WO2014177610A1 - Device and method for traceable group encryption - Google Patents

Device and method for traceable group encryption Download PDF

Info

Publication number
WO2014177610A1
WO2014177610A1 PCT/EP2014/058818 EP2014058818W WO2014177610A1 WO 2014177610 A1 WO2014177610 A1 WO 2014177610A1 EP 2014058818 W EP2014058818 W EP 2014058818W WO 2014177610 A1 WO2014177610 A1 WO 2014177610A1
Authority
WO
WIPO (PCT)
Prior art keywords
public key
ciphertext
signature
intermediary
key
Prior art date
Application number
PCT/EP2014/058818
Other languages
French (fr)
Inventor
Marc Joye
Benoît Libert
Original Assignee
Thomson Licensing
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Thomson Licensing filed Critical Thomson Licensing
Priority to US14/888,413 priority Critical patent/US20160105287A1/en
Priority to EP14722628.6A priority patent/EP2992641A1/en
Publication of WO2014177610A1 publication Critical patent/WO2014177610A1/en

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H04L9/3255Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures using group based signatures, e.g. ring or threshold signatures
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/30Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • H04L9/3006Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy underlying computational problems or public-key parameters
    • H04L9/3013Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy underlying computational problems or public-key parameters involving the discrete logarithm problem, e.g. ElGamal or Diffie-Hellman systems
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/60Digital content management, e.g. content distribution
    • H04L2209/606Traitor tracing

