Cryptography Reference
In-Depth Information
ThCom
:
Given a set of all decryption shares
S
=(
δ
1
, ..., δ
n
). It outputs
m
=
Rec
(
s
1
, ..., s
n
).
Theorem 1.
THE
constructed above is a CCA secure threshold encryption with
thresholds
t
p
,
t
f
,
t
r
,
t
s
,if
TBE
is selective-tag CCA secure,
SS
is
(
t
p
,t
f
,t
r
,t
s
,n
)
secure, and
Σ
is one-time strongly unforgeable under chosen message attacks.
Robustness thresholds
t
f
,
t
r
,
t
s
follow immediately from those of the secret shar-
ing scheme. We now argue message privacy. We will use the following useful
lemma.
Lemma 1.
Let
S
1
,
S
2
and
R
be events defined on some probability space. Sup-
pose that the event
S
1
∧¬
R
occurs if and only if
S
2
∧¬
R
occurs. Then
Pr[
S
1
]
Pr[
S
2
]
≤
−
Pr[
R
]
.
We now define a sequence of games between a simulator and an adversary
.
Before defining the games, we define two “global” aspects in all the games. First,
the simulator chooses a one-time signature key pair (
vk
∗
,sk
∗
)
A
←
Gen
(
λ
). Second,
submits
m
0
,m
1
, the simulator uses (
vk
∗
,sk
∗
) instead of generating
a new one-time signature key pair to generate the challenge ciphertext
c
∗
.
whenever
A
Game
0
:
This game is identical to the threshold encryption CCA experiment.
At the beginning,
A
chooses
t
p
servers to corrupt. W.l.o.g we assume that
A
corrupts servers
. The simulator runs the key generation al-
gorithm
ThGen
to obtain the public key
PK
=(
pk
1
, ..., pk
n
), and decryption
keys
−−
SK
=(
dk
1
, ..., dk
n
). Then the simulator gives the public key
PK
,and
dk
n−t
p
+1
, ..., dk
n
to
{
n
−
t
p
+1
, ..., n
}
can make queries to uncorrupted servers with ci-
phertext
c
, and the simulator decrypts
c
with the corresponding decryption
key and returns the decryption share. After that
A
.
A
chooses two plaintexts
m
0
,
m
1
,
and gives them to the simulator. The simulator chooses
b
A
∈{
0
,
1
}
at random
and returns
c
∗
.Wedenote
c
∗
=(
c
1
, ..., c
n
,vk
∗
,σ
∗
).
=
ThEnc
(
PK,m
b
)to
A
obtains
c
∗
, it still can make queries to uncorrupted servers with cipher-
After
A
=
c
∗
, and obtains decryption shares. At the end of the game,
text
c
A
outputs
b
∈{
denote the event that
b
=
b
, apparently we
0
,
1
}
as the guess of
b
.Let
X
0
(
λ
)=
Pr[
X
0
]
2
.
have
Adv
the
-
cca
THE,A
1
−
Game
0
:
This Game is identical to Game
0
, except that when
A
queries
c
=
(
c
1
, ..., c
n
,vk,σ
), if
vk
=
vk
∗
, then the simulator outputs
. Otherwise out-
puts the decryption share. Let
X
0
denote the event
b
=
b
in this game. Let
F
denote the event that
⊥
=
c
∗
,
vk
=
vk
∗
and
Ver
(
vk, c
1
, ..., c
n
,σ
) = 1. Actually, if this event occurs with non-negligible prob-
ability, we can construct a adversary
A
queries
c
=(
c
1
, ..., c
n
,vk,σ
),
c
to attack the one-time signature scheme.
Obviously
X
0
and
X
0
are identical unless
F
occurs. We claim:
Lemma 2.
Pr[
F
]
is negligible.
The proof of this lemma is given in section 3.1. According to Lemma 1 and
B
Lemma 2, we have
Pr [
X
0
]
Pr [
X
0
]
is negligible.
−