A unidirectional conditional proxy re-encryption scheme based on non-monotonic access structure

A unidirectional conditional proxy re-encryption scheme based on

non-monotonic access structure

Bin Wang

Information Engineering College of Yangzhou University

No.196 West HuaYang Road, Yangzhou City, Jiangsu Province, P.R.China E-mail: [email protected]

Abstract: Recently, Fang et al. [6] introduced an interactive(bidirectional) conditional proxy re-encryption(C-PRE) scheme such that a proxy can only convert ciphertexts that satisfy access policy set by a delegator. Their scheme supports monotonic access policy expressed by “OR” and “AND” gates. In addition, their scheme is called interactive since generation of re-encryption keys requires interaction between the delegator and delegatee. In this paper, we study the problem of constructing a unidirectional(non-interactive) C-PRE scheme supporting non-monotonic access policy expressed by “NOT”, “OR” and “AND” gates. A security model for unidirectional C-PRE schemes is also proposed in this paper. To yield a unidirectional C-PRE scheme supporting non-monotonic access policy, we extend the unidirectional PRE scheme presented by Libert et al. [8] by using the ideas from the non-monotonic attributed based encryption (ABE) scheme presented by Ostrovsky et al. [9]. Furthermore, the security of our C-PRE scheme is proved under the modified 3-weak Decision Bilinear Diffie-Hellman Inversion assumption in the standard model.

Keywords: Unidirectional conditional proxy re-encryption, The standard model, Non-monotonic access structure, Chosen ciphertext security, Attributed based encryption

1. Introduction

Bob via a re-encryption key and the same key can also be used to translate from Bob to Alice. On the other hand, if the re-encryption key only allows one-way conversion (e.g., from Alice to Bob), then the corresponding PRE scheme is called unidirectional.

The PRE scheme in [4] is bidirectional and CPA secure under DDH assumption. In 2005, Ateniese et al. [2] presented several CPA secure unidirectional PRE schemes based on bilinear pairing. Then Canetti and Hohenberger [5] presented an appropriate definition of chosen ciphertext security(CCA) for bidirectional PRE schemes and the first CCA secure bidirectional PRE scheme. The work in [5] left an open problem to come up with a CCA secure unidirectional PRE scheme. Libert and Vergnaud [8] presented a definition of chosen ciphertext security (CCA) for unidirectional PRE schemes and the first unidirectional PRE scheme with CCA security in the standard model.

Normal PRE schemes allow a semi-trusted proxy to translate ciphertexts from Alice to Bob unconditionally. It is desirable that a proxy can only convert ciphertexts under certain constraints set by the delegator. Shao et al. [12] designed a PRE scheme with keyword search property, which allows a proxy equipped with trapdoor information to test whether a ciphertext from Alice contains one specified keyword. However, it is pointed out [13] that the trapdoor still allows the proxy to convert ciphertexts from Alice without any restriction. On the other hand, Weng et al. [14, 15] introduced the notion of conditional proxy re-encryption (C-PRE) such that only ciphertexts whose keywords satisfy certain conditions set by Alice can be converted by a proxy. They also left it as an open problem to construct a C-PRE scheme supporting access policy consisting of “OR” and “AND” gates over keywords.

of bidirectional C-PRE scheme defined in [5]. CCA security of their C-PRE scheme was proved under the random oracle model. They also left it as an open problem to construct a non-interactive(unidirectional) C-PRE scheme with security in the standard model.

Although Wang et al. [13] defined their CCA security model for unidirectional PRE schemes supporting conjunctive keywords search, their security model is coupled tightly with the notion of conjunctive keywords search. Hence the model in [13] is not suitable for C-PRE schemes supporting generic access structure. In addition, the work in [6] considered security model for interactive(bidirectional) C-PRE schemes and proved security of their construction under the random oracle model.

Sahai and Waters [11] introduced the concept of attribute based encryption (ABE), in which a ciphertext is associated with a set of attributes, and a user’s private key will reflect an access policy over attributes that controls which ciphertexts a user is able to decrypt. The original construction of Sahai and Waters was limited to express threshold access structure. Goyal et al. [7] presented ABE schemes based on access tree in which the private key supports any monotonic access structure. To increase the expressibility of ABE schemes, Ostrovsky et al. [9] designed an ABE construction that supports non-monotonic access structure represented by “NOT”, “OR” and “AND” gates over attributes.

Motivated by the above discussion, we aim to design a unidirectional(non-interactive) C-PRE scheme supporting non-monotonic access structure to enhance the expressibility of C-PRE schemes. The rest of paper is organized as follows. At first, we provide security definitions for unidirectional C-PRE schemes in which a ciphertext is associated with a set of keywords, and a re-encryption key will reflect an access policy that controls which ciphertexts a proxy is able to re-encrypt. Subsequently, we extend the unidirectional PRE scheme [8] to yield a unidirectional C-PRE scheme supporting non-monotonic access structures. Finally our construction is proved to be CCA secure under the standard model.

affects the structure of a user’s secret key in our construction.

2. Preliminaries 2. 1 Bilinear pairing

Given a security parameter

λ

, an efficient algorithm

PG

(1 )

λ outputs

( , ,

e G G g p

_T

, , )

,

where

G

is a cyclic group of a prime order

p

generated by

g

, and

2

λ−1

< <

p

2

λ.

G

T

is a cyclic group of the same order, and let

e G G

:

× →

G

T be a efficiently computable

bilinear function with the following properties:

1. Bilinear:

e g

(

a

,

g

b

)

=

e g g

( , ) ,

ab for all

a b

,

∈

Z

_p.