Definitions

  • the present invention relates generally to cryptography and in particular to group encryption.
  • Group encryption schemes involve a sender, a verifier, a group manager (GM) that manages the group of receivers and an opening authority (OA) that is able to uncover the identity of receivers of ciphertext.
  • a group encryption system GE is formally specified by the description of a relation R " as well as a collection of algorithms and protocols: SETUP, JOIN, (£ r , £, sample ⁇ ), ENC, DEC, ( , V), OPEN, REVEAL, TRACE, CLAIM/DISCLAIM, CLAIM-VERIFY, DISCLAIM-VERIFY.
  • SETUP is a set of initialization procedures SETUPinit(A) that take (explicitly or implicitly) a security parameter ⁇ as input.
  • the procedure can be split into a procedure that generates a set of public parameters param (a common reference string), one, SETUP G ivi(param), for the so-called Group Manager GM and another, SETUPo A (param), for the so-called Opening Authority OA.
  • the latter two procedures are used to produce a key pair (pk G M, sk G M) for the GM and a key pair, (pk 0 A, sk 0 A) the OA.
  • the parameter param is not always explicitly stated as input to the algorithms.
  • JOIN (J US er, JGM) is an interactive protocol between the GM and a prospective user. As shown by Kiayias and Yung [see A. Kiayias and M. Yung. Group signatures with efficient concurrent join. In Eurocrypt'05, Lecture Notes in Computer Science 3494, pages 198-214, Springer, 2005.], this protocol can have minimal interaction and consist of only two messages: the first message comprising the user's public key pk sent by J US e r to JGM and the latter's response comprising a certificate cert pk for pk that makes the user's group membership effective. It is then not required for the user to, for example, prove knowledge of its private key sk.
  • the GM After the execution of JOIN, the GM stores the public key pk with its certificate cert pk and the whole transcript transcript of the conversation in a public directory database. It is assumed that anyone can check the well- formedness of the public directory (for example, the fact that no two distinct users share the same public key) by means of a deterministic algorithm DATABASE-CHECK, which returns 1 or 0 depending on whether public directory is deemed valid or not.
  • Algorithm sample allows sampling pairs (x, w) ⁇ R (made of a public value x and a witness w using keys (pk K , sk K ) produced by Q r .
  • sk K may be the empty string.
  • the testing procedure R(x, w) returns 1 whenever (x, w) E R.
  • the sender obtains the pair (pk, cert pk ) from the public directory and runs a randomized encryption algorithm, which takes as input w, a label L, the receiver's pair (pk, cert pk ) as well as public keys pk G M and pk 0 A- Its output is a ciphertext ⁇ ⁇ - ENC(pk GM , pk 0A) pk, cert pk , w, L).
  • the non-interactive algorithm T On input of the same elements, the certificate cert pk , the ciphertext ⁇ and the random coins coins ⁇ that were used to produce it, the non-interactive algorithm T generates a proof ⁇ ⁇ that there exists a certified receiver whose public key was registered in public directory and that is able to decrypt and obtain a witness w such that (x, w) ⁇ R.
  • the verification algorithm V takes as input the ciphertext ⁇ , the public keys pkcM, pkoA, the proof ⁇ ⁇ and the description of R " , and outputs 0 or 1 .
  • OPEN takes as input a ciphertext/label pair (ip, L) and the OA's secret key skoA and returns a receiver's identity i and its public key pk.
  • Algorithm REVEAL takes as input the joining transcript transcript of user i and allows the OA to extract a tracing trapdoor trace using its private key sk 0 A- This tracing trapdoor can be subsequently used to determine whether or not a given ciphertext-label pair ( ⁇ , L) is a valid encryption under the public key pk, of user i: namely, algorithm TRACE takes in public keys pk G ivi and pk 0 A as well as the pair ciphertext-label pair (ip, L) and the tracing trapdoor trace; associated with user i. It returns 1 if and only if the ciphertext-label pair (ip, L) is believed to be a valid encryption intended for user i.
  • the tracing trapdoor trace only allows testing whether the receiver is user i: in particular, it does not allow decryption of the ciphertext-label pair ( ⁇ , L) and it does not reveal the receiver's identity.
  • the last three algorithms (CLAIM/DISCLAIM, CLAIM-VERIFY, DISCLAIM-
  • CLAIM/DISCLAIM implement functionality that allows user to convincingly claim or disclaim being the legitimate recipient of a given anonymous ciphertext.
  • CLAIM/DISCLAIM takes as input the public keys (pk G M, pkoA, pk), a ciphertext-label pair (ip, L) and a private key sk. It reveals a publicly verifiable piece of evidence ⁇ that the ciphertext-label pair (ip, L) is or is not a valid encryption under the public key pk.
  • Algorithms CLAIM-VERIFY and DISCLAIM- VERIFY are then used to verify the assertion established by the evidence ⁇ .
  • Kiayias, Tsiounis and Yung (KTY) [see A. Kiayias, Y. Tsiounis, and M.
  • the invention is directed to an device for encrypting a plaintext destined for a user having a public key.
  • the device comprises a processor configured to: obtain a tuple of traceability components for first elements of the public key; encrypt, using encryption exponents and second elements of the public key, the plaintext under a label to obtain a first intermediary ciphertext; generate commitments to the encryption exponents; generate second intermediary ciphertexts by encrypting the first elements of the user's public key under a public key of an opening authority using a verification key; and generate, using a signature key, a signature over the tuple of traceability components, the first intermediary ciphertext, and the second intermediary ciphertexts.
  • the device further comprises an interface configured to output a ciphertext comprising the tuple of traceability components, the first intermediary ciphertext, the second intermediary ciphertexts, and the signature.
  • the processor is configured to obtain the traceability components by calculating a plurality of values, wherein each value is obtained by taking a generator or an element of the public key to the power of a value involving at least one random number.
  • the public key comprises a Diffie-Hellman instance and wherein the tracability components enable recognition of the public key through the solution to the Diffie-Hellman instance.
  • the first intermediary ciphertext is obtained by multiplication between the plaintext and elements of the public key raised to the power of encryption exponents.
  • the verification key is a verification key of a onetime signature scheme. It is advantageous that the signature is a one-time signature obtained using the one-time signature scheme.
  • the invention is directed to a method for encrypting a plaintext destined for a user having a public key.
  • a processor obtains a tuple of traceability components for first elements of the public key; encrypts, using encryption exponents and second elements of the public key, the plaintext under a label to obtain a first intermediary ciphertext; generates commitments to the encryption exponents; generates second intermediary ciphertexts by encrypting the first elements of the user's public key under a public key of an opening authority using a verification key; and generates, using a signature key, a signature over the tuple of traceability components, the first intermediary ciphertext, and the second intermediary ciphertexts.
  • An interface outputs a ciphertext comprising the tuple of traceability components, the first intermediary ciphertext, the second intermediary ciphertexts, and the signature.
  • the traceability components are obtained by calculating a plurality of values, wherein each value is obtained by taking a generator or an element of the public key to the power of a value involving at least one random number.
  • the first intermediary ciphertext is obtained by multiplication between the plaintext and elements of the public key raised to the power of encryption exponents.
  • the verification key is a verification key of a onetime signature scheme. It is advantageous that the signature is a one-time signature obtained using the one-time signature scheme.
  • the signature is generated also over a label, and the label is further output by the interface.
  • Figure 1 illustrates an exemplary system 100 in which the invention may be implemented.
  • the system comprises a device of a group member ("group member") 1 10, a group manager device 120, an opening authority (OA) device 130, a sender device 140 and a tracing agent device 150.
  • group member a group member
  • OA opening authority
  • sender device 140 a sender device 140
  • tracing agent device 150 a device of a group member
  • PC Personal Computer
  • the devices each preferably comprise at least one processor 1 1 1 , 121 , 131 , 141 , 151 , RAM memory 1 12, 122, 132, 142, 152, a user interface 1 13, 123, 133, 143, 153, for interacting with a user, and a second interface 1 14, 124, 134, 144, 154 for interaction with other devices (such as those shown in the Figure) over some connection (not shown).
  • the group member device 1 10 is configured to, among other things, join a group, receive and decrypt ciphertexts, and claim or disclaim a ciphertext, as described hereinafter.
  • the group manager device 120 is configured to perform group manager functions described hereinafter.
  • the opening authority device 130 is configured to disclose user-specific trapdoors, as described hereinafter.
  • the sender device 140 is configured to encrypt a plaintext using a public key of a group member and output the resulting ciphertext to the group member, as described hereinafter.
  • the tracing agent device 150 is configured to use user- specific trapdoors to trace ciphertexts for specified users.
  • the devices also preferably comprise an interface for reading a software program from a non- transitory digital data support - 1 15, 125, 135, 145, and 155 respectively - that stores instructions that, when executed by a processor, performs the corresponding methods described hereinafter.
  • the skilled person will appreciate that the illustrated devices are very simplified for reasons of clarity and that real devices in addition would comprise features such as persistent storage.
  • a main inventive idea of the present invention is enabling the OA to disclose user-specific trapdoors, which make it possible to trace all the ciphertexts encrypted for that user and only those ciphertexts.
  • the prospective user provides the GM with an encryption ⁇ of g YlY2 under the OA's public key and generates a non-interactive proof that the encrypted value is indeed an element g YlY2 such that (g, g Yl , g Y2 , g YlY2 ) is a Diffie-Hellman tuple.
  • the REVEAL algorithm thus uses the private key of the OA to decrypt ⁇ S> venc so as to expose g YlY2 .
  • the present scheme provides extended tracing capabilities and further allows each user to non- interactively claim or disclaim that he is the intended recipient of a ciphertext.
  • the present scheme builds on the publicly verifiable variant of Cramer- Shoup [see the threshold variant of the Cramer-Shoup cryptosystem described in B. Libert, M. Yung. Non-Interactive CCA2-Secure Threshold Cryptosystems with Adaptive Security: New Framework and Constructions. In TCC 2012, Lecture Notes in Computer Science 7194, pp. 75-93, Springer, 2012.].
  • the scheme can simultaneously provide receiver anonymity and publicly verifiable ciphertexts.
  • anyone can publicly verify that a ciphertext is a valid ciphertext without knowing who the receiver is.
  • proofs are generated for the group encryption ciphertext, this saves the prover from having to provide evidence that the ciphertext is valid and thus yields shorter proofs.
  • the message is encrypted under the receiver's public key using the scheme of Libert-Yung.
  • the last two components of the receiver's public key are encrypted under the public key of the opening authority using Kiltz's encryption scheme [see E. Kiltz. Chosen-ciphertext security from tag-based encryption. In TCC'06, Lecture Notes in Computer Science 3876, pages 581 -600, Springer, 2006.].
  • This scheme is preferred because it is the most efficient Decision Linear (DLIN)-based CCA2-secure cryptosystem where the validity of ciphertexts is publicly verifiable and it is not needed to hide the public key under which it is generated.
  • DLIN Decision Linear
  • the GM When new users join the group, the GM provides them with a membership certificate consisting of a structure-preserving signature on their public key ( ⁇ 1 , ⁇ 2 , ⁇ 1 , ⁇ 2 ) .
  • the Abe-Haralambiev-Ohkubo (AHO) signature [briefly described in the Annexe; also see M. Abe, K. Haralambiev, M. Ohkubo. Signing on Elements in Bilinear Groups for Modular Protocol Design. Cryptology ePrint Archive: Report 2010/133, 2010. and M. Abe, G. Fuchsbauer, J. Groth, K. Haralambiev, M. Ohkubo. Structure-Preserving Signatures and Commitments to Group Elements. In Crypto'10, Lecture Notes in Computer Science 6223, pp. 209-236, Springer, 2010.] is used because it allows working exclusively with linear pairing-product equations (and thus obtain a better efficiency) when non-interactive proofs are generated.
  • R 1 Choose bilinear groups (G, G T ) of prime order p > 2 A with g, g 1 ⁇ g 2 ⁇ - G.
  • one-time signature scheme ⁇ (Q,S,V) and a random member H ⁇ . ⁇ 0,1 ⁇ * ⁇ ⁇ 0,1 ⁇ of a collision-resistant hash family.
  • Q is an algorithm that generates a one-time signature key pair
  • S is a signature algorithm
  • V is a signature verification algorithm.
  • the obtained public key comprises
  • sk ( ⁇ 1 , ⁇ 2 , ⁇ , ⁇ 1 , ⁇ 2 ).
  • NIZK Non-Interactive Zero-Knowledge
  • neq-key,i incurs 42 elements.
  • I ⁇ ⁇ ⁇ eventually takes 128 elements.
  • L)) 1.
  • TRACE(pk GM ,pk 0 A, ⁇ traced : parse ⁇ as VK ⁇ (T lt T 2 ,T 3 ,T 4 ) ⁇ LY ⁇ Ki ⁇ K2 ⁇ a and the tracing trapdoor trace £ as a group element ⁇ £0 ⁇ G. If the equality e 7i > o) e (T 2 ,T 3 ) holds, it returns 1 (meaning that is indeed intended for user i). Otherwise, it outputs 0 (i.e., it is not intended for user i).
  • I (7 ⁇ , T 2 , T 3 ,T 4 ) I ⁇ ⁇ ⁇ ⁇ ⁇ 2 ⁇ ⁇ and the private key as sk ( ⁇ 1 , ⁇ 2 , ⁇ , ⁇ 1 , ⁇ 2 ).
  • compute a collision-resistant hash v ⁇ ( ⁇ , L, pk) ⁇ ⁇ 0,1 ⁇ .
  • the skilled person will appreciate that only group members using traceability components are able to claim or disclaim a ciphertext; indeed, serves this purpose.
  • the length of ciphertexts is about 2.18 kB in an implementation using symmetric pairings with a 512-bit representation for each group element (at the 128-bit security level), which is more compact than in the Paillier-based system of Kiayias-Tsiounis-Yung where ciphertexts already take 2.5 kB using 1024-bit moduli (and thus at the 80-bit security level).
  • Hi H u l for each ⁇ ⁇ 1,..., ⁇ .
  • the public key is defined to be
  • Verify(p/c, ⁇ , (M 1; ...,MJ): given ⁇ (Z,R,S,T,U,V,W), return 1 iff the following equalities hold:
  • signature components can be publicly randomized to obtain a different signature (Z',R',S',T',U',V',W) ⁇ ReRand(p/c,a) on (M 1; ...,M N ).
  • This re-randomization is performed by choosing

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computing Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

A group encryption system (100) comprising at least one group member device (110), a group manager device (120), an opening authority device (130), a sender device (140) and a tracing agent device (150). The sender device (140) is configured to encrypt a plaintext using the public key of a group member. The group member device (110) is configured to receive and decrypt the ciphertext using the corresponding private key, and also to claim or disclaim a ciphertext. The opening authority device (130) is configured to disclose at least one user- specific trapdoor that makes it possible to trace, by the tracing agent device (150), all the ciphertexts for the specified user and only those ciphertexts.

