Cryptography Reference
The adversary may have at its disposal the following resources, which can
be thought of as oracles that it can query to obtain a response.
1. Chosen Plaintext. The adversary can obtain valid plaintext-ciphertext
pairs. When broadcast encryption is used only for cryptographic key
distribution, the adversary may not be able to influence the distribution
of plaintext; nevertheless, allowing this capability only makes the
security property stronger. When the adversary requests an encryption, it
is also allowed to specify the set of revoked users, or even to choose the
revocation information ψ that is passed to the encryption algorithm.
2. Chosen Ciphertext. The adversary can observe how a certain
uncorrupted user responds to a decryption request. The query need not
contain a valid ciphertext; it can be an arbitrary bitstring created by
the adversary to see how a user reacts in decryption.
3. User Corruption. In the static corruption setting, the adversary obtains
the key material of all users in a set T ⊆ [n]. In the adaptive corruption
setting, the adversary corrupts users one by one after performing other
operations as allowed in the course of the attack.
The security of a broadcast encryption scheme will be defined using a game
between the adversary and the challenger. We say the adversary has broken
the scheme when the revocation list contains all of the corrupted users, but
the adversary is still capable of distinguishing a valid plaintext-ciphertext
pair from a pair where the plaintext is independent of the ciphertext and
uniformly random. In Figure 2.1 we present the security game that captures
the security for key encapsulation that we require from a broadcast
encryption scheme in order for it to be useful in a hybrid encryption setting.
EncryptOracle(m, ψ):
    retrieve ek;
    c ← Encrypt(ek, m, ψ);
    return c;

DecryptOracle(c, u):
    retrieve sk_u;
    return Decrypt(c, sk_u);

CorruptOracle(u):
    T ← T ∪ {u};
    retrieve sk_u;
    return sk_u;

Experiment Exp^re_A(1^n):
    (ek, sk_1, ..., sk_n) ← KeyGen(1^n); T ← ∅
    ψ ← A^{EncryptOracle(), DecryptOracle(), CorruptOracle()}(1^n)
    M_0, M_1 ← M_s; b ← {0,1}; c ← Encrypt(ek, M_1, ψ)
    b′ ← A^{EncryptOracle()}({sk_i}_{i∈T}, M_b, c)
    return 1 if and only if b = b′ and ψ excludes all members of T.
Fig. 2.1. The security game for key encapsulation.
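The game of Fig. 2.1 as a runnable harness, added here as an illustration and not taken from the original text. The two toy schemes (NaiveScheme, BrokenScheme), the adversary CorruptOne and all parameters are constructed assumptions; the point is that a scheme ignoring ψ loses every run, while a win rate near 1/2 means the adversary does no better than guessing.

```python
import hashlib, hmac, secrets

KLEN = 16  # byte length of messages (session keys); constructed parameter
def _mask(key, nonce, m):
    pad = hmac.new(key, nonce, hashlib.sha256).digest()[:KLEN]
    return bytes(x ^ y for x, y in zip(m, pad))

class NaiveScheme:
    """Toy scheme (assumption): independent per-user keys, one slot per recipient."""
    honours_psi = True
    def keygen(self, n):
        sks = [(u, secrets.token_bytes(16)) for u in range(n)]
        return sks, sks                      # ek is simply the list of user keys
    def encrypt(self, ek, m, psi):
        nonce = secrets.token_bytes(16)
        to = [sk for sk in ek if not (self.honours_psi and sk[0] in psi)]
        return nonce, {u: _mask(key, nonce, m) for u, key in to}
    def decrypt(self, c, sk):
        (nonce, slots), (u, key) = c, sk
        return _mask(key, nonce, slots[u]) if u in slots else None

class BrokenScheme(NaiveScheme):
    """Deliberately flawed variant: ignores psi, so revoked users keep a slot."""
    honours_psi = False

class CorruptOne:
    """Constructed adversary: corrupts user 0 and tries that key on the challenge."""
    revoke = True                            # whether psi lists the corrupted user
    def choose_psi(self, enc, dec, corrupt):
        corrupt(0)
        return {0} if self.revoke else set()
    def guess(self, enc, keys, m, c):        # Decrypt is public; both schemes share it
        return int(NaiveScheme().decrypt(c, keys[0]) == m)

def experiment(scheme, adv, n=8):
    """One run of the Fig. 2.1 game: True iff b = b' and psi excludes all of T."""
    (ek, sks), T = scheme.keygen(n), set()
    def corrupt(u):                          # CorruptOracle: record u, hand over sk_u
        T.add(u)
        return sks[u]
    enc = lambda m, psi: scheme.encrypt(ek, m, psi)
    dec = lambda c, u: scheme.decrypt(c, sks[u])
    psi = adv.choose_psi(enc, dec, corrupt)
    M, b = [secrets.token_bytes(KLEN) for _ in range(2)], secrets.randbelow(2)
    c = scheme.encrypt(ek, M[1], psi)        # challenge always encapsulates M_1
    b_guess = adv.guess(enc, {u: sks[u] for u in T}, M[b], c)
    return b_guess == b and T <= set(psi)

def win_rate(scheme, adv, runs=400):
    return sum(experiment(scheme, adv) for _ in range(runs)) / runs
```

Setting `revoke = False` on the adversary shows the second half of the winning condition: it still guesses b correctly against BrokenScheme, but ψ no longer excludes T, so no run counts as a win.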
In the definition below we introduce the notion of ε-insecurity that
captures the advantage the adversary may have in distinguishing valid
plaintext-ciphertext pairs from those that are independently chosen.
 
 
 