Provably Secure Group Based Broadcast Encryption on Lattice

Journal of Information & Computational Science 8: 2 (2011) 179–193 Available at http://www.joics.com

Provably Secure Group Based Broadcast Encryption on Lattice ⋆

Ximing Li, Bo Yang ∗, Yubin Guo, Weiwei Sun

College of Informatics, South China Agricultural University, GuangZhou 510640, China

Abstract

In this paper, a new broadcast encryption scheme called group based broadcast encryption (GBBE) is put forward, in which the set of privileged users is described by group numbers. To implement GBBE on lattices, a new basis extraction algorithm on lattices is given, with which one can extract a basis of the lattice generated by two or more matrices. Using the basis extraction algorithm, a concrete construction of GBBE is given. The GBBE scheme on lattices can be viewed as a way to benefit at the same time from the high efficiency of lattice cryptography and from the ease of management provided by a more adaptable, group-based data structure. Under the standard learning with errors (LWE) problem, the scheme is proved secure in the Group Based Broadcast Encryption Selective Group Set (GBBE Selective-GS) security model.

Keywords: Identity-based Encryption; Lattice; Basis Delegation; Broadcast Encryption; Group Based Encryption

1 Introduction

Wireless broadcasting is an efficient way to deliver data to a large number of users. Some commercial applications of wireless broadcasting, such as satellite pay-TV, require that only those users who have paid for the service can retrieve the broadcast data. That is to say, the broadcaster must be able to choose dynamically a subset of privileged users from the set of all possible recipients and to send a ciphertext readable only by the privileged users. This is often achieved by broadcast encryption [1], which is used whenever a sender wants to send messages to several recipients over an insecure channel. Since a message sender in a broadcast encryption scheme broadcasts a message to a possibly huge number of users, efficiency in transmission overhead has been considered a critical measure by

⋆ This work is supported by the National Natural Science Foundation of China under Grants No. 60773175 and 60973134, the Foundation of National Laboratory for Modern Communications under Grant No. 9140C1108020906 and the Natural Science Foundation of Guangdong Province under Grants No. 10151064201000028, 10351806001000000, 9151064201000058 and 2010B010600046.
∗ Corresponding author. Email address: [email protected] (Bo Yang).

1548–7741/ Copyright © 2011 Binary Information Press February 2011


service providers. Therefore, reducing storage or computation overhead without greatly sacrificing transmission overhead is important. In 1996, Ajtai [2] found that lattices, which up to that point had been used only as tools in cryptanalysis, can actually be used to construct cryptographic primitives. His work sparked great interest in understanding the complexity of lattice problems and their relation to cryptography. There is a special reason for our interest in lattice-based cryptography: the computations involved are very simple and often require only modular addition, which is advantageous in broadcast encryption schemes where decryption is performed by many low-cost devices.

1.1 Our Contribution

In this paper, we consider applications where all the users are assigned to one or more groups and a broadcaster produces different kinds of content for different groups of users. This is a natural problem for a broadcaster who offers its customers several subscription packages, or for different broadcasters using the same asymmetric broadcast encryption scheme. Because any user can be contained in one or more groups, the set of privileged users need not be considered particularly small or large, so our scheme differs from usual broadcast encryption schemes. We call the new broadcast encryption scheme Group Based Broadcast Encryption (GBBE). After giving a new basis extraction algorithm, a detailed construction of GBBE is given. For reasonable choices of parameters, the Learning With Errors problem (LWE) [3] is as hard as the Shortest Vector Problem (SVP) in lattices. Based on the hardness assumption of the LWE problem, the scheme is proved secure in the Group Based Broadcast Encryption Selective Group Set (GBBE Selective-GS) security model.

1.2 Related Work

1.2.1 Broadcast Encryption

In 1991, broadcast encryption was first introduced by S. Berkovits in [4], in which he presented several broadcast schemes based on secret sharing. In 1994, Moni Naor and Amos Fiat [5] formalized the basic definitions and paradigms of this field. In particular, they presented schemes in which each user has a fixed, reusable set of keys. Since then, it has become a major topic in cryptography, due to various commercial applications such as satellite pay-TV. We refer to [6, 7, 8, 9] for historic details on broadcast encryption. Boneh and Hamburg provided a general framework for constructing identity-based broadcast encryption systems in [10]. In 2007, the authors of [11, 6] put forward several kinds of identity-based broadcast encryption schemes using bilinear maps, which can be seen as generalizations of identity-based encryption systems. The authors of [12, 13] put forward broadcast signcryption schemes, but the ciphertext size of these schemes is linear in the number of privileged receivers and these schemes only achieve static security.

1.2.2 Lattice Based Cryptography

The first version of an LWE-based cryptosystem, together with a security proof, was presented by Regev in [3]. Gentry et al. [14] constructed an identity-based encryption scheme based on LWE. Another notable recent work is due to Cash et al. [15], who constructed a basis delegation technique that allows one to derive a short basis of a given lattice from a short basis of a related lattice. Hierarchical identity based encryption (HIBE) is a public key encryption scheme in which entities are arranged in a directed tree. In [16], Shweta Agrawal et al. proposed an HIBE on lattices. They first propose a delegation mechanism, then use it to construct two HIBE systems in which the lattices have the same dimension for all nodes in the hierarchy. Another HIBE scheme, with a structure similar to [16], can be found in [17].

1.3 Organization

The rest of the paper is organized as follows. In Section 2 we fix notation and review the underlying cryptographic concepts that are involved: lattices, the general framework of GBBE schemes, and the formal security model for GBBE. In Section 3, we give a new algorithm which can extract a basis of a lattice generated by more than one matrix. We follow with a description of our construction in Section 4, and in Section 5 we prove the security of our scheme under the hardness of the LWE problem. Finally, we give discussion and conclusions in Section 6.

2 Preliminaries

2.1 Notation

For a positive integer k, [k] denotes the set {1, ..., k}; [0] is the empty set. We denote the set of integers modulo an integer q ≥ 1 by $\mathbb{Z}_q$. For $x \in \mathbb{R}$, the symbol ⌊x⌉ denotes the closest integer to x, ⌈x⌉ denotes the smallest integer that is not smaller than x, and ⌊x⌋ denotes the biggest integer that is not bigger than x. Column vectors are named by lower-case bold letters (e.g., $\mathbf{x}$) and matrices by upper-case bold letters (e.g., $\mathbf{X}$). We identify a matrix $\mathbf{X}$ with the ordered set $\{\mathbf{x}_j\}$ of its column vectors, and let $(\mathbf{X}\|\mathbf{X}')$ denote the (ordered) concatenation of the sets $\mathbf{X}$ and $\mathbf{X}'$. For a set $\mathbf{X}$ of real vectors, we define $\|\mathbf{X}\| = \max_j \|\mathbf{x}_j\|$, where $\|\cdot\|$ denotes the Euclidean norm, and refer to $\|\widetilde{\mathbf{X}}\|$ as the Gram-Schmidt norm of $\mathbf{X}$.

2.2 Scheme of Group-based Broadcast Encryption

Let U be the set of all users; each user u ∈ U is denoted by an integer i with i ∈ [n], and a user group G is a subset of U. A GBBE scheme consists of four fundamental algorithms, Setup, KeyGen, Encrypt and Decrypt, described below.

Setup($1^n$). The setup algorithm takes no input other than the implicit security parameter. It outputs the public parameter PP and a master key MK.

KeyGen(PP, MK, Γ). The key generation algorithm takes as input the master key MK and a set Γ of groups. It outputs a private key SK.

Encrypt(PP, M, Γ′). The encryption algorithm takes as input the public parameter PP, a message M and a set Γ′ of groups chosen from all the groups. The algorithm encrypts M and produces a ciphertext CT such that only users who belong to the groups in Γ′ will be able to decrypt the message. Γ′ is contained in the ciphertext CT.

Decrypt(PP, CT, SK). The decryption algorithm takes as input the public parameter PP, a ciphertext CT, which contains a group set Γ′, and a private key SK of a user. If the user is contained in all the groups in Γ′, then the algorithm decrypts the ciphertext and returns a message M.

2.3 Security Model of Group-based Broadcast Encryption

We consider semantic security of GBBE schemes, and the adversary is assumed to be static, as in previous models. The security model is called GBBE Selective Group Set, abbreviated to the GBBE Selective-GS security model. The adversary is given the capability of adaptively querying secret keys for different group sets. For a security parameter λ, we let $M_\lambda$ denote the message space and $C_\lambda$ the ciphertext space.

Init. The adversary A is given n users who belong to l fixed groups. That is to say, every user $u_i$, i ∈ [n], belongs to one or more groups, forming a subset of $\{G_j : j \in [l]\}$. The challenger C runs Setup($1^n$) and gives the public parameter PP to A.

Phase 1. A adaptively sends a group set Γ to C, and C gives the private key $SK_\Gamma$ to A. So A can decrypt any ciphertext encrypted for users belonging to the groups in Γ.

Challenge. Once the adversary A decides that Phase 1 is over, it outputs a set of groups Γ′ it intends to attack, with the restriction that Γ′ must contain at least one new element that has not been asked in Phase 1. A also chooses a random bit $m \in M_\lambda$ and sends it to C. C chooses a random $r \in \{0, 1\}$ and a random ciphertext $C \in C_\lambda$. If r = 0 it sets the challenge ciphertext to $C^* = \mathrm{Encrypt}(PP, \Gamma', M)$. If r = 1 it sets the challenge ciphertext to $C^* = C$. It sends $C^*$ as the challenge to the adversary.

Guess. Finally, the adversary outputs a guess $r' \in \{0, 1\}$ and wins if $r' = r$.

We refer to such an adversary A as a GBBE-sGS-CPA adversary and define its advantage in attacking the encryption scheme E as

$$\mathrm{Adv}_{E,n,l}(\lambda) = |2\Pr[r' = r] - 1|$$

Definition 1 A group based broadcast encryption system E is semantically secure and indistinguishable from random if for all GBBE-sGS-CPA PPT adversaries A the function $\mathrm{Adv}_{E,n,l}(\lambda)$ is negligible. We say that E is GBBE-sGS-CPA secure.

2.4 Lattice

A lattice $\Lambda \subseteq \mathbb{Z}^m$ is defined as the set of all integer linear combinations of m linearly independent basis vectors $\mathbf{B} = \{\mathbf{b}_1, \ldots, \mathbf{b}_m\} \subset \mathbb{Z}^m$:

$$\Lambda = \mathcal{L}(\mathbf{B}) = \Big\{ \mathbf{B}\mathbf{c} = \sum_{i \in [m]} c_i \mathbf{b}_i : \mathbf{c} \in \mathbb{Z}^m \Big\}$$

When m ≥ 2, there are infinitely many bases that generate the same lattice. Let n ≥ 1 and modulus q ≥ 2 be integers. An m-dimensional lattice is specified relative to the additive group $\mathbb{Z}_q$ by a parity check matrix $\mathbf{A} \in \mathbb{Z}_q^{n \times m}$. The associated lattice is defined as

$$\Lambda_q^{\perp}(\mathbf{A}) = \Big\{ \mathbf{x} \in \mathbb{Z}^m : \mathbf{A}\mathbf{x} = \sum_{j \in [m]} x_j \cdot \mathbf{a}_j = \mathbf{0} \in \mathbb{Z}_q^n \Big\}$$

For any $\mathbf{y}$ in the subgroup of $\mathbb{Z}_q^n$ generated by the columns of $\mathbf{A}$, we define the coset

$$\Lambda_q^{\mathbf{y}}(\mathbf{A}) = \{ \mathbf{x} \in \mathbb{Z}^m : \mathbf{A}\mathbf{x} = \mathbf{y} \}$$

Definition 2 Let Λ be a subset of $\mathbb{Z}^m$. For any vector $\mathbf{c} \in \mathbb{R}^m$ and any positive parameter σ > 0, define

$$\rho_{\sigma,\mathbf{c}}(\mathbf{x}) = \exp\Big(-\pi \frac{\|\mathbf{x} - \mathbf{c}\|^2}{\sigma^2}\Big), \qquad \rho_{\sigma,\mathbf{c}}(\Lambda) = \sum_{\mathbf{x} \in \Lambda} \rho_{\sigma,\mathbf{c}}(\mathbf{x})$$

The discrete Gaussian distribution over Λ with center $\mathbf{c}$ and parameter σ is

$$\forall \mathbf{y} \in \Lambda, \quad D_{\Lambda,\sigma,\mathbf{c}}(\mathbf{y}) = \frac{\rho_{\sigma,\mathbf{c}}(\mathbf{y})}{\rho_{\sigma,\mathbf{c}}(\Lambda)}$$

Definition 3 For some α ∈ (0, 1) and a prime q, $\bar{\Psi}_\alpha$ is defined as the distribution over $\mathbb{Z}_q$ of the random variable ⌊qX⌉ mod q, where X is a normal random variable with mean 0 and standard deviation $\alpha/\sqrt{2\pi}$.

The following theorem follows from Theorem 3.2 of [18] by taking δ = 1/3.

Theorem 1 Let q ≥ 3 be odd and m = ⌈6n log q⌉. There is a probabilistic polynomial-time algorithm TrapGen(q, n) that outputs a pair $(\mathbf{A} \in \mathbb{Z}_q^{n \times m}, \mathbf{T}_{\mathbf{A}} \in \mathbb{Z}_q^{m \times m})$ such that $\mathbf{A}$ is statistically close to a uniform matrix in $\mathbb{Z}_q^{n \times m}$ and $\mathbf{T}_{\mathbf{A}}$ is a basis for $\Lambda_q^{\perp}(\mathbf{A})$ satisfying

$$\|\widetilde{\mathbf{T}_{\mathbf{A}}}\| \le O\big(\sqrt{n \log q}\big) \quad \text{and} \quad \|\mathbf{T}_{\mathbf{A}}\| \le O(n \log q)$$

with all but negligible probability in n.

2.5 Hardness Assumption

The security of our construction is reduced to the LWE (learning with errors) problem, a classic hard problem on lattices defined by Regev in [3].

Definition 4 Consider a prime q, a positive integer n, and a distribution $\bar{\Psi}_\alpha$ over $\mathbb{Z}_q$. A $(\mathbb{Z}_q, n, \bar{\Psi}_\alpha)$-LWE problem instance consists of access to an unspecified challenge oracle O, being either a noisy pseudo-random sampler $O_{LWE}$ or a truly random sampler $O_R$, whose behaviours are respectively as follows:

$O_{LWE}$ outputs samples of the form $(\mathbf{u}_i, v_i) = (\mathbf{u}_i, \mathbf{u}_i^T \mathbf{s} + x_i) \in \mathbb{Z}_q^n \times \mathbb{Z}_q$, where $\mathbf{s} \in \mathbb{Z}_q^n$ is a uniformly distributed persistent value invariant across invocations, $x_i \in \mathbb{Z}_q$ is a fresh sample from $\bar{\Psi}_\alpha$, and $\mathbf{u}_i$ is uniform in $\mathbb{Z}_q^n$.

$O_R$ outputs truly uniform random samples from $\mathbb{Z}_q^n \times \mathbb{Z}_q$.

Theorem 2 ([3]) If there exists an efficient, possibly quantum, algorithm for deciding the $(\mathbb{Z}_q, n, \bar{\Psi}_\alpha)$-LWE problem for $q > 2\sqrt{n}/\alpha$, then there exists an efficient quantum algorithm for approximating the SIVP and GapSVP problems to within $\tilde{O}(n/\alpha)$ factors in the $\ell_2$ norm, in the worst case.

The following lemma about the distribution will be needed to show that decryption works correctly. The proof is implicit in [14].

Lemma 1 Let $\mathbf{e}$ be some vector in $\mathbb{Z}_q^m$ and let $\mathbf{y} \xleftarrow{R} \bar{\Psi}_\alpha^m$. Then the quantity $\mathbf{e}^T \mathbf{y}$, treated as an integer in [q − 1], satisfies

$$|\mathbf{e}^T \mathbf{y}| \le \|\mathbf{e}\|\, q\alpha\, \omega\big(\sqrt{\log m}\big) + \|\mathbf{e}\| \sqrt{m}/2$$

with all but negligible probability in m.

3 Basis Extraction Algorithm from Two or More Matrices

In this section we describe how to extract a basis of a lattice generated by two or more matrices. We first restate the theorem below from [14], which introduced the algorithm SamplePre; given a basis, SamplePre outputs a preimage in the lattice generated by a matrix.

Theorem 3 Let (n, q, m) be positive integers with q ≥ 2 and m ≥ 2n lg q. There exists a PPT algorithm SamplePre such that, on input of $\mathbf{A} \in \mathbb{Z}_q^{n \times m}$, a basis $\mathbf{T}_{\mathbf{A}}$ for $\mathbf{A}$, a vector $\mathbf{u}$, and an integer $r \ge \|\widetilde{\mathbf{T}_{\mathbf{A}}}\| \cdot \omega(\sqrt{\log m})$, the distribution of the output of $\mathbf{e} \leftarrow \mathrm{SamplePre}(\mathbf{A}, \mathbf{T}_{\mathbf{A}}, \mathbf{u}, r)$ is within negligible statistical distance of $D_{\Lambda_q^{\mathbf{u}}(\mathbf{A}), r}$.

3.1 Algorithm SamplePreMul

First, we give the algorithm for a lattice generated by two matrices. Then the method is extended to lattices generated by more matrices. SamplePre is used as a sub-algorithm. Based on Theorem 3, we give the theorem below.

Theorem 4 Let n, q, m, k be positive integers with q ≥ 2 and m ≥ 2n lg q. There exists a PPT algorithm SamplePreMul such that, on input of $(\mathbf{A}, \mathbf{B}) \in \mathbb{Z}_q^{n \times m}$, bases $(\mathbf{T}_{\mathbf{A}}, \mathbf{T}_{\mathbf{B}}) \in \mathbb{Z}_q^{m \times m}$ for $(\Lambda_q^{\perp}(\mathbf{A}), \Lambda_q^{\perp}(\mathbf{B}))$, a vector $\mathbf{u} \in \mathbb{Z}_q^{2n}$, and an integer $r \ge \max(\|\widetilde{\mathbf{T}_{\mathbf{A}}}\|, \|\widetilde{\mathbf{T}_{\mathbf{B}}}\|) \cdot \omega(\sqrt{\log m})$, letting $\mathbf{F} = \begin{pmatrix} \mathbf{A} & \mathbf{0} \\ \mathbf{0} & \mathbf{B} \end{pmatrix}$, the distribution of the output of $\mathbf{e} \leftarrow \mathrm{SamplePreMul}(\mathbf{A}, \mathbf{B}, \mathbf{T}_{\mathbf{A}}, \mathbf{T}_{\mathbf{B}}, \mathbf{u}, r)$ is within negligible statistical distance of $D_{\Lambda_q^{\mathbf{u}}(\mathbf{F}), r}$.

Proof We give the description of the algorithm SamplePreMul($\mathbf{A}, \mathbf{T}_{\mathbf{A}}, \mathbf{B}, \mathbf{T}_{\mathbf{B}}, \mathbf{u}, r$) below.

Inputs: Two rank-n matrices $\mathbf{A}, \mathbf{B} \in \mathbb{Z}_q^{n \times m}$; two short bases $\mathbf{T}_{\mathbf{A}}$ and $\mathbf{T}_{\mathbf{B}}$ of $(\Lambda_q^{\perp}(\mathbf{A}), \Lambda_q^{\perp}(\mathbf{B}))$; a vector $\mathbf{u} \in \mathbb{Z}_q^{2n}$; and a Gaussian parameter $r \ge \max(\|\widetilde{\mathbf{T}_{\mathbf{A}}}\|, \|\widetilde{\mathbf{T}_{\mathbf{B}}}\|) \cdot \omega(\sqrt{\log m})$.

Output: Let $\mathbf{F} := \begin{pmatrix} \mathbf{A} & \mathbf{0} \\ \mathbf{0} & \mathbf{B} \end{pmatrix}$. The algorithm outputs a vector $\mathbf{e} \in \mathbb{Z}_q^{2m}$ sampled from a distribution statistically close to $D_{\Lambda_q^{\mathbf{u}}(\mathbf{F}), r}$. In particular, $\mathbf{e} \in \Lambda_q^{\mathbf{u}}(\mathbf{F})$, that is,

$$\mathbf{F} \cdot \mathbf{e} = \begin{pmatrix} \mathbf{A} & \mathbf{0} \\ \mathbf{0} & \mathbf{B} \end{pmatrix} \cdot \mathbf{e} = \mathbf{u}.$$

The algorithm uses the algorithm SamplePre defined in [14] as a sub-function and works in four steps:

1. Parse $\mathbf{u} = (u_1, u_2, \ldots, u_{2n})$ into two vectors $\mathbf{u}_1$ and $\mathbf{u}_2$ such that $\mathbf{u}_1 = (u_1, u_2, \ldots, u_n)$ and $\mathbf{u}_2 = (u_{n+1}, u_{n+2}, \ldots, u_{2n})$.
2. Run SamplePre($\mathbf{A}, \mathbf{T}_{\mathbf{A}}, \mathbf{u}_1, r$) to get $\mathbf{e}_1 \in \mathbb{Z}_q^m$, sampled from a distribution statistically close to $D_{\Lambda_q^{\mathbf{u}_1}(\mathbf{A}), r}$.
3. Run SamplePre($\mathbf{B}, \mathbf{T}_{\mathbf{B}}, \mathbf{u}_2, r$) to get $\mathbf{e}_2 \in \mathbb{Z}_q^m$, sampled from a distribution statistically close to $D_{\Lambda_q^{\mathbf{u}_2}(\mathbf{B}), r}$.
4. Output $\mathbf{e} = (e_1, e_2, \ldots, e_{2m}) \in \mathbb{Z}_q^{2m}$ with $(e_1, \ldots, e_m) = \mathbf{e}_1$ and $(e_{m+1}, \ldots, e_{2m}) = \mathbf{e}_2$. $\mathbf{e}$ is statistically close to $D_{\Lambda_q^{\mathbf{u}}(\mathbf{F}), r}$.

Clearly,

$$\mathbf{F} \cdot \mathbf{e} = \begin{pmatrix} \mathbf{A} & \mathbf{0} \\ \mathbf{0} & \mathbf{B} \end{pmatrix} \cdot \begin{pmatrix} \mathbf{e}_1 \\ \mathbf{e}_2 \end{pmatrix} = (\mathbf{A}\mathbf{e}_1 + \mathbf{0}\mathbf{e}_2,\ \mathbf{0}\mathbf{e}_1 + \mathbf{B}\mathbf{e}_2) = (\mathbf{u}_1, \mathbf{u}_2) = \mathbf{u}$$

For any fixed vector $\mathbf{e} = (\mathbf{e}_1, \mathbf{e}_2) \in \Lambda_q^{\mathbf{u}}(\mathbf{F})$, let $p(\mathbf{e})$ denote the probability that SamplePreMul($\mathbf{A}, \mathbf{T}_{\mathbf{A}}, \mathbf{B}, \mathbf{T}_{\mathbf{B}}, \mathbf{u}, r$) outputs that vector. We have

$$p(\mathbf{e}) = p(\mathbf{e}_1)\, p(\mathbf{e}_2) = \frac{\rho_r(\mathbf{e}_1)}{\rho_r(\mathbf{e}_1 : \mathbf{A}\mathbf{e}_1 = \mathbf{u}_1)} \cdot \frac{\rho_r(\mathbf{e}_2)}{\rho_r(\mathbf{e}_2 : \mathbf{B}\mathbf{e}_2 = \mathbf{u}_2)} = \frac{\rho_r(\mathbf{e}_1)\rho_r(\mathbf{e}_2)}{\rho_r(\Lambda_q^{\mathbf{u}_1}(\mathbf{A})) \cdot \rho_r(\Lambda_q^{\mathbf{u}_2}(\mathbf{B}))} \qquad (1)$$

We claim that

$$\rho_r(\Lambda_q^{\mathbf{u}}(\mathbf{F})) = \sum_{\mathbf{e} \in \Lambda_q^{\mathbf{u}}(\mathbf{F})} \rho_r(\mathbf{e}) = \sum_{\mathbf{e} \in \mathbb{Z}_q^{2m}:\ \mathbf{F}\mathbf{e} = \mathbf{u},\ \mathbf{u} = (\mathbf{u}_1, \mathbf{u}_2)} \rho_r(\mathbf{e}) = \sum_{\mathbf{e}_1 \in \mathbb{Z}_q^m,\ \mathbf{A}\mathbf{e}_1 = \mathbf{u}_1} \rho_r(\mathbf{e}_1) \sum_{\mathbf{e}_2 \in \mathbb{Z}_q^m,\ \mathbf{B}\mathbf{e}_2 = \mathbf{u}_2} \rho_r(\mathbf{e}_2) \qquad (2)$$

$$\in \Big[\frac{1 - \epsilon}{1 + \epsilon},\, 1\Big]\, \rho_r(\Lambda_q^{\mathbf{u}_1}(\mathbf{A})) \cdot \rho_r(\Lambda_q^{\mathbf{u}_2}(\mathbf{B})) \qquad (3)$$

Equation (3) follows from Micciancio and Regev [19], for some negligible function ε. From (3) and (1) we get

$$p(\mathbf{e}) \in \Big[\frac{1 - \epsilon}{1 + \epsilon},\, 1\Big] \frac{\rho_r(\mathbf{e}_1)\rho_r(\mathbf{e}_2)}{\rho_r(\Lambda_q^{\mathbf{u}}(\mathbf{F}))}$$

which is within negligible statistical distance of $D_{\Lambda_q^{\mathbf{u}}(\mathbf{F}), r}$.
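The lattice objects of Section 2.4 (the q-ary lattice $\Lambda_q^{\perp}(\mathbf{A})$, its cosets $\Lambda_q^{\mathbf{u}}(\mathbf{A})$, the Gaussian weight ρ and the discrete Gaussian of Definition 2) and the product identity (2) that SamplePreMul rests on, as one added worked example in pure Python. This is not code from the paper: the instance (n = 2, m = 3, q = 7) is constructed and nowhere near cryptographic size, exhaustive enumeration of a small box stands in for the trapdoor sampler SamplePre, and the names `coset_in_box`, `product_identity` and `sample_pre_mul_toy` are mine. `sample_pre_mul_toy` follows the four steps above: sample $\mathbf{e}_1$ and $\mathbf{e}_2$ independently from the two cosets and concatenate, and `product_identity` checks that the Gaussian mass of the coset of the block-diagonal $\mathbf{F}$ factors as the product of the two coset masses.

```python
import itertools
import math
import random


def matvec_mod(A, x, q):
    """A·x mod q, with A given as a list of rows."""
    return [sum(a * b for a, b in zip(row, x)) % q for row in A]


def in_perp_lattice(A, x, q):
    """x ∈ Λ⊥_q(A)  ⇔  A·x ≡ 0 (mod q)."""
    return all(v == 0 for v in matvec_mod(A, x, q))


def in_coset(A, x, u, q):
    """x ∈ Λ^u_q(A)  ⇔  A·x ≡ u (mod q)."""
    return matvec_mod(A, x, q) == [v % q for v in u]


def rho(x, r, c=None):
    """Gaussian weight ρ_{r,c}(x) = exp(-π ||x - c||² / r²); c defaults to the origin."""
    c = c or [0] * len(x)
    return math.exp(-math.pi * sum((a - b) ** 2 for a, b in zip(x, c)) / r ** 2)


def coset_in_box(A, u, q, bound):
    """Λ^u_q(A) truncated to the box {-bound..bound}^m, by exhaustive enumeration.
    Only feasible for toy sizes; here it stands in for the trapdoor sampler SamplePre."""
    m = len(A[0])
    target = [v % q for v in u]
    return [list(e) for e in itertools.product(range(-bound, bound + 1), repeat=m)
            if matvec_mod(A, e, q) == target]


def gaussian_mass(vectors, r):
    """ρ_r(S) = Σ_{x∈S} ρ_r(x) for a finite set S of vectors."""
    return sum(rho(e, r) for e in vectors)


def discrete_gaussian(vectors, r):
    """D_{S,r}(y) = ρ_r(y) / ρ_r(S) for every y in the finite set S (Definition 2, c = 0)."""
    total = gaussian_mass(vectors, r)
    return {tuple(e): rho(e, r) / total for e in vectors}


def block_diag(A, B):
    """F = [[A, 0], [0, B]] as in Theorem 4."""
    m1, m2 = len(A[0]), len(B[0])
    return [row + [0] * m2 for row in A] + [[0] * m1 + row for row in B]


def sample_pre_mul_toy(A, B, u1, u2, q, bound, r, seed=0):
    """Toy analogue of SamplePreMul: draw e1 ~ D_{Λ^{u1}_q(A),r} and e2 ~ D_{Λ^{u2}_q(B),r}
    independently (exact sampling over the box) and output e = (e1, e2)."""
    rng = random.Random(seed)

    def draw(vectors):
        return rng.choices(vectors, weights=[rho(e, r) for e in vectors], k=1)[0]

    e1 = draw(coset_in_box(A, u1, q, bound))
    e2 = draw(coset_in_box(B, u2, q, bound))
    return e1 + e2


def product_identity(A, B, u1, u2, q, bound, r):
    """Both sides of equation (2): ρ_r(Λ^u_q(F)) versus ρ_r(Λ^{u1}_q(A)) · ρ_r(Λ^{u2}_q(B)),
    with every coset truncated to the same box so that the sums are finite."""
    F = block_diag(A, B)
    lhs = gaussian_mass(coset_in_box(F, u1 + u2, q, bound), r)
    rhs = (gaussian_mass(coset_in_box(A, u1, q, bound), r)
           * gaussian_mass(coset_in_box(B, u2, q, bound), r))
    return lhs, rhs


# Constructed toy instance: n = 2, m = 3, q = 7 (illustration only, no security).
Q = 7
A = [[1, 2, 3], [2, 0, 1]]
B = [[1, 1, 0], [0, 1, 1]]
U1 = matvec_mod(A, [1, 0, -1], Q)   # = [5, 1], so [1, 0, -1] ∈ Λ^{U1}_q(A)
U2 = matvec_mod(B, [0, 1, 1], Q)    # = [1, 2]

if __name__ == "__main__":
    lhs, rhs = product_identity(A, B, U1, U2, Q, 2, 2.0)
    print("rho over coset of F:", lhs, " product of coset masses:", rhs)
    e = sample_pre_mul_toy(A, B, U1, U2, Q, 2, 2.0)
    print("e =", e, " F·e mod q =", matvec_mod(block_diag(A, B), e, Q), " u =", U1 + U2)
```

Because $\mathbf{F}\mathbf{e} = (\mathbf{A}\mathbf{e}_1, \mathbf{B}\mathbf{e}_2)$, the box-truncated coset of $\mathbf{F}$ is exactly the Cartesian product of the two truncated cosets, which is why the two sides of (2) agree to floating-point precision here; the ε in (3) only enters when the cosets are not truncated.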

3.2 Basis Extraction Algorithm

Based on Theorem 4, we can construct an algorithm which gives a basis from two lattices generated by two matrices.

Theorem 5 Let (n, q, m, k) be positive integers with q ≥ 2 and m ≥ 2n lg q. There exists a PPT algorithm SampleBasisMul such that, on input of $(\mathbf{A}, \mathbf{B}) \in \mathbb{Z}_q^{n \times m}$, bases $(\mathbf{T}_{\mathbf{A}}, \mathbf{T}_{\mathbf{B}})$ for $(\Lambda_q^{\mathbf{u}}(\mathbf{A}), \Lambda_q^{\mathbf{u}}(\mathbf{B}))$, and an integer $L \ge \max(\|\widetilde{\mathbf{T}_{\mathbf{A}}}\|, \|\widetilde{\mathbf{T}_{\mathbf{B}}}\|) \cdot \omega(\sqrt{\log m})$, letting $\mathbf{F} = \begin{pmatrix} \mathbf{A} & \mathbf{0} \\ \mathbf{0} & \mathbf{B} \end{pmatrix}$, it outputs

$$\mathbf{T}_{\mathbf{F}} \leftarrow \mathrm{SampleBasisMul}(\mathbf{A}, \mathbf{B}, \mathbf{T}_{\mathbf{A}}, \mathbf{T}_{\mathbf{B}}, L)$$

such that, for an overwhelming fraction of $\mathbf{F} \in \mathbb{Z}_q^{2n \times 2m}$, $\mathbf{T}_{\mathbf{F}}$ is a basis of $\Lambda_q^{\perp}(\mathbf{F})$ (with overwhelming probability). Furthermore, up to a statistical distance, the distribution of the basis $\mathbf{T}_{\mathbf{F}}$ depends only on $(\mathbf{A}, \mathbf{B})$ and L (not on $\mathbf{T}_{\mathbf{A}}$ and $\mathbf{T}_{\mathbf{B}}$).

Proof The algorithm SampleBasisMul($\mathbf{A}, \mathbf{B}, \mathbf{T}_{\mathbf{A}}, \mathbf{T}_{\mathbf{B}}, L$) works as follows. It draws $O((2m)^2)$ samples by running SamplePreMul($\mathbf{A}, \mathbf{T}_{\mathbf{A}}, \mathbf{B}, \mathbf{T}_{\mathbf{B}}, \mathbf{u} = \mathbf{0}, r$) many times. By Lemma 2.2 (1) of [15], with overwhelming probability the samples contain 2m linearly independent vectors. By Lemma 2.2 of [15], they have length at most $r\sqrt{2m} = L$. The algorithm then applies the deterministic procedure that processes the samples into a basis for $\Lambda_q^{\perp}(\mathbf{F})$ without increasing the length of their Gram-Schmidt vectors.

The theorem below is a natural extension of Theorem 5.

Theorem 6 Let (n, q, m, k, d) be positive integers with q ≥ 2 and m ≥ 2n lg q. There exists a PPT algorithm SampleBasisAND such that, on input of $\mathbf{A}_i \in \mathbb{Z}_q^{n \times m}$ for i ∈ [d], bases $\mathbf{T}_{\mathbf{A}_i}$ for $\Lambda_q^{\mathbf{u}}(\mathbf{A}_i)$, and an integer $L \ge \max_{i \in [k]} \|\widetilde{\mathbf{T}_{\mathbf{A}_i}}\| \cdot \omega(\sqrt{\log m})$, letting

$$\mathbf{F} = \begin{pmatrix} \mathbf{A}_1 & \mathbf{0} & \cdots & \mathbf{0} \\ \mathbf{0} & \mathbf{A}_2 & \cdots & \mathbf{0} \\ \vdots & \vdots & \ddots & \vdots \\ \mathbf{0} & \mathbf{0} & \cdots & \mathbf{A}_d \end{pmatrix}$$

it outputs

$$\mathbf{T}_{\mathbf{F}} \leftarrow \mathrm{SampleBasisAND}(\{\mathbf{A}_i\}_{i \in [d]}, \{\mathbf{T}_{\mathbf{A}_i}\}_{i \in [d]}, L)$$

such that, for an overwhelming fraction of $\mathbf{F} \in \mathbb{Z}_q^{dn \times dm}$, $\mathbf{T}_{\mathbf{F}}$ is a basis of $\Lambda_q^{\perp}(\mathbf{F})$ (with overwhelming probability). Furthermore, up to a statistical distance, the distribution of the basis $\mathbf{T}_{\mathbf{F}}$ depends only on the $\mathbf{A}_i$ and L (and not on the $\mathbf{T}_{\mathbf{A}_i}$).

In Section 4 we also need the algorithm BasisDel defined in [16].

Theorem 7 Let (n, q, m, k) be positive integers with q ≥ 2 and m ≥ 2n lg q. There exists a PPT algorithm BasisDel such that, on input of $\mathbf{G} \in \mathbb{Z}_q^{n \times m}$, a basis $\mathbf{T}_{\mathbf{G}}$ for $\Lambda_q^{\mathbf{u}}(\mathbf{G})$, $\sigma > \|\widetilde{\mathbf{T}_{\mathbf{G}}}\| \cdot \sqrt{nm \log q} \cdot \omega(\log^2 m)$ and an invertible matrix $\mathbf{R} \in \mathcal{D}_{m \times m}$, it outputs $\mathbf{T}_{\mathbf{G}\mathbf{R}^{-1}} \leftarrow \mathrm{BasisDel}(\mathbf{G}, \mathbf{T}_{\mathbf{G}}, \mathbf{R}, \sigma)$.

The algorithm SampleRwithBasis introduced in [17] is used in the simulation: on input of a matrix $\mathbf{A}$, it outputs a random matrix $\mathbf{R} \in \mathcal{D}_{m \times m}$ together with a basis of the lattice generated by the matrix $\mathbf{A}\mathbf{R}$.

4 Construction of Group-based Broadcast Encryption Scheme

In this section, we describe a public-key group-based broadcast encryption scheme. There are a large number of users and a large number of groups in this scheme, and each user may be contained in one or more groups. From the inverse point of view, for a fixed number l of groups, we can associate a user u ∈ U with the set of groups Γ he belongs to: $\Gamma(u) = \{i \in [l] : u \in G_i\} \subset [l]$. In this scheme every group is assigned a matrix, and every user is associated with a big matrix. Definition 5 gives a function that fixes many matrices into one big matrix.

Definition 5 For a series of matrices $\mathbf{A}_i$ with $i \in \Gamma \subset [l]$ and $|\Gamma| = d$, the function fAndM is defined as

$$f_{AndM}(\mathbf{A}_i, i \in \Gamma) = \begin{pmatrix} \mathbf{A}_{\Gamma_1} & \mathbf{0} & \cdots & \mathbf{0} \\ \mathbf{0} & \mathbf{A}_{\Gamma_2} & \cdots & \mathbf{0} \\ \vdots & \vdots & \ddots & \vdots \\ \mathbf{0} & \mathbf{0} & \cdots & \mathbf{A}_{\Gamma_d} \end{pmatrix}$$

In our scheme, each group $G_i$ is assigned a matrix $\mathbf{A}_i$. For a group set $G_\Gamma = \{G_i : i \in \Gamma \subset [l]\}$, the associated matrix is defined as $\mathbf{F}_\Gamma = f_{AndM}(\mathbf{A}_i, i \in \Gamma)$. H() is a hash function which maps an integer to an invertible matrix in $\mathcal{D}_{m \times m}$. A detailed description of our scheme follows.

4.1 Description

Setup($1^n$). On input a security parameter n and maximum depth d:

1. Define the universe U.
2. Choose $\mathbf{y}_1, \mathbf{y}_2, \ldots, \mathbf{y}_t$ uniformly at random from $\mathbb{Z}_q^n$.
3. Run the trapdoor generation algorithm TrapGen to generate a matrix $\mathbf{G} \in \mathbb{Z}_q^{n \times m}$ with a short basis $\mathbf{T}_{\mathbf{G}}$.
4. The published public parameters are $\mathbf{G}$ and $\{\mathbf{y}_i\}_{i \in [t]}$. The master key is $\mathbf{T}_{\mathbf{G}}$.

KeyGen(Γ, PP, MK).

1. For a user with group set Γ ⊆ U, each group number i is mapped to a key as below: $\mathbf{D}_i = \mathbf{T}_{\mathbf{G}\mathbf{R}_i^{-1}} = \mathrm{BasisDel}(\mathbf{G}, \mathbf{T}_{\mathbf{G}}, \mathbf{R}_i = H(i), \sigma)$.
2. The private key is $\mathbf{D}_\Gamma = \{\mathbf{D}_i\}_{i \in \Gamma}$.

Encryption(PP, Γ′, m). The encryption algorithm encrypts a message m ∈ {0, 1} under the group set Γ′.

1. Denote k = |Γ′| and assume $\Gamma' = \{g_1, g_2, \ldots, g_k\}$.
2. Let $\mathbf{u} = (\mathbf{y}_{g_1}, \mathbf{y}_{g_2}, \ldots, \mathbf{y}_{g_k}) \in \mathbb{Z}_q^{kn}$ and $\mathbf{F}_{\Gamma'} = f_{AndM}(\mathbf{A}_{g_i} : i \in [k])$.
3. Choose $\mathbf{s}$ from $\mathbb{Z}_q^{kn}$ at random. Let $X = \bar{\Psi}_\alpha$; choose $x \in X$ and $\mathbf{x} \in X^{dm}$.
4. Use Regev's dual public key encryption/decryption scheme, taking $\mathbf{s}$ as the secret key. Let $c_0 = \langle \mathbf{s}, \mathbf{u} \rangle + x + m\lfloor q/2 \rfloor$ and $\mathbf{c}_1 = \mathbf{F}_{\Gamma'}^T \mathbf{s} + \mathbf{x}$.
5. The ciphertext is then published as $E = (\Gamma', c_0, \mathbf{c}_1)$.

Decryption(PP, $SK_\Gamma$, CT). On input public parameters PP, a private key $SK_\Gamma$ for a user $u_\Gamma$ with group set Γ, and a ciphertext CT:

1. Let $\tau = \sigma\, \omega(\sqrt{m \log m})$.
2. Construct the vector $\mathbf{u}$ as in Encryption.
3. If Γ′ ⊆ Γ, user $u_\Gamma$ can compute a basis of $\mathbf{F}_{\Gamma'}$ with the basis extraction algorithm: $\mathbf{T}_{\mathbf{F}_{\Gamma'}} = \mathrm{SampleBasisAND}(\mathbf{F}_{\Gamma'}, \mathbf{T}_{\mathbf{F}'_\Gamma}, L)$.
4. Set $\mathbf{d}_{\Gamma'} \leftarrow \mathrm{SamplePre}(\mathbf{F}_{\Gamma'}, \mathbf{T}_{\mathbf{F}'_\Gamma}, \mathbf{u}, \tau)$. Note that $\mathbf{F}_{\Gamma'} \mathbf{d}_{\Gamma'} = \mathbf{u} \in \mathbb{Z}_q^{kn}$.
5. Compute $w = c_0 - \mathbf{d}_{\Gamma'}^T \mathbf{c}_1 \in \mathbb{Z}_q$.
6. Compare w and ⌊q/2⌋, treating them as integers in $\mathbb{Z}_q$: if they are close, i.e., if $|w - \lfloor q/2 \rfloor| \le \lfloor q/4 \rfloor$ in $\mathbb{Z}$, output 1; otherwise output 0.

In this system the message to encrypt is a single bit; one can easily extend it to a practical Key Encapsulation Mechanism (KEM) paradigm [20, 21], where the broadcast ciphertext only encrypts a symmetric key that is used to encrypt the broadcast content.

4.2 Correctness and Parameters

When the cryptosystem is operated as specified, during decryption of a ciphertext encrypted to a group set Γ′ we have

$$w = c_0 - \mathbf{d}_{\Gamma'}^T \mathbf{c}_1 = m\Big\lfloor \frac{q}{2} \Big\rfloor + x - \mathbf{d}_{\Gamma'}^T \mathbf{x}$$

From Lemma 1 and the fact that $\|\mathbf{d}_{\Gamma'}^T\| \le \tau\sqrt{km} \le k\sigma\sqrt{km}\, \omega(\sqrt{\log km})$, we can bound the error term $(x - \mathbf{d}_{\Gamma'}^T \mathbf{x})$ as below:

$$|x - \mathbf{d}_{\Gamma'}^T \mathbf{x}| \le \big(k\sigma\sqrt{km}\, \omega(\sqrt{\log km})\big)\big(q\alpha\, \omega(\sqrt{\log km}) + \sqrt{km}\big) \qquad (4)$$

$$= k\sigma q\alpha\sqrt{km}\, \omega(\log km) + k^2 m\sigma\, \omega(\sqrt{\log km}) \qquad (5)$$

Therefore, letting $\|\widetilde{\mathbf{T}_{\mathbf{A}}}\| = \sqrt{n \log q}$, for the system to work correctly we need that:

1. TrapGen can operate (i.e. m ≥ 6n log q).
2. The error term is less than q/5, i.e.

$$k\sigma q\alpha\sqrt{km}\, \omega(\log km) + k^2 m\sigma\, \omega(\sqrt{\log km}) \le q/5 \;\Rightarrow\; k^2 m\sigma\, \omega(\sqrt{\log km}) \le q\big(1/5 - k\sigma\alpha\sqrt{km}\, \omega(\log km)\big)$$

3. BasisDel used in KeyGen can operate ($\sigma > n\sqrt{m} \log q \cdot \omega(\log^2 m)$).
4. Regev's dual public key encryption/decryption can operate ($q > 2\sqrt{n}/\alpha$).

Taking (n, k) to be the security parameter, assume that δ is such that $n^\delta > \lceil \log q \rceil = O(k \log n)$. The parameters (m, q, σ, α) are set as

$$m = 6n^{1+\delta}, \quad q = m^{\frac{3}{2}k + 2} \cdot \omega(\log^{2k+1} n), \quad \sigma = n\sqrt{m} \log q \cdot \omega(\log^2 m), \quad \alpha = \frac{1}{\sigma m\, \omega(\log n)}$$

where m is rounded up to the nearest larger integer and q to the nearest larger prime.

5 Proof of Security

We prove the security of our scheme in the GBBE Selective-GS model and reduce the security to the hardness of the LWE assumption. For simplicity, we assume that each user belongs to exactly d groups. This does not reduce the capability of the scheme, because this simple system can easily be extended to the original system by adding some empty groups.

Theorem 8 Let A be a PPT adversary that attacks the scheme when H is modeled as a random oracle. Let $Q_H$ be the number of H queries made by A. If A is a GBBE Selective-GS adversary with advantage ε, then there is a PPT algorithm B that decides $LWE_{\mathbb{Z}_q^n, \alpha, \bar{\Psi}_\alpha}$ with advantage $\epsilon/Q_H - \mathrm{negl}(n)$.

Proof As described in Definition 4, LWE is about recognizing an oracle O. Here, A is used to construct an LWE algorithm B with negligible advantage.

Init. B requests from O and receives, for each i ∈ {0, 1, ..., m}, a fresh pair $(\mathbf{u}_i, v_i) \in \mathbb{Z}_q^n \times \mathbb{Z}_q$.

Setup. B prepares a simulated attack environment for A as follows.

1. Sample a random matrix $\mathbf{R}^* \in \mathcal{D}_{m \times m}$ by running $\mathbf{R}^* \leftarrow \mathrm{SampleR}(1^m)$.
2. Assemble the matrix $\mathbf{A}_0 \in \mathbb{Z}_q^{n \times m}$ by letting the i-th column of $\mathbf{A}_0$ be $\mathbf{u}_i$ for all i = 1, 2, ..., m. Then $\mathbf{A}_0 = (\mathbf{u}_1 \| \mathbf{u}_2 \| \cdots \| \mathbf{u}_m)$.
3. Set $\mathbf{A} \leftarrow \mathbf{A}_0 \mathbf{R}^*$. The matrix $\mathbf{A}$ is uniform in $\mathbb{Z}_q^{n \times m}$ since $\mathbf{R}^*$ is invertible mod q and $\mathbf{A}_0$ is uniform in $\mathbb{Z}_q^{n \times m}$.
4. Publish the public parameters $PP = (\mathbf{A}, \mathbf{u}_0)$.

Random-oracle hash queries. A may query the random oracle H on any group set Γ′ of its choice, adaptively and at any time. B maintains a list $H_{list}$ and answers a query as follows.

1. Let $H_1$ be an empty set of matrices.
2. For all i ∈ Γ′ with $i \in H_{list}$, retrieve the saved tuple $(i, \mathbf{R}_i, \mathbf{B}_i, \mathbf{T}_{\mathbf{B}_i})$ from $H_{list}$ and save $\mathbf{R}_i$ in $H_1$.
3. For all i ∈ Γ′ with $i \notin H_{list}$:
(a) Compute $\mathbf{A}_i = \mathbf{A}(\mathbf{R}^*)^{-1}$.
(b) Run SampleRwithBasis($\mathbf{A}_i$) to obtain a random $\mathbf{R}_i \in \mathcal{D}_{m \times m}$ and a short basis $\mathbf{T}_{\mathbf{B}_i}$ for $\mathbf{B}_i = \mathbf{A}_i \mathbf{R}_i$.
(c) Save the tuple $(i, \mathbf{R}_i, \mathbf{B}_i, \mathbf{T}_{\mathbf{B}_i})$ in the list $H_{list}$.
(d) Save $\mathbf{R}_i$ in $H_1$.
4. Return $H_1$.

Secret key queries. A makes interactive key-extraction queries on an arbitrary set Γ, chosen adaptively. B answers a query on Γ as follows.

1. Let $H_2$ be an empty set of matrices.
2. For all i ∈ Γ with $i \in H_{list}$, retrieve the saved tuple $(i, \mathbf{R}_i, \mathbf{B}_i, \mathbf{T}_{\mathbf{B}_i})$ from $H_{list}$ and save $\mathbf{T}_{\mathbf{B}_i}$ in $H_2$.
3. For all i ∈ Γ with $i \notin H_{list}$:
(a) Make the random-oracle hash query and save $(i, \mathbf{R}_i, \mathbf{B}_i, \mathbf{T}_{\mathbf{B}_i})$ to $H_{list}$.
(b) By construction $\mathbf{B}_i = \mathbf{A}(\mathbf{R}^*)^{-1} \mathbf{R}_i^{-1}$ and $\mathbf{T}_{\mathbf{B}_i}$ is a short basis for $\mathbf{B}_i$.
(c) Save $\mathbf{T}_{\mathbf{B}_i}$ in $H_2$.
4. Send $H_2$ to the adversary.

Challenge. A announces to B the user u ∈ U with the group set Γ′ on which it wishes to be challenged and a message $m^* \in \{0, 1\}$ to be encrypted. We require that exactly one of the group numbers in Γ′ has not been asked before. If more than one element has not been asked before, B picks one out and makes hash queries for all the other group numbers by itself. If all the group numbers have been asked, the simulation must abort, for B would be able to extract a private key for Γ′ and thus answer by itself the challenge that it intended to ask.

1. For the group number β that has not been asked, B proceeds as follows:
(a) Retrieve $v_0, v_1, \ldots, v_m \in \mathbb{Z}_q$ from the LWE instance.
(b) Set $\mathbf{v}^* = (v_1, v_2, \ldots, v_m)$.
2. For all group numbers other than β, B gets the associated matrix from $H_{list}$. That is, for each i ∈ Γ′ with i ≠ β, retrieve the tuple $(i, \mathbf{R}_i, \mathbf{B}_i, \mathbf{T}_{\mathbf{B}_i})$ from $H_{list}$. Set $\mathbf{F}_A = f_{AndM}(\mathbf{B}_i : i \in \Gamma', i \ne \beta)$.
3. Set $\mathbf{u} = (\mathbf{y}_1 \| \mathbf{y}_2 \| \cdots \| \mathbf{y}_{\beta-1} \| \mathbf{y}_{\beta+1} \| \cdots \| \mathbf{y}_d)^T \in \mathbb{Z}_q^{(d-1)n}$.
4. Choose $\mathbf{s} \in \mathbb{Z}_q^{(d-1)n}$ and $\mathbf{x} \in X^{(d-1)m}$ at random.
5. Let $c_0^* = \langle \mathbf{s}, \mathbf{u} \rangle + v_0 + m^* \lfloor q/2 \rfloor \in \mathbb{Z}_q$ and $\mathbf{c}_1^* = (\mathbf{F}_A^T \mathbf{s}, \mathbf{v}^*) + (\mathbf{x}, \mathbf{0}) \in \mathbb{Z}_q^{dm}$.
6. Set $CT^* = (c_0^*, \mathbf{c}_1^*)$ and send it to the adversary.

When O is a pseudo-random LWE oracle, then $c_0^* = \langle (\mathbf{s}, \mathbf{s}^*), (\mathbf{u}, \mathbf{u}_\beta) \rangle + x + m^* \lfloor q/2 \rfloor$ and $\mathbf{c}_1^* = (\mathbf{F}_A, \mathbf{A}_0)^T \cdot (\mathbf{s}, \mathbf{s}^*) + (\mathbf{x}, \mathbf{x}^*)$ for some random $(\mathbf{s}, \mathbf{s}^*) \in \mathbb{Z}_q^{dn}$ and noise values x and $(\mathbf{x}, \mathbf{x}^*) \in \mathbb{Z}_q^{dm}$. In this case $(c_0^*, \mathbf{c}_1^*)$ is a valid encryption of $m^*$ for Γ′. When O is a random oracle, then $(v_0, \mathbf{v}^*)$ are uniform in $(\mathbb{Z}_q, \mathbb{Z}_q^m)$ and therefore $(c_0^*, \mathbf{c}_1^*)$ is uniform in $(\mathbb{Z}_q, \mathbb{Z}_q^{dm})$, because the PPT adversary A cannot distinguish the LWE part out of $(c_0^*, \mathbf{c}_1^*)$.

A makes more secret key queries, answered by B in the same manner as before. Finally, A guesses whether $CT^*$ is an encryption of $m^*$ for Γ′. B outputs A's guess and ends the simulation.

The distribution of the public parameters is identical to its distribution in the real system, as are the responses to private key queries. Responses to H oracle queries are as in the real system. Finally,

if B does not abort, then the challenge ciphertext is distributed either as in the real system or independently at random. Hence, if B does not abort, its advantage in solving LWE is the same as A's advantage in attacking the system. Since A is PPT, it only finds collisions on H with negligible probability. The simulator can proceed without aborting with probability

$$\Pr[\text{not abort}] > \frac{1}{Q_H} - \mathrm{negl}(n).$$

Then if A has advantage ε > 0, B has advantage at least $\epsilon/Q_H - \mathrm{negl}(n)$.

6 Conclusion

In this paper, a group based broadcast encryption scheme on lattices is built and its construction is given. The proof of security is described in detail under the GBBE Selective-GS security model. A new basis extraction algorithm on lattices is put forward, with which one can extract a basis of a lattice generated by two or more random matrices. This method has not been presented in this way before. The algorithm is of independent interest and may be adapted to other lattice based cryptographic applications such as attribute based encryption systems and signature schemes.

References

[1] A. Fiat, M. Naor, Broadcast encryption, in: D. R. Stinson (Ed.), CRYPTO, Vol. 773 of Lecture Notes in Computer Science, Springer, 1993, pp. 480-491
[2] M. Ajtai, Generating hard instances of lattice problems, in: Proceedings of the 28th Annual ACM Symposium on Theory of Computing, May 22-24, 1996, ACM, Philadelphia, PA, USA, 1996, pp. 99-108
[3] O. Regev, On lattices, learning with errors, random linear codes, and cryptography, in: Proceedings of the Annual ACM Symposium on Theory of Computing, Association for Computing Machinery, 2005, pp. 84-93
[4] S. Berkovits, How to broadcast a secret, in: Advances in Cryptology - EUROCRYPT '91, Workshop on the Theory and Application of Cryptographic Techniques, Proceedings, 8-11 April 1991, Springer-Verlag, Berlin, Germany, 1991, pp. 535-541
[5] A. Fiat, M. Naor, Broadcast encryption, in: Proceedings of the 13th Annual International Cryptology Conference, Aug 22-26 1993, Lecture Notes in Computer Science, Springer-Verlag, Santa Barbara, CA, United States, 1994, pp. 480-480
[6] C. Delerablée, Identity-based broadcast encryption with constant size ciphertexts and private keys, in: K. Kurosawa (Ed.), Advances in Cryptology - Asiacrypt 2007, 13th International Conference on Theory and Application of Cryptology and Information Security, Dec 02-06, 2007, Kuching, Malaysia, Vol. 4833 of Lecture Notes in Computer Science, 2007, pp. 200-215
[7] J. Y. Hwang, D. H. Lee, J. Lim, Generic transformation for scalable broadcast encryption schemes, in: V. Shoup (Ed.), Advances in Cryptology - Crypto 2005, 25th Annual International Cryptology Conference, Aug 14-18, 2005, Santa Barbara, CA, Vol. 3621 of Lecture Notes in Computer Science, 2005, pp. 276-292
[8] H. Y. Chien, Efficient ID-based broadcast encryption scheme - comments, IEEE Transactions on Broadcasting 53 (4) (2007) 809-810
[9] C. Gentry, B. Waters, Adaptive security in broadcast encryption systems (with short ciphertexts), in: A. Joux (Ed.), Advances in Cryptology - Eurocrypt 2009, 28th Annual International Conference on Theory and Applications of Cryptographic Techniques, Apr 26-30, 2009, Cologne, Germany, Vol. 5479 of Lecture Notes in Computer Science, 2009, pp. 171-188
[10] D. Boneh, M. Hamburg, Generalized identity based and broadcast encryption schemes, in: ASIACRYPT, 2008, pp. 455-470
[11] C. Delerablée, P. Paillier, D. Pointcheval, Fully collusion secure dynamic broadcast encryption with constant-size ciphertexts or decryption keys, in: Pairing, 2007, pp. 39-59
[12] S. S. D. Selvi, S. S. Vivek, N. N. Karuturi, R. Gopalakrishnan, C. P. Rangan, Cryptanalysis of Bohio et al.'s ID-based broadcast signcryption (IBBSC) scheme for wireless ad-hoc networks, in: PST, 2008, pp. 109-120
[13] F. Li, X. Xin, Y. Hu, Identity-based broadcast signcryption, Computer Standards & Interfaces 30 (1-2) (2008) 89-92
[14] C. Gentry, C. Peikert, V. Vaikuntanathan, Trapdoors for hard lattices and new cryptographic constructions, in: STOC'08: Proceedings of the 2008 ACM International Symposium on Theory of Computing, 2008, pp. 197-206
[15] D. Cash, D. Hofheinz, E. Kiltz, How to delegate a lattice basis, http://eprint.iacr.org/ (2009)
[16] S. Agrawal, D. Boneh, X. Boyen, Lattice basis delegation in fixed dimension and shorter ciphertext hierarchical IBE, in: Proc. of Crypto'10, Vol. 6223, 2010, pp. 98-115
[17] S. Agrawal, D. Boneh, X. Boyen, Efficient lattice (H)IBE in the standard model, in: H. Gilbert (Ed.), Advances in Cryptology - Eurocrypt 2010, Vol. 6110 of Lecture Notes in Computer Science, 2010, pp. 553-572
[18] J. Alwen, C. Peikert, Generating shorter bases for hard random lattices, in: STACS, 2009, pp. 75-86
[19] D. Micciancio, O. Regev, Worst-case to average-case reductions based on Gaussian measures, in: 45th Annual IEEE Symposium on Foundations of Computer Science, Proceedings, 2004, pp. 372-381
[20] T. Ishihara, H. Aono, S. Hongo, J. Shikata, Construction of threshold (hybrid) encryption in the random oracle model: How to construct secure threshold tag-KEM from weakly secure threshold KEM, Information Security and Privacy, Proceedings 4586 (2007) 259-273
[21] M. Abe, R.
Gennaro, K. Kurosawa, Tag-kem/dem: A new framework for hybrid encryption, Journal of Cryptology 21 (1) (2008) 97-130

Suggest Documents