Description

DEVICE AND METHOD FOR TRACEABLE GROUP ENCRYPTION
TECHNICAL FIELD
The present invention relates generally to cryptography and in particular to group encryption.
BACKGROUND
This section is intended to introduce the reader to various aspects of art, which may be related to various aspects of the present invention that are described and/or claimed below. This discussion is believed to be helpful in providing the reader with background information to facilitate a better understanding of the various aspects of the present invention. Accordingly, it should be understood that these statements are to be read in this light, and not as admissions of prior art.
Group encryption schemes involve a sender, a verifier, a group manager (GM) that manages the group of receivers and an opening authority (OA) that is able to uncover the identity of receivers of ciphertext. A group encryption system GE is formally specified by the description of a relation R " as well as a collection of algorithms and protocols: SETUP, JOIN, (£r, £, sample^), ENC, DEC, ( , V), OPEN, REVEAL, TRACE, CLAIM/DISCLAIM, CLAIM-VERIFY, DISCLAIM-VERIFY. Among these, SETUP is a set of initialization procedures SETUPinit(A) that take (explicitly or implicitly) a security parameter λ as input. The procedure can be split into a procedure that generates a set of public parameters param (a common reference string), one, SETUPGivi(param), for the so-called Group Manager GM and another, SETUPoA(param), for the so-called Opening Authority OA. The latter two procedures are used to produce a key pair (pkGM, skGM) for the GM and a key pair, (pk0A, sk0A) the OA. In the following, to simplify the description, the parameter param is not always explicitly stated as input to the algorithms.
JOIN = (JUSer, JGM) is an interactive protocol between the GM and a prospective user. As shown by Kiayias and Yung [see A. Kiayias and M. Yung. Group signatures with efficient concurrent join. In Eurocrypt'05, Lecture Notes in Computer Science 3494, pages 198-214, Springer, 2005.], this protocol can have minimal interaction and consist of only two messages: the first message comprising the user's public key pk sent by JUSer to JGM and the latter's response comprising a certificate certpk for pk that makes the user's group membership effective. It is then not required for the user to, for example, prove knowledge of its private key sk. After the execution of JOIN, the GM stores the public key pk with its certificate certpk and the whole transcript transcript of the conversation in a public directory database. It is assumed that anyone can check the well- formedness of the public directory (for example, the fact that no two distinct users share the same public key) by means of a deterministic algorithm DATABASE-CHECK, which returns 1 or 0 depending on whether public directory is deemed valid or not.
Algorithm sample allows sampling pairs (x, w) ε R (made of a public value x and a witness w using keys (pkK, skK) produced by Qr. Depending on the relation, skK may be the empty string. The testing procedure R(x, w) returns 1 whenever (x, w) E R. To encrypt a witness w such that (x, w) E R for some public x, the sender obtains the pair (pk, certpk) from the public directory and runs a randomized encryption algorithm, which takes as input w, a label L, the receiver's pair (pk, certpk) as well as public keys pkGM and pk0A- Its output is a ciphertext ψ <- ENC(pkGM, pk0A) pk, certpk, w, L). On input of the same elements, the certificate certpk, the ciphertext ψ and the random coins coins^ that were used to produce it, the non-interactive algorithm T generates a proof πψ that there exists a certified receiver whose public key was registered in public directory and that is able to decrypt and obtain a witness w such that (x, w) ε R. The verification algorithm V takes as input the ciphertext ψ, the public keys pkcM, pkoA, the proof πψ and the description of R " , and outputs 0 or 1 . Given the ciphertext ψ, the label L and the receiver's private key sk, the output of DEC is either a witness w such that (x, w) ε R or a rejection symbol 1. The next three algorithms provide explicit and implicit tracing capabilities. First, OPEN takes as input a ciphertext/label pair (ip, L) and the OA's secret key skoA and returns a receiver's identity i and its public key pk. Algorithm REVEAL takes as input the joining transcript transcript of user i and allows the OA to extract a tracing trapdoor trace using its private key sk0A- This tracing trapdoor can be subsequently used to determine whether or not a given ciphertext-label pair (ψ, L) is a valid encryption under the public key pk, of user i: namely, algorithm TRACE takes in public keys pkGivi and pk0A as well as the pair ciphertext-label pair (ip, L) and the tracing trapdoor trace; associated with user i. It returns 1 if and only if the ciphertext-label pair (ip, L) is believed to be a valid encryption intended for user i. It is particularly noted that the tracing trapdoor trace; only allows testing whether the receiver is user i: in particular, it does not allow decryption of the ciphertext-label pair (ψ, L) and it does not reveal the receiver's identity. The last three algorithms (CLAIM/DISCLAIM, CLAIM-VERIFY, DISCLAIM-
VERIFY) implement functionality that allows user to convincingly claim or disclaim being the legitimate recipient of a given anonymous ciphertext. Concretely, CLAIM/DISCLAIM takes as input the public keys (pkGM, pkoA, pk), a ciphertext-label pair (ip, L) and a private key sk. It reveals a publicly verifiable piece of evidence τ that the ciphertext-label pair (ip, L) is or is not a valid encryption under the public key pk. Algorithms CLAIM-VERIFY and DISCLAIM- VERIFY are then used to verify the assertion established by the evidence τ. They take as input the public keys, the ciphertext-label pair (ψ, L) and a claim/disclaimer τ and output 1 or 0. Kiayias, Tsiounis and Yung (KTY) [see A. Kiayias, Y. Tsiounis, and M.
Yung. Group encryption. In Asiacrypt'07, Lecture Notes in Computer Science 4833, pages 181-199, Springer, 2007.] formalized the concept of group encryption and provided a suitable security model (including four properties called 'correctness', 'message security', 'anonymity' and 'soundness'). They presented a modular design of GE system and proved that, beyond zero- knowledge proofs, anonymous public key encryption schemes with adaptive chosen-ciphertext (CCA2) security, digital signatures, and equivocal commitments are necessary to realize the primitive. They also showed how to efficiently instantiate their general construction using Paillier's cryptosystem [see P. Paillier. Public-key cryptosystems based on composite degree residuosity classes. In Eurocrypt'99, Lecture Notes in Computer Science 1592, pages 223-238, Springer, 1999.]. While efficient, the scheme is not a single- message encryption scheme, since it requires the sender to interact with the verifier in an online 3-move conversation (or "∑-protocol") to be convinced that the aforementioned properties are satisfied. Interaction can be removed using the Fiat-Shamir paradigm [see A. Fiat and A. Shamir. How to prove yourself: Practical solutions to identification and signature problems. In Crypto'86, Lecture Notes in Computer Science 263, pages 186-194, Springer, 1986.] (and thus the random oracle model [see M. Bellare and P. Rogaway. Random oracles are practical: A paradigm for designing efficient protocols. In ACM CCS'93, pages 62-73, ACM Press, 1993.]), but only heuristic arguments [see S. Goldwasser and Y. Tauman-Kalai. On the (In)security of the Fiat-Shamir Paradigm In FOCS'03, pages 102-1 15, IEEE Press, 2003. and also [R. Canetti, O. Goldreich, and S. Halevi. The random oracle methodology, revisited. Journal of the ACM, 51 (4):557-594, 2004.] are then possible in terms of security. Independently, Qin et al. [B. Qin, Q. Wu, W. Susilo, Y. Mu, Y. Wang.
