Cryptography Reference
In-Depth Information
Summing the differences between the above games, we can conclude that $|\Pr[\mathrm{Real}_{A}(\kappa)=1] - \Pr[\mathrm{Ideal}_{A}(\kappa)=1]| \le O(2^{-\kappa})$.
Lemma 1. $|\Pr[\text{Game 2}=1] - \Pr[\text{Game 1}=1]| \le O(2^{-\kappa})$ holds based on the $l$-SDH assumption.
Proof. If Game 1 and Game 2 are distinguishable, then we can construct a forger $A$ who can break the existential unforgeability under chosen-message attack of the credential signature scheme [2].
The challenger of the credential signature scheme first generates the system parameters and sends the public parameters to $A$. Then $A$ can make signature queries to the challenger. Here we let $A$ make queries for the messages in $\Omega$, where $|\Omega| = l$. Simultaneously, $A$ runs a server and plays Game 2 with the user.
In the transfer phase, $A$ extracts the $(id, \omega_i, cred_i)$ from the zero-knowledge proof conducted with the user. If Game 1 and Game 2 are distinguishable, then it means that $A$ can extract at least one credential $(a, cred_a)$ where $a \in \omega_i$ but $a \notin \Omega$. Finally, $A$ outputs $(a, cred_a)$ to the challenger as a forgery. Since the credential signature scheme has been proved to be existentially unforgeable under chosen-message attack under the $l$-SDH assumption, we obtain the conclusion of Lemma 1.
Lemma 2. (Indistinguishability of Ciphertexts) $|\Pr[\text{Game 4}=1] - \Pr[\text{Game 3}=1]| \le O(2^{-\kappa})$ if the underlying blind ABE is IND-sAtt-CPA secure and leak-free and the PoK$_1$ of $sk_{DB}$ is zero-knowledge.
Proof. If a PPT distinguisher $D$ can distinguish Game 3 and Game 4 with a non-negligible probability, then we can construct an adversary $A$ that wins the IND-sAtt-CPA game against the blind ABE with the same probability. We use a hybrid proof as follows.
We define a series of hybrids such that $\text{Hybrid}_0 = \text{Game 3}$ and $\text{Hybrid}_N = \text{Game 4}$. $\text{Hybrid}_{j-1}$ and $\text{Hybrid}_j$ only differ in the distribution of the $j$-th ciphertext vector, where $1 \le j \le N$. If Game 3 and Game 4 can be distinguished by $D$, then there must exist a $j$ such that $D$ can distinguish $\text{Hybrid}_{j-1}$ and $\text{Hybrid}_j$. We construct $A$ as follows.
$A$ outputs $\tau^* = \tau_j$. It runs $D$ and conducts the protocol with $\hat{R}$ as in Game 3. Then $A$ selects a random message $m^*$ from the message space, outputs $(m_j, m^*)$ to the challenger and obtains a challenge ciphertext $C^*$. Then it constructs a ciphertext vector $(C_1, \ldots, C_N)$ as in Game 3, except that at the $j$-th position it sets $C_j \leftarrow C^*$.
When the distinguisher $D$ returns a bit $b$, the adversary $A$ returns $b$ to the challenger as its answer.
In addition, since the PoK of $sk_{DB}$ is zero-knowledge and the blind ABE scheme is leak-free, the distinguisher clearly cannot distinguish the two games.
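The step from "Game 3 and Game 4 can be distinguished" to "some adjacent pair of hybrids can be distinguished" is the triangle inequality applied to a telescoping sum. The derivation below is an added illustration, not part of the original proof; $\epsilon$ (the advantage of $D$) and $\delta$ (a bound on each adjacent gap) are notation introduced here, and $N$ is assumed to be polynomial in $\kappa$.
$$\epsilon = \left|\Pr[\text{Game 4}=1] - \Pr[\text{Game 3}=1]\right| = \left|\Pr[\text{Hybrid}_N=1] - \Pr[\text{Hybrid}_0=1]\right|$$
$$= \left|\sum_{j=1}^{N} \left(\Pr[\text{Hybrid}_j=1] - \Pr[\text{Hybrid}_{j-1}=1]\right)\right| \le \sum_{j=1}^{N} \left|\Pr[\text{Hybrid}_j=1] - \Pr[\text{Hybrid}_{j-1}=1]\right|.$$
If every term on the right were smaller than $\epsilon/N$, the sum would be smaller than $\epsilon$, so there is an index $j$ with $\left|\Pr[\text{Hybrid}_j=1] - \Pr[\text{Hybrid}_{j-1}=1]\right| \ge \epsilon/N$, which is still non-negligible when $\epsilon$ is non-negligible and $N$ is polynomial. Read in the other direction, if each adjacent gap is at most $\delta$, then $\epsilon \le N\delta$.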
A.2 Proof of Theorem 2
For any real world adversary $A$ who corrupts the issuer $\hat{I}$, the server $\hat{S}$ and a collection of cheating users $\{\hat{U}_1, \ldots, \hat{U}_t\}$, we can construct an ideal world adver-