Cryptography Reference
In-Depth Information
Note that the
Game 1
and
Game 2
differ only in the distribution of extracted
attribute set. We define a series of hybrids such that
Hybrid
0
=
Game 1
and
Hybrid
l
=
Game 2
,where
l
=
|
ω
|
and
ω
⊆
Ω
is an attribute set.
Hybrid
j−
1
and
Hybrid
j
only differ in the
j
th
attribute. If
D
can distinguish
Game 1
and
Game
2
, then there must exist a
j
∈{
1
,...,l
}
D
can distinguish
Hybrid
j−
1
, such that
and
Hybrid
j
. Then we can construct
A
as follows.
ˆ
A
runs
D
and conducts the protocol with the real world server
S
as in
Game 1
chooses a “real” attribute
a
j
(or a random
a
j
∈
except that
A
Ω
)for
Hybrid
j−
1
.
outputs (
params, a
j
,a
j
) and sends the outputs of the first oracle
Then
A
U
b
to
ˆ
returns
ˆ
S
.Afterthe
BlindKeyGen
protocol ends,
A
S
in the selective-failure
finally outputs a bit
b
,
outputs
b
as its guess. We
blindness game. When
D
A
assume that the probability that
outputs 1 when presented with
Hybrid
j−
1
is
a
, and the probability when presented with
Hybrid
j
D
is
b
, then the probability
wins the selective-failure blindness game is
|b−a|
2
that
A
.
B Security Proofs for Blind ABE
B.1 Definition of Leak-Freeness and Selective-Failure Blindness
Similarly to [20], we present the definition of leak-freeness for
BlindKeyGen
algo-
rithm associated with an ABE.
Definition 6.
(Leak-Freeness) A protocol
BlindKeyGen
associated with an ABE
scheme
(Setup, KeyGen, Encrypt, Decrypt)
is leak-free if for any ecient ad-
versary
A
, there exists an ecient simulator
S
im
such that for any ecient
D
distinguisher
, the probability to distinguish real game and ideal game is negli-
gible:
-
Real game:
A
chooses an attributes set
ω
and interacts with
KGC
by running
BlindKeyGen
on
ω
. As many times as
D
wants,
A
repeats the actions above.
outputs a list of attributes set and the corresponding private keys
extracted.
-
Ideal game:
Sim
chooses an attributes set
ω
andsendsittoatrustedparty
T
to obtain the output of
KeyGen
on
ω
. As many times as
D
wants,
A
repeats the actions above. Then
Then
A
im
outputs a list of attributes set and the
corresponding private keys extracted.
S
Next, we present the definition of selective-failure blindness similarly to [16,20].
Definition 7.
(Selective-Failure Blindness) A protocol
P
(
A
(
·
)
,
U
(
·
,
·
))
is said to
be selective-failure blind if for every PPT adversary
A
has a negligible advantage
in the following game: First,
A
outputs
params
and two attributes set
ω
0
,ω
1
∈
Ω
. A random bit
b
∈{
0
,
1
}
is chosen.
A
is given black-box access to two oracles
U
(
params, ω
b
)
and
U
(
params, ω
1
−b
)
.
U
algorithms produce local output
sk
b
and
sk
1
−b
respectively. If
sk
b
=1
and
sk
1
−b
A
receives
(
sk
0
,sk
1
)
.If
sk
b
=
⊥
=1
then
and
sk
1
−b
⊥
A
⊥
,ε
)
.If
sk
b
⊥
and
sk
1
−b
=
⊥
A
=
then
receives
(
=
then
receives
(
ε,
⊥
)
.If
sk
b
=
⊥
and
sk
1
−b
=
⊥
then
A
receives
(
⊥
,
⊥
)
.Finally,
A
outputs its
1
2
guess
b
. We define
A
's advantage in the above game as
|
Pr
[
b
=
b
]
−
|
.
Search WWH ::
Custom Search