Publicly Verifiable Privacy-Preserving Group Decryption. In lnscrypt'08, Lecture Notes in Computer Science 5487, pages 72-83, Springer, 2008.] considered a closely related primitive with non-interactive proofs and short ciphertexts. However, they avoid interaction by explicitly employing a random oracle and also rely on strong interactive assumptions.
Recently, El Aimani and Joye [L. El Aimani, M. Joye. Toward Practical Group Encryption. Cryptology ePrint Archive: Report 2012/155, 2012.] considered more efficient interactive and non-interactive constructions using various optimizations. However, as it turns out, none of the above constructions makes it possible to trace a specific user's ciphertexts and only those. In these constructions, if messages encrypted for a specific misbehaving user have to be identified within a collection of, say n = 10000 ciphertexts, then the opening authority has to open all of these in order to find those it is looking for. This is clearly harmful to the privacy of honest users. Kiayias, Tsiounis and Yung [see A. Kiayias, Y. Tsiounis, and M. Yung. Traceable signatures. In Eurocrypt 2004, Lecture Notes in Computer Science 3027, pages 571 -589. Springer, 2004.] suggested a technique to address this concern in the context of group signatures, but no real encryption analogue of their primitive has been provided so far.
The closest work addressing this problem is that of Izabachene, Pointcheval and Vergnaud [M. Izabachene, D. Pointcheval, D. Vergnaud. Mediated Traceable Anonymous Encryption. In Latincrypt'08, Lecture Notes in Computer Science 6212, pages 40-60, Springer, 2010.]. However, their "mediate traceable anonymous encryption" primitive is somewhat limited. First, their scheme only provides message confidentiality and anonymity against passive adversaries, who have no access to decryption oracles at any time. Second, while their constructions enable individual user traceability, they do not provide a mechanism allowing the authority to identify the receiver of a ciphertext in O(1 ) time. If their scheme is set up for groups of up to n users, their opening algorithm requires O(n) operations in the worst case. Finally, their schemes provide no method allowing users to claim or disclaim that they are the recipients of ciphertexts without disclosing their private keys. It will thus be appreciated that there is a need for a solution that overcomes at least some of the drawbacks of the scheme of Izabachene et al., in particular a solution that simultaneously: (i) allows tracing specific users' ciphertexts and only those; and (ii) provides an explicit opening algorithm which can identify the receiver of a ciphertext in O(1 ) time. The present invention provides such a solution. SUMMARY OF INVENTION
In a first aspect, the invention is directed to an device for encrypting a plaintext destined for a user having a public key. The device comprises a processor configured to: obtain a tuple of traceability components for first elements of the public key; encrypt, using encryption exponents and second elements of the public key, the plaintext under a label to obtain a first intermediary ciphertext; generate commitments to the encryption exponents; generate second intermediary ciphertexts by encrypting the first elements of the user's public key under a public key of an opening authority using a verification key; and generate, using a signature key, a signature over the tuple of traceability components, the first intermediary ciphertext, and the second intermediary ciphertexts. The device further comprises an interface configured to output a ciphertext comprising the tuple of traceability components, the first intermediary ciphertext, the second intermediary ciphertexts, and the signature. In a first embodiment, the processor is configured to obtain the traceability components by calculating a plurality of values, wherein each value is obtained by taking a generator or an element of the public key to the power of a value involving at least one random number.
In a second embodiment, the public key comprises a Diffie-Hellman instance and wherein the tracability components enable recognition of the public key through the solution to the Diffie-Hellman instance.
In a third embodiment, the first intermediary ciphertext is obtained by multiplication between the plaintext and elements of the public key raised to the power of encryption exponents. In a fourth embodiment, the verification key is a verification key of a onetime signature scheme. It is advantageous that the signature is a one-time signature obtained using the one-time signature scheme.
In a fifth embodiment, wherein the signature is generated also over a label, and the interface is further configured to output the label. In a second aspect, the invention is directed to a method for encrypting a plaintext destined for a user having a public key. A processor obtains a tuple of traceability components for first elements of the public key; encrypts, using encryption exponents and second elements of the public key, the plaintext under a label to obtain a first intermediary ciphertext; generates commitments to the encryption exponents; generates second intermediary ciphertexts by encrypting the first elements of the user's public key under a public key of an opening authority using a verification key; and generates, using a signature key, a signature over the tuple of traceability components, the first intermediary ciphertext, and the second intermediary ciphertexts. An interface outputs a ciphertext comprising the tuple of traceability components, the first intermediary ciphertext, the second intermediary ciphertexts, and the signature.
In a first embodiment, the traceability components are obtained by calculating a plurality of values, wherein each value is obtained by taking a generator or an element of the public key to the power of a value involving at least one random number.
In a second embodiment, the first intermediary ciphertext is obtained by multiplication between the plaintext and elements of the public key raised to the power of encryption exponents. In a third embodiment, the verification key is a verification key of a onetime signature scheme. It is advantageous that the signature is a one-time signature obtained using the one-time signature scheme.
In a fourth embodiment, the signature is generated also over a label, and the label is further output by the interface. BRIEF DESCRIPTION OF DRAWINGS
Preferred features of the present invention will now be described, by way of non-limiting example, with reference to the accompanying drawings, in which Figure 1 illustrates an exemplary system in which the invention may be implemented. DESCRIPTION OF EMBODIMENTS
Figure 1 illustrates an exemplary system 100 in which the invention may be implemented. The system comprises a device of a group member ("group member") 1 10, a group manager device 120, an opening authority (OA) device 130, a sender device 140 and a tracing agent device 150. It will be understood that there normally is more than one group member device, but only one is illustrated in the Figure. These devices can be any kind of suitable computer or device capable of performing calculations, such as a standard Personal Computer (PC) or workstation. The devices each preferably comprise at least one processor 1 1 1 , 121 , 131 , 141 , 151 , RAM memory 1 12, 122, 132, 142, 152, a user interface 1 13, 123, 133, 143, 153, for interacting with a user, and a second interface 1 14, 124, 134, 144, 154 for interaction with other devices (such as those shown in the Figure) over some connection (not shown). The group member device 1 10 is configured to, among other things, join a group, receive and decrypt ciphertexts, and claim or disclaim a ciphertext, as described hereinafter. The group manager device 120 is configured to perform group manager functions described hereinafter. The opening authority device 130 is configured to disclose user-specific trapdoors, as described hereinafter. The sender device 140 is configured to encrypt a plaintext using a public key of a group member and output the resulting ciphertext to the group member, as described hereinafter. The tracing agent device 150 is configured to use user- specific trapdoors to trace ciphertexts for specified users. The devices also preferably comprise an interface for reading a software program from a non- transitory digital data support - 1 15, 125, 135, 145, and 155 respectively - that stores instructions that, when executed by a processor, performs the corresponding methods described hereinafter. The skilled person will appreciate that the illustrated devices are very simplified for reasons of clarity and that real devices in addition would comprise features such as persistent storage.
