Modern Cryptography
with Proof Techniques
and Implementations
By
Seong Oun Hwang
Intae Kim
Wai Kong Lee
[First] edition published [2021]
by CRC Press
6000 Broken Sound Parkway NW, Suite 300, Boca Raton, FL 33487-2742
and by CRC Press
2 Park Square, Milton Park, Abingdon, Oxon, OX14 4RN
© 2021 Taylor & Francis Group, LLC
CRC Press is an imprint of Taylor & Francis Group, LLC
The right of Seong Oun Hwang to be identified as author of this work has been asserted by him in
accordance with sections 77 and 78 of the Copyright, Designs and Patents Act 1988.
Reasonable efforts have been made to publish reliable data and information, but the author and
publisher cannot assume responsibility for the validity of all materials or the consequences of their use.
The authors and publishers have attempted to trace the copyright holders of all material reproduced
in this publication and apologize to copyright holders if permission to publish in this form has not
been obtained. If any copyright material has not been acknowledged please write and let us know so
we may rectify in any future reprint.
Except as permitted under U.S. Copyright Law, no part of this book may be reprinted, reproduced,
transmitted, or utilized in any form by any electronic, mechanical, or other means, now known or
hereafter invented, including photocopying, microfilming, and recording, or in any information
storage or retrieval system, without written permission from the publishers.
For permission to photocopy or use material electronically from this work, access www.copyright.com
or contact the Copyright Clearance Center, Inc. (CCC), 222 Rosewood Drive, Danvers, MA
01923, 978-750-8400. For works that are not available on CCC please contact
mpkbookspermissions@tandf.co.uk
Trademark notice: Product or corporate names may be trademarks or registered trademarks and are
used only for identification and explanation without intent to infringe.
ISBN: 9781138584082 (hbk)
ISBN: 9780367723231 (pbk)
ISBN: 9781003152569 (ebk)
Typeset in Computer Modern font
by KnowledgeWorks Global Ltd.
To Moonja, Miyeon, and Hyunjun
Contents
Preface xvii
List of Figures xxi
List of Tables xxv
I Fundamentals of Cryptography 1
1 Introduction to Cryptography 3
1.1 History of Cryptography . . . . . . . . . . . . . . . . . . . . 3
1.1.1 Classical Cryptography . . . . . . . . . . . . . . . . . 4
1.1.2 Modern Cryptography . . . . . . . . . . . . . . . . . . 7
1.2 Background Review . . . . . . . . . . . . . . . . . . . . . . . 9
1.2.1 Big Oh Notation . . . . . . . . . . . . . . . . . . . . . 9
1.2.2 Polynomial . . . . . . . . . . . . . . . . . . . . . . . . 9
1.2.3 Super Polynomial . . . . . . . . . . . . . . . . . . . . . 10
1.2.4 Negligible . . . . . . . . . . . . . . . . . . . . . . . . . 10
Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
2 Structure of Security Proof 13
2.1 Overview of Security Proof . . . . . . . . . . . . . . . . . . . 14
2.1.1 Why Proving Security? . . . . . . . . . . . . . . . . . 14
2.1.2 Security Goals . . . . . . . . . . . . . . . . . . . . . . 14
2.1.3 Attack Models . . . . . . . . . . . . . . . . . . . . . . 16
2.1.4 How Can We Build a Cryptographic Scheme? Lego Approach! . . . . . 17
2.1.5 Computational Assumptions . . . . . . . . . . . . . . 17
2.2 Proof by Reduction . . . . . . . . . . . . . . . . . . . . . . . 18
2.2.1 What Is Reduction? . . . . . . . . . . . . . . . . . . . 19
2.2.2 Outline of Security Proof by Reduction . . . . . . . . 19
2.3 Random Oracle Methodology . . . . . . . . . . . . . . . . . . 20
2.3.1 Security Proof in the Random Oracle Model . . . . . . 21
2.4 Sequence of Games . . . . . . . . . . . . . . . . . . . . . . . 22
2.4.1 Hybrid Argument . . . . . . . . . . . . . . . . . . . . 24
2.5 The Generic Group Model . . . . . . . . . . . . . . . . . . . 25
Exercise . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
3 Private-Key Encryption (1) 27
3.1 Defining Computationally-Secure Encryption . . . . . . . . . 27
3.2 Pseudorandomness . . . . . . . . . . . . . . . . . . . . . . . . 29
3.3 A Private-Key Encryption Scheme Based on Pseudorandom
Generator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
4 Private-Key Encryption (2) 35
4.1 Stream Ciphers . . . . . . . . . . . . . . . . . . . . . . . . . 35
4.2 Stronger Security Notions . . . . . . . . . . . . . . . . . . . . 36
4.2.1 Security for Multiple Encryptions . . . . . . . . . . . . 36
4.2.2 Security for Chosen-Plaintext Attack . . . . . . . . . . 38
4.3 Constructing CPA-Secure Encryption Scheme . . . . . . . . 42
4.4 Advanced Encryption Standard . . . . . . . . . . . . . . . . 47
Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
5 Private-Key Encryption (3) 51
5.1 Block Ciphers and Modes of Operation . . . . . . . . . . . . 51
5.1.1 Electronic Code Book (ECB) Mode . . . . . . . . . . 52
5.1.2 Cipher Block Chaining (CBC) Mode . . . . . . . . . . 52
5.1.3 Counter (CTR) Mode . . . . . . . . . . . . . . . . . . 54
5.2 CPA-Securities of Modes of Operation . . . . . . . . . . . . . 55
5.2.1 IND-CPA Adversary . . . . . . . . . . . . . . . . . . . 55
5.2.2 A Block Cipher Per Se Is Not IND-CPA Secure . . . 56
5.2.3 ECB Is Not IND-CPA Secure . . . . . . . . . . . . . . 56
5.2.4 CBC Is IND-CPA Secure . . . . . . . . . . . . . . . . 57
5.2.5 CTR Is IND-CPA Secure . . . . . . . . . . . . . . . . 57
5.3 Security Against Chosen-Ciphertext Attack (CCA) . . . . . 59
5.3.1 IND-CCA Adversary . . . . . . . . . . . . . . . . . . . 61
5.3.2 A CPA-Secure Encryption Scheme from Any Pseudorandom Function Is Not CCA-Secure . . . . 62
5.3.3 A CPA-Secure Encryption Scheme Using CBC Mode
(Random Version) Is Not CCA-Secure . . . . . . . . . 62
Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
6 Message Authentication Code 65
6.1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
6.1.1 Encryption vs. Message Authentication . . . . . . . . 66
6.2 Message Authentication Code . . . . . . . . . . . . . . . . . 67
6.3 Constructing Secure Message Authentication Code . . . . . . 70
6.3.1 Fixed-Length MAC . . . . . . . . . . . . . . . . . . . 70
6.3.2 Variable-Length MAC . . . . . . . . . . . . . . . . . . 72
6.4 CBC-MAC . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
6.5 Obtaining Encryption and Message Authentication . . . . . 77
6.5.1 Constructing CCA-Secure Encryption Schemes Using
MAC . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
7 Hash Function 87
7.1 Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
7.1.1 Collision Resistance . . . . . . . . . . . . . . . . . . . 88
7.1.2 Weaker Notions of Security . . . . . . . . . . . . . . . 89
7.2 Design of Collision-Resistant Hash Functions . . . . . . . . . 90
7.2.1 Compression Function Proved Secure Under the Discrete Log Assumption . . . . . . 90
7.2.2 Compression Functions Based on Secure Block Ciphers 92
7.2.3 Proprietary Compression Functions . . . . . . . . . . . 92
7.3 The Merkle-Damgard Transform . . . . . . . . . . . . . . . . 93
7.4 Generic Attacks on Hash Functions . . . . . . . . . . . . . . 95
7.4.1 Birthday Attacks for Finding Collisions . . . . . . . . 95
7.4.2 Small-Space Birthday Attacks . . . . . . . . . . . . . . 96
7.5 Message Authentication Using Hash Functions . . . . . . . . 96
7.5.1 Hash-and-MAC . . . . . . . . . . . . . . . . . . . . . . 96
7.5.2 HMAC . . . . . . . . . . . . . . . . . . . . . . . . . . 97
7.6 Applications of Hash Function . . . . . . . . . . . . . . . . . 98
7.6.1 Fingerprinting and Deduplication . . . . . . . . . . . . 99
7.6.2 Merkle Trees . . . . . . . . . . . . . . . . . . . . . . . 99
7.6.3 Password Hashing . . . . . . . . . . . . . . . . . . . . 101
7.6.4 Key Derivation . . . . . . . . . . . . . . . . . . . . . . 101
7.6.5 Commitment Schemes . . . . . . . . . . . . . . . . . . 102
Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
8 Introduction to Number Theory 103
8.1 Preliminaries . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
8.1.1 Division, Prime, and Modulo . . . . . . . . . . . . . . 104
8.1.2 Greatest Common Divisor . . . . . . . . . . . . . . . . 105
8.1.3 Euclidean Algorithm . . . . . . . . . . . . . . . . . . . 105
8.1.4 Extended Euclidean Algorithm . . . . . . . . . . . . . 105
8.1.5 Fermat’s Little Theorem . . . . . . . . . . . . . . . . . 105
8.1.6 Euler’s Theorem . . . . . . . . . . . . . . . . . . . . . 106
8.1.7 Exponentiation and Logarithm . . . . . . . . . . . . . 106
8.1.8 Set of Residues Zn . . . . . . . . . . . . . . . . . . . . 107
8.1.9 Inverse Modulo . . . . . . . . . . . . . . . . . . . . . . 108
8.1.10 Euler’s Criterion . . . . . . . . . . . . . . . . . . . . . 110
8.2 Algebraic Structure . . . . . . . . . . . . . . . . . . . . . . . 110
8.2.1 Group . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
8.2.2 Ring . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
8.2.3 Field . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
8.2.4 GF(2^n) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
8.2.5 Elliptic Curve . . . . . . . . . . . . . . . . . . . . . . . 114
9 Public-Key Encryption 117
9.1 Discrete Logarithm and Its Related Assumptions . . . . . . . 118
9.2 The Diffie-Hellman Key Exchange Protocol . . . . . . . . . . 120
9.3 Overview of Public-Key Encryption . . . . . . . . . . . . . . 123
9.3.1 Security Against CPA . . . . . . . . . . . . . . . . . . 124
9.3.2 Security Against CCA . . . . . . . . . . . . . . . . . . 127
9.3.3 Hybrid Encryption and the KEM/DEM Paradigm . . 128
9.4 Public-Key Encryption Schemes . . . . . . . . . . . . . . . . 129
9.4.1 The El Gamal Encryption . . . . . . . . . . . . . . . . 129
9.4.2 The Plain (aka Textbook) RSA Encryption . . . . . . 133
9.4.2.1 RSA Cryptosystem Based on Elliptic Curve . 135
9.4.3 The Padded RSA Encryption . . . . . . . . . . . . . . 136
9.4.4 The CPA-Secure RSA Encryption Under the RSA Assumption in the Random Oracle Model . . . . 137
9.4.5 The CCA-Secure RSA Encryption Under the RSA Assumption in the Random Oracle Model . . . . 140
9.4.6 The RSA-OAEP Encryption . . . . . . . . . . . . . . 144
9.4.7 The Cramer-Shoup Encryption . . . . . . . . . . . . . 145
9.4.8 The Paillier Encryption . . . . . . . . . . . . . . . . . 155
Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
10 Digital Signature 159
10.1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
10.2 Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
10.3 The El Gamal Signatures . . . . . . . . . . . . . . . . . . . . 162
10.4 The RSA Signatures . . . . . . . . . . . . . . . . . . . . . . . 168
10.4.1 Plain RSA . . . . . . . . . . . . . . . . . . . . . . . . 169
10.4.2 Full Domain Hash RSA . . . . . . . . . . . . . . . . . 169
10.4.3 Probabilistic Signature Scheme (PSS) . . . . . . . . . 171
10.5 Blockchain: Application of Hash Function and Public-Key Encryption . . . . . . . . . 171
10.5.1 Blockchain 1.0: Early Development of Blockchain Technology . . . . . . . . . 171
10.5.1.1 The Use of Cryptography in Blockchain . . . 174
10.5.1.2 Other Consensus Algorithms . . . . . . . . . 175
10.5.2 Blockchain 2.0: Smart Contract Beyond Cryptocurrency 176
10.5.3 Private, Consortium, and Public Blockchain . . . . . . 176
Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
II Identity-Based Encryption and Its Variants 179
11 Identity-Based Encryption (1) 181
11.1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181
11.2 Preliminaries . . . . . . . . . . . . . . . . . . . . . . . . . . . 183
11.2.1 Bilinear Map (Weil and Tate Pairing) . . . . . . . . . 183
11.2.2 Hardness Assumption . . . . . . . . . . . . . . . . . . 184
11.3 Identity-Based Encryption . . . . . . . . . . . . . . . . . . . 184
11.4 Boneh-Franklin IBE [24] . . . . . . . . . . . . . . . . . . . . 185
12 Identity-Based Encryption (2) 199
12.1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
12.2 Preliminaries . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
12.2.1 Security Model . . . . . . . . . . . . . . . . . . . . . . 201
12.2.2 Hardness Assumptions . . . . . . . . . . . . . . . . . . 202
12.2.3 How to Achieve a Tight Reduction? . . . . . . . . . . 204
12.3 Gentry’s IBE [48] . . . . . . . . . . . . . . . . . . . . . . . . 206
12.3.1 Construction 1: Chosen-Plaintext Security . . . . . . . 206
12.3.2 Security 1: Chosen-Plaintext Security . . . . . . . . . 208
12.3.3 Construction 2. Chosen-Ciphertext Security . . . . . . 213
12.3.4 Security 2: Chosen-Ciphertext Security . . . . . . . . . 215
Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225
13 Identity-Based Encryption (3) 227
13.1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227
13.2 Preliminaries . . . . . . . . . . . . . . . . . . . . . . . . . . . 229
13.2.1 Security Model . . . . . . . . . . . . . . . . . . . . . . 230
13.2.2 Hardness Assumptions . . . . . . . . . . . . . . . . . . 230
13.3 Dual System Encryption . . . . . . . . . . . . . . . . . . . . 231
13.4 Waters’ IBE [99] . . . . . . . . . . . . . . . . . . . . . . . . . 235
13.4.1 Proof of IBE Security . . . . . . . . . . . . . . . . . . 240
Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 256
14 Hierarchical Identity-Based Encryption 257
14.1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 258
14.2 Preliminaries . . . . . . . . . . . . . . . . . . . . . . . . . . . 259
14.2.1 General Construction of HIBE . . . . . . . . . . . . . 259
14.2.2 Security Model for HIBE . . . . . . . . . . . . . . . . 260
14.2.3 Composite Order Bilinear Groups . . . . . . . . . . . 261
14.2.4 Hardness Assumptions . . . . . . . . . . . . . . . . . . 262
14.2.5 A “Master Theorem” for Hardness in Composite Order
Bilinear Groups [60] . . . . . . . . . . . . . . . . . . . 263
14.3 Waters’ Realization . . . . . . . . . . . . . . . . . . . . . . . 268
14.4 Waters’ HIBE with Composite Order . . . . . . . . . . . . . 269
14.4.1 Proof of HIBE Security . . . . . . . . . . . . . . . . . 274
14.5 The Generic Group Model . . . . . . . . . . . . . . . . . . . 284
14.5.1 The Decision Linear Diffie-Hellman Assumption . . . 284
14.5.2 The Linear Problem in Generic Bilinear Groups . . . . 285
Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 288
15 Identity-Based Encryption (4) 289
15.1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 289
15.2 Preliminaries . . . . . . . . . . . . . . . . . . . . . . . . . . . 291
15.2.1 Security Model . . . . . . . . . . . . . . . . . . . . . . 291
15.2.2 Hardness Assumption . . . . . . . . . . . . . . . . . . 293
15.3 Boneh-Boyen IBE [19] . . . . . . . . . . . . . . . . . . . . . . 293
15.3.1 Proof of IBE Security . . . . . . . . . . . . . . . . . . 295
16 Tight Reduction 299
16.1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 300
16.2 Why Is Tight Reduction Important? . . . . . . . . . . . . . . 300
16.3 Obstacles and Solutions in Tight Reduction . . . . . . . . . . 301
16.3.1 All-and-Any Strategy . . . . . . . . . . . . . . . . . . 301
16.3.1.1 Relationship Between Security Models and
Strategies . . . . . . . . . . . . . . . . . . . . 302
16.3.2 Searching Method . . . . . . . . . . . . . . . . . . . . 303
16.3.3 Self-Decryption Paradox . . . . . . . . . . . . . . . . . 304
16.4 All-and-Any Strategy Techniques in the Random Oracle Model 304
16.4.1 Katz-Wang Technique . . . . . . . . . . . . . . . . . . 305
16.4.2 Park-Lee Technique . . . . . . . . . . . . . . . . . . . 306
Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 307
17 Transformation Technique 309
17.1 Canetti-Halevi-Katz Transformation [32] . . . . . . . . . . . 309
17.1.1 Definitions . . . . . . . . . . . . . . . . . . . . . . . . 310
17.1.1.1 Binary Tree Encryption . . . . . . . . . . . . 310
17.1.1.2 One-Time Signature . . . . . . . . . . . . . . 312
17.1.2 Chosen-Ciphertext Security from IBE . . . . . . . . . 312
17.1.3 Chosen-Ciphertext Security for BTE Schemes . . . . . 316
18 Broadcast Encryption 321
18.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . 322
18.2 Subset-Cover Revocation Framework [78] . . . . . . . . . . . 323
18.2.1 Problem Definition . . . . . . . . . . . . . . . . . . . . 323
18.2.2 The Framework . . . . . . . . . . . . . . . . . . . . . . 323
18.2.3 Two Subset-Cover Algorithms . . . . . . . . . . . . . . 325
18.2.3.1 Complete Subtree (CS) Method . . . . . . . 327
18.2.3.2 Subset Difference (SD) Method . . . . . . . . 330
18.3 Identity-Based Broadcast Encryption . . . . . . . . . . . . . 337
18.3.1 Preliminaries . . . . . . . . . . . . . . . . . . . . . . . 337
18.3.1.1 Definition . . . . . . . . . . . . . . . . . . . . 337
18.3.1.2 Security Model . . . . . . . . . . . . . . . . . 338
18.3.1.3 Hardness Assumptions . . . . . . . . . . . . 339
18.3.2 Delerablée’s Scheme [37] . . . . . . . . . . . . . . . . . 341
18.3.3 Security Analysis of Delerablée’s Scheme . . . . . . . . 342
Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 347
19 Attribute-Based Encryption 349
19.1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 350
19.2 Access Structure . . . . . . . . . . . . . . . . . . . . . . . . . 351
19.2.1 Secret Sharing Scheme . . . . . . . . . . . . . . . . . . 351
19.2.2 Access Trees . . . . . . . . . . . . . . . . . . . . . . . 351
19.2.3 Satisfying the Access Tree . . . . . . . . . . . . . . . . 352
19.3 Preliminaries . . . . . . . . . . . . . . . . . . . . . . . . . . . 354
19.3.1 The Generic Bilinear Group Model . . . . . . . . . . . 354
19.3.2 The Decisional Bilinear Diffie-Hellman (DBDH) Assumption . . . . . . . . . 355
19.3.3 Selective-Set Model for KP-ABE . . . . . . . . . . . . 355
19.3.4 Security Model for CP-ABE . . . . . . . . . . . . . . . 355
19.4 KP-ABE [55] . . . . . . . . . . . . . . . . . . . . . . . . . . . 356
19.4.1 Security Analysis of KP-ABE . . . . . . . . . . . . . . 359
19.4.2 Probability Analysis . . . . . . . . . . . . . . . . . . . 362
19.5 CP-ABE [14] . . . . . . . . . . . . . . . . . . . . . . . . . . . 362
20 Secret Sharing 371
20.1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 371
20.2 Efficient Secret Sharing . . . . . . . . . . . . . . . . . . . . . 372
20.2.1 Shamir’s Secret Sharing [90] . . . . . . . . . . . . . . . 372
20.2.1.1 Mathematical Definition . . . . . . . . . . . 373
20.2.1.2 The Construction . . . . . . . . . . . . . . . 373
20.2.1.3 Example . . . . . . . . . . . . . . . . . . . . 373
20.2.2 Blakley’s Secret Sharing [16] . . . . . . . . . . . . . . 375
20.2.2.1 The Construction . . . . . . . . . . . . . . . 375
20.2.2.2 Example . . . . . . . . . . . . . . . . . . . . 376
Exercise . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 377
21 Predicate Encryption and Functional Encryption 379
21.1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 380
21.1.1 Predicate Encryption . . . . . . . . . . . . . . . . . . 380
21.1.2 Functional Encryption . . . . . . . . . . . . . . . . . . 381
21.2 Preliminaries . . . . . . . . . . . . . . . . . . . . . . . . . . . 383
21.2.1 Hardness Assumptions . . . . . . . . . . . . . . . . . . 383
21.2.2 Definition of Predicate Encryption . . . . . . . . . . . 385
21.2.3 Definition of Functional Encryption . . . . . . . . . . 387
21.3 Predicate-Only Encryption [62] . . . . . . . . . . . . . . . . . 388
21.3.1 Proof of Predicate-Only Encryption Security . . . . . 390
21.4 Predicate Encryption [62] . . . . . . . . . . . . . . . . . . . . 397
21.4.1 Proof of Predicate Encryption Security . . . . . . . . . 399
21.5 Functional Encryption . . . . . . . . . . . . . . . . . . . . . . 404
21.5.1 Proof of Functional Encryption Security . . . . . . . . 405
21.5.2 Applications of Functional Encryption . . . . . . . . . 409
21.5.2.1 Distance Measurement . . . . . . . . . . . . 409
21.5.2.2 Exact Threshold . . . . . . . . . . . . . . . . 410
21.5.2.3 Weighted Average . . . . . . . . . . . . . . . 410
III Post-Quantum Cryptography 411
22 Introduction to Lattice 413
22.1 Preliminaries . . . . . . . . . . . . . . . . . . . . . . . . . . . 413
22.2 Lattice Problems . . . . . . . . . . . . . . . . . . . . . . . . . 414
22.3 NTRU Cryptosystem . . . . . . . . . . . . . . . . . . . . . . 415
Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 417
23 Lattice-Based Cryptography 419
23.1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 419
23.2 Preliminaries . . . . . . . . . . . . . . . . . . . . . . . . . . . 420
23.2.1 Distributions . . . . . . . . . . . . . . . . . . . . . . . 421
23.3 Lattice-Based Cryptography . . . . . . . . . . . . . . . . . . 421
23.3.1 Learning with Errors (LWE) . . . . . . . . . . . . . . 422
23.3.2 Learning with Rounding (LWR) . . . . . . . . . . . . 424
23.3.3 Ring Variants of LWE and LWR . . . . . . . . . . . . 425
23.4 (LWE+LWR)-Based Public-Key Encryption [34] . . . . . . 425
23.4.1 The Construction . . . . . . . . . . . . . . . . . . . . . 426
23.4.2 Correctness . . . . . . . . . . . . . . . . . . . . . . . . 427
23.4.3 Security . . . . . . . . . . . . . . . . . . . . . . . . . . 427
23.5 Ring Variant of Lizard . . . . . . . . . . . . . . . . . . . . . 428
23.5.1 The Construction . . . . . . . . . . . . . . . . . . . . . 430
24 Introduction to Linear Codes 433
24.1 Fundamentals of Coding Theory . . . . . . . . . . . . . . . . 434
24.2 Basics of Linear Codes . . . . . . . . . . . . . . . . . . . . . 434
24.2.1 Generator Matrix and Parity-Check Matrix . . . . . . 435
24.3 Types of Decoding . . . . . . . . . . . . . . . . . . . . . . . . 439
24.3.1 Maximum-Likelihood Decoding . . . . . . . . . . . . . 439
24.3.2 Minimum-Distance Decoding . . . . . . . . . . . . . . 439
24.3.3 Syndrome Decoding . . . . . . . . . . . . . . . . . . . 440
24.4 Hamming Geometry and Code Performance . . . . . . . . . 440
24.5 Types of Codes . . . . . . . . . . . . . . . . . . . . . . . . . 441
24.5.1 Hamming Code . . . . . . . . . . . . . . . . . . . . . . 441
24.5.2 Cyclic Codes . . . . . . . . . . . . . . . . . . . . . . . 442
24.5.3 Generalized Reed-Solomon (GRS) Codes . . . . . . . . 442
24.5.4 Goppa Codes . . . . . . . . . . . . . . . . . . . . . . . 443
24.5.4.1 Construction of Goppa Codes . . . . . . . . 443
24.5.4.2 Binary Goppa Codes . . . . . . . . . . . . . 443
24.5.4.3 Parity-Check Matrix of Goppa Codes . . . . 444
24.6 Hard Problems . . . . . . . . . . . . . . . . . . . . . . . . . . 445
Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 445
25 Code-Based Cryptography 449
25.1 McEliece Cryptosystem [75] . . . . . . . . . . . . . . . . . . 450
25.1.1 Key Generation . . . . . . . . . . . . . . . . . . . . . . 450
25.1.2 Encryption . . . . . . . . . . . . . . . . . . . . . . . . 451
25.1.3 Decryption . . . . . . . . . . . . . . . . . . . . . . . . 451
25.2 Niederreiter Cryptosystem . . . . . . . . . . . . . . . . . . . 452
25.2.1 Key Generation . . . . . . . . . . . . . . . . . . . . . . 452
25.2.2 Encryption . . . . . . . . . . . . . . . . . . . . . . . . 453
25.2.3 Decryption . . . . . . . . . . . . . . . . . . . . . . . . 453
25.3 Security Analysis of McEliece and Niederreiter . . . . . . . . 454
25.4 QC-MDPC McEliece Cryptosystem . . . . . . . . . . . . . . 454
25.4.1 MDPC and QC-MDPC Codes . . . . . . . . . . . . . 455
25.4.1.1 MDPC Code . . . . . . . . . . . . . . . . . . 455
25.4.1.2 MDPC Code Construction . . . . . . . . . . 456
25.4.1.3 QC-MDPC Code Construction . . . . . . . . 456
25.4.2 QC-MDPC McEliece Cryptosystem [101] . . . . . . . 456
25.4.2.1 Key Generation . . . . . . . . . . . . . . . . 456
25.4.2.2 Encryption . . . . . . . . . . . . . . . . . . . 457
25.4.2.3 Decryption . . . . . . . . . . . . . . . . . . . 457
Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 458
IV Implementations of Selected Algorithms 461
26 Selected Algorithms 463
26.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . 463
26.2 Boneh-Franklin IBE . . . . . . . . . . . . . . . . . . . . . . . 464
26.3 Boneh-Boyen IBE . . . . . . . . . . . . . . . . . . . . . . . . 464
26.4 Broadcast Encryption . . . . . . . . . . . . . . . . . . . . . . 464
26.5 Ciphertext-Policy Attribute-Based Encryption (CP-ABE) . . 465
26.6 Predicate Encryption (PE) . . . . . . . . . . . . . . . . . . . 465
26.7 Rivest-Shamir-Adleman (RSA) . . . . . . . . . . . . . . . . . 466
26.8 Elliptic Curve Digital Signature Algorithm (ECDSA) . . . . 466
26.9 QC-MDPC McEliece . . . . . . . . . . . . . . . . . . . . . . 466
26.10 NTRUEncrypt . . . . . . . . . . . . . . . . . . . . . . . . . 467
26.11 Number Theoretic Transform . . . . . . . . . . . . . . . . . 467
26.12 The Paillier Encryption . . . . . . . . . . . . . . . . . . . . 468
26.13 AES Block Cipher . . . . . . . . . . . . . . . . . . . . . . . 468
26.14 wolfSSL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 469
Bibliography 471
Index 481
Preface
Security is critical in modern society, particularly in the Internet era, where
things as well as people are interconnected. Cryptography plays a critical role
in ensuring the security of that society by serving as a primitive and building
block.
The goal of this book is to introduce the foundations of cryptography to
students, researchers, and practitioners so that they can design their own secure
systems, analyze existing cryptographic schemes, or apply provably
secure cryptographic schemes to the real world.
Features of the Book Compared to other subjects, cryptography is generally
regarded as “difficult to understand,” mainly because the underlying
proofs are a kind of mental game that can be hard to follow. To
ease the understanding of cryptography, we introduce detailed and intuitive
explanations, relevant implementations, and extensible applications in this
book. In particular, we have found that detailed and intuitive explanations
are, often though not always, especially helpful for beginners to grasp the
structural flow of a security proof of a cryptographic scheme, and that a
complex theoretical concept becomes easier to understand by implementing it
or constructing relevant applications. Specifically, this book is designed with
the following in mind:
1. giving a big picture of cryptography, wide and deep
(a) the basic building blocks
(b) various cryptographic schemes
(c) applications to the real world
2. providing fundamentals on cryptography
(a) formal definitions of security
(b) complexity assumptions of computational problems
(c) proof techniques
3. giving practice on how to implement cryptographic schemes efficiently
(a) fundamental mathematical tools for efficient implementation
(b) efficient techniques to optimize the implementation based on
specific hardware
(c) trade-off to be made during implementation (e.g., memory versus speed)
Structures of the Book In line with the above design purposes and features
of the book, the whole book comprises the following four parts:
1. Part I: Fundamentals of classical and modern cryptography are
explained including the structure of security proofs, private-key
encryption, message authentication code, hash function, basic number
theory, public-key encryption, and digital signature.
2. Part II: Identity-based encryption can use any arbitrary data for
an identity as public keys, which is one of the big differences from
traditional public-key encryption, which makes identity-based en-
cryption easier to use, less expensive, and more practical.
3. Part III: Post-quantum cryptography has emerged recently to
prepare for the near future, as existing conventional cryptography is
expected to be broken by advanced algorithms executed on quantum
computers. Two representative post-quantum approaches, lattice-
based and code-based, are explored.
4. Part IV: Various popular cryptographic schemes are implemented
using the MIRACL library, which is based on the C/C++ programming
language. Some post-quantum schemes are implemented with plain
C code and evaluated on Graphics Processing Units (GPU)
with massively parallel architecture. Mathematical tools like
Montgomery reduction, Chinese remainder theorem (CRT), and number
theoretic transform (NTT) are used to optimize the performance.
Guide to the Book Readers will benefit from studying with the following
guidelines in mind:
1. Proof: One of the key design issues of this book is how to introduce
the seemingly hard security proofs of cryptographic schemes to readers,
particularly beginners and self-learners, in an intuitive, easy, and
detailed way so that they can fully understand them just by
following the book. Readers are first recommended to grasp
the big picture of security proofs by taking a look at Chapter 2, and to
revisit this chapter whenever they study a specific security proof
technique. In particular, they are encouraged to walk through the
proofs in each chapter of Part 1 in sequence, which comprises the
fundamentals of cryptography. Readers will benefit from
referring to the intuitions or outlines, where given, underlying a specific proof
before going deeper into the proof itself. When they go deeper into
a specific proof, they can easily understand it by just following
the detailed step-by-step explanations of the proof, a unique feature
quite different from other cryptography textbooks. If readers
fully understand the key proof techniques in Parts 1 and 2, they
can easily understand more complex proof techniques.
2. Implementation: Most of the implementations in this book are
based on the MIRACL library, with detailed guidance on setting
up the compilation. Readers can first explore the implementations
of ECDSA and Paillier, which are fundamental cryptography.
Next, readers may implement more advanced cryptographic
schemes including IBE, BE, CP-ABE, and PE. The implementation
of RSA involves parallel programming using GPU, which can
be explored at a later stage. Readers can also explore the
implementations of lattice-based and code-based cryptography, wherein
various optimization techniques are presented. Finally, readers
can explore the implementation of AES and SSL. All
implementation source code is accessible at https://ai-security.github.io.
Comments and Errata We would appreciate it if you email any comments
or errata to sohwang@gachon.ac.kr. A list of errata will be maintained at
https://ai-security.github.io.
Seong Oun Hwang, Ph.D., Gachon University, Korea
Intae Kim, Ph.D., The University of Wollongong, Australia
Wai Kong Lee, Ph.D., Universiti Tunku Abdul Rahman, Malaysia
List of Figures
2.1 Comparison of iterated design and provable security. p. 15
2.2 Lego approach. p. 18
2.3 A high level overview of a security proof by reduction. p. 20
4.1 Pseudorandom function. p. 43
4.2 Design of AES encryption cipher. p. 47
4.3 AES round function. p. 48
4.4 Overall design of AES. p. 49
5.1 ECB mode. p. 53
5.2 CBC with random IV mode. p. 53
5.3 CTR mode. p. 54
5.4 IND-CPA adversary. p. 55
5.5 IND-CCA adversary. p. 61
6.1 Message authentication in a medical application. p. 66
6.2 Authentication in ATM. p. 68
6.3 Construction 3 is not secure for authentication of messages of varying length. p. 77
6.4 A secure CBC-MAC for authenticating arbitrary-length messages of three blocks, m = m1 m2 m3, by prepending the message length. p. 78
6.5 A secure CBC-MAC for authenticating arbitrary-length messages by applying two keys. p. 78
6.6 Semantic view of DecryptListGame. p. 83
7.1 The Merkle-Damgard transform. p. 94
7.2 Birthday attack. p. 95
7.3 Merkle tree while computing root for x3 (a) with small files (b) with large files. p. 101
9.1 The Diffie-Hellman key-exchange protocol. p. 122
9.2 The man-in-the-middle attack. p. 123
9.3 The station-to-station key agreement protocol. p. 123
9.4 Security proof of El Gamal encryption. p. 133
9.5 Reduction from the DDH problem to an attack on Cramer-Shoup scheme. p. 147
10.1 Forking lemma. p. 166
10.2 Simplified data flow in blockchain. p. 172
10.3 Blockchain data structure. p. 174
11.1 Comparison of PKI and IBE. p. 182
11.2 Comparison of security models. p. 182
11.3 Comparison of full vs. selective security. p. 185
11.4 High-level view of reductions (1). p. 188
11.5 Implicit partition of the identity space done by the security reduction. p. 189
11.6 Simulation of the attacker's environment. p. 192
11.7 High-level view of reductions (2). p. 195
12.1 Comparison of BF-IBE and Gentry's IBE. p. 200
12.2 Comparison of private key spaces in Gentry's IBE. p. 205
12.3 Different decryption capabilities in Gentry's IBE. p. 206
13.1 Hybrid game. p. 229
13.2 Waters' hybrid game. p. 232
13.3 Comparison of normal and semi-functional forms. p. 232
13.4 Change of secret keys and ciphertexts in Waters' hybrid game. p. 233
13.5 Paradox between Game_{K-1} and Game_K. p. 235
13.6 Proof of IBE security. p. 241
14.1 Difference between IBE and HIBE. p. 258
14.2 Proof of HIBE security. p. 275
15.1 Comparison of the selectively secure and the fully secure models. p. 290
16.1 Necessary conditions for tight security reduction to the (D)BDH problem. In the reduction to DBDH, b outputted from a solver is a bit that an attacker guessed. p. 301
17.1 Binary tree encryption. p. 311
17.2 CCA-secure PKE from CPA-secure IBE. p. 313
17.3 Grandchildren's secret keys of w0 will be children's secret keys of w. p. 318
18.1 Steiner tree. p. 326
18.2 Subset S_i at node v_i in CS. p. 327
18.3 Key assignment in CS. p. 328
18.4 Subset cover of non-revoked devices in CS. p. 328
18.5 Example in CS. p. 329
18.6 Subsets in CS. p. 331
18.7 Step 1 in finding subset in SD. p. 332
18.8 Step 2 in finding subset in SD. p. 333
18.9 Step 3 in finding subset in SD. p. 333
18.10 Subset cover of non-revoked devices in SD. p. 334
18.11 Key assignment in SD. p. 335
18.12 Providing keys to receiver u in SD. p. 336
19.1 Satisfying an access tree. p. 353
21.1 Attribute-based encryption. p. 382
21.2 Predicate encryption. p. 382
21.3 Functional encryption. p. 383
24.1 A linear shift register for generating a [7, 4] binary code. p. 438
24.2 Hamming sphere of radius e around adjacent codewords. p. 441
List of Tables
1.1 Comparison of info-theoretic security and computational security. p. 7
9.1 Comparison of private-key and public-key encryptions. p. 124
10.1 Comparison of digital signature and message authentication code. p. 160
10.2 Evolution of hardware platform for PoW mining in bitcoin [2]. p. 174
11.1 Comparison of PKI and IBE. p. 183
15.1 Computational cost of Boneh-Boyen IBE [19]. p. 295
16.1 IBE systems with tight security reduction to the (D)BDH problem. p. 304
16.2 Difference between Katz–Wang and Park–Lee techniques. p. 305
18.1 Performance trade-off for the Complete Subtree (CS) method and the Subset Difference (SD) method (N is the number of all users and r is the number of revocations). p. 326
19.1 Flow of satisfying an access tree. p. 353
19.2 Possible query types from the adversary. p. 369
Part I Fundamentals of Cryptography
1 Introduction to Cryptography
CONTENTS
1.1 History of Cryptography p. 3
1.1.1 Classical Cryptography p. 4
1.1.2 Modern Cryptography p. 7
1.2 Background Review p. 9
1.2.1 Big Oh Notation p. 9
1.2.2 Polynomial p. 9
1.2.3 Super Polynomial p. 10
1.2.4 Negligible p. 10
Exercises p. 11
The chapter begins with the history of cryptography. Cryptography is divided into two main classes, classical and modern cryptography. Classical cryptographic schemes are mostly designed in an ad hoc way, so they cannot come with security proofs. In modern cryptography, schemes are designed in a structured way so that they can be accompanied by security proofs, which are commonly based on rigorous definitions and hardness assumptions about underlying mathematical problems. The one-time pad, a special example of a classical cryptographic scheme, provides perfect security, while modern cryptographic schemes pursue computational security. The differences between perfect and computational security are explained further, together with the basic mathematical background used in computational security.
1.1 History of Cryptography
We classify cryptography into classical cryptography and modern cryptography, roughly according to whether a scheme dates from before or after the 1980s. In classical cryptography, schemes are designed in a non-rigorous way and are commonly breakable, with the exception of the one-time pad, which will be explained shortly. Representative historical classical ciphers include shift ciphers and substitution ciphers. A cipher means an algorithm for performing encryption or decryption. In contrast to classical cryptography, modern cryptographic schemes are designed in a rigorous way so that they can come with proofs of security, which are based on definitions and hardness assumptions about underlying mathematical problems.
1.1.1 Classical Cryptography
Let us first formally define what an encryption scheme (i.e., cipher) is.
The syntax of encryption Let K, M, C be the key, plaintext message, and ciphertext spaces, respectively. A basic encryption scheme Π is comprised of three algorithms.
1. The key-generation algorithm Gen is a probabilistic algorithm that outputs a key k ∈ K chosen according to some distribution determined by the scheme.
2. The encryption algorithm Enc takes as input a key k and a plaintext message m and outputs a ciphertext c ∈ C. We denote by Enc_k(m) the encryption of the plaintext m using the key k.
3. The decryption algorithm Dec takes as input a key k and a ciphertext c and outputs a plaintext m ∈ M. We denote the decryption of the ciphertext c using the key k by Dec_k(c).
The above scheme is also called a private-key encryption or symmetric encryption scheme.
Unlike the other classical ciphers, the one-time pad (OTP, aka Vernam's cipher [97], 1917) is perfectly secure regardless of the adversary's computational power, in the sense that a ciphertext reveals nothing about the underlying plaintext; equivalently, it is information-theoretically secure in the sense that the adversary simply does not have enough "information" to succeed in its attack. Intuitively, the one-time pad is perfectly secure because, given a ciphertext, every plaintext is equally likely to have produced it, so there is no way an adversary can tell which plaintext it originated from.
The syntax of one-time pad Let K = M = C = {0,1}^l (that is, the set of all binary strings of length l). The one-time pad is as follows.
1. Gen → k chosen uniformly at random from {0,1}^l (i.e., each of the 2^l strings in the space is chosen as the key with probability exactly 2^{-l}).
2. Enc_k(m) = m ⊕ k = c.
3. Dec_k(c) = c ⊕ k = m.
Correctness is established by verifying that c ⊕ k = (m ⊕ k) ⊕ k = m. Having gained some insight into the perfect security of the one-time pad, we can now formally define the exact notion of perfect security and explore some of its properties.
Definition 1 An encryption scheme (Gen, Enc, Dec) over a message space M is perfectly secure if for every probability distribution over M, every message m ∈ M, and every ciphertext c ∈ C with Pr[C = c] > 0: Pr[M = m | C = c] = Pr[M = m].
The above definition can be interpreted as: a scheme is perfectly secure if the distributions over messages and ciphertexts are independent. The following lemmas give equivalent formulations of Definition 1.
Lemma 1 An encryption scheme (Gen, Enc, Dec) over a message space M is perfectly secure if and only if for every probability distribution over M, every message m ∈ M, and every ciphertext c ∈ C: Pr[C = c | M = m] = Pr[C = c].
Lemma 2 An encryption scheme (Gen, Enc, Dec) over a message space M is perfectly secure if and only if for every probability distribution over M, every m0, m1 ∈ M and every ciphertext c ∈ C: Pr[C = c | M = m0] = Pr[C = c | M = m1].
The above lemmas imply that it is impossible to distinguish an encryption
of m0 ∈ M from an encryption of m1 ∈ M because for every m0 , m1 ∈ M,
the distributions C(m0 ) and C(m1 ) are identical. That is, the ciphertext con-
tains no information about the plaintext.
Adversarial indistinguishability is another equivalent definition of perfect security (aka perfect secrecy). This definition is based on a hypothetical interactive experiment, or game, in which an adversary tries to break a cryptographic scheme and an imaginary tester (i.e., challenger) checks whether the scheme is secure by computing the adversary's success probability. Through the following experiment, we prove the security of the underlying scheme by showing that no adversary can succeed with probability higher than one half, meaning that randomly guessing the bit is the best it can do.
The eavesdropping indistinguishability experiment PrivK^{eav}_{A,Π}(n)
1. The adversary A outputs a pair of messages m0, m1 ∈ M.
2. The challenger generates a random key k by running Gen, and chooses a random bit b ∈ {0,1}. Then, a ciphertext c ← Enc_k(m_b) is computed and given to A.
3. A outputs a bit b'.
4. The output of the experiment is defined to be 1 if b = b' (in this case, A was right) and 0 otherwise. We write PrivK^{eav}_{A,Π}(n) = 1 if the output is 1, and in this case we say that A succeeded in breaking the scheme Π.
Challenger B                          Adversary A
                  <----- m0, m1 -----
Gen → k
b ← {0,1}
c ← Enc_k(m_b)
                  ------- c -------->
                  <------ b' --------
If b = b', B outputs 1; if b ≠ b', B outputs 0.
Definition 2 An encryption scheme (Gen, Enc, Dec) over a message space M is perfectly secure if for every adversary A it holds that Pr[PrivK^{eav}_{A,Π}(n) = 1] = 1/2.
Note that the perfect security of the one-time pad follows from Lemma 2: for every l-bit message m and ciphertext c, Pr[C = c | M = m] = Pr[K = m ⊕ c] = (1/2)^l, which does not depend on m.
Proposition 1 Let (Gen, Enc, Dec) be an encryption scheme over a message space M. Then (Gen, Enc, Dec) is perfectly secure with respect to Definition 1 if and only if it is perfectly secure with respect to Definition 2.
Note that in the above there is no limitation whatsoever on the computational power of A (for example, A is not restricted to be a probabilistic polynomial-time adversary). Compare this definition with Definition 2 in Chapter 3.
Limitations of the one-time pad The following two limitations make the one-time pad, and indeed any perfectly secure scheme, impractical.
1. The key space must be at least as large as the message space (i.e., |K| ≥ |M|).
2. The key must be used only once. Otherwise, encrypting more than one message with the same key leaks information about the messages (for the one-time pad, c1 ⊕ c2 = m1 ⊕ m2).
It seems necessary to compromise on perfect security in order to achieve practical cryptographic schemes, which could arguably provide sufficient security in the real world.
TABLE 1.1 Comparison of info-theoretic security and computational security.
Info-theoretic security (perfect security)       | Computational security (practical security)
Adversary has unbounded computational resources  | Adversary has bounded computational resources
Pursuing zero success probability                | Negligible success probability is allowed
Ideal                                            | Practical
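The one-time pad above, together with Definition 2 and the two limitations, as an added example in Python (not code from the book and not part of its MIRACL-based implementations): keys and messages are a few bits long so that Pr[C = c | M = m] and Pr[PrivK^{eav}_{A,Π}(n) = 1] are enumerated exactly rather than sampled. The "two-time pad" scheme enc_two_time, the adversaries' guessing rules, and the 4-bit parameter L are constructed for this illustration.

```python
"""One-time pad with an exact check of perfect secrecy (Lemma 2), the
eavesdropping experiment PrivK^eav (Definition 2), and the two-time-pad
failure. Added example; not code from the book. Key/message lengths are
kept to a few bits so that every probability is enumerated exactly."""
import secrets
from fractions import Fraction


def gen(l):
    """Gen: a uniform l-bit key; each of the 2^l keys has probability 2^-l."""
    return secrets.randbits(l)


def enc(k, m):
    """Enc_k(m) = m xor k (integers stand for l-bit strings)."""
    return m ^ k


def dec(k, c):
    """Dec_k(c) = c xor k, so Dec_k(Enc_k(m)) = (m xor k) xor k = m."""
    return c ^ k


def enc_two_time(k, m):
    """Constructed 'two-time pad': the same l-bit key encrypts two l-bit
    blocks, so |K| = 2^l < |M| = 2^(2l) and the key is reused."""
    return (m[0] ^ k, m[1] ^ k)


def ciphertext_distribution(encrypt, m, l):
    """Pr[C = c | M = m] for every c, enumerating all 2^l keys exactly."""
    counts = {}
    for k in range(1 << l):
        c = encrypt(k, m)
        counts[c] = counts.get(c, 0) + 1
    return {c: Fraction(n, 1 << l) for c, n in counts.items()}


def is_perfectly_secret(encrypt, messages, l):
    """Lemma 2: the ciphertext distribution must be identical for every message."""
    dists = [ciphertext_distribution(encrypt, m, l) for m in messages]
    return all(d == dists[0] for d in dists[1:])


def privk_eav_exact(encrypt, l, m0, m1, guess):
    """Pr[PrivK^eav_{A,Pi} = 1] computed exactly: average over every key k and
    both values of the challenge bit b; A's guess b' is given by guess(c)."""
    wins = 0
    for k in range(1 << l):
        for b in (0, 1):
            c = encrypt(k, (m0, m1)[b])
            wins += guess(c) == b
    return Fraction(wins, 2 << l)


L = 4  # bits; 2^4 keys are enumerated below


def otp_is_perfect():
    """(Lemma 2 holds?, Pr[A wins]) for the OTP; A guesses the low bit of c."""
    return (is_perfectly_secret(enc, range(1 << L), L),
            privk_eav_exact(enc, L, 0b0000, 0b1111, lambda c: c & 1))


def two_time_pad_is_broken():
    """A chooses m0 = (0,0), m1 = (0,1): equal ciphertext blocks reveal b = 0."""
    pairs = [(a, b) for a in range(1 << L) for b in range(1 << L)]
    return (is_perfectly_secret(enc_two_time, pairs, L),
            privk_eav_exact(enc_two_time, L, (0, 0), (0, 1),
                            lambda c: 0 if c[0] == c[1] else 1))


def reuse_leaks_xor(k, m0, m1):
    """Key reuse: c0 xor c1 = m0 xor m1, whatever the key was."""
    return enc(k, m0) ^ enc(k, m1) == m0 ^ m1


if __name__ == "__main__":
    k = gen(8)
    assert dec(k, enc(k, 0xA5)) == 0xA5
    print("OTP (Lemma 2 holds, Pr[A wins]):", otp_is_perfect())
    print("two-time pad (Lemma 2 holds, Pr[A wins]):", two_time_pad_is_broken())
```

For the one-time pad any guessing rule gives exactly 1/2, because c = m_b ⊕ k is uniform whichever b was chosen; for the two-time pad the adversary wins with probability 1, which is the concrete form of both limitations above.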
1.1.2 Modern Cryptography
Modern cryptography is based on complexity theory (i.e., the theory of how easy or difficult it is to solve a given problem computationally). It should not matter whether a ciphertext reveals information about the message; what matters is whether this information can be efficiently extracted by an adversary.
Modern cryptography takes a computational approach, which gives security that is weaker than perfect (i.e., information-theoretic) security but sufficient in practice. The main differences between perfect security and computational security are summarized in Table 1.1.
"Practical" means that computationally secure schemes can be broken given enough time and computation, but, under certain assumptions, the amount of time and computation needed to break the scheme would exceed a person's lifetime, for example.
The computational approach incorporates two relaxations of the notion of
perfect security.
1. Security is only guaranteed against “efficient” adversaries that run
in a feasible amount of time, and
2. Adversaries can potentially succeed with some “very small proba-
bility” (that is, small enough so that we are not concerned with the
probability that it will ever really happen).
How can we formally or rigorously define what is meant by the above?
There are two common approaches: the concrete approach and the asymp-
totic approach.
The concrete approach explicitly specifies the maximum success probability of any adversary running for at most some specified amount of time. It takes the following form.
A scheme is (t, ε)-secure if every adversary running for time at most t succeeds in breaking the scheme with probability at most ε.
For example, no adversary running for at most 2^80 CPU cycles can break the scheme with probability better than 2^{-64}.
The asymptotic approach, rooted in complexity theory, views the running
time of the adversary as well as its success probability as functions of some
parameter n (that is, security parameters which are determined during initial-
ization of a scheme, for example, key length) rather than as concrete numbers.
1. We equate the notion of “feasible strategies” or “efficient algorithm”
or “practical algorithm” with probabilistic algorithms running in
time polynomial in n (PPT stands for probabilistic polynomial
time).
2. We equate the notion of “very small probability of success” with
success probabilities smaller than any inverse polynomial in n. A
function that grows slower than any inverse polynomial is called
negligible.
It takes the following form which is employed in the book.
A scheme is secure if every PPT adversary succeeds in
breaking the scheme with only negligible probability.
Modern cryptography takes a rigorous approach to security based upon
the following, which is the main theme of Chapter 2:
1. exact (i.e., formal) definitions of security including the attack goal
and model
2. precise assumptions on both the resources given to the adversary
and the hardness of the underlying computational problem(s)
3. proof techniques
1.2 Background Review
Background knowledge useful in computational security is presented in this
section.
1.2.1 Big Oh Notation
Suppose we have a function f(n): N → N. Then we say that f(n) = O(g(n)) if and only if there exist constants d, n0 ∈ Z such that for all n ≥ n0, f(n) ≤ d·g(n).
Big-oh notation is used to express the time complexity of an algorithm. It represents a worst-case (upper) bound, and the highest-order term determines the complexity.
Examples
Take f(n) = 3n^2 + 3n. The purpose of big-oh notation is to find the dominant term of the function as the variable, here n, goes to infinity. Looking at the function, some terms matter more than others: as n goes to infinity, n becomes negligible compared with n^2, so we drop the less prominent terms. The only term that determines the complexity is the highest-order term, n^2, and the complexity of 3n^2 + 3n is O(n^2). Similarly, the complexity of 3n + 3 is O(n).
Properties
1. If k1 ∈ O(f1) and k2 ∈ O(f2), then k1·k2 ∈ O(f1·f2).
2. If k1 ∈ O(f1) and k2 ∈ O(f2), then k1 + k2 ∈ O(max(f1, f2)).
1.2.2 Polynomial
We say that f(n): N → N is polynomially bounded, or simply a polynomial, if and only if f(n) = O(n^c) for some constant c ≥ 0. In general, we say that an algorithm is efficient if its complexity can be expressed as a polynomial in the input size n.
Examples
1. F(n) = 3n^2 + 3n is a polynomial, as F(n) = O(n^2), where c = 2.
2. G(n) = 3n + 3 is a polynomial, as G(n) = O(n), where c = 1.
3. P(x) = 2x^4 + x^3 − 2x^2 + 1 is a polynomial with integer coefficients of degree c = 4.
Properties
1. A polynomial cannot have fractional powers of the variable.
2. Exponents of the variables should not be negative.
3. Any two polynomials can be added, subtracted, or multiplied, and
the result will be a polynomial, too.
1.2.3 Super Polynomial
A function that grows faster than every polynomial is super polynomial: f(n) is super polynomial if f(n) ≠ O(n^c) for every constant c. An algorithm whose running time is super polynomial in the input size is not considered efficient.
Examples
1. F(n) = 2^n is super polynomial: for every c, 2^n / n^c → ∞ as n → ∞.
2. F(n) = n! is super polynomial, since n! ≥ 2^n for all n ≥ 4.
3. F(n) = n^{log n} is super polynomial, since n^{log n} > n^c as soon as log n > c.
Note that a function which merely fails to be a polynomial in the algebraic sense, such as 8x^{-2} + 1 (negative exponent), 5x^{1/2} + 4 (fractional exponent), or (5x^3 − 1)/(3x) (a quotient), is not thereby super polynomial: each of these is bounded above by a polynomial (for instance (5x^3 − 1)/(3x) = O(x^2)), so an algorithm with such a running time is still efficient.
Properties
1. The sum of a super polynomial function and any non-negative function (in particular, another super polynomial function) is super polynomial.
2. The product of two super polynomial functions is super polynomial.
3. The difference of two super polynomial functions need not be super polynomial (e.g., 2^n − 2^n = 0).
1.2.4 Negligible
We say that a function f(n): N → R is negligible (written negl) if for every polynomial p there exists n0 ∈ Z such that for all n ≥ n0, f(n) < 1/p(n). Note that p(n) is not a specific polynomial but an arbitrary one: the threshold n0 may depend on p.
Equivalently, f is negligible if for every positive integer c there exists an integer n0 such that for all n > n0, |f(n)| < 1/n^c.
Examples
1. f(n) = a^{-n} is negligible for any constant a ≥ 2 (in particular, 2^{-n}).
2. f(n) = 2^{-√n} is negligible.
Properties
1. If f and h are two negligible functions, their sum f + h is also negligible.
2. If f is non-negligible and h is negligible, their difference f − h is non-negligible.
3. If p is a polynomial and h is a negligible function, the product p·h is negligible.
Exercises
1.1 Prove that Definition 1 implies Definition 2.
1.2 Prove that Definition 2 implies Definition 1.
1.3 Explain why the one-time pad scheme is not perfectly secure if
1. the key space is smaller than the message space (i.e., |K| < |M|), or
2. the key is used more than once.
1.4 Prove Lemma 1.
1.5 Prove Lemma 2.
2 Structure of Security Proof
CONTENTS
2.1 Overview of Security Proof p. 14
2.1.1 Why Proving Security? p. 14
2.1.2 Security Goals p. 14
2.1.3 Attack Models p. 16
2.1.4 How Can We Build a Cryptographic Scheme? Lego Approach! p. 17
2.1.5 Computational Assumptions p. 17
2.2 Proof by Reduction p. 18
2.2.1 What Is Reduction? p. 19
2.2.2 Outline of Security Proof by Reduction p. 19
2.3 Random Oracle Methodology p. 20
2.3.1 Security Proof in the Random Oracle Model p. 21
2.4 Sequence of Games p. 22
2.4.1 Hybrid Argument p. 24
2.5 The Generic Group Model p. 25
Exercise p. 26
This chapter provides an overview of the structure of security proofs. In modern cryptography, one establishes a formal security notion of the scheme to be designed, makes precise computational assumptions, builds the scheme based on some existing atomic primitive(s), and finally proves its security by exhibiting a so-called reduction between an algorithm that breaks the security notion and an algorithm that contradicts the assumptions. Regarding the security notion, security goals are defined for encryption and signature schemes, and attack models are described for the types of attack scenarios against them. We discuss how higher-level cryptographic schemes can be built by assembling lower-level ones. The rest of the chapter discusses reduction and various reduction-based security proof techniques, including the random oracle methodology, sequence of games, and the generic group model. Readers are encouraged to return to this chapter whenever they encounter the relevant security proof techniques.
2.1 Overview of Security Proof
In this chapter, we will look at the basic concepts of security proof and various
proof techniques.
2.1.1 Why Proving Security?
To answer this question, we consider the different paradigms taken by classical and modern cryptography. Classical cryptography takes an iterated design approach, where one tries to design a cryptographic scheme by endless iteration of the process "attack found ⇒ revision to the scheme." The problem with this approach is that one never knows whether things are right, and when damaging attacks emerge, it is difficult or impossible to fix them effectively. Modern cryptography, on the other hand, takes a completely different approach called provable security, where one designs a cryptographic scheme and proves that no attack exists under some assumptions. In this approach, one establishes a formal security notion of the scheme to be designed, makes precise computational assumptions, builds the scheme from some existing atomic primitive(s), and finally proves its security by exhibiting a so-called reduction between an algorithm that breaks the security notion and an algorithm that contradicts the assumptions. A security notion is defined by pairing a security goal of the designed scheme with an attack model, which describes what means or information are available to attackers. An example of a security notion is the eavesdropping indistinguishability experiment PrivK^{eav}_{A,Π}(n) in Chapter 1, where indistinguishability corresponds to the security goal and eavesdropping to the attack model. Figure 2.1 shows the comparison of the iterated design and provable security.
2.1.2 Security Goals
1. Security goals for encryption schemes
(a) Unbreakability It should not be feasible for an adversary to
compute the secret key from the public key (denoted UBK).
(b) One-wayness It should not be feasible to invert the encryp-
tion function over any ciphertext under any given key (denoted
OW).
(c) Indistinguishability^1 It should not be feasible to distinguish which of two messages was encrypted, given a ciphertext (denoted IND).
(d) Non-malleability It should not be feasible to transform some ciphertext into another ciphertext such that the plaintexts are meaningfully related (denoted NM).
^1 Ciphertext indistinguishability is known to be equivalent to so-called semantic security. It is the computational-complexity analogue of perfect secrecy: perfect secrecy means that the ciphertext reveals no information at all about the plaintext, whereas semantic security means that any information revealed cannot be feasibly extracted.
FIGURE 2.1 Comparison of iterated design and provable security.
2. Security goals for signature schemes
(a) Unbreakability It should not be feasible to compute the secret
key from the public key (denoted UBK).
(b) Universal unforgeability It should not be feasible to produce
a valid signature of any message in the message space (denoted
UUF).
(c) Selective unforgeability It should not be feasible to produce
a valid signature of a message an attacker committed to before
knowing the public key (denoted SUF).
(d) Existential unforgeability It should not be feasible to pro-
duce a message and a valid signature of it (likely not of his
choosing) (denoted EUF).
(e) Non-malleability It should not be feasible to construct an-
other signature for the same message when given a pair of mes-
sage and signature (denoted NM).
Indistinguishability comes in different equivalent flavors:
1. Left-or-Right IND The adversary chooses two plaintexts. One
is selected at random and its encryption is given to the adversary.
It should be hard for the adversary to tell which one was selected
given the encryption.
2. Real-or-Random IND The adversary provides a plaintext. An
encryption of either this plaintext or a randomly selected one is
returned to the adversary. It should be hard for the adversary to
decide whether the encryption encrypts the plaintext or not.
2.1.3 Attack Models
1. Basic types of attack scenarios against encryption schemes
(a) Ciphertext-only attack The adversary just observes a ciphertext (or multiple ciphertexts) and attempts to determine the underlying plaintext (or plaintexts) (denoted COA). The eavesdropping adversary in this book belongs to this category.
(b) Known-plaintext attack The adversary learns one or more
pairs of plaintexts/ciphertexts encrypted under the same key.
The aim of the adversary is then to determine the plaintext
that was encrypted in some other ciphertext (denoted KPA).
(c) Chosen-plaintext attack The adversary has the ability to
obtain the encryption of plaintexts of its choice. It then at-
tempts to determine the plaintext that was encrypted in some
other ciphertext (denoted CPA).
(d) Chosen-ciphertext attack The adversary has the ability to obtain the decryption of ciphertexts of its choice, but only before it receives the challenge ciphertext. It then attempts to determine the plaintext that was encrypted in some other ciphertext (denoted CCA, aka CCA1, lunchtime, or midnight attack).
(e) Adaptive chosen-ciphertext attack The adversary has the
ability to obtain the decryption of ciphertexts of its choice adap-
tively (that is, it chooses next ciphertexts after viewing the
decryption of the previously selected ciphertexts). It then at-
tempts to determine the plaintext that was encrypted in some
other ciphertext (denoted CCA2).
2. Basic types of attack scenarios for signature schemes
(a) Key-only attack The adversary knows only the public key and must produce a forgery from it (KOA).
(b) Known-message attack The adversary obtains signatures for a set of known messages that it did not choose (KMA).
(c) Chosen-message attack The adversary chooses a set of messages and is given the corresponding signatures. The choice of the set of messages is non-adaptive, i.e., fixed before any signature is seen (CMA).
(d) Adaptive chosen-message attack The adversary is able to obtain signatures on arbitrary messages chosen adaptively (that is, it chooses the next message after viewing the signature of the previous message) during its attack (Adaptive CMA).
As mentioned above, any notion (or definition) of a scheme consists of two
distinct components.
1. a specification of the adversary’s power (attack types such as eaves-
dropping attack, chosen plaintext attack, chosen ciphertext attack,
etc.; it runs in polynomial time; the number of queries is polynomial,
etc.)
2. a description of what constitutes a “break” of the scheme (indistin-
guishable encryption, existential unforgeability, etc.)
2.1.4 How Can We Build a Cryptographic Scheme? Lego Approach!
We construct higher-level schemes by assembling and connecting lower-level schemes or atomic primitives such as
1. pseudorandom generators, pseudorandom functions
2. one-way functions, one-way trapdoor functions, one-way trapdoor permutations
3. hash functions (e.g., SHA-1, MD5; note that both are now broken with respect to collision resistance, so SHA-2 or SHA-3 should be used in new designs)
4. private-key permutations (e.g., DES, AES; DES is obsolete because of its 56-bit key)
5. message authentication codes
6. arithmetic or Boolean operations
7. and so on.
We typically design high-level primitives from the atomic ones, and history shows that the transformer (the construction that combines them) is usually the weak link: the atomic primitives are secure, yet the higher-level primitive built from them is insecure. Provable security addresses exactly this point, by giving transformers for which we can guarantee that if the atomic primitives are secure, the high-level primitives are also secure. Figure 2.2 shows how the atomic primitives are linked to the high-level primitives through the transformers.
2.1.5 Computational Assumptions
Cryptographic primitives are connected to plenty of supposedly intractable problems such as
1. discrete log is hard
2. factoring is hard
3. RSA is hard
4. computational/decisional Diffie-Hellman is hard
5. computing residuosity classes is hard
6. deciding residuosity is hard
7. finding shortest lattice vector is hard
8. etc.
2.2 Proof by Reduction
Motivation A cryptographic scheme that is computationally secure (but not
perfectly secure) can always be broken given enough time. Then how can we
prove it? To prove that some scheme is computationally secure requires a lower
bound on the time needed to break the scheme, which is very hard to achieve
in the current state of the art. Instead, we take the following approach: assume that some low-level problem is hard to solve, and then prove that the scheme in question is secure under this assumption.
Then how can we relate the scheme in question to the low-level problem? It is by the concept of reduction, which originates from complexity theory. Now we walk through a high level outline of a security proof by reduction.
FIGURE 2.2
Lego approach.
2.2.1 What Is Reduction?
Suppose we want to build some cryptographic scheme Π and show that an adversary A attacking Π under some security notion, e.g., IND-CPA, can be used as a black box tool to solve some supposedly hard problem, e.g., X, with non-negligible probability (in this case, we say that Π is reducible to X). This, however, contradicts the computational assumption. Therefore, we can conclude that Π is provably IND-CPA secure in the presence of the attacker under the assumption that X is hard.
Note 1: The reduction has to simulate the attacker’s environment in a way
that preserves (or does not alter too much) the distribution of all random
variables which it interacts with.
Note 2: A reduction shows that the only way to defeat the scheme is to
break the underlying atomic primitive.
2.2.2 Outline of Security Proof by Reduction
1. Begin with an assumption that some problem X cannot be solved by
any polynomial time algorithm except with negligible probability.
2. Fix some efficient (i.e., probabilistic polynomial time) adversary A attacking Π with success probability ε(n), where n is the input size of the problem.
3. Construct an efficient algorithm B (called the “reduction,” “chal-
lenger,” or “simulator”) that attempts to solve the problem X using
A as a sub-routine. So, given some input instance x of X, B simu-
lates for A an instance of Π such that
(a) As far as A can tell, it interacts with Π. More formally, the
view of A when it is run as a sub-routine by B should be dis-
tributed identically to (or at least close to) the view of A when
it interacts with Π itself.
(b) If A succeeds in “breaking” the instance of Π that is being
simulated by B, this should allow B to solve the instance x, at
least with inverse polynomial probability 1/p(n).
4. Combining (a) and (b) together implies that if ε(n) is not negligible, then B solves problem X with non-negligible probability ε(n)/p(n), which contradicts the initial assumption.
5. We conclude that Π is computationally secure under the assump-
tion.
A high level overview of a security proof by reduction is shown in Figure 2.3.
FIGURE 2.3
A high level overview of a security proof by reduction.
2.3 Random Oracle Methodology
When designing and validating cryptographic schemes, we use two kinds of models: the standard model, where no random oracle is present, and the random oracle model. Cryptographic schemes are usually based on complexity assumptions, which state that some problem, for example, factorization, cannot be solved in polynomial time. Schemes which can be proven secure using only complexity assumptions are said to be secure in the standard model. Under the random oracle model, we construct and prove a scheme under the assumption that the world contains a random oracle. A random oracle is a powerful but imaginary function: powerful because it is deterministic and efficient and yet its output is uniform, that is, computationally indistinguishable from the uniform distribution; imaginary because the output of a random oracle has an entropy greater than that of its input, and by Shannon's theory a deterministic function cannot amplify entropy, so a random oracle does not exist. However, the difficulty arises when
we instantiate the scheme in the real world (for example, when replacing the
random oracle by a concrete hash function). In fact, it is known that there
exist contrived schemes that can be proven secure in the random oracle model
but are insecure no matter how the random oracle is instantiated.
For these reasons, a proof of security in the random-oracle model should
be viewed as providing evidence that a scheme has no “inherent design flaws,”
but is not a rigorous proof that any real world instantiation of the scheme is
secure.
Therefore, proofs of security in the random oracle model are less desirable and less satisfying than those in the standard model. However, the random oracle model continues to be widely used. Why? Notwithstanding the limitations of the random oracle model, it has the following benefits.
1. It enables the design of substantially more efficient schemes than those we know how to construct in the standard model.
2. The schemes in the random oracle model are comparatively easier to prove secure than in the standard model.
2.3.1 Security Proof in the Random Oracle Model
In the standard model, a definition of security for Π takes the following general form: a scheme Π is secure if for any probabilistic polynomial-time (PPT) adversary A, the probability of some “bad” event is below some threshold γ (for encryption γ = 1/2 and for signatures γ = 0); in other words, we have
$$\Pr[\mathrm{Experiment}_{\mathcal{A},\Pi}(n) = 1] \le \gamma + \mathrm{negl}(n), \qquad (2.1)$$
where this probability is taken over the random choices of the parties running
Π and those of the adversary A. Assuming the honest parties who use Π in
the real world make random choices as directed by the scheme, satisfying a
definition of this sort guarantees security for real-world usage of Π.
In the random oracle model, in contrast, a scheme Π may rely on an oracle H. As before, Π is secure if for all PPT adversaries A the probability of some “bad” event is below some threshold; in other words,
$$\Pr[\mathrm{Experiment}_{\mathcal{A}^H,\Pi^H}(n) = 1] \le \gamma + \mathrm{negl}(n), \qquad (2.2)$$
where A^H denotes that A is given oracle access to H, and Π^H denotes that a concrete scheme is obtained by fixing H. But now this probability is taken over the random choice of H as well as the random choices of the parties running Π and those of the adversary A. When using Π in the real world, some (instantiation of) H must be fixed. Unfortunately, security of Π is not guaranteed for any particular choice of H.
Proofs in the random oracle model can exploit the fact that H is chosen at random, and that the only way to evaluate H(x) is to explicitly query x to H (i.e., the adversary is given only oracle access to H and cannot evaluate H on its own). The reduction can set the value of H(x) (i.e., the response to query x) to a value of its choice, as long as this value is correctly distributed, i.e., uniform; this is known as the programmability feature.
Examples
1. CPA-secure RSA Encryption in the random oracle model in Chapter 9
2. CCA-secure RSA Encryption in the random oracle model in Chapter 9
3. CCA-secure RSA-OAEP in the random oracle model in Chapter 9
4. CMA-secure El Gamal Signature in the random oracle model in Chapter 10
5. CMA-secure FDH-RSA Signature in the random oracle model in Chapter 10
6. CPA-secure BF-IBE in the random oracle model in Chapter 11
7. CCA-secure Delerablee’s IBBE in the random oracle model in Chapter 18
2.4 Sequence of Games
A convenient way to structure the reductionist proof is to consider a sequence
of games (aka Shoup’s Modular Proof).
Suppose a cryptographic protocol is built upon several other smaller pro-
tocols, which are presumed to be secure. One starts with the assumption
that there is an adversary who can break the main protocol with some non-
negligible advantage in the given security model. This adversary is then used
as a blackbox to construct an algorithm that either solves the underlying hard
computational problem X or breaks one of the smaller provably secure pro-
tocols with non-negligible probability of success. This contradicts the original
hypothesis.
It takes the following form:
If (smaller protocols are secure and) some problem X is computationally
hard, then the main protocol is secure.
To prove, for example, the indistinguishability of the encryption of two
equal length plaintexts, we construct a sequence of games of the following
form.
A Game Sequence
G_0, G_1, ..., G_k.
Let X_i be the event that γ = γ' in Game G_i. We consider
Pr[X_0],
Pr[X_0] − Pr[X_1],
...,
Pr[X_{k−1}] − Pr[X_k],
Pr[X_k].
In the above sequence, the following points are to be noted
1. G_0 is the game which defines the security of the protocol and so
$$\mathrm{Adv}(\mathcal{A}) = \big|\Pr[\gamma = \gamma'] - 1/2\big| = \big|\Pr[X_0] - 1/2\big|. \qquad (2.3)$$
2. Games G_{i−1} and G_i differ:
(a) Game G_i is described as being an incrementally modified version of Game G_{i−1}.
(b) The difference is not too much (that is, G_i is described as being an incrementally modified version of G_{i−1}).
(c) The adversary should not be able to notice whether he is playing Game G_{i−1} or Game G_i.
3. G_k, the last game, describing the complete reduction algorithm, is designed such that the bit is statistically hidden from the adversary. So
$$\Pr[X_k] = 1/2. \qquad (2.4)$$
4. More precisely, Pr[X_{i−1}] − Pr[X_i] is bounded above by
(a) either the advantage of an adversary in breaking one of the smaller protocols,
(b) or the advantage of solving the problem P.
Hence
$$\mathrm{Adv}(\mathcal{A}) = \big|\Pr[X_0] - 1/2\big| = \big|\Pr[X_0] - \Pr[X_k]\big| \le \big|\Pr[X_0] - \Pr[X_1]\big| + \big|\Pr[X_1] - \Pr[X_2]\big| + \cdots + \big|\Pr[X_{k-1}] - \Pr[X_k]\big|. \qquad (2.5)$$
If the adversary has a non-negligible advantage, then there must be at least two consecutive games, G_{i−1} and G_i, such that |Pr[X_{i−1}] − Pr[X_i]| is non-negligible, which contradicts the original hypothesis (that is, that the small protocols are secure).
This methodology allows us to
1. check proofs more easily (longer proofs are possible).
2. compare different proof strategies.
3. concatenate proofs in a modular way by re-using pre-existing parts.
It enables us to build security reductions for cryptographic schemes that use provably secure ingredients.
Examples
1. Waters’ IBE in Chapter 13
2. Waters’ HIBE in Chapter 14
3. Predicate Encryption in Chapter 21
4. Functional Encryption in Chapter 21
2.4.1 Hybrid Argument
A sequence of games is usually used in a hybrid argument (aka hybrid proof). The hybrid argument is a proof technique often used in cryptography to show that two distributions are computationally indistinguishable. The name comes from the process of defining several “hybrid” distributions built from the original two distributions.
Proofs that use the hybrid argument follow this basic pattern.
1. Define a sequence of polynomially many (in the security parameter) distributions D_0, ..., D_t (called the hybrid distributions, or simply the hybrids) in the following way.
(a) The extreme distributions D_0 and D_t are the distributions we wish to show computationally indistinguishable.
(b) Any adjacent distributions D_i and D_{i+1} differ by only one application of a cryptographic primitive. Often we replace a cryptographic primitive by its idealization between adjacent distributions (for example, replace the output of a pseudorandom generator with a truly random string).
2. Since they differ only in one simple aspect, it is (comparatively) easier to prove that adjacent distributions are computationally indistinguishable (in the security parameter).
3. Since computational indistinguishability is transitive across a polynomial number of distributions, we conclude that the endpoints D_0 and D_t are computationally indistinguishable, as desired.
Often the order in which the hybrids are defined is significant and the
proof will not work with a different hybridization of the two distributions.
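The following worked instance of the pattern above is added here and is not from the original text. It carries the hybrid argument through for t = poly(n) independent outputs of a pseudorandom generator G with expansion factor l (the symbols of Definition 4 in Chapter 3); the hybrid names H_j and the auxiliary distinguisher D'_j are my own notation.

Goal: show that (G(s_1), ..., G(s_t)) with independent s_i ← {0,1}^n is computationally indistinguishable from (r_1, ..., r_t) with independent r_i ← {0,1}^{l(n)}.

Hybrids: for j = 0, ..., t let
$$H_j = \big(G(s_1), \dots, G(s_j),\; r_{j+1}, \dots, r_t\big),$$
so H_0 is the all-random distribution, H_t is the all-pseudorandom one, and adjacent hybrids differ in exactly one position.

Telescoping (the same triangle inequality as in (2.5)): for any PPT distinguisher D,
$$\big|\Pr[D(H_0)=1] - \Pr[D(H_t)=1]\big| \le \sum_{j=1}^{t} \big|\Pr[D(H_{j-1})=1] - \Pr[D(H_j)=1]\big|.$$

One step: for a fixed j, build D'_j which, on input w ∈ {0,1}^{l(n)}, samples s_1, ..., s_{j−1} and r_{j+1}, ..., r_t itself and outputs D(G(s_1), ..., G(s_{j−1}), w, r_{j+1}, ..., r_t). If w is uniform, the tuple handed to D is distributed as H_{j−1}; if w = G(s) for s ← {0,1}^n, it is distributed as H_j. Hence
$$\big|\Pr[D(H_{j-1})=1] - \Pr[D(H_j)=1]\big| = \big|\Pr[D'_j(r)=1] - \Pr[D'_j(G(s))=1]\big| \le \mathrm{negl}(n)$$
by the pseudorandomness of G (equation (3.3)), since D'_j runs in polynomial time.

Conclusion: the sum is at most t · negl(n), which is negligible because t is polynomial in n. The single step works only because D'_j can sample every component other than w on its own, which is exactly the point about ordering: the hybrids must be arranged so that the position being replaced is independent of everything else in the tuple.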
Example
1. Second proof of CCA-secure encryption scheme using MAC in
Chapter 6
2.5 The Generic Group Model
Until now, in order to prove a cryptographic scheme is secure under some well-
known hard assumption(s) such as discrete log, factoring, etc., we reduced the
scheme to the assumption(s). But how can we prove the security of the scheme
under new presumably hard assumption(s)? To do this, we should additionally
prove that the new assumptions are hard to solve computationally using the
generic group model.
One of the main uses of the generic group model is to analyze computational hardness assumptions. An analysis in the generic group model can answer the question: “What is the fastest generic algorithm for breaking a cryptographic hardness assumption?” This question was answered for the discrete logarithm problem by Victor Shoup using the generic group model [92]. To solve the discrete logarithm and its related problems, including the Diffie-Hellman problem, it is known that any generic algorithm must perform at least p^{1/2} group operations, where p is the largest prime dividing the order of the group.
There are two basic requirements when the notion of generic group algo-
rithms is modeled formally.
1. The algorithm which intends to solve a given problem instance must
not be able to exploit any property of a given representation of
group elements, i.e., the group representation must be hidden.
2. Nevertheless, the algorithm must be able to perform computations
on group elements. That is, the algorithm must (at least) be able
to perform the group operation and check for equality of elements
without knowing a concrete representation of the group elements.
Shoup has modeled a generic group by only a few operations (i.e., perform-
ing the group operation) and relations (i.e., checking for equality of elements)
but it can be extended by additional operations or relations.
The generic group model is an idealized cryptographic model, where the
adversary is denoted by the generic algorithm. A generic algorithm is an al-
gorithm that is allowed to perform group operations by making queries to the
group operation oracle and equality test, but no other operations. That is,
it does not exploit any special properties of the encodings of group elements
(e.g., efficient encodings, such as those used by the finite field or elliptic curve
groups used in practice), other than the property that each group element is
encoded as a unique random binary string. Note that if special properties of
the encodings are available to the adversary, then the adversary can exploit
them. If the group should allow for a pairing operation, for example, this op-
eration would be modeled as an additional oracle.
The generic group model is motivated by the fact that the elements of a group must be represented in some way in order to be able to perform computations on group elements. A general way of representing elements, e.g., in a computer, is as bit strings. Thus, without loss of generality, a representation of a group can be seen as a bijective map from the group to a set of bit strings. Let G be a group of order n and S_n be a subset of {0,1}^{log|G|}, a set of n different bit strings. Let σ : G → S_n be a bijective encoding function, chosen at random among all possible such functions, which encodes group elements as random but unique binary strings. The random encoding ensures that the group G has only the defined properties of an abstract group.
In order to be able to perform computations on randomly encoded group elements, we assume an oracle O that computes operations (i.e., binary functions) or relations (for instance, a query to a decisional Diffie-Hellman oracle can be modeled as a relation) from some operation set on bit strings representing group elements. The equality relation is always included in the relation set implicitly, since the bijectivity of the encoding function allows one to check for equality of elements by checking for equality of encodings.
The generic group model suffers from some of the same problems as the
random oracle model. Note that the generic group model uses random encod-
ing without planting any input instances, while the random oracle model uses
random hashing with planting input instances.
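The model just described, as an added example that is not from the book: a Python simulation of a generic group for the additive cyclic group Z_n, in which every element is hidden behind a random, unique label (the encoding σ, chosen lazily) and a generic algorithm may only query the group-operation oracle and compare labels. The class and function names (GenericGroupOracle, generic_scalar_mult, demo), the label length and the sample parameters n = 1019, x = 777 are my own assumptions for illustration.

```python
import secrets
from typing import Dict


class GenericGroupOracle:
    """Generic group model for the additive cyclic group Z_n (constructed example).

    The encoding sigma: Z_n -> {0,1}^label_bits is chosen lazily and uniformly:
    each element receives a fresh random label the first time it is touched,
    which is equivalent to picking a random injective encoding up front.
    A generic algorithm sees only labels; it may (1) ask op() to combine two
    labels and (2) compare labels for equality (bijectivity makes label
    equality the same as element equality). Nothing else about the
    representation is exposed, and every op() call is counted.
    """

    def __init__(self, n: int, label_bits: int = 128) -> None:
        self.n = n
        self._label_bytes = label_bits // 8
        self._to_label: Dict[int, bytes] = {}
        self._from_label: Dict[bytes, int] = {}
        self.queries = 0  # group-operation queries made so far

    def encode(self, x: int) -> bytes:
        """sigma(x): challenger-side encoding, not available to the generic algorithm."""
        x %= self.n
        if x not in self._to_label:
            label = secrets.token_bytes(self._label_bytes)
            while label in self._from_label:          # keep sigma injective
                label = secrets.token_bytes(self._label_bytes)
            self._to_label[x] = label
            self._from_label[label] = x
        return self._to_label[x]

    def identity(self) -> bytes:
        return self.encode(0)

    def generator(self) -> bytes:
        return self.encode(1)

    def op(self, a: bytes, b: bytes) -> bytes:
        """Group-operation oracle: sigma(x), sigma(y) -> sigma(x + y mod n)."""
        if a not in self._from_label or b not in self._from_label:
            raise ValueError("label was never issued by the oracle")
        self.queries += 1
        return self.encode(self._from_label[a] + self._from_label[b])


def generic_scalar_mult(oracle: GenericGroupOracle, g: bytes, x: int) -> bytes:
    """Compute sigma(x * g) by double-and-add using only oracle queries.

    This is a generic algorithm in Shoup's sense: it never inspects a label,
    it only feeds labels back into op() and compares them.
    """
    acc = oracle.identity()
    addend = g
    while x > 0:
        if x & 1:
            acc = oracle.op(acc, addend)
        x >>= 1
        if x:
            addend = oracle.op(addend, addend)
    return acc


def demo(n: int = 1019, x: int = 777) -> dict:
    """Run the generic algorithm and report what it achieved and at what query cost."""
    oracle = GenericGroupOracle(n)
    g = oracle.generator()
    label = generic_scalar_mult(oracle, g, x)
    return {
        "matches_direct_encoding": label == oracle.encode(x),
        # the order of g is recognised generically: n * g equals the identity
        "n_times_g_is_identity": generic_scalar_mult(oracle, g, n) == oracle.identity(),
        "queries": oracle.queries,
    }
```

The `queries` counter is the quantity a generic-group lower bound such as Shoup's p^{1/2} is stated in: every group operation is an oracle call, and equality tests are free. What the model deliberately leaves out is everything a concrete adversary also sees, namely the actual encoding of elements in a finite field or on an elliptic curve.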
Examples
1. Waters’ HIBE in Chapter 14
2. CP-ABE in Chapter 19
Exercise
2.1 Compare the standard model with the random oracle model.
3 Private-Key Encryption (1)
CONTENTS
3.1 Defining Computationally-Secure Encryption ... 27
3.2 Pseudorandomness ... 29
3.3 A Private-Key Encryption Scheme Based on Pseudorandom Generator ... 30
Exercises ... 33
This chapter discusses private-key encryption schemes. The first part defines a computationally secure private-key encryption scheme as a tuple of probabilistic polynomial-time algorithms for key generation, encryption, and decryption and explains the differences from its perfectly secure counterpart. The next part of the chapter introduces the notion of pseudorandomness and defines a pseudorandom generator. Subsequently, the construction of a private-key encryption scheme based on a pseudorandom generator is presented with its security proof.
3.1 Defining Computationally-Secure Encryption
In the previous chapter, we presented a definition of perfect security for private-key encryption, where there is no computational restriction on the adversary. To achieve practical yet sufficient security, also called computational security, we need to relax the notion of perfect security in two ways: first, security is guaranteed only against efficient (i.e., polynomial-time) adversaries; second, a small (i.e., negligible) probability of success is allowed. To reflect this, we introduce a security parameter 1^n to parameterize a scheme, since we usually measure the running time of an algorithm as a function of the length of its input. That is, the syntax of computationally-secure private-key encryption will be the same as that of perfectly secure private-key encryption except for the security parameter, as follows.
Definition 1 A private-key encryption scheme is a tuple of probabilistic polynomial-time algorithms (Gen, Enc, Dec) such that
1. The key-generation algorithm Gen is a probabilistic (i.e., randomized) algorithm that takes as input the security parameter 1^n and outputs a key k ← Gen(1^n) (that is, a key chosen uniformly at random).
2. The encryption algorithm Enc takes as input a key k and a plaintext message m and outputs a ciphertext c ← Enc_k(m).
3. The decryption algorithm Dec takes as input a key k and a ciphertext c and outputs a plaintext m = Dec_k(c), where Dec is deterministic.
The definition of computationally-secure indistinguishable security will
also be syntactically identical to that of perfect security except that we now
parameterize the experiment by a security parameter n.
The eavesdropping indistinguishability experiment PrivK^eav_{A,Π}(n)
1. The adversary A is given input 1^n, and outputs a pair of messages m_0, m_1 of the same length.
2. The challenger generates a random key k by running Gen(1^n), and chooses a random bit b ← {0, 1}. Then, a ciphertext c ← Enc_k(m_b) is computed and given to A. We call c the challenge ciphertext.
3. A outputs a bit b'.
4. The output of the experiment is defined to be 1 if b = b' (in this case, A was right) and 0 otherwise. We write PrivK^eav_{A,Π}(n) = 1 if the output is 1, and in this case we say that A succeeded in breaking the scheme Π.
The above states that an encryption scheme is secure if the success prob-
ability of any PPT adversary in the above experiment is at most negligibly
greater than 1/2.
Definition 2 A private-key encryption scheme Π = (Gen, Enc, Dec) has indistinguishable security (exactly speaking, indistinguishable encryptions) in the presence of an eavesdropper if for all probabilistic polynomial-time adversaries A, there exists a negligible function negl such that
$$\Pr[\mathsf{PrivK}^{\mathrm{eav}}_{\mathcal{A},\Pi}(n) = 1] \le \frac{1}{2} + \mathrm{negl}(n), \qquad (3.1)$$
where the probability is taken over the random coins used by A as well as the random coins used in the experiment (that is, the choice of m and the key k, and any random coins used in the encryption process).
Note that in the above definition, computational restrictions (e.g., proba-
bilistic polynomial time adversary A) are placed on the adversary.
An equivalent way of formalizing the definition is to state that every ad-
versary behaves the same way whether it sees an encryption of m0 or an
encryption of m1 . Since A outputs a single bit, “behaving the same way”
means that it outputs 1 with almost the same probability in each case. The
following definition essentially states that A cannot determine whether it is running experiment PrivK^eav_{A,Π}(n, 0) or experiment PrivK^eav_{A,Π}(n, 1).
Definition 3 A private-key encryption scheme Π = (Gen, Enc, Dec) has indistinguishable security in the presence of an eavesdropper if for all probabilistic polynomial-time adversaries A, there exists a negligible function negl such that
$$\Big|\Pr[\mathrm{output}(\mathsf{PrivK}^{\mathrm{eav}}_{\mathcal{A},\Pi}(n,0)) = 1] - \Pr[\mathrm{output}(\mathsf{PrivK}^{\mathrm{eav}}_{\mathcal{A},\Pi}(n,1)) = 1]\Big| \le \mathrm{negl}(n). \qquad (3.2)$$
3.2 Pseudorandomness
We introduce the notion of pseudorandomness and define the basic crypto-
graphic primitive of pseudorandom generator. Pseudorandom functions and
permutations are introduced in Chapter 4.
Pseudorandomness refers to a distribution on strings. When a distribution D over strings of length l is indistinguishable from the uniform distribution over strings of length l, D is called pseudorandom (strictly speaking, D = {D_n} is a sequence of distributions, where D_n is associated with the security parameter n in an asymptotic setting). A string sampled according to the uniform distribution is called a “random string,” and a string sampled according to a pseudorandom distribution is called a “pseudorandom string.” We can say that a pseudorandom string is a string that looks like a random (that is, uniformly distributed) string to a polynomial-time algorithm.
Usefulness Pseudorandomness is helpful in the construction of secure private-key encryption schemes. This is because if a ciphertext looks random, it is clear that no adversary can learn any information from it about the plaintext. The one-time pad works by computing the XOR of a random string (the key) with the plaintext. If a pseudorandom string were used instead, this should not make any noticeable difference to a polynomial-time observer.
Pseudorandom generator A pseudorandom generator is a deterministic
algorithm that receives a short truly random seed of length n and stretches
(amplifies) it into a long (e.g., a polynomial function l(n)) pseudorandom
string in a way that attackers can’t tell whether the expanded randomness is
amplified from some seed or true randomness. Here, n should be long enough
so that it is infeasible to try all possible seeds.
Similarly to the previous definition of indistinguishable security, the definition of pseudorandomness can be formalized by requiring that every polynomial-time algorithm outputs 1 (interpreted as the algorithm’s “guess”) with almost the same probability when given a truly random string and when given a pseudorandom one.
Definition 4 Let l(·) be a polynomial and let G be a deterministic polynomial-time algorithm such that for any input s ∈ {0,1}^n, algorithm G outputs a string of length l(n) (l(n) is called the expansion factor of G, i.e., |G(s)| = l(|s|)). We say that G is a pseudorandom generator if the following two conditions hold.
1. (Expansion) For every n, it holds that l(n) > n.
2. (Pseudorandomness) For all probabilistic polynomial-time distinguishers D, there exists a negligible function negl such that
$$\big|\Pr[D(r) = 1] - \Pr[D(G(s)) = 1]\big| \le \mathrm{negl}(n), \qquad (3.3)$$
where r is chosen uniformly at random from {0,1}^{l(n)}, the seed s is chosen uniformly at random from {0,1}^n, and the probabilities are taken over the random coins used by D and the choice of r and s.
Existence of pseudorandom generators We do not know how to prove
the existence of pseudorandom generators. Nevertheless, we believe that pseu-
dorandom generators exist, based on the fact that they can be constructed
under the assumption that one-way functions (that is, easy to compute, but
hard to invert) exist [57]. Some candidate one-way functions (e.g., factorization, subset-sum, discrete log, etc.) are known, but we cannot prove that they are one-way functions. We just believe so.
3.3 A Private-Key Encryption Scheme Based on Pseudorandom Generator
The encryption scheme to be constructed now is very similar to the one-time pad encryption scheme, except that a pseudorandom string is used as the “pad” rather than a random string. Since a pseudorandom string “looks random” to any polynomial-time adversary, the encryption scheme can be proven to be computationally secure.
Construction 1. A private-key encryption scheme Π from any pseudorandom generator
1. Let G be a pseudorandom generator with expansion factor l.
2. Define a private-key encryption scheme for messages of length l(n) as follows.
(a) Gen: on input the security parameter 1^n, choose k ← {0,1}^n uniformly at random and output it as the key.
(b) Enc: on input a key k ∈ {0,1}^n and a message m ∈ {0,1}^{l(n)}, output the ciphertext c = G(k) ⊕ m.
(c) Dec: on input a key k ∈ {0,1}^n and a ciphertext c ∈ {0,1}^{l(n)}, output the plaintext message m = G(k) ⊕ c.
Theorem 1 If G is a pseudorandom generator, then Construction 1 is a
private-key encryption scheme that has indistinguishable security (i.e., indis-
tinguishable encryptions) in the presence of an eavesdropper (i.e., ciphertext
only attack).
Outline of the Proof The proof is based on the “proof by reduction” tech-
nique introduced earlier.
1. Define an alternate encryption scheme (e.g., ideal encryption scheme
such as one-time pad).
2. Show that any attacker has at most negligible success probability in
breaking the original scheme by leading to contradiction with the
presumed assumption.
Proof
Intuition We show that if there exists a probabilistic polynomial-time adversary A for which indistinguishable security does not hold, then we can construct a probabilistic polynomial-time algorithm that distinguishes the output of G from a truly random string, which contradicts the assumption that G is a pseudorandom generator.
Outline 1 We define a modified encryption scheme $\tilde{\Pi} = (\widetilde{\mathrm{Gen}}, \widetilde{\mathrm{Enc}}, \widetilde{\mathrm{Dec}})$ that is exactly OTP, except that we now incorporate a security parameter that determines the length of the messages to be encrypted. By the perfect security of OTP, we have that
$$\Pr[\mathsf{PrivK}^{\mathrm{eav}}_{\mathcal{A},\tilde{\Pi}}(n) = 1] = \frac{1}{2}. \qquad (3.4)$$
Outline 2 We show that any attacker has at most negligible success probability in breaking the original scheme as follows. Let A be a probabilistic polynomial-time adversary with success probability ε(n) in breaking the original scheme, that is,
$$\Pr[\mathsf{PrivK}^{\mathrm{eav}}_{\mathcal{A},\Pi}(n) = 1] = \frac{1}{2} + \varepsilon(n). \qquad (3.5)$$
We use A to construct a distinguisher D for the pseudorandom generator G such that D “succeeds” with probability ε(n). The distinguisher is given a string w as input, and its goal is to determine whether w was a “random string” or a “pseudorandom string.” D emulates the eavesdropping experiment for A in the manner described below and guesses that w must be a pseudorandom string if A succeeds, or a random string otherwise.
Distinguisher D
1. D is given as input a string w ∈ {0,1}^{l(n)}.
2. Run A(1^n) to obtain a pair of messages m_0, m_1 ∈ {0,1}^{l(n)}.
3. Choose a random bit b ← {0,1}. Set c = w ⊕ m_b.
4. Give c to A and obtain output b' from A.
5. Output “1” (“It’s a pseudorandom string”) if b' = b (A was right), and output “0” (“It’s a random string”) otherwise.
[Figure: message flow between Distinguisher D and Adversary A. D receives w; A sends m_0, m_1 to D; D chooses b ∈ {0,1} and sets c = w ⊕ m_b; D sends c to A; A returns b'; if b = b', D outputs 1, and if b ≠ b', D outputs 0; D's final output is 1 or 0.]
In analyzing D, let us consider the two possibilities for the input string w
as follows.
Case I: w is a truly random string.
The view of A when run as a sub-routine by D is distributed identically to the view of A in experiment PrivK^eav_{A,Π̃}(n). This is because A is given a ciphertext c = w ⊕ m_b where w ∈ {0,1}^{l(n)} is a completely random string. It therefore follows that for w ∈ {0,1}^{l(n)} chosen uniformly at random,
$$\Pr[D(w) = 1] = \Pr[\mathsf{PrivK}^{\mathrm{eav}}_{\mathcal{A},\tilde{\Pi}}(n) = 1] = \frac{1}{2}, \qquad (3.6)$$
where the second equality follows from Equation (3.4).
Case II: w is a pseudorandom string.
The view of A when run as a sub-routine by D is distributed identically to the view of A in experiment PrivK^eav_{A,Π}(n). This is because A is given a ciphertext c = w ⊕ m_b where w = G(k) for a uniformly distributed value k ← {0,1}^n. Therefore, when w = G(k) for k ← {0,1}^n chosen uniformly at random, we have
$$\Pr[D(w) = 1] = \Pr[D(G(k)) = 1] = \Pr[\mathsf{PrivK}^{\mathrm{eav}}_{\mathcal{A},\Pi}(n) = 1] = \frac{1}{2} + \varepsilon(n), \qquad (3.7)$$
where the third equality follows from Equation (3.5).
Finally, it remains to show that assuming ε(n) is non-negligible leads to a contradiction, as follows. By combining Equations (3.6) and (3.7), we get
$$\big|\Pr[D(w) = 1] - \Pr[D(G(k)) = 1]\big| = \varepsilon(n). \qquad (3.8)$$
If ε(n) were non-negligible, D would be a polynomial-time distinguisher for G with non-negligible advantage, contradicting the assumption that G is a pseudorandom generator. Therefore, ε(n) must be negligible, which implies that Π has indistinguishable security in the presence of an eavesdropper. □
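The reduction outlined in Section 2.2.2 and the proof of Theorem 1 just given, carried out in code as an added example that is not from the book: Construction 1 instantiated with a candidate PRG, an adversary A that plays PrivK^eav, and the distinguisher D that emulates the experiment for A and outputs 1 exactly when A wins. To make the gap in (3.8) visible, the block also includes prg_broken, a deliberately non-pseudorandom "generator" that merely repeats its seed, against which A always wins. Assumptions of mine: SHAKE256 from hashlib stands in for a pseudorandom generator, n and l(n) are measured in bytes (N = 16, L = 64), and all function names are my own.

```python
import hashlib
import random
from typing import Callable, Tuple

N = 16   # seed/key length n (bytes; constructed parameter)
L = 64   # expansion factor l(n) (bytes), so |G(k)| = L > N

PRG = Callable[[bytes], bytes]


def prg_shake(seed: bytes) -> bytes:
    """Candidate PRG: SHAKE256 stretches an N-byte seed to L bytes (assumed pseudorandom)."""
    return hashlib.shake_256(seed).digest(L)


def prg_broken(seed: bytes) -> bytes:
    """Satisfies expansion (L > N) but is not pseudorandom: the seed simply repeats."""
    return (seed * (L // N + 1))[:L]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def rand_bytes(rng: random.Random, n: int) -> bytes:
    return bytes(rng.getrandbits(8) for _ in range(n))


# Construction 1: Gen, Enc, Dec for messages of length L built from a PRG G.
def gen(rng: random.Random) -> bytes:
    return rand_bytes(rng, N)                      # k <- {0,1}^n uniformly


def enc(G: PRG, k: bytes, m: bytes) -> bytes:
    assert len(k) == N and len(m) == L
    return xor(G(k), m)                            # c = G(k) xor m


def dec(G: PRG, k: bytes, c: bytes) -> bytes:
    return xor(G(k), c)                            # m = G(k) xor c


# Adversary A for PrivK^eav: m0 and m1 differ between their first two
# N-byte blocks in a way that a pad repeating every N bytes cannot hide.
def adversary_choose() -> Tuple[bytes, bytes]:
    m0 = bytes(L)
    m1 = bytes(N) + b"\xff" * N + bytes(L - 2 * N)
    return m0, m1


def adversary_guess(c: bytes) -> int:
    # With pad = seed||seed||..., c[0:N] xor c[N:2N] = m_b[0:N] xor m_b[N:2N]:
    # all zero for m0, all 0xff for m1. With a uniform pad it is uniform.
    return 0 if xor(c[:N], c[N:2 * N]) == bytes(N) else 1


def distinguisher(w: bytes, rng: random.Random) -> int:
    """D from the proof: emulate PrivK^eav for A with w as the pad; output 1 iff A wins."""
    m0, m1 = adversary_choose()
    b = rng.getrandbits(1)
    c = xor(w, (m0, m1)[b])
    b_guess = adversary_guess(c)
    return 1 if b_guess == b else 0


def estimate(G: PRG, trials: int = 2000, seed: int = 1) -> Tuple[float, float]:
    """Estimate (Pr[D(r) = 1], Pr[D(G(s)) = 1]) of equations (3.6) and (3.7)."""
    rng = random.Random(seed)
    on_random = sum(distinguisher(rand_bytes(rng, L), rng) for _ in range(trials))
    on_prg = sum(distinguisher(G(gen(rng)), rng) for _ in range(trials))
    return on_random / trials, on_prg / trials


def roundtrip(G: PRG, m: bytes, seed: int = 1) -> bool:
    """Correctness of Construction 1: Dec_k(Enc_k(m)) = m."""
    k = gen(random.Random(seed))
    return dec(G, k, enc(G, k, m)) == m
```

`estimate(prg_broken)` returns roughly (0.5, 1.0): the difference between the two numbers is exactly A's advantage ε(n), as (3.8) states, so D distinguishes the broken generator from uniform with the same advantage A has against the scheme. With `prg_shake` both estimates sit near 1/2 and A gains nothing, which is the behaviour the theorem promises when G really is a pseudorandom generator.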
Exercises
3.1 Why do we introduce alternate schemes in security proof methodologies?
3.2 Why do we simulate? What are we going to model through simulation?
Do we always need to simulate?
3.3 Why is perfect or close perfect simulation important? What is the exact
meaning of the word “close”?
3.4 Give the attack scenario in the real world corresponding to the attacker
abilities as follows: (a) Ciphertext-only attack, (b) Chosen-plaintext attack,
and (c) Chosen-ciphertext attack
3.5 If you are modeling the security for a private key encryption scheme used
by SSL/TLS, what should the attacker’s ability be for the Denial of Service
attack on SSL/TLS? Justify your answer.
4 Private-Key Encryption (2)
CONTENTS
4.1 Stream Ciphers ... 35
4.2 Stronger Security Notions ... 36
4.2.1 Security for Multiple Encryptions ... 36
4.2.2 Security for Chosen-Plaintext Attack ... 38
4.3 Constructing CPA-Secure Encryption Scheme ... 42
4.4 Advanced Encryption Standard ... 47
Exercises ... 49
This chapter provides further details about private-key encryption schemes. The first part is about the construction of a stream cipher that generates the key stream. In the next part, we consider two stronger security notions: security for multiple encryptions and security against chosen-plaintext attack. In defining the first security notion, we modify the security goal from single-message encryption distinguishability to multiple-message encryption distinguishability. For the second, we strengthen the attack model from ciphertext-only attack to chosen-plaintext attack. After defining the security notions, we introduce a construction of a CPA-secure encryption scheme based on a pseudorandom function. Lastly, as a representative block cipher, we introduce the overall design and detailed components of AES.
4.1 Stream Ciphers
The term "stream cipher" refers either to the algorithm that generates the keystream (e.g., the pseudorandom generator $G_\ell$ shown below) or to the entire encryption scheme (e.g., Construction 1 in Chapter 3) instantiated with such a generator. In the first sense, a stream cipher is not an encryption scheme per se, but rather a tool for constructing encryption schemes, as the algorithm $G_\ell$ below shows.
We view a stream cipher as a pair of deterministic algorithms (Init, GetBits)
where,
1. Init takes as input a seed s and an optional initialization vector IV,
and outputs an initial state st0 .
2. GetBits takes as input state information sti−1 , and outputs a bit y
and updated state sti . (In practice, y is a block of several bits; we
treat y as a single bit here for generality and simplicity.)
Given a stream cipher and any desired expansion factor ℓ, we can define an algorithm $G_\ell$ mapping inputs of length n to outputs of length ℓ(n). The algorithm simply runs Init once, and then runs GetBits a total of ℓ(n) times.
Algorithm $G_\ell$
1. Take seed s and optional initialization vector IV as input.
2. $st_0 = \mathsf{Init}(s, IV)$.
3. For i = 1 to ℓ(n): $(y_i, st_i) = \mathsf{GetBits}(st_{i-1})$.
4. Output $y_1, \dots, y_{\ell(n)}$.
Stream ciphers are typically extraordinarily fast compared to block ciphers, which encrypt a block of data at a time. However, the security of most practical stream ciphers, including RC4 [3] and LFSR-based designs [71], rests on heuristics rather than proofs: RC4 in particular has well-documented keystream biases and is no longer recommended, and a bare LFSR is linear and therefore predictable from a short stretch of known keystream. Only the one-time pad comes with a proof of security, at the price of a key as long as the message.
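The (Init, GetBits) interface and $G_\ell$ in code, as an added example that is not the book's: a 16-bit LFSR with a public feedback polynomial plays the role of the stream cipher, and the second half shows why a bare LFSR is not a pseudorandom generator. Because this register shifts out one state bit per step, the first L = 16 keystream bits are exactly $st_0$, so an attacker who knows 16 plaintext bits recovers the state and predicts the entire keystream. The feedback polynomial, the seed/IV mixing in Init and the sample plaintext are assumptions of the example.

```python
"""The (Init, GetBits) stream-cipher interface, instantiated with an LFSR.

Added example, not code from the book. The LFSR is a toy keystream
generator with a fixed, public feedback polynomial; the second half shows
why an LFSR by itself is not a pseudorandom generator: L known keystream
bits (from L known plaintext bits) reveal st_0 and hence the whole stream.
"""

L = 16                   # register length in bits
TAPS = (16, 14, 13, 11)  # x^16 + x^14 + x^13 + x^11 + 1 (maximal-length polynomial)


def init(seed: int, iv: int = 0) -> int:
    """Init(s, IV): derive the initial state st_0 (here seed XOR IV, a toy choice)."""
    st0 = (seed ^ iv) & ((1 << L) - 1)
    if st0 == 0:
        raise ValueError("all-zero state would give an all-zero keystream")
    return st0


def get_bits(state: int):
    """GetBits(st_{i-1}): output one bit and the updated state.

    Fibonacci LFSR: the output is the low bit, the register shifts right by
    one, and the new high bit is the XOR of the tap positions.
    """
    y = state & 1
    fb = 0
    for t in TAPS:
        fb ^= (state >> (L - t)) & 1
    return y, (state >> 1) | (fb << (L - 1))


def G(seed: int, ell: int, iv: int = 0) -> list:
    """Algorithm G_l: run Init once, then GetBits l times; return y_1..y_l."""
    st = init(seed, iv)
    out = []
    for _ in range(ell):
        y, st = get_bits(st)
        out.append(y)
    return out


def encrypt(seed: int, iv: int, msg_bits: list) -> list:
    """Construction 1 of Chapter 3 with G_l as the generator: c = m XOR G(s)."""
    return [m ^ k for m, k in zip(msg_bits, G(seed, len(msg_bits), iv))]


def state_from_keystream(prefix: list) -> int:
    """For this LFSR y_i is bit i-1 of st_0, so L keystream bits ARE the state."""
    if len(prefix) < L:
        raise ValueError("need at least L keystream bits")
    return sum(y << i for i, y in enumerate(prefix[:L]))


def predict_keystream(known_plain: list, ciphertext: list, total: int) -> list:
    """Known-plaintext attack: recover st_0 from L bits, then regenerate all of it."""
    st = state_from_keystream([p ^ c for p, c in zip(known_plain, ciphertext)])
    out = []
    for _ in range(total):
        y, st = get_bits(st)
        out.append(y)
    return out


def period(seed: int) -> int:
    """Number of steps until the register state repeats (2^L - 1 if maximal)."""
    st0 = init(seed)
    _, st = get_bits(st0)
    n = 1
    while st != st0:
        _, st = get_bits(st)
        n += 1
    return n


if __name__ == "__main__":
    seed, iv = 0xBEEF, 0x1234
    plaintext = [(b >> j) & 1 for b in b"hi there" for j in range(8)]  # constructed 64 bits
    c = encrypt(seed, iv, plaintext)
    guess = predict_keystream(plaintext[:L], c[:L], 64)  # attacker knows 16 plaintext bits
    print("predicted keystream correct:", guess == G(seed, 64, iv))
    print("period of the keystream:", period(seed ^ iv))
```

The keystream also repeats after $2^{16}-1$ bits, a second reason the construction fails as a PRG; a real stream cipher such as ChaCha20 has a non-linear state update precisely to defeat the linear state recovery shown here.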
4.2 Stronger Security Notions
Until now we have considered a relatively weak notion of security in which
the adversary only passively eavesdrops on a single ciphertext. In this section,
we consider two stronger security notions. Recall that a security definition
specifies a security goal and an attack model. In defining the first new secu-
rity notion, we modify the security goal (i.e., from single-message encryption
distinguishability to multiple-message encryption distinguishability); for the
second we strengthen the attack model (i.e., from ciphertext only attack to
chosen-plaintext attack).
4.2.1 Security for Multiple Encryptions
In Chapter 3, we have dealt with the case that the adversary receives a single
ciphertext. In the real world, however, we usually use multiple ciphertexts
so that we need to extend the security goal from single-message encryption
distinguishability to multiple-message encryption distinguishability. The fol-
lowing experiment incorporates this extension by replacing a pair of message
and ciphertext with a vector of messages and ciphertexts, respectively.
The multiple-message eavesdropping experiment $\mathsf{PrivK}^{\mathrm{mult}}_{A,\Pi}(n)$
1. The adversary A is given input $1^n$ and outputs a pair of equal-length lists of messages $\vec{M}_0 = (m_{0,1}, \dots, m_{0,t})$ and $\vec{M}_1 = (m_{1,1}, \dots, m_{1,t})$, with $|m_{0,i}| = |m_{1,i}|$ for all i.
2. A key k is generated by running $\mathsf{Gen}(1^n)$ and a uniform bit $b \in \{0,1\}$ is chosen. For all i, the ciphertext $c_i \leftarrow \mathsf{Enc}_k(m_{b,i})$ is computed, and the list $\vec{C} = (c_1, \dots, c_t)$ is given to A.
3. A outputs a bit $b'$.
4. The output of the experiment is defined to be 1 if $b' = b$, and 0 otherwise.
The definition of security for multiple messages is the same as before, ex-
cept that it now refers to the above experiment.
Definition 1 A private-key encryption scheme Π = (Gen, Enc, Dec) has indistinguishable multiple encryptions in the presence of an eavesdropper if for all probabilistic polynomial-time adversaries A there is a negligible function negl such that
$$\Pr[\mathsf{PrivK}^{\mathrm{mult}}_{A,\Pi}(n) = 1] \le \frac{1}{2} + \mathrm{negl}(n), \tag{4.1}$$
where the probability is taken over the randomness used by A and the randomness used in the experiment.
Recall that Construction 1 in Chapter 3 is secure for a single encryption. However, the mere knowledge that the same message has been sent twice can already be significant information for a cryptanalyst, and the following proposition and theorem make this precise: any deterministic, stateless scheme, Construction 1 included, must be insecure for multiple encryptions. Therefore we need probabilistic (or stateful) encryption rather than deterministic encryption.
Proposition 1 There is a private-key encryption scheme that has indistinguishable encryptions in the presence of an eavesdropper, but not indistinguishable multiple encryptions in the presence of an eavesdropper.
Theorem 1 If Π is a stateless encryption scheme in which Enc is a deterministic function of the key and the message, then Π cannot have indistinguishable multiple encryptions in the presence of an eavesdropper.
Proof is omitted.
We note that if the encryption scheme is stateful or randomized (so that repeated encryptions of the same message differ), then it is possible to securely encrypt multiple messages; in the stateful case this holds even though the encryption algorithm is deterministic given the current state. Here stateful means that information (a variable such as a counter) stored in memory is read and updated whenever the algorithm is invoked.
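The adversary behind Theorem 1, as an added example rather than code from the book: it runs the $\mathsf{PrivK}^{\mathrm{mult}}$ experiment against a deterministic, stateless scheme $c = G(k) \oplus m$ in the style of Construction 1 of Chapter 3. SHAKE-128 from Python's hashlib stands in for the generator G (an assumption that does not affect the attack). A outputs $\vec{M}_0 = (m, m)$ and $\vec{M}_1 = (m, m')$ and wins whenever the two ciphertexts coincide.

```python
"""The PrivK^mult experiment run against a deterministic, stateless scheme.

Added example, not from the book. Enc is c = G(k) XOR m with G a PRG;
SHAKE-128 from hashlib stands in for G (an assumption). The attack below
uses only that Enc is deterministic and stateless.
"""
import hashlib
import secrets


def prg(seed: bytes, out_len: int) -> bytes:
    """G: expand an n-byte seed to out_len bytes (SHAKE-128 as a stand-in PRG)."""
    return hashlib.shake_128(seed).digest(out_len)


def gen(n: int = 16) -> bytes:
    return secrets.token_bytes(n)


def enc(k: bytes, m: bytes) -> bytes:
    """Deterministic and stateless: the same (k, m) always yields the same c."""
    return bytes(a ^ b for a, b in zip(m, prg(k, len(m))))


def dec(k: bytes, c: bytes) -> bytes:
    return enc(k, c)  # XOR with the same pad


def adversary_choose():
    """Step 1: A outputs two lists of equal-length messages. M0 repeats a
    message, M1 does not; that is the only difference A relies on."""
    m, m_prime = b"attack at dawn!!", b"attack at dusk!!"   # constructed sample messages
    return [m, m], [m, m_prime]


def adversary_guess(ciphertexts) -> int:
    """Step 3: identical ciphertexts can only come from the repeated list M0."""
    c1, c2 = ciphertexts
    return 0 if c1 == c2 else 1


def privk_mult(enc_fn, gen_fn, n: int = 16) -> int:
    """One run of the multiple-message eavesdropping experiment; 1 if A wins."""
    M0, M1 = adversary_choose()
    assert len(M0) == len(M1) and all(len(a) == len(b) for a, b in zip(M0, M1))
    k = gen_fn(n)                       # step 2: Gen(1^n) and a uniform bit b
    b = secrets.randbelow(2)
    C = [enc_fn(k, m) for m in (M1 if b else M0)]
    return 1 if adversary_guess(C) == b else 0   # step 4


def success_rate(trials: int = 200) -> float:
    """Fraction of experiments A wins: 1.0 here, far above 1/2 + negl(n)."""
    return sum(privk_mult(enc, gen) for _ in range(trials)) / trials


if __name__ == "__main__":
    print("adversary success rate:", success_rate())
```

Nothing about the PRG is exploited: the same experiment run against any scheme whose Enc is a fixed function of (k, m) ends the same way, which is exactly the content of Theorem 1.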
4.2.2 Security for Chosen-Plaintext Attack
Until now we have considered a relatively weak adversary who only passively eavesdrops on the communication between two honest parties. In the previous definition, $\mathsf{PrivK}^{\mathrm{eav}}$, the adversary's only influence is choosing the two plaintexts $m_0, m_1$ whose single encryption it receives. In this section we introduce a more powerful type of adversarial attack, called chosen-plaintext attack (CPA), where the adversary is additionally allowed to ask for encryptions of multiple messages chosen adaptively.
Example To help understand the concept of chosen-plaintext attack, we start
with an example in the real world. In May 1942, US Navy cryptanalysts in-
tercepted an encrypted message from the Japanese which they were able to
partially decode. The result indicated that the Japanese were planning an at-
tack on AF, where AF was a ciphertext fragment that the US was unable to
decode. For other reasons, the US believed that Midway Island was the tar-
get. The Navy cryptanalysts instructed US forces at Midway to send a fake
message that their freshwater supplies were low. The Japanese intercepted
this message and immediately reported to their superiors that “AF is low on
water.” The Navy cryptanalysts now had their proof that AF corresponded
to Midway.
CPA-security In the formal definition we model chosen-plaintext attacks by giving the adversary A access to an encryption oracle, viewed as a "black box" that encrypts messages of A's choice using a key k unknown to A. That is, we imagine A has access to an oracle $\mathsf{Enc}_k(\cdot)$; when A queries this oracle with a message m, the oracle returns a ciphertext $c \leftarrow \mathsf{Enc}_k(m)$ as the reply (using fresh randomness for every query if Enc is randomized). The adversary may interact with the encryption oracle adaptively as many times as it likes.
The CPA indistinguishability experiment $\mathsf{PrivK}^{\mathrm{cpa}}_{A,\Pi}(n)$
1. A key k is generated by running Gen(1n ).
2. The adversary A is given input 1n and oracle access to Enck (·), and
outputs a pair of messages m0 , m1 of the same length.
3. A uniform bit b ← {0, 1} is chosen and then a ciphertext c ←
Enck (mb ) is computed and given to A.
4. The adversary A continues to have oracle access to Enck (·), and
outputs a bit b0 .
5. The output of the experiment is defined to be 1 if b = b0 (In this
case, we say that A succeeds) and 0 otherwise.
The above experiment can also be described as follows:
1. Challenger runs Gen.
2. (Query Phase) Adversary is given access to an oracle Enck (·).
3. (Challenger Phase) Adversary produces two messages m0 and m1 .
The challenger returns the challenge ciphertext c = Enck (mb ).
4. Adversary outputs b0 .
We define the advantage of an adversary A in the IND-CPA security game to be $\mathrm{Adv}_A = \Pr[b' = b] - \frac{1}{2}$. We say that an encryption scheme is IND-CPA secure if for any polynomial-time adversary A, $\mathrm{Adv}_A \le \mathrm{negl}(n)$.
Definition 2 A private-key encryption scheme Π = (Gen, Enc, Dec) has indistinguishable encryptions under a chosen-plaintext attack, or is CPA-secure, if for all probabilistic polynomial-time adversaries A there exists a negligible function negl such that
$$\Pr[\mathsf{PrivK}^{\mathrm{cpa}}_{A,\Pi}(n) = 1] \le \frac{1}{2} + \mathrm{negl}(n), \tag{4.2}$$
where the probability is taken over the randomness used by A, as well as the randomness used in the experiment.
CPA-security for multiple encryptions The above definition can be extended to the case of multiple encryptions by using pairs of plaintexts. In this definition, we give the attacker access to a "left-or-right" oracle $LR_{k,b}$ that, on input a pair of equal-length messages $m_0, m_1$, computes the ciphertext $c \leftarrow \mathsf{Enc}_k(m_b)$ and returns c. That is, if b = 0 then the adversary receives an encryption of the "left" plaintext, and if b = 1 then the adversary receives an encryption of the "right" plaintext. Here b is a random bit chosen at the beginning of the experiment, and as in previous definitions the goal of the attacker is to guess b. Now we formally define this experiment, called the LR-oracle experiment.
The LR-oracle experiment $\mathsf{PrivK}^{LR\text{-}cpa}_{A,\Pi}(n)$
1. A key k is generated by running $\mathsf{Gen}(1^n)$.
2. A uniform bit $b \leftarrow \{0,1\}$ is chosen.
3. The adversary A is given input $1^n$ and oracle access to $LR_{k,b}(\cdot,\cdot)$ as defined above.
4. The adversary A outputs a bit $b'$.
5. The output of the experiment is defined to be 1 if $b = b'$ (in this case we say that A succeeds) and 0 otherwise.
The L-oracle experiment $\mathsf{PrivK}^{L\text{-}cpa}_{A,\Pi}(n)$
1. A key k is generated by running $\mathsf{Gen}(1^n)$.
2. The adversary A is given input $1^n$ and oracle access to $LR_{k,0}(\cdot,\cdot)$ as defined above.
3. The adversary A outputs a bit $b'$.
4. The output of the experiment is defined to be $b'$.
The R-oracle experiment $\mathsf{PrivK}^{R\text{-}cpa}_{A,\Pi}(n)$
1. A key k is generated by running $\mathsf{Gen}(1^n)$.
2. The adversary A is given input $1^n$ and oracle access to $LR_{k,1}(\cdot,\cdot)$ as defined above.
3. The adversary A outputs a bit $b'$.
4. The output of the experiment is defined to be $b'$.
In terms of the L-oracle and R-oracle experiments, we define the advantage of an adversary A in the IND-CPA security game to be
$$\mathrm{Adv}_A = \Pr[\mathsf{PrivK}^{R\text{-}cpa}_{A,\Pi}(n) = 1] - \Pr[\mathsf{PrivK}^{L\text{-}cpa}_{A,\Pi}(n) = 1].$$
We say that an encryption scheme is IND-CPA secure if for any polynomial-time adversary A, $\mathrm{Adv}_A \le \mathrm{negl}(n)$.
Definition 3 A private-key encryption scheme Π = (Gen, Enc, Dec) has indistinguishable multiple encryptions under a chosen-plaintext attack, or is CPA-secure for multiple encryptions, if for all probabilistic polynomial-time adversaries A there exists a negligible function negl such that
$$\Pr[\mathsf{PrivK}^{LR\text{-}cpa}_{A,\Pi}(n) = 1] \le \frac{1}{2} + \mathrm{negl}(n), \tag{4.3}$$
where the probability is taken over the randomness used by A, as well as the randomness used in the experiment.
In the following we verify that the advantage of A defined via the L-oracle and R-oracle experiments is equivalent to its advantage in the LR-oracle experiment:
$$\begin{aligned}
\mathrm{Adv}^{\mathrm{ind\text{-}cpa}}_{A,\Pi}
&= \Pr[\mathsf{PrivK}^{R\text{-}cpa}_{A,\Pi} = 1] - \Pr[\mathsf{PrivK}^{L\text{-}cpa}_{A,\Pi} = 1] \\
&= \Pr[b' = 1 \mid b = 1] - \Pr[b' = 1 \mid b = 0] \\
&= 2 \cdot \left(\Pr[b' = 1 \mid b = 1] \cdot \tfrac{1}{2} + (1 - \Pr[b' = 1 \mid b = 0]) \cdot \tfrac{1}{2}\right) - 1 \\
&= 2 \cdot \left(\Pr[b' = 1 \mid b = 1] \cdot \tfrac{1}{2} + \Pr[b' = 0 \mid b = 0] \cdot \tfrac{1}{2}\right) - 1 \\
&= 2 \cdot \left(\Pr[b = b' \mid b = 1] \cdot \tfrac{1}{2} + \Pr[b = b' \mid b = 0] \cdot \tfrac{1}{2}\right) - 1 \\
&= 2 \cdot \left(\Pr[b = b' \mid b = 1] \cdot \Pr[b = 1] + \Pr[b = b' \mid b = 0] \cdot \Pr[b = 0]\right) - 1 \\
&= 2 \cdot \Pr[b = b'] - 1 \\
&= 2 \cdot \Pr[\mathsf{PrivK}^{LR\text{-}cpa}_{A,\Pi} = 1] - 1.
\end{aligned}$$
If a private-key encryption scheme is CPA-secure for multiple encryptions,
it is clearly CPA-secure for a single encryption as well. The converse also holds
as follows.
Theorem 2 A private-key encryption scheme that is CPA-secure for a single encryption is also CPA-secure for multiple encryptions.
Proof is omitted.
Fixed-length vs. arbitrary-length messages Given any CPA-secure fixed-length encryption scheme Π = (Gen, Enc, Dec), it is easy to construct a CPA-secure encryption scheme Π' = (Gen', Enc', Dec') for arbitrary-length messages: for a message m of length l, define
$$\mathsf{Enc}'_k(m) = \mathsf{Enc}_k(m_1) \,\|\, \cdots \,\|\, \mathsf{Enc}_k(m_l),$$
where $m_i$ denotes the i-th bit of m and Π is taken as a scheme for single-bit messages. Decryption is done in the natural way, piece by piece. (This is wasteful, since every bit becomes a full ciphertext, but it shows that fixed-length CPA security is enough in principle; the modes of operation in Chapter 5 are the efficient way to handle long messages.)
4.3 Constructing CPA-Secure Encryption Scheme
A random function can be thought of as a black box (one can only feed it inputs and read its outputs, without looking inside) which, given any input, returns a random value, except that if it is given an input it has seen before it returns the same output as previously. Here we should be careful that "random" refers to the way the function was chosen from the set of all functions, not to an attribute of the selected function itself: an individual function is a fixed object and is not itself random.
A keyed function $F: \{0,1\}^* \times \{0,1\}^* \to \{0,1\}^*$ is a two-input function, where the first input is called the key and denoted k (i.e., F takes a key as well as an input). If k is chosen and fixed, the single-input function $F_k: \{0,1\}^* \to \{0,1\}^*$ is defined by $F_k(x) = F(k, x)$.
In the following, we assume that the key, input and output lengths of F are all equal to n; such an F is called length-preserving. Let $\mathsf{Func}_n$ denote the set of all functions mapping n-bit strings to n-bit strings. We want to construct a keyed function F such that $F_k$ (for $k \leftarrow \{0,1\}^n$ chosen uniformly at random) is indistinguishable from f (for $f \leftarrow \mathsf{Func}_n$ chosen uniformly at random). Note that the former is chosen from a distribution over at most $2^n$ distinct functions, whereas the latter is chosen from a distribution over all $2^{n \cdot 2^n}$ functions in $\mathsf{Func}_n$ (a function table has $2^n$ entries of n bits each). Despite this, when the "behaviors" of these functions look the same to any polynomial-time distinguisher, which cannot tell whether it is interacting with $F_k$ or with f (intuitively, both sets are exponentially large, and a polynomially bounded adversary only ever sees polynomially many input-output pairs), we call F a pseudorandom function.
Definition 4 Let $F: \{0,1\}^* \times \{0,1\}^* \to \{0,1\}^*$ be an efficient, length-preserving, keyed function. F is a pseudorandom function if for all probabilistic polynomial-time distinguishers D, there is a negligible function negl such that
$$\left|\Pr[D^{F_k(\cdot)}(1^n) = 1] - \Pr[D^{f(\cdot)}(1^n) = 1]\right| \le \mathrm{negl}(n), \tag{4.4}$$
where the first probability is taken over uniform choice of $k \in \{0,1\}^n$ and the randomness of D, and the second probability is taken over uniform choice of $f \in \mathsf{Func}_n$ (the set of all functions mapping n-bit strings to n-bit strings) and the randomness of D.
Note that the distinguisher D is not given the key k. Once k is revealed
to D, all claims to the pseudorandomness of Fk no longer hold. The pseudo-
random function generator is shown in Figure 4.1.
FIGURE 4.1
Pseudorandom function.
It is known that pseudorandom functions exist if and only if pseudoran-
dom generators exist [52]. A pseudorandom function is used to construct CPA-
secure encryption which will be shown below and message authentication codes
later.
A permutation is a function whose domain and range are the same set D and which is a bijection (one-to-one and onto) on that set. A keyed permutation is a length-preserving keyed function F (i.e., $|F_k(x)| = |x|$ for all x) such that $F_k$ is a bijection for every key k. Since a keyed permutation is in particular a keyed function, a pseudorandom permutation is a kind of pseudorandom function.
If Fk should be used in an encryption scheme, honest parties should be
able to compute the inverse Fk−1 as well as Fk . Therefore, we need to impose
the stronger requirement that Fk should be indistinguishable from a random
permutation even if the distinguisher is given oracle access to the inverse of
the permutation as shown in the following definition.
Definition 5 Let $F: \{0,1\}^* \times \{0,1\}^* \to \{0,1\}^*$ be an efficient, length-preserving, keyed permutation. F is a strong pseudorandom permutation if for all probabilistic polynomial-time distinguishers D, there exists a negligible function negl such that
$$\left|\Pr[D^{F_k(\cdot),\,F_k^{-1}(\cdot)}(1^n) = 1] - \Pr[D^{f(\cdot),\,f^{-1}(\cdot)}(1^n) = 1]\right| \le \mathrm{negl}(n), \tag{4.5}$$
where the first probability is taken over uniform choice of $k \in \{0,1\}^n$ and the randomness of D, and the second probability is taken over uniform choice of $f \in \mathsf{Perm}_n$ (the set of all permutations on n-bit strings) and the randomness of D.
As noted earlier, a stream cipher can be modeled as a pseudorandom gen-
erator, while a block cipher can be modeled as a strong pseudorandom per-
mutation.
Construction 1. A CPA-secure private-key encryption scheme Π from any pseudorandom function
1. Let F be a pseudorandom function.
2. Define a private-key encryption scheme for messages of length n as follows.
(a) Gen: on input the security parameter $1^n$, choose $k \leftarrow \{0,1\}^n$ uniformly at random and output it as the key.
(b) Enc: on input a key $k \in \{0,1\}^n$ and a message $m \in \{0,1\}^n$, choose $r \leftarrow \{0,1\}^n$ uniformly at random and output the ciphertext $c = \langle r, F_k(r) \oplus m \rangle$.
(c) Dec: on input a key $k \in \{0,1\}^n$ and a ciphertext $c = \langle r, s \rangle$, output the plaintext message $m = F_k(r) \oplus s$.
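Steps 1 to 5 of the CPA experiment and Construction 1 in code, as an added example that is not the book's. $F_k$ is HMAC-SHA256 truncated to 16 bytes (the assumption being that HMAC-SHA256 behaves as a pseudorandom function). The same experiment harness is also run against the deterministic scheme $c = F_k(m)$ of Exercise 4.3: the adversary queries the oracle on $m_0$ before the challenge and compares, which wins with probability 1 there but only 1/2 against Construction 1, because the fresh r makes the challenge ciphertext differ from every ciphertext seen earlier.

```python
"""The PrivK^cpa experiment with an encryption oracle, run against two schemes.

Added example, not the book's code. F_k(x) = HMAC-SHA256(k, x) truncated
to N bytes stands in for the pseudorandom function (assumption: HMAC-SHA256
is a PRF). Scheme A is Construction 1, c = <r, F_k(r) XOR m>; scheme B is
the deterministic c = F_k(m) of Exercise 4.3, which the adversary breaks.
"""
import hashlib
import hmac
import secrets

N = 16  # message/block length in bytes (n = 128 bits)


def F(k: bytes, x: bytes) -> bytes:
    """Keyed, length-preserving function F_k(x)."""
    return hmac.new(k, x, hashlib.sha256).digest()[:N]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def gen() -> bytes:
    """Gen(1^n): a uniform N-byte key."""
    return secrets.token_bytes(N)


def enc_a(k: bytes, m: bytes) -> bytes:
    """Construction 1: fresh r each time, c = <r, F_k(r) XOR m>."""
    r = secrets.token_bytes(N)
    return r + xor(F(k, r), m)


def dec_a(k: bytes, c: bytes) -> bytes:
    r, s = c[:N], c[N:]
    return xor(F(k, r), s)


def enc_b(k: bytes, m: bytes) -> bytes:
    """Exercise 4.3: c = F_k(m), deterministic, hence not CPA-secure."""
    return F(k, m)


class CPAExperiment:
    """Steps 1-5 of PrivK^cpa; the adversary sees only the oracle, never k."""

    def __init__(self, enc):
        self.enc = enc
        self.k = gen()          # step 1
        self.queries = 0

    def oracle(self, m: bytes) -> bytes:
        self.queries += 1
        return self.enc(self.k, m)

    def run(self, adversary) -> int:
        m0, m1 = adversary.choose(self.oracle)                     # step 2
        assert len(m0) == len(m1)
        b = secrets.randbelow(2)
        c = self.enc(self.k, m1 if b else m0)                      # step 3
        return 1 if adversary.guess(self.oracle, c) == b else 0    # steps 4-5


class ReplayAdversary:
    """Queries Enc_k(m0) before the challenge and compares it with c*.
    Wins always against a deterministic scheme; against Construction 1 the
    challenge carries a fresh r, so c* differs from every earlier ciphertext
    and the comparison is worthless (success 1/2)."""
    m0 = b"YES-transfer-$1M"   # constructed 16-byte messages
    m1 = b"NO--transfer-$1M"

    def choose(self, oracle):
        self.c0 = oracle(self.m0)
        return self.m0, self.m1

    def guess(self, oracle, c: bytes) -> int:
        oracle(self.m1)   # step 4 allows further queries; they do not help here
        return 0 if c == self.c0 else 1


def win_rate(enc, adversary_cls, trials: int = 500) -> float:
    return sum(CPAExperiment(enc).run(adversary_cls()) for _ in range(trials)) / trials


if __name__ == "__main__":
    print("vs deterministic F_k(m):", win_rate(enc_b, ReplayAdversary))
    print("vs Construction 1:      ", win_rate(enc_a, ReplayAdversary))
```

The harness never hands k to the adversary, matching the remark after Definition 4 that pseudorandomness of $F_k$ is only meaningful while k stays hidden; swapping `enc_a` for `enc_b` changes nothing in the experiment, only in the scheme under test.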
Theorem 3 If F is a pseudorandom function, then Construction 1 is a CPA-
secure private-key encryption scheme for messages of length n.
Proof
Outline of the Proof The proof is based on the "proof by reduction" technique introduced earlier.
1. Define an alternate encryption scheme (Random-Function Encryption, in which a truly random function replaces $F_k$) and bound every attacker's success against it.
2. Show that any attacker has at most negligible success probability in breaking the original scheme, by turning a successful attacker into a distinguisher for F.
Intuition Security holds because Fk (r) looks completely random to an ad-
versary who observes a ciphertext hr, si and thus the encryption scheme is
similar to the one-time pad as long as the value r was not used in some pre-
vious encryption. Moreover, this “bad event” (namely, a repeating value of r)
occurs with only negligible probability.
Outline 1 We define a modified encryption scheme $\tilde{\Pi} = (\widetilde{\mathsf{Gen}}, \widetilde{\mathsf{Enc}}, \widetilde{\mathsf{Dec}})$ that is exactly the same as Π = (Gen, Enc, Dec), except that a truly random function f is used in place of $F_k$.
We claim that for every adversary A that makes at most q(n) queries to its encryption oracle, we have
$$\Pr[\mathsf{PrivK}^{\mathrm{cpa}}_{A,\tilde{\Pi}}(n) = 1] \le \frac{1}{2} + \frac{q(n)}{2^n}. \tag{4.6}$$
Let $r^*$ denote the random string used when generating the challenge ciphertext $c^* = \langle r^*, f(r^*) \oplus m_b \rangle$. There are two interactive phases in the random-function game that we consider, the Query Phase and the Challenge Phase:
Query Phase: $r_1, r_2, \dots, r_{q(n)}$, where $c_i = \langle r_i, f(r_i) \oplus m_i \rangle$
Challenge Phase: $c^* = \langle r^*, f(r^*) \oplus m_b \rangle$
Now we consider two subcases:
Case I (Bad) The value $r^*$ is used by the encryption oracle to answer at least one of A's queries (before or after the challenge):
A may easily determine which of its messages was encrypted, because from that query it learns $f(r^*)$ (since $f(r^*) = s \oplus m$ for the ciphertext $\langle r^*, s \rangle$ it received for a message m of its choice) and can then unmask $c^*$. Since A makes at most q(n) queries and each oracle query is answered using a value r chosen uniformly at random from $\{0,1\}^n$, a union bound shows that this event occurs with probability at most $q(n)/2^n$.
Case II (Good) The value $r^*$ is never used by the encryption oracle to answer any of A's queries:
A learns nothing about the value of $f(r^*)$, since f is a truly random function and its value at a point never queried is uniform and independent of all other values. Because $f(r^*)$ XORed with $m_b$ is then a uniform one-time pad, the probability that A outputs $b' = b$ is exactly 1/2.
Combining the two cases,
$$\begin{aligned}
\Pr[\mathsf{PrivK}^{\mathrm{cpa}}_{A,\tilde{\Pi}}(n) = 1]
&= \Pr[\mathsf{PrivK}^{\mathrm{cpa}}_{A,\tilde{\Pi}}(n) = 1 \mid \text{Case I}] \cdot \Pr[\text{Case I}]
 + \Pr[\mathsf{PrivK}^{\mathrm{cpa}}_{A,\tilde{\Pi}}(n) = 1 \mid \text{Case II}] \cdot \Pr[\text{Case II}] \\
&\le 1 \cdot \frac{q(n)}{2^n} + \frac{1}{2} \cdot 1 \quad \text{(in the worst case)}.
\end{aligned}$$
Outline 2 We show that any attacker has at most negligible success probability in breaking the original scheme as follows. Let A be a probabilistic polynomial-time adversary whose success probability in breaking the original scheme is
$$\Pr[\mathsf{PrivK}^{\mathrm{cpa}}_{A,\Pi}(n) = 1] = \frac{1}{2} + \varepsilon(n). \tag{4.7}$$
We use A to construct a distinguisher D for the pseudorandom function F whose distinguishing advantage is at least $\varepsilon(n) - q(n)/2^n$. It then remains to show that $\varepsilon(n)$ is negligible.
The distinguisher is given oracle access to some function, and its goal is to determine whether this function is "random" or "pseudorandom." To do this, D emulates the CPA indistinguishability experiment for A in the manner described below and observes whether A succeeds or not. If A succeeds then D guesses that its oracle must be a pseudorandom function, while if A does not succeed then D guesses that its oracle must be a random function.
Distinguisher D
1. D has oracle access to O, which is either a PRF $F_k$ or a RF f.
2. D "starts" A with input $1^n$.
3. A asks for the encryption of messages $m_1, m_2, \dots, m_{q(n)}$.
4. For each $m_i$, D chooses $r_i \leftarrow \{0,1\}^n$ uniformly at random and sets $c_i = \langle r_i, O(r_i) \oplus m_i \rangle$.
5. A outputs $m_0, m_1$.
6. D picks a uniform bit $b \in \{0,1\}$ and $r^* \leftarrow \{0,1\}^n$, and sends the challenge ciphertext $c^* = \langle r^*, O(r^*) \oplus m_b \rangle$ to A.
7. D keeps answering A's encryption queries as in Step 4.
8. D gets the guess $b'$ from A.
9. D outputs 1 ("It's a PRF") if $b' = b$ (A was right), and outputs 0 ("It's a RF") otherwise.
In analyzing D, let us consider the two possibilities for D’s oracle as follows:
Case I: D’s oracle is a PRF.
The view of A when run as a subroutine by D is distributed identically to the view of A in experiment $\mathsf{PrivK}^{\mathrm{cpa}}_{A,\Pi}(n)$. This holds because a key k is chosen at random and then every encryption is carried out by choosing a random r, computing $s' = F_k(r)$, and setting the ciphertext equal to $\langle r, s' \oplus m \rangle$, exactly as in Construction 1. Thus
$$\Pr[D^{F_k(\cdot)}(1^n) = 1] = \Pr[\mathsf{PrivK}^{\mathrm{cpa}}_{A,\Pi}(n) = 1], \tag{4.8}$$
where $k \leftarrow \{0,1\}^n$ is chosen uniformly at random in the above.
Case II: D’s oracle is a RF.
The view of A when run as a subroutine by D is distributed identically to the view of A in experiment $\mathsf{PrivK}^{\mathrm{cpa}}_{A,\tilde{\Pi}}(n)$. This can be seen exactly as above, the only difference being that a random function f is used instead of $F_k$. Thus
$$\Pr[D^{f(\cdot)}(1^n) = 1] = \Pr[\mathsf{PrivK}^{\mathrm{cpa}}_{A,\tilde{\Pi}}(n) = 1], \tag{4.9}$$
where $f \leftarrow \mathsf{Func}_n$ is chosen uniformly at random.
Combining Equations (4.6) through (4.9), we get
$$\left|\Pr[D^{F_k(\cdot)}(1^n) = 1] - \Pr[D^{f(\cdot)}(1^n) = 1]\right|
\ge \left(\frac{1}{2} + \varepsilon(n)\right) - \left(\frac{1}{2} + \frac{q(n)}{2^n}\right)
= \varepsilon(n) - \frac{q(n)}{2^n}. \tag{4.10}$$
By the assumption that F is a pseudorandom function, the left-hand side is negligible, so $\varepsilon(n) - q(n)/2^n$ must be negligible. Since q is polynomial, $q(n)/2^n$ is itself negligible, and therefore $\varepsilon(n)$ is negligible and Π is CPA-secure.
4.4 Advanced Encryption Standard
The Advanced Encryption Standard (AES) is a block cipher standardized by NIST in 2001 [93]. As Figure 4.2 shows, AES processes data blocks of 128 bits with a key of 128, 192 or 256 bits; the key size determines the number of rounds (10, 12 or 14, resp.). The round keys are always 128 bits. The key expansion routine takes the input cipher key and generates a key schedule, e.g., a total of 44 four-byte words (eleven 128-bit round keys: one for the initial AddRoundKey and one per round) in the case of a 128-bit cipher key.
FIGURE 4.2
Design of AES encryption cipher.
As Figure 4.3 shows, all round functions consist of four types of transforma-
tions such as SubBytes(), ShiftRows(), MixColumns(), and AddRoundKey(),
except for the final round, which does not include the MixColumns() trans-
formation. Individual transformations comprising the round function process
on a 4 × 4 array of bytes called the state:
1. SubBytes(): a non-linear substitution step where each byte is replaced with another using an 8-bit substitution box (S-box); the substitution value is found at the intersection of the row indexed by the left 4 bits and the column indexed by the right 4 bits of the input byte. The S-box is the multiplicative inverse in $GF(2^8)$ followed by a fixed affine map.
2. ShiftRows(): a permutation step where the last three rows of the state are cyclically shifted left by 1, 2 and 3 bytes, respectively (row 0 is left unchanged).
3. MixColumns(): a mixing operation where each column of the state is transformed into a new column by multiplying it with a constant matrix over $GF(2^8)$.
4. AddRoundKey(): a key-adding operation where the round key is XORed into the state, one four-byte word per column.
FIGURE 4.3
AES round function.
The round function is parameterized by a key schedule, a one-dimensional array of four-byte words W derived by the key expansion routine; these words are fed to AddRoundKey. Each transformation has an inverse (InvSubBytes(), InvShiftRows(), InvMixColumns(), and AddRoundKey(), which is its own inverse), and applying the inverses in reverse order gives a straightforward decryption algorithm for AES, as shown in Figure 4.4.
FIGURE 4.4
Overall design of AES.
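AES-128 written out transformation by transformation, as an added example following FIPS-197 rather than code from the book. The state is kept as the 16-byte array in column-major order described above, the S-box is generated from the $GF(2^8)$ inverse plus the affine map instead of being tabulated, and the result is checked against the worked example in FIPS-197 Appendix B (the key and plaintext in the `__main__` block are that example's).

```python
"""AES-128 written out transformation by transformation (FIPS-197).

Added example, not the book's code. The state is the 16-byte array in
column-major order (state[r][c] = s[r + 4*c]); the S-box is generated from
the GF(2^8) inverse plus the affine map instead of being tabulated.
"""


def xtime(a: int) -> int:
    """Multiply by x in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    a <<= 1
    return (a ^ 0x11B) if a & 0x100 else a


def gmul(a: int, b: int) -> int:
    """General multiplication in GF(2^8)."""
    p = 0
    while b:
        if b & 1:
            p ^= a
        a, b = xtime(a), b >> 1
    return p


def _build_sbox() -> list:
    """S-box: multiplicative inverse (0 -> 0) followed by the affine transform
    s = inv ^ rotl(inv,1) ^ rotl(inv,2) ^ rotl(inv,3) ^ rotl(inv,4) ^ 0x63."""
    sbox = [0] * 256
    for x in range(256):
        inv = 1 if x else 0
        for _ in range(254 if x else 0):      # x^254 = x^-1 in GF(2^8)*
            inv = gmul(inv, x)
        s = inv
        for i in range(1, 5):
            s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
        sbox[x] = s ^ 0x63
    return sbox


SBOX = _build_sbox()


def sub_bytes(s): return [SBOX[b] for b in s]


def shift_rows(s):
    """Row r is rotated left by r bytes: new[r][c] = old[r][(c + r) % 4]."""
    return [s[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]


def mix_columns(s):
    """Each column times the fixed matrix [2 3 1 1; 1 2 3 1; 1 1 2 3; 3 1 1 2]."""
    out = []
    for c in range(4):
        a0, a1, a2, a3 = s[4 * c:4 * c + 4]
        out += [gmul(a0, 2) ^ gmul(a1, 3) ^ a2 ^ a3,
                a0 ^ gmul(a1, 2) ^ gmul(a2, 3) ^ a3,
                a0 ^ a1 ^ gmul(a2, 2) ^ gmul(a3, 3),
                gmul(a0, 3) ^ a1 ^ a2 ^ gmul(a3, 2)]
    return out


def add_round_key(s, rk): return [a ^ b for a, b in zip(s, rk)]


def expand_key(key: bytes) -> list:
    """Key expansion: 16-byte key -> 44 words -> eleven 16-byte round keys."""
    assert len(key) == 16
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    rcon = 0x01
    for i in range(4, 44):
        temp = w[i - 1][:]
        if i % 4 == 0:
            temp = temp[1:] + temp[:1]          # RotWord
            temp = [SBOX[b] for b in temp]      # SubWord
            temp[0] ^= rcon                     # Rcon[i/4] = (x^(i/4 - 1), 0, 0, 0)
            rcon = xtime(rcon)
        w.append([a ^ b for a, b in zip(w[i - 4], temp)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]


def aes128_encrypt_block(key: bytes, block: bytes) -> bytes:
    """Ten rounds; the final round omits MixColumns, as in Figure 4.3."""
    rks = expand_key(key)
    s = add_round_key(list(block), rks[0])
    for rnd in range(1, 10):
        s = add_round_key(mix_columns(shift_rows(sub_bytes(s))), rks[rnd])
    s = add_round_key(shift_rows(sub_bytes(s)), rks[10])
    return bytes(s)


if __name__ == "__main__":
    key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")   # FIPS-197 Appendix B
    pt = bytes.fromhex("3243f6a8885a308d313198a2e0370734")
    print(aes128_encrypt_block(key, pt).hex())   # 3925841d02dc09fbdc118597196a0b32
```

This is a reference implementation for reading, not for deployment: the table lookups and the data-dependent loop in `gmul` are not constant-time, which is why production AES code uses either hardware instructions or bitsliced arithmetic.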
Exercises
4.1 Why should the success probability of an adversary be one half in the security experiment? What would happen with a success probability of 1 or 0? Which is the better notion of security?
1. A scheme in which the adversary's success probability is 1/2 (random guessing).
2. A scheme in which the adversary's success probability is 0.
4.2 Proposition 1 says that there exists a private-key encryption scheme that is COA (ciphertext-only attack) secure for a single encryption but not COA secure for multiple encryptions. Describe the reason behind it intuitively.
4.3 An encryption scheme that works by just computing c = Fk (m), where
Fk is a strong pseudo-random permutation, is not CPA-secure. Why not?
4.4 There is a private-key encryption scheme that has indistinguishable encryptions in the presence of an eavesdropper, but not indistinguishable multiple encryptions in the presence of an eavesdropper. Describe why this is.
4.5 Do the two conditions $\mathrm{Adv}_A = \Pr[\mathsf{PrivK}^{R\text{-}cpa}_{A,\Pi} = 1] - \Pr[\mathsf{PrivK}^{L\text{-}cpa}_{A,\Pi} = 1]$ and $\Pr[\mathsf{PrivK}^{\mathrm{eav}}_{A,\Pi}(n) = 1] \le \frac{1}{2}$ mean the same thing?
4.6 A private-key encryption scheme that is CPA-secure is also CPA-secure
for multiple encryptions. Describe intuitively why it is so.
5
Private-Key Encryption (3)
CONTENTS
5.1 Block Ciphers and Modes of Operation 51
5.1.1 Electronic Code Book (ECB) Mode 52
5.1.2 Cipher Block Chaining (CBC) Mode 52
5.1.3 Counter (CTR) Mode 54
5.2 CPA-Securities of Modes of Operation 55
5.2.1 IND-CPA Adversary 55
5.2.2 A Block Cipher Per Se Is Not IND-CPA Secure 56
5.2.3 ECB Is Not IND-CPA Secure 56
5.2.4 CBC Is IND-CPA Secure 57
5.2.5 CTR Is IND-CPA Secure 57
5.3 Security Against Chosen-Ciphertext Attack (CCA) 59
5.3.1 IND-CCA Adversary 61
5.3.2 A CPA-Secure Encryption Scheme from Any Pseudorandom Function Is Not CCA-Secure 62
5.3.3 A CPA-Secure Encryption Scheme Using CBC Mode (Random Version) Is Not CCA-Secure 62
Exercises 64
Private-key encryption schemes are further illustrated in this chapter. Block ciphers themselves are not secure encryption schemes, but rather building blocks for constructing secure private-key encryption schemes. To achieve security, block ciphers are run in certain modes of operation, including ECB, CBC and CTR mode. We conclude that ECB mode is not IND-CPA secure, while CBC and CTR are IND-CPA secure. This is followed by a stronger security notion, security against chosen-ciphertext attack, and some examples of schemes that are CPA-secure but not CCA-secure.
5.1 Block Ciphers and Modes of Operation
As with stream ciphers, block ciphers themselves are not secure encryption
schemes. Rather, they are building blocks that can be used to construct secure
encryption schemes. A block cipher enables parties sharing a key K to encrypt a one-block message. How, then, do we build an encryption scheme that encrypts an arbitrary-length message using a block cipher? The answer is to divide the entire message into multiple blocks and apply the block cipher blockwise. The issue is how to apply the block cipher so that the resulting encryption scheme is secure. A way of applying the block cipher to get an encryption scheme is referred to as a mode of operation.
For all of the following modes, we will use the notation:
1. K: the key shared by the parties
2. n: block length
3. x[i]: i-th n-bit block of a string x
As defined earlier, a private-key (aka symmetric) encryption scheme SE =
(K, E, D) consists of three algorithms:
1. K is randomized.
2. E can be randomized (e.g., randomized IV ) or stateful (e.g.,
counter).
3. D is deterministic.
If E can be randomized or stateful, then each encryption of a message may
be different each time. If D is deterministic, it returns the same plaintext when
the same key and ciphertext are given as input.
5.1.1 Electronic Code Book (ECB) Mode
This is the most naive mode of operation possible. The key generation algorithm simply returns a random key for the block cipher. Each ciphertext block is obtained by encrypting the corresponding plaintext block separately, and each plaintext block is recovered by decrypting the corresponding ciphertext block separately. Figure 5.1 shows the ECB mode of operation.
5.1.2 Cipher Block Chaining (CBC) Mode
There are two variants of CBC mode, one with a random IV and one stateful (i.e., with a counter as IV).
The key generation algorithm simply returns a random key for the block cipher. In the random version, a random initial vector (IV) of length n is first chosen. Then each ciphertext block is generated by applying the block cipher to the XOR of the current plaintext block and the previous ciphertext block. Note that the IV is sent in the clear (that is, as C[0]) as part of the ciphertext. Figure 5.2 shows CBC with a random IV.
FIGURE 5.1
ECB mode.
A drawback of this mode is that encryption must be carried out sequentially, since each block's input depends on the previous output (decryption of a block needs only the previous ciphertext block, so it can be parallelized).
The following is CBC with a counter. C[0] is the IV, which is set to the current value of the counter; the counter is then incremented each time a message is encrypted. A predictable IV is dangerous here: an attacker who can predict the next IV can choose a plaintext block that makes the block-cipher input repeat one it has already observed, so this variant does not achieve CPA security, whereas the random-IV variant does.
FIGURE 5.2
CBC with random IV mode.
5.1.3 Counter (CTR) Mode
There are two variants of CTR mode, one stateful (i.e., counter) and the
other random. Figure 5.3 shows the counter mode.
FIGURE 5.3
CTR mode.
The key generation algorithm simply returns a random key for the block
cipher. In the stateful version, the encryptor maintains a counter ctr which is
initially zero. Position index ctr is not allowed to wrap around: the encryption
algorithm returns ⊥ if this would happen. The position index is included in
the ciphertext in order to enable decryption. The encryption algorithm up-
dates the position index upon each invocation, and begins with this updated
value the next time it is invoked.
Note that in the random version, the starting point R chosen randomly by the encryption algorithm is included in the ciphertext, to enable decryption. In either variant:
1. The decryptor does not maintain a counter (i.e., the counter is transmitted within the ciphertext).
2. D does not use $E_K^{-1}$: only the forward direction of the block cipher is ever needed.
3. Encryption is parallelizable, which can be exploited to speed up the process where hardware support is present.
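ECB, CBC with a random IV, and CTR with a random starting point, as an added example rather than the book's code. The block cipher $E_K$ is not AES but a 3-round Feistel network with an HMAC-SHA256 round function (by the Luby-Rackoff result three rounds of a PRF give a pseudorandom permutation; using it here is an assumption made to keep the block short), with block length n = 128 bits; the decryptor uses $E_K^{-1}$ only in ECB and CBC. The last function shows the ECB weakness discussed in 5.2.3: equal plaintext blocks give equal ciphertext blocks, which neither CBC nor CTR exhibits.

```python
"""ECB, CBC (random IV) and CTR (random start) over a 128-bit block cipher.

Added example, not the book's code. E_K is a 3-round Feistel network with
an HMAC-SHA256 round function instead of AES (assumption: by Luby-Rackoff,
three PRF rounds give a pseudorandom permutation); E_inv is its inverse.
The last function shows why ECB leaks structure.
"""
import hashlib
import hmac
import secrets

BLOCK = 16  # n = 128 bits


def _f(k: bytes, i: int, half: bytes) -> bytes:
    """Round function f_i, keyed by K and the round index."""
    return hmac.new(k, bytes([i]) + half, hashlib.sha256).digest()[:8]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def E(k: bytes, x: bytes) -> bytes:
    """Block cipher E_K: (L, R) -> (R, L XOR f_i(R)) for three rounds."""
    L, R = x[:8], x[8:]
    for i in range(3):
        L, R = R, xor(L, _f(k, i, R))
    return L + R


def E_inv(k: bytes, y: bytes) -> bytes:
    """E_K^{-1}: undo the rounds in reverse order."""
    L, R = y[:8], y[8:]
    for i in reversed(range(3)):
        L, R = xor(R, _f(k, i, L)), L
    return L + R


def blocks(x: bytes) -> list:
    assert len(x) % BLOCK == 0, "example assumes whole blocks (no padding)"
    return [x[i:i + BLOCK] for i in range(0, len(x), BLOCK)]


def ecb_enc(k, m): return b"".join(E(k, b) for b in blocks(m))
def ecb_dec(k, c): return b"".join(E_inv(k, b) for b in blocks(c))


def cbc_enc(k: bytes, m: bytes, iv: bytes = None) -> bytes:
    """C[0] = random IV sent in the clear; C[i] = E_K(M[i] XOR C[i-1])."""
    prev = iv if iv is not None else secrets.token_bytes(BLOCK)
    out = [prev]
    for b in blocks(m):
        prev = E(k, xor(b, prev))
        out.append(prev)
    return b"".join(out)


def cbc_dec(k: bytes, c: bytes) -> bytes:
    cs = blocks(c)
    return b"".join(xor(E_inv(k, cs[i]), cs[i - 1]) for i in range(1, len(cs)))


def ctr_enc(k: bytes, m: bytes, start: bytes = None) -> bytes:
    """Random start R sent as C[0]; C[i] = M[i] XOR E_K(R + i), counter mod 2^128."""
    r0 = start if start is not None else secrets.token_bytes(BLOCK)
    r = int.from_bytes(r0, "big")
    out = [r0]
    for i, b in enumerate(blocks(m), start=1):
        ctr = ((r + i) % (1 << 128)).to_bytes(BLOCK, "big")
        out.append(xor(b, E(k, ctr)))
    return b"".join(out)


def ctr_dec(k: bytes, c: bytes) -> bytes:
    """Decryption re-runs the keystream: no E_K^{-1} is needed."""
    return ctr_enc(k, c[BLOCK:], start=c[:BLOCK])[BLOCK:]


def ecb_repeated_block_leak(k: bytes):
    """Two equal plaintext blocks: equal ciphertext blocks under ECB only."""
    m = b"same block here!" * 2            # constructed sample plaintext
    e, cb, ct = blocks(ecb_enc(k, m)), blocks(cbc_enc(k, m)), blocks(ctr_enc(k, m))
    return (e[0] == e[1], cb[1] == cb[2], ct[1] == ct[2])


if __name__ == "__main__":
    k = secrets.token_bytes(16)
    print("ECB/CBC/CTR repeat leak:", ecb_repeated_block_leak(k))  # (True, False, False)
```

Under CTR the counter blocks fed to $E_K$ are distinct, and since $E_K$ is a permutation the keystream blocks are distinct too; under CBC the two cipher inputs coincide only if the IV happens to equal the first ciphertext block, an event of probability $2^{-128}$. Neither mode here authenticates the ciphertext, which is the gap Section 5.3 takes up.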
5.2 CPA-Securities of Modes of Operation
How to show a cryptographic scheme is not secure against IND-CPA adver-
saries? It suffices to design (or construct) an adversary so that the adversary’s
IND-CPA advantage is close to 1.
5.2.1 IND-CPA Adversary
FIGURE 5.4
IND-CPA adversary.
Here we use left-or-right indistinguishability (initially introduced at CPA-
Security for Multiple Encryptions in Chapter 3) under a chosen-plaintext at-
tack. In the following, we will describe the CPA indistinguishability exper-
iment and define the adversary’s advantage in distinguishing encryptions of
two arbitrary messages, as shown in Figure 5.4.
Let SE = (K, E, D) be an encryption scheme. An IND-CPA adversary A
has an oracle LR.
1. It can make a query M0 , M1 consisting of any two equal-length
messages.
2. It can do this many times.
3. Each time it gets back a ciphertext.
4. It eventually outputs a bit.
Note that the adversary chooses the first pair, then receives C1 , then chooses
the second pair, then receives C2 , and so on. LR is a kind of encryption oracle.
Now let us formulate the following game between an adversary and LR
oracle (i.e., challenger). The adversary must complete the game and output a
guess.
1. The LR oracle generates the symmetric key based on some security
parameter during the initialization procedure.
2. The adversary performs a polynomially bounded number of encryptions.
3. The adversary then submits two distinct chosen plaintexts M0 and
M1 to the LR oracle and repeats this q times.
4. The LR oracle sends the encryption result (i.e., the challenge ci-
phertext) of the message depending on the randomly chosen value
b ∈ {0, 1} back to the adversary.
5. The adversary outputs a guess b'. If b' = b then the adversary wins.
The advantage is defined as
$$\mathrm{Adv}^{\mathrm{ind\text{-}cpa}}_{SE}(A) = \Pr[\mathrm{Right}^{A}_{SE} = 1] - \Pr[\mathrm{Left}^{A}_{SE} = 1]. \quad (5.1)$$
The scheme is IND-CPA secure if the adversary can win the above game with
probability at most 1/2 + negl(n).
5.2.2 A Block Cipher Per Se Is Not IND-CPA Secure
We will construct an experiment where the adversary interacts with the LR
oracle, and finally show that the adversary can distinguish encryptions of two
arbitrary messages.
Let SE = (K, E, D) be a block cipher, which consists of key generation,
encryption, and decryption algorithms, and provides a 128-bit block of the
encrypted data. This scheme encrypts only one block of input message at a
time. The adversary provides the messages M0 and M1 and receives a cipher-
text C in each world. Note that two distinct input messages generate two
distinct output blocks, and equal inputs always give equal outputs, because
block ciphers are deterministic. We design the adversary so that if the two
ciphertexts are equal, the adversary returns 1 and 0 otherwise. The advantage
is calculated as follows. In the left world the two ciphertexts are not equal,
so the adversary returns 0 and the probability that it outputs 1 is 0. In the
right world the two ciphertexts are equal, so the adversary returns 1 and the
probability that it outputs 1 is 1. The advantage is therefore 1, hence the
block cipher is not IND-CPA secure. The reason for this is that block ciphers
are deterministic.
5.2.3 ECB Is Not IND-CPA Secure
The encryption process is deterministic and stateless, so that if the same mes-
sage is encrypted twice, the same ciphertext is returned. We can show that
this mode cannot possibly be CPA-secure. Even worse, ECB-mode encryption
does not have indistinguishable encryption in the presence of an eavesdropper.
ECB mode should therefore never be used.
By generalizing the case of ECB, we can get the following fact.
Proposition 1 Any deterministic, stateless scheme is not IND-CPA secure.
Proof is omitted.
5.2.4 CBC Is IND-CPA Secure
Theorem 1 If E is a pseudorandom permutation, then CBC-mode encryption
(random, counter version) is CPA-secure.
Proof is omitted.
However, note that if the IV is not random, this mode is not CPA-secure.
5.2.5 CTR Is IND-CPA Secure
Theorem 2 If F is a pseudorandom permutation, then CTR-mode encryption
(random, counter version) is CPA-secure.
Proof This proof is for the random version of the CTR-mode encryption.
Outline of the Proof The proof is based on the “proof by reduction” tech-
nique introduced earlier.
1. Define an alternate encryption scheme (e.g., Random Function En-
cryption)
2. Show that any attacker has at most negligible success probability
in breaking the original scheme.
Outline 1 Let Π = (Gen, Enc, Dec) be the CTR mode encryption scheme. We
define a modified encryption scheme $\tilde\Pi = (\widetilde{\mathrm{Gen}}, \widetilde{\mathrm{Enc}}, \widetilde{\mathrm{Dec}})$ that is identical
to Π except that a truly random function f is used in place of F_k.
Outline 2 We show that any adversary has at most negligible success prob-
ability in breaking the original scheme, that is, there is negl(n) such that
$$\Pr[\mathrm{PrivK}^{\mathrm{cpa}}_{A,\Pi}(n) = 1] \le \frac{1}{2} + \mathrm{negl}(n). \quad (5.2)$$
1. At the first step of Outline 2, we claim that there is a negligible
function negl'(n) such that
$$\Pr[\mathrm{PrivK}^{\mathrm{cpa}}_{A,\Pi}(n) = 1] - \Pr[\mathrm{PrivK}^{\mathrm{cpa}}_{A,\tilde\Pi}(n) = 1] \le \mathrm{negl}'(n). \quad (5.3)$$
This is proved by reduction in a similar way to the proof of The-
orem 3 in Chapter 4.
2. At the second step, we next claim that
$$\Pr[\mathrm{PrivK}^{\mathrm{cpa}}_{A,\tilde\Pi}(n) = 1] < \frac{1}{2} + \frac{2q(n)^2}{2^n}, \quad (5.4)$$
where q(n) is a polynomial upper bound on the number of
encryption-oracle queries made by A(1^n) as well as the maximum
number of blocks in any such query and the maximum number of
blocks in m0 and m1.
We now prove this equation. Fix some value n for the security pa-
rameter.
Let l* ≤ q(n) denote the length (in blocks) of the messages m0, m1
output by A in experiment $\mathrm{PrivK}^{\mathrm{cpa}}_{A,\tilde\Pi}(n)$, ctr* denote the initial
value used when generating the challenge ciphertext, l_i ≤ q(n) be
the length (in blocks) of the i-th encryption-oracle query made by A,
and let ctr_i denote the initial value used when answering this query.
When the i-th encryption-oracle query is answered, f is applied to
the values ctr_i + j with 1 ≤ j ≤ l_i. When the challenge ciphertext is
encrypted, f is applied to the values ctr* + j* with 1 ≤ j* ≤ l*, and
the ciphertext blocks are c_i = f(ctr* + i) ⊕ m_i. There are two cases:
(a) There do not exist any i, j, j ∗ ≥ 1 for which ctri + j = ctr∗ +
j ∗ , that is, the values f (ctr∗ + j ∗ ) used when encrypting the
challenge ciphertext are uniformly distributed and independent
of the rest of the experiment since f was not applied to any of
these inputs when encrypting the adversary’s oracle queries. In
this case, the probability that A outputs b' = b is exactly 1/2
(as in the case of the one-time pad).
(b) There exists i, j, j ∗ ≥ 1 for which ctri +j = ctr∗ +j ∗ . We denote
this event by Overlap. The probability that Overlap occurs is
maximized if li = l∗ = q(n) for all i. Let Overlapi denote the
event that the sequence ctri + j overlaps ctr∗ + j ∗ .
Fixing ctr*, the event Overlap_i occurs exactly when ctr_i satisfies
$$\mathrm{ctr}^* + 1 - q(n) \le \mathrm{ctr}_i \le \mathrm{ctr}^* + q(n) - 1. \quad (5.5)$$
Since ctr_i is chosen uniformly from {0, 1}^n and there are 2q(n) − 1
values for ctr_i, we see that
$$\Pr[\mathrm{Overlap}_i] = \frac{2q(n) - 1}{2^n} < \frac{2q(n)}{2^n}. \quad (5.6)$$
Since there are at most q(n) oracle queries, a union bound gives
$$\Pr[\mathrm{Overlap}] = \sum_{i=1}^{q(n)} \Pr[\mathrm{Overlap}_i] < q(n) \times \frac{2q(n)}{2^n} = \frac{2q(n)^2}{2^n}. \quad (5.7)$$
Since A succeeds with probability exactly 1/2 when Overlap does not
occur, and with probability at most 1 when it does, the success prob-
ability of A in breaking the scheme $\tilde\Pi$ is at most 1/2 + Pr[Overlap],
which gives Equation 5.4.
3. Finally, by combining Equations 5.3 and 5.4, we get
$$\Pr[\mathrm{PrivK}^{\mathrm{cpa}}_{A,\Pi}(n) = 1] < \frac{1}{2} + \frac{2q(n)^2}{2^n} + \mathrm{negl}'(n). \quad (5.8)$$
Since q(n) is polynomial, $\frac{2q(n)^2}{2^n} + \mathrm{negl}'(n)$ is negligible. We
conclude that the scheme Π is CPA-secure. □
5.3 Security Against Chosen-Ciphertext Attack (CCA)
Until now we have considered CPA-security in which the adversary is allowed
to ask for encryptions of multiple messages chosen adaptively. In this section,
we consider a stronger security notion, chosen-ciphertext attack, where the
adversary can inject his chosen messages into the communication stream be-
tween honest parties and also see how they are decrypted.
Example An ATM card contains a key K ← K known also to a bank, where
SE = (K, E, D) is a symmetric encryption scheme. Adversary transmits Alice’s
identity, but how can the adversary answer the challenge (meaning decrypt
C) without knowing Alice’s key? The adversary tries to learn how to decrypt
by creating ciphertexts and getting the card to decrypt them.
The CCA indistinguishability experiment $\mathrm{PrivK}^{\mathrm{cca}}_{A,\Pi}(n)$
1. A key k is generated by running Gen(1n ).
2. The adversary A is given input 1n and oracle access to Enck (·) and
Deck (·). A outputs a pair of messages m0 , m1 of the same length.
3. A uniform bit b ← {0, 1} is chosen, and then a ciphertext c ←
Enck (mb ) (called the challenge ciphertext) is computed and given
to A.
4. The adversary A continues to have oracle access to Enc_k(·) and
Dec_k(·), but is not allowed to query Dec_k(·) on the challenge ci-
phertext itself. Eventually A outputs a bit b'.
5. The output of the experiment is defined to be 1 if b = b' (in this
case, we say that A succeeds) and 0 otherwise.
The above experiment can also be described as follows.
1. Challenger runs Gen.
2. (Query Phase I) Adversary is given access to two oracles, Enck (·)
and Deck (·).
3. (Challenger Phase) Adversary produces two messages m0 and m1 .
The challenger returns the challenge ciphertext c∗ = Enck (mb ).
4. (Query Phase II) Same as Query Phase I except that the adversary
cannot query the decryption oracle on c∗ .
5. Adversary outputs b'.
Definition 1 A private-key encryption scheme Π = (Gen, Enc, Dec) has
indistinguishable security (or encryption) under a chosen-ciphertext
attack, or is CCA-secure, if for all probabilistic polynomial-time adversaries
A, there exists a negligible function negl such that
$$\Pr[\mathrm{PrivK}^{\mathrm{cca}}_{A,\Pi}(n) = 1] \le \frac{1}{2} + \mathrm{negl}(n), \quad (5.9)$$
where the probability is taken over the randomness used by A, as well as the
randomness used in the experiment.
Note that in the above experiment, the adversary is not allowed to request
decryption of the challenge ciphertext itself.
CCA-security Any encryption scheme that allows ciphertexts to be manipu-
lated in any “logical way” cannot be CCA-secure. It means that the ciphertext
should be “non-malleable” in the sense that if the adversary tries to modify a
given ciphertext, the result is either an invalid ciphertext or one that decrypts
to a plaintext having no relation to the original one. An encryption algorithm
is malleable if it is possible for an adversary to transform a ciphertext into
another ciphertext which decrypts to a related plaintext. That is, given an en-
cryption of a plaintext m, it is possible to generate another ciphertext which
decrypts to f (m), for a known function f , without necessarily knowing or
learning m.
5.3.1 IND-CCA Adversary
Let SE = (K, E, D) be an encryption scheme. An IND-CCA adversary A
1. has access to an LR oracle,
2. has access to a decryption oracle Dec, and
3. eventually outputs a bit.
FIGURE 5.5
IND-CCA adversary.
For the IND-CCA scheme, the adversary needs access to the decryption
oracle in addition to the encryption oracle (Note that a CPA-adversary is
given encryption oracle service only). This is shown in Figure 5.5. The de-
cryption oracle decrypts arbitrary ciphertexts on the request of the adversary
except for the challenge ciphertexts, which are the encryption results by the
LR oracle. If the output of the adversary is 1, this means that the adversary
is in the right world and if the output of the adversary is 0, this means that
the adversary is in the left world. The symmetric key is generated during the
initialization procedure. The adversary then may request a number of encryp-
tions and decryptions to the oracles (i.e., the adversary submits two distinct
chosen plaintexts to the LR oracle; the LR oracle then selects a bit b at ran-
dom and sends the challenge ciphertexts back to the adversary; the adversary
submits the resulting ciphertexts to the decryption oracle; the decryption or-
acle then sends the decryption results back to the adversary). Finally the
adversary outputs a guess for the value of bit b. The scheme is IND-CCA se-
cure if no adversary has a non-negligible advantage in winning the above game.
5.3.2 A CPA-Secure Encryption Scheme from Any Pseudo-
random Function Is Not CCA-Secure
Let us consider an IND-CCA experiment, where an adversary A has access
to both the LR oracle and the decryption oracle. A sends messages m0 = 0^n
and m1 = 1^n to the LR oracle and gets back Enc_k(m_b) = (r, F_k(r) ⊕ m_b).
A has access to the decryption oracle, which refuses to decrypt only the chal-
lenge ciphertext itself. So the idea is to slightly change the ciphertext and
query the decryption oracle. That is, A flips the first bit in the encryption of
the challenge message m_b, and the decryption oracle will accept the changed
ciphertext (c → c'). Note that since the encryption scheme is defined by the
bitwise operation s = F_k(r) ⊕ m, a change in the i-th bit of the message
(m → m') affects only the corresponding bit of the ciphertext (c → c'), and
vice versa. Therefore, A can tell whether m0 = 0^n or m1 = 1^n was en-
crypted, because A expects m_b with its first bit flipped as the response from
the decryption oracle: 10^{n−1} means b = 0 and 01^{n−1} means b = 1. Hence,
Construction 1 in Chapter 4 is not CCA-secure.
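The experiment PrivK^cca of this section and the bit-flipping adversary just described, as an added Python example that is not code from the book. F_k is assumed to be HMAC-SHA256 truncated to n = 128 bits (a PRF under standard assumptions); the names CCAExperiment, adversary, run_experiment and challenge_is_refused are chosen here, not taken from the book.

```python
import hashlib
import hmac
import os

N = 16  # n = 128 bits, in bytes


def F(k: bytes, r: bytes) -> bytes:
    # Pseudorandom function F_k: HMAC-SHA256 truncated to n bits (assumed PRF)
    return hmac.new(k, r, hashlib.sha256).digest()[:N]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def enc(k: bytes, m: bytes):
    # Construction 1 of Chapter 4: Enc_k(m) = (r, F_k(r) xor m) with r uniform
    r = os.urandom(N)
    return (r, xor(F(k, r), m))


def dec(k: bytes, c) -> bytes:
    r, s = c
    return xor(F(k, r), s)


class CCAExperiment:
    """PrivK^cca_{A,Pi}(n): Enc and Dec oracles, one challenge, and the rule that
    Dec refuses the challenge ciphertext itself. The bit b is hidden from A."""

    def __init__(self, b=None):
        self.k = os.urandom(N)                              # step 1: k <- Gen(1^n)
        self.b = (os.urandom(1)[0] & 1) if b is None else b
        self.challenge = None

    def enc_oracle(self, m: bytes):
        return enc(self.k, m)

    def dec_oracle(self, c) -> bytes:
        if c == self.challenge:                             # step 4: not on the challenge
            raise ValueError("decryption of the challenge ciphertext is not allowed")
        return dec(self.k, c)

    def challenge_oracle(self, m0: bytes, m1: bytes):
        assert len(m0) == len(m1) and self.challenge is None
        self.challenge = enc(self.k, (m0, m1)[self.b])      # step 3: c <- Enc_k(m_b)
        return self.challenge

    def outcome(self, b_guess: int) -> int:
        return 1 if b_guess == self.b else 0                # step 5


def adversary(exp: CCAExperiment) -> int:
    m0, m1 = b"\x00" * N, b"\xff" * N
    r, s = exp.challenge_oracle(m0, m1)
    # Flip the first bit of s. c' = (r, s') is a different ciphertext, so the
    # decryption oracle answers, and its answer is m_b with the first bit flipped.
    s_prime = bytes([s[0] ^ 0x80]) + s[1:]
    m_prime = exp.dec_oracle((r, s_prime))
    # 1 0^{n-1} reveals b = 0; 0 1^{n-1} reveals b = 1
    return 0 if m_prime == b"\x80" + b"\x00" * (N - 1) else 1


def run_experiment(b=None) -> int:
    """Returns 1 when the adversary's guess equals b, i.e. A succeeds."""
    exp = CCAExperiment(b)
    return exp.outcome(adversary(exp))


def challenge_is_refused() -> bool:
    """Checks the rule of step 4: Dec rejects exactly the challenge ciphertext."""
    exp = CCAExperiment(0)
    c = exp.challenge_oracle(b"\x00" * N, b"\xff" * N)
    try:
        exp.dec_oracle(c)
        return False
    except ValueError:
        return True
```

Running run_experiment(b) for either value of b returns 1 every time, which is the advantage of 1 the text describes; the scheme is still CPA-secure, since without the decryption oracle the flipped ciphertext reveals nothing.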
5.3.3 A CPA-Secure Encryption Scheme Using CBC Mode
(Random Version) Is Not CCA-Secure
In order to analyze the security of CBC (random mode) under the CCA indis-
tinguishability experiment, let us formulate an adversary A which is provided
with the LR oracle access and the decryption oracle. In this experiment, we
calculate the advantage of the adversary in succeeding in attacking the scheme
and show that the scheme is not CCA-secure.
Let SE = (K, E, D) be a block cipher, which consists of key generation,
encryption, and decryption algorithms, and provides a block of the encrypted
data using the CBC randomized mode. The adversary provides a message pair
(M0, M1) and receives a ciphertext C in each world. We design the adversary
so that if the retrieved plaintext equals 0^n, the adversary returns 0 and 1
otherwise. Note that the query for the challenge ciphertext C is not allowed
to the decryption oracle. Before receiving the decryption service, therefore,
the adversary needs to slightly modify the challenge ciphertext so that he
could finally retrieve the original plaintext from the decrypted result of the
modified ciphertext by the decryption oracle.¹ The adversary finally retrieves
the original plaintext by XORing the decryption of the modified ciphertext
with ∆, i.e., M' ⊕ ∆ = M. Next we show that the adversary wins the game
with the advantage of 1.
¹ Let us say the encryption result of M is C = C[0]C[1]. The adversary modifies C =
C[0]C[1] into C' = (C[0] ⊕ ∆)C[1] = C'[0]C[1] and queries the modified ciphertext C' to
the decryption oracle, which returns M' = M ⊕ ∆ back to the adversary.
1. In the Game Right_SE, the LR encryption oracle returns ⟨C[0]C[1]⟩
with
$$C[1] = E_K(C[0] \oplus M_1) = E_K(C[0] \oplus 1^n). \quad (5.10)$$
We have, with ∆ = 1^n,
$$\begin{aligned}
M' &= \mathrm{Dec}(C'[0]C[1]) \\
&= E_K^{-1}(C[1]) \oplus C'[0] \\
&= E_K^{-1}(E_K(C[0] \oplus 1^n)) \oplus (C[0] \oplus \Delta) \\
&= (C[0] \oplus 1^n) \oplus (C[0] \oplus 1^n) \\
&= 0^n.
\end{aligned}$$
Then, M = M' ⊕ ∆ = 0^n ⊕ 1^n = 1^n. By comparing the retrieved
plaintext with 0^n, the adversary will return 1, that is,
$$\Pr[\mathrm{Right}^{A}_{SE} \Rightarrow 1] = 1.$$
2. In the Game Left_SE, the LR encryption oracle returns ⟨C[0]C[1]⟩
with
$$C[1] = E_K(C[0] \oplus M_0) = E_K(C[0] \oplus 0^n).$$
We have
$$\begin{aligned}
M' &= \mathrm{Dec}(C'[0]C[1]) \\
&= E_K^{-1}(C[1]) \oplus C'[0] \\
&= E_K^{-1}(E_K(C[0] \oplus 0^n)) \oplus (C[0] \oplus \Delta) \\
&= (C[0] \oplus 0^n) \oplus (C[0] \oplus 1^n) \\
&= 1^n.
\end{aligned}$$
Then, M = M' ⊕ ∆ = 1^n ⊕ 1^n = 0^n. By comparing the retrieved
plaintext with 0^n, the adversary will return 0, that is,
$$\Pr[\mathrm{Left}^{A}_{SE} \Rightarrow 1] = 0.$$
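The ECB, CBC (random version) and CTR (random version) modes of Section 5.1, the left-or-right oracle of Section 5.2.1 with the ECB-distinguishing adversary of Section 5.2.3, and the ∆-modification attack on CBC derived above, as one added Python example. This is not code from the book. Because none of the arguments depends on a particular block cipher, E_K is assumed to be a toy 4-round Feistel permutation on 128-bit blocks with HMAC-SHA256 as its round function (a stand-in for a real cipher such as AES, chosen so that the example runs without third-party libraries); the names LR, ecb_adversary, ind_cpa_advantage and cbc_cca_adversary are this example's own.

```python
import hashlib
import hmac
import os

BLOCK = 16  # n = 128 bits in bytes; example messages are whole blocks


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

# Stand-in block cipher E_K (an assumption of this example): a 4-round Feistel
# network with HMAC-SHA256 as round function, hence a keyed permutation.
def _round(key: bytes, i: int, half: bytes) -> bytes:
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]

def E(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for i in range(4):
        left, right = right, xor(left, _round(key, i, right))
    return left + right

def E_inv(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for i in reversed(range(4)):
        left, right = xor(right, _round(key, i, left)), left
    return left + right

def blocks(data: bytes):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_enc(key: bytes, m: bytes) -> bytes:
    # ECB: deterministic and stateless, so equal blocks give equal ciphertext blocks
    return b"".join(E(key, mi) for mi in blocks(m))

def cbc_enc(key: bytes, m: bytes) -> bytes:
    # CBC, random version: C[0] is a uniformly chosen IV, sent in the clear
    c = [os.urandom(BLOCK)]
    for mi in blocks(m):
        c.append(E(key, xor(mi, c[-1])))
    return b"".join(c)

def cbc_dec(key: bytes, c: bytes) -> bytes:
    cb = blocks(c)
    return b"".join(xor(E_inv(key, cb[i]), cb[i - 1]) for i in range(1, len(cb)))

def _ctr_pad(key: bytes, r: int, j: int) -> bytes:
    return E(key, ((r + j) % (1 << 128)).to_bytes(BLOCK, "big"))

def ctr_enc(key: bytes, m: bytes) -> bytes:
    # CTR, random version: the starting point R is sent in the clear as block 0
    r = int.from_bytes(os.urandom(BLOCK), "big")
    body = [xor(mi, _ctr_pad(key, r, j)) for j, mi in enumerate(blocks(m), 1)]
    return r.to_bytes(BLOCK, "big") + b"".join(body)

def ctr_dec(key: bytes, c: bytes) -> bytes:
    # CTR decryption never uses E_K^{-1}, only E_K
    r = int.from_bytes(c[:BLOCK], "big")
    return b"".join(xor(ci, _ctr_pad(key, r, j))
                    for j, ci in enumerate(blocks(c[BLOCK:]), 1))


class LR:
    """Left-or-right oracle of Section 5.2.1: encrypts M_b under a hidden bit b."""

    def __init__(self, enc, b=None):
        self.key, self.enc = os.urandom(BLOCK), enc
        self.b = (os.urandom(1)[0] & 1) if b is None else b

    def query(self, m0: bytes, m1: bytes) -> bytes:
        assert len(m0) == len(m1)
        return self.enc(self.key, (m0, m1)[self.b])


def ecb_adversary(oracle: LR) -> int:
    # Section 5.2.3: ask for (x, x) and then (y, x). Only in the right world is the
    # same block encrypted twice, and ECB then returns the same ciphertext.
    x, y = b"\x00" * BLOCK, b"\xff" * BLOCK
    return 1 if oracle.query(x, x) == oracle.query(y, x) else 0

def ind_cpa_advantage(enc, adversary, trials: int = 50) -> float:
    # Adv^{ind-cpa}(A) = Pr[Right => 1] - Pr[Left => 1], measured by fixing b
    right = sum(adversary(LR(enc, b=1)) for _ in range(trials)) / trials
    left = sum(adversary(LR(enc, b=0)) for _ in range(trials)) / trials
    return right - left

def cbc_cca_adversary(key: bytes, b: int) -> int:
    # Section 5.3.3 with M0 = 0^n, M1 = 1^n and Delta = 1^n. The challenge C may not
    # be sent to the decryption oracle, so C' = (C[0] xor Delta) C[1] is sent instead
    # and M = M' xor Delta recovers the encrypted message.
    m0, m1, delta = b"\x00" * BLOCK, b"\xff" * BLOCK, b"\xff" * BLOCK
    c = cbc_enc(key, (m0, m1)[b])                # challenge from the LR oracle
    c_prime = xor(c[:BLOCK], delta) + c[BLOCK:]  # differs from c, so Dec answers it
    m_prime = cbc_dec(key, c_prime)              # the decryption oracle's reply
    return 0 if xor(m_prime, delta) == m0 else 1
```

ind_cpa_advantage(ecb_enc, ecb_adversary) comes out as exactly 1, while the same adversary against cbc_enc or ctr_enc gets advantage 0 because the fresh IV or starting point makes the two ciphertexts differ; cbc_cca_adversary returns 1 in the right world and 0 in the left world, matching the two cases derived above.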
Exercises
5.1 Explain why Construction 1 in Chapter 4 is not CCA-secure.
5.2 An adversary A chooses m0 = 0^n, m1 = 1^n. Upon receiving c = ⟨r, s⟩,
A flips the first bit of s, resulting in s', and asks for decryption of c' = ⟨r, s'⟩.
The decryption oracle answers with either 10^{n−1} (in which case it is clear that
b = 0) or 01^{n−1} (in which case b = 1). Why?
Enc: c = ⟨r, F_k(r) ⊕ m⟩ = ⟨r, s⟩
Dec: m = F_k(r) ⊕ s
5.3 How are garbage messages different from messages chosen by an adversary
in the message authentication experiment Mac-forge_{A,Π}(n)?
6 Message Authentication Code
CONTENTS
6.1 Overview 65
6.1.1 Encryption vs. Message Authentication 66
6.2 Message Authentication Code 67
6.3 Constructing Secure Message Authentication Code 70
6.3.1 Fixed-Length MAC 70
6.3.2 Variable-Length MAC 72
6.4 CBC-MAC 75
6.5 Obtaining Encryption and Message Authentication 77
6.5.1 Constructing CCA-Secure Encryption Schemes Using MAC 79
This chapter provides an overview of the message authentication code (MAC)
starting from the main goal of the message authentication code. Subsequently,
the difference between the encryption and the message authentication is ana-
lyzed. The next section of the chapter provides the formal definitions of MAC.
The construction of fixed length MAC from any pseudorandom function and
the construction of a variable length MAC from a fixed length MAC are dis-
cussed, respectively. The CBC-MAC construction that is similar to the CBC
mode of encryption is widely used in practice, producing fixed length MAC
for much longer messages. The final part of the chapter discusses how to guar-
antee data encryption and authentication at the same time and constructs a
CCA-secure private-key encryption scheme using MAC.
6.1 Overview
The goal of message authentication is to ensure that
1. Message M really originates with Alice and not someone else (“data
origin”).
2. Message M has not been modified in transit by an adversary (“data
integrity”).
Example In a medical database application as shown in Figure 6.1, we need
to ensure that
1. Doctor is authorized to get Alice’s file.
2. FA , FA are not modified in transit.
3. FA is really sent by a database.
4. FA is really sent by an authorized doctor.
FIGURE 6.1
Message authentication in a medical application.
6.1.1 Encryption vs. Message Authentication
Does encryption provide message authentication? The answer is no.
Encryption using stream ciphers Consider the private-key encryption
scheme from any pseudorandom generator G, c = G(k) ⊕ m. Ciphertexts
are very easy to manipulate. Specifically, flipping any bit in the ciphertext c
results in the same bit being flipped in the message that is recovered upon
decryption, while the remaining bits are unchanged. The same attack applies to OTP
(i.e., the adversary can modify the message by picking ∆), showing that even
perfect secrecy is not sufficient to ensure message authentication. Now we ex-
plain in detail how OTP does not provide message authentication.
The encryption of the message M is given by K ⊕ M while the decryption
is given by K ⊕ C, where K is the key, M is the plaintext message and C
is the ciphertext. Here we assume that the adversary knows the message M.
Then he can derive the corresponding bits of the pad from the two known
elements (M and C). The adversary then replaces the ciphertext with a modi-
fied ciphertext of the same length. The adversary's knowledge of the pad is
limited to the positions where M is known, so the other content of the message
must be left unchanged for it to remain valid. The decryption of the modified
ciphertext yields the modified plaintext, from which we can conclude that the
OTP does not provide message authentication.
Encryption using block ciphers Single-bit modifications of a ciphertext
still cause reasonably predictable changes in the plaintext. When using ECB
mode, flipping a bit in the i-th block of the ciphertext affects only the i-th
block of the plaintext – all other blocks remain unchanged. When using CBC
mode, flipping the j-th bit of the IV changes only the j-th bit of the first
message block m1 (since m1 = F_k^{-1}(c1) ⊕ IV', where IV' is the modified IV);
all plaintext blocks other than the first remain unchanged.
From the above, we can presume that if a scheme’s ciphertexts are easy
to manipulate (i.e., not CCA-secure; CCA-security means that modifying ci-
phertexts results in garbled or random message), encryption cannot provide
message authentication. Later it turns out that our presumption is right.
6.2 Message Authentication Code
Note that the aim of the message authentication code (MAC, interchangeably
used with message authentication scheme) is to prevent an adversary from
modifying a message sent by one party to another, without the parties detect-
ing that a modification has been made.
Definition 1 A message authentication code is a tuple of probabilistic
polynomial-time algorithms (Gen,Mac,Vrfy) such that
1. The key-generation algorithm Gen takes as input the security
parameter 1n and outputs a key k with |k| ≥ n.
2. The tag-generation algorithm Mac takes as input a key k and
a message m ∈ {0, 1}∗ , and outputs a message authentication code,
also called tag, t ← Mack (m).
3. The verification algorithm Vrfy takes as input a key k, a message
m and a tag t. It outputs a bit b = Vrfyk (m, t), with b = 1 meaning
valid and b = 0 meaning invalid.
Security of message authentication code The intuitive idea is that no
polynomial-time adversary should be able to generate a valid tag on any “new”
message that was not previously sent (and authenticated) by one of the com-
municating parties.
Chosen-message attack in the real world In Figure 6.2, an ATM card
contains a key K ← K also known to a bank, where MAC = (Gen, Mac, Vrfy)
is a message authentication code. An adversary transmits Alice’s identity to
the bank in order to be accepted under Alice’s name. A Trojan horse ATM
can mount a chosen-message attack to find the valid tag.
FIGURE 6.2
Authentication in ATM.
The message authentication experiment Mac-forge_{A,Π}(n)
1. A random key k is generated by running Gen(1^n).
2. The adversary A is given input 1^n and oracle access to Mac_k(·).
A eventually outputs a pair (m, t).
Let Q denote the set of all queries that A asked to its oracle.
3. The output of the experiment is defined to be 1
if and only if (1) Vrfy_k(m, t) = 1 and (2) m ∉ Q.
We define a message authentication code to be secure if no efficient adver-
sary can succeed in the above experiment with non-negligible probability.
Definition 2 A message authentication code Π = (Gen, Mac, Vrfy) is existen-
tially unforgeable under an adaptive chosen-message attack, or just
secure, if for all probabilistic polynomial-time adversaries A, there is a negli-
gible function negl such that
$$\Pr[\mathrm{Mac\text{-}forge}_{A,\Pi}(n) = 1] \le \mathrm{negl}(n). \quad (6.1)$$
A MAC satisfying above is said to be existentially unforgeable under an
adaptive chosen-message attack. “Existentially unforgeable” refers to the fact
that the adversary must not be able to forge a valid tag on any message1 and
“adaptive chosen-message attack” refers to the fact that the adversary is able
to obtain MAC tags on any messages it likes, where these messages may be
chosen adaptively during the attack.
Replay attack Suppose Alice transmits (M1 , T1 ) to a bank where M1 = “Pay
USD 100 to Bob.” An adversary captures (M1 , T1 ) and keeps re-transmitting
it to the bank. Then Bob gets USD 100, USD 200, USD 300, ... at each time.
Our notion, however, does not protect against such attacks since every time
a valid pair (M1 , T1 ) is presented to the verification algorithm, it will always
output 1. The decision as to whether or not a replayed message should be
treated as “valid” is considered to be entirely application-dependent.
Two common techniques for preventing replay attacks are
1. Time stamp
(a) A sender appends the current time to the message, and a re-
ceiver checks whether the included time stamp is within some
acceptable window of the current time.
(b) Both a sender and a receiver need to maintain closely synchro-
nized clocks.
(c) A replay attack is still possible as long as it is done quickly
(i.e., within the acceptable time window).
2. Sequence number
(a) A sender appends the MAC tag computed over m||i (i is a
sequence number) to the message and a receiver checks the
validity of the tag.
(b) The sender needs to assign a unique sequence number to each
message and the receiver keeps track of which sequence numbers
it has already seen.
(c) Both a sender and a receiver need to maintain sequence num-
bers.
1 It may not be chosen by the adversary. It may be a “garbage” message.
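Both techniques above, as an added Python example that is not code from the book: a sender and receiver that tag m||i with a sequence number and reject numbers already seen, and a time-stamp variant with an acceptance window. The MAC is assumed to be HMAC-SHA256; the names SeqSender, SeqReceiver, ts_send, ts_accept and replay_demo, the 30-second window and the sample message are choices made here.

```python
import hashlib
import hmac
import os
import time


def mac(k: bytes, m: bytes) -> bytes:
    # Mac_k: HMAC-SHA256, assumed to be a secure MAC for this example
    return hmac.new(k, m, hashlib.sha256).digest()


class SeqSender:
    """Technique 2: the tag is computed over m || i, with i a fresh sequence number."""

    def __init__(self, k: bytes):
        self.k, self.i = k, 0

    def send(self, m: bytes):
        self.i += 1
        i = self.i.to_bytes(8, "big")      # unique encoding of the sequence number
        return (m, i, mac(self.k, m + i))


class SeqReceiver:
    def __init__(self, k: bytes):
        self.k, self.seen = k, set()

    def accept(self, m: bytes, i: bytes, t: bytes) -> bool:
        if not hmac.compare_digest(mac(self.k, m + i), t):
            return False                   # modified or forged
        if i in self.seen:
            return False                   # replayed: this sequence number was used
        self.seen.add(i)
        return True


def ts_send(k: bytes, m: bytes, now: int):
    # Technique 1: append the current time; the receiver checks a window around it
    ts = now.to_bytes(8, "big")
    return (m, ts, mac(k, m + ts))


def ts_accept(k: bytes, m: bytes, ts: bytes, t: bytes, now: int, window: int = 30) -> bool:
    if not hmac.compare_digest(mac(k, m + ts), t):
        return False
    return abs(now - int.from_bytes(ts, "big")) <= window


def replay_demo():
    """Returns (fresh, replay, tampered, quick_ts_replay, late_ts_replay) acceptance."""
    k = os.urandom(32)
    sender, receiver = SeqSender(k), SeqReceiver(k)
    m, i, t = sender.send(b"Pay USD 100 to Bob.")      # constructed sample message
    fresh = receiver.accept(m, i, t)
    replay = receiver.accept(m, i, t)                   # the same (m, i, t) again
    tampered = receiver.accept(b"Pay USD 900 to Bob.", i, t)
    now = int(time.time())
    m2, ts, t2 = ts_send(k, b"Pay USD 100 to Bob.", now)
    quick = ts_accept(k, m2, ts, t2, now + 5)           # replayed inside the window
    late = ts_accept(k, m2, ts, t2, now + 3600)         # replayed an hour later
    return (fresh, replay, tampered, quick, late)
```

The time-stamp variant accepts the replay that arrives 5 seconds later, which is exactly the limitation noted in item 1(c); the sequence-number receiver rejects it regardless of timing, at the cost of the per-sender state in `seen`.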
6.3 Constructing Secure Message Authentication Code
We first show a general method for constructing a fixed length MAC from any
pseudorandom function. Then, we extend it into a variable length by breaking
the message into multiple blocks and including additional information in each
block to prevent attacks.
6.3.1 Fixed-Length MAC
Intuition If the MAC tag t is obtained by applying a pseudorandom function
to the message m, then forging a tag on a previously unauthenticated mes-
sage requires the adversary to guess the value of the pseudorandom function
at a “new” point (i.e., message). Now, the probability of guessing the value
of a random function on a new point is 2−n (when the output length of the
function is n). It follows that the probability of guessing such a value for a
pseudorandom function can be only negligibly greater.
Construction 1. A fixed-length MAC from any pseudorandom
function
1. Let F be a pseudorandom function.
2. Define a fixed-length MAC for messages of length n as follows.
(a) Gen: on input the security parameter 1n , choose k ← {0, 1}n
uniformly at random and outputs it as the key.
(b) Mac: on input a key k ∈ {0, 1}^n and a message m ∈ {0, 1}^n,
output the tag t = F_k(m) (If |m| ≠ |k|, then output nothing).
(c) Vrfy: on input a key k ∈ {0, 1}^n, a message m ∈ {0, 1}^n and a
tag t ∈ {0, 1}^n, output 1 if and only if t = F_k(m) (If |m| ≠ |k|,
then output 0).
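Construction 1 together with the experiment Mac-forge_{A,Π}(n) of Section 6.2, as an added Python example that is not code from the book. The pseudorandom function F is assumed to be HMAC-SHA256 truncated to n = 128 bits; MacForge, guessing_adversary, replaying_adversary and run are names chosen here. The two sample adversaries show the two ways the experiment outputs 0: a valid tag on a message that was queried (m ∈ Q), and a guessed tag on a new message.

```python
import hashlib
import hmac
import os

N = 16  # n = 128 bits; keys, messages and tags are all n bits long


def F(k: bytes, m: bytes) -> bytes:
    # Pseudorandom function F_k with n-bit output: HMAC-SHA256 truncated (assumed PRF)
    return hmac.new(k, m, hashlib.sha256).digest()[:N]


def gen() -> bytes:
    return os.urandom(N)                      # k <- {0,1}^n uniformly at random


def mac(k: bytes, m: bytes):
    if len(m) != len(k):
        return None                           # |m| != |k|: output nothing
    return F(k, m)                            # t = F_k(m)


def vrfy(k: bytes, m: bytes, t) -> int:
    if len(m) != len(k) or t is None:
        return 0
    return 1 if hmac.compare_digest(t, F(k, m)) else 0


class MacForge:
    """Mac-forge_{A,Pi}(n): a Mac_k oracle that records its queries in Q."""

    def __init__(self):
        self.k, self.Q = gen(), set()

    def oracle(self, m: bytes):
        self.Q.add(m)
        return mac(self.k, m)

    def outcome(self, m: bytes, t) -> int:
        # 1 iff Vrfy_k(m, t) = 1 and m was never queried
        return 1 if vrfy(self.k, m, t) == 1 and m not in self.Q else 0


def guessing_adversary(exp: MacForge):
    # Obtains a few tags, then guesses a tag on a new message: this succeeds
    # only by hitting F_k at a fresh point, probability about 2^{-n}.
    for _ in range(3):
        exp.oracle(os.urandom(N))
    return b"\x01" * N, os.urandom(N)


def replaying_adversary(exp: MacForge):
    # Outputs a genuinely valid pair, but m is in Q, so the experiment outputs 0
    m = b"\x02" * N
    return m, exp.oracle(m)


def run(adversary) -> int:
    exp = MacForge()
    m, t = adversary(exp)
    return exp.outcome(m, t)
```

Note the constant-time comparison in vrfy: the definition only requires t = F_k(m), but a byte-by-byte early-exit comparison would leak tag prefixes through timing, which the proof's model of Vrfy as a plain function does not account for.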
Theorem 1 If F is a pseudorandom function, then Construction 1 is a fixed-
length MAC for messages of length n that is existentially unforgeable under
an adaptive chosen-message attack.
Proof
Outline of the Proof The proof is based on the “proof by reduction” tech-
nique introduced earlier.
1. Define an alternate message authentication code (e.g., by replacing
pseudorandom function with random function).
2. Show that any attacker has at most negligible success probability
in breaking the original scheme.
Outline 1 We define a modified message authentication code $\tilde\Pi = (\widetilde{\mathrm{Gen}}, \widetilde{\mathrm{Mac}}, \widetilde{\mathrm{Vrfy}})$
that is exactly the same as Π = (Gen, Mac, Vrfy), except that a truly
random function f is used in place of the pseudorandom function F_k.
It is straightforward to see that
$$\Pr[\mathrm{Mac\text{-}forge}_{A,\tilde\Pi}(n) = 1] \le 2^{-n} \quad (6.2)$$
because for any message m ∉ Q, the value t = f(m) is uniformly distributed
in {0, 1}^n from A's viewpoint.
Outline 2 We show that any attacker has at most negligible success prob-
ability in breaking the original scheme as follows. Let A be a probabilistic
polynomial-time adversary with success probability ε(n) in breaking the orig-
inal scheme, defined as
$$\varepsilon(n) \stackrel{\mathrm{def}}{=} \Pr[\mathrm{Mac\text{-}forge}_{A,\Pi}(n) = 1]. \quad (6.3)$$
In order to show that ε(n) is negligible, we use A to construct a dis-
tinguisher D that is given oracle access to some function, whose goal is to
determine whether this function is "random" or "pseudorandom." To do
this, D emulates the message authentication experiment for A in the manner
described below and observes whether A succeeds in outputting a valid tag
on a “new” message or not. If A succeeds then D guesses that its oracle must
be a pseudorandom function, while if A does not succeed then D guesses that
its oracle must be a random function. D is given input 1n and accesses to an
oracle O : {0, 1}n → {0, 1}n and works as follows.
Distinguisher D
1. D has oracle access to O either a PRF or a RF.
2. D starts A.
3. while Query Phase do (repeat up to the number of messages)
4. A asks for a tag on mi .
5. Give ti = O(mi ) to A.
6. end while
7. A gives attempted forgery t∗ on m∗.
8. D outputs “1” if and only if (1) O(m∗) = t∗ and (2) A never queried
its MAC oracle on m∗ .
In analyzing D, let us consider the two possibilities for D's oracle as follows.
Case I: D's oracle is a PRF
The view of A when run as a sub-routine by D is distributed identically to
the view of A in the experiment Mac-forge_{A,Π}(n). Furthermore, D outputs
1 exactly when Mac-forge_{A,Π}(n) = 1. Thus
$$\Pr[D^{F_k(\cdot)}(1^n) = 1] = \Pr[\mathrm{Mac\text{-}forge}_{A,\Pi}(n) = 1] = \varepsilon(n), \quad (6.4)$$
where k ← {0, 1}^n is chosen uniformly at random in the above.
Case II: D's oracle is a RF
The view of A when run as a sub-routine by D is distributed identically to
the view of A in the experiment Mac-forge_{A,Π̃}(n). Furthermore, D outputs
1 exactly when Mac-forge_{A,Π̃}(n) = 1. Thus,
$$\Pr[D^{f(\cdot)}(1^n) = 1] = \Pr[\mathrm{Mac\text{-}forge}_{A,\tilde\Pi}(n) = 1] \le \frac{1}{2^n}, \quad (6.5)$$
where f ← Func_n is chosen uniformly at random in the above.
By combining Equations (6.4) and (6.5), we get
$$\left|\Pr[D^{F_k(\cdot)}(1^n) = 1] - \Pr[D^{f(\cdot)}(1^n) = 1]\right| \ge \varepsilon(n) - \frac{1}{2^n}. \quad (6.6)$$
By the assumption that F is a pseudorandom function, it follows that ε(n) − 1/2^n
must be negligible. Since this in turn implies that ε(n) is negligible, Π is ex-
istentially unforgeable under an adaptive chosen-message attack. □
6.3.2 Variable-Length MAC
Before constructing a secure variable-length MAC, we consider some examples
of insecure MACs and figure out what the problems are.
Some examples of insecure MACs
1. XOR all the blocks together and authenticate the result: Note that
E is a block cipher.
The message is first divided into blocks of a certain bit-length. Each
block is then encrypted separately using the block cipher, and the
results are XORed together to generate the tag. However, this scheme
is insecure, as the adversary's advantage can be calculated to equal 1.
Let x be an l-bit string and let the message be formed by concate-
nating x with itself, i.e., M = x||x. Encrypting this yields the same
ciphertext for both blocks, and XORing them results in the l-bit
string of all 0s. Hence, the adversary has created a legitimate tag
that can be verified, without knowledge of the key.
2. Authenticate each block separately: Compute ti = M ack (mi ) and
output ht1 , ..., td i as the tag. In this case, without knowledge of
the key k, the adversary can compute a valid tag htd , ..., t1 i on the
message md ,...,m1 by changing the order of the message blocks.
3. Authenticate each block along with a sequence number: Compute
ti = M ack (i||mi ) and output ht1 , ..., td i as the tag. This prevents
the re-ordering attack described above. However, the adversary can
compute a valid tag ht1 , ..., td−1 i on the message m1 ,...,md−1 by
dropping a block from the end of the message.
Construction 2. A variable-length MAC from any fixed-length MAC
Let Π′ = (Gen′, Mac′, Vrfy′) be a fixed-length MAC for messages of length
n. Define a MAC as follows.
1. Gen: this is identical to Gen′.
2. Mac: on input a key $k \in \{0,1\}^n$ and a message $m \in \{0,1\}^*$ of length
$\ell < 2^{n/4}$, parse m into d blocks $m_1, \ldots, m_d$, each of length n/4 (the
final block is padded with 0s if necessary). Next, choose a uniform
identifier $r \leftarrow \{0,1\}^{n/4}$.
For $i = 1, \ldots, d$, compute $t_i \leftarrow \mathrm{Mac}'_k(r \| \ell \| i \| m_i)$, where i and ℓ are
uniquely encoded as strings of length n/4. Finally, output the tag
$t = \langle r, t_1, \ldots, t_d \rangle$.
3. Vrfy: on input a key $k \in \{0,1\}^n$, a message $m \in \{0,1\}^*$ of length
$\ell < 2^{n/4}$ and a tag $t = \langle r, t_1, \ldots, t_{d'} \rangle$, parse m into d blocks
$m_1, \ldots, m_d$, each of length n/4 (the final block is padded with 0s if
necessary). Output 1 if and only if $d' = d$ and $\mathrm{Vrfy}'_k(r \| \ell \| i \| m_i, t_i) = 1$
for all $1 \le i \le d$.
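As an added example (not code from the book), the following Python implements Construction 2 on top of a fixed-length MAC and, alongside it, the insecure per-block and sequence-numbered schemes from the list above, so that the reordering and truncation forgeries can be run against them and then checked against Construction 2. HMAC-SHA256 standing in for the abstract fixed-length MAC Mac′, n = 256 bits, and the resulting 8-byte layout of r, ℓ, i and m_i are assumptions of the example; all keys, messages and identifiers are constructed inline.

```python
import hashlib
import hmac
import os

# Parameters assumed for this example: n = 256 bits, so Mac' takes exactly
# 32-byte inputs and each of r, l, i, m_i occupies n/4 = 8 bytes.
N_BYTES = 32
BLK = N_BYTES // 4
MAX_LEN = 1 << (8 * BLK)        # the message length l must satisfy l < 2^(n/4)


def mac_fixed(key: bytes, block: bytes) -> bytes:
    """Mac'_k: the fixed-length MAC on n-bit inputs. HMAC-SHA256 stands in
    for the abstract secure fixed-length MAC (assumption of this example)."""
    if len(block) != N_BYTES:
        raise ValueError("Mac' only accepts n-bit inputs")
    return hmac.new(key, block, hashlib.sha256).digest()


def parse_blocks(m: bytes) -> list:
    """Split m into d blocks of n/4 bytes, zero-padding the final block.
    An empty message is treated as a single all-zero block (assumption); the
    length field l carried in every block still distinguishes the two cases."""
    d = max(1, -(-len(m) // BLK))
    padded = m + b"\x00" * (d * BLK - len(m))
    return [padded[j * BLK:(j + 1) * BLK] for j in range(d)]


def enc_field(v: int) -> bytes:
    """Unique encoding of l and i as strings of length n/4."""
    return v.to_bytes(BLK, "big")


# Construction 2
def mac_var(key: bytes, m: bytes, r: bytes = None) -> tuple:
    if len(m) >= MAX_LEN:
        raise ValueError("message too long")
    r = os.urandom(BLK) if r is None else r       # random identifier r
    tags = [mac_fixed(key, r + enc_field(len(m)) + enc_field(i) + mi)
            for i, mi in enumerate(parse_blocks(m), start=1)]
    return (r, tags)


def vrfy_var(key: bytes, m: bytes, tag: tuple) -> bool:
    r, tags = tag
    blocks = parse_blocks(m)
    if len(tags) != len(blocks):                  # the d' = d check
        return False
    ok = True
    for i, (mi, ti) in enumerate(zip(blocks, tags), start=1):
        expected = mac_fixed(key, r + enc_field(len(m)) + enc_field(i) + mi)
        ok &= hmac.compare_digest(expected, ti)   # constant-time comparison
    return ok


# Insecure example 3: t_i = Mac'_k(i || m_i), no identifier and no length field.
def mac_seqnum(key: bytes, m: bytes) -> list:
    pad = b"\x00" * (N_BYTES - 2 * BLK)
    return [mac_fixed(key, enc_field(i) + mi + pad)
            for i, mi in enumerate(parse_blocks(m), start=1)]


def vrfy_seqnum(key: bytes, m: bytes, tags: list) -> bool:
    return tags == mac_seqnum(key, m)


def truncation_forgery(m: bytes, tags: list) -> tuple:
    """Attack on example 3: drop the last block and its tag. Needs no key."""
    return m[:-BLK], tags[:-1]


# Insecure example 2: t_i = Mac'_k(m_i), no position information at all.
def mac_perblock(key: bytes, m: bytes) -> list:
    pad = b"\x00" * (N_BYTES - BLK)
    return [mac_fixed(key, mi + pad) for mi in parse_blocks(m)]


def vrfy_perblock(key: bytes, m: bytes, tags: list) -> bool:
    return tags == mac_perblock(key, m)


def reorder_forgery(m: bytes, tags: list) -> tuple:
    """Attack on example 2: reverse the block order together with the tags."""
    return b"".join(reversed(parse_blocks(m))), list(reversed(tags))


if __name__ == "__main__":
    key = os.urandom(N_BYTES)
    m = bytes(range(24))                           # three full blocks
    t = mac_var(key, m)
    print("Construction 2 accepts its own tag:", vrfy_var(key, m, t))
    print("Construction 2 rejects truncation:",
          not vrfy_var(key, m[:-BLK], (t[0], t[1][:-1])))
    print("example 3 accepts truncation forgery:",
          vrfy_seqnum(key, *truncation_forgery(m, mac_seqnum(key, m))))
    print("example 2 accepts reorder forgery:",
          vrfy_perblock(key, *reorder_forgery(m, mac_perblock(key, m))))
```

Both forgeries need no key: they only rearrange or shorten data the adversary already holds. Construction 2 rejects the truncated message because ℓ, encoded into every block, changes, and rejects the reordered one because i does; the random r is what stops blocks authenticated in different queries from being mixed into one tag. vrfy_var compares every tag with hmac.compare_digest so that the comparison time does not reveal which block failed.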
Theorem 2 If Π′ is a secure fixed-length MAC for messages of length n, then
Construction 2 is a MAC that is existentially unforgeable under an adaptive
chosen-message attack.
Proof
Let Π denote the MAC in Construction 2 and let A be a probabilistic polynomial-
time adversary. We prove that $\Pr[\mathrm{Mac\text{-}forge}_{A,\Pi}(n) = 1]$ is negligible.
Let Repeat denote the event that the same message identifier r appears in two
of the tags returned by the MAC oracle.
Let Forge denote the event that A's final output contains a block $r \| \ell \| i \| m_i$
that was never authenticated by Mac′ in the course of answering A's Mac queries
(i.e., Forge is the event that A outputs a valid tag on a block that was never
authenticated by Mac′).
We have
$$\Pr[\mathrm{Mac\text{-}forge}_{A,\Pi}(n) = 1] = \Pr[\mathrm{Mac\text{-}forge}_{A,\Pi}(n) = 1 \wedge \mathrm{Repeat}]
+ \Pr[\mathrm{Mac\text{-}forge}_{A,\Pi}(n) = 1 \wedge \overline{\mathrm{Repeat}} \wedge \overline{\mathrm{Forge}}]
+ \Pr[\mathrm{Mac\text{-}forge}_{A,\Pi}(n) = 1 \wedge \overline{\mathrm{Repeat}} \wedge \mathrm{Forge}].$$
1. Let q(n) be the number of MAC oracle queries made by A. In the
i-th query, the oracle chooses $r_i$ uniformly from a set of size $2^{n/4}$. The
event Repeat occurs when $r_i = r_j$ for some $i \ne j$, so by the "birthday bound"
$$\Pr[\mathrm{Mac\text{-}forge}_{A,\Pi}(n) = 1 \wedge \mathrm{Repeat}] \le \Pr[\mathrm{Repeat}] \le \frac{q(n)^2}{2^{n/4}}. \qquad (6.7)$$
Since A makes only polynomially many queries, this probability is negligible.
2. Next we show that if $\mathrm{Mac\text{-}forge}_{A,\Pi}(n) = 1$ but Repeat did not occur,
then Forge must have occurred. That is,
$$\Pr[\mathrm{Mac\text{-}forge}_{A,\Pi}(n) = 1 \wedge \overline{\mathrm{Repeat}} \wedge \overline{\mathrm{Forge}}] = 0.$$
Let (m, t) be the final output of A (the attempted forgery), let ℓ be the
length of m and r the identifier in t. Parse m into d blocks, each of
length n/4, so that $t = \langle r, t_1, \ldots, t_d \rangle$. We consider two cases.
(a) Identifier r is different from all the identifiers used by the MAC
oracle. Then $(r \| \ell \| 1 \| m_1)$ was never previously authenticated by the
MAC oracle, so if $\mathrm{Mac\text{-}forge}_{A,\Pi}(n) = 1$ we have
$\mathrm{Vrfy}'_k(r \| \ell \| 1 \| m_1, t_1) = 1$ on a block that was never authenticated.
Thus Forge occurs.
(b) Identifier r was used in exactly one of the tags obtained by A from
the MAC oracle (exactly one, because Repeat did not occur).
Let (m′, t′) be the query-response pair in which identifier r occurs.
Since m was not among the queries, $m \ne m'$. Let ℓ′ denote the length
of m′. There are two subcases.
i. Case 1: $\ell \ne \ell'$.
The only oracle response that used identifier r carried the length value
ℓ′ ≠ ℓ in every one of its blocks, so $(r \| \ell \| 1 \| m_1)$ was never previously
authenticated by the MAC oracle. Thus Forge occurs.
ii. Case 2: $\ell = \ell'$.
In this case m and m′ have the same number of blocks. Since $m \ne m'$,
there exists an index i with $m_i \ne m'_i$, so $(r \| \ell \| i \| m_i)$ was never
previously authenticated by the MAC oracle. Thus Forge occurs.
3. It remains to show that
$$\Pr[\mathrm{Mac\text{-}forge}_{A,\Pi}(n) = 1 \wedge \overline{\mathrm{Repeat}} \wedge \mathrm{Forge}] \qquad (6.8)$$
is negligible.
We construct an adversary A′ attacking Π′. A′ runs A as a subroutine,
answering each Mac query of A by choosing the identifier r itself and obtaining
each $t_i$ from its own Mac′ oracle. When A outputs (m, t), A′ parses m and
looks for a block $r \| \ell \| i \| m_i$ that it never submitted to its Mac′ oracle.
If it finds one, A′ outputs $(r \| \ell \| i \| m_i, t_i)$ as its forgery; otherwise
A′ outputs nothing. Thus whenever
$\mathrm{Mac\text{-}forge}_{A,\Pi}(n) = 1 \wedge \overline{\mathrm{Repeat}} \wedge \mathrm{Forge}$
occurs, we have $\mathrm{Mac\text{-}forge}_{A',\Pi'}(n) = 1$. Since Π′ is assumed to be a
secure fixed-length MAC, $\Pr[\mathrm{Mac\text{-}forge}_{A',\Pi'}(n) = 1]$ is negligible, and
hence so is (6.8).
Thus
$$\Pr[\mathrm{Mac\text{-}forge}_{A,\Pi}(n) = 1] \le \frac{q(n)^2}{2^{n/4}} + \mathrm{negl}(n) \qquad (6.9)$$
is negligible. That is, Construction 2 is existentially unforgeable under an
adaptive chosen-message attack. □
6.4 CBC-MAC
The following CBC-MAC construction is similar to the CBC mode of encryption
and is widely used in practice; it produces a fixed-length tag for messages
much longer than a single block.
Construction 3. A CBC-MAC for fixed-length messages
Let F be a pseudorandom function and fix a length function ℓ. The basic
CBC-MAC construction is as follows.
1. Gen: on input $1^n$, choose $k \leftarrow \{0,1\}^n$ uniformly at random.
2. Mac: on input a key $k \in \{0,1\}^n$ and a message m of length $\ell(n) \cdot n$
(i.e., a multiple of n), do the following (we set $\ell = \ell(n)$ in what
follows).
(a) Parse m as $m = m_1, \ldots, m_\ell$, where each $m_i$ is of length n, and
set $t_0 = 0^n$.
(b) For i = 1 to ℓ, set $t_i = F_k(t_{i-1} \oplus m_i)$.
Output $t_\ell$ as the tag.
3. Vrfy: on input a key $k \in \{0,1\}^n$, a message m of length $\ell(n) \cdot n$ and
a tag t of length n, output 1 if and only if $t \overset{?}{=} \mathrm{Mac}_k(m)$.
Theorem 3 Let ℓ be a polynomial. If F is a pseudorandom function, then
Construction 3 is a fixed-length MAC for messages of length $\ell(n) \cdot n$ that is
existentially unforgeable under an adaptive chosen-message attack.
Proof is omitted.
Construction 3 is not secure when used to authenticate messages of
different lengths
Consider CBC-MAC, where the tag of the previous block is chained into the
computation of the next block. On the left side of Figure 6.3, CBC-MAC
first computes the tag $\mathrm{Tag}_A = F_k(A)$ for the one-block message A, then
XORs this value into the block B and applies $F_k$ again to obtain the tag
$\mathrm{Tag}_{AB} = F_k(\mathrm{Tag}_A \oplus B)$ for the two-block message AB. This is how
CBC-MAC behaves on messages of varying length. The right side of Figure 6.3
shows the attack: the adversary queries A and receives $\mathrm{Tag}_A$, then queries
the one-block message $\mathrm{Tag}_A \oplus B$ and receives
$F_k(\mathrm{Tag}_A \oplus B) = \mathrm{Tag}_{AB}$, a valid tag on the message AB that it never
queried. This is a valid forgery, so Construction 3 is insecure if it is used
to authenticate messages of varying lengths.
Construction 3 is not secure against splicing attack
Combining blocks of previously tagged messages into a new message whose
CBC-MAC can be predicted is known as the CBC-MAC splicing attack. When
used to authenticate messages of different lengths, Construction 3 is vulnerable
because the tag of the previous block is chained into the next block, which lets
the adversary produce a valid tag on a message spliced from earlier blocks. The
adversary takes a random one-block string x and obtains its tag $T_1 = F_k(x)$.
It then forms the two-block message $x \| (T_1 \oplus x)$, whose CBC-MAC is
$F_k(T_1 \oplus (T_1 \oplus x)) = F_k(x) = T_1$. Thus $T_1$, obtained from a single
query on x, is also a valid tag for the message $x \| (T_1 \oplus x)$.
FIGURE 6.3
Construction 3 is not secure for authentication of messages of varying length.
Secure CBC-MAC for variable-length messages Three possible options
that can be proven secure are
1. Apply the pseudorandom function (block cipher) to the length ℓ of
the input message in order to obtain a key $k_\ell$ (i.e., set $k_\ell = F_k(\ell)$).
Then compute the basic CBC-MAC using the key $k_\ell$.
2. Prepend the message with its length |m| (encoded as an n-bit string)
and then compute the basic CBC-MAC on the resulting message
(see Figure 6.4).
3. Apply two different keys $k_{in}, k_{out}$: first compute the basic CBC-MAC
$t = \mathrm{CBC\text{-}MAC}_{k_{in}}(m)$ of the message m and then output the tag
$\hat{t} = F_{k_{out}}(t)$. An example is ECBC-MAC (see Figure 6.5).
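The chaining attack, the splicing attack, and secure options 2 and 3 above, as an added example that is not part of the book: the Python below uses an HMAC-based PRF in place of a block cipher (an assumption; AES would play the role of $F_k$ in practice), runs the two-query forgery of Figure 6.3 and the splicing attack against basic CBC-MAC, and then runs the same two-query forgery against the length-prefixed and ECBC variants, which reject it. Keys and the blocks A, B are constructed inline.

```python
import hashlib
import hmac
import os

N = 16   # block length in bytes (n = 128 bits), assumed for this example


def prf(key: bytes, x: bytes) -> bytes:
    """F_k: an n-bit-to-n-bit pseudorandom function. HMAC-SHA256 truncated to
    n bytes stands in for a block cipher such as AES (assumption); the attacks
    below depend only on the CBC chaining, not on the choice of F."""
    if len(x) != N:
        raise ValueError("F_k takes exactly one n-bit block")
    return hmac.new(key, x, hashlib.sha256).digest()[:N]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def cbc_mac(key: bytes, m: bytes) -> bytes:
    """Construction 3: t_0 = 0^n, t_i = F_k(t_{i-1} xor m_i), output t_l."""
    if len(m) == 0 or len(m) % N:
        raise ValueError("message length must be a positive multiple of n")
    t = bytes(N)
    for i in range(0, len(m), N):
        t = prf(key, xor(t, m[i:i + N]))
    return t


def forge_varying_length(tag_oracle, a: bytes, b: bytes) -> tuple:
    """The attack of Figure 6.3 for one-block A and B, using two tag queries.
    Tag_A = F_k(A); querying the one-block message Tag_A xor B returns
    F_k(Tag_A xor B), which is exactly the basic CBC-MAC of A || B."""
    tag_a = tag_oracle(a)                 # query 1: A
    tag_ab = tag_oracle(xor(tag_a, b))    # query 2: Tag_A xor B
    return a + b, tag_ab                  # (A || B, Tag_AB): never queried


def splice(tag_oracle, x: bytes) -> tuple:
    """The splicing attack: with T1 = Mac_k(x), the two-block message
    x || (T1 xor x) also has tag T1, since F_k(T1 xor T1 xor x) = F_k(x)."""
    t1 = tag_oracle(x)
    return x + xor(t1, x), t1


# Secure option 2: prepend the message length (in blocks) as an n-bit string.
def cbc_mac_lenprefix(key: bytes, m: bytes) -> bytes:
    length_block = (len(m) // N).to_bytes(N, "big")
    return cbc_mac(key, length_block + m)


# Secure option 3 (ECBC-MAC): basic CBC-MAC under k_in, then F under k_out.
def ecbc_mac(keys: tuple, m: bytes) -> bytes:
    k_in, k_out = keys
    return prf(k_out, cbc_mac(k_in, m))


def vrfy(mac_fn, key, m: bytes, tag: bytes) -> bool:
    """Canonical verification: recompute the tag and compare in constant time."""
    return hmac.compare_digest(mac_fn(key, m), tag)


if __name__ == "__main__":
    k = os.urandom(N)
    a, b = os.urandom(N), os.urandom(N)
    fm, ft = forge_varying_length(lambda msg: cbc_mac(k, msg), a, b)
    print("basic CBC-MAC accepts the forgery:", vrfy(cbc_mac, k, fm, ft))
    fm, ft = forge_varying_length(lambda msg: cbc_mac_lenprefix(k, msg), a, b)
    print("length-prefixed CBC-MAC accepts it:", vrfy(cbc_mac_lenprefix, k, fm, ft))
    keys = (os.urandom(N), os.urandom(N))
    fm, ft = forge_varying_length(lambda msg: ecbc_mac(keys, msg), a, b)
    print("ECBC-MAC accepts it:", vrfy(ecbc_mac, keys, fm, ft))
```

Only the chaining structure matters: the forger never learns k and never evaluates F itself, it just asks the oracle for the tag of $\mathrm{Tag}_A \oplus B$. The length prefix defeats the attack because the first value fed to $F_k$ now depends on the total number of blocks, so tags of one-block and two-block messages no longer share intermediate values; ECBC defeats it because the inner chaining value $\mathrm{Tag}_A$ is never exposed, only $F_{k_{out}}(\mathrm{Tag}_A)$ is.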
6.5 Obtaining Encryption and Message Authentication
Intuition We are interested in how to guarantee data encryption and authen-
tication at the same time.
FIGURE 6.4
A secure CBC-MAC for authenticating arbitrary-length messages of three
blocks, m = m1 m2 m3 by prepending the message length.
FIGURE 6.5
A secure CBC-MAC for authenticating arbitrary-length messages by applying
two keys.
The unforgeable encryption experiment Enc-Forge$_{A,\Pi}(n)$
1. Run Gen($1^n$) to obtain a key k.
2. The adversary A is given input $1^n$ and access to an encryption oracle
$\mathrm{Enc}_k(\cdot)$. The adversary outputs a ciphertext c.
3. Let $m = \mathrm{Dec}_k(c)$ and let Q denote the set of all queries that A asked
its encryption oracle. The output of the experiment is 1 if and only
if (1) $m \ne \bot$ and (2) $m \notin Q$.
Definition 3 A private-key encryption scheme Π is unforgeable if and only
if for all probabilistic polynomial-time adversaries A, there is a negligible
function negl such that
$$\Pr[\mathrm{Enc\text{-}Forge}_{A,\Pi}(n) = 1] \le \mathrm{negl}(n). \qquad (6.10)$$
Definition 4 A private-key encryption scheme Π is an authenticated en-
cryption scheme if it is CCA-secure and unforgeable.
Three approaches for combining encryption and authentication are as fol-
lows.
1. Encrypt-and-authenticate: Encryption and message authentica-
tion are computed independently in parallel. This is not IND-CCA
secure.
2. Authenticate-then-encrypt: Here a MAC tag t is first computed,
and then the message and tag are encrypted together. This is not
IND-CCA secure.
3. Encrypt-then-authenticate: The message m is first encrypted
and then a MAC tag is computed over the result.
The following section shows that the combined scheme derived by applying
the encrypt-then-authenticate approach is secure.
6.5.1 Constructing CCA-Secure Encryption Schemes Using
MAC
Intuition To achieve a CCA-secure encryption scheme, we must not allow an
adversary to produce a new valid ciphertext by manipulating one it has seen.
To prevent this kind of manipulation, we apply a message authentication code
to the ciphertext. The following shows that this idea is sound.
Construction 4. A CCA-secure private-key encryption scheme
Let $\Pi_E = (\mathrm{Gen}_E, \mathrm{Enc}, \mathrm{Dec})$ be a private-key encryption scheme and let
$\Pi_M = (\mathrm{Gen}_M, \mathrm{Mac}, \mathrm{Vrfy})$ be a message authentication code. Define an
encryption scheme $\Pi' = (\mathrm{Gen}', \mathrm{Enc}', \mathrm{Dec}')$ as follows.
1. Gen′: on input $1^n$, run $\mathrm{Gen}_E(1^n)$ and $\mathrm{Gen}_M(1^n)$ to obtain independent
keys $k_1, k_2$, respectively.
2. Enc′: on input a key $(k_1, k_2)$ and a plaintext message m, compute
$c \leftarrow \mathrm{Enc}_{k_1}(m)$ and $t \leftarrow \mathrm{Mac}_{k_2}(c)$. Output the ciphertext $\langle c, t \rangle$.
3. Dec′: on input a key $(k_1, k_2)$ and a ciphertext $\langle c, t \rangle$, first check
whether $\mathrm{Vrfy}_{k_2}(c, t) \overset{?}{=} 1$. If yes, then output $\mathrm{Dec}_{k_1}(c)$; if no, then
output ⊥.
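Construction 4 as an added example in Python (not the book's code): counter mode driven by an HMAC-based PRF stands in for a CPA-secure Enc (an assumption; any CPA-secure cipher would do), HMAC-SHA256 is the MAC, and count_accepted_bitflips plays the role of a CCA adversary's decryption oracle by flipping every bit of $\langle c, t \rangle$ in turn and counting how often Dec′ returns anything other than ⊥. Keys and plaintexts are constructed inline.

```python
import hashlib
import hmac
import os

IV_LEN = 16
TAG_LEN = 32


def _prf(key: bytes, x: bytes) -> bytes:
    return hmac.new(key, x, hashlib.sha256).digest()


def _keystream_xor(k1: bytes, iv: bytes, data: bytes) -> bytes:
    """Counter-mode keystream F_k1(iv || ctr) XORed onto data."""
    nblocks = -(-len(data) // TAG_LEN)
    stream = b"".join(_prf(k1, iv + ctr.to_bytes(4, "big")) for ctr in range(nblocks))
    return bytes(x ^ s for x, s in zip(data, stream))


# Pi_E: a CPA-secure scheme. Randomized counter mode driven by the PRF above
# stands in for, e.g., AES-CTR (assumption of this example).
def enc(k1: bytes, m: bytes) -> bytes:
    iv = os.urandom(IV_LEN)
    return iv + _keystream_xor(k1, iv, m)


def dec(k1: bytes, c: bytes) -> bytes:
    return _keystream_xor(k1, c[:IV_LEN], c[IV_LEN:])


# Pi_M: HMAC-SHA256 as the MAC; its tags are unique per (key, message).
def mac(k2: bytes, c: bytes) -> bytes:
    return _prf(k2, c)


# Construction 4: Gen', Enc', Dec'
def gen_prime() -> tuple:
    return os.urandom(32), os.urandom(32)           # independent k1 and k2


def enc_prime(keys: tuple, m: bytes) -> bytes:
    k1, k2 = keys
    c = enc(k1, m)
    return c + mac(k2, c)                            # <c, t>; t covers the IV as well


def dec_prime(keys: tuple, ct: bytes):
    k1, k2 = keys
    if len(ct) < IV_LEN + TAG_LEN:
        return None                                  # ⊥
    c, t = ct[:-TAG_LEN], ct[-TAG_LEN:]
    if not hmac.compare_digest(mac(k2, c), t):      # Vrfy first, in constant time
        return None                                  # ⊥: k1 is never touched
    return dec(k1, c)


def count_accepted_bitflips(keys: tuple, ct: bytes) -> int:
    """Flip each bit of <c, t> in turn and count how many modified ciphertexts
    Dec' still accepts. For an authenticated encryption scheme this is 0, which
    is exactly why the decryption oracle is useless to a CCA adversary."""
    accepted = 0
    for pos in range(len(ct) * 8):
        flipped = bytearray(ct)
        flipped[pos // 8] ^= 1 << (pos % 8)
        if dec_prime(keys, bytes(flipped)) is not None:
            accepted += 1
    return accepted


if __name__ == "__main__":
    keys = gen_prime()
    ct = enc_prime(keys, b"attack at dawn")
    print(dec_prime(keys, ct), count_accepted_bitflips(keys, ct))
```

Two details of the construction matter in practice and are reflected here: Dec′ verifies the tag before the decryption key $k_1$ is used at all, with a constant-time comparison, and the tag is computed over the entire ciphertext including the IV, so no part of $\langle c, t \rangle$ is malleable. The keys $k_1$ and $k_2$ are generated independently, as Gen′ requires.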
Theorem 4 If $\Pi_E$ is a CPA-secure private-key encryption scheme and $\Pi_M$
is a secure message authentication code with unique tags, then Construction
4 is an authenticated encryption scheme.
We provide two different versions of the security proof. The first proves
that the scheme is CCA-secure directly, by using the adversary A to build two
adversaries $A_{mac}$ (attacking $\Pi_M$) and $A_{enc}$ (attacking $\Pi_E$). The second
proves that the scheme is CCA-secure by a hybrid proof technique (an
intermediate game, DecryptListGame, is placed between the CCA and CPA games).
First Proof
Intuition Since $\Pi_M = (\mathrm{Gen}_M, \mathrm{Mac}, \mathrm{Vrfy})$ is a secure message authentication
code with unique tags, the decryption oracle is useless to the adversary: it
returns ⊥ on every query except ciphertexts the adversary previously obtained
from its encryption oracle, whose plaintexts the adversary already knows.
Therefore the security of the scheme $\Pi' = (\mathrm{Gen}', \mathrm{Enc}', \mathrm{Dec}')$ reduces to the
CPA-security of $\Pi_E$. So we prove that if the CCA scheme is not secure, then
neither is the underlying CPA-secure scheme $\Pi_E$.
Let A be any probabilistic polynomial-time CCA adversary attacking scheme Π′.
Let Valid-Query denote the event that, in the experiment $\mathrm{PrivK}^{\mathrm{cca}}_{A,\Pi'}(n)$,
A submits to the decryption oracle a query (c, t) that was not obtained from the
encryption oracle and that does not result in ⊥ (that is, A submits a new query
(c, t) to the oracle Dec′ with $\mathrm{Vrfy}_{k_2}(c, t) = 1$). We have
$$\Pr[\mathrm{PrivK}^{\mathrm{cca}}_{A,\Pi'}(n) = 1] \le \Pr[\mathrm{Valid\text{-}Query}] + \Pr[\mathrm{PrivK}^{\mathrm{cca}}_{A,\Pi'}(n) = 1 \wedge \overline{\mathrm{Valid\text{-}Query}}].$$
We need to prove the following two claims.
1. Pr[Valid-Query] is negligible.
2. $\Pr[\mathrm{PrivK}^{\mathrm{cca}}_{A,\Pi'}(n) = 1 \wedge \overline{\mathrm{Valid\text{-}Query}}] \le \frac{1}{2} + \mathrm{negl}(n)$.
For the first claim, observe that if the decryption oracle does not return ⊥
on (c, t), then t is a valid MAC tag for c. Thus if (c, t) was not obtained by
querying the encryption oracle, A must have forged a MAC. Formally, we show
that if Pr[Valid-Query] is non-negligible, then we can construct an adversary
$A_{mac}$ that breaks the MAC as follows.
The adversary $A_{mac}$, interacting in $\mathrm{Mac\text{-}Forge}_{A_{mac},\Pi_M}(n)$, chooses a
uniform key $k_1$ for Enc and a uniform index i from $\{1, \ldots, q(n)\}$, where q(n)
bounds the number of decryption queries A makes. $A_{mac}$ then simulates the
encryption and decryption oracles for A. When A queries the encryption oracle
with m, $A_{mac}$ computes $c = \mathrm{Enc}_{k_1}(m)$, requests a tag t on c from its own
Mac oracle, and returns the pair (c, t) to A. For every decryption query (c, t)
from A other than the i-th, $A_{mac}$ first checks whether (c, t) was generated in
answer to an earlier encryption query. If yes, $A_{mac}$ returns the plaintext m
that A queried when (c, t) was generated; if not, $A_{mac}$ returns ⊥. For the
i-th decryption query (c, t), $A_{mac}$ outputs (c, t) as its MAC forgery and stops.
If Valid-Query occurs and i is the index of the first decryption query on which
it occurs, then all of $A_{mac}$'s earlier ⊥ answers were correct and (c, t) is a
valid tag on a ciphertext c that was never submitted to the Mac oracle, so
$\mathrm{Mac\text{-}Forge}_{A_{mac},\Pi_M}(n) = 1$. Since the guess of i is independent of A's
view,
$$\Pr[\mathrm{Mac\text{-}Forge}_{A_{mac},\Pi_M}(n) = 1] \ge \Pr[\mathrm{Mac\text{-}Forge}_{A_{mac},\Pi_M}(n) = 1 \mid \mathrm{Valid\text{-}Query}] \cdot \Pr[\mathrm{Valid\text{-}Query}] \ge \frac{\Pr[\mathrm{Valid\text{-}Query}]}{q(n)}.$$
Because $\Pi_M$ is a secure MAC, $A_{mac}$ succeeds in Mac-Forge with at most
negligible probability; since q(n) is polynomial, $\Pr[\mathrm{Valid\text{-}Query}] \le q(n) \cdot \mathrm{negl}(n)$
is negligible.
For the second claim, we use A to construct $A_{enc}$ for the CPA experiment
with $\Pi_E$. $A_{enc}$ chooses a uniform key $k_2$ and invokes A. Whenever A asks
an encryption query m, $A_{enc}$ queries its own encryption oracle with m, receives
back some c, computes $t = \mathrm{Mac}_{k_2}(c)$, and hands A the pair (c, t). Whenever A
asks a decryption query (c, t), $A_{enc}$ checks whether (c, t) was generated in a
previous encryption query. If yes, $A_{enc}$ hands A the value m that was queried
when (c, t) was generated; if not, $A_{enc}$ hands A the response ⊥. When
Valid-Query does not occur, this simulation is perfect, so the success of
$A_{enc}$ equals the success of A in that case:
$$\Pr[\mathrm{PrivK}^{\mathrm{cpa}}_{A_{enc},\Pi_E}(n) = 1 \wedge \overline{\mathrm{Valid\text{-}Query}}] = \Pr[\mathrm{PrivK}^{\mathrm{cca}}_{A,\Pi'}(n) = 1 \wedge \overline{\mathrm{Valid\text{-}Query}}].$$
This implies
$$\Pr[\mathrm{PrivK}^{\mathrm{cca}}_{A,\Pi'}(n) = 1 \wedge \overline{\mathrm{Valid\text{-}Query}}] \le \Pr[\mathrm{PrivK}^{\mathrm{cpa}}_{A_{enc},\Pi_E}(n) = 1].$$
Since $\Pi_E$ is a CPA-secure scheme, we have
$$\Pr[\mathrm{PrivK}^{\mathrm{cca}}_{A,\Pi'}(n) = 1 \wedge \overline{\mathrm{Valid\text{-}Query}}] \le \frac{1}{2} + \mathrm{negl}(n).$$
Combining the two claims above, we conclude that
$$\Pr[\mathrm{PrivK}^{\mathrm{cca}}_{A,\Pi'}(n) = 1] \le \frac{1}{2} + \mathrm{negl}(n) + \mathrm{negl}'(n),$$
that is, the scheme Π′ is CCA-secure. □
Second Proof
Recall that the system was defined as follows.
1. Gen′: let $K' = (K_E, K_M)$.
2. $\mathrm{EncMac}'(K', M)$: $C = (c_1 = \mathrm{Enc}(K_E, M),\; c_2 = \mathrm{MAC}(K_M, c_1))$.
3. $\mathrm{Vrfy}'(K_M, C)$: $\mathrm{Vrfy}(K_M, c_1, c_2)$.
4. $\mathrm{Dec}'(K', C)$: if $\mathrm{Vrfy}'(K_M, C) = 1$ output $m = \mathrm{Dec}(K_E, c_1)$, else ⊥.
In order to prove that the scheme is secure, we give our proof using a hybrid
proof technique.
Intuition To prove CCA security, we introduce DecryptListGame, which
involves both the CPA-secure encryption scheme and the secure MAC.
First, we show that
$$\bigl|\Pr[A^{\mathrm{CCA}}_{\mathrm{success}}] - \Pr[A^{\mathrm{DecryptListGame}}_{\mathrm{success}}]\bigr| = \varepsilon.$$
Next, to show that $\varepsilon = \mathrm{negl}(n)$, we express the probability of breaking
the MAC in DecryptListGame in terms of ε. Since we assume that the MAC is
secure, it follows that $\varepsilon = \mathrm{negl}(n)$. Therefore,
$$\bigl|\Pr[A^{\mathrm{CCA}}_{\mathrm{success}}] - \Pr[A^{\mathrm{DecryptListGame}}_{\mathrm{success}}]\bigr| = \mathrm{negl}(n).$$
The detailed argument is given in the lemma below.
For the following reasons, we also have
$$\Pr[A^{\mathrm{DecryptListGame}}_{\mathrm{success}}] = \Pr[A^{\mathrm{CPA}}_{\mathrm{success}}].$$
The difference between DecryptListGame and the CPA game is the presence of
a decryption phase and of the MAC. The MAC introduces no difference: the tag
$c_2$ is computed under the independent key $K_M$ from the ciphertext $c_1$ that
the attacker already sees, so a CPA attacker can generate the same tags itself.
The difference in the decryption phase is removed because DecryptListGame
only answers decryption queries on ciphertexts made by the simulator: whenever
the simulator produces a ciphertext, it stores the ciphertext together with its
corresponding message in advance, so every decryption query is answered from
that list without any use of the decryption key. Hence the decryption phase
gives the attacker nothing beyond the CPA game, and the two games are
equivalent. Therefore,
$$\bigl|\Pr[A^{\mathrm{CCA}}_{\mathrm{success}}] - \Pr[A^{\mathrm{CPA}}_{\mathrm{success}}]\bigr|
\le \bigl|\Pr[A^{\mathrm{CCA}}_{\mathrm{success}}] - \Pr[A^{\mathrm{DecryptListGame}}_{\mathrm{success}}]\bigr|
+ \bigl|\Pr[A^{\mathrm{DecryptListGame}}_{\mathrm{success}}] - \Pr[A^{\mathrm{CPA}}_{\mathrm{success}}]\bigr|
= \mathrm{negl}(n) + 0 = \mathrm{negl}(n).$$
DecryptListGame
This game will define a different notion of security that is specific to our
encryption scheme and we will show that it is related to IND-CCA security
in our proof. The game is defined as follows. The semantic view is shown in
Figure 6.6.
1. Challenger runs Gen0 .
2. (Query Phase I) For each query Mi to the encryption oracle, return
the ciphertext Ci = (ci,1 , ci,2 ) and add (Mi , ci,1 ) to a list.
FIGURE 6.6
Semantic view of DecryptListGame (Challenger on the left, Attacker on the right).
Challenger: $k_1, k_2 \leftarrow \mathrm{Gen}'(1^n)$
(Query Phase I)
Attacker → Challenger: $M_i$
Challenger → Attacker: $C_i = (c_{i,1}, c_{i,2})$; the Challenger adds $(M_i, c_{i,1})$ to List
Attacker → Challenger: $C_i = (c_{i,1}, c_{i,2})$
Challenger → Attacker: $M_i$ if $c_{i,1}$ is in List, else ⊥
(Challenge Phase)
Attacker → Challenger: $m_0, m_1$
Challenger → Attacker: $C^* = \mathrm{EncMac}'(K', m_b)$
(Query Phase II: as Phase I, with decryption queries restricted to $C_i \ne C^*$)
Attacker → Challenger: $b'$
3. (Query Phase I) For each query $C_i = (c_{i,1}, c_{i,2})$ to the decryption
oracle, if $c_{i,1}$ is on the list and $C_i$ verifies, return the corresponding
$M_i$; else return ⊥.
4. (Challenge Phase) The attacker produces two messages m0 and
m1 . The challenger returns the challenge ciphertext C ∗ =
EncM ac0 (K 0 , mb ).
5. (Query Phase II) The same as Query Phase I except it cannot query
the decryption oracle on C ∗ .
6. The attacker outputs b0 .
In this new game, the attacker can only make useful decryption queries on
ciphertexts that it already received from the challenger. Hence it should be at
least as hard to break this game as the CCA game [2]. However, we want to show
that if the MAC scheme is secure, then it is not any easier to break the CCA
game than DecryptListGame. Once we have shown this, we will argue that
DecryptListGame is close to the IND-CPA security game, since the decryption
oracle is essentially useless.
Lemma 1 If the MAC scheme is secure, then for any efficient algorithm A,
$$\Pr[A^{\mathrm{CCA}}_{\mathrm{success}}] - \Pr[A^{\mathrm{DecryptListGame}}_{\mathrm{success}}] = \mathrm{negl}(n).$$
Proof
Suppose that there exists an efficient algorithm A such that
$$\Pr[A^{\mathrm{CCA}}_{\mathrm{success}}] - \Pr[A^{\mathrm{DecryptListGame}}_{\mathrm{success}}] = \varepsilon.$$
Then there exists an algorithm B whose advantage in the MAC game is ε/Q,
where Q is the number of decryption queries made by A. Let "new" be the event
that some decryption query $(c_{i,1}, c_{i,2})$ verifies although $c_{i,1}$ is not on the
list of ciphertexts produced by encryption queries, and let $\overline{\mathrm{new}}$ be the
event that every verified decryption query was made by the simulator. For the
CCA game,
$$\Pr[A^{\mathrm{CCA}}_{\mathrm{success}}] = \Pr[A^{\mathrm{CCA}}_{\mathrm{success}} \mid \mathrm{new}] \Pr[\mathrm{new}] + \Pr[A^{\mathrm{CCA}}_{\mathrm{success}} \mid \overline{\mathrm{new}}] \Pr[\overline{\mathrm{new}}].$$
Likewise, for DecryptListGame,
$$\Pr[A^{\mathrm{DecryptListGame}}_{\mathrm{success}}] = \Pr[A^{\mathrm{DecryptListGame}}_{\mathrm{success}} \mid \mathrm{new}] \Pr[\mathrm{new}] + \Pr[A^{\mathrm{DecryptListGame}}_{\mathrm{success}} \mid \overline{\mathrm{new}}] \Pr[\overline{\mathrm{new}}].$$
However, the games are identical when $\overline{\mathrm{new}}$ occurs [3], so
$$\Pr[A^{\mathrm{CCA}}_{\mathrm{success}} \mid \overline{\mathrm{new}}] = \Pr[A^{\mathrm{DecryptListGame}}_{\mathrm{success}} \mid \overline{\mathrm{new}}],$$
and of course $\Pr[\overline{\mathrm{new}}]$ does not change. So when we subtract the two
values from each other, the second term of each cancels, and we get [4]
$$\varepsilon = \bigl(\Pr[A^{\mathrm{CCA}}_{\mathrm{success}} \mid \mathrm{new}] - \Pr[A^{\mathrm{DecryptListGame}}_{\mathrm{success}} \mid \mathrm{new}]\bigr) \Pr[\mathrm{new}] \le 1 \cdot \Pr[\mathrm{new}].$$
[2] The simulator in DecryptListGame only produces ciphertexts that it can
decrypt itself (from its list), so the attacker gains no advantage from
submitting ciphertexts in the decryption phase.
[3] When $\overline{\mathrm{new}}$ occurs, the CCA game and DecryptListGame behave in the
same way: every ciphertext that decrypts was made by the simulator, so the two
success probabilities coincide.
[4] Here $\Pr[A^{\mathrm{DecryptListGame}}_{\mathrm{success}} \mid \mathrm{new}]$ is zero because
DecryptListGame never answers a "new" query, and
$0 \le \Pr[A^{\mathrm{CCA}}_{\mathrm{success}} \mid \mathrm{new}] \le 1$ because a probability lies in [0, 1] by
definition. Therefore the difference of the two conditional probabilities is at
most 1.
So $\Pr[\mathrm{new}] \ge \varepsilon$. Now we define an algorithm B that breaks the MAC
scheme with probability at least ε/Q. The algorithm is as follows.
Algorithm B
1. B is given oracle access to Mac and Verify under an unknown MAC key, and
generates its own encryption key $K_E = \mathrm{Gen}_E()$.
2. B runs A.
3. For an encryption query M, B responds with
$C = (c_1 = \mathrm{Enc}(K_E, M),\; c_2 = \mathrm{OracleMAC}(c_1))$ and records $c_1$ on its list.
4. For a decryption query $(c_1, c_2)$, B calls $\mathrm{VerifyOracle}(c_1, c_2)$.
5. If at any point a decryption query verifies and $c_1$ is not on the list, B
returns $(c_1, c_2)$ as its forgery.
6. Otherwise, if $\mathrm{VerifyOracle}(c_1, c_2)$ = FALSE, B returns ⊥; else B returns
$\mathrm{Dec}(K_E, c_1)$.
Now we analyze B and show that it succeeds with the non-negligible probability
ε/Q.
Case 0: the decryption query does not verify. B returns ⊥, exactly as the
challenger in both games would, so this query gives the adversary no advantage
and contributes nothing to a forgery.
Case 1: the query verifies but $c_1$ is on the list. Then C was produced by B
itself in answer to an encryption query. Since the adversary cannot turn such a
ciphertext into a valid ciphertext for a new message, this is not a forgery.
Case 2: the query verifies and $c_1$ is not on the list, so B can use it as a
forgery. This is exactly the event new, which has probability at least ε. B
submits a single one of A's Q decryption queries to the oracle as its forgery,
so charging the event to that one query gives probability at least ε/Q.
Considering these cases, B succeeds with probability at least ε/Q. □
7 Hash Function
CONTENTS
7.1 Definitions 88
7.1.1 Collision Resistance 88
7.1.2 Weaker Notions of Security 89
7.2 Design of Collision-Resistant Hash Functions 90
7.2.1 Compression Function Proved Secure Under the Discrete Log Assumption 90
7.2.2 Compression Functions Based on Secure Block Ciphers 92
7.2.3 Proprietary Compression Functions 92
7.3 The Merkle-Damgard Transform 93
7.4 Generic Attacks on Hash Functions 95
7.4.1 Birthday Attacks for Finding Collisions 95
7.4.2 Small-Space Birthday Attacks 96
7.5 Message Authentication Using Hash Functions 96
7.5.1 Hash-and-MAC 96
7.5.2 HMAC 97
7.6 Applications of Hash Function 98
7.6.1 Fingerprinting and Deduplication 99
7.6.2 Merkle Trees 99
7.6.3 Password Hashing 100
7.6.4 Key Derivation 101
7.6.5 Commitment Schemes 101
Exercises 102
This chapter begins with an introduction to hash functions, which take inputs
of arbitrary length and compress them into short, fixed-length outputs. The
security properties of a hash function, i.e., collision resistance and the weaker
notions of second-preimage and preimage resistance, are discussed. The next
section shows how to design a collision-resistant hash function, which generally
takes two steps: a compression function followed by the Merkle-Damgard
transform. The security of the compression function, with a security proof by
reduction, is presented. Subsequently, the Merkle-Damgard transform, which
extends a fixed-length compression function to inputs of arbitrary length, is
discussed. The next section covers the most common generic attacks on hash
functions. Message authentication using hash functions, including the
"hash-and-MAC" approach and HMAC, is then discussed. The final part of the
chapter presents applications of hash functions.
7.1 Definitions
Hash functions are simply functions that take inputs of arbitrary length and
compress them into short, fixed-length outputs. The classic use of hash func-
tions is in data structures, where they can be used to build hash tables that
enable O(1) lookup time when storing a set of elements.
A “good” hash function H for this purpose is one that yields few collisions,
where a collision is a pair of distinct items x and x0 for which H(x) = H(x0 );
in this case, we also say that x and x0 collide.
In the context of data structures, we design hash functions to keep collisions
rare, since collisions are what increase the lookup time of the hash table. In
the context of cryptography, in contrast, we are faced with an adversary who may
select elements with the explicit goal of causing collisions. Collision-resistant
hash functions are therefore pursued in cryptography for security rather than
for performance.
7.1.1 Collision Resistance
Informally, a function H is collision resistant if it is infeasible for any prob-
abilistic polynomial-time algorithm to find a collision in H. We will only be
interested in hash functions whose domain is larger than their range, therefore
collisions must exist, but such collisions should be hard to find.
Formally, we consider keyed hash functions. That is, H is a two-input
function that takes as input a key s (generated by Gen and, unlike a MAC key,
not kept secret) and a string x, and outputs a string
$H^s(x) \overset{\mathrm{def}}{=} H(s, x)$.
Definition 1 A hash function (with output length ℓ) is a pair of probabilistic
polynomial-time algorithms (Gen, H) satisfying the following.
1. Gen is a probabilistic algorithm which takes as input a security
parameter $1^n$ and outputs a key s. We assume that $1^n$ is implicit in s.
2. H takes as input a key s and a string $x \in \{0,1\}^*$, and outputs
a string $H^s(x) \in \{0,1\}^{\ell(n)}$ (where n is the value of the security
parameter implicit in s).
If $H^s$ is defined only for inputs $x \in \{0,1\}^{\ell'(n)}$ and $\ell'(n) > \ell(n)$, then we say
that (Gen, H) is a fixed-length hash function for inputs of length ℓ′. In this
case, we also call H a compression function. Now we proceed to define an
experiment for a hash function in order to define its security.
The collision-finding experiment Hash-coll$_{A,\Pi}(n)$
1. A key s is generated by running Gen($1^n$).
2. The adversary A is given s and outputs x, x′. (If Π is a fixed-length
hash function for inputs of length ℓ′(n), then we require
$x, x' \in \{0,1\}^{\ell'(n)}$.)
3. The output of the experiment is defined to be 1 if and only if $x \ne x'$
and $H^s(x) = H^s(x')$. In such a case we say that A has found a
collision.
The definition of collision resistance states that no efficient adversary can
find a collision in the above experiment except with negligible probability.
Definition 2 A hash function Π = (Gen, H) is collision resistant if and
only if for all probabilistic polynomial-time adversaries A, there is a negligible
function negl such that
$$\Pr[\mathrm{Hash\text{-}coll}_{A,\Pi}(n) = 1] \le \mathrm{negl}(n). \qquad (7.1)$$
Notwithstanding the above definition, the cryptographic hash functions used in
the real world (which are unkeyed) are treated as collision resistant for all
practical purposes: colliding pairs must exist, since the domain is larger than
the range, but none are known and finding one is believed to be computationally
infeasible.
7.1.2 Weaker Notions of Security
In some applications, it suffices to rely on security requirements weaker than
collision resistance. These include
1. Second-preimage or target-collision resistance: Informally, a hash
function is second-preimage resistant if, given s and a uniform x, it is
infeasible for a PPT adversary to find $x' \ne x$ such that $H^s(x') = H^s(x)$.
2. Preimage resistance or one-wayness: Informally, a hash function is
preimage resistant if, given s and $y = H^s(x)$ for a uniform x (note that
x itself is not given), it is infeasible for a PPT adversary to find a
value x′ such that $H^s(x') = y$.
Note that collision resistance is the strongest notion; second-preimage
resistance and preimage resistance come next, in that order. Any hash function
that is collision resistant is also second-preimage resistant. Likewise, any
hash function that is second-preimage resistant is also preimage resistant
(for compressing hash functions, where the domain is larger than the range).
The converse directions, however, do not hold: second-preimage resistance does
not imply collision resistance, and preimage resistance does not imply
second-preimage resistance.
7.2 Design of Collision-Resistant Hash Functions
Most hash functions are generally constructed in two steps. First, a compres-
sion function (i.e., a fixed-length hash function) h is designed; next, some
mechanism (e.g., the Merkle-Damgard transform explained later) is used to
extend h so as to handle arbitrary input lengths.
7.2.1 Compression Function Proved Secure Under the Discrete Log Assumption
Now we consider a construction which is less efficient than the hash functions
(e.g., the MD and SHA families) built from dedicated compression functions, but
which illustrates the feasibility of achieving collision resistance based on
standard, well-studied number-theoretic assumptions.
Let $\mathcal{G}$ be a polynomial-time algorithm that, on input $1^n$, outputs a
(description of a) cyclic group G, its order q (with $\|q\| = n$), and a generator g.
Here we also require that q is prime, except possibly with negligible probability.
A fixed-length hash function based on $\mathcal{G}$ is given in Construction 1.
Construction 1. A fixed-length hash function
Let $\mathcal{G}$ be as described above. Define a fixed-length hash function (Gen, H)
as follows.
1. Gen: on input $1^n$, run $\mathcal{G}(1^n)$ to obtain (G, q, g) and then select a
uniform $h \in G$. Output $s = \langle G, q, g, h \rangle$ as the key.
2. H: given a key $s = \langle G, q, g, h \rangle$ and input $(x_1, x_2) \in \mathbb{Z}_q \times \mathbb{Z}_q$, output
$H^s(x_1, x_2) = g^{x_1} h^{x_2} \in G$.
Theorem 1 If the discrete-logarithm problem is hard, then Construction 1 is
a fixed-length collision-resistant hash function.
Proof
Outline of the Proof The proof uses the "proof by reduction" technique
introduced earlier: we reduce the discrete-log problem to the collision-finding
problem. This means that finding a collision is at least as hard as solving the
discrete-log (DL) problem, which is believed to be hard.
We show that the existence of a collision-finding adversary A implies the
existence of a DL solver B, by constructing B from any hypothetical A: B
converts a DL challenge into a collision-finding challenge, feeds that challenge
to A, and converts A's collision into a solution to the DL challenge.
Reduction algorithm B
1. B accepts a DL challenge (G, q, g, h) with $h = g^a$.
2. B starts A and gives the key $K = (G, q, g, h)$ to A.
3. B takes A's output: $m_0 = (x_a, x_b)$ and $m_1 = (y_a, y_b)$, claimed to
collide in $H_K$.
4. If $H_K(m_0) = H_K(m_1)$ and $m_0 \ne m_1$ (i.e., A was successful), continue;
else fail and quit.
5. B computes and returns $a = (x_a - y_a)(y_b - x_b)^{-1} \bmod q$ as the solution
to the DL challenge.
1. Correctness Whenever A outputs a collision, B returns the correct
answer $\log_g h$, as follows.
Suppose A outputs a collision $(m_0, m_1)$ for H. In that case, B does not
abort. Since $(m_0, m_1)$ is a collision for H, we know that
$$H(m_0) = g^{x_a} h^{x_b} = g^{y_a} h^{y_b} = H(m_1),$$
and therefore $g^{x_a - y_a} = h^{y_b - x_b} = g^{a(y_b - x_b)}$, i.e.,
$x_a - y_a \equiv a(y_b - x_b) \pmod q$. Suppose, for the moment, that $y_b = x_b$;
then $x_a = y_a$, which is impossible because $(m_0, m_1)$ is a collision.
Therefore $y_b \ne x_b$, and since q is prime B can compute $(y_b - x_b)^{-1} \bmod q$
and output $a = (x_a - y_a)(y_b - x_b)^{-1} \bmod q$, the correct answer to the DL
problem.
2. Non-negligible advantage A succeeds with advantage ε, and we just
showed that B succeeds whenever A succeeds, so B's advantage is at least ε,
which is non-negligible.
3. Polynomial running time Steps 1–5 can be done in polynomial time
(Steps 1 and 2 take constant time; Step 3 takes polynomial time because A
runs in polynomial time; Step 4 requires two evaluations of $H_K$, i.e., four
exponentiations, which can be done in polynomial time; Step 5 requires a
couple of subtractions, a modular inverse computation, and a multiplication,
all of which can be done in polynomial time).
Here is a schematic of the reduction algorithm B, written as the exchange between B and the adversary A.
Algorithm B receives the DL challenge (G, p, g, h) with $h = g^a$.
B → A: the key K = (G, p, g, h).
A → B: $m_0 = (x_a, x_b)$ and $m_1 = (y_a, y_b)$.
B: if $H_K(m_0) = H_K(m_1)$ and $m_0 \neq m_1$, compute $a = (x_a - y_a)(y_b - x_b)^{-1}$ and output a as the solution of the DL challenge; else fail and quit.
In the above, we showed that using A's non-negligible advantage we can construct a polynomial-time algorithm that solves the DL problem, which contradicts the well-known assumption that the discrete-log problem is hard. ∎
Note that the proof technique shown in Theorem 1 is a little bit different
from others in the sense that it does not require any alternate scheme, but is
based on a supposedly hard problem.
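The following Python program is an added illustration of Construction 1 and of the reduction in the proof of Theorem 1; it is not code from the book. It uses a constructed toy group (the subgroup of order q = 11 generated by g = 2 in $\mathbb{Z}_{23}^*$, far too small for real use) so that every step can be checked by hand. The "adversary" is simulated by a function that knows the discrete log a and uses it to produce a collision, which is exactly the equivalence the theorem expresses: anyone who can collide $H^s$ can recover a, and anyone who knows a can collide. The function names (gen, hash_s, collide_knowing_dlog, reduction_B) are this example's own.

```python
import secrets

# Constructed toy parameters (far too small for real use): p = 23 is prime,
# q = 11 divides p - 1, and g = 2 generates the subgroup of order q in Z_23^*.
P, Q, G = 23, 11, 2


def gen(a=None):
    """Gen: output the key s = (G, q, g, h) with h uniform in the group.
    h is produced as g^a so the demo can later check B's answer; in the real
    construction nobody knows a.  Returns (key, a)."""
    if a is None:
        a = 1 + secrets.randbelow(Q - 1)          # uniform in {1, ..., q-1}
    return (P, Q, G, pow(G, a, P)), a


def hash_s(key, x1, x2):
    """H^s(x1, x2) = g^x1 * h^x2 in G, for (x1, x2) in Z_q x Z_q."""
    p, q, g, h = key
    return (pow(g, x1 % q, p) * pow(h, x2 % q, p)) % p


def collide_knowing_dlog(key, a, x1, x2, d):
    """A 'successful adversary' for the demo: anyone who knows a = log_g h can
    collide, because g^x1 h^x2 = g^(x1 + a*x2), so (x1 + a*d, x2 - d) hashes
    to the same value for any d != 0 mod q."""
    p, q, g, h = key
    m0 = (x1 % q, x2 % q)
    m1 = ((x1 + a * d) % q, (x2 - d) % q)
    return m0, m1


def reduction_B(key, m0, m1):
    """Steps 4-5 of the reduction: turn an H^s-collision into log_g h.
    Returns None when A's output is not a genuine collision (B fails and quits)."""
    p, q, g, h = key
    if m0 == m1 or hash_s(key, *m0) != hash_s(key, *m1):
        return None
    xa, xb = m0
    ya, yb = m1
    # yb != xb is guaranteed for a genuine collision (see Correctness), so the
    # inverse modulo q exists; pow(v, -1, q) needs Python 3.8+.
    inv = pow((yb - xb) % q, -1, q)
    return ((xa - ya) * inv) % q


if __name__ == "__main__":
    key, a = gen()
    m0, m1 = collide_knowing_dlog(key, a, x1=3, x2=5, d=2)
    print("collision:", m0, m1, hash_s(key, *m0) == hash_s(key, *m1))
    print("B recovers a:", reduction_B(key, m0, m1) == a)
```

With a = 7 the key is (23, 11, 2, 13), the pair (3, 5) and (6, 3) both hash to 9, and reduction_B returns 7; any pair that is not a genuine collision makes B quit with None, matching Step 4.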
7.2.2 Compression Functions Based on Secure Block Ciphers
One of the most common designs is the Davies–Meyer construction. Let F be a block cipher with n-bit key length and l-bit block length. We can then define the compression function $h : \{0,1\}^{n+l} \to \{0,1\}^l$ by $h(k, x) \stackrel{\text{def}}{=} F_k(x) \oplus x$.
We can prove collision resistance of the resulting compression function based only on the assumption that F is a strong pseudorandom permutation.
Theorem 2 If F is modeled as an ideal cipher, then the Davies–Meyer construction yields a collision-resistant compression function.
Proof is omitted.
7.2.3 Proprietary Compression Functions
MD5 [89] is a hash function with a 128-bit output length, designed in 1991. In 2004 a team of Chinese cryptanalysts successfully presented a new method for finding collisions in MD5. It is strongly recommended that MD5 should not be used any more. The Secure Hash Algorithm (SHA) refers to a series of cryptographic hash functions standardized by NIST (National Institute of Standards and Technology). Perhaps the most well known of these is SHA-1 [41] with a 160-bit output length, which was introduced in 1995. An explicit collision has yet to be found in SHA-1. However, collisions in SHA-1 can be found theoretically using significantly fewer than the $2^{80}$ hash function evaluations that would be necessary using a birthday attack, and it is conjectured that a collision will be found soon. It is therefore recommended to migrate to SHA-2 [51], which does not currently appear to have the same weaknesses. In the aftermath of the theoretical weaknesses found in SHA-1, NIST announced in late 2007 a public competition to design a new cryptographic hash function to be called SHA-3 [40]. In October 2012, NIST announced the selection of Keccak as the winner of the competition.
7.3 The Merkle-Damgard Transform
Hash functions are often constructed by first designing a collision-resistant
compression function handling fixed-length inputs, and then using domain
extension to handle arbitrary-length inputs.
The Merkle-Damgard transform is a common approach for extending a compression function to a full-fledged hash function while maintaining the collision-resistance property of the former. Thanks to it, when designing collision-resistant hash functions we can restrict our attention to the fixed-length case. It is extensively used in practice for hash functions including MD5 and the SHA family (see Figure 7.1).
Construction 2. The Merkle-Damgard transform
Let h be a fixed-length hash function for inputs of length 2n and with output length n. Construct hash function H as follows.
1. Gen: remains unchanged.
2. H: on input a key s and a string $x \in \{0,1\}^*$ of length $L < 2^n$, do the following:
(a) Set $B = \lceil L/n \rceil$ (i.e., the number of blocks in x). Pad x with zeros so its length is a multiple of n. Parse the padded result as the sequence of n-bit blocks $x_1, \ldots, x_B$. Set $x_{B+1} = L$, where L is encoded as an n-bit string.
(b) Set $z_0 = 0^n$ (this is also called the IV; any value can be used instead of $0^n$).
(c) For $i = 1, \ldots, B+1$, compute $z_i = h^s(z_{i-1} \| x_i)$.
(d) Output $z_{B+1}$.
FIGURE 7.1
The Merkle-Damgard transform.
Theorem 3 If (Gen, h) is collision resistant, then so is (Gen, H).
Proof
Outline of the Proof We prove the contrapositive of the theorem, which is easier to show: if H is not collision-resistant, then h is not collision-resistant. In other words, it suffices to assume that $H_k$ is not collision-resistant and to reach the statement that $h_k$ is not collision-resistant. There are two cases to consider: the two colliding messages have either different lengths or the same length. In each case, we trace the chains backwards to find an h-collision.
Case 1: When the messages are of different lengths:
Write $\ell_2$ and $\ell_1$ for the (different) lengths of $M_1$ and $M_2$; in this example $M_1$ is two blocks long and $M_2$ one block long. The last step in the computation of $H_k(M_1)$ is $v_1[3] = h_k(v_1[2] \| \ell_2)$, whose input we call $x_1$. Similarly, the last step in the computation of $H_k(M_2)$ is $v_2[2] = h_k(v_2[1] \| \ell_1)$, whose input we call $x_2$. Suppose a collision happens in $H_k$, i.e., $H_k(M_1) = H_k(M_2)$ but $M_1 \neq M_2$. It follows that $h_k(v_1[2] \| \ell_2)$ and $h_k(v_2[1] \| \ell_1)$ are equal. However, since $\ell_1 \neq \ell_2$, $x_1$ and $x_2$ are two different strings that collide under $h_k$, which proves that $h_k$ is not collision-resistant.
Case 2: When the messages are of the same length:
Now consider the case in which the messages have the same length $\ell_2$. Let $v_1[i]$ and $v_2[i]$ be the intermediate hash values of $M_1$ and $M_2$ during the computation of $H_k(M_1)$ and $H_k(M_2)$. Suppose a collision happens in $H_k$, i.e., $H_k(M_1) = H_k(M_2)$ but $M_1 \neq M_2$, which means that there must be at least one index i such that $M_1[i] \neq M_2[i]$. Starting from the last step, the procedure forms $x_1 = \ell_2 \| v_1[2]$ and $x_2 = \ell_2 \| v_2[2]$. If $x_1$ and $x_2$ are not equal, then $(x_1, x_2)$ is returned as a collision for $h_k$, which proves that $h_k$ is not collision-resistant. Otherwise, it moves back to the previous block and repeats, until it returns the inputs built from $(M_1[i], M_2[i])$ as a collision for $h_k$, which also proves that $h_k$ is not collision-resistant.
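The following Python program is an added example (not the book's code) of Construction 2 and of the backward walk in the proof of Theorem 3. The compression function is assumed, for the demonstration, to be truncated SHA-256 over the 2N-byte input (standing in for $h^s$); a second, deliberately weak compression function (plain XOR of the two halves, constructed only for this demo) is provided so that an H-collision can actually be produced and the reduction h_collision_from_H_collision can be seen extracting an h-collision from it. Block length is measured in bytes here, and the function names are this example's own.

```python
import hashlib

N = 8  # block length in bytes (the construction's n, measured in bytes here)


def h_sha(z: bytes, x: bytes) -> bytes:
    """Fixed-length compression function h: 2N bytes -> N bytes, built here from
    truncated SHA-256.  Stands in for the keyed h^s of Construction 2."""
    assert len(z) == N and len(x) == N
    return hashlib.sha256(z + x).digest()[:N]


def h_xor(z: bytes, x: bytes) -> bytes:
    """Deliberately weak compression function (constructed for this demo only):
    collisions are trivial, which lets us exercise the proof of Theorem 3."""
    return bytes(a ^ b for a, b in zip(z, x))


def md_blocks(x: bytes) -> list:
    """Step (a): zero-pad, split into N-byte blocks x_1..x_B, append x_{B+1} = L."""
    L = len(x)
    B = -(-L // N)                               # ceil(L / N)
    padded = x + b"\x00" * (B * N - L)
    blocks = [padded[i * N:(i + 1) * N] for i in range(B)]
    blocks.append(L.to_bytes(N, "big"))          # length block, N-byte encoding
    return blocks


def md_chain(h, x: bytes) -> list:
    """Steps (b)-(c): z_0 = 0^n, z_i = h(z_{i-1} || x_i).  Returns [z_0, ..., z_{B+1}]."""
    z = [b"\x00" * N]
    for xi in md_blocks(x):
        z.append(h(z[-1], xi))
    return z


def md_hash(h, x: bytes) -> bytes:
    """Step (d): H(x) = z_{B+1}."""
    return md_chain(h, x)[-1]


def h_collision_from_H_collision(h, m1: bytes, m2: bytes):
    """The reduction in the proof of Theorem 3: given m1 != m2 with H(m1) == H(m2),
    walk both chains backwards and return two distinct 2N-byte inputs of h that
    hash to the same value."""
    assert m1 != m2 and md_hash(h, m1) == md_hash(h, m2)
    z1, z2 = md_chain(h, m1), md_chain(h, m2)
    b1, b2 = md_blocks(m1), md_blocks(m2)
    # Case 1: different lengths -> the final h-inputs already differ in the length block.
    if len(m1) != len(m2):
        return z1[-2] + b1[-1], z2[-2] + b2[-1]
    # Case 2: same length -> step back until the inputs to h differ (their outputs
    # are equal by the invariant that z1[i] == z2[i] for every step not yet passed).
    for i in range(len(b1), 0, -1):
        in1, in2 = z1[i - 1] + b1[i - 1], z2[i - 1] + b2[i - 1]
        if in1 != in2:
            return in1, in2
    raise AssertionError("unreachable: m1 != m2 means some block differs")
```

With the XOR compression function, swapping two blocks (Case 2) or choosing a second block that cancels the different length encoding (Case 1) gives an H-collision, and the walk returns two distinct inputs on which h_xor agrees; with h_sha the transform behaves as a hash, distinguishing b"ab" from b"ab\x00" because the length block differs.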
7.4 Generic Attacks on Hash Functions
The following attacks are generic in the sense that they apply to arbitrary
hash functions.
7.4.1 Birthday Attacks for Finding Collisions
A birthday attack is a type of cryptographic attack that exploits the mathe-
matics behind the birthday problem in probability theory. Let us assume that
we have a class of N students including Alice (Figure 7.2).
FIGURE 7.2
Birthday attack.
1. What is the minimum value of N such that at least one person has the same birthday as Alice (that is, how large should N be so that the probability that someone's birthday is the same as Alice's is greater than 1/2)? The probability that any selected person has a birthday different from Alice's is $\frac{364}{365}$; the probability that N persons all have birthdays different from Alice's is $(\frac{364}{365})^N$; therefore, the probability that at least one of the N persons has the same birthday as Alice is $1 - (\frac{364}{365})^N$; setting $1 - (\frac{364}{365})^N = \frac{1}{2}$ results in N = 253.
2. What is the minimum value of N such that at least two persons have the same birthday (that is, how large should N be so that the probability that at least two persons share a birthday is greater than 1/2)? Let us first consider the event that all the persons have different birthdays. The probability that the first person has some birthday is $\frac{365}{365}$; the probability that the second person has a birthday different from the first is $\frac{365}{365} \cdot \frac{364}{365}$; the probability that the last person has a birthday different from those of the previous N − 1 persons is $\frac{365}{365} \cdot \frac{364}{365} \cdots \frac{365-(N-1)}{365}$; therefore, the probability that at least two persons have the same birthday is $1 - \frac{365}{365} \cdot \frac{364}{365} \cdots \frac{365-(N-1)}{365}$, which results in N = 23 when set to $\frac{1}{2}$.
Note that finding a collision is simply a matter of evaluating a hash function on different input values, chosen randomly or pseudorandomly, until the same result appears more than once. Because of the birthday problem, this method can be rather efficient, as the following subsection shows.
7.4.2 Small-Space Birthday Attacks
The birthday attacks described above require a large amount of memory. A better birthday attack with drastically reduced memory requirements is known as the improved birthday attack. The attack begins by choosing a random value $x_0$ and then computing $x_i = H(x_{i-1})$ and $x_{2i} = H(H(x_{2(i-1)}))$ for $i \geq 1$. In each step, the values $x_i$ and $x_{2i}$ are compared; if they are equal then there is a collision somewhere in the sequence $x_0, x_1, \ldots, x_{2i-1}$.
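The Python program below is an added example for Sections 7.4.1 and 7.4.2 together; it is not code from the book. It computes the two birthday probabilities exactly as derived above, then runs both collision searches against a constructed 24-bit toy hash (the first three bytes of SHA-256, chosen so that a collision appears after roughly $2^{12}$ evaluations and the memory difference between the two attacks is visible). The small-space search keeps only $x_i$ and $x_{2i}$; once they meet, the standard second phase of Floyd's cycle-finding method (one pointer restarted at $x_0$, both advanced one step at a time) locates the actual pair of distinct preimages, and the rare case in which $x_0$ itself lies on the cycle is handled by restarting. Function names are this example's own.

```python
import hashlib
import secrets

OUT_BYTES = 3   # constructed toy: a 24-bit digest, so ~2^12 evaluations find a collision


def birthday_with_alice(N: int, days: int = 365) -> float:
    """P(at least one of N others shares Alice's birthday) = 1 - (364/365)^N."""
    return 1 - ((days - 1) / days) ** N


def birthday_any_pair(N: int, days: int = 365) -> float:
    """P(some pair among N people shares a birthday) = 1 - prod_{i<N} (365-i)/365."""
    all_distinct = 1.0
    for i in range(N):
        all_distinct *= (days - i) / days
    return 1 - all_distinct


def smallest_n(prob, threshold: float = 0.5) -> int:
    """Smallest N for which prob(N) exceeds the threshold (253 and 23 in the text)."""
    N = 1
    while prob(N) <= threshold:
        N += 1
    return N


def toy_hash(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()[:OUT_BYTES]


def table_birthday_collision(h=toy_hash, max_tries: int = 1 << 20):
    """7.4.1: hash distinct inputs and remember every digest until one repeats.
    Memory grows with the number of evaluations.  Returns (x, y, evaluations)."""
    seen = {}
    for i in range(max_tries):
        x = i.to_bytes(4, "big")                  # distinct, deterministic inputs
        d = h(x)
        if d in seen:
            return seen[d], x, i + 1
        seen[d] = x
    return None


def small_space_collision(h=toy_hash, x0=None):
    """7.4.2: keep only x_i and x_{2i}; when they meet, a collision lies in the
    sequence, and the standard second phase (one pointer restarted at x_0) locates it."""
    while True:
        start = x0 if x0 is not None else secrets.token_bytes(OUT_BYTES)
        x0 = None                                 # any retry uses a fresh start
        slow, fast = h(start), h(h(start))        # x_1 and x_2
        while slow != fast:                       # compare x_i with x_{2i}
            slow, fast = h(slow), h(h(fast))
        x, y = start, slow
        while h(x) != h(y):                       # advance until the next values agree
            x, y = h(x), h(y)
        if x != y:                                # distinct preimages of one digest
            return x, y
        # x_0 itself lay on the cycle, so x == y: no usable collision, try again
```

Both searches return a pair of distinct inputs with equal toy digests; the table version stores thousands of entries, while the small-space version holds only a handful of values at any moment, which is the whole point of Section 7.4.2.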
7.5 Message Authentication Using Hash Functions
In the previous chapter, we presented two constructions of message authen-
tication codes. The first approach was generic, but inefficient. The second
was CBC-MAC. Here we see another approach called “Hash-and-MAC” [65]
that relies on collision-resistant hashing along with any message authentica-
tion code. We then discuss a standardized and widely used construction called
HMAC that can be viewed as a specific instantiation of this approach.
7.5.1 Hash-and-MAC
First, an arbitrarily long message m is hashed down to a fixed-length string
H s (m) using a collision-resistant hash function. Then, a (fixed-length) MAC
is applied to the result.
Construction 3. The hash-and-MAC paradigm
Let Π = (Gen, Mac, Vrfy) be a MAC for messages of length ℓ(n) and let $\Pi_H = (\mathrm{Gen}_H, H)$ be a hash function with output length ℓ(n). Construct a MAC $\Pi' = (\mathrm{Gen}', \mathrm{Mac}', \mathrm{Vrfy}')$ for arbitrary-length messages as follows.
1. Gen′: on input $1^n$, run Gen to obtain $k \in \{0,1\}^n$ and run $\mathrm{Gen}_H(1^n)$ to obtain s; the key is $k' = \langle k, s \rangle$.
2. Mac′: on input a key ⟨k, s⟩ and a message $m \in \{0,1\}^*$, output $t \leftarrow \mathrm{Mac}_k(H^s(m))$.
3. Vrfy′: on input a key ⟨k, s⟩, a message $m \in \{0,1\}^*$ and a MAC tag t, output 1 if and only if $\mathrm{Vrfy}_k(H^s(m), t) \stackrel{?}{=} 1$.
Theorem 4 If Π is a secure MAC for messages of length l and ΠH is collision
resistant, then Construction 3 is a secure MAC for arbitrary-length messages.
Proof is omitted.
7.5.2 HMAC
Is it possible to construct a secure MAC (for arbitrary-length messages) based directly on a hash function? A first thought might be to define $\mathrm{Mac}_k(m) = H(k \| m)$. A MAC designed in this way, however, is completely insecure. Instead, we can try using two layers of hashing, called HMAC.
Construction 4. HMAC
Let $(\mathrm{Gen}_H, H)$ be a hash function constructed by applying the Merkle-Damgard transform to a compression function $(\mathrm{Gen}_H, h)$ taking inputs of length $n + n'$. Let opad and ipad be fixed constants of length $n'$. HMAC defines a MAC as follows.
1. Gen: on input $1^n$, run $\mathrm{Gen}_H(1^n)$ to obtain a key s. Also choose uniform $k \in \{0,1\}^{n'}$. Output the key ⟨s, k⟩.
2. Mac: on input a key ⟨s, k⟩ and a message $m \in \{0,1\}^*$, output $t = H^s\big((k \oplus \mathrm{opad}) \| H^s((k \oplus \mathrm{ipad}) \| m)\big)$.
3. Vrfy: on input a key ⟨s, k⟩, a message $m \in \{0,1\}^*$, and a tag t, output 1 if and only if $t \stackrel{?}{=} H^s\big((k \oplus \mathrm{opad}) \| H^s((k \oplus \mathrm{ipad}) \| m)\big)$.
The HMAC block size is 64 bytes (the same as SHA and MD5); ipad is the byte 0x36 repeated 64 times and opad is the byte 0x5C repeated 64 times:
1. Append zeros to the end of the key k to create a 64 byte string.
2. XOR (bitwise exclusive-OR) the 64 byte string computed in Step
(1) with ipad.
3. Append the data stream to the 64 byte string resulting from Step
(2).
4. Apply the hash H to the stream generated in Step (3).
5. XOR (bitwise exclusive-OR) the 64 byte string computed in Step
(1) with opad.
6. Append the hash result from Step (4) to the 64 byte string resulting
from Step (5).
7. Apply the hash H to the stream generated in Step (6) and output
the result.
Theorem 5 If the underlying hash function H meets a certain kind of weak
collision-freeness and some limited unpredictability in Construction 4, then
HMAC is a secure MAC for arbitrary-length messages.
Proof is omitted.
HMAC in practice HMAC is an industry standard and widely used in prac-
tice (SSL/TLS, SSH, IPSec, FIPS 198, IEEE 802.11, IEEE 802.11b, etc.). It is
highly efficient and easy to implement, and is supported by a proof of security
based on assumptions that are believed to hold for practical hash functions.
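As an added example (not the book's or any standard's reference code), the Python program below implements Steps 1–7 of the HMAC description above literally, with H instantiated as SHA-256 (SHA-1 also works, since both share the 64-byte block size), and checks the result against the standard library's hmac module. One detail the seven steps leave implicit is included because the steps otherwise cannot apply: a key longer than one block is first hashed down to a digest, which is the rule FIPS 198 and RFC 2104 prescribe. Tag comparison uses hmac.compare_digest so that verification time does not depend on how many leading bytes of a forged tag happen to be right. Function names are this example's own.

```python
import hashlib
import hmac

BLOCK = 64                      # HMAC block size for SHA-256, SHA-1 and MD5
IPAD = bytes([0x36]) * BLOCK    # Step 2 constant
OPAD = bytes([0x5C]) * BLOCK    # Step 5 constant


def hmac_from_steps(key: bytes, data: bytes, H=hashlib.sha256) -> bytes:
    """HMAC built directly from Steps 1-7 of the text, with H = SHA-256 by default."""
    if len(key) > BLOCK:
        # Keys longer than one block are first hashed down (FIPS 198 / RFC 2104 rule,
        # not spelled out in the seven steps but needed for Step 1 to apply).
        key = H(key).digest()
    k0 = key + b"\x00" * (BLOCK - len(key))              # Step 1: zero-pad to 64 bytes
    inner_key = bytes(a ^ b for a, b in zip(k0, IPAD))   # Step 2: k0 XOR ipad
    inner = H(inner_key + data).digest()                 # Steps 3-4: H((k^ipad) || m)
    outer_key = bytes(a ^ b for a, b in zip(k0, OPAD))   # Step 5: k0 XOR opad
    return H(outer_key + inner).digest()                 # Steps 6-7: H((k^opad) || inner)


def reference_hmac(key: bytes, data: bytes, H=hashlib.sha256) -> bytes:
    """The standard library's HMAC, used only to cross-check the step-by-step version."""
    return hmac.new(key, data, H).digest()


def verify_tag(key: bytes, data: bytes, tag: bytes) -> bool:
    """Vrfy: recompute the tag and compare in constant time (no early exit on the
    first differing byte, so timing does not reveal how much of a tag was right)."""
    return hmac.compare_digest(hmac_from_steps(key, data), tag)


if __name__ == "__main__":
    k, m = b"constructed demo key", b"message to authenticate"
    t = hmac_from_steps(k, m)
    print(t.hex(), verify_tag(k, m, t), verify_tag(k, m + b"!", t))
```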
7.6 Applications of Hash Function
Hash functions are among the most widely applied cryptographic primitives in computer science and networking, including computer security and cryptography.
7.6.1 Fingerprinting and Deduplication
When using a collision-resistant hash function H, the hash (or digest) of a file serves as a unique identifier for that file.
1. Virus fingerprinting: Virus scanners identify known viruses by the fingerprints (hashes) of their files and block or quarantine them.
2. Deduplication: Data deduplication is used to eliminate duplicate
copies of data, especially in the context of cloud storage where mul-
tiple users rely on a single cloud service to store their data. Dedu-
plication can be achieved by first having a user upload a hash of
the new file they want to store; if a file with this hash is already
stored in the cloud, then the cloud-storage provider can simply add
a pointer to the existing file to indicate that this specific user has
also stored this file, saving both communication and storage.
3. Peer-to-peer (P2P) file sharing: In P2P file-sharing systems, tables
are held by servers to provide a file-lookup service. These tables
contain the hashes of the available files, once again providing a
unique identifier without using much memory.
7.6.2 Merkle Trees
Consider a client who uploads a file x to a server. When the client later re-
trieves x, how to make sure that the server returns the original, unmodified
file x?
A natural solution is to use the "fingerprinting" approach described above: the client locally stores the short digest h = H(x); when the server returns a candidate file x′, the client needs only to check that $H(x') \stackrel{?}{=} h$. But when the target consists of many files $(x_1, x_2, \ldots, x_t)$ and/or large files, this causes storage problems (the client's storage grows linearly in t) and communication problems.
Another solution is to use the "Merkle tree" approach. A Merkle tree computed over input values $x_1, \ldots, x_t$ is simply a binary tree of depth log t in which the inputs are placed at the leaves, and the value of each internal node is the hash of the values of its two children.
Theorem 6 Let (GenH , H) be collision resistant. Then (GenH , MT t ) is also
collision resistant for any fixed t.
Proof is omitted.
A Merkle tree makes it easy for a client to upload a file x to a server and later verify it: it takes less memory to store the digest and fewer computations when the client wants to retrieve the file x. A Merkle tree is computed over input values $(x_1, x_2, \ldots, x_t)$ and is a binary tree of depth log t. Its inputs are placed at the leaves, and the value of each internal node is the hash of the values of its two children. Fixing some hash function H, we denote by $\mathrm{MT}_t$ the function that takes t input values $x_1, \ldots, x_t$, computes the resulting Merkle tree, and outputs the value of the root of the tree.
Let us check how Merkle trees work. Say a client computes $h_{1\ldots 8} = \mathrm{MT}_8(x_1, \ldots, x_8)$, uploads $x_1, \ldots, x_8$ to the server, and stores $h_{1\ldots 8}$ locally. If the client later wants to retrieve $x_3$, the server sends $x_3$ along with $x_4$, $H(x_1, x_2)$, and $h_{5\ldots 8} = H(H(x_5, x_6), H(x_7, x_8))$. The client then recomputes the path through the Merkle tree in the following steps.
Small files case
Step 1: Compute the node $H(x_3, x_4)$ from its children $(x_3, x_4)$.
Step 2: Compute the node $h'_{1\ldots 4} = H(H(x_1, x_2), H(x_3, x_4))$ from its children $(H(x_1, x_2), H(x_3, x_4))$.
Step 3: Compute the node $h'_{1\ldots 8} = H(h'_{1\ldots 4}, h_{5\ldots 8})$ from its children $(h'_{1\ldots 4}, h_{5\ldots 8})$.
Step 4: Finally, compare the recomputed root with the stored one: $h_{1\ldots 8} \stackrel{?}{=} h'_{1\ldots 8}$.
All the steps are shown in Figure 7.3 (a) with circles for retrieving x3 .
If files are large we may wish to avoid sending any file other than the one
the client has requested. That can easily be done if we define the Merkle tree
over the hashes of the files rather than the files themselves.
Large files case
Step 1: Compute the nodes $H(x_3)$ and $H(x_4)$ from $x_3$ and $x_4$, respectively.
Step 2: Compute the node $H(H(x_3), H(x_4))$ from its children $H(x_3), H(x_4)$.
Step 3: Compute the node $h'_{1\ldots 4} = H(H(H(x_1), H(x_2)), H(H(x_3), H(x_4)))$ from its children $H(H(x_1), H(x_2))$ and $H(H(x_3), H(x_4))$.
Step 4: Compute the node $h'_{1\ldots 8} = H(h'_{1\ldots 4}, h_{5\ldots 8})$ from its children $(h'_{1\ldots 4}, h_{5\ldots 8})$.
Step 5: Finally, compare the recomputed root with the stored one: $h_{1\ldots 8} \stackrel{?}{=} h'_{1\ldots 8}$.
All the steps are shown in Figure 7.3 (b) with circles for retrieving $x_3$. So we see that the Merkle tree is very efficient and does not need much computation.
Merkle trees provide an efficient solution to our original problem, since
the client’s local storage is constant (independent of the number of files t) and
the communication from server to client is very small, which is proportional
to log t. Note that Merkle trees thus provide an alternative to the Merkle-
Damgard transform for achieving domain extension for collision-resistant hash
functions (As described, however, Merkle trees are not collision resistant if the
number of input values t is allowed to vary).
FIGURE 7.3
Merkle tree while computing root for x3 (a) with small files (b) with large
files.
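The Python program below is an added example of the Merkle-tree protocol of Section 7.6.2 (it is not the book's code). It builds $\mathrm{MT}_t$ over t = 8 constructed files with SHA-256 as H, has the "server" produce exactly the values the text lists for retrieving $x_3$ (namely $x_4$, $H(x_1, x_2)$ and $h_{5\ldots 8}$), and has the "client" recompute the root from $\log t$ siblings and compare it with its stored copy. The hash_leaves switch selects the large-files variant, where the tree is built over $H(x_i)$ and the server sends $H(x_4)$ instead of $x_4$. Indices are 0-based in the code, so $x_3$ is index 2; function names are this example's own.

```python
import hashlib


def H(*parts: bytes) -> bytes:
    """Collision-resistant hash of the concatenation (SHA-256 here)."""
    return hashlib.sha256(b"".join(parts)).digest()


def merkle_levels(leaves: list) -> list:
    """Build the tree bottom-up; t must be a power of two.  Returns the levels
    from the leaves up to [root]."""
    assert leaves and len(leaves) & (len(leaves) - 1) == 0, "t must be a power of two"
    levels = [leaves]
    while len(levels[-1]) > 1:
        prev = levels[-1]
        levels.append([H(prev[i], prev[i + 1]) for i in range(0, len(prev), 2)])
    return levels


def MT(xs: list, hash_leaves: bool = False) -> bytes:
    """MT_t: root of the Merkle tree over x_1..x_t.  With hash_leaves=True the tree
    is built over H(x_i) instead of x_i (the 'large files' variant)."""
    leaves = [H(x) for x in xs] if hash_leaves else list(xs)
    return merkle_levels(leaves)[-1][0]


def prove(xs: list, index: int, hash_leaves: bool = False) -> list:
    """Server side: the sibling value at each level, as (sibling_is_on_the_left, value)
    pairs, sent alongside x_index (0-based).  For x_3 of eight files this is x_4,
    H(x_1, x_2) and h_{5..8}, the values named in the text."""
    leaves = [H(x) for x in xs] if hash_leaves else list(xs)
    path, i = [], index
    for level in merkle_levels(leaves)[:-1]:
        sib = i ^ 1                         # the other child of the same parent
        path.append((sib < i, level[sib]))
        i //= 2
    return path


def verify_path(root: bytes, x: bytes, path: list, hash_leaves: bool = False) -> bool:
    """Client side: recompute the path to the root from x and the siblings, then
    compare with the locally stored root h_{1..t}."""
    node = H(x) if hash_leaves else x
    for on_left, sib in path:
        node = H(sib, node) if on_left else H(node, sib)
    return node == root


if __name__ == "__main__":
    files = [f"file-{i}".encode() for i in range(1, 9)]   # constructed x_1..x_8
    root = MT(files)
    p = prove(files, 2)                                     # retrieve x_3
    print(verify_path(root, files[2], p), verify_path(root, b"tampered", p))
```

The client's storage is one digest regardless of t, and the proof has exactly three entries for eight files, matching the $\log t$ communication claimed in the text; a modified file or a proof borrowed from another tree fails the final root comparison.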
7.6.3 Password Hashing
An important use of hash functions in computer security is password protection. Usually the password itself is not stored at the authenticating server. The server stores only the value $h_{pw} = H(pw)$ in a password file; later, when the user enters their password pw, the server checks whether $H(pw) \stackrel{?}{=} h_{pw}$ before granting access.
If we model H as a random oracle, then we can formally prove the security
we want, namely, recovering pw from hpw (assuming pw is chosen uniformly
from D) requires |D|/2 evaluations of H, on average.
One possible way of password cracking is done by preprocessing, which
can be used to generate large tables that enable inversion (even of a random
function!) faster than exhaustive search. This is a significant concern in prac-
tice.
One way to mitigate the threat of password cracking is to introduce a salt
(a long random value) stored with the hash value of the password in the form,
(s, hpw = H(s, pw)) in the password file. The best an attacker can do is to
obtain the password file and then do a linear-time exhaustive search over the
domain D as discussed before.
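The following Python snippet is an added example of the salted scheme just described (not the book's code): the password file holds $(s, h_{pw} = H(s, pw))$ with a fresh random salt per user, H is instantiated here as SHA-256 over $s \| pw$, and the check compares digests in constant time. The last function shows the property that defeats precomputed tables: the same password stored twice produces two unrelated records. Function names are this example's own.

```python
import hashlib
import hmac
import secrets


def H(salt: bytes, pw: bytes) -> bytes:
    """H(s, pw) of the text, instantiated as SHA-256 over s || pw.
    (Deployed systems use a deliberately slow password hash in this role.)"""
    return hashlib.sha256(salt + pw).digest()


def make_record(pw: str, salt_len: int = 16) -> tuple:
    """Create the password-file entry (s, h_pw = H(s, pw)) with a fresh random salt."""
    salt = secrets.token_bytes(salt_len)
    return salt, H(salt, pw.encode())


def check_password(record: tuple, attempt: str) -> bool:
    """Server check: H(s, pw) =? h_pw, compared in constant time."""
    salt, h_pw = record
    return hmac.compare_digest(H(salt, attempt.encode()), h_pw)


def records_differ_for_same_password(pw: str) -> bool:
    """Why salting defeats precomputed tables: the same password yields different
    stored hashes under different salts, so one table cannot serve every entry."""
    (s1, h1), (s2, h2) = make_record(pw), make_record(pw)
    return s1 != s2 and h1 != h2
```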
7.6.4 Key Derivation
All the symmetric-key cryptosystems we have seen require a uniformly distributed bit string as the secret key. Often, however, it is more convenient for two parties to rely on shared information such as a password or biometric data, which is not uniformly distributed; this information is fed into a hash function to obtain a uniformly distributed string.
7.6.5 Commitment Schemes
A commitment scheme allows one party to “commit” to a message m by
sending a commitment value com, while obtaining the following seemingly
contradictory properties.
1. Hiding: the commitment reveals nothing about m.
2. Binding: it is infeasible for the committer to output a commitment com that it can later "open" as two different messages m, m′.
A commitment scheme can be seen as a digital envelope: sealing a message in
an envelope and handing it over to another party provides privacy (until the
envelope is opened) and binding (since the envelope is sealed).
Exercises
7.1 Second preimage resistance does not imply collision resistance; preimage
resistance does not imply second preimage resistance. Why not?
7.2 Explain how the Merkle-Damgard transform works for blocks of the same
lengths.
7.3 Explain how the Merkle-Damgard transform works for blocks of different
lengths.
7.4 Theorem 3 shows that the Merkle-Damgard transform preserves collision
resistance. Explain intuitively why it holds.
7.5 Survey cloud computing applications, find out existing problems, and then
fix them by using the original Merkle tree or devising your own variants of
the Merkle tree.
8
Introduction to Number Theory
CONTENTS
8.1 Preliminaries 103
8.1.1 Division, Prime, and Modulo 104
8.1.2 Greatest Common Divisor 105
8.1.3 Euclidean Algorithm 105
8.1.4 Extended Euclidean Algorithm 105
8.1.5 Fermat's Little Theorem 105
8.1.6 Euler's Theorem 106
8.1.7 Exponentiation and Logarithm 106
8.1.8 Set of Residues $\mathbb{Z}_n$ 107
8.1.9 Inverse Modulo 108
8.1.10 Euler's Criterion 110
8.2 Algebraic Structure 110
8.2.1 Group 110
8.2.2 Ring 112
8.2.3 Field 112
8.2.4 GF($2^n$) 113
8.2.5 Elliptic Curve 114
This chapter serves as a basis for the underlying mathematical concepts, theorems, and algorithms for cryptography, including division, primes, modulo, exponentiation, logarithm, and residues. The next section discusses the algebraic structures used in mathematics for cryptography, including groups, rings, and fields, followed by Galois fields. Elliptic curves are then defined along with the basic operations, point addition and point multiplication.
8.1 Preliminaries
We review basic mathematical concepts, theorems, and algorithms for cryp-
tography.
8.1.1 Division, Prime, and Modulo
We shall denote the set of integers by $\mathbb{Z}$, the set of positive integers by $\mathbb{Z}^+$, the set of natural numbers by $\mathbb{N}$, the set of rational numbers by $\mathbb{Q}$, and the set of real numbers by $\mathbb{R}$.
Theorem 1 For all a ∈ Z and n ∈ Z+ , there exist unique integers q and r
such that
a = q × n + r, 0 ≤ r < n. (8.1)
In this relation, a is called the dividend; q, the quotient; n, the divisor; r, the
remainder.
Example We have 20 = 3 × 6 + 2. We can say that 20 is the dividend, 3 is
the quotient, 6 is the divisor, and 2 is the remainder.
In Theorem 1, if a is not zero and we let r = 0, we get
a = q × n. (8.2)
We then say that n divides a and we write $n \mid a$. If the remainder is not zero, then n does not divide a and we write $n \nmid a$.
Example We have 20 = 4 × 5, so we can say that 5 divides 20 and we write $5 \mid 20$. We also have 20 = 3 × 6 + 2, so we can say that 6 does not divide 20 and we write $6 \nmid 20$.
Definition 1 (Prime) A positive integer is a prime if and only if it is divisible by exactly two positive integers, 1 and itself.
Definition 2 (Factorization) Any positive integer n greater than one can be written uniquely in the following prime factorization form, where $p_1, p_2, \ldots, p_k$ are primes and $e_1, e_2, \ldots, e_k$ are positive integers:
$n = p_1^{e_1} \times p_2^{e_2} \times \cdots \times p_k^{e_k}$. (8.3)
No effic efficient algorithm has been found to factor large composite integers. This is good for cryptography, because some modern cryptography relies on this fact.
In Theorem 1, the division relation has two inputs (a and n) and two
outputs (q and r). In modular arithmetic, we are interested in only one of the
outputs, the remainder r. This binary operator is called the modulo operator
and is shown as mod. We can write
a mod n = r. (8.4)
Example We have 27 mod 5 = 2.
Example Find $5^6 \bmod 7$. The result can be found later by using Fermat's Little Theorem.
8.1.2 Greatest Common Divisor
Definition 3 (Greatest Common Divisor) The greatest common divisor of two non-negative integers a and b is the largest integer that divides both a and b; it is denoted by gcd(a, b). We say that a and b are relatively prime or coprime if gcd(a, b) = 1.
Example The greatest common divisor of 24 and 36 is 12. We can write
gcd(24,36)=12. The greatest common divisor of 24 and 35 is 1, then we say
24 and 35 are relatively prime.
8.1.3 Euclidean Algorithm
The Euclidean algorithm is based on the following two facts.
Fact 1. gcd(a, 0) = a.
Fact 2. gcd(a, b) = gcd(b, r), where r is the remainder of dividing a by b.
Example gcd(45, 20) = gcd(20, 5) = gcd(5, 0) = 5.
8.1.4 Extended Euclidean Algorithm
Given two integers a and b, we often need to find two other integers, s and t, such that
s × a + t × b = gcd(a, b). (8.5)
Example Given a = 161 and b = 28, we get gcd(161, 28) = 7, s = −1 and
t = 6. The answer can be tested because we have (−1) × 161 + 6 × 28 = 7.
8.1.5 Fermat’s Little Theorem
Fermat’s little theorem plays a very important role in number theory and
cryptography. There are two versions of this theorem.
Theorem 2 If p is a prime and a is an integer, then $a^p \equiv a \pmod p$.
Theorem 3 If p is a prime and a is not divisible by p, then $a^{p-1} \equiv 1 \pmod p$.
Note that Theorem 2 holding for every integer a is equivalent to Theorem 3 holding for every a not divisible by p.
Example Find the result of $6^{10} \bmod 11$.
Example Find the result of $3^{12} \bmod 11$.
Theorem 4 If p is a prime and a is an integer such that p does not divide a, then
$a^{-1} \bmod p = a^{p-2} \bmod p$. (8.6)
We can use the above theorem to find a multiplicative inverse instead of using the extended Euclidean algorithm.
Example Find the multiplicative inverse of 8 modulo 17. The result is 15.
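The Python program below is an added example covering Sections 8.1.3 through 8.1.5 (it is not the book's code): the Euclidean algorithm built from Facts 1 and 2, the extended Euclidean algorithm returning (gcd, s, t) for (8.5), and the two ways to obtain a modular inverse, via the extended algorithm and via Theorem 4. The last function applies Fermat's theorem to reduce an exponent modulo p − 1 before computing, which is how the three Fermat examples above are answered. Function names are this example's own.

```python
def gcd(a: int, b: int) -> int:
    """Euclidean algorithm (Facts 1 and 2): gcd(a, 0) = a and gcd(a, b) = gcd(b, a mod b)."""
    while b:
        a, b = b, a % b
    return a


def egcd(a: int, b: int) -> tuple:
    """Extended Euclidean algorithm: returns (g, s, t) with s*a + t*b = g = gcd(a, b)."""
    old_r, r = a, b
    old_s, s = 1, 0
    old_t, t = 0, 1
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
        old_t, t = t, old_t - q * t
    return old_r, old_s, old_t


def inverse_egcd(a: int, n: int) -> int:
    """a^{-1} mod n via the extended Euclidean algorithm; requires gcd(a, n) = 1."""
    g, s, _ = egcd(a % n, n)
    if g != 1:
        raise ValueError(f"{a} has no inverse modulo {n}")
    return s % n


def inverse_fermat(a: int, p: int) -> int:
    """a^{-1} mod p = a^{p-2} mod p (Theorem 4); valid only for prime p with p not dividing a."""
    if a % p == 0:
        raise ValueError("a is divisible by p")
    return pow(a, p - 2, p)


def fermat_power(a: int, e: int, p: int) -> int:
    """a^e mod p for prime p and p not dividing a, using a^(p-1) = 1 (Theorem 3)
    to replace the exponent e by e mod (p-1) before exponentiating."""
    if a % p == 0:
        raise ValueError("a is divisible by p")
    return pow(a, e % (p - 1), p)
```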
8.1.6 Euler’s Theorem
Euler's phi function, denoted by φ(n) and also called Euler's totient function, plays a very important role in cryptography. This function counts the integers that are both smaller than n and relatively prime to n. The following four properties help to find the value of φ(n):
1. φ(0) = 1.
2. φ(p) = p − 1 if p is a prime.
3. φ(m × n) = φ(m) × φ(n) if m and n are relatively prime.
4. $\phi(p^e) = p^e - p^{e-1}$ if p is a prime.
Example What is the value of φ(14)? The result is 6. The number of elements in $\mathbb{Z}_{14}^*$ is 6: they are 1, 3, 5, 9, 11, and 13.
The modulus in Fermat's Little Theorem is a prime, whereas the modulus in Euler's theorem can be any positive integer. There are two versions of Euler's theorem.
Theorem 5 If a and n are coprime, then $a^{\phi(n)} \equiv 1 \pmod n$.
Example What is the value of $6^{24} \bmod 35$? The result is 1.
Theorem 6 If n = p × q, a < n, and k is an integer, then
$a^{k \times \phi(n) + 1} \equiv a \pmod n$. (8.7)
Example What is the value of $20^{62} \bmod 77$? The result is 15.
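The following Python code is an added example for Section 8.1.6 (not the book's code): φ(n) is computed from the prime factorization using properties 2–4, $\mathbb{Z}_n^*$ is listed to confirm the count, Theorem 5 is used to reduce an exponent modulo φ(n) before exponentiating, and Theorem 6 is checked for every a below n = pq. Function names are this example's own.

```python
from math import gcd


def factorize(n: int) -> dict:
    """Trial-division prime factorization n = p1^e1 * ... * pk^ek (Definition 2);
    fine for the small moduli used in these examples."""
    factors, p = {}, 2
    while p * p <= n:
        while n % p == 0:
            factors[p] = factors.get(p, 0) + 1
            n //= p
        p += 1
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors


def phi(n: int) -> int:
    """Euler's phi from properties 3 and 4: phi(prod p^e) = prod (p^e - p^(e-1))."""
    result = 1
    for p, e in factorize(n).items():
        result *= p ** e - p ** (e - 1)
    return result


def units(n: int) -> list:
    """Z_n^*: the elements of Z_n coprime to n; its size equals phi(n)."""
    return [a for a in range(1, n) if gcd(a, n) == 1]


def euler_power(a: int, e: int, n: int) -> int:
    """a^e mod n for gcd(a, n) = 1, reducing the exponent modulo phi(n) first (Theorem 5)."""
    if gcd(a, n) != 1:
        raise ValueError("Theorem 5 needs a and n coprime")
    return pow(a, e % phi(n), n)


def theorem6_holds(a: int, k: int, p: int, q: int) -> bool:
    """Check a^(k*phi(n)+1) = a (mod n) for n = p*q, as stated in Theorem 6."""
    n = p * q
    return pow(a, k * phi(n) + 1, n) == a % n
```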
8.1.7 Exponentiation and Logarithm
In cryptography, the exponentiation operation is frequently used to calculate
$y = a^x \bmod n$. (8.8)
If exponentiation is used to encrypt or decrypt, the adversary can try to use the logarithm to attack, as
$x = \log_a y \bmod n$. (8.9)
The number x is called the discrete logarithm of y to the base a.
Fast exponentiation is possible using the square-and-multiply method. We can write $y = a^x$ as
$y = a^{x_{n-1} \times 2^{n-1} + x_{n-2} \times 2^{n-2} + \cdots + x_1 \times 2^1 + x_0 \times 2^0}$, (8.10)
where each $x_i$ is 0 or 1.
Example Compute $5^{41} \bmod 9$. We have two ways to compute it, as follows.
1. Straightforward approach
$5^{41} \bmod 9 = 45474735088646411895751953125 \bmod 9 = 2$.
2. Using fast exponentiation
We write $41 = 101001_{(2)}$, so $5^{41} = 5^{32+8+1} = 5^{32} \times 5^8 \times 5^1$. We have:
$5^1 \bmod 9 = 5 \bmod 9 = 5$,
$5^2 \bmod 9 = (5^1 \times 5^1) \bmod 9 = ((5^1 \bmod 9) \times (5^1 \bmod 9)) \bmod 9 = (5 \times 5) \bmod 9 = 7$,
$5^4 \bmod 9 = (5^2 \times 5^2) \bmod 9 = ((5^2 \bmod 9) \times (5^2 \bmod 9)) \bmod 9 = (7 \times 7) \bmod 9 = 4$,
$5^8 \bmod 9 = (5^4 \times 5^4) \bmod 9 = ((5^4 \bmod 9) \times (5^4 \bmod 9)) \bmod 9 = (4 \times 4) \bmod 9 = 7$,
$5^{16} \bmod 9 = (5^8 \times 5^8) \bmod 9 = ((5^8 \bmod 9) \times (5^8 \bmod 9)) \bmod 9 = (7 \times 7) \bmod 9 = 4$,
$5^{32} \bmod 9 = (5^{16} \times 5^{16}) \bmod 9 = ((5^{16} \bmod 9) \times (5^{16} \bmod 9)) \bmod 9 = (4 \times 4) \bmod 9 = 7$,
then
$5^{41} \bmod 9 = (5^{32} \times 5^8 \times 5^1) \bmod 9 = ((5^{32} \bmod 9) \times (5^8 \bmod 9) \times (5^1 \bmod 9)) \bmod 9 = (7 \times 7 \times 5) \bmod 9 = (((7 \times 7) \bmod 9) \times (5 \bmod 9)) \bmod 9 = (4 \times 5) \bmod 9 = 2$.
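The Python function below is an added example of the square-and-multiply method of Section 8.1.7 (not the book's code). It scans the bits $x_0, x_1, \ldots$ of the exponent from the least significant end, squares a running power $a^{2^i} \bmod n$ at every step and multiplies it into the result whenever the bit is 1, which is exactly the table of $5^1, 5^2, 5^4, \ldots, 5^{32}$ computed above; the trace it returns reproduces that table, and the result is checked against Python's own pow. Function names are this example's own.

```python
def square_and_multiply(a: int, x: int, n: int) -> tuple:
    """Compute y = a^x mod n with (8.10): scan the bits of x from x_0 upward,
    keeping power = a^(2^i) mod n (squared each step) and multiplying it into the
    result when bit x_i is 1.  Returns (y, trace) with trace = [(2^i, a^(2^i) mod n, x_i)]."""
    result, power, trace = 1 % n, a % n, []
    i = 0
    while x:
        bit = x & 1
        trace.append((1 << i, power, bit))
        if bit:
            result = (result * power) % n     # multiply step
        power = (power * power) % n           # square step
        x >>= 1
        i += 1
    return result, trace


def binary_expansion(x: int) -> list:
    """[x_{n-1}, ..., x_0], the bits used in (8.10); e.g. 41 -> [1, 0, 1, 0, 0, 1]."""
    return [int(b) for b in bin(x)[2:]]


def naive_power(a: int, x: int, n: int) -> int:
    """The straightforward approach: build the full integer a^x, then reduce."""
    return (a ** x) % n
```

The trace for $5^{41} \bmod 9$ lists (1, 5), (2, 7), (4, 4), (8, 7), (16, 4), (32, 7), and the bits 1, 0, 0, 1, 0, 1 select $5^1$, $5^8$ and $5^{32}$, giving 2; the loop runs once per bit of x, whereas naive_power builds a 29-digit integer first.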
8.1.8 Set of Residues Zn
Definition 4 (Set of Residues $\mathbb{Z}_n$) Let n be a positive integer and $\mathbb{Z}_n$ be the set $\{0, 1, 2, \ldots, n-1\}$ with the following operations.
1. (a + b) mod n = [(a mod n) + (b mod n)] mod n
2. (a − b) mod n = [(a mod n) - (b mod n)] mod n
3. (a × b) mod n = [(a mod n) × (b mod n)] mod n
The result of modulo operator is always an integer between 0 and n − 1. We
say that the set of all these integers is the set of least residues modulo n or
Zn .
Example We have Z6 ={0, 1, 2, 3, 4, 5}.
Definition 5 (Modulus) Let $a, b \in \mathbb{Z}$ and $n \in \mathbb{Z}^+$. We say that a is congruent to b modulo n if $n \mid (a - b)$, in which case we write $a \equiv b \pmod n$. If a is not congruent to b modulo n, then we write $a \not\equiv b \pmod n$. The integer n is called the modulus.
Example We have $2 \equiv 12 \pmod{10}$ and $3 \not\equiv 12 \pmod{10}$.
8.1.9 Inverse Modulo
Definition 6 (Additive Inverse) In modular arithmetic, each integer has
an additive inverse. The sum of an integer and its additive inverse is congru-
ent to 0 modulo n.
We say that two numbers a and b are additive inverse of each other if (a+b) ≡ 0
(mod n).
Example If the modulus is 10, then the additive inverse of 2 is 8. In other
words, we have 2 + 8 ≡ 0 (mod 10).
Definition 7 (Multiplicative Inverse) Let a ∈ Z and n ∈ Z+ . A multi-
plicative inverse of a modulo n is an integer b such that a × b ≡ 1 (mod n).
Example If the modulus is 10, then the multiplicative inverse of 3 is 7. In
other words, we have 3 × 7 ≡ 1 (mod 10).
Definition 8 (Z∗n ) Z∗n is the set of all elements in Zn with a multiplicative
inverse, that is,
Z∗n = {a ∈ Zn : gcd(a, n) = 1}.
There are two more sets often used in cryptography: $\mathbb{Z}_p$ and $\mathbb{Z}_p^*$. The modulus in these two sets is a prime number, which has only two divisors, 1 and itself (see Definition 1). $\mathbb{Z}_p$ is the same as $\mathbb{Z}_n$ except that p is a prime. Each member of $\mathbb{Z}_p$ has an additive inverse. $\mathbb{Z}_p^*$ is the same as $\mathbb{Z}_n^*$ except that p is a prime. Each member of $\mathbb{Z}_p^*$ has an additive inverse and a multiplicative inverse.
Note that 1 is relatively prime to all natural numbers.
Zp = {0, 1, 2, . . . , p − 1},
Z∗p = {1, 2, . . . , p − 1}.
Example Z13 = {0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12},
Z∗13 = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12}.
Properties
1. x has an inverse in Zn if x and n are relatively prime.
2. Z∗n is the set of invertible elements in Zn .
3. Let a, m ∈ Z and p is a prime. If p - a, then am ≡ am mod(p−1)
(mod p).
Proof Let q = [m/(p − 1)] and r = m mod (p − 1). Recall that
m = q(p − 1) + r by the division algorithm. If p - a, then Fermat’s
Little Theorem (will be discussed later) implies
q
am ≡ aq(p−1)+r ≡ aq(p−1) ar ≡ (ap−1 ) ar ≡ 1q ar ≡ ar (mod p).
(8.11)
Example Suppose we wish to compute 583315563 mod 11. Note that 11 is
prime and 11 - 5, so we can apply the above property. We calculate
583315563 mod 11 ≡ 583315563mod10 ≡ 53 ≡ 125 ≡ 4 (mod 11).
Therefore, 583315563 mod 11 = 4. We have another representation of this prop-
erty as the following.
Fact If p is a prime and g is a generator of Z_p^*, then
g^c = g^a g^b mod p ⇔ c = (a + b) mod (p − 1). (8.12)
Proof Let c = q_1(p − 1) + r_1 and (a + b) = q_2(p − 1) + r_2 with 0 ≤ r_1, r_2 < p − 1. Then
g^c mod p = g^{q_1(p−1)+r_1} mod p = (g^{q_1(p−1)} × g^{r_1}) mod p = (g^{q_1(p−1)} mod p × g^{r_1} mod p) mod p
= ((g^{p−1})^{q_1} mod p × g^{r_1} mod p) mod p = (1^{q_1} mod p × g^{r_1} mod p) mod p = g^{r_1} mod p,
g^{a+b} mod p = g^{q_2(p−1)+r_2} mod p = (g^{q_2(p−1)} × g^{r_2}) mod p = (g^{q_2(p−1)} mod p × g^{r_2} mod p) mod p
= ((g^{p−1})^{q_2} mod p × g^{r_2} mod p) mod p = (1^{q_2} mod p × g^{r_2} mod p) mod p = g^{r_2} mod p.
Since g has order p − 1, g^{r_1} ≡ g^{r_2} (mod p) holds exactly when r_1 = r_2. Thus, we have
g^c = g^a g^b mod p ⇔ g^{r_1} mod p = g^{r_2} mod p ⇔ c = (a + b) mod (p − 1).
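An added Python example (not the book's code) that applies the exponent reduction of Eq. 8.11 to the computation 5^{83315563} mod 11 above, and checks Eq. 8.12 exhaustively for a small prime. It also tries a g that is not a generator, for which the equivalence fails, which is why the proof needs g to have order p − 1. Function names are ours.

```python
# Added example, not the book's code: exponent reduction modulo p - 1 (property 3, Eq. 8.11)
# and an exhaustive check of Eq. 8.12 for a small prime. Function names are ours.


def reduce_exponent(a: int, m: int, p: int) -> int:
    """a^m mod p computed as a^(m mod (p-1)) mod p; valid for prime p with p ∤ a."""
    if a % p == 0:
        raise ValueError("property requires p ∤ a")
    return pow(a, m % (p - 1), p)


def is_generator(g: int, p: int) -> bool:
    """True if the powers of g exhaust Z_p^* (exhaustive, small p)."""
    return len({pow(g, k, p) for k in range(1, p)}) == p - 1


def fact_8_12_holds(g: int, p: int, a: int, b: int, c: int) -> bool:
    """Both sides of Eq. 8.12 for one triple: g^c = g^a g^b mod p  <=>  c ≡ a + b (mod p-1)."""
    lhs = pow(g, c, p) == pow(g, a, p) * pow(g, b, p) % p
    rhs = c % (p - 1) == (a + b) % (p - 1)
    return lhs == rhs


def equivalence_holds(p: int, g: int, bound: int) -> bool:
    """Check Eq. 8.12 for all 0 <= a, b, c < bound. It fails for a g that is not a generator,
    because then g^r1 = g^r2 no longer forces r1 = r2."""
    return all(fact_8_12_holds(g, p, a, b, c)
               for a in range(bound) for b in range(bound) for c in range(bound))
```

For p = 11, g = 2 is a generator and the equivalence holds for every triple, while g = 3 has order 5 and the triple (a, b, c) = (0, 5, 0) already breaks it: 3^0 = 3^0 · 3^5 mod 11 but 0 ≠ 5 mod 10.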
Theorem 7 For x, y ∈ Z_p, y is a square root of x if y^2 ≡ x (mod p).
An element has either 0 or 2 square roots in Z_p. If y is a square root of x, so
is −y.
Definition 9 (QR and QNR) In the equation y^2 ≡ x (mod p), for x ∈
Z_p^*, y ∈ Z_p, y is called a quadratic residue (QR) if the equation has two square
roots in Z_p, while y is called a quadratic nonresidue (QNR) if the equation
has no square root.
8.1.10 Euler's Criterion
Euler's criterion gives specific conditions for checking whether an integer is a QR
modulo p.
1. If y^{(p−1)/2} ≡ 1 (mod p), y is a quadratic residue modulo p.
2. If y^{(p−1)/2} ≡ −1 (mod p), y is a quadratic nonresidue modulo p.
It can be proved that among the p − 1 elements of Z_p^*, exactly (p − 1)/2
are quadratic residues and (p − 1)/2 are quadratic nonresidues.
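Theorem 7 and Euler's criterion, as an added Python example that is not the book's code: square roots are found by exhaustive search, each unit is classified by y^{(p−1)/2} mod p, and the two verdicts are cross-checked (a QR has exactly the roots y and −y, a QNR has none). Names are ours.

```python
# Added example, not the book's code: square roots modulo a prime (Theorem 7) and Euler's
# criterion (Section 8.1.10), cross-checked against each other for every unit. Names are ours.
from typing import List, Tuple


def square_roots(x: int, p: int) -> List[int]:
    """All y in Z_p with y^2 ≡ x (mod p), by exhaustive search (small p)."""
    return [y for y in range(p) if (y * y - x) % p == 0]


def euler_criterion(x: int, p: int) -> int:
    """x^((p-1)/2) mod p for an odd prime p: 1 for a QR, p - 1 (i.e. -1) for a QNR."""
    return pow(x, (p - 1) // 2, p)


def classify_units(p: int) -> Tuple[List[int], List[int]]:
    """Split Z_p^* into quadratic residues and nonresidues by Euler's criterion, checking each
    verdict against the root count: a QR has exactly the two roots y and -y, a QNR has none."""
    qr, qnr = [], []
    for x in range(1, p):
        roots = square_roots(x, p)
        if euler_criterion(x, p) == 1:
            assert len(roots) == 2 and roots[1] == (-roots[0]) % p
            qr.append(x)
        else:
            assert euler_criterion(x, p) == p - 1 and roots == []
            qnr.append(x)
    return qr, qnr
```

Running classify_units(13) gives six residues and six nonresidues, the (p − 1)/2 split stated above.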
8.2 Algebraic Structure
This section discusses the algebraic structures used in cryptography including
groups, rings and fields, Galois field, and elliptic curve.
8.2.1 Group
Definition 10 (Group) A group ⟨G, •⟩ is a set of elements with a binary operation
• that satisfies four properties.
1. Closure: If a and b are elements of G, then c = a • b is also an
element of G.
2. Associativity: If a, b, and c are elements of G, then (a • b) • c =
a • (b • c).
3. Identity element: For all a in G, there exists an element e, called
the identity element, such that e • a = a • e = a.
4. Existence of inverse: For each a in G, there exists an element a′,
called the inverse of a, such that a • a′ = a′ • a = e.
Definition 11 (Abelian Group) A group ⟨G, •⟩ is called abelian or com-
mutative if
a • b = b • a for all a, b in G.
Theorem 8 Let hG, •, ei be a group. Then
1. There exists a unique identity element of G under •.
2. For each a ∈ G, there exists a unique inverse of a under •.
Multiplicative and Additive Notation
In multiplicative notation, the group operation is denoted by ×, the iden-
tity element by 1, the inverse of a by a^{−1}, and m applications of the operation
× to a by a^m.
In additive notation, the group operation is denoted by +, the identity
element by 0, the inverse of a by −a, and m applications of the operation +
to a by ma.
Example ⟨Z_n, +⟩, ⟨Z_n^*, ×⟩, ⟨Q − {0}, ×⟩ and ⟨R, +⟩ are commutative groups.
⟨Z_n, + mod n⟩ and ⟨Z_n^*, + mod n⟩ are groups, while ⟨Z_n, × mod n⟩ and ⟨Z_n^*, ×
mod n⟩ are not groups. ⟨Z_n, × mod n⟩ and ⟨Z_n^*, × mod n⟩ become groups if n
is a prime. Thus, ⟨Z_p, × mod p⟩ and ⟨Z_p^*, × mod p⟩ are groups for a prime p.
Definition 12 (Finite and Infinite Group) A group is called a finite group
if the set has a finite number of elements; otherwise, it is called an infinite
group.
Definition 13 (Order of a Group) The order of a group, denoted by |G|
or ||G||, is the number of elements in the group G. If the group is finite, its
order is finite; if the group is infinite, its order is infinite.
Definition 14 (Subgroup) Let G be a group and H be a subset of G. We
say that H is a subgroup of G if H is also a group under the same operation
as G.
Example. Is the group H = hZ10 , +i a subgroup of the group G = hZ12 , +i?
Definition 15 (Cyclic Subgroup) If a subgroup of a group can be generated
using the powers of an element, the subgroup is called a cyclic subgroup. The
term power here means repeatedly applying the group operation to the element a:
a^n = a • a • · · · • a (n times). A cyclic group is a group that has its own cyclic
subgroup. The element is referred to as a generator.
Example The group G = ⟨Z_6, +⟩ is a cyclic group with two generators, a = 1
and a = 5. The group G = ⟨Z_10^*, ×⟩ is a cyclic group with two generators,
a = 3 and a = 7.
Theorem 9 For all primes p, the group ⟨Z_p^*, ×⟩ is cyclic with identity element 1.
Definition 16 (Order of an Element) The order of an element a in a
group, denoted by ord(a), is the smallest positive integer n such that a^n = e.
Example In the group G = ⟨Z_10^*, ×⟩, the orders of the elements are: ord(1) = 1,
ord(3) = 4, ord(7) = 4, ord(9) = 2.
Primitive root In the group G = ⟨Z_n^*, ×⟩, when the order of an element is
the same as φ(n), the element is called a primitive root of the group.
The idea of discrete logarithm The group G = ⟨Z_p^*, ×⟩ has the following prop-
erties.
1. Its elements include all integers from 1 to p − 1.
2. It always has primitive roots.
3. It is a cyclic group. The elements can be generated as g^x, where
x is an integer from 1 to φ(p) = p − 1.
4. If the group has k primitive roots, calculations can be done in k
different bases.
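The notions of Definitions 15 and 16 and of primitive roots, as an added Python example that is not the book's code: it computes ord(a) by repeated application of the group operation, lists the generators of ⟨Z_n, +⟩ and the primitive roots of ⟨Z_n^*, ×⟩ (order equal to φ(n)), and reproduces the Z_6 and Z_10^* examples above. It also shows a modulus (n = 8) whose unit group has no primitive root at all. Names are ours; everything is brute force for small n.

```python
# Added example, not the book's code: orders of elements, generators of <Z_n, +> and
# <Z_n^*, x>, and primitive roots (order equal to φ(n)). Names are ours; brute force, small n.
from math import gcd
from typing import List


def order_mul(a: int, n: int) -> int:
    """ord(a) in <Z_n^*, x>: the smallest k >= 1 with a^k ≡ 1 (mod n) (Definition 16)."""
    if gcd(a, n) != 1:
        raise ValueError("a is not a unit modulo n")
    k, x = 1, a % n
    while x != 1:
        x = x * a % n
        k += 1
    return k


def order_add(a: int, n: int) -> int:
    """ord(a) in <Z_n, +>: the smallest k >= 1 with k·a ≡ 0 (mod n)."""
    k, x = 1, a % n
    while x != 0:
        x = (x + a) % n
        k += 1
    return k


def phi(n: int) -> int:
    """Euler's totient φ(n), counted directly."""
    return sum(1 for a in range(1, n + 1) if gcd(a, n) == 1)


def additive_generators(n: int) -> List[int]:
    """Generators of the cyclic group <Z_n, +>: the elements of order n."""
    return [a for a in range(n) if order_add(a, n) == n]


def primitive_roots(n: int) -> List[int]:
    """Elements of Z_n^* of order φ(n); empty when <Z_n^*, x> is not cyclic."""
    t = phi(n)
    return [a for a in range(1, n) if gcd(a, n) == 1 and order_mul(a, n) == t]


def orders_table(n: int) -> dict:
    """ord(a) for every a in Z_n^*."""
    return {a: order_mul(a, n) for a in range(1, n) if gcd(a, n) == 1}
```

orders_table(10) returns {1: 1, 3: 4, 7: 4, 9: 2}, so 3 and 7 are the primitive roots of Z_10^*, as the example states; for the prime 7 the primitive roots are 3 and 5.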
8.2.2 Ring
Definition 17 (Ring) A ring, denoted by ⟨R, •, ◦⟩, is an algebraic structure
with two operations. The first operation must satisfy all five properties required
for an abelian group. The second operation must satisfy only the first two. A
commutative ring is a ring in which the commutative property is also satisfied
for the second operation.
Example ⟨Z, +, ×⟩ is a ring. ⟨Z_n, + mod n, × mod n⟩ and ⟨Z_n^*, + mod n, ×
mod n⟩ are important rings in cryptography.
8.2.3 Field
Definition 18 (Field) A field, denoted by ⟨F, •, ◦⟩, is a commutative ring
in which the second operation satisfies all five properties defined for the first
operation, except that the identity of the first operation has no inverse.
Example ⟨Z_5, +, ×⟩ is a field, but ⟨Z_6, +, ×⟩ is not a field.
Are ⟨Z_n, + mod n, × mod n⟩ and ⟨Z_p, + mod p, × mod p⟩ fields? Why?
Definition 19 (Finite Field) A finite field is a field with a finite number
of elements (Galois showed that the number of elements must be p^n). It is
usually called a Galois field and denoted by GF(p^n), where p is a prime and n
is a positive integer.
When n = 1, we have GF(p) as the set Z_p of integers {0, 1, 2, . . . , p − 1}
together with the arithmetic operations modulo p. The operations are defined
as: for all a, b ∈ GF(p), we have a + b = (a + b) mod p and a × b = (a × b) mod
p. The identity element for the additive operation is the integer 0 and the identity
element for the multiplicative operation is the integer 1.
8.2.4 GF(2^n)
A polynomial of degree n − 1 is an expression of the form
f(x) = a_{n−1} x^{n−1} + a_{n−2} x^{n−2} + . . . + a_0 x^0, (8.13)
where x^i is called the i-th term and a_i is called the coefficient of the i-th term.
When p = 2 in a Galois field, we have GF(2^n). An element of GF(2^n) can be
expressed as a bit string of length n. An element of GF(2^n) can also be
expressed as a polynomial. There is a one-to-one correspondence between the
n-bit string expression and the degree-(n − 1) polynomial expression. The power
of x defines the position of the bit in the n-bit word. The coefficients of the terms
define the values of the bits.
Example For n = 5, we can represent the 5-bit word (10111) by the polynomial
1x^4 + 0x^3 + 1x^2 + 1x^1 + 1x^0. After simplification, we have x^4 + x^2 + x + 1.
Before defining the operations on polynomials, we need to define a modu-
lus polynomial in the set GF(2^n), which is referred to as a prime polynomial
or irreducible polynomial.
Definition 20 (Irreducible or Prime Polynomial) An irreducible or prime
polynomial is a polynomial that no polynomial in the set, other than 1 and itself,
can divide.
Example For n = 3, we have GF(2^3). There are two irreducible polynomials:
(x^3 + x^2 + 1) and (x^3 + x + 1).
We find the result of addition for polynomials, denoted by ⊕, by adding
the coefficients of the corresponding terms.
Example The result of (x^7 + x^2 + 1) ⊕ (x^5 + x^2 + x) in GF(2^8) is x^7 + x^5 + x + 1.
The addition operation for n-bit strings can also be calculated by
exclusive-or (XOR). The additive identity in polynomials is the zero poly-
nomial (a polynomial with all coefficients set to zero). For n-bit strings, the
identity is (000 . . . 000) with a length of n bits. The additive inverse of
a polynomial with coefficients in GF(2) is the polynomial itself. Note that addition
and subtraction operations on polynomials are therefore the same operation.
Multiplication of polynomials, denoted by ⊗, is the sum of the multi-
plication of each term of the first polynomial with each term of the second
polynomial, which is then reduced using a modulus polynomial.
Example The result of (x^5 + x^2 + x) ⊗ (x^7 + x^4 + x^3 + x^2 + x) with irreducible
polynomial (x^8 + x^4 + x^3 + x + 1) is x^5 + x^3 + x^2 + x + 1.
The multiplicative identity in polynomials is always 1. For n-bit strings,
the identity is (000 . . . 001) with a length of n bits and the first n − 1
bits set to zero. The multiplicative inverse of a polynomial can be calculated
by using the extended Euclidean algorithm.
In GF(2^n) with the irreducible polynomial f(x), an element a in the
field must satisfy the relation f(a) = 0. If g is a generator of the field, then
f(g) = 0. The elements of the field can be generated as
{0, g, g^2, g^3, . . . , g^N}, where N = 2^n − 2. (8.14)
Example Generate the elements of GF(2^3) using the irreducible polynomial
x^3 + x + 1.
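GF(2^n) arithmetic in the bit-string representation, as an added Python example that is not the book's code. Elements are ints whose bit i is the coefficient of x^i, addition is XOR, multiplication is the shift-and-add product reduced by the irreducible polynomial, irreducibility is tested by trial division as in Definition 20, and the field elements are generated from g as in Eq. 8.14 (here the list runs up to g^{2^n − 1} = 1 so that all 2^n elements appear). It reproduces the ⊕ and ⊗ examples above, the two irreducible cubics, and the GF(2^3) generation example. Names are ours; the inverse is found by search rather than the extended Euclidean algorithm the text mentions.

```python
# Added example, not the book's code: arithmetic in GF(2^n) with field elements stored as
# Python ints whose bit i is the coefficient of x^i (the n-bit-string view of Section 8.2.4).
# Function names are ours; the irreducible polynomials used are the ones quoted in the text.
from typing import List


def gf_add(a: int, b: int) -> int:
    """a ⊕ b: coefficient-wise addition mod 2, i.e. XOR (also subtraction)."""
    return a ^ b


def gf_mul(a: int, b: int, mod: int, n: int) -> int:
    """a ⊗ b reduced modulo the degree-n irreducible polynomial `mod` (bit n set)."""
    r = 0
    while b:
        if b & 1:
            r ^= a                      # add the current multiple of a
        b >>= 1
        a <<= 1                         # multiply a by x
        if (a >> n) & 1:
            a ^= mod                    # degree reached n: subtract the modulus
    return r


def gf_inv(a: int, mod: int, n: int) -> int:
    """Multiplicative inverse by exhaustive search over the 2^n - 1 nonzero elements.
    (The book uses the extended Euclidean algorithm; search is enough for small n.)"""
    for b in range(1, 1 << n):
        if gf_mul(a, b, mod, n) == 1:
            return b
    raise ValueError("zero has no inverse")


def poly_mod(a: int, b: int) -> int:
    """Remainder of a divided by b, both polynomials over GF(2) as ints."""
    db = b.bit_length() - 1
    while a and a.bit_length() - 1 >= db:
        a ^= b << (a.bit_length() - 1 - db)
    return a


def is_irreducible(poly: int) -> bool:
    """Definition 20: no polynomial of degree 1..deg/2 divides poly (exhaustive trial division)."""
    deg = poly.bit_length() - 1
    return deg >= 1 and all(poly_mod(poly, d) != 0 for d in range(2, 1 << (deg // 2 + 1)))


def irreducible_polys(n: int) -> List[int]:
    """All irreducible polynomials of degree exactly n over GF(2), as ints."""
    return [p for p in range(1 << n, 1 << (n + 1)) if is_irreducible(p)]


def elements_by_generator(g: int, mod: int, n: int) -> List[int]:
    """Eq. 8.14 with the top power included: [0, g, g^2, ..., g^(2^n - 1)], the last being 1."""
    elems, x = [0], 1
    for _ in range((1 << n) - 1):
        x = gf_mul(x, g, mod, n)
        elems.append(x)
    return elems
```

With mod = 0b1011 (x^3 + x + 1) and g = x = 0b010, elements_by_generator returns [0, 2, 4, 3, 6, 7, 5, 1], i.e. every 3-bit word exactly once; with the AES-style modulus 0x11B (x^8 + x^4 + x^3 + x + 1) the ⊗ example above evaluates to 0b101111 = x^5 + x^3 + x^2 + x + 1.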
8.2.5 Elliptic Curve
Definition 21 (Elliptic Curve) An elliptic curve E is the set of all points
over GF(p) satisfying the Weierstrass equation
y^2 = x^3 + ax + b, (8.15)
together with an extra point O (point at infinity or zero point), where the con-
stants a and b must satisfy 4a^3 + 27b^2 ≠ 0.
Operation
Let E be an elliptic curve and P = (x_1, y_1) and Q = (x_2, y_2) be two points on
E. There are three cases to find R = (x_3, y_3) = P + Q.
1. If P and Q have different x-coordinates and y-coordinates (x_1 ≠ x_2
and y_1 ≠ y_2), then calculate λ (the slope of the line) and x_3, y_3 as
below.
λ = (y_2 − y_1)/(x_2 − x_1),
x_3 = λ^2 − x_1 − x_2, y_3 = λ(x_1 − x_3) − y_1.
2. If P and Q are the same point, R = P + P, then
λ = (3x_1^2 + a)/(2y_1),
x_3 = λ^2 − 2x_1, y_3 = λ(x_1 − x_3) − y_1.
3. If P and Q are additive inverses of each other, then R = P + Q = O,
where O is the additive identity of the group.
Theorem 10 Let P, Q, R be points on E. The addition operation makes
the points of the elliptic curve E into an abelian group with the following prop-
erties.
1. Closure: The addition operation between two points creates another
point on the curve.
2. Associativity: (P + Q) + R = P + (Q + R).
3. Commutativity: P + Q = Q + P.
4. Existence of identity: P + O = O + P = P.
5. Existence of inverse: P + (−P) = O.
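The three addition cases and Theorem 10, as an added Python example that is not the book's code: affine point addition over GF(p) with O represented as None, scalar multiplication by repeated addition, and an exhaustive check of the five group properties on a small curve. The curve y^2 = x^3 + 2x + 2 over GF(17) used in the test is a constructed toy instance with 19 points; all names are ours.

```python
# Added example, not the book's code: affine point addition on y^2 = x^3 + ax + b over GF(p)
# following the three cases above, scalar multiplication by repeated addition, and a brute-force
# check of the abelian-group properties of Theorem 10. The curve parameters used in the test
# (a = 2, b = 2, p = 17) are a constructed toy instance.
from itertools import product
from typing import List, Optional, Tuple

Point = Optional[Tuple[int, int]]   # None represents O, the point at infinity


class Curve:
    def __init__(self, a: int, b: int, p: int):
        if (4 * a ** 3 + 27 * b ** 2) % p == 0:
            raise ValueError("4a^3 + 27b^2 ≡ 0 (mod p): not an elliptic curve")
        self.a, self.b, self.p = a, b, p

    def on_curve(self, P: Point) -> bool:
        if P is None:
            return True
        x, y = P
        return (y * y - (x ** 3 + self.a * x + self.b)) % self.p == 0

    def neg(self, P: Point) -> Point:
        return None if P is None else (P[0], -P[1] % self.p)

    def add(self, P: Point, Q: Point) -> Point:
        p = self.p
        if P is None:
            return Q
        if Q is None:
            return P
        x1, y1 = P
        x2, y2 = Q
        if x1 == x2 and (y1 + y2) % p == 0:
            return None                 # case 3: Q = -P (also P = -P when y1 = 0)
        if P == Q:                      # case 2: tangent slope
            lam = (3 * x1 * x1 + self.a) * pow(2 * y1, -1, p) % p
        else:                           # case 1: chord slope
            lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
        x3 = (lam * lam - x1 - x2) % p
        y3 = (lam * (x1 - x3) - y1) % p
        return (x3, y3)

    def mul(self, k: int, P: Point) -> Point:
        """kP = P + ... + P (k times), computed by double-and-add."""
        R = None
        while k > 0:
            if k & 1:
                R = self.add(R, P)
            P = self.add(P, P)
            k >>= 1
        return R

    def points(self) -> List[Point]:
        """All points of E including O, by exhaustive search (small p only)."""
        return [None] + [(x, y) for x in range(self.p) for y in range(self.p)
                         if self.on_curve((x, y))]

    def order_of(self, P: Point) -> int:
        """Smallest k >= 1 with kP = O."""
        k, R = 1, P
        while R is not None:
            R = self.add(R, P)
            k += 1
        return k

    def is_abelian_group(self) -> bool:
        """Theorem 10 checked exhaustively: closure, commutativity, associativity, identity, inverse."""
        pts = self.points()
        for P, Q in product(pts, repeat=2):
            if not self.on_curve(self.add(P, Q)) or self.add(P, Q) != self.add(Q, P):
                return False
        for P, Q, R in product(pts, repeat=3):
            if self.add(self.add(P, Q), R) != self.add(P, self.add(Q, R)):
                return False
        return all(self.add(P, None) == P and self.add(P, self.neg(P)) is None for P in pts)
```

On the toy curve, P = (5, 1) gives 2P = (6, 3) by case 2 and 3P = (10, 6) by case 1, and 19P = O, so P generates the whole 19-point group.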
Elliptic Curve Over GF(2n )
The equation y^2 + xy = x^3 + ax^2 + b, where b ≠ 0, is used for GF(2^n). Note
that the values of x, y, a, and b are polynomials representing n-bit words.
Addition and multiplication on the elements are the same as addition and
multiplication on polynomials.
1. Finding the inverse If P = (x, y), then −P = (x, x + y).
2. Finding the points on the curve Using generators.
3. Adding two points Let P = (x_1, y_1) and Q = (x_2, y_2) be two
points on the curve. R = P + Q = (x_3, y_3) can be found as
(a) If Q ≠ P and Q ≠ −P, then
λ = (y_2 + y_1)/(x_2 + x_1),
x_3 = λ^2 + λ + x_1 + x_2 + a, y_3 = λ(x_1 + x_3) + x_3 + y_1.
(b) If Q = P, then R = 2P as
λ = (x_1 + y_1)/x_1,
x_3 = λ^2 + λ + a, y_3 = x_1^2 + (λ + 1)x_3.
4. Multiplying a point by a constant Multiplication with constant
k is defined as k-times repeated addition, kP = P + P + · · · + P .
9 Public-Key Encryption
CONTENTS
9.1 Discrete Logarithm and Its Related Assumptions 118
9.2 The Diffie-Hellman Key Exchange Protocol 120
9.3 Overview of Public-Key Encryption 122
9.3.1 Security Against CPA 124
9.3.2 Security Against CCA 127
9.3.3 Hybrid Encryption and the KEM/DEM Paradigm 128
9.4 Public-Key Encryption Schemes 129
9.4.1 The El Gamal Encryption 129
9.4.2 The Plain (aka Textbook) RSA Encryption 132
9.4.2.1 RSA Cryptosystem Based on Elliptic Curve 135
9.4.3 The Padded RSA Encryption 136
9.4.4 The CPA-Secure RSA Encryption Under the RSA Assumption in the Random Oracle Model 137
9.4.5 The CCA-Secure RSA Encryption Under the RSA Assumption in the Random Oracle Model 140
9.4.6 The RSA-OAEP Encryption 144
9.4.7 The Cramer-Shoup Encryption 145
9.4.8 The Paillier Encryption 155
Exercises 157
This chapter provides an overview of public-key cryptography. The chapter
starts with the discrete logarithm and its related assumptions. The next part
of the chapter provides the details of the Diffie-Hellman key exchange
protocol, since key exchange is important in public-key cryptosystems.
The public-key encryption scheme is then defined as a triple of probabilistic
polynomial-time algorithms for key generation, encryption, and decryption. A
comparison of private-key and public-key encryption is then presented. The next
section covers the security of public-key encryption schemes against CPA
and CCA. This is followed by hybrid encryption using the KEM/DEM
paradigm. The last part of the chapter introduces several public-key encryption
schemes, including the El Gamal encryption, the plain (aka textbook) RSA
encryption, the padded RSA encryption, the Cramer-Shoup encryption, and
the Paillier encryption scheme. The constructions, security proofs, and related
examples for each scheme are given as well.
9.1 Discrete Logarithm and Its Related Assumptions
We let G denote a generic, polynomial-time, group-generation algorithm. This
is an algorithm that, on input 1^n, outputs a description of a cyclic group
G, its order q (with ‖q‖ = n), and a generator g ∈ G. The description of a
cyclic group specifies how elements of the group are represented as bit-strings.
Let p be a prime of the form p = 2q + 1, where q is also a prime. Recall
that such a prime p is called a strong prime. The group Z∗p has a subgroup G
of order q. The group G is known as the group of quadratic residues modulo
p. Every element of G except for 1 is a generator of G.
We define the algorithm G as follows.
Algorithm G
1. Take 1n as input (where n is a security parameter).
2. Randomly choose an (n + 1)-bit prime p of the form p = 2q + 1,
where q is also a prime.
3. Let G denote the subgroup of Z∗p of order q.
4. Randomly choose a generator g of G.
5. Output (p, g).
Remark: This book considers a more general case in which G outputs a
polynomial-sized description of a cyclic group G of order q ≥ 2^{n−1}. For ex-
ample, suppose G chooses a prime p of the form p = 2q + 1, where q is also
a prime, and an element g ∈ Z_p^* of order q. Then the pair (p, g) would be a
polynomial-sized description of the group G. Since g is already included in
(p, g) and q can be derived from p, it suffices for G to just output (p, g).
If G is a cyclic group of order q with generator g, then G =
{g^0, g^1, ..., g^{q−1}}. Equivalently, for every h ∈ G, there is a unique x ∈ Z_q
such that g^x = h. We call this x the discrete logarithm of h with respect to g
and write x = log_g h. The discrete-logarithm problem in a cyclic group G with
a generator g is to compute x = log_g h when given a uniform element h ∈ G.
The discrete-logarithm experiment DLog_{A,G}(n)
1. Run G(1^n) to obtain (G, q, g), where G is a cyclic group of order q
(with ‖q‖ = n), and g is a generator of G.
2. Choose a uniform h ∈ G.
3. A is given G, q, g, h and outputs x ∈ Zq .
4. The output of the experiment is defined to be 1 if g x = h, and 0
otherwise.
Definition 1 We say that the discrete logarithm problem is hard rel-
ative to G if for all probabilistic polynomial-time algorithms A there exists a
negligible function negl such that
Pr[DLog_{A,G}(n) = 1] ≤ negl(n). (9.1)
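The group-generation algorithm G for safe primes and the experiment DLog_{A,G}(n), as an added Python example that is not the book's code. It finds small safe primes, builds the order-q subgroup of quadratic residues, checks that every element other than 1 generates it (as stated above), and runs the experiment against an exhaustive-search adversary A, which succeeds only because the constructed parameters are tiny. For a q of cryptographic size the same search would need about q steps, which is the point of Definition 1. All names and sizes are assumptions.

```python
# Added example, not the book's code: G for safe primes p = 2q + 1, the order-q subgroup of
# quadratic residues, and the DLog experiment run against an exhaustive-search adversary.
# Parameters are constructed toy sizes; names are ours.
import secrets
from typing import Callable, List, Set, Tuple


def is_prime(n: int) -> bool:
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True


def safe_primes(lo: int, hi: int) -> List[int]:
    """Primes p in [lo, hi) with (p - 1)/2 also prime."""
    return [p for p in range(lo, hi) if is_prime(p) and is_prime((p - 1) // 2)]


def quadratic_residues(p: int) -> Set[int]:
    """The subgroup G of Z_p^* of order q = (p - 1)/2: the squares of the units."""
    return {x * x % p for x in range(1, p)}


def element_order(g: int, p: int) -> int:
    k, x = 1, g % p
    while x != 1:
        x = x * g % p
        k += 1
    return k


def gen_group(p: int) -> Tuple[int, int, int]:
    """G(1^n) for a fixed safe prime p: outputs (p, q, g) with g a uniformly chosen generator
    of the quadratic-residue subgroup (every element of it except 1 is a generator)."""
    q = (p - 1) // 2
    candidates = sorted(quadratic_residues(p) - {1})
    return p, q, candidates[secrets.randbelow(len(candidates))]


def brute_force_dlog(g: int, h: int, p: int, q: int) -> int:
    """The adversary A: try x = 0, 1, 2, ... until g^x = h. Cost is up to q steps, so toy q only."""
    x, y = 0, 1
    while y != h:
        y = y * g % p
        x += 1
        if x >= q:
            raise ValueError("h is not in the subgroup generated by g")
    return x


def dlog_experiment(p: int, adversary: Callable[[int, int, int, int], int]) -> int:
    """DLog_{A,G}(n): uniform h in G, A outputs x, the experiment outputs 1 iff g^x = h."""
    p, q, g = gen_group(p)
    h = pow(g, secrets.randbelow(q), p)        # uniform in G since g generates G
    x = adversary(g, h, p, q)
    return 1 if pow(g, x, p) == h else 0
```

For p = 23 the subgroup has q = 11 elements and each of the ten non-identity elements has order 11; the experiment returns 1 whenever A returns the correct exponent.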
Fix a cyclic group G and a generator g ∈ G. Given elements h_1, h_2 ∈ G,
define DH_g(h_1, h_2) := g^{log_g h_1 · log_g h_2}. That is, if h_1 = g^{x_1} and h_2 = g^{x_2} then
DH_g(h_1, h_2) = g^{x_1 · x_2} = h_1^{x_2} = h_2^{x_1}. (9.2)
The CDH (computational Diffie-Hellman) problem is to compute DHg (h1 , h2 )
for uniform h1 and h2 .
The DDH (decisional Diffie-Hellman) problem, roughly speaking, is to dis-
tinguish DHg (h1 , h2 ) from a uniform group element when h1 , h2 are uniform.
That is, given uniform h1 , h2 , and a third group element h0 , the problem is to
decide whether h0 = DHg (h1 , h2 ) or whether h0 was chosen uniformly from G.
It is formally defined as follows.
Definition 2 We say that the DDH problem is hard relative to G if for
all probabilistic polynomial-time algorithms A there exists a negligible function
negl such that
|Pr[A(G, q, g, g^x, g^y, g^z) = 1] − Pr[A(G, q, g, g^x, g^y, g^{xy}) = 1]| ≤ negl(n), (9.3)
where in each case the probabilities are taken over the experiment in which
G(1^n) outputs (G, q, g) and then uniform x, y, z ∈ Z_q are chosen (Note that
when z is uniform in Z_q, then g^z is uniformly distributed in G).
9.2 The Diffie-Hellman Key Exchange Protocol
Intuitively, a key-exchange protocol is secure if the key output by two commu-
nicating parties, Alice and Bob, is completely unguessable by an eavesdrop-
ping adversary. This is formally defined by requiring that an adversary who
has eavesdropped on an execution of the protocol should be unable to dis-
tinguish the key k generated by that execution from a uniform key of length
n (This is much stronger than simply requiring that the adversary should
be unable to compute k exactly, and this stronger notion is necessary if the
parties will subsequently use k for some cryptographic application, e.g., as
a key for a private-key encryption scheme). Formalizing the above, let Π be
a key-exchange protocol, A an adversary, and n the security parameter. We
have the following experiment.
The key-exchange experiment KE^eav_{A,Π}(n)
1. Two parties holding 1^n execute protocol Π. This execution results in
a transcript trans containing all the messages sent by the parties,
and a key k output by each of the parties.
2. A uniform bit b ∈ {0, 1} is chosen. If b = 0, set k̂ = k, and if b = 1,
then choose k̂ ∈ {0, 1}^n uniformly at random.
3. A is given trans and k̂, and outputs a bit b′.
4. The output of the experiment is defined to be 1 if b = b′, and 0
otherwise. In case KE^eav_{A,Π}(n) = 1, we say that A succeeds.
In the real world, A would not be given any key; in the experiment the ad-
versary is given k̂ only as a means of defining what it means for A to “break”
the security of Π. The adversary succeeds in “breaking” Π if it can correctly
determine whether the key k̂ is the real key corresponding to the given execu-
tion of the protocol, or a uniform key that is independent of the transcript. As
expected, we say Π is secure if the adversary succeeds with probability that
is at most negligibly greater than 1/2. That is:
Definition 3 A key-exchange protocol Π is secure in the presence of an
eavesdropper if for all probabilistic polynomial-time adversaries A there is
a negligible function negl such that
Pr[KE^eav_{A,Π}(n) = 1] ≤ 1/2 + negl(n). (9.4)
The Diffie-Hellman key-exchange protocol Let G be a polynomial-time
algorithm that, on input 1^n, outputs a (description of a) cyclic group G, its or-
der q (with ‖q‖ = n), and a generator g ∈ G. The Diffie-Hellman key-exchange
protocol is described formally as Construction 1 and illustrated in Figure 9.1.
Construction 1. The Diffie-Hellman key-exchange protocol
1. Input The security parameter 1^n
2. The protocol
(a) Alice runs G(1^n) to obtain (G, q, g).
(b) Alice chooses a uniform x ∈ Z_q, and computes h_A = g^x.
(c) Alice sends (G, q, g, h_A) to Bob.
(d) Bob receives (G, q, g, h_A). He chooses a uniform y ∈ Z_q, and
computes h_B = g^y. Bob sends h_B to Alice and outputs the key
k_B = h_A^y.
(e) Alice receives h_B and outputs the key k_A = h_B^x.
Let K̂E^eav_{A,Π}(n) denote a modified experiment where if b = 1 the adversary
is given k̂ chosen uniformly from G instead of a uniform n-bit string.
Theorem 1 If the decisional Diffie-Hellman problem is hard relative to G,
then the Diffie-Hellman key-exchange protocol Π is secure in the presence of
an eavesdropper (with respect to the modified experiment K̂E^eav_{A,Π}).
Proof is omitted.
Proof is omitted.
Uniform group elements vs. uniform bit-strings The previous theo-
rem shows that the key output by Alice and Bob in the Diffie-Hellman pro-
tocol is indistinguishable from a uniform group element. In order to use the
key to meet Definition 3, the key output by the parties should instead be
indistinguishable from a uniform bit-string of the appropriate length. The
Diffie–Hellman protocol can be modified to achieve this by having the par-
ties apply an appropriate key-derivation function (cf. hash functions) to the
shared group element g^{xy} they each compute.
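Construction 1 together with the key-derivation step just described, as an added Python example that is not the book's code. The parties exchange h_A and h_B over the quadratic-residue subgroup of a safe prime, each checks that the value it receives lies in that order-q subgroup before using it (a defensive check the construction itself does not spell out), and the shared element g^{xy} is passed through an HMAC-SHA256 extract-and-expand step standing in for the "appropriate key-derivation function" of the remark. The toy prime p = 23, the salt and label strings, and all names are constructed assumptions.

```python
# Added example, not the book's code: Construction 1 over the order-q subgroup of Z_p^* for a
# safe prime p, plus the key-derivation step. The toy prime p = 23 (q = 11), the KDF salt and
# all names are constructed assumptions; HMAC-SHA256 comes from the standard library.
import hashlib
import hmac
import secrets
from typing import Tuple


def dh_params(p: int) -> Tuple[int, int, int]:
    """(G, q, g) for a safe prime p: q = (p - 1)/2, and g = 2^2 = 4 lies in the quadratic-residue
    subgroup; being different from 1 (for p > 3) it generates that subgroup."""
    return p, (p - 1) // 2, 4 % p


def in_subgroup(h: int, p: int, q: int) -> bool:
    """Defensive check on a received value: 1 < h < p and h^q ≡ 1 (mod p)."""
    return 1 < h < p and pow(h, q, p) == 1


def alice_send(p: int, q: int, g: int) -> Tuple[int, int]:
    """Step (b): x uniform in {1, ..., q-1} (the degenerate x = 0 excluded in practice), h_A = g^x."""
    x = 1 + secrets.randbelow(q - 1)
    return x, pow(g, x, p)


def bob_reply(p: int, q: int, g: int, h_A: int) -> Tuple[int, int]:
    """Step (d): y uniform, h_B = g^y sent back, k_B = h_A^y kept."""
    if not in_subgroup(h_A, p, q):
        raise ValueError("h_A is not a valid group element")
    y = 1 + secrets.randbelow(q - 1)
    return pow(g, y, p), pow(h_A, y, p)


def alice_finish(p: int, q: int, x: int, h_B: int) -> int:
    """Step (e): k_A = h_B^x."""
    if not in_subgroup(h_B, p, q):
        raise ValueError("h_B is not a valid group element")
    return pow(h_B, x, p)


def kdf(shared: int, p: int, length: int = 32) -> bytes:
    """Map the group element g^xy to a uniform-looking key: fixed-width encoding, then an
    extract-and-expand step with HMAC-SHA256 (constructed salt and info label)."""
    width = (p.bit_length() + 7) // 8
    prk = hmac.new(b"constructed-salt", shared.to_bytes(width, "big"), hashlib.sha256).digest()
    return hmac.new(prk, b"dh-session-key\x01", hashlib.sha256).digest()[:length]


def run_exchange(p: int) -> Tuple[int, int, bytes, bytes]:
    """Whole protocol run: returns (k_A, k_B, KDF(k_A), KDF(k_B))."""
    p, q, g = dh_params(p)
    x, h_A = alice_send(p, q, g)
    h_B, k_B = bob_reply(p, q, g, h_A)
    k_A = alice_finish(p, q, x, h_B)
    return k_A, k_B, kdf(k_A, p), kdf(k_B, p)
```

The subgroup check rejects 1, p − 1 and every quadratic nonresidue, which keeps the shared element inside the order-q group for which Theorem 1 is stated.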
Active adversaries The Diffie-Hellman protocol is completely insecure
against man-in-the-middle attacks. In fact, a man-in-the-middle adversary
can act in such a way that Alice and Bob terminate the protocol with differ-
ent keys K1 and K2 that are both known to the adversary, yet neither Alice
nor Bob can detect that any attack was carried out as shown in Figure 9.2.
The adversary Eve intercepts Alice's public value R1 = g^x mod p, generates
her own public value R2 = g^z mod p and sends it to Alice and Bob. When
Bob sends his public value R3 = g^y mod p to Alice, Eve intercepts it. As a
result, Alice and Eve agree on one shared key K1 , and Bob and Eve agree
on the other shared key K2 . After that, Eve can decrypt, read and modify
the messages communicated between Alice and Bob. This vulnerability occurs
because the Diffie-Hellman protocol does not authenticate the participants.
FIGURE 9.1
The Diffie-Hellman key-exchange protocol.
Diffie-Hellman key exchange in practice The Diffie-Hellman protocol
serves as the first demonstration that asymmetric techniques could be used
to alleviate the problems of key distribution in cryptography. Furthermore, to
make the Diffie-Hellman protocol resilient to man-in-the-middle attacks, we
adopt the station-to-station protocol which is in wide use today (e.g., SSL).
Figure 9.3 describes the station-to-station protocol step by step. First of all,
Alice generates her public value R1 = g^x mod p and transmits it to Bob. Bob
then generates his public value R2 = g^y mod p and then computes the shared
secret key K = (R1)^y mod p. Bob now concatenates Alice, R1 and R2, signs
it with his private key, and encrypts the signature¹ with K; he sends this
ciphertext along with R2 and his certificate to Alice. Alice then computes the
shared secret key K = (R2)^x mod p and verifies Bob's signature. Alice then
concatenates Bob, R1 and R2, signs it with her private key, encrypts the sig-
nature using K, and transmits it to Bob. Bob then verifies Alice's signature.
Alice and Bob are now mutually authenticated and have a shared secret K.
¹ Details of signatures will be explained later.
FIGURE 9.2
The man-in-the-middle attack.
FIGURE 9.3
The station-to-station key agreement protocol.
9.3 Overview of Public-Key Encryption
Definition 4 A public-key encryption scheme is a triple of probabilistic
polynomial-time algorithms (Gen, Enc, Dec) such that
1. The key-generation algorithm Gen takes as input the security
parameter 1^n and outputs a pair of keys (pk, sk). We refer to the
first of these as the public key and the second as the private key. We
assume for convenience that pk and sk each has length at least n,
and that n can be determined from pk and sk.
2. The encryption algorithm Enc takes as input a public key pk and
a message m from some message space (that may depend on pk).
It outputs a ciphertext c and we write this as c ← Enc_pk(m) (Look-
ing ahead, Enc will need to be probabilistic to achieve meaningful
security).
3. The deterministic decryption algorithm Dec takes as input a pri-
vate key sk and a ciphertext c, and outputs a message m or a special
symbol ⊥ denoting failure. We write this as m = Dec_sk(c).
It is required that, except possibly with negligible probability over (pk, sk) out-
put by Gen(1^n), we have Dec_sk(Enc_pk(m)) = m for any (legal) message m.
In private-key encryption, encryption operates on bit strings. In public-key
encryption, however, we usually encode strings as group elements (that is,
integers; for example, elements of Z_p in El Gamal or of Z_N in RSA) and encrypt
those. This encoding must be both efficiently computable and reversible. Gen-
erally, we can encode strings of length n − 1 as elements of Z_N (where N is
an n-bit integer) in the natural way, by interpreting any such string as an
integer strictly less than N. The comparison of public-key and private-key
encryption is given in Table 9.1.
TABLE 9.1
Comparison of private-key and public-key encryption.
Private-Key Encryption            Public-Key Encryption
the same key used for enc/dec     two different keys used for enc/dec, respectively
fast speed                        slow speed
simple computations               heavy computations
no encoding problems              encoding problems involved
9.3.1 Security Against CPA
Given a public-key encryption scheme Π = (Gen,Enc,Dec) and an adversary
A, consider the following experiment.
The eavesdropping indistinguishability experiment PubK^eav_{A,Π}(n)
1. Gen(1^n) is run to obtain keys (pk, sk).
2. Adversary A is given pk, and outputs a pair of equal-length messages
m_0, m_1 in the message space.
3. A uniform bit b ∈ {0, 1} is chosen, and then a ciphertext c ←
Enc_pk(m_b) is computed and given to A. We call c the challenge
ciphertext.
4. A outputs a bit b′. The output of the experiment is 1 if b′ = b, and
0 otherwise. If b′ = b, we say that A succeeds.
Definition 5 A public-key encryption scheme Π = (Gen, Enc, Dec) has in-
distinguishable encryptions in the presence of an eavesdropper if for
all probabilistic polynomial-time adversaries A there is a negligible function
negl such that
Pr[PubK^eav_{A,Π}(n) = 1] ≤ 1/2 + negl(n). (9.5)
The main difference between the public-key and private-key encryptions is
that A in the public-key encryptions is given the public key pk. Furthermore,
we allow A to choose its messages m0 and m1 based on this public key.
Proposition 1 If a public-key encryption scheme has indistinguishable en-
cryptions in the presence of an eavesdropper, it is CPA-secure.
Proof is omitted.
This is in contrast to the private-key setting, where there exist schemes
that have indistinguishable encryptions in the presence of an eavesdropper
but are insecure under a chosen-plaintext attack.
Theorem 2 No deterministic public-key encryption scheme is CPA-secure.
Proof is omitted.
For encrypting multiple messages, we could formulate security in such a set-
ting by having an adversary output two lists of plaintexts. However, we choose
instead to use a definition in which the attacker is given access to an LR ora-
cle (a "left-or-right" oracle LR_{pk,b} that, on input a pair of equal-length messages m_0,
m_1, computes the ciphertext c ← Enc_pk(m_b) and returns c), because instead of
outputting the lists (m_{0,1}, ..., m_{0,t}) and (m_{1,1}, ..., m_{1,t}), one of whose messages
will be encrypted, the attacker can now sequentially query LR_{pk,b}(m_{0,1}, m_{1,1}),
· · · , LR_{pk,b}(m_{0,t}, m_{1,t}).
Formally, consider the following experiment defined for a public-key en-
cryption scheme Π = (Gen, Enc, Dec) and adversary A.
The LR-oracle experiment PubK^{LR-cpa}_{A,Π}(n)
1. Gen(1^n) is run to obtain keys (pk, sk).
2. A uniform bit b ∈ {0, 1} is chosen.
3. The adversary A is given input pk and oracle access to LR_{pk,b}(·, ·).
4. The adversary A outputs a bit b′.
5. The output of the experiment is 1 if b′ = b, and 0 otherwise. If
PubK^{LR-cpa}_{A,Π}(n) = 1, we say that A succeeds.
Definition 6 A public-key encryption scheme Π = (Gen, Enc, Dec) has indis-
tinguishable multiple encryptions if for all probabilistic polynomial-time
adversaries A there exists a negligible function negl such that
Pr[PubK^{LR-cpa}_{A,Π}(n) = 1] ≤ 1/2 + negl(n). (9.6)
Theorem 3 If public-key encryption scheme Π is CPA-secure, then it also
has indistinguishable multiple encryptions.
Proof is omitted.
Theorem 4 If a fixed-length public-key encryption scheme Π is CPA-secure,
then the arbitrary-length public-key encryption scheme Π′ constructed as be-
low is also CPA-secure.
Proof is omitted.
For simplicity, say Π = (Gen, Enc, Dec) is an encryption scheme for single-
bit messages. We can construct a new scheme Π′ = (Gen′, Enc′, Dec′) for
arbitrary-length messages quite easily, by defining, for any message m of length
l, Enc′_pk(m) = Enc_pk(m_1) ‖ · · · ‖ Enc_pk(m_l), where m_i denotes the i-th bit of
m. Decryption is done in the natural way.
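The experiment PubK^eav_{A,Π}(n) of Definition 5 as a runnable harness with a pluggable scheme and adversary, added here as a Python example that is not the book's code. The deterministic toy scheme it is run against is textbook RSA with constructed tiny parameters (the book treats textbook RSA only in Section 9.4.2); because its Enc uses no randomness, an adversary that simply re-encrypts m_0 under pk and compares with the challenge ciphertext succeeds in every run, which is the content of Theorem 2, while a guessing adversary stays near 1/2. Names are ours.

```python
# Added example, not the book's code: the experiment PubK^eav_{A,Π}(n) as a harness with a
# pluggable scheme (Gen, Enc) and adversary. The deterministic toy scheme is textbook RSA with
# constructed tiny parameters (p = 61, q = 53, e = 17); it is here only to illustrate Theorem 2.
import secrets
from typing import Callable, Tuple

Key = Tuple[int, int]


def toy_gen() -> Tuple[Key, Key]:
    """Gen: fixed toy key (N = 3233, e = 17, d = 2753). Enc below is deterministic."""
    n, e, d = 61 * 53, 17, 2753
    return (n, e), (n, d)


def toy_enc(pk: Key, m: int) -> int:
    n, e = pk
    return pow(m, e, n)      # no randomness: equal messages give equal ciphertexts


def toy_dec(sk: Key, c: int) -> int:
    n, d = sk
    return pow(c, d, n)


class Adversary:
    """An A for the experiment: choose(pk) returns (m0, m1); guess(pk, c) returns b'."""
    def choose(self, pk: Key) -> Tuple[int, int]:
        return 42, 99

    def guess(self, pk: Key, c: int) -> int:
        return secrets.randbits(1)   # random guess: succeeds with probability 1/2


class ReEncryptAdversary(Adversary):
    """Against a deterministic Enc: recompute Enc_pk(m0) and compare with the challenge."""
    def __init__(self, enc: Callable[[Key, int], int]):
        self.enc = enc

    def guess(self, pk: Key, c: int) -> int:
        m0, _ = self.choose(pk)
        return 0 if c == self.enc(pk, m0) else 1


def pubk_eav_experiment(gen, enc, adv: Adversary) -> int:
    """One run: 1 if A's bit b' equals the challenge bit b, else 0."""
    pk, sk = gen()
    m0, m1 = adv.choose(pk)
    b = secrets.randbits(1)
    c = enc(pk, m0 if b == 0 else m1)
    return 1 if adv.guess(pk, c) == b else 0


def success_rate(gen, enc, adv: Adversary, trials: int = 400) -> float:
    """Empirical Pr[PubK^eav_{A,Π}(n) = 1] over repeated independent runs."""
    return sum(pubk_eav_experiment(gen, enc, adv) for _ in range(trials)) / trials
```

The harness is scheme-agnostic: plugging in a probabilistic Enc (such as the El Gamal encryption of Section 9.4.1) makes the re-encryption strategy useless, since a fresh encryption of m_0 will not equal the challenge.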
9.3.2 Security Against CCA
Assume an eavesdropper A observes a ciphertext c sent by a sender S to a
receiver R. Broadly speaking, in the public-key setting there are two classes
of chosen-ciphertext attacks.
1. A might send a modified ciphertext c′ to R on behalf of S. In this case, although it is unlikely that A would be able to obtain the entire decryption m′ of c′, it might be possible for A to infer some information about m′ based on the subsequent behavior of R. Based on this information, A might be able to learn something about the original message m. (Scenario: Say a user S logs in to her bank account by sending to her bank an encryption of her password pw concatenated with a timestamp. Assume further that there are two types of error messages the bank sends: it returns "password incorrect" if the encrypted password does not match the stored password of S, and "timestamp incorrect" if the password is correct but the timestamp is not. If an adversary obtains a ciphertext c sent by S to the bank, the adversary can now mount a chosen-ciphertext attack by sending ciphertexts c′ to the bank on behalf of S and observing the error messages that result.)
2. A might send a modified ciphertext c′ to R in its own name. This class is specific to the context of public-key encryption. In this case, A might obtain the entire decryption m′ of c′ if R responds directly to A. (Scenario: Say S sends an encrypted email c to R, and this email is observed by A. If A sends, in its own name, an encrypted email c′ to R, then R might reply to this email and quote the decrypted text m′ corresponding to c′. In this case, R is essentially acting as a decryption oracle for A and might potentially decrypt any ciphertext that A sends.) Even if A learns nothing about m′, this modified message may have a known relation to the original message m that can be exploited by A. (Scenario: Let an encryption scheme be malleable. For example, suppose that given an encryption of m, it is possible for A to construct an encryption of 2m. Now imagine that R is running an auction, where two parties S and A submit their bids by encrypting them using the public key of R. It may be possible for an adversary A to always place the highest bid (without bidding the maximum) by carrying out the following attack: wait until S sends a ciphertext c corresponding to its bid m (that is unknown to A); then send a ciphertext c′ corresponding to the bid m′ = 2m. Note that m (and m′, for that matter) remains unknown to A until R announces the results.)
128 9 Public-Key Encryption
Given a public-key encryption scheme Π and an adversary A, consider the following experiment.
The CCA indistinguishability experiment $\mathsf{PubK}^{\mathrm{cca}}_{A,\Pi}(n)$
1. $\mathsf{Gen}(1^n)$ is run to obtain keys $(pk, sk)$.
2. The adversary A is given $pk$ and access to a decryption oracle $\mathsf{Dec}_{sk}(\cdot)$. It outputs a pair of messages $m_0, m_1$ of the same length (these messages must be in the message space associated with $pk$).
3. A uniform bit $b \in \{0, 1\}$ is chosen, and then a ciphertext $c \leftarrow \mathsf{Enc}_{pk}(m_b)$ is computed and given to A.
4. A continues to interact with the decryption oracle, but may not request a decryption of $c$ itself. Finally, A outputs a bit $b'$.
5. The output of the experiment is defined to be 1 if $b' = b$, and 0 otherwise.
Definition 7 A public-key encryption scheme Π = (Gen, Enc, Dec) has indistinguishable encryptions under a chosen-ciphertext attack (or is CCA-secure) if for all probabilistic polynomial-time adversaries A there exists a negligible function negl such that
$$\Pr[\mathsf{PubK}^{\mathrm{cca}}_{A,\Pi}(n) = 1] \le \tfrac{1}{2} + \mathrm{negl}(n). \qquad (9.7)$$
If a scheme has indistinguishable encryptions under a chosen-ciphertext
attack, then it has indistinguishable multiple encryptions under a chosen ci-
phertext attack. Interestingly, however, the analogue of Theorem 4 does not
hold for CCA-security.
9.3.3 Hybrid Encryption and the KEM/DEM Paradigm
It is possible to use private-key encryption in tandem with public-key encryption. This improves efficiency, because private-key encryption is significantly faster than public-key encryption; improves bandwidth, because private-key schemes have lower ciphertext expansion; and removes the limit on plaintext size that a public-key scheme imposes (for instance, plain RSA can only encrypt a single integer $m < N$; anything larger is reduced modulo $N$ and cannot be recovered). The resulting combination is called hybrid encryption and is used extensively in practice.
The basic idea is to use public-key encryption to obtain a shared key $k$, and then encrypt the message $m$ using a private-key encryption scheme with key $k$. The receiver uses its long-term (asymmetric) private key to recover $k$, and then uses private-key decryption with key $k$ to recover the original message.
A more direct approach to hybrid encryption is to use a public-key primi-
tive called a key-encapsulation mechanism (KEM) to accomplish both of these
“in one shot.”
A KEM has three algorithms similar in spirit to those of a public-key
encryption scheme. As before, the key-generation algorithm Gen is used to
generate a pair of public and private keys. In place of encryption, we now
have an encapsulation algorithm Encaps that takes only a public key as input
(and no message), and outputs a ciphertext c along with a key k. A corre-
sponding decapsulation algorithm Decaps is run by the receiver to recover k
from the ciphertext c using the private key. Formally:
Construction 2. Hybrid encryption using the KEM/DEM paradigm
Let Π = (Gen, Encaps, Decaps) be a KEM with key length $n$, and Π′ = (Gen′, Enc′, Dec′) be a private-key encryption scheme. Construct a public-key encryption scheme $\Pi^{hy} = (\mathsf{Gen}^{hy}, \mathsf{Enc}^{hy}, \mathsf{Dec}^{hy})$ as follows.
1. $\mathsf{Gen}^{hy}$: on input $1^n$, run $\mathsf{Gen}(1^n)$ and use the public and private keys $(pk, sk)$ that are output.
2. $\mathsf{Enc}^{hy}$: on input a public key $pk$ and a message $m \in \{0,1\}^*$ do
(a) Compute $(c, k) \leftarrow \mathsf{Encaps}_{pk}(1^n)$.
(b) Compute $c' \leftarrow \mathsf{Enc}'_k(m)$.
(c) Output the ciphertext $\langle c, c' \rangle$.
3. $\mathsf{Dec}^{hy}$: on input a private key $sk$ and a ciphertext $\langle c, c' \rangle$ do
(a) Compute $k = \mathsf{Decaps}_{sk}(c)$.
(b) Output the message $m = \mathsf{Dec}'_k(c')$.
9.4 Public-Key Encryption Schemes
This section introduces several public-key encryption schemes and discusses their security.
9.4.1 The El Gamal Encryption
Let G be a polynomial-time algorithm that takes as input 1n and (except pos-
sibly with negligible probability) outputs a description of a cyclic group G, its
order q (with ||q|| = n), and a generator g.
Construction 3. The El Gamal encryption scheme
Let $\mathcal{G}$ be defined as above. Define a public-key encryption scheme as follows.
1. Gen: on input $1^n$, run $\mathcal{G}(1^n)$ to obtain $(\mathbb{G}, q, g)$. Then choose a uniform $x \in \mathbb{Z}_q$ and compute $h = g^x$. The public key is $\langle \mathbb{G}, q, g, h \rangle$ and the private key is $\langle \mathbb{G}, q, g, x \rangle$. The message space is $\mathbb{G}$.
2. Enc: on input a public key $pk = \langle \mathbb{G}, q, g, h \rangle$ and a message $m \in \mathbb{G}$, choose a uniform $y \in \mathbb{Z}_q$ and output the ciphertext
$$\langle g^y,\; h^y \cdot m \rangle.$$
3. Dec: on input a private key $sk = \langle \mathbb{G}, q, g, x \rangle$ and a ciphertext $\langle c_1, c_2 \rangle$, output
$$\hat{m} = c_2 / c_1^{x}.$$
Example of El Gamal encryption on a group
1. Public Parameter Creation
Let $p = 23$ and $g = 2$, and work in $\mathbb{Z}_{23}^* = \{1, 2, \ldots, 22\}$ (zero is excluded, since it has no inverse).
2. Key Creation
Let $x = 5$; then $h = 2^5 \bmod 23 = 9$.
3. Encryption
Let the plaintext be $m = 7$ and the ephemeral exponent $y = 3$.
Calculate $C_1 = 2^3 \bmod 23 = 8$ and $C_2 = (7 \times 9^3) \bmod 23 = 20$.
$(8, 20)$ is sent to Alice.
4. Decryption
$m = (20 \times (8^5)^{-1}) \bmod 23$. Using the multiplicative inverse $a^{-1} \bmod p = a^{p-2} \bmod p$ and fast exponentiation, Alice computes the plaintext $m = (20 \times (8^5)^{21}) \bmod 23 = 7$.
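The computation above, and the auction attack of Section 9.3.2 run against the same scheme, as an added Python example (not code from the book). It reproduces the page's numbers (p = 23, g = 2, x = 5, m = 7, y = 3) and then turns the ciphertext of an unknown bid m into a ciphertext of 2m without ever learning m. The function names and the explicit ephemeral-exponent argument y are this example's own; p = 23 is a toy modulus with no security.

```python
# El Gamal over the multiplicative group Z_p^*, with the page's toy parameters
# (p = 23, g = 2). Toy parameters only: p = 23 provides no security.

def elgamal_keygen(p, g, x):
    """Public key (p, g, h = g^x mod p); private key x."""
    return (p, g, pow(g, x, p)), x

def elgamal_encrypt(pk, m, y):
    """Ciphertext (g^y, h^y * m). y is the sender's ephemeral exponent
    (a real sender draws it uniformly at random for every message)."""
    p, g, h = pk
    return pow(g, y, p), (pow(h, y, p) * m) % p

def elgamal_decrypt(pk, x, ct):
    """m = c2 / c1^x, with the inverse computed as a^(p-2) mod p as the page does."""
    p, _, _ = pk
    c1, c2 = ct
    shared = pow(c1, x, p)
    return (c2 * pow(shared, p - 2, p)) % p

def elgamal_malleate(pk, ct, factor):
    """Without knowing m, turn Enc(m) into Enc(factor * m): c1 (and hence the
    shared secret h^y) is left untouched, only c2 is scaled."""
    p, _, _ = pk
    c1, c2 = ct
    return c1, (c2 * factor) % p

def page_example():
    """The book's numbers: h = 9, ciphertext (8, 20), plaintext 7."""
    pk, x = elgamal_keygen(23, 2, 5)
    ct = elgamal_encrypt(pk, 7, 3)
    return pk, x, ct, elgamal_decrypt(pk, x, ct)

def auction_attack():
    """The adversary of Section 9.3.2 doubles an unknown bid m; the auctioneer
    (holder of x) decrypts the forged ciphertext to 2m."""
    pk, x, ct, _ = page_example()
    forged = elgamal_malleate(pk, ct, 2)
    return elgamal_decrypt(pk, x, forged)

if __name__ == "__main__":
    pk, x, ct, m = page_example()
    print("public key", pk, "ciphertext", ct, "decrypts to", m)
    print("forged ciphertext decrypts to", auction_attack())
```

The forged ciphertext is (8, 40 mod 23) = (8, 17), which the legitimate key decrypts to 14 = 2 · 7. Nothing about the forgery required the private key, which is exactly what the CCA experiment of Section 9.3.2 lets an adversary exploit.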
ElGamal encryption on an elliptic curve
1. Public Parameter Creation. Let $p$ be a prime, $E$ an elliptic curve over $\mathbb{F}_p$, and $P \in E$ a point.
2. Key Creation. Alice chooses a private key $n_A$, then computes and publishes $Q_A = n_A P$.
3. Encryption. For a plaintext point $M \in E$, Bob chooses an ephemeral key $k$ and computes the two quantities
$$C_1 = kP \quad \text{and} \quad C_2 = M + kQ_A \qquad (9.8)$$
and then sends $C_1$ and $C_2$ to Alice.
4. Decryption. Alice computes $P' = C_2 - n_A C_1 = M + kQ_A - n_A kP = M$.
Note that the operations (point addition and scalar multiplication) are over the elliptic curve; this is the El Gamal scheme above written additively, with $h^y \cdot m$ replaced by $M + kQ_A$.
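The elliptic-curve variant above, worked in Python as an added example (not code from the book). The curve y² = x³ + 1 over F_23 and the point-arithmetic helpers are this example's own choices; because 23 ≡ 2 (mod 3), Lemma 2 of Section 9.4.2.1 says the curve has 24 points and is cyclic, and the code verifies this by brute-force enumeration instead of assuming it. The curve is far too small to give any security.

```python
# Elliptic-curve El Gamal over the constructed toy curve y^2 = x^3 + 1 over F_23.
# Real deployments use a standard curve with a ~256-bit prime-order base point.
P_MOD, A_COEF, B_COEF = 23, 0, 1
O = None  # the point at infinity (group identity)

def ec_add(P, Q):
    """Chord-and-tangent addition on y^2 = x^3 + A*x + B over F_p."""
    if P is O:
        return Q
    if Q is O:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return O                       # P + (-P) = O; also doubling a 2-torsion point
    if P == Q:
        lam = (3 * x1 * x1 + A_COEF) * pow(2 * y1, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD)
    lam %= P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return x3, (lam * (x1 - x3) - y1) % P_MOD

def ec_neg(P):
    return O if P is O else (P[0], (-P[1]) % P_MOD)

def ec_mul(k, P):
    """Double-and-add scalar multiplication k*P."""
    R = O
    while k:
        if k & 1:
            R = ec_add(R, P)
        P = ec_add(P, P)
        k >>= 1
    return R

def curve_points():
    """Every point of the curve, found by brute force (fine for p = 23)."""
    pts = [O]
    for x in range(P_MOD):
        for y in range(P_MOD):
            if (y * y - (x ** 3 + A_COEF * x + B_COEF)) % P_MOD == 0:
                pts.append((x, y))
    return pts

def point_order(P):
    k, R = 1, P
    while R is not O:
        R = ec_add(R, P)
        k += 1
    return k

def find_base_point(pts):
    """A point whose order equals the group order, i.e. a generator of the cyclic group."""
    for Q in pts[1:]:
        if point_order(Q) == len(pts):
            return Q
    raise ValueError("group is not cyclic")

# --- the scheme itself ---------------------------------------------------------
def ecelgamal_keygen(base, n_A):
    return ec_mul(n_A, base)                                 # Q_A = n_A * P

def ecelgamal_encrypt(base, Q_A, M, k):
    return ec_mul(k, base), ec_add(M, ec_mul(k, Q_A))        # (C1, C2) = (kP, M + kQ_A)

def ecelgamal_decrypt(n_A, C1, C2):
    return ec_add(C2, ec_neg(ec_mul(n_A, C1)))               # C2 - n_A*C1 = M

def roundtrip_all(n_A=7, k=5):
    """Encrypt and decrypt every point of the curve (including O); True if all recover."""
    pts = curve_points()
    base = find_base_point(pts)
    Q_A = ecelgamal_keygen(base, n_A)
    return all(ecelgamal_decrypt(n_A, *ecelgamal_encrypt(base, Q_A, M, k)) == M
               for M in pts)
```

Encoding a byte string as a point M is a separate problem that the scheme leaves open; in practice the additive El Gamal structure is used only to transport a key (compare the KEM/DEM paradigm of Section 9.3.3), and, like its multiplicative counterpart, it is malleable: adding a known point T to C2 yields an encryption of M + T.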
Theorem 5 If the DDH problem is hard relative to $\mathcal{G}$, then the El Gamal encryption scheme is CPA-secure.
Proof Assume that the DDH assumption is true for $\mathcal{G}$. Recall that the DDH challenger works as follows: runs $\mathcal{G}(1^n)$ to generate $(p, g)$; chooses $x, y, z \in \mathbb{Z}_q$ uniformly at random, where $q = (p-1)/2$; chooses $d \in \{0, 1\}$ uniformly at random; sets $T = g^{xy}$ if $d = 0$ and $T = g^{z}$ if $d = 1$; and finally gives $(p, g, g^x, g^y, T)$ to the attacker.
Let Π = (Gen, Enc, Dec) be the El Gamal encryption scheme. Let A be a polynomial-time algorithm attacking Π. Let $\varepsilon$ denote the advantage of A in the IND-CPA security game against Π. We construct an algorithm B for solving the DDH problem as follows.
Reduction algorithm B
1. Receive $(p, g, g^x, g^y, T)$ from the DDH challenger (note that B knows neither $x$ nor $y$).
2. Let $q = (p-1)/2$ and let $n$ be the length of $q$ in bits.
3. Let $pk = (p, g, g^x)$.
4. Give $1^n$ and $pk$ to A.
5. Receive messages $m_0$ and $m_1$ from A.
6. Choose $b \in \{0, 1\}$ uniformly at random.
7. Let $c^* = (g^y, T \cdot m_b)$ and give $c^*$ to A.
8. Let $b'$ denote the guess output by A.
9. If $b = b'$, then set $d' = 0$. If $b \ne b'$, then set $d' = 1$.
10. Output $d'$.
Algorithm B runs in polynomial time, because A runs in polynomial time and because operations in $\mathbb{Z}_p^*$ can be performed in polynomial time. The probability that B wins the DDH security game is
$$\begin{aligned}
\Pr[d = d'] &= \Pr[d = 0]\,\Pr[d = d' \mid d = 0] + \Pr[d = 1]\,\Pr[d = d' \mid d = 1] \\
&= \tfrac{1}{2}\Pr[d' = 0 \mid d = 0] + \tfrac{1}{2}\Pr[d' = 1 \mid d = 1] \\
&= \tfrac{1}{2}\Pr[b = b' \mid d = 0] + \tfrac{1}{2}\Pr[b \ne b' \mid d = 1]. \qquad (9.9)
\end{aligned}$$
When $d = 0$, the DDH challenger sets $T = g^{xy}$, so the view that B presents to A is identical to the actual IND-CPA security game against Π. Therefore, the probability that $b = b'$ given $d = 0$ is the same as the probability that A wins the IND-CPA security game against Π; in other words,
$$\Pr[b = b' \mid d = 0] = \tfrac{1}{2} + \varepsilon. \qquad (9.10)$$
When $d = 1$, the DDH challenger sets $T = g^{z}$. Recall that $\mathbb{G}$ denotes the subgroup of $\mathbb{Z}_p^*$ of order $q$. Since $z$ is uniformly distributed in $\mathbb{Z}_q$, it follows that $g^{z} m_b$ is uniformly distributed in the group $\mathbb{G}$, independently of $g$, $m_0$, $m_1$, and $b$. Moreover, the random variables $g, g^x, g^y, g^{z} m_b$, and $b$ are jointly independent. Hence, $pk$ and $c^*$ reveal no information about $b$, so the guess $b'$ output by A must be independent of $b$. Since $b$ is either 0 or 1, each with probability $\tfrac{1}{2}$, it follows that
$$\Pr[b \ne b' \mid d = 1] = \tfrac{1}{2}. \qquad (9.11)$$
It follows from Equations (9.9), (9.10), and (9.11) that
$$\Pr[d = d'] = \tfrac{1}{2}\left(\tfrac{1}{2} + \varepsilon\right) + \tfrac{1}{2} \cdot \tfrac{1}{2} = \tfrac{1}{2} + \tfrac{\varepsilon}{2}.$$
Thus, B wins the DDH security game with advantage $\varepsilon/2$. By the DDH assumption, algorithm B can win the DDH security game with only negligible advantage, so $\varepsilon/2$ must be negligible. This implies that $\varepsilon$ is also negligible. Therefore, the algorithm A has only negligible advantage in the IND-CPA game against Π (see Figure 9.4). □
Note that El Gamal encryption is not CCA-secure, because it is malleable: given a ciphertext $\langle c_1, c_2 \rangle$ encrypting $m$, anyone can form $\langle c_1, g' \cdot c_2 \rangle$, which is a valid encryption of $g' \cdot m$ for any group element $g'$ of their choosing (this is exactly the auction attack of Section 9.3.2), and a single decryption query on that ciphertext reveals $m$.
FIGURE 9.4
Security proof of El Gamal encryption.
9.4.2 The Plain (aka Textbook) RSA Encryption
RSA key generation GenRSA
Input: Security parameter $1^n$
Output: $N, e, d$ as described below
$(N, p, q) \leftarrow \mathsf{GenModulus}(1^n)$, where $N = pq$ for two large primes $p$ and $q$
$\phi(N) = (p-1)(q-1)$
choose $e > 1$ such that $\gcd(e, \phi(N)) = 1$
compute $d = [e^{-1} \bmod \phi(N)]$
return $N, e, d$
Construction 4. The plain RSA encryption scheme
Let GenRSA be as in Chapter 8. Define a public-key encryption scheme as follows.
1. Gen: on input $1^n$, run $\mathsf{GenRSA}(1^n)$ to obtain $N$, $e$, and $d$. The public key is $\langle N, e \rangle$ and the private key is $\langle N, d \rangle$.
2. Enc: on input a public key $pk = \langle N, e \rangle$ and a message $m \in \mathbb{Z}_N^*$, compute the ciphertext
$$c = [m^e \bmod N].$$
3. Dec: on input a private key $sk = \langle N, d \rangle$ and a ciphertext $c \in \mathbb{Z}_N^*$, compute the message
$$m = [c^d \bmod N].$$
In RSA, encryption and decryption are computations modulo $N$. Zero is always encrypted to zero (and one to one), so such a ciphertext can be recognized trivially without knowledge of the private key. Hence it is safer to exclude zero from the plaintext space, and the multiplicative group $\langle \mathbb{Z}_N^*, \times \rangle$ is normally used. The exponents $e$ and $d$ are inverses of each other in the multiplicative group $\langle \mathbb{Z}_{\phi(N)}^*, \times \rangle$.
Example
1. Key Generation
Let $p = 7$ and $q = 11$. Then $N = p \times q = 7 \times 11 = 77$ and $\phi(N) = (p-1)(q-1) = 60$.
Select $e = 13$ ($e$ is coprime to $\phi(N)$); then $d = e^{-1} \bmod \phi(N) = 13^{-1} \bmod 60 = 37$.
Publish $(77, 13)$ as the public key.
2. Encryption
Plaintext $m = 5$.
Calculate $c = 5^{13} \bmod 77 = 26$.
3. Decryption
Calculate $m' = 26^{37} \bmod 77 = 5 = m$.
The RSA problem is to find $x$ such that $x^e = y \bmod N$ when given $(N, e, y)$, where $e$ is relatively prime to $\phi(N)$ and $y \in \mathbb{Z}_N^*$.
Consider the following experiment for a given algorithm A and parameter $n$.
The RSA experiment $\mathsf{RSA\text{-}inv}_{A,\mathsf{GenRSA}}(n)$
1. Run $\mathsf{GenRSA}(1^n)$ to obtain $(N, e, d)$.
2. Choose a uniform $y \leftarrow \mathbb{Z}_N^*$.
3. A is given $(N, e, y)$ (but not $d$) and outputs $x \in \mathbb{Z}_N^*$.
4. The output of the experiment is defined to be 1 if $x^e = y \bmod N$, and 0 otherwise.
Definition 8 We say that the RSA problem is hard relative to GenRSA if for all probabilistic polynomial-time algorithms A there exists a negligible function negl such that
$$\Pr[\mathsf{RSA\text{-}inv}_{A,\mathsf{GenRSA}}(n) = 1] \le \mathrm{negl}(n). \qquad (9.12)$$
The RSA assumption means that there exists a GenRSA relative to which the RSA problem is hard.
9.4.2.1 RSA Cryptosystem Based on Elliptic Curve
It is well known that the RSA cryptosystem based on elliptic curves offers little benefit compared to the original RSA cryptosystem.
1. Key Generation
Select two primes $p$ and $q$ and compute $n = p \times q$.
Select an elliptic curve $E_n(a, b): y^2 = x^3 + ax + b$ with $a, b$ satisfying $4a^3 + 27b^2 \ne 0$ and $\gcd(4a^3 + 27b^2, n) = 1$.
Compute $\#E_p(a, b)$ and $\#E_q(a, b)$, where $\#E_p(a, b)$ denotes the number of points on $E_p(a, b)$.
Calculate $N_n = \mathrm{lcm}[\#E_p(a, b), \#E_q(a, b)]$, where lcm denotes the least common multiple.
Select $e$ such that $1 \le e \le N_n$ and $e$ is coprime to $N_n$.
Compute $d = e^{-1} \pmod{N_n}$ as the private key.
Publish $(n, e)$ as the public key.
2. Encryption
Let $P = (x, y)$ be a point on the elliptic curve (which corresponds to a plaintext).
Calculate $C = e \times P$.
3. Decryption
Calculate $P' = d \times C = d \times e \times P = P$.
It is well known (Hasse's theorem) that
$$\#E_p(a, b) = p + 1 + t \quad \text{where } |t| \le 2\sqrt{p},$$
$$\#E_q(a, b) = q + 1 + t' \quad \text{where } |t'| \le 2\sqrt{q}.$$
Lemma 1 Let $E_n(a, b)$ be an elliptic curve such that $\gcd(4a^3 + 27b^2, n) = 1$ and $n = pq$ ($p, q$ prime). Let $N_n$ be $\mathrm{lcm}[\#E_p(a, b), \#E_q(a, b)]$. Then, for any $P \in E_n(a, b)$ and any integer $k$,
$$(k \cdot N_n + 1) \cdot P = P. \qquad (9.13)$$
Lemma 2 Let $p$ be an odd prime satisfying $p \equiv 2 \bmod 3$. Then for $0 < b < p$, $E_p(0, b)$ is a cyclic group of order
$$\#E_p(0, b) = p + 1. \qquad (9.14)$$
Lemma 3 Let $p$ be a prime satisfying $p \equiv 3 \bmod 4$. Then for $0 < a < p$, we have
$$\#E_p(a, 0) = p + 1. \qquad (9.15)$$
Example
1. Key Generation
Select $a = 0$, $b = 1$, giving the elliptic curve $y^2 = x^3 + 1$.
Select two primes $p = 2$ and $q = 5$.
Compute $n = p \times q = 10$, $\#E_2(0, 1) = 2 + 1 = 3$, and $\#E_5(0, 1) = 5 + 1 = 6$.
Calculate $N_n = \mathrm{lcm}(3, 6) = 6$.
Select $e = 5$.
Compute $d = e^{-1} \pmod 6 = 5$ as the private key.
Publish $(n, e) = (10, 5)$ as the public key.
2. Encryption
Let $P = (2, 3)$ be a point on the curve (which corresponds to a plaintext).
Calculate $C = e \times P = 5 \times (2, 3) = (2, 3) + \cdots + (2, 3)$.
Return $C = (2, -3)$.
3. Decryption
Calculate $P' = d \times C = 5 \times (2, -3) = (2, 3) = P$.
9.4.3 The Padded RSA Encryption
For the above RSA scheme to be CPA-secure, the mapping from messages to elements of $\mathbb{Z}_N^*$ must be randomized so that encryption is not deterministic (with a deterministic scheme, anyone holding the public key can test a guessed plaintext against a ciphertext by simply encrypting the guess).
One simple implementation of this idea is to randomize the plaintext message before encrypting. That is, to map a message $m$ (viewed as a bit-string) to an element of $\mathbb{Z}_N^*$, the sender chooses a uniform bit-string $r \in \{0,1\}^{\ell}$ (for some appropriate $\ell$) and sets $\hat{m} = r \| m$; the resulting value can naturally be interpreted as an integer in $\mathbb{Z}_N^*$, and this mapping is clearly reversible. This idea was standardized as RSA Laboratories' Public-Key Cryptography Standard (PKCS) #1 version 1.5 in 1993 [59], whose padding is vulnerable to a chosen-ciphertext attack [17].
Construction 5. The Padded RSA encryption scheme
Let GenRSA be as before, and let $\ell$ be a function with $\ell(n) \le 2n - 4$ for all $n$. Define a public-key encryption scheme as follows.
1. Gen: on input $1^n$, run $\mathsf{GenRSA}(1^n)$ to obtain $(N, e, d)$. Output the public key $pk = \langle N, e \rangle$ and the private key $sk = \langle N, d \rangle$.
2. Enc: on input a public key $pk = \langle N, e \rangle$ and a message $m \in \{0,1\}^{\|N\| - \ell(n) - 2}$, choose a uniform string $r \in \{0,1\}^{\ell(n)}$ and interpret $\hat{m} = r \| m$ as an element of $\mathbb{Z}_N^*$. Output the ciphertext
$$c = [\hat{m}^e \bmod N].$$
3. Dec: on input a private key $sk = \langle N, d \rangle$ and a ciphertext $c \in \mathbb{Z}_N^*$, compute
$$\hat{m} = [c^d \bmod N]$$
and output the $\|N\| - \ell(n) - 2$ least-significant bits of $\hat{m}$.
Theorem 6 If the RSA problem is hard relative to GenRSA, then the Padded RSA encryption with $\ell(n) = O(\log n)$ is CPA-secure.
Proof is omitted.
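The worked example of Section 9.4.2 and Construction 5, carried out in Python as an added example (not code from the book). It reproduces the page's numbers (p = 7, q = 11, e = 13, d = 37, and 5 → 26 → 5), then shows two consequences of plain RSA being deterministic and multiplicative that motivate the padding, and finally implements Construction 5 with the same N = 77 (‖N‖ = 7 bits, ℓ = 2, hence 3-bit messages) so that the same plaintext now produces different ciphertexts. The function names and the explicit `r` argument are this example's own; Python 3.8+ is assumed for `pow(e, -1, phi)`.

```python
import math
import secrets

# --- GenRSA with the primes supplied, and plain RSA (Construction 4) -----------
def rsa_keygen_from_primes(p, q, e):
    N, phi = p * q, (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(N)")
    return (N, e), (N, pow(e, -1, phi))          # pk = <N, e>, sk = <N, d>

def rsa_encrypt(pk, m):
    N, e = pk
    if not 0 <= m < N:
        raise ValueError("plaintext must be an integer in Z_N")
    return pow(m, e, N)

def rsa_decrypt(sk, c):
    N, d = sk
    return pow(c, d, N)

def page_example():
    """The book's numbers: (77, 13), (77, 37), c = 26, m = 5."""
    pk, sk = rsa_keygen_from_primes(7, 11, 13)
    c = rsa_encrypt(pk, 5)
    return pk, sk, c, rsa_decrypt(sk, c)

def recover_by_trial_encryption(pk, c):
    """Plain RSA is deterministic: whoever holds pk can encrypt every candidate
    plaintext and compare. Feasible whenever the message space is small
    (here all of Z_77; for real keys think 'yes'/'no', PINs, or a short enum)."""
    N, _ = pk
    for m in range(N):
        if rsa_encrypt(pk, m) == c:
            return m
    return None

def multiply_ciphertexts(pk, c1, c2):
    """Enc(m1) * Enc(m2) mod N = Enc(m1 * m2 mod N): plain RSA is malleable,
    the same property the auction attack of Section 9.3.2 exploits."""
    N, _ = pk
    return (c1 * c2) % N

# --- Construction 5: padded RSA, m_hat = r || m -------------------------------
def padded_rsa_encrypt(pk, m, ell, r=None):
    N, e = pk
    m_bits = N.bit_length() - ell - 2            # message has ||N|| - l(n) - 2 bits
    if not 0 <= m < (1 << m_bits):
        raise ValueError("message too long for this N and ell")
    if r is None:
        r = secrets.randbelow(1 << ell)          # uniform r in {0,1}^ell
    m_hat = (r << m_bits) | m                    # at most ||N||-2 bits, so m_hat < N
    return pow(m_hat, e, N)

def padded_rsa_decrypt(sk, c, ell):
    N, d = sk
    m_bits = N.bit_length() - ell - 2
    return pow(c, d, N) & ((1 << m_bits) - 1)    # the m_bits least-significant bits
```

With ℓ = 2 and N = 77 the plaintext 5 becomes m̂ = 13 (r = 1) or m̂ = 21 (r = 2), giving ciphertexts 41 and 21 respectively, both of which decrypt to 5; trial encryption no longer works because the attacker would also have to guess r. Note that Theorem 6 only covers ℓ(n) = O(log n), i.e. a number of random bits an attacker could in principle enumerate, which is why the constructions that follow use a hash of the randomness instead.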
9.4.4 The CPA-Secure RSA Encryption Under the RSA Assumption in the Random Oracle Model
Construction 6. CPA-secure RSA encryption in the random oracle model
Let GenRSA be as before, and let $\ell(n)$ be an arbitrary polynomial. Let $H$ be a function whose domain can be set to $\mathbb{Z}_N^*$ for any $N$, and whose range can be set to $\{0,1\}^{\ell(n)}$ for any $n$. Construct a public-key encryption scheme as follows.
1. Gen: on input $1^n$, run $\mathsf{GenRSA}(1^n)$ to obtain $\langle N, e, d \rangle$. The public key is $\langle N, e \rangle$ and the private key is $\langle N, d \rangle$.
2. Enc: on input a public key $\langle N, e \rangle$ and a message $m \in \{0,1\}^{\ell(n)}$, choose a uniform $r \leftarrow \mathbb{Z}_N^*$ and output the ciphertext
$$\langle [r^e \bmod N],\; H(r) \oplus m \rangle.$$
3. Dec: on input a private key $\langle N, d \rangle$ and a ciphertext $\langle c_1, c_2 \rangle$, compute $r = [c_1^{d} \bmod N]$, and then output the message $H(r) \oplus c_2$.
Theorem 7 If the RSA problem is hard relative to GenRSA and H is modeled
as a random oracle, then Construction 6 is CPA-secure.
Proof
Outline of the Proof The proof is based on the “proof by reduction” in
the random oracle model. Since r is chosen at random, it is infeasible for an
eavesdropping adversary to recover r from c1 = [re mod N ]. The adversary
will therefore never query r to the random oracle, and so the value H(r) is
completely random from the adversary’s point of view. But then c2 is just
a “one-time pad”-like encryption of m using the random value H(r), so the
adversary gets no information about m.
Let Π denote the above construction. We prove that Π has indistinguish-
able encryptions in the presence of an eavesdropper, which implies that Π is
CPA-secure.
Let A be a probabilistic polynomial-time adversary and define $\varepsilon(n) \stackrel{\mathrm{def}}{=} \Pr[\mathsf{PubK}^{\mathrm{eav}}_{A,\Pi}(n) = 1]$. We describe the steps of experiment $\mathsf{PubK}^{\mathrm{eav}}_{A,\Pi}(n)$ as follows.
The eavesdropping indistinguishability experiment $\mathsf{PubK}^{\mathrm{eav}}_{A,\Pi}(n)$ in the ROM
1. A random function $H$ is chosen.
2. $\mathsf{GenRSA}(1^n)$ is run to generate $(N, e, d)$. Adversary A is given $pk = \langle N, e \rangle$, and may query $H(\cdot)$. Eventually A outputs two messages $m_0, m_1 \in \{0,1\}^{\ell(n)}$.
3. A random bit $b \in \{0, 1\}$ and a random $r \leftarrow \mathbb{Z}_N^*$ are chosen. A is given the ciphertext $\langle [r^e \bmod N], H(r) \oplus m_b \rangle$. The adversary may continue to query $H(\cdot)$.
4. A outputs a bit $b'$. The output of the experiment is defined to be 1 if $b' = b$ and 0 otherwise.
Let Query denote the event that A queries $r$ to the random oracle $H$. We also use Success as shorthand for the event that $\mathsf{PubK}^{\mathrm{eav}}_{A,\Pi}(n) = 1$. Then
$$\begin{aligned}
\Pr[\mathrm{Success}] &= \Pr[\mathrm{Success} \wedge \mathrm{Query}] + \Pr[\mathrm{Success} \wedge \overline{\mathrm{Query}}] \\
&\le \Pr[\mathrm{Success} \wedge \overline{\mathrm{Query}}] + \Pr[\mathrm{Query}],
\end{aligned}$$
where all probabilities are taken over the randomness used in the experiment $\mathsf{PubK}^{\mathrm{eav}}_{A,\Pi}(n)$. We show that $\Pr[\mathrm{Success} \wedge \overline{\mathrm{Query}}] \le \tfrac{1}{2}$ and that $\Pr[\mathrm{Query}]$ is negligible.
$$\begin{aligned}
\Pr[\mathrm{Success} \wedge \overline{\mathrm{Query}}] &= \Pr[\mathrm{Success} \mid \overline{\mathrm{Query}}] \cdot \Pr[\overline{\mathrm{Query}}] \\
&\le \Pr[\mathrm{Success} \mid \overline{\mathrm{Query}}] \\
&= \tfrac{1}{2},
\end{aligned}$$
because, if A does not explicitly query $r$ to the oracle, then $H(r)$ is completely random from A's point of view, so A has no information as to whether $m_0$ or $m_1$ was encrypted.
Now it remains to show that if the RSA problem is hard relative to GenRSA
and H is modeled as a random oracle, then P r[Query] is negligible.
Assume there exists a probabilistic polynomial-time adversary A in the
random oracle model that breaks the IND-EAV security of the scheme. We
construct B as follows to defeat the RSA challenge using A.
Reduction algorithm B
1. B accepts an RSA challenge $(N, e, \hat{c}_1)$.
2. B chooses a random $\hat{k} \leftarrow \{0,1\}^{\ell(n)}$. (B implicitly sets $H(\hat{r}) = \hat{k}$, where $\hat{r} \stackrel{\mathrm{def}}{=} [\hat{c}_1^{1/e} \bmod N]$. Note, however, that B does not know $\hat{r}$.)
3. B starts A on input the public key $pk = \langle N, e \rangle$ and prepares a table, initially empty.
4. When A makes a query $x$ to the random oracle $H$, B answers it as follows.
(a) If there is an entry $(x, k)$ in the table, B returns $k$ to A.
(b) If $x^e = \hat{c}_1 \bmod N$, B returns $\hat{k}$ and stores $(x, \hat{k})$ in the table. B also outputs $x$ as the answer to the RSA challenge and quits.
(c) Otherwise, B chooses a random $k \leftarrow \{0,1\}^{\ell(n)}$, returns $k$, and stores $(x, k)$ in the table.
5. At some point, A outputs messages $m_0, m_1 \in \{0,1\}^{\ell(n)}$.
6. B chooses $b \leftarrow \{0, 1\}$, sets $c_2 = \hat{k} \oplus m_b$, and gives $\langle \hat{c}_1, c_2 \rangle$ to A. B continues to answer A's oracle queries as in Step 4.
Say the input to B is generated by running $\mathsf{GenRSA}(1^n)$ to obtain $(N, e, d)$ and then choosing $\hat{c}_1 \leftarrow \mathbb{Z}_N^*$ at random (see Definition 8). Then the view of A when run as a subroutine by B is distributed identically to the view of A in experiment $\mathsf{PubK}^{\mathrm{eav}}_{A,\Pi}(n)$ (in each case $\langle N, e \rangle$ is generated the same way; $\hat{c}_1$ is equal to $[r^e \bmod N]$ for a uniformly chosen $r \leftarrow \mathbb{Z}_N^*$; and the random oracle queries of A are answered with random strings). Thus, the probability of event Query remains unchanged. Furthermore, B correctly solves the RSA instance whenever Query occurs. That is,
$$\Pr[\mathsf{RSA\text{-}inv}_{B,\mathsf{GenRSA}}(n) = 1] = \Pr[\mathrm{Query}]. \qquad (9.16)$$
Since the RSA problem is hard relative to GenRSA, it must be the case that $\Pr[\mathrm{Query}]$ is negligible by Definition 8. □
9.4.5 The CCA-Secure RSA Encryption Under the RSA Assumption in the Random Oracle Model
Construction 7. CCA-secure RSA encryption in the random oracle model
Let GenRSA be as usual and let $\ell(n)$ be an arbitrary polynomial. Let Π′ = (Gen′, Enc′, Dec′) be a private-key encryption scheme for messages of length $\ell(n)$ with keys of length $n$. Let $H$ be a function whose domain can be set to $\mathbb{Z}_N^*$ for any $N$, and whose range can be set to $\{0,1\}^{n}$ (the key space of Π′) for any $n$. Construct a public-key encryption scheme as follows.
1. Gen: on input $1^n$, run $\mathsf{GenRSA}(1^n)$ to obtain $\langle N, e, d \rangle$. The public key is $\langle N, e \rangle$ and the private key is $\langle N, d \rangle$.
2. Enc: on input a public key $\langle N, e \rangle$ and a message $m \in \{0,1\}^{\ell(n)}$, choose a uniform $r \leftarrow \mathbb{Z}_N^*$, compute $k = H(r)$, and output the ciphertext
$$\langle [r^e \bmod N],\; \mathsf{Enc}'_k(m) \rangle.$$
3. Dec: on input a private key $\langle N, d \rangle$ and a ciphertext $\langle c_1, c_2 \rangle$, compute $r = [c_1^{d} \bmod N]$, set $k = H(r)$, and then output the message $\mathsf{Dec}'_k(c_2)$.
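Constructions 2, 6 and 7 together, as an added Python example that is not code from the book. The KEM is the RSA-based one that Constructions 6 and 7 share (c = r^e mod N, k = H(r)), and Construction 2 plugs two different DEMs into it. With a one-time pad as the DEM the result is exactly Construction 6: flipping a bit of c₂ flips the same bit of the recovered plaintext, the malleability that makes it CPA- but not CCA-secure. With an encrypt-then-MAC private-key scheme as Π′ the result is Construction 7, and the same tampering is rejected. Assumptions of this example: H is instantiated with SHAKE-256, Π′ with a SHAKE-256 keystream plus HMAC-SHA256 (any CCA-secure private-key scheme would do), and the modulus is a constructed 92-bit toy built from two Mersenne primes.

```python
import hashlib
import hmac
import math
import secrets

# Constructed toy RSA modulus from two Mersenne primes (about 92 bits). It makes
# the example run instantly and gives no security whatsoever.
P_TOY, Q_TOY, E_PUB = 2**31 - 1, 2**61 - 1, 65537

def rsa_keygen(p=P_TOY, q=Q_TOY, e=E_PUB):
    N, phi = p * q, (p - 1) * (q - 1)
    return (N, e), (N, pow(e, -1, phi))

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def H(r, N, out_len):
    """Random-oracle stand-in H: Z_N^* -> {0,1}^l, here SHAKE-256 of a fixed-width encoding of r."""
    return hashlib.shake_256(r.to_bytes((N.bit_length() + 7) // 8, "big")).digest(out_len)

# --- KEM (Encaps / Decaps): c = r^e mod N, k = H(r) ------------------------------
def kem_encaps(pk, key_len):
    N, e = pk
    while True:
        r = secrets.randbelow(N - 2) + 2           # uniform in [2, N-1]
        if math.gcd(r, N) == 1:                    # r in Z_N^*
            return pow(r, e, N), H(r, N, key_len)

def kem_decaps(sk, c, key_len):
    N, d = sk
    return H(pow(c, d, N), N, key_len)

# --- DEM 1: one-time pad with the encapsulated key (this gives Construction 6) ---
def otp_encrypt(k, m):
    return xor(k, m)

def otp_decrypt(k, c):
    return xor(k, c)

# --- DEM 2: a CCA-secure private-key scheme, encrypt-then-MAC (for Construction 7)
DEM_KEY_LEN = 32   # 16 bytes drive the keystream, 16 bytes key the MAC

def etm_encrypt(k, m):
    k_enc, k_mac = k[:16], k[16:]
    body = xor(hashlib.shake_256(k_enc).digest(len(m)), m)   # k is used once, so no nonce needed
    return body + hmac.new(k_mac, body, hashlib.sha256).digest()

def etm_decrypt(k, c):
    if len(c) < 32:
        return None
    k_enc, k_mac = k[:16], k[16:]
    body, tag = c[:-32], c[-32:]
    if not hmac.compare_digest(hmac.new(k_mac, body, hashlib.sha256).digest(), tag):
        return None                                            # the page's ⊥
    return xor(hashlib.shake_256(k_enc).digest(len(body)), body)

# --- Construction 2: Enc_hy = <Encaps, Enc'_k(m)>, Dec_hy = Dec'_{Decaps(c)}(c') --
def hybrid_encrypt(pk, m, dem_enc, key_len):
    c, k = kem_encaps(pk, key_len)
    return c, dem_enc(k, m)

def hybrid_decrypt(sk, ct, dem_dec, key_len):
    c, c_prime = ct
    return dem_dec(kem_decaps(sk, c, key_len), c_prime)

def cpa_encrypt(pk, m):            # Construction 6: <r^e mod N, H(r) xor m>
    return hybrid_encrypt(pk, m, otp_encrypt, len(m))

def cpa_decrypt(sk, ct):
    return hybrid_decrypt(sk, ct, otp_decrypt, len(ct[1]))

def cca_encrypt(pk, m):            # Construction 7: <r^e mod N, Enc'_{H(r)}(m)>
    return hybrid_encrypt(pk, m, etm_encrypt, DEM_KEY_LEN)

def cca_decrypt(sk, ct):
    return hybrid_decrypt(sk, ct, etm_decrypt, DEM_KEY_LEN)

def flip_first_bit(ct):
    """Chosen-ciphertext tampering: flip the top bit of the first byte of c'."""
    c, c_prime = ct
    return c, bytes([c_prime[0] ^ 0x80]) + c_prime[1:]
```

Against Construction 6 the tampered ciphertext decrypts to the original message with one bit flipped, so a decryption oracle (or the error-message oracle of Section 9.3.2) leaks the plaintext bit by bit; against Construction 7 it decrypts to ⊥ because the MAC covers c′. The RSA component is identical in both cases, which is the point of Theorem 8: CCA security comes from Π′, the KEM only has to be one-way.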
Theorem 8 If the RSA problem is hard relative to GenRSA, the private-
key encryption scheme Π0 has indistinguishable encryptions under a chosen-
ciphertext attack and H is modeled as a random oracle, then Construction 7
is CCA-secure.
Proof
Let Π denote the above construction. Let A be a probabilistic polynomial-time adversary and define $\varepsilon(n) \stackrel{\mathrm{def}}{=} \Pr[\mathsf{PubK}^{\mathrm{cca}}_{A,\Pi}(n) = 1]$. We describe the steps of experiment $\mathsf{PubK}^{\mathrm{cca}}_{A,\Pi}(n)$ as follows.
The CCA indistinguishability experiment $\mathsf{PubK}^{\mathrm{cca}}_{A,\Pi}(n)$ in the ROM
1. A random function $H$ is chosen.
2. $\mathsf{GenRSA}(1^n)$ is run to generate $(N, e, d)$. Adversary A is given $pk = \langle N, e \rangle$, and may query $H(\cdot)$ and the decryption oracle $\mathsf{Dec}_{\langle N, d \rangle}(\cdot)$. Eventually A outputs two messages $m_0, m_1 \in \{0,1\}^{\ell(n)}$.
3. A random bit $b \in \{0, 1\}$ and a random $r \leftarrow \mathbb{Z}_N^*$ are chosen. A is given the ciphertext $\langle [r^e \bmod N], \mathsf{Enc}'_{H(r)}(m_b) \rangle$. The adversary may continue to query $H(\cdot)$ and the decryption oracle (but not on the challenge ciphertext itself).
4. A outputs a bit $b'$. The output of the experiment is defined to be 1 if $b' = b$, and 0 otherwise.
Let Query denote the event that A queries $r$ to the random oracle $H$. We also use Success as shorthand for the event that $\mathsf{PubK}^{\mathrm{cca}}_{A,\Pi}(n) = 1$. Then
$$\begin{aligned}
\Pr[\mathrm{Success}] &= \Pr[\mathrm{Success} \wedge \mathrm{Query}] + \Pr[\mathrm{Success} \wedge \overline{\mathrm{Query}}] \\
&\le \Pr[\mathrm{Success} \wedge \overline{\mathrm{Query}}] + \Pr[\mathrm{Query}],
\end{aligned}$$
where all probabilities are taken over the randomness used in the experiment $\mathsf{PubK}^{\mathrm{cca}}_{A,\Pi}(n)$. We show that $\Pr[\mathrm{Success} \wedge \overline{\mathrm{Query}}] \le \tfrac{1}{2} + \mathrm{negl}(n)$ and that $\Pr[\mathrm{Query}]$ is negligible.
For the first claim: If the private-key encryption scheme Π′ has indistinguishable encryptions under a chosen-ciphertext attack and $H$ is modeled as a random oracle, then there exists a negligible function negl such that
$$\Pr[\mathrm{Success} \wedge \overline{\mathrm{Query}}] \le \tfrac{1}{2} + \mathrm{negl}(n). \qquad (9.17)$$
Consider the following adversary A′ carrying out a chosen-ciphertext attack on Π′. A′ has access to an encryption oracle $\mathsf{Enc}'_k(\cdot)$ and a decryption oracle $\mathsf{Dec}'_k(\cdot)$ for an unknown key $k$.
1. Run $\mathsf{GenRSA}(1^n)$ to compute $(N, e, d)$. Choose $\bar{r} \leftarrow \mathbb{Z}_N^*$ and set $\bar{c}_1 = [\bar{r}^e \bmod N]$ (A′ is implicitly setting $H(\bar{r}) = k$).
2. Run A on input $pk = \langle N, e \rangle$. Pairs of strings $(\cdot, \cdot)$ are stored in a table, initially empty. When A makes a query $\langle c_1, c_2 \rangle$ to its decryption oracle, answer it as follows.
(a) If $c_1 = \bar{c}_1$, then A′ queries $c_2$ to its own decryption oracle and returns the result $\mathsf{Dec}'_k(c_2)$ to A.
(b) If $c_1 \ne \bar{c}_1$, then compute $r = [c_1^{d} \bmod N]$. Then compute $k = H(r)$ using the procedure discussed below. Return the result $\mathsf{Dec}'_k(c_2)$ to A.
$k = H(r)$ is computed as follows.
(a) If there is an entry $(r, k)$ in the table, return $k$.
(b) Otherwise, choose a random $k \leftarrow \{0,1\}^{n}$, return it, and store $(r, k)$ in the table.
(Random-oracle queries made directly by A are answered from the same table. A′ cannot answer a query on $\bar{r}$ consistently with the unknown $k$, but that query is exactly the event Query.)
3. At some point, A outputs $m_0, m_1 \in \{0,1\}^{\ell(n)}$. Adversary A′ outputs these same messages, and is given in return a ciphertext $c_2$. Then A′ gives the ciphertext $\langle \bar{c}_1, c_2 \rangle$ to A, and continues to answer the oracle queries of A as before.
4. When A outputs its guess $b'$, this value is output by A′.
Let $\Pr'[\cdot]$ refer to the probability of an event in the experiment $\mathsf{PrivK}^{\mathrm{cca}}_{A',\Pi'}(n)$. We define Query and Success as above. As long as Query does not occur, every oracle query of A, including decryption queries of the form $\langle \bar{c}_1, c_2 \rangle$, is answered identically in $\mathsf{PubK}^{\mathrm{cca}}_{A,\Pi}(n)$ and in the simulation inside $\mathsf{PrivK}^{\mathrm{cca}}_{A',\Pi'}(n)$, and A′ succeeds exactly when A does. Therefore, we have
$$\Pr[\mathrm{Success} \wedge \overline{\mathrm{Query}}] = \Pr'[\mathrm{Success} \wedge \overline{\mathrm{Query}}] \le \Pr'[\mathrm{Success}]. \qquad (9.18)$$
Since Π′ has indistinguishable encryptions under a chosen-ciphertext attack,
$$\Pr'[\mathrm{Success}] \le \tfrac{1}{2} + \mathrm{negl}(n). \qquad (9.19)$$
Therefore, we conclude that
$$\Pr[\mathrm{Success} \wedge \overline{\mathrm{Query}}] \le \tfrac{1}{2} + \mathrm{negl}(n). \qquad (9.20)$$
For the next claim: If the RSA problem is hard relative to GenRSA and $H$ is modeled as a random oracle, then $\Pr[\mathrm{Query}]$ is negligible.
Intuitively, $\Pr[\mathrm{Query}]$ is negligible for the same reason as in the proof of CPA-secure RSA in Theorem 7. In the formal proof, however, additional difficulties arise due to the fact that the decryption queries of A must somehow be answered without knowledge of the private (decryption) key. Fortunately, the random oracle model enables a solution: to decrypt a ciphertext $\langle c_1, c_2 \rangle$ (where no prior decryption query was made using the same initial component $c_1$), we generate a random key $k$ and return the message $\mathsf{Dec}'_k(c_2)$. Since honest decryption would use $k = H(r)$ for $r = [c_1^{1/e} \bmod N]$, the reduction must keep this choice of $k$ consistent with both prior and later queries of A to the random oracle (in case $r$ is ever queried to the random oracle in the future). A simple data structure handles both cases: maintain a table storing all the random oracle queries and answers as in the proof of Theorem 7 (and as in the proof of the previous claim), except that now the table contains triples rather than pairs. Two types of entries appear in the table.
1. The first type of entry has the form $(r, c_1, k)$ with $c_1 = [r^e \bmod N]$. This entry means that we have defined $H(r) = k$.
2. The second type of entry has the form $(\cdot, c_1, k)$, which means that $H$ has been defined to equal $k$ at the value $r \stackrel{\mathrm{def}}{=} [c_1^{1/e} \bmod N]$, but $r$ itself is not yet known. If A ever makes the random oracle query $H(r)$, we will return the correct answer $k$, because we check the table for any entry having $[r^e \bmod N]$ as its second component.
We now implement the above ideas as the following algorithm A′, which is given $(N, e, \bar{c}_1)$ as input (an RSA challenge as in Definition 8).
1. Choose a random $k \leftarrow \{0,1\}^{n}$. Triples $(\cdot, \cdot, \cdot)$ are stored in a table that initially contains only $(\cdot, \bar{c}_1, k)$. When A makes a query $\langle c_1, c_2 \rangle$ to its decryption oracle, answer it as follows.
(a) If there is an entry in the table whose second component is $c_1$ (either $(r, c_1, k')$ or $(\cdot, c_1, k')$), let $k'$ be the third component of this entry and return $\mathsf{Dec}'_{k'}(c_2)$.
(b) Otherwise, choose $k' \leftarrow \{0,1\}^{n}$, return $\mathsf{Dec}'_{k'}(c_2)$ to A, and store $(\cdot, c_1, k')$ in the table.
When A makes a query $r$ to the random oracle, compute $c_1 = [r^e \bmod N]$ and answer the query as follows.
(a) If there is an entry $(r, c_1, k')$ in the table, return $k'$.
(b) If there is an entry $(\cdot, c_1, k')$ in the table, return $k'$ and replace that entry by $(r, c_1, k')$.
(c) Otherwise, choose a random $k' \leftarrow \{0,1\}^{n}$, return $k'$, and store $(r, c_1, k')$ in the table.
2. At some point, A outputs $m_0, m_1 \in \{0,1\}^{\ell(n)}$. Choose a random $b \in \{0, 1\}$ and set $c_2 \leftarrow \mathsf{Enc}'_k(m_b)$. Then A′ gives the ciphertext $\langle \bar{c}_1, c_2 \rangle$ to A, and continues to answer the oracle queries of A as before.
3. When A outputs its guess $b'$, A′ checks whether the table contains an entry $(r, \bar{c}_1, k)$ whose first component is known. Such an entry exists exactly when Query occurred, and in that case $r^e = \bar{c}_1 \bmod N$, so A′ outputs $r$ and solves the RSA instance.
Thus, A′ correctly solves the given RSA instance whenever Query occurs. That is,
$$\Pr[\mathsf{RSA\text{-}inv}_{A',\mathsf{GenRSA}}(n) = 1] = \Pr[\mathrm{Query}]. \qquad (9.21)$$
Since the RSA problem is hard relative to GenRSA, it must be the case that $\Pr[\mathrm{Query}]$ is negligible by Definition 8.
By combining the two claims above, we have that Construction 7 is CCA-secure. □
9.4.6 The RSA-OAEP Encryption
We explore a construction of RSA-based CCA-secure encryption using optimal
asymmetric encryption padding (OAEP). The resulting RSA-OAEP scheme
follows the idea of taking a message $m$, transforming it to an element $\hat{m} \in \mathbb{Z}_N^*$,
and then letting $c = [\hat{m}^e \bmod N]$ be the ciphertext. The transformation here,
however, is more complex than before. A version of RSA-OAEP has been stan-
dardized as part of RSA PKCS #1, which is widely used in practice.
Construction 8. The RSA-OAEP encryption scheme
Let GenRSA be as usual and let $\ell, k_0, k_1$ be as described in the text (with $\ell + k_0 + k_1 < \|N\|$). Let $G: \{0,1\}^{k_0} \to \{0,1\}^{\ell + k_1}$ and $H: \{0,1\}^{\ell + k_1} \to \{0,1\}^{k_0}$ be functions. Construct a public-key encryption scheme as follows.
1. Gen: on input $1^n$, run $\mathsf{GenRSA}(1^n)$ to obtain $(N, e, d)$. The public key is $\langle N, e \rangle$ and the private key is $\langle N, d \rangle$.
2. Enc: on input a public key $\langle N, e \rangle$ and a message $m \in \{0,1\}^{\ell}$, set $m' = m \| 0^{k_1}$ and choose a uniform $r \in \{0,1\}^{k_0}$. Then compute
$$s = m' \oplus G(r), \qquad t = r \oplus H(s)$$
and set $\hat{m} = s \| t$. Output the ciphertext $c = [\hat{m}^e \bmod N]$.
3. Dec: on input a private key $\langle N, d \rangle$ and a ciphertext $c \in \mathbb{Z}_N^*$, compute $\hat{m} = [c^d \bmod N]$. If $\|\hat{m}\| > \ell + k_0 + k_1$, output ⊥. Otherwise, parse $\hat{m}$ as $s \| t$ with $s \in \{0,1\}^{\ell + k_1}$ and $t \in \{0,1\}^{k_0}$. Compute $r = H(s) \oplus t$ and $m' = G(r) \oplus s$. If the least-significant $k_1$ bits of $m'$ are not all 0, output ⊥. Otherwise, output the $\ell$ most-significant bits of $m'$.
Theorem 9 If the RSA problem is hard relative to GenRSA, and G and H
are modeled as independent random oracles, then RSA-OAEP can be proven
CCA-secure for certain types of public exponents e (including the common
case when e = 3).
Proof is omitted.
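Construction 8 in Python, as an added example that is not code from the book. G and H are instantiated with domain-separated SHAKE-256 (standing in for the two independent random oracles of Theorem 9), and the parameters ℓ = 32, k₀ = 32, k₁ = 24 bits together with a constructed 92-bit toy modulus are this example's assumptions, chosen so that m̂ always lies below N. The example shows the roundtrip and exercises both ⊥ cases of Dec (m̂ too long; the k₁ redundancy bits not all zero); `forged_padding` builds an m̂ with a non-zero redundancy byte to trigger the second check.

```python
import hashlib
import secrets

# Constructed toy parameters (no security): a 92-bit modulus from two Mersenne
# primes, and l = 32, k0 = 32, k1 = 24 bits, so l + k0 + k1 = 88 < ||N|| = 92.
P_TOY, Q_TOY, E_PUB = 2**31 - 1, 2**61 - 1, 65537
L_BYTES, K0_BYTES, K1_BYTES = 4, 4, 3
TOTAL_BYTES = L_BYTES + K0_BYTES + K1_BYTES

def rsa_keygen(p=P_TOY, q=Q_TOY, e=E_PUB):
    N, phi = p * q, (p - 1) * (q - 1)
    return (N, e), (N, pow(e, -1, phi))

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def G(r):
    """G: {0,1}^k0 -> {0,1}^(l+k1); random-oracle stand-in built from SHAKE-256."""
    return hashlib.shake_256(b"G" + r).digest(L_BYTES + K1_BYTES)

def H(s):
    """H: {0,1}^(l+k1) -> {0,1}^k0; domain-separated from G so the two are independent."""
    return hashlib.shake_256(b"H" + s).digest(K0_BYTES)

def oaep_pad(m, r):
    if len(m) != L_BYTES or len(r) != K0_BYTES:
        raise ValueError("m must be l bits long and r must be k0 bits long")
    m_prime = m + bytes(K1_BYTES)              # m || 0^k1
    s = xor(m_prime, G(r))
    t = xor(r, H(s))
    return int.from_bytes(s + t, "big")        # m_hat = s || t

def oaep_unpad(m_hat):
    """Inverse of oaep_pad; returns None (the page's ⊥) on either failure condition."""
    if m_hat.bit_length() > 8 * TOTAL_BYTES:   # ||m_hat|| > l + k0 + k1
        return None
    buf = m_hat.to_bytes(TOTAL_BYTES, "big")
    s, t = buf[:L_BYTES + K1_BYTES], buf[L_BYTES + K1_BYTES:]
    r = xor(H(s), t)
    m_prime = xor(G(r), s)
    if m_prime[L_BYTES:] != bytes(K1_BYTES):   # the k1 redundancy bits must all be 0
        return None
    return m_prime[:L_BYTES]                   # the l most-significant bits of m'

def rsa_oaep_encrypt(pk, m, r=None):
    N, e = pk
    r = secrets.token_bytes(K0_BYTES) if r is None else r
    return pow(oaep_pad(m, r), e, N)

def rsa_oaep_decrypt(sk, c):
    N, d = sk
    return oaep_unpad(pow(c, d, N))

def forged_padding(m, r):
    """An m_hat built like oaep_pad but with a non-zero byte in the k1 redundancy field;
    Dec must reject it."""
    m_prime = m + bytes(K1_BYTES - 1) + b"\x01"
    s = xor(m_prime, G(r))
    t = xor(r, H(s))
    return int.from_bytes(s + t, "big")
```

Both failure paths return the same None on purpose. In a real implementation the two checks must also be indistinguishable in timing and in the error surfaced to the caller; a decoder that reveals which check failed becomes precisely the kind of error oracle described in Section 9.3.2, and the proof of Theorem 9 assumes no such leakage. Production code should use a vetted library's OAEP with a 2048-bit or larger modulus rather than this toy.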
9.4.7 The Cramer-Shoup Encryption
The Cramer-Shoup encryption scheme [36] is a CCA enhancement of the CPA-
secure El Gamal encryption scheme.
The Diffie-Hellman decision problem
Let $\mathbb{G}$ be a group of large prime order $q$, and consider the following two distributions.
1. the distribution $R$ of random quadruples $(g_1, g_2, u_1, u_2) \in \mathbb{G}^4$;
2. the distribution $D$ of quadruples $(g_1, g_2, u_1, u_2) \in \mathbb{G}^4$, where $g_1, g_2$ are random, and $u_1 = g_1^{r}$ and $u_2 = g_2^{r}$ for random $r \in \mathbb{Z}_q$.
Given a quadruple coming from one of the two distributions, an algorithm that solves the Diffie-Hellman decision problem is a statistical test that can effectively distinguish these two distributions. It should output 0 or 1, and there should be a non-negligible difference between (a) the probability that it outputs 1 given an input from $R$, and (b) the probability that it outputs 1 given an input from $D$. We say the Diffie-Hellman decision problem is hard if there is no such polynomial-time statistical test.
Collision-resistant hash functions
A family of hash functions is said to be collision resistant if upon drawing a
function H at random from the family, it is infeasible for an adversary to find
two different inputs x and y such that H(x) = H(y).
Construction 9. The Cramer-Shoup public-key scheme
Let G be a group of prime order q, where q is large.
1. Gen: The key generation algorithm runs as follows.
(a) Choose g1 , g2 ∈ G randomly.
(b) Pick random integers x1 , x2 , y1 , y2 , z ∈ Zq .
146 9 Public-Key Encryption
(c) Compute
c = g1 x1 g2 x2 , d = g1 y1 g2 y2 , h = g1 z .
(d) Choose a hash function H from the family of universal one-
way hash functions.
(e) The public key is (g1 , g2 , c, d, h, H).
(f) The private key is (x1 , x2 , y1 , y2 , z).
2. Enc: For given message m ∈ G and the public key
(g1 , g2 , c, d, h, H), the encryption algorithm runs as follows.
(a) Choose r ∈ Zq randomly.
(b) Compute
u1 = g1 r , u2 = g2 r , e = hr m, α = H(u1 , u2 , e), v = cr drα .
(c) The ciphertext is (u1 , u2 , e, v).
3. Dec: For given ciphertext (u1 , u2 , e, v) and the private key
(x1 , x2 , y1 , y2 , z), the decryption algorithm runs as follows.
(a) Compute α = H(u1, u2, e).
(b) Check $u_1^{x_1 + y_1\alpha} u_2^{x_2 + y_2\alpha} \stackrel{?}{=} v$.
(c) If yes, output $m = e / u_1^{z}$; otherwise, output ⊥.
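As an added worked example (not the book's code), Construction 9 instantiated over the order-q subgroup of Z_p^* for a safe prime p = 2q + 1, generated here at toy size (64-bit q); SHA-256 reduced mod q stands in for the universal one-way hash family, and every function name is this example's own. Decryption checks that each ciphertext component lies in G before the v check, which a deployment must never skip, and the altered ciphertexts at the end are rejected as ⊥.

```python
import hashlib
import secrets

# Added worked example of Construction 9 (not the book's code).  G is the
# order-q subgroup of Z_p^* for a safe prime p = 2q + 1, generated at toy size;
# a deployment would use a standardised 2048-bit group or an elliptic curve.

def is_probable_prime(n, rounds=32):
    """Miller-Rabin test; a composite passes with probability at most 4^-rounds."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_group(bits=64):
    """Return (p, q) with p = 2q + 1 both prime; q has exactly `bits` bits."""
    while True:
        q = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        p = 2 * q + 1
        if is_probable_prime(q) and is_probable_prime(p):
            return p, q

def rand_element(p):
    """Uniform element of G other than 1 (squares in Z_p^* have order q)."""
    while True:
        g = pow(secrets.randbelow(p - 2) + 2, 2, p)
        if g != 1:
            return g

def in_group(p, q, x):
    """Membership test for G: 0 < x < p and x^q = 1.  Applied to every
    ciphertext component before any secret-dependent computation."""
    return 0 < x < p and pow(x, q, p) == 1

def hash_to_zq(p, q, *elems):
    """alpha = H(u1, u2, e): SHA-256 over fixed-width encodings, reduced mod q.
    A constructed stand-in for the universal one-way hash family."""
    width = (p.bit_length() + 7) // 8
    h = hashlib.sha256()
    for x in elems:
        h.update(x.to_bytes(width, "big"))
    return int.from_bytes(h.digest(), "big") % q

def keygen(p, q):
    """Gen: c = g1^x1 g2^x2, d = g1^y1 g2^y2, h = g1^z."""
    g1, g2 = rand_element(p), rand_element(p)
    x1, x2, y1, y2, z = (secrets.randbelow(q) for _ in range(5))
    c = pow(g1, x1, p) * pow(g2, x2, p) % p
    d = pow(g1, y1, p) * pow(g2, y2, p) % p
    h = pow(g1, z, p)
    return (p, q, g1, g2, c, d, h), (x1, x2, y1, y2, z)

def encrypt(pk, m):
    """Enc of a group element m: (u1, u2, e, v) with v = c^r d^(r*alpha)."""
    p, q, g1, g2, c, d, h = pk
    r = secrets.randbelow(q)
    u1, u2 = pow(g1, r, p), pow(g2, r, p)
    e = pow(h, r, p) * m % p
    alpha = hash_to_zq(p, q, u1, u2, e)
    v = pow(c, r, p) * pow(d, r * alpha % q, p) % p
    return u1, u2, e, v

def decrypt(pk, sk, ct):
    """Dec: recompute alpha, check u1^(x1+y1*alpha) u2^(x2+y2*alpha) == v,
    then output e / u1^z.  None plays the role of the rejection symbol ⊥."""
    p, q, g1, g2, c, d, h = pk
    x1, x2, y1, y2, z = sk
    u1, u2, e, v = ct
    if not all(in_group(p, q, t) for t in ct):
        return None
    alpha = hash_to_zq(p, q, u1, u2, e)
    check = pow(u1, (x1 + y1 * alpha) % q, p) * pow(u2, (x2 + y2 * alpha) % q, p) % p
    if check != v:
        return None
    return e * pow(pow(u1, z, p), -1, p) % p

if __name__ == "__main__":
    p, q = gen_group()
    pk, sk = keygen(p, q)
    m = pow(pk[2], 424242, p)          # a message encoded as an element of G
    ct = encrypt(pk, m)
    assert decrypt(pk, sk, ct) == m
    u1, u2, e, v = ct
    assert decrypt(pk, sk, (u1, u2, e * pk[6] % p, v)) is None   # altered e: ⊥
    assert decrypt(pk, sk, (u1, u2, e, p - 1)) is None            # v not in G: ⊥
```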
Theorem 10 Construction 9 is secure against adaptive chosen ciphertext at-
tack assuming that (1) the hash function H is chosen from a universal one-way
family, and (2) the Diffie-Hellman decision problem is hard in the group G.
Proof
Outline of the Proof To prove the theorem, we will assume that there is an adversary that can break the Cramer-Shoup scheme, and that the hash family is universal one-way, and show how to use this adversary to construct a statistical test for the Diffie-Hellman decision problem. That is, we give a reduction from the DDH problem to an attack on the Cramer-Shoup scheme, which shows that if Cramer-Shoup is not IND-CCA secure, then the DDH problem can be solved, or equivalently, if the DDH problem is hard to solve, then Cramer-Shoup is IND-CCA secure (i.e., the adversary's advantage is negligible in the IND-CCA game against the Cramer-Shoup scheme).
For the statistical test, we build a simulator B (as shown in Figure 9.5) which is given (g1, g2, u1, u2) coming from either the distribution R or D and provides cryptanalysis training to A. B should output 0 or 1, and the test succeeds if there is a non-negligible difference between the probability that it outputs 1 given an input from R and the probability that it outputs 1 given an input from D. When the input comes from D, B provides a perfect simulation, and the success probability of A in the actual construction is identical to the success probability of A in the simulation (Lemma 1). When the input comes from R, the success probability of A is negligible (Lemma 2). That is, A obtains no advantage from the cryptanalysis training courses. Finally, we translate the advantage of A in guessing the hidden bit b into B's capability to distinguish between D and R: if B's hidden bit is b and A outputs b′, the distinguisher outputs 1 if b = b′, and 0 otherwise.
FIGURE 9.5
Reduction from the DDH problem to an attack on the Cramer-Shoup scheme.
The simulator B
Setup
B is given (g1, g2, u1, u2).
Gen
1. Choose x1, x2, y1, y2, z1, z2 ∈ Z_q randomly.
2. Compute $c = g_1^{x_1} g_2^{x_2}$, $d = g_1^{y_1} g_2^{y_2}$, $h = g_1^{z_1} g_2^{z_2}$.
3. Choose a hash function H at random.
4. The public key is (g1, g2, c, d, h, H).
5. The private key is (x1, x2, y1, y2, z1, z2).
Decryption Queries
For a given ciphertext (u1, u2, e, v), B runs as follows.
1. Compute α = H(u1, u2, e).
2. Check $u_1^{x_1 + y_1\alpha} u_2^{x_2 + y_2\alpha} \stackrel{?}{=} v$.
3. If yes, B outputs $m = e / (u_1^{z_1} u_2^{z_2})$; otherwise, B outputs ⊥.
Challenge Phase
1. A sends two messages m0 and m1 to B.
2. B chooses a bit b ∈ {0, 1}.
3. B encrypts message m_b as follows: $e = u_1^{z_1} u_2^{z_2} m_b$, $\alpha = H(u_1, u_2, e)$, $v = u_1^{x_1 + y_1\alpha} u_2^{x_2 + y_2\alpha}$.
4. Send the challenge ciphertext (u1, u2, e, v) to A.
Guess
1. A outputs a bit b′ as its guess for b.
2. If b = b′, B outputs 1; otherwise, B outputs 0.
Simulation of decryption procedure
When receiving the ciphertext (u1, u2, e, v) from A, the simulator first conducts the integrity check $u_1^{x_1 + y_1\alpha} u_2^{x_2 + y_2\alpha} \stackrel{?}{=} v$. That is,
$$u_1^{x_1 + y_1\alpha} u_2^{x_2 + y_2\alpha} \stackrel{?}{=} (g_1^{x_1} g_2^{x_2})^r (g_1^{y_1} g_2^{y_2})^{r\alpha}.$$
If the check passes, then the ciphertext is valid. In this case, there exists r ∈ Z_q such that $u_1^{x_1 + y_1\alpha} u_2^{x_2 + y_2\alpha} = (g_1^r)^{x_1 + y_1\alpha} (g_2^r)^{x_2 + y_2\alpha}$. Then, the simulator decrypts as follows:
$$m' = e / (u_1^{z_1} u_2^{z_2}) = h^r m / \big((g_1^r)^{z_1} (g_2^r)^{z_2}\big) = h^r m / h^r = m.$$
Simulation of encryption procedure
In the case that (g1, g2, u1, u2) comes from D, the simulated encryption is exactly a valid Cramer-Shoup encryption under the given public key (details are given in the proof of Lemma 1).
In the case that (g1, g2, u1, u2) comes from R, there exist r1, r2 ∈ Z_q with r1 ≠ r2 such that $u_1 = g_1^{r_1}$ and $u_2 = g_2^{r_2}$. Since g1 is a generator of G, there exists $w = \log_{g_1} g_2$.
From $h = g_1^{z_1} g_2^{z_2}$, we have $\log_{g_1} h = z_1 + w z_2$.
From $e = u_1^{z_1} u_2^{z_2} m_b$, we have
$$\log_{g_1}(e/m_0) = r_1 z_1 + w r_2 z_2, \qquad \log_{g_1}(e/m_1) = r_1 z_1 + w r_2 z_2.$$
Since either m0 or m1 is chosen by B to be encrypted, we have
$$z_1 + w z_2 = \log_{g_1} h, \qquad r_1 z_1 + w r_2 z_2 = \log_{g_1}(e/m_0) \tag{9.22}$$
or
$$z_1 + w z_2 = \log_{g_1} h, \qquad r_1 z_1 + w r_2 z_2 = \log_{g_1}(e/m_1). \tag{9.23}$$
There is no way for the adversary A to verify which one of the messages is encrypted.
Intuition Note that B cannot determine whether the input distribution comes from D or R, because it can decrypt the valid ciphertexts in both cases.² Let us suppose A can break Cramer-Shoup. Then B, given the input distribution, can construct a challenge ciphertext C* which encrypts one of the messages m0, m1 given by A, and asks A to apply its attacking advantage. If the distribution comes from D, A can use its attacking advantage. If not, m_b is encrypted in a perfectly secure sense (that is, in Shannon's information-theoretic sense) and thus cannot be decrypted, and therefore A cannot have any advantage whatsoever. If A is only about 50% right, the input is probably from R.
Theorem 10 follows from the following two lemmas.
Lemma 1 When the simulator’s input comes from D, the joint distribution
of the adversary’s view and the hidden bit b is statistically indistinguishable
from that in the actual attack.
Lemma 1 says that when the simulator’s input comes from D, the simula-
tor can provide perfect simulation to the adversary like in the actual system
and the adversary’s advantage is identical with the simulator’s advantage in
distinguishing whether the input comes from D.
Proof of Lemma 1 Consider the joint distribution of the adversary's view and the bit b when the input comes from the distribution D. In this case, because there exists r ∈ Z_q such that $u_1 = g_1^r$ and $u_2 = g_2^r$, we have
$$u_1^{z_1} u_2^{z_2} = g_1^{r z_1} g_2^{r z_2} = h^r. \tag{9.24}$$
First, we show that the simulated encryption and decryption distributions are appropriately (i.e., indistinguishably) distributed from A's view. It is clear in this case that the output of the encryption oracle has the right distribution, since $u_1^{x_1} u_2^{x_2} = c^r$, $u_1^{y_1} u_2^{y_2} = d^r$, and $u_1^{z_1} u_2^{z_2} = h^r$; indeed, these equations imply that $e = m_b h^r$ and $v = c^r d^{r\alpha}$, and α itself is already of the right form. We also argue that the output of the decryption oracle has the right distribution. Let us call $(u_1', u_2', e', v') \in G^4$ a valid ciphertext if $\log_{g_1} u_1' = \log_{g_2} u_2'$.³ Note that if a ciphertext is valid, then $h^{r'} = (g_1^{z_1} g_2^{z_2})^{r'} = (g_1^{r'})^{z_1} (g_2^{r'})^{z_2} = u_1'^{\,z_1} u_2'^{\,z_2}$. Therefore, the decryption oracle outputs $e'/h^{r'}$ as in the actual construction.
² Since the simulator knows the private key, it can decrypt the valid ciphertexts. If the simulator could decrypt the challenge ciphertext in case D but could not decrypt the challenge ciphertext in case R, then the simulator could distinguish D and R by itself, which would remove the need to use the attacker.
Next we show that the adversary's advantage in the simulation is identical to that in the actual construction.
Claim 1 The decryption oracle, both in an actual attack against the scheme and in an attack against the simulator, rejects all invalid ciphertexts, except with negligible probability.
We now prove this claim by considering the distribution of the point $P = (x_1, x_2, y_1, y_2) \in \mathbb{Z}_q^4$, conditioned on A's view. Let log(·) denote $\log_{g_1}(\cdot)$ and $w = \log g_2$. From A's view, P is a random point on the plane 𝒫 formed by intersecting the hyperplanes
$$\log c = x_1 + w x_2 \tag{9.25}$$
and
$$\log d = y_1 + w y_2. \tag{9.26}$$
These two equations come from the public key.⁴ The output from the encryption oracle does not constrain P any further, as the hyperplane defined by
$$\log v = r x_1 + w r x_2 + \alpha r y_1 + \alpha r w y_2 \tag{9.27}$$
contains 𝒫.⁵
Now suppose the adversary submits an invalid ciphertext $(u_1', u_2', e', v')$ to the decryption oracle, where $\log u_1' = r_1'$ and $\log u_2' = r_2'$ with $r_1' \neq r_2'$. The decryption oracle will reject, unless P happens to lie on the hyperplane ℋ defined by
$$\log v' = r_1' x_1 + w r_2' x_2 + \alpha' r_1' y_1 + \alpha' r_2' w y_2, \tag{9.28}$$
where $\alpha' = H(u_1', u_2', e')$.⁶ It is clear that Equations (9.25), (9.26), and (9.28) are linearly independent, and so ℋ intersects the plane 𝒫 in a line.⁷
We assume that the adversary makes at most $q_D$ queries to the decryption oracle. For the first invalid ciphertext, the decryption oracle will accept this ciphertext with probability 1/q. That is, the first invalid ciphertext is rejected with probability 1 − 1/q. The ith invalid ciphertext submitted by the adversary will be rejected with probability at least 1 − 1/(q − i + 1). Therefore, the probability that the decryption oracle rejects all invalid ciphertexts is
$$\Big(1 - \frac{1}{q}\Big)\Big(1 - \frac{1}{q-1}\Big) \cdots \Big(1 - \frac{1}{q-i+1}\Big) \cdots \Big(1 - \frac{1}{q-q_D+1}\Big) = 1 - \frac{q_D}{q}. \tag{9.29}$$
The probability in the actual attack is the same. Since q is a large prime, the adversary's advantage both in the simulation and in the actual attack is negligible ($q_D/q$).
³ Because in this case there exists r′ ∈ Z_q such that $u_1' = g_1^{r'}$ and $u_2' = g_2^{r'}$.
⁴ $c = g_1^{x_1} g_2^{x_2} = g_1^{x_1} (g_1^w)^{x_2}$. Thus, $\log c = \log_{g_1}(g_1^{x_1}) + \log_{g_1}(g_1^{w x_2}) = x_1 + w x_2$. $d = g_1^{y_1} g_2^{y_2} = g_1^{y_1} (g_1^w)^{y_2}$. Thus, $\log d = \log_{g_1}(g_1^{y_1}) + \log_{g_1}(g_1^{w y_2}) = y_1 + w y_2$.
⁵ $v = u_1^{x_1 + y_1\alpha} u_2^{x_2 + y_2\alpha} = g_1^{r x_1} g_1^{\alpha r y_1} g_2^{r x_2} g_2^{\alpha r y_2} = g_1^{r x_1} g_1^{\alpha r y_1} g_1^{w r x_2} g_1^{\alpha w r y_2}$. Therefore, $\log v = \log_{g_1}(g_1^{r x_1}) + \log_{g_1}(g_1^{\alpha r y_1}) + \log_{g_1}(g_1^{w r x_2}) + \log_{g_1}(g_1^{\alpha w r y_2}) = r x_1 + w r x_2 + \alpha r y_1 + \alpha r w y_2$.
⁶ Equation (9.28) is equivalent to $v' = u_1'^{\,x_1 + y_1\alpha'} u_2'^{\,x_2 + y_2\alpha'}$, similar to Equation (9.27).
⁷ Since there are 3 independent equations in 4 variables, the solution space is a line.
Lemma 2 When the simulator’s input comes from R, the distribution of the
hidden bit b is (essentially) independent from the adversary’s view.
Lemma 2 says that when the input comes from R, the adversary's advantage is negligible. Note that, unlike in Lemma 1, in this case the simulator cannot provide a perfect simulation to the adversary,⁸ and therefore the distribution of the adversary's view is not described here.
Proof of Lemma 2
Let $u_1 = g_1^{r_1}$ and $u_2 = g_1^{w r_2}$. We assume that r1 ≠ r2, since this holds except with negligible probability. The lemma follows immediately from the following two claims.
Claim 2 If the decryption oracle rejects all invalid ciphertexts during the
attack, then the distribution of the hidden bit b is independent of the adver-
sary’s view.
Claim 3 The decryption oracle will reject all invalid ciphertexts, except with
negligible probability.
Regarding Claim 2, consider the point $Q = (z_1, z_2) \in \mathbb{Z}_q^2$. At the beginning of the attack, this is a random point on the line
$$\log h = z_1 + w z_2, \tag{9.30}$$
determined by the public key.⁹ Moreover, if the decryption oracle only decrypts valid ciphertexts $(u_1', u_2', e', v')$, then the adversary obtains only linearly dependent relations $r' \log h = r' z_1 + r' w z_2$ (since $u_1'^{\,z_1} u_2'^{\,z_2} = g_1^{r' z_1} g_1^{r' w z_2} = h^{r'}$). Thus, no further information about Q is leaked.
⁸ Since (g1, g2, u1, u2) ∈ R, there exist r1, r2 ∈ Z_q with r1 ≠ r2 such that $u_1 = g_1^{r_1}$ and $u_2 = g_2^{r_2}$. Letting $r_2 = \beta r_1$ (β ≠ 1), we have $u_1^{z_1} u_2^{z_2} = (g_1^{r_1})^{z_1} (g_2^{\beta r_1})^{z_2} = (g_1^{z_1})^{r_1} (g_2^{z_2})^{\beta r_1} \neq (g_1^{z_1})^{r_1} (g_2^{z_2})^{r_1} = (g_1^{z_1} g_2^{z_2})^{r_1} = h^{r_1}$. Thus, $e = u_1^{z_1} u_2^{z_2} m_b \neq h^{r_1} m_b$. As seen from the above, the simulated encryption is not the same as in the Cramer-Shoup scheme.
⁹ Since $h = g_1^{z_1} g_2^{z_2} = g_1^{z_1} g_1^{w z_2}$, we have $\log h = z_1 + w z_2$.
Consider now the output (u1, u2, e, v) of the simulator's encryption oracle. We have $e/m_b = u_1^{z_1} u_2^{z_2}$. That is,
$$\log(e/m_b) = r_1 z_1 + w r_2 z_2. \tag{9.31}$$
Clearly, (9.30) and (9.31) are linearly independent, so the conditional distribution of e/m_b, conditioning on b and everything in the adversary's view other than e, is uniform. In other words, e/m_b is a perfect one-time pad. There is no way for A to verify which of the two cases of b is the correct one. It follows that b is independent of A's view.
Regarding Claim 3, consider the point $P = (x_1, x_2, y_1, y_2) \in \mathbb{Z}_q^4$. From A's view, this is a random point on the line L formed by intersecting the hyperplanes (9.25), (9.26) and
$$\log v = r_1 x_1 + w r_2 x_2 + \alpha r_1 y_1 + w \alpha r_2 y_2. \tag{9.32}$$
This equation comes from the output of the encryption oracle.
For any valid ciphertext submitted by A, the returned result of decryption will only confirm $r' \log h = r' z_1 + r' w z_2$. Therefore, no information about z1, z2 beyond what has already been revealed by the public key can be obtained by A. Therefore, if A submits valid ciphertexts, then A learns nothing from these.
Now assume that A submits an invalid ciphertext $(u_1', u_2', e', v') \neq (u_1, u_2, e, v)$, where $\log u_1' = r_1'$ and $\log u_2' = r_2'$ with $r_1' \neq r_2'$. Let $\alpha' = H(u_1', u_2', e')$ (A is very clever, and the returned decryption result of this invalid ciphertext may relate to the challenge ciphertext in some way). There are three cases to consider.
1. $(u_1', u_2', e') = (u_1, u_2, e)$. In this case, α = α′, but v ≠ v′, which implies that the decryption oracle will certainly reject.
2. $(u_1', u_2', e') \neq (u_1, u_2, e)$ and α ≠ α′. The decryption oracle will reject the invalid ciphertext unless the point P lies on the hyperplane ℋ defined by (9.28). However, the equations (9.25), (9.26), (9.32), and (9.28) are linearly independent. We can express these equations as
$$\begin{pmatrix} 1 & w & 0 & 0 \\ 0 & 0 & 1 & w \\ r_1 & w r_2 & \alpha r_1 & \alpha w r_2 \\ r_1' & w r_2' & \alpha' r_1' & \alpha' w r_2' \end{pmatrix} \cdot \begin{pmatrix} x_1 \\ x_2 \\ y_1 \\ y_2 \end{pmatrix} = \begin{pmatrix} \log c \\ \log d \\ \log v \\ \log v' \end{pmatrix}.$$
We have
$$\det\begin{pmatrix} 1 & w & 0 & 0 \\ 0 & 0 & 1 & w \\ r_1 & w r_2 & \alpha r_1 & \alpha w r_2 \\ r_1' & w r_2' & \alpha' r_1' & \alpha' w r_2' \end{pmatrix} = \det\begin{pmatrix} 1 & 0 & w & 0 \\ 0 & 1 & 0 & w \\ r_1 & \alpha r_1 & w r_2 & \alpha w r_2 \\ r_1' & \alpha' r_1' & w r_2' & \alpha' w r_2' \end{pmatrix}$$
$$= \det\begin{pmatrix} 1 & 0 & w & 0 \\ 0 & 1 & 0 & w \\ 0 & 0 & w(r_2 - r_1) & w\alpha(r_2 - r_1) \\ 0 & 0 & 0 & w(r_2 - r_1)(r_2' - r_1')(\alpha - \alpha') \end{pmatrix} = w^2 (r_2' - r_1')(r_2 - r_1)^2 (\alpha - \alpha') \neq 0.$$
Thus, ℋ intersects the line L at a point.¹⁰ It follows that the decryption oracle rejects the invalid ciphertext, except with probability 1/q.
3. $(u_1', u_2', e') \neq (u_1, u_2, e)$ and α = α′. We argue that if this happens with non-negligible probability, then in fact the family of hash functions is not universal one-way, which contradicts the assumption on H in Theorem 10. We use the adversary to break the universal one-way hash functions as follows. We modify the encryption oracle at Decryption Queries in the simulator, so that it outputs (u1, u2, e, v) as before, except that now e ∈ G is simply chosen completely at random. Up until such time that a collision occurs, the adversary's view in the modified simulation is statistically indistinguishable from the view in the original simulation. Therefore, the adversary will also find a collision with non-negligible probability in the modified simulation. But the argument (u1, u2, e) to H is independent of H, and in particular, we can choose it before choosing H.
A's advantage in the case that the input comes from R is at most 1/q.
¹⁰ The determinant of the first matrix (the coefficient matrix of (x1, x2, y1, y2)) is not 0 because r1 ≠ r2, r1′ ≠ r2′, α ≠ α′, w ≠ 0. By the simple fact from linear algebra that an inverse matrix exists when the determinant is not 0, for any fixed private key (x1, x2, y1, y2) and its resulting public key c and d, there exists only one single v′ (a component of a ciphertext). Therefore, the adversary cannot set v′ unambiguously, and the probability of constructing an invalid ciphertext that escapes rejection is 1/q.
Conclusion of Theorem 10 From the proofs of the two lemmas, we can conclude that A's capability in guessing the hidden bit b, i.e., in attacking the scheme, translates identically to B's capability in determining whether a given quadruple comes from D or R. Since the Diffie-Hellman decision problem is hard, the probability of distinguishing between D and R is negligible, and hence the scheme is secure, as shown in detail as follows.
Let denote the advantage of polynomial time A in breaking the Cramer-
Shoup scheme (denoted by Π). The probability A can break the IND-CCA
1
game against Π is + .
2
In Lemma 1, we only show that when the quadruple comes from D, the
probability that A outputs hidden bit b0 correctly is the same as the proba-
bility that B outputs 1. Let 0 denote the gap between an attack against the
actual construction and an attack against the simulation. Through the proof
of Lemma 1, we have
|P r[Aoutputs b0 = b|D] − P r[Boutputs 1|D]| = 0 . (9.33)
Thus,
1
P r[Boutputs 1|D] = P r[Aoutputs b0 = b|D] + = + + 0 . (9.34)
2
In Lemma 2, we have the probability that B outputs 1 when the quadruple
comes from R is
1 1
P r[Boutputs 1|R] = + . (9.35)
2 q
The probability that B can solve the Diffie-Hellman decision problem is
1 1 1 1
|P r[Boutputs 1|D]−P r[Boutputs 1|R]| = ( ++0 )−( + ) = +0 − , (9.36)
2 2 q q
1
with 0 and are negligible. Since the Diffie-Hellman Decision Problem is
q
hard, B cannot solve it except with negligible probability. That implies is
negligible. Therefore, the Cramer-Shoup scheme is secure. 2
In the conclusion of Theorem 10, we showed that if the Diffie-Hellman decision problem is hard, the probability of distinguishing between D and R is negligible, and therefore the scheme is secure. In the following, we give an alternative proof, which makes use of the proof for the ElGamal encryption scheme shown before.
Assume that the Diffie-Hellman decision problem is hard for G. Recall that the Diffie-Hellman decision problem challenger works as follows: runs $\mathcal{G}(1^n)$ to generate (p, g); chooses x, y, z ∈ Z_q uniformly at random, where q = (p − 1)/2; chooses d ∈ {0, 1} uniformly at random; sets $g_1 = g$, $g_2 = g^x$, $u_1 = g^y$, $u_2 = g^{xy}$ if d = 0 and $g_1 = g$, $g_2 = g^x$, $u_1 = g^y$, $u_2 = g^z$ if d = 1; and finally, gives (g1, g2, u1, u2) to the attacker.
Let Π (Gen, Enc, Dec) be the Cramer-Shoup scheme. Let A be a
polynomial-time algorithm attacking Π. Let denote the advantage of A in
the IND-CCA security game against Π. We construct an algorithm B for solv-
ing the Diffie-Hellman decision problem.
Algorithm B runs in polynomial time, because A runs in polynomial time and because operations in $\mathbb{Z}_p^*$ can be performed in polynomial time. The probability that B wins the security game is
$$\begin{aligned} \Pr[d = d'] &= \Pr[d = 0]\,\Pr[d = d' \mid d = 0] + \Pr[d = 1]\,\Pr[d = d' \mid d = 1] \\ &= \tfrac{1}{2}\Pr[d' = 0 \mid d = 0] + \tfrac{1}{2}\Pr[d' = 1 \mid d = 1] \\ &= \tfrac{1}{2}\Pr[b = b' \mid d = 0] + \tfrac{1}{2}\Pr[b \neq b' \mid d = 1]. \end{aligned} \tag{9.37}$$
When d = 0, the challenger sets g1 = g, g2 = g x , u1 = g y , u2 = g xy , so
the view that B presents to A is identical to the actual IND-CCA security
game against Π except with 0 through the proof of Lemma 1, where 0 is the
gap between an actual attack against the scheme and an attack against the
simulator. Therefore, the probability that b = b0 given d = 0 is the same as
the probability that A wins the IND-CCA security game against Π; in other
words,
1
P r[b = b0 |d = 0] = + + 0 . (9.38)
2
When d = 1, the challenger sets $g_1 = g$, $g_2 = g^x$, $u_1 = g^y$, $u_2 = g^z$. Through the proof of Lemma 2, pk and the challenge ciphertext reveal no information about b except with probability 1/q, so the guess b′ output by A is independent of b except with probability 1/q. Since b is either 0 or 1, each with probability 1/2, it follows that
$$\Pr[b \neq b' \mid d = 1] = \frac{1}{2} + \frac{1}{q}. \tag{9.39}$$
It follows from (9.37), (9.38), and (9.39) that
1 1 1 1 1 1 0 1
P r[d = d0 ] = ( + + 0 ) + · ( + ) = + + + . (9.40)
2 2 2 2 q 2 2 2 2q
0 0
Thus, B wins the security game with advantage 2 − 2 + 2 + 2q 1
. By Diffie-
Hellman decision assumption, algorithm B can win the security game with
0 0
only negligible advantage, so 2 − 2 + 2 + 2q
1
must be negligible where 0 and
1
2q is negligible. This implies that is also negligible. Therefore, algorithm A
has only negligible advantage in the IND-CCA game against Π. 2
9.4.8 The Paillier Encryption
The Paillier scheme [81] is based on the composite residuosity class problem (computing n-th residue classes), which is believed to be computationally difficult. The Paillier scheme also exhibits an additive homomorphic property, which makes it attractive for many privacy-preservation applications. It is currently one of the homomorphic encryption schemes standardized in ISO/IEC 18033-6:2019. The algorithms for key generation, encryption, homomorphic operation, and decryption are briefly described below.
Construction 10. The Paillier encryption scheme
1. Gen: on input $1^n$, select two random prime numbers p and q, and compute the value N = p × q. This generates the modulus N, which will be shared publicly.
Compute $\lambda = \mathrm{lcm}(p-1, q-1) = \frac{(p-1)(q-1)}{\gcd(p-1, q-1)}$, where lcm stands for "least common multiple" and gcd for "greatest common divisor."
Choose an integer g that lies within the set $\mathbb{Z}^*_{N^2}$ and satisfies the condition $\gcd\!\left(\frac{g^\lambda \bmod N^2 - 1}{N},\, N\right) = 1$.
Compute $\mu = \big(L(g^\lambda \bmod N^2)\big)^{-1} \bmod N$, where $L(x) = \frac{x - 1}{N}$.
Output the public key pk = ⟨N, g⟩ and private key sk = ⟨λ, µ⟩.
2. Enc: on input the public key pk = ⟨N, g⟩ and a message $m \in \mathbb{Z}^*_N$, choose a uniformly random $r \in \mathbb{Z}^*_N$. Output the ciphertext
$$c = g^m \times r^N \bmod N^2.$$
3. Dec: on input the private key sk = ⟨λ, µ⟩ and a ciphertext $c \in \mathbb{Z}^*_{N^2}$, compute the plaintext
$$m = \frac{L(c^\lambda \bmod N^2)}{L(g^\lambda \bmod N^2)} = L(c^\lambda \bmod N^2) \cdot \mu \bmod N.$$
The Paillier encryption scheme is a probabilistic cryptosystem. Given the plaintext m, there are many possible valid ciphertexts c generated through the encryption, due to the introduction of the random value r. In other words, given two known plaintexts m1 and m2 together with a ciphertext c generated from either m1 or m2, it is hard to determine which plaintext produced c. Hence, the Paillier scheme is proven to be CPA-secure under the decisional composite residuosity assumption. Unlike padded RSA, the introduction of the random value r does not destroy its homomorphism. This makes the Paillier scheme an attractive public-key scheme for applications that require privacy preservation.
Homomorphic addition of plaintexts Given two ciphertexts c1 and c2 generated through the encryption of two plaintexts m1 and m2, the product of c1 and c2 will decrypt to the sum of m1 and m2 as
$$\mathrm{Dec}(\mathrm{Enc}(m_1) \times \mathrm{Enc}(m_2)) = m_1 + m_2 \bmod N. \tag{9.41}$$
For the additive homomorphic property, the two plaintexts are first encrypted, followed by the homomorphic addition. But for the multiplicative property, only one plaintext is encrypted; the other one is in plaintext form (not encrypted).
Homomorphic multiplication of plaintexts A ciphertext c (encryption of plaintext m) raised to the power of a constant k will decrypt to the product of k and m as
$$\mathrm{Dec}(\mathrm{Enc}(m)^k \bmod N^2) = k m \bmod N. \tag{9.42}$$
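Construction 10 together with the homomorphic operations (9.41) and (9.42), as an added worked example that is not the book's code. The two primes are constructed toy values (the Mersenne primes 2^31 − 1 and 2^61 − 1), g is drawn and checked exactly as step 1 prescribes, and all function names are this example's own.

```python
import math
import secrets

# Added worked example of Construction 10 (not the book's code).  The primes are
# constructed toy values; a real deployment uses primes of 1024 bits or more.
P_TOY = 2**31 - 1
Q_TOY = 2**61 - 1

def L(x, n):
    """The construction's L(x) = (x - 1) / N; exact because x ≡ 1 (mod N)."""
    return (x - 1) // n

def keygen(p=P_TOY, q=Q_TOY):
    """Gen: N = pq, lambda = lcm(p-1, q-1), g in Z*_{N^2} with
    gcd(L(g^lambda mod N^2), N) = 1, mu = L(g^lambda mod N^2)^-1 mod N."""
    n = p * q
    n2 = n * n
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)
    while True:
        g = secrets.randbelow(n2 - 1) + 1        # candidate g in Z*_{N^2}
        if math.gcd(g, n2) != 1:
            continue
        t = L(pow(g, lam, n2), n)
        if math.gcd(t, n) == 1:                  # the gcd condition of step 1
            break
    return (n, g), (lam, pow(t, -1, n))

def encrypt(pk, m):
    """Enc: c = g^m * r^N mod N^2 with a fresh uniform r in Z*_N."""
    n, g = pk
    if not 0 <= m < n:
        raise ValueError("message must lie in Z_N")
    n2 = n * n
    while True:
        r = secrets.randbelow(n - 1) + 1
        if math.gcd(r, n) == 1:
            break
    return pow(g, m, n2) * pow(r, n, n2) % n2

def decrypt(pk, sk, c):
    """Dec: m = L(c^lambda mod N^2) * mu mod N."""
    n, _ = pk
    lam, mu = sk
    return L(pow(c, lam, n * n), n) * mu % n

def add_encrypted(pk, c1, c2):
    """(9.41): Enc(m1) * Enc(m2) mod N^2 decrypts to m1 + m2 mod N."""
    n = pk[0]
    return c1 * c2 % (n * n)

def mul_by_constant(pk, c, k):
    """(9.42): Enc(m)^k mod N^2 decrypts to k * m mod N."""
    n = pk[0]
    return pow(c, k, n * n)

if __name__ == "__main__":
    pk, sk = keygen()
    c1, c2 = encrypt(pk, 40), encrypt(pk, 2)
    assert decrypt(pk, sk, add_encrypted(pk, c1, c2)) == 42
    assert decrypt(pk, sk, mul_by_constant(pk, c1, 3)) == 120
    # the same plaintext encrypts to different ciphertexts (probabilistic scheme)
    assert c1 != encrypt(pk, 40)
```

The same homomorphism that makes (9.41) and (9.42) work lets anyone transform a ciphertext without the key, which is why the scheme is CPA- rather than CCA-secure and why an application must protect ciphertext integrity separately when chosen-ciphertext attacks are a concern.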
Exercises
9.1 Note that the DDH, CDH, DL problems are harder in this order: If the
DL problem is easy, so is the CDH problem; If the CDH problem is easy, so
is the DDH problem. Why?
9.2 The DDH assumption that the DDH problem is hard to solve is used as a basis to prove the security of many cryptographic protocols, most notably the ElGamal and Cramer–Shoup schemes. However, the DDH assumption does not hold in the multiplicative group $\mathbb{Z}_p^*$, where p is prime (even though DL and CDH are conjectured to be hard). Why not?
9.3 El Gamal Encryption is not CCA-secure. Explain why not.
10
Digital Signature
CONTENTS
10.1 Overview . . . 160
10.2 Definitions . . . 160
10.3 The El Gamal Signatures . . . 162
10.4 The RSA Signatures . . . 168
10.4.1 Plain RSA . . . 168
10.4.2 Full Domain Hash RSA . . . 169
10.4.3 Probabilistic Signature Scheme (PSS) . . . 171
10.5 Blockchain: Application of Hash Function and Public-Key Encryption . . . 171
10.5.1 Blockchain 1.0: Early Development of Blockchain Technology . . . 171
10.5.1.1 The Use of Cryptography in Blockchain . . . 174
10.5.1.2 Other Consensus Algorithms . . . 175
10.5.2 Blockchain 2.0: Smart Contract Beyond Cryptocurrency . . . 176
10.5.3 Private, Consortium, and Public Blockchain . . . 176
Exercises . . . 177
An overview of digital signatures is presented in this chapter. Integrity or authenticity is the main purpose of digital signatures. In the first part, digital signatures are compared to message authentication codes. This is followed by formal definitions of digital signatures and of the security of signature schemes. The next part of the chapter gives a detailed discussion of the El Gamal signatures, providing their formal construction and security proofs. The final part of the chapter discusses the RSA signature schemes. Among them, the first is the plain RSA signature scheme, which is existentially forgeable under an arbitrary message attack. The full domain hash RSA is then presented. Subsequently, the probabilistic signature scheme is given, which provides the advantage of improved security over full domain hash RSA with the same signature size. The final part of the chapter presents blockchain as an application of hash functions and public-key encryption.
160 10 Digital Signature
TABLE 10.1
Comparison of digital signature and message authentication code.
Message Authentication Code | Digital Signature
private-key (aka symmetric) setting | public-key (aka asymmetric) setting
complex key distribution and management | easier key distribution and management (good for broadcast, group)
not publicly verifiable | publicly verifiable (a third party verifies it as legitimate)
repudiable | non-repudiable (a signer cannot later deny his signing, good for legal)
very simple computations | comparatively heavy computations
10.1 Overview
In the public-key settings, public-key encryption can be used to achieve
secrecy, and integrity (or authenticity) is provided using digital signature
schemes. Note that message authentication codes provide integrity in the
private-key settings. Table 10.1 compares message authentication code with
digital signature.
10.2 Definitions
Since digital signatures are the public-key counterpart of message authentica-
tion codes, their syntax and security guarantees are analogous. The algorithm
that a sender applies to a message is here denoted Sign (rather than Mac),
and the output of this algorithm is now called a signature (rather than a tag).
The algorithm that a receiver applies to a message and a signature in order
to verify its validity is still denoted Vrfy.
Definition 1 A (digital) signature scheme consists of three probabilistic polynomial-time algorithms (Gen, Sign, Vrfy) such that
1. The key-generation algorithm Gen takes as input a security parameter $1^n$ and outputs a pair of keys (pk, sk). These are called the public key and the private key, respectively. We assume that pk and sk each has length at least n, and that n can be determined from pk or sk.
2. The signing algorithm Sign takes as input a private key sk and a message m from some message space (that may depend on pk). It outputs a signature σ, and we write this as $\sigma \leftarrow \mathrm{Sign}_{sk}(m)$.
3. The deterministic verification algorithm Vrfy takes as input a public key pk, a message m and a signature σ. It outputs a bit b, with b = 1 meaning valid and b = 0 meaning invalid. We write this as $b = \mathrm{Vrfy}_{pk}(m, \sigma)$.
It is required that, except with negligible probability over (pk, sk) output by Gen($1^n$), it holds that $\mathrm{Vrfy}_{pk}(m, \mathrm{Sign}_{sk}(m)) = 1$ for every (legitimate) message m.
If there is a function ℓ such that for every (pk, sk) output by Gen($1^n$) the message space is $\{0,1\}^{\ell(n)}$, then we say that (Gen, Sign, Vrfy) is a signature scheme for messages of length ℓ(n).
We call σ a valid signature on a message m (with respect to some public key pk that is understood from the context) if $\mathrm{Vrfy}_{pk}(m, \sigma) = 1$.
Security of signature schemes For a fixed public key pk generated by a
signer S, a forgery is a message m along with a valid signature σ, where m
was not previously signed by S. Security of a signature scheme means that
an adversary should be unable to output a forgery even if he or she obtains
signatures on many other messages of his choice.
Let Π = (Gen, Sign, Vrfy) be a signature scheme and consider the following experiment for an adversary A and parameter n.
The signature experiment $\mathrm{Sig\text{-}forge}_{A,\Pi}(n)$
1. Gen($1^n$) is run to obtain keys (pk, sk).
2. Adversary A is given pk and access to an oracle $\mathrm{Sign}_{sk}(\cdot)$. The adversary then outputs (m, σ). Let Q denote the set of all queries that A asked to its oracle.
3. A succeeds if and only if (1) $\mathrm{Vrfy}_{pk}(m, \sigma) = 1$ and (2) m ∉ Q. In this case, the output of the experiment is defined to be 1.
Definition 2 A signature scheme Π = (Gen, Sign, Vrfy) is existentially unforgeable under an adaptive chosen-message attack, or just secure, if for all probabilistic polynomial-time adversaries A, there is a negligible function negl such that
$$\Pr[\mathrm{Sig\text{-}forge}_{A,\Pi}(n) = 1] \leq \mathrm{negl}(n). \tag{10.1}$$
10.3 The El Gamal Signatures
Let 𝒢 be a polynomial-time algorithm that takes as input $1^n$ and (except possibly with negligible probability) outputs a description of a cyclic group G, its order q (with |q| = n) and a generator g.
Construction 1. The original El Gamal signature scheme
Let 𝒢 be defined as above.
1. Gen: on input $1^n$, run 𝒢($1^n$) to obtain (G, q, g). Then choose a uniform x ∈ Z_q and compute $h = g^x$. The public key is ⟨G, q, g, h⟩ and the private key is ⟨G, q, g, x⟩. The message space is G.
2. Sign: on input a private key sk = ⟨G, q, g, x⟩ and a message m ∈ G, choose a uniform $l \in \mathbb{Z}^*_{q-1}$ (i.e., l < q − 1, gcd(l, q − 1) = 1) and output (r, s) as
$$r = g^l \pmod q, \qquad s = l^{-1}(m - xr) \pmod{q-1},$$
where $l^{-1}$ can be computed using the extended Euclidean algorithm.
3. Vrfy: on input a public key pk = ⟨G, q, g, h⟩ and a signature (r, s), output 1 if and only if
$$h^r r^s \stackrel{?}{=} g^m \pmod q.$$
Theorem 1 Construction 1 is existentially forgeable under a known message
attack.
Proof is omitted.
Now we introduce a typical version of the El Gamal-family signature schemes
(e.g., Schnorr signature, Digital Signature Algorithm, etc.) which can be prov-
ably unforgeable in the random oracle model. It replaces m by the hash value
of both the message and random number, and outputs a signature as a triplet
(r,e,s).
Construction 2. The triplet El Gamal signature scheme
Let 𝒢 be as in the text.
1. Gen: on input $1^n$, run 𝒢($1^n$) to obtain (G, q, g). Then choose a uniform x ∈ Z_q and compute $h = g^x$. The public key is ⟨G, q, g, h⟩ and the private key is ⟨G, q, g, x⟩. The message space is G.
2. Sign: on input a private key sk = ⟨G, q, g, x⟩ and a message m ∈ G, choose a uniform $l \in \mathbb{Z}^*_{q-1}$ (i.e., l < q − 1 and gcd(l, q − 1) = 1) and output a triplet (r, e, s) as
$$r = g^l \pmod q, \qquad e = H(m, r), \qquad s = l^{-1}(e - xr) \pmod{q-1},$$
where H is a cryptographic hash function, |e| = n, and $l^{-1}$ can be computed using the extended Euclidean algorithm.
3. Vrfy: on input a public key pk = ⟨G, q, g, h⟩ and a signature (r, e, s), output 1 if and only if
$$e = H(m, r), \qquad h^r r^s \stackrel{?}{=} g^e \pmod q.$$
Theorem 2 If the DL problem is hard relative to 𝒢, then Construction 2 is existentially unforgeable under a non-adaptive chosen-message attack.
Proof Assume that the DL assumption holds for 𝒢. Let Π = (Gen, Sign, Vrfy) be the triplet El Gamal signature scheme. Let A be a polynomial-time algorithm attacking Π. We construct an algorithm B for solving the DL problem relative to 𝒢 as follows.
Reduction algorithm B
The algorithm is given $G, q, g, h$ as input.
1. Run A, answering all its queries as described below: when A outputs (i.e., queries) $(m_i, r_i)$ (actually, $r_i$ is a random value created by B), choose a random oracle answer $e_i$ and give it to A.
2. Eventually, A returns $(r, e, s)$.
164 10 Digital Signature
3. Run A a second time, using the same randomness as before except for uniform and independent $e_j$.
4. Eventually, A returns $(r, e', s')$.
5. If $h^r r^s = g^e \pmod q$ and $h^r r^{s'} = g^{e'} \pmod q$ and $e \neq e'$, then output $\dfrac{e - ls}{r} \pmod p$. Otherwise output nothing.
In the above reduction algorithm, why does the simulator run the adversary twice? It is intended to simulate a forgery case, i.e., the adversary successfully generates, for a message of its choice, a second valid signature alongside the one originally made by the legitimate signer for that message.
Here is a schematic diagram of the reduction algorithm (the original is a two-column message chart between Algorithm B and Adversary A, rendered here as a list of exchanges):
1. B receives $(G, q, g, h)$ and forwards $(G, q, g, h)$ to A.
2. A sends the random oracle queries $(m_i, r_i)$ to B; B answers each of them, and A returns the first forgery $(r, e, s)$.
3. A is rerun: it sends the same queries $(m_i, r_i)$, B answers with fresh random values, and A returns the second forgery $(r, e', s')$.
4. If $h^r r^s = g^e \pmod q$ and $h^r r^{s'} = g^{e'} \pmod q$ and $e \neq e'$, B outputs $\dfrac{e - ls}{r} \pmod p$; otherwise B outputs nothing.
Under the non-adaptive attack scenario, A does not request signatures from B, who operates as the simulated random oracle for $H$ queries. Note that under the adaptive one, A can adaptively choose messages to be signed, even after observing previous signatures.
Let A's probability of success at signature forgery be $\mathrm{Adv}(n)$ and the time he spends on signature forgery be $t(n)$.
First runs of A
Now B runs A $1/\mathrm{Adv}(n)$ times. Since A is a successful forger, he will output with probability 1 a valid signature $(r, e, s)$ of message $m$ under the scheme. That is,
\[ e = H(m, r), \]
\[ h^r r^s \stackrel{?}{=} g^e \pmod q. \qquad (10.2) \]
Under the random oracle model, A makes random oracle queries to B, whose response is via the simulation of the random oracle: it simulates $H$ by maintaining an H-list of sorted elements $((m_i, r_i), e_i)$ (e.g., sorted by $m_i$), where $(m_i, r_i)$ are queries and $e_i$ are random answers.
Since A is polynomially bounded, he can only make $k = q_H$ queries where $k$ is polynomially (in $n$) bounded. Let
\[ Q_1 = (m_1, r_1),\ Q_2 = (m_2, r_2),\ \ldots,\ Q_k = (m_k, r_k) \qquad (10.3) \]
be $k$ distinct queries. Let
\[ R_1 = e_1,\ R_2 = e_2,\ \ldots,\ R_k = e_k \qquad (10.4) \]
be the answers. Since $|H| = n$, B's answers are uniformly random in the set $\{1, 2, 3, \ldots, 2^n\}$.
The essential intuition is that, due to the uniform randomness of B's answers, when A outputs a valid forgery $(r, e, s)$ on $m$, he must have queried $(m, r)$ and obtained the answer $e = H(m, r)$. That is, it must be the case that $(m, r) = (m_i, r_i)$ for some $i \in [1, k]$. The probability of $(m, r)$ not having been queried is $2^{-n}$ (i.e., A has guessed B's uniformly random answer $R_i = e_i$ correctly without making a query to B). Since the quantity $2^{-n}$ is negligible, we know that $((m, r), e)$ is in B's H-list.
Note that without making queries to B and without using B's answers, A cannot be successful except with the minute probability $2^{-n}$, which is negligible. With this observation, we can imagine that A has been "forced" to forge a signature on one of the $k$ messages.
Second runs of A to achieve a successful forking
Now B reruns A $1/\mathrm{Adv}(n)$ times under the same conditions. However, this time B resets his $k$ random oracle answers uniformly at random. We must notice that since the reset answers still follow the uniform distribution on the set $\{1, 2, 3, \ldots, 2^n\}$, these answers remain correct ones, since they have the correct distribution.
After having been fed the second lot of $k$ correct answers, A must again fully release his forgery capacity and output, with probability 1, a new forgery $(r', e', s')$ on $m'$. Note again that $(m', r')$ must be a $Q_j$ for some $j \in [1, k]$ except for a minute probability value $2^{-k}$.
An event of "successful forking of A's random oracle queries" occurs when the two forged message-signature pairs $(m, (r, e, s))$ and $(m', (r', e', s'))$ satisfy $(m, r) = (m', r')$. Applying the birthday paradox, we know that the probability for this event to occur (i.e., $i = j = b$) is roughly $1/\sqrt{k}$, where $i, j$ are uniformly random and need not be fixed.
That is, with the non-negligible probability $1/\sqrt{k}$, B obtains two valid forgeries $(r, e, s)$ and $(r', e', s')$. Furthermore, because in the second run B has reset his answers uniformly at random (i.e., erased the previous H-list), we must have with overwhelming probability $e \neq e' \pmod p$, where $p$ is an $n$-bit prime dividing $q - 1$ and $(q - 1)/p$ has no large prime factors. $\square$
Forking lemma [87] says that if a PPT adversary can forge a signature with
non-negligible probability, then there is a non-negligible probability that the
same adversary with the same random tape can create a second forgery in
an attack with a different random oracle (i.e., by resetting and replaying the
random oracle) as shown in Figure 10.1.
FIGURE 10.1
Forking lemma.
The oracle replay attack:
1. The adversary is rewound to $Q_b$.
2. Simulate the first run from $Q_b$ using a different random oracle.
Extraction of discrete logarithm
From the two valid forgeries, B has
\[ h^r r^s = g^e \pmod q, \]
\[ h^r r^{s'} = g^{e'} \pmod q. \]
Since $g$ is a generator modulo $q$, we can write $r = g^l \pmod q$ for some integer $l < q - 1$. Also noticing $h = g^x \pmod q$, we have
\[ xr + ls = e \pmod p, \]
\[ xr + ls' = e' \pmod p. \]
Since $e \neq e' \pmod p$ implies $s \neq s' \pmod p$, we have
\[ l = \frac{e - e'}{s - s'} \pmod p. \]
With overwhelming probability $r$ is relatively prime to $p$ and hence B can extract $x \pmod p$ as
\[ x = \frac{e - ls}{r} \pmod p. \]
Recall that $(q - 1)/p$ has no large prime factors, so $x \pmod{q - 1}$ can easily be further extracted.
Since the numbers $r, e$, and $e'$ are in the two H-lists, and $s, s'$ are A's output, B can use the described method to extract the discrete logarithm of $h$ to the base $g$ modulo $q$.
Reduction result
B's advantage for extracting the discrete logarithm is $\approx \mathrm{Adv}(n)/\sqrt{q_H}$, which is non-negligible. B's time cost is $\approx 2(t(n) + q_H)/\mathrm{Adv}(n)$, where $t$ is the adversary's time for forging a signature. $\square$
Theorem 3 If the DL problem is hard relative to $\mathcal{G}$, then Construction 2 is existentially unforgeable under an adaptive chosen-message attack.
Proof The reduction technique will be essentially the same as that in the case of the non-adaptive attack. However, now A is also allowed to make $q_S$ signing queries in addition to random oracle queries. Hence B must, in addition to responding to random oracle queries, also respond to the signing queries with answers which can pass A's verification steps using $\mathrm{Vrfy}_{pk}$. B must do so even though he does not have possession of the signing key: the signing key is the very piece of information he is trying to obtain with A's help. B's procedure for signing is done via simulation. Therefore it suffices to show that under the random oracle model, B can indeed satisfy A's signing queries with perfect quality.
Since the signing algorithm uses a hash function which is modeled by a random oracle under the random oracle model, for each signing query $m$, B will choose a random element $r < q$ and make the random oracle query $(m, r)$ on behalf of A, and then return both the random oracle answer and the signing answer to A as follows.
B picks random integers $u, v$ less than $q - 1$, and sets
\[ r \leftarrow g^u h^v \pmod q, \]
\[ s \leftarrow -r v^{-1} \pmod{q - 1}, \]
\[ e \leftarrow -r u v^{-1} \pmod{q - 1}. \]
Note that the generation of a new $r$ by B for each signing query follows exactly the signing procedure; B should never reuse any $r$ which has been used previously.
B returns $e$ as the random oracle answer and $(r, e, s)$ as the signing answer. Note that the returned signature is indeed valid. Under the random oracle model, this simulated signature has the identical distribution to one issued by the signing algorithm which uses a random oracle in place of the hash function $H$. Therefore, A's forgery capacity should be fully released and the same reduction should also lead to a contradiction as desired.
B's advantage for extracting the discrete logarithm is $\approx 1/\sqrt{q_H}$, which is non-negligible. B's time cost is $\approx \big(2(t(n) + q_H \cdot \tau) + O_B(q_S \cdot n^3)\big)/\mathrm{Adv}(n)$, where $\tau$ is the time for answering an $H$ query and $O_B$ denotes bitwise order notation. $\square$
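The key-extraction step in the proof of Theorem 2 and the signing simulation in the proof of Theorem 3 can both be exercised on a toy instance of Construction 2. The following Python script is an added example, not code from the book: it assumes the constructed parameters $q = 2039$ (a safe prime, so $q - 1 = 2p$ with $p = 1019$, matching the "mod $p$" arithmetic above), SHA-256 reduced into $\mathbb{Z}_{q-1}$ as a stand-in for $H$, and function names of its own. Where the reduction obtains two forgeries on the same $(m, r)$ with different oracle answers $e \neq e'$, the script reaches the same algebraic situation by signing two messages with one nonce $l$, which is exactly the reuse of $r$ that the proof of Theorem 3 forbids; the simulated signature is checked with the oracle programmed to $e$, as B does for A.

```python
import hashlib
from math import gcd

# Constructed toy parameters (not secure): q is a safe prime, so q - 1 = 2p
# with p prime, which is the situation the text's "mod p" arithmetic assumes.
Q = 2039
P = 1019


def find_generator(q, p):
    """Smallest generator of Z_q^* when q - 1 = 2p (order must not divide 2 or p)."""
    for g in range(2, q):
        if pow(g, 2, q) != 1 and pow(g, p, q) != 1:
            return g
    raise ValueError("no generator found")


G = find_generator(Q, P)


def H(m, r, q=Q):
    """Stand-in for the random oracle H(m, r): SHA-256 reduced into Z_{q-1}."""
    digest = hashlib.sha256(f"{m}|{r}".encode()).digest()
    return int.from_bytes(digest, "big") % (q - 1)


def keygen(x):
    """Construction 2 Gen with the secret exponent x supplied (h = g^x)."""
    return pow(G, x, Q), x


def sign(x, m, l):
    """Construction 2 Sign with an explicit nonce l, gcd(l, q - 1) = 1."""
    assert 0 < l < Q - 1 and gcd(l, Q - 1) == 1
    r = pow(G, l, Q)
    e = H(m, r)
    s = (pow(l, -1, Q - 1) * (e - x * r)) % (Q - 1)
    return r, e, s


def verify(h, m, sig):
    """Construction 2 Vrfy: e = H(m, r) and h^r r^s = g^e (mod q)."""
    r, e, s = sig
    if not 0 < r < Q or e != H(m, r):
        return False
    return (pow(h, r, Q) * pow(r, s, Q)) % Q == pow(G, e, Q)


def extract_secret(h, sig1, sig2):
    """Key extraction from the proof of Theorem 2: two valid signatures sharing
    r (same l) with e != e' (mod p) give l = (e - e')/(s - s') and
    x = (e - l s)/r mod p; x mod (q - 1) follows by testing both lifts against h."""
    r, e1, s1 = sig1
    r2, e2, s2 = sig2
    if r != r2 or (e1 - e2) % P == 0 or r % P == 0:
        return None  # the pair is not usable for extraction
    l = ((e1 - e2) * pow((s1 - s2) % P, -1, P)) % P
    x_mod_p = ((e1 - l * s1) * pow(r % P, -1, P)) % P
    for x in (x_mod_p, x_mod_p + P):  # (q - 1)/p = 2, so only two lifts
        if pow(G, x, Q) == h:
            return x
    return None


def simulate_signature(h, u, v):
    """Signing simulation from the proof of Theorem 3 (no secret key used):
    r = g^u h^v (mod q), s = -r v^{-1}, e = -r u v^{-1} (mod q - 1)."""
    assert gcd(v, Q - 1) == 1
    r = (pow(G, u, Q) * pow(h, v, Q)) % Q
    v_inv = pow(v, -1, Q - 1)
    s = (-r * v_inv) % (Q - 1)
    e = (-r * u * v_inv) % (Q - 1)
    return r, e, s


def verify_with_programmed_oracle(h, sig):
    """Vrfy as A sees it once B has programmed the oracle so that H(m, r) = e."""
    r, e, s = sig
    return (pow(h, r, Q) * pow(r, s, Q)) % Q == pow(G, e, Q)


if __name__ == "__main__":
    h, x = keygen(123)
    sig_a = sign(x, "pay 5", 5)
    print("valid:", verify(h, "pay 5", sig_a))
    sig_b = sign(x, "pay 500", 5)          # same nonce l reused: same r
    print("recovered x:", extract_secret(h, sig_a, sig_b))
    fake = simulate_signature(h, 11, 13)
    print("simulated signature verifies:", verify_with_programmed_oracle(h, fake))
```

The simulated signature verifies only because B also controls the oracle answer for $(m, r)$; against a real hash function the equation $e = H(m, r)$ would fail, which is why the argument lives in the random oracle model.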
10.4 The RSA Signatures
The section discusses various RSA signature schemes including plain RSA,
full domain hash RSA, and probabilistic signature scheme.
10.4.1 Plain RSA
Construction 3. The plain RSA signature scheme
Let GenRSA be as in the text. Define a signature scheme as follows.
1. Gen: on input $1^n$, run $\mathrm{GenRSA}(1^n)$ to obtain $(N, e, d)$. The public key is $\langle N, e \rangle$ and the private key is $\langle N, d \rangle$.
2. Sign: on input a private key $sk = \langle N, d \rangle$ and a message $m \in \mathbb{Z}^*_N$, compute the signature as
\[ \sigma = [m^d \bmod N]. \]
3. Vrfy: on input a public key $pk = \langle N, e \rangle$, a message $m \in \mathbb{Z}^*_N$ and a signature $\sigma \in \mathbb{Z}^*_N$, output 1 if and only if
\[ m \stackrel{?}{=} [\sigma^e \bmod N]. \]
Theorem 4 The plain RSA signature scheme is existentially forgeable under
no-message attack.
Proof is omitted.
Theorem 5 The plain RSA signature scheme is existentially forgeable under
arbitrary message attack.
Proof is omitted.
10.4.2 Full Domain Hash RSA
Construction 4. The full domain hash RSA signature scheme
Let GenRSA be as in the text.
1. Gen: on input $1^n$, run $\mathrm{GenRSA}(1^n)$ to compute $(N, e, d)$. The public key is $\langle N, e \rangle$ and the private key is $\langle N, d \rangle$. As part of key generation, a function $H : \{0, 1\}^* \to \mathbb{Z}^*_N$ is specified, but we leave this implicit.
2. Sign: on input a private key $\langle N, d \rangle$ and a message $m \in \{0, 1\}^*$, compute
\[ \sigma = [H(m)^d \bmod N]. \]
3. Vrfy: on input a public key $\langle N, e \rangle$, a message $m$ and a signature $\sigma$, output 1 if and only if $\sigma^e \stackrel{?}{=} H(m) \bmod N$.
Note that this is called full domain hash because $H$ hashes a message to an image whose size equals the size of the RSA modulus.
Theorem 6 The full domain hash RSA signature scheme is existentially un-
forgeable under an adaptive chosen message attack.
Proof We establish the security of full domain hash RSA under the random oracle model by describing an algorithm B that would break the RSA assumption using a black-box algorithm A that breaks the security of FDH with at most $Q = \mathrm{poly}(N)$ queries. As usual, the proof establishes B's efficiency and non-negligible advantage.
Description of B
1. B gets an RSA challenge $N, e$, and $h \in \mathbb{Z}^*_N$. B wins if it produces $\sigma$ such that $\sigma^e = h$.
2. B gives $N$ and $e$ to A as the inputs for an FDH challenge.
3. B chooses $k \in_u \{1, \ldots, Q\}$ as a guess for which random oracle query A will use to produce a forgery.
4. When A makes a random oracle query for the hash of $m$, B determines an output as follows: if A has previously queried on $m$, return the previous answer. If not, return $H(m) = h$ if it is the $k$-th query and $H(m) = x_i^e$ for a random $x_i \in \mathbb{Z}^*_N$ otherwise.
5. When A makes a signature request for $m$, B quits if $m$ was the $k$-th random oracle query and returns $\sigma_m = x_j$ if $m$ was the query $j \neq k$.
6. If A forges $\sigma'$ on $m'$ for $m'$ not the $k$-th oracle query, quit. Otherwise $\sigma'^e = H(m') = h$, so B outputs $\sigma^* = \sigma' = h^{1/e}$ to the RSA challenger.
Since there is constant-time setup, a polynomial number of iterations of constant-time steps 4 and 5, and step 6, all bounded by the (polynomial) running time of A, B is efficient. B breaks the RSA assumption with non-negligible advantage (A's advantage divided by $Q$), because B has probability at least $1/Q$ of planting $h$ in the correct random oracle query and A (independent of B's construction) has non-negligible advantage of being successful. $\square$
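To see how B in the proof of Theorem 6 answers oracle and signing queries without the private exponent, here is an added Python example (not the book's code). It implements Construction 4 on the constructed toy modulus $N = 3233$, $e = 17$, $d = 2753$, with SHA-256 reduced into $\mathbb{Z}^*_N$ standing in for $H$, together with a class ReductionB that plants the challenge $h$ at the $k$-th fresh query and signs every other message with its stored $x_i$; the class and function names are the example's own.

```python
import hashlib
import random
from math import gcd

# Constructed toy RSA parameters (not secure): N = 61 * 53, e * d = 1 mod phi(N).
N, E, D = 3233, 17, 2753


def fdh_hash(m, n=N):
    """Full domain hash H: {0,1}* -> Z_N^*: SHA-256 reduced mod N, re-hashed
    with a counter until the result is a unit (the toy stand-in for H)."""
    ctr = 0
    while True:
        digest = hashlib.sha256(f"{ctr}|{m}".encode()).digest()
        v = int.from_bytes(digest, "big") % n
        if gcd(v, n) == 1:
            return v
        ctr += 1


def fdh_sign(m, d=D, n=N):
    """Construction 4 Sign: sigma = H(m)^d mod N."""
    return pow(fdh_hash(m, n), d, n)


def fdh_verify(m, sigma, e=E, n=N):
    """Construction 4 Vrfy: sigma^e = H(m) mod N."""
    return pow(sigma, e, n) == fdh_hash(m, n)


class ReductionB:
    """Algorithm B from the proof of Theorem 6, with the random oracle under its
    control. It plants the RSA challenge h at the k-th fresh oracle query and
    answers every other query with x_i^e so that it can later sign with x_i."""

    def __init__(self, n, e, h, k, seed=0):
        self.n, self.e, self.h, self.k = n, e, h, k
        self.rng = random.Random(seed)      # seeded so the run is reproducible
        self.table = {}                      # m -> (H(m), x_i or None)
        self.fresh_queries = 0

    def oracle(self, m):
        """Step 4: answer a random oracle query for H(m)."""
        if m in self.table:
            return self.table[m][0]
        self.fresh_queries += 1
        if self.fresh_queries == self.k:
            self.table[m] = (self.h, None)   # the planted challenge
        else:
            x = self.rng.randrange(2, self.n)
            while gcd(x, self.n) != 1:
                x = self.rng.randrange(2, self.n)
            self.table[m] = (pow(x, self.e, self.n), x)
        return self.table[m][0]

    def sign(self, m):
        """Step 5: B signs without d, or returns None when it must quit."""
        self.oracle(m)
        _, x = self.table[m]
        return x

    def finish(self, m_forged, sigma):
        """Step 6: hand back the e-th root of h if the forgery hit the k-th query."""
        hm, x = self.table.get(m_forged, (None, None))
        if hm != self.h or x is not None:
            return None
        if pow(sigma, self.e, self.n) != self.h:
            return None
        return sigma


if __name__ == "__main__":
    print("honest FDH:", fdh_verify("hello", fdh_sign("hello")))
    h = fdh_hash("challenge")                 # stands in for the RSA challenge
    B = ReductionB(N, E, h, k=2)
    print("H(m1) =", B.oracle("m1"), "signed without d:", B.sign("m1"))
    print("H(m2) = h:", B.oracle("m2") == h, "sign(m2) must quit:", B.sign("m2"))
```

The signature B returns for m1 passes Vrfy because $x_1^e$ is exactly what the oracle reported as $H(m_1)$; the signing request for m2 is the one B cannot serve, which is why a wrong guess of $k$ costs the reduction its run.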
10.4.3 Probabilistic Signature Scheme (PSS)
PSS [12] [35] has the same signature size as FDH-RSA but improved security over FDH-RSA. It has two variants: PSS (with appendix) and PSS-R (with message recovery). With minor modifications, these were standardized in IEEE P1363a and PKCS#1 v2.1, which are widely used in the real world.
Theorem 7 The probabilistic signature scheme is existentially unforgeable
under an adaptive chosen message attack.
Proof is omitted.
Theorem 8 The probabilistic signature scheme with message recovery is ex-
istentially unforgeable under an adaptive chosen message attack.
Proof is omitted.
10.5 Blockchain: Application of Hash Function and Public-Key Encryption
This section provides an overview of blockchain by dividing the history of blockchain into stages.
10.5.1 Blockchain 1.0: Early Development of Blockchain Technology
Blockchain has caught the attention of many people since its inception, through the very first concrete example of such technology: bitcoin [77]. There are many motivations to have blockchain, which itself combines several existing technologies: distributed ledgers, public-key encryption, Merkle tree hashing and consensus protocols. The first motivation originates from the existing financial transaction mechanism, wherein the financial institutions (a trusted third party (TTP)) charge high fees for financial transactions. There could be problems if this TTP is compromised by malicious attackers, which creates financial losses for the involved parties. It can be viewed as a typical "single point of failure." Besides, there is also a rising need for public auditability, in which all the participating nodes collaboratively audit the transactions to ensure no fraud happens. Another motivation to have blockchain is to enable immutable traceability of transactions. The traceability in blockchain is made possible through the use of a cryptographic hash function, wherein each block is linked with the previous block, creating almost irreversible records.
FIGURE 10.2
Simplified data flow in blockchain.
Figure 10.2 shows the simplified data flow in a blockchain network. A transaction can be initiated by any node in the blockchain network (Step 1). This transaction is first verified by the peers to ensure that it is coming from a legitimate node within the blockchain network (Step 2). A number of transactions are accumulated over time to form a large transaction block with a fixed size. This transaction block contains the hash of the previous transaction block, together with other relevant information (e.g., transaction data, public key of the sender, etc.). Based on this information, a consensus process is carried out to create a new block in the blockchain network (Step 3). Common consensus algorithms include Proof of Work, Proof of Stake, Practical Byzantine Fault Tolerance, etc. The consensus algorithm is sometimes referred to as the "mining" process, which became a popular topic due to the widespread adoption of bitcoin. Once the consensus process completes, a new block is created (Step 4) and the successful miner gets a reward in terms of cryptocurrency or other incentives. Finally, the new block is added into the blockchain network; all distributed ledgers in the peer nodes are then updated with this new information (the new block in the blockchain).
The first generation of blockchain is inspired by the seminal work [77] from Satoshi Nakamoto, which demonstrated a cryptocurrency that first solved the double spending problem. In bitcoin, elliptic curve cryptography (e.g., ECDSA) is usually used as the signature scheme. The public key in ECDSA is a unique address that serves as an identity for the specific node, while the private key is used to sign every transaction. The digital signature allows the nearby nodes to verify that the transaction originated from a valid and trusted node within the blockchain network. The consensus algorithm used in bitcoin is Proof of Work (PoW), which is used to approve the transaction; only the member who can solve a difficult puzzle can add this block into the blockchain. This consensus process is designed to protect against the Sybil attack, in which a minority creates a lot of pseudonymous identities to seize control of the network. PoW as used in bitcoin requires the participating nodes to solve a computationally difficult problem, which is explained briefly in the following paragraphs.
To allow a valid transaction block to be added into the blockchain, PoW consensus requires the participating nodes to compute a hash value that satisfies the relationship
\[ \mathit{FinalTargetHash} = \mathrm{SHA\text{-}512}(\mathit{PrevBlock} + \mathit{TX} + \mathit{Nonce}). \qquad (10.5) \]
A hash value is generated using the SHA-512 algorithm, which operates on the hash of the previous block, the current transactions, and a nonce (random number). The final target hash is a long random number with a predetermined number of trailing 0s. With this requirement, it is very difficult for a node to generate the final target hash; it has to keep changing the nonce until the final target hash is found. Bitcoin adjusts the difficulty of finding the final target hash by controlling the number of trailing 0s. In this way, only the node that has done sufficient work to successfully generate the final target hash can add this new block into the blockchain.
PoW in bitcoin is an expensive operation; it consumes a lot of computational power, which translates into enormous electrical energy consumption. Moreover, special equipment (e.g., Graphics Processing Unit (GPU), Field Programmable Gate Array (FPGA), and Application Specific Integrated Circuit (ASIC) chips) is required to perform PoW due to its complexity, which translates to huge monetary investment. To encourage more participants to contribute to PoW (and maintain the operation of blockchain consensus), bitcoin provides a monetary reward (in bitcoin currency) to the first node that successfully generates the final target hash. Table 10.2 shows the evolution of the various hardware platforms used to perform PoW mining. It shows that the CPU alone has no longer been a viable mining device since 2010, when the GPU gained popularity through its massively parallel architecture. Many mining activities make use of parallel implementations of the SHA-512 algorithm on GPUs to perform PoW. However, FPGAs overtook GPUs within a year, due to their flexibility in designing energy-efficient hardware for computing SHA-512. Since 2013, ASICs have become dominant in mining bitcoin; specialized chips are developed every year with many start-up companies/individuals joining this business. Although the GPU is out of favour in mining bitcoin, it is still popular among the niche communities that mine alternative crypto-currencies.
TABLE 10.2
Evolution of hardware platform for PoW mining in bitcoin [2].
Hardware | Introduction | Hash Rate (h/s)   | Energy Efficiency (h/J)
CPU      | 2009         | 10^5 - 10^8       | 10^4 - 10^5
GPU      | Late 2010    | 10^6 - 10^9       | 10^5 - 10^6
FPGA     | Mid 2011     | 10^8 - 10^10      | 10^7
ASIC     | Early 2013   | 10^10 - 10^13     | 10^8 - 10^10
10.5.1.1 The Use of Cryptography in Blockchain
FIGURE 10.3
Blockchain data structure. (Blocks n-1, n and n+1 each carry the hash of the previous block and a Merkle root; the Merkle tree hashes the transaction list TX1, TX2, TX3, TX4 pairwise into Hash 1-2 and Hash 3-4, and those into the Merkle root.)
Referring to Figure 10.3, each transaction block is linked with the block before it through the use of a cryptographic hash function. Moreover, the Merkle root hash is built upon the Merkle tree, which consists of many transactions' information. To modify one of the transaction records in the blockchain, one must generate a lot of valid blocks through PoW and overwrite the subsequent blocks. This is too costly to achieve as the PoW is very time/energy/money consuming. Hence, blockchain can be viewed as an immutable solution for many applications: a clever use of the pre-image resistance property of hash functions. On the other hand, public-key cryptography is used as a digital signature to authenticate the transactions in blockchain. Each blockchain node (user) is identified through its public key, which serves as an address in communication.
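The hash chain and Merkle tree of Figure 10.3 and the PoW rule of equation (10.5) are small enough to model end to end. The following Python script is an added example, not the book's or bitcoin's own code: it follows the text's simplified model (SHA-512, the transaction list summarised by its Merkle root, and a target expressed as a number of trailing zero hex digits), with constructed transactions TX1 to TX6 and names chosen for the example. The validation routine is the check every peer performs; the tampering routine shows why editing one transaction without re-mining every later block breaks the chain.

```python
import hashlib
import json

# Toy model of the data structure in Figure 10.3 and the PoW rule in (10.5),
# written as an illustration (not bitcoin's actual formats): SHA-512 everywhere,
# and "meets the target" means the digest ends with DIFFICULTY zero hex digits,
# following the text's description of trailing zeros.
DIFFICULTY = 2
GENESIS_PREV = "0" * 128          # predecessor hash of the first block


def sha512_hex(data):
    return hashlib.sha512(data.encode()).hexdigest()


def merkle_root(txs):
    """Merkle root of a transaction list: leaves are H(tx), inner nodes are
    H(left || right); an odd level duplicates its last node."""
    if not txs:
        return sha512_hex("")
    level = [sha512_hex(tx) for tx in txs]
    while len(level) > 1:
        if len(level) % 2 == 1:
            level.append(level[-1])
        level = [sha512_hex(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]


def block_hash(prev_hash, txs, nonce):
    """Equation (10.5): SHA-512(PrevBlock + TX + Nonce), with TX as the Merkle root."""
    return sha512_hex(prev_hash + merkle_root(txs) + str(nonce))


def meets_target(digest, difficulty=DIFFICULTY):
    return digest.endswith("0" * difficulty)


def mine_block(prev_hash, txs, difficulty=DIFFICULTY):
    """Proof of Work: increase the nonce until the block hash meets the target."""
    nonce = 0
    while not meets_target(block_hash(prev_hash, txs, nonce), difficulty):
        nonce += 1
    return {"prev_hash": prev_hash, "txs": list(txs), "nonce": nonce,
            "hash": block_hash(prev_hash, txs, nonce)}


def build_chain(tx_batches, difficulty=DIFFICULTY):
    chain = []
    prev = GENESIS_PREV
    for txs in tx_batches:
        block = mine_block(prev, txs, difficulty)
        chain.append(block)
        prev = block["hash"]
    return chain


def validate_chain(chain, difficulty=DIFFICULTY):
    """What every peer re-checks: each block's hash is recomputed from its own
    contents, meets the PoW target, and matches the next block's prev_hash."""
    prev = GENESIS_PREV
    for block in chain:
        recomputed = block_hash(block["prev_hash"], block["txs"], block["nonce"])
        if block["prev_hash"] != prev or block["hash"] != recomputed:
            return False
        if not meets_target(recomputed, difficulty):
            return False
        prev = block["hash"]
    return True


def tamper_then_validate(chain, block_index, tx_index, new_tx):
    """Edit one transaction in a copy without re-mining: the Merkle root, the
    block hash, and every later prev_hash link no longer agree."""
    copy = json.loads(json.dumps(chain))
    copy[block_index]["txs"][tx_index] = new_tx
    return validate_chain(copy)


if __name__ == "__main__":
    # Constructed sample transactions, as in Figure 10.3.
    chain = build_chain([["TX1", "TX2", "TX3", "TX4"], ["TX5", "TX6"]])
    print("nonces found:", [b["nonce"] for b in chain])
    print("valid:", validate_chain(chain))
    print("after tampering with TX1:", tamper_then_validate(chain, 0, 0, "TX1'"))
```

Re-mining the edited block alone is not enough either: its new hash no longer matches the prev_hash stored in the following block, so an attacker has to redo the PoW of every later block, which is the cost argument the paragraph above makes.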
10.5.1.2 Other Consensus Algorithms
Besides PoW, there are other popular consensus algorithms like Proof-of-Stake (PoS) and Proof-of-Storage (PoSt). PoS allows a node to generate a new block with probability proportional to its proven ownership of digital assets (e.g., digital currencies). When the share of assets that a node holds within the system grows, it has a higher chance to approve the next generated block. This consensus algorithm is developed based on the assumption that users with a larger share of the digital assets are more trustworthy during the verification process. On the other hand, PoSt uses storage space as the proof to gain a higher probability of successfully generating a new block. Compared to PoW, these two consensus algorithms do not need to perform a lot of computation, so they are more energy friendly.
The strengths of bitcoin as a cryptocurrency include:
1. Cryptographically secure with the use of public-key cryptography (authentication).
2. Publicly verifiable transactions through the public distributed ledger. This is a decentralized currency, which contrasts with conventional currency.
3. Resists the Sybil attack: at least 51% of the nodes need to be malicious to break the consensus process.
4. (Almost) impossible to tamper with the public ledger, due to the properties (pre-image and collision resistance) of the hash function.
However, bitcoin also comes with a lot of limitations:
1. Slow transactions due to the time taken to organize many transactions into a block, and the time for performing the PoW consensus.
2. Huge amount of energy required to store the public distributed ledger.
3. Enormous energy consumed to perform PoW mining: the energy is spent to perform meaningless computation!
4. Bitcoin identifies each node (user) through the public key, not the real personal identity. Hence, it is difficult to trace the real identity of a bitcoin user: will this encourage illegal activities like money laundering or ransomware? [96]
Bitcoin is the first version of blockchain that utilizes such a communication framework to exchange money. Hence, it is also the first cryptocurrency, which is designed to challenge the traditional monetary system. However, is blockchain only good at trading money?
10.5.2 Blockchain 2.0: Smart Contract Beyond Cryptocurrency
Smart contract is a concept introduced after the proliferation of bitcoin, which marks the evolution of blockchain 1.0 into blockchain 2.0. Instead of trading money as in cryptocurrencies, smart contracts can be used to trade "computer programs." This opens up many innovative applications wherein the blockchain is employed to manage the trading of various data. Ethereum [1] is one of the earliest platforms that provide smart contract services. Smart contracts still work under the same blockchain framework wherein the transactions are validated by peer nodes and agreed through the consensus algorithm. The key feature that separates smart contracts from the earlier blockchain is the automation of some agreed work between many parties that do not trust each other. For instance, the smart contract can be in the form of computer scripts or code that execute some functions when the conditions are met. It can also be a contract that can be partially or fully executed or enforced without human interaction. One example is the use of smart contracts in the supply chain and logistics industry. Suppose that the supply chain network employs blockchain in its management system. We can use robots with artificial intelligence (AI) to inspect the container and rank the quality of the delivered goods, then execute the smart contract based on the outcome of the inspection. The payment will be transferred automatically or withheld due to quality issues.
10.5.3 Private, Consortium, and Public Blockchain
In practical applications, blockchain can be implemented in three architectures: private, consortium, and public blockchain [95]. Bitcoin is the most successful example of a public blockchain, wherein the transactions are completely decentralized through establishing a distributed P2P network. Direct transactions are allowed between every node within the network. The validation process is also achieved through decentralized consensus, in which the miner who successfully mines the valid block is determined in a random way. This fully decentralized architecture is generally slower in transaction speed, but it is very flexible as anyone can join the network and transact freely. This also makes it a popular choice for implementing cryptocurrencies. However, such an architecture is difficult to scale when the number of users increases. In other words, it may not be suitable for applications that have many users and require fast transaction speed.
On the other hand, a private blockchain does not allow public participation; only a limited set of trusted nodes can access it. This would normally be considered a non-properly working design in blockchain, as it runs contrary to the principle of blockchain (decentralization). However, it is useful when the applications do not involve many parties. Since all nodes are trusted, lightweight consensus can be employed to improve the communication efficiency. Such an architecture also allows the user to preserve privacy (important for enterprises) and at the same time enjoy other features of blockchain (e.g., verifiability and anti-tampering). It is popular among enterprises and organizations that only use blockchain for their own business operations.
Consortium blockchain lies between private and public blockchain: it is fully decentralized (like public blockchain) but the number of participating nodes is limited (like private blockchain). This architecture allows faster transaction speed compared to public blockchain, because the node set is not growing dynamically, so a simpler consensus algorithm can be used. Consortium blockchain may assign different roles to the participating nodes in hierarchical form. For instance, the participating nodes are divided into validating and transaction nodes, in which only validating nodes are involved in the consensus process. This can effectively govern the transactions while at the same time maintaining a certain degree of decentralization. It is commonly used for transactions across multiple enterprises and organizations.
Exercises
10.1 Describe intuitively why RSA one-wayness does not guarantee the un-
forgeability of RSA signature when it uses non-full domain hash.
10.2 Prove Theorem 1.
10.3 Prove Theorem 4.
10.4 Prove Theorem 5.
10.5 Prove Theorem 7.
10.6 Prove Theorem 8.
Part II
Identity-Based Encryption
and Its Variants
11
Identity-Based Encryption (1)
CONTENTS
11.1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181
11.2 Preliminaries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183
11.2.1 Bilinear Map (Weil and Tate Pairing) . . . . . . . . . . . . . . . . . . 183
11.2.2 Hardness Assumption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184
11.3 Identity-Based Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184
11.4 Boneh-Franklin IBE [24] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185
The basics of identity-based encryption (IBE) are studied in this chapter. The chapter begins with a comparison between public-key infrastructure and identity-based encryption. The next part of the chapter defines the preliminaries, which include the bilinear map and hardness assumptions. Subsequently, identity-based encryption is defined. Identity-based encryption is a type of public key encryption in which the public key is based on unique information about the owner's identity. The construction of the Boneh-Franklin IBE scheme then proceeds in two steps, BasicIdent and FullIdent.
11.1 Overview
Comparison of PKI and IBE Figure 11.1 and Table 11.1 compare PKI and IBE. Note that the key escrow problem is inherent in IBE because the PKG (Private Key Generator), which can obtain the secret key of any user, can decrypt any ciphertext.
Comparison of security models between PKI and IBE. Unlike in PKIs, the adversary in IBEs is allowed to place an additional key extraction query, with an identity as input, and receive the corresponding private key as the output, as shown in Figure 11.2.
FIGURE 11.1
Comparison of PKI and IBE.
FIGURE 11.2
Comparison of security models.
TABLE 11.1
Comparison of PKI and IBE.
Public-key infrastructure                                      | Identity-based encryption
Public key is represented by a random string                   | ID string can serve as a public key
Key pairs are generated by users                               | IDs can be selected by users
Certificate Authority issues certificates for the public keys  | Private Key Generator generates private keys for users
11.2 Preliminaries
This section defines preliminaries that are frequently used in identity-based
encryptions.
11.2.1 Bilinear Map (Weil and Tate Pairing)
Let $G_1$, $G_1'$, and $G_2$ be three groups of order $q$ for some large prime $q$. A bilinear map $\hat{e}$ is a map $\hat{e}: G_1 \times G_1' \to G_2$ which satisfies the following properties:
1. Bilinear: For all $P \in G_1$, $Q \in G_1'$, and $a, b \in \mathbb{Z}^*_q$, $\hat{e}(aP, bQ) = \hat{e}(P, Q)^{ab}$.
2. Non-degeneracy: $\hat{e}(P, Q) \neq 1$. That is, the map does not send all pairs in $G_1 \times G_1'$ to the identity in $G_2$.
3. Computability: There exists an efficient algorithm to compute $\hat{e}(P, Q)$ for all $P \in G_1$ and $Q \in G_1'$.
There are three types of bilinear maps as follows:
1. Type-1: $G_1 = G_1'$.
2. Type-2: $G_1 \neq G_1'$ and there is an efficiently computable homomorphic function $\phi : G_1' \to G_1$.
3. Type-3: $G_1 \neq G_1'$ and there is no efficiently computable homomorphic function.
Decisional Diffie-Hellman problem is easy The decisional Diffie-Hellman problem in $G_1$ is to distinguish between the distributions $\langle P, aP, bP, abP \rangle$ and $\langle P, aP, bP, cP \rangle$, where $a, b, c$ are random in $\mathbb{Z}^*_q$ and $P$ is random in $G_1^*$. DDH in $G_1$ is easy because given $P, aP, bP, cP \in G_1^*$, we have $c = ab \bmod q \Leftrightarrow \hat{e}(P, cP) = \hat{e}(aP, bP)$. Note that $G_1^* = G_1 \setminus \{O\}$ where $O$ is the identity element in the group $G_1$.
11.2.2 Hardness Assumption
Since the DDH problem in G1 is easy, we cannot use DDH to build cryp-
tosystems in the group G1 . Instead, the security of the Boneh-Franklin IBE
scheme is based on a variant of the CDH assumption called the BDH (Bilinear
Diffie-Hellman) assumption.
Bilinear Diffie-Hellman problem Let $G_1$ and $G_2$ be two groups of prime order $q$ for some large prime $q$. Let $\hat{e}: G_1 \times G_1 \to G_2$ be a bilinear map and let $P$ be a generator of $G_1$. Given $\langle P, aP, bP, cP \rangle$ for some $a, b, c \in \mathbb{Z}^*_q$, it is hard to compute $W = \hat{e}(P, P)^{abc} \in G_2$.
Bilinear Diffie-Hellman assumption Let $\mathcal{G}$ be a BDH parameter generator. We say that an algorithm A has an advantage $\epsilon(k)$ in solving the BDH problem for $\mathcal{G}$ if for sufficiently large $k$,
\[ \mathrm{Adv}_{\mathcal{G},A}(k) = \Pr\big[A(q, G_1, G_2, \hat{e}, P, aP, bP, cP) = \hat{e}(P, P)^{abc} \,\big|\, \langle q, G_1, G_2, \hat{e} \rangle \leftarrow \mathcal{G}(1^k),\ P \leftarrow G_1^*,\ a, b, c \leftarrow \mathbb{Z}^*_q\big] \geq \epsilon(k). \]
We say that $\mathcal{G}$ satisfies the BDH assumption if for any randomized polynomial time (in $k$) algorithm A we have that $\mathrm{Adv}_{\mathcal{G},A}(k)$ is a negligible function. When $\mathcal{G}$ satisfies the BDH assumption, we say that BDH is hard in groups generated by $\mathcal{G}$.
11.3 Identity-Based Encryption
Identity-based encryption is a type of public key encryption. In this case, the public key is based on unique information about the owner's identity such as the name, email address, or employee ID of the user. Identity-based encryption uses a central authority to generate the users' private keys, which are based on their unique identification. This central authority also generates the master public key and master private key. The master public key is used by all the users to compute another user's public key without requiring them to communicate with each other. In order to set up a new user in identity-based encryption, the new user must contact the central authority to retrieve the master public key. After that the user combines the master public key with their identity value to create their public key. Afterward, the user must simply contact the central authority to generate their private key.
11.4 Boneh-Franklin IBE [24]
Construction of the IBE scheme proceeds in two steps. In the first step a scheme called BasicIdent is developed and shown to be IND-ID-CPA-secure. The security analysis of this scheme shows how to simulate the key extraction queries made by an adversary. In the second step, BasicIdent is further developed into a scheme called FullIdent, which is IND-ID-CCA-secure. Both schemes use certain hash functions, and the security reduction models these hash functions as random oracles.
Full-ID (aka Adaptive-ID) security vs. selective-ID security In the selective-ID model, the adversary commits to a target identity at an initialization step before the system is set up. Compared to the security model in which the adversary may choose the target identity adaptively, this is a weaker notion of security for identity-based encryption schemes (see Figure 11.3).
FIGURE 11.3
Comparison of full vs. selective security.
IND-ID-CCA game for an IBE scheme¹
1. Setup Given the security parameter k, the challenger runs the Setup
algorithm of the IBE. It provides A with the public system param-
eters PP while keeping the master key msk to itself.
2. Phase I A makes a finite number of queries where each query is
one of the following two types:
(a) key-extraction query (id): This query is placed to the key-
extraction oracle Ok . Questioned on id, Ok generates a private
key did of id and returns it to A. The Key-Gen algorithm is
probabilistic and so if it is queried more than once on the same
identity, then it may provide different (but valid) decryption
keys.
(b) decryption query (id,C): This query is placed to the decryp-
tion oracle Od . It returns the resulting plaintext or ⊥ if the
ciphertext cannot be decrypted.
A is allowed to make these queries adaptively, i.e., any query may
depend on the previous queries as well as their answers.
3. Challenge A outputs an identity id∗ and two equal-length messages M0, M1, under the (obvious) constraint that it has not asked for the private key of id∗. The challenger responds with C∗, the output of the Encrypt algorithm on input (Mγ, id∗, PP), where γ is a random bit.
4. Phase II A issues additional queries just like Phase I, with the
obvious restriction that it cannot place a decryption query for the
decryption of C ∗ under id∗ or any of its prefixes nor a key-extraction
query for the private key of id∗ . The challenger responds as in Phase
I.
5. Guess A outputs its guess γ′ of γ.
Definition 1 The advantage of $\mathcal{A}$ in attacking an IBE scheme $\Pi$ is defined as
\[
\mathrm{Adv}_{\mathcal{A},\Pi} = \left|\Pr[\gamma = \gamma'] - 1/2\right|. \tag{11.1}
\]
Definition 2 An IBE scheme $\Pi = (\text{Key-Gen}, \text{Encrypt}, \text{Decrypt})$ is said to be $(t, q_{id}, q_C, \varepsilon)$-secure against adaptive chosen ciphertext attack if for any $t$-time adversary $\mathcal{A}$ that makes at most $q_{id}$ private-key queries and at most $q_C$ decryption queries,
\[
\mathrm{Adv}_{\mathcal{A},\Pi} \le \varepsilon. \tag{11.2}
\]
¹ The description of the IND-ID-CPA game for an IBE scheme is similar to this game, except that the adversary is not allowed access to the decryption oracle $O_d$. The description of the IND-sID-CCA game for an IBE scheme is similar to this game, except that (1) at an additional initialization stage before the setup stage, the adversary $\mathcal{A}$ outputs a target identity tuple $id^* = (id_1^*, id_2^*, \ldots, id_u^*)$ on which it will attack, before even seeing the system's public parameters, and (2) at the challenge stage, the adversary outputs two messages $M_0, M_1$ only.
Construction 1. BasicIdent
Setup Given a security parameter $k \in \mathbb{Z}^+$
1. Run $\mathcal{G}$ on input $k$ to generate a prime $q$ ($|q| = k$), two groups $G_1$, $G_2$ of order $q$, and a bilinear map $\hat e: G_1 \times G_1 \to G_2$. Choose a random generator $P \in G_1$.
2. Pick a random $s \in \mathbb{Z}_q^*$ and set $P_{pub} = sP$.
3. Choose hash functions $H_1: \{0,1\}^* \to G_1^*$ and $H_2: G_2 \to \{0,1\}^n$.
4. The system parameters are $params = (q, G_1, G_2, \hat e, n, P, P_{pub}, H_1, H_2)$.
5. The master-key is $s \in \mathbb{Z}_q^*$.
Note 1: $G_1$ is a subgroup of the additive group of points of an elliptic curve $E/\mathbb{F}_p$. $G_2$ is a subgroup of the multiplicative group of a finite field $\mathbb{F}_{p^2}$.
Extract For a given string $ID \in \{0,1\}^*$
1. Compute $Q_{ID} = H_1(ID) \in G_1^*$.
2. Set the private key $d_{ID}$ to be $d_{ID} = sQ_{ID}$, where $s$ is the master key.
Note 2: $H_1$ is not a general hash function mapping strings to integers, but a map-to-point hash function mapping strings to points in $G_1$.
Encrypt Message $M \in \mathcal{M}$ and public key $ID$
1. Compute $Q_{ID} = H_1(ID) \in G_1^*$.
2. Choose a random $r \in \mathbb{Z}_q^*$.
3. Set the ciphertext to be $C = \langle rP,\ M \oplus H_2(g_{ID}^{\,r})\rangle$, where $g_{ID} = \hat e(Q_{ID}, P_{pub}) \in G_2^*$.
Decrypt Ciphertext $C = \langle U, V\rangle \in \mathcal{C}$, public key $ID$ and private key $d_{ID} \in G_1^*$; compute $V \oplus H_2(\hat e(d_{ID}, U)) = M$.
Theorem 1 (Cascade Reduction) Construction 1 is IND-ID-CPA-secure in the random oracle model. That is, suppose the hash functions $H_1$, $H_2$ are random oracles. Then BasicIdent is a semantically secure identity-based encryption scheme (IND-ID-CPA) assuming BDH is hard in groups generated by $\mathcal{G}$. Concretely, suppose there is an IND-ID-CPA adversary $\mathcal{A}$ that has advantage $\varepsilon(k)$ against the scheme BasicIdent. Suppose $\mathcal{A}$ makes at most $q_E > 0$ private key extraction queries and $q_{H_2} > 0$ hash queries to $H_2$. Then there is an algorithm $\mathcal{B}$ that solves BDH in groups generated by $\mathcal{G}$ with advantage at least
\[
\mathrm{Adv}_{\mathcal{G},\mathcal{B}}(k) \ge \frac{2\varepsilon(k)}{e(1 + q_E)\cdot q_{H_2}}, \tag{11.3}
\]
where $e \approx 2.71$ is the base of the natural logarithm. The running time of $\mathcal{B}$ is $O(\mathrm{time}(\mathcal{A}))$.
Proof
Outline of the Proof IND-ID-CPA security of BasicIdent is proved assuming $H_1$ and $H_2$ to be random oracles. The proof uses a public key encryption scheme called BasicPub. Let $\mathcal{A}_1$ be an IND-ID-CPA adversary against BasicIdent, $\mathcal{A}_2$ an IND-CPA adversary against BasicPub, and $\mathcal{B}$ an algorithm that solves the given BDH problem. The reduction proceeds in two steps, as shown in Figure 11.4. In the first game, in Lemma 1, $\mathcal{A}_1$ is used to construct $\mathcal{A}_2$. In the next step, in Lemma 2, $\mathcal{A}_2$ is used to construct $\mathcal{B}$. Through this two-stage reduction, an advantage of $\mathcal{A}_1$ against BasicIdent can be converted to (roughly) an advantage of $\mathcal{B}$ against the BDH problem. It means that if the advantage of $\mathcal{A}_1$ is non-negligible, then one can solve the BDH problem with non-negligible probability of success. However, the existence of such a $\mathcal{B}$ contradicts the assumption that the BDH problem is computationally hard. So there is no such $\mathcal{B}$, and hence no such $\mathcal{A}_2$ and $\mathcal{A}_1$.
FIGURE 11.4
High-level overview of reductions (1).
Given an instance of the BDH problem, the challenger sets up the IBE scheme and provides the public parameters of the PKG to the adversary. The solution to the BDH problem corresponds to the master secret key of the PKG. But the challenger does not actually know the master secret key. To force the adversary to output the solution, the challenger has to answer the adversary's queries with some quality (note that in this case the quality may not be perfect).
Partitioning the identity space The problem is, how does the challenger
answer key extraction queries made by the adversary and also generate a
proper challenge ciphertext even without the knowledge of the master secret
key of the PKG? This is handled by randomly partitioning the identity space
into two disjoint subsets as shown in Figure 11.5. For one part, the challenger
generates challenge ciphertexts while for the other part the challenger answers
key extraction queries. If the adversary asks for a private key of an identity
for which it is not possible to generate the private key, the simulator aborts
(i.e., reports failure and terminates). Similarly, if the adversary provides a
challenge identity for which the simulator is unable to generate a ciphertext,
the simulator aborts.
FIGURE 11.5
Implicit partition of the identity space done by the security reduction.
Construction 2. BasicPub
Gen Given a security parameter $k \in \mathbb{Z}^+$
1. Run $\mathcal{G}$ on input $k$ to generate a prime $q$ ($|q| = k$), two groups $G_1$, $G_2$ of order $q$, and a bilinear map $\hat e: G_1 \times G_1 \to G_2$. Choose a random generator $P \in G_1$.
2. Pick a random $s \in \mathbb{Z}_q^*$ and set $P_{pub} = sP$. Pick a random $Q_{ID} \in G_1^*$.
3. Choose a hash function $H_2: G_2 \to \{0,1\}^n$.
4. The public key is $(q, G_1, G_2, \hat e, n, P, P_{pub}, Q_{ID}, H_2)$. The private key is $d_{ID} = sQ_{ID} \in G_1^*$.
Encrypt Message $M \in \{0,1\}^n$; choose a random $r \in \mathbb{Z}_q^*$ and set the ciphertext to be $C = \langle rP,\ M \oplus H_2(g^r)\rangle$, where $g = \hat e(Q_{ID}, P_{pub}) \in G_2^*$.
Decrypt Ciphertext $C = \langle U, V\rangle \in \mathcal{C}$, public key $(q, G_1, G_2, \hat e, n, P, P_{pub}, Q_{ID}, H_2)$ and private key $d_{ID} \in G_1^*$; compute $V \oplus H_2(\hat e(d_{ID}, U)) = M$.
Note: For some identity $id$ in BasicIdent, $H_1(id)$ is mapped to $Q_{id}$ of BasicPub. The Gen, Encrypt, and Decrypt algorithms of BasicPub essentially correspond to those of BasicIdent for the identity $id$, respectively.
Lemma 1 Let $H_1$ be a random oracle from $\{0,1\}^*$ to $G_1^*$. Let $\mathcal{A}_1$ be an IND-ID-CPA adversary that has advantage $\varepsilon(k)$ against BasicIdent. Suppose $\mathcal{A}_1$ makes at most $q_E > 0$ private key extraction queries. Then there is an IND-CPA adversary $\mathcal{A}_2$ that has advantage at least $\varepsilon(k)/e(1 + q_E)$ against BasicPub. Its running time is $O(\mathrm{time}(\mathcal{A}_1))$.
Note that although $\mathcal{A}_2$ solves the problem for the given (i.e., fixed) $ID$, $\mathcal{A}_1$ cannot solve the problem for any $ID$ (i.e., $ID_{ch}$) of its own selection.
Definition 3 If $\mathcal{A}_2$ does not abort the above game, then from the viewpoint of $\mathcal{A}_1$ the situation is identical to that of a real attack. Furthermore, if $\mathcal{A}_2$ does not abort then we have
\[
\left|\Pr[\gamma = \gamma'] - 1/2\right| \ge \varepsilon, \tag{11.4}
\]
where $\varepsilon$ is the advantage of $\mathcal{A}_1$ against BasicIdent by Definition 1.
Now it remains to calculate the probability that $\mathcal{A}_2$ does not abort during the simulation. Suppose $\mathcal{A}_1$ makes a total of $q_E$ private key extraction queries. The probability that $\mathcal{A}_2$ does not abort in Phase I or II is $\delta^{q_E}$. The probability that $\mathcal{A}_2$ does not abort in the challenge step is $1 - \delta$. Therefore, the probability that $\mathcal{A}_2$ does not abort during the simulation is $\delta^{q_E}(1 - \delta)$, which is maximized at $\delta = \delta_{opt} = 1 - 1/(q_E + 1) = q_E/(q_E + 1)$. Using $\delta_{opt}$, the probability that $\mathcal{A}_2$ does not abort is
\[
\delta_{opt}^{\,q_E}(1 - \delta_{opt}) = \left(\frac{q_E}{q_E + 1}\right)^{q_E}\left(\frac{1}{q_E + 1}\right) = \left(1 + \frac{1}{q_E}\right)^{-q_E}\left(\frac{1}{q_E + 1}\right) > \frac{1}{e(1 + q_E)},
\]
where $e$ is the base of natural logarithms. This shows that $\mathcal{A}_2$'s advantage is at least $\varepsilon/e(1 + q_E)$.
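The choice of $\delta_{opt}$ in the calculation above is a one-variable maximization; the step is worked out here as an added derivation in the lemma's own symbols, not as text from the book. For $f(\delta) = \delta^{q_E}(1 - \delta)$ on $0 < \delta < 1$,
\[
f'(\delta) = q_E\,\delta^{q_E - 1}(1 - \delta) - \delta^{q_E} = \delta^{q_E - 1}\big(q_E - (q_E + 1)\delta\big),
\]
which vanishes exactly at $\delta = q_E/(q_E + 1)$, is positive to the left of that point and negative to the right, so $\delta_{opt} = q_E/(q_E + 1)$ is the maximum. The final inequality in the text uses $(1 + 1/q_E)^{q_E} < e$ for every $q_E \ge 1$, hence $(1 + 1/q_E)^{-q_E} > 1/e$ and
\[
\delta_{opt}^{\,q_E}(1 - \delta_{opt}) > \frac{1}{e}\cdot\frac{1}{q_E + 1} = \frac{1}{e(1 + q_E)}.
\]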
Lemma 2 Let $H_2$ be a random oracle from $G_2^*$ to $\{0,1\}^n$. Let $\mathcal{A}_2$ be an IND-CPA adversary that has advantage $\varepsilon(k)$ against BasicPub. Suppose $\mathcal{A}_2$ makes a total of $q_{H_2} > 0$ queries to $H_2$. Then there is an algorithm $\mathcal{B}$ that solves the BDH problem for $\mathcal{G}$ with advantage at least $2\varepsilon(k)/q_{H_2}$ and running time $O(\mathrm{time}(\mathcal{A}_2))$.
Algorithm $\mathcal{B}$ simulates a real attack environment for algorithm $\mathcal{A}_2$ (it simulates the challenger and the oracle for $H_2$), as shown in Figure 11.6. We show that $\mathcal{B}$ outputs the correct answer $D$ with probability at least $2\varepsilon/q_{H_2}$, as required. The proof is based on comparing $\mathcal{A}_2$'s behavior in the simulation to its behavior in a real IND-CPA attack game (against a real challenger and a real random oracle for $H_2$).
Let $\mathcal{H}$ be the event that algorithm $\mathcal{A}_2$ issues a query for $H_2(D)$ at some point during the simulation above (this implies that at the end of the simulation $D$ appears in some tuple on the $H_2^{list}$). By Claims 1 and 2 below, we know that $\Pr[\mathcal{H}] \ge 2\varepsilon$ in the simulation above. Hence, at the end of the simulation, $D$ appears in some tuple on the $H_2^{list}$ with probability at least $2\varepsilon$.
Claim 1 $\Pr[\mathcal{H}]$ in the simulation above is equal to $\Pr[\mathcal{H}]$ in the real attack.
Proof Let $\mathcal{H}_\ell$ be the event that $\mathcal{A}_2$ makes a query for $H_2(D)$ in one of its first $\ell$ queries to the $H_2$ oracle. We prove by induction on $\ell$ that $\Pr[\mathcal{H}_\ell]$ in the real attack is equal to $\Pr[\mathcal{H}_\ell]$ in the simulation for all $\ell > 0$. Clearly $\Pr[\mathcal{H}_0] = 0$ both in the simulation and in the real attack. Now suppose that for some $\ell > 0$ we have that $\Pr[\mathcal{H}_{\ell-1}]$ in the simulation is equal to $\Pr[\mathcal{H}_{\ell-1}]$ in the real attack. We show that the same holds for $\Pr[\mathcal{H}_\ell]$. We know that
\[
\begin{aligned}
\Pr[\mathcal{H}_\ell] &= \Pr[\mathcal{H}_\ell \mid \mathcal{H}_{\ell-1}]\Pr[\mathcal{H}_{\ell-1}] + \Pr[\mathcal{H}_\ell \mid \neg\mathcal{H}_{\ell-1}]\Pr[\neg\mathcal{H}_{\ell-1}] \\
&= \Pr[\mathcal{H}_{\ell-1}] + \Pr[\mathcal{H}_\ell \mid \neg\mathcal{H}_{\ell-1}]\Pr[\neg\mathcal{H}_{\ell-1}].
\end{aligned} \tag{11.5}
\]
We argue that $\Pr[\mathcal{H}_\ell \mid \neg\mathcal{H}_{\ell-1}]$ in the simulation is equal to $\Pr[\mathcal{H}_\ell \mid \neg\mathcal{H}_{\ell-1}]$ in the real attack. To see this, observe that as long as $\mathcal{A}_2$ does not issue a query for $H_2(D)$, its view during the simulation is identical to its view in the real attack (against a real challenger and a real random oracle for $H_2$). Indeed, the public key and the challenge are distributed as in the real attack. Similarly, all responses to $H_2$-queries are uniform and independent in $\{0,1\}^n$. Therefore, $\Pr[\mathcal{H}_\ell \mid \neg\mathcal{H}_{\ell-1}]$ in the simulation is equal to $\Pr[\mathcal{H}_\ell \mid \neg\mathcal{H}_{\ell-1}]$ in the real attack. It follows by (11.5) and the inductive hypothesis that $\Pr[\mathcal{H}_\ell]$ in the real attack is equal to $\Pr[\mathcal{H}_\ell]$ in the simulation. By induction on $\ell$ we obtain that $\Pr[\mathcal{H}]$ in the real attack is equal to $\Pr[\mathcal{H}]$ in the simulation.
Claim 2 In the real attack we have $\Pr[\mathcal{H}] \ge 2\varepsilon$.
Proof In the real attack, if $\mathcal{A}_2$ never issues a query for $H_2(D)$ then the decryption of $C$ is independent of $\mathcal{A}_2$'s view (since $H_2(D)$ is independent of $\mathcal{A}_2$'s view). Therefore, in the real attack $\Pr[\gamma = \gamma' \mid \neg\mathcal{H}] = 1/2$. By Definition 3 of $\mathcal{A}_2$, we know that in the real attack $|\Pr[\gamma = \gamma'] - 1/2| \ge \varepsilon$. We show that these two facts imply that $\Pr[\mathcal{H}] \ge 2\varepsilon$. To do so we first derive simple upper and lower bounds on $\Pr[\gamma = \gamma']$:
\[
\begin{aligned}
\Pr[\gamma = \gamma'] &= \Pr[\gamma = \gamma' \mid \neg\mathcal{H}]\Pr[\neg\mathcal{H}] + \Pr[\gamma = \gamma' \mid \mathcal{H}]\Pr[\mathcal{H}] \\
&\le \Pr[\gamma = \gamma' \mid \neg\mathcal{H}]\Pr[\neg\mathcal{H}] + \Pr[\mathcal{H}] \\
&= \tfrac{1}{2}\Pr[\neg\mathcal{H}] + \Pr[\mathcal{H}] = \tfrac{1}{2} + \tfrac{1}{2}\Pr[\mathcal{H}], \\
\Pr[\gamma = \gamma'] &\ge \Pr[\gamma = \gamma' \mid \neg\mathcal{H}]\Pr[\neg\mathcal{H}] = \tfrac{1}{2} - \tfrac{1}{2}\Pr[\mathcal{H}].
\end{aligned}
\]
It follows that $\varepsilon \le |\Pr[\gamma = \gamma'] - 1/2| \le \tfrac{1}{2}\Pr[\mathcal{H}]$. Therefore, in the real attack $\Pr[\mathcal{H}] \ge 2\varepsilon$.
The probability that $\mathcal{B}$ produces the correct answer $D = \hat e(P, P)^{abc}$ is at least (the probability that $\mathcal{A}_2$ makes an $H_2$-query of $D$ to $\mathcal{B}$) $\cdot$ (the probability that $\mathcal{B}$ selects $D$ from all the entries of the $H_2$-list), that is, at least $2\varepsilon \cdot \frac{1}{q_{H_2}}$.
FIGURE 11.6
Simulation of the attacker’s environment.
Proof of Theorem 1 The theorem follows directly from Lemma 1 and Lemma 2. Composing both reductions shows that an IND-ID-CPA adversary on BasicIdent with advantage $\varepsilon(k)$ gives a BDH algorithm for $\mathcal{G}$ with advantage at least $2\varepsilon(k)/e(1 + q_E)q_{H_2}$, as required.
Why is BasicIdent not CCA-Secure? BasicIdent, though secure against an IND-ID-CPA adversary, is not secure against an IND-ID-CCA adversary, because the value $g_{ID}^{\,r}$ is not a function of the plaintext $M$. So if the adversary wants to decrypt the ciphertext $(C_1, C_2)$ which encrypts the message $M$, it can do so by issuing to the decryption oracle the ciphertext $(C_1, C_2 \oplus \Delta)$, obtaining the plaintext $M \oplus \Delta$, and then recovering $M$ as $M = (M \oplus \Delta) \oplus \Delta$. The Fujisaki-Okamoto transformation eliminates this vulnerability by adding two more hash functions, producing a scheme that is secure under chosen-ciphertext attacks.
What is the Fujisaki-Okamoto transformation? Let $E_{pk}(M, r)$ be the encryption of $M$ under the public key $pk$ using random bits $r$, where $E$ is some public key encryption scheme. Let $H_1$, $H_2$ be cryptographic hash functions. The Fujisaki-Okamoto transformation defines a hybrid scheme as
\[
E_{pk}^{hy}(M, r) = \langle E_{pk}(r, H_1(r, M)),\ H_2(r) \oplus M\rangle. \tag{11.6}
\]
One implication of the Fujisaki-Okamoto transformation is that if $E_{pk}$ is secure against chosen plaintext attack, then $E_{pk}^{hy}$ is secure against chosen ciphertext attack when $H_1$ and $H_2$ are random oracles.
Construction 3. FullIdent
Setup Given a security parameter $k \in \mathbb{Z}^+$
1. Run $\mathcal{G}$ on input $k$ to generate a prime $q$ ($|q| = k$), two groups $G_1$, $G_2$ of order $q$, and a bilinear map $\hat e: G_1 \times G_1 \to G_2$. Choose a random generator $P \in G_1$.
2. Pick a random $s \in \mathbb{Z}_q^*$ and set $P_{pub} = sP$.
3. Choose hash functions $H_1: \{0,1\}^* \to G_1^*$, $H_2: G_2 \to \{0,1\}^n$, $H_3: \{0,1\}^n \times \{0,1\}^n \to \mathbb{Z}_q^*$ and $H_4: \{0,1\}^n \to \{0,1\}^n$.
4. System parameters: $params = (q, G_1, G_2, \hat e, n, P, P_{pub}, H_1, H_2, H_3, H_4)$.
5. The master-key is $s \in \mathbb{Z}_q^*$.
Extract For a given string $ID \in \{0,1\}^*$
1. Compute $Q_{ID} = H_1(ID) \in G_1^*$.
2. Set the private key $d_{ID}$ to be $d_{ID} = sQ_{ID}$, where $s$ is the master key.
Encrypt Message $M \in \mathcal{M}$ and public key $ID$
1. Compute $Q_{ID} = H_1(ID) \in G_1^*$.
2. Choose a random $\sigma \in \{0,1\}^n$.
3. Set $r = H_3(\sigma, M)$.
4. Set the ciphertext to be $C = \langle rP,\ \sigma \oplus H_2(g_{ID}^{\,r}),\ M \oplus H_4(\sigma)\rangle$, where $g_{ID} = \hat e(Q_{ID}, P_{pub}) \in G_2$.
Decrypt Ciphertext $C = \langle U, V, W\rangle$, public key $ID$ and private key $d_{ID} \in G_1^*$. If $U \notin G_1^*$, reject the ciphertext; otherwise
1. Compute $V \oplus H_2(\hat e(d_{ID}, U)) = \sigma$.
2. Compute $W \oplus H_4(\sigma) = M$.
3. Set $r = H_3(\sigma, M)$. Test that $U = rP$. If not, reject the ciphertext.
4. Output $M$.
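BasicIdent (Construction 1) and FullIdent (Construction 3) side by side, together with the malleability described under "Why is BasicIdent not CCA-Secure?", as an added Python model that is not the book's or the Boneh-Franklin paper's code. It replaces the elliptic-curve pairing with a deliberately insecure toy bilinear map over $\mathbb{Z}_q$ (an assumption made only so the block runs without a pairing library), instantiates $H_1$ to $H_4$ with domain-separated SHA-256, and uses a constructed identity, message and mask.

```python
"""Toy model of Boneh-Franklin BasicIdent (Construction 1) and FullIdent (Construction 3).

Added illustration, not code from the book or the Boneh-Franklin paper. The pairing is a
deliberately insecure stand-in: G1 and GT are both (Z_q, +), scalar multiplication is
r*P mod q and e(a, b) = a*b mod q. The map is bilinear and non-degenerate, so the schemes'
algebra carries over (g^r in GT becomes r*g mod q), but discrete logs in G1 are trivial,
so nothing here is secure; it only checks correctness and what the FO check in Decrypt buys.
"""
import hashlib
import secrets
from typing import Optional, Tuple

Q = (1 << 61) - 1   # Mersenne prime 2^61 - 1: common order q of G1 and GT (toy choice)
N = 32              # n in bytes: messages and sigma are 256-bit strings

def _h(tag: bytes, *parts: bytes) -> bytes:
    """Domain-separated, length-prefixed SHA-256 standing in for the random oracles."""
    return hashlib.sha256(tag + b"".join(len(p).to_bytes(4, "big") + p for p in parts)).digest()

def _to_scalar(digest: bytes) -> int:
    """Map a digest into Z_q^* = {1, ..., q-1}."""
    return int.from_bytes(digest, "big") % (Q - 1) + 1

# The four random oracles of Construction 3 (BasicIdent uses only H1 and H2).
def H1(identity: bytes) -> int:          # {0,1}^* -> G1^*  (map-to-point, Note 2)
    return _to_scalar(_h(b"H1", identity))

def H2(gt: int) -> bytes:                # G2 (here GT) -> {0,1}^n
    return _h(b"H2", gt.to_bytes(8, "big"))[:N]

def H3(sigma: bytes, m: bytes) -> int:   # {0,1}^n x {0,1}^n -> Z_q^*
    return _to_scalar(_h(b"H3", sigma, m))

def H4(sigma: bytes) -> bytes:           # {0,1}^n -> {0,1}^n
    return _h(b"H4", sigma)[:N]

def pair(a: int, b: int) -> int:
    """Toy bilinear map e: G1 x G1 -> GT with e(xa, yb) = xy * e(a, b)."""
    return (a * b) % Q

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def setup() -> Tuple[dict, int]:
    """Setup: random generator P, master key s, P_pub = sP."""
    P = secrets.randbelow(Q - 1) + 1
    s = secrets.randbelow(Q - 1) + 1
    return {"P": P, "Ppub": (s * P) % Q}, s

def extract(master_key: int, identity: bytes) -> int:
    """Extract: d_ID = s * Q_ID where Q_ID = H1(ID)."""
    return (master_key * H1(identity)) % Q

def basic_encrypt(params: dict, identity: bytes, m: bytes) -> Tuple[int, bytes]:
    """BasicIdent.Encrypt: C = <rP, M xor H2(g_ID^r)>, g_ID = e(Q_ID, P_pub)."""
    r = secrets.randbelow(Q - 1) + 1
    g_id = pair(H1(identity), params["Ppub"])
    return (r * params["P"]) % Q, xor(m, H2((r * g_id) % Q))

def basic_decrypt(d_id: int, c: Tuple[int, bytes]) -> bytes:
    """BasicIdent.Decrypt: M = V xor H2(e(d_ID, U)). There is no integrity check."""
    U, V = c
    return xor(V, H2(pair(d_id, U)))

def full_encrypt(params: dict, identity: bytes, m: bytes) -> Tuple[int, bytes, bytes]:
    """FullIdent.Encrypt: r = H3(sigma, M); C = <rP, sigma xor H2(g_ID^r), M xor H4(sigma)>."""
    sigma = secrets.token_bytes(N)
    r = H3(sigma, m)
    g_id = pair(H1(identity), params["Ppub"])
    return (r * params["P"]) % Q, xor(sigma, H2((r * g_id) % Q)), xor(m, H4(sigma))

def full_decrypt(params: dict, d_id: int, c: Tuple[int, bytes, bytes]) -> Optional[bytes]:
    """FullIdent.Decrypt: recover sigma and M, re-derive r and insist that U == rP.
    Returns None (the text's bottom symbol) if U is outside G1^* or the check fails."""
    U, V, W = c
    if not 1 <= U < Q:
        return None
    sigma = xor(V, H2(pair(d_id, U)))
    m = xor(W, H4(sigma))
    if U != (H3(sigma, m) * params["P"]) % Q:
        return None
    return m

def demo() -> dict:
    """Round-trip both schemes, then XOR a mask delta into the ciphertext body.
    BasicIdent returns M xor delta; FullIdent rejects every altered ciphertext."""
    params, msk = setup()
    identity, m = b"alice@example.com", b"constructed 32-byte test message"  # constructed
    d_id = extract(msk, identity)
    delta = bytes([0xAA]) * N
    U, V = basic_encrypt(params, identity, m)
    U2, V2, W2 = full_encrypt(params, identity, m)
    return {
        "basic_ok": basic_decrypt(d_id, (U, V)) == m,
        "full_ok": full_decrypt(params, d_id, (U2, V2, W2)) == m,
        "basic_malleated": basic_decrypt(d_id, (U, xor(V, delta))) == xor(m, delta),
        "full_rejects_V": full_decrypt(params, d_id, (U2, xor(V2, delta), W2)),
        "full_rejects_W": full_decrypt(params, d_id, (U2, V2, xor(W2, delta))),
        "full_rejects_U": full_decrypt(params, d_id, (0, V2, W2)),
    }
```

Because $r = H_3(\sigma, M)$ is recomputed from the recovered $\sigma$ and $M$, any change to $V$ or $W$ changes $r$ and the test $U = rP$ fails with probability about $1 - 1/q$, which is exactly Galindo's observation about the integrity check later in the section.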
Theorem 2 Construction 3 is IND-ID-CCA-secure in the random oracle model. That is, suppose the hash functions $H_1, H_2, H_3, H_4$ are random oracles. Then FullIdent is secure under chosen-ciphertext attacks (IND-ID-CCA) assuming BDH is hard in groups generated by $\mathcal{G}$. Concretely, suppose there is an IND-ID-CCA adversary $\mathcal{A}$ that has advantage $\varepsilon(k)$ against the scheme FullIdent and whose running time is at most $t$. Suppose $\mathcal{A}$ makes at most $q_E > 0$ private key extraction queries, $q_D > 0$ decryption queries and $q_{H_1}, q_{H_2}, q_{H_3}, q_{H_4} > 0$ hash queries to $H_1, H_2, H_3, H_4$, respectively. Then there is an algorithm $\mathcal{B}$ that solves BDH in groups generated by $\mathcal{G}$ with advantage and time where
\[
\begin{aligned}
\varepsilon_{\mathcal{B}}(k) &\ge 2\,\mathrm{FO}_{adv}\!\left(\frac{\varepsilon(k)}{q_{H_1}}\Big(1 - \frac{q_E}{q_{H_1}}\Big),\ q_{H_3},\ q_{H_4},\ q_D\right)\Big/\,q_{H_2} \;\approx\; \frac{\varepsilon(k)}{q_H^{3}}, \\
t_{\mathcal{B}}(k) &\le \mathrm{FO}_{time}(t(k), q_{H_3}, q_{H_4}),
\end{aligned}
\]
where the functions $\mathrm{FO}_{adv}$ and $\mathrm{FO}_{time}$ are defined in Lemma 4.
Proof
Outline of the Proof IND-ID-CCA security of FullIdent is proved assuming $H_1, H_2, H_3$, and $H_4$ to be random oracles. The proof uses a scheme called BasicPub$^{hy}$, which is the result of applying the Fujisaki-Okamoto transformation to BasicPub. Let $\mathcal{A}_1'$ be an IND-ID-CCA adversary against FullIdent, $\mathcal{A}_2'$ an IND-CCA adversary against BasicPub$^{hy}$, $\mathcal{A}_2$ an IND-CPA adversary against BasicPub, and $\mathcal{B}$ an algorithm that solves the given BDH problem. The reduction proceeds in three steps, as shown in Figure 11.7. In the first game, in Lemma 3, $\mathcal{A}_1'$ is used to construct $\mathcal{A}_2'$. In the next step, in Lemma 4, $\mathcal{A}_2'$ is used to construct $\mathcal{A}_2$. In the last step, in Lemma 2, $\mathcal{A}_2$ is used to construct $\mathcal{B}$. Through this three-stage reduction, an advantage of $\mathcal{A}_1'$ against FullIdent can be converted to (roughly) an advantage of $\mathcal{B}$ against the BDH problem. It means that if the advantage of $\mathcal{A}_1'$ is non-negligible, then one can solve the BDH problem with non-negligible probability of success. However, the existence of such a $\mathcal{B}$ contradicts the assumption that the BDH problem is computationally hard. So there is no such $\mathcal{B}$, and hence no such $\mathcal{A}_2$, $\mathcal{A}_2'$ and $\mathcal{A}_1'$.
FIGURE 11.7
High-level overview of reductions (2).
Lemma 3 Let $\mathcal{A}_1'$ be an IND-ID-CCA adversary that has advantage $\varepsilon(k)$ against FullIdent. Suppose $\mathcal{A}_1'$ makes at most $q_E > 0$ private key extraction queries, at most $q_D > 0$ decryption queries and $q_{H_1}$ queries to $H_1$. Then there is an IND-CCA adversary $\mathcal{A}_2'$ that has advantage
\[
\varepsilon_{\mathcal{A}_2'}(k) \ge \frac{\varepsilon(k)}{q_{H_1}}\Big(1 - \frac{q_E}{q_{H_1}}\Big) \approx \frac{\varepsilon(k)}{q_{H_1}}
\]
against BasicPub$^{hy}$. Its running time is $O(\mathrm{time}(\mathcal{A}_1'))$.
Proof
Galindo’s Observation [46]
At Phase I, Decryption Queries, Galindo pointed out a flaw in the original analysis of Boneh-Franklin. Galindo observed that the original argument does not take into account the fact that the decryption algorithm performs a ciphertext integrity check before returning the message. He showed that, given the ciphertext $C_i' = \langle b_iU_i, V_i, W_i\rangle$, the BasicPub$^{hy}$ decryption algorithm will reject it with overwhelming probability.
Given $C_i' = \langle b_iU_i, V_i, W_i\rangle$, the BasicPub$^{hy}$ decryption algorithm proceeds as follows:
1. Compute $V_i \oplus H_2(\hat e(d_i, b_iU_i)) = \sigma$.
2. Compute $W_i \oplus H_4(\sigma) = M_i$.
3. Set $r = H_3(\sigma, M_i)$. Test that $b_iU_i = rP$. If not, reject the ciphertext.
4. Output $M_i$.
In the third step, if $b_iU_i \ne rP$, the BasicPub$^{hy}$ decryption algorithm rejects the ciphertext $C_i'$. Recall $U_i = r_iP$, so $b_iU_i = b_ir_iP$. The decryption algorithm checks $b_ir_iP \overset{?}{=} rP$, that is, $b_ir_i \overset{?}{=} H_3(\sigma, M_i)$. Since $b_i$ is uniformly random in $\mathbb{Z}_q^*$ and $r_i = H_3(\sigma, M_i)$, the product $b_ir_i$ is uniformly random in $\mathbb{Z}_q^*$. On the other hand, $H_3$ is a random oracle not controlled by $\mathcal{A}_2'$, so intuitively the probability of hitting a value $r = H_3(\sigma, M_i)$ in $\mathbb{Z}_q^*$ such that $b_ir_i = H_3(\sigma, M_i)$ is $1/q$. Therefore, the probability of the event $b_ir_i \ne H_3(\sigma, M_i)$, that is, that the BasicPub$^{hy}$ decryption algorithm rejects the ciphertext, is $(1 - 1/q)$.
Fixing the flaw From Galindo's observation, a decryption query $\langle ID_i, C_i\rangle$ can be answered only if it is possible to form a proper private key corresponding to $ID_i$, or $H_1(ID_i) = Q_{ID}$. Based on this observation, Galindo suggests the following modification in the simulation.
If $\mathcal{A}_2'$ does not abort the game, then the view of $\mathcal{A}_1'$ is the same as in a real IND-ID-CCA attack: $H_1$ behaves as a random oracle, and extraction as well as decryption queries are answered validly. Therefore, $|\Pr[\gamma = \gamma'] - 1/2| \ge \varepsilon$, where this probability is over the random bits of $\mathcal{A}_1'$, $\mathcal{A}_2'$ and the challenger for the IND-ID-CCA game.
It remains to bound the probability $\Pr[\mathrm{abort}]$. The algorithm can abort for two reasons: (1) it is asked in Phase I for the private key corresponding to $ID_j$, or (2) the challenge identity $ID^* \ne ID_j$. Note that $\mathcal{A}_2'$ cannot abort in Phase II, since in this case $\mathcal{A}_1'$ is not allowed to query the private key for $ID_j = ID^*$. Let $E_1$ be the event that $\mathcal{A}_2'$ aborts due to (1), and define $E_2$ in the obvious way. Then
\[
\Pr[\mathrm{abort}] = \Pr[E_1 \wedge E_2] = \Pr[E_2 \mid E_1]\Pr[E_1]. \tag{11.7}
\]
We have the upper bound $\Pr[E_1] \le q_E/q_{H_1}$, which is the probability that $\mathcal{A}_1'$ makes an extraction query for $ID_j$ in Phase I, since the maximum number of such queries is $q_E$.
On the other hand, a lower bound for $\Pr[E_2 \mid E_1]$, that is, the probability that $\mathcal{A}_1'$ chooses $ID_j$ as the challenge identity, is $1/q_{H_1}$. Therefore,
\[
\Pr[\mathrm{abort}] \ge \frac{1}{q_{H_1}}\Big(1 - \frac{q_E}{q_{H_1}}\Big). \tag{11.8}
\]
Since $\mathcal{A}_1'$'s advantage is $\varepsilon(k)$, $\mathcal{A}_2'$'s advantage is at least $\frac{\varepsilon(k)}{q_{H_1}}\big(1 - \frac{q_E}{q_{H_1}}\big)$.
Lemma 4 (Fujisaki-Okamoto) Suppose $\mathcal{A}_2'$ is an IND-CCA adversary that achieves advantage $\varepsilon(k)$ when attacking BasicPub$^{hy}$. Suppose $\mathcal{A}_2'$ has running time $t(k)$, makes at most $q_D$ decryption queries, and makes at most $q_{H_3}, q_{H_4}$ queries to the hash functions $H_3, H_4$, respectively. Then there is an IND-CPA adversary $\mathcal{A}_2$ against BasicPub with running time $t_{\mathcal{A}_2}(k)$ and advantage $\varepsilon_{\mathcal{A}_2}(k)$, where
\[
\begin{aligned}
\varepsilon_{\mathcal{A}_2}(k) &\ge \mathrm{FO}_{adv}(\varepsilon(k), q_{H_3}, q_{H_4}, q_D) = \frac{1}{2(q_{H_3} + q_{H_4})}\Big[(\varepsilon(k) + 1)(1 - 2/q)^{q_D} - 1\Big], \\
t_{\mathcal{A}_2}(k) &\le \mathrm{FO}_{time}(t(k), q_{H_3}, q_{H_4}) = t(k) + O\big((q_{H_4} + q_{H_3})\cdot n\big),
\end{aligned}
\]
$q$ is the size of the groups $G_1, G_2$ and $n$ is the length of $\sigma$.
Proof
This result is obtained from Theorem 14 in [44].
Proof of Theorem 2 The theorem follows directly from Lemma 3, Lemma 4, and Lemma 2. By Lemma 3, an IND-ID-CCA adversary on FullIdent implies an IND-CCA adversary on BasicPub$^{hy}$. By Lemma 4, an IND-CCA adversary on BasicPub$^{hy}$ implies an IND-CPA adversary on BasicPub. By Lemma 2, an IND-CPA adversary on BasicPub implies an algorithm for BDH. Composing all these reductions gives the required bounds. □
12
Identity-Based Encryption (2)
CONTENTS
12.1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
12.2 Preliminaries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
12.2.1 Security Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
12.2.2 Hardness Assumptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202
12.2.3 How to Achieve a Tight Reduction? . . . . . . . . . . . . . . . . . . . . 204
12.3 Gentry’s IBE [48] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206
12.3.1 Construction 1: Chosen-Plaintext Security . . . . . . . . . . . . . . 206
12.3.2 Security 1: Chosen-Plaintext Security . . . . . . . . . . . . . . . . . . . 207
12.3.3 Construction 2. Chosen-Ciphertext Security . . . . . . . . . . . . 213
12.3.4 Security 2: Chosen-Ciphertext Security . . . . . . . . . . . . . . . . . 215
Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225
The concept of identity-based encryption is developed further by discussing Gentry's identity-based encryption. The chapter starts with the proof of security of an IBE scheme using the partitioning approach, which causes a loose reduction, and then discusses loose versus tight reductions. The preliminaries that follow cover the security model for the IBE scheme, the hardness assumptions, and the techniques that can be used to achieve a tight reduction. The final part of this chapter is dedicated to Gentry's IBE, which has certain advantages over previous schemes in terms of computational efficiency, shorter public parameters, recipient anonymity, and a tight security reduction. The construction for chosen-plaintext security is explained first, followed by its security proof using a reduction algorithm. Similarly, the construction for chosen-ciphertext security is given along with its security proof using a reduction algorithm.
12.1 Overview
Before Gentry's scheme, in order to prove the security of an IBE scheme, we used the partitioning approach that divides the identity space into two parts. But it has a problem: the resulting reduction is lossy, or loose.
What are lossy and tight reductions? Suppose that the adversary $\mathcal{A}$ wins with probability $\varepsilon'$ in the security game of $\Pi$ within time $t'$. Suppose also that the simulator $\mathcal{B}$ solves some problem $\mathcal{P}$ with probability $\varepsilon$ within time $t$, and that $\mathcal{B}$ utilizes $\mathcal{A}$ to solve $\mathcal{P}$. If $\mathcal{B}$ has quite similar success probability and time complexity in comparison with $\mathcal{A}$'s, i.e., $\varepsilon \approx \varepsilon'$ and $t \approx t'$, then the reduction is called tight. On the other hand, if $\mathcal{B}$ has much lower success probability and takes much more time, i.e., $\varepsilon \ll \varepsilon'$ and $t \gg t'$, then the reduction is called lossy.
FIGURE 12.1
Comparison of BF-IBE and Gentry’s IBE.
Comparison of reductions between CPA-secure BF-IBE and Gentry's IBE The reduction of BF-IBE is lossy, as shown in Figure 12.1, because the simulator $\mathcal{B}$ has much lower success probability than the adversary $\mathcal{A}_1$ (i.e., the security degrades by roughly a factor of $q_E q_{H_2}$). On the other hand, the reduction of Gentry's IBE is tight, as shown in Figure 12.1, because the success probability and time complexity of the simulator $\mathcal{B}$ are the same as the adversary $\mathcal{A}$'s, except for additive factors depending on $p$.
Why is a tight reduction important? In general, if a reduction is tight, we say that the security definition of the scheme is meaningful, because a scheme whose reduction is not tight is impractical. If a reduction is tight, we know that breaking the scheme is as hard as solving some relevant hard problem. It means that the scheme is secure even if we use the current security parameter.
Why is a lossy reduction problematic? In the case of a lossy reduction, the security proof implies that the scheme needs a higher security parameter than the one used in the scheme. In the time-complexity aspect, the time needed for breaking the scheme is less than the time needed for solving the hard problem. Or, in the advantage aspect, the lossy reduction shows that the scheme can be broken with lower probability than the probability of solving the hard problem. For these two reasons, to achieve a basic security level, the lossy scheme must take a much higher security parameter than the original one, because if the security parameter is bigger, then the adversary's advantage decreases and the time complexity increases. Using this fact, the advantage and time complexity of the adversary can be made similar to those of the simulator. However, a higher security parameter means that the scheme will become inefficient. If the scheme uses the security parameter of the lossy reduction, it may be insecure in practice. Therefore, the security parameter must be increased for security.
12.2 Preliminaries
This section explains the security model for the IBE scheme, hardness as-
sumptions, and techniques that can be used to achieve the tight reduction.
12.2.1 Security Model
ANON-IND-ID-CCA game for an anonymous-IBE scheme¹
1. Setup: Given the security parameter $k$, the challenger runs the Setup algorithm of the IBE. It provides $\mathcal{A}$ with the system parameters $params$ while keeping the master-key to itself.
2. Phase I: $\mathcal{A}$ makes a finite number of queries where each query is one of the following two types:
(a) key-extraction query ($ID$): The challenger runs Key-Gen on $ID$ and forwards the resulting private key to $\mathcal{A}$. The Key-Gen algorithm is deterministic, so $\mathcal{A}$ does not query it more than once on the same identity.
(b) decryption query ($ID, C$): The challenger runs Key-Gen on $ID$, decrypts $C$ with the resulting private key, and sends the result to the adversary. It returns the resulting plaintext or $\bot$ if the ciphertext cannot be decrypted.
$\mathcal{A}$ is allowed to make these queries adaptively, i.e., any query may depend on the previous queries as well as their answers.
3. Challenge: $\mathcal{A}$ outputs two identities² $ID_0, ID_1$ and two equal-length messages $M_0, M_1$; the identities must not have appeared in any key generation query in Phase I. The simulator selects random bits $b, c \in \{0,1\}$ and responds with $C^*$, the output of the Encrypt algorithm on input $(ID_b, M_c, params)$.
4. Phase II: $\mathcal{A}$ issues additional queries just like Phase I, except that $\mathcal{A}$ may not request a private key for $ID_0$ or $ID_1$, nor the decryption of $(ID_0, C^*)$ or $(ID_1, C^*)$. The challenger responds as in Phase I.
5. Guess: $\mathcal{A}$ outputs its guess $b'$ of $b$ and $c'$ of $c$.
¹ The description of the ANON-IND-ID-CPA game for an IBE scheme is similar to this game, except that the adversary is not allowed to query the decryption oracle.
Definition 1 The advantage of $\mathcal{A}$ in attacking the anonymous-IBE scheme $\Pi$ is defined as
\[
\mathrm{Adv}_{\mathcal{A},\Pi} = \left|\Pr[(b = b') \wedge (c = c')] - 1/4\right|. \tag{12.1}
\]
Definition 2 An IBE scheme $\Pi = (\text{Key-Gen}, \text{Encrypt}, \text{Decrypt})$ is said to be $(t, \varepsilon, q_{id}, q_C)$-secure against adaptive chosen ciphertext attack if for any $t$-time adversary $\mathcal{A}$ that makes at most $q_{id}$ private-key queries and at most $q_C$ decryption queries,
\[
\mathrm{Adv}_{\mathcal{A},\Pi} \le \varepsilon. \tag{12.2}
\]
12.2.2 Hardness Assumptions
For proving this scheme, Gentry uses a non-static hardness assumption, a variant of the bilinear Diffie-Hellman exponent problem. To state it, we derive the truncated decision q-augmented bilinear Diffie-Hellman exponent problem from the q-bilinear Diffie-Hellman exponent problem. Here $q$ is a parameter of the problem instance ($q = 2^{n+1} - 2$, where $n \in \mathbb{Z}$ and $n > 0$).
q-Bilinear Diffie-Hellman exponent problem Let $G$ and $G_T$ be two groups of order $p$ for some large prime $p$. Let $e: G \times G \to G_T$ be a bilinear map and let $g, g'$ be generators of $G$. Given $g', g, g^{\alpha}, g^{\alpha^2}, \cdots, g^{\alpha^q}, g^{\alpha^{q+2}}, \cdots, g^{\alpha^{2q}} \in G^{2q+1}$ for some $\alpha \in \mathbb{Z}_p$, it is hard to compute $Z = e(g, g')^{\alpha^{q+1}} \in G_T$.
Since the input vector is missing the term $g^{(\alpha^{q+1})}$, the bilinear map does not seem to help compute $e(g, g')^{\alpha^{q+1}}$.
² Why does $\mathcal{A}$ output two identities? It is to support anonymity of identities. In relation to this, $\mathcal{A}$ outputs two values instead of one in the Guess stage, and the probability that $\mathcal{A}$'s guesses are both correct can be expressed as $\mathrm{Adv}_{\mathcal{A},\Pi} + 1/4$, as shown in Definition 1.
We define the q-ABDHE problem almost identically.
q-augmented bilinear Diffie-Hellman exponent problem Let $G$ and $G_T$ be two groups of order $p$ for some large prime $p$. Let $e: G \times G \to G_T$ be a bilinear map and let $g, g'$ be generators of $G$. Given $g', g'^{(\alpha^{q+2})}, g, g^{\alpha}, g^{\alpha^2}, \cdots, g^{\alpha^q}, g^{\alpha^{q+2}}, \cdots, g^{\alpha^{2q}} \in G^{2q+2}$ for some $\alpha \in \mathbb{Z}_p$, it is hard to compute $Z = e(g, g')^{\alpha^{q+1}} \in G_T$.
In the q-ABDHE problem, even though the additional term $g'^{(\alpha^{q+2})}$ is introduced (i.e., augmented), we still cannot compute $Z = e(g, g')^{\alpha^{q+1}} \in G_T$ easily.
The q-ABDHE problem is actually more than we need for this IBE system. Instead, we use a truncated version of the q-ABDHE problem, in which the terms $g^{\alpha^{q+2}}, \cdots, g^{\alpha^{2q}}$ are omitted from the input vector.
Truncated q-augmented bilinear Diffie-Hellman exponent
problem Let $\mathbb{G}$ and $\mathbb{G}_T$ be two groups of order p for some large prime p.
Let $e: \mathbb{G} \times \mathbb{G} \to \mathbb{G}_T$ be a bilinear map and let g, g′ be generators of $\mathbb{G}$. An
algorithm A has advantage ε in solving truncated q-ABDHE if
$\left|\Pr[A(g', g'_{q+2}, g, g_1, \cdots, g_q) = e(g_{q+1}, g')]\right| \geq \varepsilon,$ (12.3)
where we use $g_i$ and $g'_i$ to denote $g^{(\alpha^i)}$ and $g'^{(\alpha^i)}$; the probability is over the
random choice of generators g, g′ in $\mathbb{G}$, the random choice of α in $\mathbb{Z}_p$, and the
random bits used by A.
The decisional version of truncated q-ABDHE is defined as one would expect.
Truncated decision q-augmented bilinear Diffie-Hellman exponent
assumption (truncated decision q-ABDHE) Let $\mathbb{G}$ and $\mathbb{G}_T$ be two groups
of order p for some large prime p. Let $e: \mathbb{G} \times \mathbb{G} \to \mathbb{G}_T$ be a bilinear map and
let g, g′ be generators of $\mathbb{G}$. An algorithm B that outputs $b \in \{0, 1\}$ has
advantage ε in solving truncated decision q-ABDHE if
$\left|\Pr[B(g', g'_{q+2}, g, g_1, \cdots, g_q, e(g_{q+1}, g')) = 1] - \Pr[B(g', g'_{q+2}, g, g_1, \cdots, g_q, Z) = 1]\right| \geq \varepsilon,$ (12.4)
where we use $g_i$ and $g'_i$ to denote $g^{(\alpha^i)}$ and $g'^{(\alpha^i)}$; the probability is over the
random choice of generators g, g′ in $\mathbb{G}$, the random choice of α in $\mathbb{Z}_p$, the
random choice of $Z \in \mathbb{G}_T$, and the random bits consumed by B.
Definition 3 We say that the truncated decision $(t, \varepsilon, q)$-ABDHE assumption
holds in $\mathbb{G}$ if no t-time algorithm has advantage at least ε in
solving the truncated decision q-ABDHE problem in $\mathbb{G}$.
204 12 Identity-Based Encryption (2)
12.2.3 How to Achieve a Tight Reduction?
When the partitioning approach is used for a security proof, the simulator has a
much lower success probability than the adversary. The reason is that the simulator
stochastically chooses the space which includes the challenge identity. Due to this, as
shown in the Boneh-Franklin IBE scheme, the probability that the simulator does not
abort is $\delta^q(1 - \delta) \approx 1/q$, where q is the number of key extraction queries from
the adversary. The reduction thus loses a multiplicative factor of q.
The reason that we divide the identity space is that the simulator cannot
generate the private key which can decrypt the challenge ciphertext. For
example, in the Boneh-Franklin IBE scheme, the adversary can query the $H_1$ oracle
on the challenge identity before the challenge phase. The computation of $H_1$
on the challenge identity must differ from the computation of $H_1$ on the
other identities, but the simulator does not know what the challenge identity
is in Phase I. To resolve this problem, the Boneh-Franklin IBE scheme uses
the partitioning approach.
Gentry overcomes this problem differently: he allows the simulator to generate
a valid private key for all identities, including the challenge identity, and the
private key generation process works identically for all identities, including the
challenge identity. So, unlike the partitioning approach, this approach does not
need to select the challenge identity stochastically before the challenge ciphertext
is generated.
Here, we should consider the purpose of the simulator. The purpose of
the simulator is to solve the truncated decision q-ABDHE problem, i.e., to
distinguish whether Z is $e(g_{q+1}, g')$ or random, given the instance
$(g', g'_{q+2}, g, g_1, \cdots, g_q, Z)$ of the truncated decision q-ABDHE problem. On the
other hand, the purpose of the adversary is to distinguish under which identity and
message the challenge ciphertext was encrypted. Since the simulator cannot
distinguish on its own, it tries to do so by using the adversary, whose attacking
capability against the scheme is presumably improved through the simulation
training. Therefore, the simulator builds its own setup, extract and encrypt
algorithms from the setup, extract and encrypt algorithms of the scheme, in
order to simulate the public parameters, public keys and private keys for the
adversary from the truncated decision q-ABDHE problem instance. But the issue
here is that, even without using the adversary's ability, the simulator can
distinguish whether Z is $e(g_{q+1}, g')$ or not. It is possible because the challenger
can generate a valid private key for the challenge identity, which in turn allows it
to distinguish by decrypting the challenge ciphertext itself. In this case, we
cannot prove that the scheme is hard to break, which makes the security game
invalid. Therefore, we have to make sure that the simulator cannot distinguish
whether Z is $e(g_{q+1}, g')$ or not.
To resolve this issue, Gentry arranges that (1) if $Z = e(g_{q+1}, g')$, both the
simulator and the adversary can decrypt the challenge ciphertext; (2) if Z is random,
the simulator can decrypt the challenge ciphertext, but the adversary still
cannot decrypt the challenge ciphertext except with a trivial (i.e., negligible)
probability. The detailed method is as follows.
Since the key extraction algorithm is probabilistic, we can imagine that a
space of possible private keys for each identity, $S_{key}$, exists as shown in Figure
12.2. The key extraction algorithm can be seen to sample from $S_{key}$. Now, let
us suppose that the simulator generates exactly one valid private key for every
identity, including the challenge identity. Then the space of valid private keys
that can be selected by the simulator, $S_{sim}$, is included in $S_{key}$, but $|S_{sim}|$ is
much smaller than $|S_{key}|$, which is quite large.
FIGURE 12.2
Comparison of private key spaces in Gentry's IBE.
As above, Gentry limits the range of valid private keys generated by the
simulator. In addition, the challenge ciphertext is generated so that the valid
private key for the challenge identity generated by the simulator can decrypt it,
as shown in Figure 12.3. Therefore, even if Z is a random value, the private key
generated by the simulator can decrypt the challenge ciphertext. So the simulator
cannot take any advantage from this, and it must use the adversary to solve the
underlying hard problem. On the other hand, since the adversary does not know
which keys (out of the possibly large space of private keys) the simulator can
generate, it generates, with quite high probability, a valid private key that is not
equal to the one made by the simulator. If Z is random, this adversary cannot
decrypt the challenge ciphertext except with trivial probability.
Thus the simulator obtains some non-trivial information from the adversary
which it can utilize to attack the underlying hard problem.
FIGURE 12.3
Different decryption capabilities in Gentry's IBE.
From this, we can solve the underlying problem (truncated decision
q-ABDHE) by using the adversary.
12.3 Gentry's IBE [48]
In 2006, Gentry proposed an IBE scheme [48] that is fully secure without
random oracles and has several advantages over previous such systems: computational
efficiency (i.e., only one pairing in Decrypt), shorter public parameters (i.e., just
three parameters, params = $(g, g_1, h)$), recipient anonymity, and a "tight" security
reduction.
12.3.1 Construction 1: Chosen-Plaintext Security
We now present an efficient IBE system that is ANON-IND-ID-CPA secure without
random oracles under the truncated decision $(q_{ID} + 1)$-ABDHE assumption.
Construction 1. Chosen-plaintext security
Let $\mathbb{G}, \mathbb{G}_T$ be groups of order p and let $e: \mathbb{G} \times \mathbb{G} \to \mathbb{G}_T$ be the bilinear
map. The IBE system works as follows.
Setup Given a security parameter $k \in \mathbb{Z}^+$, where k = |p|:
1. Pick random generators $g, h \in \mathbb{G}$.
2. Pick a random $\alpha \in \mathbb{Z}_p$.
3. Set $g_1 = g^{\alpha} \in \mathbb{G}$.
4. The system parameters are params = $(g, g_1, h)$.
5. The master-key is α.
Note: $\mathbb{G}$ is a subgroup of the additive group of points of an elliptic curve
$E/\mathbb{F}_p$. $\mathbb{G}_T$ is a subgroup of the multiplicative group of a finite field $\mathbb{F}_{p^2}$.
Extract For a given identity $ID \in \mathbb{Z}_p$:
1. Generate random $r_{ID} \in \mathbb{Z}_p$.
2. Compute $h_{ID} = (h g^{-r_{ID}})^{1/(\alpha - ID)} \in \mathbb{G}$, where α is the master-key.
3. Set the private key $d_{ID} = (r_{ID}, h_{ID})$.
Note: If ID = α, the PKG aborts. We require that the PKG always uses
the same random value $r_{ID}$ for ID. This can be accomplished, for example,
using a PRF to ensure consistency.
Encrypt Message $M \in \mathbb{G}_T$ and identity $ID \in \mathbb{Z}_p$:
1. Generate random $s \in \mathbb{Z}_p$.
2. Compute $u = g_1^s g^{-s \cdot ID} \in \mathbb{G}$.
3. Compute $v = e(g, g)^s \in \mathbb{G}_T$.
4. Compute $w = M \cdot e(g, h)^{-s} \in \mathbb{G}_T$.
5. Set the ciphertext to be $C = \langle u, v, w \rangle$.
Note: Encryption does not require any pairing computations once e(g, g)
and e(g, h) have been pre-computed. Alternatively, e(g, g) and e(g, h) can
be included in the system parameters, in which case h can be dropped.
Decrypt Given ciphertext $C = \langle u, v, w \rangle$, identity ID and private key $d_{ID}$,
compute
$w \cdot e(u, h_{ID}) v^{r_{ID}} = M.$
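The following is an added worked example, not code from the book or from Gentry's paper: it runs Construction 1 end to end over a toy bilinear group so that the algebra of Setup, Extract, Encrypt and Decrypt can be checked. The toy group is an assumption made only for this illustration: $\mathbb{G}$ and $\mathbb{G}_T$ are both $\mathbb{Z}_p$ written additively, the element $g^x$ is stored as the integer x, and $e(g^a, g^b) = ab \bmod p$. That map is bilinear, but discrete logarithms in it are trivial, so the code checks correctness only and is in no sense a secure implementation. The identities, the message and the HMAC-based PRF that fixes $r_{ID}$ per identity (the Note after Extract) are likewise constructed for the example.

```python
# Added example (not from the book): Construction 1 over a toy bilinear group.
# Toy model, ASSUMED for illustration only and NOT secure: G and G_T are both
# Z_p written additively; g^x is stored as the integer x, so a product of group
# elements is addition mod p, an exponentiation is a multiplication mod p, and
# the pairing is e(g^a, g^b) = a*b mod p. Discrete logs are trivial here, so the
# code only checks that the scheme's equations hold.
import hashlib
import hmac
import random

P = 2**61 - 1                    # prime group order (a Mersenne prime)
rng = random.Random(1)           # seeded so the example is reproducible

def pair(a, b):
    """Toy symmetric pairing e: G x G -> G_T (bilinear, insecure)."""
    return a * b % P

def setup():
    """Setup: params = (g, g1, h); master key alpha plus a PRF key for r_ID."""
    g = 1                                    # generator g, stored as exponent 1
    h = rng.randrange(1, P)                  # random generator h
    alpha = rng.randrange(1, P)              # master-key
    g1 = g * alpha % P                       # g1 = g^alpha
    prf_key = rng.randrange(P).to_bytes(8, "big")
    return {"g": g, "g1": g1, "h": h}, {"alpha": alpha, "prf_key": prf_key}

def extract(params, msk, ident):
    """Extract: d_ID = (r_ID, h_ID) with h_ID = (h g^{-r_ID})^{1/(alpha - ID)}."""
    alpha = msk["alpha"]
    if ident % P == alpha:
        raise ValueError("ID = alpha: PKG aborts")
    # The Note in the construction asks for the same r_ID on every Extract of an
    # ID; deriving it with a PRF (HMAC-SHA256, an assumption here) achieves that.
    tag = hmac.new(msk["prf_key"], str(ident).encode(), hashlib.sha256).digest()
    r_id = int.from_bytes(tag, "big") % P
    inv = pow((alpha - ident) % P, -1, P)                   # 1/(alpha - ID) mod p
    h_id = (params["h"] - r_id * params["g"]) * inv % P     # (h g^{-r_ID})^{1/(alpha-ID)}
    return r_id, h_id

def encrypt(params, ident, m):
    """Encrypt M in G_T to identity ID: C = <u, v, w>."""
    g, g1, h = params["g"], params["g1"], params["h"]
    s = rng.randrange(1, P)
    u = (g1 * s - g * s * ident) % P     # g1^s g^{-s ID} = g^{s(alpha - ID)}
    v = pair(g, g) * s % P               # e(g, g)^s
    w = (m - pair(g, h) * s) % P         # M e(g, h)^{-s}
    return u, v, w

def decrypt(key, ct):
    """Decrypt: w e(u, h_ID) v^{r_ID}, which equals M for the matching key."""
    r_id, h_id = key
    u, v, w = ct
    return (w + pair(u, h_id) + v * r_id) % P

def demo():
    """Return (right key recovers M, wrong identity's key does not, Extract is consistent)."""
    params, msk = setup()
    alice, bob = 1001, 1002              # constructed identities in Z_p
    m = 0xC0FFEE                         # constructed message, an element of G_T
    ct = encrypt(params, alice, m)
    k_alice = extract(params, msk, alice)
    k_bob = extract(params, msk, bob)
    return (decrypt(k_alice, ct) == m,
            decrypt(k_bob, ct) == m,
            extract(params, msk, alice) == k_alice)

if __name__ == "__main__":
    print(demo())   # (True, False, True)
```

The third value returned by `demo()` is the point of the PRF: two Extract calls for the same identity yield the same $(r_{ID}, h_{ID})$, so a user never holds two differently-randomized keys for one identity, which is what the proofs below rely on.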
12.3.2 Security 1: Chosen-Plaintext Security
We now prove that the above IBE system is ANON-IND-ID-CPA secure under
the truncated decision $(q_{ID} + 1)$-ABDHE assumption.
It uses a stronger assumption that depends on the number of private key
generation queries made by the adversary (that is, the number of private key
generation queries made by the adversary is already fixed before the security
game starts).
Theorem 1 Let $q = q_{ID} + 1$. Assume the truncated decision $(t, \varepsilon, q)$-ABDHE
assumption holds for $(\mathbb{G}, \mathbb{G}_T, e)$. Then, Construction 1 is $(t', \varepsilon', q_{ID})$-ANON-IND-ID-CPA
secure for $t' = t - O(t_{exp} \cdot q^2)$ and $\varepsilon' = \varepsilon + 2/p$, where $t_{exp}$ is
the time required to exponentiate in $\mathbb{G}$.
Proof Let A be an adversary that $(t', \varepsilon', q_{ID})$-breaks the ANON-IND-ID-CPA
security of the IBE system described above. We construct an algorithm, B, that
solves the truncated decision q-ABDHE problem, as follows. B takes as input a
random truncated decision q-ABDHE challenge $(g', g'_{q+2}, g, g_1, \cdots, g_q, Z)$, where Z
is either $e(g_{q+1}, g')$ or a random element of $\mathbb{G}_T$ (recall that $g_i = g^{(\alpha^i)}$).
Algorithm B proceeds as follows.
Reduction algorithm B
Setup
1. Generate a random polynomial $f(x) \in \mathbb{Z}_p[x]$ of degree q.
2. Set $h = g^{f(\alpha)}$, computing h from $(g, g_1, \cdots, g_q)$.
3. Send the public key $(g, g_1, h)$ to A.
Note: Since g, α, f(x) are chosen uniformly at random, h is uniformly
random and this public key has a distribution identical to that in the
actual construction.
Phase I
1. A makes key generation queries.
2. B responds to a query on $ID \in \mathbb{Z}_p$ as follows.
If ID = α, B uses α to solve truncated decision q-ABDHE
immediately.
Else, let $F_{ID}(x)$ denote the (q − 1)-degree polynomial
$\frac{f(x) - f(ID)}{x - ID}$.
B sets the private key $(r_{ID}, h_{ID})$ to be $(f(ID), g^{F_{ID}(\alpha)})$.
Note: This is a valid private key for ID, since
$g^{F_{ID}(\alpha)} = g^{\frac{f(\alpha) - f(ID)}{\alpha - ID}} = (h g^{-f(ID)})^{\frac{1}{\alpha - ID}},$
as required. We will describe below why this private key
appears to A to be correctly distributed.
Challenge
1. A outputs identities $ID_0, ID_1$ and messages $M_0, M_1$.
2. Again, if $\alpha \in \{ID_0, ID_1\}$, B uses α to solve the truncated decision
q-ABDHE immediately.
3. Else, B generates bits $b, c \in \{0, 1\}$, and computes a private key
$(r_{ID_b}, h_{ID_b})$ for $ID_b$ as in Phase I.
4. Let $f_2(x) = x^{q+2}$.
5. Let $F_{2,ID_b}(x) = \frac{f_2(x) - f_2(ID_b)}{x - ID_b} = \frac{x^{q+2} - ID_b^{q+2}}{x - ID_b} = x^{q+1} + ID_b x^q + \cdots + ID_b^q x + ID_b^{q+1}$,
which is a polynomial of degree q + 1.
6. B sets
$u = g'^{f_2(\alpha) - f_2(ID_b)}, \quad v = Z \cdot e\big(g', \prod_{i=0}^{q} g^{F_{2,ID_b,i} \cdot \alpha^i}\big), \quad w = M_c / \big(e(u, h_{ID_b}) v^{r_{ID_b}}\big),$
where $F_{2,ID_b,i} = ID_b^{q+1-i}$ is the coefficient of $x^i$ in $F_{2,ID_b}(x)$, and
$\prod_{i=0}^{q} g^{F_{2,ID_b,i} \cdot \alpha^i} = g^{F_{2,ID_b}(\alpha)} g_{q+1}^{-1} = g^{F_{2,ID_b}(\alpha) - \alpha^{q+1}} = g^{ID_b \alpha^q + \cdots + ID_b^q \alpha + ID_b^{q+1}} = g_q^{ID_b} \times \cdots \times g_1^{ID_b^q} \times g^{ID_b^{q+1}}.$
7. Send (u, v, w) to A as the challenge ciphertext.
Note: Let $s = (\log_g g') F_{2,ID_b}(\alpha)$. If $Z = e(g_{q+1}, g')$, then $u = g^{s(\alpha - ID_b)}$,
$v = e(g, g)^s$, and $M_c / w = e(u, h_{ID_b}) v^{r_{ID_b}} = e(g, h)^s$; thus (u, v, w) is
a valid ciphertext for $(ID_b, M_c)$ under randomness s. Since $\log_g g'$ is
uniformly random, s is uniformly random, and so (u, v, w) is a valid,
appropriately-distributed challenge to A.
Phase II
1. A makes key generation queries and B responds as in Phase I.
Guess
1. Finally, the adversary outputs guesses $b', c' \in \{0, 1\}$.
2. If b = b′ and c = c′, B outputs 1 (indicating that $Z = e(g_{q+1}, g')$);
otherwise, it outputs 0.
Simulation of private key generation
Now, we explain how to generate a valid private key without knowledge of the
master-key α. Before explaining, look again at a valid private key:
$d_{ID} = (r_{ID}, h_{ID}) = (r_{ID}, (h g^{-f(ID)})^{\frac{1}{\alpha - ID}}).$ (12.5)
As seen from above, the simulator must know α to generate a valid private
key. The difficulty is that the simulator does not know α. But it can generate
a valid private key by using the problem instance only, as below. We set h in
the setup stage as
$h = g^{f(\alpha)},$ (12.6)
where $f(x) \in \mathbb{Z}_p[x]$ is of degree q.
We can generate a valid private key by using h and f(x). As a simple
example, we assume q = 4, $f(x) = x^4$ and set $h = g^{\alpha^4}$. Also, set $r_{ID} = ID^4$.
Then we can generate
$h_{ID} = (h g^{-f(ID)})^{\frac{1}{\alpha - ID}} = (g^{\alpha^4} g^{-ID^4})^{\frac{1}{\alpha - ID}} = g^{\frac{\alpha^4 - ID^4}{\alpha - ID}} = g^{(\alpha + ID)(\alpha^2 + ID^2)}$
$= g^{\alpha^3 + ID \alpha^2 + ID^2 \alpha + ID^3} = g^{\alpha^3} g^{ID \alpha^2} g^{ID^2 \alpha} g^{ID^3} = g_3\, g_2^{ID}\, g_1^{ID^2}\, g^{ID^3}.$
Thus the simulator can generate a valid private key without knowledge of α.
The private keys issued by B are appropriately distributed
We want to show that the keys issued by B are appropriately distributed
from A's view. It suffices to show that the values $\{f(a) : a \in I\}$ are uniformly
random and independent, where I is the set consisting of α, $ID_b$, and the
identities queried by A. We can observe that $|I| \leq q + 1 = q_{ID} + 2$ because
$q = q_{ID} + 1$. The claim follows from the fact that f(x) is a uniformly random
polynomial of degree q whose coefficients are chosen independently and uniformly
at random from $\mathbb{Z}_p$. So $r_{ID}$ and $h_{ID}$ are random, because $r_{ID} = f(ID)$ and
$h_{ID}$ is generated by using f(x). Therefore, the private keys issued by B are
appropriately distributed.
Simulation of challenge ciphertext generation
Now, we explain how to generate a valid challenge ciphertext without
knowledge of α. First of all, we must keep in mind that the simulator must be
able to generate a valid private key for the challenge identity and decrypt the
challenge ciphertext. Before we talk about this issue, we arrange four functions.
1. $f_2(x) = x^{q+2}$.
2. $F_{2,ID_b}(x) = \frac{f_2(x) - f_2(ID_b)}{x - ID_b} = \frac{x^{q+2} - ID_b^{q+2}}{x - ID_b} = x^{q+1} + ID_b x^q + \cdots + ID_b^q x + ID_b^{q+1}$, which is a polynomial of degree q + 1.
3. $F_{2,ID_b,i} = ID_b^{q+1-i}$ is the coefficient of $x^i$ in $F_{2,ID_b}(x)$.
4. $\prod_{i=0}^{q} g^{F_{2,ID_b,i} \cdot \alpha^i} = g^{F_{2,ID_b}(\alpha)} g_{q+1}^{-1} = g^{F_{2,ID_b}(\alpha) - \alpha^{q+1}} = g^{ID_b \alpha^q + \cdots + ID_b^q \alpha + ID_b^{q+1}} = g_q^{ID_b} \times \cdots \times g_1^{ID_b^q} \times g^{ID_b^{q+1}}$.
Let $s = (\log_g g') F_{2,ID_b}(\alpha) = (\log_g g') \frac{f_2(\alpha) - f_2(ID_b)}{\alpha - ID_b}$. Then $g^s = (g')^{\frac{f_2(\alpha) - f_2(ID_b)}{\alpha - ID_b}}$.
Now let's see the challenge ciphertext.
$u = g_1^s g^{-s \cdot ID_b} = g^{s(\alpha - ID_b)} = (g')^{\frac{f_2(\alpha) - f_2(ID_b)}{\alpha - ID_b} (\alpha - ID_b)} = g'^{f_2(\alpha) - f_2(ID_b)} = g'^{f_2(\alpha)} g'^{-f_2(ID_b)} = g'^{\alpha^{q+2}} g'^{-(ID_b)^{q+2}} = g'_{q+2} (g')^{-(ID_b)^{q+2}}.$
$v = Z \cdot e\big(g', \prod_{i=0}^{q} g^{F_{2,ID_b,i} \cdot \alpha^i}\big) = Z \cdot e\big(g', g_q^{ID_b} \times \cdots \times g_1^{ID_b^q} \times g^{ID_b^{q+1}}\big).$
$w = \frac{M_c}{e(u, h_{ID_b}) v^{r_{ID_b}}} = \frac{M_c}{e\big(g^{s(\alpha - ID_b)}, (h g^{-f(ID_b)})^{\frac{1}{\alpha - ID_b}}\big) v^{r_{ID_b}}} = \frac{M_c}{e(g^s, h g^{-f(ID_b)}) v^{r_{ID_b}}} = \frac{M_c}{e(g^s, h) e(g^s, g^{-f(ID_b)}) v^{r_{ID_b}}} = \frac{M_c}{e(g, h)^s e(g, g)^{-s f(ID_b)} v^{r_{ID_b}}}.$
As shown above, the challenge ciphertext can be made by using the problem
instance only³.
Now we check whether it is a valid challenge ciphertext or not in two cases:
(1) Z is real and (2) Z is random, respectively. First, in the case that Z is real
(i.e., $Z = e(g_{q+1}, g')$), v and w are computed as below.
$v = Z \cdot e\big(g', \prod_{i=0}^{q} g^{F_{2,ID_b,i} \cdot \alpha^i}\big) = e(g_{q+1}, g') \cdot e\big(g', g_q^{ID_b} \times \cdots \times g_1^{ID_b^q} \times g^{ID_b^{q+1}}\big) = e\big(g', g_{q+1} \times g_q^{ID_b} \times \cdots \times g_1^{ID_b^q} \times g^{ID_b^{q+1}}\big) = e(g', g^{F_{2,ID_b}(\alpha)})$
$= e\big(g', g^{\frac{f_2(\alpha) - f_2(ID_b)}{\alpha - ID_b}}\big) = e\big((g')^{\frac{f_2(\alpha) - f_2(ID_b)}{\alpha - ID_b}}, g\big) = e(g^s, g) = e(g, g)^s.$
$w = M_c / \big(e(u, h_{ID_b}) v^{r_{ID_b}}\big) = M_c / \big(e(g, h)^s e(g, g)^{-s f(ID_b)} (e(g, g)^s)^{r_{ID_b}}\big) = M_c / \big(e(g, h)^s e(g, g)^{s(f(ID_b) - f(ID_b))}\big) = M_c \cdot e(g, h)^{-s}.$
As shown above, a valid challenge ciphertext is made. Therefore the simulator
can decrypt it by using the appropriate private key.
Next, in the case that Z is random, even if the challenge ciphertext is
random, the simulator can decrypt it by using the appropriate private key.
Decryption is computed as below.
$M_c = w \cdot e(u, h_{ID_b}) v^{r_{ID_b}} = M_c \big(e(g, h)^s e(g, g)^{-s f(ID_b)} v^{r_{ID_b}}\big)^{-1} \cdot e\big(g'^{f_2(\alpha) - f_2(ID_b)}, g^{\frac{f(\alpha) - f(ID_b)}{\alpha - ID_b}}\big) \cdot v^{r_{ID_b}}$
$= M_c\, e(g, h)^{-s} e(g, g)^{s f(ID_b)} \cdot e\big(g'^{\frac{f_2(\alpha) - f_2(ID_b)}{\alpha - ID_b}}, g^{f(\alpha) - f(ID_b)}\big)$
$= M_c\, e(g, h)^{-s} e(g, g)^{s f(ID_b)} \cdot e(g^s, g^{f(\alpha)} g^{-f(ID_b)})$
$= M_c\, e(g, h)^{-s} e(g, g)^{s f(ID_b)} \cdot e(g^s, g^{f(\alpha)}) \cdot e(g^s, g^{-f(ID_b)})$
$= M_c\, e(g, h)^{-s} \cdot e(g, h)^s = M_c.$
As shown above, even if the challenge ciphertext is random, the simulator can
decrypt it by using the appropriate private key. The reason is that v, which
includes Z, is canceled out in the decryption process. But the adversary cannot
decrypt it except with negligible probability.
³ The simulator can generate u by using the problem instance elements $g'_{q+2}, g'$
instead of s, without knowledge of α. Similarly, v and w can also be generated by
using the values generated previously.
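To make the two simulations above concrete, here is an added example (not code from the book or from Gentry's paper) that runs the reduction algorithm B over the same toy bilinear group used earlier: $\mathbb{G} = \mathbb{G}_T = \mathbb{Z}_p$ written additively, $g^x$ stored as the integer x, $e(g^a, g^b) = ab \bmod p$, an insecure model assumed only so that the algebra can be checked. B is handed a truncated decision q-ABDHE instance and must (1) derive the private key $(f(ID), g^{F_{ID}(\alpha)})$ by polynomial division, without α, and (2) build the challenge (u, v, w) from $g'_{q+2}$, g′ and the $g_i$ only. The example then checks the two decryption claims: B's own key decrypts the challenge whether Z is real or random, while a second valid key for $ID_b$ with a different $r_{ID}$ decrypts it only when Z is real, which is also exactly when the event E of the probability analysis that follows holds. The polynomial, identities and message are constructed for the example; α is used only to build the instance and inside the check helpers, never by the simulator functions.

```python
# Added example (not from the book): Gentry's reduction B over a toy bilinear
# group. Toy model, ASSUMED for illustration and NOT secure: G = G_T = Z_p
# written additively, g^x is stored as the integer x, a product of elements is
# addition, an exponentiation is multiplication, and e(g^a, g^b) = a*b mod p.
# alpha appears only in build_instance() and in the helpers marked
# "verification only"; the sim_* functions see nothing but the instance.
import random

P = 2**61 - 1                    # prime group order
rng = random.Random(2021)        # seeded for reproducibility

def poly_eval(coeffs, x):
    """Evaluate a polynomial (low-to-high coefficients) at x, mod P."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc

def synth_div(coeffs, r):
    """Divide f(x) by (x - r) over Z_p; return (quotient coeffs, remainder = f(r)).
    With r = ID the quotient is F_ID(x) = (f(x) - f(ID))/(x - ID)."""
    quot = [0] * (len(coeffs) - 1)
    acc = 0
    for i in range(len(coeffs) - 1, 0, -1):
        acc = (acc * r + coeffs[i]) % P
        quot[i - 1] = acc
    return quot, (acc * r + coeffs[0]) % P

def build_instance(q, alpha, gamma, real):
    """Truncated decision q-ABDHE instance (g', g'_{q+2}, g, g_1..g_q, Z), g' = g^gamma."""
    g_i = [pow(alpha, i, P) for i in range(q + 1)]       # g_i = g^(alpha^i), g_0 = g
    gp_q2 = gamma * pow(alpha, q + 2, P) % P             # g'_{q+2} = g'^(alpha^{q+2})
    z = gamma * pow(alpha, q + 1, P) % P if real else rng.randrange(P)  # e(g_{q+1}, g') or random
    return {"q": q, "gp": gamma, "gp_q2": gp_q2, "g_i": g_i, "Z": z}

def sim_setup(inst):
    """B's Setup: random f of degree q; h = g^{f(alpha)} assembled from the g_i."""
    f = [rng.randrange(P) for _ in range(inst["q"] + 1)]
    h = sum(c * gi for c, gi in zip(f, inst["g_i"])) % P
    return f, h

def sim_extract(inst, f, ident):
    """B's key for ID: r_ID = f(ID), h_ID = g^{F_ID(alpha)} from the g_i (no alpha)."""
    F_id, r_id = synth_div(f, ident)
    h_id = sum(c * gi for c, gi in zip(F_id, inst["g_i"])) % P
    return r_id, h_id

def sim_challenge(inst, f, id_b, m_c):
    """B's challenge (u, v, w) for (ID_b, M_c), built from the instance only."""
    q = inst["q"]
    r_b, h_b = sim_extract(inst, f, id_b)
    F2 = [pow(id_b, q + 1 - i, P) for i in range(q + 2)]  # coefficient of x^i in F_{2,ID_b}
    u = (inst["gp_q2"] - pow(id_b, q + 2, P) * inst["gp"]) % P      # g'^{f2(alpha) - f2(ID_b)}
    prod = sum(F2[i] * inst["g_i"][i] for i in range(q + 1)) % P   # prod_{i<=q} g_i^{F2_i}
    v = (inst["Z"] + inst["gp"] * prod) % P                         # Z * e(g', prod)
    w = (m_c - (u * h_b + v * r_b)) % P                             # M_c / (e(u, h_b) v^{r_b})
    return (u, v, w), (r_b, h_b)

def decrypt(ct, key):
    """The scheme's Decrypt: w * e(u, h_ID) * v^{r_ID}."""
    u, v, w = ct
    r_id, h_id = key
    return (w + u * h_id + v * r_id) % P

def pkg_extract(h, alpha, ident, r_id):
    """Verification only: the real PKG's Extract with the master key."""
    return r_id, (h - r_id) * pow((alpha - ident) % P, -1, P) % P

def run(q=4, real=True):
    """Return (B's key == PKG key, B's key decrypts, other valid key decrypts, event E)."""
    alpha, gamma = rng.randrange(1, P), rng.randrange(1, P)
    inst = build_instance(q, alpha, gamma, real)
    f, h = sim_setup(inst)
    ident, id_b, m_c = rng.randrange(P), rng.randrange(P), rng.randrange(P)
    # (1) Key simulation: matches the PKG's key when the PKG uses r_ID = f(ID).
    keys_match = sim_extract(inst, f, ident) == pkg_extract(h, alpha, ident, poly_eval(f, ident))
    # (2) Challenge: B's key always decrypts; a different valid key only if Z is real.
    ct, key_b = sim_challenge(inst, f, id_b, m_c)
    other_key = pkg_extract(h, alpha, id_b, rng.randrange(P))       # verification only
    event_e = ct[1] == ct[0] * pow((alpha - id_b) % P, -1, P) % P   # v == e(u, g)^{1/(alpha-ID_b)}
    return keys_match, decrypt(ct, key_b) == m_c, decrypt(ct, other_key) == m_c, event_e

if __name__ == "__main__":
    print(run(real=True), run(real=False))   # (True, True, True, True) (True, True, False, False)
```

With Z random, v carries an extra factor that B's own key cancels (B computed w with exactly that v), but any other valid key for $ID_b$ leaves a residue $\delta^{(r' - r_{ID_b})}$ in the toy model's notation, so the adversary's freshly sampled key fails, which is the gap between $S_{sim}$ and $S_{key}$ in Figures 12.2 and 12.3. Running `synth_div([0, 0, 0, 0, 1], ID)` reproduces the book's q = 4, $f(x) = x^4$ example, returning the coefficients of $x^3 + ID\,x^2 + ID^2 x + ID^3$ and the remainder $ID^4$.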
The challenge ciphertext is appropriately distributed
We want to show that the challenge ciphertext is appropriately distributed
from A's view. The challenge ciphertext consists of three elements:
u, v and w. Since $\log_g g'$ is uniformly random, s is uniformly random, and
(u, v, w) is uniformly random because it is made by using s. Therefore the
challenge ciphertext is appropriately distributed.
Probability analysis
Remember that all private keys and the challenge ciphertext are appropriately
distributed.
Before doing the analysis, let's define three events:
1. Let $X_0$ be the event that A's guesses are correct when Z is real.
2. Let $X_1$ be the event that A's guesses are correct when Z is a uniform
random element of $\mathbb{G}_T$.
3. Let E be the event that $v = e(u, g)^{1/(\alpha - ID_0)}$ or $v = e(u, g)^{1/(\alpha - ID_1)}$.
It means that, regardless of whether Z is real or random, the challenge
ciphertext is valid, because
$v = e(u, g)^{1/(\alpha - ID_b)} = e\big((g')^{f_2(\alpha) - f_2(ID_b)}, g\big)^{1/(\alpha - ID_b)} = e\big((g')^{(f_2(\alpha) - f_2(ID_b))/(\alpha - ID_b)}, g\big) = e(g^s, g) = e(g, g)^s.$
When Z is random, since v is uniform over the p elements of $\mathbb{G}_T$ and at most
two values of v correspond to this event, $\Pr[E] \leq 2/p$. However, when Z is real,
$\Pr[E] = 1$.
Clearly, A's advantage ε′ is greater than or equal to the gap between the two
events' probabilities, which is B's advantage, because
$\varepsilon = \Pr[X_0] - \Pr[X_1] = \Pr[B \text{ outputs } 1 \mid Z \text{ is real}] - \Pr[B \text{ outputs } 1 \mid Z \text{ is random}] \leq \varepsilon'.$
First, let us compute $\Pr[X_1]$ for computing ε. We can bound $\Pr[X_1]$ as
$\Pr[X_1] = \Pr[X_1 \mid E]\Pr[E] + \Pr[X_1 \mid \bar{E}]\Pr[\bar{E}] \leq \Pr[E] + \Pr[X_1 \mid \bar{E}] = 2/p + \Pr[X_1 \mid \bar{E}].$
If E does not occur, then the elements of the challenge ciphertext are
uniform random elements of $\mathbb{G}$ and $\mathbb{G}_T$. So, these perfectly hide the bits b and
c from A. It means that $\Pr[X_1 \mid \bar{E}]$ is the success probability of A when b and
c are guessed at random by A. Therefore, $\Pr[X_1 \mid \bar{E}] = 1/4$. So,
$\Pr[X_1] = 2/p + 1/4.$
Next, let us compute $\Pr[X_0]$ for computing ε. If Z is real, i.e., $Z = e(g_{q+1}, g')$, then
the distribution of the ciphertext is the same as in the actual scheme. So we
can get $\Pr[X_0] = \varepsilon' + 1/4$ from Definition 1. It means that, since B behaves
identically to the actual scheme, $\Pr[X_0] = \Pr[(b = b') \wedge (c = c')]$.
Finally, we can get B's advantage ε by combining these two probabilities,
$\Pr[X_0]$ and $\Pr[X_1]$, as
$\varepsilon = \Pr[X_0] - \Pr[X_1] = \varepsilon' + 1/4 - (2/p + 1/4) = \varepsilon' - 2/p.$
Time complexity
In the simulation, B's overhead is dominated by computing $g^{F_{ID}(\alpha)}$ in response
to A's key generation query on ID, where $F_{ID}(x)$ is a polynomial of
degree q − 1. Each such computation requires O(q) exponentiations in $\mathbb{G}$.
Since A makes at most q − 1 such queries, $t = t' + O(t_{exp} \cdot q^2)$, where $t_{exp}$ is
the time required to exponentiate in $\mathbb{G}$. ∎
The security of Gentry's scheme is based on the assumption that the truncated
decision q-ABDHE problem is hard. This is a non-static hardness assumption,
where the size of an instance depends on some parameter of the
scheme (i.e., the number of queries that an adversary is allowed to make).
12.3.3 Construction 2: Chosen-Ciphertext Security
We now present an efficient IBE system that is ANON-IND-ID-CCA secure
without random oracles under the truncated decision $(q_{ID} + 2)$-ABDHE assumption.
Construction 2. Chosen-ciphertext security
Let $\mathbb{G}, \mathbb{G}_T$ be groups of order p, and let $e: \mathbb{G} \times \mathbb{G} \to \mathbb{G}_T$ be the
bilinear map. The IBE system works as follows.
Setup Given a security parameter $k \in \mathbb{Z}^+$, where k = |p|:
1. Pick random generators $g, h_1, h_2, h_3 \in \mathbb{G}$.
2. Pick a random $\alpha \in \mathbb{Z}_p$.
3. Set $g_1 = g^{\alpha} \in \mathbb{G}$.
4. Choose a hash function $H: \mathbb{G} \times \mathbb{G}_T \times \mathbb{G}_T \to \mathbb{Z}_p$.
5. The system parameters are params = $(g, g_1, h_1, h_2, h_3, H)$.
6. The master-key is α.
Note: $\mathbb{G}$ is a subgroup of the additive group of points of an elliptic curve
$E/\mathbb{F}_p$. $\mathbb{G}_T$ is a subgroup of the multiplicative group of a finite field $\mathbb{F}_{p^2}$.
Extract For a given identity $ID \in \mathbb{Z}_p$:
1. Generate random $r_{ID,1}, r_{ID,2}, r_{ID,3} \in \mathbb{Z}_p$.
2. Compute $h_{ID,i} = (h_i g^{-r_{ID,i}})^{1/(\alpha - ID)} \in \mathbb{G}$ for $i \in \{1, 2, 3\}$.
3. Set the private key $d_{ID} = (r_{ID,1}, r_{ID,2}, r_{ID,3}, h_{ID,1}, h_{ID,2}, h_{ID,3})$.
Note: If ID = α, the PKG aborts. We require that the PKG always uses
the same random values $r_{ID,i}$ for ID.
Encrypt Message $M \in \mathbb{G}_T$ and identity $ID \in \mathbb{Z}_p$:
1. Generate random $s \in \mathbb{Z}_p$.
2. Compute $u = g_1^s g^{-s \cdot ID} \in \mathbb{G}$.
3. Compute $v = e(g, g)^s \in \mathbb{G}_T$.
4. Compute $w = M \cdot e(g, h_1)^{-s} \in \mathbb{G}_T$.
5. Compute $y = e(g, h_2)^s e(g, h_3)^{s\beta}$, where $\beta = H(u, v, w)$.
6. Set the ciphertext to be $C = \langle u, v, w, y \rangle$.
Note: Encryption does not require any pairing computations once e(g, g)
and $\{e(g, h_i)\}$ have been pre-computed or, alternatively, included in
params.
Decrypt Given ciphertext $C = \langle u, v, w, y \rangle$, identity ID and private key $d_{ID}$:
1. Set $\beta = H(u, v, w)$.
2. Test $y = e(u, h_{ID,2} h_{ID,3}^{\beta}) v^{r_{ID,2} + r_{ID,3}\beta}$.
3. If the check fails, the recipient outputs ⊥.
4. Otherwise, it outputs $M = w \cdot e(u, h_{ID,1}) v^{r_{ID,1}}$.
Correctness of decryption algorithm
After receiving (ID, C) with C = (u, v, w, y), the receiver generates the private
key for ID, then uses this private key to decrypt C. Since
$e(u, h_{ID,2} h_{ID,3}^{\beta}) v^{r_{ID,2} + r_{ID,3}\beta} = e\big(g^{s(\alpha - ID)}, (h_2 g^{-r_{ID,2}})^{1/(\alpha - ID)} (h_3 g^{-r_{ID,3}})^{\beta/(\alpha - ID)}\big) v^{r_{ID,2} + r_{ID,3}\beta}$
$= e\big(g^{s(\alpha - ID)}, (h_2 h_3^{\beta})^{1/(\alpha - ID)} g^{-(r_{ID,2} + r_{ID,3}\beta)/(\alpha - ID)}\big) e(g, g)^{s(r_{ID,2} + r_{ID,3}\beta)}$
$= e\big(g^{s(\alpha - ID)}, (h_2 h_3^{\beta})^{1/(\alpha - ID)}\big) = e(g^s, h_2 h_3^{\beta}) = e(g, h_2)^s e(g, h_3)^{s\beta};$
then, if $y = e(u, h_{ID,2} h_{ID,3}^{\beta}) v^{r_{ID,2} + r_{ID,3}\beta}$, the check passes. Moreover,
$e(u, h_{ID,1}) v^{r_{ID,1}} = e\big(g^{s(\alpha - ID)}, h_1^{1/(\alpha - ID)} g^{-r_{ID,1}/(\alpha - ID)}\big) e(g, g)^{s r_{ID,1}} = e(g, h_1)^s,$
as required.
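As an added example (not code from the book or from Gentry's paper), the following runs Construction 2 over the same toy bilinear group as the earlier example ($\mathbb{G} = \mathbb{G}_T = \mathbb{Z}_p$ written additively, $g^x$ stored as x, $e(g^a, g^b) = ab \bmod p$; insecure, assumed only to check the algebra) and exercises the consistency check on y: the honest ciphertext passes the test and decrypts, while a ciphertext whose w or y has been altered is rejected with ⊥, which is the behaviour the decryption oracle in the proof of Theorem 2 relies on. The hash H is instantiated with SHA-256 reduced modulo p, and the identity and message are constructed; both are assumptions of the example.

```python
# Added example (not from the book): Construction 2 over a toy bilinear group.
# Toy model, ASSUMED for illustration and NOT secure: G and G_T are both Z_p
# written additively, g^x is stored as the integer x, a product of elements is
# addition mod p, an exponentiation is multiplication mod p, and the pairing is
# e(g^a, g^b) = a*b mod p. The code checks the y test and decryption, nothing more.
import hashlib
import random

P = 2**61 - 1                    # prime group order
rng = random.Random(7)           # seeded for reproducibility

def pair(a, b):
    """Toy symmetric pairing e: G x G -> G_T (bilinear, insecure)."""
    return a * b % P

def H(u, v, w):
    """H: G x G_T x G_T -> Z_p, instantiated here (an assumption) with SHA-256 mod p."""
    data = b"".join(x.to_bytes(8, "big") for x in (u, v, w))
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % P

def setup():
    """Setup: params = (g, g1, h1, h2, h3, H); master-key alpha."""
    g = 1                                                   # generator, exponent 1
    alpha = rng.randrange(1, P)
    h = [rng.randrange(1, P) for _ in range(3)]             # h1, h2, h3
    return {"g": g, "g1": g * alpha % P, "h": h}, alpha

def extract(params, alpha, ident):
    """Extract: (r_1, r_2, r_3, h_ID,1, h_ID,2, h_ID,3), h_ID,i = (h_i g^{-r_i})^{1/(alpha-ID)}."""
    if ident % P == alpha:
        raise ValueError("ID = alpha: PKG aborts")
    inv = pow((alpha - ident) % P, -1, P)
    r = [rng.randrange(P) for _ in range(3)]   # a real PKG fixes these per ID (see Note)
    h_id = [(hi - ri) * inv % P for hi, ri in zip(params["h"], r)]
    return r, h_id

def encrypt(params, ident, m):
    """Encrypt: C = <u, v, w, y> with y = e(g,h2)^s e(g,h3)^{s beta}, beta = H(u, v, w)."""
    g, g1, h = params["g"], params["g1"], params["h"]
    s = rng.randrange(1, P)
    u = (g1 * s - g * s * ident) % P            # g1^s g^{-s ID}
    v = pair(g, g) * s % P                      # e(g, g)^s
    w = (m - pair(g, h[0]) * s) % P             # M e(g, h1)^{-s}
    beta = H(u, v, w)
    y = (pair(g, h[1]) * s + pair(g, h[2]) * s * beta) % P
    return u, v, w, y

def decrypt(key, ct):
    """Decrypt: return M, or None (the reject symbol, bottom) when the y test fails."""
    r, h_id = key
    u, v, w, y = ct
    beta = H(u, v, w)
    # e(u, h_ID,2 h_ID,3^beta) v^{r_2 + r_3 beta}
    expected = (pair(u, (h_id[1] + beta * h_id[2]) % P) + v * (r[1] + r[2] * beta)) % P
    if y != expected:
        return None
    return (w + pair(u, h_id[0]) + v * r[0]) % P      # w e(u, h_ID,1) v^{r_1}

def demo():
    """Return (honest ciphertext decrypts, altered w rejected, altered y rejected)."""
    params, alpha = setup()
    ident, m = 4242, 0xBEEF                    # constructed identity and message
    key = extract(params, alpha, ident)
    u, v, w, y = encrypt(params, ident, m)
    honest = decrypt(key, (u, v, w, y))
    # Altering the payload changes beta = H(u, v, w), so the stored y no longer matches.
    altered_w = decrypt(key, (u, v, (w + 1) % P, y))
    # Altering the tag itself also fails the test.
    altered_y = decrypt(key, (u, v, w, (y + 1) % P))
    return honest == m, altered_w is None, altered_y is None

if __name__ == "__main__":
    print(demo())   # (True, True, True)
```

In the toy model the expected tag is affine in β with slope $e(g, h_3)^s$, which is nonzero, so a ciphertext passes the test only for the β that was actually hashed from its own (u, v, w); that is why the decryption oracle in the proof can answer queries without leaking anything about the challenge.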
12.3.4 Security 2: Chosen-Ciphertext Security
We now prove that the above IBE system is ANON-IND-ID-CCA secure under
the truncated decision $(q_{ID} + 2)$-ABDHE assumption.
Theorem 2 Let $q = q_{ID} + 2$. Assume the truncated decision $(t, \varepsilon, q)$-ABDHE
assumption holds for $(\mathbb{G}, \mathbb{G}_T, e)$. Then, Construction 2 is $(t', \varepsilon', q_{ID}, q_C)$-ANON-IND-ID-CCA
secure for $t' = t - O(t_{exp} \cdot q^2)$ and $\varepsilon' = \varepsilon + 4q_C/p$,
where $t_{exp}$ is the time required to exponentiate in $\mathbb{G}$.
Outline of the Proof Since the difference between chosen-ciphertext security
and chosen-plaintext security (as in Theorem 1) is the querying of the decryption
oracle, in the security proof of Theorem 2 we only consider decryption queries.
Proof Let A be an adversary that $(t', \varepsilon', q_{ID}, q_C)$-breaks the ANON-IND-ID-CCA
security of the IBE system described above. We construct an algorithm, B, that
solves the truncated decision q-ABDHE problem, as follows. B takes as input a
random truncated decision q-ABDHE challenge $(g', g'_{q+2}, g, g_1, \cdots, g_q, Z)$, where Z
is either $e(g_{q+1}, g')$ or a random element of $\mathbb{G}_T$ (recall that $g_i = g^{(\alpha^i)}$).
Algorithm B proceeds as follows.
Reduction algorithm B
Setup
1. Generate random polynomials $f_i(x) \in \mathbb{Z}_p[x]$ of degree q for
$i \in \{1, 2, 3\}$.
2. Set $h_i = g^{f_i(\alpha)}$.
3. Send the public key $(g, g_1, h_1, h_2, h_3)$ to A.
Note: Since g, α, $f_i(x)$ are chosen uniformly at random and $h_i$ is
uniformly random, this public key has a distribution identical to that in
the actual construction.
Phase I (key generation queries)
1. A makes key generation queries.
2. B responds to a query on $ID \in \mathbb{Z}_p$ as follows.
If ID = α, B uses α to solve the truncated decision q-ABDHE
immediately.
Else, set $r_{ID,1} = f_1(ID)$ and compute $h_{ID,1} = (h_1 g^{-r_{ID,1}})^{1/(\alpha - ID)}$.
B sets the private key pairs $(r_{ID,i}, h_{ID,i})$ to be $(f_i(ID), g^{F_{ID,i}(\alpha)})$.
Note: These are valid private keys for ID, since
$g^{F_{ID,i}(\alpha)} = g^{\frac{f_i(\alpha) - f_i(ID)}{\alpha - ID}} = (h_i g^{-f_i(ID)})^{\frac{1}{\alpha - ID}},$
as required.
Phase I (decryption queries)
1. A makes decryption queries.
2. B responds to a query on (ID, C) as follows.
B generates private keys for ID.
Decrypt C = (u, v, w, y) by performing the usual Decrypt
algorithm with this private key:
Set $\beta = H(u, v, w)$.
Test $y = e(u, h_{ID,2} h_{ID,3}^{\beta}) v^{r_{ID,2} + r_{ID,3}\beta}$.
If the check fails, output ⊥.
Otherwise, output $M = w \cdot e(u, h_{ID,1}) v^{r_{ID,1}}$.
Challenge
1. A outputs identities $ID_0, ID_1$, and messages $M_0, M_1$.
2. Again, if $\alpha \in \{ID_0, ID_1\}$, B uses α to solve the truncated decision
q-ABDHE immediately.
3. Else, B generates bits $b, c \in \{0, 1\}$, and computes a private key
$(r_{ID_b,i}, h_{ID_b,i})$ for $ID_b$ as in Phase I (key generation queries).
4. Let $f_2'(x) = x^{q+2}$.
5. Let $F_{2,ID_b}(x) = \frac{f_2'(x) - f_2'(ID_b)}{x - ID_b} = \frac{x^{q+2} - ID_b^{q+2}}{x - ID_b} = x^{q+1} + ID_b x^q + \cdots + ID_b^q x + ID_b^{q+1}$,
which is a polynomial of degree q + 1.
6. B sets
$u = g'^{f_2'(\alpha) - f_2'(ID_b)}, \quad v = Z \cdot e\big(g', \prod_{i=0}^{q} g^{F_{2,ID_b,i} \cdot \alpha^i}\big), \quad w = M_c / \big(e(u, h_{ID_b,1}) v^{r_{ID_b,1}}\big),$
where $F_{2,ID_b,i} = ID_b^{q+1-i}$ is the coefficient of $x^i$ in $F_{2,ID_b}(x)$, and
$\prod_{i=0}^{q} g^{F_{2,ID_b,i} \cdot \alpha^i} = g^{F_{2,ID_b}(\alpha)} g_{q+1}^{-1} = g^{F_{2,ID_b}(\alpha) - \alpha^{q+1}} = g^{ID_b \alpha^q + \cdots + ID_b^q \alpha + ID_b^{q+1}} = g_q^{ID_b} \times \cdots \times g_1^{ID_b^q} \times g^{ID_b^{q+1}}.$
B then sets $\beta = H(u, v, w)$ and computes $y = e(u, h_{ID_b,2} h_{ID_b,3}^{\beta}) v^{r_{ID_b,2} + r_{ID_b,3}\beta}$.
7. Send (u, v, w, y) to A as the challenge ciphertext.
Note: Let $s = (\log_g g') F_{2,ID_b}(\alpha)$. If $Z = e(g_{q+1}, g')$, then
$u = g^{s(\alpha - ID_b)}$, $v = e(g, g)^s$, $M_c / w = e(u, h_{ID_b,1}) v^{r_{ID_b,1}} = e(g, h_1)^s$
and $y = e(u, h_{ID_b,2} h_{ID_b,3}^{\beta}) v^{r_{ID_b,2} + r_{ID_b,3}\beta} = e(g, h_2)^s e(g, h_3)^{s\beta}$. Thus
(u, v, w, y) is a valid ciphertext for $(ID_b, M_c)$ under randomness s. Since
$\log_g g'$ is uniformly random, s is uniformly random, and so (u, v, w, y) is
a valid, appropriately-distributed challenge to A.
Phase II
1. A makes key generation queries and B responds as in Phase I
(key generation queries).
2. A makes decryption queries and B responds as in Phase I (decryption
queries).
Guess
1. Finally, the adversary outputs guesses $b', c' \in \{0, 1\}$.
2. If b = b′ and c = c′, B outputs 1 (indicating that $Z = e(g_{q+1}, g')$);
otherwise, it outputs 0.
Simulation of private key generation
Now, we explain how to generate a valid private key without knowledge of
the master-key α. Before explaining, look again at a valid private key
$d_{ID,i} = (r_{ID,i}, h_{ID,i}) = (f_i(ID), (h_i g^{-f_i(ID)})^{\frac{1}{\alpha - ID}}).$ (12.7)
As seen from above, the simulator must know α to generate a valid
private key. The difficulty is that the simulator does not know α. But it can
generate a valid private key by using the problem instance only, as below. We
set $h_i$ in the setup stage as
$h_i = g^{f_i(\alpha)},$ (12.8)
where $f_i(x) \in \mathbb{Z}_p[x]$ is of degree q.
We can generate a valid private key by using $h_i$ and $f_i(x)$. Thus the simulator
can generate a valid private key without knowledge of α.
The private keys issued by B are appropriately distributed
We want to show that the keys issued by B are appropriately distributed
from A's view. It suffices to show that the values $\{f_i(a) : a \in I\}$ are uniformly
random and independent, where I is the set consisting of α, $ID_b$ and
the identities queried by A. We can observe that $|I| \leq q = q_{ID} + 2$ because
$q = q_{ID} + 2$. This follows from the fact that $f_i(x)$ is a uniformly random
polynomial of degree q whose coefficients are chosen independently and uniformly
at random from $\mathbb{Z}_p$. So $r_{ID,i}$ and $h_{ID,i}$ are random, because $r_{ID,i} = f_i(ID)$ and
$h_{ID,i}$ is generated by using $f_i(x)$. Therefore the private keys issued by B are
appropriately distributed.
Simulation of challenge ciphertext generation
Now, we explain how to generate a valid challenge ciphertext without
knowledge of α. First of all, we must keep in mind that the simulator must be
able to generate a valid private key for the challenge identity and decrypt the
challenge ciphertext. Before we talk about this issue, we arrange four functions.
1. $f_2'(x) = x^{q+2}$.
2. $F_{2,ID_b}(x) = \frac{f_2'(x) - f_2'(ID_b)}{x - ID_b} = \frac{x^{q+2} - ID_b^{q+2}}{x - ID_b} = x^{q+1} + ID_b x^q + \cdots + ID_b^q x + ID_b^{q+1}$, which is a polynomial of degree q + 1.
3. $F_{2,ID_b,i} = ID_b^{q+1-i}$ is the coefficient of $x^i$ in $F_{2,ID_b}(x)$.
4. $\prod_{i=0}^{q} g^{F_{2,ID_b,i} \cdot \alpha^i} = g^{F_{2,ID_b}(\alpha)} g_{q+1}^{-1} = g^{F_{2,ID_b}(\alpha) - \alpha^{q+1}} = g^{ID_b \alpha^q + \cdots + ID_b^q \alpha + ID_b^{q+1}} = g_q^{ID_b} \times \cdots \times g_1^{ID_b^q} \times g^{ID_b^{q+1}}$.
Let $s = (\log_g g') F_{2,ID_b}(\alpha) = (\log_g g') \frac{f_2'(\alpha) - f_2'(ID_b)}{\alpha - ID_b}$. Then $g^s = (g')^{\frac{f_2'(\alpha) - f_2'(ID_b)}{\alpha - ID_b}}$.
Now let us see the challenge ciphertext.
$u = g_1^s g^{-s \cdot ID_b} = g^{s(\alpha - ID_b)} = (g')^{\frac{f_2'(\alpha) - f_2'(ID_b)}{\alpha - ID_b} (\alpha - ID_b)} = g'^{f_2'(\alpha) - f_2'(ID_b)} = g'^{f_2'(\alpha)} g'^{-f_2'(ID_b)} = g'^{\alpha^{q+2}} g'^{-(ID_b)^{q+2}} = g'_{q+2} (g')^{-(ID_b)^{q+2}}.$
$v = Z \cdot e\big(g', \prod_{i=0}^{q} g^{F_{2,ID_b,i} \cdot \alpha^i}\big) = Z \cdot e\big(g', g_q^{ID_b} \times \cdots \times g_1^{ID_b^q} \times g^{ID_b^{q+1}}\big).$
$w = \frac{M_c}{e(u, h_{ID_b,1}) v^{r_{ID_b,1}}} = \frac{M_c}{e\big(g^{s(\alpha - ID_b)}, (h_1 g^{-f_1(ID_b)})^{\frac{1}{\alpha - ID_b}}\big) v^{r_{ID_b,1}}} = \frac{M_c}{e(g^s, h_1 g^{-f_1(ID_b)}) v^{r_{ID_b,1}}} = \frac{M_c}{e(g^s, h_1) e(g^s, g^{-f_1(ID_b)}) v^{r_{ID_b,1}}} = \frac{M_c}{e(g, h_1)^s e(g, g)^{-s f_1(ID_b)} v^{r_{ID_b,1}}}.$
$y = e(u, h_{ID_b,2} h_{ID_b,3}^{\beta}) v^{r_{ID_b,2} + r_{ID_b,3}\beta} = e\big(u, (h_2 g^{-f_2(ID_b)} (h_3 g^{-f_3(ID_b)})^{\beta})^{\frac{1}{\alpha - ID_b}}\big) v^{r_{ID_b,2} + r_{ID_b,3}\beta},$
where $\beta = H(u, v, w)$.
As shown above, the challenge ciphertext can be made by using the prob-
lem instance only.
Now we check whether it is a valid challenge ciphertext or not in two cases:
(1)Z is real (2)Z is random, respectively. First, in the case that Z is real (i.e.,
Z = e(gq+1 , g 0 )), u, v, w, and y are computed as below.
u = g1s g −s·IDb = g s(α−IDb ) .
Qq i IDq
v = Z · e(g 0 , i=0 g F2,IDb ,i ·α ) = e(gq+1 , g 0 ) · e(g 0 , gqIDb × · · · × g1 b ×
q+1 IDqb q+1
g IDb ) = e(g 0 , gq+1 × gqIDb × · · · × g1 × g IDb ) = e(g 0 , g F2,IDb (α) ) =
0 (α)−f 0 (ID ))
(f2 0 (α)−f 0 (ID ))
(f2
2 b 2 b
e(g 0 , g (α−IDb )
) = e((g 0 ) (α−IDb )
, g) = e(g s , g) = e(g, g)s .
w = Mc /e(u, hIDb ,1 )v rIDb ,1 = Mc /e(g, h1 )s e(g, g)−sf1 (IDb ) (e(g, g)s )rIDb ,1 =
Mc /e(g, h1 )s e(g, g)s(f1 (IDb )−f1 (IDb ,1)) = Mc · e(g, h1 )−s .
y = e(u, hIDb ,2 hIDb ,3 β )v rIDb ,2 +rIDb ,3 β =
β 1/(α−IDb )
e(g s(α−IDb ) , (h2 g −rIDb ,2 )1/(α−IDb ) (h3 g −rIDb ,3 ) )v rIDb ,2 +rIDb ,3 β
1/(α−IDb ) −(r
= e(g s(α−IDb ) , (h2 h3 β ) IDb ,2 +rIDb ,3 β)/(α−IDb )
g )e(g, g)s(rIDb ,2 +rIDb ,3 β)
β 1/(α−IDb )
= e(g s(α−IDb ) , (h2 h3 ) ) = e(g s , (h2 h3 β )) = e(g, h2 )s e(g, h3 )sβ .
As shown above, a valid challenge ciphertext is made. Therefore the simu-
lator can decrypt it by using the appropriate private key.
Next, in the case that Z is random, even if the challenge ciphertext is
random, the simulator can decrypt it by using the appropriate private key.
Decryption is computed as below.
$$\begin{aligned}
M_c &= w \cdot e(u, h_{ID_b,1})\, v^{r_{ID_b,1}} \\
 &= \frac{M_c}{e(g^s, h_1 g^{-f_1(ID_b)})\, v^{r_{ID_b,1}}} \cdot e\Big((g')^{f_2'(\alpha) - f_2'(ID_b)},\, g^{\frac{f_1(\alpha) - f_1(ID_b)}{\alpha - ID_b}}\Big) \cdot v^{r_{ID_b,1}} \\
 &= \frac{M_c}{e(g,h_1)^s\, e(g,g)^{-s f_1(ID_b)}} \cdot e\Big((g')^{\frac{f_2'(\alpha) - f_2'(ID_b)}{\alpha - ID_b}},\, g^{f_1(\alpha) - f_1(ID_b)}\Big) \\
 &= \frac{M_c}{e(g,h_1)^s\, e(g,g)^{-s f_1(ID_b)}} \cdot e\big(g^s, g^{f_1(\alpha)} g^{-f_1(ID_b)}\big) \\
 &= \frac{M_c}{e(g,h_1)^s\, e(g,g)^{-s f_1(ID_b)}} \cdot e\big(g^s, g^{f_1(\alpha)}\big) \cdot e\big(g^s, g^{-f_1(ID_b)}\big) \\
 &= \frac{M_c}{e(g,h_1)^s\, e(g,g)^{-s f_1(ID_b)}} \cdot e(g,h_1)^s\, e(g,g)^{-s f_1(ID_b)} = M_c .
\end{aligned}$$
As shown above, even when the challenge ciphertext is random, the simulator can decrypt it with the appropriate private key: the factor $v$, which contains $Z$, cancels in the decryption process. The adversary, on the other hand, can decrypt it only with negligible probability. (Note that in this case the challenge ciphertext is still formed as in the Encrypt algorithm, with $w$ and $y$ computed from the same $v$, so $y$ passes the Decrypt check.)
The challenge ciphertext is appropriately distributed

We want to show that the challenge ciphertext is appropriately distributed from $A$'s view. The challenge ciphertext consists of the four elements $u$, $v$, $w$, and $y$. Since $\log_g g'$ is uniformly random, $s$ is uniformly random, and $(u, v, w, y)$ is computed from $s$ exactly as in the Encrypt algorithm. Therefore the challenge ciphertext is appropriately distributed.
$P_{ABDHE}$ and $R_{ABDHE}$ distributions

As mentioned in the security proof of Theorem 1, we have an algorithm $B$ that, outputting a guess of $(b, c)$, has advantage $\epsilon$ in solving truncated decision $q$-ABDHE if
$$\epsilon \le \big|\Pr[B \text{ outputs } 1 \mid Z \text{ is real}] - \Pr[B \text{ outputs } 1 \mid Z \text{ is random}]\big|. \tag{12.9}$$
We refer to the distribution on the left (the instance with $Z$ real) as $P_{ABDHE}$ and the distribution on the right (the instance with $Z$ random) as $R_{ABDHE}$.
Now, since the time-complexity analysis is as in the proof of Theorem 1, Theorem 2 follows from the following lemmas.

Lemma 1 When $B$'s input is sampled according to $P_{ABDHE}$, the joint distribution of $A$'s view and the bits $(b, c)$ is indistinguishable from that in the actual construction, except with probability $2q_C/p$.
Proof of Lemma 1 When $B$'s input is sampled according to $P_{ABDHE}$, $B$'s simulation appears perfect to $A$ if $A$ makes key generation queries only, as in the proof of Theorem 1. $B$'s simulation still appears perfect if $A$ makes decryption queries only on identities for which it has queried the private key, since $B$'s responses give $A$ no additional information. Furthermore, querying well-formed ciphertexts to the decryption oracle does not help $A$ distinguish the simulation from the actual construction, since by the correctness of Decrypt, well-formed ciphertexts are accepted in either case. Finally, a query of a non-well-formed ciphertext $(u', v', w', y')$ for $ID$ (one that Decrypt may reject) falls into one of two cases:

1. $v' = e(u', g)^{1/(\alpha - ID)}$: this does not help $A$ distinguish, since the ciphertext will fail the Decrypt check ($w'$ can be correct for some $m$, but $y'$ makes the Decrypt check fail).
2. $v' \ne e(u', g)^{1/(\alpha - ID)}$: in this case we say the ciphertext is invalid; it is accepted only with negligible probability, as shown in the following claim.
Claim 1 The decryption oracle, in the simulation and in the actual construction, rejects all invalid ciphertexts under identities not queried by $A$, except with probability $q_C/p$.
Let $(u', v', w', y')$ be an "invalid" ciphertext queried by $A$ for $ID$, an unqueried identity. Let $\{(r_{ID,i}, h_{ID,i}) : i \in \{1, 2, 3\}\}$ be $B$'s private key for $ID$. Let $a_{u'} = \log_g(u')$, $a_{v'} = \log_{e(g,g)}(v')$, and $a_{y'} = \log_{e(g,g)}(y')$. For $(u', v', w', y')$ to be accepted, we must have
$$y' = e\big(u', h_{ID,2}\, h_{ID,3}^{\beta'}\big)\, v'^{\,r_{ID,2} + r_{ID,3}\beta'} \tag{12.10}$$
with $\beta' = H(u', v', w')$. That is,
$$a_{y'} = a_{u'}\big(\log_g h_{ID,2} + \beta' \log_g h_{ID,3}\big) + a_{v'}\big(r_{ID,2} + \beta' r_{ID,3}\big). \tag{12.11}$$
To compute the probability that $A$ can generate such a $y'$, we must consider the distribution of $\{(r_{ID,i}, h_{ID,i}) : i \in \{2, 3\}\}$ from $A$'s view (since $h_{ID,i}$ is computed from $r_{ID,i}$ and $h_i$, and $r_{ID,i}$ is set by $B$).

First, by construction of the private key, $h_{ID,i} = (h_i g^{-r_{ID,i}})^{1/(\alpha - ID)}$, so $A$ knows that
$$\log_g h_1 = (\alpha - ID)\log_g h_{ID,1} + r_{ID,1}, \tag{12.12}$$
$$\log_g h_2 = (\alpha - ID)\log_g h_{ID,2} + r_{ID,2}, \tag{12.13}$$
$$\log_g h_3 = (\alpha - ID)\log_g h_{ID,3} + r_{ID,3}. \tag{12.14}$$
Substituting (12.13) and (12.14) into (12.11), we get
$$\begin{aligned}
a_{y'} &= a_{u'}\big(\log_g h_{ID,2} + \beta' \log_g h_{ID,3}\big) + a_{v'}\big(r_{ID,2} + r_{ID,3}\beta'\big) \\
 &= a_{u'}\Big(\frac{\log_g h_2 - r_{ID,2}}{\alpha - ID} + \frac{\log_g h_3 - r_{ID,3}}{\alpha - ID}\,\beta'\Big) + a_{v'}\big(r_{ID,2} + r_{ID,3}\beta'\big) \\
 &= \frac{a_{u'}}{\alpha - ID}\big(\log_g h_2 + \beta' \log_g h_3\big) - \frac{a_{u'}}{\alpha - ID}\big(r_{ID,2} + r_{ID,3}\beta'\big) + a_{v'}\big(r_{ID,2} + r_{ID,3}\beta'\big).
\end{aligned}$$
That is,
$$a_{y'} = \big(a_{u'}/(\alpha - ID)\big)\big(\log_g h_2 + \beta' \log_g h_3\big) + \big(a_{v'} - a_{u'}/(\alpha - ID)\big)\big(r_{ID,2} + \beta' r_{ID,3}\big). \tag{12.15}$$
Note that $a_{v'} - a_{u'}/(\alpha - ID) \ne 0$ since the ciphertext is invalid (i.e., since $v' \ne e(u', g)^{1/(\alpha - ID)}$, $a_{v'} \ne a_{u'}/(\alpha - ID)$). Let $z' = a_{v'} - a_{u'}/(\alpha - ID)$.

In the actual construction, the values $r_{ID,i}$ for $i \in \{2, 3\}$ are chosen independently for different identities; however, this is not true in the simulation. Since $f_i(ID) = r_{ID,i}$, $A$ could conceivably gain information regarding $(r_{ID,2}, r_{ID,3})$ from its information regarding $(f_2(x), f_3(x))$, which includes the evaluations of $(f_2(x), f_3(x))$ at $\alpha$ (from the public key components $(h_2, h_3)$) and at $q_{ID} = q - 2$ identities (from its key generation queries). As seen from Equation (12.15), what $A$ learns about $(r_{ID,2}, r_{ID,3})$ enters only through the combination $r_{ID,2} + \beta' r_{ID,3}$, i.e., through $f_2(x) + \beta' f_3(x)$. Since $f_i(x)$ is a random polynomial of degree $q$, we can write
$$f_2(x_k) = f_{2,0} x_k^0 + f_{2,1} x_k^1 + \cdots + f_{2,q} x_k^q, \tag{12.16}$$
$$f_3(x_k) = f_{3,0} x_k^0 + f_{3,1} x_k^1 + \cdots + f_{3,q} x_k^q. \tag{12.17}$$
Therefore
$$f_2(x_k) + \beta' f_3(x_k) = f_{2,0} x_k^0 + f_{2,1} x_k^1 + \cdots + f_{2,q} x_k^q + \beta'\big(f_{3,0} x_k^0 + f_{3,1} x_k^1 + \cdots + f_{3,q} x_k^q\big), \tag{12.18}$$
where $f_{i,j}$ is the coefficient of $x^j$ in $f_i(x)$, $x_k$ is the $k$-th identity queried by $A$ to the key generation oracle, and $x_{q-1} = \alpha$. We may represent the knowledge gained from these evaluations as the following matrix product.
$$
\big(f_{2,0}, f_{2,1}, \ldots, f_{2,q}, f_{3,0}, f_{3,1}, \ldots, f_{3,q}\big)
\begin{pmatrix}
1 & 1 & \cdots & 1 & 0 & 0 & \cdots & 0 \\
x_1 & x_2 & \cdots & x_{q-1} & 0 & 0 & \cdots & 0 \\
\vdots & \vdots & \ddots & \vdots & \vdots & \vdots & \ddots & \vdots \\
x_1^q & x_2^q & \cdots & x_{q-1}^q & 0 & 0 & \cdots & 0 \\
0 & 0 & \cdots & 0 & 1 & 1 & \cdots & 1 \\
0 & 0 & \cdots & 0 & x_1 & x_2 & \cdots & x_{q-1} \\
\vdots & \vdots & \ddots & \vdots & \vdots & \vdots & \ddots & \vdots \\
0 & 0 & \cdots & 0 & x_1^q & x_2^q & \cdots & x_{q-1}^q
\end{pmatrix}
$$
Let $f$ denote the vector on the left and $V$ the matrix on the right. Since $f_i(x)$ is a random polynomial of degree $q$, the number of entries of $f$, which is the number of rows of $V$, is $2(q+1)$; and since $A$ makes $q_{ID} = q - 2$ key generation queries, which together with $\alpha$ give $q - 1$ evaluation points, the number of columns of $V$ is $2(q-1)$. Note that $V$ consists of two $(q+1) \times (q-1)$ Vandermonde matrices, so its columns are linearly independent. From $A$'s view, since $V$ has four more rows than columns, the solution space for $f$ is four-dimensional.$^4$

Let $\gamma_{ID}$ denote the vector $(1, ID, \ldots, ID^q)$. When we re-phrase Equation (12.15) in terms of the simulator's private key vector $f$, we obtain
$$a_{y'} = \text{public terms}^5 + z'\,\big(f \cdot (\gamma_{ID} \,\|\, \beta' \gamma_{ID})\big), \tag{12.19}$$
where "$\cdot$" denotes the dot product (e.g., $[a, b] \cdot [c, d] = ac + bd$) and $\gamma_{ID} \,\|\, \beta' \gamma_{ID}$ denotes the $(2q+2)$-dimensional vector formed by concatenating $\gamma_{ID}$ and $\beta' \gamma_{ID}$. Since $ID$ is not one of the evaluation points $x_k$, $\gamma_{ID} \,\|\, \beta' \gamma_{ID}$ is linearly independent of the columns of $V$.
Suppose $A$ queries invalid ciphertexts on the same $ID$. If the invalid ciphertext $C_1$ is the first ciphertext queried by $A$ for $ID$, then $C_1$ is accepted with probability at most $1/p$: given that $f$ lies in the four-dimensional solution space ($p^4$ points) defined by the columns of $V$, there is only a $1/p$ chance that $f$ also lies in the three-dimensional solution space ($p^3$ points) defined by Equation (12.15) together with the columns of $V$.$^6$ If the invalid ciphertext $C_2$ is the second ciphertext queried by $A$ for $ID$, then $C_2$ is accepted with probability at most $1/(p-1)$, since the first, rejected, query has eliminated one of the $p$ candidates. In general, the $i$-th invalid ciphertext $C_i$ queried for $ID$ is accepted with probability at most $1/(p-i+1)$, so $A$'s $i$-th invalid ciphertext is rejected with probability at least $1 - 1/(p-i+1)$. Since $A$ makes at most $q_C$ queries, the probability that all of $A$'s $q_C$ invalid ciphertexts are rejected is at least
$$\Big(1 - \frac{1}{p}\Big)\Big(1 - \frac{1}{p-1}\Big) \cdots \Big(1 - \frac{1}{p-q_C+1}\Big) = \frac{p - q_C}{p} = 1 - \frac{q_C}{p}. \tag{12.20}$$
Thus $A$'s invalid ciphertexts are all rejected, except with probability at most $q_C/p$. The same holds in the actual construction. So the probability that $A$'s invalid ciphertexts are all rejected both in the simulation and in the actual construction is at least
$$\Big(1 - \frac{q_C}{p}\Big)\Big(1 - \frac{q_C}{p}\Big) = 1 - \frac{2q_C}{p} + \frac{q_C^2}{p^2} > 1 - \frac{2q_C}{p}. \tag{12.21}$$
That is, $A$ cannot distinguish the simulation from the actual construction, except with probability $2q_C/p$.

$^4$ Since we have $2q+2$ unknowns while the number of equations is only $2q-2$, the solution space is four-dimensional.
$^5$ The public terms involve only $h_2$ and $h_3$, which are in the system parameters, and $\alpha$ only through $g^\alpha$, which is known although $\alpha$ itself is secret.
Lemma 2 When $B$'s input is sampled according to $R_{ABDHE}$, the distribution of the bits $(b, c)$ is independent of the adversary's view, except with probability $2q_C/p$.

Proof of Lemma 2 When $B$'s input is sampled according to $R_{ABDHE}$, valid ciphertexts are decrypted normally, so we need to show that all invalid ciphertexts are rejected, except with negligible probability. Then, when the decryption oracle rejects all invalid ciphertexts, the guess of $(b, c)$ is independent of $A$'s view, as in Construction 1. Lemma 2 follows from the following claims.

Claim 2 The decryption oracle rejects all invalid ciphertexts, except with probability $q_C/p$.

Claim 3 If the decryption oracle rejects all invalid ciphertexts, then $A$ has advantage at most $q_C/p$ in guessing the bits $(b, c)$.
Let $a_u = \log_g(u)$, $a_v = \log_{e(g,g)}(v)$ and $a_y = \log_{e(g,g)}(y)$ for the challenge ciphertext $C = (u, v, w, y)$ on $(ID_b, M_c)$. Since $(u, v, w, y)$ is generated from a sample of $R_{ABDHE}$ in this case, $(a_u, a_v)$ is a uniformly random element of $\mathbb{Z}_p \times \mathbb{Z}_p$ in $A$'s view. From $M_c = w \cdot e(u, h_{ID_b,1})\, v^{r_{ID_b,1}}$ and Equations (12.12)–(12.14), $A$ obtains the following equation:$^7$
$$\log_{e(g,g)}(M_c/w) = \big(a_u/(\alpha - ID_b)\big)\log_g h_1 + \big(a_v - a_u/(\alpha - ID_b)\big)\, r_{ID_b,1}. \tag{12.22}$$
Since $y = e\big(u, h_{ID_b,2}\, h_{ID_b,3}^{\beta}\big)\, v^{r_{ID_b,2} + r_{ID_b,3}\beta}$,
$$a_y = \big(a_u/(\alpha - ID_b)\big)\big(\log_g h_2 + \beta \log_g h_3\big) + \big(a_v - a_u/(\alpha - ID_b)\big)\big(r_{ID_b,2} + \beta\, r_{ID_b,3}\big), \tag{12.23}$$
where $\beta = H(u, v, w)$.

$^6$ Just as a line (1-dimensional) meets a plane (2-dimensional) in a point, a plane meets a 3-dimensional space in a line, and a 3-dimensional space meets a 4-dimensional space in a plane.
Regarding Claim 2, suppose that $A$ submits an invalid ciphertext $(u', v', w', y')$ for an unqueried identity $ID$, where $(u', v', w', y', ID) \ne (u, v, w, y, ID_b)$. Let $\beta' = H(u', v', w')$. There are three cases to consider:

1. $(u', v', w') = (u, v, w)$ and $\beta' = \beta$:
If $ID = ID_b$ but $y' \ne y$, then the ciphertext will certainly be rejected. If $ID \ne ID_b$, $A$ must generate a $y'$ that satisfies Equation (12.15) for the invalid ciphertext to be accepted. However, in this case the columns of $V$, $\gamma_{ID} \,\|\, \beta\gamma_{ID}$, and $\gamma_{ID_b} \,\|\, \beta\gamma_{ID_b}$ are linearly independent, implying that $A$ cannot generate a solution for $y'$, except with probability at most $1/(p-i+1)$ on its $i$-th such query. Why?$^8$ Then $A$'s invalid ciphertexts are all rejected, except with probability at most $q_C/p$.

2. $(u', v', w') \ne (u, v, w)$ and $\beta' = \beta$:
This is a collision in $H$ and violates the collision resistance of the hash function $H$.

3. $(u', v', w') \ne (u, v, w)$ and $\beta' \ne \beta$:
In this case $A$ must generate, for some $ID$, a $y'$ that satisfies Equation (12.15). $A$ can do this with only negligible probability when $ID \ne ID_b$. If $ID = ID_b$, then $\gamma_{ID} \,\|\, \beta'\gamma_{ID}$ and $\gamma_{ID_b} \,\|\, \beta\gamma_{ID_b}$ span $\gamma_{ID_b} \,\|\, 0^{q+1}$ and $0^{q+1} \,\|\, \gamma_{ID_b}$, since $\beta \ne \beta'$. These vectors are linearly independent of each other and of the columns of $V$. Thus, as in the first case, $A$'s invalid ciphertexts are all rejected, except with probability at most $q_C/p$.

Therefore, since these cases are mutually exclusive, the probability that $A$ submits an invalid ciphertext that is accepted is at most $q_C/p$.
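The linear-algebra argument behind Claim 1 and behind cases 1 and 3 of Claim 2 can be checked mechanically over a small prime field. The Python program below is an added example, not code from the book or from Gentry's paper. It builds the columns of $V$ from the simulator's known evaluation points (the $q-2$ queried identities together with $\alpha$), computes the dimension of the space of $f = (f_2, f_3)$ consistent with them over $\mathbb{Z}_p$, and shows that each new vector $\gamma_{ID} \,\|\, \beta' \gamma_{ID}$ for an unqueried $ID$ cuts that dimension by one (so a single guess at $y'$ lands in the right subspace with probability $1/p$), that two different $\beta$ values for the same $ID$ cut it by two, and that two distinct unqueried identities do as well. It also evaluates the product in Equation (12.20) exactly. The toy values $p = 101$, $q = 4$, the identities, $\alpha$ and the $\beta$ values are arbitrary choices for illustration.

```python
from fractions import Fraction

# Toy parameters (assumption: small values chosen for illustration; the real
# scheme uses a prime p of cryptographic size and q = number of key queries + 2).
P = 101
Q = 4


def rank_mod_p(vectors, p):
    """Rank over GF(p) of a list of integer vectors, by Gaussian elimination."""
    m = [[x % p for x in vec] for vec in vectors]
    ncols = len(m[0]) if m else 0
    rank, col = 0, 0
    while rank < len(m) and col < ncols:
        pivot = next((i for i in range(rank, len(m)) if m[i][col]), None)
        if pivot is None:
            col += 1
            continue
        m[rank], m[pivot] = m[pivot], m[rank]
        inv = pow(m[rank][col], -1, p)
        m[rank] = [(x * inv) % p for x in m[rank]]
        for i in range(len(m)):
            if i != rank and m[i][col]:
                factor = m[i][col]
                m[i] = [(a - factor * b) % p for a, b in zip(m[i], m[rank])]
        rank += 1
        col += 1
    return rank


def gamma(x, q, p):
    """gamma_x = (1, x, ..., x^q); f_i(x) is the dot product of f_i's coefficients with gamma_x."""
    return [pow(x, i, p) for i in range(q + 1)]


def columns_of_V(points, q, p):
    """Columns of V: each known evaluation point x_k constrains
    f = (f_{2,0..q}, f_{3,0..q}) through f_2(x_k) (gamma_x || 0) and f_3(x_k) (0 || gamma_x)."""
    zero = [0] * (q + 1)
    cols = []
    for x in points:
        cols.append(gamma(x, q, p) + zero)
        cols.append(zero + gamma(x, q, p))
    return cols


def constraint_vector(identity, beta, q, p):
    """gamma_ID || beta * gamma_ID, the vector that multiplies f in Equation (12.19)."""
    g = gamma(identity, q, p)
    return g + [(beta * x) % p for x in g]


def solution_dim(points, q, p, extra=()):
    """Dimension of the space of f consistent with V's columns plus the extra constraints."""
    return 2 * (q + 1) - rank_mod_p(columns_of_V(points, q, p) + list(extra), p)


def all_rejected_probability(q_c, p):
    """Equation (12.20): prod_{i=1}^{q_c} (1 - 1/(p-i+1)) = 1 - q_c/p, computed exactly."""
    prob = Fraction(1)
    for i in range(1, q_c + 1):
        prob *= 1 - Fraction(1, p - i + 1)
    return prob


def demo(p=P, q=Q):
    """Walk through Claims 1 and 2 on toy data; returns the solution-space dimensions."""
    alpha = 7
    queried = [3, 5]                      # q_ID = q - 2 identities extracted by A
    points = queried + [alpha]            # x_{q-1} = alpha, known through h_2, h_3
    base = solution_dim(points, q, p)     # Claim 1: 2q+2 unknowns, 2q-2 equations -> 4
    ID, ID_b = 11, 23                     # unqueried identities (toy choice)
    beta, beta2 = 17, 29                  # two different hash values H(u, v, w)
    one_query = solution_dim(points, q, p, [constraint_vector(ID, beta, q, p)])
    # Claim 2, case 3: same ID, two betas span gamma_ID||0 and 0||gamma_ID -> two cuts.
    two_tags = solution_dim(points, q, p, [constraint_vector(ID, beta, q, p),
                                           constraint_vector(ID, beta2, q, p)])
    # Claim 2, case 1: two distinct unqueried IDs with the same beta are also independent.
    two_ids = solution_dim(points, q, p, [constraint_vector(ID, beta, q, p),
                                          constraint_vector(ID_b, beta, q, p)])
    return {"base": base, "one_query": one_query, "two_tags": two_tags, "two_ids": two_ids}
```

Running `demo()` gives dimensions 4, 3, 2 and 2 for the four situations, which is the counting that turns into the $1/p$, $1/(p-1)$, ... acceptance bounds above: each rejected invalid query removes one of the $p$ parallel three-dimensional slices of the four-dimensional candidate space.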
Regarding Claim 3, if no invalid ciphertexts are accepted, then $B$'s responses to decryption queries leak no information about $r_{ID_b,1}$. Thus the distribution of $M_c/w$, conditioned on $(b, c)$ and everything in $A$'s view other than $w$, is uniform. $M_c/w$ serves as a perfect one-time pad: $w$ is uniformly random and independent, and $c$ is independent of $A$'s view.

$^7$ $\log_{e(g,g)}(M_c/w) = \log_{e(g,g)}\big[e(u, h_{ID_b,1})\, v^{r_{ID_b,1}}\big] = \log_g(u)\log_g(h_{ID_b,1}) + \log_{e(g,g)}(v^{r_{ID_b,1}}) = \frac{a_u}{\alpha - ID_b}\big(\log_g h_1 - r_{ID_b,1}\big) + r_{ID_b,1}\, a_v = \big(a_u/(\alpha - ID_b)\big)\log_g h_1 + \big(a_v - a_u/(\alpha - ID_b)\big)\, r_{ID_b,1}$.
$^8$ In order to generate $y'$, the adversary can only use its information about $f$, whose solution space is defined by the columns of $V$ and Equation (12.15) (equivalently, Equation (12.19)). By the same argument as in Claim 1, the probability is at most $1/(p-i+1)$.
The only part of the ciphertext that can reveal information about $b$ is $y$, since $A$ views $(u, v, w)$ as a uniformly random and independent element of $G \times G_T \times G_T$. The $2q-2$ equations corresponding to the columns of $V$, intersected with Equation (12.23), leave a solution space that is at least three-dimensional. $A$ views $f$ as being contained in one of two three-dimensional spaces, since $b$ has two possible values. Each of $A$'s invalid ciphertext queries punctures each of these three-dimensional spaces in a plane, removing each of the two planes from consideration as containing $f$. Since no invalid ciphertext is accepted, each three-dimensional space is left with at least $p^3 - q_C p^2$ (out of $p^3$) candidates. Thus $A$ cannot distinguish $b$, except with probability at most $q_C/p$.
Conclusion of Proof of Lemma 2 From Claim 2, the probability that the decryption oracle rejects all invalid ciphertexts is at least $1 - q_C/p$. From Claim 3, when the decryption oracle rejects all invalid ciphertexts, $A$ gains no advantage in guessing $(b, c)$ with probability at least $1 - q_C/p$. So, when $B$'s input is sampled according to $R_{ABDHE}$, the probability that $(b, c)$ is independent of $A$'s view is at least
$$(1 - q_C/p)(1 - q_C/p) > 1 - 2q_C/p. \tag{12.24}$$
Therefore the probability that $A$ gains any advantage in guessing $(b, c)$ in this case is at most $2q_C/p$.

Conclusion of Proof of Theorem 2 With $\epsilon'$ denoting $A$'s advantage, we have $\Pr[X_0] + 2q_C/p = \epsilon' + 1/4$ and $\Pr[X_1] = 2q_C/p + 1/4$. Thus, as in the security proof of Theorem 1, $B$'s advantage is
$$\epsilon = \Pr[X_0] - \Pr[X_1] = \epsilon' + 1/4 - 2q_C/p - (2q_C/p + 1/4) = \epsilon' - 4q_C/p. \tag{12.25}$$
Time complexity is as in Theorem 1.

This concludes the proof of Theorem 2. $\square$
Exercises

12.1 The columns of $V$, $\gamma_{ID} \,\|\, \beta\gamma_{ID}$, and $\gamma_{ID_b} \,\|\, \beta\gamma_{ID_b}$ are linearly independent, implying that the adversary $A$ cannot generate a solution for $y'$, except with probability at most $1/(p-i+1)$. Why?

12.2 The distribution of $M_c/w$, conditioned on $(b, c)$ and everything in $A$'s view other than $w$, is uniform. Why?
13
Identity-Based Encryption (3)

CONTENTS
13.1 Overview 227
13.2 Preliminaries 229
13.2.1 Security Model 230
13.2.2 Hardness Assumptions 230
13.3 Dual System Encryption 231
13.4 Waters' IBE [99] 235
13.4.1 Proof of IBE Security 240
Exercises 256
This chapter presents the details of Waters' identity-based encryption scheme. The drawback of Gentry's scheme, namely that its security proof relies on non-static assumptions, is removed by proving security under static assumptions in the standard model through hybrid games. The problems of non-static assumptions are stated first, and then the hybrid proof technique is discussed. The next part of the chapter provides the preliminaries, including the security model and the hardness assumptions for Waters' IBE scheme. Waters' scheme uses two static hardness assumptions: decisional bilinear Diffie-Hellman and decisional linear. The chapter then presents dual system encryption, followed by Waters' IBE itself. The methodology, called dual system encryption, allows one to prove that an IBE scheme is fully secure based on static assumptions without random oracles. This is further explained through the formal construction and the security proof using a reduction algorithm.
13.1 Overview

Previously we pointed out the problems of the partitioning paradigm and introduced Gentry's proof methodology to resolve them. However, since Gentry's proof methodology is based on non-static assumptions, it has problems of its own. This time we explain Waters' proof methodology, called Dual System Encryption, which gives fully secure solutions based on static assumptions in the standard model through hybrid games.
Why is a non-static assumption problematic?

The instances of standard assumptions like DDH and CDH always have a fixed size. As a result, when we prove security by reduction, the assumption depends only on the security parameter and not on system parameters (e.g., the $q$ of the $q$-bilinear Diffie-Hellman exponent problem) or on the oracle queries (e.g., the number of queries).

On the other hand, instances of non-static assumptions do not have a fixed size; they depend on system parameters or oracle queries. This means that the instance of the assumption used in the proof depends, for example, on the number of queries $q$ made by the adversary. The problem is that, since the size of a non-static instance grows with $q$, the assumption becomes stronger as $q$ grows, whereas for standard assumptions the number of group elements used as public parameters in the real scheme is fixed. In effect, the strongest assumption in a whole family of assumptions must be adopted, which makes non-static assumptions undesirable. In addition, the group elements serving as public parameters have to be generated using a polynomial $f$ of degree $q$, which may cause substantial overhead.
What is a hybrid argument (or proof, game)?

The natural way of proving security goes as follows. First, take two oracles or functions, $\Pi_0$ and $\Pi_1$, and then show that any distinguisher $D$, a probabilistic polynomial time (PPT) algorithm, can distinguish $\Pi_0$ from $\Pi_1$ with at most negligible probability:
$$\big|\Pr[D^{\Pi_0} = 1] - \Pr[D^{\Pi_1} = 1]\big| \le \text{negligible}. \tag{13.1}$$
However, if we cannot reduce a scheme to a single assumption or theorem in one step, what can we do? A hybrid argument lets us apply the above procedure multiple times.

The hybrid argument technique is as follows:

1. Define a polynomial number of hybrid oracles or functions. In detail, if $q(n)$ is a polynomial in the security parameter $n$, then we have $q(n) + 1$ hybrids $(H_0, \cdots, H_{q(n)})$, where $H_0 = \Pi_0$ and $H_{q(n)} = \Pi_1$. The intermediate hybrids $(H_1, \cdots, H_{q(n)-1})$ must be chosen so that each adjacent pair is indistinguishable.
2. By the triangle inequality, and since $H_0 = \Pi_0$ and $H_{q(n)} = \Pi_1$ make the sum telescope,
$$\big|\Pr[D^{\Pi_0} = 1] - \Pr[D^{\Pi_1} = 1]\big| = \Big|\sum_{i=1}^{q(n)} \big(\Pr[D^{H_{i-1}} = 1] - \Pr[D^{H_i} = 1]\big)\Big| \le \sum_{i=1}^{q(n)} \big|\Pr[D^{H_i} = 1] - \Pr[D^{H_{i-1}} = 1]\big|. \tag{13.2}$$
This is shown in Figure 13.1.

FIGURE 13.1
Hybrid game.

3. For each $i \in \{1, 2, \cdots, q(n)\}$, show by a reduction or a probabilistic argument that no PPT distinguisher $D$ can distinguish $H_{i-1}$ from $H_i$:
$$\big|\Pr[D^{H_i} = 1] - \Pr[D^{H_{i-1}} = 1]\big| = \text{negligible}. \tag{13.3}$$
Here, the same or different arguments may be used at each step.

4. Finally, combine the two steps above:
$$\big|\Pr[D^{\Pi_0} = 1] - \Pr[D^{\Pi_1} = 1]\big| \le \sum_{i=1}^{q(n)} \big|\Pr[D^{H_i} = 1] - \Pr[D^{H_{i-1}} = 1]\big| = \sum_{i=1}^{q(n)} \text{negligible} = q(n) \times \text{negligible} = \text{negligible}, \tag{13.4}$$
where $q(n)$ is a polynomial in $n$.

This completes the proof.
13.2 Preliminaries
This section provides preliminaries including the security model and hardness
assumptions for the Waters’ IBE scheme.
13.2.1 Security Model

IND-ID-CPA game for an IBE scheme

1. Setup Given the security parameter $k$, the challenger runs the Setup algorithm of the IBE scheme. It gives $A$ the system parameters params while keeping the master key MSK to itself.

2. Phase I $A$ makes a finite number of key-extraction queries on identities $ID$ of its choice. For each, the challenger runs Extract on $ID$ and forwards the resulting private key to $A$. The Extract algorithm is probabilistic, and if it is queried more than once on the same identity, it may return different (but valid) decryption keys. $A$ is allowed to make these queries adaptively, i.e., any query may depend on the previous queries as well as their answers.

3. Challenge $A$ outputs two equal-length messages $M_0, M_1$ and a challenge identity $ID^*$ that has not appeared in any key-extraction query in Phase I. The challenger selects a random bit $\beta \in \{0, 1\}$ and responds with $CT^*$ computed on input $(ID^*, M_\beta, \text{params})$.

4. Phase II $A$ issues additional queries just as in Phase I, except that it may not request a private key for $ID^*$. The challenger responds as in Phase I.

5. Guess $A$ outputs its guess $\beta'$ of $\beta$.

Definition 1 The advantage of $A$ in attacking the IBE scheme $\Pi$ is defined as
$$\text{Adv}_{A,\Pi} = \big|\Pr[\beta = \beta'] - 1/2\big|. \tag{13.5}$$

Definition 2 An IBE scheme $\Pi$ is said to be $(t, \epsilon, q)$-secure against adaptive chosen-identity, chosen-plaintext attack (the IND-ID-CPA game above) if no $t$-time adversary $A$ that makes at most $q$ secret-key queries has
$$\text{Adv}_{A,\Pi} \ge \epsilon. \tag{13.6}$$
13.2.2 Hardness Assumptions

For proving his scheme, Waters uses two static hardness assumptions.

Decisional bilinear Diffie-Hellman (DBDH) assumption

Let $G$ and $G_T$ be two groups of prime order $p$, where the size of $p$ is a function of the security parameter. Let $e: G \times G \to G_T$ be a bilinear map and let $g$ be a generator of $G$.

Given $(g, g^{c_1}, g^{c_2}, g^{c_3}, T) \in G^4 \times G_T$ for random $c_1, c_2, c_3 \in \mathbb{Z}_p$, it must remain hard to distinguish $T = e(g, g)^{c_1 c_2 c_3} \in G_T$ from a random element $R$ of $G_T$. An algorithm $B$ that outputs $z \in \{0, 1\}$ has advantage $\epsilon_{dbdh}$ in solving the decisional BDH problem in $G$ if
$$\big|\Pr[B(g, g^{c_1}, g^{c_2}, g^{c_3}, T = e(g,g)^{c_1 c_2 c_3}) = 0] - \Pr[B(g, g^{c_1}, g^{c_2}, g^{c_3}, T = R) = 0]\big| \ge \epsilon_{dbdh}.$$

Definition 3 We say that the decisional BDH assumption holds if no polynomial-time algorithm has a non-negligible advantage in solving the decisional BDH problem.

Decisional linear (DLin) assumption

Let $G$ and $G_T$ be two groups of prime order $p$, where the size of $p$ is a function of the security parameter. Let $e: G \times G \to G_T$ be a bilinear map and let $g, f, \nu$ be random generators of $G$.

Given $(g, f, \nu, g^{c_1}, f^{c_2}, T) \in G^6$ for random $c_1, c_2 \in \mathbb{Z}_p$, it must remain hard to distinguish $T = \nu^{c_1 + c_2} \in G$ from a random element $R$ of $G$. An algorithm $B$ that outputs $z \in \{0, 1\}$ has advantage $\epsilon_{dlin}$ in solving the decisional linear problem in $G$ if
$$\big|\Pr[B(g, f, \nu, g^{c_1}, f^{c_2}, T = \nu^{c_1 + c_2}) = 0] - \Pr[B(g, f, \nu, g^{c_1}, f^{c_2}, T = R) = 0]\big| \ge \epsilon_{dlin}.$$

Definition 4 We say that the decisional linear assumption holds if no polynomial-time algorithm has a non-negligible advantage in solving the decisional linear problem.
13.3 Dual System Encryption

In general, it is not easy to prove that a scheme is fully (or adaptively) secure. The reason is that, in the reduction, the simulator should be able to create the secret key for every identity whose key does not decrypt the challenge ciphertext, i.e., every identity other than the challenge identity. This is hard to achieve because the secret keys and the challenge ciphertext are related. So Waters removes the relationship between them by slightly modifying the game at each step of a hybrid argument. Eventually, in the last game, where the relationship has been removed, the simulation still works even if the challenge ciphertext is replaced by a random one. Waters proceeds with the hybrid argument as in Figure 13.2.

FIGURE 13.2
Waters' hybrid game.

In Figure 13.2, $\text{Game}_{Real}$ is the real scheme, and $\text{Game}_{Final}$ is an ideal scheme in which the adversary's advantage is 0. To carry out the proof, Waters also defines secret key and ciphertext generation algorithms that produce two types (or forms) of secret keys and ciphertexts, respectively. The first type, called normal, is the one actually used in the IBE system. The second type, called semi-functional, is used only in the proof. A normal secret key can decrypt all ciphertexts, normal or semi-functional. A semi-functional secret key can decrypt normal ciphertexts only; it cannot decrypt semi-functional ciphertexts. Let us apply these to the hybrid argument.
FIGURE 13.3
Comparison of normal and semi-functional forms.

Intuition We define a sequence of games and argue that an attacker cannot distinguish one game from the next. The first game is the real security game, in which the challenge ciphertext and all secret keys are distributed normally. Next we switch the normal challenge ciphertext to a semi-functional one. We argue that no adversary can detect this (under our complexity assumption), since all secret keys given out can decrypt the challenge ciphertext regardless of whether it is normal or semi-functional. In the next series of games, we change the secret keys one at a time from normal to semi-functional, again arguing indistinguishability. In both of these proof steps, our reduction algorithm is able to provide secret keys for any identity and to use any identity as the challenge identity, eliminating the need to worry about an abort condition. By repeating the above process, we change all secret keys and the challenge ciphertext to semi-functional. Finally, we end up in a game where the challenge ciphertext is random and all secret keys are semi-functional. At this point, proving security is straightforward, since the challenge ciphertext is random.

Let us make the above intuition concrete. In $\text{Game}_{Real}$, the simulator generates normal secret keys and a normal challenge ciphertext. In $\text{Game}_0$, the simulator generates normal secret keys and a semi-functional challenge ciphertext. In $\text{Game}_i$, for $i \in \{0, \cdots, q\}$, the simulator generates semi-functional secret keys for the $j$-th queried identities with $j \in \{1, \cdots, i\}$, normal secret keys for the $j'$-th queried identities with $j' \in \{i+1, \cdots, q\}$, and a semi-functional challenge ciphertext. In $\text{Game}_q$, the simulator generates only semi-functional secret keys and a semi-functional challenge ciphertext. Lastly, in $\text{Game}_{Final}$, the simulator generates semi-functional secret keys and a random challenge ciphertext.

FIGURE 13.4
Change of secret keys and ciphertexts in Waters' hybrid game.
As shown in Figure 13.4, $\text{Game}_{Real}$ and $\text{Game}_0$ are the same except for a small internal difference, and the same holds for each pair of adjacent games. Let the probability of distinguishing $\text{Game}_{Real}$ from $\text{Game}_0$ be $|\text{Game}_{Real}\text{Adv}_A - \text{Game}_0\text{Adv}_A| = \epsilon_1$, and similarly let $\epsilon_{i+1} = |\text{Game}_{i-1}\text{Adv}_A - \text{Game}_i\text{Adv}_A|$ for $i = 1, \cdots, q$ and $\epsilon_{q+2} = |\text{Game}_q\text{Adv}_A - \text{Game}_{Final}\text{Adv}_A|$. Summing over all games, the differences telescope:
$$\big(\text{Game}_{Real}\text{Adv}_A - \text{Game}_0\text{Adv}_A\big) + \sum_{i=1}^{q}\big(\text{Game}_{i-1}\text{Adv}_A - \text{Game}_i\text{Adv}_A\big) + \big(\text{Game}_q\text{Adv}_A - \text{Game}_{Final}\text{Adv}_A\big) = \text{Game}_{Real}\text{Adv}_A - \text{Game}_{Final}\text{Adv}_A \le \sum_{i=1}^{q+2} \epsilon_i .$$
The probability that we want to bound is therefore
$$\text{Game}_{Real}\text{Adv}_A \le \sum_{i=1}^{q+2} \epsilon_i + \text{Game}_{Final}\text{Adv}_A = \sum_{i=1}^{q+2} \epsilon_i, \tag{13.7}$$
since $\text{Game}_{Final}\text{Adv}_A = 0$.

Now we have to show that $\text{Game}_{Real}\text{Adv}_A$ is negligible. To show that each $\epsilon_i$ is bounded by the advantage against the assumption, we embed $T_0$ in $\text{Game}_{Real}$ and $T_1$ in $\text{Game}_0$. To distinguish the two games, the adversary must solve the underlying assumption, so $|\text{Game}_{Real}\text{Adv}_A - \text{Game}_0\text{Adv}_A|$ is bounded by the advantage against the assumption. The same applies to all subsequent games. In the dual system, from $\text{Game}_1$ to $\text{Game}_q$, if $T_0$ is embedded the secret key in question is normal, and if $T_1$ is embedded it is semi-functional. Between $\text{Game}_q$ and $\text{Game}_{Final}$, if $T_0$ is embedded the challenge ciphertext is semi-functional, and if $T_1$ is embedded the challenge ciphertext is random.
Now we only have to handle $\text{Game}_{Final}$. However, when the session key is changed to random, a problem occurs, because the session key is related to both the challenge ciphertext and the secret keys. Thus we cannot simply change the session key to random. To address this problem, the partitioning methodology of BF-IBE or Gentry's methodology could be used; Waters instead uses the semi-functional methodology.

In other words, the proof is difficult because of the relationship between the challenge ciphertext and the secret keys. As shown in Figure 13.3, a normal secret key can decrypt normal ciphertexts, so there is a relationship that has to be accounted for during the proof. On the other hand, a semi-functional secret key cannot decrypt semi-functional challenge ciphertexts, so there is hardly any relationship left to account for. In conclusion, if we can change normal keys and ciphertexts to semi-functional ones, the proof becomes easier.
So we must change normal to semi-functional. We first change the normal challenge ciphertext to a semi-functional challenge ciphertext. Next, we change the normal secret keys to semi-functional secret keys one by one. As shown in Figure 13.5, consider $\text{Game}_{k-1}$ and $\text{Game}_k$. The $k$-th secret key is normal in $\text{Game}_{k-1}$ and semi-functional in $\text{Game}_k$, while the $i$-th secret key for $i \in \{1, \cdots, k-1\}$ is semi-functional in both games. Here a contradiction, called the paradox, arises between $\text{Game}_{k-1}$ and $\text{Game}_k$: because the simulator in these games can generate normal secret keys, semi-functional secret keys, and the semi-functional challenge ciphertext by itself, it could test whether the $k$-th key it generated is normal or semi-functional by decrypting the semi-functional challenge ciphertext with it. That is, the simulator itself could distinguish the two games, which is a contradiction.

To overcome this contradiction (i.e., to prevent the simulator from distinguishing), the proof uses a tag method that ensures the $k$-th secret key cannot decrypt the semi-functional challenge ciphertext, whether the key is normal or semi-functional. The method is as follows: we embed $\text{tag}_k$ and $\text{tag}_c$ in the secret key and the challenge ciphertext, respectively. The tags are generated using some function $F()$ such that $1/(\text{tag}_c - \text{tag}_k)$ cannot be computed.$^1$ Note that if $1/(\text{tag}_c - \text{tag}_k)$ cannot be computed, the simulator cannot decrypt the challenge ciphertext. For more details, refer to "How to generate tags" in Lemma 2.

FIGURE 13.5
Paradox between $\text{Game}_{k-1}$ and $\text{Game}_k$.

Since the contradiction is resolved as above, we have no problem changing the normal ciphertext and secret keys to semi-functional ones in the proof from $\text{Game}_{Real}$ to $\text{Game}_{Final}$. Therefore the proof in $\text{Game}_{Final}$ goes through easily and we obtain $\text{Game}_{Real}\text{Adv}_A$.
13.4 Waters’ IBE [99]
In 2009, Waters proposed a new methodology called Dual System Encryption
that allows us to prove that an IBE scheme is fully (adaptively) secure based
on static assumptions without random oracle.
Construction 1. IBE

Let $G$, $G_T$ be groups of order $p$, and let $e: G \times G \to G_T$ be the bilinear map. The IBE system works as follows.

Setup Given a security parameter $k \in \mathbb{Z}^+$, where $k = |p|$:
1. Pick random generators $g, v, v_1, v_2, w, u, h \in G$.
2. Pick random $a_1, a_2, b, \alpha \in \mathbb{Z}_p$.
3. Set $\tau_1 = v v_1^{a_1}$ and $\tau_2 = v v_2^{a_2}$.
4. The system parameters are $\text{params} = \big(g^b, g^{a_1}, g^{a_2}, g^{b \cdot a_1}, g^{b \cdot a_2}, \tau_1, \tau_2, \tau_1^b, \tau_2^b, w, u, h, e(g, g)^{\alpha \cdot a_1 \cdot b}\big)$.
5. The master secret key is $\text{MSK} = (g, g^\alpha, g^{\alpha \cdot a_1}, v, v_1, v_2)$.

The identity space for the described scheme is $\mathbb{Z}_p$, although we note that in practice one can apply a collision-resistant hash function to identities of arbitrary length.

Extract For a given identity $ID \in \mathbb{Z}_p$:
1. Generate random $r_1, r_2, z_1, z_2, \text{tag}_k \in \mathbb{Z}_p$.
2. Let $r = r_1 + r_2$.
3. Compute $D_1 = g^{\alpha \cdot a_1} v^r$, $D_2 = g^{-\alpha} v_1^r g^{z_1}$.
4. Compute $D_3 = (g^b)^{-z_1}$, $D_4 = v_2^r g^{z_2}$.
5. Compute $D_5 = (g^b)^{-z_2}$, $D_6 = g^{r_2 \cdot b}$.
6. Compute $D_7 = g^{r_1}$, $K = (u^{ID} w^{\text{tag}_k} h)^{r_1}$.
7. Set the secret key $SK_{ID} = (D_1, \cdots, D_7, K, \text{tag}_k)$.

$^1$ In this case $\text{tag}_k = \text{tag}_c$: for the challenge ciphertext $C^*$ for $ID^*$ and the secret key $SK^*$ for $ID^*$, $\text{tag}_c = F(ID^*)$ and $\text{tag}_k = F(ID^*)$.
Encrypt Message M ∈ GT and identity ID ∈ Zp
1. Generate random s1 , s2 , t, tagc ∈ Zp .
2. Let s = s1 + s2 .
3. Compute C0 = M · (e(g, g)α·a1 ·b )s2 , C1 = (g b )s .
4. Compute C2 = (g b·a1 )s1 , C3 = (g a1 )s1 , C4 = (g b·a2 )s2 .
5. Compute C5 = (g a2 )s2 , C6 = τ1s1 τ2s2 .
6. Compute C7 = (τ1b )s1 (τ2b )s2 w−t .
7. Compute E1 = (uID wtagc h)t , E2 = g t .
8. Set the ciphertext to be $CT = \langle C_0, \cdots, C_7, E_1, E_2, \mathrm{tag}_c\rangle$.
(e(g, g)α·a1 ·b )s2 is called the session key. C1 , · · · , C7 , E1 , and E2 are called
the header information necessary to retrieve the session key.
Decrypt Ciphertext CT and secret key SKID
1. Compute A1 = e(C1 , D1 ) · e(C2 , D2 ) · e(C3 , D3 ) · e(C4 , D4 ) ·
e(C5 , D5 ).
2. Compute A2 = e(C6 , D6 ) · e(C7 , D7 ).
3. Compute A3 = A1 /A2 .
4. Compute A4 = (e(E1 , D7 )/e(E2 , K))1/(tagc −tagk ) .
5. Compute M = C0 /(A3 /A4 ).
Decryption requires that the ciphertext tag $\mathrm{tag}_c$ is not equal to the private key
tag $\mathrm{tag}_k$ (step 4 divides by $\mathrm{tag}_c - \mathrm{tag}_k$). Since both tags are chosen randomly,
decryption will succeed with all but a negligible $1/p$ probability.
Computations between normal ciphertext and normal secret key
1. A1 = e(C1 , D1 ) · e(C2 , D2 ) · e(C3 , D3 ) · e(C4 , D4 ) · e(C5 , D5 )
= e(g b·s , g α·a1 v r )·e(g b·a1 ·s1 , g −α v1r g z1 )·e(g a1 ·s1 , g −b·z1 )·e(g b·a2 ·s2 , v2r g z2 )·
e(g a2 ·s2 , g −b·z2 )
= e(g b·s , g α·a1 ) · e(g b·s , v r ) · e(g b·a1 ·s1 , g −α g z1 ) · e(g b·a1 ·s1 , v1r ) ·
e(g a1 ·s1 , g −b·z1 ) · e(g b·a2 ·s2 , v2r ) · e(g b·a2 ·s2 , g z2 ) · e(g a2 ·s2 , g −b·z2 )
= e(g, g)α·a1 ·b·s ·e(g, v)b·s·r ·e(g, g)−b·a1 ·s1 ·α+b·a1 ·s1 ·z1 ·e(g, v1 )b·a1 ·s1 ·r ·
e(g, g)−a1 ·s1 ·b·z1 · e(g, v2 )b·a2 ·s2 ·r · e(g, g)b·a2 ·s2 ·z2 · e(g, g)−a2 ·s2 ·b·z2 ,
where s = s1 + s2
= e(g, g)α·a1 ·b·s1 ·e(g, g)α·a1 ·b·s2 ·e(g, v)b·(s1 +s2 )·r ·e(g, g)−b·a1 ·s1 ·α+b·a1 ·s1 ·z1 ·
e(g, v1 )b·a1 ·s1 ·r · e(g, g)−a1 ·s1 ·b·z1 · e(g, v2 )b·a2 ·s2 ·r · e(g, g)b·a2 ·s2 ·z2 ·
e(g, g)−a2 ·s2 ·b·z2
= e(g, g)α·a1 ·b·s2 · e(v, g)b(s1 +s2 )r · e(v1 , g)a1 ·b·s1 ·r · e(v2 , g)a2 ·b·s2 ·r .
2. A2 = e(C6 , D6 )·e(C7 , D7 ) = e(τ1s1 τ2s2 , g r2 ·b )·e((τ1b )s1 (τ2b )s2 w−t , g r1 )
= e(τ1 , g)s1 ·r2 ·b · e(τ2 , g)s2 ·r2 ·b · e(τ1 , g)b·s1 ·r1 · e(τ2 , g)b·s2 ·r1 ·
e(w, g)−t·r1 ,
where τ1 = vv1a1 and τ2 = vv2a2
= e(vv1a1 , g)s1 ·r2 ·b · e(vv2a2 , g)s2 ·r2 ·b · e(vv1a1 , g)b·s1 ·r1 · e(vv2a2 , g)b·s2 ·r1 ·
e(w, g)−t·r1
= e(v, g)s1 ·r2 ·b · e(v1 , g)a1 ·s1 ·r2 ·b · e(v, g)s2 ·r2 ·b · e(v2 , g)a2 ·s2 ·r2 ·b ·
e(v, g)b·s1 ·r1 ·e(v1 , g)a1 ·b·s1 ·r1 ·e(v, g)b·s2 ·r1 ·e(v2 , g)a2 ·b·s2 ·r1 ·e(w, g)−t·r1
= e(v, g)s1 ·r2 ·b ·e(v, g)s2 ·r2 ·b ·e(v, g)b·s1 ·r1 ·e(v, g)b·s2 ·r1 ·e(v1 , g)a1 ·s1 ·r2 ·b ·
e(v1 , g)a1 ·b·s1 ·r1 · e(v2 , g)a2 ·s2 ·r2 ·b · e(v2 , g)a2 ·b·s2 ·r1 · e(w, g)−t·r1 ,
where r = r1 + r2
= e(v, g)b(s1 +s2 )r · e(v1 , g)a1 ·b·s1 ·r · e(v2 , g)a2 ·b·s2 ·r · e(g, w)−r1 ·t .
3. A3 = A1 /A2 = e(g, g)α·a1 ·b·s2 · e(g, w)r1 ·t .
4. A4 = (e(E1 , D7 )/e(E2 , K))1/(tagc −tagk )
= (e((uID wtagc h)t , g r1 )/e(g t , (uID wtagk h)r1 ))1/(tagc −tagk )
= (e((uID wtagc h)t , g r1 ) · e(g t , (uID wtagk h)r1 )−1 )1/(tagc −tagk )
= (e(w, g)tagc ·t·r1 · e(g, w)−tagk ·t·r1 )1/(tagc −tagk )
= e(g, w)r1 ·t .
5. M = C0 /(A3 /A4 ) = M · (e(g, g)α·a1 ·b )s2 /(e(g, g)α·a1 ·b·s2 ·
e(g, w)r1 ·t /e(g, w)r1 ·t )
= M · e(g, g)α·a1 ·b·s2 · e(g, g)−α·a1 ·b·s2 · e(g, w)−r1 ·t · e(g, w)r1 ·t
Construction 2. Semi-functional algorithms
We will define them as algorithms that are executed with knowledge of
the secret exponents. However, in a real system they will not be used.
Their main purpose is to define the structures that will be used in the
proof. We define both semi-functional ciphertexts and keys in terms of a
transformation on a normal ciphertext or key.
Semi-functional ciphertexts The algorithm first runs the encryption algorithm
to generate a normal ciphertext $CT = \langle C_0', \cdots, C_7', E_1', E_2', \mathrm{tag}_c\rangle$.
1. Pick a random $x \in \mathbb{Z}_p$.
2. Set $C_0 = C_0'$, $C_1 = C_1'$, $C_2 = C_2'$, $C_3 = C_3'$, $E_1 = E_1'$, $E_2 = E_2'$,
leaving these elements and the $\mathrm{tag}_c$ unchanged.
3. Set $C_4 = C_4'\cdot g^{b\cdot a_2\cdot x}$, $C_5 = C_5'\cdot g^{a_2\cdot x}$, $C_6 = C_6'\cdot v_2^{a_2\cdot x}$, $C_7 = C_7'\cdot v_2^{a_2\cdot b\cdot x}$.
4. The semi-functional ciphertext is $\langle C_0, \cdots, C_7, E_1, E_2, \mathrm{tag}_c\rangle$.
Semi-functional secret keys The algorithm first runs the extract algorithm
to generate a normal secret key $SK_{ID} = (D_1', \cdots, D_7', K', \mathrm{tag}_k)$.
1. Pick a random $\gamma \in \mathbb{Z}_p$.
2. Set $D_3 = D_3'$, $D_5 = D_5'$, $D_6 = D_6'$, $D_7 = D_7'$, $K = K'$, leaving
these elements and the $\mathrm{tag}_k$ unchanged.
3. Set $D_1 = D_1'\cdot g^{-a_1\cdot a_2\cdot\gamma}$, $D_2 = D_2'\cdot g^{a_2\cdot\gamma}$, $D_4 = D_4'\cdot g^{a_1\cdot\gamma}$.
4. The semi-functional secret key is $(D_1, \cdots, D_7, K, \mathrm{tag}_k)$.
Computations between normal and semi-functional
Here we show the semi-functional ciphertext and secret key work as ex-
pected.
1. Decrypt a semi-functional ciphertext with a normal key.
e(g b·a2 ·x , D4 ) · e(g a2 ·x , D5 ) · e(v2a2 ·x , D6 )−1 · e(v2a2 ·b·x , D7 )−1
= e(g b·a2 ·x , v2r g z2 ) · e(g a2 ·x , g −b·z2 ) · e(v2a2 ·x , g r2 ·b )−1 · e(v2a2 ·b·x , g r1 )−1
= e(g, v2 )b·a2 ·x·r · e(g, g)b·a2 ·x·z2 · e(g, g)−a2 ·x·b·z2 · e(v2 , g)−a2 ·x·r2 ·b ·
e(v2 , g)−a2 ·b·x·r1 = 1
2. Decrypt a normal ciphertext with a semi-functional key.
e(C1 , g −a1 ·a2 ·γ ) · e(C2 , g a2 ·γ ) · e(C4 , g a1 ·γ )
= e(g b(s1 +s2 ) , g −a1 ·a2 ·γ ) · e(g b·a1 ·s1 , g a2 ·γ ) · e(g b·a2 ·s2 , g a1 ·γ )
= e(g, g)−b(s1 +s2 )·a1 ·a2 ·γ · e(g, g)b·a1 ·s1 ·a2 ·γ · e(g, g)b·a2 ·s2 ·a1 ·γ = 1
3. Decrypt a semi-functional ciphertext with a semi-functional key.
e(C1 , g −a1 ·a2 ·γ ) · e(C2 , g a2 ·γ ) · e(C4 · g b·a2 ·x , D4 · g a1 ·γ ) · e(g a2 ·x , D5 ) ·
e(v2a2 ·x , D6 )−1 · e(v2a2 ·b·x , D7 )−1
= e(C1 , g −a1 ·a2 ·γ )·e(C2 , g a2 ·γ )·e(C4 , D4 )·e(C4 , g a1 ·γ )·e(g b·a2 ·x , D4 )·
e(g b·a2 ·x , g a1 ·γ ) · e(g a2 ·x , D5 ) · e(v2a2 ·x , D6 )−1 · e(v2a2 ·b·x , D7 )−1
By using the above two results in 1 and 2, the computation below
is possible.
= e(C4 , D4 ) · e(g b·a2 ·x , g a1 ·γ )
= e(g b·a2 ·s2 , v2r g z2 ) · e(g b·a2 ·x , g a1 ·γ ) = e(g b·a2 ·s2 , v2r ) · e(g b·a2 ·s2 , g z2 ) ·
e(g b·a2 ·x , g a1 ·γ )
$= e(g, v_2)^{b\cdot a_2\cdot s_2\cdot r}\cdot e(g,g)^{b\cdot a_2\cdot s_2\cdot z_2}\cdot e(g,g)^{b\cdot a_2\cdot x\cdot a_1\cdot\gamma} \neq 1$
As shown above, in cases 1 and 2 the additional parts (i.e., the parts multiplied
into the normal secret key and normal ciphertext, for example $g^{b\cdot a_2\cdot x}$) cancel,
so the computations in 1 and 2 evaluate to 1. Therefore, cases 1 and 2 do not
affect the decryption computation, as expected. However, in case 3 the additional
parts do not cancel, so decryption does not work as expected. In conclusion,
only the decryption of a semi-functional ciphertext with a semi-functional
secret key fails.
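As an added illustration (constructed here, not code from the book or from Waters' paper), the following Python models Constructions 1 and 2 in a group where every discrete logarithm is known: each element $g^a$ is stored as the exponent $a$ mod $P$, so a pairing becomes a product of exponents. It lets you check the three cases above numerically; $P$, the identity and the message are constructed values, and nothing here is a secure implementation.

```python
# Added example, not from the book: a "known-discrete-log" model of Waters' IBE
# (Constructions 1 and 2).  Each element g^a of G is stored as its exponent a mod P,
# e(g,g)^a likewise, so e(g^a, g^b) = e(g,g)^{ab} becomes a*b mod P.  It checks the
# decryption algebra only and is NOT a secure implementation: the model knows every
# discrete log.  P, the identity and the message values are constructed.
import secrets

P = 2**61 - 1  # constructed stand-in for the prime group order p

def rnd():
    return secrets.randbelow(P)

def setup():
    """Construction 1, Setup: (params, msk) as dicts of exponents (logs base g)."""
    v, v1, v2, w, u, h = (rnd() for _ in range(6))
    a1, a2, b, alpha = (rnd() for _ in range(4))
    tau1 = (v + a1 * v1) % P                               # tau_1 = v * v1^{a1}
    tau2 = (v + a2 * v2) % P                               # tau_2 = v * v2^{a2}
    params = dict(gb=b, ga1=a1, ga2=a2, gba1=b * a1 % P, gba2=b * a2 % P,
                  tau1=tau1, tau2=tau2, tau1b=b * tau1 % P, tau2b=b * tau2 % P,
                  w=w, u=u, h=h, egg=alpha * a1 * b % P)   # egg: e(g,g)^{alpha a1 b}
    msk = dict(galpha=alpha, galpha_a1=alpha * a1 % P, v=v, v1=v1, v2=v2)
    return params, msk

def extract(params, msk, ID):
    """Construction 1, Extract: SK_ID = (D1..D7, K, tag_k)."""
    r1, r2, z1, z2, tagk = (rnd() for _ in range(5))
    r, b = r1 + r2, params["gb"]
    D = [(msk["galpha_a1"] + msk["v"] * r) % P,            # D1 = g^{alpha a1} v^r
         (-msk["galpha"] + msk["v1"] * r + z1) % P,        # D2 = g^{-alpha} v1^r g^{z1}
         (-b * z1) % P,                                    # D3 = (g^b)^{-z1}
         (msk["v2"] * r + z2) % P,                         # D4 = v2^r g^{z2}
         (-b * z2) % P,                                    # D5 = (g^b)^{-z2}
         r2 * b % P,                                       # D6 = g^{r2 b}
         r1]                                               # D7 = g^{r1}
    K = (params["u"] * ID + params["w"] * tagk + params["h"]) * r1 % P
    return dict(D=D, K=K, tagk=tagk)

def encrypt(params, m, ID):
    """Construction 1, Encrypt of M = e(g,g)^m: CT = (C0..C7, E1, E2, tag_c)."""
    q = params
    s1, s2, t, tagc = (rnd() for _ in range(4))
    s = s1 + s2
    C = [(m + q["egg"] * s2) % P,                          # C0 = M (e(g,g)^{alpha a1 b})^{s2}
         q["gb"] * s % P, q["gba1"] * s1 % P, q["ga1"] * s1 % P,   # C1, C2, C3
         q["gba2"] * s2 % P, q["ga2"] * s2 % P,                      # C4, C5
         (q["tau1"] * s1 + q["tau2"] * s2) % P,            # C6 = tau1^{s1} tau2^{s2}
         (q["tau1b"] * s1 + q["tau2b"] * s2 - q["w"] * t) % P]    # C7 = ... w^{-t}
    E1 = (q["u"] * ID + q["w"] * tagc + q["h"]) * t % P    # E1 = (u^ID w^{tag_c} h)^t
    return dict(C=C, E1=E1, E2=t, tagc=tagc)

def decrypt(ct, sk):
    """Construction 1, Decrypt, steps 1-5 of the text; returns the log of M."""
    C, D = ct["C"], sk["D"]
    A1 = sum(C[i] * D[i - 1] for i in range(1, 6)) % P     # e(C1,D1) ... e(C5,D5)
    A2 = (C[6] * D[5] + C[7] * D[6]) % P                   # e(C6,D6) e(C7,D7)
    A3 = (A1 - A2) % P
    diff = (ct["tagc"] - sk["tagk"]) % P
    if diff == 0:   # 1/(tag_c - tag_k) is undefined: the negligible 1/p failure case
        raise ValueError("tag_c == tag_k, decryption impossible")
    A4 = (ct["E1"] * D[6] - ct["E2"] * sk["K"]) * pow(diff, -1, P) % P
    return (C[0] - (A3 - A4)) % P                          # M = C0 / (A3 / A4)

def semi_functional_ct(params, msk, ct, x=None):
    """Construction 2: multiply C4..C7 by g^{b a2 x}, g^{a2 x}, v2^{a2 x}, v2^{a2 b x}."""
    x = rnd() if x is None else x
    C = list(ct["C"])
    C[4] = (C[4] + params["gba2"] * x) % P
    C[5] = (C[5] + params["ga2"] * x) % P
    C[6] = (C[6] + msk["v2"] * params["ga2"] * x) % P
    C[7] = (C[7] + msk["v2"] * params["gba2"] * x) % P
    return dict(ct, C=C), x

def semi_functional_key(params, sk, gamma=None):
    """Construction 2: multiply D1, D2, D4 by g^{-a1 a2 gamma}, g^{a2 gamma}, g^{a1 gamma}."""
    gamma = rnd() if gamma is None else gamma
    D = list(sk["D"])
    D[0] = (D[0] - params["ga1"] * params["ga2"] * gamma) % P
    D[1] = (D[1] + params["ga2"] * gamma) % P
    D[3] = (D[3] + params["ga1"] * gamma) % P
    return dict(sk, D=D), gamma

def run_checks(ID=12345, m=777):
    """The three cases of 'Computations between normal and semi-functional'."""
    params, msk = setup()
    sk = extract(params, msk, ID)
    ct = encrypt(params, m, ID)
    sf_ct, x = semi_functional_ct(params, msk, ct)
    sf_sk, gamma = semi_functional_key(params, sk)
    # case 3 leaves e(g,g)^{b a2 x a1 gamma} in A3, so the recovered value is
    # M / e(g,g)^{a1 a2 b x gamma}, i.e. the exponent m - leak
    leak = params["ga1"] * params["gba2"] % P * x % P * gamma % P
    return dict(normal=decrypt(ct, sk) == m,
                sf_ct_normal_key=decrypt(sf_ct, sk) == m,          # case 1
                normal_ct_sf_key=decrypt(ct, sf_sk) == m,          # case 2
                both_sf=decrypt(sf_ct, sf_sk) == (m - leak) % P,   # case 3
                wrong_identity=decrypt(ct, extract(params, msk, ID + 1)) != m)
```

Calling `run_checks()` returns a dict in which every entry is `True`: the only combination that fails to recover the message is the semi-functional pair, and it fails by exactly the factor the case 3 computation predicts.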
13.4.1 Proof of IBE Security
As mentioned above, the proof is organized as a sequence of games as shown
in Figure 13.6. We define the first game as the real identity-based encryption
game and the last one as the ideal encryption game in which the adversary has
no advantage unconditionally. Now we show that each game is indistinguish-
able from the next (under a complexity assumption). As stated before, the
crux of Waters’ strategy is to move to a security game where both the chal-
lenge ciphertext and secret keys are semi-functional. At this point, any keys
the challenger gives out are not useful in decrypting the ciphertext. First, let
us define the games as:
1. GameReal : The actual IBE security game defined in Section 13.2.1
Security Model.
2. $\mathrm{Game}_i$: The real security game with the following two exceptions:
(1) The challenge ciphertext will be a semi-functional ciphertext
on the challenge identity $ID^*$; (2) The first $i$ private key queries
will return semi-functional private keys. The rest of the keys will
be normal. For an adversary that makes at most $q$ queries we will
be interested in $\mathrm{Game}_0, \cdots, \mathrm{Game}_q$. We note that in $\mathrm{Game}_0$ the
challenge ciphertext is semi-functional, but all keys are normal, and
in $\mathrm{Game}_q$ all secret keys are semi-functional.
3. $\mathrm{Game}_{Final}$: The real security game with the following exceptions:
(1) The challenge ciphertext is a semi-functional encryption of a
random group element of $G_T$; (2) All of the secret key queries result
in semi-functional keys.
We now prove a set of Lemmas that argue the indistinguishability of these
games. For each proof we need to build a reduction simulator that answers
private key queries and creates a challenge ciphertext.
FIGURE 13.6
Proof of IBE security.
Lemma 1 Suppose that there exists an algorithm A where GameReal AdvA −
Game0 AdvA = dlin . Then we can build an algorithm B that has advantage
dlin in the decision linear game.
Proof The algorithm B begins by taking in an instance (G, g, f, ν, g c1 , f c2 , T )
of the decision linear problem. We now describe how it executes the Setup,
Key Phase, and Challenge phases of the IBE game with A.
Reduction algorithm B in Lemma 1
Setup
1. Choose random exponents $b, \alpha, y_v, y_{v_1}, y_{v_2} \in \mathbb{Z}_p$, and random
group elements $w, u, h \in G$.
2. Set $g = g$, $g^{a_1} = f$, $g^{a_2} = \nu$, where $a_1$ and $a_2$ are exponents
that the reduction itself does not know.
3. Set $g^b$, $g^{b\cdot a_1} = f^b$, $g^{b\cdot a_2} = \nu^b$, $v = g^{y_v}$, $v_1 = g^{y_{v_1}}$, $v_2 = g^{y_{v_2}}$.
4. Compute $\tau_1 = g^{y_v} f^{y_{v_1}}$, $\tau_2 = g^{y_v}\nu^{y_{v_2}}$, $\tau_1^b = g^{b\cdot y_v} f^{b\cdot y_{v_1}}$, $\tau_2^b = g^{b\cdot y_v}\nu^{b\cdot y_{v_2}}$, $e(g,g)^{\alpha\cdot a_1\cdot b} = e(g,f)^{\alpha\cdot b}$.
5. Send the public parameters $\mathrm{params} = (g^b, g^{a_1}, g^{a_2}, g^{b\cdot a_1}, g^{b\cdot a_2}, \tau_1, \tau_2, \tau_1^b, \tau_2^b, w, u, h, e(g,g)^{\alpha\cdot a_1\cdot b})$.
6. Set the master secret key $MSK = (g, g^\alpha, f^\alpha, v, v_1, v_2)$.
Phase I
1. Choose random exponents $r_1, r_2, z_1, z_2 \in \mathbb{Z}_p$ and define $r = r_1 + r_2$.
2. Compute $D_1 = f^\alpha v^r$, $D_2 = g^{-\alpha} v_1^r g^{z_1}$, $D_3 = (g^b)^{-z_1}$, $D_4 = v_2^r g^{z_2}$, $D_5 = (g^b)^{-z_2}$, $D_6 = g^{r_2\cdot b}$, $D_7 = g^{r_1}$, $K = (u^{ID} w^{\mathrm{tag}_k} h)^{r_1}$.
3. Send the secret key $SK_{ID} = (D_1, \cdots, D_7, K, \mathrm{tag}_k)$.
Challenge
1. A outputs messages M0 , M1 and challenge identity ID∗ .
2. B generates bit β ∈ {0, 1}.
3. Create a normal ciphertext using the real Encrypt algorithm,
$CT = (C_0', \cdots, C_7', E_1', E_2', \mathrm{tag}_c)$.
4. Let $s_1', s_2', t$ be the random exponents used in creating the ciphertext.
5. Modify components of the ciphertext as follows.
$C_0 = C_0'\cdot(e(g^{c_1}, f)\cdot e(g, f^{c_2}))^{b\cdot\alpha}$, $C_1 = C_1'\cdot(g^{c_1})^b$, $C_2 = C_2'\cdot(f^{c_2})^{-b}$, $C_3 = C_3'\cdot(f^{c_2})^{-1}$, $C_4 = C_4'\cdot T^b$, $C_5 = C_5'\cdot T$,
$C_6 = C_6'\cdot(g^{c_1})^{y_v}\cdot(f^{c_2})^{-y_{v_1}}\cdot T^{y_{v_2}}$, $C_7 = C_7'\cdot((g^{c_1})^{y_v}\cdot(f^{c_2})^{-y_{v_1}}\cdot T^{y_{v_2}})^b$, $E_1 = E_1'$, $E_2 = E_2'$.
6. Send $(C_0, \cdots, C_7, E_1, E_2, \mathrm{tag}_c)$ to $A$ as the challenge ciphertext.
Note: If $T = \nu^{c_1+c_2}$, then $s_1 = -c_2 + s_1'$, $s_2 = s_2' + c_1 + c_2$, and
$s = s_1 + s_2 = c_1 + s_1' + s_2'$ are implicitly set. If $T = \nu^{c_1+c_2}$, the ciphertext will have
the same distribution as a standard ciphertext; otherwise, it will be
distributed identically to a semi-functional ciphertext.
Phase II
1. A makes key generation queries, and B responds as in Phase I.
Guess
1. Finally, the adversary outputs a guess $\beta' \in \{0,1\}$.
2. If $\beta = \beta'$, $B$ outputs 0 (indicating that $T = \nu^{c_1+c_2}$); otherwise, it
outputs 1.
Simulation of secret key generation in Lemma 1
The Extract algorithm in Lemma 1 only generates normal secret keys. The
secret key simulation is the same as the original one except that $D_1 = f^\alpha v^r =
(g^{a_1})^\alpha v^r = g^{\alpha\cdot a_1} v^r$.
Simulation of challenge ciphertext generation in Lemma 1
The difference between $\mathrm{Game}_{Real}$ and $\mathrm{Game}_0$ is whether the challenge ci-
phertext is normal or semi-functional. So $T$ must be embedded in the challenge
ciphertext, because only the challenge ciphertext differs. The challenge
ciphertext is normal if $T$ is real; otherwise the challenge ciphertext is semi-
functional. Therefore, generation of the challenge ciphertext is complicated
compared with secret key generation. Here, we demonstrate that the challenge
ciphertext is correctly generated as a normal or semi-functional one according to $T$:
if $T$ is real, then it computes the normal ciphertext, and if $T$ is random, then
it computes the semi-functional ciphertext.
The real ciphertext generated with $s_1', s_2', t$ is as follows. Since $B$ knows
the public parameters and the master secret key, it can generate the real
ciphertext as
$C_0' = M\cdot(e(g,g)^{\alpha\cdot a_1\cdot b})^{s_2'}$, $C_1' = (g^b)^{s_1'+s_2'}$, $C_2' = (g^{b\cdot a_1})^{s_1'}$, $C_3' = (g^{a_1})^{s_1'}$,
$C_4' = (g^{b\cdot a_2})^{s_2'}$, $C_5' = (g^{a_2})^{s_2'}$, $C_6' = \tau_1^{s_1'}\tau_2^{s_2'}$, $C_7' = (\tau_1^b)^{s_1'}(\tau_2^b)^{s_2'} w^{-t}$,
$E_1' = (u^{ID} w^{\mathrm{tag}_c} h)^t$, $E_2' = g^t$.
In Lemma 1, the ciphertext is generated as
$C_0 = C_0'\cdot(e(g^{c_1}, f)\cdot e(g, f^{c_2}))^{b\cdot\alpha}$, $C_1 = C_1'\cdot(g^{c_1})^b$, $C_2 = C_2'\cdot(f^{c_2})^{-b}$,
$C_3 = C_3'\cdot(f^{c_2})^{-1}$, $C_4 = C_4'\cdot T^b$,
$C_5 = C_5'\cdot T$, $C_6 = C_6'\cdot(g^{c_1})^{y_v}\cdot(f^{c_2})^{-y_{v_1}}\cdot T^{y_{v_2}}$, $C_7 = C_7'\cdot((g^{c_1})^{y_v}\cdot(f^{c_2})^{-y_{v_1}}\cdot T^{y_{v_2}})^b$, $E_1 = E_1'$, $E_2 = E_2'$.
First, in the case of $T = \nu^{c_1+c_2}$, let us compute the ciphertext.
Do not forget that $s_1 = -c_2 + s_1'$, $s_2 = s_2' + c_1 + c_2$, and $s = s_1 + s_2 = c_1 + s_1' + s_2'$
are implicitly set.
$C_0 = C_0'\cdot(e(g^{c_1}, f)\cdot e(g, f^{c_2}))^{b\cdot\alpha} = M\cdot(e(g,g)^{\alpha\cdot a_1\cdot b})^{s_2'}\cdot(e(g^{c_1}, g^{a_1})\cdot e(g, (g^{a_1})^{c_2}))^{b\cdot\alpha}$
$= M\cdot e(g,g)^{\alpha\cdot a_1\cdot b\cdot s_2'}\cdot(e(g,g)^{c_1\cdot a_1}\cdot e(g, g^{a_1\cdot c_2}))^{b\cdot\alpha} = M\cdot e(g,g)^{\alpha\cdot a_1\cdot b\cdot s_2'}\cdot e(g,g)^{c_1\cdot a_1\cdot b\cdot\alpha}\cdot e(g,g)^{a_1\cdot c_2\cdot b\cdot\alpha}$
$= M\cdot e(g,g)^{\alpha\cdot a_1\cdot b\cdot(s_2'+c_1+c_2)} = M\cdot e(g,g)^{\alpha\cdot a_1\cdot b\cdot s_2}$,
$C_1 = C_1'\cdot(g^{c_1})^b = (g^b)^{s_1'+s_2'}\cdot(g^{c_1})^b = g^{b(s_1'+s_2')}\cdot g^{c_1\cdot b} = g^{b(s_1'+s_2')+c_1\cdot b} = g^{b(s_1'+s_2'+c_1)} = g^{b\cdot s}$,
$C_2 = C_2'\cdot(f^{c_2})^{-b} = (g^{b\cdot a_1})^{s_1'}\cdot((g^{a_1})^{c_2})^{-b} = g^{b\cdot a_1\cdot s_1'}\cdot g^{-a_1\cdot c_2\cdot b} = g^{b\cdot a_1\cdot(s_1'-c_2)} = g^{b\cdot a_1\cdot s_1}$,
$C_3 = C_3'\cdot(f^{c_2})^{-1} = (g^{a_1})^{s_1'}\cdot((g^{a_1})^{c_2})^{-1} = g^{a_1\cdot s_1'}\cdot g^{-a_1\cdot c_2} = g^{a_1\cdot s_1'-a_1\cdot c_2} = g^{a_1\cdot(s_1'-c_2)} = g^{a_1\cdot s_1}$,
$C_4 = C_4'\cdot T^b = (g^{b\cdot a_2})^{s_2'}\cdot(\nu^{c_1+c_2})^b = g^{b\cdot a_2\cdot s_2'}\cdot((g^{a_2})^{c_1+c_2})^b = g^{b\cdot a_2\cdot s_2'}\cdot g^{b\cdot a_2(c_1+c_2)} = g^{b\cdot a_2\cdot(s_2'+c_1+c_2)} = g^{b\cdot a_2\cdot s_2}$,
$C_5 = C_5'\cdot T = (g^{a_2})^{s_2'}\cdot\nu^{c_1+c_2} = g^{a_2\cdot s_2'}\cdot(g^{a_2})^{c_1+c_2} = g^{a_2\cdot s_2'}\cdot g^{a_2(c_1+c_2)} = g^{a_2\cdot(s_2'+c_1+c_2)} = g^{a_2\cdot s_2}$,
$C_6 = C_6'\cdot(g^{c_1})^{y_v}(f^{c_2})^{-y_{v_1}}T^{y_{v_2}} = \tau_1^{s_1'}\tau_2^{s_2'}\cdot(g^{c_1})^{y_v}(f^{c_2})^{-y_{v_1}}(\nu^{c_1+c_2})^{y_{v_2}}$
$= \tau_1^{s_1'}\tau_2^{s_2'}\cdot g^{c_1\cdot y_v} f^{-c_2\cdot y_{v_1}}\nu^{c_1\cdot y_{v_2}+c_2\cdot y_{v_2}} = \tau_1^{s_1'}\tau_2^{s_2'}\cdot g^{c_1\cdot y_v} f^{-c_2\cdot y_{v_1}}\nu^{c_1\cdot y_{v_2}}\nu^{c_2\cdot y_{v_2}}\cdot g^{c_2\cdot y_v} g^{-c_2\cdot y_v}$
$= (\tau_1^{s_1'}\cdot g^{-c_2\cdot y_v} f^{-c_2\cdot y_{v_1}})(\tau_2^{s_2'}\cdot g^{c_1\cdot y_v}\nu^{c_1\cdot y_{v_2}}\nu^{c_2\cdot y_{v_2}} g^{c_2\cdot y_v}) = (\tau_1^{s_1'}\cdot\tau_1^{-c_2})(\tau_2^{s_2'}\cdot\tau_2^{c_1+c_2}) = (\tau_1^{s_1'-c_2})(\tau_2^{s_2'+c_1+c_2}) = \tau_1^{s_1}\tau_2^{s_2}$,
$C_7 = C_7'\cdot((g^{c_1})^{y_v}(f^{c_2})^{-y_{v_1}}T^{y_{v_2}})^b = (\tau_1^b)^{s_1'}(\tau_2^b)^{s_2'} w^{-t}\cdot((g^{c_1})^{y_v}(f^{c_2})^{-y_{v_1}}(\nu^{c_1+c_2})^{y_{v_2}})^b$
$= (\tau_1^{s_1'}\tau_2^{s_2'}\cdot(g^{c_1})^{y_v}(f^{c_2})^{-y_{v_1}}(\nu^{c_1+c_2})^{y_{v_2}})^b\cdot w^{-t} = (C_6)^b\cdot w^{-t} = (\tau_1^{s_1}\tau_2^{s_2})^b\cdot w^{-t} = \tau_1^{s_1\cdot b}\tau_2^{s_2\cdot b} w^{-t}$,
$E_1 = E_1' = (u^{ID} w^{\mathrm{tag}_c} h)^t$,
$E_2 = E_2' = g^t$.
As shown above, in the case of T = ν c1 +c2 , a normal ciphertext is com-
puted.
On the other hand, in the case where $T$ is random, additional random values
are multiplied into $C_4, C_5, C_6$, and $C_7$; let $C_4', C_5', C_6', C_7'$ denote the
corresponding components of the normal ciphertext. Let the additional random
value be $g^{a_2\cdot x}$, i.e., $T = \nu^{c_1+c_2}\cdot g^{a_2\cdot x}$; this is a random group element
because $x$ is a randomly chosen value. We can compute each value as follows.
$C_4 = C_4'\cdot(g^{a_2\cdot x})^b = C_4'\cdot g^{b\cdot a_2\cdot x}$,
$C_5 = C_5'\cdot g^{a_2\cdot x}$,
$C_6 = C_6'\cdot(g^{a_2\cdot x})^{y_{v_2}} = C_6'\cdot(g^{y_{v_2}})^{a_2\cdot x} = C_6'\cdot v_2^{a_2\cdot x}$,
$C_7 = C_7'\cdot((g^{a_2\cdot x})^{y_{v_2}})^b = C_7'\cdot(g^{y_{v_2}})^{b\cdot a_2\cdot x} = C_7'\cdot v_2^{b\cdot a_2\cdot x}$.
As shown above, in the case of T = ν c1 +c2 · g a2 ·x , a semi-functional cipher-
text is computed.
Probability analysis in Lemma 1 The probability computation is simple
as
GameReal AdvA − Game0 AdvA = dlin . (13.8)
Lemma 2 Suppose that there exists an algorithm A that makes at most q
queries and Gamek−1 AdvA −Gamek AdvA = dlin for some k where 1 ≤ k ≤ q.
Then we can build an algorithm B that has advantage dlin in the decision
linear game.
Proof The algorithm B begins by taking in an instance (G, g, f, ν, g c1 , f c2 , T )
of the decision linear problem. We now describe how it executes the Setup,
Key Phase, and Challenge phases of the IBE game with A.
Reduction algorithm B in Lemma 2
Setup
1. Choose random exponents $\alpha, a_1, a_2, y_{v_1}, y_{v_2}, y_w, y_u, y_h, A, B \in \mathbb{Z}_p$.
2. Set $g = g$, $g^b = f$, $g^{b\cdot a_1} = f^{a_1}$, $g^{b\cdot a_2} = f^{a_2}$, $v = \nu^{-a_1\cdot a_2}$,
$v_1 = \nu^{a_2}\cdot g^{y_{v_1}}$, $v_2 = \nu^{a_1}\cdot g^{y_{v_2}}$, $e(g,g)^{\alpha\cdot a_1\cdot b} = e(f,g)^{\alpha\cdot a_1}$,
$w = f g^{y_w}$, $u = f^{-A} g^{y_u}$, $h = f^{-B} g^{y_h}$.
3. Compute $\tau_1 = g^{y_{v_1}\cdot a_1}$, $\tau_2 = g^{y_{v_2}\cdot a_2}$, $\tau_1^b = f^{y_{v_1}\cdot a_1}$, $\tau_2^b = f^{y_{v_2}\cdot a_2}$.
4. Send the public parameters $\mathrm{params} = (g^b, g^{a_1}, g^{a_2}, g^{b\cdot a_1}, g^{b\cdot a_2}, \tau_1, \tau_2, \tau_1^b, \tau_2^b, w, u, h, e(g,g)^{\alpha\cdot a_1\cdot b})$.
5. Set the master secret key $MSK = (g, g^\alpha, g^{\alpha\cdot a_1}, v, v_1, v_2)$.
Note: For any identity $ID$, define $\mathrm{tag}_c = F(ID) = A\cdot ID + B$. Then
$(u^{ID} w^{\mathrm{tag}} h) = f^{\mathrm{tag}-A\cdot ID-B}\, g^{ID\cdot y_u+y_h+\mathrm{tag}\cdot y_w} = g^{ID\cdot y_u+y_h+\mathrm{tag}\cdot y_w}$ for $\mathrm{tag} = F(ID)$. $A$ and $B$
are initially information-theoretically hidden from $A$. This $F$ is a pairwise
independent function, so if $A$ is given $F(ID)$ for some identity $ID$,
then for any $ID' \neq ID$, $F(ID')$ is uniformly distributed over $\mathbb{Z}_p$.
Phase I Break the Key Generation algorithm into three cases. Consider
the i-th query made by A.
Case 1: $i > k$
$B$ generates a normal key for the requested identity $ID$.
Since it has the master secret key $MSK$, it can run that algorithm.
Case 2: $i < k$
$B$ generates a semi-functional key for the requested identity $ID$. It first
creates a normal key using $MSK$. Then it makes it semi-functional using
the procedure from Construction 2.
It can run this procedure since it knows $g^{a_1\cdot a_2}, g^{a_1}, g^{a_2}$.
Case 3: $i = k$
1. Create a normal secret key using the real Extract algorithm
and $\mathrm{tag}_k = F(ID)$, $SK_{ID} = (D_1', \cdots, D_7', K', \mathrm{tag}_k)$.
2. Let $r_1', r_2', z_1', z_2' \in \mathbb{Z}_p$ be the random exponents used in creating
the secret key.
3. Set $D_1 = D_1'\cdot T^{-a_1\cdot a_2}$, $D_2 = D_2'\cdot T^{a_2}(g^{c_1})^{y_{v_1}}$, $D_3 = D_3'\cdot(f^{c_2})^{y_{v_1}}$,
$D_4 = D_4'\cdot T^{a_1}(g^{c_1})^{y_{v_2}}$, $D_5 = D_5'\cdot(f^{c_2})^{y_{v_2}}$, $D_6 = D_6'\cdot f^{c_2}$,
$D_7 = D_7'\cdot g^{c_1}$, $K = K'\cdot(g^{c_1})^{ID\cdot y_u+y_h+\mathrm{tag}_k\cdot y_w}$.
4. Send the secret key $SK_{ID} = (D_1, \cdots, D_7, K, \mathrm{tag}_k)$.
Note: $\mathrm{tag}_k = F(ID)$ allows us to create the component $K$. $z_1 = z_1' - y_{v_1}\cdot c_2$
and $z_2 = z_2' - y_{v_2}\cdot c_2$ are implicitly set in order to be able to create $D_2$
and $D_4$. If $T = \nu^{c_1+c_2}$, then the $k$-th query results in a normal key under
randomness $r_1 = r_1' + c_1$ and $r_2 = r_2' + c_2$. Otherwise, if $T$ is a random
group element, then we can write $T = \nu^{c_1+c_2} g^\gamma$ for random $\gamma \in \mathbb{Z}_p$. This
forms a semi-functional key where $\gamma$ is the added randomness to make it
semi-functional.
Challenge
$B$ does not have the group element $v_2^b$, so it cannot directly create
such a ciphertext. However, in the case where $\mathrm{tag}_c^* = F(ID^*)$ it will have
a different method of doing so.
1. $A$ outputs messages $M_0, M_1$ and challenge identity $ID^*$.
2. $B$ generates a bit $\beta \in \{0,1\}$.
3. Create a normal ciphertext using the real Encrypt algorithm
and $\mathrm{tag}_c^* = F(ID^*)$, $CT = (C_0', \cdots, C_7', E_1', E_2', \mathrm{tag}_c^*)$.
4. Choose random exponents $s_1, s_2, t' \in \mathbb{Z}_p$.
5. Set $C_0 = C_0'$, $C_1 = C_1'$, $C_2 = C_2'$, $C_3 = C_3'$, leaving these
elements and $\mathrm{tag}_c^*$ unchanged.
6. Modify components of the ciphertext as follows. $C_4 = C_4'\cdot f^{a_2\cdot x}$,
$C_5 = C_5'\cdot g^{a_2\cdot x}$, $C_6 = C_6'\cdot v_2^{a_2\cdot x}$, $C_7 = C_7'\cdot f^{y_{v_2}\cdot x\cdot a_2}\nu^{-a_1\cdot x\cdot y_w\cdot a_2}$,
$E_1 = E_1'\cdot(\nu^{ID\cdot y_u+y_h+\mathrm{tag}_c^*\cdot y_w})^{a_1 a_2 x}$, $E_2 = E_2'\cdot\nu^{a_1\cdot a_2\cdot x}$.
7. Send $(C_0, \cdots, C_7, E_1, E_2, \mathrm{tag}_c)$ to $A$ as the challenge ciphertext.
Note: This algorithm implicitly sets $g^t = g^{t'}\nu^{a_1\cdot a_2\cdot x}$. This allows for
the cancellation of the term $v_2^{a_1\cdot a_2\cdot b\cdot x}$ by $w^{-t}$ in constructing $C_7$. The
generation of $E_1$ is problematic. However, since $\mathrm{tag}_c^* = F(ID^*)$, $B$ is able
to create this term. If $T = \nu^{c_1+c_2}$, then we are in $\mathrm{Game}_{k-1}$, otherwise
we are in $\mathrm{Game}_k$. $A$ cannot detect any special relationship between $\mathrm{tag}_c^*$
and $\mathrm{tag}_k^*$ since $F(ID) = A\cdot ID + B$ is a pairwise independent function and
$A, B$ are hidden from its view.
Phase II
1. A makes key generation queries and B responds as in Phase I.
Guess
1. Finally, the adversary outputs a guess $\beta' \in \{0,1\}$.
2. If $\beta = \beta'$, $B$ outputs 0 (indicating that $T = \nu^{c_1+c_2}$); otherwise, it
outputs 1.
Simulation of secret key generation in Lemma 2
The secret key generation is divided into three cases. The cases $i > k$ and
$i < k$ only need to generate a normal or a semi-functional secret key, respectively,
using the simulator's own master secret key. On the other hand, the case $i = k$
is different: the simulator must generate a normal secret key if $T$ is real, and a
semi-functional secret key if $T$ is random. Therefore, this case is significantly
more complicated. Here we check that a normal or semi-functional secret key is
generated correctly by embedding $T$: if $T$ is real, then it computes a normal
secret key, and if $T$ is random, then it computes a semi-functional secret key.
The real secret key generated with $r_1', r_2', z_1', z_2'$ is as follows. Since $B$
knows the public parameters and the master secret key, it can generate the
real secret key as
$D_1' = g^{\alpha\cdot a_1} v^{r_1'+r_2'}$, $D_2' = g^{-\alpha} v_1^{r_1'+r_2'} g^{z_1'}$, $D_3' = (g^b)^{-z_1'}$, $D_4' = v_2^{r_1'+r_2'} g^{z_2'}$,
$D_5' = (g^b)^{-z_2'}$, $D_6' = g^{r_2'\cdot b}$, $D_7' = g^{r_1'}$, $K' = (u^{ID} w^{\mathrm{tag}_k} h)^{r_1'}$.
In Lemma 2, the secret key is generated as
$D_1 = D_1'\cdot T^{-a_1\cdot a_2}$, $D_2 = D_2'\cdot T^{a_2}(g^{c_1})^{y_{v_1}}$, $D_3 = D_3'\cdot(f^{c_2})^{y_{v_1}}$, $D_4 = D_4'\cdot T^{a_1}(g^{c_1})^{y_{v_2}}$,
$D_5 = D_5'\cdot(f^{c_2})^{y_{v_2}}$, $D_6 = D_6'\cdot f^{c_2}$, $D_7 = D_7'\cdot g^{c_1}$,
$K = K'\cdot(g^{c_1})^{ID\cdot y_u+y_h+\mathrm{tag}_k\cdot y_w}$.
First, in the case of $T = \nu^{c_1+c_2}$, let us compute the secret key.
Do not forget that $z_1 = z_1' - y_{v_1}\cdot c_2$, $z_2 = z_2' - y_{v_2}\cdot c_2$, $r_1 = r_1' + c_1$, and
$r_2 = r_2' + c_2$ are implicitly set.
$D_1 = D_1'\cdot T^{-a_1\cdot a_2} = g^{\alpha\cdot a_1} v^{r_1'+r_2'}\cdot(\nu^{c_1+c_2})^{-a_1\cdot a_2} = g^{\alpha\cdot a_1} v^{r_1'+r_2'}\cdot(\nu^{-a_1\cdot a_2})^{c_1+c_2} = g^{\alpha\cdot a_1} v^{r_1'+r_2'}\cdot v^{c_1+c_2} = g^{\alpha\cdot a_1} v^{r_1'+r_2'+c_1+c_2} = g^{\alpha\cdot a_1} v^{r_1+r_2}$,
$D_2 = D_2'\cdot T^{a_2}(g^{c_1})^{y_{v_1}} = g^{-\alpha} v_1^{r_1'+r_2'} g^{z_1'}\cdot(\nu^{c_1+c_2})^{a_2}(g^{c_1})^{y_{v_1}} = g^{-\alpha} v_1^{r_1'+r_2'} g^{z_1'}\cdot\nu^{a_2(c_1+c_2)} g^{y_{v_1}\cdot c_1}\cdot g^{y_{v_1}\cdot c_2} g^{-y_{v_1}\cdot c_2}$
$= g^{-\alpha}\cdot v_1^{r_1'+r_2'}\nu^{a_2(c_1+c_2)} g^{y_{v_1}\cdot c_1} g^{y_{v_1}\cdot c_2}\cdot(g^{z_1'} g^{-y_{v_1}\cdot c_2}) = g^{-\alpha}\cdot v_1^{r_1'+r_2'}(\nu^{a_2\cdot c_1} g^{y_{v_1}\cdot c_1})(\nu^{a_2\cdot c_2} g^{y_{v_1}\cdot c_2})\cdot g^{z_1}$
$= g^{-\alpha}\cdot v_1^{r_1'+r_2'} v_1^{c_1} v_1^{c_2}\cdot g^{z_1} = g^{-\alpha}\cdot v_1^{r_1'+r_2'+c_1+c_2}\cdot g^{z_1} = g^{-\alpha} v_1^{r_1+r_2} g^{z_1}$,
$D_3 = D_3'\cdot(f^{c_2})^{y_{v_1}} = (g^b)^{-z_1'}\cdot((g^b)^{c_2})^{y_{v_1}} = (g^b)^{-z_1'}\cdot(g^b)^{y_{v_1}\cdot c_2} = (g^b)^{-z_1'+y_{v_1}\cdot c_2} = (g^b)^{-z_1}$,
$D_4 = D_4'\cdot T^{a_1}(g^{c_1})^{y_{v_2}} = v_2^{r_1'+r_2'} g^{z_2'}\cdot(\nu^{c_1+c_2})^{a_1}(g^{c_1})^{y_{v_2}} = v_2^{r_1'+r_2'} g^{z_2'}\cdot(\nu^{a_1})^{c_1+c_2} g^{y_{v_2}\cdot c_1}\cdot g^{y_{v_2}\cdot c_2} g^{-y_{v_2}\cdot c_2}$
$= (v_2^{r_1'+r_2'}\nu^{a_1(c_1+c_2)} g^{y_{v_2}(c_1+c_2)})\cdot(g^{z_2'} g^{-y_{v_2}\cdot c_2}) = (v_2^{r_1'+r_2'} v_2^{c_1+c_2})\cdot g^{z_2} = v_2^{r_1+r_2} g^{z_2}$,
$D_5 = D_5'\cdot(f^{c_2})^{y_{v_2}} = (g^b)^{-z_2'}\cdot((g^b)^{c_2})^{y_{v_2}} = (g^b)^{-z_2'}\cdot(g^b)^{y_{v_2}\cdot c_2} = (g^b)^{-z_2'+y_{v_2}\cdot c_2} = (g^b)^{-z_2}$,
$D_6 = D_6'\cdot f^{c_2} = g^{r_2'\cdot b}\cdot(g^b)^{c_2} = g^{r_2'\cdot b}\cdot g^{c_2\cdot b} = g^{(r_2'+c_2)b} = g^{r_2\cdot b}$,
$D_7 = D_7'\cdot g^{c_1} = g^{r_1'}\cdot g^{c_1} = g^{r_1'+c_1} = g^{r_1}$,
$K = K'\cdot(g^{c_1})^{ID\cdot y_u+y_h+\mathrm{tag}_k\cdot y_w} = (u^{ID} w^{\mathrm{tag}_k} h)^{r_1'}\cdot(u^{ID} w^{\mathrm{tag}_k} h)^{c_1} = (u^{ID} w^{\mathrm{tag}_k} h)^{r_1'+c_1} = (u^{ID} w^{\mathrm{tag}_k} h)^{r_1}$.
As shown above, in the case of T = ν c1 +c2 , a normal secret key is computed.
On the other hand, in the case where $T$ is random, additional random values
are multiplied into $D_1, D_2, D_4$; let $D_1', D_2', D_4'$ denote the corresponding
components of the normal key. Let the additional random value be $g^\gamma$, i.e.,
$T = \nu^{c_1+c_2}\cdot g^\gamma$; this is a random group element because $\gamma$ is randomly
chosen. We can compute each value as follows.
$D_1 = D_1'\cdot(g^\gamma)^{-a_1\cdot a_2} = D_1'\cdot g^{-a_1\cdot a_2\cdot\gamma}$,
$D_2 = D_2'\cdot(g^\gamma)^{a_2} = D_2'\cdot g^{a_2\cdot\gamma}$,
$D_4 = D_4'\cdot(g^\gamma)^{a_1} = D_4'\cdot g^{a_1\cdot\gamma}$.
As shown above, in the case of T = ν c1 +c2 · g γ , a semi-functional secret
key is computed.
Simulation of challenge ciphertext generation in Lemma 2
The Encrypt algorithm in Lemma 2 only generates semi-functional cipher-
texts.
The real ciphertext generated with $s_1, s_2, t'$ is as follows. Since $B$ knows
the public parameters and master secret key, it can generate the real cipher-
text as
$C_0' = M\cdot(e(g,g)^{\alpha\cdot a_1\cdot b})^{s_2}$, $C_1' = (g^b)^{s_1+s_2}$, $C_2' = (g^{b\cdot a_1})^{s_1}$, $C_3' = (g^{a_1})^{s_1}$,
$C_4' = (g^{b\cdot a_2})^{s_2}$, $C_5' = (g^{a_2})^{s_2}$, $C_6' = \tau_1^{s_1}\tau_2^{s_2}$, $C_7' = (\tau_1^b)^{s_1}(\tau_2^b)^{s_2} w^{-t'}$,
$E_1' = (u^{ID} w^{\mathrm{tag}_c} h)^{t'}$, $E_2' = g^{t'}$.
In Lemma 2, the ciphertext is generated as
$C_0 = C_0'$, $C_1 = C_1'$, $C_2 = C_2'$, $C_3 = C_3'$, $C_4 = C_4'\cdot f^{a_2\cdot x}$, $C_5 = C_5'\cdot g^{a_2\cdot x}$,
$C_6 = C_6'\cdot v_2^{a_2\cdot x}$, $C_7 = C_7'\cdot f^{y_{v_2}\cdot x\cdot a_2}\nu^{-a_1\cdot x\cdot y_w\cdot a_2}$, $E_1 = E_1'\cdot(\nu^{ID\cdot y_u+y_h+\mathrm{tag}_c^*\cdot y_w})^{a_1 a_2 x}$,
$E_2 = E_2'\cdot\nu^{a_1\cdot a_2\cdot x}$.
Let us compute the ciphertext.
Do not forget that $g^t = g^{t'}\nu^{a_1\cdot a_2\cdot x}$ and $(u^{ID} w^{\mathrm{tag}} h) = g^{ID\cdot y_u+y_h+\mathrm{tag}\cdot y_w}$ are
implicitly set.
$C_0 = C_0'$, $C_1 = C_1'$, $C_2 = C_2'$, $C_3 = C_3'$,
$C_4 = C_4'\cdot f^{a_2\cdot x} = C_4'\cdot(g^b)^{a_2\cdot x} = C_4'\cdot g^{b\cdot a_2\cdot x}$,
$C_5 = C_5'\cdot g^{a_2\cdot x}$,
$C_6 = C_6'\cdot v_2^{a_2\cdot x}$.
Up to this point is a general semi-functional ciphertext.
$C_7 = C_7'\cdot f^{y_{v_2}\cdot x\cdot a_2}\nu^{-a_1\cdot x\cdot y_w\cdot a_2} = (\tau_1^b)^{s_1}(\tau_2^b)^{s_2} w^{-t'}\cdot f^{y_{v_2}\cdot x\cdot a_2}\nu^{-a_1\cdot x\cdot y_w\cdot a_2}$
$= (\tau_1^b)^{s_1}(\tau_2^b)^{s_2} w^{-t'}\cdot f^{y_{v_2}\cdot x\cdot a_2}\nu^{-a_1\cdot x\cdot y_w\cdot a_2}\cdot\nu^{a_1\cdot a_2\cdot b\cdot x}\nu^{-a_1\cdot a_2\cdot b\cdot x}$
$= (\tau_1^b)^{s_1}(\tau_2^b)^{s_2} w^{-t'}\cdot(f^{y_{v_2}\cdot x\cdot a_2}\nu^{a_1\cdot a_2\cdot b\cdot x})\cdot\nu^{-a_1\cdot x\cdot y_w\cdot a_2}\nu^{-a_1\cdot a_2\cdot b\cdot x}$
$= (\tau_1^b)^{s_1}(\tau_2^b)^{s_2} w^{-t'}\cdot((g^b)^{y_{v_2}\cdot x\cdot a_2}\nu^{a_1\cdot a_2\cdot b\cdot x})\cdot\nu^{-a_1\cdot x\cdot a_2\cdot(y_w+b)}$
$= (\tau_1^b)^{s_1}(\tau_2^b)^{s_2} w^{-t'}\cdot((g^{y_{v_2}})^{b\cdot x\cdot a_2}(\nu^{a_1})^{a_2\cdot b\cdot x})\cdot\nu^{-a_1\cdot x\cdot a_2\cdot(y_w+b)}$
$= (\tau_1^b)^{s_1}(\tau_2^b)^{s_2} w^{-t'}\cdot((g^{y_{v_2}}\nu^{a_1})^{a_2\cdot b\cdot x})\cdot\nu^{-a_1\cdot x\cdot a_2\cdot(y_w+b)}$
$= (\tau_1^b)^{s_1}(\tau_2^b)^{s_2} w^{-t'}\cdot v_2^{a_2\cdot b\cdot x}\cdot\nu^{-a_1\cdot x\cdot a_2\cdot(y_w+b)} = (\tau_1^b)^{s_1}(\tau_2^b)^{s_2}\cdot v_2^{a_2\cdot b\cdot x}\cdot w^{-t'}\nu^{-a_1\cdot x\cdot a_2\cdot(y_w+b)}$,
where $w^{-t'}\nu^{-a_1\cdot x\cdot a_2\cdot(y_w+b)} = (f g^{y_w})^{-t'}\nu^{-a_1\cdot x\cdot a_2\cdot(y_w+b)} = (g^b g^{y_w})^{-t'}\nu^{-a_1\cdot x\cdot a_2\cdot(y_w+b)} = g^{-t'(b+y_w)}\nu^{-a_1\cdot x\cdot a_2\cdot(y_w+b)} = (g^{t'}\nu^{a_1\cdot x\cdot a_2})^{-(y_w+b)} = (g^t)^{-(y_w+b)} = (g^{y_w+b})^{-t} = w^{-t}$.
$C_7 = (\tau_1^b)^{s_1}(\tau_2^b)^{s_2} v_2^{a_2\cdot b\cdot x} w^{-t} = (\tau_1^b)^{s_1}(\tau_2^b)^{s_2} w^{-t} v_2^{a_2\cdot b\cdot x}$,
$E_1 = E_1'\cdot(\nu^{ID\cdot y_u+y_h+\mathrm{tag}_c^*\cdot y_w})^{a_1 a_2 x} = (u^{ID} w^{\mathrm{tag}_c^*} h)^{t'}\cdot(\nu^{ID\cdot y_u+y_h+\mathrm{tag}_c^*\cdot y_w})^{a_1 a_2 x}$
$= (g^{ID\cdot y_u+y_h+\mathrm{tag}_c^*\cdot y_w})^{t'}\cdot(\nu^{ID\cdot y_u+y_h+\mathrm{tag}_c^*\cdot y_w})^{a_1 a_2 x} = (g^{t'}\nu^{a_1 a_2 x})^{ID\cdot y_u+y_h+\mathrm{tag}_c^*\cdot y_w}$
$= (g^t)^{ID\cdot y_u+y_h+\mathrm{tag}_c^*\cdot y_w} = (g^{ID\cdot y_u+y_h+\mathrm{tag}_c^*\cdot y_w})^t = (u^{ID} w^{\mathrm{tag}_c^*} h)^t$,
$E_2 = E_2'\cdot\nu^{a_1\cdot a_2\cdot x} = g^{t'}\cdot\nu^{a_1\cdot a_2\cdot x} = g^t$.
As shown above, a semi-functional ciphertext is computed.
How to generate tags?
First, we explain why tags should not be random and conclude that we
should use $F()$ to generate tags.
The simulator sets $F()$ and $(u^{ID} w^{\mathrm{tag}} h)$ as follows in Lemma 2:
$F(x) = A\cdot x + B$, (13.9)
$(u^{ID} w^{\mathrm{tag}} h) = f^{\mathrm{tag}-A\cdot ID-B}\, g^{ID\cdot y_u+y_h+\mathrm{tag}\cdot y_w}$. (13.10)
If the tag is random, the $f^{\mathrm{tag}-A\cdot ID-B}$ part remains; it is carried into the
semi-functional secret key and challenge ciphertext as shown below, where we can
see that the $f^{\mathrm{tag}-A\cdot ID-B}$ part works as a hindrance to decryption.
$E_1 = E_1'\cdot(\nu^{ID\cdot y_u+y_h+\mathrm{tag}_c^*\cdot y_w})^{a_1 a_2 x} = (u^{ID} w^{\mathrm{tag}_c^*} h)^{t'}\cdot(\nu^{ID\cdot y_u+y_h+\mathrm{tag}_c^*\cdot y_w})^{a_1 a_2 x}$
$= (g^{ID\cdot y_u+y_h+\mathrm{tag}_c^*\cdot y_w} f^{\mathrm{tag}_c^*-A\cdot ID-B})^{t'}\cdot(\nu^{ID\cdot y_u+y_h+\mathrm{tag}_c^*\cdot y_w})^{a_1 a_2 x}((\nu^b)^{\mathrm{tag}_c^*-A\cdot ID-B}(\nu^b)^{-\mathrm{tag}_c^*+A\cdot ID+B})^{a_1 a_2 x}$
$= (g^{ID\cdot y_u+y_h+\mathrm{tag}_c^*\cdot y_w}(g^b)^{\mathrm{tag}_c^*-A\cdot ID-B})^{t'}\cdot(\nu^{ID\cdot y_u+y_h+\mathrm{tag}_c^*\cdot y_w}(\nu^b)^{\mathrm{tag}_c^*-A\cdot ID-B})^{a_1 a_2 x}\cdot((\nu^b)^{-\mathrm{tag}_c^*+A\cdot ID+B})^{a_1 a_2 x}$
$= (g^{ID\cdot y_u+y_h+\mathrm{tag}_c^*\cdot y_w}(g^b)^{\mathrm{tag}_c^*-A\cdot ID-B})^{t}\cdot((\nu^b)^{-\mathrm{tag}_c^*+A\cdot ID+B})^{a_1 a_2 x}$
$= (u^{ID} w^{\mathrm{tag}_c^*} h)^{t}\cdot((\nu^b)^{-\mathrm{tag}_c^*+A\cdot ID+B})^{a_1 a_2 x}$
$= (u^{ID} w^{\mathrm{tag}_c^*} h)^{t}\cdot((f^{\log_g\nu})^{-\mathrm{tag}_c^*+A\cdot ID+B})^{a_1 a_2 x}$
$= (u^{ID} w^{\mathrm{tag}_c^*} h)^{t}\cdot(f^{\mathrm{tag}_c^*-A\cdot ID-B})^{-a_1 a_2 x\log_g\nu}$.
$K = K'\cdot(g^{c_1})^{ID\cdot y_u+y_h+\mathrm{tag}_k\cdot y_w}$
$= K'\cdot(g^{ID\cdot y_u+y_h+\mathrm{tag}_k\cdot y_w})^{c_1}\cdot(f^{\mathrm{tag}_k-A\cdot ID-B} f^{-\mathrm{tag}_k+A\cdot ID+B})^{c_1}$
$= (u^{ID} w^{\mathrm{tag}_k} h)^{r_1'}\cdot(g^{ID\cdot y_u+y_h+\mathrm{tag}_k\cdot y_w})^{c_1}(f^{\mathrm{tag}_k-A\cdot ID-B})^{c_1}\cdot(f^{-\mathrm{tag}_k+A\cdot ID+B})^{c_1}$
$= (u^{ID} w^{\mathrm{tag}_k} h)^{r_1'}\cdot(u^{ID} w^{\mathrm{tag}_k} h)^{c_1}\cdot(f^{-\mathrm{tag}_k+A\cdot ID+B})^{c_1}$
$= (u^{ID} w^{\mathrm{tag}_k} h)^{r_1'+c_1}\cdot(f^{-\mathrm{tag}_k+A\cdot ID+B})^{c_1}$
$= (u^{ID} w^{\mathrm{tag}_k} h)^{r_1}\cdot(f^{\mathrm{tag}_k-A\cdot ID-B})^{-c_1}$.
As shown above, an invalid semi-functional secret key and challenge cipher-
text are generated. So we can conclude that we should not use a random tag.
On the other hand, if the tag is $F(ID) = A\cdot ID + B$, i.e., not random,
then $f^{\mathrm{tag}-A\cdot ID-B} = 1$, $(u^{ID} w^{\mathrm{tag}} h) = f^{\mathrm{tag}-A\cdot ID-B}\, g^{ID\cdot y_u+y_h+\mathrm{tag}\cdot y_w} = g^{ID\cdot y_u+y_h+\mathrm{tag}\cdot y_w}$,
and a valid semi-functional secret key and challenge ciphertext are generated.
In conclusion, we should use $F()$ to generate tags.
Probability analysis in Lemma 2 The probability computation is simple
as
Gamek−1 AdvA − Gamek AdvA = dlin . (13.11)
Lemma 3 Suppose that there exists an algorithm A that makes at most q
queries and Gameq AdvA − GameF inal AdvA = dbdh . Then we can build an
algorithm B that has advantage dbdh in the decision BDH game.
Proof The algorithm B begins by taking in an instance (g, g c1 , g c2 , g c3 , T ) of
the decision BDH problem. We now describe how it executes the Setup, Key
Phase, and Challenge phases of the IBE game with A.
In both of these games, the challenge ciphertexts and all the private keys
are semi-functional. Therefore, B only needs to be able to generate semi-
functional private keys.
Reduction algorithm B in Lemma 3
Setup
1. Choose random exponents $a_1, b, y_v, y_{v_1}, y_{v_2}, y_w, y_h, y_u \in \mathbb{Z}_p$.
2. Let $\alpha = c_1\cdot c_2$ and $a_2 = c_2$, where $c_1$ and $c_2$ are exponents
that the reduction itself does not know.
3. Set $g = g$, $g^b$, $g^{a_1}$, $g^{a_2} = g^{c_2}$, $g^{b\cdot a_1}$, $g^{b\cdot a_2} = (g^{c_2})^b$, $v = g^{y_v}$, $v_1 = g^{y_{v_1}}$,
$v_2 = g^{y_{v_2}}$, $w = g^{y_w}$, $u = g^{y_u}$, $h = g^{y_h}$, $e(g,g)^{a_1\cdot\alpha\cdot b} = e(g^{c_1}, g^{c_2})^{a_1\cdot b}$.
4. Compute $\tau_1 = v v_1^{a_1}$, $\tau_2 = v(g^{c_2})^{y_{v_2}}$, $\tau_1^b = v^b v_1^{a_1\cdot b}$, $\tau_2^b = v^b(g^{c_2})^{y_{v_2}\cdot b}$.
5. Send the public parameters $\mathrm{params} = (g^b, g^{a_1}, g^{a_2}, g^{b\cdot a_1}, g^{b\cdot a_2}, \tau_1, \tau_2, \tau_1^b, \tau_2^b, w, u, h, e(g,g)^{\alpha\cdot a_1\cdot b})$.
6. $B$ has only partial information about the master secret key: it cannot
construct $MSK = (g, g^\alpha, g^{\alpha\cdot a_1}, v, v_1, v_2)$ because $g^\alpha$ and $g^{\alpha\cdot a_1}$ cannot be computed.
Phase I
1. Choose random exponents $r_1, r_2, z_1, z_2, \gamma', \mathrm{tag}_k \in \mathbb{Z}_p$ and define $r = r_1 + r_2$.
2. This algorithm implicitly sets $\gamma = c_1 + \gamma'$.
3. Compute $D_1 = (g^{c_2})^{-\gamma'\cdot a_1} v^r$, $D_2 = (g^{c_2})^{\gamma'} v_1^r g^{z_1}$, $D_3 = (g^b)^{-z_1}$,
$D_4 = (g^{c_1})^{a_1} g^{a_1\cdot\gamma'} v_2^r g^{z_2}$, $D_5 = (g^b)^{-z_2}$, $D_6 = g^{r_2\cdot b}$, $D_7 = g^{r_1}$,
$K = (u^{ID} w^{\mathrm{tag}_k} h)^{r_1}$.
4. Send the secret key $SK_{ID} = (D_1, \cdots, D_7, K, \mathrm{tag}_k)$.
Challenge B creates a challenge ciphertext that is a semi-functional ci-
phertext of either Mβ or a random message, depending on T .
1. A outputs messages M0 , M1 and challenge identity ID∗ .
2. B generates bit β ∈ {0, 1}.
3. Choose random exponents $s_1, t, \mathrm{tag}_c, x' \in \mathbb{Z}_p$.
4. This algorithm implicitly sets $s_2 = c_3$ and $x = -c_3 + x'$.
5. Compute $C_0 = M_\beta\cdot T^{a_1\cdot b}$, $C_1 = g^{s_1\cdot b}(g^{c_3})^b$, $C_2 = g^{b\cdot a_1\cdot s_1}$,
$C_3 = g^{a_1\cdot s_1}$, $C_4 = (g^{c_2})^{x'\cdot b}$, $C_5 = (g^{c_2})^{x'}$,
$C_6 = \tau_1^{s_1}(g^{c_3})^{y_v}(g^{c_2})^{y_{v_2}\cdot x'}$, $C_7 = (\tau_1^b)^{s_1}(g^{c_3})^{y_v\cdot b}(g^{c_2})^{y_{v_2}\cdot x'\cdot b} w^{-t}$,
$E_1 = (u^{ID} w^{\mathrm{tag}_c} h)^t$, $E_2 = g^t$.
6. Send (C0 , · · · , C7 , E1 , E2 , tagc ) to A as the challenge ciphertext.
Note If $T = e(g,g)^{c_1\cdot c_2\cdot c_3}$, then we are in $\mathrm{Game}_q$; otherwise we are in
$\mathrm{Game}_{Final}$.
Phase II
1. A makes key generation queries, and B responds as in Phase I.
Guess
1. Finally, the adversary outputs a guess $\beta' \in \{0,1\}$.
2. If $\beta = \beta'$, $B$ outputs 0 (indicating that $T = e(g,g)^{c_1\cdot c_2\cdot c_3}$); otherwise, it
outputs 1.
Simulation of secret key generation in Lemma 3
The Extract algorithm in Lemma 3 only generates semi-functional secret
keys.
The semi-functional secret key generated with $r_1, r_2, z_1, z_2, \gamma', \mathrm{tag}_k$
is as follows. Since $B$ does not know the master secret key, it cannot gen-
erate the real secret key, unlike in the previous two lemmas. However, in Lemma
3, a semi-functional secret key can be generated without knowledge of the
master secret key as follows. For convenience, let the normal secret key be denoted
$(D_1', D_2', D_3', D_4', D_5', D_6', D_7', K')$. Do not forget that $\gamma = c_1 + \gamma'$, $\alpha = c_1\cdot c_2$,
$a_2 = c_2$ are implicitly set.
$D_1 = (g^{c_2})^{-\gamma'\cdot a_1} v^r = (g^{c_2})^{-\gamma'\cdot a_1} v^r\cdot g^{\alpha\cdot a_1} g^{-\alpha\cdot a_1} = (g^{\alpha\cdot a_1} v^r)\cdot(g^{-\alpha\cdot a_1}(g^{c_2})^{-\gamma'\cdot a_1}) = D_1' g^{-\alpha\cdot a_1-c_2\cdot\gamma'\cdot a_1} = D_1' g^{-a_1(\alpha+c_2\cdot\gamma')}$
$= D_1' g^{-a_1(c_1\cdot c_2+c_2\cdot(\gamma-c_1))} = D_1' g^{-a_1\cdot c_2\cdot\gamma} = D_1' g^{-a_1\cdot a_2\cdot\gamma}$,
$D_2 = (g^{c_2})^{\gamma'} v_1^r g^{z_1} = (g^{c_2})^{\gamma'} v_1^r g^{z_1}\cdot g^{\alpha} g^{-\alpha} = g^{-\alpha} v_1^r g^{z_1}\cdot g^{\alpha}(g^{c_2})^{\gamma'} = D_2' g^{\alpha+c_2\cdot\gamma'} = D_2' g^{c_1\cdot c_2+c_2(\gamma-c_1)} = D_2' g^{c_2\cdot\gamma} = D_2' g^{a_2\cdot\gamma}$,
$D_3 = (g^b)^{-z_1} = D_3'$,
$D_4 = (g^{c_1})^{a_1} g^{a_1\cdot\gamma'} v_2^r g^{z_2} = v_2^r g^{z_2}\cdot g^{a_1(c_1+\gamma')} = D_4' g^{a_1(c_1+\gamma-c_1)} = D_4' g^{a_1\cdot\gamma}$,
$D_5 = (g^b)^{-z_2} = D_5'$,
$D_6 = g^{r_2\cdot b} = D_6'$,
$D_7 = g^{r_1} = D_7'$,
$K = (u^{ID} w^{\mathrm{tag}_k} h)^{r_1} = K'$.
As shown above, the simulator can generate semi-functional secret key
without knowledge of the master secret key.
Simulation of challenge ciphertext generation in Lemma 3
The difference between Game_q and Game_Final is whether the challenge ciphertext is semi-functional or random. So T must be embedded in the challenge ciphertext. The challenge ciphertext is semi-functional if T is real; otherwise the challenge ciphertext is random. Here we check that if T is real, then the simulator computes a semi-functional ciphertext, and if T is random, then it computes a random ciphertext.
Since B does not know the master secret key, it cannot generate a real ciphertext, unlike in the previous two lemmas. However, in Lemma 3, a semi-functional ciphertext can be generated without knowledge of the master secret key as
C_0 = M_β · T^{a_1·b}, C_1 = g^{s_1·b} (g^{c_3})^b, C_2 = g^{b·a_1·s_1}, C_3 = g^{a_1·s_1}, C_4 = (g^{c_2})^{x'·b}, C_5 = (g^{c_2})^{x'},
C_6 = τ_1^{s_1} (g^{c_3})^{y_v} (g^{c_2})^{y_{v_2}·x'}, C_7 = (τ_1^b)^{s_1} (g^{c_3})^{y_v·b} (g^{c_2})^{y_{v_2}·x'·b} w^{−t}, E_1 = (u^{ID} w^{tag_c} h)^t, E_2 = g^t.
First, in the case T = e(g, g)^{c_1·c_2·c_3}, let us compute the ciphertext using s_1, t, tag_c as follows. For convenience, let a normal ciphertext be denoted by (C'_0, C'_1, C'_2, C'_3, C'_4, C'_5, C'_6, C'_7, E'_1, E'_2). Do not forget that s_2 = c_3, x = −c_3 + x' and α = c_1·c_2 are implicitly set.
C_0 = M_β · T^{a_1·b} = M_β · (e(g, g)^{c_1·c_2·c_3})^{a_1·b} = M_β · e(g, g)^{c_1·c_2·a_1·b·c_3} = M_β · e(g, g)^{α·a_1·b·s_2} = C'_0,
C_1 = g^{s_1·b} (g^{c_3})^b = g^{s_1·b} g^{c_3·b} = g^{b(s_1 + c_3)} = g^{b(s_1 + s_2)} = C'_1,
C_2 = g^{b·a_1·s_1} = C'_2,
C_3 = g^{a_1·s_1} = C'_3,
C_4 = (g^{c_2})^{x'·b} = (g^{a_2})^{x'·b} = g^{a_2·x'·b} = g^{a_2·(c_3 + x)·b} = g^{a_2·(s_2 + x)·b} = g^{a_2·s_2·b} g^{a_2·x·b} = C'_4 g^{b·a_2·x},
C_5 = (g^{c_2})^{x'} = (g^{a_2})^{x'} = g^{a_2·x'} = g^{a_2·(c_3 + x)} = g^{a_2·(s_2 + x)} = g^{a_2·s_2} g^{a_2·x} = C'_5 g^{a_2·x},
C_6 = τ_1^{s_1} (g^{c_3})^{y_v} (g^{c_2})^{y_{v_2}·x'} = τ_1^{s_1} g^{c_3·y_v} g^{c_2·y_{v_2}·(x + c_3)} = τ_1^{s_1} g^{c_3·y_v} g^{c_2·y_{v_2}·x} g^{c_2·y_{v_2}·c_3} = τ_1^{s_1} (g^{c_3·y_v} g^{c_2·y_{v_2}·c_3}) g^{c_2·y_{v_2}·x} = τ_1^{s_1} g^{c_3(y_v + c_2·y_{v_2})} (g^{c_2})^{y_{v_2}·x} = τ_1^{s_1} g^{s_2(y_v + c_2·y_{v_2})} (g^{a_2})^{y_{v_2}·x} = τ_1^{s_1} (g^{y_v + c_2·y_{v_2}})^{s_2} (g^{y_{v_2}})^{a_2·x} = τ_1^{s_1} (τ_2)^{s_2} (v_2)^{a_2·x} = C'_6 v_2^{a_2·x},
C_7 = (τ_1^b)^{s_1} (g^{c_3})^{y_v·b} (g^{c_2})^{y_{v_2}·x'·b} w^{−t} = (C_6)^b w^{−t} = (τ_1^{s_1} τ_2^{s_2} v_2^{a_2·x})^b w^{−t} = τ_1^{s_1·b} τ_2^{s_2·b} w^{−t} v_2^{a_2·x·b} = C'_7 v_2^{a_2·b·x},
E_1 = (u^{ID} w^{tag_c} h)^t = E'_1,
E_2 = g^t = E'_2.
As shown above, in the case T = e(g, g)^{c_1·c_2·c_3}, a semi-functional ciphertext is computed as expected.
On the other hand, in the case that T is random, an additional random value is multiplied into the computed value C_0. Therefore, we know that a random ciphertext is computed in the case that T is random.
Probability analysis in Lemma 3 The probability computation is simple:
|Game_q Adv_A − Game_Final Adv_A| = ε_{dbdh}. (13.12)
Probability analysis of Waters’ IBE scheme
Theorem 1 If the decisional Linear and decisional BDH assumptions hold, then no polynomial-time algorithm can break Waters’ IBE system.
Proof The proof proceeds through a total of (q + 3) games. The initial game Game_Real is the actual security game used in defining CPA-security of IBE. Then there are (q + 1) security games from Game_0 to Game_q, followed by Game_Final. Let Game_Real Adv_A, Game_0 Adv_A, · · · , Game_q Adv_A, Game_Final Adv_A be the events that the adversary’s guesses in the games Game_Real, Game_0 to Game_q, and Game_Final, respectively, are correct.
The sequence of lemmas shows the following results.
1. Game_Real Adv_A − Game_0 Adv_A = ε_{dlin}.
2. Game_{k−1} Adv_A − Game_k Adv_A = ε_{dlin} for k = 1, · · · , q.
3. Game_q Adv_A − Game_Final Adv_A = ε_{dbdh}.
The probability of Game_Final Adv_A is 0, and so
|Game_Real Adv_A − Game_Final Adv_A| = |Game_Real Adv_A − Game_0 Adv_A| + Σ_{k=1}^{q} |Game_{k−1} Adv_A − Game_k Adv_A| + |Game_q Adv_A − Game_Final Adv_A| = (q + 1) ε_{dlin} + ε_{dbdh}. □
Exercises
13.1 Why is a static assumption preferred to a non-static assumption?
13.2 In the Setup phase of Waters’ IBE scheme, describe why we cannot use the identity space Z_p for arbitrary-length strings.
14 Hierarchical Identity-Based Encryption
CONTENTS
14.1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 258
14.2 Preliminaries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259
14.2.1 General Construction of HIBE . . . . . . . . . . . . . . . . . . . . . . . . . . 259
14.2.2 Security Model for HIBE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 260
14.2.3 Composite Order Bilinear Groups . . . . . . . . . . . . . . . . . . . . . . . 261
14.2.4 Hardness Assumptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 262
14.2.5 A “Master Theorem” for Hardness in Composite Order Bilinear Groups [60] . . . . . . . . . . . . . . . . . . . . . 263
14.3 Waters’ Realization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 268
14.4 Waters’ HIBE with Composite Order . . . . . . . . . . . . . . . . . . . . . . . . . . . 269
14.4.1 Proof of HIBE Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 274
14.5 The Generic Group Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284
14.5.1 The Decision Linear Diffie-Hellman Assumption . . . . . . . . 284
14.5.2 The Linear Problem in Generic Bilinear Groups . . . . . . . . 285
Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 288
This chapter provides the details of hierarchical identity-based encryption (HIBE). The overview section introduces the existing problems with IBE schemes and the solutions that can be obtained using HIBE. Certain advantages and differences of HIBE over IBE are discussed. The next portion of the chapter presents the preliminaries, starting from the general construction of HIBE. This is followed by the security model of HIBE. HIBE has three static hardness assumptions that are discussed in detail in the chapter. The master theorem for hardness in composite order bilinear groups is presented. The concept of nominally semi-functional keys is then discussed in Waters’ realization. Subsequently, Waters’ HIBE with composite order is presented along with the formal construction. The proof of HIBE security is then given in detail as a hybrid argument over a sequence of games. The final part of this chapter discusses the generic group model. In order to understand this, the decisional linear Diffie-Hellman assumption and the linear problem in generic bilinear groups are discussed.
14.1 Overview
IBE schemes share a common property: they use a single PKG to generate all private keys. This has some disadvantages. The first is that the PKG knows Bob’s private key, i.e., key escrow is inherent in IBE systems. Clearly, escrow may be a serious problem for some applications. Moreover, having a single PKG is undesirable for a large network because the PKG’s management overhead grows with the size of the network. Not only is private key generation computationally expensive, but the PKG must also verify proofs of identities and must establish secure channels to transmit private keys to users.
Hierarchical Identity-Based Encryption (HIBE) allows a root PKG to distribute the workload by delegating private key generation and identity authentication to lower-level PKGs. In a HIBE scheme, a root PKG generates private keys for domain-level PKGs only, who in turn generate private keys for users in their domains at the next level. Authentication and private key transmission can be done locally. To encrypt a message to Bob, Alice obtains only the public parameters of Bob’s root PKG (and Bob’s identifying information); there are no “lower-level parameters.” That is, public parameters are shared throughout the entire level. Another advantage of HIBE schemes is damage control: disclosure of a domain PKG’s secret does not compromise the secrets of higher-level PKGs. Thus, recovering from a compromise is also easier, because only the affected parts of the hierarchy need to be recreated instead of the entire system. The difference between IBE and HIBE is shown in Figure 14.1.
FIGURE 14.1
Difference between IBE and HIBE.
In an HIBE scheme, a single user can have different identities for each level of the HIBE, so that for an HIBE scheme with a maximum of j levels, an identity can have the form \vec{ID} = (ID_1, ID_2, . . . , ID_j), where each of the ID_i are potentially different.
A user at level i can delegate secret keys to descendant identities at lower
levels, but cannot decrypt messages intended for a recipient that is not among
its descendants. For example, a user with the identity “Gachon University:
Department of Computer Engineering” can delegate a key for the identity
“Gachon University: Department of Computer Engineering: undergraduate
student,” but cannot delegate keys for identities that do not begin with
“Gachon University: Department of Computer Engineering.” A more formal
definition of an HIBE system is given later.
14.2 Preliminaries
This section presents preliminaries including general construction and security
model of HIBE, composite order bilinear groups and hardness assumptions.
14.2.1 General Construction of HIBE
A Hierarchical Identity Based Encryption scheme has five algorithms, Setup, Encrypt, Gen, Decrypt, and Delegate, which are described as follows.
Setup The setup algorithm takes a security parameter k as input and outputs the public parameters params and a master secret key MSK.
Gen The key generation algorithm takes the master secret key and an identity vector \vec{ID} as input and outputs a private key SK_{\vec{ID}}.
Delegate The delegation algorithm takes a secret key for the identity vector \vec{ID} of depth d and an identity I as input and outputs a secret key for the depth d+1 identity vector \vec{ID}:I formed by concatenating I onto the end of \vec{ID}.
Encrypt The encryption algorithm takes the public parameters params, a message M and an identity vector \vec{ID} as input, and outputs a ciphertext CT.
Decrypt The decryption algorithm takes the public parameters params, a ciphertext CT and a secret key SK_{\vec{ID}} as input, and outputs the message M if the ciphertext was an encryption to an identity vector \vec{ID} and the secret key is for the same identity vector.
Notice that the decryption algorithm works only when the identity vector of the ciphertext matches that of the secret key exactly. However, someone who holds a secret key for a prefix of the identity vector can delegate it to generate the required secret key and so decrypt the ciphertext themselves.
14.2.2 Security Model for HIBE
In HIBE, an intermediate user can generate the private keys of users at lower levels. Therefore, this capability needs to be reflected in the security game.
IND-ID-CPA game for an HIBE scheme
1. Setup The challenger runs the Setup algorithm to generate public
parameters params which it gives to the adversary. We let S denote
the set of private keys that the challenger has created but not yet
given to the adversary. At this point, S = ∅.
2. Phase I The adversary makes repeated queries of one of three types¹:
(a) Create To make a Create query, the attacker specifies an identity vector \vec{ID}. In response, the challenger creates a key for this vector by calling the Key Generation algorithm, and places this key in the set S. It only gives the attacker a reference to this key, not the key itself.
(b) Delegate To make a Delegate query, the attacker specifies a key SK_{\vec{ID}} in the set S and specifies an identity I'. In response, the challenger appends I' to \vec{ID} and makes a key for this new identity by running the Delegation algorithm on SK_{\vec{ID}} and I'. It adds this key to the set S and again gives the attacker only a reference to it, not the actual key.
(c) Reveal To make a Reveal query, the attacker specifies an element of the set S. The challenger gives this key to the attacker and removes it from the set S. We note that the attacker no longer needs to make a delegation query for this key because it can run the Delegation algorithm on the revealed key for itself.
3. Challenge The adversary gives the challenger two messages M_0 and M_1, and a challenge identity vector \vec{ID}*. This identity vector must satisfy the property that no revealed identity in Phase I was a prefix of it. The challenger sets β ∈ {0, 1} randomly and encrypts M_β under \vec{ID}*. It sends the ciphertext to the adversary.
4. Phase II This is the same as Phase I, with the added restriction that any revealed identity vector must not be a prefix of \vec{ID}*.
5. Guess The adversary must output a guess β' for β.
The advantage of an adversary A is defined to be Pr[β' = β] − 1/2.
Definition 1 A hierarchical identity-based encryption scheme is secure if all polynomial time adversaries achieve at most a negligible advantage in the security game.
¹ Why does the challenger give the attacker a reference to the key, not the key itself, during Create and Delegate queries? In a real scheme, a PKG that is not the root generates a private key by running the Delegate algorithm. In the security game, on the other hand, private keys are generated by running the Gen algorithm instead of the Delegate algorithm, not only for the root PKG but also for a PKG that is not the root. However, the scheme must be shown secure even with the Delegate algorithm included. The problem arises when the simulator has to simulate both the Gen and the Delegate algorithms: if the simulator ran the Gen algorithm rather than the Delegate algorithm and handed over the private key, the simulated scheme would differ from the original scheme. Therefore, the Reveal query is introduced. The attacker must use the Reveal query to obtain a private key, and we impose the restriction that the attacker can no longer issue a Delegate query to obtain that private key.
14.2.3 Composite Order Bilinear Groups
Let G and G_T be cyclic groups of order N = p_1 p_2 p_3, where p_1, p_2, p_3 are distinct primes. A bilinear map e is a map e: G × G → G_T which satisfies the following properties:
1. Bilinear: For all g, h ∈ G and a, b ∈ Z_N, e(g^a, h^b) = e(g, h)^{ab}.
2. Non-degenerate: There exists g ∈ G such that e(g, g) has order N in G_T.
3. Computation in groups: Let G_{p_1}, G_{p_2} and G_{p_3} denote the subgroups of order p_1, p_2 and p_3 in G, respectively. We note that when h_i ∈ G_{p_i} and h_j ∈ G_{p_j} for i ≠ j, e(h_i, h_j) is the identity in G_T. To see this, suppose h_1 ∈ G_{p_1} and h_2 ∈ G_{p_2}. Let g denote a generator of G. Then g^{p_1 p_2} generates G_{p_3}, g^{p_1 p_3} generates G_{p_2}, and g^{p_2 p_3} generates G_{p_1}. Hence, for some α_1, α_2, h_1 = (g^{p_2 p_3})^{α_1} and h_2 = (g^{p_1 p_3})^{α_2}. We note that
e(h_1, h_2) = e(g^{p_2 p_3 α_1}, g^{p_1 p_3 α_2}) = e(g^{α_1}, g^{p_3 α_2})^{p_1 p_2 p_3} = 1. (14.1)
This property will be used in the security proof of HIBE with composite order in Section 14.2.7 (the final result of the computation will be given after applying this property).
14.2.4 Hardness Assumptions
Let G and G_T be cyclic groups of order N = p_1 p_2 p_3, where p_1, p_2, p_3 are distinct primes. Let e be a bilinear map e: G × G → G_T. Let G_{p_1 p_2} denote the subgroup of order p_1 p_2 in G. We have the three assumptions below. Note that they are static (for example, not dependent on the depth of the hierarchy or the number of queries made by an attacker).
Assumption 1 (Subgroup decision problem for 3 primes)
Given g ∈ G_{p_1}, X_3 ∈ G_{p_3}, an algorithm A has advantage ε in solving the extended subgroup decision problem in a composite group G if
|Pr[A(G, g, X_3, T ∈ G_{p_1 p_2}) = 0] − Pr[A(G, g, X_3, T ∈ G_{p_1}) = 0]| ≥ ε. (14.2)
The problem basically states that if we are given generators of the p_1 and p_3 subgroups but not of the p_2 subgroup, then we cannot distinguish a random element of the G_{p_1 p_2} subgroup from one of the G_{p_1} subgroup. (We note that T ∈ G_{p_1 p_2} can be written (uniquely) as the product of an element of G_{p_1} and an element of G_{p_2}.)
Definition 2 We say that Assumption 1 holds if no polynomial time algorithm A has a non-negligible advantage in solving Assumption 1.
Assumption 2
Given g, X_1 ∈ G_{p_1}, X_2, Y_2 ∈ G_{p_2}, X_3, Y_3 ∈ G_{p_3}, an algorithm A has advantage ε in solving the extended subgroup decision problem in a composite group G if
|Pr[A(G, g, X_1 X_2, X_3, Y_2 Y_3, T ∈ G) = 0] − Pr[A(G, g, X_1 X_2, X_3, Y_2 Y_3, T ∈ G_{p_1 p_3}) = 0]| ≥ ε.
The problem basically states that if we are given generators of the p_1, p_2, p_3, p_1 p_2 and p_2 p_3 subgroups but not of the p_1 p_3 subgroup, then we cannot distinguish a random element of G from one of the G_{p_1 p_3} subgroup. (We note that T ∈ G_{p_1 p_3} can be written (uniquely) as the product of an element of G_{p_1} and an element of G_{p_3}.)
Definition 3 We say that Assumption 2 holds if no polynomial time algorithm A has a non-negligible advantage in solving Assumption 2.
Assumption 3
Given g ∈ G_{p_1}, X_2, Y_2, Z_2 ∈ G_{p_2}, X_3 ∈ G_{p_3}, α, s ∈ Z_N, an algorithm A has advantage ε in solving the extended subgroup decision problem in a composite group G if
|Pr[A(G, g, g^{α} X_2, X_3, g^{s} Y_2, Z_2, T = e(g, g)^{αs}) = 0] − Pr[A(G, g, g^{α} X_2, X_3, g^{s} Y_2, Z_2, T ∈ G_T) = 0]| ≥ ε.
In Assumption 3, it must remain hard to distinguish T = e(g, g)^{αs} from a random element of G_T.
Definition 4 We say that Assumption 3 holds if no polynomial time algorithm A has a non-negligible advantage in solving Assumption 3.
14.2.5 A “Master Theorem” for Hardness in Composite Order Bilinear Groups [60]
Before stating the theorems that show the above assumptions are hard, we introduce some notation. We will consider cyclic bilinear groups of order N, where N = ∏_{i=1}^{m} p_i is the product of m distinct primes, each larger than 2^n. Let G denote the “base group” and let G_T denote the “target group;” i.e., the bilinear map e is from G × G to G_T. Each element g ∈ G can be written as g = g_{p_1}^{a_1} g_{p_2}^{a_2} · · · g_{p_m}^{a_m}, where a_i ∈ Z_{p_i} and g_{p_i} denotes some fixed generator of the subgroup of order p_i. We can therefore represent each element g ∈ G as an m-tuple (a_1, · · · , a_m). We can do the same with elements in G_T (with respect to the generators e(g_{p_i}, g_{p_i})), and will represent elements in G_T as bracketed tuples [a_1, · · · , a_m].
Using the notation above, the product of (a_1, · · · , a_m) and (b_1, · · · , b_m) is the element (a_1 + b_1, · · · , a_m + b_m), where addition in component i is done modulo p_i. Similarly, (a_1, · · · , a_m) raised to the power γ ∈ Z is the element (γa_1, · · · , γa_m) (analogous results hold for elements of G_T). Therefore, it will be convenient to treat these tuples as “vectors” where vector addition corresponds to multiplication in the group and vector multiplication by a scalar corresponds to group exponentiation. The pairing of (a_1, · · · , a_m), (b_1, · · · , b_m) ∈ G gives the element [a_1 b_1, · · · , a_m b_m] ∈ G_T.
In an experiment involving the generic group, we will present an algorithm
with a set of elements generated at random according to some distributions.
We will describe these random variables using formal variables (written using
capital letters) that are each chosen independently and uniformly at random
from the appropriate domain. For example, a random element A of G would
be described as (X1 , · · · , Xm ), where each Xi is chosen uniformly from Zpi .
We say a random variable expressed in this way has degree t if the maximum
degree of any variable is t.
Dependencies are made explicit by re-using the same formal variable; for
example, a random “Diffie-Hellman-like” tuple (with m = 2) would be de-
scribed by the three elements (X1 , X2 ), (Y1 , Y2 ), and (X1 Y1 , X2 Y2 ). Random
variables taking values in GT are expressed in the same way, but using the
bracket notation.
Given random variables X, B_1, · · · , B_l (expressed as above) over the same group, we say that X is dependent on {B_i} if there exist γ_i ∈ Z*_N such that X = Σ_i γ_i B_i, where equality refers to equality in terms of the underlying formal variables. If no such {γ_i} exist, then X is said to be independent of {B_i}.
Given a random variable A = (X1 , · · · , Xm ), when we say that an algo-
rithm is given A, we mean that random x1 , · · · , xm are chosen appropriately
and the adversary is given (the handle for) the element (x1 , · · · , xm ).
We may now state our theorems.
Theorem 1 Let N = ∏_{i=1}^{m} p_i be a product of distinct primes, each greater than 2^n. Let {A_i} be random variables over G, and let {B_i}, T_0, T_1 be random variables over G_T, where all random variables have degree at most t. Consider the following experiment in the generic group model:
An algorithm is given N, {A_i} and {B_i}. A random bit b is chosen, and the adversary is given T_b. The algorithm outputs a bit b' and succeeds if b' = b. The algorithm’s advantage is the difference between its success probability and 1/2.
Say each of T_0 and T_1 is independent of {B_i} ∪ {e(A_i, A_i)}. Then given any algorithm A issuing at most q instructions and having advantage δ in the above experiment, A can be used to find a non-trivial factor of N (in time polynomial in k and the running time of A) with probability at least δ − O(q²t/2^n), where t and q are polynomial.
Thus, if N is generated in such a way that it is hard to find a non-trivial
factor of N , the advantage of any polynomial-time algorithm A is negligible
in n.
Proof
Game 1 In the original game, each of the random variables {Ai }, {Bi }, T0 , T1
are instantiated by choosing random values for each of the formal variables
and giving the handles of {Ai }, {Bi }, and Tb to the algorithm A.
The algorithm then issues a sequence of multiplication, exponentiation, and pairing instructions, and is given in return the appropriate handles. Finally, the algorithm outputs a bit b' and its advantage is measured as defined above.
Game 2 We next define a second game in which the formal variables are
never concretely instantiated, but instead the game only keeps track of the
formal polynomials themselves.
Furthermore the game now uses identical handles for two elements only if
these elements are equivalent to the formal polynomials in each of their com-
ponents (So, in the original game the random variables X = (X1 , · · · , Xm )
and Y = (Y1 , · · · , Ym ) could be assigned the same handle if it happened to
be the case that Xi = Yi for all i. In this game, however, these two tuples
of formal polynomials are always treated as different). This only introduces
a difference in case it happens during the course of the experiment that two
different formal polynomials would take on the same value.
For any particular pair of elements, the probability that this occurs is
bounded by 2t/2^n (since the maximum degree of any polynomial constructed during the course of the experiment is 2t).²
Summing over all pairs of elements produced during the course of the experiment shows that the statistical difference between these experiments is O(q² · t/2^n).
Game 3 In the third game, we record the formal polynomials as before except that now all computation, in each of the m components, is done modulo N rather than modulo the appropriate p_i. That is, up to the second game each of the m components is computed modulo p_i, but from the third game on each of the m components is computed modulo N.
Now, two elements are assigned identical handles only if they are equivalent
as (tuples of) formal polynomials over ZN . This only introduces a difference
in case two polynomials are generated during the course of the experiment
that are different modulo N but would have been identical modulo one of the
pi . But whenever this occurs, a non-trivial factor of N can be recovered from
the coefficients of any two such polynomials.
Finally, we observe that in the third game the only possible way in which
the algorithm can distinguish whether it is given T0 or T1 is if the algorithm
is able to generate a formal polynomial that would be symbolically equivalent
to some previously-generated polynomial for one value of b but not the other.
But in this case, we can write (for some b)
γ · T_b = Σ_{i,j} γ_{i,j} · e(A_i, A_j) + Σ_i γ'_i · B_i, (14.3)
where γ ≠ 0 and equality denotes symbolic equality in terms of the formal variables constituting the different random variables. By the assumed independence of T_0 and T_1, it must be the case that one of the coefficients of the above equation is not in Z*_N. But then a non-trivial factor of N can be recovered. □
² The reason that the maximum degree of any polynomial is 2t is that, during the course of the experiment, the algorithm issues some instructions one of which produces degree 2t (e.g., the pairing operation on two polynomials).
Theorem 2 Let N = ∏_{i=1}^{m} p_i be a product of distinct primes, each greater than 2^n. Let {A_i}, T_0, T_1 be random variables over G, and let {B_i} be random variables over G_T, where all random variables have degree at most t. Consider the same experiment as in the theorem above.
Let S := {i | e(T_0, A_i) ≠ e(T_1, A_i)} (where inequality refers to inequality as formal polynomials). Say each of T_0 and T_1 is independent of {A_i}, and furthermore that for all k ∈ S it holds that e(T_0, A_k) is independent of {B_i} ∪ {e(A_i, A_j)} ∪ {e(T_0, A_i)}_{i≠k}, and e(T_1, A_k) is independent of {B_i} ∪ {e(A_i, A_j)} ∪ {e(T_1, A_i)}_{i≠k}. Then given any algorithm A issuing at most q instructions and having advantage δ, the algorithm can be used to find a non-trivial factor of N (in time polynomial in k and the running time of A) with probability at least δ − O(q²t/2^n).
Thus, if N is generated in such a way that it is hard to find a non-trivial factor of N, the advantage of any polynomial-time algorithm A is negligible in n.
Proof
The proof is identical to the proof of the theorem above except for the analysis
of the third game. As in the earlier proof, in the third game the only possible
way in which the algorithm can distinguish whether it is given T0 or T1 is if the
algorithm is able to generate a formal polynomial that would be symbolically
equivalent to some previously generated polynomial for one value of b but not
the other. But then we either have (for some b)
γ · T_b = Σ_i γ_i A_i (14.4)
(with γ ≠ 0), or else we have
Σ_{i∈S} α_i · e(T_b, A_i) + Σ_{i∉S} β_i · e(T_b, A_i) = Σ_i γ'_i · B_i + Σ_{i,j} γ_{i,j} · e(A_i, A_j), (14.5)
where α_i ≠ 0 for at least one i ∈ S (otherwise, symbolic equality would hold for both values of b). By the independence assumptions, this implies that a non-trivial factor of N can be recovered.
We apply these theorems to prove the security of three assumptions in the
generic group model.
Assumption 1 By applying Theorem 2, we can express this assumption as
A_1 = (1, 0, 0), A_2 = (0, 0, 1),
T_0 = (X_1, X_2, 0), T_1 = (X_1, 0, 0).
We note that S = ∅ in this case. It is easy to see that T_0 and T_1 are both independent of {A_1, A_2} because X_1 does not appear in A_1 and A_2. Thus, Assumption 1 is generically secure, assuming it is hard to find a non-trivial factor of N.
Assumption 2 By applying Theorem 2, we can express this assumption as
A_1 = (1, 0, 0), A_2 = (X_1, 1, 0), A_3 = (0, 0, Y_3), A_4 = (0, X_2, 1),
T_0 = (Z_1, Z_2, Z_3), T_1 = (Z_1, 0, Z_3).
We note that S = {2, 4} in this case. It is easy to see that T_0 and T_1 are both independent of {A_i} because, for example, Z_1 does not appear in any of the A_i.
e(T_0, A_2) is independent of {e(A_i, A_j)} ∪ {e(T_0, A_i)}_{i≠2} because it is impossible to obtain X_1 Z_1 in the first coordinate of a combination of elements of {e(A_i, A_j)} ∪ {e(T_0, A_i)}_{i≠2}.
e(T_1, A_2) is independent of {e(A_i, A_j)} ∪ {e(T_1, A_i)}_{i≠2} because it is impossible to obtain X_1 Z_1 in the first coordinate of a combination of elements of {e(A_i, A_j)} ∪ {e(T_1, A_i)}_{i≠2}.
e(T_0, A_4) is independent of {e(A_i, A_j)} ∪ {e(T_0, A_i)}_{i≠4} and e(T_1, A_4) is independent of {e(A_i, A_j)} ∪ {e(T_1, A_i)}_{i≠4} because it is impossible to obtain Z_3 in the third coordinate.
Thus, Assumption 2 is generically secure, assuming it is hard to find a non-trivial factor of N.
Assumption 3 By applying Theorem 1, we can express this assumption as
A_1 = (1, 0, 0), A_2 = (B, 1, 0), A_3 = (0, 0, 1), A_4 = (S, X_2, 0), A_5 = (0, Y_2, 0),
T_0 = [BS, 0, 0], T_1 = [Z_1, Z_2, Z_3].
T_1 is independent of {e(A_i, A_j)} because Z_1, Z_2, Z_3 do not appear in the A_i. T_0 is independent of {e(A_i, A_j)} because the only way to obtain BS in the first coordinate is to take e(A_2, A_4), but then we are left with an X_2 in the second coordinate that cannot be canceled. Thus, Assumption 3 is generically secure, assuming it is hard to find a non-trivial factor of N. □
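The three independence arguments above can be checked mechanically. The following is an added example, not the book's or the cited paper's code: it encodes group elements as tuples of formal polynomials, forms every pairing e(A_i, A_j) (as the proofs and the applications above do, rather than only e(A_i, A_i)), and decides by Gaussian elimination over the rationals whether a T_b is a combination of them; for Assumption 2 it also checks the extra conditions of Theorem 2 for the indices in S. A "not dependent" answer over the rationals rules out any combination with coefficients in Z*_N as well.

```python
# Mechanical check of the independence conditions of Theorems 1 and 2
# (Section 14.2.5) for the tuple encodings of Assumptions 1, 2 and 3 above.
# A formal variable is a string, a polynomial is a dict {monomial: coeff} with
# the monomial a sorted tuple of variable names, a group element is an m-tuple
# of polynomials, and the pairing multiplies component-wise. Independence is
# decided over the rationals by Gaussian elimination: if no rational combination
# exists, no combination with coefficients in Z_N^* exists either.
from fractions import Fraction
from itertools import combinations_with_replacement

def var(name):                 # the formal variable `name` as a polynomial
    return {(name,): 1}

def const(c):                  # a constant polynomial; zero is the empty dict
    return {(): c} if c else {}

Z = const(0)

def poly_mul(p, q):
    out = {}
    for m1, c1 in p.items():
        for m2, c2 in q.items():
            m = tuple(sorted(m1 + m2))
            out[m] = out.get(m, 0) + c1 * c2
    return {m: c for m, c in out.items() if c}

def pair(a, b):                # e((a_1..a_m), (b_1..b_m)) = [a_1 b_1, ..., a_m b_m]
    return tuple(poly_mul(x, y) for x, y in zip(a, b))

def all_pairings(A):           # {e(A_i, A_j)} over all i <= j
    return [pair(x, y) for x, y in combinations_with_replacement(A, 2)]

def is_dependent(target, basis):
    """True iff target = sum_i gamma_i * basis[i] holds as an identity of formal
    polynomials in every coordinate for some rational gamma_i."""
    keys = sorted({(k, m) for el in basis + [target] for k, p in enumerate(el) for m in p})
    # one linear equation per (coordinate, monomial); the unknowns are the gamma_i
    rows = [[Fraction(b[k].get(m, 0)) for b in basis] + [Fraction(target[k].get(m, 0))]
            for k, m in keys]
    n, top = len(basis), 0
    for col in range(n):                         # Gauss-Jordan elimination
        piv = next((r for r in range(top, len(rows)) if rows[r][col] != 0), None)
        if piv is None:
            continue
        rows[top], rows[piv] = rows[piv], rows[top]
        pv = rows[top][col]
        rows[top] = [v / pv for v in rows[top]]
        for r in range(len(rows)):
            if r != top and rows[r][col] != 0:
                f = rows[r][col]
                rows[r] = [a - f * b for a, b in zip(rows[r], rows[top])]
        top += 1
    # the system is inconsistent exactly when some row reads 0 ... 0 | nonzero
    return not any(all(v == 0 for v in row[:n]) and row[n] != 0 for row in rows)

def assumption1():             # Theorem 2 with S empty: T_b independent of {A_1, A_2}
    A = [(const(1), Z, Z), (Z, Z, const(1))]
    T = [(var("X1"), var("X2"), Z), (var("X1"), Z, Z)]
    return all(not is_dependent(t, A) for t in T)

def assumption2():             # Theorem 2 including the conditions for k in S
    A = [(const(1), Z, Z), (var("X1"), const(1), Z), (Z, Z, var("Y3")), (Z, var("X2"), const(1))]
    T = [(var("Z1"), var("Z2"), var("Z3")), (var("Z1"), Z, var("Z3"))]
    S = [k for k in range(len(A)) if pair(T[0], A[k]) != pair(T[1], A[k])]
    ok = all(not is_dependent(t, A) for t in T)
    for t in T:
        for k in S:            # e(T_b, A_k) vs {e(A_i, A_j)} u {e(T_b, A_i)}_{i != k}
            others = all_pairings(A) + [pair(t, A[i]) for i in range(len(A)) if i != k]
            ok = ok and not is_dependent(pair(t, A[k]), others)
    return [k + 1 for k in S], ok          # S reported 1-based, as in the text

def assumption3():             # Theorem 1: T_b over G_T against all e(A_i, A_j)
    B, S_, X2, Y2 = var("B"), var("S"), var("X2"), var("Y2")
    A = [(const(1), Z, Z), (B, const(1), Z), (Z, Z, const(1)), (S_, X2, Z), (Z, Y2, Z)]
    basis = all_pairings(A)
    t0, t1 = (poly_mul(B, S_), Z, Z), (var("Z1"), var("Z2"), var("Z3"))
    return {"T0_independent": not is_dependent(t0, basis),
            "T1_independent": not is_dependent(t1, basis),
            # sanity check: [B, 0, 0] = e(A_1, A_2), so it must come out dependent
            "e(A1,A2)_dependent": is_dependent((B, Z, Z), basis)}
```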
14.3 Waters’ Realization
As in Chapter 13, there is a paradox between Game_{k−1} and Game_k, and the tag method is used to resolve it. Decryption works only when the tag values of the ciphertext and the decrypting key are unequal. If the simulator attempted to test the semi-functionality of key k for itself by creating a semi-functional ciphertext for the same identity, it would only be able to create one with an equal tag, and hence decryption would unconditionally fail. This correlation of tags is hidden from an attacker who cannot request a key with the same identity as the challenge ciphertext, so the tags look randomly distributed from the attacker’s point of view.
In the new technique, instead of the tag method, that is, having decryption unconditionally fail when the simulator attempts to test the semi-functionality of the k-th key, the system is designed so that decryption will unconditionally succeed. The variant of semi-functional keys introduced is called nominally semi-functional keys. These keys are semi-functional in name only, meaning that they are distributed like semi-functional keys but are actually correlated with semi-functional ciphertexts. In this case, when a nominally semi-functional key is used to decrypt a semi-functional ciphertext, the interaction of the two semi-functional components results in cancellation and decryption is successful.
For the given k-th identity \vec{ID} = (ID_1, . . . , ID_j) in Gen queries, set z_k = a_1 ID_1 + · · · + a_j ID_j + b for a_i, b ∈ Z_N.
The identity in the Challenge phase is \vec{ID}* = (ID*_1, . . . , ID*_j). Set z_c = a_1 ID*_1 + · · · + a_j ID*_j + b.
In the case the simulator tries to test for itself whether key k is semi-functional by creating a semi-functional ciphertext for \vec{ID} and trying to decrypt, the decryption algorithm will work regardless of whether key k is semi-functional or not, because z_k = z_c (the key is nominally semi-functional). This nominally semi-functional key will appear to be distributed like a regular semi-functional key to the attacker, who cannot request a key that can decrypt the challenge ciphertext. That is, the simulator cannot distinguish between the semi-functional keys and the normal keys.
14.4 Waters’ HIBE with Composite Order
The HIBE construction uses composite order groups of order $N = p_1 p_2 p_3$ and identities in $\mathbb{Z}_N$. We note that the subgroup $G_{p_2}$ is not used in the actual scheme; instead it serves as the semi-functional space. Keys and ciphertexts will be semi-functional when they include terms in $G_{p_2}$, and decryption will proceed by pairing key elements with ciphertext elements. When we pair a normal key with a semi-functional ciphertext or a normal ciphertext with a semi-functional key, the terms in $G_{p_2}$ are orthogonal to the terms in $G_{p_1}$ and $G_{p_3}$ under the pairing and will cancel out. When we pair a semi-functional key with a semi-functional ciphertext, we will get an additional term arising from the pairing of the terms in $G_{p_2}$.
Construction 1. HIBE
Let $G, G_T$ be groups of order $N$, and let $e: G \times G \to G_T$ be the bilinear map. The HIBE system works as follows.
Setup Choose a bilinear group of order $N = p_1 p_2 p_3$ and let $\ell$ denote the maximum depth of the HIBE.
1. Choose $g, h, u_1, \dots, u_\ell \in G_{p_1}$.
2. Choose $X_3 \in G_{p_3}$.
3. Choose $\alpha \in \mathbb{Z}_N$.
4. The system parameters are $params = (N, g, h, u_1, \dots, u_\ell, X_3, e(g,g)^\alpha)$.
5. The master secret key is $\alpha$.
Extract For a given identity $\vec{ID} = (ID_1, \dots, ID_j)$ and master key $\alpha \in \mathbb{Z}_N$
1. Choose $r \in \mathbb{Z}_N$ randomly.
2. Choose random elements $R_3, R_3', R_{j+1}, \dots, R_\ell$ of $G_{p_3}$.
3. Set $K_1 = g^r R_3$.
4. Set $K_2 = g^\alpha (u_1^{ID_1} \cdots u_j^{ID_j} h)^r R_3'$.
5. Set $E_{j+1} = u_{j+1}^r R_{j+1}, \dots, E_\ell = u_\ell^r R_\ell$.
6. Set the secret key $SK_{\vec{ID}} = (K_1, K_2, E_{j+1}, \dots, E_\ell)$.
Encrypt For a message $M \in G_T$ and an identity $\vec{ID} = (ID_1, \dots, ID_j)$
1. Choose $s \in \mathbb{Z}_N$ randomly.
2. Compute $C_0 = M \cdot e(g,g)^{\alpha s}$.
3. Compute $C_1 = (u_1^{ID_1} \cdots u_j^{ID_j} h)^s$.
4. Compute $C_2 = g^s$.
5. Set the ciphertext to be $CT = \langle C_0, C_1, C_2 \rangle$.
Delegate For a given secret key $SK_{\vec{ID}} = (K_1', K_2', E_{j+1}', \dots, E_\ell')$, the delegation algorithm creates a key for $\vec{ID}' = (ID_1, \dots, ID_j, ID_{j+1})$ as follows.
1. Choose $r' \in \mathbb{Z}_N$ randomly.
2. Choose random elements $\tilde R_3, \tilde R_3', \tilde R_{j+2}, \dots, \tilde R_\ell$ of $G_{p_3}$.
3. Set $K_1 = K_1' g^{r'} \tilde R_3$.
4. Set $K_2 = K_2' (u_1^{ID_1} \cdots u_j^{ID_j} h)^{r'} (E_{j+1}')^{ID_{j+1}} u_{j+1}^{r' ID_{j+1}} \tilde R_3'$.
5. Set $E_{j+2} = E_{j+2}' u_{j+2}^{r'} \tilde R_{j+2}, \dots, E_\ell = E_\ell' u_\ell^{r'} \tilde R_\ell$.
6. Set the secret key $SK_{\vec{ID}'} = (K_1, K_2, E_{j+2}, \dots, E_\ell)$.
Note that this new key is fully re-randomized: it is only tied to the previous key in the values $(ID_1, \dots, ID_j)$.
Decrypt The decryption algorithm assumes that the key and the ciphertext CT both correspond to the same identity $(ID_1, \dots, ID_j)$. If the key identity is instead a prefix of this, then the decryption algorithm starts by running the key delegation algorithm to create a key with identity matching the ciphertext identity exactly. The decryption algorithm is computed as follows:
1. Compute $KEM = \dfrac{e(K_2, C_2)}{e(K_1, C_1)} = e(g,g)^{\alpha s}$.
2. Compute $M = C_0 / KEM$.
Note that even if a PKG comes under the attacker's control and generates a different secret key for a user by using different random values, a ciphertext produced before the attack can still be decrypted using the newly generated secret key.
Computation between normal ciphertext and normal secret key
$$\frac{e(K_2, C_2)}{e(K_1, C_1)} = \frac{e\big(g^\alpha (u_1^{ID_1} \cdots u_j^{ID_j} h)^r R_3',\ g^s\big)}{e\big(g^r R_3,\ (u_1^{ID_1} \cdots u_j^{ID_j} h)^s\big)} = \frac{e(g,g)^{\alpha s}\, e(u_1^{ID_1} \cdots u_j^{ID_j} h, g)^{rs}\, e(R_3', g)^s}{e(u_1^{ID_1} \cdots u_j^{ID_j} h, g)^{rs}\, e(R_3, u_1^{ID_1} \cdots u_j^{ID_j} h)^s} = e(g,g)^{\alpha s}.$$
The pairings involving $R_3, R_3' \in G_{p_3}$ equal 1 because $G_{p_3}$ is orthogonal to $G_{p_1}$ under the pairing.
Computation between level j and level j + 1
1. The delegation algorithm is used when the identity $\vec{ID} = (ID_1, \dots, ID_j)$ is a prefix of $(ID_1, \dots, ID_{j+1})$, that is, the user at level j wants to delegate to the identity at level j + 1 the ability to decrypt the ciphertext of the lower level j + 1. In this case the ciphertext of level j + 1 is formed as
$$C_0 = M \cdot e(g,g)^{\alpha s}, \quad C_1 = (u_1^{ID_1} \cdots u_{j+1}^{ID_{j+1}} h)^s, \quad C_2 = g^s.$$
The components $K_1, K_2$ of the secret key created by the delegation algorithm are
$$K_1 = K_1' g^{r'} \tilde R_3 = g^r R_3 g^{r'} \tilde R_3,$$
$$K_2 = K_2' (u_1^{ID_1} \cdots u_j^{ID_j} h)^{r'} (E_{j+1}')^{ID_{j+1}} u_{j+1}^{r' ID_{j+1}} \tilde R_3' = g^\alpha (u_1^{ID_1} \cdots u_j^{ID_j} h)^r R_3' (u_1^{ID_1} \cdots u_j^{ID_j} h)^{r'} (u_{j+1}^r R_{j+1})^{ID_{j+1}} u_{j+1}^{r' ID_{j+1}} \tilde R_3'.$$
We have
$$\frac{e(K_2, C_2)}{e(K_1, C_1)} = \frac{e\big(g^\alpha (u_1^{ID_1} \cdots u_j^{ID_j} h)^r R_3' (u_1^{ID_1} \cdots u_j^{ID_j} h)^{r'} (u_{j+1}^r R_{j+1})^{ID_{j+1}} u_{j+1}^{r' ID_{j+1}} \tilde R_3',\ g^s\big)}{e\big(g^r R_3 g^{r'} \tilde R_3,\ (u_1^{ID_1} \cdots u_{j+1}^{ID_{j+1}} h)^s\big)}$$
$$= \frac{e(g^\alpha, g^s)\, e((u_1^{ID_1} \cdots u_j^{ID_j} h)^r, g^s)\, e(R_3', g^s)\, e((u_1^{ID_1} \cdots u_j^{ID_j} h)^{r'}, g^s)\, e(u_{j+1}^{r ID_{j+1}}, g^s)\, e(R_{j+1}^{ID_{j+1}}, g^s)\, e(u_{j+1}^{r' ID_{j+1}}, g^s)\, e(\tilde R_3', g^s)}{e(g^r, (u_1^{ID_1} \cdots u_{j+1}^{ID_{j+1}} h)^s)\, e(R_3, (u_1^{ID_1} \cdots u_{j+1}^{ID_{j+1}} h)^s)\, e(g^{r'}, (u_1^{ID_1} \cdots u_{j+1}^{ID_{j+1}} h)^s)\, e(\tilde R_3, (u_1^{ID_1} \cdots u_{j+1}^{ID_{j+1}} h)^s)}$$
$$= \frac{e(g,g)^{\alpha s}\, e(u_1^{ID_1} \cdots u_j^{ID_j} h, g)^{rs}\, e(u_1^{ID_1} \cdots u_j^{ID_j} h, g)^{r's}\, e(u_{j+1}, g)^{rs ID_{j+1}}\, e(u_{j+1}, g)^{r's ID_{j+1}}}{e(u_1^{ID_1} \cdots u_{j+1}^{ID_{j+1}} h, g)^{rs}\, e(u_1^{ID_1} \cdots u_{j+1}^{ID_{j+1}} h, g)^{r's}}$$
(every pairing of a $G_{p_3}$ element with a $G_{p_1}$ element equals 1), and since $u_1^{ID_1} \cdots u_{j+1}^{ID_{j+1}} h = (u_1^{ID_1} \cdots u_j^{ID_j} h)\, u_{j+1}^{ID_{j+1}}$, the remaining numerator and denominator factors cancel, giving
$$= e(g,g)^{\alpha s}.$$
Thus, the user at level j can decrypt the ciphertext at level j + 1.
2. However, the user at the lower level j + 1 cannot use the secret key at level j + 1 to decrypt the ciphertext at the higher level j. We can see this fact by computing as follows:
The ciphertext at level j:
$$C_0 = M \cdot e(g,g)^{\alpha s}, \quad C_1 = (u_1^{ID_1} \cdots u_j^{ID_j} h)^s, \quad C_2 = g^s.$$
The components $K_1, K_2$ of the secret key at level j + 1:
$$K_1 = K_1' g^{r'} \tilde R_3 = g^r R_3 g^{r'} \tilde R_3,$$
$$K_2 = K_2' (u_1^{ID_1} \cdots u_j^{ID_j} h)^{r'} (E_{j+1}')^{ID_{j+1}} u_{j+1}^{r' ID_{j+1}} \tilde R_3' = g^\alpha (u_1^{ID_1} \cdots u_j^{ID_j} h)^r R_3' (u_1^{ID_1} \cdots u_j^{ID_j} h)^{r'} (u_{j+1}^r R_{j+1})^{ID_{j+1}} u_{j+1}^{r' ID_{j+1}} \tilde R_3'.$$
We have
$$\frac{e(K_2, C_2)}{e(K_1, C_1)} = \frac{e\big(g^\alpha (u_1^{ID_1} \cdots u_j^{ID_j} h)^r R_3' (u_1^{ID_1} \cdots u_j^{ID_j} h)^{r'} (u_{j+1}^r R_{j+1})^{ID_{j+1}} u_{j+1}^{r' ID_{j+1}} \tilde R_3',\ g^s\big)}{e\big(g^r R_3 g^{r'} \tilde R_3,\ (u_1^{ID_1} \cdots u_j^{ID_j} h)^s\big)}$$
$$= \frac{e(g^\alpha, g^s)\, e((u_1^{ID_1} \cdots u_j^{ID_j} h)^r, g^s)\, e(R_3', g^s)\, e((u_1^{ID_1} \cdots u_j^{ID_j} h)^{r'}, g^s)\, e(u_{j+1}^{r ID_{j+1}}, g^s)\, e(R_{j+1}^{ID_{j+1}}, g^s)\, e(u_{j+1}^{r' ID_{j+1}}, g^s)\, e(\tilde R_3', g^s)}{e(g^r, (u_1^{ID_1} \cdots u_j^{ID_j} h)^s)\, e(R_3, (u_1^{ID_1} \cdots u_j^{ID_j} h)^s)\, e(g^{r'}, (u_1^{ID_1} \cdots u_j^{ID_j} h)^s)\, e(\tilde R_3, (u_1^{ID_1} \cdots u_j^{ID_j} h)^s)}$$
$$= \frac{e(g,g)^{\alpha s}\, e(u_1^{ID_1} \cdots u_j^{ID_j} h, g)^{rs}\, e(u_1^{ID_1} \cdots u_j^{ID_j} h, g)^{r's}\, e(u_{j+1}, g)^{rs ID_{j+1}}\, e(u_{j+1}, g)^{r's ID_{j+1}}}{e(u_1^{ID_1} \cdots u_j^{ID_j} h, g)^{rs}\, e(u_1^{ID_1} \cdots u_j^{ID_j} h, g)^{r's}}$$
$$= e(g,g)^{\alpha s}\, e(u_{j+1}, g)^{r's ID_{j+1}}\, e(u_{j+1}, g)^{rs ID_{j+1}} = e(g,g)^{\alpha s}\, e(u_{j+1}, g)^{(r + r') s ID_{j+1}} \ne e(g,g)^{\alpha s}.$$
3. In the case $\vec{ID} = (ID_1, \dots, ID_j)$ is not a prefix of $\vec{ID}' = (ID_1, \dots, ID_{j'}, ID_{j'+1})$, the delegation algorithm is not used, that is, $SK_{\vec{ID}}$ at level j cannot be used to create the secret key for a user at level $j' + 1$.
Construction 2. Semi-functional algorithms
To prove the security of our HIBE system, we again rely on the static
Assumptions 1, 2, and 3. We first define two additional structures: semi-
functional ciphertexts and semi-functional keys. These will not be used
in the real system, but will be used in our proof. We define both semi-
functional ciphertexts and semi-functional keys in terms of a transforma-
tion on a normal ciphertext or key.
Semi-functional ciphertexts Let $g_2$ denote a generator of $G_{p_2}$. The algorithm first runs the encryption algorithm to generate a normal ciphertext $CT = (C_0', C_1', C_2')$.
1. Choose random exponents $x, z_c \in \mathbb{Z}_N$.
2. Set $C_0 = C_0'$.
3. Set $C_1 = C_1' g_2^{x z_c}$.
4. Set $C_2 = C_2' g_2^x$.
5. The semi-functional ciphertext is $(C_0, C_1, C_2)$.
Semi-functional secret keys The algorithm first runs the extract algorithm to generate a normal secret key $(K_1', K_2', E_{j+1}', \dots, E_\ell')$.
1. Choose random exponents $\gamma, z_k, z_{j+1}, \dots, z_\ell \in \mathbb{Z}_N$.
2. Set $K_1 = K_1' g_2^\gamma$.
3. Set $K_2 = K_2' g_2^{\gamma z_k}$.
4. Set $E_{j+1} = E_{j+1}' g_2^{\gamma z_{j+1}}, \dots, E_\ell = E_\ell' g_2^{\gamma z_\ell}$.
5. The semi-functional secret key is $(K_1, K_2, E_{j+1}, \dots, E_\ell)$.
Computation between semi-functional ciphertext and normal secret key
$$\frac{e(K_2', g_2^x)}{e(K_1', g_2^{x z_c})} = \frac{e\big(g^\alpha (u_1^{ID_1} \cdots u_j^{ID_j} h)^r R_3',\ g_2^x\big)}{e\big(g^r R_3,\ g_2^{x z_c}\big)} = \frac{e(g, g_2)^{\alpha x}\, e(u_1^{ID_1} \cdots u_j^{ID_j} h, g_2)^{rx}\, e(R_3', g_2)^x}{e(g, g_2)^{r x z_c}\, e(R_3, g_2)^{x z_c}} = 1.$$
Computation between normal ciphertext and semi-functional secret key
$$\frac{e(g_2^{\gamma z_k}, C_2')}{e(g_2^\gamma, C_1')} = \frac{e(g_2^{\gamma z_k}, g^s)}{e\big(g_2^\gamma, (u_1^{ID_1} \cdots u_j^{ID_j} h)^s\big)} = \frac{e(g_2, g)^{s \gamma z_k}}{e(g_2, u_1^{ID_1} \cdots u_j^{ID_j} h)^{\gamma s}} = 1.$$
Computation between semi-functional ciphertext and semi-functional secret key
$$\frac{e(K_2', g_2^x)\, e(g_2^{\gamma z_k}, C_2')\, e(g_2^{\gamma z_k}, g_2^x)}{e(K_1', g_2^{x z_c})\, e(g_2^\gamma, C_1')\, e(g_2^\gamma, g_2^{x z_c})} = \frac{e(K_2', g_2^x)}{e(K_1', g_2^{x z_c})} \cdot \frac{e(g_2^{\gamma z_k}, C_2')}{e(g_2^\gamma, C_1')} \cdot \frac{e(g_2^{\gamma z_k}, g_2^x)}{e(g_2^\gamma, g_2^{x z_c})}.$$
Applying the two results above, we have
$$= \frac{e(g_2^{\gamma z_k}, g_2^x)}{e(g_2^\gamma, g_2^{x z_c})} = \frac{e(g_2, g_2)^{x \gamma z_k}}{e(g_2, g_2)^{x \gamma z_c}} = e(g_2, g_2)^{x \gamma (z_k - z_c)}.$$
If $z_k = z_c$, the decryption algorithm still works. In this case, the key is nominally semi-functional: it has terms in $G_{p_2}$, which do not hinder decryption.
14.4.1 Proof of HIBE Security
The proof of security will again be structured as a hybrid argument over a
sequence of games as shown in Figure 14.2. Let q denote the number of key
queries the attacker makes. Let us define the games as:
1. $Game_{Real}$: the real HIBE security game.
2. $Game_{Real'}$: the same as $Game_{Real}$ except that all key queries will be answered by fresh calls to the key generation algorithm (the challenger will not be asked to delegate keys in a particular way).
3. $Game_{Restricted}$: the same as $Game_{Real'}$ except that the attacker cannot ask for keys for identities which are prefixes of the challenge identity modulo $p_2$.
4. $Game_k$ (for k from 0 to q): this is like $Game_{Restricted}$, except that the ciphertext given to the attacker is semi-functional and the first k keys are semi-functional. The rest of the keys are normal. In $Game_0$, only the challenge ciphertext is semi-functional. In $Game_q$, the challenge ciphertext and all of the keys are semi-functional.
5. $Game_{Final}$: the same as $Game_q$ except that the challenge ciphertext is a semi-functional encryption of a random message, not one of the messages provided by the attacker.
We will show these games are indistinguishable in the following five lemmas.
Lemma 1 For any algorithm A, $Game_{Real} Adv_A = Game_{Real'} Adv_A$.
FIGURE 14.2
Proof of HIBE security.
Proof of Lemma 1
We note that keys are identically distributed whether they are produced
by the key delegation algorithm from a previous key or from a fresh call to the
key generation algorithm. Thus, in the attacker’s view, there is no difference
between these games.
Lemma 2 Suppose there exists an algorithm A such that $Game_{Real} Adv_A - Game_{Restricted} Adv_A = \epsilon$. Then we can build an algorithm B with advantage $\ge \epsilon/2$ in breaking Assumption 2.
The algorithm begins by taking in an instance $(G, g, X_1 X_2, X_3, Y_2 Y_3, T)$. Now algorithm B can use algorithm A to simulate $Game_{Real}$. With probability $\epsilon$, A produces identities ID and $ID^*$ with $ID - ID^* \not\equiv 0 \pmod N$ and $ID - ID^* \equiv 0 \pmod{p_2}$. Using ID and $ID^*$, B can produce the non-trivial factors of N by computing $a = \gcd(ID - ID^*, N)$ and $b = N/a$. Now we have three cases.
1. a is $p_1$ and b is $p_2 p_3$, or conversely b is $p_1$ and a is $p_2 p_3$
2. a is $p_2$ and b is $p_1 p_3$, or conversely b is $p_2$ and a is $p_1 p_3$
3. a is $p_3$ and b is $p_1 p_2$, or conversely b is $p_3$ and a is $p_1 p_2$
For case 1, B proceeds as follows:
1. It is case 1 if either $(Y_2 Y_3)^a$ or $(Y_2 Y_3)^b$ is the identity element.
2. Suppose $a = p_1$ and $b = p_2 p_3$.
3. If $e(T^a, X_1 X_2)$ is the identity element, T has no $G_{p_2}$ component. Conversely, if $e(T^a, X_1 X_2)$ is not the identity element, T has a $G_{p_2}$ component.
For case 2, B proceeds as follows:
1. Check whether $(X_1 X_2)^a$ or $(X_1 X_2)^b$ is the identity element. If it was not case 1 and neither of these is the identity element, then this is case 2.
2. $a = p_1 p_3$ if $g^a$ is the identity. Conversely, if $b = p_1 p_3$ then $g^b$ is the identity.
3. Suppose $a = p_2$ and $b = p_1 p_3$.
4. If $T^b$ is the identity element, T has no $G_{p_2}$ component. Conversely, if $T^b$ is not the identity element, T has a $G_{p_2}$ component.
For case 3, B proceeds as follows:
1. If it was neither case 1 nor case 2, it is case 3.
2. $a = p_3$ if $X_3^b$ is not the identity. Conversely, $b = p_3$ if $X_3^a$ is the identity.
3. Suppose $a = p_3$.
4. If $e(T^a, Y_2 Y_3)$ is the identity element, T has no $G_{p_2}$ component. Conversely, if $e(T^a, Y_2 Y_3)$ is not the identity element, T has a $G_{p_2}$ component.
Lemma 3 Suppose there exists an algorithm A such that $Game_{Restricted} Adv_A - Game_0 Adv_A = \epsilon$. Then we can build an algorithm B with advantage $\epsilon$ in breaking Assumption 1.
Proof of Lemma 3
The algorithm B begins by taking in an instance $(G, g, X_3, T)$ of Assumption 1. It simulates $Game_{Real}$ or $Game_0$ with A.
Reduction algorithm B in Lemma 3
Setup
1. Choose random exponents $\alpha, a_1, \dots, a_\ell, b \in \mathbb{Z}_N$.
2. Set $g = g$, $u_i = g^{a_i}$ for $i \in \{1, \dots, \ell\}$ and $h = g^b$.
3. Send the public parameters $params = (N, g, u_1, \dots, u_\ell, h, e(g,g)^\alpha)$ to A.
4. The master secret key MSK is $\alpha$.
Phase I For an identity $(ID_1, \dots, ID_j)$
1. Choose random exponents $r, t, w, v_{j+1}, \dots, v_\ell \in \mathbb{Z}_N$.
2. Compute $K_1 = g^r X_3^t$.
3. Compute $K_2 = g^\alpha (u_1^{ID_1} \cdots u_j^{ID_j} h)^r X_3^w$.
4. Compute $E_{j+1} = u_{j+1}^r X_3^{v_{j+1}}, \dots, E_\ell = u_\ell^r X_3^{v_\ell}$.
5. Send the secret key $SK_{ID} = (K_1, K_2, E_{j+1}, \dots, E_\ell)$.
Challenge
1. A outputs messages $M_0, M_1$ and challenge identity $(ID_1^*, \dots, ID_j^*)$.
2. B generates a bit $\beta \in \{0, 1\}$.
3. The ciphertext $(C_0, C_1, C_2)$ is formed as follows:
$$C_0 = M_\beta\, e(T, g)^\alpha, \quad C_1 = T^{(a_1 ID_1^* + \cdots + a_j ID_j^* + b)}, \quad C_2 = T.$$
Note: This implicitly sets $g^s$ equal to the $G_{p_1}$ part of T. If $T \in G_{p_1 p_2}$, then this is a semi-functional ciphertext with $z_c = a_1 ID_1^* + \cdots + a_j ID_j^* + b$. If $T \in G_{p_1}$, then this is a normal ciphertext.
Phase II
1. A makes key generation queries, and B responds as in Phase I.
Guess
1. Finally, the adversary outputs a guess $\beta' \in \{0, 1\}$.
2. If $\beta = \beta'$, B outputs 0 (indicating that $T \in G_{p_1 p_2}$); otherwise, it outputs 1.
Simulation of secret key generation in Lemma 3
The key generation algorithm in Lemma 3 generates normal secret keys.
Simulation of challenge ciphertext generation in Lemma 3
The difference between $Game_{Real}$ and $Game_0$ is whether the challenge ciphertext is normal or semi-functional.
In the case $T \in G_{p_1}$, there exists $s \in \mathbb{Z}_N$ such that $T = g^s$. The normal ciphertext is computed as follows:
$$C_0 = M_\beta\, e(T, g)^\alpha = M_\beta\, e(g^s, g)^\alpha = M_\beta\, e(g, g)^{\alpha s} = C_0',$$
$$C_1 = T^{(a_1 ID_1^* + \cdots + a_j ID_j^* + b)} = (g^s)^{(a_1 ID_1^* + \cdots + a_j ID_j^* + b)} = (g^{a_1 ID_1^*} \cdots g^{a_j ID_j^*} g^b)^s = (u_1^{ID_1^*} \cdots u_j^{ID_j^*} h)^s = C_1',$$
$$C_2 = T = g^s = C_2'.$$
In the case $T \in G_{p_1 p_2}$, there exist $s, x \in \mathbb{Z}_N$ such that $T = g^s g_2^x$. First, run the encryption algorithm to generate a normal ciphertext $(C_0', C_1', C_2')$. The semi-functional ciphertext is computed as follows:
$$C_0 = M_\beta\, e(T, g)^\alpha = M_\beta\, e(g^s g_2^x, g)^\alpha = M_\beta\, e(g, g)^{\alpha s}\, e(g_2, g)^{\alpha x} = M_\beta\, e(g, g)^{\alpha s} = C_0',$$
$$C_1 = T^{(a_1 ID_1^* + \cdots + a_j ID_j^* + b)} = (g^s g_2^x)^{(a_1 ID_1^* + \cdots + a_j ID_j^* + b)} = C_1' (g_2^x)^{(a_1 ID_1^* + \cdots + a_j ID_j^* + b)} = C_1' g_2^{x z_c},$$
$$C_2 = T = g^s g_2^x = C_2' g_2^x.$$
Since normal keys can decrypt both normal and semi-functional ciphertexts, B can use the output of A to distinguish whether T is from the subgroup $G_{p_1 p_2}$ or from the subgroup $G_{p_1}$.
Probability analysis in Lemma 3 The probability computation is simply
$$Game_{Restricted} Adv_A - Game_0 Adv_A = \epsilon. \quad (14.6)$$
Lemma 4 Suppose there exists an algorithm A such that $Game_{k-1} Adv_A - Game_k Adv_A = \epsilon$. Then we can build an algorithm B with advantage $\epsilon$ in breaking Assumption 2.
Proof of Lemma 4
The algorithm B begins by taking in an instance $(G, g, X_1 X_2, X_3, Y_2 Y_3, T)$ of Assumption 2. It simulates $Game_{k-1}$ or $Game_k$ with A.
Reduction algorithm B in Lemma 4
Setup
1. Pick random exponents $\alpha, a_1, \dots, a_\ell, b \in \mathbb{Z}_N$.
2. Set $g = g$, $u_i = g^{a_i}$ for $i \in \{1, \dots, \ell\}$ and $h = g^b$.
3. Send the public parameters $params = (g, u_1, \dots, u_\ell, h, e(g,g)^\alpha)$ to A.
4. The master secret key MSK is $\alpha$.
Phase I
1. When A requests the ith ($i < k$) identity $(ID_1, \dots, ID_j)$, B creates a semi-functional key as follows.
(a) Choose random exponents $r, z, t, z_{j+1}, \dots, z_\ell \in \mathbb{Z}_N$.
(b) Compute $K_1 = g^r (Y_2 Y_3)^t$.
(c) Compute $K_2 = g^\alpha (u_1^{ID_1} \cdots u_j^{ID_j} h)^r (Y_2 Y_3)^z$.
(d) Compute $E_{j+1} = u_{j+1}^r (Y_2 Y_3)^{z_{j+1}}, \dots, E_\ell = u_\ell^r (Y_2 Y_3)^{z_\ell}$.
(e) Send the secret key $SK_{ID} = (K_1, K_2, E_{j+1}, \dots, E_\ell)$. This is a properly distributed semi-functional key with $g_2^\gamma = Y_2^t$.
2. When A requests the ith ($i > k$) identity $(ID_1, \dots, ID_j)$, B creates a normal key by using the key generation algorithm.
3. When A requests the kth key for $(ID_1, \dots, ID_j)$:
(a) Let $z_k = a_1 ID_1 + \cdots + a_j ID_j + b$.
(b) Choose random exponents $w_k, w_{j+1}, \dots, w_\ell \in \mathbb{Z}_N$.
(c) Compute $K_1 = T$.
(d) Compute $K_2 = g^\alpha T^{z_k} X_3^{w_k}$.
(e) Compute $E_{j+1} = T^{a_{j+1}} X_3^{w_{j+1}}, \dots, E_\ell = T^{a_\ell} X_3^{w_\ell}$.
(f) Send the secret key $SK_{ID} = (K_1, K_2, E_{j+1}, \dots, E_\ell)$.
Note: If $T \in G_{p_1 p_3}$, then this is a normal key with $g^r$ equal to the $G_{p_1}$ part of T. If $T \in G$, then this is a semi-functional key.
Challenge
1. A outputs messages $M_0, M_1$ and challenge identity $(ID_1^*, \dots, ID_j^*)$.
2. B generates a bit $\beta \in \{0, 1\}$.
3. The ciphertext $(C_0, C_1, C_2)$ is formed as
$$C_0 = M_\beta\, e(X_1 X_2, g)^\alpha, \quad C_1 = (X_1 X_2)^{(a_1 ID_1^* + \cdots + a_j ID_j^* + b)}, \quad C_2 = X_1 X_2.$$
Note: This implicitly sets $g^s = X_1$ and $z_c = a_1 ID_1^* + \cdots + a_j ID_j^* + b$.
Phase II
1. A makes key generation queries and B responds as in Phase I.
Guess
1. Finally, the adversary outputs a guess $\beta' \in \{0, 1\}$.
2. If $\beta = \beta'$, B outputs 0 (indicating that $T \in G_{p_1 p_3}$); otherwise, it outputs 1.
Simulation of secret key generation in Lemma 4
The secret key generation process is divided into 3 parts. The parts $i > k$ and $i < k$ only need to generate a normal or a semi-functional secret key, respectively, by using B's own master secret key. On the other hand, the case $i = k$ is different. Letting $(K_1', K_2', E_{j+1}', \dots, E_\ell')$ denote the normal key generated by using the key generation algorithm, the key generated in the case $i = k$ is computed as follows.
If $T \in G_{p_1 p_3}$, there exists $R_3 \in G_{p_3}$ such that $T = g^r R_3$. Then a normal key is computed as follows:
$$K_1 = T = g^r R_3.$$
$$K_2 = g^\alpha T^{z_k} X_3^{w_k} = g^\alpha (g^r R_3)^{z_k} X_3^{w_k} = g^\alpha (g^{z_k})^r R_3^{z_k} X_3^{w_k} = g^\alpha (g^{a_1 ID_1 + \cdots + a_j ID_j + b})^r R_3^{z_k} X_3^{w_k} = g^\alpha (u_1^{ID_1} \cdots u_j^{ID_j} h)^r R_3^{z_k} X_3^{w_k};$$
since $R_3, X_3 \in G_{p_3}$, there exists $R_3' = R_3^{z_k} X_3^{w_k} \in G_{p_3}$. Therefore, we have
$$K_2 = g^\alpha (u_1^{ID_1} \cdots u_j^{ID_j} h)^r R_3'.$$
$$E_{j+1} = T^{a_{j+1}} X_3^{w_{j+1}} = (g^r R_3)^{a_{j+1}} X_3^{w_{j+1}} = (g^{a_{j+1}})^r R_3^{a_{j+1}} X_3^{w_{j+1}} = u_{j+1}^r R_3^{a_{j+1}} X_3^{w_{j+1}};$$
since $R_3, X_3 \in G_{p_3}$, there exists $\tilde R_{j+1}' = R_3^{a_{j+1}} X_3^{w_{j+1}} \in G_{p_3}$. Therefore, we have $E_{j+1} = u_{j+1}^r \tilde R_{j+1}'$.
$\dots$
$$E_\ell = T^{a_\ell} X_3^{w_\ell} = (g^r R_3)^{a_\ell} X_3^{w_\ell} = (g^{a_\ell})^r R_3^{a_\ell} X_3^{w_\ell} = u_\ell^r R_3^{a_\ell} X_3^{w_\ell};$$
since $R_3, X_3 \in G_{p_3}$, there exists $\tilde R_\ell' = R_3^{a_\ell} X_3^{w_\ell} \in G_{p_3}$. Therefore, we have $E_\ell = u_\ell^r \tilde R_\ell'$.
If $T \in G$, then there exists $g_2^\gamma \in G_{p_2}$ such that $T = g^r R_3 g_2^\gamma$. The semi-functional key is computed as follows:
$$K_1 = T = g^r R_3 g_2^\gamma = K_1' g_2^\gamma.$$
$$K_2 = g^\alpha T^{z_k} X_3^{w_k} = g^\alpha (g^r R_3 g_2^\gamma)^{z_k} X_3^{w_k} = g^\alpha (g^{z_k})^r R_3^{z_k} X_3^{w_k} g_2^{\gamma z_k} = K_2' g_2^{\gamma z_k}.$$
$$E_{j+1} = T^{a_{j+1}} X_3^{w_{j+1}} = (g^r R_3 g_2^\gamma)^{a_{j+1}} X_3^{w_{j+1}} = (g^{a_{j+1}})^r R_3^{a_{j+1}} X_3^{w_{j+1}} g_2^{\gamma a_{j+1}} = E_{j+1}' g_2^{\gamma a_{j+1}}.$$
$\dots$
$$E_\ell = T^{a_\ell} X_3^{w_\ell} = (g^r R_3 g_2^\gamma)^{a_\ell} X_3^{w_\ell} = (g^{a_\ell})^r R_3^{a_\ell} X_3^{w_\ell} g_2^{\gamma a_\ell} = E_\ell' g_2^{\gamma a_\ell}.$$
Simulation of challenge ciphertext generation in Lemma 4
The encryption algorithm in Lemma 4 only generates semi-functional ciphertexts. Letting $(C_0', C_1', C_2')$ denote the normal ciphertext generated by using the encryption algorithm, the ciphertext in Lemma 4 is computed as follows in both cases, T from $G_{p_1 p_3}$ and T from G. Since $X_2 \in G_{p_2}$, there exists $x \in \mathbb{Z}_N$ such that $X_2 = g_2^x$.
$$C_0 = M_\beta\, e(X_1 X_2, g)^\alpha = M_\beta\, e(g^s X_2, g)^\alpha = M_\beta\, e(g^s, g)^\alpha\, e(X_2, g)^\alpha = M_\beta\, e(g, g)^{\alpha s} = C_0'.$$
$$C_1 = (X_1 X_2)^{(a_1 ID_1^* + \cdots + a_j ID_j^* + b)} = (g^s g_2^x)^{(a_1 ID_1^* + \cdots + a_j ID_j^* + b)} = (g^s)^{(a_1 ID_1^* + \cdots + a_j ID_j^* + b)} (g_2^x)^{(a_1 ID_1^* + \cdots + a_j ID_j^* + b)} = (u_1^{ID_1^*} \cdots u_j^{ID_j^*} h)^s g_2^{x z_c} = C_1' g_2^{x z_c};$$
$$C_2 = X_1 X_2 = g^s g_2^x = C_2' g_2^x.$$
For i = k, $z_k$ and $z_c$ are randomly distributed from A's point of view. Though this is hidden from A, in the case the simulator attempts to test itself whether key k is semi-functional by creating a semi-functional ciphertext for this identity and trying to decrypt, the decryption will work regardless of whether key k is semi-functional or not (because $z_k = z_c$, the simulator can only create a nominally semi-functional key k). That is, the attacker cannot request a key that can decrypt the challenge ciphertext.
In the case $T \in G_{p_1 p_3}$, the normal key is used to decrypt the semi-functional ciphertext; then B has properly simulated $Game_{k-1}$. In the case $T \in G$, B has properly simulated $Game_k$. Hence, B can use the output of A to distinguish between these possibilities for T.
Probability analysis in Lemma 4 The probability computation is simply
$$Game_{k-1} Adv_A - Game_k Adv_A = \epsilon. \quad (14.7)$$
Lemma 5
Suppose there exists an algorithm A such that $Game_q Adv_A - Game_{Final} Adv_A = \epsilon$. Then we can build an algorithm B with advantage $\epsilon$ in breaking Assumption 3.
Proof of Lemma 5
The algorithm B begins by taking in an instance $(G, g, g^\alpha X_2, X_3, g^s Y_2, Z_2, T)$ of Assumption 3. It simulates $Game_q$ or $Game_{Final}$ with A.
Reduction algorithm B in Lemma 5
Setup
1. Pick random exponents $a_1, \dots, a_\ell, b \in \mathbb{Z}_N$.
2. Set $g = g$, $u_i = g^{a_i}$ for $i \in \{1, \dots, \ell\}$, $h = g^b$ and $e(g, g)^\alpha = e(g^\alpha X_2, g)$.
3. Send the public parameters $params = (g, u_1, \dots, u_\ell, h, e(g, g)^\alpha)$ to A.
4. The master secret key MSK is $\alpha$.
Phase I When A requests a key for identity $(ID_1, \dots, ID_j)$, B creates a semi-functional key as follows.
1. Choose random exponents $c, r, t, w, z, z_{j+1}, \dots, z_\ell, w_{j+1}, \dots, w_\ell \in \mathbb{Z}_N$.
2. Compute $K_1 = g^r Z_2 X_3^t$.
3. Compute $K_2 = g^\alpha X_2 Z_2^c (u_1^{ID_1} \cdots u_j^{ID_j} h)^r X_3^w$.
4. Compute $E_{j+1} = u_{j+1}^r Z_2^{z_{j+1}} X_3^{w_{j+1}}, \dots, E_\ell = u_\ell^r Z_2^{z_\ell} X_3^{w_\ell}$.
5. Send the secret key $SK_{ID} = (K_1, K_2, E_{j+1}, \dots, E_\ell)$.
Challenge
1. A outputs messages $M_0, M_1$ and challenge identity $(ID_1^*, \dots, ID_j^*)$.
2. B generates a bit $\beta \in \{0, 1\}$.
3. The ciphertext $(C_0, C_1, C_2)$ is formed as
$$C_0 = M_\beta T, \quad C_1 = (g^s Y_2)^{(a_1 ID_1^* + \cdots + a_j ID_j^* + b)}, \quad C_2 = g^s Y_2.$$
Note: This implicitly sets $z_c = a_1 ID_1^* + \cdots + a_j ID_j^* + b$. We note that the value of $z_c$ only matters modulo $p_2$, whereas $u_1 = g^{a_1}, \dots, u_\ell = g^{a_\ell}$, and $h = g^b$ are elements of $G_{p_1}$, so when $a_1, \dots, a_\ell$ and b are chosen randomly modulo N, there is no correlation between the values of $a_1, \dots, a_\ell, b$ modulo $p_1$ and the value $z_c = a_1 ID_1^* + \cdots + a_j ID_j^* + b$ modulo $p_2$.
Phase II
1. A makes key generation queries, and B responds as in Phase I.
Guess
1. Finally, the adversary outputs a guess $\beta' \in \{0, 1\}$.
2. If $\beta = \beta'$, B outputs 0 (indicating that $T = e(g, g)^{\alpha s}$); otherwise, it outputs 1.
Simulation of secret key generation in Lemma 5
The key generation algorithm in Lemma 5 generates only semi-functional keys. Since B does not know the master secret key, it cannot generate real secret keys as in the previous lemmas. However, in Lemma 5, semi-functional keys can be generated without knowledge of the master secret key. For convenience, let $(K_1', K_2', E_{j+1}', \dots, E_\ell')$ denote the normal key generated by using the key generation algorithm. There exist $\gamma \in \mathbb{Z}_N$ and $R_3, R_3', R_{j+1}, \dots, R_\ell \in G_{p_3}$ such that $Z_2 = g_2^\gamma$, $R_3 = X_3^t$, $R_3' = X_3^w$, $R_{j+1} = X_3^{w_{j+1}}, \dots, R_\ell = X_3^{w_\ell}$, $X_2 Z_2^c = g_2^{\gamma z_k}$, $Y_2^{z_c} = g_2^{\gamma z_k}$. We have the semi-functional key as follows:
$$K_1 = g^r Z_2 X_3^t = g^r g_2^\gamma R_3 = K_1' g_2^\gamma.$$
$$K_2 = g^\alpha X_2 Z_2^c (u_1^{ID_1} \cdots u_j^{ID_j} h)^r X_3^w = g^\alpha (u_1^{ID_1} \cdots u_j^{ID_j} h)^r R_3' g_2^{\gamma z_k} = K_2' g_2^{\gamma z_k}.$$
$$E_{j+1} = u_{j+1}^r Z_2^{z_{j+1}} X_3^{w_{j+1}} = u_{j+1}^r g_2^{\gamma z_{j+1}} R_{j+1} = E_{j+1}' g_2^{\gamma z_{j+1}}.$$
$\dots$
$$E_\ell = u_\ell^r Z_2^{z_\ell} X_3^{w_\ell} = u_\ell^r g_2^{\gamma z_\ell} R_\ell = E_\ell' g_2^{\gamma z_\ell}.$$
Simulation of challenge ciphertext generation in Lemma 5
The difference between $Game_q$ and $Game_{Final}$ is whether the challenge ciphertext is semi-functional or random. So, T must be embedded in the challenge ciphertext. The challenge ciphertext is semi-functional if T is real; otherwise, the challenge ciphertext is random. Here we check that if T is real, then B computes the semi-functional ciphertext, and if T is random, it computes a random ciphertext. Since B does not know the master secret key, it cannot generate the real ciphertext as in the previous lemmas. However, in Lemma 5, the semi-functional ciphertext can be generated without knowledge of the master secret key. For convenience, let $(C_0', C_1', C_2')$ denote the normal ciphertext generated by using the encryption algorithm. Since $Y_2 \in G_{p_2}$, there exists $x \in \mathbb{Z}_N$ such that $Y_2 = g_2^x$.
In the case $T = e(g, g)^{\alpha s}$, the ciphertext is computed as follows:
$$C_0 = M_\beta\, e(g, g)^{\alpha s} = C_0'.$$
$$C_1 = (g^s Y_2)^{(a_1 ID_1^* + \cdots + a_j ID_j^* + b)} = (g^s g_2^x)^{(a_1 ID_1^* + \cdots + a_j ID_j^* + b)} = (g^s)^{(a_1 ID_1^* + \cdots + a_j ID_j^* + b)} (g_2^x)^{(a_1 ID_1^* + \cdots + a_j ID_j^* + b)} = C_1' g_2^{x z_c}.$$
$$C_2 = g^s Y_2 = g^s g_2^x = C_2' g_2^x.$$
In the case T is a random element of $G_T$, an additional random value is multiplied into the computed value of $C_0$. Therefore, the ciphertext computed in this case is random.
Probability analysis in Lemma 5 The probability computation is simply
$$Game_q Adv_A - Game_{Final} Adv_A = \epsilon. \quad (14.8)$$
Theorem 3 If Assumptions 1, 2, and 3 hold, then our HIBE system is secure.
Proof of Theorem 3
If Assumptions 1, 2, and 3 hold, then we have shown by the previous lemmas that the real security game is indistinguishable from $Game_{Final}$, in which the value of $\beta$ is information-theoretically hidden from the attacker. Hence the attacker can attain no advantage in breaking the HIBE system. □
14.5 The Generic Group Model
To understand the generic group model more easily, we introduce [22].
14.5.1 The Decision Linear Diffie-Hellman Assumption
With g1 ∈ G1 , along with arbitrary generators u, v, and h of G1 , consider the
following problem.
Decision linear problem in G1 . Given u, v, h, ua , v b , hc ∈ G1 as input, out-
put yes if a + b = c and no otherwise.
One can easily show that an algorithm for solving the decision linear problem
in G1 gives an algorithm for solving DDH in G1 . The converse is believed to
be false. That is, it is believed that decision linear is a hard problem even in
bilinear groups where DDH is easy (e.g., when G1 = G2 ). More precisely, we
define the advantage of an algorithm A in deciding the decision linear problem
in G1 as
$$Adv\,Linear_A \stackrel{def}{=} \Pr\big[A(u, v, h, u^a, v^b, h^{a+b}) = yes : u, v, h \xleftarrow{R} G_1,\ a, b \xleftarrow{R} \mathbb{Z}_p\big] - \Pr\big[A(u, v, h, u^a, v^b, \eta) = yes : u, v, h, \eta \xleftarrow{R} G_1,\ a, b \xleftarrow{R} \mathbb{Z}_p\big].$$
The probability is over the uniform random choice of the parameters to A, and over the coin tosses of A. We say that an algorithm A $(t, \epsilon)$-decides decision linear in $G_1$ if A runs in time at most t, and $Adv\,Linear_A$ is at least $\epsilon$.
Definition 5 We say that the $(t, \epsilon)$-decision linear assumption holds in $G_1$ if no t-time algorithm has advantage at least $\epsilon$ in solving the decision linear problem in $G_1$. In the next section, we show that the decision linear assumption holds in generic bilinear groups [92].
14.5.2 The Linear Problem in Generic Bilinear Groups
To provide more confidence in the decision linear assumption, we prove a
lower bound on the computational complexity of the decision linear problem
for generic groups in the sense of Shoup [92]. In this model, elements of G1 ,
G2 , and GT appear to be encoded as unique random strings, so that no prop-
erty other than equality can be directly tested by the adversary.
Five oracles are assumed to perform operations between group elements,
such as computing the group action in each of the three groups G1 , G2 ,
GT , as well as the isomorphism ψ : G2 → G1 , and the bilinear pairing
e : G1 × G2 → GT (where possibly G1 = G2 ).
The opaque encoding of the elements of G1 is modeled as an injective func-
tion ξ1 : Zp → Ξ1 , where Ξ1 ⊂ {0, 1}∗ , which maps all a ∈ Zp to the string
representation ξ1 (a) of g a ∈ G1 . Analogous maps ξ2 : Zp → Ξ2 for G2 and
ξT : Zp → ΞT for GT are also defined. The attacker A communicates with the
oracles using the ξ-representations of the group elements only.
Let $x, y, z, a, b, c \xleftarrow{R} \mathbb{Z}_p^*$, $T_0 \leftarrow g^{z(a+b)}$, $T_1 \leftarrow g^c$, and $d \xleftarrow{R} \{0, 1\}$. We show that no generic algorithm A that is given the encodings of $g^x, g^y, g^z, g^{xa}, g^{yb}, T_d, T_{1-d}$ and makes up to q oracle queries can guess the value of d with probability greater than $\frac{1}{2} + O(q^2/p)$. Note that here $g^x, g^y$, and $g^z$ play the role of the generators u, v, and h in the decision linear problem definition.
Theorem 4 Let A be an algorithm that solves the decision linear problem in the generic group model. Assume that $\xi_1, \xi_2, \xi_T$ are random encoding functions for $G_1, G_2, G_T$. If A makes a total of at most q queries to the oracles computing the group action in $G_1, G_2, G_T$, the isomorphism $\psi$, and the bilinear pairing e, then
$$\left| \Pr\left[ A\big(p, \xi_1(1), \xi_1(x), \xi_1(y), \xi_1(z), \xi_1(xa), \xi_1(yb), \xi_1(t_0), \xi_1(t_1), \xi_2(1)\big) = d \ :\ x, y, z, a, b, c \xleftarrow{R} \mathbb{Z}_p^*,\ d \xleftarrow{R} \{0, 1\},\ t_d \leftarrow z(a+b),\ t_{1-d} \leftarrow c \right] - \frac{1}{2} \right| \le \frac{8(q+9)^2}{p}.$$
Proof Consider an algorithm B that plays the following game with A.
B maintains three lists of pairs, L1 = {(F1,i , ξ1,i ) : i = 0, ..., τ1 − 1}, L2 =
{(F2,i , ξ2,i ) : i = 0, ..., τ2 − 1}, LT = {(FT,i , ξT,i ) : i = 0, ..., τT − 1}, un-
der the invariant that, at step τ in the game, τ1 + τ2 + τT = τ + 9. Here,
the F?,? ∈ Zp [X, Y, Z, A, B, T0 , T1 ] are polynomials in the indeterminates
X, Y, Z, A, B, T0 , T1 with coefficients in Zp . The ξ?,? ∈ {0, 1}∗ are arbitrary
distinct strings.
The lists are initialized at step τ = 0 by initializing τ1 ← 8, τ2 ← 1,
τT ← 0, and setting F1,0 = 1, F1,1 = X, F1,2 = Y , F1,3 = Z, F1,4 = XA,
F1,5 = Y B, F1,6 = T0 , F1,7 = T1 , and F2,0 = 1, where the degrees of F1,1 ,
F1,2 , F1,3 , F1,6 , F1,7 are 1, and the degrees of F1,4 and F1,5 are 2. The corre-
sponding strings are set to arbitrary distinct strings in {0, 1}∗ .
We may assume that A only makes oracle queries on strings previously
obtained from B, since B can make them arbitrarily hard to guess. We note
that B can determine the index i of any given string ξ1,i in L1 (resp. ξ2,i in
L2 , or ξT,i in LT ), where ties between multiple matches are broken arbitrarily.
B starts the game by providing A with the encodings ξ1,0 , ξ1,1 , ξ1,2 , ξ1,3 ,
ξ1,4 , ξ1,5 , ξ1,6 , ξ1,7 , and ξ2,0 . The simulator B responds to algorithm A’s queries
as follows.
Group action Given a multiply/divide selection bit and two operands ξ1,i
and ξ1,j with 0 ≤ i, j < τ1 , compute F1,τ1 ← F1,i ± F1,j depending on
whether a multiplication or a division is requested. If F1,τ1 = F1,l for some
l < τ1 , set ξ1,τ1 ← ξ1,l ; otherwise, set ξ1,τ1 to a string in {0, 1}∗ distinct from
ξ1,0 , · · · , ξ1,τ1 −1 . Add (F1,τ1 , ξ1,τ1 ) to the list L1 and give ξ1,τ1 to A, then in-
crement τ1 by one. Group action queries in G2 and GT are treated similarly.
Isomorphism Given a string ξ2,i with 0 ≤ i < τ2, set F1,τ1 ← F2,i. If F1,τ1 = F1,l for some l < τ1, set ξ1,τ1 ← ξ1,l; otherwise, set ξ1,τ1 to a string in {0, 1}* \ {ξ1,0, · · · , ξ1,τ1−1}. Add (F1,τ1, ξ1,τ1) to the list L1, and give ξ1,τ1 to A, then increment τ1 by one.
Pairing Given two operands ξ1,i and ξ2,j with 0 ≤ i < τ1 and 0 ≤ j < τ2, compute the product FT,τT ← F1,i F2,j. If FT,τT = FT,l for some l < τT, set ξT,τT ← ξT,l; otherwise, set ξT,τT to a string in {0, 1}* \ {ξT,0, · · · , ξT,τT−1}. Add (FT,τT, ξT,τT) to the list LT, and give ξT,τT to A, then increment τT by one.
Observe that at any time in the game, the total degree of any polynomial
in each of the three lists is bounded as follows: deg(F1,i ) ≤ 2, deg(F2,i ) = 0 (or
deg(F2,i ) ≤ 2 if G1 = G2 ), and deg(FT,i ) ≤ 2 (or deg(FT,i ) ≤ 4 if G1 = G2 ).
After at most q queries, A terminates and returns a guess d̂ ∈ {0, 1}. At this point B chooses random x, y, z, a, b, c ←R Zp. Consider td ← z(a + b) and t1−d ← c for both choices of d ∈ {0, 1}. The simulation provided by B is perfect and reveals nothing to A about d unless the chosen random values for the indeterminates give rise to a non-trivial equality relation between the simulated group elements that was not revealed to A, i.e., when we assign X ← x, Y ← y, Z ← z, A ← a, B ← b, and either T0 ← z(a + b), T1 ← c or the converse T0 ← c, T1 ← z(a + b).
This happens only if for some i, j one of the following holds:
1. F1,i(x, y, z, a, b, z(a + b), c) − F1,j(x, y, z, a, b, z(a + b), c) = 0, yet F1,i ≠ F1,j,
2. F2,i(x, y, z, a, b, z(a + b), c) − F2,j(x, y, z, a, b, z(a + b), c) = 0, yet F2,i ≠ F2,j,
3. FT,i(x, y, z, a, b, z(a + b), c) − FT,j(x, y, z, a, b, z(a + b), c) = 0, yet FT,i ≠ FT,j,
4. any relation similar to the above in which z(a + b) and c have been exchanged.
We first need to argue that the adversary is unable to engineer any of the
above equalities, so that they can only occur due to an unfortunate random
choice of x, y, z, a, b, c. First, observe that the adversary can only manip-
ulate the polynomials on the three lists through additions and subtractions
(disguised as multiplications and divisions in the groups G1 , G2 , and GT )
as well as multiplications between polynomials which are not the result of a
previous multiplication (disguised as pairings between elements of G1 and G2 ).
Now, notice that in the initial population of the lists, the only occurrence
of the variable A is within the monomial XA, the only occurrence of the vari-
able B is within the monomial Y B, and the only occurrence of the variable
Z is by itself.
Given the available operations, it is easy to see that, in the three group
representations:
1. The adversary is unable to generate any polynomial that contains at least one of the monomials mZA and mZB for any integer m ≠ 0, which is a prerequisite to synthesize a multiple of Z(A + B) in G1 or G2 (recall that the maximum degree in those groups is 2);
2. The adversary is unable to simultaneously generate the terms FZA and FZB for any non-zero monomial F of degree at most 2, which is a prerequisite to synthesize a multiple of the polynomial Z(A + B) in GT (the maximum degree in this group being 4).
Since in the above polynomial differences all arguments to the polynomials
are independent except for z(a+b), it is easy to see that the adversary will not
be able to cause any of them to cancel identically and non-trivially without
knowledge of a multiple of Z(A + B). The adversary is thus reduced to find a
numeric cancellation for random assignments of the variables.
We now determine the probability of a random occurrence of a non-trivial numeric cancellation. Since F1,i − F1,j for fixed i and j is a polynomial of degree at most 2, it vanishes for a random assignment of the indeterminates in Zp with probability at most 2/p. Similarly, for fixed i and j, the second case occurs with probability 0 (or ≤ 2/p when G1 = G2), and the third with probability ≤ 2/p (or ≤ 4/p when G1 = G2)³. The same probabilities are found in the analogous cases where z(a + b) and c have been exchanged.
Now, absent any of the above events, the distribution of the bit d in A's view is independent, and A's probability of making a correct guess is exactly 1/2. Thus, by summing over all valid pairs i, j in each case, we find that A makes a correct guess with advantage
$$\le 2\left(\binom{\tau_1}{2}\frac{2}{p} + \binom{\tau_2}{2}\frac{2}{p} + \binom{\tau_T}{2}\frac{4}{p}\right).$$
Since τ1 + τ2 + τT ≤ q + 9, the advantage is at most 8(q + 9)²/p, as required. □
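The simulator B of the proof above, written out as an added Python example (constructed for this chapter; it is not code from the book or from the Boneh-Boyen-Goh proof). It keeps the three lists of (polynomial, handle) pairs, answers the group action, isomorphism and pairing oracles by adding, subtracting or multiplying polynomials exactly as B does, and at the end of the game evaluates every polynomial at the random assignment to look for a collision between two different polynomials, which is the only event that could reveal d to A. It also gives the concrete formal polynomials asked for in Exercise 14.3. The prime p, the handle strings and the ordering of the seven indeterminates are my choices.

```python
"""Simulator B of the generic bilinear group proof (constructed example).
B never touches real group elements: every list entry is a polynomial over
Z_p in X, Y, Z, A, B, T0, T1 together with a random string handle given to A."""
import secrets

P = (1 << 61) - 1                              # prime group order p (placeholder size)
VARS = ("X", "Y", "Z", "A", "B", "T0", "T1")   # the seven indeterminates

# A polynomial is {monomial: coefficient}; a monomial is the tuple of exponents
# of the seven indeterminates, e.g. X*A is (1, 0, 0, 1, 0, 0, 0).
ONE = {(0,) * 7: 1}

def mono(name):
    return {tuple(int(v == name) for v in VARS): 1}

def padd(f, g, sign=1):
    """f + g (sign=1) or f - g (sign=-1) in Z_p[...], zero terms dropped."""
    h = dict(f)
    for m, c in g.items():
        h[m] = (h.get(m, 0) + sign * c) % P
        if h[m] == 0:
            del h[m]
    return h

def pmul(f, g):
    h = {}
    for m1, c1 in f.items():
        for m2, c2 in g.items():
            m = tuple(e1 + e2 for e1, e2 in zip(m1, m2))
            h[m] = (h.get(m, 0) + c1 * c2) % P
    return {m: c for m, c in h.items() if c}

def peval(f, point):
    """Evaluate f at point = (x, y, z, a, b, t0, t1) in Z_p."""
    total = 0
    for m, c in f.items():
        for e, v in zip(m, point):
            c = c * pow(v, e, P) % P
        total = (total + c) % P
    return total

def degree(f):
    return max((sum(m) for m in f), default=0)

class Simulator:
    """Lists L1, L2, LT of (F, xi) pairs; the list position is the index i."""

    def __init__(self):
        self.L = {"G1": [], "G2": [], "GT": []}
        for f in (ONE, mono("X"), mono("Y"), mono("Z"), pmul(mono("X"), mono("A")),
                  pmul(mono("Y"), mono("B")), mono("T0"), mono("T1")):
            self._append("G1", f)                # tau1 <- 8
        self._append("G2", ONE)                  # tau2 <- 1, tauT <- 0

    def _append(self, grp, f):
        """Add (F, xi); if F already appears, reuse its handle (the proof's rule)."""
        for f2, xi in self.L[grp]:
            if f2 == f:
                self.L[grp].append((f, xi))
                return xi
        xi = secrets.token_hex(16)               # fresh string in {0,1}*, distinct from all others
        self.L[grp].append((f, xi))
        return xi

    def handle(self, grp, i):
        return self.L[grp][i][1]

    def _poly(self, grp, xi):
        """Polynomial behind a handle; first match (ties broken arbitrarily)."""
        for f, h in self.L[grp]:
            if h == xi:
                return f
        raise KeyError("handle was never issued by B")

    # The three oracles of the game.
    def group_action(self, grp, xi, xj, divide=False):
        return self._append(grp, padd(self._poly(grp, xi), self._poly(grp, xj), -1 if divide else 1))

    def isomorphism(self, xi):                   # psi: G2 -> G1
        return self._append("G1", self._poly("G2", xi))

    def pairing(self, xi, xj):                   # e: G1 x G2 -> GT
        return self._append("GT", pmul(self._poly("G1", xi), self._poly("G2", xj)))

    def collision(self, point):
        """(grp, i, j) for the first pair of different polynomials that agree at point,
        else None: this is the event that would reveal d to A after the final assignment."""
        for grp, lst in self.L.items():
            vals = [(peval(f, point), f) for f, _ in lst]
            for i in range(len(vals)):
                for j in range(i + 1, len(vals)):
                    if vals[i][0] == vals[j][0] and vals[i][1] != vals[j][1]:
                        return (grp, i, j)
        return None

def random_point(d):
    """B's final step: x, y, z, a, b, c random in Z_p, T_d = z(a+b), T_{1-d} = c."""
    x, y, z, a, b, c = (secrets.randbelow(P) for _ in range(6))
    t = [0, 0]
    t[d], t[1 - d] = z * (a + b) % P, c
    return (x, y, z, a, b, t[0], t[1])
```

A is only ever given handles, so every query it can make is one of the three methods; the degree bound of the proof can be read off directly from the lists (`degree` never exceeds 2 in G1 and 4 in GT), and `collision(random_point(d))` returns None except with the probability the proof bounds by 8(q + 9)²/p.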
Exercises
14.1 Explain the random variables, formal variables, and handles of the ran-
dom variables with concrete examples.
14.2 Show concrete examples about the differences between Game 1 and 2.
14.3 Give a concrete example of formal polynomials.
³ To understand this, refer to the Schwartz–Zippel lemma.
15 Identity-Based Encryption (4)
CONTENTS
15.1 Overview 289
15.2 Preliminaries 291
15.2.1 Security Model 291
15.2.2 Hardness Assumption 293
15.3 Boneh-Boyen IBE [19] 293
15.3.1 Proof of IBE Security 295
This chapter introduces Boneh and Boyen's identity-based encryption scheme. Although Waters' proof methodology of dual system encryption resolves the issue of non-static assumptions and provides a fully secure proof, it also degrades efficiency, which is not a problem in a selectively secure model. The Boneh-Boyen scheme is presented as a selectively secure solution based on a static assumption in the standard model. The differences between the selectively secure and fully secure models are then discussed. The next part of the chapter introduces the preliminaries, starting from the security model for selective-identity IBE. The static hardness assumption used for the Boneh-Boyen scheme, the decisional bilinear Diffie-Hellman (DBDH) assumption, is then discussed. The final part of this chapter introduces the formal construction of the Boneh-Boyen scheme. This version is an efficient IBE system that is selective-identity, CPA-secure based on DBDH without random oracles.
15.1 Overview
Previously, we pointed out the problems of the non-static assumption in Gentry's scheme and introduced Waters' proof methodology of dual system encryption to resolve them. Waters' scheme presents fully (adaptively) secure solutions based on static assumptions in the standard model through hybrid games. Although Waters' proof methodology allows us to easily provide a fully secure proof, it also raises the problem of efficiency degradation. On the other hand, the selectively secure model is easy to prove with greater efficiency, but its security is lower than that of the fully secure model. In this chapter, we explain the Boneh-Boyen scheme, which presents a selectively secure solution based on a static assumption in the standard model.
What are the differences between selectively secure and fully (adaptively) secure models?
FIGURE 15.1
Comparison of the selectively secure and the fully secure models.
In the selectively secure model, an adversary must commit ahead of time to
the identity, called challenge identity that it intends to attack, whereas in the
fully secure model the adversary is allowed to choose this identity adaptively
during the game. So, the biggest difference is whether the adversary publishes
the challenge identity or not before starting the game. This seemingly minor
difference decides the complexity level (i.e., level of difficulty) of a proof as a
result. Figure 15.1 shows the comparison of selectively secure and fully secure
models.
Before explaining why this difference in complexity level arises in the proof, we have to recall once more that a simulator should not solve a hard problem by itself, but should use an adversary to solve it instead. If the simulator solves it by itself, the proof fails because the security game is not valid (i.e., the reduction does not go through). Normally, the simulator solves it by embedding the instances of the hard problem into the challenge ciphertext as well as the private keys, and then by reducing the adversary's decryption of the challenge ciphertext to solving the hard problem.
To carry out a valid proof, therefore, the simulator should not be able to decrypt the challenge ciphertext by itself. For example, if the underlying hard problem is to distinguish whether the input instance is random or not, we should make sure that the simulator cannot distinguish them by itself. This can be achieved by arranging that the simulator either decrypts in both cases or decrypts in neither case, whether the input instance comes from the random or the non-random distribution.
If the simulator knows the challenge identity in advance, we only have to
make sure that the simulator cannot generate the corresponding private key for
the challenge identity (and in turn cannot decrypt the challenge ciphertext).
Instead, if the simulator does not know the challenge identity in advance, all possible identities are candidates to be challenged, which makes the simulation very complex. This renders a proof in the fully secure model difficult or degrades the efficiency of the scheme.
Note that in [48] and [99], the simulator can decrypt the challenge cipher-
text by itself, whereas [19] and [24] construct reduction algorithms so that
simulators cannot generate the corresponding private key for the challenge
identity and cannot decrypt the challenge ciphertext accordingly.
15.2 Preliminaries
This section provides a security model and hardness assumption for identity-
based encryption.
15.2.1 Security Model
The selective identity IBE security is defined using the following game.
IND-sID-CCA game for an IBE scheme
1. Init: The adversary outputs an identity ID* where it wishes to be challenged.
2. Setup: The challenger runs the Setup algorithm. It gives the adversary the resulting system parameters params. It keeps the master-key to itself.
3. Phase I: The adversary issues queries q1, · · · , qm where query qi is one of:
(a) Private key query (IDi) where IDi ≠ ID*. The challenger responds by running the Gen algorithm to generate the private key di corresponding to the public key (IDi). It sends di to the adversary.
(b) Decryption query (Ci) where IDi ≠ ID*. The challenger responds by running the Gen algorithm to generate the private key di corresponding to IDi (or the relevant prefix thereof as requested). It then runs the Decrypt algorithm to decrypt the ciphertext Ci using the private key di. It sends the resulting plaintext to the adversary.
These queries may be asked adaptively, that is, each query qi may depend on the replies to q1, · · · , qi−1.
4. Challenge: Once the adversary decides that Phase I is over, it outputs two equal-length plaintexts M0, M1 ∈ M on which it wishes to be challenged. The challenger picks a random bit b ∈ {0, 1} and sets the challenge ciphertext to C = Encrypt(params, ID*, Mb). It sends C as the challenge to the adversary.
5. Phase II: The adversary issues additional queries qm+1, · · · , qn where qi is one of:
(a) Private key query (IDi) where IDi ≠ ID*. The challenger responds as in Phase I.
(b) Decryption query (Ci) for identity IDi where IDi ≠ ID*. The challenger responds as in Phase I.
These queries may be asked adaptively as in Phase I.
6. Guess: Finally, the adversary outputs a guess b′ ∈ {0, 1}. The adversary wins if b = b′.
We refer to such an adversary A as an IND-sID-CCA adversary. We define the advantage of the adversary A in attacking the scheme Π as
$$\mathrm{Adv}_{\Pi,A} = \left|\Pr[b = b'] - 1/2\right|. \quad (15.1)$$
The probability is over the random bits used by the challenger and the adversary.
Definition 1 We say that an IBE system Π is (t, qID, qC, ε)-selective identity, adaptive chosen ciphertext secure if for any t-time IND-sID-CCA adversary A that makes at most qID chosen private key queries and at most qC chosen decryption queries we have that AdvΠ,A < ε. As shorthand, we say that Π is (t, qID, qC, ε)-IND-sID-CCA secure.
Definition 2 We say that an IBE system Π is (t, qID, ε)-selective identity, chosen plaintext secure if Π is (t, qID, 0, ε)-selective identity, chosen ciphertext secure. As shorthand, we say that Π is (t, qID, ε)-IND-sID-CPA secure.
15.2.2 Hardness Assumption
For proving their scheme, Boneh and Boyen use a static hardness assumption.
Decisional bilinear Diffie-Hellman (DBDH) assumption
Let G and G1 be two groups of prime order p, where the size of p is a function of the security parameter. Let e : G × G → G1 be a bilinear map and let g be a generator of G.
Given (g, g^a, g^b, g^c, T) ∈ G^4 × G1 for some a, b, c ∈ Zp, it must remain hard to distinguish T = e(g, g)^{abc} ∈ G1 from a random element R ∈ G1.
An algorithm B that outputs b ∈ {0, 1} has advantage ε in solving the DBDH problem in G if
$$\left|\Pr\left[B(g, g^a, g^b, g^c, T = e(g,g)^{abc}) = 0\right] - \Pr\left[B(g, g^a, g^b, g^c, T = R) = 0\right]\right| \ge \varepsilon. \quad (15.2)$$
We refer to the distribution on the left as P_BDH and the distribution on the right as R_BDH.
Definition 3 We say that the (t, ε)-DBDH assumption holds in G if no t-time algorithm has an advantage of at least ε in solving the DBDH problem in G. Occasionally we drop the t and ε when referring to the BDH and DBDH assumptions in G.
15.3 Boneh-Boyen IBE [19]
In 2004, Boneh and Boyen proposed an efficient HIBE system that is selective
identity secure without random oracles based on the DBDH assumption. In
particular, this implies an efficient selective identity, chosen ciphertext secure
IBE based on DBDH without random oracles.
Construction 1. Boneh-Boyen IBE
Let G and G1 be groups of order p and let e: G × G → G1 be the bilinear
map. The IBE system works as follows.
Setup Given a security parameter k ∈ Z+, where k = |p|:
1. Pick random generators g, h1 ∈ G and g2 ∈ G*.
2. Pick a random α ∈ Z_p^*.
3. Set g1 = g^α.
4. The public parameters are params = (g, g1, g2, h1).
5. The master secret key is master-key = g2^α.
We define F1 : Zp → G to be the function F1(x) = g1^x h1.
Extract For a given identity ID ∈ Zp
1. Pick a random r1 ∈ Zp.
2. Compute d0 = g2^α · F1(ID)^{r1}.
3. Compute d1 = g^{r1}.
4. Set the secret key dID = (d0, d1).
Encrypt Message M ∈ G1
1. Pick a random s ∈ Zp.
2. Compute A = e(g1, g2)^s · M.
3. Compute B = g^s.
4. Compute C1 = F1(ID)^s.
5. Set the ciphertext to be C = ⟨A, B, C1⟩.
Note that e(g1, g2) can be precomputed once and for all so that the encryption does not require any pairing computations. Alternatively, e(g1, g2) can be included in the system parameters.
Decrypt Ciphertext C and secret key dID
1. Compute M = A · e(C1, d1) / e(B, d0).
Correctness:
$$\begin{aligned}
A \cdot \frac{e(C_1, d_1)}{e(B, d_0)} &= e(g_1, g_2)^s \cdot M \cdot \frac{e(F_1(ID)^s, g^{r_1})}{e(g^s, g_2^{\alpha} \cdot F_1(ID)^{r_1})} \\
&= e(g_1, g_2)^s \cdot M \cdot \frac{e(F_1(ID), g)^{s r_1}}{e(g^s, g_2^{\alpha})\, e(g^s, F_1(ID)^{r_1})} \\
&= e(g_1, g_2)^s \cdot M \cdot \frac{e(F_1(ID), g)^{s r_1}}{e(g, g_2)^{s\alpha}\, e(g, F_1(ID))^{s r_1}} \\
&= e(g_1, g_2)^s \cdot M \cdot \frac{1}{e(g^{\alpha}, g_2)^s} \\
&= e(g_1, g_2)^s \cdot M \cdot \frac{1}{e(g_1, g_2)^s} = M.
\end{aligned}$$
TABLE 15.1
Computational cost of Boneh-Boyen IBE [19].
Public Parameters 4|G| + |G1 |
Secret Key 2|G|
Communication 2|G| + |G1 |
Gen 2M + 3E
Encrypt 1M + 3E + M1 + E1
Decrypt 2M1 + 2P
The computational cost of Boneh-Boyen IBE [19] is shown in Table 15.1.
Note that this is the most efficient identity-based encryption scheme published
until now.
15.3.1 Proof of IBE Security
Theorem 1 Suppose the (t, ε)-DBDH assumption holds in G. Then the previously defined IBE system is (t′, qS, ε)-selective identity, chosen plaintext (IND-sID-CPA) secure for arbitrary qS and any t′ < t − O(t).
Intuition of the Proof As mentioned earlier, the advantage of a selectively secure proof is that the target identity (also called the challenge identity) to be attacked by the adversary is obtained in advance, which is the central pillar of the proof. In short, we only have to make sure that the simulator cannot generate the corresponding private key for the challenge identity, but can instead generate the challenge ciphertext for the challenge identity. This is enabled by a function F1(x) and a generator h1 as follows.
F1(x) is defined as F1(x) = g1^x h1, and h1 is defined as h1 = g1^{−ID*} g^{α1}. From the above, F1(x) can be written as
$$F_1(x) = g_1^{x}\, g_1^{-ID^*}\, g^{\alpha_1} = g_1^{x - ID^*}\, g^{\alpha_1}. \quad (15.3)$$
When x is ID*,
$$F_1(ID^*) = g_1^{ID^* - ID^*}\, g^{\alpha_1} = g^{\alpha_1}. \quad (15.4)$$
By making use of these, we make sure that when F1(x) evaluates to g^{α1}, a private key cannot be generated but a challenge ciphertext can be, which resolves the issue that the simulator could otherwise solve the problem by itself. Therefore, the security game becomes valid.
Proof Suppose A has advantage ε in attacking the IBE system. We build an algorithm B that solves the DBDH problem in G. On input (g, g^a, g^b, g^c, T), B's goal is to output 1 if T = e(g, g)^{abc} and 0 otherwise. Let g1 = g^a, g2 = g^b, g3 = g^c. Algorithm B works by interacting with A in a selective identity game as follows.
Reduction algorithm B
Initialization
1. Choose a random exponent α1 ∈ Zp.
2. Set g = g, g1 = g^a, g2 = g^b, where a and b are the exponents which are unknown to B.
3. Define h1 = g1^{−ID*} g^{α1}.
4. Send the public parameters params = (g, g1, g2, h1).
5. Set the master key master-key = g2^a = g^{ab}, which is unknown to B.
6. Define F1 : Zp → G to be the function F1(x) = g1^x h1 = g1^{x−ID*} g^{α1}.
Phase I
1. Choose a random exponent r1 ∈ Zp.
2. Set $d_0 = g_2^{-\alpha_1/(ID - ID^*)}\, F_1(ID)^{r_1}$ and $d_1 = g_2^{-1/(ID - ID^*)}\, g^{r_1}$.
3. Send the private key dID = (d0, d1).
Challenge
1. A outputs messages M0, M1.
2. B generates a bit b ∈ {0, 1}.
3. Set A = Mb · T, B = g^c, C1 = (g^c)^{α1}.
4. Send the challenge ciphertext C = (A, B, C1).
Note: If T = e(g, g)^{abc}, then the challenge ciphertext is valid. If T is random, then the challenge ciphertext is invalid.
Phase II
1. A issues its complement of private key queries not issued in Phase I.
Guess
1. Finally, the adversary outputs a guess b′ ∈ {0, 1}.
2. If b = b′, B outputs 1 (indicating that T = e(g, g)^{abc}); otherwise, it outputs 0 (indicating that T ≠ e(g, g)^{abc}).
Simulation of secret key generation in Theorem 1
The original private key is set as follows.
$$d_0 = g_2^{\alpha} \cdot F_1(ID)^{r_1}, \qquad d_1 = g^{r_1}.$$
In the above reduction algorithm, the private key is set as follows.
$$d_0 = g_2^{-\frac{\alpha_1}{ID - ID^*}}\, F_1(ID)^{r_1}, \qquad d_1 = g_2^{-\frac{1}{ID - ID^*}}\, g^{r_1}.$$
The private key must be generated in the case of ID ≠ ID*.
If ID ≠ ID* and $r_1' = r_1 - \frac{b}{ID - ID^*}$, then d0 and d1 are valid and computed as follows.
$$\begin{aligned}
d_0 &= g_2^{-\frac{\alpha_1}{ID - ID^*}}\, F_1(ID)^{r_1} = g^{-b\frac{\alpha_1}{ID - ID^*}}\, g^{a(ID - ID^*) r_1}\, g^{\alpha_1 r_1} \\
&= g^{a(ID - ID^*) b \frac{1}{ID - ID^*}}\, g^{-a(ID - ID^*) b \frac{1}{ID - ID^*}}\, g^{a(ID - ID^*) r_1}\, g^{\alpha_1 r_1}\, g^{-b\frac{\alpha_1}{ID - ID^*}} \\
&= g^{a(ID - ID^*) b \frac{1}{ID - ID^*}}\, g^{-a(ID - ID^*) b \frac{1}{ID - ID^*}}\, g^{a(ID - ID^*) r_1}\, g^{\alpha_1\left(r_1 - \frac{b}{ID - ID^*}\right)} \\
&= g^{ab}\, g^{-a(ID - ID^*) b \frac{1}{ID - ID^*}}\, g^{a(ID - ID^*) r_1}\, g^{\alpha_1\left(r_1 - \frac{b}{ID - ID^*}\right)} \\
&= g^{ab}\, g^{a(ID - ID^*)\left(r_1 - \frac{b}{ID - ID^*}\right)}\, g^{\alpha_1\left(r_1 - \frac{b}{ID - ID^*}\right)} = (g^b)^a\, g^{a(ID - ID^*) r_1'}\, g^{\alpha_1 r_1'} = g_2^a\, F_1(ID)^{r_1'}, \\
d_1 &= g_2^{-\frac{1}{ID - ID^*}}\, g^{r_1} = g^{-b\frac{1}{ID - ID^*}}\, g^{r_1} = g^{r_1 - \frac{b}{ID - ID^*}} = g^{r_1'}.
\end{aligned}$$
If ID = ID* and $r_1' = r_1 - \frac{b}{ID - ID^*}$, then d0 and d1 cannot be computed, because ID − ID* = 0 and 1/0 cannot be computed. So, the private key for the challenge identity ID* cannot be generated.
Simulation of challenge ciphertext generation in Theorem 1
The original ciphertext is set as follows.
A = e(g1, g2)^s · M, B = g^s, C1 = F1(ID*)^s.
In the above reduction algorithm, the challenge ciphertext is set as follows.
A = T · M, B = g^c, C1 = F1(ID*)^c, where c = s.
If T = e(g, g)^{abc}, then A is valid, because T = e(g, g)^{abc} = e(g^a, g^b)^c = e(g1, g2)^s, and B can set A by using the instance of the problem, T. On the other hand, if T is random, then naturally A is invalid.
Since c = s, B is valid (B = g^c = g^s) and can be set by using the instance of the problem, g^c.
Since F1(ID*)^c = g1^{(ID* − ID*)c} g^{α1 c} = g^{α1 c}, C1 is also valid and can be set as C1 = (g^c)^{α1} by using the instance of the problem, g^c.
Even though B tries to generate the challenge ciphertext of another identity ID, it cannot generate it. This is because, in order to generate the challenge ciphertext of another identity ID, B has to know g^{ac}, as follows: F1(ID)^c = g1^{(ID − ID*)c} g^{α1 c} = (g^{ac})^{(ID − ID*)} (g^c)^{α1}. But B does not know g^{ac}. So, the challenge ciphertext of another identity ID cannot be generated.
In conclusion, we can say that:
1. If T = e(g, g)^{abc}, then the challenge ciphertext is a valid encryption of Mb under ID* (in this case, B can make use of A's capability).
2. If T is random, then the challenge ciphertext is independent of Mb under ID* (in this case, B cannot make use of A's capability).
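Construction 1 and the reduction algorithm B of Theorem 1 together, as an added Python example that is not from the book or from the Boneh-Boyen paper. It uses a toy bilinear group in which every element is stored as its discrete logarithm, so the group offers no security whatsoever, but bilinearity and the exponent identities used in the simulation of secret keys and of the challenge ciphertext above hold exactly and can be checked mechanically. The reduction code touches only (g, g^a, g^b, g^c, T) and its own α1; the exponents a, b, c are used solely by the checking harness at the end. The prime, the function names and the identities 42 and 7 are my choices.

```python
"""Boneh-Boyen IBE and the selective-ID reduction of Theorem 1 (constructed example).
Group elements are stored by discrete logarithm: insecure, but every algebraic
identity of the scheme and of the proof holds exactly."""
import secrets

P = (1 << 61) - 1                  # prime order p of G and G1 (placeholder size)

class Elem:
    """Element g^x of G (grp='G') or e(g,g)^x of G1 (grp='GT')."""
    def __init__(self, log, grp="G"):
        self.log, self.grp = log % P, grp
    def __mul__(self, o):          # g^x * g^y = g^(x+y); both operands in the same group
        return Elem(self.log + o.log, self.grp)
    def __truediv__(self, o):
        return Elem(self.log - o.log, self.grp)
    def __pow__(self, k):          # (g^x)^k = g^(xk) for k in Z_p (negative k allowed)
        return Elem(self.log * (k % P), self.grp)
    def __eq__(self, o):
        return (self.log, self.grp) == (o.log, o.grp)

def pair(u, v):                    # bilinear map e(g^x, g^y) = e(g,g)^(xy)
    return Elem(u.log * v.log, "GT")

g = Elem(1)                        # generator of G

def rand_exp():
    return secrets.randbelow(P - 1) + 1

# ---- Construction 1 (Setup / Extract / Encrypt / Decrypt) ----
def F1(params, x):                 # F1(x) = g1^x * h1
    _, g1, _, h1 = params
    return (g1 ** x) * h1

def setup():
    alpha = rand_exp()
    g2, h1 = g ** rand_exp(), g ** rand_exp()
    params = (g, g ** alpha, g2, h1)
    return params, g2 ** alpha     # master-key = g2^alpha

def extract(params, master_key, ID):
    r1 = rand_exp()
    return (master_key * (F1(params, ID) ** r1), g ** r1)      # (d0, d1)

def encrypt(params, ID, M):
    g_, g1, g2, _ = params
    s = rand_exp()
    return ((pair(g1, g2) ** s) * M, g_ ** s, F1(params, ID) ** s)   # (A, B, C1)

def decrypt(ct, d_ID):
    A, B, C1 = ct
    d0, d1 = d_ID
    return A * pair(C1, d1) / pair(B, d0)

# ---- Reduction B of Theorem 1: built from the DBDH instance only ----
def reduction(instance, ID_star):
    """Return B's params and its key / challenge simulators for challenge identity ID*."""
    g_, ga, gb, gc, T = instance
    alpha1 = rand_exp()
    g1, g2 = ga, gb                                 # g1 = g^a, g2 = g^b; a, b unknown to B
    h1 = (g1 ** (-ID_star)) * (g_ ** alpha1)        # h1 = g1^{-ID*} g^{alpha1}
    params = (g_, g1, g2, h1)

    def sim_extract(ID):                            # Phase I / II key queries, ID != ID*
        if (ID - ID_star) % P == 0:
            raise ValueError("B cannot extract the key of the challenge identity")
        inv = pow((ID - ID_star) % P, -1, P)        # 1/(ID - ID*) mod p
        r1 = rand_exp()
        d0 = (g2 ** (-alpha1 * inv)) * (F1(params, ID) ** r1)
        d1 = (g2 ** (-inv)) * (g_ ** r1)
        return (d0, d1)

    def sim_challenge(Mb):                          # A = Mb*T, B = g^c, C1 = (g^c)^alpha1
        return (T * Mb, gc, gc ** alpha1)

    return params, sim_extract, sim_challenge

def dbdh_instance(real):
    """(g, g^a, g^b, g^c, T) with T = e(g,g)^abc if real, else uniform in G1.
    The exponents are returned only for the verification harness."""
    a, b, c = rand_exp(), rand_exp(), rand_exp()
    T = Elem(a * b * c, "GT") if real else Elem(rand_exp(), "GT")
    return (g, g ** a, g ** b, g ** c, T), (a, b, c)

def check_simulation(real):
    """True iff B's simulated key for ID != ID* decrypts honest ciphertexts under B's params
    and B's challenge ciphertext decrypts to Mb under an honest key for ID*."""
    inst, (a, b, c) = dbdh_instance(real)
    ID_star, ID, M = 42, 7, Elem(rand_exp(), "GT")
    params, sim_extract, sim_challenge = reduction(inst, ID_star)
    key_ok = decrypt(encrypt(params, ID, M), sim_extract(ID)) == M
    master_key = params[2] ** a                     # g2^a = g^{ab}: only the harness knows a
    chall_ok = decrypt(sim_challenge(M), extract(params, master_key, ID_star)) == M
    return key_ok and chall_ok
```

`check_simulation(True)` confirms the two simulation claims of the proof at once: the simulated keys are distributed like real keys (they decrypt), and with T = e(g, g)^{abc} the challenge is a real encryption of Mb under ID*. `check_simulation(False)` returns False because a random T leaves A·e(C1, d1)/e(B, d0) unrelated to Mb, which is exactly why A's guess carries no information in the R_BDH case. Replacing the discrete-log representation with a real pairing-friendly curve would leave every line of `reduction` unchanged, since it only uses group operations on the instance.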
Probability analysis in Theorem 1
When the input 5-tuple is sampled from P_BDH (where T = e(g, g)^{abc}), then A's view is identical to its view in a real attack game and therefore A must satisfy |Pr[b = b′] − 1/2| > ε, which means Pr[b = b′] ≥ |1/2 ± ε|¹. On the other hand, when the input 5-tuple is sampled from R_BDH (where T is uniform in G1), then Pr[b = b′] = 1/2 (i.e., no distinguishing capability). Therefore, with g uniform in G*, a, b, c uniform in Z_p^* and T uniform in G1*, we have that
$$\left|\Pr\left[B(g, g^a, g^b, g^c, e(g,g)^{abc}) = 0\right] - \Pr\left[B(g, g^a, g^b, g^c, T) = 0\right]\right| \ge \left|\left(\tfrac{1}{2} \pm \varepsilon\right) - \tfrac{1}{2}\right| = \varepsilon. \quad (15.5)$$
□
¹ Because Pr[b = b′] − 1/2 < −ε or Pr[b = b′] − 1/2 > ε, it holds that Pr[b = b′] < 1/2 − ε or Pr[b = b′] > 1/2 + ε. Therefore Pr[b = b′] ≥ |1/2 ± ε|.
16 Tight Reduction
CONTENTS
16.1 Overview 300
16.2 Why Is Tight Reduction Important? 300
16.3 Obstacles and Solutions in Tight Reduction 301
16.3.1 All-and-Any Strategy 301
16.3.1.1 Relationship Between Security Models and Strategies 302
16.3.2 Searching Method 303
16.3.3 Self-Decryption Paradox 304
16.4 All-and-Any Strategy Techniques in the Random Oracle Model 304
16.4.1 Katz-Wang Technique 305
16.4.2 Park-Lee Technique 306
Exercises 307
This chapter provides an overview of reduction algorithms, which show us how an attack on a cryptosystem by a polynomial-time adversary can be employed to solve some underlying hard computational problem in polynomial time. The cryptosystem studied in this chapter is an IBE system. The importance of tight reduction is explained in the next section. There are several obstacles to achieving a tight reduction; these involve an all-and-any strategy, in which the reduction algorithm must be able to answer private key queries for all identities and handle any identity as the challenge identity. Next comes the relationship between the security models and the strategies, followed by the need for a searching method and the resolution of a self-decryption paradox. The final part of this chapter discusses two all-and-any strategy techniques in the random oracle model. The first is the Katz-Wang technique, which requires a cryptographic hash function that maps a string to a group element. The second is the Park-Lee technique, which makes use of two cryptographic hash functions, modeled as random oracles, in order to generate a group element.
16.1 Overview
We will study a reduction algorithm that demonstrates how an attack by a
polynomial-time adversary can be employed to solve some underlying hard
computational problems. Because the security proof for a crypto system is
given by describing a reduction algorithm, it is important to research the
reduction algorithms in cryptography. Here, we instantiate the case of an
identity-based encryption (IBE) system as one of the crypto systems.
16.2 Why Is Tight Reduction Important?
Typically, security proofs for IBE systems [24, 91] are given by describing a
reduction algorithm. The existence of such a reduction algorithm shows that
if some underlying problem is assumed to be difficult to solve, the IBE sys-
tem is secure under some appropriately defined security model. The results of
such a reduction can be measured by time and advantage functions that are
determined by some security parameter. Here, the advantage can be roughly
interpreted as the maximum possible bound on the probability of either break-
ing the IBE system or solving some hard computational problem.
For a security parameter, let (t, ε) be an assumed time and advantage for breaking an IBE system, and similarly let (t′, ε′) be an assumed time and advantage for solving an instance of a particular problem. The ideal case for a security reduction is that t ≈ t′ and ε ≈ ε′ simultaneously. This means that the IBE system is as secure as the underlying hard computational problem. Therefore, to achieve a certain level of security, the IBE system can be designed on the basis of algebraic groups (or other settings) in which a certain instance of the hard computational problem is justified at the same level of security. Such an ideal security reduction is said to be tight.
When designing an IBE system, a tight security reduction is an accepted goal as described in [10]. If a security reduction is not tight, the IBE system must be based on algebraic groups in which an instance of the hard computational problem is justified at a higher security level. In most cases, a larger security parameter results in inefficiency and costlier operations. For instance, assume that a security reduction is given by ε ≈ c · ε′ for a large reduction coefficient c. If c = 2^60, then aiming for ε = 2^−80 as the desired security level (by expending some amount of time) implies that a security parameter on which an IBE system is constructed must, in reality, be chosen for a particular instance of a hard computational problem that satisfies ε′ = 2^−140.
The bilinear Diffie–Hellman (BDH) problem [24] is considered to be the
standard underlying hard computational problem for IBE systems, and has
been well studied. Therefore, building an IBE system with a tight security
reduction to the BDH problem is a significant concern.
16.3 Obstacles and Solutions in Tight Reduction
FIGURE 16.1
Necessary conditions for tight security reduction to the (D)BDH problem. In the reduction to DBDH, the bit b output by the solver is the bit that the attacker guessed.
To obtain such a tight security reduction, several obstacles must be over-
come. Figure 16.1 summarizes the conditions necessary for a tight security
reduction to the DBDH or BDH problem when designing an IBE system.
16.3.1 All-and-Any Strategy
The first is to provide what is known as an all-and-any strategy in security analysis. According to this strategy, a reduction algorithm must be able to answer private key queries for all identities and handle any identity ID* (not queried for a private key) as the challenge identity. Indeed, the all-and-any strategy truly reflects the security model [24] for an IBE system, where a challenger interacting with an adversary behaves in the same manner as the reduction algorithm. Implementing an all-and-any strategy becomes the first step toward removing a large reduction coefficient c (explained above), even though an additional strategy is required. This is contrary to the previous partitioning strategy¹ used for proving adaptive [24, 33, 98] or selective security [19, 20], where the identity space is partitioned into two parts beforehand. One part is used for key generation and the other part is used for generating the challenge ciphertext. If any identity chosen by the adversary does not fall favorably in the partition, the reduction algorithm should abort; this causes significant security degradations² (i.e., large reduction coefficients). When using the all-and-any strategy, it is important to note that the reduction algorithm can create a private key for all identities, including any challenge identity ID*. As a result, the reduction algorithm can easily manage decryption queries made by an adversary when proving chosen-ciphertext security.
16.3.1.1 Relationship Between Security Models and Strategies
Defining and understanding this relationship by yourself is one of the most important things in proving a cryptographic scheme. Therefore, thinking over what kinds of proof may be possible before starting the proof can be very useful. Furthermore, it is also good to figure out which of the two proof techniques (i.e., the all-and-any and partitioning strategies) fits the proposed private key structure, which will be explained shortly.
The relationship from the simulator’s viewpoint
Solving the all-and-any requirement and the self-decryption paradox is fundamental in proving the selectively secure as well as the fully secure models based on a decisional assumption. This is because, in order to solve the issue (i.e., the self-decryption paradox) that the simulator can make the challenge private key by itself when the scheme is proved using an all-and-any strategy, those two security models devise a mechanism that keeps the simulator from generating the challenge private key. We can see that this mechanism solves the self-decryption paradox. The only difference between the selectively and fully secure models is whether the challenge identity becomes known to the simulator before the security game starts or not.
The partitioning strategy does not solve the self-decryption paradox but only depends on luck. Therefore it does not achieve a tight reduction, because the probability of aborting is high. In other words, the partitioning strategy can be defined as the opposite of what resolves the self-decryption paradox.
¹ The term partitioning was first introduced in [99].
² Hereinafter, a reduction coefficient c such that ε ≈ c · ε′ is considered a security degradation.
The relationship from the prover's viewpoint
The partitioning strategy is the generic term for proof techniques that split the identity space into the challenge identity space and the remaining space before the security game starts. It can be used in the fully secure as well as in the selectively secure model. In the selectively secure model the challenge identity space is fixed in advance, so the probability of the abort event can be driven down and a tight reduction is achievable. In the fully secure model the abort probability cannot be reduced, so no tight reduction is obtained. Hence the partitioning strategy is the natural choice for a tight reduction in the selectively secure model.
The all-and-any strategy, on the other hand, is the generic term for proof techniques that fix the challenge identity space only during the security game. Since the probability of the abort event is low with this strategy, it is better suited to achieving a tight reduction in the fully secure model.
16.3.2 Searching Method
One obstacle to overcome is the search for the solution to a single instance of the BDH problem. To analyze the security of a scheme under the BDH problem, a reduction algorithm must derive the correct answer from certain values issued by the adversary. This search is not easy, because the reduction algorithm does not know the correct answer in advance. A search method therefore has to be provided to the reduction algorithm; otherwise it has no option but to pick one value at random from the entire set of candidates. If the number of candidates is small, a tight reduction can still hold. In the most pessimistic case, however, the adversary issues a large number of values and a tight reduction can no longer be guaranteed. For instance, if the correct answer has to be picked at random from the q random oracle queries made by the adversary, the reduction coefficient becomes (at least) c = q. With $q = 2^{50}$ as the accepted bound [11] on the number of random oracle queries, the reduction loses at least 50 bits of security. Note that a search method is not what the all-and-any strategy provides: even if private keys for all identities are known, this does not help the reduction algorithm solve the BDH problem. If private keys created by the reduction algorithm could be used to obtain the correct answer, the decisional BDH (DBDH) problem^3 would be solved easily, by using a private key to test whether the target value of the DBDH instance is the solution to the BDH problem.
^3 Informally, the DBDH problem is defined as follows: given $(g, g^a, g^b, g^c, T) \in \mathbb{G}^4 \times \mathbb{G}_T$ as input, determine whether $T = e(g, g)^{abc}$.
TABLE 16.1
IBE systems with tight security reduction to the (D)BDH problem.

                                     | To the DBDH problem | To the BDH problem
Based on Katz–Wang technique [61]    | ACF$^+$-IBE [6]     | Nishioka-FO$_{ID}$ IBE [64], [79]
Based on Park–Lee technique          | PL-IBE [82]         | PLL-IBE [83]
16.3.3 Self-Decryption Paradox
When attempting to achieve a tight security reduction to the DBDH problem, a distinct obstacle known as the self-decryption paradox must be overcome. It arises from two facts: (1) the target value of the DBDH problem is embedded in the challenge ciphertext $CT^*$ for the challenge identity $ID^*$, and (2) the reduction algorithm can generate a private key for that same identity $ID^*$. The paradox is that the reduction algorithm could generate the private key for $ID^*$, simply decrypt $CT^*$ with it, and solve the DBDH problem without the adversary's help, which would contradict the hardness of DBDH. To resolve the self-decryption paradox, some technique must be devised that either prevents this decryption from succeeding or makes it yield nothing related to the target value of the DBDH problem. Nevertheless, ciphertexts other than $CT^*$ must still decrypt normally with the private key for $ID^*$. Several techniques have been suggested [6], [48], [82], each working differently depending on its underlying all-and-any strategy. The idea behind each technique is explained together with the analysis of the corresponding all-and-any strategy.
16.4 All-and-Any Strategy Techniques in the Random
Oracle Model
Table 16.1 shows that there are two techniques for the all-and-any strategy in the random oracle model, and five IBE systems that have been suggested to achieve tight security reductions to the (D)BDH problem. FO$_{ID}$ [64] is a tight variant of the Fujisaki–Okamoto transform [33] that can be applied to some chosen-plaintext secure IBE systems.
Table 16.2 summarizes the difference between the two techniques. We describe the idea behind each technique, and then discuss how each IBE system resolves the self-decryption paradox or provides a search method.
TABLE 16.2
Difference between Katz–Wang and Park–Lee techniques.

                        | Katz–Wang technique                          | Park–Lee technique
Mandatory requirement   | full domain hash, two public keys            | two-equation technique
Private key structure   | $H(ID, b_{ID})^s,\ b_{ID}$                    | $g^\alpha u^s,\ g^s,\ (H(ID)\,u^{h(g^\alpha u^s \| g^s)})^s$
Ciphertext structure    | two ciphertext elements:                     | a parallel private key:
                        | $\mathrm{Enc}_K(m),\ g^r,$                    | $e(g, g^\alpha)^r m,\ g^r,$
                        | $G(e(g^\alpha, H(ID, 0))^r, ID, 0),$          | $(H(ID)\,u^{h(e(g, g^\alpha)^r m \| g^r)})^r$
                        | $G(e(g^\alpha, H(ID, 1))^r, ID, 1)$           |
(Note: H is a map-to-point hash, G is a hash, $b_{ID} \in \{0, 1\}$, $\alpha, s, r \in \mathbb{Z}_p$, $g, u \in \mathbb{G}$)
16.4.1 Katz-Wang Technique
The Katz–Wang technique [61] is based on the BF-IBE scheme. It requires a cryptographic hash function H that maps a string to a group element; H is modeled as a random oracle in the security analysis. The difference is that BF-IBE uses one public key, H(ID), and one private key corresponding to it, whereas the Katz–Wang technique uses two public keys, H(ID, 0) and H(ID, 1), when encrypting a message for a single identity ID; a user with identity ID is given the private key for only one of the two. In the security analysis, the simulator controls the public key H(ID, b) for a randomly chosen b ∈ {0, 1}, and this allows it to answer extract queries for every identity ID, including the challenge identity $ID^*$. The other public key $H(ID^*, 1-b)$ is used to simulate the challenge ciphertext for $ID^*$ in the challenge phase. Therefore, even though the reduction algorithm can only use H(ID, b) to compute private keys, this suffices to answer private key queries for all identities, and $H(ID^*, 1-b)$ is used to obtain the computational Diffie–Hellman (CDH) value. This shows that the reduction algorithm can answer private key queries for all identities and can use any identity as the challenge identity $ID^*$.
Compared to the BF-IBE scheme, the Katz-Wang technique is less efficient in terms of encryption cost and ciphertext size. Moreover, encryption in the Nishioka-FO$_{ID}$ IBE system becomes more expensive still, because it requires the dual form. Furthermore, to obtain IND-ID-CCA security, the decryption algorithm in FO$_{ID}$ must re-encrypt in order to determine whether a ciphertext is well formed. The reason is that each user is assigned the private key for only one H(ID, b), for a random b ∈ {0, 1}, so the ciphertext elements for H(ID, 1−b) cannot be decrypted directly. Instead, decrypting the ciphertext elements for H(ID, b) yields the random value (and message) that was used in encryption; by re-encrypting the message with that random value, the user can determine whether the other ciphertext part, the one corresponding to H(ID, 1−b), is also well formed. This re-encryption doubles the running time of the security reduction when FO$_{ID}$ is used; it is not overly costly, however, and still allows a relatively tight reduction.
16.4.2 Park-Lee Technique
The main idea behind the Park-Lee technique [82] is to use two cryptographic hash functions H and h, both modeled as random oracles, to generate an element of the form $(H(ID)\,u^{h(A)})^r$. Here u is a public parameter, A refers to other key elements, and r is a randomly chosen exponent. Let $(g, g^a, g^b, g^c)$ be the BDH instance given to the reduction algorithm. In the security analysis, H(ID) is programmed to embed an information-theoretically hidden exponent γ into the element $g^a$ for the unknown a; that is, $H(ID) = (g^a)^{\gamma} g^{\tau}$ for a randomly chosen τ. When a private key is generated for some ID, the random exponent r of $(H(ID)\,u^{h(A)})^r$ has to contain the unknown exponent b, which would seem to require the CDH value $g^{ab}$. However, if $u = (g^a)^{-1} g^{\delta}$ for a random δ, then programming $h(A) = \gamma$ makes the $g^a$ factor cancel:
$$H(ID)\,u^{h(A)} = (g^a)^{\gamma} g^{\tau} \cdot (g^a)^{-\gamma} g^{\delta\gamma} = g^{\tau + \delta\gamma},$$
so the crucial element $(H(ID)\,u^{h(A)})^r$ can be computed from $g^b$ and the known exponents $\tau, \delta, \gamma$ without the CDH value $g^{ab}$. Using this technique, the reduction algorithm can create a private key for every identity. The same method is applied to construct the challenge ciphertext element $(H(ID^*)\,u^{h(B)})^c$ for any identity $ID^*$, where B refers to the other ciphertext elements and c comes from $g^c$: h(B) is programmed to be $\gamma^*$ when $H(ID^*) = (g^a)^{\gamma^*} g^{\tau^*}$ for randomly chosen $\gamma^*$ and $\tau^*$, and thus the reduction algorithm avoids computing the CDH value $g^{ac}$.
Park and Lee [82] proved that their IBE system is tightly IND-ID-CCA secure under the DBDH assumption. The self-decryption paradox is resolved as follows: when generating the private key for the challenge identity $ID^*$, the reduction algorithm sets h(A) to $\gamma^*$, so that $h(A) = \gamma^* = h(B)$. That is, the same information-theoretically hidden exponent $\gamma^*$ is used twice, as h(A) in the private key for $ID^*$ and as h(B) in the challenge ciphertext. Decrypting the challenge ciphertext with the private key for $ID^*$ is then impossible, because the decryption algorithm of the Park-Lee IBE system must compute $1/(h(A) - h(B))$ from the values h(A) and h(B), which is undefined when h(A) = h(B). Other ciphertexts for $ID^*$, whose h(B) differs from h(A), still decrypt normally.
A primary advantage of the Park-Lee technique is that it provides an easy and efficient way to obtain chosen-ciphertext security: simply hash the other ciphertext elements B (including the message encryption part) into h(B) and embed the result in $(H(ID)\,u^{h(B)})^s$ for a randomly chosen exponent s. This needs no additional conversion such as FO$_{ID}$ or the Encrypt-then-authenticate paradigm. Hence the decryption algorithm requires no extra computation such as the re-encryption that is necessary with the Katz-Wang technique.
Exercises
16.1 Why is the all-and-any strategy required for supporting tight reduction?
16.2 Can a proof technique using the partitioning strategy achieve tight re-
duction?
17
Transformation Technique
CONTENTS
17.1 Canetti-Halevi-Katz Transformation [32] 309
17.1.1 Definitions 310
17.1.1.1 Binary Tree Encryption 310
17.1.1.2 One-Time Signature 312
17.1.2 Chosen-Ciphertext Security from IBE 312
17.1.3 Chosen-Ciphertext Security for BTE Schemes 316
This chapter begins with the Canetti-Halevi-Katz (CHK) transformation. The CHK transformation gives an efficient construction of a CCA-secure public-key encryption scheme from any CPA-secure identity-based encryption scheme, and the construction extends to turn a CPA-secure binary tree encryption (BTE) scheme, a variant of HIBE, into a CCA-secure one. The chapter then gives the basic definitions: a BTE is defined as a 4-tuple of PPT algorithms (setup, key derivation, encryption, and decryption), and a one-time signature scheme is defined. The remaining part of the chapter shows how to obtain a CCA-secure PKE from a CPA-secure IBE and a CCA-secure BTE from a CPA-secure BTE. Both transformations are given with their formal construction and a security proof by a reduction algorithm.
17.1 Canetti-Halevi-Katz Transformation [32]
Canetti, Halevi and Katz [32] proposed a simple and efficient construction of a CCA-secure public-key encryption scheme from any CPA-secure identity-based encryption (IBE) scheme. The IBE scheme only has to satisfy a relatively "weak" notion, selective-ID security in the standard model, where the adversary must announce the challenge identity in advance. The same transformation also turns any CPA-secure (H)IBE scheme into a CCA-secure (H)IBE scheme in the standard model.
Constructing a CPA-secure IBE scheme is considered easier than constructing a CCA-secure one. The transformation is efficient enough that cryptographers can focus on designing CPA-secure schemes and then transform them into CCA-secure schemes easily.
In this chapter, we show how to obtain a CCA-secure PKE scheme from a CPA-secure IBE scheme. The construction is then extended to turn a CPA-secure binary tree encryption (BTE) scheme into a CCA-secure one. The BTE scheme [31] is a variant of the HIBE scheme. The differences between BTE and HIBE are:
1. In BTE each node has only two children, whereas in HIBE each node has arbitrarily many children.
2. In BTE the children are labeled "0" and "1," whereas in HIBE the children are labeled with arbitrary strings.
As a result, there is an important application of this transformation: we derive a CCA-secure HIBE scheme from a CPA-secure HIBE scheme. Here we only treat the CCA-secure BTE, but the result also implies a CCA-secure HIBE.
17.1.1 Definitions
This section defines binary tree encryption and one-time signature.
17.1.1.1 Binary Tree Encryption
Definition 1 A binary tree encryption scheme (BTE) is a 4-tuple of PPT algorithms (Setup, Der, E, D) such that:
1. The randomized setup algorithm Setup takes as input a security parameter $1^k$ and a value l representing the maximum tree depth. It outputs some system-wide parameters PK along with a master (root) secret key $SK_{\varepsilon}$ (we assume that k and l are implicit in PK and all secret keys).
2. The (possibly randomized) key derivation algorithm Der takes as input the name of a node $w \in \{0, 1\}^{\le l}$ and its associated secret key $SK_w$. It returns secret keys $SK_{w0}, SK_{w1}$ for the two children of w.
3. The randomized encryption algorithm E takes as input PK, the name of a node $w \in \{0, 1\}^{\le l}$, and a message m, and returns a ciphertext C. We write $C \leftarrow E_{PK}(w, m)$.
4. The decryption algorithm D takes as input the name of a node $w \in \{0, 1\}^{\le l}$, its associated secret key $SK_w$, and a ciphertext C. It returns a message m or the distinguished symbol ⊥. We write $m \leftarrow D_{SK_w}(w, C)$.
We require that for all (PK, $SK_{\varepsilon}$) output by Setup, any $w \in \{0, 1\}^{\le l}$, any correctly-generated secret key $SK_w$ for this node, any message m, and all C output by $E_{PK}(w, m)$, we have $D_{SK_w}(w, C) = m$.
FIGURE 17.1
Binary tree encryption.
Definition 2 A binary tree encryption scheme (BTE) is secure against selective-node, chosen-plaintext attacks if for all polynomially-bounded functions l(·), the advantage of any PPT adversary A in the following game is negligible in the security parameter k:
1. $A(1^k, l(k))$ outputs a node label $w^* \in \{0, 1\}^{\le l(k)}$.
2. $\mathrm{Setup}(1^k, l(k))$ outputs (PK, $SK_{\varepsilon}$). In addition, algorithm Der is used to generate the secret keys of all the nodes on the path P from the root to $w^*$, and also the secret keys for the two children of $w^*$ (if $|w^*| < l$). The adversary is given PK and the secret keys $SK_w$ for all nodes w of the following form, as shown in Figure 17.1:
(a) $w = v\bar{b}$, where vb is a prefix of $w^*$ and b ∈ {0, 1} (i.e., w is a sibling of a prefix node of the challenge node in P)^1; or
(b) $w = w^*0$ or $w = w^*1$ (i.e., w is a child of $w^*$; this assumes $|w^*| < l$)^2.
Note that this allows the adversary to compute $SK_w$ for any node $w \in \{0, 1\}^{\le l(k)}$ that is not a prefix of $w^*$.
3. At some point, A outputs two messages $m_0, m_1$ with $|m_0| = |m_1|$. A bit b is randomly chosen and the adversary is given a "challenge ciphertext" $C^* \leftarrow E_{PK}(w^*, m_b)$.
1 It means that query of prefixes of the challenge node is not allowed.
2 It means that query of secret keys of two children of the challenge node is allowed.
4. Finally, A outputs a guess $b'$.
We say that A succeeds if $b' = b$, and denote the probability of this event by $\Pr_{A,BTE}[\mathrm{Succ}]$. The adversary's advantage is defined as $|\Pr_{A,BTE}[\mathrm{Succ}] - 1/2|$.
17.1.1.2 One-Time Signature
Definition 3 A signature scheme is defined by three PPT algorithms as
follows:
1. G(1k ): On input the security parameter 1k , this probabilistic poly-
nomial time algorithm outputs a pair of signing key (sk) and veri-
fication key (vk).
2. Sign: This algorithm takes as input a signing key sk and a message
M from the appropriate message space M and outputs a signature
σ.
3. Vrfy: This is a deterministic algorithm which on input a verification
key vk, a message M and a signature σ on M outputs accept or
reject (⊥ symbol), depending on whether σ is a valid signature on
M or not.
Definition 4 A signature scheme (G, Sign, Vrfy) is a strong, one-time
signature scheme if the success probability of any PPT adversary A is neg-
ligible in the following game.
1. $G(1^k)$ outputs (vk, sk). The adversary A is given vk.
2. $A(1^k, vk)$ may take one of the following actions:
(a) A outputs a message M and in return is given a signature of M under the signing key sk, i.e., $\sigma \leftarrow \mathrm{Sign}_{sk}(M)$. Then A outputs a pair $(M^*, \sigma^*)$.
(b) A outputs a pair $(M^*, \sigma^*)$ and halts. In this case (M, σ) is undefined, i.e., the adversary outputs a possible forgery without even seeing a single valid message-signature pair.
A succeeds in the game if $\sigma^*$ is a proper signature of $M^*$ under the verification key vk, i.e., $\mathrm{Vrfy}_{vk}(M^*, \sigma^*) = 1$ but $(M^*, \sigma^*) \ne (M, \sigma)$. Note that A may succeed even if $M^* = M$, which is the reason to call the scheme a strong one-time signature.
17.1.2 Chosen-Ciphertext Security from IBE
Given:
1. ID-based encryption scheme $\Pi' = (\mathrm{Setup}, \mathrm{Der}, E', D')$ secure against selective-identity chosen-plaintext attacks.
FIGURE 17.2
CCA-secure PKE from CPA-secure IBE.
2. One-time signature scheme Sig = (G, Sign, Vrfy) in which the verification key output by $G(1^k)$ has length $l_s(k)$.
We construct a (standard) public-key encryption scheme Π = (Gen, E, D) secure against chosen-ciphertext attacks.
Construction 1. CCA-secure PKE
Construction of CCA-secure PKE from CPA-secure IBE
Setup $\mathrm{Gen}(1^k)$ runs $\mathrm{Setup}(1^k, l_s(k))$ to obtain (PK, msk). The public key is PK and the secret key is msk.
Encrypt $E_{PK}(m)$ encrypts message m using public key PK.
1. The sender first runs $G(1^k)$ to obtain verification key vk and signing key sk (with $|vk| = l_s(k)$).
2. Compute $C \leftarrow E'_{PK}(vk, m)$ (i.e., the sender encrypts m with respect to "identity" vk).
3. Compute $\sigma \leftarrow \mathrm{Sign}_{sk}(C)$.
4. Output ciphertext CT = ⟨vk, C, σ⟩.
Decrypt $D_{msk}(CT)$ decrypts ciphertext CT.
1. Check whether $\mathrm{Vrfy}_{vk}(C, \sigma) = 1$. If not, output ⊥.
2. Compute $SK_{vk} = \mathrm{Der}_{msk}(vk)$.
3. Output $m \leftarrow D'_{SK_{vk}}(vk, C)$.
Suppose that Alice wants to send a message m securely to Bob, as shown in Figure 17.2. Bob is the one who holds msk, so Bob generates the public key PK and sends it to Alice. Before encrypting a message m for Bob, Alice first runs the key generation of the one-time signature scheme to obtain a signing key sk and a verification key vk. As the name implies, these keys are fresh for every ciphertext Alice produces. The vk serves as the "identity" in the IBE scheme. In the second step, Alice encrypts the message under PK with the encryption algorithm of the IBE scheme for identity vk. After that, the encrypted message C is signed with sk. Finally, the ciphertext is the tuple ⟨vk, C, σ⟩, which is sent to Bob.
On receiving the ciphertext, Bob first verifies the signature and rejects the ciphertext if it is not valid. Otherwise he moves to the next step, where he runs the Der algorithm under msk to derive the decryption key $SK_{vk}$, which is then used, together with vk, to decrypt C.
What is the role of the signature? Without it, the adversary could learn information from decryption queries: it could modify the challenge ciphertext and submit the modified ciphertext to the decryption oracle to recover the bit b. The signature binds C to the identity vk it was encrypted under, and it is the key point that makes the scheme CCA-secure.
Why a one-time signature rather than an ordinary signature scheme? Each encryption generates a fresh key pair (vk, sk) and signs exactly one ciphertext, so a one-time scheme suffices. If a single long-term signing key were reused instead, vk would be the same in every ciphertext, and the proof below could no longer separate decryption queries (which carry some vk ≠ vk*) from the challenge (which carries vk*). The scheme must, however, be strongly unforgeable: the adversary must be unable to produce a new signature even on a message that has already been signed^3, since otherwise it could turn ⟨vk*, C*, σ*⟩ into ⟨vk*, C*, σ'⟩ with σ' ≠ σ* and submit that as a legitimate decryption query. As we will see in the security proof, the only decryption queries the reduction cannot answer are those with vk = vk*, and any such valid query is a forgery against the one-time signature^4.
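The whole of Construction 1, as an added example that is not code from the book or from [32]: the CPA-secure IBE is instantiated with Cocks' quadratic-residuosity scheme (an assumption of this example; any CPA-secure IBE works) and the strong one-time signature with a Lamport scheme over SHA-256. The names `CocksIBE`, `ots_keygen`, `chk_encrypt`, `chk_decrypt` and `demo`, and the toy Mersenne primes `P` and `Q`, are this example's own and exist only so that it runs offline. `demo` performs an honest decryption, then shows that the bare IBE ciphertext is malleable (reversing the order of the per-bit ciphertext pairs reverses the plaintext bits, exactly the kind of modified ciphertext a CCA adversary would send to the decryption oracle) while the same tampered ciphertext is rejected by the CHK wrapper because the signature no longer verifies.

```python
# Added example (not from the book): the CHK transformation instantiated with
# Cocks' quadratic-residuosity IBE (the CPA-secure IBE) and a Lamport one-time
# signature (the strongly unforgeable OTS). Toy primes: runs offline, gives no security.
import hashlib
import os

P, Q = (1 << 31) - 1, (1 << 61) - 1   # Mersenne primes, both 3 (mod 4); toy size only


def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n; 0 when gcd(a, n) > 1."""
    a, result = a % n, 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0


class CocksIBE:
    """Cocks IBE: an identity hashes to a with (a/n) = 1; the PKG, knowing p and q,
    extracts r with r^2 = a or r^2 = -a (mod n). One pair (c1, c2) per plaintext bit."""

    def __init__(self, p, q):
        self.p, self.q, self.n = p, q, p * q          # (p, q) is the master secret

    def map_to_id(self, ident):                       # H: bytes -> a with (a/n) = 1
        ctr = 0
        while True:                                   # hash-and-retry
            a = int.from_bytes(hashlib.sha256(ident + ctr.to_bytes(4, "big")).digest(), "big") % self.n
            if a and jacobi(a, self.n) == 1:
                return a
            ctr += 1

    def extract(self, ident):                         # private key r for an identity
        return pow(self.map_to_id(ident), (self.n + 5 - self.p - self.q) // 8, self.n)

    def encrypt(self, ident, msg):
        a, n, ct = self.map_to_id(ident), self.n, []
        for byte in msg:
            for i in range(7, -1, -1):
                x = -1 if (byte >> i) & 1 else 1      # bit 0 -> +1, bit 1 -> -1
                pair = []
                for sign in (1, -1):                  # c1 = t + a/t, c2 = t' - a/t'
                    t = 0
                    while jacobi(t, n) != x:          # fresh random t with (t/n) = x
                        t = int.from_bytes(os.urandom(16), "big") % n
                    pair.append((t + sign * a * pow(t, -1, n)) % n)
                ct.append(tuple(pair))
        return ct

    def decrypt(self, ident, r, ct):
        a, n = self.map_to_id(ident), self.n
        use_c1 = r * r % n == a                       # r^2 = a: use c1; r^2 = -a: use c2
        bits = [0 if jacobi(((c1 if use_c1 else c2) + 2 * r) % n, n) == 1 else 1
                for c1, c2 in ct]
        return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))


# Lamport OTS on SHA-256 digests. Strongly unforgeable given second-preimage
# resistance: a second valid signature on the same message needs a second preimage.
def ots_keygen():
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    vk = b"".join(hashlib.sha256(s).digest() for pair in sk for s in pair)
    return sk, vk


def ots_sign(sk, msg):
    d = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return b"".join(sk[i][(d >> (255 - i)) & 1] for i in range(256))


def ots_verify(vk, msg, sig):
    if len(vk) != 256 * 64 or len(sig) != 256 * 32:
        return False
    d = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return all(hashlib.sha256(sig[32 * i:32 * i + 32]).digest()
               == vk[64 * i + 32 * ((d >> (255 - i)) & 1):][:32] for i in range(256))


def serialize(ct):                                    # canonical bytes of C (what is signed)
    return b"".join(c.to_bytes(16, "big") for pair in ct for c in pair)


def chk_encrypt(ibe, msg):
    sk, vk = ots_keygen()                             # fresh OTS key pair for every ciphertext
    c = ibe.encrypt(vk, msg)                          # vk plays the role of the IBE identity
    return vk, c, ots_sign(sk, serialize(c))


def chk_decrypt(ibe, vk, c, sig):
    if not ots_verify(vk, serialize(c), sig):         # verify before deriving SK_vk
        return None                                   # reject (the symbol bottom)
    return ibe.decrypt(vk, ibe.extract(vk), c)


def demo(msg=b"ok"):
    """Honest decryption; then a reordered C, which bare Cocks decrypts to the
    bit-reversed plaintext (a CCA attack), is rejected by the CHK wrapper."""
    ibe = CocksIBE(P, Q)
    vk, c, sig = chk_encrypt(ibe, msg)
    tampered = list(reversed(c))
    return (chk_decrypt(ibe, vk, c, sig),
            ibe.decrypt(vk, ibe.extract(vk), tampered),   # bare IBE: malleable
            chk_decrypt(ibe, vk, tampered, sig))          # CHK: rejected
```

Note the order in `chk_decrypt`: the signature is checked before msk is touched, so a malformed ciphertext never causes a key to be derived for its vk. The tampered ciphertext is also a legal decryption query in the sense of the proof (it differs from the challenge), which is exactly why the bare IBE, lacking the signature, cannot be CCA-secure.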
Theorem 1 If $\Pi'$ is an IBE scheme which is secure against selective-identity, chosen-plaintext attacks and Sig is a strongly unforgeable one-time signature scheme, then Π is a PKE scheme which is secure against adaptive chosen-ciphertext attacks.
3 This is called strong unforgeability. Unforgeability requires the adversary to be unable
to forge a signature for “new” message. On the other hand, strong unforgeability requires
the adversary to be unable to forge “new” signature even for an “old” message as well
as unable to forge a signature for an “new” message. Note that if a scheme is not strong
unforgeability-secure, then it may be vulnerable to replay attack.
4 In [32], they construct a CCA-secure public-key encryption from a CPA-secure IBE
using a digital signature. This is very similar to Chapter 6, where they construct a CCA-
secure private-key encryption from a CPA-secure private-key encryption using MAC in the
symmetric key setting.
Proof Given any PPT adversary A attacking Π in an adaptive chosen-ciphertext attack, we construct a PPT adversary $A'$ attacking $\Pi'$ in a selective-identity, chosen-plaintext attack. We denote the challenge ciphertext received by A by ⟨vk*, C*, σ*⟩.
Forge event
1. A submits a ciphertext ⟨vk*, C, σ⟩ with $\mathrm{Vrfy}_{vk^*}(C, \sigma) = 1$ to its decryption oracle before receiving the challenge ciphertext.
2. A submits to its decryption oracle a ciphertext ⟨vk*, C, σ⟩ with $(C, \sigma) \ne (C^*, \sigma^*)$ and $\mathrm{Vrfy}_{vk^*}(C, \sigma) = 1$ after receiving the challenge ciphertext.
We can use A to break the underlying one-time signature scheme Sig with probability $\Pr_A[\mathrm{Forge}]$; since Sig is a strongly unforgeable one-time signature scheme, $\Pr_A[\mathrm{Forge}]$ is negligible.
Reduction
Initialization $A'(1^k, l_s(k))$ runs $G(1^k)$ to generate (vk*, sk*). It then outputs the "target identity" $ID^* = vk^*$.
Setup $\mathrm{Setup}(1^k, l_s(k))$ outputs (PK, msk) and $A'$ is given PK. $A'$, in turn, runs A on input $1^k$ and PK.
Phase I When A makes a decryption oracle query D(vk, C, σ), $A'$ proceeds as follows.
1. If $\mathrm{Vrfy}_{vk}(C, \sigma) \ne 1$, then $A'$ simply returns ⊥.
2. If $\mathrm{Vrfy}_{vk}(C, \sigma) = 1$ and vk = vk* (i.e., event Forge occurs), then $A'$ terminates and outputs a random bit.
3. If $\mathrm{Vrfy}_{vk}(C, \sigma) = 1$ and vk ≠ vk*, then $A'$ makes the oracle query $\mathrm{Der}_{msk}(vk)$ to obtain $SK_{vk}$. It then computes $m \leftarrow D'_{SK_{vk}}(vk, C)$ and returns m.
Challenge A outputs two equal-length messages $m_0, m_1$. These messages are output by $A'$. In return, $A'$ is given a challenge ciphertext $C^*$. $A'$ then computes $\sigma^* \leftarrow \mathrm{Sign}_{sk^*}(C^*)$ and returns ⟨vk*, C*, σ*⟩ to A.
Phase II A may continue to make decryption oracle queries, and these are answered as before (recall that A may not query the decryption oracle on the challenge ciphertext itself).
Guess A outputs a guess $b'$; this same guess is output by $A'$.
We have:
1. $A'$ represents a legal adversarial strategy for attacking $\Pi'$ in a selective-identity, chosen-plaintext attack.
2. $A'$ never requests the secret key corresponding to the "target identity" vk*.
We claim that $A'$ provides a perfect simulation for A (and thus $A'$ succeeds whenever A succeeds) unless event Forge occurs. Therefore
$$\Pr_{A',\Pi'}[\mathrm{Succ}] \ge \Pr_{A,\Pi}[\mathrm{Succ}] - \tfrac{1}{2}\Pr_A[\mathrm{Forge}] \iff \Pr_{A,\Pi}[\mathrm{Succ}] - \Pr_{A',\Pi'}[\mathrm{Succ}] \le \tfrac{1}{2}\Pr_A[\mathrm{Forge}].$$
Note that in the case of Forge, $A'$ outputs a random bit, so the probability that $A'$ guesses the bit b correctly in this case is $\tfrac{1}{2}\Pr_A[\mathrm{Forge}]$.
Since $|\Pr_{A',\Pi'}[\mathrm{Succ}] - 1/2|$ is negligible (that is, $\Pr_{A',\Pi'}[\mathrm{Succ}]$ is negligibly close to 1/2) and $\Pr_A[\mathrm{Forge}]$ is negligible, we have
$$|\Pr_{A,\Pi}[\mathrm{Succ}] - 1/2| \le \mathrm{negl}. \quad (17.1)$$
□
17.1.3 Chosen-Ciphertext Security for BTE Schemes
Given:
1. BTE scheme $\Pi' = (\mathrm{Setup}', \mathrm{Der}', E', D')$ secure against selective-node chosen-plaintext attacks.
2. One-time signature scheme Sig = (G, Sign, Vrfy) in which the verification key output by $G(1^k)$ has length $l_s(k)$.
3. Encode function
$$\mathrm{Encode}(w) = \begin{cases} \varepsilon & \text{if } w = \varepsilon \text{ (the empty string)},\\ 1w_1\,1w_2 \ldots 1w_t & \text{if } w = w_1 \ldots w_t\ (w_i \in \{0, 1\}). \end{cases}$$
We construct a BTE scheme Π = (Setup, Der, E, D) secure against chosen-ciphertext attacks.
Construction 2. CCA-secure BTE
Construction of CCA-secure BTE from CPA-secure BTE
Setup $\mathrm{Setup}(1^k, l)$ runs $\mathrm{Setup}'(1^k, 2l + l_s(k) + 1)$ to obtain (PK, $SK_{\varepsilon}$). The system-wide public key is PK and the root secret key is $SK_{\varepsilon}$.
Derivation $\mathrm{Der}(w, SK_w)$ proceeds as follows.
1. Set $w' = \mathrm{Encode}(w)$.
2. Compute $SK'_{w'1}$ using $\mathrm{Der}'_{SK'_{w'}}(w')$, and then $(SK'_{w'10}, SK'_{w'11}) \leftarrow \mathrm{Der}'_{SK'_{w'1}}(w'1)$.
3. Set $SK_{w0} = SK'_{w'10}$ and $SK_{w1} = SK'_{w'11}$.
Encrypt $E_{PK}(w, m)$ encrypts message m for a node $w \in \{0, 1\}^{\le l}$ using public parameters PK.
1. First run $G(1^k)$ to obtain verification key vk and signing key sk (with $|vk| = l_s(k)$).
2. Set $w' = \mathrm{Encode}(w)$.
3. Compute $C \leftarrow E'_{PK}(w'|0|vk, m)$ (i.e., the sender encrypts m with respect to the node $w'|0|vk$ of the underlying scheme, so that vk again plays the role of an "identity").
4. Compute $\sigma \leftarrow \mathrm{Sign}_{sk}(C)$.
5. Output ciphertext CT = ⟨vk, C, σ⟩.
Decrypt $D_{SK_w}(w, CT)$ decrypts ciphertext CT at node w with secret key $SK_w$.
1. Check whether $\mathrm{Vrfy}_{vk}(C, \sigma) = 1$. If not, output ⊥. Else, do the following steps.
2. Set $w' = \mathrm{Encode}(w)$ and derive the secret key $SK'_{w'|0|vk}$ by repeated application of $\mathrm{Der}'$ starting from $SK_w = SK'_{w'}$.
3. Output $m \leftarrow D'_{SK'_{w'|0|vk}}(w'|0|vk, C)$.
To understand the derivation, refer to Figure 17.3: the secret keys of the grandchildren of node $w'$ in the CPA-secure BTE become the secret keys of the children of node w in the CCA-secure BTE.
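The relabeling behind Construction 2, as an added example that is not from the book or from [32]: `encode` implements the Encode function, `derivation_labels` the path of Figure 17.3, `chk_label` the node $\mathrm{Encode}(w)|0|vk$ under which encryption happens, and `target_is_isolated` exhaustively checks, for small parameters, the structural fact the proof below relies on: the target node $\mathrm{Encode}(w^*)|0|vk^*$ is a prefix of no node whose key the reduction ever derives. The `naive_label` variant (an assumption of this example, not a construction from [32]) labels nodes as $w|0|vk$ without Encode and shows why the interleaved 1 bits are needed.

```python
# Added example (not from the book): node relabeling of the CHK CCA-secure BTE
# and an exhaustive check of the prefix property the reduction depends on.
# Node labels are Python strings over {"0", "1"}; vk is likewise a bit string.
from itertools import product


def encode(w):
    """Encode(w) = 1w_1 1w_2 ... 1w_t; the empty label maps to itself."""
    return "".join("1" + bit for bit in w)


def derivation_labels(w):
    """Underlying nodes touched by Der(w, SK_w): Encode(w)1, then the grandchildren
    Encode(w)10 and Encode(w)11, whose keys become SK_{w0} and SK_{w1}."""
    e = encode(w)
    return {"via": e + "1", w + "0": e + "10", w + "1": e + "11"}


def chk_label(w, vk):
    """Underlying node under which E_PK(w, m) encrypts: Encode(w) | 0 | vk."""
    return encode(w) + "0" + vk


def naive_label(w, vk):
    """Labeling without Encode, w | 0 | vk; shown below to break isolation."""
    return w + "0" + vk


def underlying_depth(l, ls):
    """Depth the CPA-secure BTE must support: 2l for Encode(w), 1 separator, ls for vk."""
    return 2 * l + ls + 1


def all_labels(max_len):
    return ["".join(t) for n in range(max_len + 1) for t in product("01", repeat=n)]


def target_is_isolated(w_star, vk_star, l, ls, label=chk_label):
    """True iff label(w*, vk*) is a prefix of no node whose key the reduction derives:
    Encode(x) for every label x (key-derivation queries) and label(w, vk) for every
    decryption query (w, vk) != (w*, vk*)."""
    target = label(w_star, vk_star)
    vks = ["".join(t) for t in product("01", repeat=ls)]
    for w in all_labels(l):
        if encode(w).startswith(target):
            return False
        for vk in vks:
            if (w, vk) != (w_star, vk_star) and label(w, vk).startswith(target):
                return False
    return True


def check_all(l, ls, label=chk_label):
    """Exhaustively check isolation for every possible target (w*, vk*)."""
    vks = ["".join(t) for t in product("01", repeat=ls)]
    return all(target_is_isolated(w, vk, l, ls, label) for w in all_labels(l) for vk in vks)
```

The reason the check passes for `chk_label` is visible in the strings: every label produced by Encode has a 1 at each even position, while $\mathrm{Encode}(w)|0|vk$ has a 0 at position $2|w|$, so the target can only be a prefix of another $\mathrm{Encode}(w)|0|vk$ label when both w and vk agree, which is the excluded challenge itself.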
Theorem 2 If $\Pi'$ is a BTE scheme which is secure in the sense of selective-node, chosen-plaintext attack and Sig is a strongly unforgeable one-time signature scheme, then Π is a BTE scheme which is secure in the sense of selective-node, chosen-ciphertext attack.
FIGURE 17.3
Grandchildren’s secret keys of w0 will be children’s secret keys of w.
Proof Given any PPT adversary A attacking Π in a selective-node, chosen-ciphertext attack, we construct a PPT adversary $A'$ attacking $\Pi'$ in a selective-node, chosen-plaintext attack.
We denote the node initially output by A by $w^*$ and the challenge ciphertext received by A by ⟨vk*, C*, σ*⟩.
Forge event
1. A submits a ciphertext $(w^*, \langle vk^*, C, \sigma\rangle)$ with $\mathrm{Vrfy}_{vk^*}(C, \sigma) = 1$ to its decryption oracle before receiving the challenge ciphertext.
2. A submits to its decryption oracle a ciphertext $(w^*, \langle vk^*, C, \sigma\rangle)$ with $(C, \sigma) \ne (C^*, \sigma^*)$ and $\mathrm{Vrfy}_{vk^*}(C, \sigma) = 1$ after receiving the challenge ciphertext.
We can use A to break the underlying one-time signature scheme Sig with probability $\Pr_A[\mathrm{Forge}]$; since Sig is a strongly unforgeable one-time signature scheme, $\Pr_A[\mathrm{Forge}]$ is negligible.
Reduction
Initialization $A'(1^k, l')$ sets $l = (l' - l_s(k) - 1)/2$ and runs $A(1^k, l)$, which in turn outputs a node $w^* \in \{0, 1\}^{\le l}$. $A'$ sets $w' = \mathrm{Encode}(w^*)$, runs $G(1^k)$ to generate (vk*, sk*), and outputs the target node $w^{*\prime} = w'|0|vk^*$.
Setup $\mathrm{Setup}'(1^k, l')$ outputs (PK, $SK_{\varepsilon}$) and $A'$ is given PK. $A'$, in turn, runs A on input $1^k$ and PK.
Phase I $A'$ is given secret keys $SK'_w$ for all nodes w of the following form.
1. $w = v\bar{b}$, where vb is a prefix of $w^{*\prime}$ and b ∈ {0, 1}.
2. $w = w^{*\prime}0$ or $w = w^{*\prime}1$ (in case $|w^{*\prime}| < l'$).
Using these, $A'$ can compute and give to A all the secret keys that A expects. When A makes a decryption oracle query D(w, ⟨vk, C, σ⟩), $A'$ proceeds as follows.
1. If $\mathrm{Vrfy}_{vk}(C, \sigma) \ne 1$, then $A'$ simply returns ⊥.
2. If $\mathrm{Vrfy}_{vk}(C, \sigma) = 1$ and vk = vk* (i.e., event Forge occurs), then $A'$ terminates and outputs a random bit.
3. If $\mathrm{Vrfy}_{vk}(C, \sigma) = 1$ and vk ≠ vk*, then $A'$ sets $\tilde{w} = \mathrm{Encode}(w)$ and derives $SK'_{\tilde{w}|0|vk}$ from the secret keys it holds; this is possible because, with vk ≠ vk*, the target node $w^{*\prime}$ is not a prefix of $\tilde{w}|0|vk$. It then computes $m \leftarrow D'_{SK'_{\tilde{w}|0|vk}}(\tilde{w}|0|vk, C)$ and returns m.
Challenge A outputs two equal-length messages $m_0, m_1$. These messages are output by $A'$. In return, $A'$ is given a challenge ciphertext $C^*$. $A'$ then computes $\sigma^* \leftarrow \mathrm{Sign}_{sk^*}(C^*)$ and returns ⟨vk*, C*, σ*⟩ to A.
Phase II A may continue to make decryption oracle queries, and these are answered as before (recall that A may not query the decryption oracle on the challenge ciphertext itself).
Guess A outputs a guess $b'$; this same guess is output by $A'$.
We have:
1. $A'$ represents a legal adversarial strategy for attacking $\Pi'$ in a selective-node, chosen-plaintext attack.
2. $A'$ never requests the secret key corresponding to the target node $w^{*\prime} = w'|0|vk^*$.
We claim that $A'$ provides a perfect simulation for A (and thus $A'$ succeeds whenever A succeeds) unless event Forge occurs. Therefore
$$\Pr_{A',\Pi'}[\mathrm{Succ}] \ge \Pr_{A,\Pi}[\mathrm{Succ}] - \tfrac{1}{2}\Pr_A[\mathrm{Forge}] \iff \Pr_{A,\Pi}[\mathrm{Succ}] - \Pr_{A',\Pi'}[\mathrm{Succ}] \le \tfrac{1}{2}\Pr_A[\mathrm{Forge}].$$
Note that in the case of Forge, $A'$ outputs a random bit, so the probability that $A'$ guesses the bit b correctly in this case is $\tfrac{1}{2}\Pr_A[\mathrm{Forge}]$.
Since $|\Pr_{A',\Pi'}[\mathrm{Succ}] - 1/2|$ is negligible (that is, $\Pr_{A',\Pi'}[\mathrm{Succ}]$ is negligibly close to 1/2) and $\Pr_A[\mathrm{Forge}]$ is negligible, we have
$$|\Pr_{A,\Pi}[\mathrm{Succ}] - 1/2| \le \mathrm{negl}. \quad (17.2)$$
□
From the theorem above, we have:
Theorem 3 If there exists a BTE scheme secure in the sense of selective
node, chosen-plaintext attack, then there exists a BTE scheme secure in the
sense of selective node, chosen-ciphertext attack.
Proof is omitted.
18
Broadcast Encryption
CONTENTS
18.1 Introduction 322
18.2 Subset-Cover Revocation Framework [78] 323
18.2.1 Problem Definition 323
18.2.2 The Framework 323
18.2.3 Two Subset-Cover Algorithms 325
18.2.3.1 Complete Subtree (CS) Method 326
18.2.3.2 Subset Difference (SD) Method 330
18.3 Identity-Based Broadcast Encryption 337
18.3.1 Preliminaries 337
18.3.1.1 Definition 337
18.3.1.2 Security Model 338
18.3.1.3 Hardness Assumptions 339
18.3.2 Delerablée's Scheme [37] 341
18.3.3 Security Analysis of Delerablée's Scheme 342
Exercises 347
This chapter presents broadcast encryption (BE). BE is a type of encryption in which the encrypted content is delivered over a broadcast channel in such a way that only the authorized users can decrypt it. It can be viewed as a revocation scheme in which the revoked users do not have enough information to recover the key. The subset-cover algorithms for building an efficient revocation scheme are discussed in detail. The next part of the chapter presents identity-based broadcast encryption, where a broadcasting sender typically encrypts a message by combining the public identities of the receivers with the system parameters. Dynamic BE, in which the total number of users is not fixed, is then discussed, followed by the preliminaries and the security model of identity-based BE. One important identity-based BE scheme is Delerablée's scheme; its formal construction and its security analysis by a reduction algorithm are discussed in detail at the end of the chapter.
18.1 Introduction
In any large scale public key infrastructure (PKI), there will be users whose
private keys will be compromised. In order to mitigate the damage that a
compromised key can cause, any certificates associated with a compromised
key should be revoked. The purpose of revocation is to inform relevant parties
that certain certificates should no longer be accepted as valid even though
they have not yet expired.
Broadcast Encryption In Broadcast Encryption (BE), we consider a sce-
nario where there is a center and a set of users. The center provides the users
with prearranged keys when they join. BE deals with methods to efficiently
broadcast information to a dynamically changing group of users who are al-
lowed to receive the data. It is often convenient to think of it as a revocation
scheme, which enables some subset of the users (non-members) to be excluded
from receiving the information. Naturally, the non-members are curious about
the contents of the message that is being broadcasted, and may try to learn it.
One special case in BE is when the receivers are stateless. In such a sce-
nario, a (legitimate) receiver is not capable of recording the past history of
transmissions and change its state accordingly. Instead, its operation must
be based on the current transmission and its initial configuration. Stateless
receivers are important for the case where the receiver is a device that is not
constantly on-line, such as a media player (e.g., a CD or DVD player where
the “transmission” is the current disc), a satellite receiver (GPS), and so on.
Therefore, one of the goals in BE is to find efficient revocation schemes
which are suitable for stateless receivers.
Issues with broadcast encryption
1. Tracing mechanism It is a mechanism which enables the efficient
tracing of leakage, specially, the source of keys used by illegal devices
such as pirate decoders or clones.
2. Preventing leakage of keys The idea is to provide a user with
personal keys that contain some sensitive information about the
user which the user will be reluctant to disclose.
3. Content tracing In addition to tracing leakers who give away their
private keys, there are methods that attempt to detect illegal users
who redistribute the content after it is decoded.
4. Integration of tracing and revocation Broadcast encryption can be combined with tracing schemes to yield trace-and-revoke schemes. The "trace-and-revoke" approach is to design a method that can trace the identity of the user whose key was leaked; in turn, this user's key is revoked from the system for future use.
Classification of broadcast encryption Broadcast encryption started from secret-key broadcast encryption [78]. Later, public-key broadcast encryption [25] was constructed following the hierarchical identity-based encryption scheme of [21]. Identity-based broadcast encryption was proposed in [37] and [50].
18.2 Subset-Cover Revocation Framework [78]
In order to find an efficient revocation scheme, the framework of such algo-
rithms is defined, called the Subset-Cover algorithms which are based on the
principle of covering all non-revoked users by disjoint subsets from a predefined
collection, together with a method for assigning (long-lived) keys to subsets
in the collection.
18.2.1 Problem Definition
Let $\mathcal{N}$ be the set of all users with $|\mathcal{N}| = N$, and let $\mathcal{R} \subset \mathcal{N}$ be a group of $|\mathcal{R}| = r$ users whose decryption privileges should be revoked. The goal of a revocation algorithm is to allow a center to transmit a message $M$ to all users such that any user $u \in \mathcal{N} \setminus \mathcal{R}$ can decrypt the message correctly, while even a coalition consisting of all members of $\mathcal{R}$ cannot decrypt it.
The system consists of three parts.
1. An initiation scheme assigns the receivers secret information that will allow them to decrypt.
2. A broadcast algorithm, given a message $M$ and the set $\mathcal{R}$ of users that should be revoked, outputs a ciphertext message $M'$ that is broadcast to all receivers.
3. A decryption algorithm allows a (non-revoked) user that receives the ciphertext $M'$ to retrieve the original message $M$ using his or her secret information.
18.2.2 The Framework
In the framework for the Subset-Cover algorithm, let $S_1, \dots, S_w$ be a collection of subsets with $S_j \subseteq \mathcal{N}$. Each subset $S_j$ is assigned a long-lived key $L_j$; each member $u$ of $S_j$ should be able to deduce $L_j$ from its secret information. Given a revoked set $\mathcal{R}$, the remaining users $\mathcal{N} \setminus \mathcal{R}$ are partitioned into disjoint subsets $S_{i_1}, \dots, S_{i_m}$ so that
$$\mathcal{N} \setminus \mathcal{R} = \bigcup_{j=1}^{m} S_{i_j} \tag{18.1}$$
and a session key $K$ is encrypted $m$ times, once under each of $L_{i_1}, \dots, L_{i_m}$.
Specifically, an algorithm in the framework uses two encryption schemes.
1. A method $F_K : \{0,1\}^* \to \{0,1\}^*$ to encrypt the message itself. The key $K$ is chosen fresh for each message $M$ as a random bit string. $F_K$ should be fast and should not expand the plaintext. The simplest implementation is to XOR the message $M$ with the keystream of a stream cipher seeded with $K$.
2. A method $E_L$ to deliver the session key to the receivers, for which we employ an encryption scheme whose key $L$ is long-lived. The simplest implementation is to make $E_L : \{0,1\}^\ell \to \{0,1\}^\ell$ a block cipher.
The system consists of three components as mentioned above.
1. Scheme initiation
Every receiver u is assigned private information Iu . For all 1 ≤ i ≤ w
such that u ∈ Si , Iu allows u to deduce the key Li corresponding
to the set Si . Note that the keys Li can be chosen either
(a) uniformly at random and independently from each other (which
we call the information-theoretic case) or
(b) as a function of other (secret) information (which we call the
computational case), and thus may not be independent of each
other.
2. Broadcast algorithm at the center:
(a) Choose a session encryption key K.
(b) Given a set R of revoked receivers, the center finds a partition
of the users in N \ R into disjoint subsets Si1 , . . . , Sim . Let
Li1 , . . . , Lim be the keys associated with the above subsets.
(c) The center encrypts $K$ with the keys $L_{i_1}, \dots, L_{i_m}$ and sends the ciphertext
$$\big\langle [\,i_1, i_2, \dots, i_m,\ E_{L_{i_1}}(K), E_{L_{i_2}}(K), \dots, E_{L_{i_m}}(K)\,],\ F_K(M) \big\rangle.$$
The portion in square brackets preceding $F_K(M)$ is called the header and $F_K(M)$ is called the body.
3. Decryption algorithm at the receiver $u$, upon receiving a broadcast message
$$\big\langle [\,i_1, i_2, \dots, i_m,\ C_{i_1}, C_{i_2}, \dots, C_{i_m}\,],\ M' \big\rangle$$
(here $i_1, i_2, \dots, i_m$ are subset indices; see Figure 18.5 for an example):
(a) Find $i_j$ such that $u \in S_{i_j}$ (if $u \in \mathcal{R}$, no such subset exists and the result is null).
(b) Extract the corresponding key $L_{i_j}$ from $I_u$.
(c) Compute $D_{L_{i_j}}(C_{i_j})$ to obtain $K$.
(d) Compute $D_K(M')$ to obtain and output $M$.
Note that this framework is symmetric-key: the encryption at the center and the decryption at the receiver $u$ use the same key(s).
A particular implementation of such a scheme is specified by
1. the collection of subsets $S_1, \dots, S_w$,
2. the key assignment to each subset in the collection,
3. a method to cover the non-revoked receivers $\mathcal{N} \setminus \mathcal{R}$ by disjoint subsets from this collection,
4. a method that allows each user $u$ to find the subset $S_{i_j}$ of the cover that contains it and to compute its key $L_{i_j}$ from $I_u$.
Such a scheme is evaluated based upon three parameters.
1. Message length: the length of the header that is attached to $F_K(M)$, which is proportional to $m$, the number of sets in the partition covering $\mathcal{N} \setminus \mathcal{R}$.
2. Storage size at the receiver: how much private information (typically, keys) a receiver needs to store. For instance, $I_u$ can simply consist of all the keys $L_i$ such that $u \in S_i$, or, if the key assignment is more sophisticated, it should allow the computation of all such keys.
3. Message processing time at the receiver. We often distinguish between decryption and other types of operations.
It is important to characterize the dependence of the above three parameters on both $N$ and $r$. Specifically, we say that a revocation scheme is flexible with respect to $r$ if the storage at the receiver is not a function of $r$. Note that the efficiency of setting up the scheme and of computing the partition (given $\mathcal{R}$) is not taken into account in the scheme's analysis.
18.2.3 Two Subset-Cover Algorithms
Two different methods in the Subset-Cover algorithm are defined with differ-
ent performance trade-off as in Table 18.1.
Each method is defined over a different collection of subsets. Both methods are r-flexible, namely they work with any number of revocations. In the first method, the key assignment is information-theoretic, whereas in the other method the key assignment is computational. While the first method is relatively simple, the second method is more complex.

TABLE 18.1
Performance trade-off for the Complete Subtree (CS) method and the Subset Difference (SD) method (N is the number of all users and r is the number of revocations).

Method             | Message Length | Storage at Receiver              | Processing Time
Complete Subtree   | r log(N/r)     | log N                            | O(log log N)
Subset Difference  | 2r − 1         | (1/2) log² N + (1/2) log N + 1   | O(log N)

Note: In the CS method, the message length is r log(N/r) on average and grows too rapidly in r. Each receiver needs to store log N keys, a number that grows with N, so when N is big a receiver's storage cost increases. In the SD method, the message length also grows in r, but it is substantially improved compared to CS: 2r − 1 in the worst case and 1.38r on average. This improvement is (provably) due to the fact that the key assignment is computational and not information-theoretic. A receiver's storage cost, however, is greater than that in CS.
In both schemes, the subsets and the partitions are obtained by imagining the receivers as the leaves of a rooted full binary tree with N leaves (assume that N is a power of 2). Such a tree contains 2N − 1 nodes (leaves plus internal nodes); for any 1 ≤ i ≤ 2N − 1, let v_i denote a node in the tree. Let ST(R) denote the Steiner tree induced by the set R of vertices and the root, i.e., the minimal subtree of the full binary tree that connects the root and all the leaves in R (ST(R) is unique), as shown in Figure 18.1.
FIGURE 18.1
Steiner tree.
18.2.3.1 Complete Subtree (CS) Method
The collection of subsets S1 , . . . , Sw corresponds to all complete subtrees in
the full binary tree with N leaves. For any node vi in the full binary tree
(either an internal node or a leaf, 2N − 1 altogether) let the subset Si be the
collection of receivers u that correspond to the leaves of the subtree rooted at
node vi as in Figure 18.2. In other words, u ∈ Si iff vi is an ancestor of u.
FIGURE 18.2
Subset Si at node vi in CS.
Key assignment
The key assignment method in CS is simple; it is shown in Figure 18.3.
1. Assign an independent and random key L_i to every node v_i in the complete tree.
2. Provide every receiver u with the log N + 1 keys associated with the nodes along the path from the root to leaf u. (Here we assume that N is a power of 2. If N = 2^k, the binary tree has k levels below the root, so the path from the root to a leaf contains k + 1 nodes and receiver u is given k + 1 = log N + 1 keys.)
FIGURE 18.3
Key assignment in CS.
Subset-Cover of non-revoked devices
For a given set R of revoked receivers, let u_1, ..., u_r be the leaves corresponding to the elements in R. The method to partition N \ R into disjoint subsets is as follows:
Let S_{i_1}, ..., S_{i_m} be all the subtrees whose roots v_{i_1}, ..., v_{i_m} are adjacent to nodes of outdegree 1 in ST(R) but are not themselves in ST(R). It follows immediately that this collection covers all nodes in N \ R and only them.
In Figure 18.4, the nodes with the grid pattern are the nodes of outdegree 1 in ST(R). Their children that are not in ST(R) are the nodes with the line pattern, and the 5 subtrees rooted at these line-pattern nodes cover all non-revoked users.
FIGURE 18.4
Subset cover of non-revoked devices in CS.
Cover size
The Steiner tree ST(R) has r leaves. An internal node is in ST(R) iff it is on some path from the root to a leaf in R; therefore there are at most r log N nodes in ST(R). However, paths to different revoked leaves share the nodes close to the root, and a node of outdegree 2 in ST(R) does not produce a subset. Therefore, the number of subsets is at most r log(N/r).
Decryption step
Given a ciphertext
$$\big\langle [\,i_1, i_2, \dots, i_m,\ E_{L_{i_1}}(K), E_{L_{i_2}}(K), \dots, E_{L_{i_m}}(K)\,],\ F_K(M) \big\rangle,$$
a receiver u needs to find whether any of its ancestors is among i_1, i_2, ..., i_m. Note that there can be only one such ancestor, since the subsets in the cover are disjoint, so u belongs to at most one subset. The receiver then decrypts the corresponding header entry to obtain the key K and finally obtains the plaintext M.
Example
FIGURE 18.5
Example in CS.
By using the CS method as in Figure 18.4, the subsets of non-revoked users can be covered as in Figure 18.5. In this example, there are 5 subsets (S_31, S_42, S_43, S_54, S_55).
Every user receives private information from the center when it joins; what distinguishes a revoked user is that no subset in the cover contains it. Here u_1 is a non-revoked user while u_2 is a revoked user. User u_1 holds the private information
I_{u_1} = {I_1, I_2, I_3, I_4, I_5, I_6},
where I_1, ..., I_6 are the parts of the private information sent from the center to receiver u_1. This private information allows user u_1 to deduce the key L_55.
Upon receiving the ciphertext
⟨[31, 42, 43, 54, 55, C_31, C_42, C_43, C_54, C_55], M'⟩,
u_1 uses the key L_55 to decrypt the corresponding part, D_{L_55}(C_55) = D_{L_55}(E_{L_55}(K)) = K, and obtains the session key K. Finally, it uses K to compute D_K(M') and obtain the original message M.
The receiver u_2 also receives the ciphertext ⟨[31, 42, 43, 54, 55, C_31, C_42, C_43, C_54, C_55], M'⟩. However, since it is in the revocation list, none of the keys in its private information belongs to a subset in the cover. Thus, it cannot extract a long-lived key for any header entry, obtain K, or decrypt the ciphertext.
Summary
For the Complete Subtree method, the results from [78] are as follows.
1. The message header consists of at most r log(N/r) indices and encryptions of the session key.
2. Receivers have to store log N keys.
3. Processing a message requires O(log log N) operations plus a single decryption operation.
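The CS method end to end, as an added example (this is not code from [78] or from this book): a Python implementation over a heap-numbered full binary tree that assigns the per-node keys, derives the cover from ST(R), builds the header and body, and lets every receiver try to decrypt. The HMAC-SHA256 keystream standing in for E_L and F_K, the node numbering, and the sample parameters N = 16 and R = {3, 7, 12} are assumptions of the example, not part of the text.

```python
# Complete Subtree (CS) method over a full binary tree with N = 2^k leaves.
# Nodes are numbered in heap order: root = 1, children of v are 2v and 2v+1,
# and receiver u (0 <= u < N) sits at leaf N + u.  Added example; the
# HMAC-based stand-ins for E_L and F_K are assumptions, not the primitives of [78].
import hashlib
import hmac
import os


def ancestors(node):  # nodes on the path from `node` up to the root, inclusive
    path = []
    while node >= 1:
        path.append(node)
        node //= 2
    return path


def keystream(key, label, n):  # stand-in PRF keystream: HMAC-SHA256 in counter mode
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, label + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def cs_setup(N):
    """Information-theoretic assignment: an independent key L_i per node v_i.
    Receiver u gets I_u = the log N + 1 keys on the path from the root to leaf u."""
    keys = {v: os.urandom(16) for v in range(1, 2 * N)}
    info = {u: {v: keys[v] for v in ancestors(N + u)} for u in range(N)}
    return keys, info


def cs_cover(N, revoked):
    """Cover of N \\ R: roots of the subtrees hanging off outdegree-1 nodes of ST(R)."""
    steiner = set()
    for u in revoked:
        steiner.update(ancestors(N + u))
    if not steiner:  # r = 0: the root subtree covers everyone
        return [1]
    cover = []
    for v in steiner:
        if v >= N:  # leaves of ST(R) have no children
            continue
        for child in (2 * v, 2 * v + 1):
            if child not in steiner:  # then v has outdegree 1 in ST(R)
                cover.append(child)
    return sorted(cover)  # all users revoked -> empty cover


def cs_broadcast(N, keys, revoked, message):
    """Center: fresh K, header [i_1..i_m, E_{L_i}(K)...], body F_K(M).
    The nonce keeps a long-lived L_i from ever reusing a keystream across broadcasts."""
    K, nonce = os.urandom(16), os.urandom(16)
    header = [(i, xor(K, keystream(keys[i], b"hdr" + nonce, 16)))
              for i in cs_cover(N, revoked)]
    body = xor(message, keystream(K, b"body", len(message)))
    return nonce, header, body


def cs_decrypt(info_u, ciphertext):
    """Receiver u: u is in S_i iff v_i is an ancestor of its leaf, i.e. iff L_i is in I_u."""
    nonce, header, body = ciphertext
    for i, c in header:
        if i in info_u:
            K = xor(c, keystream(info_u[i], b"hdr" + nonce, 16))
            return xor(body, keystream(K, b"body", len(body)))
    return None  # revoked: no subset of the cover contains u


def leaves_below(N, v):  # the set S_v: receivers whose leaf lies under node v
    return {u for u in range(N) if v in ancestors(N + u)}


def cs_demo(N=16, revoked=(3, 7, 12)):
    """Constructed run: returns the cover size and what every receiver recovers."""
    keys, info = cs_setup(N)
    message = b"subset-cover broadcast"  # constructed sample message
    ct = cs_broadcast(N, keys, set(revoked), message)
    recovered = {u: cs_decrypt(info[u], ct) for u in range(N)}
    return len(ct[1]), recovered
```

For N = 16 and R = {3, 7, 12} the cover has 7 subsets, within the r log(N/r) ≈ 7.2 bound, and the three revoked receivers get None because no key on their root path appears in the header. Two caveats a deployment should keep in mind: the header carries the subset indices in the clear, so every listener learns the revocation pattern; and because this example's E_L is a keystream XOR rather than the block cipher of the text, the per-broadcast nonce is essential, whereas a block-cipher E_L applied to a fresh random K needs no nonce.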
18.2.3.2 Subset Difference (SD) Method
The main disadvantage of the Complete Subtree method is that N \ R may be partitioned into too many subsets. The goal is now to reduce the partition size. In the Subset Difference method below, the number of subsets is reduced to 2r − 1, which removes the log N factor and effectively reduces the message length. The price is that the number of keys stored by each receiver increases by a factor of about (1/2) log N.
Subset description
As in the previous method, the receivers are viewed as leaves in a complete
binary tree. The collection of subsets S1 , . . . , Sw corresponds to subsets of the
form “a group of receivers G1 minus another group G2 ” where G2 ⊂ G1 . The
two groups G1 and G2 correspond to leaves in two full binary subtrees. There-
fore a valid subset S is represented by two nodes in the tree (vi , vj ) such that
vi is an ancestor of vj . We denote such subset as Si,j . A leaf u is in Si,j iff
it is in the subtree rooted at vi but not in the subtree rooted at vj . In other
words u ∈ Si,j iff vi is an ancestor of u but vj is not as shown in Figure 18.6.
FIGURE 18.6
Subsets S_{i,j} in SD.
Finding the cover
For a given set R of revoked receivers, let u1 , . . . , ur be the leaves cor-
responding to the elements in R. A cover is a collection of disjoint subsets
Si1 ,j1 , . . . , Sim ,jm which partitions N \ R. Below is an algorithm for finding
the cover, and an analysis of its size (number of subsets).
The method partitions N \ R into disjoint subsets Si1 ,j1 , . . . , Sim ,jm as
follows.
Let ST (R) be the (directed) Steiner Tree induced by R and the root. We build
the subsets collection iteratively, maintaining a tree T which is a subtree of
ST (R) with the property that any u ∈ N \ R that is below a leaf of T has
been covered. We start by making T be equal to ST (R) and then iteratively
remove nodes from T (while adding subsets to the collection) until T consists
of just a single node.
1. Find two leaves v_a and v_b in T such that the least common ancestor v of v_a and v_b does not contain any other leaf of T in its subtree. Let v_l and v_k be the two children of v such that v_a is a descendant of v_l and v_b is a descendant of v_k. (If there is only one leaf left, set v_a = v_b to be that leaf, v to be the root of T, and v_l = v_k = v.)
Example: We start by making T equal to ST(R) as in Figure 18.7. For Case 1 (two leaves remain in T) and Case 2 (only one leaf is left), we determine v_a, v_b, v, v_k, v_l.
FIGURE 18.7
Step 1 in finding subset in SD.
2. If v_l ≠ v_a, then add the subset S_{l,a} to the collection; likewise, if v_k ≠ v_b, add the subset S_{k,b} to the collection.
Example: After Step 1, in Case 1 the two leaves v_a and v_b are themselves the children of v, that is, v_l = v_a and v_k = v_b, so no subset is added and Step 2 (Figure 18.8) is skipped for Case 1. In Case 2, v_l = v_k = v while v_a = v_b is the remaining leaf, so v_l ≠ v_a and we add S_{l,a} (which is the same subset as S_{k,b}) to the collection.
3. Remove from T all the descendants of v and make it a leaf.
Example: After Step 2, by removing from T all the descendants of v and making v a leaf, we obtain a new tree T as in Figure 18.9.
We continue to perform Step 1 to Step 3 on the new tree T as above. Finally we obtain the cover shown in Figure 18.10.
From the lemmas proved in [78], the number of disjoint subsets in the cover is at most 2r − 1.
FIGURE 18.8
Step 2 in finding subset in SD.
FIGURE 18.9
Step 3 in finding subset in SD.
Key assignment
The information-theoretic approach of the previous method is impractical here: if every pair (v_i, v_j) is assigned an independent key L_{i,j}, then each receiver must store O(N) keys. Therefore, we need a key assignment method that requires a receiver to store only O(log N) keys per subtree, for a total of O(log² N) keys. (A receiver u lies in log N subtrees T_i, one rooted at each of its proper ancestors, and needs about log N keys for each of them; hence the total of log² N.)
FIGURE 18.10
Subset Cover of non-revoked devices in SD.
The idea of key assignment in SD is to employ the method of Goldreich, Goldwasser and Micali [53] as follows.
Let G be a (cryptographic) pseudo-random sequence generator that triples its input, i.e., the output length is three times the length of the input. (We say that G : {0,1}^n → {0,1}^{3n} is a pseudo-random sequence generator if no polynomial-time adversary can distinguish the output of G on a randomly chosen seed from a truly random string of the same length.) Let G_L(S) denote the left third of the output of G on seed S, G_M(S) the middle third and G_R(S) the right third.
Consider now the subtree T_i (rooted at v_i) as shown in Figure 18.11. We use the following top-down labeling process.
1. The root v_i is assigned a random label LABEL_i = S.
2. The two children of a node with label S are labeled G_L(S) and G_R(S), respectively.
3. Let LABEL_{i,j} be the label of node v_j derived in the subtree T_i from LABEL_i.
4. The key L_{i,j} assigned to the set S_{i,j} is G_M(LABEL_{i,j}).
Note that each label induces three parts: G_L, the label for the left child; G_R, the label for the right child; and G_M, the key at the node. For such a labeling process, given the label of a node it is possible to compute the labels (and keys) of all its descendants. On the other hand, without receiving the label of an ancestor of a node, its label is pseudo-random, and for a node v_j, given the labels of all its descendants (but not of v_j itself), the key L_{i,j} is still pseudo-random. (LABEL_{i,j}, the label of v_j, is not pseudo-random given this information, simply because one can check it for consistency against the descendants' labels.) It is important to note that, given LABEL_i, computing L_{i,j} requires at most log N invocations of G.
FIGURE 18.11
Key assignment in SD.
Providing keys to receivers
We now describe the information I_u that each receiver u gets in order to derive the keys of the assignment described above.
For each subtree T_i such that u is a leaf of T_i, the receiver u should be able to compute L_{i,j} iff v_j is not an ancestor of u (a non-revoked receiver u then uses its private information to deduce the L_{i,j} of the subset that covers it). Consider the path from v_i to u and let v_{i_1}, v_{i_2}, ..., v_{i_k} be the nodes which are adjacent to the path but are not ancestors of u, as in Figure 18.12. Each v_j in T_i that is not an ancestor of u is a descendant of (or equal to) one of these nodes. Therefore, if u receives the labels of v_{i_1}, v_{i_2}, ..., v_{i_k} as part of I_u, then invoking G at most log N times suffices to compute L_{i,j} for any v_j that is not an ancestor of u.
As for the total number of keys (in fact, labels) stored by receiver u, each tree T_i of depth k that contains u contributes k − 1 labels (plus one key for the case where there are no revocations), so the total is
$$1 + \sum_{k=1}^{\log N + 1} (k - 1) = 1 + \frac{(\log N + 1)\log N}{2} = \frac{1}{2}\log^2 N + \frac{1}{2}\log N + 1. \tag{18.2}$$
FIGURE 18.12
Providing keys to receiver u in SD.
Decryption step
Upon receiving the ciphertext, a receiver u first finds the subset S_{i,j} in the header such that u ∈ S_{i,j}, computes the corresponding key L_{i,j} from its labels, then uses this key to obtain the session key and decrypts the body to obtain the original message.
Summary
For the Subset Difference method, the results from [78] are as follows.
1. The message header consists of at most 2r − 1 indices and encryptions of the session key.
2. Receivers have to store (1/2) log² N + (1/2) log N + 1 keys.
3. Processing a message requires O(log N) operations plus a single decryption operation.
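The SD cover-finding procedure (Steps 1 to 3 above) together with the GGM-style label assignment and the receiver-side key derivation, as an added example that is not code from [78], [53] or this book. It reuses the heap-numbered tree of the CS example and stops at key agreement: the center's L_{i,j} is compared with what a receiver derives from its hanging labels, so that the header and body encryption (identical to the CS case) need not be repeated. The SHA-256 generator standing in for the tripling PRG, the node numbering and the sample parameters N = 16 and R = {3, 7, 12} are assumptions of the example.

```python
# Subset Difference (SD) method: cover finding (Steps 1-3) and GGM-style key
# assignment on a heap-numbered full binary tree (root = 1, children of v are 2v
# and 2v+1, receiver u sits at leaf N + u). Added example, not code from [78] or
# [53]; G below stands in for the tripling PRG (assumption), with the thirds
# G_L, G_M, G_R selected by a domain-separation byte.
import hashlib
import os

def ancestors(node):  # path from node up to the root, inclusive
    path = []
    while node >= 1:
        path.append(node)
        node //= 2
    return path

def sd_cover(N, revoked):
    """Shrink T = ST(R) iteratively; returns the (i, j) pairs of the subsets S_{i,j}."""
    if not revoked:
        raise ValueError("r = 0 uses the extra 'no revocation' key of [78]")
    T = set()
    for u in revoked:
        T.update(ancestors(N + u))
    cover = []
    while True:
        leaves = [v for v in T if 2 * v not in T and 2 * v + 1 not in T]
        if leaves == [1]:
            break  # T is just the root: done
        if len(leaves) == 1:  # Step 1, single-leaf case: v = root, v_l = v_k = v
            va = vb = leaves[0]
            v = vl = vk = 1
        else:  # Step 1: a lowest node v with exactly two leaves of T below it
            below = {}
            for leaf in leaves:
                for a in ancestors(leaf):
                    below[a] = below.get(a, 0) + 1
            v = next(x for x in T if 2 * x in T and 2 * x + 1 in T and below.get(x, 0) == 2)
            vl, vk = 2 * v, 2 * v + 1
            va = next(l for l in leaves if vl in ancestors(l))
            vb = next(l for l in leaves if vk in ancestors(l))
        if vl != va:  # Step 2
            cover.append((vl, va))
        if vk != vb and (vk, vb) != (vl, va):  # single-leaf case: S_{l,a} = S_{k,b}
            cover.append((vk, vb))
        T = {x for x in T if x == v or v not in ancestors(x)}  # Step 3: v becomes a leaf
    return cover

def sd_members(N, i, j):  # S_{i,j}: receivers below v_i but not below v_j
    return {u for u in range(N) if i in ancestors(N + u) and j not in ancestors(N + u)}

def G(seed, part):  # part is b"L", b"M" or b"R": the three thirds of the PRG output
    return hashlib.sha256(part + seed).digest()

def derive_label(label_i, i, j):  # LABEL_{i,j}: walk v_i -> v_j applying G_L / G_R
    turns = []
    while j > i:
        turns.append(j & 1)  # 1 = right child, 0 = left child
        j //= 2
    if j != i:
        raise ValueError("v_i is not an ancestor of v_j")
    for right in reversed(turns):  # at most log N invocations of G
        label_i = G(label_i, b"R" if right else b"L")
    return label_i

def sd_key(label_i, i, j):  # center: L_{i,j} = G_M(LABEL_{i,j})
    return G(derive_label(label_i, i, j), b"M")

def sd_user_info(N, labels, u):
    """I_u: for each subtree T_i containing leaf u, the labels of the nodes hanging
    off the path from v_i to u (never a label of a node on the path itself)."""
    leaf, info = N + u, {}
    for i in ancestors(leaf):
        if i < N:  # subtrees rooted at internal nodes only
            hanging, x = {}, leaf
            while x != i:
                hanging[x ^ 1] = derive_label(labels[i], i, x ^ 1)  # sibling of x
                x //= 2
            info[i] = hanging
    return info

def sd_user_key(info_u, N, u, i, j):  # L_{i,j} if u is in S_{i,j}, else None
    if i not in info_u or j in ancestors(N + u):
        return None
    for h, label in info_u[i].items():
        if h in ancestors(j):  # v_j is at or below the hanging node v_h
            return G(derive_label(label, h, j), b"M")
    return None

def sd_demo(N=16, revoked=(3, 7, 12)):
    """Constructed run: the cover, one receiver's label count, and per receiver the
    subset it decrypts from plus whether its key equals the center's, or None."""
    labels = {i: os.urandom(16) for i in range(1, N)}  # LABEL_i per internal node
    cover = sd_cover(N, set(revoked))
    outcome = {}
    for u in range(N):
        info = sd_user_info(N, labels, u)
        outcome[u] = None
        for i, j in cover:
            k = sd_user_key(info, N, u, i, j)
            if k is not None:
                outcome[u] = (i, j, k == sd_key(labels[i], i, j))
                break
    n_labels = sum(len(h) for h in sd_user_info(N, labels, 0).values())
    return cover, n_labels, outcome
```

For the same R = {3, 7, 12} that needed 7 subsets under CS, sd_cover returns 3 subsets (at most 2r − 1 = 5), and each receiver stores 10 labels, which is (1/2) log² N + (1/2) log N for N = 16; the "+ 1" of (18.2) is the separate key for r = 0 that the example leaves out. A revoked receiver gets None from sd_user_key for every header entry because the node v_j it would need is always on its own root path, and no label of a path node is ever handed out.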
18.3 Identity-Based Broadcast Encryption
This section describes the first identity-based broadcast encryption (IBBE) scheme with constant-size ciphertexts and private keys [37]. In this scheme, the public key is of size linear in the maximal size m of the set of receivers, which is smaller than the number of possible users (identities) in the system. Compared with the broadcast encryption system introduced by Boneh, Gentry and Waters [25], this system is more efficient: the public key is shorter than in [25]. Moreover, the total number of possible users in the system does not have to be fixed at setup; this property is called "dynamic broadcast encryption." Since the scheme is also a key encapsulation mechanism (KEM), long messages can be encrypted under a short symmetric key.
Dynamic broadcast encryption The concept of dynamic broadcast encryption (DBE) was introduced by Delerablée, Paillier, and Pointcheval in [38]. A DBE scheme is a BE scheme in which the total number of users is not fixed at setup, with the property that any new user can decrypt all previously distributed messages. (In [78], the total number of possible users N is fixed. The scheme in [37], however, does not depend on N but only on the maximal size m of the set of receivers, as can be seen in its Setup stage.)
18.3.1 Preliminaries
This section provides a formal definition of identity-based broadcast encryption and its security models.
18.3.1.1 Definition
Setup(λ, m) Takes as input the security parameter λ and the maximal size m of the set of receivers for one encryption, and outputs a master secret key MSK and a public key PK. The PKG is given MSK and makes PK public.
Extract(MSK, ID_i) Takes as input the master secret key MSK and a user identity ID_i, and generates a user private key sk_{ID_i}.
Encrypt(S, PK) Takes as input the public key PK and a set of included identities S = {ID_1, ..., ID_s} with s ≤ m, and outputs a pair (Hdr, K), where Hdr is called the header and K ∈ 𝒦, where 𝒦 is the key space of the symmetric encryption scheme.
When a message M ∈ {0,1}* is to be broadcast to the users in S, the broadcaster generates (Hdr, K) ← Encrypt(S, PK), computes the encryption C_M of M under the symmetric key K ∈ 𝒦 and broadcasts (Hdr, S, C_M). We refer to Hdr as the header or broadcast ciphertext, to (Hdr, S) as the full header, to K as the message encryption key and to C_M as the broadcast body.
Decrypt(S, ID, sk_ID, Hdr, PK) Takes as input a subset S = {ID_1, ..., ID_s} (with s ≤ m), an identity ID, the corresponding private key sk_ID, a header Hdr, and the public key PK. If ID ∈ S, the algorithm outputs the message encryption key K, which is then used to decrypt the broadcast body C_M and recover M.
18.3.1.2 Security Model
We define IND-sID-CCA security of an IBBE system. Security is defined using the following game between an adversary A and a challenger. Both the adversary and the challenger are given as input m, the maximal size of a set of receivers S. The only difference from ordinary IBE systems is that the challenge here is not a single identity but a set of identities.
Init The adversary A first outputs a set S* = {ID*_1, ..., ID*_s} of identities that he wants to attack (with s ≤ m).
Setup The challenger runs Setup(λ, m) to obtain a public key PK and gives A the public key PK.
Phase I The adversary A adaptively issues queries q_1, ..., q_{s'}, where q_i is one of the following.
(a) Extraction query (ID_i) with the constraint that ID_i ∉ S*: the challenger runs Extract on ID_i and forwards the resulting private key to the adversary.
(b) Decryption query, which consists of a triple (ID_i, S, Hdr) with S ⊆ S* and ID_i ∈ S: the challenger responds with Decrypt(S, ID_i, sk_{ID_i}, Hdr, PK).
Challenge When A decides that Phase I is over, the challenger runs the Encrypt algorithm to obtain (Hdr*, K) = Encrypt(S*, PK), where K ∈ 𝒦. The challenger then randomly selects b ← {0,1}, sets K_b = K and sets K_{1−b} to a random value in 𝒦. The challenger returns (Hdr*, K_0, K_1) to A.
Phase II The adversary continues to issue queries q_{s'+1}, ..., q_s, where q_i is one of the following.
(a) Extraction query (ID_i), as in Phase I.
(b) Decryption query, as in Phase I, but with the constraint that Hdr ≠ Hdr*. The challenger responds as in Phase I.
Guess Finally, the adversary A outputs a guess b' ∈ {0,1} and wins the game if b = b'.
We denote by q_D the total number of decryption queries and by t the total number of extraction queries that can be issued by the adversary during the game. Viewing t, m, q_D as attack parameters, we denote by Adv^ind_IBBE(t, m, q_D, A) the advantage of A in winning the game:
$$\mathrm{Adv}^{\mathrm{ind}}_{\mathrm{IBBE}}(t, m, q_D, A) = \big|\,2\Pr[b' = b] - 1\,\big| = \big|\Pr[b' = 1 \mid b = 1] - \Pr[b' = 1 \mid b = 0]\big|,$$
where the probability is taken over the random coins of A and of all probabilistic algorithms run by the challenger. The two expressions agree because b is uniform: $\Pr[b' = b] = \tfrac{1}{2}\Pr[b' = 1 \mid b = 1] + \tfrac{1}{2}\big(1 - \Pr[b' = 1 \mid b = 0]\big)$, so $2\Pr[b' = b] - 1 = \Pr[b' = 1 \mid b = 1] - \Pr[b' = 1 \mid b = 0]$.
Definition 1 Let Adv^ind_IBBE(t, m, q_D) = max_A Adv^ind_IBBE(t, m, q_D, A), where the maximum is taken over all probabilistic algorithms A running in time poly(λ). An identity-based broadcast encryption scheme IBBE is said to be (t, m, q_D)-IND-sID-CCA secure if Adv^ind_IBBE(t, m, q_D) = negl(λ).
Definition 2 We say that an identity-based broadcast encryption system is (t, m)-IND-sID-CPA secure if it is (t, m, 0)-IND-sID-CCA secure.
Remark. In [25], the choice of S ∗ implies a choice of corrupted users, because
the total number of users is fixed in the setup. In the model we described be-
fore, the corrupted users are not chosen at the beginning but adaptively. We
describe below a modification of the model which does not allow adaptive
corruptions, as in [25].
Definition 3 (t, m, q_D)-IND-na-sID-CCA security (non-adaptive sID): at initialization time, the attacker outputs a set S* = {ID*_1, ..., ID*_s} of identities that he wants to attack, and a set C = {ID̄_1, ..., ID̄_t} of identities that he wants to corrupt (i.e., to obtain the corresponding private keys). Thus the attacker issues the t extraction queries only at the beginning of the game.
Definition 4 We say that an identity-based broadcast encryption system is (t, m)-IND-na-sID-CPA secure if it is (t, m, 0)-IND-na-sID-CCA secure.
18.3.1.3 Hardness Assumptions
To prove the security of this scheme, Delerablée [38] makes use of the generalization of the Diffie-Hellman exponent assumption due to Boneh, Boyen, and Goh [21]. They introduced a class of assumptions which includes, for example, the DDH (in G_T), BDH, q-BDHI, and q-BDHE assumptions. We give an overview in the symmetric case.
Let B = (p, G_1, G_2, G_T, e(·,·)) be a bilinear map group system such that G_1 = G_2 = G. Let g_0 ∈ G be a generator of G and set g = e(g_0, g_0) ∈ G_T.
Let s, n be positive integers and P, Q ∈ F_p[X_1, ..., X_n]^s be two s-tuples of n-variate polynomials over F_p. Thus, P and Q are just two lists containing s multivariate polynomials each, so |P| = |Q| = s. We write P = (p_1, p_2, ..., p_s) and Q = (q_1, q_2, ..., q_s), where each p_i and q_i is a polynomial in X_1, ..., X_n with coefficients in F_p, and impose that p_1 = q_1 = 1. For a set Ω, any function h : F_p → Ω, and a vector (x_1, ..., x_n) ∈ F_p^n, h(P(x_1, ..., x_n)) stands for (h(p_1(x_1, ..., x_n)), ..., h(p_s(x_1, ..., x_n))) ∈ Ω^s. We use a similar notation for the s-tuple Q. Let f ∈ F_p[X_1, ..., X_n]. It is said that f depends on (P, Q), which we denote by f ∈ ⟨P, Q⟩, when there exists a linear decomposition
$$f = \sum_{1 \le i, j \le s} a_{i,j}\, p_i\, p_j + \sum_{1 \le i \le s} b_i\, q_i, \qquad a_{i,j}, b_i \in \mathbb{Z}_p.$$
Let P, Q be as above and $f \in \mathbb{F}_p[X_1, \dots, X_n]$. The (P, Q, f)-General Diffie-Hellman Exponent problems are defined as follows.
Definition 5 ((P, Q, f)-GDHE) Given the tuple
$$H(x_1, \dots, x_n) = \left( g_0^{P(x_1, \dots, x_n)},\ g^{Q(x_1, \dots, x_n)} \right) \in G^s \times G_T^s,$$
compute $g^{f(x_1, \dots, x_n)}$.
Definition 6 ((P, Q, f)-GDDHE) Given the tuple $H(x_1, \dots, x_n) \in G^s \times G_T^s$ as above and $T \in G_T$, decide whether $T = g^{f(x_1, \dots, x_n)}$.
Delerablée refers to [21] for a proof that (P, Q, f)-GDHE and (P, Q, f)-GDDHE have generic security when $f \notin \langle P, Q \rangle$. We will prove that these constructions are secure based on the assumption that (P, Q, f)-GDDHE is intractable for any $f \notin \langle P, Q \rangle$ and polynomial parameters s, n = poly(λ). We just have to determine P, Q, and f such that we can perform this simulation; proving the condition on the polynomials then proves the intractability of this problem (because, as seen before, the (P, Q, f)-GDDHE problem is hard for any choice of P, Q, and f which satisfy the aforementioned condition).
18.3.2 Delerablée’s Scheme [37]
Construction 1. Delerablée’s scheme with random oracle
Setup Given the security parameter $\lambda \in \mathbb{Z}^+$, where $\lambda = |p|$:
1. Pick two random generators $g \in G_1$ and $h \in G_2$.
2. Pick a random $\gamma \in \mathbb{Z}_p^*$.
3. Choose a cryptographic hash function $H : \{0, 1\}^* \to \mathbb{Z}_p^*$.
4. Set $w = g^\gamma \in G_1$ and $v = e(g, h) \in G_T$.
5. The public key is $PK = (w, v, h, h^\gamma, \dots, h^{\gamma^m})$.
6. The master secret key is $MSK = (g, \gamma)$.
Extract For a given identity ID:
1. Set the private key as
$$sk_{ID} = g^{\frac{1}{\gamma + H(ID)}}.$$
Encrypt Given the list of receivers S and PK, assume for notational simplicity that $S = \{ID_j\}_{j=1}^{s}$ with $s \le m$.
1. Pick a random $k \in \mathbb{Z}_p$.
2. Compute $C_1 = w^{-k} \in G_1$.
3. Compute $C_2 = h^{k \cdot \prod_{i=1}^{s} (\gamma + H(ID_i))} \in G_2$.
4. Compute $K = v^k \in G_T$.
5. Set the Hdr as $(C_1, C_2)$.
It outputs (Hdr, K) (then K is used to encrypt the message).
Decrypt In order to retrieve the message encryption key K encapsulated in the header $Hdr = (C_1, C_2)$, a user with identity $ID_i$ and the corresponding private key $sk_{ID_i}$ (with $ID_i \in S$) computes
$$K = \left( e\!\left(C_1, h^{p_{i,S}(\gamma)}\right) \cdot e\!\left(sk_{ID_i}, C_2\right) \right)^{\frac{1}{H(s, ID_j)}}$$
with
$$p_{i,S}(\gamma) = \frac{1}{\gamma} \cdot \left( \prod_{j=1, j \ne i}^{s} (\gamma + H(ID_j)) - H(s, ID_j) \right)$$
and
$$H(s, ID_j) = \prod_{j=1, j \ne i}^{s} H(ID_j).$$
Correctness:
$$\begin{aligned}
K' &= e\!\left(C_1, h^{p_{i,S}(\gamma)}\right) \cdot e\!\left(sk_{ID_i}, C_2\right) \\
&= e\!\left(g^{-k \cdot \gamma}, h^{p_{i,S}(\gamma)}\right) \cdot e\!\left(g^{\frac{1}{\gamma + H(ID_i)}}, h^{k \cdot \prod_{i=1}^{s} (\gamma + H(ID_i))}\right) \\
&= e(g, h)^{-k \cdot \left( \prod_{j=1, j \ne i}^{s} (\gamma + H(ID_j)) - \prod_{j=1, j \ne i}^{s} H(ID_j) \right)} \cdot e(g, h)^{k \cdot \prod_{j=1, j \ne i}^{s} (\gamma + H(ID_j))} \\
&= e(g, h)^{k \cdot \prod_{j=1, j \ne i}^{s} H(ID_j)} \\
&= K^{\prod_{j=1, j \ne i}^{s} H(ID_j)}.
\end{aligned}$$
Thus $(K')^{\frac{1}{\prod_{j=1, j \ne i}^{s} H(ID_j)}} = K$.
Note In case the maximal size of the set of receivers m is increased, we don’t need to set up the scheme again. For example, when we increase m to m + 1, we have to broadcast only the public key $PK = (w, v, h, h^\gamma, \dots, h^{\gamma^m}, h^{\gamma^{m+1}})$.
Efficiency This construction achieves O(1)-size ciphertexts, O(m)-size public
keys and constant size private keys. Note that the public key is linear in the
maximal size of S, but not in the number of decryption keys that can be
distributed. Note also that as we said before, the broadcaster has to send the
set S of identities that are included in the ciphertext. This set needs to be
decrypted, as in previous schemes, thus it is counted in the full header, but
not in the header.
18.3.3 Security Analysis of Delerablée’s Scheme
Now we prove the IND-sID-CPA security of this system by using the GDDHE
framework of [21]. We start by defining the following intermediate decisional
problem.
Definition 7 ((f, g, F)-GDDHE) Let $B = (p, G_1, G_2, G_T, e(\cdot, \cdot))$ be a bilinear map group system and let f and g be two coprime polynomials with pairwise distinct roots of respective orders t and n. Let $g_0$ be a generator of $G_1$ and $h_0$ a generator of $G_2$. Solving the (f, g, F)-GDDHE problem consists, given
$$g_0,\ g_0^{\gamma},\ \dots,\ g_0^{\gamma^{t-1}},\ g_0^{\gamma \cdot f(\gamma)},\ g_0^{k \cdot \gamma \cdot f(\gamma)}, \qquad h_0,\ h_0^{\gamma},\ \dots,\ h_0^{\gamma^{2n}},\ h_0^{k \cdot g(\gamma)},$$
and $T \in G_T$, in deciding whether T is equal to $e(g_0, h_0)^{k \cdot f(\gamma)}$ or to some random element of $G_T$.
We denote by $Adv^{gddhe}(f, g, F, \mathcal{A})$ the advantage of an algorithm $\mathcal{A}$ in distinguishing the two distributions and set $Adv^{gddhe}(f, g, F) = \max_{\mathcal{A}} Adv^{gddhe}(f, g, F, \mathcal{A})$ over poly(|p|)-time $\mathcal{A}$’s.
Corollary 1 (Generic security of (f, g, F)-GDDHE) For any probabilistic algorithm $\mathcal{A}$ that totalizes at most q queries to the oracles performing the group operations in $G_1, G_2, G_T$ and the bilinear map $e(\cdot, \cdot)$,
$$Adv^{gddhe}(f, g, F, \mathcal{A}) \le \frac{(q + 2(n + t + 4) + 2)^2 \cdot d}{2p} \qquad (18.3)$$
with $d = 2 \cdot \max(n, t + 1)$.
Theorem 1 For any n, t, we have $Adv^{ind}_{IBBE}(t, n) \le 2 \cdot Adv^{gddhe}(f, g, F)$.
Proof To establish the semantic security of IBBE against static adversaries,
we assume an adversary A breaking it under a (t, n)-collusion is given and we
build a reduction algorithm R that distinguishes the two distributions of the
(f, g, F )-GDDHE problem.
Both the adversary and the challenger are given as input n, the maximal
size of a set of included users S, and t, the total number of extraction queries
and random oracle queries that can be issued by the adversary.
Algorithm R is given as input a group system $B = (p, G_1, G_2, G_T, e(\cdot, \cdot))$ and an (f, g, F)-GDDHE instance in B (as described in Definition 7). We thus have f and g, two coprime polynomials with pairwise distinct roots, of respective orders t and n, and R is given
$$g_0,\ g_0^{\gamma},\ \dots,\ g_0^{\gamma^{t-1}},\ g_0^{\gamma \cdot f(\gamma)},\ g_0^{k \cdot \gamma \cdot f(\gamma)}, \qquad h_0,\ h_0^{\gamma},\ \dots,\ h_0^{\gamma^{2n}},\ h_0^{k \cdot g(\gamma)}, \qquad (18.4)$$
and $T \in G_T$, and must decide whether T is equal to $e(g_0, h_0)^{k \cdot f(\gamma)}$ or to some random element of $G_T$.
For simplicity, we state that f and g are unitary polynomials, but this is not a mandatory requirement.
Notations
1. $f(X) = \prod_{i=1}^{t} (X + x_i)$.
2. $g(X) = \prod_{i=t+1}^{t+n} (X + x_i)$.
3. $f_i(x) = \frac{f(x)}{x + x_i}$ for $i \in [1, t]$, which is a polynomial of degree t − 1.
4. $g_i(x) = \frac{g(x)}{x + x_i}$ for $i \in [t + 1, t + n]$, which is a polynomial of degree n − 1.
Reduction algorithm R
Init The adversary A outputs a set S ∗ = {ID1∗ , · · · , IDs∗∗ } of identities
that he wants to attack (with s∗ ≤ n).
Setup
1. Set $g = g_0^{f(\gamma)}$ (no actual calculations are made).
2. Compute $h = h_0^{\prod_{i=t+s^*+1}^{t+n} (\gamma + x_i)}$.
3. Compute $w = g_0^{\gamma \cdot f(\gamma)} = g^\gamma$.
4. Compute $v = e(g_0, h_0)^{f(\gamma) \cdot \prod_{i=t+s^*+1}^{t+n} (\gamma + x_i)} = e(g, h)$.
5. Set the public key as $PK = (w, v, h, h^\gamma, \dots, h^{\gamma^n})$.
Hash Queries At any time the adversary $\mathcal{A}$ can query the random oracle on any identity $ID_i$ (at most $t - q_E$ times, with $q_E$ the number of extraction queries). To respond to these queries, R maintains a list $L_H$ of tuples $(ID_i, x_i, sk_{ID_i})$ that contains at the beginning
$$\{(*, x_i, *)\}_{i=1}^{t}, \qquad \{(ID_i, x_i, *)\}_{i=t+1}^{t+s^*}$$
(we choose to denote by “*” an empty entry in $L_H$). When the adversary issues a hash query on identity $ID_i$,
1. If IDi already appears in the list LH , R responds with the
corresponding xi .
2. Otherwise, R sets H(IDi ) = xi and completes the list with
(IDi , xi , ∗).
Phase I The adversary $\mathcal{A}$ adaptively issues queries $q_1, \dots, q_m$, where $q_i$ is an extraction query $(ID_i)$. The challenger runs Extract on $ID_i \notin S^*$ and forwards the resulting private key to the adversary. To generate the keys,
1. If $\mathcal{A}$ has already issued an extraction query on $ID_i$, R responds with the corresponding $sk_{ID_i}$ in the list $L_H$.
2. Else, if $\mathcal{A}$ has already issued a hash query on $ID_i$, then R uses the corresponding $x_i$ to compute
$$sk_{ID_i} = g_0^{f_i(\gamma)} = g^{\frac{1}{\gamma + H(ID_i)}}.$$
R then completes the list $L_H$ with $sk_{ID_i}$ for $ID_i$.
3. Otherwise, R sets $H(ID_i) = x_i$, computes the corresponding $sk_{ID_i}$ exactly as above, and completes the list $L_H$ for $ID_i$.
Challenge When $\mathcal{A}$ decides that Phase I is over, algorithm R computes Encrypt to obtain $(Hdr^*, K) = Encrypt(S^*, PK)$ as
$$C_1 = g_0^{-k \cdot \gamma \cdot f(\gamma)}, \qquad C_2 = h_0^{k \cdot g(\gamma)}, \qquad K = T^{\prod_{i=t+s^*+1}^{t+n} x_i} \cdot e\!\left(g_0^{k \cdot \gamma \cdot f(\gamma)}, h_0^{q(\gamma)}\right)$$
with
$$q(\gamma) = \frac{1}{\gamma} \cdot \left( \prod_{i=t+s^*+1}^{t+n} (\gamma + x_i) - \prod_{i=t+s^*+1}^{t+n} x_i \right).$$
The challenger then randomly selects $b \leftarrow \{0, 1\}$, sets $K_b = K$ and sets $K_{1-b}$ to a random value in $\mathcal{K}$. The challenger returns $(Hdr^*, K_0, K_1)$ to $\mathcal{A}$.
Phase II The adversary continues to issue queries $q_{m+1}, \dots, q_E$, where $q_i$ is an extraction query $(ID_i)$ with the constraint that $ID_i \notin S^*$ (identical to Phase I).
Guess Finally, the adversary $\mathcal{A}$ outputs a guess $b' \in \{0, 1\}$ and wins the game if $b = b'$.
Simulation of private key generation
Now, we explain how to generate a valid private key without knowledge of the master secret key γ. Before explaining, look again at a valid private key
$$sk_{ID} = g^{\frac{1}{\gamma + H(ID)}}. \qquad (18.5)$$
As seen from above, the simulator must know γ to generate a valid private key. The difficulty is that the simulator does not know γ. But it can generate a valid private key by using the problem instance only, as below. We set g in the setup stage as
$$g = g_0^{f(\gamma)}, \qquad (18.6)$$
where $f(x) \in \mathbb{Z}_p[x]$ is of degree t.
We can generate a valid private key by using g, the instance $g_0, g_0^{\gamma}, \dots, g_0^{\gamma^{t-1}}$, and the hash values $(x_1, \dots, x_t)$ as
$$sk_{ID} = g^{\frac{1}{\gamma + H(ID)}} = g_0^{\frac{f(\gamma)}{\gamma + H(ID)}} = g_0^{\frac{\prod_{i=1}^{t} (\gamma + x_i)}{\gamma + H(ID)}}. \qquad (18.7)$$
If $H(ID) = x_1$,
$$sk_{ID} = g_0^{\frac{\prod_{i=1}^{t} (\gamma + x_i)}{\gamma + x_1}} = g_0^{\prod_{i=2}^{t} (\gamma + x_i)} = g_0^{\gamma^{t-1}} \cdot g_0^{\left(\sum_{i=2}^{t} x_i\right) \gamma^{t-2}} \cdots g_0^{\prod_{i=2}^{t} x_i}. \qquad (18.8)$$
Thus the simulator can generate a valid private key without knowledge of γ.
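As an added illustration of (18.6)–(18.8), not code from the book: the Python below computes $sk_{ID}$ from the instance $g_0, g_0^{\gamma}, \dots, g_0^{\gamma^{t-1}}$ alone by expanding the coefficients of $f_i(X) = f(X)/(X + x_i)$, compares the result against Extract run with γ known, and shows the division leaving a remainder for an identity whose hash is not one of the $x_i$. No pairing is needed for this step, so the group is a constructed toy prime-order subgroup of $\mathbb{Z}_P^*$ (P = 2039, q = 1019); γ and the hash values are constructed as well.

```python
# Added example (not from the book): the simulator's key trick of eqs. (18.6)-(18.8).
# The instance g0, g0^gamma, ..., g0^(gamma^(t-1)) is modelled in the prime-order
# subgroup of Z_P^* for the constructed toy safe prime P = 2039 (q = 1019); the
# pairing plays no part in this step, so none is modelled.  Exponents live in Z_q.
from functools import reduce

P = 2039   # constructed toy modulus, a safe prime P = 2q + 1
Q = 1019   # prime order of the subgroup generated by G0, i.e. the exponent field
G0 = 4     # 4 = 2^2 is a quadratic residue mod P, hence generates the order-q subgroup


def poly_mul(a, b):
    """Product of two polynomials over Z_q (coefficient lists, lowest degree first)."""
    out = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[i + j] = (out[i + j] + ai * bj) % Q
    return out


def product_of_linear_terms(roots):
    """f(X) = prod_i (X + x_i) of Notation 1, as a coefficient list."""
    return reduce(poly_mul, ([x % Q, 1] for x in roots), [1])


def poly_divmod_linear(f, x):
    """Synthetic division of f(X) by (X + x) over Z_q -> (quotient, remainder)."""
    r = (-x) % Q                       # the root of the divisor
    quotient = [0] * (len(f) - 1)
    acc = 0
    for k in range(len(f) - 1, 0, -1):
        acc = (f[k] + r * acc) % Q
        quotient[k - 1] = acc
    remainder = (f[0] + r * acc) % Q   # equals f(-x); zero iff x is one of the x_i
    return quotient, remainder


def poly_eval(coeffs, point):
    return sum(c * pow(point, i, Q) for i, c in enumerate(coeffs)) % Q


def make_instance(gamma, t):
    """The g0, g0^gamma, ..., g0^(gamma^(t-1)) part of the GDDHE instance (18.4).
    Only this helper and real_private_key below ever see gamma."""
    return [pow(G0, pow(gamma, i, Q), P) for i in range(t)]


def simulate_private_key(instance, hash_values, x):
    """R's computation of sk_ID = g0^{f_i(gamma)} for H(ID) = x, eq. (18.8).

    f_i(X) = f(X)/(X + x) has degree t-1, so every monomial gamma^j it contains is
    available as g0^{gamma^j} in the instance and gamma itself is never needed.
    If x is not one of the programmed hash values x_1..x_t the division leaves a
    remainder: this is why R cannot extract keys for the challenge identities.
    """
    f = product_of_linear_terms(hash_values)
    f_i, remainder = poly_divmod_linear(f, x)
    if remainder != 0:
        raise ValueError("H(ID) is not a root of f: no key without gamma")
    key = 1
    for g_pow, coeff in zip(instance, f_i):     # prod_j (g0^{gamma^j})^{c_j}
        key = key * pow(g_pow, coeff, P) % P
    return key


def real_private_key(gamma, hash_values, x):
    """Extract of Construction 1 with gamma known: g^{1/(gamma + x)}, g = g0^{f(gamma)}.
    Used only as the reference the simulated key is compared against."""
    g = pow(G0, poly_eval(product_of_linear_terms(hash_values), gamma), P)
    return pow(g, pow((gamma + x) % Q, -1, Q), P)


if __name__ == "__main__":
    gamma, xs = 777, [12, 34, 56, 78]           # constructed toy gamma and H values
    inst = make_instance(gamma, len(xs))
    for x in xs:
        assert simulate_private_key(inst, xs, x) == real_private_key(gamma, xs, x)
    print("simulated keys match Extract for all programmed identities")
    try:
        simulate_private_key(inst, xs, 99)      # 99 is not among x_1..x_t
    except ValueError as err:
        print("challenge identity:", err)
```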
Simulation of challenge ciphertext generation
We explain how to generate a valid challenge ciphertext without knowledge of γ. First of all, we must keep in mind that the simulator cannot generate a valid private key for the challenge identities and decrypt the challenge ciphertext. Now let us see the challenge ciphertext.
$$\begin{aligned}
C_1 &= g_0^{-k \cdot \gamma \cdot f(\gamma)} = \left(g_0^{f(\gamma)}\right)^{-k \cdot \gamma} = (g^\gamma)^{-k} = w^{-k}, \\
C_2 &= h_0^{k \cdot g(\gamma)} = h_0^{k \cdot \prod_{i=t+1}^{t+n} (\gamma + x_i)} = \left(h_0^{\prod_{i=t+s^*+1}^{t+n} (\gamma + x_i)}\right)^{k \cdot \prod_{i=t+1}^{t+s^*} (\gamma + x_i)} \\
&= h^{k \cdot \prod_{i=t+1}^{t+s^*} (\gamma + x_i)} = h^{k \cdot \prod_{i=t+1}^{t+s^*} (\gamma + H(ID_i))}, \\
K &= T^{\prod_{i=t+s^*+1}^{t+n} x_i} \cdot e\!\left(g_0^{k \cdot \gamma \cdot f(\gamma)},\ h_0^{\frac{1}{\gamma} \cdot \left( \prod_{i=t+s^*+1}^{t+n} (\gamma + x_i) - \prod_{i=t+s^*+1}^{t+n} x_i \right)}\right) \\
&= T^{\prod_{i=t+s^*+1}^{t+n} x_i} \cdot e(g_0, h_0)^{k \cdot \gamma \cdot f(\gamma) \cdot \frac{1}{\gamma} \cdot \left( \prod_{i=t+s^*+1}^{t+n} (\gamma + x_i) - \prod_{i=t+s^*+1}^{t+n} x_i \right)} \\
&= T^{\prod_{i=t+s^*+1}^{t+n} x_i} \cdot e(g_0, h_0)^{k \cdot f(\gamma) \cdot \prod_{i=t+s^*+1}^{t+n} (\gamma + x_i)} \cdot e(g_0, h_0)^{-k \cdot f(\gamma) \cdot \prod_{i=t+s^*+1}^{t+n} x_i} \\
&= T^{\prod_{i=t+s^*+1}^{t+n} x_i} \cdot v^k \cdot e(g_0, h_0)^{-k \cdot f(\gamma) \cdot \prod_{i=t+s^*+1}^{t+n} x_i}.
\end{aligned}$$
As shown above, the challenge ciphertext can be made by using the problem instance only.
Now we check whether it is a valid challenge ciphertext in two cases: (1) T is real, (2) T is random. First, in the case that T is real (i.e., $T = e(g_0, h_0)^{k \cdot f(\gamma)}$), K is computed as
$$\begin{aligned}
K &= T^{\prod_{i=t+s^*+1}^{t+n} x_i} \cdot v^k \cdot e(g_0, h_0)^{-k \cdot f(\gamma) \cdot \prod_{i=t+s^*+1}^{t+n} x_i} \\
&= e(g_0, h_0)^{k \cdot f(\gamma) \cdot \prod_{i=t+s^*+1}^{t+n} x_i} \cdot v^k \cdot e(g_0, h_0)^{-k \cdot f(\gamma) \cdot \prod_{i=t+s^*+1}^{t+n} x_i} \\
&= v^k.
\end{aligned}$$
As shown above, a valid challenge ciphertext is made. Therefore the simulator can decrypt it by using the appropriate private key.
But in the case that T is random, the simulator cannot make any valid challenge ciphertext.
Probability analysis
$$\begin{aligned}
Adv^{gddhe}(f, g, F, R) &= \Pr[b' = b \mid real] - \Pr[b' = b \mid rand] \\
&= \tfrac{1}{2} \times \left( \Pr[b' = 1 \mid b = 1 \wedge real] - \Pr[b' = 1 \mid b = 0 \wedge real] \right) \\
&\quad - \tfrac{1}{2} \times \left( \Pr[b' = 1 \mid b = 1 \wedge rand] - \Pr[b' = 1 \mid b = 0 \wedge rand] \right).
\end{aligned}$$
Now in the random case, the distribution of b is independent from the adversary’s view, so
$$\Pr[b' = 1 \mid b = 1 \wedge rand] = \Pr[b' = 1 \mid b = 0 \wedge rand]. \qquad (18.9)$$
In the real case, however, the distributions of all variables defined by R perfectly comply with the semantic security game since all simulations are perfect. Therefore
$$Adv^{ind}_{IBBE}(t, n, \mathcal{A}) = \Pr[b' = 1 \mid b = 1 \wedge real] - \Pr[b' = 1 \mid b = 0 \wedge real]. \qquad (18.10)$$
Putting it all together, we get that
$$Adv^{gddhe}(f, g, F, R) = \frac{1}{2} \cdot Adv^{ind}_{IBBE}(t, n, \mathcal{A}). \qquad (18.11)$$
About chosen-ciphertext attacks The Canetti, Halevi, and Katz [32] result applies here by just making one of the identities that we broadcast to derive from a verification key of a strong signature scheme. Then it can be used to sign the ciphertext.
Removing the random oracle model One way to remove the random oracle model could be to randomize the private key extraction as follows: for an identity $ID_i$, $sk_{ID_i} = g^{\frac{1}{\gamma + ID_i}}$ could be replaced by $A_i = g^{\frac{1}{\gamma + ID_i + r_i \cdot \alpha}}$, with α an element of MSK and $r_i$ chosen by the PKG. Note that this randomization has already been employed in [19].
Note also that we could easily obtain IND-na-sID-C​PA without random oracles by using an assumption which is not fully non-interactive. Indeed, during the setup, if the algorithm is given an (f, g, F)-GDDHE instance with g that corresponds to the target set and f to the corrupted set (chosen by the attacker at initialization), then the rest of the proof can be done without any oracle.
Exercises
18.1 Explain why a simulator cannot generate a valid private key for challenge
identities.
18.2 Explain $Adv^{gddhe}(f, g, F, R)$ in detail.
19
Attribute-Based Encryption
CONTENTS
19.1 Overview 350
19.2 Access Structure 351
19.2.1 Secret Sharing Scheme 351
19.2.2 Access Trees 351
19.2.3 Satisfying the Access Tree 352
19.3 Preliminaries 354
19.3.1 The Generic Bilinear Group Model 354
19.3.2 The Decisional Bilinear Diffie-Hellman (DBDH) Assumption 355
19.3.3 Selective-Set Model for KP-ABE 355
19.3.4 Security Model for CP-ABE 355
19.4 KP-ABE [55] 356
19.4.1 Security Analysis of KP-ABE 359
19.4.2 Probability Analysis 362
19.5 CP-ABE [14] 362
Attribute-based encryption (ABE) is presented in this chapter. It is a type of public-key encryption in which the secret key of a user and a ciphertext depend upon the attributes of the user. This scheme involves two additional components: an access tree and a set of attributes. A comparison of ABE and IBE is then given. There are two types of ABE: KP-ABE and CP-ABE. The next part of the chapter describes the structure of access trees; only satisfying the access tree allows the decryption of a message. The preliminaries related to ABE are then discussed. The next part of the chapter discusses the KP-ABE approach. In KP-ABE, the ciphertext is constructed such that part of it contains the set of attributes, and the private key along with the access structure is generated by a trusted party. Similarly, the CP-ABE scheme is discussed. In CP-ABE, part of a user’s private key is composed of the attribute set, and the ciphertext contains the structure specifying the access policy defined over the universe of attributes in the system. Decryption happens only if his or her attributes satisfy the access structure.
19.1 Overview
When multiple parties need the same data, which may contain sensitive information including personal, financial, or medical details, additional measures are required to hide specific details of the user, compared to conventional public key cryptography, where the private key (i.e., decryption key) is different for each user. In order to provide fine-grained access to a user based on his attributes, attribute-based encryption was first presented in [55]. The working of this scheme involves two additional components. One is the access structure, and the other is the set of attributes. If the user succeeds in satisfying the access structure, the user can decrypt the ciphertext.
Comparison between IBE and ABE In IBE, a public key is a bit string and the secret key corresponding to the public key is generated by the KGC. Public and private keys act as a pair: a ciphertext created with the public key can be decrypted with its paired private key. The concept of ABE is similar to Fuzzy-IBE, but ABE provides more fine-grained access¹ than Fuzzy-IBE. In ABE, the private keys and users are associated through an access structure, while Fuzzy-IBE allows a private key for an identity ω to decrypt a ciphertext encrypted with an identity ω′ if and only if the identities ω and ω′ are close to each other as measured by the “set overlap”² distance metric. Thus, Fuzzy-IBE achieves error tolerance, but it has limited applicability to access control of data. Due to the error tolerance in Fuzzy-IBE, the supported access structure is a threshold gate, whose value is fixed as specified at setup time. Similar to Fuzzy-IBE, the ABE scheme is also based on attributes instead of a single identity. Users’ keys and ciphertexts are labeled with sets of descriptive attributes, and a particular key can decrypt a particular ciphertext only if there is a match between the attributes of the ciphertext and the attributes of the user’s key.
Comparison between KP-ABE and CP-ABE There are two kinds of
ABE: KP-ABE and CP-ABE.
In KP-ABE, the ciphertext is associated with the attributes and the user key is associated with an access structure. On the other hand, in CP-ABE, the ciphertext is associated with the access structure and the user key is associated with attributes.
¹ Refined in terms of attribute-based key generation. In Fuzzy-IBE, a user is considered valid for decryption if his attribute set looks like the attribute set defined by the encrypting party, that is, it allows some margin of error. This error margin is based on the statistical distance between the attribute set of the user requesting decryption and the attribute set defined at the time of encryption.
² It is defined as the similarity between the attribute set of the user requesting decryption and the attribute set defined at the time of encryption.
19.2 Access Structure
Definition 1 For the set $\mathbb{Z}_n$ and a threshold value $0 < k \le n$, the threshold function $q_k : \mathbb{Z}_n \to \{0, 1\}$ is defined as
$$q_k(x) = \begin{cases} 0, & \text{if } x < k \\ 1, & \text{if } x \ge k. \end{cases} \qquad (19.1)$$
19.2.1 Secret Sharing Scheme
Secret Sharing Schemes (SSS) are used to divide a secret s among multiple parties. The information held by a single party i is called the share $\lambda_i$ of that party. Every SSS is paired with an access structure, which defines the sets of parties that should be able to reconstruct the secret using their shares.
The access structure can be seen as a threshold function, i.e., at least k parties must use their shares to reconstruct the secret. Furthermore, an access structure can be represented as a tree such that there is a threshold function associated with each node of the tree. Each non-leaf node x with $num_x$ children in such an access tree is an “AND” or “OR” gate, with threshold $num_x$ and 1 respectively. For each leaf node x, att(x) is defined as the attribute associated with the leaf node x. In an access tree, a leaf node is analogous to the share of a party. Therefore, any set of parties that satisfies the access structure can combine their shares to reconstruct the secret.
Definition 2 For a finite field $\mathbb{F}$ and a set of random variables $\{\varrho_1, \dots, \varrho_l\}$, a secret sharing scheme is linear if:
1. The share of each party is a vector over $\mathbb{F}$.
2. The generation of the shares is carried out such that each coordinate of the share $\lambda_i$ of every party i is a linear combination of $\{\varrho_1, \dots, \varrho_l\}$ and the secret s.
19.2.2 Access Trees
Definition 3 The Lagrange coefficient $\Delta_{i,S}$ for $i \in \mathbb{Z}_p$ and a set S of elements in $\mathbb{Z}_p$: $\Delta_{i,S}(x) = \prod_{j \in S, j \ne i} \frac{x - j}{i - j}$.
Let T be a structure representing an access tree with root r; $T_x$ denotes the access tree rooted at node x, i.e., $T_r$ is the same as T. For a non-leaf node x, let $num_x$ be the number of its children; we also define a threshold value $k_x$, $0 < k_x \le num_x$. We can think of each node as a threshold gate: when $k_x = 1$ the gate is an OR gate and when $k_x = num_x$ it is an AND gate. For each leaf node x of the tree, the threshold value is 1, i.e., $k_x|_{x = \text{leaf}} = 1$.
For a node x, let parent(x) be its parent. The function index(x) returns the index associated with node x; indices are uniquely assigned to the nodes of an access structure in an arbitrary manner. For each leaf node x, the function att(x) returns the attribute associated with the leaf node x.
Definition 4 Let $\{P_1, P_2, \dots, P_n\}$ be a set of parties. A collection $\mathbb{A} \subset 2^{\{P_1, P_2, \dots, P_n\}}$ is monotone if ∀B, C: if $B \in \mathbb{A}$ and $B \subseteq C$ then $C \in \mathbb{A}$. An access structure $\mathbb{A}$ is a collection of non-empty subsets of $\{P_1, P_2, \dots, P_n\}$, i.e., $\mathbb{A} \subset 2^{\{P_1, P_2, \dots, P_n\}} \setminus \{\emptyset\}$. Sets in $\mathbb{A}$ are called authorized sets while the others are unauthorized sets.
19.2.3 Satisfying the Access Tree
Definition 5 If the attribute set γ satisfies the access tree $T_x$, we say $T_x(\gamma) = 1$. $T_x(\gamma)$ is computed recursively. For all children x′ of a non-leaf node x, evaluate $T_{x'}(\gamma)$. If at least $k_x$ children of x return 1, then $T_x(\gamma) = 1$. For each leaf node x, $T_x(\gamma) = 1$ if and only if $att(x) \in \gamma$.
For an example of an access tree, please refer to Figure 19.1. For the access tree $T_x$ rooted at node x and the universe of attributes U = {A_hospital, B_hospital, C_hospital, Pediatric_dept, Surgical_dept, Doctor}, the threshold function (A_hospital | B_hospital | C_hospital) ∧ ((Pediatric_dept | Surgical_dept) ∧ Doctor) is satisfied at node x by the set of attributes γ = {C_hospital, Surgical_dept, Doctor}. In this access tree, at each node the threshold gate is indicated inside the circle and the index number is written outside the circle. Table 19.1 demonstrates the conceptual working of the tree using the threshold function.
Let us compute the polynomial for the root node x of the access tree of Figure 19.1. Note that $d_x$ is the degree of the polynomial of every non-leaf node, which we compute as $d_x = k_x - 1$. Note that in this example, if a node is an AND gate, then the number of its child nodes must be 2. Therefore, $d_x$ must be 0 or 1. If we ignore $d_x = k_x - 1$ and assume that if a node is an AND gate then its $d_x$ is 1 and if a node is an OR gate then its $d_x$ is 0, we can remove the limitation that the number of child nodes must be 2. Now, in our case, the root node x = 1 has an AND gate, so this node has $num_1 = 2$, $k_1 = 2$, $d_1 = 1$. Because the degree of the polynomial is $d_1 = 1$, we take $q_1(0) = y$ (where y is a uniformly random value $y \in \mathbb{Z}_p$) and add a random number $a \in \mathbb{F}_p$ to complete the polynomial $q_1(x) = ax + y$. Next, we compute the polynomial of each node whose parent is the root node. First, put the node’s index into the polynomial of the root node. Second, compute $d_x$; then, according to $d_x$, add random numbers.
TABLE 19.1
Flow of satisfying an access tree. A non-leaf node is written as (index, threshold) → and its children are evaluated first; ← gives its result $T_x(\gamma) = q_{k_x}(\text{number of children returning } 1)$, and for a leaf $T_x(\gamma) = [att(x) \in \gamma]$.
(1,2) →
  (2,2) →
    ← $T_5(\gamma) = [att(5) \in \gamma] = 1$
    (4,1) →
      ← $T_6(\gamma) = [att(6) \in \gamma] = 0$
      ← $T_7(\gamma) = [att(7) \in \gamma] = 1$
    ← $T_4(\gamma) = q_1(1) = 1$
  ← $T_2(\gamma) = q_2(2) = 1$
  (3,1) →
    ← $T_8(\gamma) = [att(8) \in \gamma] = 0$
    ← $T_9(\gamma) = [att(9) \in \gamma] = 0$
    ← $T_{10}(\gamma) = [att(10) \in \gamma] = 1$
  ← $T_3(\gamma) = q_1(1) = 1$
← $T_1(\gamma) = q_2(2) = 1$
FIGURE 19.1
Satisfying an access tree.
In the case of the node with index 2, $d_2 = 1$. Therefore, its polynomial is set to $q_2(x) = bx + 2a + y$, where b is a random number. In the case of the node with index 3, $d_3 = 0$. Therefore, its polynomial is set to $q_3(x) = 3a + y$. In the same way, we make the polynomial equation for each non-leaf node. The polynomials of all non-leaf nodes (including the root node) of the above tree are given below:
1. Root node: $q_1(x) = ax + y$.
2. Child with index = 2: $q_2(x) = bx + 2a + y$.
3. Child with index = 3: $q_3(x) = 3a + y$.
4. Child with index = 4: $q_4(x) = 4b + 2a + y$.
A leaf node is dealt with as an OR gate. In the same way as for non-leaf nodes, the polynomials of all leaf nodes of the above tree are computed as follows:
1. Leaf node with index = 5: $q_5(0) = q_2(5) = 5b + 2a + y$.
2. Leaf node with index = 6: $q_6(0) = q_4(6) = 4b + 2a + y$.
3. Leaf node with index = 7: $q_7(0) = q_4(7) = 4b + 2a + y$.
4. Leaf node with index = 8: $q_8(0) = q_3(8) = 3a + y$.
5. Leaf node with index = 9: $q_9(0) = q_3(9) = 3a + y$.
6. Leaf node with index = 10: $q_{10}(0) = q_3(10) = 3a + y$.
19.3 Preliminaries
This section provides some hardness assumptions and security models for
attribute-based encryption.
19.3.1 The Generic Bilinear Group Model
Suppose two random encodings $\psi_0, \psi_1$ of the additive group $\mathbb{F}_p$ are given. These encodings are injective maps $\psi_0, \psi_1 : \mathbb{F}_p \to \{0, 1\}^m$, $m > 3\log(p)$³. That is, $G_i = \{\psi_i(x) : x \in \mathbb{F}_p\}$, where $i \in \{0, 1\}$. We have the following:
1. Oracles with which we can compute the induced group action on $G_0, G_1$.
2. An oracle to calculate the bilinear map $e : G_0 \times G_0 \to G_1$ as described in Bilinear map.
3. A random oracle to represent the hash function H.
In the generic group model, we will refer to $g^x$ and $e(g, g)^x$ as $\psi_0(x)$ and $\psi_1(x)$ respectively.
³ This is because we have three oracles $G_0$, $G_1$, H. The range of each oracle is of order p. Therefore, to generate a unique string from the response of each oracle, the size of the string must be greater than 3 log(p).
19.3.2 The Decisional Bilinear Diffie-Hellman (DBDH) Assumption
Let $a, b, c, z \in \mathbb{Z}_p$ be chosen at random and g be a generator of $G_0$. The decisional BDH assumption is that no probabilistic polynomial-time algorithm $\mathcal{B}$ can distinguish the tuple $(A = g^a, B = g^b, C = g^c, e(g, g)^{abc})$ from the tuple $(A = g^a, B = g^b, C = g^c, e(g, g)^z)$ with more than a negligible advantage. The advantage of $\mathcal{B}$ is
$$\left| \Pr[\mathcal{B}(A, B, C, e(g, g)^{abc}) = 0] - \Pr[\mathcal{B}(A, B, C, e(g, g)^z) = 0] \right| \le \epsilon. \qquad (19.2)$$
19.3.3 Selective-Set Model for KP-ABE
The game for the selective-set model is defined as below.
1. Init The adversary declares the set of attributes γ that he wishes to be challenged upon.
2. Setup The challenger runs the Setup algorithm of ABE and gives the public parameters to the adversary.
3. Phase I The adversary is allowed to issue queries for private keys for many access structures $\mathbb{A}_j$, where γ does not satisfy $\mathbb{A}_j$ ($\gamma \notin \mathbb{A}_j$) for all j.
4. Challenge The adversary submits two equal-length messages $m_0$ and $m_1$. The challenger flips a random coin v and encrypts $m_v$ with γ. The ciphertext is passed to the adversary.
5. Phase II The same as in Phase I.
6. Guess The adversary outputs the guess v′.
The advantage of the adversary $\mathcal{A}$ in this game is defined as $\Pr[v' = v] - \frac{1}{2}$.
Definition 6 The KP-ABE scheme is secure in the Selective-Set
Model if all polynomial time adversaries have at most a negligible advantage
in the above security game.
19.3.4 Security Model for CP-ABE
The adaptive security model game is described as below.
1. Setup The challenger runs the Setup algorithm and gives the public parameters PK to the adversary.
2. Phase I The adversary makes repeated private key queries corresponding to sets of attributes $S_1, \dots, S_{q_1}$.
3. Challenge The adversary submits two equal-length messages $M_0$ and $M_1$ and a challenge access structure $\mathbb{A}^*$ such that none of the attribute sets from Phase I (i.e., $S_1, \dots, S_{q_1}$) satisfies $\mathbb{A}^*$. $\mathcal{A}$ receives $CT^*$ as the response to the query.
4. Phase II Phase I is repeated with the restriction that none of the sets of attributes $S_{q_1+1}, \dots, S_q$ satisfies the access structure $\mathbb{A}^*$ corresponding to the challenge.
5. Guess The adversary outputs a guess b′ of b.
The advantage of the adversary $\mathcal{A}$ in this game is defined as $\Pr[b' = b] - \frac{1}{2}$.
Definition 7 The CP-ABE scheme is secure in the security model
if all polynomial time adversaries have at most a negligible advantage in the
above security game.
19.4 KP-ABE [55]
KP-ABE is an approach in public-key cryptography where an identity is defined as a set of attributes. The person authorized to decrypt the ciphertext holds a key for matching attributes. Such private keys are generated by trusted parties. In KP-ABE, the access structure maintains the access policy, which is encoded into the secret key. In this case, the access structure T is a monotonic tree. In KP-ABE, the ciphertext is constructed such that part of it contains the set of attributes γ. In addition, the private key along with the access structure is generated by a trusted party.
Construction 1. KP-ABE
Setup
1. On input of the security parameter κ, determine groups $G_0$, $G_1$, a bilinear map $e : G_0 \times G_0 \to G_1$, and associate each attribute with a unique element in $\mathbb{Z}_p^*$.
2. Define a universe of attributes, U = {1, 2, ..., n}.
3. Choose uniformly random values $t_i \in \mathbb{Z}_p$ for each i ∈ U.
4. Choose a uniformly random value $y \in \mathbb{Z}_p$.
5. The public parameters PK are $(T_1 = g^{t_1}, \dots, T_n = g^{t_n}, Y = e(g, g)^y)$ and the master key MK is $(t_1, \dots, t_n, y)$.
Key Generation This algorithm outputs the key which enables the user to decrypt a message encrypted under a set of attributes γ only if T(γ) = 1.
1. Choose a polynomial $q_x$ for each non-leaf node x in the tree T.
2. Polynomials are chosen in a top-down manner, starting from the root node r.
3. For node x, set the degree of the polynomial $q_x$ such that $d_x = k_x - 1$, where $k_x$ is the threshold value of the node.
4. For the root node r, set $q_r(0) = y$ and the other $d_r$ points randomly.
5. For other nodes x, set $q_x(0) = q_{parent(x)}(index(x))$ and the other $d_x$ points randomly.
6. After the polynomials have been decided, for each leaf node x, give the following values to the user:
$$D_x = g^{\frac{q_x(0)}{t_i}}, \qquad \text{where } i = att(x).$$
7. The set of the above secret values is the decryption key D.
Encryption For a message $M \in G_1$ under the set of attributes γ, and random $s \in \mathbb{Z}_p$:
1. Publish
$$E = (\gamma, E', \{E_i\}_{i \in \gamma}), \qquad E' = M Y^s, \qquad E_i = T_i^s.$$
Decryption If the node x is a leaf node, $DecryptNode(E, D, x) = e(D_x, E_i)$:
1. If i ∈ γ,
$$e(D_x, E_i) = e\!\left(g^{\frac{q_x(0)}{t_i}}, g^{s \cdot t_i}\right) = e(g, g)^{s \cdot q_x(0)}.$$
2. Else, return ⊥.
If the node x is a non-leaf node, the DecryptNode algorithm works recursively.
Let i = att(x). If the node x is a leaf node, then it simply proceeds as mentioned in the Decryption process described above. Now consider the recursive case when x is a non-leaf node; in this case the algorithm DecryptNode(E, D, x)⁴ proceeds as follows.
For all nodes z that are children of x, it calls DecryptNode(E, D, z) and stores the output as $F_z$, as shown below. Let $S_x$ be an arbitrary $k_x$-sized set of child nodes z such that $F_z \ne \bot$. If no such set exists, then the node was not satisfied and the function returns ⊥. Otherwise, the function returns the result computed as
$$\begin{aligned}
F_x &= \prod_{z \in S_x} F_z^{\Delta_{i, S'_x}(0)}, \qquad \text{where } i = index(z),\ S'_x = \{index(z) : z \in S_x\} \\
&= \prod_{z \in S_x} \left( e(g, g)^{s \cdot q_z(0)} \right)^{\Delta_{i, S'_x}(0)} \\
&= \prod_{z \in S_x} \left( e(g, g)^{s \cdot q_{parent(z)}(index(z))} \right)^{\Delta_{i, S'_x}(0)} \\
&= \prod_{z \in S_x} e(g, g)^{s \cdot q_x(i) \cdot \Delta_{i, S'_x}(0)} = e(g, g)^{s \cdot q_x(0)}.
\end{aligned}$$
Here $\Delta_{i, S'_x}(0)$ is the Lagrange coefficient. Since we start calling the function from the root of the access tree, we can observe that $DecryptNode(CT, SK, r) = e(g, g)^{ys} = Y^s$ (here using r because it is the root node) if and only if the ciphertext satisfies the tree T. Since $E' = M Y^s$, the decryption algorithm simply divides out $Y^s$ and recovers the message M.
For an example, a user has the private key for the access tree of Figure 19.1. So the private key is comprised as follows:
$$\begin{aligned}
D_5 &= g^{\frac{q_5(0)}{s_1}} = g^{\frac{5b + 2a + y}{s_1}}, & D_6 &= g^{\frac{q_6(0)}{s_2}} = g^{\frac{6d + 4b + 2a + y}{s_2}}, & D_7 &= g^{\frac{q_7(0)}{s_3}} = g^{\frac{7d + 4b + 2a + y}{s_3}}, \\
D_8 &= g^{\frac{q_8(0)}{s_4}} = g^{\frac{3a + y}{s_4}}, & D_9 &= g^{\frac{q_9(0)}{s_5}} = g^{\frac{3a + y}{s_5}}, & D_{10} &= g^{\frac{q_{10}(0)}{s_6}} = g^{\frac{3a + y}{s_6}}.
\end{aligned}$$
The set of attributes γ of the ciphertext is {Doctor, Surgical_dept, B_hospital}. So the ciphertext is computed as follows:
$$E' = M Y^s, \qquad E_1 = T_1^s = g^{s \cdot s_1}, \qquad E_3 = T_3^s = g^{s \cdot s_3}, \qquad E_5 = T_5^s = g^{s \cdot s_5}.$$
To compute $F_1$, i.e., $F_r$, we proceed as follows:
1. $F_9 = e(D_9, E_5) = e\!\left(g^{\frac{3a + y}{s_5}}, g^{s \cdot s_5}\right) = e(g, g)^{s(3a + y)}$.
2. $F_7 = e(D_7, E_3) = e\!\left(g^{\frac{4b + 2a + y}{s_3}}, g^{s \cdot s_3}\right) = e(g, g)^{s(4b + 2a + y)}$.
3. $F_5 = e(D_5, E_1) = e\!\left(g^{\frac{5b + 2a + y}{s_1}}, g^{s \cdot s_1}\right) = e(g, g)^{s(5b + 2a + y)}$.
4. $F_4 = F_7^{\Delta_{4, \{4\}}(0)} = e(g, g)^{s(4b + 2a + y)}$, where $\Delta_{4, \{4\}}(0) = 1$.
5. $F_3 = F_9^{\Delta_{3, \{3\}}(0)} = e(g, g)^{s(3a + y)}$, where $\Delta_{3, \{3\}}(0) = 1$.
6. $F_2 = \prod_{z \in \{4, 5\}} F_z^{\Delta_{z, \{4, 5\}}(0)} = F_4^{\Delta_{4, \{4, 5\}}(0)} \times F_5^{\Delta_{5, \{4, 5\}}(0)} = F_4^{\frac{0 - 5}{4 - 5}} \times F_5^{\frac{0 - 4}{5 - 4}} = F_4^{5} \times F_5^{-4}$
$= \left( e(g, g)^{s(4b + 2a + y)} \right)^5 \times \left( e(g, g)^{s(5b + 2a + y)} \right)^{-4} = e(g, g)^{s(20b + 10a + 5y)} \times e(g, g)^{s(-20b - 8a - 4y)}$
$= e(g, g)^{s(20b + 10a + 5y - 20b - 8a - 4y)} = e(g, g)^{s(2a + y)}$.
7. $F_1 = \prod_{z \in \{2, 3\}} F_z^{\Delta_{z, \{2, 3\}}(0)} = F_2^{\Delta_{2, \{2, 3\}}(0)} \times F_3^{\Delta_{3, \{2, 3\}}(0)} = F_2^{\frac{0 - 3}{2 - 3}} \times F_3^{\frac{0 - 2}{3 - 2}} = F_2^{3} \times F_3^{-2}$
$= \left( e(g, g)^{s(2a + y)} \right)^3 \times \left( e(g, g)^{s(3a + y)} \right)^{-2} = e(g, g)^{s(6a + 3y)} \times e(g, g)^{s(-6a - 2y)}$
$= e(g, g)^{s(6a + 3y - 6a - 2y)} = e(g, g)^{sy} = Y^s$.
⁴ Here, if we consider Figure 19.1, then for the node with index 2 we know $q_2(x) = b \cdot x + 2a + y$; therefore the secret value for this node will be $D_2 = \frac{q_2(0)}{t_i} = \frac{2a + y}{t_i}$.
19.4.1 Security Analysis of KP-ABE
Theorem 1 If an adversary can break Construction 1 in the Selective-Set model, then a simulator can be constructed to play the Decisional BDH game with a non-negligible advantage \epsilon.
Proof Suppose there exists a polynomial-time adversary A capable of breaking Construction 1 in the Selective-Set model with advantage \epsilon. Then we can build a simulator B that solves the Decisional BDH problem with advantage \epsilon/2.
The challenger first sets two groups G_0 and G_1 with an efficient bilinear map e and generator g. The challenger defines the universe U and selects a uniformly random bit \mu outside B's view. For \mu = 0, the challenger sets (A, B, C, Z) = (g^a, g^b, g^c, e(g,g)^{abc}); otherwise, (A, B, C, Z) = (g^a, g^b, g^c, e(g,g)^z) for random a, b, c, z.
Init The simulator B runs adversary A, which chooses the set of attributes \gamma to be challenged upon.
Setup The simulator sets the parameter Y = e(A, B) = e(g,g)^{ab}. For all i \in U: if i \in \gamma, B chooses a random r_i \in Z_p and sets t_i = r_i (i.e., T_i = g^{r_i}); otherwise, if i \notin \gamma, B sets t_i = b\beta_i for a random value \beta_i \in Z_p (i.e., T_i = g^{b\beta_i} = B^{\beta_i}). B gives the public parameters to A. Note that B does not know the master key; if B knew the master key, B would not need to run this process at all, because B could then decide the given instance by itself.
Phase I A adaptively makes requests for the keys corresponding to any access structure T such that the challenge set \gamma does not satisfy T, i.e., T(\gamma) = 0. To generate a secret key, B needs to assign a polynomial Q_x of degree d_x to each non-leaf node x in T. Furthermore, to simulate key generation for each node x of the access tree based on the attributes, the computation is carried out through two procedures, PolySat(T_x, \gamma, \lambda_x) and PolyUnsat(T_x, \gamma, g^{\lambda_x}). The details are given in the box below:
PolySat(T_x, \gamma, \lambda_x)
This procedure sets up the polynomials for the nodes of an access sub-tree T_x whose root node is satisfied, i.e., T_x(\gamma) = 1. Its input parameters are the tree rooted at T_x, the set of attributes \gamma (the challenge set), and an integer \lambda_x \in Z_p. The algorithm proceeds as follows:
1. To set up a polynomial q_x of degree d_x for the root node x, set q_x(0) = \lambda_x and choose the remaining points randomly to completely fix q_x.
2. Set the polynomials for each child node x' of node x by calling the procedure PolySat(T_{x'}, \gamma, q_x(index(x'))). Notice that in this way q_{x'}(0) = q_x(index(x')) for each child x' of x.
PolyUnsat(T_x, \gamma, g^{\lambda_x})
This procedure sets up the polynomials for the nodes of an access tree whose root node is unsatisfied, i.e., T_x(\gamma) = 0. For an unsatisfied child node x' of node x, the polynomial is set such that q_{x'}(0) \neq q_x(index(x')). Its input parameters are the tree rooted at T_x, the set of attributes \gamma (the challenge set), and an element g^{\lambda_x} \in G_0, where \lambda_x \in Z_p:
1. Define a polynomial q_x of degree d_x for the root node x such that q_x(0) = \lambda_x. As T_x(\gamma) = 0, no more than d_x children of x are satisfied. Remember that d_x = k_x - 1, where k_x is the threshold value. Let h_x \le d_x be the number of satisfied children of x.
2. For each satisfied child x' of x, the procedure chooses a random point \lambda_{x'} \in Z_p and sets q_x(index(x')) = \lambda_{x'}. Remember that even if the access trees of two users are the same, the polynomials of the nodes in the two users' private keys are different. So there is no relationship between the private keys of two users, except that q_r(0) = y. Therefore, selecting \lambda_{x'} at random does not affect the simulation of the other users' private keys.
3. It then fixes the remaining d_x - h_x points of q_x randomly to completely define q_x.
4. For each child node x' of x, the algorithm calls:
(a) PolySat(T_{x'}, \gamma, q_x(index(x'))), if x' is a satisfied node (q_x(index(x')) is known).
(b) PolyUnsat(T_{x'}, \gamma, g^{q_x(index(x'))}), if x' is not a satisfied node (for g^{q_x(index(x'))}, only g^{q_x(0)} is known, and the remaining points are set randomly to complete its definition).
Why does the PolyUnsat algorithm take g^{q_x(index(x'))} as input? When x is the root, the PolySat algorithm cannot run: q_x(0) = ab, where a, b are the exponents of the assumption's instance, and the simulator cannot know these values. However, PolyUnsat can run without knowing those exponents, because even though g^{q_x(0)} = g^{ab}, according to the setting of T_i, D_x uses only g^a.
We need to make sure that the private key created through this process works properly.
We know q_x completely if T_x is satisfied by the challenge attribute set \gamma, because it is set randomly. Otherwise, at least g^{q_x(0)} is known, and we may or may not know q_x completely. The simulator defines the final polynomial Q_x(\cdot) = b \cdot q_x(\cdot) for each node x of T. Now, as q_r(0) = a (q_r denotes the root node polynomial), the procedure sets y = Q_r(0) = ab. The simulator defines the polynomial Q_x(\cdot) and returns the private key as follows:
if att(x) \in \gamma:
    D_x = g^{Q_x(0)/t_i} = g^{b \cdot q_x(0)/t_i} = B^{q_x(0)/r_i},    (19.3)
else:
    D_x = g^{Q_x(0)/t_i} = g^{b \cdot q_x(0)/(b \cdot \beta_i)} = g^{q_x(0)/\beta_i}.    (19.4)
The distribution of the private key for T is identical to that in the original
scheme.
Challenge The adversary A submits two messages m_0, m_1 to the simulator. The simulator chooses a uniformly random bit v and returns an encryption of m_v as
E = (\gamma, E' = m_v Z, \{E_i = C^{r_i}\}_{i \in \gamma}).    (19.5)
Now if \mu = 0, then Z = e(g,g)^{abc}. If s = c, then Y^s = (e(g,g)^{ab})^c = e(g,g)^{abc} and E_i = (g^{r_i})^c = C^{r_i}. Therefore the ciphertext is a valid random encryption of message m_v.
Otherwise, if \mu = 1, then Z = e(g,g)^z and E' = m_v e(g,g)^z; as z is random, E' is a random element of G_1. Therefore the ciphertext contains no information about m_v from A's point of view.
Phase II The simulator B responds to the queries of A as in Phase I.
Guess A submits a guess v' of v. If v' = v, B outputs \mu' = 0 to indicate that it was given a valid BDH tuple. Otherwise, B outputs \mu' = 1 to indicate that it was given a random tuple.
19.4.2 Probability Analysis
In this section, we perform the probability analysis of KP-ABE. For the case \mu = 1, the adversary gains no information about v. Therefore, when v \neq v', the simulator guesses \mu' = 1 with probability
Pr[\mu' = \mu \mid \mu = 1] = 1/2.
If \mu = 0, A can decrypt an encryption of m_v, so its advantage is \epsilon by definition. Therefore the simulator guesses \mu' = 0 when v' = v with probability
Pr[\mu' = \mu \mid \mu = 0] = 1/2 + \epsilon.
The overall advantage of the simulator in the Decisional BDH game is
Pr[\mu' = \mu \mid \mu = 0] Pr[\mu = 0] + Pr[\mu' = \mu \mid \mu = 1] Pr[\mu = 1] - 1/2
(Note: Pr[\mu = 1] = Pr[\mu = 0] = 1/2)
= (1/2) Pr[\mu' = \mu \mid \mu = 0] + (1/2) Pr[\mu' = \mu \mid \mu = 1] - 1/2
= (1/2)(1/2 + \epsilon) + (1/2)(1/2) - 1/2 = \epsilon/2.    □
19.5 CP-ABE [14]
In CP-ABE, part of the user's private key is composed of an attribute set, and the ciphertext contains the structure specifying an access policy defined over the universe of attributes in the system. A user is able to decrypt a ciphertext if and only if his attributes satisfy the access structure associated with the ciphertext. In CP-ABE, the authorization is included in the encrypted data, and a user who satisfies this policy can decrypt the data. In addition, the user who encrypts the message defines the access structure by specifying the attributes of the users legitimately allowed to decrypt. The key generation authority therefore assigns private keys based on the attributes of the user.
Construction 2. CP-ABE
Setup
1. Choose a bilinear group G_0 of prime order p with generator g.
2. Choose two random exponents \alpha, \beta \in Z_p.
3. Choose a hash function H : \{0,1\}^* \to G_0.
4. The public key PK is (G_0, g, h = g^{\beta}, f = g^{1/\beta}, e(g,g)^{\alpha}) and the master key MK is (\beta, g^{\alpha}), where f is only used for delegation.
Key Generation For a set of attributes S, choose a random value r \in Z_p and, for all j \in S, r_j \in Z_p, and output
SK = (D = g^{(\alpha + r)/\beta}, \forall j \in S : D_j = g^r \cdot H(j)^{r_j}, D'_j = g^{r_j}).
Delegate
1. Take as input the secret key SK for a set of attributes S and a set \tilde{S} \subset S:
SK = (D, \forall j \in S : D_j, D'_j).
2. Output a secret key \tilde{SK} for the set of attributes \tilde{S} as
\tilde{SK} = (\tilde{D} = D f^{\tilde{r}}, \forall k \in \tilde{S} : \tilde{D}_k, \tilde{D}'_k), where \tilde{D}_k = D_k g^{\tilde{r}} H(k)^{\tilde{r}_k} and \tilde{D}'_k = D'_k g^{\tilde{r}_k}.
Encryption
1. Choose a polynomial q_x for each node x (including the leaves) in the tree T.
2. These polynomials are chosen in a top-down manner, starting from the root node r.
3. For each node x, set the degree d_x of the polynomial q_x such that d_x = k_x - 1, where k_x is its threshold value.
4. Choose a random s \in Z_p; for the root node r, set q_r(0) = s and choose d_r other points randomly.
5. For every other node x, set q_x(0) = q_{parent(x)}(index(x)) and choose the other points randomly.
6. Let Y be the set of leaf nodes in T. The ciphertext is constructed as
CT = (T, \tilde{C} = M \cdot e(g,g)^{\alpha s}, C = h^s, \forall y \in Y : C_y = g^{q_y(0)}, C'_y = H(att(y))^{q_y(0)}).
Decryption It uses DecryptNode(CT, SK, x) to perform the polynomial interpolation.
1. If T is satisfied by S and A = DecryptNode(CT, SK, r) = e(g,g)^{rs}, we have
M = \tilde{C} / (e(C, D)/A) = M \cdot e(g,g)^{\alpha s} / (e(h^s, g^{(\alpha + r)/\beta}) / e(g,g)^{rs}).
2. Else, return \bot.
DecryptNode On input the ciphertext CT, the secret key SK and a node x: if x is a leaf node, let i = att(x):
1. If i \notin S, return \bot.
2. Else, return e(D_i, C_x) / e(D'_i, C'_x) = e(g^r H(i)^{r_i}, g^{q_x(0)}) / e(g^{r_i}, H(i)^{q_x(0)}) = e(g,g)^{r q_x(0)}.
If x is a non-leaf node, for all child nodes z evaluate F_z = DecryptNode(CT, SK, z). For the set of children S_x = \{z \mid F_z \neq \bot\}:
1. If its size |S_x| < k_x, return \bot.
2. Else, let i = index(z) and S'_x = \{index(z) : z \in S_x\}, and return
F_x = \prod_{z \in S_x} F_z^{\Delta_{i,S'_x}(0)} = e(g,g)^{r q_x(0)}.
Correctness of F_x:
F_x = \prod_{z \in S_x} F_z^{\Delta_{i,S'_x}(0)} = \prod_{z \in S_x} \left(e(g,g)^{r \cdot q_z(0)}\right)^{\Delta_{i,S'_x}(0)}
    = \prod_{z \in S_x} \left(e(g,g)^{r \cdot q_{parent(z)}(index(z))}\right)^{\Delta_{i,S'_x}(0)}
    = \prod_{z \in S_x} e(g,g)^{r \cdot q_x(i) \cdot \Delta_{i,S'_x}(0)} = e(g,g)^{r \cdot q_x(0)}.
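The DecryptNode recursion that the KP-ABE worked example in Section 19.4 (steps 1 to 7 above) and Construction 2 of CP-ABE share, as an added Python example that is neither the book's code nor that of the original schemes. It works "in the exponent": a pairing e(g^a, g^b) = e(g,g)^{ab} is modelled by the product ab mod p, a product of group elements by a sum of exponents, and F_z^{\Delta} by F_z \cdot \Delta, so the Lagrange bookkeeping is exactly the one in the derivations above with the group left out. The tree shape is an assumed reading of Figure 19.1 (root 2-of-2 over nodes 2 and 3, node 2 2-of-2 over nodes 4 and 5, leaves 5, 7, 9 carrying attributes 1, 3, 5), the field prime and the seed are constructed for the demonstration, and H(j) = g^{t_j} is modelled by its exponent t_j as in the generic-group proof.

```python
# Added example (not from the book): the DecryptNode recursion of KP-ABE
# (Construction 1) and CP-ABE (Construction 2), simulated "in the exponent".
# e(g^a, g^b) = e(g,g)^{ab} becomes a*b mod p, a product of group elements a
# sum of exponents, F_z^{Delta} becomes F_z * Delta; only the group is left out.
import random

P = 2**127 - 1  # field order (assumption: any large prime works here)

def lagrange_coeff(i, S, p=P):
    """Delta_{i,S}(0) = prod_{j in S, j != i} (0 - j) / (i - j) mod p."""
    num = den = 1
    for j in S:
        if j != i:
            num = num * (-j) % p
            den = den * (i - j) % p
    return num * pow(den, -1, p) % p

class Node:
    """Access-tree node: a k_x-of-n gate (attr is None) or a leaf carrying att(x)."""
    def __init__(self, index, k=None, children=(), attr=None):
        self.index, self.k, self.children, self.attr = index, k, list(children), attr

def share_over_tree(root, secret, rng, p=P):
    """Top-down assignment: q_r(0) = secret, q_x(0) = q_parent(x)(index(x)).
    Returns {leaf: q_leaf(0)} (KeyGen of KP-ABE, Encrypt of CP-ABE)."""
    out = {}
    def assign(x, q0):
        if x.attr is not None:
            out[x] = q0
            return
        coeffs = [q0] + [rng.randrange(p) for _ in range(x.k - 1)]  # degree k_x - 1
        for c in x.children:
            assign(c, sum(a * pow(c.index, e, p) for e, a in enumerate(coeffs)) % p)
    assign(root, secret)
    return out

def decrypt_node(x, leaf_value, p=P):
    """The book's DecryptNode; leaf_value(x) gives a leaf's exponent or None (bottom)."""
    if x.attr is not None:
        return leaf_value(x)
    F = {}
    for z in x.children:
        fz = decrypt_node(z, leaf_value, p)
        if fz is not None:
            F[z.index] = fz
    if len(F) < x.k:
        return None
    S = sorted(F)[:x.k]  # any k_x satisfied children; S'_x = {index(z)}
    return sum(F[i] * lagrange_coeff(i, S, p) for i in S) % p

def kp_abe_decrypt(tree, gamma, y, t, s, rng, p=P):
    """KP-ABE: the key shares y over the tree (D_x = g^{q_x(0)/t_i});
    the ciphertext carries E_i = T_i^s = g^{t_i s} for i in gamma."""
    q = share_over_tree(tree, y, rng, p)
    D = {x: q[x] * pow(t[x.attr], -1, p) % p for x in q}
    E = {i: t[i] * s % p for i in gamma}
    leaf = lambda x: D[x] * E[x.attr] % p if x.attr in E else None  # e(D_x, E_i)
    return decrypt_node(tree, leaf, p)  # y*s on success, the exponent of Y^s

def cp_abe_decrypt(tree, S_attrs, alpha, beta, r, t, s, rng, p=P):
    """CP-ABE: the ciphertext shares s over the tree; the key carries r and r_j."""
    q = share_over_tree(tree, s, rng, p)
    rj = {j: rng.randrange(p) for j in S_attrs}
    Dj = {j: (r + t[j] * rj[j]) % p for j in S_attrs}  # D_j = g^r H(j)^{r_j}, H(j) = g^{t_j}
    def leaf(x):
        i = x.attr
        if i not in S_attrs:
            return None
        # e(D_i, C_x) / e(D'_i, C'_x): (r + t_i r_i) q_x(0) - r_i (t_i q_x(0)) = r q_x(0)
        return (Dj[i] * q[x] - rj[i] * (t[i] * q[x])) % p
    A = decrypt_node(tree, leaf, p)
    if A is None:
        return None
    # e(C, D) / A with C = h^s = g^{beta s}, D = g^{(alpha + r)/beta}: (alpha + r)s - rs
    return ((alpha + r) * pow(beta, -1, p) * (beta * s) - A) % p  # alpha*s on success

def example_tree():
    """Assumed reading of Figure 19.1: root 2-of-2 over nodes 2 and 3; node 2 is 2-of-2
    over nodes 4 and 5; node 4 (1-of-1) holds leaf 7; node 3 (1-of-1) holds leaf 9.
    Leaves 5, 7, 9 carry attributes 1, 3, 5 (the book's T_1, T_3, T_5)."""
    return Node(1, 2, [
        Node(2, 2, [Node(4, 1, [Node(7, attr=3)]), Node(5, attr=1)]),
        Node(3, 1, [Node(9, attr=5)]),
    ])

def run_example(seed=7):
    rng = random.Random(seed)  # seeded only so the demonstration is reproducible
    tree = example_tree()
    t = {i: rng.randrange(1, P) for i in (1, 3, 5)}
    y, s, alpha, beta, r = (rng.randrange(1, P) for _ in range(5))
    kp_ok = kp_abe_decrypt(tree, {1, 3, 5}, y, t, s, rng) == y * s % P
    kp_fail = kp_abe_decrypt(tree, {1, 5}, y, t, s, rng)  # leaf 7 missing: bottom
    cp_ok =  cp_abe_decrypt(tree, {1, 3, 5}, alpha, beta, r, t, s, rng) == alpha * s % P
    cp_fail = cp_abe_decrypt(tree, {3, 5}, alpha, beta, r, t, s, rng)  # node 2 unsatisfied
    return kp_ok, kp_fail, cp_ok, cp_fail
```

The KP-ABE path returns y \cdot s, the exponent of Y^s that steps 1 to 7 of the worked example obtain for F_1; the CP-ABE path returns \alpha \cdot s, the exponent of e(g,g)^{\alpha s} that decryption divides out of \tilde{C}. Both return None (the book's \bot) as soon as some gate has fewer satisfied children than its threshold k_x, which is exactly the point where the Lagrange step refuses to run, so no partial information about the root share leaks from an unsatisfied subtree.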
As in the case of KP-ABE, we also have to show the full process.
Theorem 2 Given \psi_0, \psi_1, G_0, G_1 for an adversary A. If A is bounded by q queries to the oracles for the hash function, the groups G_0, G_1 of order p and the bilinear map e, then the adversary can break Construction 2 in the CP-ABE security model with advantage at most O(q^2/p).
Intuition of the Proof It can be observed that in the security game of CP-ABE, the component \tilde{C} of the challenge ciphertext is M_b \cdot e(g,g)^{\alpha s} (= M_b \cdot \psi_1(\alpha s)), where b is chosen randomly from \{0,1\}. Suppose there is another game in which \tilde{C} is either e(g,g)^{\alpha s} (= \psi_1(\alpha s)) or e(g,g)^{\theta} (= \psi_1(\theta)), where \theta is selected uniformly at random from F_p, and the adversary has to guess between the two cases. An adversary that has advantage \epsilon in the CP-ABE game can be modified into an adversary that has advantage \epsilon/2 in this other game. It may be seen as two hybrid games: in one game the adversary has to distinguish between M_0 \cdot e(g,g)^{\alpha s} (= M_0 \cdot \psi_1(\alpha s)) and e(g,g)^{\theta} (= \psi_1(\theta)), and in the other game the adversary has to distinguish between e(g,g)^{\theta} (= \psi_1(\theta)) and M_1 \cdot e(g,g)^{\alpha s} (= M_1 \cdot \psi_1(\alpha s)). The combination of these two games is equivalent to the CP-ABE security game.
Proof For the proof of security in the generic bilinear group model, the details of the simulator's responses to the adversary A are described below:
Setup The simulator chooses \alpha, \beta randomly from F_p. If \beta = 0 (which happens 1/p of the time), setup is aborted; the same holds in the actual scheme. The public parameters h = g^{\beta} (= \psi_0(\beta)), f = g^{1/\beta} (= \psi_0(1/\beta)) and e(g,g)^{\alpha} (= \psi_1(\alpha)) are sent to the adversary.
Phase I The simulator has to respond to two types of queries. For the different queries, the simulator proceeds as follows:
1. Hash Query On a query for the evaluation of H(i), where i is any string, t_i \in F_p is chosen uniformly at random such that the value was not chosen before. Finally the value g^{t_i} (= \psi_0(t_i)) is passed to the adversary.
2. Key Generation Query On the j-th key generation query, for attribute set S_j, a new random value r^{(j)} is chosen from F_p. The simulator then computes D = g^{(\alpha + r^{(j)})/\beta} (= \psi_0((\alpha + r^{(j)})/\beta)) and, for all i \in S_j, D_i = g^{r^{(j)} + t_i r_i^{(j)}} (= \psi_0(r^{(j)} + t_i r_i^{(j)})) and D'_i = g^{r_i^{(j)}} (= \psi_0(r_i^{(j)})), and the values are passed to the adversary.
Challenge In this phase, the adversary sends two messages M_0, M_1 and an access tree \mathbb{A} to the challenger B. B chooses s \in F_p. Then it constructs the shares \lambda_i of s for all relevant attributes i using the linear secret sharing scheme associated with \mathbb{A}. That is, for the attributes i that satisfy the access tree \mathbb{A}, the \lambda_i must include s. The \lambda_i are chosen uniformly at random from F_p subject to the consistency imposed on them by the access structure. The choice of the \lambda_i is simulated by choosing l random values \varrho_1, \ldots, \varrho_l uniformly at random from F_p, for some value l, and then letting the \lambda_i be fixed public linear combinations of the \varrho_k and s. The simulator chooses a random \theta \in F_p and constructs the encryption as \tilde{C} = e(g,g)^{\theta} (= \psi_1(\theta)) and C = h^s (= \psi_0(\beta s)). For each attribute i, we have C_i = g^{\lambda_i} (= \psi_0(\lambda_i)) and C'_i = g^{t_i \lambda_i} (= \psi_0(t_i \lambda_i)), and these values are sent back to the adversary.
In the proof, it will be shown that if the simulator chooses the variable values^5 randomly, then with probability 1 - O(q^2/p) the adversary sees the same distribution of the ciphertext as when \tilde{C} = e(g,g)^{\alpha s}. It will be concluded that, under the stated conditions, the adversary's advantage is at most O(q^2/p).
5 This includes all values chosen uniformly from F_p, i.e., \alpha, \beta, t_i, r^{(j)}, s, \lambda_i, \varrho_1, \ldots, \varrho_l, \theta.
Reduction algorithm R
Setup
1. Choose two random values \alpha, \beta.
2. Compute h = g^{\beta}.
3. Compute f = g^{1/\beta}.
4. Compute v = e(g,g)^{\alpha}.
5. Set the public key as PK = (g, h, f, v).
Hash Queries To respond to queries for the evaluation of the hash on any attribute string i, R maintains a list of tuples (i, H(i), t_i), where i \in \{0,1\}^*, and proceeds as follows.
1. If i already appears in the list, respond with the corresponding H(i).
2. Else, choose a random value t_i \in F_p, set H(i) = g^{t_i}, respond with H(i), and add (i, H(i), t_i) to the list.
Phase I To respond to the key generation queries S_1, S_2, \ldots, S_{q_1} requested by the adversary A, where S_i is the set of attributes in the i-th query, the challenger runs Gen on S_i and forwards the corresponding key to A. The steps are as follows.
1. Choose a random value r^{(i)} and calculate D^{(i)} = g^{(\alpha + r^{(i)})/\beta}.
2. For each attribute j \in S_i, choose a random value r_j^{(i)} and request H(j) from the hash oracle.
3. Calculate D_j^{(i)} = g^{r^{(i)}} \cdot H(j)^{r_j^{(i)}} and D_j^{(i)'} = g^{r_j^{(i)}}.
4. Return (D^{(i)}, D_j^{(i)}, D_j^{(i)'}) as the response to the query.
Challenge
1. A outputs messages M_0, M_1 and a challenge access structure \mathbb{A}^*, such that none of the sets queried in Phase I satisfy \mathbb{A}^*.
2. B chooses a bit b \in \{0,1\}.
3. B chooses a random value s \in Z_p, which is the constant term of the polynomial for the root node R, i.e., q_R(0) = s.
4. B generates the values \lambda_i = q_y(0), where i is the attribute corresponding to each leaf node y \in Y and Y is the set of all leaf nodes in \mathbb{A}^*.
5. B takes \theta = \alpha \cdot s and calculates \tilde{C} = M_b \cdot e(g,g)^{\theta} and C = h^s.
6. B calculates, for all y \in Y, C_y = g^{\lambda_i} and C'_y = g^{t_i \cdot \lambda_i}.
7. Send (\tilde{C}, C, C_y, C'_y) to A.
Phase II In this phase, A requests the keys of the attribute sets S_{q_1+1}, S_{q_1+2}, \ldots, S_q. This phase is the same as Phase I, except that none of the requested attribute sets appeared in Phase I and none of them satisfy \mathbb{A}^*.
Guess Finally, A outputs b' \in \{0,1\}.
Adversary can make valid queries on group oracles with the probability
1 − O(1/p), if the following conditions are imposed on queries:
1. The legitimate input from the adversary is either received from
the simulation, or intermediate values it already received from the
oracles.
2. There are p distinct values in the ranges of responses in both oracles
ψ0 and ψ1 .
As such, we may keep track of the algebraic expressions being queried from the oracles, as long as no "unexpected collisions" happen. More precisely, we can think of an oracle query as the response of a rational function^6 \nu = \eta/\xi. The independent variables of the oracle (\nu) are \theta, \alpha, \beta, t_i, r^{(j)}, r_i^{(j)}, s and \varrho_k^7. We define an unexpected collision as two distinct functions \eta/\xi \neq \eta'/\xi' colliding for a specific query (say x_1), i.e., \eta/\xi(x_1) = \eta'/\xi'(x_1)^8. We now condition on the event that no such unexpected collision occurs in either group G_0 or G_1.
For any pair of queries (within a group) corresponding to distinct rational functions \eta/\xi and \eta'/\xi', a collision occurs only if the non-zero polynomial \eta\xi' - \eta'\xi evaluates to zero. Note that the total degree of \eta\xi' - \eta'\xi is in this case at most 5. By the Schwartz-Zippel lemma^9, the probability of this event is O(1/p). By a union bound, the probability that any such collision happens is at most O(q^2/p)^{10}. Therefore, under these conditions, the probability that there is no collision is still 1 - O(q^2/p).
Remember that we are working in the generic group model, where each group element's representation is chosen uniformly. The only way the adversary's view can differ in the case \theta = \alpha s is if there are two queries \nu and \nu' into G_1 such that there is an unexpected collision between \nu and \nu' when \theta = \alpha s, i.e., \nu \neq \nu' but \nu|_{\theta = \alpha s} = \nu'|_{\theta = \alpha s}. \theta only occurs as e(g,g)^{\theta} (= \psi_1(\theta)) \in G_1. The only dependence that \nu or \nu' can have on \theta is through additive terms of the form \gamma'\theta, for a constant \gamma'. Therefore, we have \nu - \nu' = \gamma\alpha s - \gamma\theta for some constant \gamma \neq 0. We can artificially add the query \nu - \nu' + \gamma\theta = \gamma\alpha s to the adversary's queries. In the following part, it is shown that an adversary can never construct a query for e(g,g)^{\gamma\alpha s} (= \psi_1(\gamma\alpha s)).
Table 19.2 enumerates all possible rational queries into G_1 by means of the bilinear map and the group elements given to the adversary by the simulation, except for the queries described as follows.
1. Every monomial involving the variable \beta, since \beta will not be relevant to constructing a query involving \alpha s.
2. The variables i and i'. These are the possible attribute strings which appear in the terms of \lambda_i, and these expressions do not contain the terms \varrho_k. (As defined in the linear secret sharing scheme, \lambda_i is a linear combination of \varrho_1, \ldots, \varrho_l and s. However, without information on the \varrho_k the adversary cannot find the value of s, so we can say that these expressions do not contain the terms \varrho_k.)
3. The variables j and j'. These are the indices of the secret key queries which appear in the terms of \lambda_i, and these expressions do not contain the terms \varrho_k.
6 In the actual scheme it is an exponential function in these independent variables, but in the generic group model we define e(g,g)^x = \psi_1(x). Therefore it is a rational function in the generic group model, where both \eta and \xi are polynomials.
7 The query contains either \lambda_i or \lambda_{i'}; these are linear combinations of s and the \varrho_k. That is why the subscript k of \varrho_k differs from the subscripts of the other variables, i.e., i, i'.
8 To understand this case, we can think of two rational functions as curves in a space, and at a certain point there is a point of intersection of these curves.
9 Let F be a field. Let f(x_1, \ldots, x_n) be a multivariate polynomial of total degree d, and suppose that f is not the zero polynomial. Let S be a finite subset of F, and let r_1, r_2, \ldots, r_n be chosen uniformly and independently at random from S. Then the probability that f(r_1, r_2, \ldots, r_n) = 0 is at most d/|S|.
10 The union bound is calculated as O(q_0 \times q_1 \times p_0), where q_0 is the number of G_0 queries, q_1 is the number of G_1 queries, and p_0 is the probability that a polynomial evaluates to 0, which gives O(q \times q \times 1/p).
TABLE 19.2
Possible query types from the adversary.
t_i t_{i'}    \lambda_i t_{i'}    t_i t_{i'} \lambda_{i'}    t_i r^{(j)} + t_i t_{i'} r_{i'}^{(j)}
t_{i'} r_{i'}^{(j)}    t_i    \alpha + r^{(j)}    \alpha s + s r^{(j)}
\lambda_i \lambda_{i'}    t_i \lambda_i \lambda_{i'}    \lambda_{i'} r^{(j)} + \lambda_{i'} t_i r_i^{(j)}    \lambda_i r_i^{(j)}
\lambda_i t_i t_{i'} \lambda_{i'}    t_i \lambda_i r^{(j)} + t_i t_{i'} \lambda_i r_{i'}^{(j)}    t_i \lambda_{i'} r_{i'}^{(j)}
t_i \lambda_i    (r^{(j)} + t_i r_i^{(j)})(r^{(j')} + t_{i'} r_{i'}^{(j')})    (r^{(j)} + t_i r_i^{(j)}) r_{i'}^{(j')}    r^{(j)} + t_i r_i^{(j)}
r_i^{(j)} r_{i'}^{(j')}    r_i^{(j)} s
In addition to the polynomials in Table 19.2, the adversary also has access to 1 and \alpha^{11}. The adversary can query arbitrary linear combinations of these. Therefore, we must show that none of these polynomials can be equal to a polynomial of the form \gamma\alpha s, where \gamma is a non-zero constant^{12}. From the discussion above, it is clear that the only way the adversary can create a term containing \alpha s is by pairing s\beta with (\alpha + r^{(j)})/\beta to get the term \alpha s + s r^{(j)}. In this way, the adversary could create a query polynomial containing \gamma\alpha s + \sum_{j \in T} \gamma_j s r^{(j)}, for a set T and constants \gamma, \gamma_j \neq 0, where T denotes the set of private keys made by the simulator. Now, if the adversary wants to obtain a polynomial of the form \gamma\alpha s, the adversary must add other linear combinations in order to cancel the term \sum_{j \in T} \gamma_j s r^{(j)}. By referring to Table 19.2, we can say that the only other terms the adversary has access to that could involve monomials of the form s r^{(j)} are obtained by pairing r^{(j)} + t_i r_i^{(j)} with some \lambda_{i'}, where the \lambda_{i'} are linear combinations of s and the \varrho_k's^{13}. Considering all these things, for sets T'_j and constants \gamma_{(i,j,i')} \neq 0, the adversary can construct a query polynomial of the form:
\gamma\alpha s + \sum_{j \in T} \gamma_j s r^{(j)} + \sum_{i,i' \in T'_j} \gamma_{(i,j,i')} \left(\lambda_{i'} r^{(j)} + \lambda_{i'} t_i r_i^{(j)}\right) + \text{other terms}    (19.6)
The following case analysis completes the proof:
11 e(g,g)^1 and e(g,g)^{\alpha} are in the public parameters.
12 These are queries to the oracle \psi_1 in the generic group model.
13 In the proof, the secret key j is a function of the attribute strings i, and the proof concludes by computing the probability of a collision in the secret keys caused by the random selection of attribute strings, so we need to differentiate two different keys (j, j') that may collide on the basis of two different attribute strings (i, i'). We use the plain and primed notation to differentiate one from the other.
1. There exists some j \in T such that the set of secret shares L_j = \{\lambda_{i'} : \exists i : (i, i') \in T'_j\}^{14} does not allow for the reconstruction of the secret s.
If this is true, then the term s r^{(j)} will not be cancelled, and so the adversary's query polynomial cannot be of the form \gamma\alpha s.
2. For all j \in T, the set of secret shares L_j = \{\lambda_{i'} : \exists i : (i, i') \in T'_j\} allows for the reconstruction of the secret s.
Fix any j \in T. Consider the attribute set S_j, the set of attributes belonging to the j-th adversary key request. From the assumption that no requested key passes the challenge access structure, and from the properties of the secret sharing scheme, we know that the set L'_j = \{\lambda_i : i \in S_j\} cannot allow for the reconstruction of s, where i is an attribute. This is because (1) the secret sharing scheme guarantees that unless a sufficient number of shares are gathered, the secret value s is not known, and (2) the assumption guarantees that a sufficient number of shares cannot be gathered.
Thus, there must exist at least one share \lambda_{i'} in L_j such that \lambda_{i'} is linearly independent of L'_j when written in terms of s and the \varrho_k's. By the case analysis, this means that in the adversary's query (Equation 19.6) there is a term of the form \lambda_{i'} t_i r_i^{(j)} for some i \in S_j, because at least one share \lambda_{i'} including the term \lambda_{i'} t_i r_i^{(j)} must be included in the set of secret shares L_j for all j \in T.
However (examining the table above), there is no term that the adversary has access to that can cancel this term. Therefore, any adversary query polynomial of this form cannot be of the form \gamma\alpha s.    □
14 Here the attribute strings for two different shares are from the set of valid attribute strings.
20
Secret Sharing
CONTENTS
20.1 Overview 371
20.2 Efficient Secret Sharing 372
20.2.1 Shamir's Secret Sharing [90] 372
20.2.1.1 Mathematical Definition 373
20.2.1.2 The Construction 373
20.2.1.3 Example 373
20.2.2 Blakley's Secret Sharing [16] 375
20.2.2.1 The Construction 375
20.2.2.2 Example 376
Exercise 377
This chapter discusses secret sharing methods. Secret sharing or secret split-
ting are methods for the distribution of a secret among the group participants,
each of whom is given a chunk of the secret. Reconstruction is only possible
when sufficient shares are combined. The next part of the chapter discusses
efficient secret sharing techniques that involve Shamir’s and Blakley’s secret
sharing schemes. The schemes are discussed in detail by providing overviews,
mathematical definitions, constructions, and examples. The final part of the
chapter shows an application of secret sharing.
20.1 Overview
Encryption has traditionally been used to keep information confidential. But some critical information, such as a missile launch code, requires reliability as well as confidentiality: it could be disastrous if it were lost. Traditional encryption methods are not suitable for achieving high levels of reliability, because keeping multiple copies of the same information encrypted in different locations may open up additional attacks. To address this problem, secret sharing was proposed independently by Adi Shamir [90] and George Blakley [16] in 1979.
Secret sharing (also called secret splitting) is a method for distributing a
secret among a group of participants, where each of them is allocated a share
of the secret and the secret can be reconstructed only when a sufficient number
of shares are combined together. Let us suppose that there is one dealer and
n players. The dealer sets the specific conditions (e.g., t: threshold) and gives
a share of the secret to the players, so that the players are able to reconstruct
the secret when more than t different shares are gathered; otherwise they
cannot reconstruct the secret. Such a system is called a (t, n)-threshold scheme
(sometimes also written as an (n, t)-threshold scheme interchangeably).
20.2 Efficient Secret Sharing
Trivial t = n schemes can be used to reveal a secret to any desired subsets
of the players simply by applying the scheme for each subset. For example,
to reveal a secret s to any two of the three players Alice, Bob, and Carol,
we create three different (2, 2) secret shares for s (e.g., a1 = r1 , a2 = s − r1 ,
b1 = r2 , b2 = s − r2 , c1 = r3 , c2 = s − r3 ), giving the three sets of two shares
to Alice and Bob, Alice and Carol, and Bob and Carol (e.g., Alice has a1 = r1
and b2 = s − r2 , Bob has b1 = r2 and c2 = s − r3 , and Carol has c1 = r3 and
a2 = s − r1 ).
However, the trivial approach raises a space efficiency problem, because as n increases the players are required to maintain a larger number of subsets. For example, revealing a secret to any 30 of 50 players requires \binom{50}{30} \approx 4.7 \times 10^{13} schemes to be created and each player to maintain \binom{49}{29} \approx 2.8 \times 10^{13} distinct sets of shares for each scheme. To solve this problem, schemes that allow secrets to be shared efficiently with a threshold of players have been developed.
20.2.1 Shamir’s Secret Sharing [90]
In this scheme, any t out of n shares can be used to recover the secret. The system is based on the idea that a unique polynomial of degree (t - 1) can be obtained from any set of t points that lie on the polynomial. It takes two points to define a straight line, three points to fully define a quadratic, four points to define a cubic curve, and so on. That is, it takes t points to define a polynomial of degree t - 1. The method is to create a polynomial of degree t - 1 with the secret as the first coefficient and the remaining coefficients picked at random. Next, find n points on the curve and give one to each of the players. When at least t of the n players reveal their points, there is sufficient information to fit a (t - 1)-th degree polynomial to them, the first coefficient being the secret.
20.2.1.1 Mathematical Definition
The goal is to divide secret S (that is, a safe combination) into n pieces of
data S1 , . . . , Sn in such a way that
1. Knowledge of any t or more Si pieces makes S easily computable.
That is, the complete secret S can be reconstructed from any com-
bination of t pieces of data.
2. Knowledge of any t − 1 or fewer Si pieces leaves S completely unde-
termined. That is, the secret S cannot be reconstructed with fewer
than t pieces.
20.2.1.2 The Construction
As mentioned above, the essential idea of Adi Shamir’s threshold scheme is
that it takes t points to define a polynomial of degree t − 1.
Suppose we want to use a (t, n) threshold scheme to share our secret S, which without loss of generality is assumed to be an element of a finite field F of size P, where 0 < t \le n < P, S < P, and P is a prime number. Choose at random t - 1 positive integers a_1, \ldots, a_{t-1} with a_i < P and let a_0 = S. Build the polynomial f(x) = a_0 + a_1 x + a_2 x^2 + a_3 x^3 + \cdots + a_{t-1} x^{t-1}. Let us construct any n points out of it, for instance set i = 1, \ldots, n to retrieve (i, f(i)). Every participant is given a point (a non-zero integer input to the polynomial and the corresponding integer output) along with the prime which defines the finite field to use. Given any subset of t of these pairs, we can find the coefficients of the polynomial using interpolation. The secret is the constant term a_0.
20.2.1.3 Example
The following example illustrates the basic idea. Note that calculations in the
example are done using integer arithmetic rather than using finite field arith-
metic. Therefore the example below does not provide perfect secrecy and is
not a true example of Shamir’s scheme. So we will explain this problem and
show the right way to implement it using finite field arithmetic.
1. Suppose that our secret is 2357 (S = 2357).
2. We wish to divide the secret into 7 parts (n = 7), where any subset of 5 parts (t = 5) is sufficient to reconstruct the secret, i.e., a (5, 7) secret-sharing scheme. At random we obtain four (t - 1) numbers: 904, 282, 710, and 21 (a_0 = 2357, a_1 = 904, a_2 = 282, a_3 = 710, a_4 = 21).
3. We construct 7 points D_{x-1} = (x, f(x) = a_0 + a_1 x + a_2 x^2 + a_3 x^3 + a_4 x^4) from the polynomial as
D_0 = (1, 4274), D_1 = (2, 11309), D_2 = (3, 28478), D_3 = (4, 61301), D_4 = (5, 115802), D_5 = (6, 198509), D_6 = (7, 316454).
We give each participant a different single point (both x and f(x)). Since we use D_{x-1} instead of D_x, the points start from (1, f(1)), not from (0, f(0)). This is necessary because f(0) is the secret.
Reconstruction
In order to reconstruct the secret, any 5 points are enough. Let us consider (x_0, y_0) = (1, 4274), (x_1, y_1) = (3, 28478), (x_2, y_2) = (5, 115802), (x_3, y_3) = (6, 198509), (x_4, y_4) = (7, 316454). We can derive the secret f(0) in the following way.
l_0 = \frac{x_1}{x_1 - x_0} \cdot \frac{x_2}{x_2 - x_0} \cdot \frac{x_3}{x_3 - x_0} \cdot \frac{x_4}{x_4 - x_0} = \frac{3}{3-1} \cdot \frac{5}{5-1} \cdot \frac{6}{6-1} \cdot \frac{7}{7-1} = \frac{630}{240},
l_1 = \frac{x_0}{x_0 - x_1} \cdot \frac{x_2}{x_2 - x_1} \cdot \frac{x_3}{x_3 - x_1} \cdot \frac{x_4}{x_4 - x_1} = \frac{1}{1-3} \cdot \frac{5}{5-3} \cdot \frac{6}{6-3} \cdot \frac{7}{7-3} = \frac{210}{-48},
l_2 = \frac{x_0}{x_0 - x_2} \cdot \frac{x_1}{x_1 - x_2} \cdot \frac{x_3}{x_3 - x_2} \cdot \frac{x_4}{x_4 - x_2} = \frac{1}{1-5} \cdot \frac{3}{3-5} \cdot \frac{6}{6-5} \cdot \frac{7}{7-5} = \frac{126}{16},
l_3 = \frac{x_0}{x_0 - x_3} \cdot \frac{x_1}{x_1 - x_3} \cdot \frac{x_2}{x_2 - x_3} \cdot \frac{x_4}{x_4 - x_3} = \frac{1}{1-6} \cdot \frac{3}{3-6} \cdot \frac{5}{5-6} \cdot \frac{7}{7-6} = \frac{105}{-15},
l_4 = \frac{x_0}{x_0 - x_4} \cdot \frac{x_1}{x_1 - x_4} \cdot \frac{x_2}{x_2 - x_4} \cdot \frac{x_3}{x_3 - x_4} = \frac{1}{1-7} \cdot \frac{3}{3-7} \cdot \frac{5}{5-7} \cdot \frac{6}{6-7} = \frac{90}{48}.
Finally,
f(0) = \sum_{j=0}^{4} y_j l_j = 4274 \cdot \frac{630}{240} + 28478 \cdot \frac{210}{-48} + 115802 \cdot \frac{126}{16} + 198509 \cdot \frac{105}{-15} + 316454 \cdot \frac{90}{48} = 2357.
Problem and solution
Although the above method recovers the secret, it has a security problem: because the computation is done over the integers, an adversary learns information about $S$ from every share $D_i$ it obtains. With non-negative coefficients, for instance, every share value $f(x)$ is an upper bound on $a_0 = S$, and the growth of the share values with $x$ reveals the magnitude of the coefficients. Performing exactly the same computation in a finite field $GF(p)$, with $p > S$ and $p > n$, removes this problem without changing the structure of the scheme: any $t - 1$ shares are then uniformly distributed and independent of the secret, which is what perfect secrecy requires.
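The following Python program is an added example (not code from the book) of Shamir's scheme done the right way, over $GF(p)$ rather than the integers. It reproduces the $(5, 7)$ example above with the book's coefficients, so that the dealt shares are exactly the points $D_0, \ldots, D_6$, and then recovers $f(0)$ with the same Lagrange basis values $l_i$, with every division replaced by a multiplication by a modular inverse. The prime $P = 2^{31} - 1$ is an assumption chosen so that the example's numbers fit; for a secret of realistic size one picks a prime larger than the secret (128 bits or more) or splits the secret into several field elements.

```python
import secrets

# Field prime. Every share value and the secret live in GF(P); P is assumed here
# for illustration (the Mersenne prime 2^31 - 1) and must exceed both the secret
# and the number of shares n.
P = 2**31 - 1


def eval_poly(coeffs, x, p):
    """Horner evaluation of a_0 + a_1 x + ... + a_{t-1} x^{t-1} modulo p."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % p
    return acc


def split(secret, t, n, p=P, coeffs=None):
    """Deal n shares (x, f(x)) of `secret`; any t of them reconstruct it.

    `coeffs` lets a caller pin a_1..a_{t-1} to reproduce a known example; in
    real use it is left as None so the coefficients come from the CSPRNG.
    """
    if not 0 <= secret < p:
        raise ValueError("secret must be a field element (0 <= S < p)")
    if not 1 <= t <= n < p:
        raise ValueError("need 1 <= t <= n < p")
    if coeffs is None:
        coeffs = [secrets.randbelow(p) for _ in range(t - 1)]
    if len(coeffs) != t - 1:
        raise ValueError("need exactly t - 1 coefficients a_1..a_{t-1}")
    poly = [secret] + [c % p for c in coeffs]
    # Shares use x = 1..n; x = 0 is never handed out because f(0) is the secret.
    return [(x, eval_poly(poly, x, p)) for x in range(1, n + 1)]


def reconstruct(shares, p=P):
    """Lagrange interpolation at x = 0 over GF(p).

    Computes f(0) = sum_i y_i * l_i with l_i = prod_{j != i} x_j / (x_j - x_i),
    the same basis values as in the worked example, but every division is a
    multiplication by a modular inverse (which exists because p is prime).
    """
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs) or 0 in xs:
        raise ValueError("share indices must be distinct and nonzero")
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if j != i:
                num = num * xj % p
                den = den * (xj - xi) % p
        li = num * pow(den, -1, p) % p
        total = (total + yi * li) % p
    return total


# Constructed input: the book's (5, 7) example with its fixed coefficients.
BOOK_SHARES = split(2357, 5, 7, coeffs=[904, 282, 710, 21])
```

One check worth knowing about: `reconstruct` called with only four of the seven shares does not fail, it returns the constant term of the cubic through those four points (1853 for the first four shares), a plausible-looking but wrong value. The threshold has to be enforced by the caller; the arithmetic cannot tell a below-threshold subset from a valid one.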
20.2.2 Blakley's Secret Sharing [16]
Two nonparallel lines in the same plane intersect at exactly one point. Three planes in space whose normal vectors are linearly independent intersect at exactly one point. More generally, any $n$ hyperplanes of dimension $n - 1$ in $n$-dimensional space whose normal vectors are linearly independent (i.e., in general position; pairwise "nonparallel" is not enough once $n \ge 3$) intersect at exactly one point. The secret may be encoded as any single coordinate of the point of intersection. If the secret is encoded using all the coordinates, even if they are random, then an insider (someone in possession of one or more of the hyperplanes) gains information about the secret, since he knows it must lie on his hyperplane. If an insider can gain any more knowledge about the secret than an outsider can, then the system no longer has information-theoretic security. If only one of the $n$ coordinates is used, then the insider knows no more than an outsider (i.e., the secret must lie on the $x$-axis for a two-dimensional system).
If each player is given enough information to define a hyperplane, the secret is recovered by calculating the hyperplanes' point of intersection and then taking a specified coordinate of that intersection.
Blakley's scheme is less space-efficient than Shamir's: while Shamir's shares are each only as large as the original secret, Blakley's shares are $t$ times larger, where $t$ is the threshold number of players. Blakley's scheme can be tightened by adding restrictions on which planes are usable as shares; the resulting scheme is equivalent to Shamir's polynomial system.
20.2.2.1 The Construction
Preparation
1. Pick a prime $p$.
2. If we wish to divide the secret so that any subset of 4 parts ($k = 4$) is sufficient to reconstruct it, create a point $Q = (w, x, y, z)$ such that
(a) $w$ is the secret, and
(b) $x, y, z \in \mathbb{Z}_p$ are chosen randomly.
3. Construct a share for each participant.
(a) Pick $a, b, c \in \mathbb{Z}_p$ randomly, then set $d = z - aw - bx - cy \pmod p$.
(b) The plane is $z = aw + bx + cy + d$.
(c) Give each participant a different plane $(a, b, c, d)$.
Reconstruction
1. We know that $a_i w + b_i x + c_i y - z \equiv -d_i \pmod p$ for $1 \le i \le 4$.
2. This yields the matrix equation
$$\begin{pmatrix} a_1 & b_1 & c_1 & -1 \\ a_2 & b_2 & c_2 & -1 \\ a_3 & b_3 & c_3 & -1 \\ a_4 & b_4 & c_4 & -1 \end{pmatrix} \begin{pmatrix} w \\ x \\ y \\ z \end{pmatrix} = \begin{pmatrix} -d_1 \\ -d_2 \\ -d_3 \\ -d_4 \end{pmatrix} \pmod p.$$
3. As long as the determinant of the matrix is nonzero mod $p$, the matrix can be inverted and the secret can be found.
4. Row operations (Gaussian elimination mod $p$) work as well.
20.2.2.2 Example
1. Let $p = 103$.
2. Suppose the shares $A, \ldots, F$ are as follows.
(a) $A: z = 88w + 51x + 26y + 99$
(b) $B: z = 9w + 98x + 22y + 40$
(c) $C: z = 100w + 70x + 35y + 26$
(d) $D: z = 62w + 96x + 81y + 76$
(e) $E: z = 43w + 11x + 71y + 2$
(f) $F: z = 94w + 13x + 84y + 55$
3. To retrieve the secret, we need only 4 shares (e.g., $A, B, C, D$).
(a) Convert $A, B, C, D$ to
$$\begin{pmatrix} 88 & 51 & 26 & -1 \\ 9 & 98 & 22 & -1 \\ 100 & 70 & 35 & -1 \\ 62 & 96 & 81 & -1 \end{pmatrix} \begin{pmatrix} w \\ x \\ y \\ z \end{pmatrix} = \begin{pmatrix} -99 \\ -40 \\ -26 \\ -76 \end{pmatrix} \pmod{103}.$$
(b) Compute the inverse of the matrix mod 103:
$$\begin{pmatrix} 88 & 51 & 26 & -1 \\ 9 & 98 & 22 & -1 \\ 100 & 70 & 35 & -1 \\ 62 & 96 & 81 & -1 \end{pmatrix}^{-1} = \begin{pmatrix} 27 & 76 & 74 & 29 \\ 15 & 11 & 62 & 15 \\ 81 & 70 & 91 & 67 \\ 96 & 5 & 92 & 12 \end{pmatrix} \pmod{103}.$$
(c) Compute $(w, x, y, z)$:
$$\begin{pmatrix} 27 & 76 & 74 & 29 \\ 15 & 11 & 62 & 15 \\ 81 & 70 & 91 & 67 \\ 96 & 5 & 92 & 12 \end{pmatrix} \begin{pmatrix} -99 \\ -40 \\ -26 \\ -76 \end{pmatrix} = \begin{pmatrix} w \\ x \\ y \\ z \end{pmatrix} = \begin{pmatrix} 47 \\ 61 \\ 57 \\ 73 \end{pmatrix} \pmod{103}.$$
4. The secret is $w = 47$.
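An added Python example (not the book's code) that carries the Blakley example through over $GF(103)$: the four printed shares $A, B, C, D$ are turned into the matrix equation above and solved by Gauss-Jordan elimination mod $p$, which also detects the singular case mentioned in step 3 of the reconstruction instead of silently returning garbage. It adds two checks a practitioner wants: a test that a share really contains the recovered point, and a dealer that rejects any plane which would make some four of the shares linearly dependent mod $p$, so that the $(4, n)$ threshold is exact. The consistency check also shows something about the printed example: shares $E$ and $F$, as printed, do not pass through $(47, 61, 57, 73)$ (for $E$, $43 \cdot 47 + 11 \cdot 61 + 71 \cdot 57 + 2 \equiv 46 \ne 73 \pmod{103}$), so only $A$ through $D$ are consistent with the recovered secret. The share table is constructed input copied from the example.

```python
import secrets
from itertools import combinations

P = 103  # the prime from the worked example


def reconstruct(shares, p=P):
    """Intersect four planes z = a w + b x + c y + d over GF(p).

    Rewritten as a_i w + b_i x + c_i y - z = -d_i, the four shares give a 4x4
    system; Gauss-Jordan elimination mod p solves it. Returns (w, x, y, z), or
    None when the matrix is singular mod p (the planes do not meet in a point).
    """
    if len(shares) != 4:
        raise ValueError("exactly four planes define a point in four dimensions")
    m = [[a % p, b % p, c % p, (-1) % p, (-d) % p] for a, b, c, d in shares]
    n = 4
    for col in range(n):
        pivot = next((r for r in range(col, n) if m[r][col]), None)
        if pivot is None:
            return None
        m[col], m[pivot] = m[pivot], m[col]
        inv = pow(m[col][col], -1, p)          # p prime => the inverse exists
        m[col] = [v * inv % p for v in m[col]]
        for r in range(n):
            if r != col and m[r][col]:
                f = m[r][col]
                m[r] = [(vr - f * vc) % p for vr, vc in zip(m[r], m[col])]
    return tuple(row[n] for row in m)


def on_plane(share, point, p=P):
    """Check that a share really contains the point: a dealer-side sanity check."""
    a, b, c, d = share
    w, x, y, z = point
    return (a * w + b * x + c * y + d - z) % p == 0


def make_shares(point, n, p=P, rand=secrets.randbelow):
    """Deal n planes through point = (w, x, y, z), w being the secret.

    A candidate plane is rejected if it would make any four of the shares
    singular mod p, so that every 4-subset really does recover the point.
    """
    w, x, y, z = point
    shares = []
    while len(shares) < n:
        a, b, c = rand(p), rand(p), rand(p)
        cand = (a, b, c, (z - a * w - b * x - c * y) % p)
        if all(reconstruct(list(three) + [cand]) is not None
               for three in combinations(shares, 3)):
            shares.append(cand)
    return shares


# Constructed input: the six shares printed in the example, as (a, b, c, d).
BOOK_SHARES = {
    "A": (88, 51, 26, 99),
    "B": (9, 98, 22, 40),
    "C": (100, 70, 35, 26),
    "D": (62, 96, 81, 76),
    "E": (43, 11, 71, 2),
    "F": (94, 13, 84, 55),
}
```

The dealer check in `make_shares` is what makes "any 4 of $n$" true in practice; without it a random set of planes over a small field will occasionally contain a dependent 4-subset, and those four participants would be unable to recover the secret.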
Exercise
20.1 What if we remove the restriction like choosing a large prime in the
above secret sharing schemes?
21
Predicate Encryption and Functional Encryption
CONTENTS
21.1 Overview 380
21.1.1 Predicate Encryption 380
21.1.2 Functional Encryption 381
21.2 Preliminaries 383
21.2.1 Hardness Assumptions 383
21.2.2 Definition of Predicate Encryption 385
21.2.3 Definition of Functional Encryption 387
21.3 Predicate-Only Encryption [62] 388
21.3.1 Proof of Predicate-Only Encryption Security 390
21.4 Predicate Encryption [62] 397
21.4.1 Proof of Predicate Encryption Security 399
21.5 Functional Encryption 404
21.5.1 Proof of Functional Encryption Security 405
21.5.2 Applications of Functional Encryption 409
21.5.2.1 Distance Measurement 409
21.5.2.2 Exact Threshold 410
21.5.2.3 Weighted Average 410
This chapter explains predicate encryption (PE) and functional encryption (FE). The first part of the chapter defines PE and compares PE with ABE, followed by the definition of FE. The next part provides the required preliminaries, starting with bilinear maps and hardness assumptions: first the asymmetric decisional bilinear Diffie-Hellman assumption, then the external Diffie-Hellman assumption. Next, the formal definition of PE and its security notions are discussed, followed by the definition of FE and its algorithms. The following section presents a predicate-only encryption scheme based on anonymous HIBE; the section after it extends this scheme to a PE scheme, and the constructions and security proofs of both the predicate-only encryption scheme and the PE scheme are given. Similarly, the final section presents the construction and security proof of an FE scheme. The applications of FE are then discussed, including distance measurement, exact threshold, and weighted average.
21.1 Overview
In this chapter, we explain the basic concepts behind the construction of predicate encryption (PE) and functional encryption (FE).
21.1.1 Predicate Encryption
PE [60, 80] is a kind of public-key encryption (PKE), like RSA, attribute-based encryption (ABE), and identity-based encryption (IBE). In PE schemes, the sec秘 keys of users are associated with predicates $f \in \mathcal{F}$ and ciphertexts are bound to attributes $x \in \Sigma$. Decryption succeeds if and only if $f(x) = 1$. If this relation is not satisfied, decryption fails and no information about the message is leaked. Informally, an attribute is expressed as a vector $\vec{x}$ and a predicate $f_{\vec{v}}$ is associated with a vector $\vec{v}$, where $f_{\vec{v}}(\vec{x}) = 1$ iff $\langle \vec{v}, \vec{x} \rangle = 0$. In contrast to traditional PKE schemes, which support only the payload-hiding property, PE schemes also support the attribute-hiding property. Payload-hiding means that users cannot decrypt the ciphertext without the corresponding key; attribute-hiding means that the ciphertext leaks no information about the attribute $x$ (beyond whether the predicates of the keys a user holds are satisfied). PE schemes also enable constructions in which the predicates correspond to evaluations of disjunctions, conjunctions, polynomials, CNF formulas, DNF formulas, and thresholds, so such schemes achieve high flexibility in terms of access control. In addition, a PE scheme supporting inner products can be used as a primitive to construct further schemes such as anonymous identity-based encryption and hidden-vector encryption.
Comparison of ABE and PE
Note that the attribute exposure problem is inherent in ABE, because the attributes are either embedded in each user's key (e.g., CP-ABE) or transmitted with the ciphertext to receivers without any encoding (e.g., KP-ABE). PE schemes, by contrast, support the attribute-hiding property and therefore do not have the attribute exposure problem.
Why is attribute-hiding important?
A decryptor can collect the attributes it sees through ordinary decryption and then infer sensitive facts from them indirectly, for example with big-data processing techniques.
For example, a credit card company commonly uses attributes such as the identity of the owner and the date, amount and place of a purchase; this information can then be used to build a profile of the user's purchasing habits. In a military application, attributes could include position, number of participants, and area/period of operation; analyzing the circumstances surrounding encrypted communications and the ensuing operation may give an attacker hints about future troop movements. In the medical field, the importance of privacy in data transmission is equally clear. Although medical data usually require a high degree of privacy, they are referenced by many entities, such as the patients themselves or staff (doctors, nurses, technicians) from various departments or from different medical institutions. Even partial exposure of those attributes could hurt a patient's privacy.
21.1.2 Functional Encryption
FE [69, 26] is a newer paradigm of PKE in which a particular function of encrypted data can be computed without recovering the original data. It overcomes the all-or-nothing behaviour of traditional PKE, in which a user either recovers the full message or learns nothing, depending on whether a proper secret key is presented. Over the last few decades, a number of primitives such as IBE, ABE, and PE have been introduced to provide more fine-grained access control, which is highly desirable for modern applications. Recently, such studies have been generalized to FE.
In FE, the owner of the master secret key $MSK$ can generate a secret key $SK_f$ for a function $f$. Given a ciphertext $C(x)$ of a message $x$, a user holding $SK_f$ obtains $f(x)$ by decrypting $C(x)$ with $SK_f$. Only $f(x)$, the result of the function, is exposed; no other information about $x$ is revealed.
Why do we focus on inner product functionality?
To design an efficient FE scheme with enough expressiveness for real-world use, numerous studies have focused on the inner product functionality. By extending the ciphertext vector to all monomials that appear in the desired family of polynomials, an inner product suffices to evaluate arbitrary polynomials. As a result, inner product encryption has been established as a useful tool for building FE, with functions associated with secret-key vectors and data associated with ciphertext vectors.
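The following Python block is an added example (not from the book) that makes the expressiveness claims of Sections 21.1.1 and 21.1.2 concrete: it shows how equality (the predicate behind anonymous IBE), polynomial evaluation, disjunction, conjunction and hidden-vector matching are all encoded as a zero test on an inner product $\langle \vec{x}, \vec{v} \rangle$ over $\mathbb{Z}_p$, with the ciphertext vector extended to the monomials of the polynomial exactly as the paragraph above describes. It models only the predicate, i.e., which (attribute vector, key vector) pairs would decrypt; it contains no encryption, and the modulus `P` and the helper names are assumptions for illustration.

```python
import secrets

# Prime modulus for the vector entries; assumed here for illustration (a real
# scheme uses the prime order of its bilinear groups).
P = 2**61 - 1
WILDCARD = None


def inner(x, v, p=P):
    if len(x) != len(v):
        raise ValueError("dimension mismatch")
    return sum(a * b for a, b in zip(x, v)) % p


def predicate(x, v, p=P):
    """The inner-product predicate: f_v(x) = 1 iff <x, v> = 0 mod p."""
    return inner(x, v, p) == 0


# --- equality (the predicate behind anonymous IBE) -------------------------
def attr_equal(ident, p=P):
    return (1, ident % p)

def key_equal(ident, p=P):
    # <(1, I), (I', -1)> = I' - I, which is zero iff I = I'
    return (ident % p, p - 1)


# --- polynomial evaluation --------------------------------------------------
def attr_powers(a, d, p=P):
    """Ciphertext vector (1, a, a^2, ..., a^d): all monomials of degree <= d."""
    return tuple(pow(a, i, p) for i in range(d + 1))

def key_poly(coeffs, p=P):
    """Key vector of coefficients c_0..c_d, so <attr_powers(a, d), key> = sum c_i a^i."""
    return tuple(c % p for c in coeffs)

def key_or(i1, i2, p=P):
    """Disjunction 'a = I1 or a = I2' via the polynomial (a - I1)(a - I2)."""
    return key_poly((i1 * i2, -(i1 + i2), 1), p)


# --- conjunction / hidden-vector matching ----------------------------------
def attr_hve(fields, p=P):
    """Ciphertext vector for fields (a_1, ..., a_l): each a_i contributes (a_i, 1)."""
    out = []
    for a in fields:
        out += [a % p, 1]
    return tuple(out)

def key_hve(pattern, p=P, rand=secrets.randbelow):
    """Key for a pattern with wildcards (a conjunction is the no-wildcard case).

    Field i contributes (r_i, -r_i * s_i) for a required value s_i and (0, 0)
    for a wildcard, so the inner product is sum_i r_i (a_i - s_i) over the
    non-wildcard positions: 0 when every required field matches, and nonzero
    otherwise except with probability about 1/p, because the r_i are secret
    random multipliers that an attribute cannot be chosen against.
    """
    out = []
    for s in pattern:
        if s is WILDCARD:
            out += [0, 0]
        else:
            r = rand(p - 1) + 1
            out += [r, (-r * s) % p]
    return tuple(out)
```

The same `inner` value, read as a number rather than tested against zero, is what an inner-product FE key reveals in Section 21.1.2; the predicate view and the functional view differ only in what the decryptor is allowed to learn about it.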
Figures 21.1, 21.2, and 21.3 show the differences among ABE, PE, and FE.
FIGURE 21.1
Attribute-based encryption.
FIGURE 21.2
Predicate encryption.
FIGURE 21.3
Functional encryption.
In ABE (e.g., CP-ABE), a sender encrypts a message under an access policy of his choice and broadcasts the resulting ciphertext. When a receiver gets the ciphertext, he tries to decrypt it. If the receiver's attributes satisfy the access policy of the ciphertext, he recovers the message; otherwise he cannot.
In PE (supporting inner products), a sender encrypts a message under an attribute vector of his choice and broadcasts the resulting ciphertext. When a receiver gets the ciphertext, he tries to decrypt it. If the inner product of the receiver's predicate vector and the ciphertext's attribute vector is 0, he recovers the message; otherwise he cannot.
In FE (for inner-product evaluation), a sender encrypts a message vector and broadcasts the resulting ciphertext. When a receiver gets the ciphertext, he decrypts it to obtain the inner product of his function vector and the message vector of the ciphertext. Unlike the other schemes (ABE and PE), FE outputs a function of the message rather than the message itself, so every receiver holding a valid secret key obtains a function result.
21.2 Preliminaries
This section provides fundamentals and definitions of PE and FE.
21.2.1 Hardness Assumptions
Asymmetric Decisional Bilinear Diffie-Hellman (DBDH)
Consider the following two distributions. For $g \in G_1$, $h \in G_2$, $a, b, c \in \mathbb{Z}_p^*$, and $T \in G_T$ chosen uniformly at random, we define
1. $P_A = (g, g^{a}, g^{c}, h, h^{a}, h^{b}, e(g, h)^{abc}) \in G_1^3 \times G_2^3 \times G_T$,
2. $R_A = (g, g^{a}, g^{c}, h, h^{a}, h^{b}, T) \in G_1^3 \times G_2^3 \times G_T$.
For an algorithm $A$, we let $Adv_A^{DBDH}$ be the advantage of $A$ in distinguishing these two distributions:
$$Adv_A^{DBDH} = \left| \Pr[A(D) = 1] - \Pr[A(R) = 1] \right|, \qquad (21.1)$$
where $D$ is sampled from $P_A$ and $R$ is sampled from $R_A$. We say that an algorithm $B$ that outputs a bit in $\{0, 1\}$ has advantage $Adv_B^{DBDH} = \varepsilon$ in solving the Decisional Bilinear Diffie-Hellman problem in an asymmetric pairing if
$$\left| \Pr[B(g, g^{a}, g^{c}, h, h^{a}, h^{b}, e(g, h)^{abc}) = 0] - \Pr[B(g, g^{a}, g^{c}, h, h^{a}, h^{b}, T) = 0] \right| \ge \varepsilon,$$
where the probability is over the random choice of the generators $g \in G_1$ and $h \in G_2$, the exponents $a, b, c \in \mathbb{Z}_p^*$, $T \in G_T$, and the random bits used by $B$.
As usual, to state the assumption asymptotically, we rely on a bilinear group generator $\mathcal{G}$ that takes a security parameter $\lambda$ as input and outputs the description of a bilinear group.
Definition 1 Let $\mathcal{G}$ be a bilinear group generator. We say that DBDH holds for $\mathcal{G}$ if, for all probabilistic polynomial-time (PPT) algorithms $A$, the function $Adv_A^{DBDH}(\lambda)$ is a negligible function of $\lambda$.
P-Asymmetric Decisional Bilinear Diffie-Hellman (P-DBDH)
Consider the following two distributions. For $g \in G_1$, $h \in G_2$, $a, b, c \in \mathbb{Z}_p^*$ and $T \in G_1$ chosen uniformly at random, we define
1. $D_N = (g, g^{a}, g^{ab}, g^{c}, h, h^{a}, h^{b}, g^{abc}) \in G_1^4 \times G_2^3 \times G_1$,
2. $D_R = (g, g^{a}, g^{ab}, g^{c}, h, h^{a}, h^{b}, T) \in G_1^4 \times G_2^3 \times G_1$.
For an algorithm $A$, we let $Adv_A^{P\text{-}DBDH}$ be the advantage of $A$ in distinguishing these two distributions:
$$Adv_A^{P\text{-}DBDH} = \left| \Pr[A(N) = 1] - \Pr[A(P) = 1] \right|, \qquad (21.2)$$
where $N$ is sampled from $D_N$ and $P$ is sampled from $D_R$. We say that an algorithm $B$ that outputs a bit in $\{0, 1\}$ has advantage $Adv_B^{P\text{-}DBDH} = \varepsilon_P$ in solving the P-DBDH problem in an asymmetric pairing if
$$\left| \Pr[B(g, g^{a}, g^{ab}, g^{c}, h, h^{a}, h^{b}, g^{abc}) = 0] - \Pr[B(g, g^{a}, g^{ab}, g^{c}, h, h^{a}, h^{b}, T) = 0] \right| \ge \varepsilon_P,$$
where the probability is over the random choice of the generators $g \in G_1$ and $h \in G_2$, the exponents $a, b, c \in \mathbb{Z}_p^*$, $T \in G_1$, and the random bits used by $B$.
Definition 2 Let $\mathcal{G}$ be a bilinear group generator. We say that P-DBDH holds for $\mathcal{G}$ if, for all PPT algorithms $A$, the function $Adv_A^{P\text{-}DBDH}(\lambda)$ is a negligible function of $\lambda$.
External Diffie-Hellman (XDH)
Consider the following two distributions. For $g \in G_1$, $h \in G_2$, $a, b \in \mathbb{Z}_p^*$ and $T \in G_1$ chosen uniformly at random, we define
1. $D_N = (g, g^{a}, g^{b}, h, g^{ab}) \in G_1^3 \times G_2 \times G_1$,
2. $D_R = (g, g^{a}, g^{b}, h, T) \in G_1^3 \times G_2 \times G_1$.
For an algorithm $A$, we let $Adv_A^{XDH}$ be the advantage of $A$ in distinguishing these two distributions:
$$Adv_A^{XDH} = \left| \Pr[A(N) = 1] - \Pr[A(P) = 1] \right|, \qquad (21.3)$$
where $N$ is sampled from $D_N$ and $P$ is sampled from $D_R$. We say that an algorithm $B$ that outputs a bit in $\{0, 1\}$ has advantage $Adv_B^{XDH} = \varepsilon$ in solving the XDH problem in an asymmetric pairing if
$$\left| \Pr[B(g, g^{a}, g^{b}, h, g^{ab}) = 0] - \Pr[B(g, g^{a}, g^{b}, h, T) = 0] \right| \ge \varepsilon,$$
where the probability is over the random choice of the generators $g \in G_1$ and $h \in G_2$, the exponents $a, b \in \mathbb{Z}_p^*$, $T \in G_1$, and the random bits used by $B$.
Definition 3 Let $\mathcal{G}$ be a bilinear group generator. We say that XDH holds for $\mathcal{G}$ if, for all PPT algorithms $A$, the function $Adv_A^{XDH}(\lambda)$ is a negligible function of $\lambda$.
21.2.2 Definition of Predicate Encryption
Below are the formal definition and security notion of predicate encryption.
Definition 4 A predicate encryption scheme for the class of predicates $\mathcal{F}$ over the set of attributes $\Sigma$ consists of PPT algorithms Setup, Gen, Encrypt, and Decrypt. They are given as follows.
1. Setup($\lambda$) takes as input the security parameter $\lambda$. It outputs the public parameters $PP$ and the master secret key $MSK$.
2. Gen($PP, MSK, \vec{v}$) takes as input the public parameters $PP$, the master secret key $MSK$ and the predicate vector $\vec{v} \ne \vec{0}$. It outputs a corresponding secret key $sk_{\vec{v}}$.
3. Encrypt($PP, M, \vec{x}$) takes as input the public parameters $PP$, the message $M$ and the attribute vector $\vec{x}$. It outputs the ciphertext $C$.
4. Decrypt($sk_{\vec{v}}, C$) takes as input the secret key $sk_{\vec{v}}$ and the ciphertext $C$. It outputs the message $M$ or a random value.
For correctness, we require that for all $(PP, MSK)$ generated by Setup($\lambda$), all $\vec{v} \in \mathcal{F}$, any key $sk_{\vec{v}} \leftarrow$ Gen($PP, MSK, \vec{v}$) and all attribute vectors $\vec{x} \in \Sigma$:
1. If $\langle \vec{x}, \vec{v} \rangle = 0$, then Decrypt($sk_{\vec{v}}$, Encrypt($PP, M, \vec{x}$)) $= M$.
2. If $\langle \vec{x}, \vec{v} \rangle \ne 0$, then Decrypt($sk_{\vec{v}}$, Encrypt($PP, M, \vec{x}$)) $= \perp$ with all but negligible probability.
We further consider a variant of the above, called a predicate-only encryption scheme. Compared with a predicate encryption scheme, the difference is that in a predicate-only encryption scheme the encryption algorithm takes as input only a vector $\vec{x}$, and the corresponding decryption algorithm Decrypt($sk_{\vec{v}}$, Encrypt($PP, \vec{x}$)) outputs $1$ if $\langle \vec{x}, \vec{v} \rangle = 0$ and $\perp$ with all but negligible probability otherwise.
Definition 5 An inner-product predicate encryption scheme for predicates $\mathcal{F}$ over attributes $\Sigma$ is selectively attribute-hiding secure against chosen-plaintext attacks (IND-sAH-CPA) if for all PPT adversaries $A$, the advantage of $A$ in the following security game $\Gamma_w$ is negligible in the security parameter.
1. Initialization $A$ outputs challenge attribute vectors $\vec{x}_0, \vec{x}_1 \in \Sigma$.
2. Setup The challenger $B$ runs Setup($\lambda$) to generate the public parameters $PP$ and the master secret key $MSK$, and sends $PP$ to $A$.
3. Phase I $A$ may adaptively make a polynomial number of queries for a secret key for a predicate $\vec{v} \in \mathcal{F}$, subject to the restrictions that $\langle \vec{x}_0, \vec{v} \rangle \ne 0$ and $\langle \vec{x}_1, \vec{v} \rangle \ne 0$. $B$ creates the secret key and sends it to $A$.
4. Challenge $A$ outputs challenge messages $M_0$ and $M_1$. $B$ chooses a random bit $w$. $A$ is given $C \leftarrow$ Encrypt($PP, M_w, \vec{x}_w$).
5. Phase II $A$ may continue to request secret keys for additional predicate vectors, subject to the restrictions given in Phase I.
6. Guess $A$ outputs a bit $w'$, and succeeds if $w' = w$.
For $w \in \{0, 1\}$, let $W_w$ be the event that $A$ outputs $0$ in game $\Gamma_w$ and define $A$'s advantage as
$$Adv^{IND\text{-}sAH\text{-}CPA}(\lambda) = \left| \Pr[W_0] - \Pr[W_1] \right|. \qquad (21.4)$$
The above game also defines the attribute-hiding property for a predicate-only encryption scheme, with the one change that the adversary outputs no messages in the challenge phase and the challenge ciphertext is given to $A$ as $C \leftarrow$ Encrypt($PP, \vec{x}_w$). With $Adv^{IND\text{-}sAH\text{-}CPA}(\lambda)$ defined as above, we say that a predicate-only encryption scheme is attribute-hiding if for all PPT adversaries $A$, $Adv^{IND\text{-}sAH\text{-}CPA}(\lambda)$ is negligible.
21.2.3 Definition of Functional Encryption
Below are the formal definition and security notion of functional encryption.
Definition 6 A functionality $F$ defined over $(\mathcal{Y}, \mathcal{X})$ is a function $F: \mathcal{Y} \times \mathcal{X} \to \Sigma$, where $\mathcal{Y}$ is the key space, $\mathcal{X}$ is the message space, and $\Sigma$ is the output space.
Definition 7 A functional encryption scheme for functionality $F$ consists of PPT algorithms Setup, Gen, Encrypt, and Decrypt. They are given as follows.
1. Setup($\lambda, n$) takes as input the security parameter $\lambda$ and the vector length parameter $n$. It outputs the public parameters $PP$ and the master secret key $MSK$.
2. Gen($PP, MSK, \vec{y}$) takes as input the public parameters $PP$, the master secret key $MSK$, and the key vector $\vec{y} \in \mathcal{Y} \setminus \{\vec{0}\}$. It outputs a corresponding secret key $SK_{\vec{y}}$.
3. Encrypt($PP, \vec{x}$) takes as input the public parameters $PP$ and the message vector $\vec{x} \in \mathcal{X}$. It outputs the ciphertext $C$.
4. Decrypt($SK_{\vec{y}}, C$) takes as input the secret key $SK_{\vec{y}}$ and the ciphertext $C$. It outputs $\langle \vec{x}, \vec{y} \rangle$.
For correctness, we require that for all $(PP, MSK)$ generated by Setup($\lambda, n$), all $\vec{y} \in \mathcal{Y} \setminus \{\vec{0}\}$, any key $SK_{\vec{y}} \leftarrow$ Gen($PP, MSK, \vec{y}$), and all message vectors $\vec{x} \in \mathcal{X}$, we have Decrypt($SK_{\vec{y}}$, Encrypt($PP, \vec{x}$)) $= \langle \vec{x}, \vec{y} \rangle$ with all but negligible probability.
Definition 8 A functional encryption scheme for functionality $F$ is selectively secure against chosen-plaintext attacks if for all PPT adversaries $A$, the advantage of $A$ in the following security game $\Gamma_w$ is negligible in the security parameter.
1. Initialization $A$ outputs challenge message vectors $\vec{x}_0, \vec{x}_1 \in \mathcal{X}$.
2. Setup The challenger $B$ runs Setup($\lambda, n$) to generate the public parameters $PP$ and the master secret key $MSK$, and sends $PP$ to $A$.
3. Phase I $A$ may adaptively make a polynomial number of queries for a secret key for a key vector $\vec{y} \in \mathcal{Y} \setminus \{\vec{0}\}$, subject to the restriction that $\langle \vec{x}_0, \vec{y} \rangle = \langle \vec{x}_1, \vec{y} \rangle$. $B$ creates the secret key $SK_{\vec{y}}$ and sends it to $A$.
4. Challenge $B$ chooses a random bit $w$. $A$ is given $C \leftarrow$ Encrypt($PP, \vec{x}_w$).
5. Phase II $A$ may continue to request secret keys for additional key vectors, subject to the restriction given in Phase I.
6. Guess $A$ outputs a bit $w'$ and succeeds if $w' = w$.
For $w \in \{0, 1\}$, let $W_w$ be the event that $A$ outputs $0$ in game $\Gamma_w$ and define $A$'s advantage as
$$Adv^{IND\text{-}sCPA}(\lambda) = \left| \Pr[W_0] - \Pr[W_1] \right|. \qquad (21.5)$$
21.3 Predicate-Only Encryption [62]
In this section, we present a predicate-only encryption scheme under the P-DBDH assumption. In the next section, we describe how to extend the present scheme to obtain a predicate encryption scheme.
Construction 1. Predicate-only encryption
Setup($\lambda$) Given a security parameter $\lambda \in \mathbb{Z}^+$:
1. Run $\mathcal{G}$ on input $\lambda$ to generate a prime $p$ ($|p| = \lambda$), three groups $G_1$, $G_2$ and $G_T$ of order $p$, and a bilinear map $e: G_1 \times G_2 \to G_T$. Choose two random generators $g \in G_1$ and $h \in G_2$.
2. Select random $(\gamma, a_1, \cdots, a_n, z) \in (\mathbb{Z}_p^*)^{n+2}$.
3. Compute as follows.
(a) $g_1 = g^{\gamma}$, $g_{2,1} = g^{a_1}, \cdots, g_{2,n} = g^{a_n}$, $g_0 = g^{z} \in G_1$,
(b) $h_1 = h^{\gamma}$, $h_{2,1} = h^{a_1}, \cdots, h_{2,n} = h^{a_n} \in G_2$.
4. The public parameters are $PP = (g, g_0, g_1, g_{2,1}, \cdots, g_{2,n}) \in G_1^{n+3}$.
5. The master secret key is $MSK = (h, h_1, h_{2,1}, \cdots, h_{2,n}) \in G_2^{n+2}$.
Note that $n$ is the dimension of the attribute/predicate vectors.
Gen($PP, MSK, \vec{v}$) For the predicate vector $\vec{v} \in \mathcal{F}$:
1. Pick random $r, R \in \mathbb{Z}_p^*$.
2. Compute as follows.
(a) $k_1 = \prod_{i=1}^{n} (h_{2,i})^{v_i r} \cdot h_1^{R}$,
(b) $k_2 = h^{r}$,
(c) $k_3 = h^{R}$.
3. The secret key is $sk_{\vec{v}} = (k_1, k_2, k_3, \vec{v}) \in G_2^3 \times (\mathbb{Z}_p^*)^n$.
Encrypt($PP, \vec{x}$) For the attribute vector $\vec{x} \in \Sigma$:
1. Pick a random $s \in \mathbb{Z}_p^*$.
2. Compute as follows.
(a) $c_1 = g^{s}$,
(b) $c_{2,i} = g_0^{x_i s} (g_{2,i})^{s}$ for $1 \le i \le n$,
(c) $c_3 = g_1^{s}$.
3. The ciphertext is $C = (c_1, c_{2,1}, \cdots, c_{2,n}, c_3) \in G_1^{n+2}$.
Decrypt($sk_{\vec{v}}, C$) To decrypt a given ciphertext $C = (c_1, c_{2,1}, \cdots, c_{2,n}, c_3) \in G_1^{n+2}$ using the secret key $sk_{\vec{v}} = (k_1, k_2, k_3, \vec{v}) \in G_2^3 \times (\mathbb{Z}_p^*)^n$, compute
$$\frac{e\left(\prod_{i=1}^{n} (c_{2,i})^{v_i}, k_2\right) \cdot e(c_3, k_3)}{e(c_1, k_1)} \in G_T.$$
Correctness
To see that correctness holds, let $C$ and $sk_{\vec{v}}$ be as above. Then
$$\begin{aligned}
& e\left(\prod_{i=1}^{n} (c_{2,i})^{v_i}, k_2\right) \cdot e(c_3, k_3) \cdot e(c_1, k_1)^{-1} \\
&= e\left(\prod_{i=1}^{n} \left(g_0^{x_i s} (g_{2,i})^{s}\right)^{v_i}, h^{r}\right) \cdot e\left(g_1^{s}, h^{R}\right) \cdot e\left(g^{s}, \prod_{i=1}^{n} (h_{2,i})^{v_i r} h_1^{R}\right)^{-1} \\
&= e\left(\prod_{i=1}^{n} g^{z x_i v_i s} g^{a_i v_i s}, h^{r}\right) \cdot e\left(g^{\gamma s}, h^{R}\right) \cdot e\left(g^{s}, \prod_{i=1}^{n} h^{a_i v_i r} h^{\gamma R}\right)^{-1} \\
&= e\left(g^{z s \langle \vec{x}, \vec{v} \rangle} g^{\langle \vec{a}, \vec{v} \rangle s}, h^{r}\right) \cdot e\left(g^{\gamma s}, h^{R}\right) \cdot e\left(g^{s}, h^{\langle \vec{a}, \vec{v} \rangle r} h^{\gamma R}\right)^{-1} \\
&= e\left(g^{z s \langle \vec{x}, \vec{v} \rangle}, h^{r}\right) \cdot e\left(g^{\langle \vec{a}, \vec{v} \rangle s}, h^{r}\right) \cdot e\left(g^{\gamma s}, h^{R}\right) \cdot e\left(g^{s}, h^{\langle \vec{a}, \vec{v} \rangle r}\right)^{-1} \cdot e\left(g^{s}, h^{\gamma R}\right)^{-1} \\
&= e(g, h)^{z s r \langle \vec{x}, \vec{v} \rangle} \cdot e(g, h)^{\langle \vec{a}, \vec{v} \rangle s r} \cdot e(g, h)^{\gamma s R} \cdot e(g, h)^{-\langle \vec{a}, \vec{v} \rangle s r} \cdot e(g, h)^{-s \gamma R} \\
&= e(g, h)^{z s r \langle \vec{x}, \vec{v} \rangle} \in G_T.
\end{aligned}$$
If $\langle \vec{x}, \vec{v} \rangle = 0$, the result is $1$. Otherwise it is a non-identity element of $G_T$, since $z, s, r \ne 0$ and $p$ is prime, so the decryptor learns only that the predicate is not satisfied.
21.3.1 Proof of Predicate-Only Encryption Security
The following theorem proves the security of this scheme under the P-DBDH assumption.
Theorem 1 The predicate-only encryption scheme is selectively attribute-hiding secure against chosen-plaintext attacks in the standard model under the P-DBDH assumption: for all PPT adversaries $A$, the function $Adv_A^{IND\text{-}sAH\text{-}CPA}(\lambda)$ is a negligible function of $\lambda$.
Proof The proof proceeds by a hybrid argument across a number of games. Let $C = (B, C_1, \cdots, C_n, D) \in G_1^{n+2}$ denote the challenge ciphertext given to the adversary during the two real attacks ($\Gamma_0$ and $\Gamma_1$). Additionally, let $R_1, \cdots, R_n$ and $R_0$ be random elements of $G_1$. We define the following hybrid experiments, which differ in how the challenge ciphertext is generated.
1. Game $\Gamma_{0,1}$: This game is the original security game, where the challenge attribute is $\vec{x}_0$ and the challenge ciphertext is $C = (B, C_1, \cdots, C_n, D)$.
2. Game $\Gamma_{0,2}$: In this game, the element $D$ of the ciphertext is changed to a random element $R_0$ of $G_1$. The challenge attribute is the same as in $\Gamma_{0,1}$, but the challenge ciphertext is $C = (B, C_1, \cdots, C_n, R_0)$.
3. Game $\Gamma_{0,3}$: In this game, the elements $C_1, \cdots, C_n$ of the ciphertext are changed to the random elements $R_1, \cdots, R_n$ of $G_1$. The element $R_0$ and the challenge attribute are the same as in $\Gamma_{0,2}$, but the challenge ciphertext is $C = (B, R_1, \cdots, R_n, R_0)$.
For the security proof, we additionally define a sequence of games $\Gamma_{0,2,1}, \Gamma_{0,2,2}, \cdots, \Gamma_{0,2,n}$, where $\Gamma_{0,2} = \Gamma_{0,2,0}$ and $\Gamma_{0,3} = \Gamma_{0,2,n} = \Gamma_{1,3}$. In game $\Gamma_{0,2,j}$ for $1 \le j \le n$, the first $j$ attribute elements are replaced by random numbers in $\mathbb{Z}_p^*$ (so that the corresponding ciphertext components become uniformly random elements $R_1, \cdots, R_j$ of $G_1$), and the remaining attribute elements are those of the challenge attribute, giving the challenge ciphertext $C = (B, R_1, \cdots, R_j, C_{j+1}, \cdots, C_n, R_0)$.
4. Game $\Gamma_{1,3}$: This game is almost the same as $\Gamma_{0,3}$ except that the challenge attribute is $\vec{x}_1$ and the challenge ciphertext is $C = (B, R_1, \cdots, R_n, R_0)$.
5. Game $\Gamma_{1,2}$: This game is almost the same as $\Gamma_{0,2}$ except that the challenge attribute is $\vec{x}_1$ and the challenge ciphertext is $C = (B, C_1, \cdots, C_n, R_0)$.
6. Game $\Gamma_{1,1}$: This game is almost the same as $\Gamma_{0,1}$ except that the challenge attribute is $\vec{x}_1$ and the challenge ciphertext is $C = (B, C_1, \cdots, C_n, D)$.
$\Gamma_{0,1}$ and $\Gamma_{1,1}$ are the games $\Gamma_0$ and $\Gamma_1$ of Definition 5, respectively. Therefore,
$$Adv_A^{IND\text{-}sAH\text{-}CPA}(\lambda) \le \left| \Pr[A^{\Gamma_{0,1}} = 0] - \Pr[A^{\Gamma_{1,1}} = 0] \right|. \qquad (21.6)$$
To prove that $\Gamma_{0,1}$ is indistinguishable from $\Gamma_{1,1}$, we prove that each step of the hybrid argument is indistinguishable from the next.
Lemma 1 Let $A$ be an adversary playing the IND-sAH-CPA attack game. Then there exists an algorithm $B$ solving the P-DBDH problem such that
$$\left| \Pr[A^{\Gamma_{w,1}} = 0] - \Pr[A^{\Gamma_{w,2}} = 0] \right| \le Adv_B^{P\text{-}DBDH}.$$
Lemma 2 Let $A$ be an adversary playing the IND-sAH-CPA attack game. Then there exists an algorithm $B$ solving the P-DBDH problem such that
$$\left| \Pr[A^{\Gamma_{w,2,j-1}} = 0] - \Pr[A^{\Gamma_{w,2,j}} = 0] \right| \le Adv_B^{P\text{-}DBDH}. \qquad (21.7)$$
In Lemmas 1 and 2, $w \in \{0, 1\}$ (and $1 \le j \le n$ in Lemma 2).
Thus, if there is no algorithm $B$ that solves the P-DBDH problem with advantage better than $\varepsilon_P$, then for every adversary $A$,
$$\begin{aligned}
\left| \Pr[A^{\Gamma_{0,1}} = 0] - \Pr[A^{\Gamma_{1,1}} = 0] \right| \le\ & \left| \Pr[A^{\Gamma_{0,1}} = 0] - \Pr[A^{\Gamma_{0,2}} = 0] \right| + \\
& \left| \Pr[A^{\Gamma_{0,2}} = 0] - \Pr[A^{\Gamma_{0,2,1}} = 0] \right| + \cdots + \\
& \left| \Pr[A^{\Gamma_{0,2,j-1}} = 0] - \Pr[A^{\Gamma_{0,2,j}} = 0] \right| + \cdots + \\
& \left| \Pr[A^{\Gamma_{0,2,n-1}} = 0] - \Pr[A^{\Gamma_{0,2,n}} = 0] \right| + \\
& \left| \Pr[A^{\Gamma_{1,2,n}} = 0] - \Pr[A^{\Gamma_{1,2,n-1}} = 0] \right| + \cdots + \\
& \left| \Pr[A^{\Gamma_{1,2,j}} = 0] - \Pr[A^{\Gamma_{1,2,j-1}} = 0] \right| + \cdots + \\
& \left| \Pr[A^{\Gamma_{1,2,1}} = 0] - \Pr[A^{\Gamma_{1,2}} = 0] \right| + \\
& \left| \Pr[A^{\Gamma_{1,2}} = 0] - \Pr[A^{\Gamma_{1,1}} = 0] \right| \le 2(n+1)\,\varepsilon_P,
\end{aligned}$$
where the middle terms telescope because $\Gamma_{0,2,n} = \Gamma_{1,2,n}$ (both ciphertexts are fully random). Consequently, under the P-DBDH assumption, Game $\Gamma_{0,1}$ is indistinguishable from $\Gamma_{1,1}$.
In the following, we prove Lemmas 1 and 2 under the P-DBDH assumption.
Proof of Lemma 1 Suppose $A$ has advantage $\varepsilon_P$ in distinguishing Game $\Gamma_{w,1}$ from Game $\Gamma_{w,2}$. We build an algorithm $B$ that solves the P-DBDH problem in an asymmetric pairing. $B$ is given as input a random 8-tuple $(g, g^{a}, g^{ab}, g^{c}, h, h^{a}, h^{b}, T)$ that is either sampled from $D_N$ (where $T = g^{abc}$) or from $D_R$ (where $T$ is uniform and independent in $G_1$). Algorithm $B$'s goal is to output 1 if $T = g^{abc}$ and 0 otherwise. Algorithm $B$ works by interacting with $A$ in a selective attribute game as follows.
Reduction algorithm
Initialization The selective attribute game begins with $A$ outputting the attribute vectors $\vec{x}_0, \vec{x}_1 \in \Sigma$ that it intends to attack.
Setup
1. Pick random exponents $z', a'_1, \cdots, a'_n \in \mathbb{Z}_p^*$.
2. Define $\vec{x} = \vec{x}_w$ and
$$g_0 = g^{z'} g^{a}, \quad g_1 = g^{ab}, \quad g_{2,1} = g^{-a x_1} g^{a'_1}, \cdots, g_{2,n} = g^{-a x_n} g^{a'_n},$$
$$h_1 = h^{ab}, \quad h_{2,1} = h^{-a x_1} h^{a'_1}, \cdots, h_{2,n} = h^{-a x_n} h^{a'_n},$$
where $a$ and $b$ are the exponents unknown to $B$ (each $g^{-a x_i}$ and $h^{-a x_i}$ is computed from $g^{a}$ and $h^{a}$ in the instance).
3. This implicitly simulates the system for the parameters
$$\gamma = ab, \quad a_1 = -a x_1 + a'_1, \cdots, a_n = -a x_n + a'_n, \quad z = z' + a.$$
4. Send the public parameters $PP = (g, g_0 = g^{z}, g_1 = g^{\gamma}, g_{2,1} = g^{a_1}, \cdots, g_{2,n} = g^{a_n})$ to $A$.
5. The master secret key is $MSK = (h, h_1 = h^{\gamma}, h_{2,1} = h^{a_1}, \cdots, h_{2,n} = h^{a_n})$, where $h_1 = h^{ab}$ is unknown to $B$.
Phase I Consider a query for the secret key corresponding to the predicate vector $\vec{v} \in \mathcal{F}$, which satisfies $\langle \vec{x}_0, \vec{v} \rangle \ne 0$ and $\langle \vec{x}_1, \vec{v} \rangle \ne 0$.
1. Pick random exponents $r', R \in \mathbb{Z}_p^*$.
2. Set
$$k_1 = \prod_{i=1}^{n} \left[ \left(h^{-a x_i} h^{a'_i}\right)^{v_i r'} \left(h^{b}\right)^{a'_i v_i R / I} \right], \qquad k_2 = h^{r'} \left(h^{b}\right)^{R / I}, \qquad k_3 = h^{R},$$
where $I = \langle \vec{x}, \vec{v} \rangle$.
3. Send the secret key $sk_{\vec{v}} = (k_1, k_2, k_3, \vec{v})$ to $A$.
Challenge $A$ decides that Phase I is over.
1. Set the challenge ciphertext as
$$C = \left(g^{c}, (g^{c})^{z' x_1 + a'_1}, \cdots, (g^{c})^{z' x_n + a'_n}, T\right),$$
where $c$ is an exponent unknown to $B$.
2. Send the challenge ciphertext $C = (B, C_1, \cdots, C_n, D)$ to $A$.
Phase II $A$ continues to adaptively make a polynomial number of queries not issued in Phase I. $B$ responds as before.
Guess
1. Finally, $A$ outputs a guess $w' \in \{0, 1\}$.
2. If $w = w'$, $B$ outputs 1 (indicating that $T = g^{abc}$); otherwise, it outputs 0 (indicating that $T \ne g^{abc}$).
Simulation of secret key generation in Lemma 1
The original secret key is set as follows:
$$k_1 = \prod_{i=1}^{n} (h_{2,i})^{v_i r} h_1^{R}, \qquad k_2 = h^{r}, \qquad k_3 = h^{R}.$$
In the above reduction algorithm, the secret key is set as follows:
$$k_1 = \prod_{i=1}^{n} \left[ \left(h^{-a x_i} h^{a'_i}\right)^{v_i r'} \left(h^{b}\right)^{a'_i v_i R / I} \right], \qquad k_2 = h^{r'} \left(h^{b}\right)^{R / I}, \qquad k_3 = h^{R}.$$
The secret key only has to be generated when $\langle \vec{x}_0, \vec{v} \rangle \ne 0$ and $\langle \vec{x}_1, \vec{v} \rangle \ne 0$, so $I = \langle \vec{x}, \vec{v} \rangle \ne 0$ is invertible mod $p$. Setting $r = r' + bR/I$, $k_1$ and $k_2$ are valid keys, since
$$\begin{aligned}
k_1 &= \prod_{i=1}^{n} \left(h^{-a x_i} h^{a'_i}\right)^{v_i r'} h^{a'_i v_i b R / I} \\
&= \prod_{i=1}^{n} h^{-a x_i v_i r'} h^{a'_i v_i r'} h^{a'_i v_i b R / I} \\
&= \prod_{i=1}^{n} h^{-a x_i v_i r'} h^{-ab x_i v_i R / I} h^{ab x_i v_i R / I} h^{a'_i v_i r'} h^{a'_i v_i b R / I} \\
&= \prod_{i=1}^{n} \left( h^{-a x_i v_i r'} h^{-ab x_i v_i R / I} h^{a'_i v_i r'} h^{a'_i v_i b R / I} \right) \cdot \prod_{i=1}^{n} h^{ab x_i v_i R / I} \\
&= \prod_{i=1}^{n} \left( h^{-a x_i v_i r'} h^{-ab x_i v_i R / I} h^{a'_i v_i r'} h^{a'_i v_i b R / I} \right) \cdot h^{ab I R / I} \\
&= \prod_{i=1}^{n} \left(h^{-a x_i} h^{a'_i}\right)^{v_i (r' + bR/I)} \cdot h^{abR} \\
&= \prod_{i=1}^{n} (h_{2,i})^{v_i r} h_1^{R}, \\
k_2 &= h^{r'} h^{bR/I} = h^{r}.
\end{aligned}$$
Note that $B$ never needs $h^{ab}$: the factor $h_1^{R} = h^{abR}$ of the real key is produced by the $h^{-ab x_i v_i R/I}$ terms, which sum to $h^{-abR}$ and cancel against it. If instead $I = \langle \vec{x}, \vec{v} \rangle = 0$ (which the game's restriction $\langle \vec{x}_0, \vec{v} \rangle \ne 0$, $\langle \vec{x}_1, \vec{v} \rangle \ne 0$ rules out), then $k_1$ and $k_2$ cannot be computed, because $1/I = 1/0$ is undefined. So $B$ cannot generate a secret key that would decrypt the challenge ciphertext, which is exactly what the game forbids.
Simulation of challenge ciphertext generation in Lemma 1
The original ciphertext is set as follows:
$$B = g^{s}, \quad C_1 = g_0^{x_1 s} (g_{2,1})^{s}, \cdots, C_n = g_0^{x_n s} (g_{2,n})^{s}, \quad D = g_1^{s}.$$
In the above reduction algorithm, the challenge ciphertext is set as follows:
$$B = g^{c}, \quad C_1 = (g^{c})^{z' x_1 + a'_1}, \cdots, C_n = (g^{c})^{z' x_n + a'_n}, \quad D = T, \qquad \text{where } c = s.$$
If $T = g^{abc}$, then $D$ is valid, because $T = g^{abc} = (g^{ab})^{c} = (g_1)^{s}$, so $B$ can set $D$ using the problem instance $T$. On the other hand, if $T$ is random, then $D$ is a random element of $G_1$ and hence invalid.
Since $c = s$, $B = g^{c} = g^{s}$ is valid and can be set using the problem instance $g^{c}$.
Since
$$(g^{c})^{z' x_i + a'_i} = (g^{c})^{z' x_i + a x_i - a x_i + a'_i} = (g^{c})^{z' x_i + a x_i} (g^{c})^{-a x_i + a'_i} = g_0^{x_i s} (g_{2,i})^{s}$$
for $1 \le i \le n$, each $C_i$ is also valid and can be set as $C_i = g_0^{x_i s} (g_{2,i})^{s}$ using the problem instance $g^{c}$.
If $B$ tried to generate the challenge ciphertext for a different attribute vector $\vec{y} \ne \vec{x}$, it could not, because it would need $g^{ac}$:
$$C_i = (g^{c})^{z' y_i} (g^{ac})^{(y_i - x_i)} (g^{c})^{a'_i} = g_0^{y_i s} (g_{2,i})^{s} \quad \text{for } 1 \le i \le n,$$
and $B$ does not know $g^{ac}$. This is why the challenge attribute vector has to be fixed before the public parameters are produced, i.e., why the result is selective security.
In conclusion, we can say that
1. When $T = g^{abc} = g_1^{c}$, i.e., when $B$'s 8-tuple input is sampled from $D_N$, then $C = (B, C_1, \cdots, C_n, D)$: thus $A$ is playing Game $\Gamma_{w,1}$.
2. When $T$ is uniform and independent in $G_1$, i.e., when $B$'s 8-tuple input is sampled from $D_R$, then $C = (B, C_1, \cdots, C_n, R_0)$ for a random $R_0$: thus $A$ is playing Game $\Gamma_{w,2}$.
So, if $A$ has advantage $\varepsilon_P$ in distinguishing Game $\Gamma_{w,1}$ from Game $\Gamma_{w,2}$, then $B$ has the same advantage $\varepsilon_P$ against P-DBDH.
Proof of Lemma 2
Suppose A has an advantage $\epsilon_P$ in distinguishing Game $\Gamma_{w,2,j-1}$ from Game $\Gamma_{w,2,j}$. We build an algorithm B that solves the P-DBDH problem in the asymmetric pairing setting. B is given as input a random 8-tuple $(g, g^a, g^{ab}, g^c, h, h^a, h^b, T)$ that is either sampled from $D_N$ (where $T = g^{abc}$) or from $D_R$ (where $T$ is uniform and independent in $G_1$). Algorithm B's goal is to output 1 if $T = g^{abc}$ and 0 otherwise. Algorithm B works by interacting with A in a selective attribute game as follows.
Reduction algorithm
Initialization The selective attribute game begins with A outputting the attribute vectors $\vec x_0, \vec x_1 \in \Sigma$ that it intends to attack.
Setup
1. Pick random exponents $z', a'_1, \cdots, a'_n \in \mathbb{Z}_p^*$.
2. Define as follows: $\vec x = \vec x_w$, $g_0 = g^{z'} g^{-a}$, $g_1 = g^a$,
$g_{2,j} = g^{-ab} g^{ax_j} g^{-a'_j}$, $\{g_{2,i} = g^{ax_i} g^{-a'_i}\}_{i=1, i \neq j}^{n}$,
$h_1 = h^a$, $h_{2,j} = h^{-ab} h^{ax_j} h^{-a'_j}$, $\{h_{2,i} = h^{ax_i} h^{-a'_i}\}_{i=1, i \neq j}^{n}$,
where $a$ and $b$ are the exponents which are unknown to B.
3. Simulate the system for the following parameters:
$z = z' - a$, $\gamma = a$, $a_j = -ab + ax_j - a'_j$, $\{a_i = ax_i - a'_i\}_{i=1, i \neq j}^{n}$.
4. Send the public parameters
$PP = (g, g_0 = g^z, g_1 = g^\gamma, g_{2,1} = g^{a_1}, \cdots, g_{2,n} = g^{a_n})$.
5. Set the master secret key
$MSK = (h, h_1 = h^\gamma, h_{2,1} = h^{a_1}, \cdots, h_{2,n} = h^{a_n})$,
where $h_{2,j}$ is unknown to B.
Phase I Consider a query for the secret key corresponding to the predicate vector $\vec v \in \mathcal F$, which satisfies $\langle \vec x_0, \vec v\rangle \neq 0$ and $\langle \vec x_1, \vec v\rangle \neq 0$.
1. Pick random exponents $r', R' \in \mathbb{Z}_p^*$.
2. Set $k_1 = \prod_{i=1}^{n} \big( h^{ax_i v_i r'/I}\, h^{-a'_i v_i r'/I} \big)\, h^{aR'}$, $k_2 = h^{r'/I}$, $k_3 = h^{R'} h^{bv_j r'/I}$, where $I = \langle \vec x, \vec v\rangle$.
3. Send the secret key $sk_{\vec v} = (k_1, k_2, k_3, \vec v)$.
Challenge A decides that Phase I is over.
1. Set the challenge ciphertext as follows:
$B = g^c$, $C_1 = R_1, \cdots, C_{j-1} = R_{j-1}$, $C_j = (T)^{-1} g^{z'x_j c} g^{-a'_j c}$,
$C_{j+1} = g^{z'x_{j+1} c} g^{-a'_{j+1} c}, \cdots, C_n = g^{z'x_n c} g^{-a'_n c}$, $D = R'$,
where $R_1, \cdots, R_{j-1}, R'$ are uniformly and independently chosen from $G_1$.
2. Send the challenge ciphertext $C = (B, C_1, \cdots, C_n, D)$.
Phase II A continues to adaptively make a polynomial number of queries not issued in Phase I. B responds as before.
Guess
1. Finally, A outputs a guess $w' \in \{0, 1\}$.
2. If $w = w'$, it outputs 1 (indicating that $T = g^{abc}$); otherwise, it outputs 0 (indicating that $T \neq g^{abc}$).
Simulation of secret key generation in Lemma 2
The original secret key is set as follows.
$$k_1 = \prod_{i=1}^{n} (h_{2,i})^{v_i r}\, h_1^{R}, \quad k_2 = h^r, \quad k_3 = h^R.$$
In the above reduction algorithm, the secret key is set as follows.
$$k_1 = \prod_{i=1}^{n} \big( h^{ax_i v_i r'/I}\, h^{-a'_i v_i r'/I} \big)\, h^{aR'}, \quad k_2 = h^{r'/I}, \quad k_3 = h^{R'} h^{bv_j r'/I}.$$
The secret key must be generated in the cases of $\langle \vec x_0, \vec v\rangle \neq 0$ and $\langle \vec x_1, \vec v\rangle \neq 0$.
If $\langle \vec x_0, \vec v\rangle \neq 0$, $\langle \vec x_1, \vec v\rangle \neq 0$, $r = r'/I$ and $R = R' + bv_j r'/I \in \mathbb{Z}_p^*$, then $k_1$, $k_2$ and $k_3$ are valid and computed as follows.
$$\begin{aligned}
k_1 &= \prod_{i=1}^{n} \big( h^{ax_i v_i r'/I}\, h^{-a'_i v_i r'/I} \big)\, h^{aR'} \\
&= \prod_{i=1}^{n} \big( h^{ax_i v_i r'/I}\, h^{-a'_i v_i r'/I} \big)\, h^{-abv_j r'/I}\, h^{aR'}\, h^{abv_j r'/I} \\
&= \prod_{i=1, i \neq j}^{n} \big( h^{ax_i v_i r'/I}\, h^{-a'_i v_i r'/I} \big) \big( h^{-abv_j r'/I}\, h^{ax_j v_j r'/I}\, h^{-a'_j v_j r'/I} \big)\, h^{a(R' + bv_j r'/I)} \\
&= \prod_{i=1, i \neq j}^{n} (h^{ax_i} h^{-a'_i})^{v_i r'/I}\, (h^{-ab} h^{ax_j} h^{-a'_j})^{v_j r'/I}\, h_1^{R} \\
&= \prod_{i=1, i \neq j}^{n} \big( (h_{2,i})^{v_i r} \big) (h_{2,j})^{v_j r}\, h_1^{R} \\
&= \prod_{i=1}^{n} \big( (h_{2,i})^{v_i r} \big)\, h_1^{R}, \\
k_2 &= h^{r'/I} = h^r, \\
k_3 &= h^{R'} h^{bv_j r'/I} = h^R.
\end{aligned}$$
If $\langle \vec x_0, \vec v\rangle = \langle \vec x_1, \vec v\rangle = 0$, then $k_1$ and $k_2$ cannot be computed, because $1/I = 1/0$ cannot be computed. So B cannot generate a secret key that would decrypt the challenge ciphertext.
Simulation of challenge ciphertext generation in Lemma 2
The original ciphertext is set as follows.
$$B = g^s, \quad C_1 = g_0^{x_1 s}(g_{2,1})^s, \cdots, C_n = g_0^{x_n s}(g_{2,n})^s, \quad D = g_1^s.$$
In the above reduction algorithm, the challenge ciphertext is set as follows.
$$B = g^c, \quad C_1 = R_1, \cdots, C_{j-1} = R_{j-1}, \quad C_j = (T)^{-1} g^{z'x_j c} g^{-a'_j c},$$
$$C_{j+1} = g^{z'x_{j+1} c} g^{-a'_{j+1} c}, \cdots, C_n = g^{z'x_n c} g^{-a'_n c}, \quad D = R', \quad \text{where } c = s.$$
If $T = g^{abc}$, then $C_j$ is valid, because
$$C_j = (T)^{-1} g^{z'x_j c} g^{-a'_j c} = (g^{abc})^{-1} g^{z'x_j c} g^{-a'_j c} = (g^{-ab})^c g^{z'x_j c} g^{-a'_j c} = (g^{-ab + z'x_j - a'_j})^c = g^{(z'-a)x_j c}\, g^{(-ab + ax_j - a'_j)c} = g_0^{x_j s}(g_{2,j})^s,$$
and B can set $C_j$ by using the instance of the problem, $T$. On the other hand, if $T$ is random, then naturally $C_j$ is invalid.
Since $c = s$, $B$ is valid ($B = g^c = g^s$), and B can set $B = g^s$ by using the instance of the problem, $g^c$.
Since
$$g^{z'x_i c} g^{-a'_i c} = g^{z'x_i c - ax_i c}\, g^{ax_i c - a'_i c} = g^{(z'-a)x_i c}\, g^{(ax_i - a'_i)c} = g_0^{x_i s}(g_{2,i})^s$$
for $j + 1 \le i \le n$, $C_i$ is also valid, and B can set $C_i = g_0^{x_i s}(g_{2,i})^s$ by using the instance of the problem, $g^c$.
If B tries to generate the challenge ciphertext of another attribute vector $\vec y$, it cannot, because to do so B would have to know $g^{ac}$:
$$C_j = (T)^{-1} g^{z'y_j c}\, g^{-a(y_j - x_j)c}\, g^{-a'_j c} = g_0^{y_j s}(g_{2,j})^s.$$
But B does not know $g^{ac}$. Therefore, the challenge ciphertext of any other attribute vector $\vec y$ cannot be generated.
In conclusion, we can say that
1. When $T = g^{abc} = g_3^c$, i.e., when B's 8-tuple input is sampled from $D_N$, then $C = (B, R_1, \cdots, R_{j-1}, C_j, \cdots, C_n, R')$ for random $R', R_1, \cdots, R_{j-1}$: thus, A is playing Game $\Gamma_{w,2,j-1}$.
2. When $T$ is uniform and independent in $G_1$, i.e., when B's 8-tuple input is sampled from $D_R$, then $C = (B, R_1, \cdots, R_j, C_{j+1}, \cdots, C_n, R')$ for random $R', R_1, \cdots, R_j$: thus, A is playing Game $\Gamma_{w,2,j}$.
So, if A has an advantage $\epsilon_P$ in distinguishing Game $\Gamma_{w,2,j-1}$ from Game $\Gamma_{w,2,j}$, then B has the same advantage $\epsilon_P$ against P-DBDH. $\square$
21.4 Predicate Encryption [62]
We now describe the predicate encryption scheme which is attribute-hiding under the DBDH and P-DBDH assumptions, obtained by slightly modifying the predicate-only encryption scheme. The main difference is that the present predicate encryption scheme should be allowed to encrypt a message $M$ as well as the attributes $\vec x \in \Sigma$, where we assume that $\Sigma = (\mathbb{Z}_p^*)^n$ and $M \in G_T$.
Construction 2. Predicate encryption
Setup($\lambda$) Given a security parameter $\lambda \in \mathbb{Z}^+$
1. Run $\mathcal G$ on input $\lambda$ to generate a prime $q$ ($|q| = \lambda$), three groups $G_1$, $G_2$, and $G_T$ of order $q$, and $\hat e: G_1 \times G_2 \to G_T$. Choose two random generators $g \in G_1$ and $h \in G_2$.
2. Select random $(\alpha, \beta, \gamma, a_1, \cdots, a_n, z) \in (\mathbb{Z}_p^*)^{n+4}$.
3. Compute as follows.
(a) $g_1 = g^\gamma, g_{2,1} = g^{a_1}, \cdots, g_{2,n} = g^{a_n}, g_0 = g^z \in G_1$,
(b) $h_1 = h^\gamma, h_{2,1} = h^{a_1}, \cdots, h_{2,n} = h^{a_n} \in G_2$,
(c) $Y = e(g, h^{\alpha\beta}) \in G_T$.
4. The public parameters are
$PP = (g, g_0, g_1, g_{2,1}, \cdots, g_{2,n}, Y) \in G_1^{n+3} \times G_T$.
5. The master secret key is
$MSK = (h^{\alpha\beta}, h, h_1, h_{2,1}, \cdots, h_{2,n}) \in G_2^{n+3}$.
Note that $n$ is the dimension of the attribute/predicate vectors.
Gen($PP, MSK, \vec v$) For the predicate $\vec v \in \mathcal F$
1. Pick random $r, R \in \mathbb{Z}_p^*$.
2. Compute as follows.
(a) $k_1 = h^{\alpha\beta} \prod_{i=1}^{n} (h_{2,i})^{v_i r}\, h_1^{R}$,
(b) $k_2 = h^r$,
(c) $k_3 = h^R$.
3. The secret key is $sk_{\vec v} = (k_1, k_2, k_3, \vec v) \in G_2^3 \times (\mathbb{Z}_p^*)^n$.
Encrypt($PP, M, \vec x$) To encrypt a message $M \in G_T$ under the attributes $\vec x \in \Sigma$
1. Pick a random $s \in \mathbb{Z}_p^*$.
2. Compute as follows.
(a) $c_0 = M \cdot Y^s$,
(b) $c_1 = g^s$,
(c) $c_{2,i} = g_0^{x_i s}(g_{2,i})^s$ for $1 \le i \le n$,
(d) $c_3 = g_1^s$.
3. The ciphertext is $C = (c_0, c_1, c_{2,1}, \cdots, c_{2,n}, c_3) \in G_T \times G_1^{n+2}$.
Decrypt($sk_{\vec v}, C$) To decrypt a given ciphertext $C = (c_0, c_1, c_{2,1}, \cdots, c_{2,n}, c_3) \in G_T \times G_1^{n+2}$ using the secret key $sk_{\vec v} = (k_1, k_2, k_3, \vec v) \in G_2^3 \times (\mathbb{Z}_p^*)^n$, compute
$$c_0 \cdot \frac{e\big(\prod_{i=1}^{n} (c_{2,i})^{v_i}, k_2\big) \cdot e(c_3, k_3)}{e(c_1, k_1)} \in G_T.$$
Correctness To see that correctness holds, let $C$ and $sk_{\vec v}$ be as above. Then
$$\begin{aligned}
& c_0 \cdot e\Big(\prod_{i=1}^{n} (c_{2,i})^{v_i}, k_2\Big) \cdot e(c_3, k_3) \cdot e(c_1, k_1)^{-1} \\
&= M \cdot e(g, h)^{\alpha\beta s} \cdot e\Big(\prod_{i=1}^{n} \big(g_0^{x_i s}(g_{2,i})^s\big)^{v_i}, h^r\Big) \cdot e\big(g_1^s, h^R\big) \cdot e\Big(g^s, h^{\alpha\beta} \prod_{i=1}^{n} (h_{2,i})^{v_i r}\, h_1^{R}\Big)^{-1} \\
&= M \cdot e(g, h)^{\alpha\beta s} \cdot e\Big(\prod_{i=1}^{n} \big(g^{z x_i v_i s} g^{a_i v_i s}\big), h^r\Big) \cdot e\big(g^{\gamma s}, h^R\big) \cdot e\Big(g^s, h^{\alpha\beta} \prod_{i=1}^{n} h^{a_i v_i r}\, h^{\gamma R}\Big)^{-1} \\
&= M \cdot e(g, h)^{\alpha\beta s} \cdot e\big(g^{zs\langle \vec x, \vec v\rangle} g^{\langle \vec a, \vec v\rangle s}, h^r\big) \cdot e\big(g^{\gamma s}, h^R\big) \cdot e\big(g^s, h^{\alpha\beta} h^{\langle \vec a, \vec v\rangle r} h^{\gamma R}\big)^{-1} \\
&= M \cdot e(g, h)^{\alpha\beta s} \cdot e\big(g^{zs\langle \vec x, \vec v\rangle}, h^r\big) \cdot e\big(g^{\langle \vec a, \vec v\rangle s}, h^r\big) \cdot e\big(g^{\gamma s}, h^R\big) \cdot e\big(g^s, h^{\alpha\beta}\big)^{-1} \cdot e\big(g^s, h^{\langle \vec a, \vec v\rangle r}\big)^{-1} \cdot e\big(g^s, h^{\gamma R}\big)^{-1} \\
&= M \cdot e(g, h)^{\alpha\beta s} \cdot e(g, h)^{zsr\langle \vec x, \vec v\rangle} \cdot e(g, h)^{\langle \vec a, \vec v\rangle sr} \cdot e(g, h)^{\gamma sR} \cdot e(g, h)^{-\alpha\beta s} \cdot e(g, h)^{-\langle \vec a, \vec v\rangle sr} \cdot e(g, h)^{-s\gamma R} \\
&= M \cdot e(g, h)^{zsr\langle \vec x, \vec v\rangle} \in G_T.
\end{aligned}$$
If $\langle \vec x, \vec v\rangle = 0$, the last factor equals $1$ and we recover $M$.
21.4.1 Proof of Predicate Encryption Security
The following theorem states the security of this scheme under the DBDH and P-DBDH assumptions.
Theorem 2 The predicate encryption scheme is selectively attribute-hiding secure against chosen plaintext attacks in the standard model under the DBDH and P-DBDH assumptions. For all PPT algorithms B, the function $\mathrm{Adv}_B^{\mathrm{IND\text{-}sAH\text{-}CPA}}(\lambda)$ is a negligible function of $\lambda$.
Proof The proof proceeds by a hybrid argument across a number of games. Let $C = (A, B, C_1, \cdots, C_n, D) \in G_T \times G_1^{n+2}$ denote the challenge ciphertext given to the adversary during the two real attacks ($\Gamma_0$ and $\Gamma_1$). Additionally, let $R$ be a random element of $G_T$ and $R_1, \cdots, R_n$, and $R'$ be random elements of $G_1$. We define the following hybrid experiments, which differ in how the challenge ciphertext is generated.
1. Game $\Gamma_{0,0}$: This game is the original security game, where the challenge attribute, message, and ciphertext are $\vec x_0$, $M_0$, and $C = (A, B, C_1, \cdots, C_n, D)$, respectively.
2. Game $\Gamma_{0,1}$: In this game, the element $A$ of the ciphertext is changed to a random element $R$ of $G_T$, but the challenge attribute and message are the same as in $\Gamma_{0,0}$. The challenge ciphertext is $C = (R, B, C_1, \cdots, C_n, D)$.
3. Game $\Gamma_{0,2}$: In this game, the element $D$ of the ciphertext is changed to a random element $R'$ of $G_1$. The element $R$ of the ciphertext, the challenge attribute, and the message are the same as in $\Gamma_{0,1}$. The challenge ciphertext is $C = (R, B, C_1, \cdots, C_n, R')$.
4. Game $\Gamma_{0,3}$: In this game, the elements $C_1, \cdots, C_n$ of the ciphertext are changed to the random elements $R_1, \cdots, R_n$ of $G_1$. The elements $R'$ and $R$ of the ciphertext, the challenge attribute, and the message are the same as in $\Gamma_{0,2}$. The challenge ciphertext is $C = (R, B, R_1, \cdots, R_n, R')$.
For the security proof, we additionally define a sequence of games $\Gamma_{0,2,1}, \Gamma_{0,2,2}, \cdots, \Gamma_{0,2,n}$, where $\Gamma_{0,2} = \Gamma_{0,2,0}$ and $\Gamma_{0,3} = \Gamma_{0,2,n} = \Gamma_{1,3}$. In the game $\Gamma_{0,2,j}$ for $1 \le j \le n$, the first $j$ attribute elements are random numbers in $\mathbb{Z}_p^*$ and the remaining attribute elements are those of the challenge attribute. The challenge ciphertext is $C = (R, B, R_1, \cdots, R_j, C_{j+1}, \cdots, C_n, R')$.
5. Game $\Gamma_{1,3}$: This game is almost the same as $\Gamma_{0,3}$ except that the challenge attribute and the message are $\vec x_1$ and $M_1$, respectively. The challenge ciphertext is $C = (R, B, R_1, \cdots, R_n, R')$.
6. Game $\Gamma_{1,2}$: This game is almost the same as $\Gamma_{0,2}$ except that the challenge attribute and the message are $\vec x_1$ and $M_1$, respectively. The challenge ciphertext is $C = (R, B, C_1, \cdots, C_n, R')$.
7. Game $\Gamma_{1,1}$: This game is almost the same as $\Gamma_{0,1}$ except that the challenge attribute and the message are $\vec x_1$ and $M_1$, respectively. The challenge ciphertext is $C = (R, B, C_1, \cdots, C_n, D)$.
8. Game $\Gamma_{1,0}$: This game is almost the same as $\Gamma_{0,0}$ except that the challenge attribute and the message are $\vec x_1$ and $M_1$, respectively. The challenge ciphertext is $C = (A, B, C_1, \cdots, C_n, D)$.
$\Gamma_{0,0}$ and $\Gamma_{1,0}$ are the same as games $\Gamma_0$ and $\Gamma_1$ in Definition 5, respectively. Therefore,
$$\mathrm{Adv}_B^{\mathrm{IND\text{-}sAH\text{-}CPA}}(\lambda) \le \left| \Pr[A^{\Gamma_{0,0}} = 0] - \Pr[A^{\Gamma_{1,0}} = 0] \right|. \quad (21.8)$$
To prove that $\Gamma_{0,0}$ is indistinguishable from $\Gamma_{1,0}$, we prove that each step of the hybrid argument is indistinguishable from the next.
Lemma 3 Let A be an adversary playing the IND-sAH-CPA attack game. Then, there exists an algorithm B solving the DBDH problem such that
$$\left| \Pr[A^{\Gamma_{w,0}} = 0] - \Pr[A^{\Gamma_{w,1}} = 0] \right| \le \mathrm{Adv}_B^{\mathrm{DBDH}}. \quad (21.9)$$
Lemma 4 Let A be an adversary playing the IND-sAH-CPA attack game. Then, there exists an algorithm B solving the P-DBDH problem such that
$$\left| \Pr[A^{\Gamma_{w,1}} = 0] - \Pr[A^{\Gamma_{w,2}} = 0] \right| \le \mathrm{Adv}_B^{\mathrm{P\text{-}DBDH}}. \quad (21.10)$$
Lemma 5 Let A be an adversary playing the IND-sAH-CPA attack game. Then, there exists an algorithm B solving the P-DBDH problem such that
$$\left| \Pr[A^{\Gamma_{w,2,j-1}} = 0] - \Pr[A^{\Gamma_{w,2,j}} = 0] \right| \le \mathrm{Adv}_B^{\mathrm{P\text{-}DBDH}}. \quad (21.11)$$
In Lemmas 3, 4, and 5, $w \in \{0, 1\}$.
Thus, if there is no algorithm B that solves the DBDH and P-DBDH problems with an advantage better than $\epsilon$ and $\epsilon_P$, respectively, then, for every adversary A (using that the two halves of the chain meet at $\Gamma_{0,2,n} = \Gamma_{0,3} = \Gamma_{1,3} = \Gamma_{1,2,n}$),
$$\begin{aligned}
& \left| \Pr[A^{\Gamma_{0,0}} = 0] - \Pr[A^{\Gamma_{1,0}} = 0] \right| \\
&\le \left| \Pr[A^{\Gamma_{0,0}} = 0] - \Pr[A^{\Gamma_{0,1}} = 0] \right| + \left| \Pr[A^{\Gamma_{0,1}} = 0] - \Pr[A^{\Gamma_{0,2}} = 0] \right| \\
&\quad + \left| \Pr[A^{\Gamma_{0,2}} = 0] - \Pr[A^{\Gamma_{0,2,1}} = 0] \right| + \cdots + \left| \Pr[A^{\Gamma_{0,2,j-1}} = 0] - \Pr[A^{\Gamma_{0,2,j}} = 0] \right| \\
&\quad + \cdots + \left| \Pr[A^{\Gamma_{0,2,n-1}} = 0] - \Pr[A^{\Gamma_{0,2,n}} = 0] \right| \\
&\quad + \left| \Pr[A^{\Gamma_{1,2,n}} = 0] - \Pr[A^{\Gamma_{1,2,n-1}} = 0] \right| + \cdots + \left| \Pr[A^{\Gamma_{1,2,j}} = 0] - \Pr[A^{\Gamma_{1,2,j-1}} = 0] \right| \\
&\quad + \cdots + \left| \Pr[A^{\Gamma_{1,2,1}} = 0] - \Pr[A^{\Gamma_{1,2}} = 0] \right| \\
&\quad + \left| \Pr[A^{\Gamma_{1,2}} = 0] - \Pr[A^{\Gamma_{1,1}} = 0] \right| + \left| \Pr[A^{\Gamma_{1,1}} = 0] - \Pr[A^{\Gamma_{1,0}} = 0] \right| \\
&\le 2\big(\epsilon + (n+1)\epsilon_P\big).
\end{aligned}$$
Consequently, under the DBDH and P-DBDH assumptions, Game $\Gamma_{0,0}$ is indistinguishable from $\Gamma_{1,0}$.
Proof of Lemma 3 Suppose A has an advantage $\epsilon$ in distinguishing Game $\Gamma_{w,0}$ from Game $\Gamma_{w,1}$. We build an algorithm B that solves the DBDH problem in the asymmetric pairing setting. B is given as input a random 7-tuple $(g, g^a, g^c, h, h^a, h^b, T)$ that is either sampled from $P_A$ (where $T = e(g, h)^{abc}$) or from $R_A$ (where $T$ is uniform and independent in $G_T$). Algorithm B's goal is to output 1 if $T = e(g, h)^{abc}$ and 0 otherwise. Algorithm B works by interacting with A in a selective attribute game as follows.
Reduction algorithm
Initialization The selective attribute game begins with A outputting the attribute vectors $\vec x_0, \vec x_1 \in \Sigma$ that it intends to attack.
Setup
1. Pick random exponents $z', \gamma', \delta, a'_1, \cdots, a'_n \in \mathbb{Z}_p^*$.
2. Define as follows:
$\vec x = \vec x_w$, $h^{\alpha\beta} = h^{ab}$, $g_0 = g^{z'} g^{a\delta}$, $Y = e(g^a, h^b)$,
$g_1 = g^{\gamma'}$, $g_{2,1} = g^{-a\delta x_1} g^{a'_1}, \cdots, g_{2,n} = g^{-a\delta x_n} g^{a'_n}$,
$h_1 = h^{\gamma'}$, $h_{2,1} = h^{-a\delta x_1} h^{a'_1}, \cdots, h_{2,n} = h^{-a\delta x_n} h^{a'_n}$,
where $a$ and $b$ are the exponents which are unknown to B.
3. Simulate the system for the following parameters:
$\alpha = a$, $\beta = b$, $\gamma = \gamma'$, $z = z' + a\delta$, $a_1 = -a\delta x_1 + a'_1, \cdots, a_n = -a\delta x_n + a'_n$.
4. Send the public parameters
$PP = (g, g_0 = g^z, g_1 = g^\gamma, g_{2,1} = g^{a_1}, \cdots, g_{2,n} = g^{a_n}, Y)$.
5. Set the master secret key
$MSK = (h, h^{\alpha\beta}, h_1 = h^\gamma, h_{2,1} = h^{a_1}, \cdots, h_{2,n} = h^{a_n})$,
where $h^{\alpha\beta}$ is unknown to B.
Phase I Consider a query for the secret key corresponding to the predicate vector $\vec v \in \mathcal F$, which satisfies $\langle \vec x_0, \vec v\rangle \neq 0$ and $\langle \vec x_1, \vec v\rangle \neq 0$.
1. Pick random exponents $r', R \in \mathbb{Z}_p^*$.
2. Set $k_1 = \prod_{i=1}^{n} \Big( (h^{-a\delta x_i} h^{a'_i})^{v_i r'}\, h^{a'_i v_i b/(\delta I)} \Big)\, h^{\gamma' R}$, $k_2 = h^{r'} h^{b/(\delta I)}$, $k_3 = h^R$, where $I = \langle \vec x, \vec v\rangle$.
3. Send the secret key $sk_{\vec v} = (k_1, k_2, k_3, \vec v)$.
Challenge When A decides that Phase I is over, it outputs two messages $M_0, M_1 \in G_T$ on which it wishes to be challenged.
1. Select the message $M_w$ according to the game and set $M = M_w$.
2. Set the challenge ciphertext
$$C = \big(M \cdot T, g^c, (g^c)^{z'x_1 + a'_1}, \cdots, (g^c)^{z'x_n + a'_n}, (g^c)^{\gamma'}\big),$$
where $c$ is an exponent which is unknown to B.
3. Send the challenge ciphertext $C = (A, B, C_1, \cdots, C_n, D)$.
Phase II A continues to adaptively make a polynomial number of queries not issued in Phase I. B responds as before.
Guess
1. Finally, A outputs a guess $w' \in \{0, 1\}$.
2. If $w = w'$, it outputs 1 (indicating that $T = e(g, h)^{abc}$); otherwise, it outputs 0 (indicating that $T \neq e(g, h)^{abc}$).
Simulation of secret key generation in Lemma 3
The original secret key is set as follows.
$$k_1 = h^{\alpha\beta} \prod_{i=1}^{n} (h_{2,i})^{v_i r}\, h_1^{R}, \quad k_2 = h^r, \quad k_3 = h^R.$$
In the above reduction algorithm, the secret key is set as follows.
$$k_1 = \prod_{i=1}^{n} \Big( (h^{-a\delta x_i} h^{a'_i})^{v_i r'}\, h^{a'_i v_i b/(\delta I)} \Big)\, h^{\gamma' R}, \quad k_2 = h^{r'} h^{b/(\delta I)}, \quad k_3 = h^R.$$
The secret key must be generated in the cases of $\langle \vec x_0, \vec v\rangle \neq 0$ and $\langle \vec x_1, \vec v\rangle \neq 0$.
If $\langle \vec x_0, \vec v\rangle \neq 0$, $\langle \vec x_1, \vec v\rangle \neq 0$ and $r = r' + b/(\delta I) \in \mathbb{Z}_p^*$, then $k_1$ and $k_2$ are valid and computed as follows.
$$\begin{aligned}
k_1 &= \prod_{i=1}^{n} \Big( (h^{-a\delta x_i} h^{a'_i})^{v_i r'}\, h^{a'_i v_i b/(\delta I)} \Big)\, h^{\gamma' R} = \prod_{i=1}^{n} \Big( h^{-a\delta x_i v_i r'}\, h^{a'_i v_i r'}\, h^{a'_i v_i b/(\delta I)} \Big)\, h^{\gamma' R} \\
&= \prod_{i=1}^{n} \Big( h^{-a\delta x_i v_i r'}\, h^{ab\delta x_i v_i/(\delta I)}\, h^{-ab\delta x_i v_i/(\delta I)}\, h^{a'_i v_i r'}\, h^{a'_i v_i b/(\delta I)} \Big)\, h^{\gamma' R} \\
&= h^{ab\delta I/(\delta I)} \prod_{i=1}^{n} \Big( h^{-a\delta x_i v_i r'}\, h^{-ab\delta x_i v_i/(\delta I)}\, h^{a'_i v_i r'}\, h^{a'_i v_i b/(\delta I)} \Big)\, h^{\gamma' R} \\
&= h^{ab} \prod_{i=1}^{n} \Big( (h^{-a\delta x_i})^{v_i r'} (h^{-a\delta x_i})^{v_i b/(\delta I)} (h^{a'_i})^{v_i r'} (h^{a'_i})^{v_i b/(\delta I)} \Big)\, h^{\gamma' R} \\
&= h^{ab} \prod_{i=1}^{n} \Big( (h^{-a\delta x_i})^{v_i (r' + b/(\delta I))} (h^{a'_i})^{v_i (r' + b/(\delta I))} \Big)\, h^{\gamma' R} \\
&= h^{ab} \prod_{i=1}^{n} (h^{-a\delta x_i} h^{a'_i})^{v_i (r' + b/(\delta I))}\, h^{\gamma' R} = h^{\alpha\beta} \prod_{i=1}^{n} (h_{2,i})^{v_i r}\, h_1^{R}, \\
k_2 &= h^{r'} h^{b/(\delta I)} = h^r.
\end{aligned}$$
If $\langle \vec x_0, \vec v\rangle = \langle \vec x_1, \vec v\rangle = 0$, then $k_1$ and $k_2$ cannot be computed, because $1/I = 1/0$ cannot be computed. So B cannot generate a secret key that would decrypt the challenge ciphertext.
Simulation of challenge ciphertext generation in Lemma 3
The original ciphertext is set as follows.
$$A = M \cdot Y^s, \quad B = g^s, \quad C_1 = g_0^{x_1 s}(g_{2,1})^s, \cdots, C_n = g_0^{x_n s}(g_{2,n})^s, \quad D = g_1^s.$$
In the above reduction algorithm, the challenge ciphertext is set as follows.
$$A = M \cdot T, \quad B = g^c, \quad C_1 = (g^c)^{z'x_1 + a'_1}, \cdots, C_n = (g^c)^{z'x_n + a'_n}, \quad D = (g^c)^{\gamma'}, \quad \text{where } c = s.$$
If $T = e(g, h)^{abc}$, then $A$ is valid, because $T = e(g, h)^{abc} = (e(g, h)^{ab})^c = (Y)^s$, and B can set $A$ by using the instance of the problem, $T$. On the other hand, if $T$ is random, then naturally $A$ is invalid.
Since $c = s$, $B$ is valid ($B = g^c = g^s$), and B can set $B = g^s$ by using the instance of the problem, $g^c$. Likewise, $D = (g^c)^{\gamma'} = g^{\gamma s} = g_1^s$ is valid.
Since
$$(g^c)^{z'x_i + a'_i} = (g^c)^{z'x_i + a\delta x_i - a\delta x_i + a'_i} = (g^c)^{z'x_i + a\delta x_i}(g^c)^{-a\delta x_i + a'_i} = g_0^{x_i s}(g_{2,i})^s$$
for $1 \le i \le n$, $C_i$ is also valid, and B can set $C_i = g_0^{x_i s}(g_{2,i})^s$ by using the instance of the problem, $g^c$.
If B tries to generate the challenge ciphertext of another attribute vector $\vec y$, it cannot, because to do so B would have to know $g^{ac}$:
$$C_i = (g^c)^{z'y_i}(g^{ac})^{\delta(y_i - x_i)}(g^c)^{a'_i} = g_0^{y_i s}(g_{2,i})^s \quad \text{for } 1 \le i \le n.$$
But B does not know $g^{ac}$. So the challenge ciphertext of any other attribute vector $\vec y$ cannot be generated.
In conclusion, we can say that
1. When $T = e(g, h)^{abc} = e(g, h^{ab})^c$, i.e., when B's 7-tuple input is sampled from $P_A$, then $C$ is a valid encryption of $M$ under the attribute $\vec x$ initially chosen by the adversary: thus, A is playing Game $\Gamma_{w,0}$.
2. When $T$ is uniform and independent in $G_T$, i.e., when B's 7-tuple input is sampled from $R_A$, then $C = (R, B, C_1, \cdots, C_n, D)$ for a random $R$: thus, A is playing Game $\Gamma_{w,1}$.
So, if A has an advantage $\epsilon$ in distinguishing Game $\Gamma_{w,0}$ from Game $\Gamma_{w,1}$, then B has the same advantage $\epsilon$ against DBDH. $\square$
At this point, we have achieved confidentiality by using the DBDH assumption. By slightly modifying the proofs of Lemmas 1 and 2, the remaining proofs of Lemmas 4 and 5 for attribute-hiding can be obtained.
21.5 Functional Encryption
In this section, we present a pairing-based public key FE scheme for inner-product evaluation under the XDH assumption. This scheme is based on the predicate-only encryption scheme [62]. So, by finding the gap between the FE scheme and [62] in both the construction and the proof, we can understand how to build FE from [62].
Construction 3. Functional encryption
Setup($\lambda$) Given a security parameter $\lambda \in \mathbb{Z}^+$
1. Run $\mathcal G$ on input $\lambda$ to generate a prime $q$ ($|q| = \lambda$), three groups $G_1$, $G_2$ and $G_T$ of order $q$, and $\hat e: G_1 \times G_2 \to G_T$. Choose two random generators $g \in G_1$ and $h \in G_2$.
2. Select random $(a_1, \cdots, a_n) \in (\mathbb{Z}_p^*)^n$.
3. Compute as follows.
(a) $g_1 = g^{a_1}, \cdots, g_n = g^{a_n} \in G_1$,
(b) $h_1 = h^{a_1}, \cdots, h_n = h^{a_n} \in G_2$,
(c) $Y = e(g, h) \in G_T$.
4. The public parameters are $PP = (g, g_1, \cdots, g_n) \in G_1^{n+1}$.
5. The master secret key is $MSK = (h, h_1, \cdots, h_n, Y) \in G_2^{n+1} \times G_T$.
Note that $n$ is the dimension of the key (function)/message vectors.
Gen($PP, MSK, \vec y$) For the key vector $\vec y \in \mathcal Y \setminus \{\vec 0\}$
1. Pick a random $R \in \mathbb{Z}_p^*$.
2. Compute as follows.
(a) $k_1 = \prod_{i=1}^{n} (h_i)^{y_i R}$,
(b) $k_2 = h^R$,
(c) $k_3 = e(g, h)^R$.
3. The secret key is $SK_{\vec y} = (k_1, k_2, k_3, \vec y) \in G_2^2 \times G_T \times (\mathbb{Z}_p^*)^n$.
Encrypt($PP, \vec x$) To encrypt the message vector $\vec x \in \mathcal X$
1. Pick a random $s \in \mathbb{Z}_p^*$.
2. Compute as follows.
(a) $c_1 = g^s$,
(b) $c_{2,i} = g^{x_i}(g_i)^s$ for $1 \le i \le n$.
3. The ciphertext is $C = (c_1, c_{2,1}, \cdots, c_{2,n}) \in G_1^{n+1}$.
Decrypt($SK_{\vec y}, C$) To decrypt a given ciphertext $C = (c_1, c_{2,1}, \cdots, c_{2,n}) \in G_1^{n+1}$ using the secret key $SK_{\vec y} = (k_1, k_2, k_3, \vec y) \in G_2^2 \times G_T \times (\mathbb{Z}_p^*)^n$, compute as follows.
1. $D = e(c_1, k_1)^{-1}\, e\big(\prod_{i=1}^{n} (c_{2,i})^{y_i}, k_2\big) \in G_T$,
2. $\langle \vec x, \vec y\rangle = \log_{k_3} D$.
Correctness To see that correctness holds, let $C$ and $SK_{\vec y}$ be as above. Then
$$\begin{aligned}
D &= e(c_1, k_1)^{-1} \cdot e\Big(\prod_{i=1}^{n} (c_{2,i})^{y_i}, k_2\Big) \\
&= e\Big(g^s, \prod_{i=1}^{n} (h_i)^{y_i R}\Big)^{-1} \cdot e\Big(\prod_{i=1}^{n} \big(g^{x_i}(g_i)^s\big)^{y_i}, h^R\Big) \\
&= e\Big(g^s, \prod_{i=1}^{n} (h^{a_i})^{y_i R}\Big)^{-1} \cdot e\Big(\prod_{i=1}^{n} \big(g^{x_i}(g^{a_i})^s\big)^{y_i}, h^R\Big) \\
&= e\Big(g^s, \prod_{i=1}^{n} (h^{a_i})^{y_i R}\Big)^{-1} \cdot e\Big(\prod_{i=1}^{n} g^{x_i y_i}, h^R\Big) \cdot e\Big(\prod_{i=1}^{n} g^{a_i s y_i}, h^R\Big) \\
&= e(g, h)^{-Rs\sum_{i=1}^{n} a_i y_i} \cdot e(g, h)^{R\sum_{i=1}^{n} x_i y_i} \cdot e(g, h)^{Rs\sum_{i=1}^{n} a_i y_i} \\
&= e(g, h)^{R\langle \vec x, \vec y\rangle} = k_3^{\langle \vec x, \vec y\rangle}.
\end{aligned}$$
If $\langle \vec x, \vec y\rangle$ has a small magnitude, then we can get the actual value of the inner product by a discrete logarithm computation in $G_T$ to the base $k_3$. To ensure correctness of this construction, it is assumed that the target inner products lie within a range of polynomial size.
21.5.1 Proof of Functional Encryption Security
To prove the security of this pairing-based public key FE scheme, we organize hybrid games that change the encryption of $\vec x_0$ into the encryption of $\vec x_1$. The following theorem states the security of this scheme under the XDH assumption.
Theorem 3 This scheme is selectively secure against chosen-plaintext attacks in the standard model under the XDH assumption. For all PPT algorithms B, the function $\mathrm{Adv}_B^{\mathrm{IND\text{-}sCPA}}(\lambda)$ is a negligible function of $\lambda$.
Proof The proof proceeds by a hybrid argument across a number of games. Let $C = (A, B_1, \cdots, B_n) \in G_1^{n+1}$ denote the challenge ciphertext given to the adversary during the two real attacks ($\Gamma_0$ and $\Gamma_1$). Additionally, let $R_1, \cdots, R_n$ be random elements of $G_1$. We define the following hybrid experiments, which differ in how the challenge ciphertext is generated.
1. Game $\Gamma_{0,0}$: This game is the original security game, where the challenge message is $\vec x_0$ and the challenge ciphertext is $C = (A, B_1, \cdots, B_n)$.
2. Game $\Gamma_{0,1}$: In this game, the elements $B_1, \cdots, B_n$ of the ciphertext are changed to the random elements $R_1, \cdots, R_n$ of $G_1$, because the challenge ciphertext is generated for $\vec x_0 + r(\vec x_1 - \vec x_0)$, where $r \in \mathbb{Z}_p^*$ is a hidden random value, and $C = (A, R_1, \cdots, R_n)$.
3. Game $\Gamma_{1,1}$: This game is almost the same as $\Gamma_{0,1}$ except that the challenge ciphertext is generated for $\vec x_1 + r'(\vec x_1 - \vec x_0)$, where $r' \in \mathbb{Z}_p^*$ is a hidden random value, and $C = (A, R_1, \cdots, R_n)$.
4. Game $\Gamma_{1,0}$: This game is almost the same as $\Gamma_{0,0}$ except that the challenge message is $\vec x_1$. The challenge ciphertext is $C = (A, B_1, \cdots, B_n)$.
$\Gamma_{0,0}$ and $\Gamma_{1,0}$ are the same as games $\Gamma_0$ and $\Gamma_1$ in Definition 4, respectively. Therefore,
$$\mathrm{Adv}_B^{\mathrm{IND\text{-}sCPA}}(\lambda) = \left| \Pr[A^{\Gamma_{0,0}} = 0] - \Pr[A^{\Gamma_{1,0}} = 0] \right|. \quad (21.12)$$
To prove that $\Gamma_{0,0}$ is indistinguishable from $\Gamma_{1,0}$, we prove that each step of the hybrid argument is indistinguishable from the next.
Lemma 6 Let A be an adversary playing the IND-sCPA attack game. Then, there exists an algorithm B solving the XDH problem such that
$$\left| \Pr[A^{\Gamma_{w,0}} = 0] - \Pr[A^{\Gamma_{w,1}} = 0] \right| \le \mathrm{Adv}_B^{\mathrm{XDH}}, \quad (21.13)$$
where $w \in \{0, 1\}$.
In the following, we prove Lemma 6 under the XDH assumption.
Proof of Lemma 6 Suppose A has an advantage $\epsilon$ in distinguishing Game $\Gamma_{w,1}$ from Game $\Gamma_{w,0}$. We build an algorithm B that solves the XDH problem in the asymmetric pairing setting. B is given as input a random 5-tuple $(g, g^a, g^b, h, T)$ that is sampled either from $D_N$ (where $T = g^{ab}$) or from $D_R$ (where $T$ is uniform and independent in $G_1$). Algorithm B's goal is to output 1 if $T = g^{ab}$ and 0 otherwise. Algorithm B works by interacting with A in a selective message game as follows.
Reduction algorithm
Initialization The selective game begins with A outputting the message vectors $\vec x_0, \vec x_1 \in \mathcal X$ that it intends to attack.
Setup
1. Pick random exponents $a'_1, \cdots, a'_n \in \mathbb{Z}_p^*$.
2. Define as follows: $\vec x = \vec x_w$,
$g_1 = g^{ax_{1,1}} g^{-ax_{0,1}} g^{a'_1}, \cdots, g_n = g^{ax_{1,n}} g^{-ax_{0,n}} g^{a'_n}$,
$h_1 = h^{ax_{1,1}} h^{-ax_{0,1}} h^{a'_1}, \cdots, h_n = h^{ax_{1,n}} h^{-ax_{0,n}} h^{a'_n}$,
where $a$ is the exponent which is unknown to B.
3. Simulate the system for the following parameters:
$a_1 = ax_{1,1} - ax_{0,1} + a'_1, \cdots, a_n = ax_{1,n} - ax_{0,n} + a'_n$.
4. Send the public parameters $PP = (g, g_1 = g^{a_1}, \cdots, g_n = g^{a_n})$.
5. Set the master secret key $MSK = (h, h_1 = h^{a_1}, \cdots, h_n = h^{a_n})$, where $\{h_i\}_{i=1}^{n}$ are unknown to B.
Phase I Consider a query for the secret key corresponding to the key vector $\vec y \in \mathcal Y \setminus \{\vec 0\}$, which satisfies $\langle \vec x_0, \vec y\rangle = \langle \vec x_1, \vec y\rangle$.
1. Pick a random exponent $R \in \mathbb{Z}_p^*$.
2. Set $k_1 = \prod_{i=1}^{n} h^{a'_i y_i R}$, $k_2 = h^R$, $k_3 = e(g, h)^R$.
3. Send the secret key $SK_{\vec y} = (k_1, k_2, k_3, \vec y)$.
Challenge A decides that Phase I is over.
1. Set the challenge ciphertext
$$c_1 = g^b, \quad \{c_{2,i} = g^{x_i}\, T^{x_{1,i} - x_{0,i}}\, g^{a'_i b}\}_{i=1}^{n},$$
where $b$ is an exponent which is unknown to B.
2. Send the challenge ciphertext $C = (A, B_1, \cdots, B_n)$.
Phase II A continues to adaptively make a polynomial number of queries not issued in Phase I. B responds as before.
Guess
1. Finally, A outputs a guess $w' \in \{0, 1\}$.
2. If $w = w'$, it outputs 1 (indicating that $T = g^{ab}$); otherwise, it outputs 0 (indicating that $T \neq g^{ab}$).
Simulation of secret key generation in Lemma 6
The original secret key is set as follows.
$$k_1 = \prod_{i=1}^{n} (h_i)^{y_i R}, \quad k_2 = h^R, \quad k_3 = e(g, h)^R.$$
In the above reduction algorithm, the secret key is set as follows.
$$k_1 = \prod_{i=1}^{n} h^{a'_i y_i R}, \quad k_2 = h^R, \quad k_3 = e(g, h)^R.$$
The secret key must be generated in the case $\langle \vec x_0, \vec y\rangle = \langle \vec x_1, \vec y\rangle$.
If $\langle \vec x_1, \vec y\rangle - \langle \vec x_0, \vec y\rangle = 0$, $k_1$ is valid and computed as follows.
$$\begin{aligned}
k_1 &= \prod_{i=1}^{n} h^{a'_i y_i R} = h^{a(\langle \vec x_1, \vec y\rangle - \langle \vec x_0, \vec y\rangle)R} \prod_{i=1}^{n} h^{a'_i y_i R} \\
&= h^{a\sum_{i=1}^{n} (x_{1,i} y_i - x_{0,i} y_i)R} \prod_{i=1}^{n} h^{a'_i y_i R} = \prod_{i=1}^{n} h^{a(x_{1,i} y_i - x_{0,i} y_i)R} \prod_{i=1}^{n} h^{a'_i y_i R} \\
&= \prod_{i=1}^{n} h^{ax_{1,i} y_i R} \prod_{i=1}^{n} h^{-ax_{0,i} y_i R} \prod_{i=1}^{n} h^{a'_i y_i R} = \prod_{i=1}^{n} (h^{ax_{1,i}} h^{-ax_{0,i}} h^{a'_i})^{y_i R} \\
&= \prod_{i=1}^{n} (h^{a_i})^{y_i R} = \prod_{i=1}^{n} (h_i)^{y_i R}.
\end{aligned}$$
If $\langle \vec x_0, \vec y\rangle \neq \langle \vec x_1, \vec y\rangle$, $k_1$ cannot be computed, because B does not know $h^a$. So B cannot generate the secret keys that would be needed to distinguish the two games.
Simulation of challenge ciphertext generation in Lemma 6
The original ciphertext is set as follows.
$$A = g^s, \quad B_1 = g^{x_1}(g_1)^s, \cdots, B_n = g^{x_n}(g_n)^s.$$
In the above reduction algorithm, the challenge ciphertext is set as
$$A = g^b, \quad B_1 = g^{x_1}\, T^{x_{1,1} - x_{0,1}}\, g^{a'_1 b}, \cdots, B_n = g^{x_n}\, T^{x_{1,n} - x_{0,n}}\, g^{a'_n b}, \quad \text{where } b = s.$$
If $T = g^{ab}$, then $B_1, \cdots, B_n$ are valid, because for $1 \le i \le n$,
$$T^{x_{1,i} - x_{0,i}}\, g^{a'_i b} = (g^{ab})^{x_{1,i} - x_{0,i}}\, g^{a'_i b} = \big(g^{a(x_{1,i} - x_{0,i})}\big)^b g^{a'_i b} = \big(g^{ax_{1,i} - ax_{0,i} + a'_i}\big)^b = (g_i)^b,$$
and B can set $B_1, \cdots, B_n$ by using the instance of the problem, $T$. On the other hand, if $T$ is random, then naturally $B_1, \cdots, B_n$ are invalid.
Since $b = s$, $A$ is valid ($A = g^b = g^s$), and B can set $A = g^s$ by using the instance of the problem, $g^b$.
Unlike the proof for the predicate encryption scheme, B does not try to generate the challenge ciphertext of other message vectors, because changing the challenge message vector does not give any advantage to B in this game.
In conclusion, we can say that
1. When $T = g^{ab}$, i.e., when B's 5-tuple input is sampled from $D_N$, $C = (c_1, c_{2,1}, \cdots, c_{2,n})$: thus, A is playing Game $\Gamma_{w,0}$.
2. When $T$ is uniform and independent in $G_1$, i.e., when B's 5-tuple input is sampled from $D_R$, $C = (c_1, r_{2,1}, \cdots, r_{2,n})$ for random $r_{2,1}, \cdots, r_{2,n}$: thus, A is playing Game $\Gamma_{w,1}$.
So, if A has an advantage $\epsilon$ in distinguishing Game $\Gamma_{w,1}$ from Game $\Gamma_{w,0}$, then B has the same advantage $\epsilon$ against XDH.
Lemma 7 Adversary A cannot distinguish $\Gamma_{1,1}$ from $\Gamma_{0,1}$, that is,
$$\left| \Pr[A^{\Gamma_{0,1}} = 0] - \Pr[A^{\Gamma_{1,1}} = 0] \right| = 0. \quad (21.14)$$
In the following, we prove Lemma 7.
Proof of Lemma 7
To prove Lemma 7, we show that the challenge ciphertext $C$ that is the encryption of $\vec x_0 + r(\vec x_1 - \vec x_0)$ can be restated as the encryption of $\vec x_1 + r'(\vec x_1 - \vec x_0)$, where $r$ and $r'$ are hidden from the adversary. By simply setting $r = r' + 1$, we obtain
$$\vec x_0 + r(\vec x_1 - \vec x_0) = \vec x_0 + (r' + 1)(\vec x_1 - \vec x_0) = \vec x_1 + r'(\vec x_1 - \vec x_0). \quad (21.15)$$
Note that the secret key $SK_{\vec y}$ cannot be used to distinguish the change, since $\langle \vec x_0, \vec y\rangle = \langle \vec x_1, \vec y\rangle$ by the restriction of the security model, and hence $\langle \vec x_0 + r(\vec x_1 - \vec x_0), \vec y\rangle = \langle \vec x_0, \vec y\rangle$ for every $r$.
This completes the proof of Lemma 7.
Thus, if there is no algorithm B that solves the XDH problem with an advantage better than $\epsilon$, then, for every adversary A,
$$\begin{aligned}
\left| \Pr[A^{\Gamma_{0,0}} = 0] - \Pr[A^{\Gamma_{1,0}} = 0] \right|
&\le \left| \Pr[A^{\Gamma_{0,0}} = 0] - \Pr[A^{\Gamma_{0,1}} = 0] \right| + \left| \Pr[A^{\Gamma_{0,1}} = 0] - \Pr[A^{\Gamma_{1,1}} = 0] \right| \\
&\quad + \left| \Pr[A^{\Gamma_{1,1}} = 0] - \Pr[A^{\Gamma_{1,0}} = 0] \right| \le 2\epsilon.
\end{aligned}$$
Consequently, under the XDH assumption, Game $\Gamma_{0,0}$ is indistinguishable from $\Gamma_{1,0}$. $\square$
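A toy run of Construction 2 and Construction 3, added here as an example that is not part of the book, exercising Setup/Gen/Encrypt/Decrypt of both schemes, the small-range discrete logarithm in the Decrypt of Construction 3, and the observation behind Lemma 7 that a key with $\langle \vec x_0, \vec y\rangle = \langle \vec x_1, \vec y\rangle$ decrypts an encryption of $\vec x_0 + r(\vec x_1 - \vec x_0)$ to the same value for every $r$. It assumes a symbolic bilinear group ($G_1$ and $G_2$ written in exponent form, pairing into the order-509 subgroup of $\mathbb{Z}_{1019}^*$), which keeps the algebra faithful but provides no security whatsoever; the constants, helper names (pe_*, fe_*, dlog_small, demo) and sample vectors are all constructed for the example.

```python
"""Toy run of Construction 2 (predicate encryption) and Construction 3 (inner-product
functional encryption) over a symbolic bilinear group.  Elements of G1 and G2 are
written as exponents (the integer a stands for g^a or h^a, so g = h = 1 and the group
law is addition mod Q); the pairing is e(a, b) = GT^(a*b) in the order-Q subgroup of
Z_P^*.  The bilinear algebra is faithful, but discrete logs in G1/G2 are trivial, so
this has no security at all: it only checks the schemes' correctness equations."""
import random

Q = 509        # constructed toy parameter: prime group order
P = 2 * Q + 1  # 1019, also prime, so Z_P^* has a subgroup of order Q
GT = 4         # 2^2 mod P: a quadratic residue != 1, hence a generator of that subgroup

def e(a, b):
    """Bilinear map e(g^a, h^b) = e(g, h)^(ab), with e(g, h) = GT."""
    return pow(GT, (a * b) % Q, P)

def dlog_small(base, target, bound):
    """log_base(target) assuming the answer lies in [-bound, bound], the
    polynomial-size range the text's correctness argument requires."""
    cur = pow(base, (-bound) % Q, P)  # base^(-bound)
    for v in range(-bound, bound + 1):
        if cur == target:
            return v
        cur = cur * base % P
    return None

# ---- Construction 2: predicate encryption (attributes x, predicate v) ----
def pe_setup(n, rng):
    alpha, beta, gamma, z = (rng.randrange(1, Q) for _ in range(4))
    a = [rng.randrange(1, Q) for _ in range(n)]
    pp = dict(g0=z, g1=gamma, g2=a, Y=e(1, alpha * beta))  # Y = e(g, h^{alpha beta})
    return pp, dict(h_ab=alpha * beta % Q, h1=gamma, h2=a)

def pe_keygen(msk, v, rng):
    r, R = rng.randrange(1, Q), rng.randrange(1, Q)
    # k1 = h^{alpha beta} * prod_i (h_{2,i})^{v_i r} * h_1^R  (exponents add)
    k1 = (msk["h_ab"] + r * sum(a * vi for a, vi in zip(msk["h2"], v)) + msk["h1"] * R) % Q
    return (k1, r, R, list(v))  # k2 = h^r, k3 = h^R

def pe_encrypt(pp, M, x, rng):
    s = rng.randrange(1, Q)
    c0 = M * pow(pp["Y"], s, P) % P                                   # M * Y^s
    c2 = [(pp["g0"] * xi + a) * s % Q for xi, a in zip(x, pp["g2"])]  # g0^{x_i s} g_{2,i}^s
    return (c0, s, c2, pp["g1"] * s % Q)                              # c1 = g^s, c3 = g1^s

def pe_decrypt(sk, ct):
    k1, k2, k3, v = sk
    c0, c1, c2, c3 = ct
    num = e(sum(c * vi for c, vi in zip(c2, v)), k2) * e(c3, k3) % P
    return c0 * num * pow(e(c1, k1), -1, P) % P  # = M * e(g,h)^{z s r <x,v>}

# ---- Construction 3: inner-product functional encryption (message x, key y) ----
def fe_setup(n, rng):
    a = [rng.randrange(1, Q) for _ in range(n)]
    return dict(gi=a), dict(hi=a)  # PP = (g, g_i), MSK = (h, h_i, Y)

def fe_keygen(msk, y, rng):
    R = rng.randrange(1, Q)
    k1 = R * sum(a * yi for a, yi in zip(msk["hi"], y)) % Q  # prod_i (h_i)^{y_i R}
    return (k1, R, e(1, R), list(y))                          # k2 = h^R, k3 = e(g,h)^R

def fe_encrypt(pp, x, rng):
    s = rng.randrange(1, Q)
    return (s, [(xi + a * s) % Q for xi, a in zip(x, pp["gi"])])  # c1 = g^s, c2,i = g^{x_i} g_i^s

def fe_decrypt(sk, ct, bound):
    k1, k2, k3, y = sk
    c1, c2 = ct
    D = pow(e(c1, k1), -1, P) * e(sum(c * yi for c, yi in zip(c2, y)), k2) % P
    return dlog_small(k3, D, bound)  # <x, y> = log_{k3} D

def demo(seed=7):
    """Run both schemes on constructed inputs and return what decryption recovers."""
    rng = random.Random(seed)
    # Predicate encryption: M comes back iff <x, v> = 0 (mod Q).
    pp, msk = pe_setup(3, rng)
    M = pow(GT, 123, P)                                   # a message in G_T
    sk = pe_keygen(msk, [1, -2, 1], rng)                  # predicate vector v
    hit = pe_decrypt(sk, pe_encrypt(pp, M, [3, 4, 5], rng))   # <x, v> = 3 - 8 + 5 = 0
    miss = pe_decrypt(sk, pe_encrypt(pp, M, [3, 4, 6], rng))  # <x, v> = 1
    # Functional encryption: the key for y reveals exactly <x, y> and nothing else.
    fpp, fmsk = fe_setup(3, rng)
    fsk = fe_keygen(fmsk, [1, 2, 3], rng)
    ip = fe_decrypt(fsk, fe_encrypt(fpp, [4, -1, 2], rng), bound=100)  # 4 - 2 + 6 = 8
    # Observation behind Lemma 7: a key with <x0, y> = <x1, y> decrypts an encryption
    # of x0 + r(x1 - x0) to the same value for every r, so it cannot tell x0 from x1.
    x0, x1, r = [4, -1, 2], [2, 0, 2], rng.randrange(1, Q)
    blend = [(u + r * (w - u)) % Q for u, w in zip(x0, x1)]
    ip_blend = fe_decrypt(fsk, fe_encrypt(fpp, blend, rng), bound=100)
    return dict(pe_hit=hit == M, pe_miss=miss == M, fe_ip=ip, fe_blend_ip=ip_blend)

if __name__ == "__main__":
    print(demo())
```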
21.5.2 Applications of Functional Encryption
FE has many new applications compared with previous PKE schemes (e.g., IBE, ABE, PE). This is because the purpose of previous PKE schemes is to output the message contained in a ciphertext according to an access policy, whereas FE schemes output function results and can therefore serve additional purposes. For details on applications of FE, readers are referred to [63].
21.5.2.1 Distance Measurement
In an online random chatting environment where each element of a vector reflects a personal preference, one can find out who has similar preferences by computing inner products, without seeing the personal information of others directly. After determining whether a specific user has similar preferences, one can start chatting with him or her accordingly.
21.5.2.2 Exact Threshold
Recently, biometric-based authentication has been gaining popularity since it is more convenient than traditional password-based authentication. In contrast to password-based authentication, biometric-based authentication involves a certain amount of noise when measuring biometric information. A viable method to address this problem is to check whether the user's secret key matches the measured biometric information within an approximate value by computing inner products.
21.5.2.3 Weighted Average
A weighted average computed from inner products can be used to gather information without exposing personal information. Suppose a recruitment system where a job seeker's own data is $\vec x = \{x_1, \cdots, x_n\}$ and a job provider sets up a function using an assessment indicator $\vec y = \{y_1, \cdots, y_n\}$. Here, the elements of $\vec x$ might include licenses and practical experience, while the elements of $\vec y$ are the weights assigned to licenses and practical experience. A job seeker uploads the ciphertext $C(\vec x)$ and a job provider receives the corresponding secret key $SK_{\vec y}$. In this case, the job provider can obtain results from different job seekers by decrypting their $C(\vec x)$s with the corresponding $SK_{\vec y}$s. Note that job seekers do not need to worry about their personal information being revealed during this recruitment process, because job providers can only access the evaluated results, not the job seekers' plain data.
Part III
Post-Quantum
Cryptography
22
Introduction to Lattice
CONTENTS
22.1 Preliminaries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 413
22.2 Lattice Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 414
22.3 NTRU Cryptosystem . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 415
Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 417
The first part of the chapter is dedicated to the introduction of lattices and dual lattices. The determinant is then explained together with the Gram-Schmidt orthogonalization process, as it is an important numerical invariant attached to the lattice. The next section describes representative lattice problems. The final part of the chapter describes the NTRU cryptosystem, which is closely related to lattice problems for a certain class of lattices.
22.1 Preliminaries
This chapter is written with the intention of providing the theoretical foundation for lattice-based cryptography. For further details on lattices, readers are referred to [68].
Definition 1 (Lattice) Any Euclidean vector space E is a metric space with distance function $d : E \times E \to \mathbb{R}$ defined by $d(x, y) = \|x - y\|$. A subset L of a vector space E is a lattice if and only if there are linearly independent vectors $b_1, \cdots, b_n \in E$ such that
$$L = \sum_{i=1}^{n} \mathbb{Z} b_i = \Big\{ \sum_{i=1}^{n} c_i b_i : c_i \in \mathbb{Z},\ 1 \le i \le n \Big\}. \quad (22.1)$$
Definition 2 (Rank and Lattice Basis) The integer n is called the rank of the lattice, and the sequence of vectors $b_1, \cdots, b_n$ is called a lattice basis. The dimension of E determines the dimension of the lattice.
An n-dimensional lattice L is an additive subgroup of E such that L is discrete, which means there is a real number > 0 such that any two distinct points $x \ne y \in L$ are at distance at least $\|x - y\| \ge$ . Equivalently, an n-dimensional lattice L is a discrete additive subgroup of $\mathbb{R}^n$. The value of depends on the difference between successive points in the vector space E. For example, $\mathbb{Q}^n$ is a subgroup of $\mathbb{R}^n$ but not a lattice, because it is not discrete. $\mathbb{Z}^n$ is a lattice because it is an additive subgroup of $\mathbb{R}^n$ and the distance between any two points in $\mathbb{Z}^n$ is at least 1.
Example A simple example of an n-dimensional lattice is the set $\mathbb{Z}^n$ of all vectors with integer coordinates. When the number of basis vectors equals the number of coordinates, we say that the lattice is full rank or full dimensional. A lattice L is full rank if and only if the basis vectors of L span the entire space E.
Definition 3 (Dual Lattice) Suppose that L is a lattice of full rank in a vector space E. The dual lattice of L, denoted $L^\dagger$, is the lattice of vectors having integral inner products with all vectors in L: $L^\dagger = \{x \in E : \langle x, y\rangle \in \mathbb{Z} \text{ for all } y \in L\}$. $L^\dagger$ is also a lattice of full rank in E.
Definition 4 (Determinant of a Lattice) The determinant of a lattice L,
denoted d(L) or det(L), is the signed volume of the fundamental parallelepiped
spanned by the basis vectors. The determinant is independent of the choice of
the basis.
A way to compute the determinant is given by the Gram-Schmidt orthogonalization process. For any basis $b_1, \cdots, b_n$ of L, the process computes the orthogonalized vectors $b_1^*, \cdots, b_n^*$ iteratively by
$$b_i^* = b_i - \sum_{j < i} \mu_{ij}\, b_j^*, \quad (22.2)$$
where $\mu_{ij} = \langle b_i, b_j^*\rangle / \langle b_j^*, b_j^*\rangle$ and $b_1^* = b_1$. That is, $b_i^*$ is the component of $b_i$ orthogonal to $b_1, \cdots, b_{i-1}$. The determinant of the lattice equals the product of the lengths of the orthogonalized vectors:
$$\det(L) = \prod_{i=1}^{n} \|b_i^*\|. \quad (22.3)$$
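As an added example (not the book's code), the following Python computes (22.2) and (22.3) exactly with rational arithmetic, so that $\det(L)^2 = \prod_i \|b_i^*\|^2$ comes out as an exact fraction rather than a float; for a full-rank integer basis it also checks the result against $|\det B|$ of the basis matrix, and it handles a non-square (lower-rank) basis, where no matrix determinant exists. The bases used are constructed for illustration.

```python
from fractions import Fraction


def dot(u, v):
    """Exact inner product <u, v> over the rationals."""
    return sum(Fraction(a) * Fraction(b) for a, b in zip(u, v))


def gram_schmidt(basis):
    """Gram-Schmidt orthogonalisation, equation (22.2):
    b_i* = b_i - sum_{j<i} mu_ij b_j*,  mu_ij = <b_i, b_j*> / <b_j*, b_j*>.
    Returns (orthogonalised vectors, mu coefficients), all as Fractions."""
    stars, mu = [], []
    for i, b in enumerate(basis):
        b_star = [Fraction(x) for x in b]
        row = []
        for j in range(i):
            m = dot(b, stars[j]) / dot(stars[j], stars[j])
            row.append(m)
            b_star = [x - m * y for x, y in zip(b_star, stars[j])]
        stars.append(b_star)
        mu.append(row)
    return stars, mu


def lattice_det_squared(basis):
    """det(L)^2 = prod_i ||b_i*||^2, i.e. equation (22.3) squared, as an exact Fraction.
    Works for any rank: the basis need not be square (e.g. a rank-1 lattice in Z^2)."""
    stars, _ = gram_schmidt(basis)
    result = Fraction(1)
    for s in stars:
        result *= dot(s, s)
    return result


def square_det(rows):
    """Determinant of a square matrix by Gaussian elimination over the rationals,
    used to confirm |det(B)| = det(L) for a full-rank basis matrix B."""
    m = [[Fraction(x) for x in r] for r in rows]
    n = len(m)
    det = Fraction(1)
    for c in range(n):
        piv = next((r for r in range(c, n) if m[r][c] != 0), None)
        if piv is None:
            return Fraction(0)
        if piv != c:
            m[c], m[piv] = m[piv], m[c]
            det = -det
        det *= m[c][c]
        for r in range(c + 1, n):
            f = m[r][c] / m[c][c]
            m[r] = [x - f * y for x, y in zip(m[r], m[c])]
    return det


def check_orthogonal(stars):
    """Sanity check: every pair b_i*, b_j* with i != j has inner product 0."""
    return all(dot(stars[i], stars[j]) == 0
               for i in range(len(stars)) for j in range(i))


# Constructed bases (not from the book).
BASIS_2D = [(3, 1), (2, 3)]                    # full rank in Z^2, det = 7
BASIS_3D = [(1, 1, 0), (1, 0, 1), (0, 1, 1)]   # full rank in Z^3, det = -2
BASIS_RANK1 = [(3, 4)]                         # rank-1 lattice in Z^2, det = 5

if __name__ == "__main__":
    for basis in (BASIS_2D, BASIS_3D, BASIS_RANK1):
        stars, mu = gram_schmidt(basis)
        print("basis", basis, "-> b_i* =", [[str(x) for x in s] for s in stars],
              "det(L)^2 =", lattice_det_squared(basis))
```

For the two-dimensional basis the second orthogonalised vector is $b_2^* = (-7/10, 21/10)$ with $\mu_{21} = 9/10$, and $\prod \|b_i^*\|^2 = 10 \cdot 49/10 = 49 = 7^2$, matching the determinant of the basis matrix.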
22.2 Lattice Problems
This section provides definitions of representative lattice problems.
Definition 5 (Shortest Vector Problem (SVP)) Given a lattice L, the shortest vector problem is to find a non-zero vector $v \in L$ such that $\|v\| \le \|u\|$ for every non-zero $u \in L$.
Definition 6 (Approximate Shortest Vector Problem (γ-SVP)) Given a lattice L, the approximate shortest vector problem is to find a non-zero vector $v \in L$ such that $\|v\| \le \gamma \|u\|$ for every non-zero $u \in L$, where γ is a real number. Observe that taking γ = 1 gives the exact version of the problem, and that the problem becomes easier as γ increases.
Definition 7 (Closest Vector Problem (CVP)) Given a lattice $L \subset E$ and a target vector $w \in E$, the closest vector problem is to find a vector $u \in L$ closest to the target w, i.e., such that $\|u - w\| \le \|v - w\|$ for every $v \in L$.
Definition 8 (Approximate Closest Vector Problem (γ-CVP)) Given a lattice $L \subset E$ and a target vector $w \in E$, the approximate closest vector problem is to find a vector $u \in L$ such that $\|u - w\| \le \gamma \|v - w\|$ for every $v \in L$, where γ is a real number. Note that the closest vector problem is a generalization of the shortest vector problem.
To date, no polynomial time algorithm is known for solving SVP. Goldreich et al. showed that any hardness of SVP implies the same hardness for CVP [54]. Therefore, no polynomial time algorithm is known for CVP either.
The shortest vector problem can be described as follows: given a lattice L of positive rank, find a non-zero element $x \in L$ with q(x) (the squared length $\|x\|^2$) as small as possible. If we are given short basis vectors, we can easily solve this problem. Thus, the key to the problem is to obtain short basis vectors from given random long basis vectors. The so-called LLL algorithm [15] turns out to approximately solve SVP by generating a reduced basis.
When we construct a cryptographic scheme based on lattices, we can design one-way functions based on the fact that it is hard to obtain short basis vectors from given long basis vectors. For example, in public-key encryption schemes such as the NTRU cryptosystem below, the short basis vectors constitute the private key and the corresponding long basis vectors are published as the public key.
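To make the last point concrete, here is an added Python example (not from the book) of Babai's round-off algorithm for CVP in dimension two: write the target in the given basis with exact rational coordinates, round each coordinate to the nearest integer, and map back into the lattice. The two bases are constructed for illustration and generate the same lattice (they differ by a unimodular matrix), yet round-off finds the true closest vector with the short, nearly orthogonal basis and lands far away with the long one, which is exactly why the short basis can serve as a private key while the long one is safe to publish.

```python
from fractions import Fraction
import math


def solve_2x2(basis, target):
    """Rational coordinates (x, y) with target = x*b1 + y*b2, by Cramer's rule."""
    (a, b), (c, d) = basis          # basis vectors b1 = (a, b), b2 = (c, d)
    det = a * d - b * c
    if det == 0:
        raise ValueError("basis vectors are linearly dependent")
    tx, ty = target
    x = Fraction(tx * d - ty * c, det)
    y = Fraction(a * ty - b * tx, det)
    return x, y


def round_half_up(x):
    """Nearest integer, ties rounded upwards (the book's rounding convention)."""
    return math.floor(x + Fraction(1, 2))


def babai_round_off(basis, target):
    """Babai's round-off: round the basis coordinates of the target and return the
    resulting lattice vector. Exact for an orthogonal basis, good for a nearly
    orthogonal one, poor for a long skewed basis of the same lattice."""
    (a, b), (c, d) = basis
    x, y = solve_2x2(basis, target)
    xr, yr = round_half_up(x), round_half_up(y)
    return (xr * a + yr * c, xr * b + yr * d)


def dist_squared(u, v):
    return (u[0] - v[0]) ** 2 + (u[1] - v[1]) ** 2


def closest_vector_bruteforce(basis, target, bound):
    """Exhaustive search over coefficient pairs in [-bound, bound]^2; feasible only
    in tiny dimension, used here to confirm the round-off answer."""
    (a, b), (c, d) = basis
    best = None
    for x in range(-bound, bound + 1):
        for y in range(-bound, bound + 1):
            v = (x * a + y * c, x * b + y * d)
            if best is None or dist_squared(v, target) < dist_squared(best, target):
                best = v
    return best


# Constructed example: GOOD and BAD generate the same lattice, since
# BAD = U * GOOD with U = [[1, 1], [2, 3]] and det U = 1.
GOOD = [(1000, 0), (3, 1000)]
BAD = [(1003, 1000), (2009, 3000)]
TARGET = (2700, 4001)

if __name__ == "__main__":
    for name, basis in (("good", GOOD), ("bad", BAD)):
        v = babai_round_off(basis, TARGET)
        print(name, "basis ->", v, "distance^2 =", dist_squared(v, TARGET))
    print("brute force ->", closest_vector_bruteforce(GOOD, TARGET, 10))
```

With the good basis the target has coordinates (2.687997, 4.001), which round to (3, 4) and give the lattice point (3012, 4000); with the bad basis the coordinates are (0.061991, 1.313003), which round to (0, 1) and give (2009, 3000), more than fifteen times further away in squared distance.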
22.3 NTRU Cryptosystem
The original NTRU [58] was proposed by Hoffstein, Pipher, and Silverman and was based on polynomial rings. Micciancio and Regev presented the lattice version of NTRU. The lattices used in NTRU belong to a special class, the convolutional modular lattices of even dimension [74]. Its security is closely related to the hardness of CVP, but little is known about whether the lattices used in NTRU are as hard as the general case. NTRU has a number of performance benefits such as fast encryption, decryption, and key generation, along with a comparatively short public key.
The NTRU cryptosystem proceeds as follows.
1. Setup
The NTRU cryptosystem parameters include a prime dimension n, an integer modulus q, a smaller integer p, and an integer weight bound $d_f$.
2. Gen
Private Key: The private key is set to be a short vector (f, g) with the following restrictions.
(a) The matrix $[T * f]$ should be invertible modulo q, where T is the n × n cyclic shift matrix
$$T = \begin{pmatrix} 0 & 0 & \cdots & 0 & 1 \\ 1 & 0 & \cdots & 0 & 0 \\ 0 & 1 & \cdots & 0 & 0 \\ \vdots & \vdots & \ddots & \vdots & \vdots \\ 0 & 0 & \cdots & 1 & 0 \end{pmatrix}.$$
(b) $f \in e_1 + p u$ and $g \in p v$, where $u, v \in \{-1, 0, 1\}^n$, f and g are random polynomials, and $e_1$ is defined such that $f - e_1$ and g have exactly $d_f + 1$ positive entries and $d_f$ negative entries.
Public Key: The public key is the Hermite Normal Form (HNF) of the convolutional modular lattice $L_q((T * x, T * g)^t)$, namely
$$H = \begin{pmatrix} I & O \\ T * h & q \cdot I \end{pmatrix}, \quad \text{where } h = [T * f]^{-1} g \bmod q.$$
3. Encryption
Given the message $m \in \{-1, 0, 1\}^n$ with $d_f + 1$ positive and $d_f$ negative entries, a random vector r is chosen under the same conditions as the message. The ciphertext is $c = f(-r, m) \bmod H$, which can be written as
$$c = (0,\ (m + [T * h] r) \bmod q). \quad (22.4)$$
4. Decryption
The decryption process is divided into two stages. In the first stage, the ciphertext c is multiplied by the matrix $[T * f]$ modulo q such that
$$[T * f] c \bmod q = [T * f] m + [T * f][T * h] r \bmod q = [T * f] m + [T * g] r \bmod q, \quad (22.5)$$
where $[T * f][T * h] = [T * ([T * f] h)]$, $[T * f] \equiv I \pmod p$, $[T * g] \equiv O \pmod p$, I is the identity matrix and O is the zero matrix. Therefore, the message m can be obtained in the second stage by reducing the result modulo p:
$$([T * f] m + [T * g] r) \bmod p = I \cdot m + O \cdot r = m. \quad (22.6)$$
This second stage requires that the entries of $[T * f] m + [T * g] r$, computed over the integers, lie in $(-q/2, q/2]$, so that the reduction modulo q in (22.5) does not change them; the weight bound $d_f$ is chosen small enough relative to q to ensure this.
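The matrix form above can be exercised directly. The following Python is an added toy implementation (not the book's or the NTRU authors' code) that builds $[T * f]$ as a circulant matrix, inverts it modulo a prime q by Gauss-Jordan elimination to obtain $h = [T * f]^{-1} g \bmod q$, encrypts as in (22.4) and decrypts as in (22.5) and (22.6). The parameters n = 7, p = 3, q = 41 and the vectors u, v, m, r are constructed for illustration and are far too small to be secure; they are chosen so that $[T * f]$ is invertible modulo 41 and the integer vector $[T * f] m + [T * g] r$ stays inside $(-q/2, q/2]$.

```python
# Toy NTRU in the circulant-matrix form of Section 22.3 (added example, not the book's code).
N, P, Q = 7, 3, 41   # constructed toy parameters; q prime so inversion mod q is plain Gauss-Jordan


def conv(a, b, n):
    """Cyclic convolution a*b in Z[x]/(x^n - 1); equals the matrix product [T*a] b."""
    out = [0] * n
    for i, ai in enumerate(a):
        if ai:
            for j, bj in enumerate(b):
                out[(i + j) % n] += ai * bj
    return out


def centered(v, mod):
    """Reduce each coefficient to its representative in (-mod/2, mod/2]."""
    half = (mod - 1) // 2
    return [((x + half) % mod) - half for x in v]


def circulant(f, n):
    """The matrix [T*f]: entry (i, j) is f[(i - j) mod n], so [T*f] v = conv(f, v)."""
    return [[f[(i - j) % n] for j in range(n)] for i in range(n)]


def invert_mod(matrix, q):
    """Gauss-Jordan inversion over Z_q (q prime); raises ValueError if singular."""
    n = len(matrix)
    aug = [[x % q for x in row] + [int(i == j) for j in range(n)]
           for i, row in enumerate(matrix)]
    for col in range(n):
        piv = next((r for r in range(col, n) if aug[r][col]), None)
        if piv is None:
            raise ValueError("[T*f] is not invertible modulo q")
        aug[col], aug[piv] = aug[piv], aug[col]
        inv = pow(aug[col][col], -1, q)
        aug[col] = [(x * inv) % q for x in aug[col]]
        for r in range(n):
            if r != col and aug[r][col]:
                factor = aug[r][col]
                aug[r] = [(x - factor * y) % q for x, y in zip(aug[r], aug[col])]
    return [row[n:] for row in aug]


def mat_vec(matrix, v, q):
    return [sum(row[j] * v[j] for j in range(len(v))) % q for row in matrix]


def ntru_keygen(u, v, n=N, p=P, q=Q):
    """f = e1 + p*u and g = p*v, so [T*f] = I and [T*g] = O modulo p; h = [T*f]^{-1} g mod q."""
    f = [1 + p * u[0]] + [p * x for x in u[1:]]
    g = [p * x for x in v]
    h = mat_vec(invert_mod(circulant(f, n), q), g, q)
    return (f, g), h


def ntru_encrypt(h, m, r, n=N, q=Q):
    """Non-zero half of (22.4): c = (m + [T*h] r) mod q."""
    return [(mi + hi) % q for mi, hi in zip(m, conv(h, r, n))]


def ntru_decrypt(f, c, n=N, p=P, q=Q):
    """(22.5) then (22.6): a = [T*f] c mod q equals f*m + g*r over the integers as long
    as every entry lies in (-q/2, q/2]; reducing a modulo p then leaves I*m + O*r = m."""
    a = centered(conv(f, c, n), q)
    return centered(a, p)


# Constructed ternary vectors with d_f = 1 (two +1 entries and one -1 entry each).
U = [0, 1, 1, 0, -1, 0, 0]     # f = e1 + 3u = 1 + 3x + 3x^2 - 3x^4
V = [1, 0, 0, 1, 0, -1, 0]     # g = 3v = 3 + 3x^3 - 3x^5
MSG = [1, -1, 0, 0, 1, 0, 0]   # m = 1 - x + x^4
R = [0, 0, 1, 0, -1, 1, 0]     # r = x^2 - x^4 + x^5


def roundtrip(u=U, v=V, m=MSG, r=R):
    """Key generation, encryption and decryption in one call: (f, g, h, c, decrypted)."""
    (f, g), h = ntru_keygen(u, v)
    c = ntru_encrypt(h, m, r)
    return f, g, h, c, ntru_decrypt(f, c)


if __name__ == "__main__":
    f, g, h, c, m_dec = roundtrip()
    print("h =", h)
    print("c =", c)
    print("[T*f] c mod q =", centered(conv(f, c, N), Q), "(= f*m + g*r over Z)")
    print("decrypted =", m_dec, "ok" if m_dec == MSG else "FAIL")
```

For these values $f * m + g * r = (-5, 2, 6, -6, -5, 12, 3)$ over the integers, every entry well inside $(-20.5, 20.5]$, so the first decryption stage recovers it exactly and reducing it modulo 3 into $\{-1, 0, 1\}$ gives back m. Trying larger weights with the same q shows the failure mode the text alludes to: once an entry leaves that range, (22.6) no longer returns m.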
Exercises
22.1 Answer the following questions:
1. Given an m × n integer matrix A, show that $\{b \in \mathbb{Z}^m : bA = 0\}$ is a lattice of rank m − rk(A).
2. Given an m × n integer matrix A and an integer N, show that $\{b \in \mathbb{Z}^m : bA = 0 \bmod N\}$ is a lattice of rank m.
22.2 Let A be a basis matrix of a full rank lattice L.
1. Show that $(A^T)^{-1}$ is a basis matrix for the dual lattice.
2. Show that the determinant of the dual lattice is $d(L)^{-1}$.
22.3 Give an example of a lattice L of rank 1 in $\mathbb{Z}^2$ whose determinant d(L) is not an integer.
22.4 Let L be a rank 2 lattice in $\mathbb{R}^2$ and let $\{b_1, b_2\}$ be a basis for L. Show that $d(L) = \|b_1\| \cdot \|b_2\| \cdot |\sin(\theta)|$, where θ is the angle between $b_1$ and $b_2$.
22.5 Given a lattice L with the basis matrix $A = \begin{pmatrix} 1001 & 0 \\ 1 & 2008 \end{pmatrix}$:
1. What are the two shortest non-zero vectors?
2. What is the closest vector to (5005, 6024)?
3. Why is it easy to find the closest vector in this lattice?
22.6 Given the two basis vectors (24, 25) and (23, 24) of $\mathbb{Z}^2$, find the Gram-Schmidt vectors $b_1^*, b_2^*$ and their corresponding lengths.
22.7 Give a working encryption and decryption example on the message $m = -x^5 + x^3 + x^2 - x + 1$ for the NTRU encryption scheme with the parameters n = 7, p = 3, q = 41.
22.8 Give a working encryption and decryption example on the message $m = x^{10} + x^9 - x^8 - x^4 + x^3 - 1$ for the NTRU encryption scheme with the parameters n = 11, p = 3, q = 32.
23
Lattice-Based Cryptography
CONTENTS
23.1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 419
23.2 Preliminaries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 420
23.2.1 Distributions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 421
23.3 Lattice-Based Cryptography . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 421
23.3.1 Learning with Errors (LWE) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 422
23.3.2 Learning with Rounding (LWR) . . . . . . . . . . . . . . . . . . . . . . . . 424
23.3.3 Ring Variants of LWE and LWR . . . . . . . . . . . . . . . . . . . . . . . . 425
23.4 (LWE+LWR)-Based Public-Key Encryption [34] . . . . . . . . . . . . . . . 425
23.4.1 The Construction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 426
23.4.2 Correctness . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 427
23.4.3 Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 427
23.5 Ring Variant of Lizard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 428
23.5.1 The Construction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 430
An overview of lattice-based post-quantum cryptography is provided in this chapter. Post-quantum cryptography refers to the cryptographic algorithms that are thought to be secure against attack by a quantum computer. The first section introduces post-quantum cryptography. The next section describes the preliminaries that must be mastered in order to understand post-quantum cryptography. The remaining sections describe lattice-based cryptographic constructions of post-quantum cryptography: learning with errors (LWE), learning with rounding (LWR), and the ring variants of LWE and LWR are discussed in turn.
23.1 Overview
Post-quantum cryptography refers to cryptographic algorithms (usually public-key algorithms) that are thought to be secure against attack by a quantum computer. This is not the case for most currently popular public-key algorithms, which can be efficiently broken by a sufficiently large quantum computer. The problem with the currently popular algorithms is that their security relies on one of these hard mathematical problems: (1) the integer factorization problem, (2) the discrete logarithm problem, or (3) the elliptic-curve discrete logarithm problem. All of these problems can be easily solved on a sufficiently powerful quantum computer running Shor's algorithm [66].
In contrast to the threat that quantum computing poses to current public-key algorithms, most current symmetric cryptographic algorithms and hash functions are considered to be relatively secure against attacks by quantum computers. Although Grover's algorithm [102] does speed up attacks against symmetric ciphers, doubling the key size effectively thwarts these attacks. Thus post-quantum symmetric cryptography does not need to differ significantly from current symmetric cryptography.
23.2 Preliminaries
All logarithms in this chapter are base 2 (e.g., $\log a = \log_2 a$) unless otherwise indicated. For a positive integer q, we use $\mathbb{Z} \cap (-q/2, q/2]$ as the set of representatives of $\mathbb{Z}_q$. For a real number r, $\lfloor r \rceil$ denotes the nearest integer to r, rounding upwards in case of a tie, e.g., $\lfloor 4.5 \rceil = 5$ and $\lfloor 4.4 \rceil = 4$. We denote vectors in bold, e.g., $\mathbf{a}$, and every vector in this chapter is a column vector ($\mathbf{a}^T = [a_1, a_2, \ldots, a_n]$), where n is the dimension of the vector. The norm $\|\cdot\|$ is always the 2-norm in this chapter ($\|\vec{x}\|_2 = \sqrt{\sum_{i=1}^{n} |x_i|^2}$). We denote by $\langle \cdot, \cdot \rangle$ the usual dot product of two vectors. We use $x \leftarrow D$ to denote sampling x according to the distribution D; when D is a finite set, it denotes uniform sampling from D. For an integer n ≥ 1, $D^n$ denotes the product of i.i.d. (independent and identically distributed) random variables $D_i \sim D$ (‘∼’ can mean “similar to,” including “of the same order of magnitude as,” such as x ∼ y meaning that x and y are of the same order of magnitude). We let λ denote the security parameter: all known valid attacks against the cryptographic scheme under consideration should take $\Omega(2^\lambda)$ bit operations. A function $negl : \mathbb{N} \to \mathbb{R}^+$ ($\mathbb{N}$: natural numbers, $\mathbb{R}^+$: positive real numbers) is negligible if for every positive polynomial p(λ) there exists $\lambda_0 \in \mathbb{N}$ such that $negl(\lambda) < 1/p(\lambda)$ for all $\lambda > \lambda_0$. For two matrices A and B with the same number of rows, (A‖B) denotes their row concatenation, i.e., for $A \in \mathbb{Z}^{m \times n_1}$ and $B \in \mathbb{Z}^{m \times n_2}$, the $m \times (n_1 + n_2)$ matrix C = (A‖B) is defined as
$$C_{ij} = \begin{cases} a_{i,j} & 1 \le j \le n_1 \\ b_{i,(j - n_1)} & n_1 < j \le n_1 + n_2. \end{cases}$$
23.2.1 Distributions
For a positive integer q, we define $U_q$ as the uniform distribution over $\mathbb{Z}_q$. For a real σ > 0, the discrete Gaussian distribution of parameter σ, denoted by $DG_\sigma$, is a probability distribution with support $\mathbb{Z}$ that assigns a probability proportional to $\exp(-\pi x^2 / \sigma^2)$ to each $x \in \mathbb{Z}$. Note that the variance of $DG_\sigma$ is very close to $\sigma^2 / 2\pi$ unless σ is very small. [34] applies the following simple lemmas on tail bounds (bounds on the probabilities of extreme events) to discrete Gaussian distributions.
1. $HWT_n(h)$: For an integer 0 ≤ h ≤ n, this distribution samples a vector uniformly from $\{0, \pm 1\}^n$ subject to the condition that it has exactly h non-zero elements.
2. $ZO_n(\rho)$: For a real number 0 ≤ ρ ≤ 1, this distribution samples a vector v from $\{0, \pm 1\}^n$, where each element of v is chosen so that $\Pr[v_i = 0] = 1 - \rho$ and $\Pr[v_i = 1] = \rho/2 = \Pr[v_i = -1]$. That is, the probability that an element is 0 is 1 − ρ, and the probability that it is 1 or −1 is ρ/2 each.
23.3 Lattice-Based Cryptography
Lattice-based cryptographic constructions are among the candidates for post-quantum cryptography, which are believed to be secure against quantum computers. They have the following unique advantages.
1. Very strong security proofs based on worst-case hardness¹
2. Relatively efficient implementations
3. Simplicity
4. Applicability to a wide variety of applications
¹ Worst-case hardness of lattice problems means that breaking the lattice-based cryptographic construction (even with some small non-negligible probability) is provably at least as hard as solving several lattice problems (approximately, within polynomial factors) in the worst case. In other words, breaking the lattice-based cryptographic construction implies that there is an efficient algorithm that can solve every instance of the underlying lattice problem.
In most cases, the underlying problem is to approximate lattice problems such as SVP to within polynomial factors, which is thought to be difficult. This strong security guarantee is one of the characteristics of lattice-based cryptography.
The worst-case security guarantee is important for the following two reasons.
(a) It guarantees that attacks on the cryptographic construction can only be effective for a restricted range of parameter choices and are not asymptotically effective. In other words, it ensures that there is no fundamental defect in the design of the cryptographic construction.
(b) In principle, a worst-case security guarantee can help to select concrete parameters for the cryptographic system. In practice, however, the parameters obtained in this way are imprecise (either too small or too large), so parameters are often set according to the best known attack.
23.3.1 Learning with Errors (LWE)
LWE is one of the most promising primitives for many uses (especially post-quantum cryptography) due to its lightweight operations and its rigorous security reduction from worst-case lattice problems, which are considered hard to solve even with quantum computers.
In 2005, LWE was first introduced by Regev [88] to construct a public key encryption scheme. After that, many cryptographic systems based on LWE have been proposed owing to its versatility. However, some variants [49], [86] of Regev's technique require somewhat larger parameters and are not practical. Lindner and Peikert [70] improved the LWE-based scheme by inserting the noise into a combination of LWE samples in the encryption phase. However, it is still impractical, because sampling the noise from the discrete Gaussian distribution requires inefficient floating point operations of high bit precision [42]. From 2012 through 2016, some post-quantum key exchanges [4], [28], [27], [39], [85] and more efficient Public-Key Encryption (PKE) schemes [100], [23] were proposed, which use sparse small secrets based on the hardness assumptions of LWE and its ring variant. Although they are practical and support quantum-resistant security, they are still inefficient due to Gaussian sampling. There have been some attempts [27], [85] to improve it, which are not yet satisfactory. Recently, Lizard [34] was proposed to improve the performance.
LWE
For an n-dimensional vector $s \in \mathbb{Z}^n$ and an error distribution $\mathcal{X}$ over $\mathbb{Z}$, the LWE distribution $A^{LWE}_{n,q,\mathcal{X}}(s)$ over $\mathbb{Z}_q^n \times \mathbb{Z}_q$ is obtained by choosing a vector a uniformly at random from $\mathbb{Z}_q^n$ and an error e from $\mathcal{X}$, and outputting $(a, b = \langle a, s\rangle + e) \in \mathbb{Z}_q^n \times \mathbb{Z}_q$.
The search LWE problem
Find $s \in \mathbb{Z}_q^n$ given arbitrarily many independent samples $(a_i, b_i)$ from $A^{LWE}_{n,q,\mathcal{X}}(s)$.
The decision LWE problem
The decision LWE problem, denoted by $LWE_{n,q,\mathcal{X}}(D)$, is to distinguish the distribution $A^{LWE}_{n,q,\mathcal{X}}(s)$ from the uniform distribution over $\mathbb{Z}_q^n \times \mathbb{Z}_q$ with non-negligible advantage, for a fixed $s \leftarrow D$. When the number of samples is limited to m, we denote the problem by $LWE_{n,m,q,\mathcal{X}}(D)$.
Jung Hee Cheon et al. [34] consider only the discrete Gaussian $\mathcal{X} = DG_{\alpha q}$ as the error distribution, where α ∈ (0, 1) is the error rate, so α will stand in for the distribution $\mathcal{X}$ in the description of the LWE problem, say $LWE_{n,m,q,\alpha}(D)$. The LWE problem is self-reducible², so we usually omit the key distribution D (for example, $LWE_{n,m,q,\mathcal{X}}$, $LWE_{n,m,q,\alpha}$) when it is the uniform distribution over $\mathbb{Z}_q^n$.
Its hardness is guaranteed by the decision version of the shortest vector problem (GapSVP) and the shortest independent vectors problem (SIVP), which are worst-case hard standard lattice problems. After Regev [88] presented the quantum reduction from those lattice problems to the LWE problem, Peikert et al. [30], [84] improved the reduction to a classical one at the cost of significantly worse parameters (the dimension should be of size $n \log q$). In this case, the reduction holds only for GapSVP, not SIVP.
The decision LWE problem with sparse binary secret
After the research on the connection between the LWE problem and lattice problems, some variants of LWE whose secret distributions are modified from the uniform distribution were proposed. Zvika Brakerski et al. [30] proved that the LWE problem with binary secret is at least as hard as the original LWE problem. Following the approach of Zvika Brakerski et al. [30], Cheon et al. [34] proved the hardness of the LWE problem with sparse secret (the number of non-zero components of the secret vector is a constant). The hardness of the LWE problem with signed-binary secret of Hamming weight h, $LWE_{n,m,q,\beta}(HWT_n(h))$, is guaranteed by the following theorem.
Theorem 1 (Informal) If $\log \binom{n}{h} + h > k \log q$ and $\beta > \alpha (10h)^{1/2}$, the $LWE_{n,m,q,\beta}(HWT_n(h))$ problem is at least as hard as $LWE_{n,m,q,\alpha}$, where $\binom{n}{k} = \frac{n!}{k!\,(n-k)!}$ is the number of k-combinations of a given set S of n elements.
The proof is omitted.
The multiple secret LWE
In [29], [85], [86], to encrypt a string rather than a single bit, LWE with a single secret was generalized to LWE with multiple secrets. An instance of multi-secret LWE is $(a, \langle a, s_1\rangle + e_1, \ldots, \langle a, s_k\rangle + e_k)$, where $s_1, \ldots, s_k$ are secret vectors and $e_1, \ldots, e_k$ are independently chosen error vectors. Using a hybrid argument, multi-secret LWE is proved to be at least as hard as LWE with a single secret. Based on this hardness guarantee, [34] uses LWE instances with a number of sparse signed-binary secrets to construct an encryption scheme.
The conclusion of this section is that when $\log \binom{n}{h} + h > k \log q$ and $\beta > \alpha (10h)^{1/2}$, the LWE problem with signed-binary secret of Hamming weight h is hard, and the security of a scheme that uses LWE instances with a number of sparse signed-binary secrets follows easily from multi-secret LWE. So a secure and efficient scheme can be developed using these results.
² The problem of deciding a language is sometimes called a “decision problem:” given input x, the solution is a yes/no answer. But many problems are more naturally “search problems:” given input x, find a solution y. Many languages come from natural search problems. Clearly, an efficient solution to the search problem would give an efficient solution to the corresponding decision problem. So a proof that the decision problem is NP-hard implies that the search problem is “hard” as well, and does not have any efficient solution. But exactly how much more difficult are search problems? Perhaps surprisingly, many (but not all) are only polynomially more difficult than the corresponding decision problem, in the following sense: any efficient solution to the decision problem can be used to solve the search problem efficiently. This is called “self-reducibility.”
23.3.2 Learning with Rounding (LWR)
The LWR problem, introduced in [7], is a variant of the LWE problem. Instead of adding auxiliary errors, an instance of the LWR problem is generated through a deterministic rounding process into a smaller modulus. Because the error generated in this process is deterministic, the LWR problem is called the “derandomized” version of the LWE problem. More precisely, to hide the secret information, the LWR problem uses rounding to a modulus p instead of adding errors; the deterministic error is generated by scaling down from $\mathbb{Z}_q$ to $\mathbb{Z}_p$, where q > p. When the modulus is somewhat large, [5] and [7] show that the LWR problem is not easier than the LWE problem. However, due to the constraint that the modulus must be large, the LWR problem had been used only for special applications such as pseudorandom generators (PRG) [7]. In [18], it is proven that, when the number of samples is limited, the LWR problem is hard under the hardness assumption of the LWE problem.
LWR
For an n-dimensional vector s over $\mathbb{Z}_q$, the LWR distribution $A^{LWR}_{n,q,p}(s)$ over $\mathbb{Z}_q^n \times \mathbb{Z}_p$ is obtained by choosing a vector a uniformly at random from $\mathbb{Z}_q^n$ and returning $(a, \lfloor (p/q) \cdot a \cdot s \rceil) \in \mathbb{Z}_q^n \times \mathbb{Z}_p$.
As for the LWE problem, $A^{LWR}_{n,m,q,p}(s)$ denotes the distribution of m samples from $A^{LWR}_{n,q,p}(s)$; it is contained in $\mathbb{Z}_q^{m \times n} \times \mathbb{Z}_p^m$.
The search LWR problem
It is defined as finding the secret s, as in the search version of the LWE problem.
The decision LWR problem ($LWR_{n,m,q,p}(D)$)
Its purpose is to distinguish the distribution $A^{LWR}_{n,q,p}(s)$ from the uniform distribution over $\mathbb{Z}_q^n \times \mathbb{Z}_p$, given m instances, for a fixed $s \leftarrow D$.
23.3.3 Ring Variants of LWE and LWR
In [73], Lyubashevsky et al. deal with the LWE problem over rings, namely ring-LWE. For positive integers n and q, and an irreducible polynomial $g(x) \in \mathbb{Z}[x]$ of degree n, we define the ring $R = \mathbb{Z}[x]/(g(x))$ and its quotient ring modulo q, $R_q = \mathbb{Z}_q[x]/(g(x))$. The ring-LWE problem is to distinguish between the uniform distribution and the distribution of $(a, a \cdot s + e) \in R_q^2$, where a is a uniformly random polynomial, e is chosen from an error distribution, and s is a secret polynomial.
Due to the efficiency and compactness of ring-LWE, many lattice-based cryptosystems are constructed on ring-LWE rather than on LWE. Similarly to LWE, the ring-LWE problem over the ring R is at least as hard as the approximate version of SVP over the ideal lattices of R, in the sense of a quantum reduction.
The ring variant of LWR is introduced in [7], [18] as an analogue of LWR. In the ring-LWR problem, the vectors chosen from $\mathbb{Z}_q^n$ are replaced by polynomials in $R_q$, i.e., the ring-LWR instance for a secret polynomial $s \in R_q$ is $(a, \lfloor (p/q) \cdot a \cdot s \rceil) \in R_q \times R_p$, where $\lfloor (p/q) \cdot a \cdot s \rceil$ is obtained by applying the rounding function to each coefficient of $(p/q) \cdot a \cdot s$. The search and decision ring-LWR problems are defined in the same way as the LWR problems, but over rings.
Abhishek Banerjee et al. [7] proved that decision ring-LWR is at least as hard as decision ring-LWE for a sufficiently large modulus. Later, a reduction from search ring-LWE to search ring-LWR was constructed for the whole range of the modulus [7] when the number of samples is bounded.
23.4 (LWE+LWR)-Based Public-Key Encryption [34]
PKE schemes based on the LWE problem have simple and fast decryption, but encryption is rather slow due to the large parameter sizes required by the leftover hash lemma [8] or due to expensive Gaussian sampling [43]. Jung Hee Cheon et al. [34] proposed a novel PKE scheme called Lizard, based on the LWE and LWR problems, with provable security. Based on the result of [9] that the LWR assumption holds under the hardness assumption of LWE when the number of samples is limited, the LWR assumption can be safely used in the encryption phase. Building a ciphertext from LWR instances instead of LWE instances not only reduces the parameters and the ciphertext size, but also replaces the expensive discrete Gaussian sampling by deterministic and efficient rounding.
Lizard has a conceptually simple encryption procedure consisting of subset-sum and rounding operations, without Gaussian sampling or the leftover hash lemma. Also, by taking advantage of sparse binary secrets, Lizard becomes very practical in two respects: it compresses the ciphertext size by scaling it down from $\mathbb{Z}_q$ to $\mathbb{Z}_p$, where p is the rounding modulus, and it speeds up the encryption algorithm by eliminating the Gaussian sampling process.
23.4.1 The Construction
We now describe the public-key encryption scheme based on both the LWE and LWR problems. The public key consists of m LWE instances of dimension n, and an encryption of zero consists of (n + l) samples of m-dimensional LWR, where l is the dimension of the plaintext vectors. The scheme is described as follows.
1. Lizard.Setup($1^\lambda$): Choose positive integers m, n, q, p, t, and l. Choose the private key distribution $D_s$ over $\mathbb{Z}^n$, the ephemeral secret distribution $D_r$ over $\mathbb{Z}^m$, and the parameter σ of the discrete Gaussian distribution $DG_\sigma$. Output params ← $(m, n, q, p, t, l, D_s, D_r, \sigma)$.
2. Lizard.Gen(params): Generate a random matrix $A \leftarrow \mathbb{Z}_q^{m \times n}$. Choose a secret matrix $S = (s_1 \| \cdots \| s_l)$ by sampling column vectors $s_i \in \mathbb{Z}^n$ independently from the distribution $D_s$. Generate an error matrix $E = (e_1 \| \cdots \| e_l)$ from $DG_\sigma^{m \times l}$ and let $B \leftarrow AS + E \in \mathbb{Z}_q^{m \times l}$, where the operations are carried out modulo q. Output the public key $pk \leftarrow (A \| B) \in \mathbb{Z}_q^{m \times (n+l)}$ and the secret key $sk \leftarrow S \in \mathbb{Z}^{n \times l}$.
3. Lizard.Enc$_{pk}$($\mathbf{m}$): For a plaintext $\mathbf{m} = (m_i)_{1 \le i \le l} \in \mathbb{Z}_t^l$, choose an m-dimensional vector $\mathbf{r} \in \mathbb{Z}^m$ from the distribution $D_r$. Compute the vectors $c_1' \leftarrow A^T \mathbf{r}$ and $c_2' \leftarrow B^T \mathbf{r}$ over $\mathbb{Z}_q$, and output the vector $c \leftarrow (c_1, c_2) \in \mathbb{Z}_p^{n+l}$, where $c_1 \leftarrow \lfloor (p/q) \cdot c_1' \rceil \in \mathbb{Z}_p^n$ and $c_2 \leftarrow \lfloor (p/t) \cdot \mathbf{m} + (p/q) \cdot c_2' \rceil \in \mathbb{Z}_p^l$.
4. Lizard.Dec$_{sk}$(c): For a ciphertext $c = (c_1, c_2) \in \mathbb{Z}_p^{n+l}$, compute and output the vector $\mathbf{m}' \leftarrow \lfloor (t/p) \cdot (c_2 - S^T c_1) \rceil \pmod t$.
Here, we assume t | p | q (t divides p, and p divides q) in the rest of this section. However, the scheme still works correctly for parameters that do not satisfy t | p | q.
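The construction can be run end to end. The following Python is an added toy implementation (not the book's or the Lizard authors' code): Gen produces the LWE instances $B = AS + E$ of 23.3.1, Enc applies the LWR rounding $\lfloor (p/q) \cdot \rceil$ of 23.3.2 to $A^T \mathbf{r}$ and $B^T \mathbf{r}$, and Dec follows step 4. Secrets come from $HWT_n(h)$, errors from a rejection-sampled truncated discrete Gaussian with probability proportional to $\exp(-\pi x^2/\sigma^2)$, and the parameter set, the seed and the plaintexts are constructed for illustration only (they are far too small to be secure). The function worst_case_bound_ok checks the correctness condition $|\langle e, r\rangle + \langle s, f\rangle| < q/2t - q/2p$ stated in the next subsection against the largest values these samplers can produce, so for this parameter set decryption can never fail, not merely fail with negligible probability.

```python
import math
import random

# Constructed toy parameters (not a secure set); t | p | q as the text assumes.
PARAMS = dict(m=64, n=32, q=4096, p=256, t=2, l=4, h_s=8, h_r=16, sigma=2.0, tail=5)


def sample_dg(rng, sigma, tail):
    """Rejection sampler for a discrete Gaussian truncated to |x| <= tail*sigma,
    with probability proportional to exp(-pi x^2 / sigma^2) as in 23.2.1."""
    bound = math.ceil(tail * sigma)
    while True:
        x = rng.randint(-bound, bound)
        if rng.random() < math.exp(-math.pi * x * x / (sigma * sigma)):
            return x


def sample_hwt(rng, n, h):
    """HWT_n(h): uniform vector in {0, +1, -1}^n with exactly h non-zero entries."""
    v = [0] * n
    for idx in rng.sample(range(n), h):
        v[idx] = rng.choice((-1, 1))
    return v


def round_scale(x, num, den):
    """floor(x * num / den + 1/2): nearest integer, ties upwards (den is even here)."""
    return (x * num + den // 2) // den


def lizard_gen(rng, prm):
    """Lizard.Gen: pk = (A || B) with B = A S + E mod q, sk = S (columns s_1..s_l)."""
    m, n, q, l = prm["m"], prm["n"], prm["q"], prm["l"]
    A = [[rng.randrange(q) for _ in range(n)] for _ in range(m)]
    S = [sample_hwt(rng, n, prm["h_s"]) for _ in range(l)]
    E = [[sample_dg(rng, prm["sigma"], prm["tail"]) for _ in range(m)] for _ in range(l)]
    B = [[(sum(A[row][k] * S[i][k] for k in range(n)) + E[i][row]) % q
          for i in range(l)] for row in range(m)]
    return (A, B), S


def lizard_enc(rng, pk, msg, prm):
    """Lizard.Enc: c1 = round(p/q * A^T r), c2 = round(p/t * m + p/q * B^T r)."""
    A, B = pk
    m, n, q, p, t, l = (prm[k] for k in ("m", "n", "q", "p", "t", "l"))
    r = sample_hwt(rng, m, prm["h_r"])
    c1_raw = [sum(A[row][j] * r[row] for row in range(m)) % q for j in range(n)]
    c2_raw = [sum(B[row][i] * r[row] for row in range(m)) % q for i in range(l)]
    c1 = [round_scale(x, p, q) % p for x in c1_raw]
    c2 = [((p // t) * msg[i] + round_scale(c2_raw[i], p, q)) % p for i in range(l)]
    return c1, c2


def lizard_dec(sk, ct, prm):
    """Lizard.Dec: m' = round(t/p * (c2 - S^T c1)) mod t."""
    c1, c2 = ct
    n, p, t, l = (prm[k] for k in ("n", "p", "t", "l"))
    out = []
    for i in range(l):
        x = (c2[i] - sum(sk[i][j] * c1[j] for j in range(n))) % p
        out.append(round_scale(x, t, p) % t)
    return out


def worst_case_bound_ok(prm):
    """Correctness condition with the samplers' hard limits: |<e, r>| <= h_r * tail*sigma
    and |<s, f>| <= h_s * (q/2p) for f in Z_{q/p}; if it holds, decryption cannot fail."""
    q, p, t = prm["q"], prm["p"], prm["t"]
    max_err = (prm["h_r"] * math.ceil(prm["tail"] * prm["sigma"])
               + prm["h_s"] * (q // (2 * p)))
    return max_err < q / (2 * t) - q / (2 * p)


def roundtrip(msg, seed=2024, prm=PARAMS):
    """Gen, Enc, Dec with a seeded RNG; returns the decrypted vector."""
    rng = random.Random(seed)
    pk, sk = lizard_gen(rng, prm)
    return lizard_dec(sk, lizard_enc(rng, pk, msg, prm), prm)


if __name__ == "__main__":
    print("worst-case bound satisfied:", worst_case_bound_ok(PARAMS))
    for msg in ([1, 0, 1, 1], [0, 1, 0, 0]):
        print(msg, "->", roundtrip(msg))
```

With these parameters $q/2t - q/2p = 1016$ while the samplers can produce at most $16 \cdot 10 + 8 \cdot 8 = 224$, so the decryption error in $\mathbb{Z}_p$ is at most 14 against a margin of $p/2t = 64$; shrinking q or p, or raising the Hamming weights, is the quickest way to watch the bound fail and decryption start flipping bits.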
23.4.2 Correctness
Lemma 1 The cryptosystem described above works correctly as long as the following inequality holds for the security parameter λ:
$$\Pr\Big[\, |\langle e, r\rangle + \langle s, f\rangle| \ge q/2t - q/2p \;:\; e \leftarrow DG_\sigma^m,\ r \leftarrow D_r,\ s \leftarrow D_s,\ f \leftarrow \mathbb{Z}_{q/p}^n \,\Big] < negl(\lambda).$$
Proof. Let $r \in \mathbb{Z}^m$ be the vector sampled from $D_r$ in the encryption procedure, and let $c' = (c_1', c_2') \leftarrow (A^T r, B^T r) \in \mathbb{Z}_q^{n+l}$. The output ciphertext is $c \leftarrow (c_1 = \lfloor (p/q) \cdot c_1' \rceil,\ c_2 = \lfloor (p/t) \cdot m + (p/q) \cdot c_2' \rceil)$.
Let $f_1 \leftarrow c_1' \pmod{q/p} \in \mathbb{Z}_{q/p}^n$ and $f_2 \leftarrow c_2' \pmod{q/p} \in \mathbb{Z}_{q/p}^l$ be the vectors satisfying $(q/p) \cdot c_1 = c_1' - f_1$ and $(q/p) \cdot (c_2 - (p/t) \cdot m) = c_2' - f_2$ ($f_1$ and $f_2$ can be thought of as the rounding errors of $c_1'$ and $c_2'$, respectively). Note that $f_1 = A^T r \pmod{q/p}$ is uniformly distributed over $\mathbb{Z}_{q/p}^n$ independently of the choice of r, e, and s. Then for any $1 \le i \le l$, the i-th component of $c_2 - S^T c_1 \in \mathbb{Z}_p^l$ is
$$\begin{aligned}
(c_2 - S^T c_1)[i] &= (p/t) \cdot m_i + (p/q) \cdot (c_2' - S^T c_1')[i] - (p/q) \cdot (f_2[i] - \langle s_i, f_1\rangle) \\
&= (p/t) \cdot m_i + (p/q) \cdot (B^T r - S^T A^T r)[i] - (p/q) \cdot (f_2[i] - \langle s_i, f_1\rangle) \\
&= (p/t) \cdot m_i + (p/q) \cdot ((AS + E)^T r - S^T A^T r)[i] - (p/q) \cdot (f_2[i] - \langle s_i, f_1\rangle) \\
&= (p/t) \cdot m_i + (p/q) \cdot ((S^T A^T + E^T) r - S^T A^T r)[i] - (p/q) \cdot (f_2[i] - \langle s_i, f_1\rangle) \\
&= (p/t) \cdot m_i + (p/q) \cdot (S^T A^T r[i] + \langle e_i, r\rangle - S^T A^T r[i]) - (p/q) \cdot (f_2[i] - \langle s_i, f_1\rangle) \\
&= (p/t) \cdot m_i + (p/q) \cdot (\langle e_i, r\rangle + \langle s_i, f_1\rangle) - (p/q) \cdot f_2[i] \\
&= (p/t) \cdot m_i + \lfloor (p/q) \cdot (\langle e_i, r\rangle + \langle s_i, f_1\rangle) \rceil,
\end{aligned}$$
since $f_2 = (AS + E)^T r = S^T f_1 + E^T r \pmod{q/p}$. Therefore, the correctness of this scheme is guaranteed if the encryption error is bounded by p/2t, or equivalently, $|\langle e_i, r\rangle + \langle s_i, f_1\rangle| < (q/2t) - (q/2p)$, with overwhelming probability.
23.4.3 Security
[34] argues that the proposed encryption scheme is IND-CPA secure under the hardness assumptions of the LWE problem and the LWR problem. The following lemma gives an explicit proof of this security argument.
Lemma 2 The PKE scheme Lizard is IND-CPA secure under the hardness assumptions of $\mathsf{LWE}_{n,m,q,DG_\sigma}(D_s)$ and $\mathsf{LWR}_{m,n+l,q,p}(D_r)$.
Proof. An encryption of $m$ can be generated by adding $(p/t) \cdot m$ to an encryption of zero. Hence it is enough to show that the pair of public information $pk = (A \| B) \leftarrow \mathsf{Lizard.Gen}(params)$ and an encryption of zero $c \leftarrow \mathsf{Lizard.Enc}_{pk}(0)$ is computationally indistinguishable from the uniform distribution over $\mathbb{Z}_q^{m \times (n+l)} \times \mathbb{Z}_p^{(n+l)}$ for a parameter set $params \leftarrow \mathsf{Lizard.Setup}(1^\lambda)$. Consider the following three distributions:
1. $D_0 = \{(pk, c) : pk \leftarrow \mathsf{Lizard.Gen}(params),\ c \leftarrow \mathsf{Lizard.Enc}_{pk}(0)\}$.
2. $D_1 = \{(pk, c) : pk \leftarrow \mathbb{Z}_q^{m \times (n+l)},\ c \leftarrow \mathsf{Lizard.Enc}_{pk}(0)\}$.
3. $D_2 = \{(pk, c) : pk \leftarrow \mathbb{Z}_q^{m \times (n+l)},\ c \leftarrow \mathbb{Z}_p^{(n+l)}\}$.
The public key $pk = (A \| B) \leftarrow \mathsf{Lizard.Gen}(params)$ is generated by sampling $m$ instances of the LWE problem with $l$ independent secret vectors $s_1, \cdots, s_l \leftarrow D_s$. In addition, the multi-secret LWE problem is no easier than the ordinary LWE problem. Hence, distributions $D_0$ and $D_1$ are computationally indistinguishable under the $\mathsf{LWE}_{n,m,q,DG_\sigma}(D_s)$ assumption.
Now assume that $pk$ is uniformly random over $\mathbb{Z}_q^{m \times (n+l)}$. Then $pk$ and $c \leftarrow \mathsf{Lizard.Enc}_{pk}(0)$ together form $(n+l)$ instances of the $m$-dimensional LWR problem with secret $r \leftarrow D_r$ (the rounded samples live in $\mathbb{Z}_p$). Therefore, distributions $D_1$ and $D_2$ are computationally indistinguishable under the $\mathsf{LWR}_{m,n+l,q,p}(D_r)$ assumption.
As a result, distributions $D_0$ and $D_2$ are computationally indistinguishable under the hardness assumptions of $\mathsf{LWE}_{n,m,q,DG_\sigma}(D_s)$ and $\mathsf{LWR}_{m,n+l,q,p}(D_r)$, which establishes the IND-CPA security of the PKE scheme.
Remark 1. Lizard can be naturally converted into two IND-CCA versions:
one in the random oracle model using the Fujisaki-Okamoto conversion [45],
and the other in the quantum random oracle model using the Targhi-Unruh
conversion [94]. We denote the CCA version of Lizard by CCALizard. The
scheme description of CCALizard is in Appendix A of [34].
23.5 Ring Variant of Lizard
In this section, we introduce a ring variant of the Lizard scheme, called RLizard [67], an IND-CCA secure encryption scheme.
We first fix some notation for the description of this ring-based encryption scheme. For an integer $d$, let $\Phi_d(X)$ be the $d$-th cyclotomic polynomial of degree $n = \varphi(d)$, where $\varphi$ is Euler's phi-function: $\varphi(d)$ is the number of integers in $\{1, \ldots, d\}$ that are relatively prime to $d$. We write the cyclotomic ring and its residue ring modulo an integer $q$ as $R = \mathbb{Z}[X]/(\Phi_d(X))$ and $R_q = \mathbb{Z}_q[X]/(\Phi_d(X))$.$^3$ We identify the vectors of $\mathbb{Z}_q^n$ with the elements of $R_q$ by $(a_0, \cdots, a_{n-1}) \mapsto \sum_{i=0}^{n-1} a_i X^i$. For any distribution $D$ over $\mathbb{Z}_q$, sampling a polynomial $\sum_{i=0}^{n-1} a_i X^i \in R_q$ from $D^n$ means sampling its coefficient vector $(a_0, \cdots, a_{n-1})$ from the distribution $D^n$. For the simplicity of ring operations, we choose a power-of-two degree in the following description.
The cyclotomic polynomial In mathematics, more specifically in algebra, the $n$-th cyclotomic polynomial for any positive integer $n$ is the unique irreducible polynomial with integer coefficients which is a divisor of $x^n - 1$ and is not a divisor of $x^k - 1$ for any $k < n$. Its roots$^4$ are all the primitive $n$-th roots of unity$^5$ $e^{2\sqrt{-1}\pi k/n}$, where $k$ runs over the positive integers not greater than $n$ and coprime to $n$. In other words, the $n$-th cyclotomic polynomial is equal to
$$\Phi_n(x) = \prod_{\substack{1 \le k \le n \\ \gcd(k, n) = 1}} \left(x - e^{2\sqrt{-1}\pi k/n}\right). \quad (23.1)$$
It may also be defined as the monic polynomial$^6$ with integer coefficients which is the minimal polynomial over the field of the rational numbers of any primitive $n$-th root of unity ($e^{2\sqrt{-1}\pi/n}$ is an example of such a root). An important relation linking cyclotomic polynomials and primitive roots of unity is
$$\prod_{b \mid n} \Phi_b(x) = x^n - 1, \quad (23.2)$$
showing that every root of $x^n - 1$ is a primitive $b$-th root of unity for some $b$ that divides $n$.
$^3$ E.g., if $\Phi_d(X) = X^{1024} + 1$ (i.e., $d = 2048$), then an element of $R$ is $a_{1023} X^{1023} + \cdots + a_0$ with $\{a_i\}_{i=0}^{1023} \subset \mathbb{Z}$, and an element of $R_q$ is $a_{1023} X^{1023} + \cdots + a_0$ with $\{a_i\}_{i=0}^{1023} \subset \mathbb{Z}_q$.
$^4$ In mathematics, a zero, also sometimes called a root, of a real-, complex-, or generally vector-valued function $f$ is a member $x$ of the domain of $f$ such that $f(x)$ vanishes at $x$; that is, $x$ is a solution of the equation $f(x) = 0$. In other words, a "zero" of a function is an input value that produces an output of zero. A root of a polynomial is a zero of the corresponding polynomial function. The fundamental theorem of algebra shows that any non-zero polynomial has a number of roots at most equal to its degree, and that the number of roots and the degree are equal when one considers the complex roots (or more generally the roots in an algebraically closed extension) counted with their multiplicities. For example, the polynomial $f$ of degree two defined by $f(x) = x^2 - 5x + 6$ has the two roots 2 and 3, since $f(2) = 2^2 - 5 \cdot 2 + 6 = 0$ and $f(3) = 3^2 - 5 \cdot 3 + 6 = 0$.
$^5$ $n$-th roots of unity: the numbers $x$ satisfying $x^n = 1$.
$^6$ In algebra, a monic polynomial is a univariate polynomial in which the leading coefficient (the nonzero coefficient of highest degree) is equal to 1. Therefore, a monic polynomial has the form $x^n + c_{n-1} x^{n-1} + \cdots + c_2 x^2 + c_1 x + c_0$. A polynomial in one indeterminate is called a univariate polynomial, and a polynomial in more than one indeterminate is called a multivariate polynomial.
In particular, if $n = p^m$ is a prime power (where $p$ is prime), then
$$\Phi_n(x) = \Phi_p\big(x^{p^{m-1}}\big) = \sum_{i=0}^{p-1} x^{i p^{m-1}}. \quad (23.3)$$
For example, if $n = 2 \cdot 2^{10} = 2^{11}$ then $\Phi_n(x) = \sum_{i=0}^{2-1} x^{i 2^{10}} = x^{2^{10}} + 1 = x^{1024} + 1$.
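As an added worked example for this subsection (it is not from the book), the Python below computes $\Phi_n(x)$ over $\mathbb{Z}$ directly from relation (23.2): $x^n - 1$ is divided exactly by the product of $\Phi_b(x)$ over the proper divisors $b$ of $n$. It then checks the result against the prime-power formula (23.3), including the power-of-two case $\Phi_{2^{11}}(x) = x^{1024} + 1$ used by RLizard, and reports the degree, which must be $\varphi(n)$. Polynomials are coefficient lists, lowest degree first; the function names are this example's own.

```python
"""Cyclotomic polynomials from the relation prod_{b | n} Phi_b(x) = x^n - 1.

Added example, not the book's code.  A polynomial over Z is a list of
integer coefficients, lowest degree first, e.g. x^2 - x + 1 -> [1, -1, 1].
"""
from functools import lru_cache


def poly_mul(a, b):
    """Product of two integer polynomials."""
    out = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[i + j] += ai * bj
    return out


def poly_divexact(num, den):
    """Exact division of integer polynomials; fails if a remainder is left.

    `den` must be monic (every cyclotomic polynomial is), so no fractions
    appear.  Plain long division from the top coefficient downwards.
    """
    assert den[-1] == 1, "divisor must be monic"
    rem = list(num)
    quo = [0] * (len(num) - len(den) + 1)
    for k in range(len(quo) - 1, -1, -1):
        coef = rem[k + len(den) - 1]
        quo[k] = coef
        for j, dj in enumerate(den):
            rem[k + j] -= coef * dj
    assert all(c == 0 for c in rem), "division was not exact"
    return quo


def divisors(n):
    return [d for d in range(1, n + 1) if n % d == 0]


@lru_cache(maxsize=None)
def cyclotomic(n):
    """Phi_n(x) = (x^n - 1) / prod_{b | n, b < n} Phi_b(x), as a tuple."""
    if n == 1:
        return (-1, 1)                       # x - 1
    prod = [1]
    for b in divisors(n)[:-1]:               # proper divisors of n
        prod = poly_mul(prod, list(cyclotomic(b)))
    x_n_minus_1 = [-1] + [0] * (n - 1) + [1]
    return tuple(poly_divexact(x_n_minus_1, prod))


def prime_power_formula(p, m):
    """Right-hand side of (23.3): sum_{i=0}^{p-1} x^(i p^(m-1))."""
    step = p ** (m - 1)
    out = [0] * ((p - 1) * step + 1)
    for i in range(p):
        out[i * step] = 1
    return tuple(out)


def degree(poly):
    """Degree of the polynomial; for Phi_n this equals Euler's phi(n)."""
    return len(poly) - 1


if __name__ == "__main__":
    for n in (6, 9, 12, 105, 2048):
        print(n, degree(cyclotomic(n)))
    print(cyclotomic(2 ** 11) == prime_power_formula(2, 11))
```

Because the recursion only ever divides by monic polynomials, the arithmetic stays in $\mathbb{Z}$ and the `assert` in `poly_divexact` doubles as a check of (23.2) itself: if the product of the smaller cyclotomic polynomials did not divide $x^n - 1$ exactly, the computation would stop.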
The cyclotomic ring Let $f(x) = x^n + 1 \in \mathbb{Z}[x]$, where the security parameter $n$ is a power of 2, making $f(x)$ irreducible over the rationals. Let $R = \mathbb{Z}[x]/\langle f(x) \rangle$ be the ring of integer polynomials modulo $f(x)$. Elements of $R$ (i.e., residues modulo $f(x)$) can be represented by integer polynomials of degree less than $n$. Let $q \equiv 1 \pmod{2n}$ be a sufficiently large public prime modulus (bounded by a polynomial in $n$), and let $R_q = R/\langle q \rangle = \mathbb{Z}_q[x]/\langle f(x) \rangle$ be the ring of integer polynomials modulo both $f(x)$ and $q$. The $q^n$ elements of $R_q$ may be represented by polynomials of degree less than $n$ whose coefficients are from some set of canonical representatives of $\mathbb{Z}_q$, for example, $\{0, \cdots, q - 1\}$.$^7$
$^7$ I.e., an element of $R_q$ is a polynomial of degree less than $n$ with each coefficient in $\mathbb{Z}_q$, which gives $q^n$ elements in total. E.g., when $n = 3$ and $q = 5$, one element of $R_q$ is $3x^2 + 4x + 2$.
23.5.1 The Construction
RLizard is the natural analogue of Lizard based on the hardness of the Ring-LWE and Ring-LWR problems. Although the security ground of the ring variant is weaker than that of the original scheme based on LWE and LWR, the ring variant enjoys smaller key sizes, a better plaintext expansion rate, and faster Enc/Dec. For the simplicity of ring operations, we choose a power-of-two degree in the following description.
1. $\mathsf{RLizard.Setup}(1^\lambda)$: Choose positive integers $q$, $p$, and $t$. Let $n \in \mathbb{Z}$ be a power of 2 and $\Phi(X) = X^n + 1$ be the $2n$-th cyclotomic polynomial. Choose $h_s, h_r$ less than or equal to $n$, a private key distribution $D_s$ over $R$, an ephemeral secret distribution $D_r$ over $R$, and a parameter $\sigma$ for the discrete Gaussian distribution $DG_\sigma$. Output $params \leftarrow (n, q, p, t, D_s, D_r, \sigma)$.
2. $\mathsf{RLizard.Gen}(params)$: Generate a random polynomial $a \leftarrow R_q$. Sample a secret polynomial $s \leftarrow D_s$ and an error polynomial $e \leftarrow DG_\sigma^n$. Let $b = a \cdot s + e \in R_q$. Output the public key $pk \leftarrow (a, b) \in R_q^2$ and the secret key $sk \leftarrow s \in R$.
3. $\mathsf{RLizard.Enc}_{pk}(m)$: For a plaintext $m \in R_t = R/tR$, choose $r \leftarrow D_r$ and compute $c'_1 \leftarrow a \cdot r$ and $c'_2 \leftarrow b \cdot r$ in $R_q$. Output the pair $c \leftarrow (c_1, c_2) \in R_p^2$, where $c_1 \leftarrow \lfloor (p/q) \cdot c'_1 \rceil \in R_p$ and $c_2 \leftarrow \lfloor (p/t) \cdot m + (p/q) \cdot c'_2 \rceil \in R_p$ (rounding is applied coefficient-wise).
4. $\mathsf{RLizard.Dec}_{sk}(c)$: For a ciphertext $c \leftarrow (c_1, c_2)$, compute and output the polynomial $m' \leftarrow \lfloor (t/p) \cdot (c_2 - c_1 \cdot s) \rceil \pmod t \in R_t$.
Note that all the polynomial multiplications with $s$ or $r$ required in the key generation, encryption, and decryption phases can be done very efficiently by shifting and adding coefficient vectors, because $s$ and $r$ are sparse polynomials with coefficients in $\{-1, 0, 1\}$ (see the parameter choice $D_s = D_r = HWT_n(128)$ below).
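To make the rounding in steps 2 to 4 and the noise bound of Lemma 1 concrete, here is an added toy implementation of RLizard in Python; it is example code written for this section, not the authors' implementation. It keeps the book's moduli $q = 2^{10}$, $p = 2^8$, $t = 2$ but uses a reduced degree and Hamming weight ($n = 256$, $HWT_n(32)$, an assumption made for speed and not a secure parameter set), replaces the discrete Gaussian by a small centered binomial (also an assumption), and implements every multiplication by $s$ or $r$ as the shift-and-add of coefficient vectors described above. `max_noise` reports the largest decryption noise coefficient so it can be compared with the bound $p/2t$.

```python
"""Toy RLizard in pure Python.

Added example, not the authors' code.  Moduli follow the book (q = 2^10,
p = 2^8, t = 2); degree and Hamming weight are reduced for speed (an
assumption, not a secure parameter set), and DG_sigma is replaced by a
small centered binomial (also an assumption).
"""
import random

N = 256        # power-of-two degree, Phi(X) = X^N + 1 (book: 1024)
Q = 1 << 10    # modulus of a, b and of the unrounded c'_1, c'_2
P = 1 << 8     # modulus of the rounded ciphertext (P | Q)
T = 2          # plaintext modulus (T | P)
H = 32         # Hamming weight of s and r, i.e. HWT_N(H) (book: 128)


def negacyclic_mul_sparse(a, sparse, mod):
    """a * s in Z_mod[X]/(X^N + 1) for a sparse s with {-1,+1} coefficients.

    `sparse` maps index j -> s_j.  Each term s_j X^j adds a copy of `a`
    shifted by j positions, negated where it wraps past X^N (X^N = -1):
    the 'shifting and adding' of the text, with no multiplications.
    """
    out = [0] * N
    for j, sign in sparse.items():
        for i, ai in enumerate(a):
            k = i + j
            if k < N:
                out[k] += sign * ai
            else:
                out[k - N] -= sign * ai
    return [x % mod for x in out]


def sample_hwt(rng):
    """HWT_N(H): exactly H nonzero coefficients, each uniformly -1 or +1."""
    return {j: rng.choice((-1, 1)) for j in rng.sample(range(N), H)}


def sample_error(rng):
    """Centered binomial in [-2, 2] standing in for DG_sigma (assumption)."""
    return [sum(rng.randint(0, 1) for _ in range(4)) - 2 for _ in range(N)]


def round_scale(x, num, den):
    """floor((num/den) * x + 1/2) in exact integer arithmetic."""
    return (num * x + den // 2) // den


def gen(rng):
    """RLizard.Gen: pk = (a, b = a*s + e) in R_Q^2, sk = s."""
    a = [rng.randrange(Q) for _ in range(N)]
    s = sample_hwt(rng)
    e = sample_error(rng)
    b = [(x + ei) % Q for x, ei in zip(negacyclic_mul_sparse(a, s, Q), e)]
    return (a, b), s


def enc(pk, m, rng):
    """RLizard.Enc: c1 = round((P/Q) a*r), c2 = (P/T) m + round((P/Q) b*r)."""
    a, b = pk
    r = sample_hwt(rng)
    c1 = [round_scale(x, P, Q) % P for x in negacyclic_mul_sparse(a, r, Q)]
    c2 = [(round_scale(x, P, Q) + (P // T) * mi) % P
          for x, mi in zip(negacyclic_mul_sparse(b, r, Q), m)]
    return c1, c2


def dec(sk, ct):
    """RLizard.Dec: m' = round((T/P) (c2 - c1*s)) mod T, coefficient-wise."""
    c1, c2 = ct
    c1s = negacyclic_mul_sparse(c1, sk, P)
    return [round_scale((x - y) % P, T, P) % T for x, y in zip(c2, c1s)]


def max_noise(sk, ct, m):
    """Largest |coefficient| of (c2 - c1*s) - (P/T) m, centered in (-P/2, P/2].
    Lemma 1 needs this below P/(2T) for decryption to succeed.
    """
    c1, c2 = ct
    c1s = negacyclic_mul_sparse(c1, sk, P)
    noise = [(x - y - (P // T) * mi) % P for x, y, mi in zip(c2, c1s, m)]
    return max(abs(v - P if v > P // 2 else v) for v in noise)


def roundtrip(seed):
    """Encrypt a random binary message; return (decrypted ok, noise, bound)."""
    rng = random.Random(seed)
    pk, sk = gen(rng)
    m = [rng.randrange(T) for _ in range(N)]
    ct = enc(pk, m, rng)
    return dec(sk, ct) == m, max_noise(sk, ct, m), P // (2 * T)


if __name__ == "__main__":
    for seed in range(3):
        print("seed %d: ok=%s noise=%d bound=%d" % ((seed,) + roundtrip(seed)))
```

With these toy parameters each noise coefficient is at most $(p/q)\cdot(32 \cdot 2 + 32 \cdot 2 + 2) \approx 33 < p/2t = 64$, so decryption never fails; shrinking `P` or widening `sample_error` until `roundtrip` reports a noise value at or above the bound reproduces the failure condition of Lemma 1 in the ring setting.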
Parameter consideration Since the best known attacks do not exploit the ring structure so far, the authors analyze the hardness of Ring-LWE as that of the LWE problem without ring structure. Setting $D_s = D_r = HWT_n(128)$, they recommend the parameters $n = 1024$, $q = 2^{10}$, $p = 2^8$, $t = 2$, $\alpha^{-1} = 154$ to resist all known quantum attacks at the security level $\lambda = 128$.
Hardness of ring-LWR Much progress has been made in studying the hardness of the ring-LWR problem. Banerjee et al. [7] proved that the decision version of the ring-LWR problem is at least as hard as that of the ring-LWE problem for a large modulus. Bogdanov et al. [18] extended the range of the modulus, but the extension holds only for the search version of the ring-LWR problem: they showed that the search version of ring-LWR is no easier than that of ring-LWE when the number of samples is bounded by a flexible upper bound (Theorem 3 in [18]).
24
Introduction to Linear Codes
CONTENTS
24.1 Fundamentals of Coding Theory 434
24.2 Basics of Linear Codes 434
24.2.1 Generator Matrix and Parity-Check Matrix 435
24.3 Types of Decoding 439
24.3.1 Maximum-Likelihood Decoding 439
24.3.2 Minimum-Distance Decoding 439
24.3.3 Syndrome Decoding 440
24.4 Hamming Geometry and Code Performance 440
24.5 Types of Codes 441
24.5.1 Hamming Code 441
24.5.2 Cyclic Codes 442
24.5.3 Generalized Reed-Solomon (GRS) Codes 442
24.5.4 Goppa Codes 443
24.5.4.1 Construction of Goppa Codes 443
24.5.4.2 Binary Goppa Codes 443
24.5.4.3 Parity-Check Matrix of Goppa Codes 444
24.6 Hard Problems 445
Exercises 445
Along with lattice-based cryptography, code-based cryptography has emerged as one of the strong candidates that appear to be secure against quantum computer attacks. This chapter mainly introduces the coding theory behind code-based cryptography. The basics of linear codes are presented first, as background for the following sections. The types of decoding are then explained, with the main focus on unique decoding. The next part presents types of codes that are efficiently decodable. The final part of the chapter discusses hard problems from coding theory that can serve as the basis for cryptographic primitives.
24.1 Fundamentals of Coding Theory
Coding theory originated in digital communication systems, where data are easily corrupted by noise during transmission. Error-correcting codes are now used not only in telecommunications and computer systems (including data storage and data compression), but also in theoretical settings such as cryptography and complexity theory. A general coding-theoretic model assumes that a sequence of symbols called the message is transmitted over a noisy channel, so that the received message is corrupted with a non-zero probability. To overcome this problem, the transmitted information contains not only the message but also some redundancy derived from the message symbols. Generally, we send $k$ bits of data in $n$ bits, where $r = n - k$ are redundant bits. For example, 64 bits are stored as 72 bits, where the extra 8 bits are used for checking and recovery. We classify the wide range of code families into two types: block codes encode information block by block, while convolutional codes encode a continuous stream of information bits.
24.2 Basics of Linear Codes
In this section, the basics of linear codes are introduced. A linear code, which we denote $C$, is a linear subspace of $\mathbb{F}_q^n$. The elements of the code are called codewords.
Definition 1 (Linear Code) An $[n, k]_q$ linear code $C$ is a $k$-dimensional linear subspace of $\mathbb{F}_q^n$; $n$ is called the length and $k$ the dimension of the code.
The cardinality of $C$ is $|C| = q^k$ and the (information) rate, denoted $R$, of an $[n, k]_q$ linear code is $k/n$. We sometimes omit the subscript and simply write $[n, k]$ linear code, which implicitly means that the code is binary, i.e., $q = 2$.
Definition 2 (Hamming Distance) The Hamming distance between two words in $\mathbb{F}_q^n$ is the number of coordinates (places) in which they differ.
Example (Hamming Distance)
$d_H((1, 1, 0, 1, 1), (1, 0, 0, 1, 1)) = 1$
Definition 3 (Hamming Weight) The Hamming weight of a word is the number of its non-zero coordinates.
Example (Hamming Weight)
$w_H(1, 0, 0, 1, 1) = 3$
Note that the Hamming distance between $x$ and $y$ equals the Hamming weight of $x - y$ (which is $x + y$ over $\mathbb{F}_2$).
Example
$d_H((1, 1, 0, 1, 1), (1, 0, 0, 1, 1)) = w_H(0, 1, 0, 0, 0) = 1$
Definition 4 (Minimum Hamming Distance) The minimum Hamming distance of a linear code $C$, denoted by $d_{\min}$, is the minimum distance between distinct codewords:
$$d_{\min} = \min_{c, c' \in C,\ c \ne c'} d_H(c, c') = \min_{c, c' \in C,\ c \ne c'} w_H(c - c') = \min_{c \in C,\ c \ne 0} w_H(c). \quad (24.1)$$
If $C$ has minimum distance $d_{\min}$, then we say that $C$ is an $[n, k, d_{\min}]$ linear code over $\mathbb{F}_q$. From the above, we see that the minimum distance equals the minimum weight of a nonzero codeword in $C$ (the last equality uses that $c - c'$ is again a codeword, by linearity). A linear code $C$ can be expressed as the image of a matrix, and as the kernel of another matrix, as explained in the subsequent section. Furthermore, the minimum distance of a code is fundamental to determining its error-correction capability. Imagine a codeword $x$ is transmitted over a noisy channel, and errors occur in a certain number of positions, say $w$. We represent this as an error vector $e$ of weight $w$ having non-zero entries exactly where the errors occur. The received word will then be $z = x + e$. We say that a code $C$ is able to correct $w$ errors if, for each codeword, it is possible to detect and correct any pattern of at most $w$ errors that occurred during transmission. The following theorem holds.
Theorem 1 Let $C$ be an $[n, k]$ linear code over $\mathbb{F}_q$ having minimum distance $d_{\min}$. Then $C$ is able to correct at most $t = w = \lfloor (d_{\min} - 1)/2 \rfloor$ errors.
Proof is omitted.
24.2.1 Generator Matrix and Parity-Check Matrix
Let $x = (x_1, x_2, \ldots, x_k) \in \mathbb{F}_2^k$ denote the $k$ information bits to be encoded into a codeword $c \in \mathbb{F}_2^n$. Thus the vector of $k$ information bits entering the encoder is
$$x = (x_1, x_2, \cdots, x_k) \in \mathbb{F}_2^k \quad (24.2)$$
and the output of the encoder is the vector
$$c = (c_1, c_2, \cdots, c_n) \in \mathbb{F}_2^n. \quad (24.3)$$
The encoding operation performed by a linear binary block encoder can be represented by a set of $n$ equations of the form
$$c_j = x_1 g_{1,j} + x_2 g_{2,j} + \cdots + x_k g_{k,j} \quad (j = 1, 2, \ldots, n), \quad (24.4)$$
where $g_{i,j} \in \{0, 1\}$ and $x_i g_{i,j}$ is the product of $x_i$ and $g_{i,j}$. The linear equations may also be written in matrix form as
$$c = xG, \quad (24.5)$$
where $G$, called the generator matrix of the code, is defined as
$$G = \begin{bmatrix} \leftarrow g_1 \rightarrow \\ \leftarrow g_2 \rightarrow \\ \vdots \\ \leftarrow g_k \rightarrow \end{bmatrix} = \begin{bmatrix} g_{11} & g_{12} & \cdots & g_{1n} \\ g_{21} & g_{22} & \cdots & g_{2n} \\ \vdots & \vdots & \ddots & \vdots \\ g_{k1} & g_{k2} & \cdots & g_{kn} \end{bmatrix}. \quad (24.6)$$
Note that each codeword is simply a linear combination of the row vectors $\{g_i\}$ of $G$, i.e.,
$$c = x_1 g_1 + x_2 g_2 + \cdots + x_k g_k. \quad (24.7)$$
Since the linear $[n, k]$ code with $2^k$ codewords is a subspace of dimension $k$, the row vectors $\{g_i\}$ of the generator matrix $G$ must be linearly independent and span that $k$-dimensional subspace, i.e., $\{g_i\}$ must be a basis for the $[n, k]$ code. We note that this set of basis vectors is not unique, so $G$ is not unique either; what is fixed is that the subspace has dimension $k$, so the rank of $G$ is $k$. Any generator matrix of an $[n, k]$ code can be reduced by elementary row operations (together with a column permutation, if necessary) to the systematic form
$$G = [I_k \mid P] = \begin{bmatrix} 1 & 0 & 0 & \cdots & 0 & p_{11} & p_{12} & \cdots & p_{1,n-k} \\ 0 & 1 & 0 & \cdots & 0 & p_{21} & p_{22} & \cdots & p_{2,n-k} \\ \vdots & \vdots & \vdots & \ddots & \vdots & \vdots & \vdots & \ddots & \vdots \\ 0 & 0 & 0 & \cdots & 1 & p_{k1} & p_{k2} & \cdots & p_{k,n-k} \end{bmatrix}, \quad (24.8)$$
where $I_k$ is the $k \times k$ identity matrix and $P$ is a $k \times (n - k)$ matrix that determines the $n - k$ redundant bits, or parity-check bits. Note that a generator matrix in systematic form generates a linear block code in which the first $k$ bits of each codeword are identical to the information bits to be transmitted, and the remaining $n - k$ bits of each codeword are linear combinations of the $k$ information bits. These $n - k$ redundant bits are called parity-check bits and the resulting $[n, k]$ code is called a systematic code. An $[n, k]$ code generated by a generator matrix that is not in the systematic form (Eq. 24.8) is called non-systematic. Such a generator matrix is equivalent to a generator matrix in systematic form in the sense that one can be obtained from the other by elementary row operations and column permutations. The two $[n, k]$ linear codes generated by two equivalent generator matrices are said to be equivalent: one is obtained from the other by applying a fixed permutation of coordinate positions to every codeword. Thus, every linear $[n, k]$ code is equivalent to a linear systematic $[n, k]$ code. Now, on the basis of the above argument, we define the generator matrix and parity-check matrix as follows.
Definition 5 (Generator matrix and parity-check matrix) Let $C \subseteq \mathbb{F}_q^n$ be a linear code of dimension $k$. If $G \in \mathbb{F}_q^{k \times n}$ is a basis matrix of $C$, i.e.,
$$C = \{uG : u \in \mathbb{F}_q^k\}, \quad (24.9)$$
then we say that $G$ is a generator$^1$ matrix for $C$. Therefore, $C$ has an encoding map $f : \mathbb{F}_q^k \to \mathbb{F}_q^n$ given by $u \mapsto uG$. If $C$ is the kernel$^2$ of a matrix $H \in \mathbb{F}_q^{(n-k) \times n}$, i.e.,
$$C = \ker(H) = \{v \in \mathbb{F}_q^n : Hv^T = 0\},$$
then we say that $H$ is a parity-check matrix of $C$. It follows that $GH^T = 0$.
Now suppose that the linear $[n, k]$ code is systematic and its generator matrix $G$ is given by the above systematic form. Then, since $GH^T = 0$, it follows that
$$H = [-P^T \mid I_{n-k}]. \quad (24.10)$$
Here, the negative sign may be dropped$^3$ when dealing with binary codes.
Example Consider a $[7, 4]$ code with generator matrix
$$G = [I_k \mid P] = \begin{bmatrix} 1 & 0 & 0 & 0 & 1 & 0 & 1 \\ 0 & 1 & 0 & 0 & 1 & 1 & 1 \\ 0 & 0 & 1 & 0 & 1 & 1 & 0 \\ 0 & 0 & 0 & 1 & 0 & 1 & 1 \end{bmatrix}$$
and its corresponding parity-check matrix
$$H = [P^T \mid I_{n-k}] = \begin{bmatrix} 1 & 1 & 1 & 0 & 1 & 0 & 0 \\ 0 & 1 & 1 & 1 & 0 & 1 & 0 \\ 1 & 1 & 0 & 1 & 0 & 0 & 1 \end{bmatrix}.$$
A typical codeword may be expressed as
$$c = [x_1\ x_2\ x_3\ x_4\ c_5\ c_6\ c_7],$$
where the $x_j$ are the four information bits and the $c_j$ are the three parity-check bits generated as
$$c_5 = x_1 + x_2 + x_3, \quad c_6 = x_2 + x_3 + x_4, \quad c_7 = x_1 + x_2 + x_4.$$
This linear systematic $[n, k]$ binary block encoder may be implemented using a $k$-bit shift register and $(n - k)$ modulo-2 adders tied to the appropriate stages of the shift register. The $(n - k)$ adders generate the parity-check bits, which are then stored temporarily in a second shift register of length $(n - k)$. In this way, the $k$ information bits are shifted into the $k$-bit shift register and then the $(n - k)$ parity-check bits are computed, as shown in Figure 24.1.
FIGURE 24.1
A linear shift register for generating a [7, 4] binary code.
Definition 6 (Dual Code) Let $C$ be an $[n, k]$ linear code over $\mathbb{F}_q$. The dual code of $C$ is the set $C^\perp = \{x \in \mathbb{F}_q^n : x \cdot y = 0\ \forall y \in C\}$.
Theorem 2 Let $C$ be an $[n, k]$ linear code over $\mathbb{F}_q$. Then the dual code $C^\perp$ is an $[n, n - k = r]$ linear code. Moreover, if $G = (I_k \mid P)$ is a generator matrix in systematic form for $C$, then $H = (-P^T \mid I_{n-k})$ is a generator matrix for $C^\perp$.
Proof is omitted.
$^1$ In other words, let $C$ be an $[n, k]$ linear code over $\mathbb{F}_q$. A $k \times n$ matrix $G$ whose row space equals $C$ is called a generator matrix of $C$.
$^2$ A vector $v$ is in the kernel of a matrix $A$ if and only if $Av = 0$.
$^3$ Since modulo-2 subtraction is identical to modulo-2 addition.
24.3 Types of Decoding
There are many types of decoding. Different approaches to decoding are briefly introduced in this section. The main focus will be on unique decoding, i.e., when one desires a unique solution to the decoding problem. In unique decoding, the number of errors that an $[n, k, d_{\min}]_q$ linear code is able to correct is given by the error-correction capability
$$t = \left\lfloor \frac{d_{\min} - 1}{2} \right\rfloor. \quad (24.11)$$
24.3.1 Maximum-Likelihood Decoding
Given an $[n, k]_q$ code $C$ and a received word $r \in \mathbb{F}_q^n$, a maximum-likelihood decoding procedure chooses the codeword $c \in C$ that most likely produced $r$, i.e., it finds a solution to the maximization problem
$$\arg\max_{c \in C} \Pr(r \text{ received} \mid c \text{ sent}). \quad (24.12)$$
If all codewords are sent according to a uniform distribution, the maximization problem can be reformulated. Using Bayes' rule, we obtain
$$\Pr(r \text{ received} \mid c \text{ sent}) = \frac{\Pr(r \text{ received},\ c \text{ sent})}{\Pr(c \text{ sent})} = \Pr(c \text{ sent} \mid r \text{ received}) \cdot \underbrace{\frac{\Pr(r \text{ received})}{\Pr(c \text{ sent})}}_{\text{constant in } c},$$
since $\Pr(c \text{ sent}) = 1/|C|$ for every $c$ and $\Pr(r \text{ received})$ does not depend on $c$. This yields the equivalent maximization problem
$$\arg\max_{c \in C} \Pr(c \text{ sent} \mid r \text{ received}). \quad (24.13)$$
This reformulation of the maximum-likelihood decoding problem is called ideal observer decoding.
24.3.2 Minimum-Distance Decoding
A minimum-distance (or nearest neighbor) decoding procedure chooses the codeword $c \in C$ closest to the received word $r$. More specifically, a minimum-distance decoding procedure solves the minimization problem
$$\arg\min_{c \in C} d_H(r, c). \quad (24.14)$$
When the error model is a binary symmetric channel $BSC_\rho$$^4$ with $\rho < 1/2$, minimum-distance decoding is equivalent to maximum-likelihood decoding. This follows because the probability of receiving $r$ given that $c$ was sent,
$$\Pr(r \text{ received} \mid c \text{ sent}) = (1 - \rho)^{n-d} \cdot \rho^d, \quad (24.15)$$
attains its maximum when $d = d_H(r, c)$ is minimal (each additional flipped bit multiplies the probability by $\rho/(1 - \rho) < 1$).
24.3.3 Syndrome Decoding
A vector $\hat{c} = c + e$, with an error vector $e$ of $w_H(e) > 0$ added to the codeword $c$, can be interpreted as an erroneous codeword.
Definition 7 (Syndrome) The syndrome of a vector $\hat{c} = c + e$ in $\mathbb{F}_q^n$ is the vector in $\mathbb{F}_q^{n-k}$ defined by
$$S_{\hat{c}} = H \cdot \hat{c}^T = H \cdot (c^T + e^T) = H \cdot e^T. \quad (24.16)$$
The syndrome thus depends only on the error pattern, not on the transmitted codeword; syndrome decoding looks up (or searches for) the lowest-weight $e$ with $He^T = S_{\hat{c}}$ and outputs $\hat{c} - e$.
24.4 Hamming Geometry and Code Performance
In the previous section, we have seen the Hamming distance and Hamming weight. There is an interesting relationship between the Hamming geometry of a code and its ability to correct errors. Let $C = \{x_1, x_2, \ldots, x_M\}$ be a code of length $n$. Suppose that we want $C$ to be capable of correcting all error patterns of Hamming weight $\le e$, that is, if $x_i$ is sent, $y = x_i + z$ is received, and $w_H(z) \le e$, we want our decoder's output to be $\hat{x} = x_i$. It is easy to see that if each codeword is sent with probability $1/M$, then the receiver's best strategy for guessing which codeword was sent is to pick the codeword closest to $y$, that is, the one for which $d_H(x_i, y)$ is the smallest (note that $d_H(x_i, y) = w_H(z)$). It follows that syndrome decoding for the linear codes described before is equivalent to a decoding process that "finds the closest codeword." It is clear that if this geometric decoding strategy is used, the code will be capable of correcting all patterns of weight $\le e$ iff the distance between each pair of codewords is $\ge 2e + 1$. In Figure 24.2 (a), if $d_H(x_i, x_j) \ge 2e + 1$, that is, if the Hamming spheres of radius $e$ around $x_i$ and $x_j$ are disjoint, then if $x_i$ is sent and $d_H(x_i, y) \le e$, $y$ cannot be closer to $x_j$ than it is to $x_i$, and so the geometric decoder will not prefer $x_j$ to $x_i$. On the other hand, if $d_H(x_i, x_j) \le 2e$, that is, if the Hamming spheres of radius $e$ intersect (see Figure 24.2 (b)), then it is clear that, if $x_i$ is sent, there exists a $y$ that has $d_H(x_i, y) \le e$ but is at least as close to $x_j$ as it is to $x_i$. Therefore, we are led to define the minimum distance of the code $C$ as
$$d_{\min}(C) = \min\{d_H(x, x') : x, x' \in C,\ x \ne x'\}$$
and we have the following theorem.
FIGURE 24.2
Hamming spheres of radius $e$ around adjacent codewords.
Theorem 3 A code $C = \{x_1, x_2, \ldots, x_M\}$ is capable of correcting all error patterns of weight $\le e$ iff $d_{\min}(C) \ge 2e + 1$.
Proof is omitted.
For example, a code with $d_{\min} = 7$ can correct all error patterns of weight $\le 3$; if $d_{\min} = 22$, all patterns of weight $\le 10$; and so forth.
$^4$ If the channel is discrete and memoryless with a constant crossover (bit error) probability $\rho \in [0, 1]$, we say that it is a binary symmetric channel, denoted $BSC_\rho$.
24.5 Types of Codes
A family of codes is said to be efficiently decodable if there exists a probabilistic polynomial-time (PPT) machine that can solve a problem related to minimum-distance decoding for all given instances of the particular encoding. A lot of progress has been made in constructing efficiently decodable (and encodable) codes with good error-correction properties.
24.5.1 Hamming Code
The Hamming codes are a family of (binary) linear error-correcting block codes that are able to correct one error and to detect up to two errors. Hamming codes are perfect in the sense that they attain the Hamming bound and thus achieve the highest possible rate for a given block length and minimum distance $d_{\min} = 3$. For any integer $r > 1$, there is a Hamming code of length $n = 2^r - 1$ and dimension $k = 2^r - r - 1$; its parity-check matrix has the $2^r - 1$ distinct nonzero vectors of $\mathbb{F}_2^r$ as columns.
Example A very simple example of a $[7, 4]$ Hamming code is
$$(u_1\ u_2\ u_3\ u_4) \mapsto (u_1\ u_2\ u_3\ u_4\ v_5\ v_6\ v_7).$$
Here $(u_1\ u_2\ u_3\ u_4)$ are information bits and $(v_5\ v_6\ v_7)$ are parity bits. The generator matrix for this example is
$$G = [I_k \mid P] = \begin{bmatrix} 1 & 0 & 0 & 0 & 1 & 1 & 0 \\ 0 & 1 & 0 & 0 & 1 & 0 & 1 \\ 0 & 0 & 1 & 0 & 0 & 1 & 1 \\ 0 & 0 & 0 & 1 & 1 & 1 & 1 \end{bmatrix}.$$
We can get the parity-check matrix $H$ from the generator matrix because $H = [P^T \mid I_{n-k}]$, as shown below:
$$H = [P^T \mid I_{n-k}] = \begin{bmatrix} 1 & 1 & 0 & 1 & 1 & 0 & 0 \\ 1 & 0 & 1 & 1 & 0 & 1 & 0 \\ 0 & 1 & 1 & 1 & 0 & 0 & 1 \end{bmatrix}.$$
Note that the seven columns of $H$ are exactly the seven nonzero vectors of $\mathbb{F}_2^3$, so a single error in position $j$ produces a syndrome equal to column $j$ of $H$, which identifies the position to correct.
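The following added Python example (not the book's code) carries the machinery of Sections 24.2.1 and 24.3.3 through on the $[7, 4]$ Hamming code above: it reduces a generator matrix to systematic form by Gauss-Jordan elimination over $\mathbb{F}_2$ (recording any column permutation, as the text's notion of equivalent codes requires), derives $H = [P^T \mid I_{n-k}]$, computes $d_{\min}$ by enumerating the $2^k$ codewords, and corrects a single constructed bit error by matching the syndrome against the columns of $H$. `syndrome_decode` is a brute-force search over error patterns of bounded weight, so it is also a small instance of the syndrome decoding problem of Section 24.6. The message $(1, 0, 1, 1)$, the flipped position and all function names are choices made here.

```python
"""Binary linear codes: systematic form, parity-check matrix, d_min and
syndrome decoding, run on the [7,4] Hamming code above.  Added example,
not the book's code.  A matrix is a list of rows of 0/1 ints; over F_2,
+ is XOR and * is AND.
"""
from itertools import combinations, product


def mat_mul(a, b):
    """Matrix product over F_2."""
    cols = list(zip(*b))
    return [[sum(x & y for x, y in zip(row, col)) % 2 for col in cols]
            for row in a]


def transpose(a):
    return [list(col) for col in zip(*a)]


def systematic_form(g):
    """Gauss-Jordan over F_2: returns ([I_k | P], coordinate permutation).

    If column i holds no pivot, a later column is swapped in and the swap
    is recorded in `perm` (the text's 'equivalent' code).
    """
    g = [row[:] for row in g]
    k, n = len(g), len(g[0])
    perm = list(range(n))
    for i in range(k):
        pivot = next(((r, c) for c in range(i, n) for r in range(i, k)
                      if g[r][c]), None)
        if pivot is None:
            raise ValueError("rows of G are linearly dependent")
        r, c = pivot
        g[i], g[r] = g[r], g[i]
        if c != i:
            for row in g:
                row[i], row[c] = row[c], row[i]
            perm[i], perm[c] = perm[c], perm[i]
        for r2 in range(k):                  # clear column i in other rows
            if r2 != i and g[r2][i]:
                g[r2] = [x ^ y for x, y in zip(g[r2], g[i])]
    return g, perm


def parity_check_from_systematic(g_sys):
    """H = [P^T | I_{n-k}] from G = [I_k | P], eq. (24.10) over F_2."""
    k, n = len(g_sys), len(g_sys[0])
    p_t = transpose([row[k:] for row in g_sys])
    return [p_t[i] + [int(j == i) for j in range(n - k)] for i in range(n - k)]


def encode(g, x):
    """c = xG, eq. (24.5)."""
    return mat_mul([x], g)[0]


def syndrome(h, v):
    """S_v = H v^T, eq. (24.16), as a flat list."""
    return [row[0] for row in mat_mul(h, transpose([v]))]


def min_distance(g):
    """d_min = minimum weight of a nonzero codeword, eq. (24.1), by enumeration."""
    return min(sum(encode(g, list(x)))
               for x in product((0, 1), repeat=len(g)) if any(x))


def syndrome_decode(h, received, max_weight):
    """Brute-force syndrome decoding: lightest e of weight <= max_weight with
    H e^T equal to the received syndrome.  Returns (corrected, e) or None.
    For a Hamming code with max_weight = 1 this is 'match a column of H'.
    """
    n = len(received)
    target = syndrome(h, received)
    if not any(target):
        return received, [0] * n
    for w in range(1, max_weight + 1):
        for positions in combinations(range(n), w):
            e = [int(i in positions) for i in range(n)]
            if syndrome(h, e) == target:
                return [a ^ b for a, b in zip(received, e)], e
    return None


# Generator matrix of the [7,4] Hamming code from the example above.
G_HAMMING = [[1, 0, 0, 0, 1, 1, 0],
             [0, 1, 0, 0, 1, 0, 1],
             [0, 0, 1, 0, 0, 1, 1],
             [0, 0, 0, 1, 1, 1, 1]]


def hamming_demo(flip_positions=(5,)):
    """Encode (1,0,1,1), flip the given (constructed) positions, decode."""
    g_sys, perm = systematic_form(G_HAMMING)
    h = parity_check_from_systematic(g_sys)
    d_min = min_distance(G_HAMMING)
    t = (d_min - 1) // 2
    c = encode(G_HAMMING, [1, 0, 1, 1])
    received = [bit ^ int(i in flip_positions) for i, bit in enumerate(c)]
    result = syndrome_decode(h, received, t)
    corrected, e = result if result else (None, None)
    return {"H": h, "perm": perm, "d_min": d_min, "t": t, "codeword": c,
            "received": received, "corrected": corrected, "error": e}


if __name__ == "__main__":
    print(hamming_demo())
```

`hamming_demo()` returns the parity-check matrix printed above, $d_{\min} = 3$, $t = 1$, the codeword for $(1, 0, 1, 1)$, the corrupted word and the recovered error vector. Calling `hamming_demo((5, 6))` flips two bits, which exceeds $t$: the weight-1 search still finds a syndrome match (the sum of two columns of a Hamming $H$ is another column) and returns a valid but wrong codeword, which is exactly the miscorrection Theorem 1 says a $d_{\min} = 3$ code cannot avoid.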
24.5.2 Cyclic Codes
Cyclic codes are attractive for achieving a good error-correction capability. Many codes (e.g., BCH codes, Reed-Solomon codes, Euclidean geometry codes, and quadratic residue codes) belong to the family of cyclic codes.
Definition 8 (Cyclic Code) Let $C$ be an $[n, k, d_{\min}]_q$ linear code. If every circular shift of a codeword $c = (c_1\ c_2 \cdots c_n) \in C$ is again a codeword, $c' = (c_n\ c_1 \cdots c_{n-1}) \in C$, we say that $C$ is a cyclic code.
The description of cyclic codes becomes easier if we view codewords as polynomials, i.e.,
$$(c_1\ c_2 \cdots c_n) \mapsto c_1 + c_2 x + \cdots + c_n x^{n-1} \in \mathbb{F}_q[x]/\langle x^n - 1 \rangle. \quad (24.17)$$
Then every right-circular shift in the codeword space corresponds to a multiplication by $x$ in the polynomial representation (using $x^n = 1$ in the quotient ring), i.e.,
$$(c_n\ c_1 \cdots c_{n-1}) \mapsto c_n + c_1 x + \cdots + c_{n-1} x^{n-1} \quad (24.18)$$
$$= x \cdot (c_1 + c_2 x + \cdots + c_n x^{n-1}). \quad (24.19)$$
24.5.3 Generalized Reed-Solomon (GRS) Codes
GRS codes are a generalization of Reed-Solomon (RS) codes. GRS codes are maximum distance separable codes, i.e., the minimum distance has the maximum value possible for a linear $[n, k]$ code, $d_{\min} = n - k + 1$.
For a prime $p$ and extension degree $m \ge 1$, pairwise distinct elements $L = (\alpha_0, \ldots, \alpha_{n-1}) \in \mathbb{F}_{p^m}^n$ (the support), non-zero elements $V = (v_0, \ldots, v_{n-1}) \in \mathbb{F}_{p^m}^n$ (the column multipliers) and $0 \le k \le n$, the GRS code of parameters $[n, k]$ over $\mathbb{F}_{p^m}$ is defined as
$$GRS_{n,k}(L, V) = \{c \in \mathbb{F}_{p^m}^n \mid c_i = v_i f(\alpha_i),\ f(x) \in \mathbb{F}_{p^m}[x]_{<k}\}, \quad (24.20)$$
where $\mathbb{F}_{p^m}[x]_{<k}$ denotes the polynomials of degree less than $k$.
24.5.4 Goppa Codes
Goppa codes are alternant codes over $\mathbb{F}_q$ defined by a Goppa polynomial $g(x)$ of degree $\deg(g) = t$ and a support $L = (\alpha_1, \ldots, \alpha_n)$ of $n$ distinct elements of the extension field $\mathbb{F}_{q^m}$. Here $g(x) \in \mathbb{F}_{q^m}[x]$ is a square-free polynomial of degree $t$ such that $g(\alpha_i) \ne 0$ for all $\alpha_i \in L$. The polynomial $g$ plays the role of the tuple of non-zero elements $V$ and the polynomial $f(x)$ in the GRS definition of Section 24.5.3 (the multipliers are determined by the values $g(\alpha_i)$, see Section 24.5.4.3). Therefore, a Goppa code can be derived from the definition of GRS codes as the subfield subcode
$$Goppa_{n,k,p}(L, g) = GRS_{n,k}(L, g) \cap \mathbb{F}_p^n. \quad (24.21)$$
24.5.4.1 Construction of Goppa Codes
Goppa codes are one of the most important code classes in code-based cryptography because they have resisted all known attacks so far.
24.5.4.2 Binary Goppa Codes
First, we give the definition of binary Goppa codes.
Definition 9 (Binary Goppa Code) Let $m$ and $t$ be positive integers, let the Goppa polynomial
$$g(x) = \sum_{i=0}^{t} g_i x^i \in \mathbb{F}_{2^m}[x] \quad (24.22)$$
be a square-free polynomial of degree $t$, and let the support
$$L = \{(\alpha_1, \ldots, \alpha_n) \in \mathbb{F}_{2^m}^n : g(\alpha) \ne 0\ \forall \alpha \in L\} \quad (24.23)$$
be a set of $n$ distinct elements of $\mathbb{F}_{2^m}$. For any vector $\hat{c} = (\hat{c}_1, \ldots, \hat{c}_n) \in \mathbb{F}_2^n$, we define the syndrome of $\hat{c}$ as
$$S_{\hat{c}}(x) = -\sum_{i=1}^{n} \frac{\hat{c}_i}{g(\alpha_i)} \cdot \frac{g(x) - g(\alpha_i)}{x - \alpha_i} \bmod g(x). \quad (24.24)$$
We now define a binary Goppa code with support in $\mathbb{F}_{2^m}$ using the syndrome equation, where $c \in \mathbb{F}_2^n$ is a codeword of the code, as
$$Goppa_{n,k,2}(L, g(x)) = \Big\{c \in \mathbb{F}_2^n \;\Big|\; S_c(x) = \sum_{i=1}^{n} \frac{c_i}{x - \alpha_i} \equiv 0 \bmod g(x)\Big\}. \quad (24.25)$$
(The two forms of the syndrome agree because $g(x) \equiv 0 \bmod g(x)$, so $(g(x) - g(\alpha_i))/(x - \alpha_i) \equiv -g(\alpha_i)/(x - \alpha_i)$.)
Note: If $g(x)$ is irreducible over $\mathbb{F}_{2^m}$, then $Goppa(L, g)$ is called an irreducible binary Goppa code. If $g(x)$ has no multiple roots, then $Goppa(L, g)$ is called a separable code and $g(x)$ a square-free polynomial.
24.5.4.3 Parity-Check Matrix of Goppa Codes
According to the definition of the syndrome of a Goppa code, every element $\hat{c}_i$ of a vector $\hat{c} = c + e$ is multiplied by
$$\frac{g(x) - g(\alpha_i)}{g(\alpha_i) \cdot (x - \alpha_i)}. \quad (24.26)$$
Given a Goppa polynomial $g(x) = g_s x^s + g_{s-1} x^{s-1} + \cdots + g_0$, collecting the coefficients of $x^{s-1}, \ldots, x^0$ of these quotients, one per row, gives the parity-check matrix
$$H = \begin{bmatrix} \frac{g_s}{g(\alpha_0)} & \frac{g_s}{g(\alpha_1)} & \cdots & \frac{g_s}{g(\alpha_{n-1})} \\ \frac{g_{s-1} + g_s \alpha_0}{g(\alpha_0)} & \frac{g_{s-1} + g_s \alpha_1}{g(\alpha_1)} & \cdots & \frac{g_{s-1} + g_s \alpha_{n-1}}{g(\alpha_{n-1})} \\ \vdots & \vdots & \ddots & \vdots \\ \frac{g_1 + g_2 \alpha_0 + \cdots + g_s \alpha_0^{s-1}}{g(\alpha_0)} & \frac{g_1 + g_2 \alpha_1 + \cdots + g_s \alpha_1^{s-1}}{g(\alpha_1)} & \cdots & \frac{g_1 + g_2 \alpha_{n-1} + \cdots + g_s \alpha_{n-1}^{s-1}}{g(\alpha_{n-1})} \end{bmatrix}. \quad (24.27)$$
This factors as
$$H = \begin{bmatrix} g_s & 0 & \cdots & 0 \\ g_{s-1} & g_s & \cdots & 0 \\ \vdots & \vdots & \ddots & \vdots \\ g_1 & g_2 & \cdots & g_s \end{bmatrix} \times \begin{bmatrix} \frac{1}{g(\alpha_0)} & \frac{1}{g(\alpha_1)} & \cdots & \frac{1}{g(\alpha_{n-1})} \\ \frac{\alpha_0}{g(\alpha_0)} & \frac{\alpha_1}{g(\alpha_1)} & \cdots & \frac{\alpha_{n-1}}{g(\alpha_{n-1})} \\ \vdots & \vdots & \ddots & \vdots \\ \frac{\alpha_0^{s-1}}{g(\alpha_0)} & \frac{\alpha_1^{s-1}}{g(\alpha_1)} & \cdots & \frac{\alpha_{n-1}^{s-1}}{g(\alpha_{n-1})} \end{bmatrix} = H_g \times \hat{H}, \quad (24.28)$$
where $H_g$ is lower triangular with determinant $g_s^s \ne 0$, hence invertible.
Then $\hat{H}$ is a parity-check matrix equivalent to $H$ (it has the same kernel), but with a simpler structure. Using Gauss-Jordan elimination$^5$, $\hat{H}$ can be brought to systematic form. Note that for every column swap in the Gauss-Jordan elimination, the corresponding elements of the support $L$ also have to be swapped. The generator matrix $G$ can be derived from the systematic parity-check matrix $H = (P \mid I_{n-k})$ as $G = (I_k \mid -P^T)$.
$^5$ http://www.math.udel.edu/~angell/Gausjor.pdf
24.6 Hard Problems
Code-based cryptography has been based on hard problems that arise from
coding theory. We start with the so-called the general decoding problem
(GDP). This corresponds to correcting a certain number of errors occurred on
the codeword x, represented by an error vector e, that is, y = x + e.
By Theorem 1,a unique solution exists if the weight of e is less than or
−1
equal to t = wt = dmin
2 , where dmin is the minimum distance of C. This
problem is well known and was proved to be NP-complete by Berlekamp et
al. in [13].
An alternative formulation is given in terms of the parity-check matrix,
and is known as the syndrome decoding problem (SDP) as we have seen syn-
drome decoding in the previous sections. Sometimes, this is also referred to as
computational syndrome decoding problem. Both problems are summarized
below.
General Decoding Problem
Given: An [n, k] linear code C over F_q and a vector y ∈ F_q^n.
Goal: Find x ∈ C such that the Hamming distance d(x, y) is minimal.
Syndrome Decoding Problem
Given: An (n − k) × n parity-check matrix H for an [n, k] linear code C over F_q, a vector s ∈ F_q^{n−k} and an integer w ∈ N^+.
Goal: Find e ∈ F_q^n of weight ≤ w such that s = He^T.
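To make the two problems concrete, here is an added example (not the book's code) that takes the [7,4] Hamming generator of Exercise 24.11 as G = (I_k | A), derives H = (A^T | I_{n−k}) as in the systematic-form remark above, computes d_min and t, and then solves GDP and SDP by exhaustive search, which is all a generic decoder can do when the code has no structure to exploit; the message and the error position are constructed.

```python
"""Generic decoding on a small code. Added example, not the book's code: the
[7,4] Hamming generator of Exercise 24.11 is taken as G = (I_k | A), H is
derived as (A^T | I_{n-k}) (over F2, -A^T = A^T), d_min and t are computed,
and GDP / SDP are solved by exhaustive search, which is what a generic
decoder does and why it stops scaling at cryptographic sizes."""
from itertools import combinations, product

G = [[1, 0, 0, 0, 0, 1, 1],
     [0, 1, 0, 0, 1, 0, 1],
     [0, 0, 1, 0, 1, 1, 0],
     [0, 0, 0, 1, 1, 1, 1]]
K, N = len(G), len(G[0])


def vec_mat(v, m):
    """Row vector times matrix over F2 (encoding: m -> mG)."""
    return [sum(v[i] * m[i][j] for i in range(len(v))) % 2
            for j in range(len(m[0]))]


def mat_vec(m, v):
    """Matrix times column vector over F2 (the syndrome map e -> H e^T)."""
    return [sum(row[j] * v[j] for j in range(len(v))) % 2 for row in m]


def distance(u, v):
    """Hamming distance; the Hamming weight of v is distance(v, 0)."""
    return sum(a != b for a, b in zip(u, v))


def parity_check(g):
    """G = (I_k | A)  ->  H = (A^T | I_{n-k})."""
    k, n = len(g), len(g[0])
    a_t = [[g[i][k + j] for i in range(k)] for j in range(n - k)]
    return [a_t[j] + [int(i == j) for i in range(n - k)] for j in range(n - k)]


H = parity_check(G)


def codewords(g):
    """All 2^k codewords of the code generated by g."""
    return [vec_mat(list(m), g) for m in product([0, 1], repeat=len(g))]


def min_distance(g):
    """d_min of a linear code = smallest weight of a nonzero codeword."""
    zero = [0] * len(g[0])
    return min(distance(c, zero) for c in codewords(g) if any(c))


def general_decode(g, y):
    """GDP: a codeword x in C minimising d(x, y), found by trying all 2^k."""
    return min(codewords(g), key=lambda c: distance(c, y))


def syndrome_decode(h, s, w):
    """SDP: some e of weight <= w with H e^T = s, or None if there is none.

    Tries every error pattern of weight 0, 1, ..., w; the search space is
    sum_i C(n, i), which is what makes SDP hard for large n and w."""
    n = len(h[0])
    for wt in range(w + 1):
        for pos in combinations(range(n), wt):
            e = [int(i in pos) for i in range(n)]
            if mat_vec(h, e) == s:
                return e
    return None


if __name__ == "__main__":
    d = min_distance(G)
    t = (d - 1) // 2                            # Theorem 1's correction bound
    c = vec_mat([1, 0, 1, 1], G)                # constructed message
    y = c[:]
    y[4] ^= 1                                   # one constructed channel error
    e = syndrome_decode(H, mat_vec(H, y), t)
    print("d_min =", d, "t =", t)
    print("GDP recovers c:", general_decode(G, y) == c)
    print("SDP recovers e:", [a ^ b for a, b in zip(y, e)] == c)
```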
Exercises
24.1 Calculate the Hamming distance d for the codes below.
1. 1 0 1 1 0 0 1 1 1 1, 0 1 0 1 0 0 0 0 0 1
2. 1 0 1 0 1 1 1 1 0 1, 0 0 1 0 0 1 0 0 0 0
3. 1 1 0 1 0 1 1 0 0 0, 1 0 1 1 0 1 1 1 1 1, 0 0 0 1 0 1 0 1 0 1
4. 1 1 0 0 0 1 0 1 0 0, 1 1 0 0 0 0 0 0 1 1, 1 1 0 1 1 0 0 1 0 0, 0 0 1 0 0 1 1 1 1 0
24.2 Calculate the Hamming weight w_H for the codes below.
1. 0 1 1 1 0 1 0 1
2. 1 0 1 1 0 0 1 1 1 1 + 0 1 0 1 0 0 0 0 0 1
3. 1 0 1 1 0 0 1 1 1 1 − 0 1 0 1 0 0 0 0 0 1
4. 1 0 1 1 0 0 1 1 1 1 ⊕ 0 1 0 1 0 0 0 0 0 1
24.3 Calculate the maximum number of errors t that can be corrected by the codes below.
1. 1 1 1 0 0 0 1 1 1 0
2. 0 1 0 0 1 0 0 1 0 0
3. 1 1 1 1 0 1 1 0 1 0
4. 1 1 0 0 1 1 0 1 1 1
24.4 Calculate the codeword C for the following.
1. x = {101}, G =
   0 1 0 0 0 1
   1 0 0 1 1 0
   0 1 1 0 0 0
2. x = {1011}, G =
   1 0 0 0 1
   0 1 0 1 0
   0 0 1 0 0
   0 0 0 1 0
3. x = {100}, G =
   1 0 1 0 1 0 1
   1 1 0 0 0 0 1
   0 0 1 1 0 0 0
   1 0 0 1 0 1 0
4. x = {100}, G =
   1 0 1 1 0 0 0
   0 1 1 0 1 0 1
   0 1 0 1 0 1 0
   0 1 0 0 0 0 1
24.5 Convert the generator matrix of every C in Exercise 24.4 to systematic form.
24.6 Find the parity-check matrix for every C in Exercise 24.4.
24.7 Given a code C = {c1, c2, c3, c4, c5} ⊆ F_2^5, where the words have different probabilities of a bit being 1, namely {0.7, 0.9, 0.5, 0.6, 0.8}, use maximum-likelihood decoding to determine which codeword has most likely been received:
1. if you received the word r = 0;
2. if you received the word r = 1.
24.8 Given a code C = {11001, 00000, 01010, 10101, 11110} and a received word 10010, decode the received word using minimum-distance decoding.
24.9 Given the parity-check matrix
   H =
   1 1 1 0 1 0 0
   1 0 1 1 0 1 0
   1 1 0 1 0 0 1
for a [7, 4] code:
1. Encode the message {0110}.
2. You received the word {0100011} with one error in a message bit. Decode the transmitted word.
3. You received the word {0110001} with one error in a parity bit. Decode the transmitted word.
24.10 Given a code C = {10110, 01101, 10001, 01010}:
1. Find the Hamming sphere of radius e = 1 for every word in C.
2. Give two Hamming spheres that intersect for radius e = 2.
3. Draw the Hamming spheres of radius e = 2 for the code C.
24.11 Given the generator matrix for a [7, 4] Hamming code as
   G =
   1 0 0 0 0 1 1
   0 1 0 0 1 0 1
   0 0 1 0 1 1 0
   0 0 0 1 1 1 1
1. Encode the message x = {1101}.
2. Find the parity-check matrix H.
3. Decode the word from (1).
4. Show how to detect an error in a corrupted received word c = {1111001}.
5. Decode c.
24.12 Given the generator polynomial for a (7, 4) cyclic code as g(x) = 1 + x + x^3:
1. Encode the message x = {1101}.
2. Find the parity-check matrix H.
3. Decode the word from (1).
4. Show how to detect an error in a corrupted received word c = {1111001}.
5. Decode c.
25
Code-Based Cryptography
CONTENTS
25.1 McEliece Cryptosystem [75] 450
25.1.1 Key Generation 450
25.1.2 Encryption 451
25.1.3 Decryption 451
25.2 Niederreiter Cryptosystem 452
25.2.1 Key Generation 452
25.2.2 Encryption 453
25.2.3 Decryption 453
25.3 Security Analysis of McEliece and Niederreiter 454
25.4 QC-MDPC McEliece Cryptosystem 454
25.4.1 MDPC and QC-MDPC Codes 455
25.4.1.1 MDPC Code 455
25.4.1.2 MDPC Code Construction 456
25.4.1.3 QC-MDPC Code Construction 456
25.4.2 QC-MDPC McEliece Cryptosystem [101] 456
25.4.2.1 Key Generation 456
25.4.2.2 Encryption 457
25.4.2.3 Decryption 457
Exercises 458
This chapter provides an overview of classic code-based cryptography, including the McEliece cryptosystem and the Niederreiter cryptosystem. The next section presents the McEliece cryptosystem using binary Goppa codes. Similarly, the Niederreiter cryptosystem, along with the algorithms involved, is then discussed in detail. The next part of the chapter discusses MDPC codes and the QC-MDPC McEliece cryptosystem. The explanations start with the formal definitions of MDPC codes, followed by the constructions for the algorithms involved in MDPC and QC-MDPC codes. The work proposing QC-MDPC codes to instantiate the McEliece cryptosystem is presented in the next section.
25.1 McEliece Cryptosystem [75]
For the purposes of McEliece encryption, the generator matrix G of a linear code over F_q should be seen as a map F_q^k → F_q^n sending a message m of length k to an element of F_q^n. McEliece proposed code-based cryptography using binary Goppa codes. The McEliece public-key cryptosystem is set up as follows.
25.1.1 Key Generation
The secret key consists of a random classical Goppa code Γ = Γ_q(α_1, ..., α_n, g) over F_q of length n and dimension k with an error-correction capability of w errors. A generator matrix G for the code Γ, an n × n permutation matrix P, and an invertible k × k matrix S are randomly generated and kept secret as part of the secret key. In particular, an efficient decoding algorithm for Γ is known. All steps of key generation are formally described in Construction 1.
Construction 1. Classic McEliece: Gen
Input: System parameters t, n, p, m
Output: Public key K_pub and secret key K_sec
1. Choose a binary [n, k, d]-Goppa code C capable of correcting up to
t errors.
2. Compute the corresponding k × n generator matrix G for code C.
3. Select a random non-singular binary k × k scrambling matrix S.
4. Select a random n × n permutation matrix P .
5. Compute the k × n matrix Ĝ = S · G · P .
6. Return Kpub = Ĝ and Ksec = (Γ, G, S −1 , P −1 ).
25.1.2 Encryption
Information needs to be embedded in a length-k word m ∈ Fkq in order to
be suitable for the encryption algorithm. Then m can be encrypted with the
following algorithm in Construction 2.
Construction 2. Classic McEliece: Encryption
Input: Public key K_pub = Ĝ, message m, and the parameter w
Output: Ciphertext y ∈ F_q^n
1. Compute mĜ.
2. Hide the message by adding a random error vector e of length n
and weight w.
3. Return y = mĜ + e.
25.1.3 Decryption
The decryption algorithm as shown in Construction 3 needs to decode the
ciphertext y, i.e., determine the error vector e. The legitimate receiver of y,
i.e., the owner of the private key, can make use of the hidden Goppa-code
structure, in particular, of the decoding algorithm for Γ.
Construction 3. Classic McEliece: Decryption
Input: A vector y = mĜ + e ∈ F_q^n and private key K_sec = (Γ, G, P, S) corresponding to Ĝ
Output: Message m
1. Compute ŷ = y · P^{-1}.
2. Compute the syndrome s corresponding to ŷ.
3. Obtain m̂ of length k from s using the decoding algorithm for Γ.
4. Compute m = m̂ · S −1 .
5. Return m.
The decryption algorithm works for any McEliece ciphertext y, i.e., for
any y which is an output of the encryption algorithm. Indeed, in this case, y
is known to be at distance w from a vector mSG which is a codeword in Γ.
The permutation by P −1 of the errors in the error vector does not change the
weight of this vector, so it does not affect the decoding algorithm for Γ.
25.2 Niederreiter Cryptosystem
Niederreiter's cryptosystem, a variant of the McEliece cryptosystem, uses Goppa codes as the McEliece cryptosystem does, but differs from it in public-key structure, encryption mechanism, and decryption mechanism. Note that the specific system in [72] with Goppa codes replaced by generalized Reed–Solomon codes was broken. The Niederreiter public-key cryptosystem is set up as follows.
25.2.1 Key Generation
The secret key consists of an n × n permutation matrix P , a non-singular
(n − k) × (n − k) matrix S, a parity-check matrix H for a Goppa code
Γ = Γq (α1 , · · · , αn , g) of dimension k and error-correcting capability w.
In particular, an efficient decoding algorithm for Γ is known. As in the
McEliece cryptosystem, the sizes n, k, w are public system parameters, but
α1 , · · · , αn , g, P, and S are randomly generated secrets.
Construction 4. Niederreiter: Gen
Input: System parameters t, n, p, m
Output: Public key K_pub and secret key K_sec
1. Choose a binary [n, k, d]-Goppa code C capable of correcting up to
t errors.
2. Compute the corresponding (n − k) × n parity-check matrix H for
code C.
3. Select a random non-singular binary (n − k) × (n − k) scrambling
matrix S.
4. Select a random n × n permutation matrix P .
5. Compute the (n − k) × n matrix Ĥ = S · H · P.
6. Return Kpub = Ĥ, and Ksec = (Γ, H, S −1 , P −1 ).
25.2.2 Encryption
Information needs to be embedded in a length-n word x ∈ Fnq with w nonzero
entries in order to be suitable for the encryption algorithm. Then x can be
encrypted with the following algorithm in Construction 5. The output is the
syndrome of x with respect to the public matrix Ĥ.
Construction 5. Niederreiter: Encryption
Input: A message x ∈ F_q^n of weight w and public key K_pub = Ĥ
Output: Ciphertext c ∈ F_q^{n−k}
1. Represent the message m as a binary string x of length n and weight t.
2. Compute the syndrome c = Ĥ · x^T.
3. Return c.
25.2.3 Decryption
In order to decrypt the message, one has to find a weight-w vector x having
syndrome s with respect to Ĥ. As in the McEliece cryptosystem, the owner
of the private key can make use of the hidden Goppa-code structure, in par-
ticular, of the decoding algorithm for Γ.
Construction 6. Niederreiter: Decryption
Input: A syndrome s = c = Ĥ · x^T ∈ F_q^{n−k} and private key K_sec = (Γ, H, S^{-1}, P^{-1}) corresponding to Ĥ
Output: Message x
1. Compute ĉ = S^{-1} · c.
2. Use the decoding algorithm for Γ to find x̂.
3. Compute x = P^{-1} · x̂ of length n and weight t.
4. Return x.
The decryption algorithm works for any Niederreiter ciphertext c, i.e., for
any c which is an output of the encryption algorithm.
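Constructions 1 to 6 end to end, as an added example that is not the book's code: the secret code Γ is a [7,4] Hamming code correcting t = 1 error instead of a binary Goppa code (a Goppa decoder is out of scope here), so the only assumption is that the trapdoor decoder is a syndrome-to-column lookup; S, P, Ĝ = SGP, Ĥ = SHP and the decryption steps follow the constructions, and the seeds, messages and error vectors are constructed.

```python
"""Toy McEliece and Niederreiter (Constructions 1-6) over F2. Added example,
not the book's code: the secret code Gamma is a [7,4] Hamming code (t = 1)
instead of a binary Goppa code, so its decoder is a syndrome lookup table.
S, P, G^ = SGP, H^ = SHP and the decryption steps follow the constructions."""
import random

G = [[1, 0, 0, 0, 0, 1, 1],       # systematic: first k bits of mG are m
     [0, 1, 0, 0, 1, 0, 1],
     [0, 0, 1, 0, 1, 1, 0],
     [0, 0, 0, 1, 1, 1, 1]]
H = [[0, 1, 1, 1, 1, 0, 0],       # G H^T = 0
     [1, 0, 1, 1, 0, 1, 0],
     [1, 1, 0, 1, 0, 0, 1]]
K, N = len(G), len(G[0])
T = 1                              # errors the Hamming code corrects

def vec_mat(v, m):
    return [sum(v[i] * m[i][j] for i in range(len(v))) % 2 for j in range(len(m[0]))]

def mat_vec(m, v):
    return [sum(row[j] * v[j] for j in range(len(v))) % 2 for row in m]

def mat_mul(a, b):
    return [vec_mat(row, b) for row in a]

# Trapdoor of Gamma: a weight-1 error at position j has syndrome = column j of H.
SYNDROME_TO_POS = {tuple(col): j for j, col in enumerate(zip(*H))}

def hamming_error(s):
    """The weight <= T vector e with H e^T = s (decoding algorithm for Gamma)."""
    e = [0] * N
    if any(s):
        e[SYNDROME_TO_POS[tuple(s)]] = 1
    return e

def gf2_inverse(a):
    """Gauss-Jordan over F2; returns None when a is singular."""
    n = len(a)
    aug = [row[:] + [int(i == j) for j in range(n)] for i, row in enumerate(a)]
    for col in range(n):
        piv = next((r for r in range(col, n) if aug[r][col]), None)
        if piv is None:
            return None
        aug[col], aug[piv] = aug[piv], aug[col]
        for r in range(n):
            if r != col and aug[r][col]:
                aug[r] = [x ^ y for x, y in zip(aug[r], aug[col])]
    return [row[n:] for row in aug]

def random_scrambler(n, rng):
    """Random non-singular n x n matrix S together with S^-1."""
    while True:
        s = [[rng.randrange(2) for _ in range(n)] for _ in range(n)]
        s_inv = gf2_inverse(s)
        if s_inv is not None:
            return s, s_inv

def random_permutation(n, rng):
    """Random n x n permutation matrix P together with P^-1 = P^T."""
    perm = list(range(n))
    rng.shuffle(perm)
    p = [[int(perm[i] == j) for j in range(n)] for i in range(n)]
    return p, [list(col) for col in zip(*p)]

def mceliece_keygen(seed):
    rng = random.Random(seed)                # seeded only to be reproducible
    s, s_inv = random_scrambler(K, rng)
    p, p_inv = random_permutation(N, rng)
    return mat_mul(mat_mul(s, G), p), (s_inv, p_inv)    # G^ = S G P

def mceliece_encrypt(g_pub, m, e):
    """y = m G^ + e, with e of length n and weight <= T."""
    return [a ^ b for a, b in zip(vec_mat(m, g_pub), e)]

def mceliece_decrypt(sk, y):
    s_inv, p_inv = sk
    y_hat = vec_mat(y, p_inv)                # (mS)G + eP^-1: still <= T errors
    err = hamming_error(mat_vec(H, y_hat))
    codeword = [a ^ b for a, b in zip(y_hat, err)]
    return vec_mat(codeword[:K], s_inv)      # m^ = mS, then m = m^ S^-1

def niederreiter_keygen(seed):
    rng = random.Random(seed)
    s, s_inv = random_scrambler(N - K, rng)
    p, p_inv = random_permutation(N, rng)
    return mat_mul(mat_mul(s, H), p), (s_inv, p_inv)    # H^ = S H P

def niederreiter_encrypt(h_pub, x):
    """c = H^ x^T for a message x of length n and weight <= T."""
    return mat_vec(h_pub, x)

def niederreiter_decrypt(sk, c):
    s_inv, p_inv = sk
    c_hat = mat_vec(s_inv, c)                # S^-1 c = H (P x^T)
    x_hat = hamming_error(c_hat)             # x^ with x^T = P x^T, weight <= T
    return mat_vec(p_inv, x_hat)             # x = P^-1 x^
```

A Goppa decoder would replace `hamming_error`; nothing else in the two schemes changes.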
25.3 Security Analysis of McEliece and Niederreiter
There are two computational assumptions underlying the security of the
McEliece scheme.
Assumption 1 (Indistinguishability) The matrix Ĝ output by Gen is computationally indistinguishable from a uniformly chosen matrix of the same size.
Assumption 2 (Decoding Hardness) Decoding a random linear code with
parameters n, k, w is hard.
The computational assumptions for Niederreiter are almost the same, ex-
cept for Assumption 1, that changes as follows.
Assumption 3 (Indistinguishability) The (n − k) × n matrix Ĥ output by Gen is computationally indistinguishable from a uniformly chosen matrix of the same size.
McEliece and Niederreiter are one-way secure under passive attacks, but not indistinguishability-secure under chosen-plaintext attacks or chosen-ciphertext attacks. It is easy to show that McEliece is not IND-CPA secure. An adversary A is given a public key G; it then chooses two plaintexts m_0, m_1, submits them to the encryption oracle and gets back ψ^* = Enc^{McE}_G(m_b). To win the game, A picks a guess b^* ∈ {0, 1}, encodes m_{b^*}, then checks the weight of ψ^* − m_{b^*}G; clearly b = b^* if and only if w_H(ψ^* − m_{b^*}G) = w. The attack is trivial for Niederreiter since the scheme is deterministic. Furthermore, it is easy to show that both McEliece and Niederreiter are not IND-CCA secure.
25.4 QC-MDPC McEliece Cryptosystem
As discussed in the previous chapter, the security of code-based cryptography
is based on two hardness assumptions: the indistinguishability of the code
family and generic decoding.
Many articles have shown that the indistinguishability problem for Goppa
codes might not be always sufficiently hard. Although it does not necessar-
ily lead to a practical attack, it suggests that Goppa (and more generally,
algebraic) codes may not be the optimal choice for code-based cryptography.
Therefore, codes without any algebraic structure would prevent this threat entirely. One of the good alternatives is low density parity-check (LDPC) codes [47], which are commonly used in telecommunications, since they have no algebraic structure. However, such codes are also vulnerable to attacks, as their low-weight codewords can be found in polynomial time. To avoid this problem, McEliece schemes based on moderate density parity-check (MDPC) codes [76] have been proposed. As the name implies, they introduce parity-check codes of higher density than those normally adopted for telecommunication applications. MDPC codes lead to a worse error-correction capability, but they ensure an adequate security level in code-based cryptography. More efficient variants employ quasi-cyclic MDPC (QC-MDPC) codes, wherein each row of the code matrix is the cyclic rotation of the row before it, except the first row. In other words, the code can be compressed into a single row vector, which greatly reduces the public/private key size compared to Goppa codes.
25.4.1 MDPC and QC-MDPC Codes
The definitions and constructions of both MDPC and QC-MDPC codes are
presented.
25.4.1.1 MDPC Code
Given an [n, k]-linear code, the value n is usually referred to as the length
of the code, and k is referred to as the dimension. In what follows, the value
r = (n − k) is referred to as the co-dimension of the code.
Definition 1 (MDPC code) An [n, r, w]-MDPC code is a linear code of length n and co-dimension r which admits a parity-check matrix of constant row weight w = Õ(√n), or w ∈ O(√(n · log n)).
Definition 2 (Quasi-Cyclic Code) A linear code C ⊆ F_2^n is quasi-cyclic if there exists a positive integer n_0 ∈ {1, 2, ..., n − 1} such that for every codeword c ∈ C the word c′ obtained from a right cyclic shift of c by n_0 positions is itself a codeword of C.
Definition 3 (QC-MDPC code) An [n, r, w]-linear code is a quasi-cyclic
moderate density parity-check (QC-MDPC) code if it is both an MDPC code
and a quasi-cyclic code.
25.4.1.2 MDPC Code Construction
A random [n, r, w]-MDPC code is easily generated by picking a random parity-check matrix H ∈ F_2^{r×n} of row weight w. With overwhelming probability, this matrix is of full rank and the rightmost r × r block is invertible after possibly swapping a few columns.
25.4.1.3 QC-MDPC Code Construction
The main concern of this section is [n, r, w]-QC-MDPC codes, where n = n_0 p and r = p. This means that the parity-check matrix has the form
$$
H = [H_0 \mid H_1 \mid \cdots \mid H_{n_0-1}], \quad (25.1)
$$
where H_i is a p × p circulant block. We define the first row of H by picking a random vector of length n = n_0 p and weight w. The other r − 1 rows are obtained from the r − 1 quasi-cyclic shifts of this first row. Each block H_i will have a row weight w_i such that w = Σ_{i=0}^{n_0−1} w_i.
In general, a smooth distribution is expected for the sequence of w_i's. A generator matrix G in row reduced echelon form (G = [I_k | Q]) can be easily derived from the blocks H_i. Assuming the rightmost block H_{n_0−1} is non-singular (which in particular implies w_{n_0−1} odd, otherwise the rows of H_{n_0−1} would sum up to 0), we construct a generator matrix as
$$
G = \left[ I \;\middle|\; \begin{matrix} (H_{n_0-1}^{-1} H_0)^T \\ (H_{n_0-1}^{-1} H_1)^T \\ \vdots \\ (H_{n_0-1}^{-1} H_{n_0-2})^T \end{matrix} \right]. \quad (25.2)
$$
25.4.2 QC-MDPC McEliece Cryptosystem [101]
The latest work deploying QC-MDPC code to instantiate McEliece cryptosys-
tem was presented in [101].
25.4.2.1 Key Generation
Before describing the scheme, it is worth mentioning that the generator matrix G is not in general a generator matrix for a quasi-cyclic code, but rather it is isomorphic to such a generator matrix. However, as it turns out, the representation of G given above is suitable for the needs of the cryptosystem, and furthermore, using this representation of G does not degrade security at all. To obtain a generator matrix G′ for a QC-MDPC code from a matrix G as above, one must interleave the columns of G (a simple permutation). Note that G is indeed a k × n matrix and that for any vector x ∈ F_2^k, the first k bits of xG are exactly x itself.
Construction 7. QC-MDPC McEliece: Gen
Input: Security parameter n, weight w, co-dimension r, and error-correction threshold t
Output: Public key G, secret key H
1. Generate a parity-check matrix H ∈ F_2^{r×n} of a t-error-correcting [n, r, w]-QC-MDPC code as described above.
2. Calculate G = [I_k | Q] as described above.
3. Return (G, H).
25.4.2.2 Encryption
Encryption in the QC-MDPC McEliece scheme can be succinctly described
as a matrix multiplication followed by an XOR with an error vector.
Construction 8. QC-MDPC McEliece: Encryption
Input: Public key G, message m ∈ F_2^k, and error vector e ∈ F_2^n of weight at most t
Output: Ciphertext c ∈ Fn2
1. c ← mG ⊕ e.
2. Return c.
25.4.2.3 Decryption
Decryption requires as a subroutine a t-error-correcting QC-MDPC decoding
algorithm ΨH with knowledge of the secret key H.
Construction 9. QC-MDPC McEliece: Decryption
Input: Ciphertext c ∈ Fn2
Output: A message vector m ∈ F_2^k such that d(mG, c) ≤ t, or ⊥
1. Compute mG = ΨH (c) = ΨH (mG ⊕ e). If this step fails, output ⊥.
2. Extract m as the first k bits of mG.
3. Return m.
The QC-MDPC McEliece scheme is secure under two assumptions:
1. The randomness of the public key: given a parity-check matrix H, it is hard to tell it apart from a random one (cf. Assumption 1).
2. The hardness of decoding QC-MDPC codes: given a parity-check matrix H, decoding is hard, and the best known approach is a generic decoding algorithm.
These two assumptions are known to hold for non-cyclic codes, but this is unknown for the cyclic case. However, the general consensus is that the cyclic structure alone does not make the problem easier [101]. Hence, QC-MDPC remains the most efficient variant of the McEliece cryptosystem to date.
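Constructions 7 to 9 on a toy instance, as an added example (not the code of [101] or of the book): n_0 = 2 and p = 61, so H = [H_0 | H_1] with the circulant blocks handled as polynomials in F_2[x]/(x^p − 1) as real implementations do, G = [I | Q] is derived exactly as in (25.2), and Ψ_H is a plain bit-flipping decoder. The supports of h_0 and h_1 are constructed (Sidon sets) so that decoding of up to t = 2 errors is provably correct rather than probabilistic; the message and error vectors are constructed too.

```python
"""Toy QC-MDPC McEliece, n0 = 2 (Constructions 7-9), in the polynomial view
used by real implementations: a p x p circulant block is its first-row
polynomial in F2[x]/(x^p - 1); a length-p vector is a p-bit int (bit i =
coefficient of x^i). Added example, not the book's code; the supports of
h0, h1 are constructed for a provable toy, not random as in 25.4.1.3."""

P = 61                      # block size p: n = 2p, k = r = p
MASK = (1 << P) - 1
MODULUS = (1 << P) | 1      # x^p + 1, i.e. x^p - 1 over F2
T = 2                       # errors the decoder must correct

def poly_mul(a, b):
    """Carry-less product in F2[x]."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return r

def poly_divmod(a, b):
    q = 0
    while a and a.bit_length() >= b.bit_length():
        shift = a.bit_length() - b.bit_length()
        q ^= 1 << shift
        a ^= b << shift
    return q, a

def ring_mul(a, b):
    """a * b mod x^p - 1: a row vector times a circulant block."""
    return poly_divmod(poly_mul(a, b), MODULUS)[1]

def ring_inv(h):
    """Extended Euclid; raises unless gcd(h, x^p - 1) = 1 (odd weight needed)."""
    r0, r1, s0, s1 = MODULUS, h, 0, 1
    while r1:
        q, r = poly_divmod(r0, r1)
        r0, r1, s0, s1 = r1, r, s1, s0 ^ poly_mul(q, s1)
    if r0 != 1:
        raise ValueError("not a unit in F2[x]/(x^p - 1)")
    return poly_divmod(s0, MODULUS)[1]

def rev(a):
    """a(x) -> a(1/x): first row of the transposed circulant block."""
    return sum(((a >> ((-i) % P)) & 1) << i for i in range(P))

def rot(a, j):
    """x^j * a, a cyclic shift; rot(rev(h), j) is column j of circ(h)."""
    return ((a << j) | (a >> (P - j))) & MASK

def syndrome(h, y):
    """H y^T for H = [circ(h0) | circ(h1)] and y = (y0, y1)."""
    (h0, h1), (y0, y1) = h, y
    return ring_mul(y0, rev(h0)) ^ ring_mul(y1, rev(h1))

def keygen():
    # Constructed supports: Sidon sets mod 61 with disjoint difference sets,
    # so any two columns of H share at most one parity check. Row weight
    # w = 4 + 5 = 9, w1 odd, so circ(h1) is invertible. (Real MDPC codes use
    # random supports of weight ~ sqrt(n); this is a toy.)
    h0 = sum(1 << i for i in (0, 13, 29, 46))
    h1 = sum(1 << i for i in (0, 1, 4, 9, 11))
    # G = [I | Q], Q = (H1^-1 H0)^T, i.e. q(x) = h0(1/x) / h1(1/x)
    q = ring_mul(rev(h0), ring_inv(rev(h1)))
    assert syndrome((h0, h1), (1, q)) == 0   # G H^T = 0
    return (1, q), (h0, h1)                  # public G as (I, Q); secret H

def encrypt(g, m, e):
    """c = mG xor e for a p-bit message m and e = (e0, e1) of weight <= T."""
    q, (e0, e1) = g[1], e
    return (m ^ e0, ring_mul(m, q) ^ e1)

def bit_flip(h, y, max_iter=10):
    """Psi_H: flip every position touching the most unsatisfied checks.
    With the column overlap above, an error position scores >= w_i - 1 >= 3
    and a correct one <= 2, so up to T errors are gone within two rounds.
    Returns None (the book's bottom) on failure."""
    cols = [rot(rev(hb), j) for hb in h for j in range(P)]   # columns of H
    y0, y1 = y
    for _ in range(max_iter):
        s = syndrome(h, (y0, y1))
        if s == 0:
            return (y0, y1)
        counts = [bin(s & col).count("1") for col in cols]
        top = max(counts)
        flip = sum(1 << i for i, c in enumerate(counts) if c == top)
        y0 ^= flip & MASK
        y1 ^= flip >> P
    return None

def decrypt(h, c):
    word = bit_flip(h, c)
    return None if word is None else word[0]   # m = first k bits of mG
```

With random supports of weight about √n as in Definition 1, bit flipping succeeds only with high probability, which is why Construction 9 returns ⊥ on failure.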
Exercises
25.1 Given the parameters of a McEliece encryption scheme as m = 4, t = 2,
S =
1 0 0 1
0 1 0 1
0 1 0 0
0 0 1 1
G =
0 1 1 0 1 0 1 0 0 1 0 0
0 1 1 1 1 0 0 1 1 0 0 0
1 1 1 0 1 1 0 1 0 0 1 0
1 1 1 0 1 1 0 1 0 0 1 0
P =
1 0 0 0 0 0 0 0 0 0 0 0
0 0 1 0 0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0 1 0 0 0
0 0 0 0 0 1 0 0 0 0 0 0
0 1 0 0 0 0 0 0 0 0 0 0
0 0 0 1 0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0 0 0 0 1
0 0 0 0 0 0 0 1 0 0 0 0
0 0 0 0 0 0 0 0 0 1 0 0
0 0 0 0 0 0 0 0 0 0 1 0
0 0 0 0 0 0 1 0 0 0 0 0
1. What are the values for n, k, and d?
2. Compute G′ = S · G · P.
3. Encrypt the message {1010} with error {110000000000}.
4. Decrypt y = {001111011110}.
25.2 Given the parameters of a Niederreiter encryption scheme as m = 6, t = 2,
S =
0 0 1 1 1 1
1 1 1 1 1 0
0 1 1 1 1 1
0 1 0 0 0 1
1 0 1 0 0 1
1 0 1 0 1 1
H =
0 0 1 1 1 0 0 1
0 0 0 1 0 1 1 1
1 1 0 0 0 0 0 0
0 0 1 0 0 1 1 1
0 0 1 1 1 0 1 0
1 0 1 1 1 1 1 1
P =
0 0 0 0 0 0 0 1
0 0 0 1 0 0 0 0
0 0 0 0 0 0 1 0
1 0 0 0 0 0 0 0
0 1 0 0 0 0 0 0
0 0 1 0 0 0 0 0
0 0 0 0 0 1 0 0
0 0 0 0 1 0 0 0
1. What are the values for n, k, and d?
2. Compute H′ = S · H · P.
3. Encrypt the encoded message {00100001}.
4. Decrypt y = {011111}.
Part IV
Implementations of
Selected Algorithms
26
Selected Algorithms
CONTENTS
26.1 Introduction 463
26.2 Boneh-Franklin IBE 464
26.3 Boneh-Boyen IBE 464
26.4 Broadcast Encryption 464
26.5 Ciphertext-Policy Attribute-Based Encryption (CP-ABE) 465
26.6 Predicate Encryption (PE) 465
26.7 Rivest-Shamir-Adleman (RSA) 466
26.8 Elliptic Curve Digital Signature Algorithm (ECDSA) 466
26.9 QC-MDPC McEliece 466
26.10 NTRUEncrypt 467
26.11 Number Theoretic Transform 467
26.12 The Paillier Encryption 468
26.13 AES Block Cipher 468
26.14 wolfSSL 469
This chapter briefly explains implementations of some selected cryptographic algorithms. The source code can be downloaded from https://ai-security.github.io.
26.1 Introduction
Various popular cryptographic schemes are implemented using the MIRACL library. MIRACL is an open-source software library for implementing cryptographic algorithms, which can be used for writing C or C++ programs that require elliptic curve cryptography (ECC). It also supports multi-precision arithmetic such as modular multiplication, modular exponentiation, etc. These operations can work with very large integers (e.g., 1024-bit, 2048-bit, etc.) thanks to the efficient implementation in MIRACL. We show the steps to compile MIRACL as a static library (.lib) and use it in the Windows environment.
26.2 Boneh-Franklin IBE
Conventional public key cryptography (PKC) requires public keys to be exchanged before encryption starts. Identity-based encryption (IBE) can be used to perform tasks similar to those offered by conventional PKC. The main feature of IBE is that it allows a user to create a public key from a known unique identifier (e.g., an email address). A trusted third party can then use this public key to create the corresponding private key. In such a setting, there is no need to perform a key exchange, which is one important advantage compared to conventional PKC. The Boneh-Franklin IBE scheme is based on the Weil pairing over elliptic curves and finite fields. We show how the Boneh-Franklin IBE scheme can be implemented using the MIRACL library.
26.3 Boneh-Boyen IBE
Boneh-Boyen IBE is another popular IBE based on the well-studied decisional
bilinear Diffie-Hellman assumption, which is extensible to systems with hier-
archical identities (or often known as HIBE). This scheme is provably secure
in the selective-identity sense without the random oracle model. It is often
viewed as an improvement compared to the Boneh-Franklin IBE scheme with
provable security. We show how the Boneh-Boyen IBE scheme can be imple-
mented using the MIRACL library.
26.4 Broadcast Encryption
Broadcast encryption (BE) is a special type of encryption that controls the content accessed by a group of users. BE deals with methods to efficiently broadcast information to a dynamically changing group of users who are allowed to receive the data. It is often convenient to think of it as a revocation scheme, which addresses the case where some subset of the users (non-members) is excluded from receiving the information. We show how a BE scheme can be implemented using the MIRACL library.
26.5 Ciphertext-Policy Attribute-Based Encryption
(CP-ABE)
Attribute-based encryption (ABE) is an advanced public-key cryptosystem developed recently, wherein the secret key used for decryption depends on the user's attributes (e.g., the city in which he lives or his position in a company). The sender can encrypt the data and send it to another person without relying on a certificate. In ABE, the sender can encrypt under a list of attributes and broadcast the result; whoever holds some or all of these attributes can decrypt the data successfully. CP-ABE is a variant of ABE where the policy for accessing the plaintext is contained not in the secret key but in the ciphertext. An access structure is built into the CP-ABE ciphertext, and only a user whose secret key (a set of attributes) satisfies the access structure can decrypt the ciphertext. We show how Brent Waters' CP-ABE scheme can be implemented using the MIRACL library.
26.6 Predicate Encryption (PE)
Predicate encryption is an advanced public-key cryptosystem developed recently to support attribute-hiding as well as payload-hiding, which allows high flexibility in terms of access control. Since the first PE scheme was introduced in 2008, several predicate encryption schemes have been published. However, these schemes are impractical as they require O(n) pairing computations for decryption together with considerably large public parameters, secret keys, and ciphertexts, where n is the dimension of the attribute/predicate vectors. Recently, I. Kim, S. O. Hwang, J. H. Park, and C. Park proposed a very efficient predicate encryption scheme that requires only n exponentiations and three pairing computations for decryption. The scheme also comes with shorter public parameters, secret keys, and ciphertexts. It is proven selectively attribute-secure against chosen-plaintext attacks in the standard model under the Asymmetric Decisional Bilinear Diffie-Hellman assumption. We show how Kim et al.'s PE scheme can be implemented using the MIRACL library.
26.7 Rivest-Shamir-Adleman (RSA)
RSA is a popular public-key cryptosystem that has been widely used by industry for the past decades. It has a very simple structure, and is thus easy to understand and implement correctly. It can also be used as a digital signature generation algorithm (e.g., DSA). However, due to advances in integer factorization techniques and the development of powerful computers, the RSA problem can be solved easily if the key size is small. Hence, the key size of RSA is usually 2048-bit or 3076-bit, which can be very slow if it is not implemented efficiently. We start with a basic approach to implementing multiplication in multi-precision format, then introduce an efficient modular reduction technique (Montgomery reduction). Binary exponentiation is then introduced to improve the performance of exponentiation, which allows an efficient RSA implementation. Lastly, a graphics processing unit (GPU) is used to implement RSA in parallel form, achieving very fast RSA encryption/decryption.
26.8 Elliptic Curve Digital Signature Algorithm
(ECDSA)
ECDSA was published in the early 2000s by NIST as an alternative to DSA (based on RSA), released as FIPS-186. ECDSA relies on an elliptic curve public key cryptosystem, which is designed based on the hardness of the elliptic curve discrete logarithm problem. It achieves a security level similar to RSA with a much smaller key size. For instance, RSA requires a 3072-bit key to achieve 128-bit security, but ECC only needs a 256-bit key. Hence, ECDSA has become popular over the past two decades as it requires a much smaller key size than RSA. This translates directly into smaller memory cost (good for embedded systems) and faster signature generation/verification. ECDSA relies heavily on modular multiplication, which shares a lot of similarity with RSA. We explain the implementation of ECDSA as outlined in the latest revision of the Digital Signature Standard (DSS) released by NIST in 2019.
26.9 QC-MDPC McEliece
The McEliece cryptosystem is one of the oldest code-based cryptosystems and is still considered secure today. It is designed based on coding theory, which is secure against attacks from quantum computers. The original McEliece cryptosystem was designed with Goppa codes, which suffer from very large key sizes, making it impractical to implement on embedded systems. In 2013, R. Misoczki, J.-P. Tillich, N. Sendrier, and P. S. L. M. Barreto proposed replacing the Goppa code with the QC-MDPC code, which successfully reduced the key sizes to a practical level. Encryption in McEliece is very simple, as it only involves matrix-vector multiplication and addition. Decryption depends on the bit-flipping algorithm, which is commonly used for decoding error-correcting codes. The QC-MDPC McEliece cryptosystem was implemented and its speed performance was evaluated.
26.10 NTRUEncrypt
NTRU is a lattice-based cryptosystem developed in 1996 and remains one of the most promising candidates in post-quantum cryptography. It was designed based on the shortest vector problem (SVP) in a lattice, which quantum computers still cannot solve efficiently. NTRUEncrypt was included in the IEEE Std 1363.1 in 2008; it is the first post-quantum cryptosystem that was standardized. Among the two NTRU schemes proposed (NTRUSign and NTRUEncrypt), NTRUEncrypt has received more attention due to its efficiency, which is comparable to popular public key cryptosystems like ECC. The encryption and decryption processes in NTRUEncrypt are very simple, as they only involve polynomial multiplication. The polynomial multiplication was implemented with a technique that exploits the sparsity of the polynomials. It is also implemented on a graphics processing unit (GPU) to exploit the parallel architecture for batch polynomial multiplication.
26.11 Number Theoretic Transform
Besides NTRU, there are other variants of lattice-based cryptography that have a special lattice structure suitable for efficient implementation; qTESLA is one such scheme. With a special lattice structure, polynomial multiplication can be implemented more efficiently using the Number Theoretic Transform (NTT). NTT is developed based on the Fast Fourier Transform (FFT), a popular technique used in signal processing. FFT operates over real numbers (floating point), whereas NTT operates over integers; other than that, both techniques share a lot of similarities. We show how to implement the NTT with various techniques, including the precomputation of twiddle factors, nega-cyclic convolution, and the Cooley-Tukey and Stockham FFT. The implementation was performed on the qTESLA parameters to demonstrate its practicality on state-of-the-art lattice-based cryptography. Lastly, it is also implemented on a graphics processing unit (GPU) to exploit the parallel architecture for batch polynomial multiplication using NTT.
26.12 The Paillier Encryption
Homomorphic encryption (HE) allows computations to be performed in the
encrypted domain. This means that a user can encrypt the plaintext and pass
the ciphertext to a third party (e.g., a cloud server), which computes on
the data on the user's behalf without learning the underlying information.
This computing paradigm is very important for protecting the privacy of
users in various applications. The Paillier cryptosystem was recently
standardized in ISO/IEC 18033-6:2019. It allows the user to perform
additive operations in the encrypted domain, so it is also known as
additive HE. The main operation in the Paillier cryptosystem is modular
exponentiation, which is very time-consuming. However, the same techniques
presented in the RSA section (e.g., Montgomery multiplication, binary
exponentiation, and the Chinese Remainder Theorem (CRT)) can be used to
speed up execution. We show how the Paillier cryptosystem can be
implemented efficiently using the MIRACL library.
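The additive homomorphism and the CRT speed-up described above, as an added example in plain Python rather than the book's MIRACL implementation: Paillier key generation, encryption with the g = n + 1 shortcut, decryption both directly modulo n^2 and split over p and q with CRT recombination, and homomorphic addition and scaling. The primes p = 10007 and q = 10009 are constructed toy values.

```python
# Added example (not the book's MIRACL code): textbook Paillier with the
# g = n + 1 encryption shortcut, CRT-split decryption and the additive
# homomorphism. The toy primes are constructed for illustration only; real
# keys use primes of 1024 bits or more.
from math import gcd
import secrets

P_TOY, Q_TOY = 10007, 10009       # constructed toy primes (n has ~27 bits)


def L(u, d):
    """Paillier's L function: (u - 1) / d, exact whenever u = 1 (mod d)."""
    return (u - 1) // d


def keygen(p, q):
    n = p * q
    assert gcd(n, (p - 1) * (q - 1)) == 1
    g = n + 1                                       # standard generator choice
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)    # lcm(p - 1, q - 1)
    mu = pow(L(pow(g, lam, n * n), n), -1, n)
    # Per-prime constants so decryption can work modulo p^2 and q^2 instead
    # of the four-times-larger n^2 (the CRT optimisation).
    hp = pow(L(pow(g, p - 1, p * p), p), -1, p)
    hq = pow(L(pow(g, q - 1, q * q), q), -1, q)
    pub = (n, g)
    priv = {"p": p, "q": q, "lam": lam, "mu": mu,
            "hp": hp, "hq": hq, "p_inv_q": pow(p, -1, q)}
    return pub, priv


def encrypt(pub, m, r=None):
    n, _ = pub
    n2 = n * n
    if r is None:                                   # random r in [1, n-1], coprime to n
        r = secrets.randbelow(n - 1) + 1
        while gcd(r, n) != 1:
            r = secrets.randbelow(n - 1) + 1
    # With g = n + 1, g^m mod n^2 = 1 + m*n (binomial theorem), so the only
    # modular exponentiation left is r^n mod n^2.
    return (1 + m * n) % n2 * pow(r, n, n2) % n2


def decrypt(pub, priv, c):
    """Direct decryption: one exponentiation modulo n^2."""
    n, _ = pub
    return L(pow(c, priv["lam"], n * n), n) * priv["mu"] % n


def decrypt_crt(pub, priv, c):
    """Decryption split over p^2 and q^2, recombined with Garner's CRT."""
    p, q = priv["p"], priv["q"]
    mp = L(pow(c % (p * p), p - 1, p * p), p) * priv["hp"] % p
    mq = L(pow(c % (q * q), q - 1, q * q), q) * priv["hq"] % q
    return mp + p * ((mq - mp) * priv["p_inv_q"] % q)


def add_encrypted(pub, c1, c2):
    """Enc(m1) * Enc(m2) mod n^2 decrypts to m1 + m2 mod n."""
    n, _ = pub
    return c1 * c2 % (n * n)


def scale_encrypted(pub, c, k):
    """Enc(m)^k mod n^2 decrypts to k * m mod n."""
    n, _ = pub
    return pow(c, k, n * n)


if __name__ == "__main__":
    pub, priv = keygen(P_TOY, Q_TOY)
    c1, c2 = encrypt(pub, 12345), encrypt(pub, 678)
    print(decrypt(pub, priv, c1), decrypt_crt(pub, priv, c1))
    print(decrypt_crt(pub, priv, add_encrypted(pub, c1, c2)))     # 13023
```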
26.13 AES Block Cipher
The Advanced Encryption Standard (AES), released by NIST in 2001, eventually
became the de facto encryption scheme for many applications. AES can be
implemented easily by following the specification, but the performance may
not be optimal. On the other hand, many operations in AES can be
precomputed so that encryption/decryption requires only simple table
lookups (T-box). This is essentially an example of a time-memory trade-off,
in which more memory is used to store precomputed results in exchange for
higher speed. Both the basic and the T-box implementations of AES are
discussed.
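The basic and T-box round functions described above, as an added example that is not the book's code: the S-box and T-tables are derived from the GF(2^8) definition, one round is computed both ways on a constructed state, and the table memory is counted to make the trade-off concrete. AddRoundKey is left out because it is the same XOR in both variants.

```python
# Added example (not the book's code): the AES round function written both
# the basic way (SubBytes, ShiftRows, MixColumns as separate steps) and the
# T-box way (one XOR of four table lookups per column), with the tables
# derived from the GF(2^8) definition of the S-box.

def xtime(b):
    """Multiply by x in GF(2^8) with the AES polynomial x^8+x^4+x^3+x+1."""
    b <<= 1
    return b ^ 0x11B if b & 0x100 else b


def gf_mul(a, b):
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = xtime(a), b >> 1
    return r


def build_sbox():
    """S[a] = affine(a^-1): inverse in GF(2^8), then
    b ^ rotl(b,1) ^ rotl(b,2) ^ rotl(b,3) ^ rotl(b,4) ^ 0x63."""
    S = []
    for a in range(256):
        inv = next((x for x in range(256) if gf_mul(a, x) == 1), 0)
        b = inv
        for i in range(1, 5):
            b ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
        S.append(b ^ 0x63)
    return S


def round_basic(state, S):
    """One AES round on a 16-byte column-major state (state[r + 4*c])."""
    sub = [S[b] for b in state]                                    # SubBytes
    sh = [sub[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]  # ShiftRows
    out = []
    for c in range(4):                                             # MixColumns
        a0, a1, a2, a3 = sh[4 * c:4 * c + 4]
        out += [gf_mul(2, a0) ^ gf_mul(3, a1) ^ a2 ^ a3,
                a0 ^ gf_mul(2, a1) ^ gf_mul(3, a2) ^ a3,
                a0 ^ a1 ^ gf_mul(2, a2) ^ gf_mul(3, a3),
                gf_mul(3, a0) ^ a1 ^ a2 ^ gf_mul(2, a3)]
    return out


def build_ttables(S):
    """T0[x] packs (2*S[x], S[x], S[x], 3*S[x]) little-endian; T1..T3 are byte
    rotations of T0, so SubBytes and MixColumns collapse into one lookup."""
    T0 = [gf_mul(2, s) | s << 8 | s << 16 | gf_mul(3, s) << 24 for s in S]

    def rotl(w, k):
        return ((w << (8 * k)) | (w >> (32 - 8 * k))) & 0xFFFFFFFF

    return [T0] + [[rotl(w, k) for w in T0] for k in (1, 2, 3)]


def round_ttable(state, T):
    """Same round as round_basic, as 4 lookups and 3 XORs per column."""
    out = []
    for c in range(4):
        w = (T[0][state[0 + 4 * c]] ^ T[1][state[1 + 4 * ((c + 1) % 4)]]
             ^ T[2][state[2 + 4 * ((c + 2) % 4)]] ^ T[3][state[3 + 4 * ((c + 3) % 4)]])
        out += [(w >> (8 * r)) & 0xFF for r in range(4)]
    return out


def ttable_bytes(T):
    """Memory spent on the speed-up: four 256-entry tables of 32-bit words."""
    return sum(len(t) for t in T) * 4


if __name__ == "__main__":
    S = build_sbox()
    T = build_ttables(S)
    state = list(range(16))                    # constructed sample state
    assert round_basic(state, S) == round_ttable(state, T)
    print(ttable_bytes(T), "bytes of tables;", [hex(b) for b in round_ttable(state, T)])
```

Tables indexed by secret-dependent bytes are a well-known cache-timing side channel, so production implementations on platforms with hardware AES instructions or constant-time bitsliced code prefer those over T-boxes.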
26.14 wolfSSL
Secure Socket Layer (SSL) is a cryptographic protocol used to protect
communication in networked systems. Since 2015, SSL has been succeeded by
the Transport Layer Security (TLS) protocol. Both SSL and TLS are widely
used in many networking applications. We give an overview of the handshake
process in SSL/TLS, which is the core operation of the protocol for
protecting the communication. Then we introduce wolfSSL, a software library
implementing the TLS protocol in plain C, which is widely used in many
commercial products. wolfSSL is highly portable; it can be used on desktop
PCs, servers, and embedded systems. It is also smaller in code size and
faster than another popular software library, OpenSSL. Simple client/server
and benchmarking programs are shown to enable further exploration of this
commercial-grade software library.
Index
Abelian group, 110
Access structure, 351
Access tree, 351
Adaptive chosen-ciphertext attack (CCA2), 16
Adaptive chosen-message attack (Adaptive CMA), 17
Advanced Encryption Standard (AES), 47
  Implementation, 468
All-and-any strategy, 301
Approximate closest vector problem (γ-CVP), 415
Approximate shortest vector problem (γ-SVP), 415
Attribute-based encryption (ABE), 349
  CP-ABE, 362
  Implementation of CP-ABE, 465
  KP-ABE, 356

Bilinear Diffie-Hellman (BDH) assumption, 184
Bilinear Diffie-Hellman (BDH) problem, 184
Bilinear map (or Weil and Tate pairing), 183
Binary tree encryption, 310
Birthday attack, 95
Bitcoin, 171
Blakley’s secret sharing, see Secret sharing
Block cipher, 52
Blockchain, 171
Boneh-Boyen IBE, 293
  Implementation, 464
Boneh-Franklin IBE, 185
  Implementation, 464
Broadcast encryption, 321
  Implementation, 464

Canetti-Halevi-Katz transformation, 309
CBC, see Modes of operation
CBC-MAC, 75
Chosen-ciphertext attack (CCA), 16, 59
Chosen-message attack (CMA), 16
Chosen-plaintext attack (CPA), 16, 38
Ciphertext-only attack (COA), 16
Closest vector problem (CVP), 415
Code-based cryptography, 449
Coding theory, 434
Collision resistance, 88
Collision resistant hash function, 89
Commitment scheme, 102
Complete Subtree (CS) method, 327
Compression function, 90, 92
Computational Diffie-Hellman (CDH) problem, 119
Consensus algorithm, 175
CP-ABE, see Attribute-based encryption (ABE)
Cramer-Shoup encryption, 145
Cryptocurrency, 176
CTR, see Modes of operation
Cyclic code, see Types of codes
Cyclic subgroup, 111

Decision linear Diffie-Hellman (DLDH) assumption, 284
Decisional bilinear Diffie-Hellman (DBDH) assumption, 230
Decisional Diffie-Hellman (DDH) problem, 119
Decisional linear (DLin) assumption, 231
Delerablée’s scheme, 341
Determinant, see Lattice
Diffie-Hellman (DH) key exchange protocol, 120
Digital signature, 159
Discrete logarithm, 118
Discrete logarithm problem, 119
Dual code, see Linear code
Dual lattice, see Lattice
Dual system encryption, 231

ECB, see Modes of operation
ECDSA (Elliptic Curve Digital Signature Algorithm) implementation, 466
El Gamal encryption, 129
El Gamal signature, 162
Elliptic curve, 114
Elliptic curve cryptography (ECC), 463
Euclidean algorithm, 105
Euler’s criterion, 110
Euler’s phi function, 106
Euler’s theorem, 106
Existential unforgeability (EUF), 15
Extended Euclidean algorithm, 105

Fermat’s little theorem, 105
Field, 112
Finite field, 112
  GF(2^n), 113
Fujisaki-Okamoto transformation, 193
Full domain hash RSA signature, 169
Functional encryption (FE), 381

General decoding problem (GDP), 445
Generalized Reed-Solomon (GRS) code, see Types of codes
Generator matrix, see Linear code
Generic bilinear group model, 354
Generic group model, 25, 284
Gentry’s IBE, 206
Goppa code, see Types of codes
Gram-Schmidt orthogonalization, 414
Group, 110

Hamming code, see Types of codes
Hamming distance, see Linear code
Hamming weight, see Linear code
Hash function, 88
Hash-and-MAC, 96
Hierarchical identity-based encryption (HIBE), 257
HMAC, 97
Homomorphic public-key encryption, see Paillier encryption
Hybrid argument (or proof), 24, 228
Hybrid encryption, 128

Identity-based broadcast encryption (IBBE), 337
Identity-based encryption (IBE), 181, 199, 227, 289
Indistinguishability (IND), 14
  Left-or-Right, 15
  Real-or-Random, 16
Irreducible (or prime) polynomial, 113

Katz-Wang technique, 305
Key-encapsulation mechanism (KEM), 129
Key-only attack (KOA), 16
Known-message attack (KMA), 16
Known-plaintext attack (KPA), 16
KP-ABE, see Attribute-based encryption (ABE)

Lattice, 413
  Determinant, 414
  Dual lattice, 414
  Lattice basis, 413
  Rank, 413
Lattice basis, see Lattice
Lattice-based cryptography, 419
Learning with errors (LWE), 422
Learning with rounding (LWR), 424
Linear code, 433
  Dual code, 438
  Generator matrix, 435
  Hamming distance, 434
  Hamming weight, 434
  Minimum Hamming distance, 435
  Parity-check matrix, 435

Maximum-likelihood decoding, see Types of decoding
McEliece cryptosystem, 450
MDPC code, 455
Merkle tree, 99
Merkle-Damgard transform, 93
Message authentication, 65
Message authentication code, 67
Minimum Hamming distance, see Linear code
Minimum-distance decoding, see Types of decoding
MIRACL library, 463
Modes of operation, 52
  CBC, 52
  CTR, 54
  ECB, 52

Negligible function, 10
Niederreiter cryptosystem, 452
Non-malleability (NM), 15
Non-static assumption, 228
NTRU cryptosystem, 415
NTRUEncrypt implementation, 467
Number Theoretic Transform (NTT) implementation, 467

One-time pad (OTP), 4
One-time signature, 312
One-wayness (OW), 14

Padded RSA encryption, 136
Paillier encryption, 155
  Implementation, 468
Parity-check matrix, see Linear code
Park-Lee technique, 306
PE (Predicate encryption)
  Implementation, 465
Perfect security, 5
Plain (or Textbook) RSA encryption, 133
Plain RSA signature, 169
Predicate encryption (PE), 380
Predicate-only encryption, 388
Preimage resistance, 89
Private-key encryption, 27, 35, 51
Probabilistic signature scheme (PSS), 171
Pseudorandom generator, 30
Pseudorandomness, 29
Public-key encryption, 117

QC-MDPC code, 455
QC-MDPC McEliece cryptosystem, 454, 456
QC-MDPC McEliece implementation, 466
Quasi-cyclic code, 455

Random oracle model (ROM), 20
Rank, see Lattice
Reduction, 19
  Lossy reduction, 201
  Tight reduction, 200, 299
Replay attack, 69
Ring, 112
RSA encryption implementation, 466
RSA problem, 134
RSA-OAEP encryption, 144

Searching method, 303
Second preimage resistance, 89
Secret sharing, 371
  Blakley’s secret sharing, 375
  Shamir’s secret sharing, 372
Secret sharing scheme, 351
Security definition (or notion), 17
Selective unforgeability (SUF), 15
Self-decryption paradox, 304
Semantic security, 14, 187, 343
Sequence of games, 22
Shamir’s secret sharing, see Secret sharing
Shortest vector problem (SVP), 415
Smart contract, 176
Splicing attack, 76
SSL (Secure Socket Layer)/TLS (Transport Layer Security), 469
Static assumption, 227
Stream cipher, 35
Subgroup, 111
Subset Difference (SD) method, 330
Subset-Cover algorithm, 325
Syndrome decoding, see Types of decoding
Syndrome decoding problem (SDP), 445

Types of codes, 441
  Cyclic code, 442
  Generalized Reed-Solomon (GRS) code, 442
  Goppa code, 443
  Hamming code, 441
Types of decoding, 439
  Maximum-likelihood decoding, 439
  Minimum-distance decoding, 439
  Syndrome decoding, 440

Unbreakability (UBK), 14, 15
Universal unforgeability (UUF), 15

Waters’ HIBE, 269
Waters’ IBE, 235