Abstract
Predicate encryption is a new type of public key encryption that enables searches on encrypted data. By using predicate encryption, we can search keywords or attributes on encrypted data without decrypting ciphertexts. Hidden vector encryption (HVE) is a special kind of predicate encryption. HVE supports the evaluation of conjunctive equality, comparison, and subset operations between attributes in ciphertexts and attributes in tokens. In this paper, we construct efficient HVE schemes in prime order bilinear groups derived from previous HVE schemes in composite order bilinear groups, and prove their selective security under simple assumptions. To achieve this result, we present a conversion method that transforms HVE schemes from composite order bilinear groups into prime order bilinear groups. Our method supports any type of prime order bilinear group and uses simple assumptions.
References
Bellare, M., Boldyreva, A., Desai, A., Pointcheval, D.: Key-privacy in public-key encryption. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 566–582. Springer, Heidelberg (2001). doi:10.1007/3-540-45682-1_33
Boneh, D., Boyen, X.: Efficient selective-ID secure identity-based encryption without random oracles. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 223–238. Springer, Heidelberg (2004). doi:10.1007/978-3-540-24676-3_14
Boneh, D., Crescenzo, G., Ostrovsky, R., Persiano, G.: Public key encryption with keyword search. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 506–522. Springer, Heidelberg (2004). doi:10.1007/978-3-540-24676-3_30
Boneh, D., Franklin, M.: Identity-based encryption from the Weil pairing. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 213–229. Springer, Heidelberg (2001). doi:10.1007/3-540-44647-8_13
Boneh, D., Goh, E.-J., Nissim, K.: Evaluating 2-DNF formulas on ciphertexts. In: Kilian, J. (ed.) TCC 2005. LNCS, vol. 3378, pp. 325–341. Springer, Heidelberg (2005). doi:10.1007/978-3-540-30576-7_18
Boneh, D., Sahai, A., Waters, B.: Functional encryption: definitions and challenges. In: Ishai, Y. (ed.) TCC 2011. LNCS, vol. 6597, pp. 253–273. Springer, Heidelberg (2011). doi:10.1007/978-3-642-19571-6_16
Boneh, D., Waters, B.: Conjunctive, subset, and range queries on encrypted data. In: Vadhan, S.P. (ed.) TCC 2007. LNCS, vol. 4392, pp. 535–554. Springer, Heidelberg (2007). doi:10.1007/978-3-540-70936-7_29
Ducas, L.: Anonymity from asymmetry: new constructions for anonymous HIBE. In: Pieprzyk, J. (ed.) CT-RSA 2010. LNCS, vol. 5985, pp. 148–164. Springer, Heidelberg (2010). doi:10.1007/978-3-642-11925-5_11
Freeman, D.M.: Converting pairing-based cryptosystems from composite-order groups to prime-order groups. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 44–61. Springer, Heidelberg (2010). doi:10.1007/978-3-642-13190-5_3
Garg, S., Kumarasubramanian, A., Sahai, A., Waters, B.: Building efficient fully collusion-resilient traitor tracing and revocation schemes. In: Proceedings of the 17th ACM Conference on Computer and Communications Security, pp. 121–130. ACM (2010)
Gentry, C., Silverberg, A.: Hierarchical ID-based cryptography. In: Zheng, Y. (ed.) ASIACRYPT 2002. LNCS, vol. 2501, pp. 548–566. Springer, Heidelberg (2002). doi:10.1007/3-540-36178-2_34
Goyal, V., Pandey, O., Sahai, A., Waters, B.: Attribute-based encryption for fine-grained access control of encrypted data. In: Proceedings of the 13th ACM Conference on Computer and Communications Security, pp. 89–98. ACM (2006)
Iovino, V., Persiano, G.: Hidden-vector encryption with groups of prime order. In: Galbraith, S.D., Paterson, K.G. (eds.) Pairing 2008. LNCS, vol. 5209, pp. 75–88. Springer, Heidelberg (2008). doi:10.1007/978-3-540-85538-5_5
Katz, J., Sahai, A., Waters, B.: Predicate encryption supporting disjunctions, polynomial equations, and inner products. In: Smart, N. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 146–162. Springer, Heidelberg (2008). doi:10.1007/978-3-540-78967-3_9
Katz, J., Yerukhimovich, A.: On black-box constructions of predicate encryption from trapdoor permutations. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 197–213. Springer, Heidelberg (2009). doi:10.1007/978-3-642-10366-7_12
Lee, K., Lee, D.H.: Improved hidden vector encryption with short ciphertexts and tokens. Des. Codes Crypt. 58(3), 297–319 (2011)
Lewko, A., Waters, B.: New techniques for dual system encryption and fully secure HIBE with short ciphertexts. In: Micciancio, D. (ed.) TCC 2010. LNCS, vol. 5978, pp. 455–479. Springer, Heidelberg (2010). doi:10.1007/978-3-642-11799-2_27
Okamoto, T., Takashima, K.: Hierarchical predicate encryption for inner-products. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 214–231. Springer, Heidelberg (2009). doi:10.1007/978-3-642-10366-7_13
Park, J.H.: Efficient hidden vector encryption for conjunctive queries on encrypted data. IEEE Trans. Knowl. Data Eng. 23(10), 1483–1497 (2011)
Park, J.H.: Inner-product encryption under standard assumptions. Des. Codes Crypt. 58(3), 235–257 (2011)
Shi, E., Bethencourt, J., Chan, T.H., Song, D., Perrig, A.: Multi-dimensional range query over encrypted data. In: 2007 IEEE Symposium on Security and Privacy (SP 2007), pp. 350–364. IEEE (2007)
Shi, E., Waters, B.: Delegating capabilities in predicate encryption systems. In: Aceto, L., Damgård, I., Goldberg, L.A., Halldórsson, M.M., Ingólfsdóttir, A., Walukiewicz, I. (eds.) ICALP 2008. LNCS, vol. 5126, pp. 560–578. Springer, Heidelberg (2008). doi:10.1007/978-3-540-70583-3_46
Shoup, V.: Lower bounds for discrete logarithms and related problems. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 256–266. Springer, Heidelberg (1997). doi:10.1007/3-540-69053-0_18
Waters, B.: Dual system encryption: realizing fully secure IBE and HIBE under simple assumptions. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 619–636. Springer, Heidelberg (2009). doi:10.1007/978-3-642-03356-8_36
Waters, B.R., Balfanz, D., Durfee, G., Smetters, D.K.: Building an encrypted and searchable audit log. In: NDSS, vol. 4, pp. 5–6 (2004)
Acknowledgements
This research was supported by the Next-Generation Information Computing Development Program through the National Research Foundation of Korea (NRF) funded by MSIP (NRF-2016M3C4A7937115).
A Generic Group Model
In this section, we show that the P3DH assumption holds in the generic group model. The generic group model introduced by Shoup [23] is a tool for analyzing generic algorithms that work independently of the group representation.
A.1 Master Theorem
We generalize the master theorem of Katz et al. [14] to use prime order bilinear groups instead of composite order bilinear groups and to use multiple group elements in the target instead of just one element.
Let \(\mathbb {G}, \mathbb {G}_T\) be cyclic bilinear groups of order p where p is a large prime. The bilinear map is defined as \(e:\mathbb {G}\times \mathbb {G}\rightarrow \mathbb {G}_T\). In the generic group model, a random group element of \(\mathbb {G}, \mathbb {G}_T\) is represented as a random variable \(P_i, R_i\) respectively where \(P_i, R_i\) are chosen uniformly in \(\mathbb {Z}_p\). We say that a random variable has degree t if the maximum degree of any variable is t. Then we can naturally define the dependence and independence of random variables as in Definition 6.
Definition 6
Let \(P = \{P_1, \ldots , P_u\},~ T_0 = \{T_{0,1}, \ldots , T_{0,m}\},~ T_1 = \{T_{1,1}, \ldots , T_{1,m}\}\) be random variables over \(\mathbb {G}\) where \(T_{0,i} \ne T_{1,i}\) for all \(1\le i\le m\), and let \(R = \{R_1, \ldots , R_v\}\) be random variables over \(\mathbb {G}_T\). We say that \(T_b\) is dependent on P if there exist constants \(\{\alpha _i\}, \{\beta _i\}\) such that
where \(\alpha _i \ne 0\) for at least one i. We say that \(T_b\) is independent of P if \(T_b\) is not dependent on P.
Let \(S_1 = \{ (i,j) ~|~ e(T_{0,i}, T_{0,j}) \ne e(T_{1,i}, T_{1,j}) \}\) and \(S_2 = \{ (i,j) ~|~ e(T_{0,i}, P_j) \ne e(T_{1,i}, P_j) \}\). We say that \(\{ e(T_{b,i}, T_{b,j}) \}_{(i,j) \in S_1} \cup \{ e(T_{b,i},P_j) \}_{(i,j) \in S_2}\) is dependent on \(P \cup R \cup \{ e(T_{b,i}, T_{b,j}) \}_{(i,j) \notin S_1} \cup \{ e(T_{b,i},P_j) \}_{(i,j) \notin S_2}\) if there exist constants \(\{\alpha _{i,j}\}, \{\alpha '_{i,j}\}, \{\beta _{i,j}\}, \{\beta '_{i,j}\}, \{\gamma _{i,j}\}, \{\delta _i\}\) such that
where \(\alpha _{i,j} \ne 0\) for at least one \((i,j) \in S_1\) or \(\beta _{i,j} \ne 0\) for at least one \((i,j) \in S_2\). We say that \(\{ e(T_{b,i}, T_{b,j}) \}_{(i,j) \in S_1} \cup \{ e(T_{b,i},P_j) \}_{(i,j) \in S_2}\) is independent of \(P \cup R \cup \{ e(T_{b,i}, T_{b,j}) \}_{(i,j) \notin S_1} \cup \{ e(T_{b,i},P_j) \}_{(i,j) \notin S_2}\) if \(\{ e(T_{b,i}, T_{b,j}) \}_{(i,j) \in S_1} \cup \{ e(T_{b,i},P_j) \}_{(i,j) \in S_2}\) is not dependent on \(P \cup R \cup \{ e(T_{b,i}, T_{b,j}) \}_{(i,j) \notin S_1} \cup \{ e(T_{b,i},P_j) \}_{(i,j) \notin S_2}\).
Using the above dependence and independence of random variables, we can obtain the following theorem from the master theorem of Katz et al. [14].
Theorem 7
Let \(P = \{P_1, \ldots , P_u\},~ T_0 = \{T_{0,1}, \ldots , T_{0,m}\},~ T_1 = \{T_{1,1}, \ldots , T_{1,m}\}\) be random variables over \(\mathbb {G}\) where \(T_{0,i} \ne T_{1,i}\) for all \(1\le i\le m\), and let \(R = \{R_1, \ldots , R_v\}\) be random variables over \(\mathbb {G}_T\). Consider the following experiment in the generic group model:
An algorithm is given \(P = \{P_1, \ldots , P_u\}\) and \(R = \{R_1, \ldots , R_v\}\). A random bit b is chosen, and the adversary is given \(T_b = \{T_{b,1}, \ldots , T_{b,m}\}\). The algorithm outputs a bit \(b'\), and succeeds if \(b'=b\). The algorithm’s advantage is the absolute value of the difference between its success probability and 1/2.
Let \(S_1 = \{ (i,j) ~|~ e(T_{0,i}, T_{0,j}) \ne e(T_{1,i}, T_{1,j}) \}\) and \(S_2 = \{(i,j) ~|~ e(T_{0,i}, P_j) \ne e(T_{1,i}, P_j)\}\). If \(T_b\) is independent of P for all \(b \in \{0,1\}\), and \(\{ e(T_{b,i}, T_{b,j}) \}_{(i,j) \in S_1} \cup \{ e(T_{b,i},P_j) \}_{(i,j) \in S_2}\) is independent of \(P \cup R \cup \{ e(T_{b,i}, T_{b,j}) \}_{(i,j) \notin S_1} \cup \{ e(T_{b,i},P_j) \}_{(i,j) \notin S_2}\) for all \(b \in \{0,1\}\), then any algorithm \(\mathcal {A}\) issuing at most q instructions has an advantage at most \(O(q^2t/p)\).
Note that this theorem, which is a slight modification of that of Katz et al. [14], still holds in prime order bilinear groups since the dependent equation of an adversary can be used to distinguish the target \(T_b\) of the assumption. Additionally, it still holds when the target consists of multiple group elements since the adversary can only make a dependent equation in Definition 6.
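The first condition of Definition 6 can be checked mechanically by treating each random variable as a polynomial over \(\mathbb {Z}_p\) and testing linear dependence. The following is an added example, not code from the paper: it assumes the dependence relation is the linear relation \(\sum _i \alpha _i T_{b,i} = \sum _i \beta _i P_i\), and the modulus and the sample sets P, T_DEP, T_IND, T_MULTI are constructed toy values, not the P3DH instance.

```python
# Added example (not from the paper): linear-dependence check for the first
# condition of Definition 6. A polynomial is a dict {monomial: coeff mod p},
# where a monomial is a sorted tuple of variable names.
P_MOD = 2**61 - 1  # constructed stand-in for the prime group order p

def poly(*terms):
    """Build a polynomial from (coeff, 'A', 'B', ...) terms."""
    out = {}
    for coeff, *names in terms:
        m = tuple(sorted(names))
        out[m] = (out.get(m, 0) + coeff) % P_MOD
    return {m: c for m, c in out.items() if c}

def rank(polys):
    """Rank over Z_p of the coefficient vectors (Gaussian elimination)."""
    monos = sorted({m for f in polys for m in f})
    rows = [[f.get(m, 0) for m in monos] for f in polys]
    r = 0
    for col in range(len(monos)):
        piv = next((i for i in range(r, len(rows)) if rows[i][col]), None)
        if piv is None:
            continue
        rows[r], rows[piv] = rows[piv], rows[r]
        inv = pow(rows[r][col], -1, P_MOD)
        rows[r] = [x * inv % P_MOD for x in rows[r]]
        for i in range(len(rows)):
            if i != r and rows[i][col]:
                k = rows[i][col]
                rows[i] = [(x - k * y) % P_MOD for x, y in zip(rows[i], rows[r])]
        r += 1
    return r

def is_dependent(T, P):
    """True iff some nonzero combination of T lies in the span of P."""
    return rank(P + T) - rank(P) < len(T)

# Constructed toy inputs: P = {1, A, B, AB}.
P = [poly((1,)), poly((1, "A")), poly((1, "B")), poly((1, "A", "B"))]
T_DEP = [poly((1, "A", "B"), (1, "A"))]    # AB + A lies in span(P)
T_IND = [poly((1, "A", "B"), (1, "Z"))]    # Z does not occur in P
T_MULTI = [poly((1, "A"), (1, "Z")),       # A + Z and B + Z: Z cancels in
           poly((1, "B"), (1, "Z"))]       # their difference A - B

if __name__ == "__main__":
    for name, T in (("T_DEP", T_DEP), ("T_IND", T_IND), ("T_MULTI", T_MULTI)):
        print(name, "dependent" if is_dependent(T, P) else "independent")
```

With a multi-element target, the test has to range over combinations of the target elements, which is why T_MULTI is reported dependent even though each of its elements contains a variable absent from P.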
A.2 Analysis of P3DH Assumption
To analyze the P3DH assumption in the generic group model, we only need to show the independence of the random variables \(T_0, T_1\). Using the notation of the previous section, the P3DH assumption can be written as follows
The \(T_1\) has a random variable D that does not exist in P. Thus the independence of \(T_1\) is easily obtained. Therefore, we only need to consider the independence of \(T_0\). First, \(T_0\) is independent of P since \(T_0\) contains \(Z_3\) that does not exist in P. For the independence of \(\{ e(T_{0,i},T_{0,j}) \}_{(i,j) \in S_1} \cup \{ e(T_{0,i},P_j) \}_{(i,j) \in S_2}\), we should define two sets \(S_1, S_2\). We obtain that \(S_1 = \{(1,1), (1,2), (2,1), (2,2)\}\). However, \(e(T_{0,i},T_{0,j})\) contains \(Z_3^2\) because of \(Z_3\) in \(T_0\), and \(Z_3^2\) can not be obtained from the right part of the equation in Definition 6. Thus, the constants \(\alpha _{i,j}\) should be zero for all (i, j). From this, we obtain the simple equations as follows
The set \(S_2\) is defined as \(\{(i,j) ~|~ \forall i,j\}\) because of D in \(T_1\). However, \(Z_3\) in \(T_0\) should be removed to construct a dependent equation since \(Z_3\) does not exist in P, R. To remove \(Z_3\) from the left part of the above simple equation, two random variables Y, XY should be paired with \(T_{0,i}\) for some \(Y \in P\). If \(Z_3\) is removed from the left part of the above simple equation, then the left part has at least a degree 3 and it contains ABC. To have a degree 3 in the right part of the above simple equation, \(AB+XZ_1, Z_1\) should be used. However, the right part of the above equation can not contain ABC since C, XC do not exist in P. Therefore, the independence of \(T_0\) is obtained.
© 2017 Springer International Publishing AG
Cite this paper
Lee, K. (2017). Transforming Hidden Vector Encryption Schemes from Composite to Prime Order Groups. In: Hong, S., Park, J. (eds) Information Security and Cryptology – ICISC 2016. ICISC 2016. Lecture Notes in Computer Science, vol 10157. Springer, Cham. https://doi.org/10.1007/978-3-319-53177-9_5
DOI: https://doi.org/10.1007/978-3-319-53177-9_5
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-53176-2
Online ISBN: 978-3-319-53177-9
eBook Packages: Computer Science, Computer Science (R0)