A main inventive idea of the present invention is enabling the OA to disclose user-specific trapdoors, which make it possible to trace all the ciphertexts encrypted for that user and only those ciphertexts. To this end, a pair (Γ1; Γ2) is included in each membership certificate; (Γ1; Γ2) = (gYl, gY2) ε <G2, where (/-,_, y2) ε ¾ are part of the user's private key. When users join the group, they are thus requested to produce a pair (Γ1; Γ2) = (gYl, gY2) for which gYlY2 will serve as a tracing trapdoor. Since gYlY2 cannot be publicly revealed, appeal is made to a verifiable encryption mechanism [see J. Camenish, V. Shoup. Practical Verifiable Encryption and Decryption of Discrete Logarithms. In Crypto 2003, Lecture Notes in Computer Science 2729, pages 126-144, Springer, Springer, 2003.] as was suggested by Benjumea et al . [see V. Benjumea, S.-G. Choi, J. Lopez, M. Yung. Fair Traceable Multi-Group Signatures. In Financial Cryptography 2008, Lecture Notes in Computer Science 5143, pages 231 -246, Springer, 2008.] in a related context: namely, the prospective user provides the GM with an encryption νβηε of gYlY2 under the OA's public key and generates a non-interactive proof that the encrypted value is indeed an element gYlY2 such that (g, gYl, gY2, gYlY2) is a Diffie-Hellman tuple. The REVEAL algorithm thus uses the private key of the OA to decrypt <S>venc so as to expose gYlY2. Armed with the information trace = gYlY2 , a tracing agent can test whether a ciphertext is prepared for user /' as follows. It is required that each ciphertext contain tracability elements of the form (Τ^ ^, Τ^ = (gs, r /e, r^ where δ, ρ eR TLV are chosen by the sender. Since (Γ1; Γ2) = (gYl, gY2), the TRACE algorithm concludes that user /' is indeed the receiver if e(Tlt gYlY2) = e(T2, T3) . At the same time, it can be shown that recognizing ciphertexts encrypted for user /' without trace; is as hard as solving the Decision 3-party Diffie-Hellman (D3DH) problem [called BDDH in section 8 of D. Boneh and M. Franklin. Identity-Based Encryption from the Weil Pairing. SIAM Journal of Computing, vol . 32, no. 3, pp 586-615, 2003. Extended abstract in Crypto 2001, Lecture Notes in Computer Science 2139, pages 213-229, Springer, 2001 ].
An extra traceability component T is introduced in the ciphertext; T =
(AQ K ■ A-L)5 , where ΛΟ, Λ-L G G are part of common public parameters and VK is the verification key of a one-time signature. The reason for this is that, in order to prove anonymity in the considered model, the elements (T1, T2, T3) need to be bound to the one-time verification key VK in a non-malleable way. Otherwise, an anonymity adversary would be able to break the anonymity by having access to a CLAIM/DISCLAIM oracle.
In order for user i to prove or disprove that it is the intended recipient of a given ciphertext-label pair (ψ, L) , the user can use the traceability elements of the form (Γ1; T2, T3) = gs, i ?) of the ciphertext xp and its private key γ1 to compute r = r 1 (even without knowledge of δ), which allows anyone to realize that (g, Tlt Tlt if) forms a Diffie-Hellman tuple and that e (l , r2) = e (T2, T3) . This is sufficient for proving that (ψ, L) , was created for the public key pk = (Χ1, Χ2, Γ1, Γ2) . In order to make sure that only the user will be able to compute non-interactive claims, it is also required that the user provide a non- interactive proof of knowledge of = g1/Yl satisfying e (r , Γ_]_) = e (Tlt g) . Moreover, the claim is non-malleably bound to (ψ, L) , by generating the non- interactive Groth-Sahai proof [see J. Groth and A. Sahai. Efficient non- interactive proof systems for bilinear groups. In Eurocrypt'08, Lecture Notes in Computer Science 4965, pages 415-432, Springer, 2008] for a Common Reference String (CRS) which depends on (ψ, L) (this technique was originally described in [T. Malkin, I. Teranishi, Y. Vahlis, M. Yung. Signatures resilient to continual leakage on memory and computation. In TCC'11, Lecture Notes in Computer Science, vol. 6597, pp. 89-106, Springer, 201 1 .]). Preferred embodiment
Like the scheme described by Cathalo-Libert-Yung [J. Cathalo, B. Libert,
M. Yung. Group Encryption: Non-Interactive Realization in the Standard Model.
In Asiacrypt'09, Lecture Notes in Computer Science 5912, pp. 179-196,
Springer, 2009.], the preferred embodiment is a non-interactive group encryption scheme for the Diffie-Hellman relation 3i = {(A, B), M] where e (g, M) = e (A, B) .
Unlike Cathalo-Libert-Yung's scheme, however, the present scheme provides extended tracing capabilities and further allows each user to non- interactively claim or disclaim that he is the intended recipient of a ciphertext. The present scheme builds on the publicly verifiable variant of Cramer- Shoup [see the threshold variant of the Cramer-Shoup cryptosystem described in B. Libert, M. Yung. Non-Interactive CCA2-Secure Threshold Cryptosystems with Adaptive Security: New Framework and Constructions. In TCC 2012, Lecture Notes in Computer Science 7194, pp. 75-93, Springer, 2012.]. Advantage is taken of the observation that, if public key components (Jh> lh> lh) are shared by all users as common public parameters, the scheme can simultaneously provide receiver anonymity and publicly verifiable ciphertexts. In other words, anyone can publicly verify that a ciphertext is a valid ciphertext without knowing who the receiver is. When proofs are generated for the group encryption ciphertext, this saves the prover from having to provide evidence that the ciphertext is valid and thus yields shorter proofs.
The message is encrypted under the receiver's public key using the scheme of Libert-Yung. At the same time, the last two components of the receiver's public key are encrypted under the public key of the opening authority using Kiltz's encryption scheme [see E. Kiltz. Chosen-ciphertext security from tag-based encryption. In TCC'06, Lecture Notes in Computer Science 3876, pages 581 -600, Springer, 2006.]. This scheme is preferred because it is the most efficient Decision Linear (DLIN)-based CCA2-secure cryptosystem where the validity of ciphertexts is publicly verifiable and it is not needed to hide the public key under which it is generated.
When new users join the group, the GM provides them with a membership certificate consisting of a structure-preserving signature on their public key (Χ1, Χ2, Γ1, Γ2) . In this case, the Abe-Haralambiev-Ohkubo (AHO) signature [briefly described in the Annexe; also see M. Abe, K. Haralambiev, M. Ohkubo. Signing on Elements in Bilinear Groups for Modular Protocol Design. Cryptology ePrint Archive: Report 2010/133, 2010. and M. Abe, G. Fuchsbauer, J. Groth, K. Haralambiev, M. Ohkubo. Structure-Preserving Signatures and Commitments to Group Elements. In Crypto'10, Lecture Notes in Computer Science 6223, pp. 209-236, Springer, 2010.] is used because it allows working exclusively with linear pairing-product equations (and thus obtain a better efficiency) when non-interactive proofs are generated.
