Adaptive CCA broadcast encryption with constant-size secret keys and ciphertexts

  • Regular Contribution
International Journal of Information Security

Abstract

We consider designing public-key broadcast encryption schemes with constant-size secret keys and ciphertexts, achieving chosen-ciphertext security. We first argue that known CPA-to-CCA transforms currently do not yield such schemes. We then propose a scheme, modifying a previous selective CPA secure proposal by Boneh, Gentry, and Waters. Our scheme has constant-size secret keys and ciphertexts, and we prove that it is selective chosen-ciphertext secure based on standard assumptions. Our scheme has ciphertexts that are shorter than those of the previous CCA secure proposals. Then, we propose a second scheme that provides the functionality of both broadcast encryption and revocation schemes simultaneously using the same set of parameters. Finally, we show that it is possible to prove our first scheme adaptive chosen-ciphertext secure under reasonable extensions of the bilinear Diffie–Hellman exponent and the knowledge-of-exponent assumptions. We prove both of these extended assumptions in the generic group model. Hence, our scheme becomes the first to achieve constant-size secret keys and ciphertexts (both asymptotically optimal) and adaptive chosen-ciphertext security at the same time.


Notes

  1. Note that, in comparison with [34], we ignore the \(Reg\) parameter here as it can be regarded as part of \({\textit{EK}}\).

  2. UOWHF is also known as target collision resistance (TCR).

References

  1. Abdalla, M., Bellare, M., Rogaway, P.: The oracle Diffie-Hellman assumptions and an analysis of DHIES. In: Naccache, D. (ed.) Topics in Cryptology—CT-RSA 2001, vol. 2020 of Lecture Notes in Computer Science. Springer, pp. 143–158 (2001)

  2. Abe, M., Fehr, S.: Perfect NIZK with adaptive soundness. In: Vadhan, S.P. (ed.) TCC 2007: 4th Theory of Cryptography Conference, vol. 4392 of Lecture Notes in Computer Science. Springer, pp. 118–136 (2007)

  3. Boneh, D., Boyen, X., Goh, E.-J.: Hierarchical identity based encryption with constant size ciphertext. In: Cramer, R. (ed.) Advances in Cryptology—EUROCRYPT 2005, vol. 3494 of Lecture Notes in Computer Science, Springer, pp. 440–456 (2005)

  4. Berlekamp, E.R.: Factoring polynomials over large finite fields. Math. Comput. 24(111), 713–735 (1970)


  5. Boneh, D., Gentry, C., Waters, B.: Collusion resistant broadcast encryption with short ciphertexts and private keys. In: Shoup, V. (ed.) Advances in Cryptology—CRYPTO 2005, vol. 3621 of Lecture Notes in Computer Science. Springer, pp. 258–275 (2005)

  6. Boneh, D., Katz, J.: Improved efficiency for CCA-secure cryptosystems built using identity-based encryption. In: Menezes, A. (ed.) Topics in Cryptology—CT-RSA 2005, vol. 3376 of Lecture Notes in Computer Science. Springer, pp. 87–103 (2005)

  7. Boyen, X., Mei, Q., Waters, B.: Direct chosen ciphertext security from identity-based techniques. In: Atluri, V., Meadows, C., Juels, A. (eds.) ACM CCS 05: 12th Conference on Computer and Communications Security. ACM Press, pp. 320–329 (2005)

  8. Bellare, M., Palacio, A.: The knowledge-of-exponent assumptions and 3-round zero-knowledge protocols. In: Franklin, M. (ed.) Advances in Cryptology—CRYPTO 2004, vol. 3152 of Lecture Notes in Computer Science. Springer, pp. 273–289 (2004)

  9. Bellare, M., Rogaway, P.: Random oracles are practical: A paradigm for designing efficient protocols. In: Ashby, V. (ed.) ACM CCS 93: 1st Conference on Computer and Communications Security. ACM Press, pp. 62–73 (1993)

  10. Canetti, R., Halevi, S., Katz, J.: Chosen-ciphertext security from identity-based encryption. In: Cachin, C., Camenisch, J. (eds.) Advances in Cryptology—EUROCRYPT 2004, vol. 3027 of Lecture Notes in Computer Science. Springer, pp. 207–222 (2004)

  11. Cramer, R., Shoup, V.: Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack. SIAM J. Comput. 33(1), 167–226 (2003)


  12. Damgård, I.: Collision free hash functions and public key signature schemes. In: Chaum, D., Price, W.L. (eds.) Advances in Cryptology—EUROCRYPT’87, vol. 304 of Lecture Notes in Computer Science. Springer, pp. 203–216 (1988)

  13. Damgård, I.: Towards practical public key systems secure against chosen ciphertext attacks. In: Feigenbaum, J. (ed.) Advances in Cryptology—CRYPTO’91, vol. 576 of Lecture Notes in Computer Science. Springer, pp. 445–456 (1992)

  14. Dolev, D., Dwork, C., Naor, M.: Nonmalleable cryptography. SIAM J. Comput. 30(2), 391–437 (2000)


  15. Delerablée, C.: Identity-based broadcast encryption with constant size ciphertexts and private keys. In: Kurosawa, K. (ed.) Advances in Cryptology—ASIACRYPT 2007, vol. 4833 of Lecture Notes in Computer Science. Springer, pp. 200–215 (2007)

  16. Dent, A.W.: The hardness of the DHK problem in the generic group model. Cryptology ePrint Archive, Report 2006/156 (2006). http://eprint.iacr.org/2006/156

  17. Dodis, Y., Fazio, N.: Public-key broadcast encryption for stateless receivers. In: ACM Digital Rights Management—DRM ’02, vol. 2696 of Lecture Notes in Computer Science. Springer, pp. 61–80 (2002)

  18. Dodis, Y., Fazio, N.: Public key trace and revoke scheme secure against adaptive chosen ciphertext attack. In: Desmedt, Y. (ed.) PKC 2003: 6th International Workshop on Theory and Practice in Public Key Cryptography, vol. 2567 of Lecture Notes in Computer Science. Springer, pp. 100–115 (2003)

  19. Desmedt, Y., Phan, D.H.: A CCA secure hybrid Damgård’s ElGamal encryption. In: Baek, J., Bao, F., Chen, K., Lai, X. (eds.) ProvSec 2008: 2nd International Conference on Provable Security, vol. 5324 of Lecture Notes in Computer Science. Springer, pp. 68–82 (2008)

  20. Delerablée, C., Paillier, P., Pointcheval, D.: Fully collusion secure dynamic broadcast encryption with constant-size ciphertexts or decryption keys. In: Takagi, T., Okamoto, T., Okamoto, E., Okamoto, T. (eds.) PAIRING 2007: 1st International Conference on Pairing-based Cryptography, vol. 4575 of Lecture Notes in Computer Science. Springer, pp. 39–59 (2007)

  21. Fiat, A., Naor, M.: Broadcast encryption. In: Stinson, D.R. (ed.) Advances in Cryptology—CRYPTO’93, vol. 773 of Lecture Notes in Computer Science. Springer, pp. 480–491 (1994)

  22. Goldreich, O., Goldwasser, S., Halevi, S.: Collision-free hashing from lattice problems. Cryptology ePrint Archive, Report 1996/009, http://eprint.iacr.org/1996/009 (1996)

  23. Groth, J., Sahai, A.: Efficient non-interactive proof systems for bilinear groups. In: Smart, N.P. (ed.) Advances in Cryptology—EUROCRYPT 2008, vol. 4965 of Lecture Notes in Computer Science. Springer, pp. 415–432 (2008)

  24. Gentry, C., Waters, B.: Adaptive security in broadcast encryption systems (with short ciphertexts). In: Joux, A., (ed.) Advances in Cryptology—EUROCRYPT 2009, vol. 5479 of Lecture Notes in Computer Science. Springer, pp. 171–188 (2009)

  25. Hada, S., Tanaka, T.: On the existence of 3-round zero-knowledge protocols. In: Krawczyk, H. (ed.) Advances in Cryptology—CRYPTO’98, vol. 1462 of Lecture Notes in Computer Science. Springer, pp. 408–423 (1998)

  26. Kiltz, E.: Chosen-ciphertext security from tag-based encryption. In: Halevi, S., Rabin, T. (eds.) TCC 2006: 3rd Theory of Cryptography Conference, vol. 3876 of Lecture Notes in Computer Science. Springer, pp. 581–600 (2006)

  27. Lindell, Y.: A simpler construction of CCA2-secure public-key encryption under general assumptions. In: Biham, E. (ed.) Advances in Cryptology—EUROCRYPT 2003, vol. 2656 of Lecture Notes in Computer Science. Springer, pp. 241–254 (2003)

  28. Lewko, A.B., Sahai, A., Waters, B.: Revocation systems with very small private keys. In: 2010 IEEE Symposium on Security and Privacy. IEEE Computer Society Press, pp. 273–285 (2010)

  29. Nielsen, J.B.: Separating random oracle proofs from complexity theoretic proofs: The non-committing encryption case. In: Yung, M. (ed.) Advances in Cryptology—CRYPTO 2002, vol. 2442 of Lecture Notes in Computer Science. Springer, pp. 111–126 (2002)

  30. Naor, D., Naor, M., Lotspiech, J.: Revocation and tracing schemes for stateless receivers. In: Kilian, J. (ed.) Advances in Cryptology—CRYPTO 2001, vol. 2139 of Lecture Notes in Computer Science. Springer, pp. 41–62 (2001)

  31. Naor, M., Yung, M.: Universal one-way hash functions and their cryptographic applications. In: 21st Annual ACM Symposium on Theory of Computing. ACM Press, pp. 33–43 (1989)

  32. Naor, M., Yung, M.: Public-key cryptosystems provably secure against chosen ciphertext attacks. In: 22nd Annual ACM Symposium on Theory of Computing. ACM Press (1990)

  33. Phan, D.H., Pointcheval, D., Strefler, M.: Adaptively secure broadcast encryption with forward secrecy. Cryptology ePrint Archive, Report 2011/463, 2011. http://eprint.iacr.org/2011/463

  34. Phan, D.H., Pointcheval, D., Strefler, M.: Security notions for broadcast encryption. In: Lopez, J., Tsudik, G. (eds.) ACNS ’11, vol. 6715 of Lecture Notes in Computer Science. Springer, pp. 377–394 (2011)

  35. Phan, D.H., Pointcheval, D., Shahandashti, S.F., Strefler, M.: Adaptive CCA broadcast encryption with constant-size secret keys and ciphertexts. In: Susilo, W., Mu, Y., Seberry, J. (eds.) ACISP 2012, vol. 7372 of Lecture Notes in Computer Science. Springer, pp. 308–321 (2012)

  36. Rompel, J.: One-way functions are necessary and sufficient for secure signatures. In: 22nd Annual ACM Symposium on Theory of Computing. ACM Press, pp. 387–394 (1990)

  37. Rogaway, P., Shrimpton, T.: Cryptographic hash-function basics: Definitions, implications, and separations for preimage resistance, second-preimage resistance, and collision resistance. In: Roy, B.K., Meier, W. (eds.) Fast Software Encryption—FSE 2004, vol. 3017 of Lecture Notes in Computer Science. Springer, pp. 371–388 (2004)

  38. Sahai, A.: Non-malleable non-interactive zero knowledge and adaptive chosen-ciphertext security. In: 40th Annual Symposium on Foundations of Computer Science. IEEE Computer Society Press, pp. 543–553 (1999)

  39. Shoup, V.: On the deterministic complexity of factoring polynomials over finite fields. Inf. Process. Lett. 33(5), 261–267 (1990)


  40. Shoup, V.: Lower bounds for discrete logarithms and related problems. In: Fumy, W. (ed.) Advances in Cryptology—EUROCRYPT’97, vol. 1233 of Lecture Notes in Computer Science. Springer, pp. 256–266 (1997)

  41. Simon, D.R.: Finding collisions on a one-way street: Can secure hash functions be based on general assumptions? In: Nyberg, K. (ed.) Advances in Cryptology—EUROCRYPT’98, vol. 1403 of Lecture Notes in Computer Science. Springer, pp. 334–345 (1998)

  42. Waters, B.: Dual system encryption: Realizing fully secure IBE and HIBE under simple assumptions. In: Halevi, S. (ed.) Advances in Cryptology—CRYPTO 2009, vol. 5677 of Lecture Notes in Computer Science. Springer, pp. 619–636 (2009)


Acknowledgments

This work was supported by the French ANR-09-VERS-016 BEST Project. The authors would like to thank the anonymous reviewers of the ACISP 2012 conference and the International Journal of Information Security.


Corresponding author

Correspondence to Siamak F. Shahandashti.

Additional information

This is the full version of a paper by the same title appearing in the proceedings of ACISP 2012 [35].

Appendices

Appendix A: Proof of Theorem 1

Proof

Suppose there exists a selective CCA adversary \({\mathsf{A}}\) that is able to distinguish the above scheme’s keys from random elements. We construct an algorithm \({\mathsf{B}}\) that either outputs a collision for a given key \({\kappa }\) or solves the \(n\)-BDHE decision problem.

Let \({\mathsf{B}}\) be given an \(n\)-BDHE challenge \((g,h,\{g_i\}_{i \in \{1,\ldots ,2n\} \setminus \{n+1\}},T)\); it has to decide whether \(T=e(g_{n+1},h)\) or \(T\) is random. \({\mathsf{B}}\) runs \({\mathsf{A}}\) and receives a set \(S^*\) of honest users on which it wishes to be challenged. As a UOWHF adversary, \({\mathsf{B}}\) also gives out \(h\) as the first message on which it wishes to be challenged and receives a key \({\kappa }\) for the hash function. \({\mathsf{B}}\) chooses a random \(\beta \in \mathbb{Z}_p\), calculates \(v\) as follows, and gives \({\textit{EK}}=(g,v,{\kappa })\) to \({\mathsf{A}}\).

$$\begin{aligned} v=g^\beta \cdot g_1^{-{\mathsf{H}}_{\kappa }(h)} \cdot \prod _{j\in S^*}{g_{n+1-j}^{-1}}. \end{aligned}\qquad (2)$$

On any join query for user \(i\) made by the adversary, \({\mathsf{B}}\) gives \(pk_i=(g_i,g_{n+1-i},g_{n+1+i})\) to \({\mathsf{A}}\).

On any private-key query for user \(i\) made by \({\mathsf{A}}\) (note that \(i \notin S^*\)), \({\mathsf{B}}\) calculates the private key as follows and gives it to \({\mathsf{A}}\).

$$\begin{aligned} d_i=g_i^\beta \cdot g_{1+i}^{-{\mathsf{H}}_{\kappa }(h)} \cdot \prod _{j\in S^*}{g_{n+1-j+i}^{-1}}. \end{aligned}$$

Note that \(d_i\) is properly simulated since we have \(d_i=v^{\alpha ^i}\).

On a decryption query \((i,S,(C_0,C_1))\) by \({\mathsf{A}}\) (note that \(S \subset S^*\) and \(i \in S\)), \({\mathsf{B}}\) first checks the validity of the ciphertext using Eq. 1. If the ciphertext is valid, it then checks whether \({\mathsf{H}}_{\kappa }(h)={\mathsf{H}}_{\kappa }(C_0)\); if they are equal, this provides a collision for the hash function \({\mathsf{H}}_{\kappa }\), and hence \({\mathsf{B}}\) can output \(C_0\) as the second message and break the UOWHF property.

If Eq. 1 holds and \({\mathsf{H}}_{\kappa }(h) \ne {\mathsf{H}}_{\kappa }(C_0)\), then let \(\delta ={\mathsf{H}}_{\kappa }(C_0)-{\mathsf{H}}_{\kappa }(h)\). \({\mathsf{B}}\) calculates the key as follows:

$$\begin{aligned} K= \frac{e(C_1,g \cdot g_n^{1/\delta })}{e(g^\beta \cdot g_n^{\beta /\delta } \cdot g_1^{\delta } \cdot \displaystyle \prod _{j\in S^* \setminus S}{(g_{n+1-j} \cdot g_{2n+1-j}^{1/\delta })^{-1}},C_0)}. \end{aligned}$$

Now, since Eq. 1 holds, the ciphertext is in the form \( \left(g^t, ( v \cdot g_1^{{\mathsf{H}}_{\kappa }(g^t)} \cdot \prod \nolimits _{j \in S}g_{n+1-j} )^t\right) \) for some (unknown) \(t\). Hence, the above calculated \(K\) will be as follows:

$$\begin{aligned} K&= \frac{e\left(\left( v \cdot g_1^{{\mathsf{H}}_{\kappa }(g^t)} \cdot \displaystyle \prod \nolimits _{j \in S}g_{n+1-j} \right)^t,g \cdot g_n^{1/\delta }\right)}{e(g^\beta \cdot g_n^{\beta /\delta } \cdot g_1^{\delta } \cdot \displaystyle \prod \nolimits _{j\in S^* \setminus S}{(g_{n+1-j} \cdot g_{2n+1-j}^{1/\delta })^{-1}},g^t)} \\&= \left( \frac{e( g^\beta \cdot g_1^{\delta } \cdot \displaystyle \prod \nolimits _{j \in S^* \setminus S}g_{n+1-j}^{-1} ,g \cdot g_n^{1/\delta })}{e(g^\beta \cdot g_n^{\beta /\delta } \cdot g_1^{\delta } \cdot \displaystyle \prod \nolimits _{j\in S^* \setminus S}{(g_{n+1-j} \cdot g_{2n+1-j}^{1/\delta })^{-1}},g)} \right)^t \\&= \left( \frac{e( g^\beta \cdot g_1^{\delta } \cdot \displaystyle \prod \nolimits _{j \in S^* \setminus S}g_{n+1-j}^{-1} ,g^{1+\alpha ^n/\delta })}{e(g^{\beta (1+\alpha ^n/\delta )} \cdot g_1^{\delta } \cdot \displaystyle \prod \nolimits _{j\in S^* \setminus S}{g_{n+1-j}^{-(1+\alpha ^n/\delta )}},g)} \right)^t \\&= \left( \frac{e( g_1^{\delta },g^{1+\alpha ^n/\delta })}{e(g_1^{\delta },g)} \right)^t = e(g_1,g)^{\alpha ^n t} = e(g_{n+1},g)^t \\ \end{aligned}$$

and hence it is properly simulated. In the above, we have substituted \(v\) from Eq. 2 and used the fact that \(\forall k: g_{n+k}=g_k^{\alpha ^n}\).
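As an added check of the derivation above (not part of the paper), the following Python models \(\mathbb{G}\) and \(\mathbb{G}_\mathrm{T}\) by discrete logarithms, storing \(g^a\) as \(a\) and \(e(g,g)^c\) as \(c\) modulo a constructed prime, and verifies that \({\mathsf{B}}\)'s formula for \(K\) equals \(e(g_{n+1},C_0)\) for random \(\alpha ,\beta ,t\) and any \(S \subseteq S^*\), and that the challenge \((h,h^\beta )\) passes the validity check. It assumes Eq. 1 is the pairing check \(e(C_0,\,v g_1^{{\mathsf{H}}_{\kappa }(C_0)}\prod _{j\in S}g_{n+1-j})=e(g,C_1)\), which is the ciphertext form the proof relies on; the tester knows \(\alpha \), which \({\mathsf{B}}\) does not, and the hash values are constructed random field elements.

```python
import secrets

P = (1 << 61) - 1   # constructed: a prime standing in for the group order p

def inv(x):
    return pow(x, P - 2, P)

class ReductionModel:
    # Exponent model: g^a is stored as a and e(g,g)^c as c (mod P).  The tester
    # knows alpha; B in the proof only holds the g_k = g^{alpha^k}, k != n+1.
    def __init__(self, n, alpha, beta, S_star, H_h):
        self.n, self.alpha, self.beta, self.S_star = n, alpha, beta, set(S_star)
        self.H_h = H_h                       # H_kappa(h), h the challenge element
        # Eq. 2: v = g^beta * g_1^{-H(h)} * prod_{j in S*} g_{n+1-j}^{-1}
        self.v = (beta - self.g(1) * H_h
                  - sum(self.g(n + 1 - j) for j in self.S_star)) % P

    def g(self, k):                          # log of g_k = g^{alpha^k}
        return pow(self.alpha, k, P)

    def w(self, S, H_C0):                    # log of v * g_1^{H(C0)} * prod_{j in S} g_{n+1-j}
        return (self.v + self.g(1) * H_C0 + sum(self.g(self.n + 1 - j) for j in S)) % P

    def encrypt(self, S, t, H_C0):           # (C0, C1) = (g^t, w^t), returned as logs
        return t % P, t * self.w(S, H_C0) % P

    def valid(self, S, C0, C1, H_C0):        # assumed Eq. 1: e(C0, w) == e(g, C1)
        return C0 * self.w(S, H_C0) % P == C1 % P

    def real_key(self, C0):                  # K = e(g_{n+1}, C0) = e(g,g)^{alpha^{n+1} t}
        return self.g(self.n + 1) * C0 % P

    def simulated_key(self, S, C0, C1, H_C0):
        # B's answer to a decryption query (i, S, (C0, C1)), using only g_k, k != n+1
        if not set(S) <= self.S_star or not self.valid(S, C0, C1, H_C0):
            raise ValueError("query outside the proof's conditions or invalid ciphertext")
        delta = (H_C0 - self.H_h) % P
        if delta == 0:                       # H(h) == H(C0): B outputs a UOWHF collision instead
            return None
        d, n = inv(delta), self.n
        num = C1 * (1 + self.g(n) * d) % P   # e(C1, g * g_n^{1/delta})
        den = (self.beta * (1 + self.g(n) * d) + self.g(1) * delta
               - sum(self.g(n + 1 - j) + self.g(2 * n + 1 - j) * d
                     for j in self.S_star - set(S))) % P
        return (num - den * C0) % P          # ... divided by e(D, C0), D the denominator element

def check_reduction(n=4, S_star=(1, 2, 3), S=(2, 3)):
    # Constructed random instance: returns (simulated key == real key, challenge valid)
    alpha, beta, t, t_h = (secrets.randbelow(P - 1) + 1 for _ in range(4))
    H_h, H_C0 = secrets.randbelow(P), secrets.randbelow(P)
    m = ReductionModel(n, alpha, beta, S_star, H_h)
    C0, C1 = m.encrypt(S, t, H_C0)
    keys_agree = m.simulated_key(S, C0, C1, H_C0) == m.real_key(C0)
    # Challenge C = (h, h^beta) with h = g^{t_h}: valid for S* by Eq. 2
    challenge_valid = m.valid(S_star, t_h, t_h * beta % P, H_h)
    return keys_agree, challenge_valid
```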

At some point, \({\mathsf{A}}\) declares that it is ready to receive the challenge. \({\mathsf{B}}\) calculates the challenge ciphertext as \(C=(h,h^\beta )\) and gives \(C\) along with \(K=T\) to \({\mathsf{A}}\). First, note that from Eq. 2, we have \( v \cdot g_1^{{\mathsf{H}}_{\kappa }(h)} \cdot \prod \nolimits _{j \in S^*}g_{n+1-j} = g^\beta , \) and hence \(C\) is a valid ciphertext satisfying Eq. 1. Furthermore, assuming that \(h=g^t\) for some \(t\), we have \( h^\beta =(g^\beta )^t=(v \cdot g_1^{{\mathsf{H}}_{\kappa }(h)} \cdot \prod \nolimits _{j\in S^*}{g_{n+1-j}})^t, \) which means that if \(T=e(g_{n+1},h)=e(g_{n+1},g)^t\), then \(K\) is the key corresponding to the ciphertext \(C\), and if \(T\) is random, then \(K\) is a random key.

In the second phase of the attack, \({\mathsf{B}}\) answers \({\mathsf{A}}\)’s queries as in the first phase.

At the end, \({\mathsf{A}}\) outputs its guess \(b\). \({\mathsf{B}}\) outputs \(b\) as its decision for the \(n\)-BDHE challenge. Based on the above discussion, if \({\mathsf{A}}\) is successful in its CCA attack, then either \({\mathsf{B}}\) is able to compute a collision for \({\mathsf{H}}_{\kappa }\) and win the UOWHF game, or it is able to solve the \(n\)-BDHE decision problem successfully. \(\square \)

Appendix B: Proof of the OBDHE assumption

In this section, we prove Theorem 2. Let \(d_P\), \(d_{P^{\prime }}\), \(d_Q\), and \(d_f\) be, respectively, the maximum degrees of the polynomials in \(P\), \(P^{\prime }\), \(Q\), and \(f\). We prove the following upper bound in the generic bilinear group model. We consider two random encodings \(\xi ,\zeta :\mathbb{Z}_p^+\mapsto \{0,1\}^m\) and write \(\mathbb{G}=\{\xi (x)\,|\,x\in \mathbb{Z}_p^+\}\) and \(\mathbb{G}_\mathrm{T}=\{\zeta (x)\,|\,x\in \mathbb{Z}_p^+\}\). The following theorem is a sufficient condition for Theorem 2.

Theorem 5

For \(P\), \(Q\), \(P^{\prime }\), \(f\), \(\xi \), \(\zeta \), \(\mathbb{G}\), \(\mathbb{G}_\mathrm{T}\) defined above, let \(|P|=s\), \(|Q|=t\), and \(\ell =s+t\). Let \(d=\max (2d_P,d_Q,d_f)\). If \(f\) is independent of \((P \parallel P^{\prime },Q)\), then for any \({\mathsf{A}}\) making a total of at most \(q\) queries to the oracles computing the group operations and the bilinear pairing, and at most \(q^{\prime }\) queries to the \({{\fancyscript{O}_{g,e}^\mathrm{DH}}}\) oracle, we have:

$$\begin{aligned}&\left|\Pr \left[ {\mathsf{A}}\left( \begin{array}{c} p,\xi (P(x_1,\ldots ,x_n)),\\ \zeta (Q(x_1,\ldots ,x_n)),\\ \zeta (t_0),\zeta (t_1);{{\fancyscript{O}_{g,e}^\mathrm{DH}}}(\cdot ,\cdot ) \end{array} \right) =b :\begin{array}{c} x_1,\ldots ,x_n,y\stackrel{\mathrm{R}}{\leftarrow }\mathbb{F}_p,\\ b\stackrel{\mathrm{R}}{\leftarrow }\{0,1\},\\ t_b\leftarrow f(x_1,\ldots ,x_n),\\ t_{1-b}\leftarrow y \end{array} \right] - \frac{1}{2} \right|\\&\quad \le \displaystyle \frac{(q+q^{\prime }+\ell +2)^2 \cdot \max (2d_{P^{\prime }},d)}{2p} \end{aligned}$$

Proof

Assume that we are given the algorithm \({\mathsf{A}}\). Consider an algorithm \({\mathsf{B}}\) that interacts with \({\mathsf{A}}\) as follows. \({\mathsf{B}}\) maintains two lists of pairs:

$$\begin{aligned}&L=\{(p_i,\xi _i):i=1,\ldots ,\tau _0\} \quad \text{ and}\\&{L_{\mathrm{T}}}=\{(q_i,\zeta _i):i=1,\ldots ,\tau _1\}, \end{aligned}$$

such that at step \(\tau \) of its interaction with \({\mathsf{A}}\), \(\tau _0+\tau _1=\tau +\ell +2\). Here, \(p_i \in \mathbb{F}_p[X_1,\ldots ,X_n]\), \(q_i \in \mathbb{F}_p[X_1,\ldots ,X_n,Y_0,Y_1]\), and \(\xi _i,\zeta _i\in \{0,1\}^m\).

\({\mathsf{B}}\) also maintains a counter \(\tau ^{\prime }\), initialized at zero, to count the number of \({{\fancyscript{O}_{g,e}^\mathrm{DH}}}\) oracle queries, and a list of polynomials: \( P^{\prime }=\{p^{\prime }_i:i=1,\ldots ,\tau ^{\prime }\} \) to store the polynomial output of the \({{\fancyscript{O}_{g,e}^\mathrm{DH}}}\) oracle queries.

At step \(\tau =0\), \({\mathsf{B}}\) initializes the lists by setting \(p_1,\ldots ,p_s\) in \(L\) equal to the polynomials in \(P\), \(q_1,\ldots ,q_t\) in \({L_{\mathrm{T}}}\) equal to the polynomials in \(Q\), \(q_{t+1}=Y_0\), and \(q_{t+2}=Y_1\). It also chooses \(\ell +2\) random strings in \(\{0,1\}^m\) and initializes \(\{\xi _i\}_{i=1}^{s}\) and \(\{\zeta _i\}_{i=1}^{t+2}\) with them.

\({\mathsf{B}}\) then runs \({\mathsf{A}}\) on the input \(p\), \(\{\xi _i\}_{i=1}^{s}\), \(\{\zeta _i\}_{i=1}^{t}\), \(\zeta _{t+1}\), and \(\zeta _{t+2}\). \({\mathsf{B}}\) answers \({\mathsf{A}}\)’s oracle queries as follows. We are assuming that \({\mathsf{A}}\)’s queries can only be strings obtained from \({\mathsf{B}}\), since \({\mathsf{B}}\) can, by increasing \(m\), make the strings in \(\mathbb{G}\) and \(\mathbb{G}_\mathrm{T}\) arbitrarily hard to guess.

Group operations: For a \(\mathbb{G}\) operation query \((\xi _i,\xi _j)\), \({\mathsf{B}}\) calculates \(p_{\tau _0+1}\leftarrow p_i \pm p_j\) depending on whether multiplication or division is requested. If \(p_{\tau _0+1}=p_l\) for some \(l \le \tau _0\), then \({\mathsf{B}}\) sets \(\xi _{\tau _0+1}\leftarrow \xi _l\); otherwise, it sets \(\xi _{\tau _0+1}\) equal to a new random string different from all the previous \(\xi _i\). Then, it appends the new pair \((p_{\tau _0+1},\xi _{\tau _0+1})\) to \(L\), replies to \({\mathsf{A}}\)’s query with \(\xi _{\tau _0+1}\), and finally increments the counter \(\tau _0\). \(\mathbb{G}_\mathrm{T}\) operation queries are dealt with analogously by updating the list \({L_{\mathrm{T}}}\) and the counter \(\tau _1\).

Bilinear pairings: For a pairing query of the form \((\xi _i,\xi _j)\), \({\mathsf{B}}\) calculates \(q_{\tau _1+1}\leftarrow p_i \cdot p_j\). If \(q_{\tau _1+1}=q_l\) for some \(l \le \tau _1\), then \({\mathsf{B}}\) sets \(\zeta _{\tau _1+1}\leftarrow \zeta _l\); otherwise, it sets \(\zeta _{\tau _1+1}\) equal to a new random string different from all the previous \(\zeta _i\). Then, it appends the new pair \((q_{\tau _1+1},\zeta _{\tau _1+1})\) to \({L_{\mathrm{T}}}\), replies to \({\mathsf{A}}\)’s query with \(\zeta _{\tau _1+1}\), and finally increments the counter \(\tau _1\).

\({{\fancyscript{O}_{g,e}^\mathrm{DH}}}\) queries: For a \({{\fancyscript{O}_{g,e}^\mathrm{DH}}}\) query \((\xi _i,\xi _j)\), \({\mathsf{B}}\) calculates \(p_{\tau _0+1}\leftarrow p_i \cdot p_j\). If \(p_{\tau _0+1}=p_l\) for some \(l \le \tau _0\), then \({\mathsf{B}}\) sets \(\xi _{\tau _0+1}\leftarrow \xi _l\); otherwise, it sets \(\xi _{\tau _0+1}\) equal to a new random string different from all the previous \(\xi _i\). \({\mathsf{B}}\) also sets \(p^{\prime }_{\tau ^{\prime }+1} \leftarrow p_{\tau _0+1}\), appends \(p^{\prime }_{\tau ^{\prime }+1}\) to \(P^{\prime }\), and increments the counter \(\tau ^{\prime }\). Then, it appends the new pair \((p_{\tau _0+1},\xi _{\tau _0+1})\) to \(L\), replies to \({\mathsf{A}}\)’s query with \(\xi _{\tau _0+1}\), and finally increments the counter \(\tau _0\).

\({\mathsf{A}}\) terminates after at most \(q+q^{\prime }\) queries and returns a guess \(b^{\prime }\).

Now, \({\mathsf{B}}\) chooses \(x_1,\ldots ,x_n,y\stackrel{\mathrm{R}}{\leftarrow }\mathbb{F}_p\) and \(b\stackrel{\mathrm{R}}{\leftarrow }\{0,1\}\), and sets \(y_b\leftarrow f(x_1,\ldots ,x_n)\) and \(y_{1-b}\leftarrow y\). Setting \(X_i=x_i\) for all \(i=1,\ldots ,n\), \(Y_0=y_0\), and \(Y_1=y_1\), we see that \({\mathsf{B}}\)’s interaction provides a perfect simulation for \({\mathsf{A}}\) as long as the values chosen for the random variables do not make any two distinct intermediate polynomials evaluate to the same value. In other words, the simulation is perfect unless for some \(i\) and \(j\) we have one of the following:

  1. \(p_i(x_1,\ldots ,x_n)=p_j(x_1,\ldots ,x_n)\), yet the polynomials \(p_i\) and \(p_j\) are not equal, or

  2. \(q_i(x_1,\ldots ,x_n,y_0,y_1)=q_j(x_1,\ldots ,x_n,y_0,y_1)\), yet the polynomials \(q_i\) and \(q_j\) are not equal.

Let Fail be the event that one of the above conditions holds. We bound the probability of this event.

First, if we set \(Y_b=f(X_1,\ldots ,X_n)\), this does not raise the probability that Fail happens. This is because the above substitution does not create any new equalities between polynomials \(q_i\) and \(q_j\). In general, \(q_i-q_j\) is in the form

$$\begin{aligned}&\sum _{k=1}^{s}{\sum _{l=1}^{s}{a_{k,l}p_kp_l}}+\sum _{k=1}^{s}{\sum _{l=1}^{q^{\prime }}{a^{\prime }_{k,l}p_kp^{\prime }_l}} +\sum _{k=1}^{q^{\prime }}{\sum _{l=1}^{q^{\prime }}{a^{\prime \prime }_{k,l}p^{\prime }_kp^{\prime }_l}}\\&\quad +\sum _{u=1}^{t}{b_uq_u}+cY_0+dY_1. \end{aligned}$$

Let us define

$$\begin{aligned} P^*&= P \parallel P^{\prime }=(p^*_1,\ldots ,p^*_{s+q^{\prime }})\\&= (p_1,\ldots ,p_s,p^{\prime }_1,\ldots ,p^{\prime }_{q^{\prime }}). \end{aligned}$$

Now, we can write \(q_i-q_j\) in the form

$$\begin{aligned} \sum _{k=1}^{s+q^{\prime }}{\sum _{l=1}^{s+q^{\prime }}{a_{k,l}p^*_kp^*_l}}+\sum _{u=1}^{t}{b_uq_u}+cY_0+dY_1. \end{aligned}$$

Hence, if the substitution \(Y_b=f(X_1,\ldots ,X_n)\) did create a new equality, then \(q_i-q_j\), which is of the above form, would be a nonzero polynomial that setting \(Y_b=f(X_1,\ldots ,X_n)\) makes zero. Thus, \(f\) would be dependent on \((P \parallel P^{\prime },Q)\), which is a contradiction.

Now that we have made the substitution \(Y_b=f(X_1,\ldots ,X_n)\), our polynomials are only in \(X_1,\ldots ,X_n\) and \(Y_{1-b}\). The maximum degree of any polynomial of the form \(p_i-p_j\) or \(q_i-q_j\) is \(\max (2d_P,2d_{P^{\prime }},d_Q,d_f)=\max (2d_{P^{\prime }},d)\). Hence, for each pair \((i,j)\), the probability that a random assignment of the random variables is a root of one of the above polynomials is at most \(\max (2d_{P^{\prime }},d)/p\). Since there are at most \(2\binom{q+q^{\prime }+\ell +2}{2}\) pairs \((p_i,p_j)\) and \((q_i,q_j)\) in total, we have

$$\begin{aligned} \Pr [\textsc {Fail}]&\le \binom{q+q^{\prime }+\ell +2}{2}\cdot \frac{2\max (2d_{P^{\prime }},d)}{p} \\&\le \frac{(q+q^{\prime }+\ell +2)^2\max (2d_{P^{\prime }},d)}{p}. \end{aligned}$$

Now, we would like to bound \({\mathsf{A}}\)’s success probability, i.e., \(|\Pr [b=b^{\prime }]-\frac{1}{2}|\). We know that

$$\begin{aligned} \Pr [b=b^{\prime }]&= \Pr [b=b^{\prime }|\textsc {Fail}]\cdot \Pr [\textsc {Fail}]\\&\quad +\Pr [b=b^{\prime }|\lnot \textsc {Fail}]\cdot \Pr [\lnot \textsc {Fail}]. \end{aligned}$$

If Fail does not happen, then \({\mathsf{B}}\)’s simulation is perfect. In this case, since \(b\) is chosen after the simulation ends, \(\Pr [b=b^{\prime }|\lnot \textsc {Fail}]=\frac{1}{2}\). Substituting this and \(\Pr [\lnot \textsc {Fail}]=1-\Pr [\textsc {Fail}]\) in the above equation, we get the following after rearrangement:

$$\begin{aligned} \Pr [b=b^{\prime }]-\frac{1}{2}= (\Pr [b=b^{\prime }|\textsc {Fail}]-\frac{1}{2})\cdot \Pr [\textsc {Fail}]. \end{aligned}$$

Hence, we have

$$\begin{aligned} \left|\Pr [b=b^{\prime }]-\frac{1}{2}\right| = \left|\Pr [b=b^{\prime }|\textsc {Fail}]-\frac{1}{2}\right|\cdot \Pr [\textsc {Fail}] \le \frac{1}{2} \Pr [\textsc {Fail}], \end{aligned}$$

which gives us the claimed bound and finishes the proof. \(\square \)   
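The bookkeeping algorithm \({\mathsf{B}}\) of this proof, implemented in Python as an added illustration (this is not the paper's code): group elements are random bit strings, and \({\mathsf{B}}\) tracks the polynomials behind them in \(L\), \(L_{\mathrm{T}}\) and \(P^{\prime }\), answering group-operation, pairing and \({\fancyscript{O}_{g,e}^\mathrm{DH}}\) queries symbolically. The constructed instance \(P=(1,X_1,X_2,X_3)\), \(Q=()\), \(f=X_1X_2X_3\) shows the role of the independence condition: with pairings alone \(f\) is independent of \((P,Q)\) and Fail does not occur, while a single \({\fancyscript{O}_{g,e}^\mathrm{DH}}\) query makes \(f\) dependent on \((P \parallel P^{\prime },Q)\), so the substitution \(Y_b=f\) turns two formally distinct polynomials in \(L_{\mathrm{T}}\) into equal values and Fail fires.

```python
import secrets
from collections import defaultdict

P = (1 << 61) - 1   # constructed: a prime standing in for the group order p
M = 32              # bit length m of the random encodings

# Polynomial over F_p in X_1..X_n, Y_0, Y_1: dict {exponent tuple (n+2 entries): coeff}.
def var(i, nv):
    return {tuple(1 if j == i else 0 for j in range(nv)): 1}

def padd(a, b, sign=1):
    out = dict(a)
    for m, c in b.items():
        out[m] = (out.get(m, 0) + sign * c) % P
    return {m: c for m, c in out.items() if c}

def pmul(a, b):
    out = defaultdict(int)
    for ma, ca in a.items():
        for mb, cb in b.items():
            m = tuple(x + y for x, y in zip(ma, mb))
            out[m] = (out[m] + ca * cb) % P
    return {m: c for m, c in out.items() if c}

def peval(a, point):
    total = 0
    for m, c in a.items():
        for e, x in zip(m, point):
            c = c * pow(x, e, P) % P
        total = (total + c) % P
    return total

def key(a):                      # canonical form, for polynomial equality
    return tuple(sorted(a.items()))

class GenericBilinearSim:
    # Algorithm B of Theorem 5: A only ever sees random strings, and B answers
    # its queries by bookkeeping polynomials in L (for G) and LT (for G_T).
    def __init__(self, P_polys, Q_polys, nv):
        self.nv = nv
        self.L, self.LT = {}, {}     # encoding -> polynomial
        self.P_prime = []            # polynomials handed out by the O^DH oracle
        self.P_enc = [self._add(self.L, p) for p in P_polys]
        self.Q_enc = [self._add(self.LT, q) for q in Q_polys]
        # the challenge values t_0, t_1 are the fresh variables Y_0, Y_1
        self.t_enc = [self._add(self.LT, var(nv - 2, nv)),
                      self._add(self.LT, var(nv - 1, nv))]

    def _add(self, lst, poly):
        k = key(poly)
        for enc, q in lst.items():   # a polynomial seen before keeps its string
            if key(q) == k:
                return enc
        enc = secrets.randbits(M)
        while enc in lst:            # otherwise a fresh, distinct random string
            enc = secrets.randbits(M)
        lst[enc] = poly
        return enc

    def op(self, lst, e1, e2, divide=False):   # group operation in G (L) or G_T (LT)
        return self._add(lst, padd(lst[e1], lst[e2], -1 if divide else 1))

    def pair(self, e1, e2):                    # e(., .): the product lands in LT
        return self._add(self.LT, pmul(self.L[e1], self.L[e2]))

    def odh(self, e1, e2):
        # O^DH_{g,e}(x1, x2) = y with e(x1, x2) = e(g, y): the product lands in G
        prod = pmul(self.L[e1], self.L[e2])
        self.P_prime.append(prod)
        return self._add(self.L, prod)

    def fail(self, f, b):
        # Event Fail with Y_b := f(X) substituted: two distinct polynomials agreeing at a random point
        xs = [secrets.randbelow(P) for _ in range(self.nv - 2)]
        fx, y = peval(f, xs + [0, 0]), secrets.randbelow(P)
        point = xs + ([fx, y] if b == 0 else [y, fx])
        for lst in (self.L, self.LT):
            seen = {}
            for poly in lst.values():
                v = peval(poly, point)
                if v in seen and seen[v] != key(poly):
                    return True
                seen[v] = key(poly)
        return False

def demo(use_odh):
    # Constructed instance P = (1, X1, X2, X3), Q = (), f = X1*X2*X3.  Pairings
    # reach degree 2 only, so without O^DH f is independent of (P, Q); one O^DH
    # query puts X1*X2 into P', and e(odh(g1, g2), g3) reaches f in G_T.
    nv = 5
    one, x1, x2, x3 = {(0,) * nv: 1}, var(0, nv), var(1, nv), var(2, nv)
    f = pmul(pmul(x1, x2), x3)
    sim = GenericBilinearSim([one, x1, x2, x3], [], nv)
    g, g1, g2, g3 = sim.P_enc
    if use_odh:
        sim.pair(sim.odh(g1, g2), g3)
    else:
        sim.op(sim.LT, sim.pair(g1, g2), sim.pair(g3, g))
    return sim.fail(f, b=0)
```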

Appendix C: Proof of Theorem 3

Proof

Let \(d_P\) be the maximum degree of the polynomials in \(P\). We consider a random encoding \(\xi :\mathbb{Z}_p^+\mapsto \{0,1\}^m\) and write \(\mathbb{G}=\{\xi (x)\,|\,x\in \mathbb{Z}_p^+\}\).

Given an algorithm \({\mathsf{A}}\), we construct the extractor \({\mathsf{E}}\) as follows. \({\mathsf{E}}\) maintains a list \(L\) of pairs \((p_i,\xi _i)\), initialized with pairs containing the elements of \(P\) and random strings, respectively, as the first and second elements.

\({\mathsf{E}}\) runs \({\mathsf{A}}\) on input \((\xi _i)_{i=1}^{s}\). Any group operation query \((\xi _i,\xi _j)\) is responded by computing \(p_i+p_j\) and checking whether the resulting polynomial already exists in the list. If it does, \({\mathsf{E}}\) returns the corresponding encoding, and if not, it chooses a new random string as the encoding to be returned, and adds \(p_i+p_j\) and the encoding to the list \(L\).

When \({\mathsf{A}}\) terminates and returns \((\xi _i,\xi _j)\) as its output, \({\mathsf{E}}\) finds the corresponding polynomial pair \((p_i,p_j)\). If \(p_j \ne p_i q\), \({\mathsf{E}}\) outputs \(\perp \). Otherwise, let \(\{r_k\}_{k=1}^{t}\) be defined as above. \({\mathsf{E}}\) decomposes \(p_i\) as a linear combination of \(\{r_k\}_{k=1}^{t}\), that is, it finds coefficients \((b_k)_{k=1}^{t}\) such that \(p_i = \sum _{k=1}^{t}{b_k r_k}\) and outputs \((b_k)_{k=1}^{t}\).

Assume that \({\mathsf{A}}\) asks \(\sigma \) queries. \({\mathsf{E}}\)’s list contains \(s+\sigma \) pairs at the end of the execution of \({\mathsf{A}}\). All the polynomials in this list are in \({\mathrm{Span}}(P)\). Since both \(p_i\) and \(p_j\) are in \({\mathrm{Span}}(P)\), if \(p_j = p_i q\), then \(p_i \in V_q\), and hence \(p_i\) can be written as a linear combination of \(\{r_k\}_{k=1}^{t}\). Furthermore, the discrete logarithm of \({\mathsf{A}}\)’s first output \(\xi _i\) is equal to \(p_i(x_1,\ldots ,x_n)\), which in turn equals \(\sum _{k=1}^{t}{b_k r_k(x_1,\ldots ,x_n)}\). Therefore, \({\mathsf{E}}\) succeeds if its simulation of \({\mathsf{A}}\)’s environment is perfect and \(p_j = p_i q\).

Note that if \({\mathsf{A}}\)’s environment is simulated perfectly, then it outputs a pair for which we have \(p_j(x_1,\ldots ,x_n)=p_i(x_1,\ldots ,x_n)q(x_1,\ldots ,x_n)\), but not necessarily \(p_j = p_i q\).

Let Fail be the event that \({\mathsf{E}}\) fails. Based on the above discussion, \({\mathsf{E}}\) fails either if it fails to simulate \({\mathsf{A}}\)’s environment perfectly, or if \(p_j \ne p_i q\) but \(p_j(x_1,\ldots ,x_n)=p_i(x_1,\ldots ,x_n)q(x_1,\ldots ,x_n)\). \({\mathsf{E}}\)’s simulation of the environment for \({\mathsf{A}}\) is perfect unless the random values \((x_1,\ldots ,x_n)\) result in some equality between the values of distinct polynomials in \(L\). Hence, if we add \(p_i q\) as polynomial number \(s+\sigma +1\) to the list \(L\), \({\mathsf{E}}\)’s overall probability of failure is bounded by the probability that the random values \((x_1,\ldots ,x_n)\) result in some equality between the values of distinct polynomials in the augmented list of \(s+\sigma +1\) polynomials. Hence, we have:

$$\begin{aligned} \Pr [\textsc {Fail}] \le \binom{s+\sigma +1}{2}\frac{d_P}{p} \le \frac{(s+\sigma +1)^2 d_P}{p}, \end{aligned}$$

and the proof is complete. \(\square \)

The above proof is in the plain generic group model. It is easy to extend the proof to the bilinear generic group model. Furthermore, one can see that the proof still works (with some natural modifications) in the model where the adversary is allowed to query the oracles on any encoding, rather than only those it has received before (either as input or as responses to previous oracle queries).

Another point to note is that, in the bilinear group model, any input to the adversary in the target group can be disregarded and hence does not change the assumption.

Appendix D: Proof of Theorem 4

Proof

We make our proof in two stages.

Stage 1: First, we prove that if \({\mathsf{H}}\) is a UOWHF, then the following specific assumption is an instance of the OBDHE assumption as per our definition in Sect. 6.1: let \({{\fancyscript{O}_{g,e}^\mathrm{DH}}}\) be an oracle that, given \((x_1,x_2)\), outputs \(y\) such that \(e(x_1,x_2)=e(g,y)\). Given the following quantities:

$$\begin{aligned} g,\ h,\ \{g_k=g^{\alpha ^k}\}_{k \in \{1,\ldots ,2n\} \setminus \{n+1\}},\ v, \end{aligned}$$

and oracle access to \({{\fancyscript{O}_{g,e}^\mathrm{DH}}}\), it is hard to distinguish \(e(g^{\alpha ^{n+1}},h)\) from a random value if the queries to \({{\fancyscript{O}_{g,e}^\mathrm{DH}}}\) are restricted to the following, where \(C \cap S = \varnothing \):

$$\begin{aligned} \begin{array}{l} \text{(1)}\ |C|\ \text{ queries}\ \{{{\fancyscript{O}_{g,e}^\mathrm{DH}}}(g_k,v)\}_{k \in C},\ \text{ and} \\ \text{(2)} \text{ one} \text{ query}\ {{\fancyscript{O}_{g,e}^\mathrm{DH}}}(w,h),\ \text{ where}\ w=v g_1^{{\mathsf{H}}_{\kappa }(h)} \displaystyle \prod _{j \in S}{g_{n+1-j}}. \end{array} \end{aligned}$$

Consider the hash function \({\mathsf{H}}_{\kappa }:\mathbb{G}\mapsto \mathbb{Z}_p\) and define the function \(\mu (h)=h^{{\mathsf{H}}_{\kappa }(h)}\). In the generic group model, the input to \({\mathsf{H}}_{\kappa }\) is an encoding representing \(h\), which is considered to be an encoding that may be chosen independently of \(h\). Therefore, we may assume \({\mathsf{H}}_{\kappa }(h)\) independent of \(h\). Of course this is true only if the sole way to calculate \(\mu (h)\) is through computing \({\mathsf{H}}_{\kappa }(h)\) first and then raising \(h\) to the power of the hash output. Otherwise, if \(\mu (h)\) can be computed through group operations, without computing \({\mathsf{H}}_{\kappa }(h)\) separately, then the encoding of \(h\) cannot be chosen independently of \(h\). For a “good” hash function, we may assume that \(\mu (h)\) cannot be computed through group operations, without computing \({\mathsf{H}}_{\kappa }(h)\) separately.

To be more precise, consider Theorem 5 and its presented proof in “Appendix B.” Assume that \(P\) also includes an extra element which is the product of a polynomial and the function \(\eta (y)={\mathsf{H}}_{\kappa }(g^y)\). Now, if the encoding of \(h=g^y\) is chosen independently of \(h\), the proof will still work, i.e., \(\Pr[\textsc{Fail}]\) can be shown to be upper-bounded by a negligible bound, unless for some considerable portion of possible \(y\)’s, we have \(\rho _1(y)\eta ^2(y)+\rho _2(y)\eta (y)+\rho _3(y)=0\), where \(\rho _1,\,\rho _2\), and \(\rho _3\) are polynomials of degree at most \(\max (2d_{P^{\prime }},d)\). This condition implies that \(\eta (y)\) can be calculated for some considerable portion of possible \(y\)’s by solving the above equation.

Formally, let us define a \(\delta\)-good hash family as follows: We say a hash family \({\mathsf{H}}_{\kappa }:\mathbb{G}\mapsto \mathbb{Z}_p\) indexed by \({\kappa }\) is \(\delta\)-good if for a random \({\kappa }\), there do not exist polynomials \(\rho _1,\,\rho _2\), and \(\rho _3\) of degree at most \(\delta \) such that for a non-negligible portion of possible \(y\)’s, we have: \(\rho _1(y)\ {\mathsf{H}}_{\kappa }^2(g^y)+\rho _2(y)\ {\mathsf{H}}_{\kappa }(g^y)+\rho _3(y)=0\). Now, since \(\max (2d_{P^{\prime }},d)=4n\), we conclude that if \({\mathsf{H}}\) is at least \(4n\)-good, then its output can be considered independent of the encoding of its input, and hence we may treat it as a constant.

Now, assume that for a given random \({\kappa }\) and \(Y\), we wish to find a pre-image \(X\), such that \({\mathsf{H}}_{\kappa }(X)=Y\). Assume \(X=g^x\). If \({\mathsf{H}}\) is not a \(\delta \)-good hash family, then for a random \({\kappa }\) there exist polynomials \(\rho _1,\,\rho _2\), and \(\rho _3\) of degree at most \(\delta \) such that with a non-negligible probability: \(\rho _1(x)\ Y^2+\rho _2(x)\ Y+\rho _3(x)=0\). This is a polynomial in \(x\) of degree at most \(\delta \), and its roots can be found in time which is polynomial in \(\delta \) and \(\log p\) [4, 39]. For each root \(x\), one can check whether \({\mathsf{H}}_{\kappa }(g^x)=Y\) and find the pre-image \(X\) with at most \(\delta \) checks. Hence, if \({\mathsf{H}}\) is not a \(\delta \)-good hash family, then it is not a pre-image resistant (a.k.a. one-way) hash function. Since UOWHF implies pre-image resistance, we have the following lemma:

Lemma 1

Let \({\mathsf{H}}_{\kappa }:\mathbb{G}\mapsto \mathbb{Z}_p\) be a hash function for which \(p\) is super-polynomial in \(k\). If \({\mathsf{H}}\) is a universal one-way hash function, then it is \(\delta \)-good (as per our definition above) for all \(\delta \) polynomial in \(k\).

Hence, if \({\mathsf{H}}\) is a UOWHF, then the following claim proves that the specific assumption above is an OBDHE assumption as per our definition in Sect. 6.1, in which the output of \({\mathsf{H}}\) is treated as a constant. Note that alternatively one may make the stronger assumption that \({\mathsf{H}}\) is modeled as a non-programmable random oracle [9, 29]. Also note that since the system is defined for \(n-1\) users, \(S\) and \(C\) are subsets of \(\{1,\ldots ,n-1\}\).

Claim

For the following polynomials and \(S,C\subseteq \{1,\ldots ,n-1\}\), and for any constant \({\mathrm{c}}\), \(f\) is independent of \((P \parallel P^{\prime },Q)\) if \(C \cap S = \varnothing \).

$$\begin{aligned}&P = (\ 1,\ y,\ \{x^k\}_{k \in \{1,\ldots ,2n\} \setminus \{n+1\}},\ z,\\&\eta ,\ zy+{\mathrm{c}}xy+y\displaystyle \sum _{j \in S}{x^{n+1-j}}\ ), \\&P^{\prime }= \{zx^i\}_{i \in C}, \quad \quad Q = (1), \quad \quad \text{ and}\quad \quad f=yx^{n+1}. \end{aligned}$$

Proof

We have at most one multiplication of polynomials at our disposal. Let us define

$$\begin{aligned} \begin{array}{l} P_x=\{x^k\}_{k \in \{1,\ldots ,2n\} \setminus \{n+1\}}, \quad P_{zx}=\{zx^i\}_{i \in C}, \quad \text{ and} \\ P_{yx}=P_{yz}=zy+{\mathrm{c}}xy+y\displaystyle \sum _{j \in S}{x^{n+1-j}}. \end{array} \end{aligned}$$

To make \(f=yx^{n+1}\), since there is a \(y\) factor, one of our multiplicands needs to be either \(y\) or \(P_{yx}\). Choosing \(y\) will not help because we do not have an \(x^{n+1}\) to make \(f\), so one of our multiplicands is definitely \(P_{yx}\). The only choice for a second multiplicand that can give us \(f\) is one from \(P_x\). Multiplying these terms gives us terms of the form \(zyx^i+{\mathrm{c}}yx^{i+1}+y\sum _{j \in S}{x^{n+1-j+i}}\), which includes \(yx^{n+1}\) if \(i \in S\), but then we have to be able to produce the term \(zyx^i\) for some \(i \in S\) to be able to cancel it out.

To get \(zyx^i\), using only two multiplicands, we have the following four possibilities:

  • use \(y\) and \(zx^i\) to get \(yzx^i\) for some \( i \in C\), but since \(C \cap S = \varnothing \) we cannot get \(yzx^i\) for any \(i \in S\).

  • use \(x^i\) and \(P_{yz}\) again, but this cancels out our desired term \(yx^{n+1}\) as well since we have to use the same \(i\).

  • use \(z\) and \(P_{yx}\) to get \(z^2y+{\mathrm{c}}xyz+zy\sum _{j \in S}{x^{n+1-j}}\), which includes \(zyx^i\) if \(n+1-i \in S\) or if \(i=1\), but then, in either case, we have to cancel \(z^2y\) and the only way to get \(z^2y\) is to use the same terms again which cancels our desired term \(zyx^i\) as well.

  • use \(P_{zx}\) and \(P_{yx}\) to get \(z^2x^ky+{\mathrm{c}}x^{k+1}yz+zy\sum _{j \in S}{x^{n+1-j+k}}\), which includes \(zyx^i\) if \(n+1-i+k \in S\) or if \(k+1=i\), but then, in either case, we have to cancel \(z^2x^ky\) and the only way to get \(z^2x^ky\) is to use the same terms again with the same \(k\) which cancels our desired term \(zyx^i\) as well.

Hence, \(f\) is independent of \((P \parallel P^{\prime },Q)\) and the proof of Claim 7 is complete. \(\square \)
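As an added check that is not part of the paper, the following Python script (using sympy) tests the Claim on a small constructed instance, n = 3 with c = 7 standing in for the hash output, under the dependence notion the proof uses: f is dependent if it equals a linear combination of pairwise products of elements of P ‖ P' plus the terms of Q. It goes one step beyond the text by also running an overlapping case C ∩ S ≠ ∅, where f becomes dependent, to show why disjointness is needed.

```python
from itertools import combinations_with_replacement
import sympy as sp

# Formal variables of the Claim (eta stands for the hash output treated as a constant input)
x, y, z, eta = sp.symbols("x y z eta")
VARS = (x, y, z, eta)


def claim_instance(n, S, C, c):
    """P, P' and Q exactly as listed in the Claim, for the given S, C and hash constant c."""
    P = [sp.Integer(1), y, z, eta]
    P += [x**k for k in range(1, 2 * n + 1) if k != n + 1]
    P.append(z * y + c * x * y + y * sum(x**(n + 1 - j) for j in S))
    P_prime = [z * x**i for i in C]
    Q = [sp.Integer(1)]
    f = y * x**(n + 1)
    return P, P_prime, Q, f


def is_dependent(f, P, P_prime, Q):
    """True iff f = sum a_ij p_i p_j + sum b_k q_k for rational a_ij, b_k
    (one multiplication between elements of P || P', plus the terms of Q)."""
    gens = [sp.expand(a * b) for a, b in combinations_with_replacement(P + P_prime, 2)]
    gens += list(Q)
    polys = [sp.Poly(g, *VARS) for g in gens + [f]]
    # One column per monomial occurring anywhere; each polynomial becomes a row vector
    monoms = sorted({m for p in polys for m in p.monoms()})
    col = {m: k for k, m in enumerate(monoms)}

    def row(p):
        v = [0] * len(monoms)
        for m, coeff in p.terms():
            v[col[m]] = coeff
        return v

    M = sp.Matrix([row(p) for p in polys[:-1]])   # rows = all admissible products
    target = sp.Matrix([row(polys[-1])])          # the row for f
    # f lies in the span iff appending its row does not increase the rank
    return M.rank() == M.col_join(target).rank()


def claim_holds(n, S, C, c=7):
    """True iff f = y x^{n+1} is independent of (P || P', Q) for this instance."""
    P, P_prime, Q, f = claim_instance(n, S, C, c)
    return not is_dependent(f, P, P_prime, Q)


if __name__ == "__main__":
    # n = 3, so S, C are subsets of {1, 2}; c = 7 is a constructed stand-in for H(h)
    print(claim_holds(3, S={1}, C={2}))   # disjoint sets: independent
    print(claim_holds(3, S={1}, C={1}))   # overlap: f = P_yx*x - y*zx - c*y*x^2, dependent
```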

Stage 2: Now that we have proved our specific assumption is an OBDHE assumption, we prove that under this assumption, the GKEA assumption, and the UOWHF assumption, OurBE is adaptive CCA secure.

Let \({\mathsf{A}}\) be an adaptive CCA adversary for OurBE. We construct an adversary \({\mathsf{B}}\) that successfully breaks our specific assumption, if \({\mathsf{A}}\) is successful in its attack against OurBE, the GKEA assumption holds, and \({\mathsf{H}}\) is a UOWHF.

First of all, note that, based on Lemma 1 and a discussion similar to that of Stage 1, as long as \({\mathsf{H}}_{\kappa }\) is a UOWHF, it can be indistinguishably simulated independently of its input in the generic group model, and hence hashed values can be considered constant for this proof. Jumping ahead, we treat \({\mathrm{c}}={\mathsf{H}}_{\kappa }(C_0)\) and \({\mathrm{c}}^*={\mathsf{H}}_{\kappa }(C_0^*)\) as constant coefficients for polynomials.

Let \({\mathsf{B}}\) be given the following quantities:

$$\begin{aligned} g,\ h,\ \{g_k=g^{\alpha ^k}\}_{k \in \{1,\ldots ,2n\} \setminus \{n+1\}},\ v,\ T, \end{aligned}$$

and (restricted) oracle access to \({{\fancyscript{O}_{g,e}^\mathrm{DH}}}\) as specified by the assumption. It is supposed to distinguish whether \(T=e(g^{\alpha ^{n+1}},h)\) or \(T\) is random. As a UOWHF adversary, \({\mathsf{B}}\) gives out \(h\) as the first message on which it wishes to be challenged and receives a key \({\kappa }\) for the hash function. \({\mathsf{B}}\) runs \({\mathsf{A}}\) on input \({\textit{EK}}=(g,v,{\kappa })\).

On a join query for user \(i\) made by the adversary, \({\mathsf{B}}\) gives \(pk_i=(g_i,g_{n+1-i},g_{n+1+i})\) to \({\mathsf{A}}\).

On any private-key query for user \(i\) made by \({\mathsf{A}},\,{\mathsf{B}}\) queries the oracle \({{\fancyscript{O}_{g,e}^\mathrm{DH}}}(g_i,v)\) and gives the oracle output to \({\mathsf{A}}\). Note that if we assume \(v=g^\gamma \), then the oracle output is equal to \(g_i^\gamma \).

On a decryption oracle query \((i,S,H)\), where \(H=(C_0,C_1),\,{\mathsf{B}}\) first checks the ciphertext validity. If the ciphertext is invalid, it replies with \(\perp \). Let \({\mathrm{c}}={\mathsf{H}}_{\kappa }(C_0)\). If the ciphertext is valid, then it is in the following form:

$$\begin{aligned} H=(C_0,C_0^q), \quad \quad \text{ where}\quad q=\gamma +{\mathrm{c}}\alpha +\sum _{j\in S}{\alpha ^{n+1-j}}. \end{aligned}$$
(3)

Let us assume, without loss of generality, that all the potential \(n-1\) users have joined. Let \(C\) denote the set of users corrupted by \({\mathsf{A}}\) and \(N^*=\{1,\ldots ,2n\}\setminus \{n+1\}\). Now, \({\mathsf{A}}\) can be viewed as an algorithm that on input \(g,\,v,\,{\kappa },\,\{g_i\}_{i\in N^*}\), and \(\{d_i\}_{i\in C}\) outputs \(H=(C_0,C_0^q)\) as above. Note that the input to \({\mathsf{A}}\) (excluding \({\kappa }\notin \mathbb{G}\)) can be written as follows:

$$\begin{aligned} g^P, \quad \quad \text{ where}\quad P=(\ 1,\ \gamma ,\ \{\alpha ^i\}_{i\in N^*},\ \{\gamma \alpha ^i\}_{i\in C}\ ). \end{aligned}$$

To apply the GKEA assumption, note that here \({\mathrm{Span}}(P)\) includes all the elements of the following form:

$$\begin{aligned}&\rho =u+x\gamma +\sum _{i\in N^*}{y_i\alpha ^i}+\gamma \sum _{i\in C}{z_i\alpha ^i},\nonumber \\&\text{ for} \text{ random}\ u, x, y_i, z_i. \end{aligned}$$
(4)

Consider \(\rho q\) for some \(\rho \) and the \(q\) defined above, respectively, in Eqs. 3 and 4. For \(\rho q\) to be in \({\mathrm{Span}}(P)\), we should have \(x=0\) and \(\forall i\in C: z_i=0\) because otherwise \(\rho q\) will have either the factor \(x\gamma ^2\) or \(z_i\gamma ^2\alpha ^i\) for some \(i\) and would not fall in \({\mathrm{Span}}(P)\). Hence, any \(\rho \) satisfying \(\rho q \in {\mathrm{Span}}(P)\) should be in the form

$$\begin{aligned} \rho =u+\sum _{i\in N^*}{y_i\alpha ^i}, \quad \quad \text{ for} \text{ random}\ u, y_i. \end{aligned}$$
(5)

A basis for such a subspace is the set \(\{1,\{\alpha ^i\}_{i\in N^*}\}\). Therefore, the GKEA assumption guarantees that there exists an extractor that outputs the values \(\{\beta ,\{b_i\}_{i\in N^*}\}\) such that

$$\begin{aligned} C_0=g^{\beta +\displaystyle \sum _{i\in N^*}{b_i\alpha ^i}}=g^{\beta }\prod _{i\in N^*}{g_i^{b_i}}. \end{aligned}$$

Now, note that \(K=e(g_{n+1},C_0)\). Hence, the session key can be calculated based on the known representation of \(C_0\) in terms of \(g\) and \(g_i\), e.g., as follows:

$$\begin{aligned} K&= e(g_{n+1},g^{\beta }\prod _{i\in N^*}{g_i^{b_i}})= e(g_{n+1},g)^{\beta } \prod _{i\in N^*}{e(g_{n+1},g_i)^{b_i}} \\&= e(g_n,g_1)^{\beta } e(g_{2n},g_1)^{b_n} e(g_{n+2},g_{2n-1})^{b_{2n}}\\&\quad \prod _{i\in N^*\setminus \{n,2n\}}{e(g_n,g_{i+1})^{b_i}}. \end{aligned}$$
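To make the index bookkeeping above concrete, here is an added Python model (not from the paper) in which group elements are represented by their exponents modulo a constructed prime and the pairing by exponent multiplication. The simulator view holds only \(g_k\) for \(k \in N^*\), derives \(K\) through the rewriting above, and the result is checked against \(e(g_{n+1},C_0)\) computed directly; the prime, \(\alpha\), \(\beta\) and the \(b_i\) are constructed values.

```python
# Constructed toy model: a group element g^a is represented by a mod P_MOD, the pairing
# e(g^a, g^b) by a*b mod P_MOD, and target-group multiplication/exponentiation by
# addition/multiplication of exponents. P_MOD is a constructed prime, not a paper parameter.
P_MOD = 1_000_003


class SimulatorView:
    """The g_k that B actually holds: k in N* = {1..2n} \\ {n+1} only."""

    def __init__(self, n, alpha):
        self.n = n
        self.n_star = [k for k in range(1, 2 * n + 1) if k != n + 1]
        self._g = {k: pow(alpha, k, P_MOD) for k in self.n_star}

    def g(self, k):
        if k not in self._g:        # g_{n+1} (or an out-of-range index) is never available
            raise KeyError(f"g_{k} is not part of the simulator's input")
        return self._g[k]

    @staticmethod
    def e(a, b):                    # toy pairing on exponents
        return (a * b) % P_MOD


def session_key_without_g_n1(view, beta, b):
    """K = e(g_{n+1}, C_0) computed only from g_k, k in N*, as in the proof of Theorem 4.
    `b` maps each i in N* to the extractor's coefficient b_i.
    The rewriting needs n >= 3: for n = 2, e(g_{n+2}, g_{2n-1}) would require g_{n+1}."""
    n = view.n
    K = view.e(view.g(n), view.g(1)) * beta                    # e(g_{n+1}, g)^beta
    K += view.e(view.g(2 * n), view.g(1)) * b[n]               # e(g_{n+1}, g_n)^{b_n}
    K += view.e(view.g(n + 2), view.g(2 * n - 1)) * b[2 * n]   # e(g_{n+1}, g_{2n})^{b_{2n}}
    for i in view.n_star:
        if i not in (n, 2 * n):
            K += view.e(view.g(n), view.g(i + 1)) * b[i]       # e(g_{n+1}, g_i)^{b_i}
    return K % P_MOD


def session_key_direct(n, alpha, beta, b):
    """Reference: e(g_{n+1}, C_0) with C_0 = g^{beta + sum_i b_i alpha^i}, using g_{n+1}."""
    n_star = [k for k in range(1, 2 * n + 1) if k != n + 1]
    t = (beta + sum(b[i] * pow(alpha, i, P_MOD) for i in n_star)) % P_MOD
    return (pow(alpha, n + 1, P_MOD) * t) % P_MOD


def demo(n=3, alpha=123457, beta=42):
    """True iff the simulator's rewriting agrees with the direct computation."""
    view = SimulatorView(n, alpha)
    b = {i: (17 * i + 5) % P_MOD for i in view.n_star}        # constructed coefficients
    return session_key_without_g_n1(view, beta, b) == session_key_direct(n, alpha, beta, b)


if __name__ == "__main__":
    print(demo())
```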

At some point, the adversary \({\mathsf{A}}\) terminates the first query phase and outputs a set \(S^*\) on which it wants to be challenged. \({\mathsf{B}}\) calculates \(w=v g_1^{{\mathsf{H}}_{\kappa }(h)} \prod _{j \in S^*}{g_{n+1-j}}\), makes the oracle query \({{\fancyscript{O}_{g,e}^\mathrm{DH}}}(w,h)\), receives the oracle output \(h^{\prime }\), sets the challenge ciphertext as \(H^*=(C_0^*,C_1^*)=(h,h^{\prime })\), and gives \(H^*\) along with \(K=T\) to \({\mathsf{A}}\). Let \({\mathrm{c}}^*={\mathsf{H}}_{\kappa }(C_0^*)\). Note that Eq. 1 (see page 5) holds, hence \(H^*\) is a valid ciphertext, and \(C_1^*\) should be equal to \(C_0^*\) raised to a power of the following form:

$$\begin{aligned} \gamma +{\mathrm{c}}^*\alpha +\sum _{j\in S^*}{\alpha ^{n+1-j}}. \end{aligned}$$

Furthermore, if \(T=e(g_{n+1},h)\), then \(K\) is the correct key corresponding to the ciphertext \(H^*\), and if \(T\) is random, then \(K\) is a random key.

In the second phase of the attack, \({\mathsf{B}}\) answers \({\mathsf{A}}\)’s join and corruption oracle queries as in the first phase, and \({\mathsf{A}}\)’s decryption oracle queries in a fashion similar to that before the challenge, as follows.

On a decryption oracle query \((i,S,H)\), where \(H=(C_0,C_1),\,{\mathsf{B}}\) first checks its validity, and if valid, it is in the form of Eq. 3.

Now, the input to \({\mathsf{A}}\) can be listed as \(g,\,v,\,{\kappa },\,\{g_i\}_{i\in N^*}\), and \(\{d_i\}_{i\in C}\), plus \(H^*=(C_0^*,C_1^*)\). Let \(C_0^*=g^{t^*}\). The input to \({\mathsf{A}}\) can be written as \(g^P\), where \(P\) is as follows (\({\kappa },\,K_0\), and \(K_1\) can be disregarded as they are not in \(\mathbb{G}\)):

$$\begin{aligned} P&= \left(\ 1,\ \gamma ,\ \{\alpha ^i\}_{i\in N^*},\ \{\gamma \alpha ^i\}_{i\in C},\ t^*,\right.\\&\left.\ t^*\left(\gamma +{\mathrm{c}}^*\alpha +\sum _{j\in S^*}{\alpha ^{n+1-j}}\right)\right). \end{aligned}$$

\({\mathrm{Span}}(P)\) includes all the linear combinations \(\rho \) of the above terms. Similarly, we argue that \(\rho \) cannot include any \(\gamma \) or \(\gamma \alpha ^i\) terms because they would induce \(\gamma ^2\) or \(\gamma ^2\alpha ^i\) terms, respectively, in the product \(\rho q\). Furthermore, \(\rho \) cannot include the last term because it would induce a non-cancelable \(t^*\gamma ^2\) term in the product \(\rho q\). In addition, note that if \(\rho \) includes the term \(t^*\), then \(\rho q\) would include the term

$$\begin{aligned} t^*\left(\gamma +{\mathrm{c}}\alpha +\sum _{j\in S}{\alpha ^{n+1-j}}\right). \end{aligned}$$

The only way a \(\rho \) including this term can be contained in \({\mathrm{Span}}(P)\) is if \({\mathrm{c}}^*={\mathrm{c}}\) (i.e., \({\mathsf{H}}_{\kappa }(C_0^*)={\mathsf{H}}_{\kappa }(C_0)\)) and \(S=S^*\) (note that \(j \le n-1\), so \(n+1-j \ge 2\)), which contradicts \({\mathsf{H}}\) being a UOWHF. Therefore, \(\rho \) cannot include the term \(t^*\), and again \(\rho \) should be in the form of Eq. 5, and hence the session key can be calculated similarly as before.

At the end, \({\mathsf{A}}\) outputs its guess \(b\). \({\mathsf{B}}\) outputs \(b\) as its decision for its received challenge. Based on the above discussion, if \({\mathsf{A}}\) is successful in its adaptive CCA attack, then \({\mathsf{B}}\) is able to either contradict \({\mathsf{H}}\) being a UOWHF or distinguish \(T=e(g_{n+1},h)\) from a random element successfully. Hence, the proof of Theorem 4 is complete. \(\square \)

Cite this article

Phan, DH., Pointcheval, D., Shahandashti, S.F. et al. Adaptive CCA broadcast encryption with constant-size secret keys and ciphertexts. Int. J. Inf. Secur. 12, 251–265 (2013). https://doi.org/10.1007/s10207-013-0190-0
