Generic transformation from broadcast encryption to round-optimal deniable ring authentication

Abstract

Deniable ring authentication enables a prover in some group (called a ring) to authenticate a message to a verifier using its secret key while at the same time allowing the prover to deny ever having interacted with the verifier. This primitive furthermore guarantees the anonymity of the prover in the sense that the verifier will learn nothing about the prover’s identity except that it is included in the ring. In this work, we propose a new generic construction of two-round concurrently deniable ring authentication in the random oracle model. Our generic construction is based on any \(\text {IND-CPA}\) secure broadcast encryption (BE) scheme. Instantiating the underlying \(\text {IND-CPA}\) secure BE scheme with the schemes proposed by Agrawal and Yamada (EUROCRYPT 2020) or Agrawal, Wichs, and Yamada (TCC 2020), we obtain the first two-round concurrently deniable ring authentication scheme with optimal efficiency in an asymptotic sense. Here, by optimal efficiency, we mean that all of the sizes of a public parameter and secret keys, the communication costs, and the number of pairing operations are independent of n, where n is the number of users in a ring. In addition to these main instantiations, through our generic construction, we further obtain various two-round concurrently deniable ring authentication schemes.

Appendices

Appendix A: Definition of collision-resistant hash function

Here, we recall the definition of a collision-resistant hash function. A hash function consists of a pair of PPT algorithms \(\mathsf {CRHF} = (\mathsf {HKG} , \mathsf {Hash} )\). \(\mathsf {HKG} \) is the hash key generation algorithm that, given a security parameter \(1^\lambda \), outputs a hash key \({ hk}\). \(\mathsf {Hash} \) is the (deterministic) hashing algorithm that, given a hash key \({ hk}\) and a string \(x \in \{0,1\}^*\), outputs a hash value h.

Definition 8

(Collision-resistance) We say that \(\mathsf {CRHF} = (\mathsf {HKG} , \mathsf {Hash} )\) is a collision-resistant hash function if for any PPT adversary \(\mathcal {A}\),

$$\begin{aligned} \mathsf{Adv }^{\mathsf {cr} }_{\mathsf {CRHF} , \mathcal {A}}(\lambda ):= & {} \Pr [{ hk}\leftarrow \mathsf {HKG} (1^\lambda ); (x, x^*) \leftarrow \mathcal {A}({ hk}): \\ \mathsf {Hash} ({ hk}, x)= & {} \mathsf {Hash} ({ hk}, x^*) \wedge x \ne x^*] = \mathsf{negl} (\lambda ). \end{aligned}$$

Appendix B: An instantiation of our deniable ring authentication scheme

Here, we give a simple and efficient instantiation of our deniable ring authentication scheme based on an existing BE scheme. Concretely, we present an instantiation based on Gay et al.’s BE scheme [24] under the k-linear assumption. Before describing our instantiation, we introduce some notations for a bilinear group and the k-linear assumption.

Notations for Bilinear Groups Let \(\mathcal {G}\) be a PPT algorithm that, given a security parameter \(1^\lambda \) as input, outputs an asymmetric bilinear group description \((p, \mathbb {G}_1, \mathbb {G}_2, \mathbb {G}_T, P_1, P_2, \mathsf {e} )\), where \(\mathbb {G}_1\), \(\mathbb {G}_2\), and \(\mathbb {G}_T\) are cyclic groups of prime order \(p = \Omega (2^\lambda )\), \(P_i\) are generators of \(\mathbb {G}_i\) for \(i \in \{1, 2\}\), and \(\mathsf {e} \) is a non-degenerate bilinear map. Here, we require that the group operations in \(\mathbb {G}_1\), \(\mathbb {G}_2\), and \(\mathbb {G}_T\) as well as the bilinear map \(\mathsf {e} \) be computable in deterministic polynomial time, and define a generator in \(\mathbb {G}_T\) as \(P_T :=\mathsf {e} (P_1, P_2)\). We use the implicit representation of group elements as in [21]. Specifically, for \(i \in \{1, 2, T\}\) and \(a \in \mathbb {Z}_p\), we define \([a]_i :=aP_i \in \mathbb {G}_i\) as the implicit representation of a in \(\mathbb {G}_i\). Given \([a]_1\) and \([b]_2\), we can efficiently compute \([ab]_T\) using the bilinear map \(\mathsf {e} \). Similarly, for a matrix

$$\begin{aligned} \mathbf {A} = \left( \begin{array}{ccc} a_{1,1} &{} \ldots &{} a_{1,m} \\ \vdots &{} \ddots &{} \vdots \\ a_{n,1} &{} \ldots &{} a_{n,m} \end{array} \right) \in \mathbb {Z}_p^{n \times m}, \end{aligned}$$

we define

$$\begin{aligned}{}[\mathbf {A}]_i :=\left( \begin{array}{ccc} a_{1,1} P_i &{} \ldots &{} a_{1,m} P_i \\ \vdots &{} \ddots &{} \vdots \\ a_{n,1} P_i &{} \ldots &{} a_{n,m} P_i \end{array} \right) \in \mathbb {G}^{n \times m}_i \end{aligned}$$

as the implicit representation of \(\mathbf {A}\) in \(\mathbb {G}_i\). For two matrices \(\mathbf {A} \in \mathbb {Z}_p^{\ell \times m}\) and \(\mathbf {B} \in \mathbb {Z}_p^{m \times n}\), define \(\mathsf {e} ([\mathbf {A}]_1, [\mathbf {B}]_2) :=[\mathbf {A}\mathbf {B}]_T \in \mathbb {G}^{\ell \times m}_T\).

