Mediated Traceable Anonymous Encryption

(1)

HAL Id: inria-00539540

https://hal.inria.fr/inria-00539540

Submitted on 24 Nov 2010

HAL is a multi-disciplinary open access archive for the deposit and dissemination of sci- entific research documents, whether they are pub- lished or not. The documents may come from teaching and research institutions in France or abroad, or from public or private research centers.

L’archive ouverte pluridisciplinaire HAL, est destinée au dépôt et à la diffusion de documents scientifiques de niveau recherche, publiés ou non, émanant des établissements d’enseignement et de recherche français ou étrangers, des laboratoires publics ou privés.

Mediated Traceable Anonymous Encryption

Malika Izabachène, David Pointcheval, Damien Vergnaud

To cite this version:

Malika Izabachène, David Pointcheval, Damien Vergnaud. Mediated Traceable Anonymous Encryp- tion. First International Conference on Cryptology and Information Security (LatinCrypt ’10), Aug 2010, Puebla, Mexico. pp.40–60. �inria-00539540�

(2)

❚❤✐s ✐s t❤❡ ❢✉❧❧ ✈❡rs✐♦♥ ♦❢ t❤❡ ❡①t❡♥❞❡❞ ❛❜str❛❝t ✇❤✐❝❤ ❛♣♣❡❛rs ✐♥ ▲❛t✐♥❝r②♣t ✬✶✵ ✭❛✉❣✉st ✽✲✶✶✱ ✷✵✶✵✱ P✉❡❜❧❛✱ ▼❡①✐❝♦✮

▼✳ ❆❜❞❛❧❧❛ ❛♥❞ P✳ ❇❛rr❡t♦ ❊❞s✳✱ ❙♣r✐♥❣❡r✲❱❡r❧❛❣✱ ▲◆❈❙ ✻✷✶✷✱ ♣❛❣❡s ✹✵✕✻✵✳

▼❡❞✐❛t❡❞ ❚r❛❝❡❛❜❧❡ ❆♥♦♥②♠♦✉s ❊♥❝r②♣t✐♦♥

▼❛❧✐❦❛ ■③❛❜❛❝❤è♥❡¹✱ ❉❛✈✐❞ P♦✐♥t❝❤❡✈❛❧²✱ ❛♥❞ ❉❛♠✐❡♥ ❱❡r❣♥❛✉❞²

1 ❯❱❙◗✱ ❋r❛♥❝❡

2 ❊◆❙✴❈◆❘❙✴■◆❘■❆✱ P❛r✐s✱ ❋r❛♥❝❡

❆❜str❛❝t✳ ❚❤❡ ♥♦t✐♦♥ ♦❢ ❦❡② ♣r✐✈❛❝② ❢♦r ❛s②♠♠❡tr✐❝ ❡♥❝r②♣t✐♦♥ s❝❤❡♠❡s ✇❛s ❢♦r♠❛❧❧② ❞❡✜♥❡❞ ❜② ❇❡❧❧❛r❡✱

❇♦❧❞②r❡✈❛✱ ❉❡s❛✐ ❛♥❞ P♦✐♥t❝❤❡✈❛❧ ✐♥ ✷✵✵✶✿ ✐t st❛t❡s t❤❛t ❛♥ ❡❛✈❡s❞r♦♣♣❡r ✐♥ ♣♦ss❡ss✐♦♥ ♦❢ ❛ ❝✐♣❤❡rt❡①t ✐s ♥♦t ❛❜❧❡

t♦ t❡❧❧ ✇❤✐❝❤ s♣❡❝✐✜❝ ❦❡②✱ ♦✉t ♦❢ ❛ s❡t ♦❢ ❦♥♦✇♥ ♣✉❜❧✐❝ ❦❡②s✱ ✐s t❤❡ ♦♥❡ ✉♥❞❡r ✇❤✐❝❤ t❤❡ ❝✐♣❤❡rt❡①t ✇❛s ❝r❡❛t❡❞✳

❙✐♥❝❡ ❛♥♦♥②♠✐t② ❝❛♥ ❜❡ ♠✐s✉s❡❞ ❜② ❞✐s❤♦♥❡st ✉s❡rs✱ s♦♠❡ s✐t✉❛t✐♦♥s ❝♦✉❧❞ r❡q✉✐r❡ ❛ tr❛❝✐♥❣ ❛✉t❤♦r✐t② ❝❛♣❛❜❧❡

♦❢ r❡✈♦❦✐♥❣ ❦❡② ♣r✐✈❛❝② ✇❤❡♥ ✐❧❧❡❣❛❧ ❜❡❤❛✈✐♦r ✐s ❞❡t❡❝t❡❞✳ Pr✐♦r ✇♦r❦s ♦♥ tr❛❝❡❛❜❧❡ ❛♥♦♥②♠♦✉s ❡♥❝r②♣t✐♦♥

♠✐ss ❛ ❝r✐t✐❝❛❧ ♣♦✐♥t✿ ❛♥ ❡♥❝r②♣t✐♦♥ s❝❤❡♠❡ ♠❛② ♣r♦❞✉❝❡ ❛ ❝♦✈❡rt ❝❤❛♥♥❡❧ ✇❤✐❝❤ ♠❛❧✐❝✐♦✉s ✉s❡rs ❝❛♥ ✉s❡ t♦

❝♦♠♠✉♥✐❝❛t❡ ✐❧❧❡❣❛❧❧② ✉s✐♥❣ ❝✐♣❤❡rt❡①ts t❤❛t tr❛❝❡ ❜❛❝❦ t♦ ♥♦❜♦❞② ♦r✱ ❡✈❡♥ ✇♦rs❡✱ t♦ s♦♠❡ ❤♦♥❡st ✉s❡r✳