2. Non-degenerate:

( , )

1

T

G

e g g

≠

2.2 Modified 3-wDBDHI assumption

Given

( , ,

e G G g p

T

, , )

output by

PG

(1 )

λ

, we define two experiments in which an adversary

A

outputs 0 or 1.

Experiment 0:

A

is given 2 2 1

*

( ,

,

,

,

, ( , ) ), ,

b

a a b

a a

R p

g g

g

g

g e g g

a b

←

Z

.

Experiment 1:

A

is given 2 1

( ,

_{g g}

a

,

_g

a

,

_g

a

,

_{g T}

b

, )

_, *

,

R p

,

R T

a b

←

Z T

←

G

.

The modified 3-weak Decision Bilinear Diffie-Hellman Inversion assumption [8] claims for any polynomial time algorithm

A

, the probability

| Pr[

W

0

]

−

Pr[

W

1

] |

is

negligible, where

W

_i is the event that

A

outputs 1 in experiment

i

. 2.3 One-time signature

A digital signature scheme

Sig

=

(Gen,S,V)

consists of the following algorithms:

1. Gen(

λ

): Outputs a secret/public key pair

(

sk pk

,

)

.

2. S (

sk m

,

): Given a secret key

sk

and a message

m

, then outputs a signature

σ

.

by

Sig

=

(Gen,S,V)

in experiment

1 ,

( )

Sig SCMA

Exp

λ

A

.

1 ,k

( )

Sig SCMA

Exp

A

The challenger

C

runs

(

pk sk

,

)

←

Gen(1 )

λ and sets

S

_σ

← ∅

.

* * O-Sig

(

m

,

σ

)

←

A

(

pk

)

.

The adversary

A

wins if

(

m

*

,

σ

*

)

∉

S

_σ and V

(

pk m

,

*

,

σ

*

)

=1.

Advantage of

A

in experiment

1 ,

( )

Sig SCMA

Exp

λ

A

is defined to be the probability that

A

wins in the experiment.

The oracle

O-Sig

is defined as follows:

O-Sig( )

m

Returns

σ

=

S sk m

(

, )

and updates

S

_σ =

S

_σ

∪

{( , )}

m

σ

.

A strongly unforgeable one-time signature scheme

Sig

requires that for any PPT adversary

A

who can access the oracle

O-Sig

only once, its advantage

Adv

OTS in experiment

1 ,k

( )

Sig SCMA

Exp

A

is negligible.

3. Security definitions and model

3.1 Syntax of unidirectional C-PRE schemes

A unidirectional single-hop C-PRE scheme consists of the following algorithms. A ciphertext is associated with a set of keywords, and a re-encryption key will reflect an access policy over keywords that controls which ciphertexts a proxy is able to re-encrypt.

Setup( )

λ

: Given the security parameter

λ

, this algorithm produces a set

par

of global public parameters.

Keygen(

par

)

: Given

par

, this algorithm generates a secret/public key pair

(

sk pk

,

)

.

key

pk

_j of user

j

≠

i

and an access structure

A

, this algorithm generates a re-encryption key

,

i j A

R

_→ . We use an algorithm rather than an interactive protocol to implicitly assume that the

process of generating re-encryption keys is non-interactive.

1

Enc (

par pk m

,

_i

, )

: Given

par

, a public key

pk

_i and a message

m

, this algorithm

outputs a first level ciphertext

CT

₁ that cannot be re-encrypted for another party.

2

Enc (

par pk m

,

_i

, , )

γ

: Given

par

, a public key

pk

_i, a message

m

and a set

γ

of

keywords(attributes), this algorithm outputs a second level ciphertext

CT

₂ that can be re-encrypted into a first level ciphertext.

2 ,

ReEnc(

par CT

,

, ,

γ

pk R

_i

,

_{i→j A}

)

: Given

par

, a re-encryption key

R

_{i→j A,} and a second

level ciphertext

CT

₂ encrypted under

pk

_i and a set

γ

of keywords, this algorithm outputs a

first level ciphertext

CT

₁ encrypted under

pk

_j when

γ

satisfies access structure

A

;otherwise a message “invalid” is returned.

1 1

Dec (

par sk CT

,

_i

,

)

: Given

par

, a secret key

sk

_i and a first level ciphertext

CT

₁, this algorithm outputs a message

m

or a message “invalid”.

2 2

Dec (

par sk CT

,

_i

,

)

: Given

par

, a secret key

sk

_i and a second level ciphertext

CT

₂, this algorithm outputs a message

m

or a message “invalid”.

In the following, we will take

par

as implicit input for simplicity. For any message

m

, any couple of secret/public key pair

(

sk pk

_i

,

_i

)

,

(

sk

_j

,

pk

_j

)

, the following conditions of correctness should be satisfied:

(1)

Dec (

₁

sk

_i

, Enc (

₁

pk m

_i

, ))

=

m

;

Dec (

₂

sk

_i

, Enc (

₂

pk m

_i

, , ))

γ

=

m

;

(2) If

γ

satisfies the access structure

A

, the following should hold:

1

CT

=

ReEnc(Enc (

₂

pk m

_i

, , ), ,

γ γ

pk

_i

, ReKeygen(

sk pk A

_i

,

_j

, ))

,

1 1

3.2 Security of second level ciphertexts

Init: As in [8], the adversary

Ad

determines the target user

i

*, the corrupted users and

declares a set

γ

* of keywords that he wishes to be challenged upon at this stage.