SETUPinit( ): let £ ε poly(l) be a polynomial, where λ E N is the security parameter. Generate public parameters as follows:
, R 1. Choose bilinear groups (G, GT) of prime order p > 2A with g, g1} g2 <- G.
Define vectors ~9l = {g , ,9)>lh = >9i>9) and lh=~afx Olf'1 with ^,<2
R
<-Zp, which form a perfectly sound Groth-Sahai common reference string
R →
2. For ί = lto£ choose ζ^,ζ^ and set ht = g^ 1,1 Q g2 ,2 so as to obtain a set of £ + 1 vectors \hi}._Q.
R →
3. Choose Ύ\ ,Ύ\ ^Έρ and compute / = g~ l Qgf2 = (fz. .f h, )∞ as to form yet another Groth-Sahai CRS f = (Jh>lh>f)-
R
4. Choose ΛΟ,Λ-L <- G at random.
5. Select a strongly unforgeable (as defined in [J. H. An, Y. Dodis, and T. Rabin. On the security of joint signature and encryption. In Eurocrypt'02,
Lecture Notes in Computer Science 2332, pages 83-107, Springer, 2002.]) one-time signature scheme∑ = (Q,S,V) and a random member H ·. {0,1}*→ {0,1}^ of a collision-resistant hash family. (Q is an algorithm that generates a one-time signature key pair, S is a signature algorithm and V is a signature verification algorithm.)
The public parameters param resulting from SETUPinit( ) comprise {λ, G, Gt, g, g~, g , g~, f, {¾}i=0, Λ„, ALT∑, H}.
SETUPGivi(param): runs the setup algorithm of the AHO structure-preserving signature with n = 4. The obtained public key comprises
pkGM = (Gr,Hu,Gz,Hz,{Git
Figure imgf000014_0001
Qa,Qb) E G8 x GT 2 while the corresponding private key is skGM = {aa, b,yz, δΖ,{γι, 5J=1) . SETUPoA(param): generates pk0A = 0Ί, Y2, Y3, ¾ = (gyi,gy2,gy3,gy4), as a public key for Kiltz's encryption scheme, and the private key as sk0A =
Figure imgf000015_0001
JOIN: the prospective user!/ and the GM run the following protocol:
R
1. The user chooses χ12,ζ,γ12 <-Έρ at random and computes a public key pk = {X1,X2, rlt r2) ε G where
Xi = 9 -gz, x2
Figure imgf000015_0002
The corresponding private key is defined to be sk = (χ12,ζ,γ12). Here, form a public key for the Libert-Yung encryption scheme already mentioned whereas (Ι , Γ2) will be used to provide user traceability.
2. User V.t defines Γ0 = gYlY2 and generates a verifiable encryption of Γ0
R
under k0A- To this end, the user chooses wltw2 -Zp and computes <&venc =
Figure imgf000015_0003
User lit then generates a Non-Interactive Zero-Knowledge (NIZK) proof TiVenc that νβηο encrypts r0 £G such that e(T0,g) = e(rlJr2). Namely, user V.t uses the CRS f = (jh>lh>D to generate Groth-Sahai commitments CWl,CWl to the group elements W1 = gWl and W2 = gW2, respectively, and to prove non- interactively that
Figure imgf000015_0004
^2>g) = e{Y2,W2)
These three equations are linear pairing product equations. However, since their proofs must be NIZK proofs, they cost 16 group elements to prove altogether (as the prover actually introduces an auxiliary variable X to prove that
e{^o>g) = e X,Y2) e g,W1) e g,W2) and X = nvenc denotes the resulting NIZK proof. The prospective user V.t then sends the certification request comprising (pk = (X1,X2,T1,T2)^venc,CWi,CW2,nvenc) to the group manager GM.
3. If database already contains a record transcript,- for which the certified public key pk,- = (χ^,Χ^,Γ^,Γ^) is such that e(r,-1,r,-2) = β(Γ12), the GM returns l. Otherwise, the GM generates a certificate certpk = (Z,R,S, T, U, V, W) ε G7 for pk, which consists of an AHO signature on the 4-uple (Χ121, Γ2). Then, the GM stores the entire interaction transcript transcriptj = (pk = {X1,X2,
Figure imgf000016_0001
in database. DATABASE-CHECK is an algorithm that allows running a sanity check on database. This algorithm returns 0 (meaning that database is not well- formed) if database contains two distinct records transcript and transcript,- for which the public keys pk; = ru, Γ£2) and pkj = (^,^,Γ/^,Ι)^) are such that e(r£jlJr£j2) = e(r,-1; Γ,·2). Otherwise, it returns 1.
ENC(pkGM,pk0A,pk,certpk,M,L): to encrypt M E G such that ((A,B),M) E¾
(for public elements A,B E G), parse pkGM,pk0A and pk as (Χ1212) ε G4. Then:
1. Generate a one-time signature key pair (SK, VK) <- Q( ).
2. Generate a tuple (TLT T2, T3, Γ4) ε G of traceability components by
R
choosing δ,ρ <-Έρ and computing
=3 δ Γ2 = Γι δ/ρ Γ3 = Γ2 ρ Τ^ ^ -Α,)5.
Compute a Libert-Yung encryption of M under the label L:
3. Generate a partial Libert-Yung ciphertext:
R
a. Choose θχ, θ2 - TLV and compute
C0 = M-X^ -X°> C =g{- C2 =g? C3 =g°^. b. Construct a vector gVK = g~ ■ (1,1,#)νκ and use gVK = 0ι> ~92>9νκ) as a Groth-Sahai CRS to generate a NIZK proof that
(g,g1,g2>C1,C2,C3) form a valid tuple, by generating commitments Q ,CQ2 to encryption exponents θ12 Ε Έν (in other words, compute Ce. = g^ -g^1 -g~^Si, with r£js£<-.Zp for each i ε {1,2}) and a proof π Ν that they satisfy
Figure imgf000017_0001
The whole proof consists of C01, C02 and nLm is obtained as
7rLIN = π^π^π^,π^,π^π^ = (g{ g[ g2 r , g2 , gTl+r2 , gSl+S2)■ c. Define the partial Libert-Yung ciphertext ^LY = (^OJ Ci> C2, C3, CQx, g2,nUN).
R
4. For i = 1,2, choose z ,zi2 and encrypt Ι under pk0A using Kiltz's encryption scheme using the same one-time verification key VK as in step 1. Let {ψκι)ί_12 be the resulting ciphertexts.
5. Set the GE ciphertext ψ as Φ = VK\\(T1,T2,T3,T4)\\x LY\\x Ki\\x K2\\a where σ is a one-time signature obtained as ff = 5(sKJ((7' lJ7'2 3 )II^LYll^K1II^K2ll^))- [S is described in SETUPinit(A) step 5.] Return (ip,L) and coins^ consist of δ,ρ,{ζίΛίι2} and (elte2). If the one-time signature described by Groth [see J. Groth. Simulation-sound NIZK proofs for a practical language and constant size group signatures. In Asiacrypt'06, Lecture Notes in Computer Science 4284, pages 444-459, 2006.13] is used, VK and σ take 3 and 2 group elements, respectively, so that ψ consists of 35 group elements of G.
J>(pkGM,pk0A,pk,certpk,
Figure imgf000017_0002
parse pkGM, pk0A, pk and ψ as described. Using f = (j >lh>D as a Groth-Sahai CRS, generate a non- interactive proof πψ for the ciphertext ψ. In the process hereinafter, all commitments and proofs are generated using the CRS f = ( ,g~2*,f).
1. Parse the certificate certpk as (Z,R,S,T, U,V,W) ε G7 and re-randomize it to obtain (Z',R',S',T',U',V',W) <- ReRand(pkGM, (Z,R,S,T,U,V,W)). Then, generate Groth-Sahai commitments CZ,CR,,CU, to Z' , R' and U'. The resulting overall commitment to certpk consists of comcertpk = ζζκ„ζυι,5' ,Τ' , V',W ') ε
2. Generate Groth-Sahai commitments to the components of the public key pk = (Χ1212) and obtain the set compk = {cx.,Cr.} which consists of 12 group elements.
3. Generate a proof 7 tpk that comcertpk is a commitment to a valid certificate for the public key contained in compk. The proof 7 tpk is a non- interactive proof that committed group elements (Z',R',U') satisfy the relations
Ωα e(S',7")_1
Figure imgf000018_0001
= e{Gz,Z') e{Gr,R'), ab eiV'.W'Y1■ YlUeCHi.Xi)-1
Figure imgf000018_0002
= e{Hz,Z') e{Hu,U'). which cost 3 elements each. The whole proof 7 tpk thus takes 6 group elements.
4. Generate a NIZK proof πτ that (Γ1; T2, T3) satisfies {T^T^) =
( δ ,Y^/Q ,vf for some δ, ρ ε TLV. To this end, generate a commitment CY to the group element Y = gs/e and generate a NIZK proof that
e(Y,T3) = e(rlJr2) and
e{T2,g) = e{V1,Y).
Since πτ must include CY and must be a NIZK proof, it requires 21 group elements. Specifically, 3 elements suffice for the first linear equation whereas the second requires to prove e(T2,XT) = eCr^Y) and e(XT,g) = e(g,g) using an auxiliary variable XT = g.
5. For i = 1,2, generate NIZK proofs neq_key i that Cr. (which are part of compk) and ψκ. are encryptions of the same Γέ. If ψκ. = (yi:0,Vi:1,Vi:2,Vi3,ViA) comprises
(y0,vul,v2) = (r g^+^,Y^,Y^) and CTi is parsed as = {g^ -f3l3,g2 i2 -f3 ,Vi gp^ fp ), where ¾,¾ ε coins^p^p&pnEl^ and f = (h^h^h. ), this amounts to prove knowledge of values z l,z 2 ,Ρη,Ρα,ρ ε v such that
Figure imgf000018_0003