■♥ t❤✐s ♣❛♣❡r✱ ✇❡ ❡①❛♠✐♥❡ s✉❜❧✐♠✐♥❛❧ ❝❤❛♥♥❡❧s ✐♥ t❤❡ ❝♦♥t❡①t ♦❢ tr❛❝❡❛❜❧❡ ❛♥♦♥②♠♦✉s ❡♥❝r②♣t✐♦♥ ❛♥❞ ✇❡

✐♥tr♦❞✉❝❡ ❛ ♥❡✇ ♣r✐♠✐t✐✈❡ t❡r♠❡❞ ♠❡❞✐❛t❡❞ tr❛❝❡❛❜❧❡ ❛♥♦♥②♠♦✉s ❡♥❝r②♣t✐♦♥ t❤❛t ♣r♦✈✐❞❡s ❝♦♥✜❞❡♥t✐❛❧✐t② ❛♥❞

❛♥♦♥②♠✐t② ✇❤✐❧❡ ♣r❡✈❡♥t✐♥❣ ♠❛❧✐❝✐♦✉s ✉s❡rs t♦ ❡♠❜❡❞ s✉❜❧✐♠✐♥❛❧ ♠❡ss❛❣❡s ✐♥ ❝✐♣❤❡rt❡①ts✳ ■♥ ♦✉r ♠♦❞❡❧✱ ❛❧❧

❝✐♣❤❡rt❡①ts ♣❛ss t❤r♦✉❣❤ ❛ ♠❡❞✐❛t♦r ✭♦r ♣♦ss✐❜❧② s❡✈❡r❛❧ s✉❝❝❡ss✐✈❡ ♠❡❞✐❛t♦rs✮ ❛♥❞ ♦✉r ❣♦❛❧ ✐s t♦ ❞❡s✐❣♥ ♣r♦t♦❝♦❧s

✇❤❡r❡ t❤❡ ❛❜s❡♥❝❡ ♦❢ ❝♦✈❡rt ❝❤❛♥♥❡❧s ✐s ❣✉❛r❛♥t❡❡❞ ❛s ❧♦♥❣ ❛s t❤❡ ♠❡❞✐❛t♦r ✐s ❤♦♥❡st✱ ✇❤✐❧❡ s❡♠❛♥t✐❝ s❡❝✉r✐t②

❛♥❞ ❦❡② ♣r✐✈❛❝② ❤♦❧❞ ❡✈❡♥ ✐❢ t❤❡ ♠❡❞✐❛t♦r ✐s ❞✐s❤♦♥❡st✳

❲❡ ❣✐✈❡ s❡❝✉r✐t② ❞❡✜♥✐t✐♦♥s ❢♦r t❤✐s ♥❡✇ ♣r✐♠✐t✐✈❡ ❛♥❞ ❝♦♥str✉❝t✐♦♥s ♠❡❡t✐♥❣ t❤❡ ❢♦r♠❛❧✐③❡❞ r❡q✉✐r❡♠❡♥ts✳

❖✉r ❣❡♥❡r✐❝ ❝♦♥str✉❝t✐♦♥ ✐s ❢❛✐r❧② ❡✣❝✐❡♥t✱ ✇✐t❤ ❝✐♣❤❡rt❡①ts t❤❛t ❤❛✈❡ ❧♦❣❛r✐t❤♠✐❝ s✐③❡ ✐♥ t❤❡ ♥✉♠❜❡r ♦❢ ❣r♦✉♣

♠❡♠❜❡rs✱ ✇❤✐❧❡ ♣r❡✈❡♥t✐♥❣ ❝♦❧❧✉s✐♦♥s✳ ❚❤❡ s❡❝✉r✐t② ❛♥❛❧②s✐s r❡q✉✐r❡s ❝❧❛ss✐❝❛❧ ❝♦♠♣❧❡①✐t② ❛ss✉♠♣t✐♦♥s ✐♥ t❤❡

st❛♥❞❛r❞ ♠♦❞❡❧✳

✶ ■♥tr♦❞✉❝t✐♦♥

▼♦t✐✈❛t✐♦♥✳ ❚❤❡ ♥♦t✐♦♥ ♦❢ ❦❡② ♣r✐✈❛❝② ❢♦r ✭❛s②♠♠❡tr✐❝✮ ❡♥❝r②♣t✐♦♥ s❝❤❡♠❡s ✇❛s ❢♦r♠❛❧❧② ❞❡✜♥❡❞ ❜②

❇❡❧❧❛r❡✱ ❇♦❧❞②r❡✈❛✱ ❉❡s❛✐ ❛♥❞ P♦✐♥t❝❤❡✈❛❧ ❬✷❪✳ ❚❤❡ ♠♦t✐✈❛t✐♦♥ ❢♦r t❤✐s s❡❝✉r✐t② ♥♦t✐♦♥ ✐s ❛♥♦♥②♠♦✉s ❝♦♠✲

♠✉♥✐❝❛t✐♦♥✱ ✇❤❡r❡ ❡❛✈❡s❞r♦♣♣❡rs ❛r❡ ♣r❡✈❡♥t❡❞ ❢r♦♠ ❧❡❛r♥✐♥❣ t❤❡ ✐❞❡♥t✐t✐❡s ♦❢ t❤❡ ❝♦♠♠✉♥✐❝❛t✐♥❣ ♣❛rt✐❡s✱

❛♥❞ ♥❛♠❡❧② t❤❡ t❛r❣❡t r❡❝✐♣✐❡♥t ♦❢ ❛ ❝✐♣❤❡rt❡①t✳ ❙✐♥❝❡ ♣❡♦♣❧❡ ❛r❡ ♠♦r❡ ❛♥❞ ♠♦r❡ ❝♦♥❝❡r♥❡❞ ❛❜♦✉t ❛❧❧ t❤❡✐r