Setup: The challenger

C

runs

Setup( )

λ

to produce the global public parameters

par

and generates key pairs as follows:

* *

KeyGen( )

⋅ →

(

pk sk

,

)

,

KeyGen( )

⋅ →

(

pk sk

_x

,

_x

)

,

KeyGen( )

⋅ →

(

pk sk

_h

,

_h

)

.

* *

(

pk sk

,

)

is the key pair for the honest target user

i

*. Key pairs subscripted by

h

or

h

/

represents honest parties and corrupted key pairs are subscripted by

x

or

x

/.

Phase 1:

Ad

takes

pk

*,

{

pk

_h

}

,

{

pk sk

_x

,

_x

}

as input and issue queries to oracles

O

_rekey,

renc

O

and

O

_dec−1.

Challenge:

Ad

outputs two equal-length messages

(

m m

₀

,

₁

)

. The challenger

C

flips a

random bit

b

and returns

CT

₂*=

Enc (

₂

pk m

*

,

_b

,

γ

*

)

.

Phase 2:

Ad

still issues queries to oracles

O

_rekey,

O

_renc and

O

_dec−1.

Guess:

Ad

outputs a bit

b

/.

The advantage of the adversary in this game is

ε

=

| Pr[

b

/

= −

b

] 0.5 |

. A C-PRE scheme is CCA secure at level 2 if

ε

is negligible.

The re-encryption key oracle

O

_rekey

Given a tuple

(

pk pk A

_i

,

_j

, )

, this oracle proceeds as follows:

(1) If both

pk

_i and

pk

_j are honest, returns

R

_{i→j A,}

←

ReKeygen(

sk pk A

_i

,

_j

, )

;

(2) If the honest

pk

_i=

pk

*,

pk

_j is corrupted and

γ

*does not satisfy

A

, returns

* _,

i j A

The re-encryption oracle

O

_renc

Given a tuple

((

CT

₂

, ,

γ

pk

_i

),

pk A

_j

, )

, where

CT

₂ is a second level ciphertext encrypted

under

(

pk

_i,

γ

)

, and

pk pk

_i

,

_j are public keys produced by

Keygen

, this oracle proceeds as follows:

(1) If

pk

_i=

pk

*,

pk

_j is corrupted and

Dec (

₂

sk CT

*

,

₂

) {

∈

m m

₀

,

₁

}

, returns a message “invalid” since re-encryption may leak information about the challenge bit

b

in this case.

(2) If

γ

satisfies the access structure

A

, computes

R

_{i→j A,}

←

ReKeygen(

sk pk A

_i

,

_j

, )

and returns the first level ciphertext

CT

₁

←

ReEnc((

CT pk

₂

,

_i

, ),

γ

R

_{i→j A,}

)

. Otherwise, outputs a message “invalid”.

First level decryption oracle

O

_dec−1

Given a tuple

(

pk CT

_i

,

₁

)

, where

CT

₁ is a first level ciphertext encrypted under the public

key

pk

_i, this oracle proceeds as follows:

(1) If

(

pk CT

_i

,

₁

)

is a derivative of the challenge pair

(

pk CT

*

,

₂*

)

, returns a message “invalid”.

(2) Otherwise, returns

m

←

Dec (

₁

sk CT

_i

,

₁

)

.

A Derivative

(

pk CT

_i

,

₁

)

of the challenge pair

(

pk CT

*

,

₂*

)

in this game is defined as follows:

If

CT

₁ is a first level ciphertext and

pk

_i=

pk

* , or

pk

_i belongs to a honest user,

1

(

pk CT

_i

,

)

is a derivative of the challenge pair if

Dec (

₁

sk CT

_i

,

₁

) {

∈

m m

₀

,

₁

}

.

3.3 Security of first level ciphertexts

Setup: The challenger

C

runs

Setup( )

λ

to produce the global public parameters

par

and generates key pairs in the same way as described previously:

* *

KeyGen( )

⋅ →

(

pk sk

,

)

,

KeyGen( )

⋅ →

(

pk sk

_x

,

_x

)

,

KeyGen( )

⋅ →

(

pk sk

_h

,

_h

)

.

Phase 1: The adversary

Ad

who takes as input

pk

*,

{

pk

_h

}

,

{

pk sk

_x

,

_x

}

can issue

queries to oracles

O

_rekey,

O

_dec−1.

Challenge:

Ad

outputs two equal-length message

(

m m

₀

,

₁

)

. The challenger

C

flips a

random bit

b

and returns

CT

₁*=

Enc (

₁

pk m

*

,

b

)

.

Phase 2:

Ad

still issues queries to the oracle

O

_dec−1.

Guess: The adversary outputs a bit

b

/.

The advantage of the adversary in this game is

ε

=

| Pr[

b

/

= −

b

] 0.5 |

. A C-PRE scheme is CCA secure at level 1 if

ε

is negligible.

The re-encryption key oracle

O

_rekey

Given a tuple

(

pk pk A

_i

,

_j

, )

, this oracle returns ,

i j A

R

_→

←

ReKeygen(

sk pk A

_i

,

_j

, )

. This means that the adversary is allowed access to all re-encryption keys without any restriction.