Committing to exponents z l,z 2 , pu_, pi2, Pi3 introduces 30 group elements whereas the above relations only require two elements each. Together with their corresponding commitments to {z l,z 2 the proof element
Figure imgf000019_0001
neq-key,i incurs 42 elements.
6. Generate a NIZK proof 7¾ that the ciphertext nLY encrypts a group element MEG such that (( ,β), ) ε l. To this end, generate a commitment comM = (cMil, cMi2, cMi3) = {gpl■ f3 Pl,g2 p2■ f3 ,M gp^ /3¾) and prove that the underlying M is the same as the one for which CQ = M■ 1■
X2 2 in ifjLY. In other words, prove knowledge of exponents θ12123 such that
(r r -^- -^- c° ^ — (ηθ ηθ η θι~Ρι ■ f~P3 η θ2~Ρ2 ■ f~P3 ΠΡΙ-Ρ2 . f~P3 . γθί . γθΑ
\ CM,1 CM,2 CM,3/ V
Committing to θ12123 takes 15 elements. Proving the first four relations of the equation requires 8 elements whereas the last one is quadratic and its proof is 9 elements. Proving the linear pairing-product relation e(g,M) = e(A,B) in NIZK demands 9 elements. (It requires the introduction of an auxiliary variable Λ and proof that e(g,M) = β Λ,Β) and A = Λ, for variables Μ,Λ and constants g,A,B. The two proofs take 3 elements each and 3 elements are needed to commit to Λ.) Since 7¾ includes comM, it entails a total of 34 elements.
The entire proof πψ =
Figure imgf000019_0002
I\πΚ eventually takes 128 elements.
V(param,^L,7^,pkGM,pk0A): parse pkGM,pk0A,pk,/> and πψ as already described. Return 1 if and only if the conditions below are all satisfied.
1. V (VK, σ, ((7Ί, T2, T3, T4) \ \φ^\\φΚι \ \ψΚ2 \ |L)) = 1.
2. The equality e(r1;AoK■ A ) = e(g,T4) is satisfied and ifjLY is a valid Libert-Yung ciphertext.
3. All proofs verify and ψΚιΚ2 are valid Kiltz encryption w.r.t. VK.
Figure imgf000020_0001
Return if either: (i) V^VK^^C^^rs ll^LYll^Kjl^Kjl^^O, (ii) e{T1,A K- )≠e{g ) or ipLY and {Φκι)ί_12 are not all valid ciphertexts. Otherwise, use sk to decrypt
(^LY^)- REVEAL (transcript^ sk0A): parse transcript^ as
((Xi,l> Xi,2> Γί,ΐ' ^£,2)' (®venc,i> ^wi > ^Wi 2> nvenc,i)> certpk,i)-
Parse νβη as (Φ£,0,Φ;,ΐ'φ;,2) e and verifY that {cWii,CWi2,nven ) form a valid proof for the linear pairing product statements in JOIN. If not, return 1. Otherwise, use sk0A = {yi.yz.y .y ) to compute r£j0 = Φ£,0 ■ /yi ' 2/y2- Return the resulting plaintext trace£ = Γ£0 ε G which can serve as a tracing trapdoor for user i as it is of the form Γ£ 0 = Γ?°8^Γι'^.
TRACE(pkGM,pk0A,^ traced : parse φ as VK\\(TltT2,T3,T4)\^LY\^Ki\^K2\\a and the tracing trapdoor trace£ as a group element Γ£0 ε G. If the equality e7i> o) = e(T2,T3) holds, it returns 1 (meaning that is indeed intended for user i). Otherwise, it outputs 0 (i.e., it is not intended for user i).
OPEN(skOA,</a): parse φ as VK| | (7 , Γ2, 7-3j Γ4) | |¾^LY| | Kl | | Κζ | |σ. Return if φκ is not a valid ciphertext w.r.t. VK or if ν^νκ,σ,^ΤΊ,Γζ,^,^ΙΙ^γΙΙ^ΙΙ^ΙΙ^)) = 0. Otherwise, decrypt {φΚι}ί=12 to obtain group elements Γ1;Γ2 Ε Ε and look up database to find a record transcript^ containing a public key pk£ = (Χί:1ί:2, Γ£ι1, Γ£ι2) such that (r£jlJr£j2) = (Γι,Γ2) - (it is to be noted that, unless database is ill-formed, such a record is unique if it exists). If such a record is found, output the matching i. Otherwise, output 1.
CLAIM/DISCLAIM(pkGM,pkoA, />, ,sk): parse φ as VK| I (7Ί, T2, T3,T4) I \φ^\\φΚι \ \φΚ2 \ \σ and the private key as sk = (χ12,ζ,γ12). To generate a claim/disclaimer τ for ψ. Compute Γδ1 = T^1 = r , where δ = loggiTi). Then, compute a collision-resistant hash v = Η(ψ, L, pk) ε {0,1}^.
Then, parse v as v[l] ...v[£] ε {0,1}{ and assemble the vector hv = h0O
Figure imgf000021_0001
as a Groth-Sahai CRS, generate a commitment Cr_l to r_i = and a NIZK proof that T_ satisfies e Ts^T^ = e T^g). To this end, generate a commitment CXT to the auxiliary variable χτ = g and non- interactive proofs πτ1τ2 for the equations
e(js,i'r-i) = βθΊ,Χτ) e{g,xT = e{g,g).
The claim/disclaimer τ consists of τ = {τδ1Γ ιχττ1τ2 ) ε G13. The skilled person will appreciate that only group members using traceability components are able to claim or disclaim a ciphertext; indeed, serves this purpose.
CLAIM-VERIFY(pkGM,pk0A, />,^pk,i"): parse ψ as
VK| |(7Ί, r2,
Figure imgf000021_0002
1 Ik and the public key pk as (X1,X2,T1,T2). Parse τ as (τδ1Γ ιχττ1τ2). Return 1 if and only if the relations
β(7δ,ι,Γ2) = e T2,T3) eiT^T = e(g,TS ) hold and πτ1τ2 are valid proofs for the relations e( s i, = eiT^x^ and e(g,xT) = e(g,g) w.r.t. the CRS {g1,g2, )> where hv = h0 Q
Figure imgf000021_0003
and v = H(^,L,pk) G{0,1}^.
DISCI_AIM-VERIFY(pkGMjpkoA,^,^pk,T): parse ip as
Figure imgf000021_0004
and the public key pk as
Parse τ as (τδ1Γ ιχττ1τ2). Return 1 if and only if it holds that
e{Ts,i,T2)≠ e(T2,T3) eiT^T = e(g,TS ) and πτ1τ2 are valid proofs for the relations
Figure imgf000021_0005
and e(g> Χτ) = e(g>g) and the Groth-Sahai CRS (g!,g2>K), where hv = h0O
Figure imgf000021_0006
ε {0,1}'. From an efficiency point of view, the length of ciphertexts is about 2.18 kB in an implementation using symmetric pairings with a 512-bit representation for each group element (at the 128-bit security level), which is more compact than in the Paillier-based system of Kiayias-Tsiounis-Yung where ciphertexts already take 2.5 kB using 1024-bit moduli (and thus at the 80-bit security level). Moreover, the proofs only require 8 kB (against roughly 32 kB for the same security in Cathalo-Libert-Yung), which is significantly cheaper than in the original GE scheme of Kiayias-Tsiounis-Yung, where interactive proofs reach a communication cost of 70 kB to achieve a 2"50 knowledge error. Each feature disclosed in the description and (where appropriate) the claims and drawings may be provided independently or in any appropriate combination. Features described as being implemented in hardware may also be implemented in software, and vice versa. Reference numerals appearing in the claims are by way of illustration only and shall have no limiting effect on the scope of the claims.
ANNEXE - AHO Structure-Preserving Signature Scheme
The description assumes public parameters pp = ((G,GT),g) consisting of bilinear groups (G,GT of prime order p > 2λ, where λ E N and a generator g E G. Keygen(pp,n): given an upper bound n ε N on the number of group elements
R R
per signed message, choose generators Gr,Hu <-G. Pick γζζ<-Έρ and
Υί,δί ^-Έρ, for i = lton. Then, compute Gz = G.z, Hz = H^z and Gi = Gr Yi, s- R
Hi = Hu l for each ί ε{1,...,η}. Finally, choose aa,ab <-∑p and define Ωα = e(Gr,gaa) and Ωϋ = e(Hu,gab). The public key is defined to be
pk = (6Γ,¾,6ζζ,{6^}?=1αϋ) ε G2n+4 x G2 T while the private key is sk = {aa, b,yz, δζ,{γι, 5J=1).
Sign(s/c, (Mlt ..., J): to sign a vector (M1; ..., J ε Gn using sk, choose
R ,
ζ> Pa> Pb> ωα> ωυ ¾ and compute Z = g<> as well as
m
Figure imgf000023_0001
The signature consists of σ = (Z, R, S, T, U, V, W) E G7.
Verify(p/c, σ, (M1; ...,MJ): given σ = (Z,R,S,T,U,V,W), return 1 iff the following equalities hold:
n
Ωα = e{Gz,Z) e{Gr,R) e{S,T) J" | e(G Μέ),
i=l
n
ilb = e{Hz,Z) e{Hu, U) e(V, W) ^ e{H Mf).
i=l The scheme has been proved existentially unforgeable under chosen- message attacks under the so-called Q-SFP assumption, where q is the number of signing queries.
Also, signature components can be publicly randomized to obtain a different signature (Z',R',S',T',U',V',W) ^ ReRand(p/c,a) on (M1; ...,MN). After randomization, Z' = Z while (R',S',T', U',V',W) are uniformly distributed among the values such that e(GR,R') e(S',T') = e(GR,R) e(S,T) and e(Hu,U') e(y',W) = e(Hu,U) -e(V,W). This re-randomization is performed by choosing
R
Q2, Q , μ, v <- TLV and computing
R' = R TQ2, s' = (S-G 62)1^, T' = T^ u' = u w^, v = (y H~es)1/V, w = wv. As a result, (S,T,V, W) are statistically independent of (M1; ...,MN) and the rest of the signature. This implies that, in privacy-preserving protocols, re- randomized (S',T',V',W) can be safely given out as long as (MLT ...,MN) and (Z',R',U') are given in committed form.