❛❝t✐♦♥s ❜❡✐♥❣ ❧✐♥❦❛❜❧❡ t♦ ❡❛❝❤ ♦t❤❡r ✭♦r ❡✈❡♥ ✇♦rs❡✱ t♦ t❤❡✐r ✐❞❡♥t✐t②✮✱ ❦❡② ♣r✐✈❛❝② ✐s ♦❜✈✐♦✉s❧② ❛ ✈❡r②

❛ttr❛❝t✐✈❡ ♥♦t✐♦♥ ❢r♦♠ t❤❡ ✉s❡r✬s ♣♦✐♥t ♦❢ ✈✐❡✇✳ ❍♦✇❡✈❡r✱ s♦♠❡ ♦r❣❛♥✐③❛t✐♦♥s ❛♥❞ ❣♦✈❡r♥♠❡♥ts ❛r❡ ❝♦♥✲

❝❡r♥❡❞ ❛❜♦✉t ❤♦✇ ❛♥♦♥②♠✐t② ❝❛♥ ❜❡ ❛❜✉s❡❞ ❜② ❝r✐♠✐♥❛❧s✱ ❛♥❞ t❤❡ ❦❡② ♣r✐✈❛❝② ♣r♦♣❡rt② ❝❛♥ ♣♦t❡♥t✐❛❧❧② ❜❡

❞❛♥❣❡r♦✉s ❛❣❛✐♥st ♣✉❜❧✐❝ s❛❢❡t②✳ ❚❤❡r❡❢♦r❡ ❛♥♦♥②♠✐t② r❡✈♦❝❛t✐♦♥ s❤♦✉❧❞ ❜❡ ❛✈❛✐❧❛❜❧❡ ✇❤❡♥ ✐❧❧❡❣❛❧ ❜❡❤❛✈✐♦r

✐s ❞❡t❡❝t❡❞✱ ❛s ♣r♦✈✐❞❡❞ ❜② ❣r♦✉♣ s✐❣♥❛t✉r❡s ❬✾❪✳

❚❤✐s ♠♦t✐✈❛t❡s t❤❡ ♥♦t✐♦♥ ♦❢ tr❛❝❡❛❜❧❡ ❛♥♦♥②♠♦✉s ❡♥❝r②♣t✐♦♥ ✐♥ ✇❤✐❝❤ ❛♥ ❛❞✈❡rs❛r② ❝❛♥♥♦t ❞❡t❡r♠✐♥❡

✇❤✐❝❤ ✉s❡r✬s ♣✉❜❧✐❝ ❦❡② ❤❛s ❜❡❡♥ ✉s❡❞ t♦ ❣❡♥❡r❛t❡ t❤❡ ❝✐♣❤❡rt❡①t t❤❛t ✐t s❡❡s ✇❤✐❧❡ ❛ tr✉st❡❞ t❤✐r❞ ♣❛rt②

✭❣✐✈❡♥ s♦♠❡ tr❛♣❞♦♦r ✐♥❢♦r♠❛t✐♦♥✮ ✐s ❛❜❧❡ t♦ r❡✈♦❦❡ ❛♥♦♥②♠✐t② ❛♥❞ t❤✉s t♦ tr❛❝❡ ❜❛❝❦ t♦ t❤❡ ✐♥t❡♥❞❡❞

r❡❝✐♣✐❡♥t✳ ❙♦♠❡ ✇♦r❦ ❞❡❛❧t ✇✐t❤ s✉❝❤ ❛ ♣r♦♣❡rt②✱ ❜✉t t♦ t❤❡ ❜❡st ♦❢ ♦✉r ❦♥♦✇❧❡❞❣❡✱ ❛ ❝r✐t✐❝❛❧ ♣♦✐♥t ✇❛s

♠✐ss❡❞✿ ❛♥ ❡♥❝r②♣t✐♦♥ s❝❤❡♠❡ ♠❛② ❝♦♥t❛✐♥ ❛ st❡❣❛♥♦❣r❛♣❤✐❝ ❝❤❛♥♥❡❧ ✭♦r ❛ ❝♦✈❡rt ❝❤❛♥♥❡❧✮ ✇❤✐❝❤ ♠❛❧✐❝✐♦✉s

✉s❡rs ❝❛♥ ✉s❡ t♦ ❝♦♠♠✉♥✐❝❛t❡ ✐❧❧❡❣❛❧❧② ✉s✐♥❣ ❝✐♣❤❡rt❡①ts t❤❛t tr❛❝❡ ❜❛❝❦ t♦ ♥♦❜♦❞②✱ ♦r ❡✈❡♥ ✇♦rs❡ t♦ s♦♠❡

❤♦♥❡st ✉s❡r✳ ▼♦r❡ ♣r❡❝✐s❡❧②✱ st✐❧❧ ✉s✐♥❣ t❤❡ ♦✣❝✐❛❧ s❝❤❡♠❡✱ ✐t ♠❛② ❜❡ ♣♦ss✐❜❧❡ t♦ ❡♥❝r②♣t ❛ ♠❡ss❛❣❡ t♦ ❛ ✉s❡r

❆ ✭t❤❡ ♦✣❝✐❛❧ t❛r❣❡t r❡❝✐♣✐❡♥t ❢♦r t❤❡ tr❛❝✐♥❣ ❛✉t❤♦r✐t②✮ s♦ t❤❛t t❤❡ r❛♥❞♦♠♥❡ss ✐s ✉s❡❞ ❢♦r tr❛♥s♠✐tt✐♥❣

s♦♠❡ ❡①tr❛ ✐♥❢♦r♠❛t✐♦♥ t♦ ❛ ✉s❡r ❇✱ t❤❛t ✇♦✉❧❞ ♥♦t ❜❡ tr❛❝❡❞ ❛s ❛ ♣♦ss✐❜❧❡ r❡❝✐♣✐❡♥t✳