First level decryption oracle

O

_dec−1

Given a tuple

(

pk CT

_i

,

₁

)

, where

CT

₁ is a first level ciphertext encrypted under the public

key

pk

_i, this oracle proceeds as follows:

If

(

pk CT

_i

,

₁

)

is a derivative of the challenge pair

(

pk CT

*

,

₁*

)

, returns a message

“invalid”. Otherwise, returns

m

←

Dec (

₁

sk CT

_i

,

₁

)

.

A Derivative

(

pk CT

_i

,

₁

)

of the challenge pair

(

pk CT

*

,

₁*

)

in this game is defined as follows:

challenge pair if

Dec (

₁

sk CT

_i

,

₁

) {

∈

m m

₀

,

₁

}

.

Ateniese et al. [2] defined a security notion called master secret security for unidirectional PRE schemes. This notion requires that no coalition of dishonest delegatees be able to pool their re-encryption keys in order to expose the secret key of their common delegator. It is discussed in [6, 8] that CCA security at level 1 implies master secret security for single-hop PRE schemes.

4. Our C-PRE scheme

Setup( )

λ

: Given

( , ,

e G G g p

_T

, , )

output by

PG

(1 )

λ , picks generators *

1 2

(

g u v

, , )

←

G g

,

=

g

w

,

w

←

Z

_p and a strongly unforgeable one-time signature scheme

(

, , )

Sig

=

Gen S V

. Let parameter

d

specifies the exact number of keywords that every second

level ciphertext has. We associate each keyword with a unique element in

Z

*_p.

Then chooses two random polynomials

h x

( )

and

q x

( )

of degree

d

subject to the

constraint

q

(0)

=

w

−1

mod

p

. We also define two functions

T x

( )

=

g

₁xd

⋅

g

₂h x( ) and ( )

2

( )

q x

V x

=

g

that are publicly computable by interpolation. The set

par

of public

parameters is

( , , ,

g u v g g g

₁

,

₂

,

₂q(0)

=

g

,

,

g

₂q d( )

,

g

₂h(0)

,

,

g

₂h d( )

,

Sig

)

.

Keygen

: Picks

(

x

i₁

,

x

i₂

)

←

Z

*p and sets a secret/public key pair for user

i

as

1 2

1 2 1 2

(

,

),

(

xi

,

xi

)

i i i i i i

sk

=

x x

pk

=

X

=

g

X

=

g

.

ReKeygen(

sk pk A

_i

,

_j

, )

: Given the secret key

sk

_i of user

i

, the public key

pk

_j of

user

j

and a non-monotonic access structure

A

, user

i

generates a re-encryption key

R

_{i→j A,}

as follows:

primed keyword

p

/. Let

P

/=

{

p

/

|

p

∈

P

}

. Then define a monotonic access structure

A

over

P

=

P

/

∪

P

in such a way that

S

∈

A

if and only if

N S

( )

∈

A

, where

N

( )

⋅

is an operator

defined as

N S

( )

=

S

∪

{

p

/

∈

P

/

|

p

∈

P S

\ }

. That is,

N S

( )

consists of all the keywords in

S

plus the primed part of all the keywords that are not in

S

.

Let

A

be associated with a linear secret sharing mechanism

∏

. Then user

i

applies

∏

over the set

P

to obtain shares

{ }

λ

_k of the secret

x

_i2−1. For each keyword

p

_k

∈

P

(the

underlying unprimed keyword is

p

_k), a random

r

_k

←

Z

_p is chosen:

If

p

_k=

p

_k is unprimed,

D

_k=

(

(1) ₁k

(

) ,

rk (2) ₂rk

)

k j k k i

D

=

X

λ

⋅

T p

D

=

X

.

If

p

_k=

p

_k/ is primed,

D

_k=

(

(3) ₁ k rk

,

(4)

(

) ,

rk (5) ₂rk

)

k j k k k i

D

=

X

λ

g

D

=

V p

D

=

X

.

The re-encryption key

R

_{i→j A,} =

{

}

k

k p P

D

_∈ .

1

Enc (

pk m

_i

, )

: Given a public key

pk

_i and a message

m

, this algorithm proceeds as follows:

(1) Chooses

r

←

Z

_p and generates a fresh one-time signature key pair

(

ssk svk

,

)

←

Gen

( )

λ

;

(2)

C

₁

=

svk C

,

₂/

=

e g X

( ,

i₁

) ,

r

C

₃

=

e g g

( , )

r

⋅

m

, 4

(

)

svk r

C

=

u v

;

(3) Generates a one-time signature

σ

=

S ssk m C

(

,

||

₃

||

C

₄

)

;

The first level ciphertext

CT

₁=

(

C C C C

₁

,

₂/

,

₃

,

₄

, )

σ

.

2

Enc (

pk m

_i

, , )

γ

: Given the public key

pk

_i, a message

m

and a set

γ

of

d

keywords,

outputs a second level ciphertext

CT

₂ that can be re-encrypted into a first level ciphertext as follows:

(1) Chooses

r

←

Z

_p and generates a fresh one-time signature key pair

(

ssk svk

,

)

;

5

{ ( ) }

,

6

{ ( ) }

p r p r

p p

C

=

T p

∈γ

C

=

V p

∈γ;

(3) Generate a one-time signature

σ

=

S ssk m C

(

,

||

₃

||

C

₄

)

.

The second level ciphertext

CT

₂=

(

C C C C C

₁

,

₂

,

₃

,

₄

,

₅p

,

C

₆p

, )

σ

.