Claims

1 . A device (140) for encrypting a plaintext destined for a user having a public key, the device (140) comprising:
a processor (141 ) configured to:
obtain a tuple of traceability components for first elements of the public key;
encrypt, using encryption exponents and second elements of the public key, the plaintext to obtain a first intermediary ciphertext;
generate commitments to the encryption exponents;
generate second intermediary ciphertexts by encrypting the first elements of the user's public key under a public key of an opening authority using a verification key; and
generate, using a signature key, a signature over the tuple of traceability components, the first intermediary ciphertext, and the second intermediary ciphertexts; and
an interface (144) configured to output a ciphertext comprising the tuple of traceability components, the first intermediary ciphertext, the second intermediary ciphertexts, and the signature.
2. The device of claim 1 , wherein the processor is configured to obtain the traceability components by calculating a plurality of values, wherein each value is obtained by taking a generator or an element of the public key to the power of a value involving at least one random number.
3. The device of claim 1 , wherein the public key comprises a Diffie-Hellman instance and wherein the tracability components enable recognition of the public key through the solution to the Diffie-Hellman instance.
4. The device of claim 1 , wherein the first intermediary ciphertext is obtained by multiplication between the plaintext and elements of the public key raised to the power of encryption exponents.
5. The device of claim 1 , wherein the verification key is a verification key of a one-time signature scheme.
6. The device of claim 5, wherein the signature is a one-time signature obtained using the one-time signature scheme.
7. The device of claim 1 , wherein the processor is further configured to generate the signature also over a label, and wherein the interface is further configured to output the label.
8. A method for encrypting a plaintext destined for a user having a public key, the method comprising, in a device (140):
obtaining, by a processor (141 ), a tuple of traceability components for first elements of the public key;
encrypting, by the processor (141 ) using encryption exponents and second elements of the public key, the plaintext to obtain a first intermediary ciphertext;
generate, by the processor (141 ), commitments to the encryption exponents;
generate, by the processor (141 ), second intermediary ciphertexts by encrypting the first elements of the user's public key under a public key of an opening authority using a verification key; and
generate, by the processor (141 ) using a signature key, a signature over the tuple of traceability components, the first intermediary ciphertext, and the second intermediary ciphertexts; and
outputting, by an interface (144), a ciphertext comprising the tuple of traceability components, the first intermediary ciphertext, the second intermediary ciphertexts, and the signature.
9. The method of claim 8, wherein the traceability components are obtained by calculating a plurality of values, wherein each value is obtained by taking a generator or an element of the public key to the power of a value involving at least one random number.
10. The method of claim 8, wherein the first intermediary ciphertext is obtained by multiplication between the plaintext and elements of the public key raised to the power of encryption exponents.
1 1 . The method of claim 8, wherein the verification key is a verification key of a one-time signature scheme.
12. The method of claim 1 1 , wherein the signature is a one-time signature obtained using the one-time signature scheme.
13. The method of claim 8, wherein the signature is generated also over a label, and wherein the label is further output by the interface (144).
PCT/EP2014/058818 2013-04-30 2014-04-30 Device and method for traceable group encryption WO2014177610A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
US14/888,413 US20160105287A1 (en) 2013-04-30 2014-04-30 Device and method for traceable group encryption
EP14722628.6A EP2992641A1 (en) 2013-04-30 2014-04-30 Device and method for traceable group encryption

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
EP13305572.3 2013-04-30
EP13305572 2013-04-30

Publications (1)

Publication Number Publication Date
WO2014177610A1 true WO2014177610A1 (en) 2014-11-06

Family

ID=48470872

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP2014/058818 WO2014177610A1 (en) 2013-04-30 2014-04-30 Device and method for traceable group encryption

Country Status (4)

Country Link
US (1) US20160105287A1 (en)
EP (1) EP2992641A1 (en)
TW (1) TW201505412A (en)
WO (1) WO2014177610A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113378212A (en) * 2020-03-10 2021-09-10 深圳市网心科技有限公司 Block chain system, information processing method, system, device and computer medium

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106790185B (en) * 2016-12-30 2021-06-15 深圳市风云实业有限公司 CP-ABE-based method and device for safely accessing authority dynamic update centralized information
JP7065887B2 (en) * 2017-06-07 2022-05-12 エヌチェーン ホールディングス リミテッド Methods and systems for establishing reliable peer-to-peer communication between nodes in a blockchain network
CN107733870B (en) * 2017-09-14 2020-01-17 北京航空航天大学 Auditable traceable anonymous message receiving system and method

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
BENOÃ TM T LIBERT ET AL: "Efficient traceable signatures in the standard model", THEORETICAL COMPUTER SCIENCE, AMSTERDAM, NL, vol. 412, no. 12, 27 December 2010 (2010-12-27), pages 1220 - 1242, XP028139399, ISSN: 0304-3975, [retrieved on 20110107], DOI: 10.1016/J.TCS.2010.12.066 *
MALIKA IZABACHÃNE ET AL: "Mediated Traceable Anonymous Encryption", 8 August 2010, PROGRESS IN CRYPTOLOGY Â LATINCRYPT 2010, SPRINGER BERLIN HEIDELBERG, BERLIN, HEIDELBERG, PAGE(S) 40 - 60, ISBN: 978-3-642-14711-1, XP019147846 *
MAN HO AU ET AL: "Traceable and Retrievable Identity-Based Encryption", 5 June 2007, APPLIED CRYPTOGRAPHY AND NETWORK SECURITY; [LECTURE NOTES IN COMPUTER SCIENCE], SPRINGER BERLIN HEIDELBERG, BERLIN, HEIDELBERG, PAGE(S) 94 - 110, ISBN: 978-3-540-68913-3, XP019076294 *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113378212A (en) * 2020-03-10 2021-09-10 深圳市网心科技有限公司 Block chain system, information processing method, system, device and computer medium
CN113378212B (en) * 2020-03-10 2023-04-28 深圳市迅雷网络技术有限公司 Block chain system, information processing method, system, device and computer medium

Also Published As

Publication number Publication date
TW201505412A (en) 2015-02-01
US20160105287A1 (en) 2016-04-14
EP2992641A1 (en) 2016-03-09

Similar Documents

Publication Publication Date Title
Groth Fully anonymous group signatures without random oracles
Lindell Fast secure two-party ECDSA signing
Lyubashevsky et al. One-shot verifiable encryption from lattices
Boneh et al. Using level-1 homomorphic encryption to improve threshold DSA signatures for bitcoin wallet security
Di Raimondo et al. Deniable authentication and key exchange
Abe et al. Tagged one-time signatures: Tight security and optimal tag size
Barbosa et al. Delegatable homomorphic encryption with applications to secure outsourcing of computation
Couteau et al. Shorter non-interactive zero-knowledge arguments and ZAPs for algebraic languages
Garms et al. Group signatures with selective linkability
Diemert et al. More efficient digital signatures with tight multi-user security
Cathalo et al. Group encryption: Non-interactive realization in the standard model
Camenisch et al. Anonymous attestation with subverted TPMs
Ghadafi Efficient distributed tag-based encryption and its application to group signatures with efficient distributed traceability
Libert et al. Practical" signatures with efficient protocols" from simple assumptions
Abe et al. Fully structure-preserving signatures and shrinking commitments
Bradley et al. Strong asymmetric PAKE based on trapdoor CKEM
Damgård et al. Compact zero-knowledge proofs of small hamming weight
EP2992641A1 (en) Device and method for traceable group encryption
Bellare et al. Key-versatile signatures and applications: RKA, KDM and joint enc/sig
Franklin et al. Unique group signatures
Fraser et al. Selectively linkable group signatures—stronger security and preserved verifiability
Ma A new construction of identity-based group signature
Abdolmaleki et al. DL-extractable UC-commitment schemes
Derler et al. Practical witness encryption for algebraic languages or how to encrypt under Groth–Sahai proofs
Arfaoui et al. How to (legally) keep secrets from mobile operators

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 14722628

Country of ref document: EP

Kind code of ref document: A1

REEP Request for entry into the european phase

Ref document number: 2014722628

Country of ref document: EP

WWE Wipo information: entry into national phase

Ref document number: 2014722628

Country of ref document: EP

NENP Non-entry into the national phase

Ref country code: DE

WWE Wipo information: entry into national phase

Ref document number: 14888413

Country of ref document: US