❋♦r ✐♥st❛♥❝❡✱ ✐♥ ✷✵✵✼✱ ❑✐❛②✐❛s✱ ❚s✐♦✉♥✐s ❛♥❞ ❨✉♥❣ ❬✶✼❪ ♣r❡s❡♥t❡❞ ❣r♦✉♣ ❡♥❝r②♣t✐♦♥✱ ❛ ❝r②♣t♦❣r❛♣❤✐❝

♣r✐♠✐t✐✈❡ ✇❤✐❝❤ ❝❛♥ ❜❡ s❡❡♥ ❛s t❤❡ ❡♥❝r②♣t✐♦♥ ❛♥❛❧♦❣✉❡ ♦❢ ❛ ❣r♦✉♣ s✐❣♥❛t✉r❡ ❬✾❪✳ ■t ♣r♦✈✐❞❡s s❡♠❛♥t✐❝

s❡❝✉r✐t②✱ ❛♥♦♥②♠✐t② ❛♥❞ ❛ ✇❛② ❢♦r t❤❡ ❣r♦✉♣ ♠❛♥❛❣❡r t♦ r❡✈♦❦❡ ❛♥♦♥②♠✐t② ♦❢ ❝✐♣❤❡rt❡①ts✳ ❍♦✇❡✈❡r✱ ✐t

♠❛❦❡s ✉s❡ ♦❢ ③❡r♦✲❦♥♦✇❧❡❞❣❡ ♣r♦♦❢s t♦ ❞❡t❡r♠✐♥❡ ✇❤❡t❤❡r ❛ ❝✐♣❤❡rt❡①t ✐s ✈❛❧✐❞ ♦r ♥♦t✳ ❆s ❛ ❝♦♥s❡q✉❡♥❝❡✱

❛♥ ✐♥✈❛❧✐❞ ❝✐♣❤❡rt❡①t ❝❛♥ ❜❡ ✉s❡❞ t♦ tr❛♥s♠✐t s♦♠❡ ✐♥❢♦r♠❛t✐♦♥✳ ❆❜♦✈❡ ❛❧❧✱ s✉❜❧✐♠✐♥❛❧ ❝❤❛♥♥❡❧s ✭❛✈❛✐❧❛❜❧❡

✐♥ t❤❡ r❛♥❞♦♠♥❡ss✮ ❝❛♥ ❜❡ ❡①♣❧♦✐t❡❞ t♦ s❡♥❞ s♦♠❡ ✐♥❢♦r♠❛t✐♦♥ ✐♥ ❛❞❞✐t✐♦♥ t♦ ❛ ❝❧❡❛♥ ♠❡ss❛❣❡✱ ♦r ❡✈❡♥ t♦

❢r❛♠❡ ❛♥ ❤♦♥❡st ✉s❡r✳

❝

❙♣r✐♥❣❡r✲❱❡r❧❛❣✱ ✷✵✶✵✳

(3)

▲❡t ✉s ❝♦♥s✐❞❡r t❤❡ ❢♦❧❧♦✇✐♥❣ ❡①❛♠♣❧❡✿ ✐♥ ✷✵✵✵✱ ❙❛❦♦ ❬✷✵❪ ♣r♦♣♦s❡❞ ❛ ♥♦✈❡❧ ❛♣♣r♦❛❝❤ t♦ ❛❝❤✐❡✈❡ ❜✐❞

s❡❝r❡❝② ✐♥ ❛✉❝t✐♦♥ ♣r♦t♦❝♦❧s✳ ❍❡r t❡❝❤♥✐q✉❡ ❝♦♥s✐sts ✐♥ ❡①♣r❡ss✐♥❣ ❡❛❝❤ ❜✐❞ ❛s ❛♥ ❡♥❝r②♣t✐♦♥ ♦❢ ❛ ❦♥♦✇♥

♠❡ss❛❣❡✱ ✇✐t❤ ❛ ❦❡② ❝♦rr❡s♣♦♥❞✐♥❣ t♦ t❤❡ ✈❛❧✉❡ ♦❢ t❤❡ ❜✐❞✳ ❚❤❡r❡❢♦r❡✱ ✇❤❛t ♥❡❡❞s t♦ ❜❡ ❤✐❞❞❡♥ ✐♥ t❤❡

❝✐♣❤❡rt❡①t ✐s ♥♦t t❤❡ ♠❡ss❛❣❡✱ ❜✉t t❤❡ ❦❡② ✐ts❡❧❢❀ t❤❡ ✉s❡ ♦❢ tr❛❝❡❛❜❧❡ ❛♥♦♥②♠♦✉s ❡♥❝r②♣t✐♦♥ ✭❡✳❣✳ ❣r♦✉♣

❡♥❝r②♣t✐♦♥✮ s❡❡♠s ✈❡r② ♣r♦♠✐s✐♥❣ ❢♦r s✉❝❤ ❛♣♣❧✐❝❛t✐♦♥s ✭t❤❡ ❜✐❞ ✐ts❡❧❢ ❜❡✐♥❣ ✐❞❡♥t✐✜❡❞ ✉s✐♥❣ t❤❡ tr❛❝✐♥❣

♣r♦❝❡❞✉r❡✮✳ ❍♦✇❡✈❡r✱ ♦♥❡ ♠❛❥♦r ❝♦♥❝❡r♥ ✐♥ ❛✉❝t✐♦♥ ♣r♦t♦❝♦❧s ✐s t❤❡ ♣r♦❜❧❡♠ ♦❢ ❝♦❧❧✉s✐♦♥ ❜❡t✇❡❡♥ ❜✐❞❞❡rs