2 ,

ReEnc((

CT

, ,

γ

pk

_i

),

R

_{i→j A}

)

: Given a re-encryption key ,

i j A

R

_→ and a second level

ciphertext

CT

₂ encrypted under

(

pk

_i

, )

γ

, if

γ

satisfies access structure

A

, this algorithm

outputs a first level ciphertext

CT

₁ encrypted under

pk

_j as follows:

(1) Parses

CT

₂ as

C

₁

=

svk C

,

₂

=

X

i₂r

,

C

₃

=

e g g

( , )

r

⋅

m C

,

₄

=

(

u v

svk

)

r

5

{ ( ) }

,

6

{ ( ) }

p r p r

p p

C

=

T p

∈γ

C

=

V p

∈γ,

σ

(2) Recall that

A

induces a monotonic access structure

A

. Denote

γ

/

=

N

( )

γ

. As

γ

satisfies access structure

A

,

γ

/ is authorized in

A

by previous definition of the operator

( )

N

⋅

. Let

I

=

{ :

k p

_k

∈

γ

/

}

. A set of coefficients

{

ω

_k

}

_{k I∈} can be efficiently computed such that _{k k i2} 1

k I

ω λ

x

−

∈

=

∑

[3].

For every unprimed attribute

p

_k

=

p

_k

∈

γ

/, (so

p

_k

∈

γ

by definition of the operator

( )

N

⋅

), we proceeds as follows:

(2.1) Extracts

D

_k=

(

(1) ₁ k

(

) ,

rk (2) ₂rk

)

k j k k i

D

=

X

λ

⋅

T p

D

=

X

from the re-encryption key;

(2.2) Computes

Z

_k=

(

(1)

,

₂

)

(

(2)

,

₅pk

)

k k

e D

C

e D

C

=

₍

xj1k

₍

_{) ,}

rk x ri2

₎

₍

x ri2k

_{, (}

_{) )}

r

k k

e g

λ

⋅

T p

g

e g

T p

= 1 2

( , )

x xj i kr

e g g

λ

For every primed attributed

p

_k

=

p

_k/

∈

γ

/ (so

p

_k

∉

γ

by definition), let

{

}

k

p

k

γ

=

γ

∪

. Note that

|

γ

_k

|

= +

d

1

and recall that the degree of the polynomial

q

( )

⋅

is

d

.

Using the keywords in

γ

_k as an interpolation set, we compute lagrangian coefficients

{

}

k

p p γ

σ

_∈

such that

( )

(0)

(log

₂

)

1

k p g

p γ

σ

q p

q

g

−

∈

=

=

∑

. Then we proceeds as follows:

λ

re-encryption key and computes: k

Z

= (3) 2 (5) (4) 6 2

(

,

)

(

,

(

) ) (

p

,

)

pk

k p

k _p k

e D

C

e D

∏

_∈γ

C

σ

e D

C

σ =

1 2

2 2

(

,

)

(

,

( ( ) ) ) ( (

) ,

)

k j k i

p p

i k k i k

x r x r

x r r r x r

k p

e g

g

g

e g

V p

e V p

g

λ σ σ γ ∈

∏

=

1 2 2

2 ( ) ( ) 2

2 2

(

,

) (

,

)

(

,

(

) ) (

,

)

j k i k i

p p

i k k k i k

x x r r x r

x r q p r q p r x r

p

e g

g

e g

g

e g

g

e g

g

λ σ σ γ ⋅ ∈

∏

=

2 1 2

2 ( )

2

(

,

) (

,

)

( ,

)

i j k k i

i k _p p k

x x r r x r

x r r q p

e g

g e g

g

e g g

γ

λ

σ ∈

∑

=

( , )

j1i2 k

x x r

e g g

λ

Finally we have k

k k I

Z

ω ∈

∏

=

( , )

x x rj1i2 ( _{k I} k k)

e g g

⋅

∑

∈ω λ ₌

1 2 2

( , )

j i i rx x x

e g g

= 1

( , )

rxj

e g g

.

The first level ciphertext

CT

₁=

(

C C

₁

,

₂/

=

e g X

( ,

j₁

) ,

r

C C

₃

,

₄

, )

σ

.

1 1

Dec (

sk CT

_i

,

)

: Given a secret key

sk

_i and a first level ciphertext

CT

₁, this algorithm proceeds as follows:

(1) Parses

CT

₁ as

(

C C C C

₁

,

₂/

,

₃

,

₄

, )

σ

;

(2) Computes 1

1 / 2 i

x

C

=

_{( ,}

i1

₎

i1

_{( , )}

r

x x r

e g g

=

e g g

and

m

=

C e g g

₃

( , )

r ; (3) Tests

V C m C

(

₁

,

||

₃

||

C

₄

)

=

1

(V1)

If relation V1 does not hold, outputs a message “invalid”; otherwise outputs

m

.

2 2

Dec (

sk

_i

, (

CT

, ))

γ

: Given a secret key

sk

_i and a second level ciphertext

CT

₂, this algorithm proceeds as follows:

(1) Parses

CT

₂ as

(

C C C C C

₁

,

₂

,

₃

,

₄

,

₅p

,

C

₆p

, )

σ

;

(2) Tests 1

2 2 4

(

, (

C

))

(

_i

,

)

e C

u v

=

e X

C

(V2)

If relation V2 does not hold, outputs a message “invalid”.

(3) Otherwise, computes

2 2 2

3

1 1

2

( , )

( ,

)

i

( ,

i

)

i

r

x x r x

C

e g g

m

m

e g C

e g g

⋅

⋅

=

=

;

(4) If relation V1 does not hold, outputs a message “invalid” ; otherwise outputs

m

.

d

keywords, this restriction can be mitigated by using the method proposed in [9].

