Cryptography Reference
In-Depth Information
TransmitOracle(m
1
,...,m
s
)
ReceiveOracle(c,u)
retrieve ek;
retrieve sk
u
;
c ← Transmit(ek,m
1
,...,m
s
);
return Receive(c,sk
u
);
return c;
Experiment Exp
M
A
(1
n
)
(tk,ek,sk
1
,...,sk
n
) ←KeyDist(1
n
)
aux ←A
TransmitOracle(·),ReceiveOracle(·)
(1
n
)
hm
1
,...m
s
i,hm
1
,...m
s
i ←M
s
b ←{0,1}; c ← Transmit(ek,hm
1
,...m
s
i)
b
0
←A
TransmitOracle(·)
(aux,hm
1
,...m
s
i,c)
return 1 if and only if b = b
0
Fig. 3.1. The CCA-1 security game for a multi user encryption scheme.
definition/game by not letting the attacker to access the ReceiveOracle on the
second line of the security game. In such case we say the multiuser encryption
scheme is CPA ε-insecure, if the above condition given in the definition holds
for a CPA adversary.
Note that typically key encapsulation mechanisms are defined without any
input beyond the encryption key (i.e., there is no plaintext part). For conve-
nience we take a different approach where we provide the input. In effect,
we state above that the encryption mechanism of the multiuser encryption
matches the syntax of regular encryption and is supposed to satisfy the secu-
rity requirements of a key encapsulation mechanism.
3.2 Constructions For Multiuser Encryption Schemes
In this section we will present some multiuser encryption schemes. The basic
characteristic in all these schemes is that the keys given to users are distinct.
For each scheme we will provide its definition and a proof of security. The
reader will observe that the key space is selected in some deliberate manner
to enforce some “separability” between the users. The exact benefits of the
user key space that the schemes of this section exhibit will become useful
when we introduce tracing games in the next section.
3.2.1 Linear Length Multiuser Encryption Scheme
We will now, present a straightforward multiuser encryption scheme that pro-
duces a ciphertext of length linear in number of receivers. We will name this
scheme by
ME
L
which will be a unary scheme that is transmitting a single en-
crypted message to the receivers. It is parameterized by an encryption scheme
(
E
,
D
).