❛♥❞ ✐t ✐s ❤✐❣❤❧② ❞❡s✐r❛❜❧❡ t♦ ♣r❡✈❡♥t ❜✐❞❞❡rs ❢r♦♠ ❡♥❣❛❣✐♥❣ ✐♥ s✉❝❤ ❝♦❧❧❛❜♦r❛t✐✈❡ ❜✐❞❞✐♥❣ str❛t❡❣✐❡s✳ ❯♥❢♦r✲

t✉♥❛t❡❧②✱ ♥♦ ❦♥♦✇♥ ❝♦♥str✉❝t✐♦♥ ♦❢ tr❛❝❡❛❜❧❡ ❛♥♦♥②♠♦✉s ❡♥❝r②♣t✐♦♥ ✐s ❢r❡❡ ♦❢ ❝♦✈❡rt ❝❤❛♥♥❡❧s ❛♥❞ t❤❡ ♠❛✐♥

♣✉r♣♦s❡ ♦❢ t❤❡ ♣r❡s❡♥t ♣❛♣❡r ✐s ♣r❡❝✐s❡❧② t♦ ♣r♦♣♦s❡ ❛ ♥❡✇ ❝r②♣t♦❣r❛♣❤✐❝ ♣r✐♠✐t✐✈❡ ❛❞❞r❡ss✐♥❣ t❤✐s ✐ss✉❡✳

❘❡❝❡♥t❧②✱ ❆❜❞❛❧❧❛✱ ❇❡❧❧❛r❡ ❛♥❞ ◆❡✈❡♥ ❬✶❪ ✐♥tr♦❞✉❝❡❞ t❤❡ ❝♦♥❝❡♣t ♦❢ r♦❜✉st ❡♥❝r②♣t✐♦♥ ✐♥ ✇❤✐❝❤ ✐t ✐s ❤❛r❞ t♦

♣r♦❞✉❝❡ ❛ ❝✐♣❤❡rt❡①t t❤❛t ✐s ✈❛❧✐❞ ❢♦r t✇♦ ❞✐✛❡r❡♥t ✉s❡rs✳ ❚❤❡② s❤♦✇❡❞ t❤❛t ✐❢ t❤❡ ❛♥♦♥②♠♦✉s ❡♥❝r②♣t✐♦♥

s❝❤❡♠❡ ✉s❡❞ ✐♥ ❙❛❦♦✬s ♣r♦t♦❝♦❧ ✐s ♥♦t r♦❜✉st t❤❡♥ t❤❡ ❛✉❝t✐♦♥ ♣r♦t♦❝♦❧ ❞♦❡s ♥♦t ❛❝❤✐❡✈❡ ❢❛✐r♥❡ss ✭✐✳❡✳ ❛

❝❤❡❛t✐♥❣ ❜✐❞❞❡r ❝❛♥ ♣❧❛❝❡ ❛ ❜✐❞ t❤❛t ❤❡ ❝❛♥ ♦♣❡♥ ❧❛t❡r t♦ ❛♥ ❛r❜✐tr❛r② ✈❛❧✉❡✮✳ ❚❤❡ ♣r✐♠✐t✐✈❡ ✇❡ ♣r♦♣♦s❡

✐♥ t❤✐s ♣❛♣❡r ♣❡r♠✐ts t♦ ❛❝❤✐❡✈❡ s✐♠✉❧t❛♥❡♦✉s❧② ❢❛✐r♥❡ss ❛♥❞ ❝♦❧❧✉s✐♦♥✲❢r❡❡♥❡ss ✐♥ ❙❛❦♦✬s ♣r♦t♦❝♦❧✳

❈♦♥tr✐❜✉t✐♦♥s✳ ❲❡ ✐♥tr♦❞✉❝❡ ❛ ♥❡✇ ♣r✐♠✐t✐✈❡ ✇❤✐❝❤ ✇❡ ❝❛❧❧ ♠❡❞✐❛t❡❞ tr❛❝❡❛❜❧❡ ❛♥♦♥②♠♦✉s ❡♥❝r②♣t✐♦♥

❛♥❞ t❤❛t ♣r♦✈✐❞❡s ❝♦♥✜❞❡♥t✐❛❧✐t② ❛♥❞ ❛♥♦♥②♠✐t② ✇❤✐❧❡ ♣r❡✈❡♥t✐♥❣ ♠❛❧✐❝✐♦✉s ✉s❡rs t♦ ❡♠❜❡❞ s✉❜❧✐♠✐♥❛❧

♠❡ss❛❣❡s ✐♥ ❝✐♣❤❡rt❡①ts✱ ✇❤✐❝❤ ✇♦✉❧❞ ❛❧❧♦✇ t♦ tr❛♥s♠✐t ✐♥❢♦r♠❛t✐♦♥ t♦ ❛ r❡❝✐♣✐❡♥t t❤❛t ✇♦✉❧❞ r❡♠❛✐♥

♣❡r❢❡❝t❧② ❛♥♦♥②♠♦✉s✱ ♦r ❡✈❡♥ ✇♦rs❡ t♦ ❢r❛♠❡ ❛♥ ❤♦♥❡st ✉s❡r✳

■♥ ♦r❞❡r t♦ ♣r♦✈✐❞❡ s❡♠❛♥t✐❝ s❡❝✉r✐t②✱ ❛s②♠♠❡tr✐❝ ❡♥❝r②♣t✐♦♥ ❤❛s t♦ ❜❡ ♣r♦❜❛❜✐❧✐st✐❝✱ ❛♥❞ r❛♥❞♦♠♥❡ss

❝❛♥ ❜❡ ✉s❡❞ ❛s ❛ ❝♦✈❡rt ❝❤❛♥♥❡❧✳ ❲❡ ✇✐❧❧ t❤✉s ❤❛✈❡ t♦ ❛✈♦✐❞ t❤❡ ✉s❡rs t♦ ❝♦♥tr♦❧ t❤❡ r❛♥❞♦♠♥❡ss ✉s❡❞