Theorem 1: Assume that the one-time signature scheme is strongly unforgeable. Our scheme is

CCA secure at level 2 under the modified 3-wDBDHI assumption.

Proof: Let 2

1

1 1 2

( ,

_{g A}

_g

a

,

_A

_g

a

,

_A

_g

a

,

_B

_{g T}

b

, )

−

=

=

=

=

be a modified 3-wDBDHI instance.

We build an algorithm

B

_A deciding whether

T

=

( , )

2

b a

e g g

from a successful CCA adversary

Ad

at level 2 with advantage

ε

.

Init: The adversary

Ad

determines the target user

i

*, the corrupted users and declares a

set

γ

* of

d

keywords to be challenged upon.

Setup:

B

_A picks a one-time signature scheme

Sig

=

(

Gen S V

, , )

such that the maximal

probability

δ

that any public key can be selected should be less than

2

−λ as in [8].

B

_A

generates a fresh one-time signature key pair

(

ssk svk

*

,

*

)

and sets

u

= 1

1

A

α ,

v

= 1 * 2

1 2

svk

A

− ⋅α

⋅

A

α ,

g

₁

=

(

A

₁

) ,

μ

g

₂

=

A

₂

,

α α μ

₁

,

₂

,

←

Z

_p*.

Having chosen a random degree

d

polynomial

f x

( )

，two random degree

d

polynomials

u x

( )

and

h x

( )

are defined as follows:

Let

γ

* =

{

p

₁*

,

,

p

*_d

}

.

B

_A sets

u x

( )

=

−

x

d for all

x

∈

γ

* and

u x

( )

≠

−

x

d for

some(arbitrary)

x

∉

γ

* . This ensures that

u x

( )

=

−

x

d if and only if

x

∈

γ

* . Let

( )

h x

=

(

a

−1

⋅ ⋅

μ

u x

( )

+

f x

( ))

. Hence

T x

( )

=

g

₁xd

⋅

g

₂h x( )=

g

₁xd+u x( )

⋅

g

₂f x( ) can be publicly computed for arbitrary

x

.

Then

B

_A picks

{ ,

θ

₁

,

θ

_d

}

←

Z

*_p and implicitly defines a random degree

d

polynomial

q x

( )

such that

q

(0)

=

(

a

2

)

−1,

q p

(

_i*

)

=

θ

_i,

1

≤ ≤

i

d

. We have

g

₂q(0)=

g

and ( )

2

( )

q x

Key generation: Public key of an honest user

i

∈

HU

\ { }

i

* is defined as

1

i

X

=

_g

axi1₌ 1

1 i

x

A

,

X

_i2=

_g

xi2 _{for randomly chosen} *

1

,

2

i i p

x x

←

Z

. The target user’s public key

is set as

X

_i*₁= *₁ i

a x

g

⋅ =

_A

₁xi*1_, *₂

i

X

=

2

*₂ *₂

2

i i

a x x

g

⋅

=

A

for randomly chosen * *

*

1

,

2 p

i i

x

x

←

Z

.

Key pair of a corrupted user

j

is set as

X

_j1= xj1

g

,

X

_j2= xj2

g

for randomly chosen *

1

,

2

j j p

x

x

←

Z

.

Given a tuple

(

pk pk A

_i

,

_j

, )

chosen by

Ad

, the re-encryption key oracle

O

_rekey is

simulated by

B

_A as follows:

Let

∏

be the linear secret sharing mechanism associated with the monotonic access

structure

A

induced by

A

over a set

P

. Let

M

be the share-generating matrix for

∏

with

l

rows and

n

columns. Each row

M

_k of

M

is labeled by a keyword named

p

_k

∈

P

and

p

_k is the unprimed keyword underlying

p

_k. We list the following propositions:

Proposition 1 [3]: Assume

Q

is not an authorized set in the access structure

A

.

(1, 0,

, 0)

n

is linearly independent of the rows

M

_Q, where

M

_Q is the sub-matrix of

M

containing those

rows labeled by keywords in

Q

.

Proposition 2 [1, 10]: A vector

π

is linearly independent of a matrix

N

if and only if there

exist a vector

θ

which can be efficiently computed such that

N

⋅ =

θ

0

while

π θ

⋅ =

1

. Then we consider the following cases:

(1)

i

=

i

*,

j

∈

CU

and

γ

*does not satisfy

A

:

When

A

is not satisfied by

γ

*,

γ

*/

=

N

(

γ

*

)

is not an authorized set in

A

. According to Proposition 1 and 2, there exists a column vector

θ

=

( ,

θ

₁

,

θ

_n

)

T such that

M

_γ*/

⋅ =

θ

0

and

(1, 0,

, 0)

₁

1

n

θ θ

⋅ = =

.

*

2 1

2

(

_i

)

s

=

a

⋅

x

− . Note that

S

is uniformly distributed subject to the constraint that the first

component is

s

. Let

M S

⋅

T be the vector of

l

shares for the secret

s

. Let

M

_k be the

row labeled by

p

_k

∈

γ

*/, we have that

M

k

⋅ =

θ

0

by Proposition 2. Hence the share

k

λ

=

M

_k

⋅

S

T=

M

_k

⋅

R

T, which has no dependency on

s

.

