(\mathcal{E})}(S) = 1\right] \tag{4.2}$$

Finally, consider an adversary $U$ that uses its oracle $\mathsf{Enc}^{\hat b}_{\hat{pk}}$ to choose between running $\mathsf{Sim}^{s\text{-}file\text{-}0}_{\Pi_3(\mathcal{E})}$ and $\mathsf{Sim}^{s\text{-}file\text{-}1}_{\Pi_3(\mathcal{E})}$ for $S$. Specifically, on input $\hat{pk}$ of an encryption scheme $\mathcal{E}$, $U$ generates $(p, \mathbb{G}_1, \mathbb{G}_2, g, e) \leftarrow \mathsf{ParamGen}(1^\kappa)$, $(vk = \langle p, \mathbb{G}_1, \mathbb{G}_2, g, e, h\rangle, \langle \mathbb{G}_1, x\rangle) \leftarrow \mathsf{BLSKeyGen}(p, \mathbb{G}_1, \mathbb{G}_2, g, e)$ and invokes $S_1(vk, \hat{pk})$. Upon receiving $\langle \sigma_{0k}\rangle_{k\in[\ell]}$ and $\langle \sigma_{1k}\rangle_{k\in[\ell]}$ from $S_1$, for each $k \in [\ell]$, $U$ sets $\beta_k \xleftarrow{\$} \mathbb{Z}_p^*$ and sets $b_k \leftarrow \mathsf{Enc}^{\hat b}_{\hat{pk}}(u_k \cdot \beta_k^{-1} \bmod p,\ v_k \cdot \beta_k^{-1} \bmod p)$. Note that the way $b_k$ is computed determines whether $\sigma_{0k}$ or $\sigma_{1k}$ is encrypted. $U$ then invokes $S_2(\phi, vk, M.\Sigma, \langle s_k, b_k\rangle_{k\in[\ell]})$. In the simulation of $\mathsf{clientOr}$, $U$ selects $r \xleftarrow{\$} R$ and sets $\alpha \leftarrow \mathsf{Enc}_{pek}(r)$ in $c_{305}$ and $c_{316}$ using the Paillier public key $pek$ it received from $S_2$ in the first query (as in $m_{301}$). ($U$ also generates $ek'$ itself and constructs an encryption of a random injection as in $c_{304}$ and encryptions of zero as in $c_{309}$.) For $S_2$'s other queries to $H_1(\cdot)$, for any query that was previously posed to $H_1$, $U$ returns the value returned to that previous query, and for new queries, $U$ generates a random element of $\mathbb{G}_1$. Finally, when $S_2$ outputs $b'$, $U$ outputs $b'$ as $\hat b'$. Then,
$$1 + \mathsf{Adv}^{ind\text{-}cpa}_{\mathcal{E}}(U) = 2 \cdot \Pr\left[\mathsf{Expt}^{ind\text{-}cpa}_{\mathcal{E}}(U) = 1\right] = 2 \cdot \Pr\left[\mathsf{Sim}^{s\text{-}file}_{\Pi_3(\mathcal{E})}(S) = 1\right] = \Pr\left[\mathsf{Sim}^{s\text{-}file\text{-}0}_{\Pi_3(\mathcal{E})}(S) = 1\right] + \Pr\left[\mathsf{Sim}^{s\text{-}file\text{-}1}_{\Pi_3(\mathcal{E})}(S) = 1\right] \tag{4.3}$$

Adding (4.1), (4.2) and (4.3), we get
$$\begin{aligned}
3 + \mathsf{Adv}^{ind\text{-}cpa}_{\mathcal{E}}(U_0) + \mathsf{Adv}^{ind\text{-}cpa}_{\mathcal{E}}(U) + \mathsf{Adv}^{ind\text{-}cpa}_{\mathcal{E}}(U_1)
&= \Pr\left[\mathsf{Expt}^{s\text{-}file\text{-}0}_{\Pi_3(\mathcal{E})}(S) = 1\right] + \Pr\left[\mathsf{Sim}^{s\text{-}file\text{-}0}_{\Pi_3(\mathcal{E})}(S) = 0\right] + \Pr\left[\mathsf{Sim}^{s\text{-}file\text{-}0}_{\Pi_3(\mathcal{E})}(S) = 1\right] \\
&\quad + \Pr\left[\mathsf{Sim}^{s\text{-}file\text{-}1}_{\Pi_3(\mathcal{E})}(S) = 1\right] + \Pr\left[\mathsf{Sim}^{s\text{-}file\text{-}1}_{\Pi_3(\mathcal{E})}(S) = 0\right] + \Pr\left[\mathsf{Expt}^{s\text{-}file\text{-}1}_{\Pi_3(\mathcal{E})}(S) = 1\right] \\
&= 2 \cdot \Pr\left[\mathsf{Expt}^{s\text{-}file}_{\Pi_3(\mathcal{E})}(S) = 1\right] + 2 = 3 + \mathsf{Adv}^{s\text{-}file}_{\Pi_3(\mathcal{E})}(S)
\end{aligned}$$
The result then follows because each of $U_0$ and $U_1$ makes $\ell + 1$ oracle queries and runs in time $t' = t + t_{\mathsf{ParamGen}} + t_{\mathsf{BLSKeyGen}} + t_{\mathsf{Gen}} + \ell \cdot (t_{\mathsf{BLSSign}} + t_{\mathsf{Enc}})$, due to the need to generate the BLS signing key and $(ek, dk)$ and to encrypt $\ell$ file characters. $U$ makes $\ell$ oracle queries in order to create the file ciphertexts and runs in time $t'$ for similar reasons.
Detection of server misbehavior. We first formally define what it means for a client to be able to detect any server misbehavior. Such an experiment is shown in Fig. 4.3. In this experiment, $S_2$ is invoked with the public verification key $\langle p, \mathbb{G}_1, \mathbb{G}_2, g, e, h\rangle$ of the BLS signature and the file ciphertexts $\langle s_k, b_k\rangle_{k\in[\ell]}$. $S_2$ can then invoke $\mathsf{clientOr}$ first with a Paillier public key $pek$ and an integer $\ell$ (as in $m_{301}$) and receives $n$ and $\theta$ in response (as in $m_{302}$). $S_2$ can then invoke $\mathsf{clientOr}$ $\ell$ times, each time with ciphertexts $\alpha, \rho$ and $\Psi_k$ (as in $m_{303}$), and receives ciphertexts $\langle \mu_{ij}\rangle_{i\in[n], j\in[m]}$ and $b_k$ in response (as in $m_{304}$). Finally, $S_2$ outputs a ring element $\gamma^*$ as in $m_{306}$. The experiment outputs 1 if and only if $\gamma^* \in \pi(Q)$ and $\gamma^* \ne \pi(M(\langle \sigma_k\rangle_{k\in[\ell]}))$, where $\pi$ is a random injection given to $\mathsf{clientOr}$ as input so that it need not select one by itself as in $c_{303}$. This means that the protocol outputs an erroneous final state to the client and this goes undetected by the client. For an arbitrarily malicious server adversary $S$, we define its advantage as
$$\mathsf{Adv}^{s\text{-}auth}_{\Pi_3(\mathcal{E})}(S) = \Pr\left[\mathsf{Expt}^{s\text{-}auth}_{\Pi_3(\mathcal{E})}(S) = 1\right]$$
and define $\mathsf{Adv}^{s\text{-}auth}_{\Pi_3(\mathcal{E})}(t, \ell, n, m, h_1, h_2) = \max_S \mathsf{Adv}^{s\text{-}auth}_{\Pi_3(\mathcal{E})}(S)$, where the maximum is taken over all adversaries $S$ executing in time $t$, selecting a file of length $\ell$ and a DFA of $n$ states and alphabet of size $m$, and making $h_1$ hash queries to $H_1(\cdot)$ and $h_2$ queries to $H_2(\cdot)$.

Figure 4.3: Experiment for proving result authenticity against server adversaries

Experiment $\mathsf{Expt}^{s\text{-}auth}_{\Pi_3(\mathcal{E})}(S)$:
  $(p, \mathbb{G}_1, \mathbb{G}_2, g, e) \leftarrow \mathsf{ParamGen}(1^\kappa)$
  $(\langle p, \mathbb{G}_1, \mathbb{G}_2, g, e, h\rangle, \langle \mathbb{G}_1, x\rangle) \leftarrow \mathsf{BLSKeyGen}(p, \mathbb{G}_1, \mathbb{G}_2, g, e)$
  $vk \leftarrow \langle p, \mathbb{G}_1, \mathbb{G}_2, g, e, h\rangle$
  $(ek, dk) \leftarrow \mathsf{Gen}(1^\kappa)$
  $(ek', dk') \leftarrow \mathsf{Gen}(1^{\kappa+2})$
  $(\ell, \langle \sigma_k\rangle_{k\in[\ell]}, M, \phi) \leftarrow S_1(\langle p, \mathbb{G}_1, \mathbb{G}_2, g, e, h\rangle, ek)$
  for $k \in [\ell]$:
    $s_k \leftarrow \mathsf{BLSSign}_{\langle \mathbb{G}_1, x\rangle}(\sigma_k \| k)$
    $\beta_k \xleftarrow{\$} \mathbb{Z}_p^*$
    $s_k \leftarrow s_k^{\beta_k}$
    $b_k \leftarrow \mathsf{Enc}_{ek}(\beta_k)$
  $\pi \xleftarrow{\$} \mathsf{Injs}(Q \to R)$
  $\gamma^* \leftarrow S_2^{\mathsf{clientOr}(vk, dk, M, \pi),\, H_1(\cdot),\, H_2(\cdot)}(vk, M.\Sigma, \langle s_k, b_k\rangle_{k\in[\ell]})$
  if $\gamma^* \in \pi(Q) \wedge \gamma^* \ne \pi(M(\langle \sigma_k\rangle_{k\in[\ell]}))$ then return 1 else return 0
We reduce result authenticity against a server adversary to the bilinear computational Diffie-Hellman problem (BCDH) [18]. The BCDH problem is defined using the experiment in Fig. 4.4, in which an adversary $A$ is given two bilinear groups $\mathbb{G}_1$ and $\mathbb{G}_2$, both of order $p$, a random generator $g$ of $\mathbb{G}_1$ and $g^{z_1}, g^{z_2}, g^{z_3}$ where $z_1, z_2, z_3 \xleftarrow{\$} \mathbb{Z}_p^*$. The experiment outputs 1 if and only if $A$ is able to compute $e(g, g)^{z_1 z_2 z_3}$. The BCDH advantage of $A$ is defined as
$$\mathsf{Adv}^{bcdh}(A) = \Pr\left[\mathsf{Expt}^{bcdh}(A) = 1\right]$$
and then $\mathsf{Adv}^{bcdh}(t) = \max_A \mathsf{Adv}^{bcdh}(A)$, where the maximum is taken over all adversaries $A$ executing in time $t$.

Figure 4.4: Experiment for defining the BCDH problem

Experiment $\mathsf{Expt}^{bcdh}(A)$:
  $(p, \mathbb{G}_1, \mathbb{G}_2, g, e) \leftarrow \mathsf{ParamGen}(1^\kappa)$
  $z_1, z_2, z_3 \xleftarrow{\$} \mathbb{Z}_p^*$
  $v \leftarrow A(p, \mathbb{G}_1, \mathbb{G}_2, g, e, g^{z_1}, g^{z_2}, g^{z_3})$
  if $v = e(g, g)^{z_1 z_2 z_3}$ then return 1 else return 0
We now prove that the protocol guarantees the authenticity of the evaluation result against an arbitrarily malicious server adversary.
Theorem 6. Let $H_1(\cdot)$ and $H_2(\cdot)$ be random oracles. For $t_1 = t + t_{\mathsf{ParamGen}} + t_{\mathsf{BLSKeyGen}} + t_{\mathsf{Gen}} + \ell \cdot (t_{\mathsf{BLSSign}} + t_{\mathsf{Enc}})$ and $t_2 = t + 2 \cdot t_{\mathsf{Gen}} + \ell \cdot (t_{\mathsf{BLSSign}} + t_{\mathsf{Enc}})$,
$$\mathsf{Adv}^{s\text{-}auth}_{\Pi_3(\mathcal{E})}(t, \ell, n, m, h_1, h_2) \le \mathsf{Adv}^{ind\text{-}cpa}_{\mathcal{E}}(t_1, \ell + 1) + (m - 1) \cdot \ell \cdot h_2 \cdot \mathsf{Adv}^{bcdh}(t_2).$$
Proof. Given a server adversary $S$, there are essentially two avenues by which $S$ might attempt to misbehave while escaping detection. The first is to create $\tau(\sigma, k, \beta_k, \psi_k) = H_2(e(H_1(\sigma \| k)^{\beta_k \psi_k}, h))$ for some $\sigma \ne \sigma_k$, and to use $\tau(\sigma, k, \beta_k, \psi_k)$ as $\eta$ in the protocol. The second is to cause the client to execute a state transition into an erroneous state in $Q$ without computing $\tau(\sigma, k, \beta_k, \psi_k)$ for some $\sigma \ne \sigma_k$. Let $\mathsf{event}_1$ denote the event that the former happens, and $\neg\mathsf{event}_1$ that the latter happens. We prove in Lemma 1 that $\neg\mathsf{event}_1$ can happen only with probability negligible in the security parameter. Here we show that the occurrence of $\mathsf{event}_1$ implies the ability to solve the BCDH problem.

Given an adversary $S = (S_1, S_2)$ for which $\mathsf{event}_1$ happens, that runs in time $t$, produces a file of length $\ell$, and produces a DFA of $n$ states over an alphabet of $m$ symbols, while making $h_1$ and $h_2$ hash queries to $H_1(\cdot)$ and $H_2(\cdot)$ respectively, we construct a BCDH attacker $A$ against the BCDH assumption. Consider the following simulation $\mathsf{Sim}^{s\text{-}auth}_{\Pi_3(\mathcal{E})}(S)$ for $\mathsf{Expt}^{s\text{-}auth}_{\Pi_3(\mathcal{E})}(S)$. On input two bilinear groups $\mathbb{G}_1$ and $\mathbb{G}_2$, both of order $p$, a random generator $g$ of $\mathbb{G}_1$ and $Z_1 = g^{z_1}, Z_2 = g^{z_2}, Z_3 = g^{z_3}$ where $z_1, z_2, z_3 \xleftarrow{\$} \mathbb{Z}_p^*$, $A$ generates two public/private key pairs $(ek, dk)$ and $(ek', dk')$ for an IND-CPA encryption scheme and then invokes $S_1(\langle p, \mathbb{G}_1, \mathbb{G}_2, g, e, Z_1\rangle, ek)$ to obtain $(\ell, \langle \sigma_k\rangle_{k\in[\ell]}, M, \phi)$. Let $|M.Q| = n$ and $|M.\Sigma| = m$. $A$ then sets $H_1(\sigma_k \| k) \leftarrow g^{u_k}$ where $u_k \xleftarrow{\$} \mathbb{Z}_p^*$, and then computes the encrypted file sequence $\langle s_k, b_k\rangle_{k\in[\ell]}$ such that $s_k \leftarrow Z_1^{u_k \beta_k}$ for $\beta_k \xleftarrow{\$} \mathbb{Z}_p^*$ and $b_k \leftarrow \mathsf{Enc}_{ek}(\beta_k)$. Note that the file ciphertext $\langle s_k, b_k\rangle_{k\in[\ell]}$ is well formed because
$$e(s_k, g) = e(Z_1^{u_k \beta_k}, g) = e(g^{z_1 u_k \beta_k}, g) = e(g, g)^{z_1 u_k \beta_k} = e(g^{u_k}, g^{z_1})^{\beta_k} = e(H_1(\sigma_k \| k), Z_1)^{\beta_k},$$
as in the real protocol. $A$ then chooses $k^* \xleftarrow{\$} [\ell]$ and $\sigma^* \xleftarrow{\$} \Sigma \setminus \{\sigma_{k^*}\}$ as its guesses of the round $k^*$ and the input symbol $\sigma^*$ for which $S_2$ will attempt forgery. Finally, $A$ invokes $S_2(\langle p, \mathbb{G}_1, \mathbb{G}_2, g, e, Z_1\rangle, M.\Sigma, \langle s_k, b_k\rangle_{k\in[\ell]})$ and simulates responses to $S_2$'s queries to $\mathsf{clientOr}$ as follows.

After receiving $pek$ and $\ell$ from $S_2$ ($m_{301}$), $A$ sets $\theta \leftarrow \mathsf{Enc}_{ek'}(\pi')$, $\pi' \xleftarrow{\$} \mathsf{Injs}(Q \to R)$, and sends $n$ and $\theta$ to $S_2$ (as in $m_{302}$). In round $k \in [\ell]$, $A$ sets $\alpha \leftarrow \mathsf{Enc}_{pek}(r)$, $r \xleftarrow{\$} \mathbb{Z}_N$, and sets $\rho \leftarrow \mathsf{Enc}_{ek}(0)$. If $k \ne k^*$, then $A$ generates the random challenge $\Psi_k$ exactly as specified in $c_{310}$–$c_{311}$. If $k = k^*$, then $A$ sets $\Psi_k \leftarrow Z_3$. In either case, $A$ then sends $\alpha, \rho$ and $\Psi_k$ to $S_2$ ($m_{303}$). After $\ell$ such rounds, $A$ computes $\alpha$ to be the ciphertext of a random element of $R$, and sends it to $S$ ($m_{305}$).

Meanwhile, $A$ answers $S_2$'s queries to the random oracle $H_1(\cdot)$ as follows. For any query that was previously posed to $H_1$, $A$ returns the value returned to that previous query, and for new queries, $A$ generates a return value as follows. If the query is $\sigma^* \| k^*$, then $A$ returns $Z_2$. For all other queries, $A$ picks $u \xleftarrow{\$} \mathbb{Z}_p^*$ and returns $g^u$. For $S_2$'s queries to $H_2(\cdot)$, for any query that was previously posed to $H_2$, $A$ returns the value returned to that previous query. For new queries, $A$ picks $r \xleftarrow{\$} \mathbb{Z}_N$ and

If $S_2$ computes
$$\tau(\sigma^*, k^*, \beta_{k^*}, \psi_{k^*}) = H_2\!\left(e(H_1(\sigma^* \| k^*)^{\beta_{k^*} \psi_{k^*}}, Z_1)\right) = H_2\!\left(e(Z_2^{\beta_{k^*} z_3}, Z_1)\right) = H_2\!\left(e(g, g)^{z_1 z_2 z_3 \beta_{k^*}}\right),$$
then $A$ can output $e(g, g)^{z_1 z_2 z_3}$ by selecting a random query $\chi$ that $S_2$ made to $H_2$ and returning $\chi^{\beta_{k^*}^{-1} \bmod p}$. The probability that $A$ outputs $e(g, g)^{z_1 z_2 z_3}$ is then 1
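As an added worked step, not part of the original proof text, the following shows how the three uniformly random guesses made by $A$ above produce the factor in the second term of Theorem 6. It assumes, as the simulation is constructed to ensure, that $k^*$, $\sigma^*$ and the choice of $\chi$ are independent of $S_2$'s view: $\Psi_{k^*} = Z_3$ and $H_1(\sigma^* \| k^*) = Z_2$ are distributed exactly like the random challenge of $c_{310}$ and a fresh $g^u$, so the guesses cannot be detected. Writing $\epsilon_{\mathsf{Sim}}$ for the probability of $\mathsf{event}_1$ in $\mathsf{Sim}^{s\text{-}auth}_{\Pi_3(\mathcal{E})}(S)$,
$$\mathsf{Adv}^{bcdh}(A) \;\ge\; \epsilon_{\mathsf{Sim}} \cdot \underbrace{\tfrac{1}{\ell}}_{k^* \text{ correct}} \cdot \underbrace{\tfrac{1}{m-1}}_{\sigma^* \text{ correct}} \cdot \underbrace{\tfrac{1}{h_2}}_{\chi \text{ is the forged query}}
\quad\Longrightarrow\quad
\epsilon_{\mathsf{Sim}} \;\le\; (m-1) \cdot \ell \cdot h_2 \cdot \mathsf{Adv}^{bcdh}(t_2).$$
The remaining term $\mathsf{Adv}^{ind\text{-}cpa}_{\mathcal{E}}(t_1, \ell + 1)$ bounds the gap between $\epsilon_{\mathsf{Sim}}$ and the probability of $\mathsf{event}_1$ in the real experiment, since $\mathsf{Sim}^{s\text{-}auth}_{\Pi_3(\mathcal{E})}$ differs from $\mathsf{Expt}^{s\text{-}auth}_{\Pi_3(\mathcal{E})}$ only in the $\ell + 1$ ciphertexts $\theta$ and $\rho$ (an encryption of $\pi'$ and encryptions of $0$), which a distinguisher can exploit only by the same hybrid argument used in the proof of Theorem 4.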