✐♥ t❤❡ ❝✐♣❤❡rt❡①t✳ ❲❡ ✐♥tr♦❞✉❝❡ ❛ ♠❡❞✐❛t♦r t❤❛t ✐s ♥♦t ♣r♦✈✐❞❡❞ ✇✐t❤ ❛♥② s❡❝r❡t ✐♥❢♦r♠❛t✐♦♥✱ ❜✉t ✇❤♦s❡

r♦❧❡ ✖s✐♠✐❧❛r t♦ t❤❡ ✇❛r❞❡♥ ♠♦❞❡❧ ✐♥tr♦❞✉❝❡❞ ❜② ❙✐♠♠♦♥s ❬✷✶❪✖ ✐s t♦ ❛❞❞ ♠♦r❡ r❛♥❞♦♠♥❡ss t♦ ❡❛❝❤

❝✐♣❤❡rt❡①t s♦ t❤❛t ❛♥② ❤✐❞❞❡♥ ♠❡ss❛❣❡ ✐s s♠♦t❤❡r❡❞✳ ■t ✐s ✇♦rt❤ ♥♦t✐♥❣ t❤❛t ✖❝♦♥tr❛r② t♦ t❤❡ ❣r♦✉♣

❡♥❝r②♣t✐♦♥ ♣r✐♠✐t✐✈❡✖ t❤❡ ♠❡❞✐❛t♦r ♦♥❧② ❝❤❡❝❦s t❤❡ s②♥t❛❝t✐❝ ✈❛❧✐❞✐t② ♦❢ t❤❡ ❝✐♣❤❡rt❡①t ❜✉t ✐t ❞♦❡s ♥♦t

✈❡r✐❢② t❤❡ s♦✉♥❞♥❡ss ♦❢ ❛♥② ❝♦♠♣❧❡① ♣r♦♦❢✳ ❲❡ ❝❛♥ ❡✈❡♥ ✐t❡r❛t❡ t❤❡ r❡✲r❛♥❞♦♠✐③❛t✐♦♥ ♣r♦❝❡ss ❜② s❡✈❡r❛❧

♠❡❞✐❛t♦rs t♦ ❜❡ s✉r❡ t❤❛t ❛♥② ❝✐♣❤❡rt❡①t ❤❛s ❜❡❡♥ r❡✲r❛♥❞♦♠✐③❡❞ ❛t ❧❡❛st ♦♥❝❡✳

❆♥♦t❤❡r ♣♦✐♥t ❢♦r tr❛❝❡❛❜✐❧✐t②✱ ✐t ✐s ✐♠♣♦ss✐❜❧❡ t♦ ❣❡t ✐t ✇✐t❤♦✉t ❛ss✉♠✐♥❣ t❤❛t ✉s❡rs ✭r❡❝✐♣✐❡♥ts✮ ❛r❡

r❡❣✐st❡r❡❞ ✐♥ t❤❡ s②st❡♠✱ s✐♥❝❡ r❡❣✐st❡r❡❞ ✉s❡rs ♦♥❧② ❝❛♥ ❜❡ tr❛❝❡❞✳ ❆s ❢♦r ✭❞②♥❛♠✐❝✮ ❣r♦✉♣ s✐❣♥❛t✉r❡s ❬✸❪✱

✇❡ ❛❧s♦ ✐♥tr♦❞✉❝❡ ❛ tr✉st❡❞ ♣❛rt② t❡r♠❡❞ t❤❡ ✐ss✉❡r t❤❛t r❡❣✐st❡rs ♥❡✇ ✉s❡rs✳ ❖♥❡ ♠❛② ✇♦♥❞❡r ✇❤❡t❤❡r t❤❡ ✐ss✉❡r ❤❛s t♦ ❜❡ tr✉st❡❞ ♦r ♥♦t ✇✐t❤ r❡s♣❡❝t t♦ t❤❡ s❡♠❛♥t✐❝ s❡❝✉r✐t② ♣r♦♣❡rt②✱ s✐♥❝❡ ❤❡ ♠✐❣❤t ❦♥♦✇ ❛❧❧

t❤❡ ❞❡❝r②♣t✐♦♥ ❦❡②s ♦❢ t❤❡ s②st❡♠✿ ♦♥❡ ❞♦❡s ♥♦t r❡❛❧❧② ❝❛r❡ ❛❜♦✉t t❤❛t s✐♥❝❡ ♦♥❡ ❝❛♥ ✉s❡ ✐ts ♦✇♥ ❛❞❞✐t✐♦♥❛❧

❡♥❝r②♣t✐♦♥ s❝❤❡♠❡ t♦ ❡♥❝r②♣t t❤❡ ♣❧❛✐♥t❡①t ❜❡❢♦r❡ r❡✲❡♥❝r②♣t✐♥❣ ✉s✐♥❣ ♦✉r tr❛❝❡❛❜❧❡ ❡♥❝r②♣t✐♦♥ ♣r✐♠✐t✐✈❡✳

■t ✐s r❡❧❛t✐✈❡❧② ❡❛s② t♦ ❞❡s✐❣♥ ❛♥ ❛♥♦♥②♠♦✉s ❡♥❝r②♣t✐♦♥ s❝❤❡♠❡ t❤❛t ♣r♦✈✐❞❡s tr❛❝❡❛❜✐❧✐t② ♦r t❤❡ ❛❜s❡♥❝❡

♦❢ st❡❣❛♥♦❣r❛♣❤✐❝ ❝❤❛♥♥❡❧✱ ❜✉t t❤❡ t❛s❦ ✐s ♠♦r❡ ❝❤❛❧❧❡♥❣✐♥❣ ✐❢ ✇❡ ✇❛♥t t♦ ❛❝❤✐❡✈❡ ❜♦t❤ s✐♠✉❧t❛♥❡♦✉s❧②✳

