Cryptography Reference
In-Depth Information
B.2 Proof of Theorem 3
We give a proof sketch of theorem 3 as follows.
Leak-Freeness.
For any adversary
running the
BlindKeyGen
protocol in the real game, we can construct a simulator
A
who is interacting with
KGC
im
who
interacts with a trusted party executing the ideal
KeyGen
protocol, such that no
ecient distinguisher can distinguish the real game and idea game.
S
S
im
plays the role of
KGC
in the real game, interacting with
A
,andsimultane-
ously interacts with
T
in the ideal game. Each time
A
engages
S
im
in a
BlindKey-
sends (
h
1
,...,h
t
)to
Gen
protocol,
S
im
behavesasfollows.
A
S
im
, and conducts
(
r
1
,...,r
t
,a
1
,...,a
t
):
j
=1
h
j
=
g
a
1
h
j
g
r
j
}
a proof of knowledge
PoK
{
.Ifthe
PoK does not verify,
S
im
aborts. Otherwise,
S
im
extracts (
r
1
,...,r
t
,ω
)and
submits
ω
to
T
.Then
T
returns the private keys
sk
ω
=(
d
0
,d
1
,...,d
t
)to
S
im
,
g
r
,
d
j
←
F
j
(
a
j
)
r
g
2
,
j
=1
,...,l
for some random
r
where
d
0
←
∈
Z
q
. Finally,
d
j
F
j
(
a
j
)
z
d
r
0
,
=(
d
0
,d
1
,...,d
t
), where
d
0
←
d
0
g
z
,
d
j
←
S
im
computs
sk
ω
j
=1
,...,l
for some random
z
Z
q
.
We can see that
sk
ω
is correctly formed and has the same distribution as that
∈
KGC
of
. Hence any ecient distinguisher cannot distinguish the real game and
ideal game.
Selective-Failure Blindness.
The adversary
A
plays the game defined in def-
inition 4.
first outputs
params
and two attributes set
ω
0
and
ω
1
. A random
bit
b
is chosen.
A
A
is given black-box access to two oracles
U
(
params, ω
b
)and
U
(
params, ω
1
−b
). Then
U
algorithms conduct
BlindKeyGen
protocol with
A
who
is playing the role of
KGC
. Finally
A
receives the outputs of
U
algorithms (The
outputs may be one of the four forms defined in definition 4).
then returns a
bit
b
as its answer. Since in the
BlindKeyGen
protocol, the blinded attributes are
h
1
,...,h
t
,where
h
j
=
g
a
1
h
j
g
r
j
,
j
=1
,...,t
. Clearly,
h
j
is uniformly distributed
in
G
. Moreover, the PoK of (
r
1
,...,r
t
,a
1
,...,a
t
) is zero-knowledge, so
A
A
can-
not determine which attributes the user requests, and
cannot cause failure
depending on the user's attributes. Furthermore, since there is a random value
z
in the unblinded private keys, we can finally conclude that
A
A
cannot distinguish
between
U
(
params, ω
b
)and
U
(
params, ω
1
−b
) with non-negligible probability.
B.3 Proof of Theorem 4
Suppose
has advantage
in attacking the ABE system. We show how to use
the adversary
A
A
to build an algorithm
B
that solves the DBDH problem with
is given as input a random tuple (
g, g
a
,g
b
,g
c
,Z
),
where
Z
=
e
(
g, g
)
abc
or is sampled from
G
T
. Algorithm
advantage
/
2. Algorithm
B
B
works by interacting
with
A
in a IND-sAtt-CPA game as follows:
chooses the challenge access tree
τ
∗
and sends it to
-
Initialization
A
B
.
selects random
α
1
,...,α
l
,t ∈ Z
p
.If
a
j
∈ τ
∗
,
-
Setup
B
B
sets
t
j
← a
j
,
g
t
1
g
α
j
,then
otherwise
t
j
←
(
a
j
−
t
),
∀
a
j
∈
Ω
.Let
h
j
←
Search WWH ::
Custom Search