Transforming Hidden Vector Encryption Schemes from Composite to Prime Order Groups

Information Security and Cryptology – ICISC 2016 (ICISC 2016)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 10157)

Abstract

Predicate encryption is a new type of public key encryption that enables searches on encrypted data. By using predicate encryption, we can search keywords or attributes on encrypted data without decrypting ciphertexts. Hidden vector encryption (HVE) is a special kind of predicate encryption. HVE supports the evaluation of conjunctive equality, comparison, and subset operations between attributes in ciphertexts and attributes in tokens. In this paper, we construct efficient HVE schemes in prime order bilinear groups derived from previous HVE schemes in composite order bilinear groups, and prove their selective security under simple assumptions. To achieve this result, we present a conversion method that transforms HVE schemes from composite order bilinear groups into prime order bilinear groups. Our method supports any type of prime order bilinear group and uses simple assumptions.

References

  1. Bellare, M., Boldyreva, A., Desai, A., Pointcheval, D.: Key-privacy in public-key encryption. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 566–582. Springer, Heidelberg (2001). doi:10.1007/3-540-45682-1_33

  2. Boneh, D., Boyen, X.: Efficient selective-ID secure identity-based encryption without random oracles. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 223–238. Springer, Heidelberg (2004). doi:10.1007/978-3-540-24676-3_14

  3. Boneh, D., Crescenzo, G., Ostrovsky, R., Persiano, G.: Public key encryption with keyword search. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 506–522. Springer, Heidelberg (2004). doi:10.1007/978-3-540-24676-3_30

  4. Boneh, D., Franklin, M.: Identity-based encryption from the Weil pairing. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 213–229. Springer, Heidelberg (2001). doi:10.1007/3-540-44647-8_13

  5. Boneh, D., Goh, E.-J., Nissim, K.: Evaluating 2-DNF formulas on ciphertexts. In: Kilian, J. (ed.) TCC 2005. LNCS, vol. 3378, pp. 325–341. Springer, Heidelberg (2005). doi:10.1007/978-3-540-30576-7_18

  6. Boneh, D., Sahai, A., Waters, B.: Functional encryption: definitions and challenges. In: Ishai, Y. (ed.) TCC 2011. LNCS, vol. 6597, pp. 253–273. Springer, Heidelberg (2011). doi:10.1007/978-3-642-19571-6_16

  7. Boneh, D., Waters, B.: Conjunctive, subset, and range queries on encrypted data. In: Vadhan, S.P. (ed.) TCC 2007. LNCS, vol. 4392, pp. 535–554. Springer, Heidelberg (2007). doi:10.1007/978-3-540-70936-7_29

  8. Ducas, L.: Anonymity from asymmetry: new constructions for anonymous HIBE. In: Pieprzyk, J. (ed.) CT-RSA 2010. LNCS, vol. 5985, pp. 148–164. Springer, Heidelberg (2010). doi:10.1007/978-3-642-11925-5_11

  9. Freeman, D.M.: Converting pairing-based cryptosystems from composite-order groups to prime-order groups. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 44–61. Springer, Heidelberg (2010). doi:10.1007/978-3-642-13190-5_3

  10. Garg, S., Kumarasubramanian, A., Sahai, A., Waters, B.: Building efficient fully collusion-resilient traitor tracing and revocation schemes. In: Proceedings of the 17th ACM Conference on Computer and Communications Security, pp. 121–130. ACM (2010)

  11. Gentry, C., Silverberg, A.: Hierarchical ID-based cryptography. In: Zheng, Y. (ed.) ASIACRYPT 2002. LNCS, vol. 2501, pp. 548–566. Springer, Heidelberg (2002). doi:10.1007/3-540-36178-2_34

  12. Goyal, V., Pandey, O., Sahai, A., Waters, B.: Attribute-based encryption for fine-grained access control of encrypted data. In: Proceedings of the 13th ACM Conference on Computer and Communications Security, pp. 89–98. ACM (2006)

  13. Iovino, V., Persiano, G.: Hidden-vector encryption with groups of prime order. In: Galbraith, S.D., Paterson, K.G. (eds.) Pairing 2008. LNCS, vol. 5209, pp. 75–88. Springer, Heidelberg (2008). doi:10.1007/978-3-540-85538-5_5

  14. Katz, J., Sahai, A., Waters, B.: Predicate encryption supporting disjunctions, polynomial equations, and inner products. In: Smart, N. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 146–162. Springer, Heidelberg (2008). doi:10.1007/978-3-540-78967-3_9

  15. Katz, J., Yerukhimovich, A.: On black-box constructions of predicate encryption from trapdoor permutations. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 197–213. Springer, Heidelberg (2009). doi:10.1007/978-3-642-10366-7_12

  16. Lee, K., Lee, D.H.: Improved hidden vector encryption with short ciphertexts and tokens. Des. Codes Crypt. 58(3), 297–319 (2011)

  17. Lewko, A., Waters, B.: New techniques for dual system encryption and fully secure HIBE with short ciphertexts. In: Micciancio, D. (ed.) TCC 2010. LNCS, vol. 5978, pp. 455–479. Springer, Heidelberg (2010). doi:10.1007/978-3-642-11799-2_27

  18. Okamoto, T., Takashima, K.: Hierarchical predicate encryption for inner-products. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 214–231. Springer, Heidelberg (2009). doi:10.1007/978-3-642-10366-7_13

  19. Park, J.H.: Efficient hidden vector encryption for conjunctive queries on encrypted data. IEEE Trans. Knowl. Data Eng. 23(10), 1483–1497 (2011)

  20. Park, J.H.: Inner-product encryption under standard assumptions. Des. Codes Crypt. 58(3), 235–257 (2011)

  21. Shi, E., Bethencourt, J., Chan, T.H., Song, D., Perrig, A.: Multi-dimensional range query over encrypted data. In: 2007 IEEE Symposium on Security and Privacy (SP 2007), pp. 350–364. IEEE (2007)

  22. Shi, E., Waters, B.: Delegating capabilities in predicate encryption systems. In: Aceto, L., Damgård, I., Goldberg, L.A., Halldórsson, M.M., Ingólfsdóttir, A., Walukiewicz, I. (eds.) ICALP 2008. LNCS, vol. 5126, pp. 560–578. Springer, Heidelberg (2008). doi:10.1007/978-3-540-70583-3_46

  23. Shoup, V.: Lower bounds for discrete logarithms and related problems. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 256–266. Springer, Heidelberg (1997). doi:10.1007/3-540-69053-0_18

  24. Waters, B.: Dual system encryption: realizing fully secure IBE and HIBE under simple assumptions. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 619–636. Springer, Heidelberg (2009). doi:10.1007/978-3-642-03356-8_36

  25. Waters, B.R., Balfanz, D., Durfee, G., Smetters, D.K.: Building an encrypted and searchable audit log. In: NDSS, vol. 4, pp. 5–6 (2004)

Acknowledgements

This research was supported by Next-Generation Information Computing Development Program through the National Research Foundation of Korea (NRF) funded by MSIP (NRF-2016M3C4A7937115).

Corresponding author

Correspondence to Kwangsu Lee.

A Generic Group Model

In this section, we show that the P3DH assumption holds in the generic group model. The generic group model introduced by Shoup [23] is a tool for analyzing generic algorithms that work independently of the group representation.

A.1 Master Theorem

We generalize the master theorem of Katz et al. [14] to use prime order bilinear groups instead of composite order bilinear groups and to use multiple group elements in the target instead of just one element.

Let \(\mathbb {G}, \mathbb {G}_T\) be cyclic bilinear groups of order p where p is a large prime. The bilinear map is defined as \(e:\mathbb {G}\times \mathbb {G}\rightarrow \mathbb {G}_T\). In the generic group model, a random group element of \(\mathbb {G}, \mathbb {G}_T\) is represented as a random variable \(P_i, R_i\) respectively where \(P_i, R_i\) are chosen uniformly in \(\mathbb {Z}_p\). We say that a random variable has degree t if the maximum degree of any variable is t. Then we can naturally define the dependence and independence of random variables as in Definition 6.

Definition 6

Let \(P = \{P_1, \ldots , P_u\},~ T_0 = \{T_{0,1}, \ldots , T_{0,m}\},~ T_1 = \{T_{1,1}, \ldots , T_{1,m}\}\) be random variables over \(\mathbb {G}\) where \(T_{0,i} \ne T_{1,i}\) for all \(1\le i\le m\), and let \(R = \{R_1, \ldots , R_v\}\) be random variables over \(\mathbb {G}_T\). We say that \(T_b\) is dependent on P if there exist constants \(\{\alpha _i\}, \{\beta _i\}\) such that

$$\begin{aligned} \sum _i^m \alpha _i T_{b,i} = \sum _i^u \beta _i \cdot P_i \end{aligned}$$

where \(\alpha _i \ne 0\) for at least one i. We say that \(T_b\) is independent of P if \(T_b\) is not dependent on P.

Let \(S_1 = \{ (i,j) ~|~ e(T_{0,i}, T_{0,j}) \ne e(T_{1,i}, T_{1,j}) \}\) and \(S_2 = \{ (i,j) ~|~ e(T_{0,i}, P_j) \ne e(T_{1,i}, P_j) \}\). We say that \(\{ e(T_{b,i}, T_{b,j}) \}_{(i,j) \in S_1} \cup \{ e(T_{b,i},P_j) \}_{(i,j) \in S_2}\) is dependent on \(P \cup R \cup \{ e(T_{b,i}, T_{b,j}) \}_{(i,j) \notin S_1} \cup \{ e(T_{b,i},P_j) \}_{(i,j) \notin S_2}\) if there exist constants \(\{\alpha _{i,j}\}, \{\alpha '_{i,j}\}, \{\beta _{i,j}\}, \{\beta '_{i,j}\}, \{\gamma _{i,j}\}, \{\delta _i\}\) such that

$$\begin{aligned}&\sum _{(i,j) \in S_1} \alpha _{i,j} \cdot e(T_{b,i}, T_{b,j}) + \sum _{(i,j) \notin S_1} \alpha '_{i,j} \cdot e(T_{b,i}, T_{b,j}) + \\&\sum _{(i,j) \in S_2} \beta _{i,j} \cdot e(T_{b,i}, P_j) + \sum _{(i,j) \notin S_2} \beta '_{i,j} \cdot e(T_{b,i}, P_j) \\&= \sum _i^u \sum _j^u \gamma _{i,j} \cdot e(P_i, P_j) + \sum _i^v \delta _i \cdot R_i. \end{aligned}$$

where \(\alpha _{i,j} \ne 0\) for at least one \((i,j) \in S_1\) or \(\beta _{i,j} \ne 0\) for at least one \((i,j) \in S_2\). We say that \(\{ e(T_{b,i}, T_{b,j}) \}_{(i,j) \in S_1} \cup \{ e(T_{b,i},P_j) \}_{(i,j) \in S_2}\) is independent of \(P \cup R \cup \{ e(T_{b,i}, T_{b,j}) \}_{(i,j) \notin S_1} \cup \{ e(T_{b,i},P_j) \}_{(i,j) \notin S_2}\) if \(\{ e(T_{b,i}, T_{b,j}) \}_{(i,j) \in S_1} \cup \{ e(T_{b,i},P_j) \}_{(i,j) \in S_2}\) is not dependent on \(P \cup R \cup \{ e(T_{b,i}, T_{b,j}) \}_{(i,j) \notin S_1} \cup \{ e(T_{b,i},P_j) \}_{(i,j) \notin S_2}\).

Using the above dependence and independence of random variables, we can obtain the following theorem from the master theorem of Katz et al. [14].

Theorem 7

Let \(P = \{P_1, \ldots , P_u\},~ T_0 = \{T_{0,1}, \ldots , T_{0,m}\},~ T_1 = \{T_{1,1}, \ldots , T_{1,m}\}\) be random variables over \(\mathbb {G}\) where \(T_{0,i} \ne T_{1,i}\) for all \(1\le i\le m\), and let \(R = \{R_1, \ldots , R_v\}\) be random variables over \(\mathbb {G}_T\). Consider the following experiment in the generic group model:

An algorithm is given \(P = \{P_1, \ldots , P_u\}\) and \(R = \{R_1, \ldots , R_v\}\). A random bit b is chosen, and the adversary is given \(T_b = \{T_{b,1}, \ldots , T_{b,m}\}\). The algorithm outputs a bit \(b'\), and succeeds if \(b'=b\). The algorithm’s advantage is the absolute value of the difference between its success probability and 1/2.

Let \(S_1 = \{ (i,j) ~|~ e(T_{0,i}, T_{0,j}) \ne e(T_{1,i}, T_{1,j}) \}\) and \(S_2 = \{(i,j) ~|~ e(T_{0,i}, P_j) \ne e(T_{1,i}, P_j)\}\). If \(T_b\) is independent of P for all \(b \in \{0,1\}\), and \(\{ e(T_{b,i}, T_{b,j}) \}_{(i,j) \in S_1} \cup \{ e(T_{b,i},P_j) \}_{(i,j) \in S_2}\) is independent of \(P \cup R \cup \{ e(T_{b,i}, T_{b,j}) \}_{(i,j) \notin S_1} \cup \{ e(T_{b,i},P_j) \}_{(i,j) \notin S_2}\) for all \(b \in \{0,1\}\), then any algorithm \(\mathcal {A}\) issuing at most q instructions has an advantage at most \(O(q^2t/p)\).

Note that this theorem, which is a slight modification of that of Katz et al. [14], still holds in prime order bilinear groups since the dependent equation of an adversary can be used to distinguish the target \(T_b\) of the assumption. Additionally, it still holds when the target consists of multiple group elements since the adversary can only make a dependent equation as in Definition 6.

A.2 Analysis of P3DH Assumption

To analyze the P3DH assumption in the generic group model, we only need to show the independence of the random variables \(T_0, T_1\). Using the notation of the previous section, the P3DH assumption can be written as follows:

$$\begin{aligned} P =&\{ 1, X, A, XA, B, XB, AB + XZ_1, Z_1, C + XZ_2, Z_2 \},~ R = \{ 1 \} \\ T_0 =&\{ ABC + XZ_3, Z_3 \},~ T_1 = \{ D + XZ_3, Z_3 \}. \end{aligned}$$

The target \(T_1\) has a random variable D that does not exist in P. Thus the independence of \(T_1\) is easily obtained. Therefore, we only need to consider the independence of \(T_0\). First, \(T_0\) is independent of P since \(T_0\) contains \(Z_3\), which does not exist in P. For the independence of \(\{ e(T_{0,i},T_{0,j}) \}_{(i,j) \in S_1} \cup \{ e(T_{0,i},P_j) \}_{(i,j) \in S_2}\), we should define two sets \(S_1, S_2\). We obtain that \(S_1 = \{(1,1), (1,2), (2,1), (2,2)\}\). However, \(e(T_{0,i},T_{0,j})\) contains \(Z_3^2\) because of \(Z_3\) in \(T_0\), and \(Z_3^2\) cannot be obtained from the right part of the equation in Definition 6. Thus, the constants \(\alpha _{i,j}\) should be zero for all \((i,j)\). From this, we obtain the simple equation as follows:

$$\begin{aligned}&\sum _{(i,j) \in S_2} \beta _{i,j} \cdot e(T_{b,i}, P_j) + \sum _{(i,j) \notin S_2} \beta '_{i,j} \cdot e(T_{b,i}, P_j) \\&= \sum _i^u \sum _j^u \gamma _{i,j} \cdot e(P_i, P_j) + \sum _i^v \delta _i \cdot R_i. \end{aligned}$$

The set \(S_2\) is defined as \(\{(i,j) ~|~ \forall i,j\}\) because of D in \(T_1\). However, \(Z_3\) in \(T_0\) should be removed to construct a dependent equation since \(Z_3\) does not exist in \(P, R\). To remove \(Z_3\) from the left part of the above simple equation, two random variables \(Y, XY\) should be paired with \(T_{0,i}\) for some \(Y \in P\). If \(Z_3\) is removed from the left part of the above simple equation, then the left part has degree at least 3 and it contains ABC. To have degree 3 in the right part of the above simple equation, \(AB+XZ_1, Z_1\) should be used. However, the right part of the above equation cannot contain ABC since \(C, XC\) do not exist in P. Therefore, the independence of \(T_0\) is obtained.
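The independence argument above can be checked mechanically. The following added example (not from the paper) encodes the P3DH sets as polynomials and tests both conditions of Definition 6 by comparing matrix ranks; the function names are hypothetical, and rank is computed over the rationals as a stand-in for \(\mathbb {Z}_p\) with large p (an assumption). It also re-runs the check on a constructed variant with \(C, XC\) added to P, the case the argument rules out.

```python
from fractions import Fraction
from itertools import combinations_with_replacement as pairs, product

def poly(s):
    # "A B + X Z1" -> {('A','B'): 1, ('X','Z1'): 1}; "1" is the constant monomial
    return {tuple(sorted(v for v in t.split() if v != "1")): 1 for t in s.split("+")}

def mul(f, g):
    # Pairing e(.,.) multiplies the exponent polynomials of its two arguments
    out = {}
    for (m1, c1), (m2, c2) in product(f.items(), g.items()):
        m = tuple(sorted(m1 + m2))
        out[m] = out.get(m, 0) + c1 * c2
    return out

def rank(polys):
    # Gaussian elimination on the coefficient matrix (rows = polynomials)
    monos = sorted({m for f in polys for m in f})
    rows = [[Fraction(f.get(m, 0)) for m in monos] for f in polys]
    r = 0
    for col in range(len(monos)):
        piv = next((i for i in range(r, len(rows)) if rows[i][col]), None)
        if piv is None:
            continue
        rows[r], rows[piv] = rows[piv], rows[r]
        for i in range(len(rows)):
            if i != r and rows[i][col]:
                k = rows[i][col] / rows[r][col]
                rows[i] = [a - k * b for a, b in zip(rows[i], rows[r])]
        r += 1
    return r

def independent(targets, base):
    # True iff no nontrivial combination of the distinct targets lies in span(base)
    t = list({frozenset(f.items()): f for f in targets}.values())
    return rank(base + t) == rank(base) + len(t)

def p3dh_checks(extra=()):
    # extra: constructed additions to P, used only for the negative control
    P = [poly(s) for s in ("1", "X", "A", "X A", "B", "X B",
                           "A B + X Z1", "Z1", "C + X Z2", "Z2", *extra)]
    T0 = [poly("A B C + X Z3"), poly("Z3")]
    # S1 and S2 contain every index pair here, so all products go on the left
    left = [mul(t, s) for t in T0 for s in T0] + [mul(t, q) for t in T0 for q in P]
    right = [mul(a, b) for a, b in pairs(P, 2)]  # R = {1} is already 1*1
    return independent(T0, P), independent(left, right)

if __name__ == "__main__":
    print(p3dh_checks())                     # P3DH as stated
    print(p3dh_checks(extra=("C", "X C")))   # constructed variant with C, XC in P
```

Symmetric duplicates such as \(e(T_{0,1}, T_{0,2})\) and \(e(T_{0,2}, T_{0,1})\) are collapsed before the rank comparison, since they are the same polynomial and would otherwise register as a trivial dependence.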

Copyright information

© 2017 Springer International Publishing AG

About this paper

Cite this paper

Lee, K. (2017). Transforming Hidden Vector Encryption Schemes from Composite to Prime Order Groups. In: Hong, S., Park, J. (eds) Information Security and Cryptology – ICISC 2016. ICISC 2016. Lecture Notes in Computer Science(), vol 10157. Springer, Cham. https://doi.org/10.1007/978-3-319-53177-9_5

  • DOI: https://doi.org/10.1007/978-3-319-53177-9_5

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-53176-2

  • Online ISBN: 978-3-319-53177-9

  • eBook Packages: Computer Science (R0)