■♥❞❡❡❞✱ t❤❡ ❡①✐st❡♥❝❡ ♦❢ t❤❡ tr❛❝✐♥❣ ♣r♦❝❡❞✉r❡ ✐♠♣❧✐❡s t❤❛t ❛ ❝✐♣❤❡rt❡①t ❝♦♥t❛✐♥s ✭❛t ❧❡❛st ✐♠♣❧✐❝✐t❧②✮ s♦♠❡

✐♥❢♦r♠❛t✐♦♥ ❛❜♦✉t t❤❡ r❡❝✐♣✐❡♥t✱ ❜✉t t❤✐s ✈❛❧✉❡ ❝❛♥ ❜❡ ✉s❡❞ t♦ tr❛♥s♠✐t ♦♥❡ ❜✐t ♦❢ ❝♦✈❡rt ✐♥❢♦r♠❛t✐♦♥✳ ❋♦r

✐♥st❛♥❝❡✱ ❛ ❇♦♥❡❤✲❋r❛♥❦❧✐♥ ❬✻❪ ✐❞❡♥t✐t②✲❜❛s❡❞ ✈❛r✐❛♥t ♦❢ t❤❡ ❊❧●❛♠❛❧ ✉♥✐✈❡rs❛❧ r❡✲❡♥❝r②♣t✐♦♥ s❝❤❡♠❡ ❬✶✺❪

❝❛♥♥♦t ❜❡ ✉s❡❞ t♦ ❛❝❤✐❡✈❡ ❝♦✈❡rt✲❢r❡❡ tr❛❝❡❛❜❧❡ ❛♥♦♥②♠♦✉s ❡♥❝r②♣t✐♦♥✱ s✐♥❝❡ ✐t t✉r♥s ♦✉t t❤❛t t❤❡ r❡✲

r❛♥❞♦♠✐③❛t✐♦♥ ♣r❡s❡r✈❡s s♦♠❡ ♣r❡❞✐❝❛t❡s t❤❛t ❝❛♥ ❜❡ ✉s❡❞ t♦ tr❛♥s❢❡r s♦♠❡ ✐♥❢♦r♠❛t✐♦♥✳

■♥ t❤✐s ♣❛♣❡r ✇❡ ♣r♦♣♦s❡ ❛ ❢♦r♠❛❧ ❞❡✜♥✐t✐♦♥ ♦❢ ▼❡❞✐❛t❡❞ ❚r❛❝❡❛❜❧❡ ❆♥♦♥②♠♦✉s ❊♥❝r②♣t✐♦♥ ❙❝❤❡♠❡

✭Mt❛❡s✮ ❛♥❞ ❛ s❡❝✉r✐t② ♠♦❞❡❧ ❝❛♣t✉r✐♥❣ t❤❡ ✭s❡❡♠✐♥❣❧② ❝♦♥tr❛❞✐❝t♦r②✮ ❢♦❧❧♦✇✐♥❣ s❡❝✉r✐t② ♥♦t✐♦♥s✿

✶✳ s✉❜❧✐♠✐♥❛❧ ❝❤❛♥♥❡❧ ❢r❡❡♥❡ss✿ ❛❢t❡r r❡✲r❛♥❞♦♠✐③❛t✐♦♥✱ ♥♦ ✐♥❢♦r♠❛t✐♦♥ ❛t ❛❧❧ ❝❛♥ ❜❡ ❡①tr❛❝t❡❞ ❢r♦♠ ❛

❝✐♣❤❡rt❡①t t❤❛t ❞♦❡s ♥♦t tr❛❝❡ ❜❛❝❦ t♦ ❛ ✉s❡r r❡❣✐st❡r❡❞ t♦ t❤❡ ✐ss✉❡r✳ ❲❡ t❤✉s ❛ss✉♠❡ t❤❛t t❤❡

❝♦♠♠✉♥✐❝❛t✐♦♥ ♥❡t✇♦r❦ ❣✉❛r❛♥t❡❡s t❤❛t ❛♥② ❝✐♣❤❡rt❡①t ✇✐❧❧ ❣♦ t❤r♦✉❣❤ ❛ ♠❡❞✐❛t♦r✳ ■♥ ♣r❛❝t✐❝❡✱ ✇❡

❝❛♥ ❛ss✉♠❡ t❤❛t ✐♥ ❛ s♣❡❝✐✜❝ ♥❡t✇♦r❦✱ ❛❧❧ t❤❡ r♦✉t❡rs ✐♠♣❧❡♠❡♥t t❤❡ ♠❡❞✐❛t♦r r❡✲r❛♥❞♦♠✐③❛t✐♦♥✱ ✇❤✐❝❤

❡♥❢♦r❝❡s t❤❡ ✉s❡ ♦❢ ♦✉r s❝❤❡♠❡ ❜② ❛❧❧ t❤❡ ✉s❡rs✱ ❛♥❞ ✇❤✐❝❤ ❣✉❛r❛♥t❡❡s t❤❛t ❛❧❧ t❤❡ ❝✐♣❤❡rt❡①ts ❛r❡ r❡✲

r❛♥❞♦♠✐③❡❞ ❛t ❧❡❛st ♦♥❝❡✳ ❚❤❡♥✱ ♣❛❝❦❡ts t❤❛t ❞♦ ♥♦t ❢♦❧❧♦✇ t❤❡ ❡♥❝r②♣t✐♦♥ r✉❧❡s ❛r❡ ♠❛❞❡ r❛♥❞♦♠❀