(1.1) For a unprimed keyword

p

_k

=

p

_k

∈

γ

*

⊆

γ

*/,

B

_A picks a random

r

_k

←

Z

_p and outputs the following:

k

D

= *

(1) (2)

1 ₂

(

k

(

) ,

rk rk

)

k j k k _i

D

=

X

λ

⋅

T p

D

=

X

The above is computable since the share

λ

_k is independent of *

2 1

2

(

a

⋅

x

_i

)

− by the above-mentioned discussion.

(1.2) For a unprimed keyword

p

_k

=

p

_k

∉

γ

*,

λ

_k is linearly dependent on *

2 1

2

(

a

⋅

x

_i

)

− .

A

B

picks a random

r

_k/

←

Z

_p , implicitly defines

1 1

/

(

)

(

)

(

)

j k

k k d

k k

a

x

r

r

p

u p

μ

−

_⋅

_⋅

λ

= −

+

and outputs

k

D

=

(

D

_k(1)

,

D

_k(2)

)

as follows:

(1)

k

D

= 1 ( ) ( ) ( )

1

(

)

(

)

(

1 2

)

d j

k rk x k pk u pk f pk rk

j k

X

λ

⋅

T p

=

g

λ

⋅

g

+

⋅

g

= 1 1 / 1 ( ) ( ) ( ) ( ) ( ) ( ) 1 2

(

)

(

)

j k k d d

j k k k k k k

a x

r

x p u p f p p u p

g

g

g

μ λ λ −_{⋅ ⋅} − + +

⋅

⋅

= / ( ) ( ) ( ) 1 2

(

_g

pk d+u pk

⋅

_g

f pk

)

rk

1 1

( ) ( ) ( )

k j k d k k

f p x a

p u p

g

μ λ− ⋅ ⋅ ⋅ ⋅ − + = 1 1 / ( ) ( ) ( ) ( ) ( ) ( ) 1 2

(

) (

)

k j d d

k k k k k k k

f p x

p u p f p r a p u p

g

g

g

μ λ − ⋅ ⋅ − +

_⋅

⋅ + (2) k

D

= *₂ k r i

X

= 1 1 / * 2 ( ) ( ) ( ) 2

(

)

j k k d

i k k

a x

r

x _{p u p}

A

μ−_{⋅ ⋅}λ − + = 1 1 *₂ /

*₂ ( ) ( ) 2

(

)(

)

j _i d k

i k k k

x x

x r _{a p u p}

A

g

μ λ −_{⋅ ⋅} − ⋅ +

As

λ

_k is linearly dependent on *

2 1

2

(

a

⋅

x

_i

)

− ,

_g

a⋅λk_{can be computed via} 1

A

₋ and

A

₁.

k

λ

is linearly dependent on *

2 1

2

(

a

⋅

x

_i

)

− .

B

_A picks a random

r

_k/

←

Z

_p, and implicitly

defines

r

_k=

r

_k/

− ⋅

λ

_k

x

_j1. Then outputs

D

_k=

(

D

_k(3)

,

D

_k(4)

,

D

_k(5)

)

as follows: (3)

k

D

= ₁ k rk rk/

j

X

λ

g

=

g

(4)

(

)

rk

k k

D

=

V p

=

/ 1

( )

2

(

_g

)

θpk⋅rk− ⋅λkxj ₌ /

1

2 2

(

_A

)

rk⋅θpk

⋅

(

_A

λk

)

−xj⋅θpk

*2 k r i

X

= 2 / *2 ( 1)

(

_g

a x⋅i

)

rk− ⋅λk xj ₌

/ ₂

*₂ 1 *₂

2

(

r xk _i

) (

a _k

)

xj x_i

A

⋅

⋅

g

⋅λ − ⋅

2 k

a

g

⋅λ can be computed via

A

₂ since

λ

_k is linearly dependent on *

2 1

2

(

a

⋅

x

_i

)

− .

(1.4) For a primed keyword

p

_k

=

p

_k/

∈

γ

*/ (the underlying unprimed keyword

p

_k

∉

γ

*),

k

λ

is independent of *

2 1

2

(

)

i

a

⋅

x

− .

B

_A picks a random

r

_k

←

Z

_p , Then outputs the following:

k

D

=

(

(3) ₁ k rk

,

(4)

(

) ,

rk (5) _*2rk

)

k j k k k i

D

=

X

λ

g

D

=

V p

D

=

X

(2)

i

=

i

* and

j

∈

HU

\ { }

i

* :

(2.1) For a primed keyword

p

_k

=

p

_k/ ,

B

_A picks a random

r

_k

←

Z

_p and outputs

k

D

=

(

D

_k(3)

,

D

_k(4)

,

D

_k(5)

)

as follows: (3)

k

D

= 1 1

1

(

)

j k j

k rk a x rk a k x rk

j

X

λ

g

=

g

⋅ λ

g

=

g

⋅λ

g

(4)

(

)

rk

k k

D

=

V p

(5)

k

D

= *₂ k

r i

X

*₂

2 k _i

r x

A

⋅

=

As

λ

_k may be linearly dependent on *

2 1

2

(

a

⋅

x

_i

)

− ,

_g

a⋅λk_{can be computed via} 1

A

₋ and

1

A

.

(2.2) For a unprimed keyword

p

_k

=

p

_k ,

B

_A picks a random

r

_k

←

Z

_p and outputs

k

D

=

(

D

_k(1)

,

D

_k(2)

)

as follows: (1)

k

D

= ₁k

(

)

rk

j k

X

λ

⋅

T p

= 1

(

a k

)

xj

(

)

rk

k

g

⋅λ

⋅

T p

(2)

k

D

= *₂ k

r i

X

= *2

2 k _i

r x

Similarly,

_g

a⋅λk _{can be computed via} 1

A

₋ and

A

₁.

