Cryptography Reference
In-Depth Information
Summing the differences between the above games, we can conclude that
$|\Pr[\mathrm{Real}_{\mathcal{A}}(\kappa) = 1] - \Pr[\mathrm{Ideal}_{\mathcal{A}}(\kappa) = 1]| \le O(2^{-\kappa})$.
Lemma 1. $|\Pr[\mathrm{Game}_2 = 1] - \Pr[\mathrm{Game}_1 = 1]| \le O(2^{-\kappa})$ holds based on the $l$-SDH assumption.
Proof. If Game 1 and Game 2 are distinguishable, then we can construct a forger $\mathcal{A}$ who can break the existential unforgeability under chosen-message attack of the credential signature scheme [2].
The challenger of the credential signature scheme first generates the system parameters and sends the public parameters to $\mathcal{A}$. Then $\mathcal{A}$ can make signature queries to the challenger. Here we let $\mathcal{A}$ make queries for the messages in $\Omega$ where $|\Omega| = l$. Simultaneously $\mathcal{A}$ runs a server and plays Game 2 with the user.
In the transfer phase, $\mathcal{A}$ extracts the $(id_i, cred_i)$ from the zero-knowledge proof conducted with the user. If Game 1 and Game 2 are distinguishable, then it means that $\mathcal{A}$ can extract at least one credential $(a, cred_a)$ where $a \in \omega_i$ but $a \notin \Omega$. Finally $\mathcal{A}$ outputs $(a, cred_a)$ to the challenger as a forgery. Since the credential signature scheme has been proved to be existentially unforgeable under chosen-message attack under the $l$-SDH assumption, we have the conclusion in Lemma 1.
Lemma 2. (Indistinguishability of Ciphertexts) $|\Pr[\mathrm{Game}_4 = 1] - \Pr[\mathrm{Game}_3 = 1]| \le O(2^{-\kappa})$ if the underlying blind ABE is IND-sAtt-CPA secure and leak-free and the PoK 1 of $sk_{DB}$ is zero-knowledge.
Proof. If a PPT distinguisher $\mathcal{D}$ can distinguish Game 3 and Game 4 with a non-negligible probability, then we can construct an adversary $\mathcal{A}$ that wins the IND-sAtt-CPA game against the blind ABE with the same probability. We use a hybrid proof as follows.
We define a series of hybrids such that $\mathrm{Hybrid}_0 = \mathrm{Game}_3$ and $\mathrm{Hybrid}_N = \mathrm{Game}_4$. $\mathrm{Hybrid}_{j-1}$ and $\mathrm{Hybrid}_j$ only differ in the distribution of the $j$-th ciphertext vector, where $1 \le j \le N$. If Game 3 and Game 4 can be distinguished by $\mathcal{D}$, then there must exist a $j$ such that $\mathcal{D}$ can distinguish $\mathrm{Hybrid}_{j-1}$ and $\mathrm{Hybrid}_j$. We construct $\mathcal{A}$ as follows.
$\mathcal{A}$ outputs $\tau = \tau_j$. It runs $\mathcal{D}$ and conducts the protocol with $\hat{\mathcal{R}}$ as in Game 3. Then $\mathcal{A}$ selects a random message $m$ from the message space, outputs $(m_j, m)$ to the challenger and obtains a challenge ciphertext $C$. Then it constructs a ciphertext vector $(C_1, \ldots, C_N)$ as in Game 3 except that at the $j$-th position, it sets $C_j = C$.
When the distinguisher $\mathcal{D}$ returns a bit $b$, the adversary $\mathcal{A}$ returns $b$ to the challenger as its answer.
In addition, since the PoK of $sk_{DB}$ is zero-knowledge and the blind ABE scheme is leak-free, the distinguisher clearly cannot distinguish the two games.
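The step from distinguishing Game 3 and Game 4 to distinguishing one pair of adjacent hybrids, written out as an added derivation that is not part of the original proof. The symbol $\varepsilon$ for the distinguishing gap of $\mathcal{D}$ and the assumption that $N$ is polynomial in $\kappa$ are introduced here.

$$
\begin{aligned}
\varepsilon &= \left|\Pr[\mathrm{Game}_4 = 1] - \Pr[\mathrm{Game}_3 = 1]\right|
 = \left|\Pr[\mathrm{Hybrid}_N = 1] - \Pr[\mathrm{Hybrid}_0 = 1]\right| \\
&= \left|\sum_{j=1}^{N} \left(\Pr[\mathrm{Hybrid}_j = 1] - \Pr[\mathrm{Hybrid}_{j-1} = 1]\right)\right|
 \le \sum_{j=1}^{N} \left|\Pr[\mathrm{Hybrid}_j = 1] - \Pr[\mathrm{Hybrid}_{j-1} = 1]\right| .
\end{aligned}
$$

The sum has $N$ terms, so at least one index $j$ satisfies $\left|\Pr[\mathrm{Hybrid}_j = 1] - \Pr[\mathrm{Hybrid}_{j-1} = 1]\right| \ge \varepsilon / N$. If $\varepsilon$ is non-negligible and $N$ is polynomial in $\kappa$, then $\varepsilon / N$ is also non-negligible, which is the gap that $\mathcal{A}$ turns into an advantage in the IND-sAtt-CPA game by embedding the challenge ciphertext at position $j$.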
A.2 Proof of Theorem 2
For any real world adversary $\mathcal{A}$ who corrupts the issuer $\hat{\mathcal{I}}$, the server $\hat{\mathcal{S}}$ and a collection of cheating users $\{\hat{\mathcal{U}}_1, \ldots, \hat{\mathcal{U}}_t\}$, we can construct an ideal world adver-
 