Abstract
In this paper, we constructed a non-interactive group key exchange protocol (GNIKE) with flexibility, i.e., the number of participants in the GNIKE is not predefined. Moreover, our GNIKE construction is only based on multilinear map and conventional cryptographic building blocks. The security proof of our GNIKE is in the standard model and relies on an n-exponent multilinear DDH assumption.
Notes
1. If i = 1, then \(\textsf{GPK}_i = \textsf{GPK}_1 = \{\textsf{ID}_t, pk_{\textsf{ID}_t}\}\) for \(t \in \{2, \ldots , n\}\).
2. \(\textsf{GPK}_{\hat{A}_i}\) is defined in Sect. 3.1, i.e. \(\textsf{GPK}_{\hat{A}_i} = (ID_{\hat{A}_1},pk_{ID_{\hat{A}_1}}, \ldots ,ID_{\hat{A}_{i-1}},pk_{ID_{\hat{A}_{i-1}}}, ID_{\hat{A}_{i+1}},pk_{ID_{\hat{A}_{i+1}}},\ldots ,ID_{\hat{A}_{n^*}},pk_{ID_{\hat{A}_{n^*}}})\).
3. Notice that \(p(t_{\textsf{ID}_{\mathcal {A} _i}}) \ne 0\).
4. If \(i = 1\), the shared key is computed as \(\textsf{nMAP}((g^a)^{x_{\textsf{ID}_{\mathcal {A} _1}}},\ldots , Z_{\textsf{ID}_{\mathcal {A} _{l_1}}},Z_{\textsf{ID}_{H_{1}}},\ldots ,Z_{\textsf{ID}_{H_{i-1}}},Z_{\textsf{ID}_{H_{i+1}}},\ldots ,Z_{\textsf{ID}_{H_{l_2}}},S)^{\alpha _i}\).
5. If \(i = 1\), the shared key is computed as \(\textsf{nMAP}((g^a)^{x_{\textsf{ID}_{\mathcal {A} _1}}},Z_{\textsf{ID}_{\mathcal {A} _{i+1}}},\ldots ,Z_{\textsf{ID}_{\mathcal {A} _{l_1}}},Z_{\textsf{ID}_{H_{1}}},\ldots ,Z_{\textsf{ID}_{H_{i-1}}}, Z_{\textsf{ID}_{H_{i+1}}},\ldots ,Z_{\textsf{ID}_{H_{l_2}}},\underbrace{\varPhi ,\ldots ,\varPhi }_{{(n - n^*) \varPhi }}, S)^{\alpha _i}\).
References
Abdalla, M., Chevalier, C., Manulis, M., Pointcheval, D.: Flexible group key exchange with on-demand computation of subgroup keys. In: Bernstein, D.J., Lange, T. (eds.) AFRICACRYPT 2010. LNCS, vol. 6055, pp. 351–368. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-12678-9_21
Barak, B.: On the (Im)possibility of obfuscating programs. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 1–18. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44647-8_1
Boneh, D., Silverberg, A.: Applications of multilinear forms to cryptography (2002)
Boneh, D., Wu, D.J., Zimmerman, J.: Immunizing multilinear maps against zeroizing attacks. IACR Cryptology ePrint Archive 2014/930 (2014)
Dai, Y., Lee, J., Mennink, B., Steinberger, J.: The security of multiple encryption in the ideal cipher model. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014. LNCS, vol. 8616, pp. 20–38. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-44371-2_2
Cheon, J.H., Lee, C., Ryu, H.: Cryptanalysis of the new CLT multilinear maps. IACR Cryptology ePrint Archive 2015/934 (2015)
Coron, J.-S., Lepoint, T., Tibouchi, M.: Practical multilinear maps over the integers. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8042, pp. 476–493. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40041-4_26
Diffie, W., Hellman, M.: New directions in cryptography. IEEE Trans. Inf. Theory 22(6), 644–654 (1976)
Freire, E.S.V., Hofheinz, D., Kiltz, E., Paterson, K.G.: Non-interactive key exchange. In: Kurosawa, K., Hanaoka, G. (eds.) PKC 2013. LNCS, vol. 7778, pp. 254–271. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-36362-7_17
Freire, E.S.V., Hofheinz, D., Paterson, K.G., Striecks, C.: Programmable hash functions in the multilinear setting. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8042, pp. 513–530. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40041-4_28
Garg, S., Gentry, C., Halevi, S.: Candidate multilinear maps from ideal lattices. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 1–17. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38348-9_1
Garg, S., Gentry, C., Halevi, S., Raykova, M., Sahai, A., Waters, B.: Candidate indistinguishability obfuscation and functional encryption for all circuits. SIAM J. Comput. 45(3), 882–929 (2016)
Garg, S., Gentry, C., Halevi, S., Sahai, A., Waters, B.: Attribute-based encryption for circuits from multilinear maps. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8043, pp. 479–499. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40084-1_27
Gay, R., Pass, R.: Indistinguishability obfuscation from circular security. In: Proceedings of the 53rd Annual ACM SIGACT Symposium on Theory of Computing, pp. 736–749 (2021). https://doi.org/10.1145/3406325.3451070
Hofheinz, D., Jager, T., Khurana, D., Sahai, A., Waters, B., Zhandry, M.: How to generate and use universal samplers. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10032, pp. 715–744. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53890-6_24
Hu, Y., Jia, H.: Cryptanalysis of GGH map. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9665, pp. 537–565. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49890-3_21
Jain, A., Lin, H., Sahai, A.: Indistinguishability obfuscation from well-founded assumptions. In: Proceedings of the 53rd Annual ACM SIGACT Symposium on Theory of Computing, pp. 60–73 (2021)
Katz, J., Yung, M.: Scalable protocols for authenticated group key exchange. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 110–125. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-45146-4_7
Khurana, D., Rao, V., Sahai, A.: Multi-party key exchange for unbounded parties from indistinguishability obfuscation. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015. LNCS, vol. 9452, pp. 52–75. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48797-6_3
Krawczyk, H., Rabin, T.: Chameleon signatures. In: ISOC Network and Distributed System Security Symposium (NDSS 2000). The Internet Society (2000)
Langlois, A., Stehlé, D., Steinfeld, R.: GGHLite: more efficient multilinear maps from ideal lattices. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 239–256. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-55220-5_14
Li, Y., Yang, Z.: Strongly secure one-round group authenticated key exchange in the standard model. In: Abdalla, M., Nita-Rotaru, C., Dahab, R. (eds.) CANS 2013. LNCS, vol. 8257, pp. 122–138. Springer, Cham (2013). https://doi.org/10.1007/978-3-319-02937-5_7
Lin, H.: Indistinguishability obfuscation from SXDH on 5-linear maps and locality-5 PRGs. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10401, pp. 599–629. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63688-7_20
Lin, H., Tessaro, S.: Indistinguishability obfuscation from trilinear maps and block-wise local PRGs. Cryptology ePrint Archive, Report 2017/250 (2017). https://doi.org/10.1007/978-3-319-63688-7_21, https://eprint.iacr.org/2017/250
Lin, H., Vaikuntanathan, V.: Indistinguishability obfuscation from DDH-like assumptions on constant-degree graded encodings. Cryptology ePrint Archive, Report 2016/795 (2016). https://eprint.iacr.org/2016/795
Paneth, O., Sahai, A.: On the equivalence of obfuscation and multilinear maps. IACR Cryptology ePrint Archive 2015/791 (2015)
Park, S., Lee, K., Lee, D.H.: New constructions of revocable identity-based encryption from multilinear maps. IEEE Trans. Inf. Forensics Secur. 10(8), 1564–1577 (2015)
Pass, R., Seth, K., Telang, S.: Indistinguishability obfuscation from semantically-secure multilinear encodings. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014. LNCS, vol. 8616, pp. 500–517. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-44371-2_28
Rao, V.: Adaptive multiparty non-interactive key exchange without setup in the standard model. IACR Cryptology ePrint Archive 2014/910 (2014)
Shoup, V.: Sequences of games: a tool for taming complexity in security proofs (2004)
Yamakawa, T., Yamada, S., Hanaoka, G., Kunihiro, N.: Self-bilinear map on unknown order groups from indistinguishability obfuscation and its applications. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014. LNCS, vol. 8617, pp. 90–107. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-44381-1_6
Appendices
A Intractability Analysis of n-Exponent Multilinear Diffie-Hellman Assumption
To analyze the intractability of the n-exponent multilinear Diffie-Hellman assumption, we relate it to the n-multilinear decisional Diffie-Hellman problem, which is claimed to be hard [10, 22]. This \(\textsf{nMDDH}\) problem is restated below in our notation.
Definition 8
The n-multilinear decisional Diffie-Hellman (\(\textsf{nMDDH}\)) problem is \((t,\epsilon _{\textsf{nMDDH}})\)-hard in \(\textsf{GP}= (\mathbb {G}, \mathbb {G}_T, p, \textsf{nMAP}, g)\) with multilinear map \(\textsf{nMAP}\), if for all adversaries running in probabilistic polynomial time t, it holds that
where \((g, a, R) {\mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}}\mathbb {G}\times \mathbb {Z}_p \times \mathbb {G}_T\).
The following lemma reduces the hardness of \(\textsf{nEMDDH}\) to that of \(\textsf{nMDDH}\), with no loss in either running time or advantage.
Lemma 1
If the \(\textsf{nMDDH}\) problem is \((t,\epsilon _{\textsf{nMDDH}})\)-hard in \(\textsf{GP}\), then the n-Exponent multilinear decisional Diffie-Hellman (\(\textsf{nEMDDH}\)) problem is \((t_e,\epsilon _{\textsf{nEMDDH}})\)-hard in \(\textsf{GP}\), where \(t_e \approx t\), \(\epsilon _{\textsf{nMDDH}} = \epsilon _{\textsf{nEMDDH}}\).
Proof
Let \(\mathcal {A}_{\textsf{nEMDDH}}\) be a \({\textsf{nEMDDH}}\) adversary. We show how to construct another adversary \(\mathcal {B}\) against the \(\textsf{nMDDH}\) problem instance \((\mathbb {G}, \mathbb {G}_T, p, \textsf{nMAP}, g, g^a, R)\), with \(R = \textsf{nMAP}(g,g)^{a^{n+1}}\) or \(R {\mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}}\mathbb {G}_T\).
After receiving its own challenge, \(\mathcal {B}\) first chooses \(c {\mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}}\mathbb {Z}_p\), implicitly sets \(b = a\cdot c\), and then computes \(g^b = (g^a)^c\) and \(R' = R^c\).
\(\mathcal {B}\) outputs whatever \(\mathcal {A}_{\textsf{nEMDDH}}\) outputs on \((\mathbb {G}, \mathbb {G}_T, p, \textsf{nMAP}, g, g^a, g^b, R')\).
It is obvious that \(\mathcal {B} \) runs in time \(t_e \approx t\), if the exponentiation is efficient in \(\textsf{GP}\).
Note that since c is uniformly random in \(\mathbb {Z}_p\), so is \(g^b = (g^a)^c\) in \(\mathbb {G}\). Moreover, if \(R = \textsf{nMAP}(g,g)^{a^{n+1}} = \textsf{nMAP}(g,g)^{a^{n}a} \), then \(R' = R^c = (\textsf{nMAP}(g,g)^{a^{n}a})^c = \textsf{nMAP}(g,g)^{a^{n}\cdot ac} = \textsf{nMAP}(g,g)^{a^{n}\cdot b} \). Otherwise, \(R'\) remains uniformly random in \(\mathbb {G}_T\). Therefore, \(\mathcal {B}\) has generated a perfectly distributed \({\textsf{nEMDDH}}\) instance for \(\mathcal {A}_{\textsf{nEMDDH}}\), and \(\epsilon _{\textsf{nMDDH}} = \epsilon _{\textsf{nEMDDH}}\).
B Cases in Game 2 in the Proof of Theorem 1
In game 2, we prove the claim by constructing an \(\textsf{nEMDDH}\) adversary \(\mathcal {B} \) with advantage \(\epsilon \) that calls \(\mathcal {A} \) as a sub-procedure. Let \((g, g^a, g^b, R) \in \mathbb {G}^3 \times \mathbb {G}_T\) be \(\mathcal {B} \)'s input, where \(a, b \in \mathbb {Z}_p\). \(\mathcal {B} \)'s goal is to decide whether \(\textsf{nMAP}(g, \ldots , g )^{a^nb} = R\). To set up the \(\textsf{GNIKE}\) instance, \(\mathcal {B} \), acting as the challenger, runs \(\mathsf {GNIKE.Setup}(1^\kappa )\) to generate the system parameters, including a chameleon key pair \(\textsf{CHAMKey}=(\textsf{p}, \mathsf {\tau })\) and the groups \(\textsf{MG}\) equipped with the \(\textsf{nMultilinear}\) map. It then randomly selects \(s_{\hat{A}_1}, \ldots , s_{\hat{A}_n} {\mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}}\{0, 1\}^*\) and \(r_{\hat{A}_1}, \ldots , r_{\hat{A}_n} {\mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}}\mathbb {R}_{\textsf{CH}}\).
Let \(p(t) = \prod ^n_{i=1}(t-t_{\hat{A}_i}) = \sum ^{n}_{i=0} p_{i}t^i = p_{0} + p_{1}{t} + \ldots + p_{n}{t^n}\) be a polynomial of degree n over \(\mathbb {Z}_p\), where \(t_{\hat{A}_i} := \textsf{H}_{\textsf{p}}(s_{\hat{A}_i}, r_{\hat{A}_i})\). Next, a polynomial \(q(t) = \sum ^{n}_{i=0} q_{i}t^i = q_{0} + q_{1}{t} + \ldots + q_{n}{t^n}\) of degree n is selected uniformly at random over \(\mathbb {Z}_p\). \(\mathcal {B} \) then selects \(\gamma _1, \gamma _2\) uniformly in \( \mathbb {Z}^*_p\) and sets \(\varPhi = (g^a)^{\gamma _1}g^{\gamma _2}\), \(u_{i}=(g^{a})^{p_i}g^{q_{i}}\) for \(0 \le i \le n\), and \(S = g^b\). Since \(q_{i} {\mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}}\mathbb {Z}^*_p\), each \(u_{i}\) is uniformly distributed in \(\mathbb {G}\). Observe that \(u_{0}\,u_{1}^{t}\cdots u_{n}^{t^n} = (g^{a})^{p(t)}g^{q(t)}\), and that \(p(t_{\hat{A}_i}) = 0\) for every \(t_{\hat{A}_i}\) chosen above. \(\mathcal {B} \) then returns the public parameters \((\textsf{MG},\{u_i\}_{0 \le i\le n}, \varPhi , S, \textsf{p})\) to \(\mathcal {A} \) to finish the setup phase. Thereafter, \(\mathcal {B} \) answers the queries from \(\mathcal {A} \) as follows.
- \(\textsf{RegisterHonestUID}(\textsf{ID}_{\hat{A}_i})\): \(\mathcal {A} \) supplies an identity \(\textsf{ID}_{\hat{A}_i}\) (\(i \in [n]\)) to be registered as honest. To answer this query, \(\mathcal {B} \) selects \(\alpha _i, \beta _i {\mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}}\mathbb {Z}_p\) and computes \(Z_{\hat{A}_i} = (g^a)^{\alpha _i}g^{\beta _i}\). With the trapdoor key \(\mathsf {\tau }\), \(\mathcal {B} \) can extract \(r_{\hat{A}_{i, ch}}\) such that
  $$\textsf{H}_{\textsf{p}}(Z_{\textsf{ID}_{\hat{A}_i}} || \textsf{ID}_{\hat{A}_i}, r_{\hat{A}_{i, ch}}) = \textsf{H}_{\textsf{p}} (s_{\hat{A}_i}, r_{\hat{A}_i}) = t_{\hat{A}_i}. $$
  \(\mathcal {B} \) then computes, using \(p(t_{\hat{A}_i}) = 0\), \(X_{\textsf{ID}_{\hat{A}_i}} = [(g^{a})^{p(t_{\hat{A}_i})}g^{q(t_{\hat{A}_i})}]^{a\alpha _i+\beta _i} = [(g^{a})^{0}g^{q(t_{\hat{A}_i})}]^{a\alpha _i+\beta _i} = (g^{q(t_{\hat{A}_i})})^{a\alpha _i+\beta _i} = (g^a)^{\alpha _iq(t_{\hat{A}_i})}g^{\beta _iq(t_{\hat{A}_i})}\), which requires only \(g^a\) and not a itself. Finally, \(\mathcal {B} \) returns the public key \(pk_{\textsf{ID}_{\hat{A}_i}} = (Z_{\hat{A}_i}, X_{\hat{A}_i}, r_{\hat{A}_{i, ch}})\) to \(\mathcal {A} \).
- \(\textsf{RegisterCorruptUID}(\textsf{ID}_{\mathcal {A} _i},pk_{\textsf{ID}_{\mathcal {A} _i}})\): Upon receiving a public key \(pk_{\textsf{ID}_{\mathcal {A} _i}}\) and an identity \(\textsf{ID}_{\mathcal {A} _i}\) from \(\mathcal {A} \), \(\mathcal {B} \) registers the public key \(pk_{\textsf{ID}_{\mathcal {A} _i}}\) as corrupt if \(\textsf{ID}_{\mathcal {A} _i}\) has not been registered before.
- \(\textsf{RevealCorruptKey}\): \(\mathcal {A} \) supplies two sets of identities \(IDS_{\mathcal {A}}\) and \(IDS_{H}\): \(IDS_{\mathcal {A}} = \{ \textsf{ID}_{\mathcal {A} _1}, \ldots , \textsf{ID}_{\mathcal {A} _{l_1}} \}\), denoted here as corrupt, and \(IDS_{H} = \{\textsf{ID}_{H_1}, \ldots , \textsf{ID}_{H_{l_2}}\}\), denoted as honest, with \(l_1 + l_2 = n^*\).
  - Case 1 (\(n^* = n\)), where n is the upper bound on the size of the group: For this query at least one of the identities supplied by \(\mathcal {A} \) was registered as honest (\(1 \le l_2 < n\)), and all identities supplied by \(\mathcal {A} \) must be distinct. \(\mathcal {B} \) then checks the public key of every corrupt identity in \(IDS_{\mathcal {A}}\) using the multilinear equations to confirm that \(pk_{\textsf{ID}_{\mathcal {A} _i}}\) is of the form \((Z_{\textsf{ID}_{\mathcal {A} _i}}, X_{\textsf{ID}_{\mathcal {A} _i}}, r_{\textsf{ID}_{\mathcal {A} _i}})\), where \(Z_{\textsf{ID}_{\mathcal {A} _i}} = g^{a_{\textsf{ID}_{\mathcal {A} _i}}}\) and \(X_{\textsf{ID}_{\mathcal {A} _i}} = Y_{\textsf{ID}_{\mathcal {A} _i}}^{a_{\textsf{ID}_{\mathcal {A} _i}}} = [(g^a)^{p(t_{\textsf{ID}_{\mathcal {A} _i}})}g^{q(t_{\textsf{ID}_{\mathcal {A} _i}})}]^{a_{\textsf{ID}_{\mathcal {A} _i}}}\). If the check fails, \(\mathcal {B} \) rejects this query. Otherwise \(\mathcal {B} \) computes the corresponding shared key \(K_{IDS_{\mathcal {A}},IDS_{H}}\) as follows:
    - \(t_{\textsf{ID}_{\mathcal {A} _i}} = \textsf{H}_{\textsf{p}}(Z_{\textsf{ID}_{\mathcal {A} _i}} || \textsf{ID}_{\mathcal {A} _i}, r_{\textsf{ID}_{\mathcal {A} _i}})\) for \(i \in [l_1]\);
    - compute \(p(t_{\textsf{ID}_{\mathcal {A} _i}})\) and \(q(t_{\textsf{ID}_{\mathcal {A} _i}})\) using the polynomials p(t) and q(t) (Footnote 3);
    - recover \((g^a)^{a_{\textsf{ID}_{\mathcal {A} _i}}}\) from the corrupt public key, which is possible because \(p(t_{\textsf{ID}_{\mathcal {A} _i}})\) is invertible:
      $$\{[X_{\textsf{ID}_{\mathcal {A} _i}}]/ [Z_{\textsf{ID}_{\mathcal {A} _i}}^{q(t_{\textsf{ID}_{\mathcal {A} _i}})}]\}^{p(t_{\textsf{ID}_{\mathcal {A} _i}})^{-1}} = \{[(g^a)^{p(t_{\textsf{ID}_{\mathcal {A} _i}})}g^{q(t_{\textsf{ID}_{\mathcal {A} _i}})}]^{a_{\textsf{ID}_{\mathcal {A} _i}}}/ [(g^{a_{\textsf{ID}_{\mathcal {A} _i}}})^{q(t_{\textsf{ID}_{\mathcal {A} _i}})}]\}^{p(t_{\textsf{ID}_{\mathcal {A} _i}})^{-1}} = (g^a)^{a_{\textsf{ID}_{\mathcal {A} _i}}};$$
    - fold the honest exponent \(a\alpha _i + \beta _i\) into the corrupt element:
      $$Z_{\textsf{ID}_{\mathcal {A} _{i}}}^* = [(g^a)^{a_{\textsf{ID}_{\mathcal {A} _i}}}]^{\alpha _i} (Z_{\textsf{ID}_{\mathcal {A} _i}})^{\beta _i} = (g^a)^{a_{\textsf{ID}_{\mathcal {A} _i}}{\alpha _i}} (g^{a_{\textsf{ID}_{\mathcal {A} _i}}})^{\beta _i} = (g^{a_{\textsf{ID}_{\mathcal {A} _i}}})^{({a \alpha _i} + {\beta _i})} = Z_{\textsf{ID}_{\mathcal {A} _i}}^{({a \alpha _i} + {\beta _i})};$$
    - the shared key \(K_{IDS_{\mathcal {A}},IDS_{H}}\) (Footnote 4) is
      $$\begin{aligned} \textsf{nMAP}(&Z_{\textsf{ID}_{\mathcal {A} _1}},\ldots ,Z_{\textsf{ID}_{\mathcal {A} _{i-1}}},Z_{\textsf{ID}_{\mathcal {A} _{i}}}^*,\\&Z_{\textsf{ID}_{\mathcal {A} _{i+1}}}, \ldots ,Z_{\textsf{ID}_{\mathcal {A} _{l_1}}},Z_{\textsf{ID}_{H_{1}}},\ldots ,Z_{\textsf{ID}_{H_{i-1}}},Z_{\textsf{ID}_{H_{i+1}}},\ldots ,Z_{\textsf{ID}_{H_{l_2}}},S). \end{aligned}$$
  - Case 2 (\( 2 \le n^* < n\)): \(\mathcal {B} \) proceeds as in Case 1, except that it first inserts \(\varPhi \) as padding (\(n - n^*\)) times into the \(\textsf{nMAP}\) evaluation and then computes the corresponding shared key \(K_{IDS_{\mathcal {A}},IDS_{H}}\) as follows:
    - the shared key \(K_{IDS_{\mathcal {A}},IDS_{H}}\) (Footnote 5) is computed as
      $$\begin{aligned} \textsf{nMAP}(&\ldots ,Z_{\textsf{ID}_{\mathcal {A} _{i-1}}},Z_{\textsf{ID}_{\mathcal {A} _{i}}}^*,Z_{\textsf{ID}_{\mathcal {A} _{i+1}}},\ldots ,Z_{\textsf{ID}_{\mathcal {A} _{l_1}}},Z_{\textsf{ID}_{H_{1}}},\ldots ,Z_{\textsf{ID}_{H_{i-1}}},\\&Z_{\textsf{ID}_{H_{i+1}}},\ldots ,Z_{\textsf{ID}_{H_{l_2}}},\underbrace{\varPhi ,\ldots ,\varPhi }_{{(n - n^*) }}, S). \end{aligned}$$
- \(\textsf{Test}\): Assume \(R =\textsf{nMAP}(g,\ldots ,g)^{a^n b}\). \(\mathcal {A} \) supplies \(n^*\) identities (\(\textsf{ID}_i, i \in [n^*]\)) that were registered as honest.
  - Case 1 (\(n^* = n\)): \(\mathcal {B} \) computes
    $$\begin{aligned} K_b&= \textsf{nMAP}(g, \ldots , g)^{(\varPi _{i=1}^{n^*}(a\alpha _i+\beta _i))b} \\&= \textsf{nMAP}(g, \ldots , g)^{(\sum _{k=0}^{n^*}\psi _k a^k)b} \\&= \textsf{nMAP}(g, \ldots , g)^{(a^nb\varPi \alpha _i)+(\sum _{k=0}^{(n^*-1)}\psi _k a^k)b} \\&= R^{\varPi \alpha _i} \textsf{nMAP}(g, \ldots , g)^{\sum _{k=0}^{(n^*-1)}(\psi _k a^k)b}, \end{aligned}$$
    and returns \(K_b\) to \(\mathcal {A} \).
  - Case 2 (\( 2 \le n^* < n\)): \(\mathcal {B} \) computes
    $$\begin{aligned} K_b&=\textsf{nMAP}(g, \ldots , g)^{(\varPi _{i=1}^{n^*}(a\alpha _i+\beta _i))\overbrace{(\varPi _{i=(n^*+1)}^{n}(a\gamma _1 + \gamma _2))}^{\varPhi \ padding} b} \\&=\textsf{nMAP}(g, \ldots , g)^{(\sum _{k=0}^{n}\psi _k a^k)b}\\&= \textsf{nMAP}(g, \ldots , g)^{(a^nb\psi _n)+(\sum _{k=0}^{(n-1)}\psi _k a^k)b}\\&= R^{\psi _n} \textsf{nMAP}(g, \ldots , g)^{\sum _{k=0}^{(n-1)}(\psi _k a^k)b}, \end{aligned}$$
    and returns \(K_b\) to \(\mathcal {A} \).
- Finally, when \(\mathcal {A} \) terminates by outputting a bit b, \(\mathcal {B} \) returns the same bit to the \(\textsf{nEMDDH}\) challenger.

In each case of the \(\textsf{Test}\) query, the right-hand side of the last equality is what \(\mathcal {B} \) actually computes to obtain \(K_b\): every factor \(\textsf{nMAP}(g, \ldots , g)^{a^k b}\) with \(k \le n-1\) is available from \(g^a\) and \(S = g^b\), and only the \(a^n b\) term needs R. By the preceding equalities, \(\mathcal {B} \) obtains the real shared key if \(R = \textsf{nMAP}(g,\ldots , g)^{a^n b}\) holds, using the known values R, \(\alpha _i\), \(\beta _i\), \(\gamma _1\) and \(\gamma _2\). This is exactly game \(\mathsf {G^{}_{1}}\). On the other hand, if R is random, \(\mathcal {B} \) outputs an independent random value in \(\mathbb {G}_T\). This is exactly game \(\mathsf {G^{}_{2}}\).
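The simulation in Lemma 1 and Appendix B is pure exponent algebra, so its identities can be checked mechanically. The Python script below is an added example, not code from the paper or its authors: it represents every group element by its discrete logarithm, so the "multilinear map" is simply a product of exponents (it has no security and exists only to check the bookkeeping), and it plays \(\mathcal {B}\)'s role for the rerandomisation of Lemma 1 and for the RegisterHonestUID, RegisterCorruptUID, RevealCorruptKey (Cases 1 and 2) and Test answers above, confirming that the values \(\mathcal {B}\) derives from \(g^a\), \(g^b\) and R coincide with the honestly computed ones. The prime, n, the seed, the identity strings and the Krawczyk-Rabin-style chameleon hash are constructed for this check; the function and variable names are the example's own.

```python
"""Toy check of the simulator algebra in Lemma 1 and Appendix B (added example,
not the paper's code). Group elements are represented by their discrete logs
mod the prime P: g^e is the integer e, multiplying elements adds exponents, and
nMAP(g^e1, ..., g^en) = nMAP(g, ..., g)^(e1*...*en) multiplies the exponents.
This "map" leaks every discrete log and has no security; it only checks that
B's simulated values equal the honestly computed ones. P, N, the seed, the
identity strings and the chameleon hash are constructed for this check."""
import hashlib
import random
from functools import reduce

P = (1 << 61) - 1           # prime group order (constructed)
N = 4                       # multilinearity n = upper bound on the group size
rng = random.Random(2022)   # fixed seed so the check is reproducible
rnd = lambda: rng.randrange(1, P)
prod = lambda xs: reduce(lambda x, y: x * y % P, xs, 1)

# Toy chameleon hash in the exponent model: H_p(m, r) = g^{h(m)} y^r with
# y = g^TAU, i.e. exponent h(m) + TAU*r; TAU plays the trapdoor tau.
TAU = rnd()
h = lambda m: int.from_bytes(hashlib.sha256(m).digest(), "big") % P

def cham_hash(m: bytes, r: int) -> int:
    return (h(m) + TAU * r) % P

def cham_collide(m_new: bytes, target: int) -> int:
    """Trapdoor collision: r_ch with cham_hash(m_new, r_ch) == target."""
    return ((target - h(m_new)) * pow(TAU, -1, P)) % P

def poly_mul(f, g):
    """Product of polynomials over Z_P, coefficients lowest degree first."""
    out = [0] * (len(f) + len(g) - 1)
    for i, fi in enumerate(f):
        for j, gj in enumerate(g):
            out[i + j] = (out[i + j] + fi * gj) % P
    return out

def poly_eval(f, t):
    return sum(c * pow(t, k, P) for k, c in enumerate(f)) % P

def run_checks(l1=1):
    """Play B for one RevealCorruptKey and one Test query; l1 corrupt and
    N - l1 honest parties (1 <= l1 <= N-2) form the Case 1 group."""
    a, b = rnd(), rnd()                          # nEMDDH challenge exponents
    R = pow(a, N, P) * b % P                     # "real" R = nMAP(g..g)^{a^n b}
    chk = {}
    # Lemma 1: from nMDDH's R = nMAP(g,g)^{a^{n+1}} and c, set b' = a*c, R' = R^c
    c = rnd()
    chk["lemma1"] = pow(a, N + 1, P) * c % P == pow(a, N, P) * (a * c) % P

    # Setup: t_i = H_p(s_i, r_i), p(t) = prod(t - t_i), random q(t), u_i, Phi
    t = [cham_hash(f"s-{i}".encode(), rnd()) for i in range(N)]
    p_poly = reduce(poly_mul, ([(-ti) % P, 1] for ti in t), [1])
    q_poly = [rnd() for _ in range(N + 1)]
    u = [(a * p_poly[i] + q_poly[i]) % P for i in range(N + 1)]
    Y = lambda tt: poly_eval(u, tt)             # u_0 u_1^t ... u_n^{t^n}
    chk["Y_identity"] = all(
        Y(ti) == (a * poly_eval(p_poly, ti) + poly_eval(q_poly, ti)) % P for ti in t)
    gam1, gam2 = rnd(), rnd()
    phi = (a * gam1 + gam2) % P

    # RegisterHonestUID: Z = (g^a)^alpha g^beta, r_ch via the trapdoor, and X
    # built from g^a alone, which works because p(t_i) = 0 for honest t_i
    honest, ok_coll, ok_pk = [], True, True
    for i in range(l1, N):
        al, be = rnd(), rnd()
        Z = (a * al + be) % P
        msg = f"{Z}||ID-{i}".encode()
        r_ch = cham_collide(msg, t[i])
        ok_coll &= cham_hash(msg, r_ch) == t[i]
        qi = poly_eval(q_poly, t[i])
        ok_pk &= (a * (al * qi) + be * qi) % P == Y(t[i]) * Z % P
        honest.append((al, be, Z))
    chk["collision"], chk["honest_pk"] = ok_coll, ok_pk

    # RegisterCorruptUID: adversary-chosen x, pk = (Z = g^x, X = Y(t_x)^x, r)
    corrupt = []
    for i in range(l1):
        x, r = rnd(), rnd()
        tx = cham_hash(f"{x}||corrupt-{i}".encode(), r)
        corrupt.append((x, tx, Y(tx) * x % P))
    chk["footnote3"] = all(poly_eval(p_poly, tx) != 0 for _, tx, _ in corrupt)

    # RevealCorruptKey, Case 1: recover (g^a)^x from X, fold alpha, beta into Z*
    x0, tx0, X0 = corrupt[0]
    ga_x = (X0 - x0 * poly_eval(q_poly, tx0)) * pow(poly_eval(p_poly, tx0), -1, P) % P
    chk["extract"] = ga_x == a * x0 % P
    al, be, _ = honest[0]
    Z_star = (ga_x * al + x0 * be) % P           # = Z^{a alpha + beta}
    xs, Zs = [x for x, _, _ in corrupt], [Z for _, _, Z in honest]
    chk["case1_key"] = prod(xs + Zs + [b]) == prod([Z_star] + xs[1:] + Zs[1:] + [b])
    # Case 2: one honest party fewer, one Phi as padding (n - n* = 1)
    chk["case2_key"] = (prod(xs + Zs[:-1] + [phi, b])
                        == prod([Z_star] + xs[1:] + Zs[1:-1] + [phi, b]))

    # Test, Case 1: prod(a alpha_i + beta_i) = sum psi_k a^k; only a^n b needs R
    al_be = [(rnd(), rnd()) for _ in range(N)]
    psi = reduce(poly_mul, ([be, al] for al, be in al_be), [1])
    K_sim = (R * psi[N] + b * sum(psi[k] * pow(a, k, P) for k in range(N))) % P
    K_real = prod([(a * al + be) % P for al, be in al_be]) * b % P
    chk["test_query"] = K_sim == K_real and psi[N] == prod([al for al, _ in al_be])
    return chk
```

Calling `run_checks()` returns a dictionary in which every entry should be `True`; `footnote3` is the event that the corrupt identity's hash is not a root of p(t), which holds with overwhelming probability over the random r. The exponent model deliberately hides what a real reduction must respect, namely that \(\mathcal {B}\) never uses a or b except through \(g^a\), \(g^b\) and R; the comments mark the places where the script mirrors that restriction (X and \(Z^*\) are formed from \(g^a\) by exponentiation, and in the Test query R is the only source of the \(a^n b\) term).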
© 2022 Springer Nature Switzerland AG
Duan, L., Li, Y., Liao, L. (2022). Flexible Group Non-interactive Key Exchange in the Standard Model. In: Ryan, P.Y., Toma, C. (eds) Innovative Security Solutions for Information Technology and Communications. SecITC 2021. Lecture Notes in Computer Science, vol 13195. Springer, Cham. https://doi.org/10.1007/978-3-031-17510-7_15
DOI: https://doi.org/10.1007/978-3-031-17510-7_15
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-17509-1
Online ISBN: 978-3-031-17510-7