(3) If

i

∈

HU

\ { }

i

* : This can be handled easily since we know the shared secret

x

_i2 in this case.

Finally, returns the re-encryption key ,

i j A

R

_→ =

{

D

_k

}

.

Let the challenge second level ciphertext

CT

₂*=

(

svk C C C C

*

,

₂*

,

₃*

,

₄*

,

₅p*

,

C

₆p*

,

σ

*

)

and

b

m

be the encrypted challenge message. Then we define an event

F

_OTS as follows and bound its probability to occur in a way similar to [8].

(1) The adversary issues a re-encryption query in which

2

CT

=

(

svk C C C C

*

,

₂

,

₃

,

₄

,

₅p

,

C

₆p

, )

σ

and

m

is the implicit message embedded in

CT

₂ such

that

(

m C

||

₃

||

C

₄

, )

σ

≠

(

m

b

||

C

₃*

||

C

₄*

,

σ

*

)

and

*

3 4

(

,

||

||

, )

1

V svk m C

C

σ

=

.

(2) The adversary issues a first level decryption query in which

CT

₁=

(

svk C C C

*

,

₂/

,

₃

,

₄

, )

σ

and

m

is the implicit message embedded in

CT

₁ such that

* * *

3 4 3 4

(

m C

||

||

C

, )

σ

≠

(

m

_b

||

C

||

C

,

σ

)

and

V svk m C

(

*

,

||

₃

||

C

₄

, )

σ

=

1

.

As the adversary has no information on

svk

* before the challenge phase, the probability of occurrence of

F

_OTS in phase 1 can be bounded by

2

O O

q

q

⋅ ≤

δ

_λ , where

q

_O is the total number of oracle queries made by the adversary and

δ

is the maximal probability that any one-time public key can be selected.

During the guess phase, the event

F

_OTS could be used to construct an algorithm breaking

strong unforgeability of the one-time signature scheme. Therefore

Pr[

]

2

OTS O

OTS

q

F

≤

_λ

+

Adv

.

The re-encryption oracle

O

_renc is simulated as follows:

Given a tuple

((

CT

₂

, ),

γ

pk pk A

_i

,

_j

, )

chosen by the adversary,

B

_A proceeds as follows:

(2) If

A

is not satisfied by

γ

or relation V2 does not hold, outputs a message “invalid”;

(3) If

i

∈

HU

\ { }

i

* or

j

∉

CU

,

B

_A makes a query to the oracle

O

_rekeyand re-encrypts by using the returned re-encryption key.

(4) If

i

=

i

*,

j

∈

CU

, we consider the following sub-cases:

(4.1)

C

₁=

svk

*: If

( ,

m C C

₃

,

₄

, )

σ

=

(

m C C

_b

,

₃*

,

₄*

,

σ

*

)

in this situation, we have

m

=

m

_b. But we should return “invalid” by our convention for the re-encryption oracle presented in section 3.2. In addition,

C

₁=

svk

*

∧

( ,

m C C

₃

,

₄

, )

σ

≠

(

m C C

_b

,

₃*

,

₄*

,

σ

*

)

implies an occurrence of

F

_OTS.

Hence

B

_A halts when

C

₁=

svk

* at step (4.1).

(4.2)

C

₁

≠

svk

*: Assuming

C

₄

=

(

u v

svk

)

r, relation V2 guarantees that 2

(

*₂

)

r i

C

=

X

. So

*₂ *₂ *₂

1 1

2

(

2

)

2

i i i

x r x x _r

C

=

A

⋅

=

A

, ₄

(

svk

)

r

C

=

u v

= 1( *) 2

1 2

(

A

α svk svk−

⋅

A

α

)

r ,

B

_A computes

* 1 2 *₂

1

( )

4

2

(

)

i

svk svk x

C

C

α α

−

=

A

₁r, 1

1 1

(

r

,

xj

)

e A

A

₋ =

e g X

( ,

_j1

)

r=

C

₂/ . Let

CT

₁=

(

C C C C

₁

,

₂/

,

₃

,

₄

, )

σ

. If

1 1 0 1

Dec (

sk CT

_j

,

) {

∈

m m

,

}

, returns a message “invalid”. Otherwise, returns

CT

₁.

The first-level decryption oracle

O

_dec−1 is simulated as follows:

Given a tuple

(

pk CT

_i

,

₁

)

, where

CT

₁ is a first level ciphertext encrypted under a public

key

pk

_i,

B

_A proceeds as follows:

(1) Parses

CT

₁ as

(

C C C C

₁

,

₂/

,

₃

,

₄

, )

σ

;

(2) If

i

∈

CU

, decrypts the ciphertext by the known secret key;

(3)

i

∈

HU

,

C

₁=

svk

*: Assuming

( ,

m C C

₃

,

₄

, )

σ

=

(

m C C

_b

,

₃*

,

₄*

,

σ

*

)

, we should output a

message “invalid” to indicate that

CT

₁ is a Derivative of the challenge

(

pk CT

*

,

₂*

)

. Otherwise,

* * *

3 4 3 4

( ,

m C C

,

, )

σ

≠

(

m C C

_b

,

,

,

σ

)

means that we either face with an occurrence of the event

OTS

F

or

B

_A should output a message “invalid” to indicate that relation V1 does not hold. Hence

A