The k-Linear Assumption. Let \(\mathcal {D}_k :=\{\mathbf {A}\}\) be a matrix distribution defined as

$$\begin{aligned} \mathbf {A} = \left( \begin{array}{ccccc} a_1 &{} 0 &{} \ldots &{} 0 &{} 0 \\ 0 &{} a_2 &{} \ldots &{} 0 &{} 0 \\ 0 &{} 0 &{} &{} \ddots &{} 0 \\ \vdots &{} &{} \ddots &{} &{} \vdots \\ 0 &{} 0 &{} \ldots &{} 0 &{} a_k \\ 1 &{} 1 &{} \ldots &{} 1 &{} 1 \end{array} \right) \in \mathbb {Z}_p^{(k+1) \times k}, \end{aligned}$$

where \(a_j \leftarrow \mathbb {Z}_p^*\) for all \(j \in [k]\).

Definition 9

(The k-Linear Assumption) We say that the k-linear assumption holds relative to \(\mathcal {G}\) in \(\mathbb {G}_i\) for \(i \in \{1, 2, T\}\) if for any PPT adversary \(\mathcal {A}\),

$$\begin{aligned} |\Pr [\mathcal {A}(G, [\mathbf {A}]_i, [\mathbf {A}\mathbf {w}]_i) = 1] - \Pr [\mathcal {A}(G, [\mathbf {A}]_i, [\mathbf {u}]_i) = 1]| = \mathsf{negl} (\lambda ), \end{aligned}$$

where the probability is taken over \(G :=(p, \mathbb {G}_1, \mathbb {G}_2, \mathbb {G}_T, P_1, P_2, \mathsf {e} ) \leftarrow \mathcal {G}(1^\lambda )\), \(\mathbf {A} \leftarrow \mathcal {D}_k\), \(\mathbf {w} \leftarrow \mathbb {Z}_p^k\), and \(\mathbf {u} \leftarrow \mathbb {Z}_p^{k+1}\).

We note that the 1-linear assumption corresponds to the SXDH assumption.

Fig. 3

An instantiation of plaintext aware and IND-CCA secure broadcast encryption \(\mathsf {BE} ^{\mathsf {GKW} }_{\mathsf {FO} }\) based on Gay et al.’s scheme [24]

Fig. 4

A simple and efficient instantiation of our deniable ring authentication scheme

An Instantiation of Our Broadcast Encryption Scheme Before providing an instantiation our deniable ring authentication scheme, we give an instantiation of our plaintext aware and \(\text {IND-CCA}\) secure BE scheme with Gay et al’s \(\text {IND-CPA}\) secure BE scheme.

Let \(\mathsf {H} _{\mathcal {RO}}: \{0,1\}^*\rightarrow \mathbb {Z}_p^k\) be a hash function which is modeled as a random oracle. Let \(\mathsf {KDF} : \mathbb {G}_T \rightarrow \{0,1\}^{\lambda + \ell _m}\) be a key derivation function, where \(\ell _m\) is some polynomial in \(\lambda \). Then, an instantiation of our BE scheme \(\mathsf {BE} ^{\mathsf {GKW} }_{\mathsf {FO} } = (\mathsf {Setup} ^{\mathsf {GKW} }_{\mathsf {FO} }, \mathsf {Enc} ^{\mathsf {GKW} }_{\mathsf {FO} }, \mathsf {Dec} ^{\mathsf {GKW} }_{\mathsf {FO} })\) with the plaintext space \(\mathcal {M}= \{0,1\}^{\ell _m}\) and the randomness space \(\mathcal {R}= \{0,1\}^{\lambda }\) for \(\mathsf {Enc} ^{\mathsf {GKW} }_{\mathsf {FO} }\) is described in Fig. 3.

An Instantiation of Our Deniable Ring Authentication Scheme Now, we present the description of an instantiation of our deniable ring authentication scheme by using the above instantiation of our BE scheme based on Gay et al.’s BE scheme. Let \(\mathsf {CRHF} = (\mathsf {HKG} , \mathsf {Hash} )\) be a collision-resistant hash function, where \(\mathsf {Hash} \) has an input space \(\{0,1\}^*\) and the output space \(\{0,1\}^{\ell _h}\), and \(\ell _h\) is some polynomial in \(\lambda \). Let \(\mathsf {H} _{\mathcal {RO}}: \{0,1\}^*\rightarrow \mathbb {Z}_p^k\) be a hash function which is modeled as a random oracle. Let \(\mathsf {KDF} : \mathbb {G}_T \rightarrow \{0,1\}^{\ell _h + 2\lambda }\) be a key derivation function. Then, the description of an instantiation with the message space \(\{0,1\}^{\ell _m}\) using our BE scheme (based on Gay et al.’s scheme) is given in Fig. 4, where \(\ell _m\) is some polynomial in \(\lambda \).

As shown in Fig. 4, we can see that this instantiation is efficient due to the underlying Gay et al.’s BE scheme [24] and our transformation. More precisely, a user secret key consists of \(k + 1\) elements of \(\mathbb {G}_2\) and the communication cost consists of \(2k + 1\) elements of \(\mathbb {G}_1\) and a bit string of length \(\ell _h + 2\lambda \), where k is the parameter of the underlying k-linear assumption.