✷✳ t❤❡ tr❛❝✐♥❣ tr❛♣❞♦♦r ✐♥❢♦r♠❛t✐♦♥ ❞♦❡s ♥♦t ❛❧❧♦✇ t❤❡ ♦♣❡♥❡r t♦ ✈✐♦❧❛t❡ t❤❡ s❡♠❛♥t✐❝ s❡❝✉r✐t② ♦❢ ❝✐♣❤❡r✲

t❡①ts ♥♦r t♦ ✐ss✉❡ ✈❛❧✐❞ ❞❡❝r②♣t✐♦♥ ❦❡②s ✭✐✳❡✳ t♦ ♣❧❛② t❤❡ r♦❧❡ ♦❢ t❤❡ ✐ss✉❡r✮❀

✷

(4)

✸✳ t❤❡ ❝✐♣❤❡rt❡①t r❡♠❛✐♥s ❝♦♥✜❞❡♥t✐❛❧ ❛♥❞ ❛♥♦♥②♠♦✉s ❡✈❡♥ ✇✐t❤ r❡s♣❡❝t t♦ t❤❡ ♠❡❞✐❛t♦r ✭✐✳❡✳ ✇❡ ♦♥❧② r❡❧② ♦♥ t❤❡ ♠❡❞✐❛t♦r t♦ ❣✉❛r❛♥t❡❡ t❤❡ ❛❜s❡♥❝❡ ♦❢ ❝♦✈❡rt ❝❤❛♥♥❡❧s ✐♥ ❝✐♣❤❡rt❡①ts✱ ❜② ♣r♦♣❡r❧② r❡✲

r❛♥❞♦♠✐③✐♥❣ t❤❡ ❝✐♣❤❡rt❡①ts✮✱ ♦r ❛♥② ❝♦❧❧✉s✐♦♥ ♦❢ ✉s❡rs ❛♥❞ t❤❡ ♠❡❞✐❛t♦r✳ ❆s ❛❧r❡❛❞② s❛✐❞✱ ♠✉❧t✐♣❧❡

r❡✲r❛♥❞♦♠✐③❛t✐♦♥s ❛r❡ ❡✈❡♥ ♣♦ss✐❜❧❡ ❜② ✈❛r✐♦✉s ✐♥❞❡♣❡♥❞❡♥t ♠❡❞✐❛t♦rs✳

❲❡ ♣r♦♣♦s❡ ❡✣❝✐❡♥t ❝♦♥str✉❝t✐♦♥s ♦❢ Mt❛❡s ✐♥ t❤❡ st❛♥❞❛r❞ ♠♦❞❡❧✱ ✇❤✐❝❤ s❡❝✉r✐t② r❡❧✐❡s ♦♥ DDH✲❧✐❦❡

❛ss✉♠♣t✐♦♥s✳ ❚❤❡ ✜rst ♦♥❡ ❞♦❡s ♥♦t s♣❧✐t t❤❡ r♦❧❡s ♦❢ t❤❡ ✐ss✉❡r ❛♥❞ t❤❡ ♦♣❡♥❡r ❛♥❞ ❝❛♥ ❜❡ ❛♣♣❧✐❡❞ ✐♥

❛♥② ❣r♦✉♣ ✇❤❡r❡ t❤❡ DDH ❛ss✉♠♣t✐♦♥ ❤♦❧❞s ✇❤✐❧❡ t❤❡ s❡❝♦♥❞ s❝❤❡♠❡ ♠❛❦❡s ✉s❡ ♦❢ ✭❚②♣❡✲✷ ♦r ❚②♣❡✲

✸ ❬✶✸❪✮ ♣❛✐r✐♥❣✲❢r✐❡♥❞❧② ❣r♦✉♣s✱ ✇✐t❤ ❛s②♠♠❡tr✐❝ ♣❛✐r✐♥❣ ✇❤❡r❡ t❤❡ XDH ❛♥❞ t❤❡ ✭❛s②♠♠❡tr✐❝^✶✮ DBDH

❛ss✉♠♣t✐♦♥s ❤♦❧❞✱ t♦ s❡♣❛r❛t❡ t❤❡ t✇♦ ❛✉t❤♦r✐t② r♦❧❡s ✭❛♥❞ t❤❡♥ ❛❝❤✐❡✈❡ t❤❡ s❡❝♦♥❞ ❛❜♦✈❡ ♣r♦♣❡rt②✮✳ ❚❤❡

t✇♦ ✜rst s❝❤❡♠❡s ❧❡❛❞ t♦ ❝✐♣❤❡rt❡①ts t❤❛t ❛r❡ ❧✐♥❡❛r ✐♥ t❤❡ ♥✉♠❜❡r ♦❢ r❡❣✐st❡r❡❞ ✉s❡rs✳ ❚❤✐s ✐s ♥♦t ✈❡r②

♣r❛❝t✐❝❛❧✱ ❜✉t t❤❡② ❛r❡ ❢✉❧❧②✲❝♦❧❧✉s✐♦♥ s❡❝✉r❡✳ ❯s✐♥❣ ♣✉❜❧✐❝ ❝♦❧❧✉s✐♦♥✲s❡❝✉r❡ ❝♦❞❡s ✭❡✳❣✳ ■PP ❝♦❞❡s ❬✶✻❪✮✱

❜❡tt❡r ❡✣❝✐❡♥❝② ❝❛♥ ❜❡ ❛❝❤✐❡✈❡❞✿ ✇❡ ♣r♦✈✐❞❡ ❛ ❣❡♥❡r✐❝ ❝♦♥str✉❝t✐♦♥✱ ✇✐t❤ ✭❛❧♠♦st✮ ❧♦❣❛r✐t❤♠✐❝ ❝✐♣❤❡rt❡①ts✳

✷ ❙❡❝✉r✐t② ▼♦❞❡❧

✷✳✶ ❙②♥t❛❝t✐❝ ❉❡✜♥✐t✐♦♥s

■♥ t❤✐s s❡❝t✐♦♥✱ ✇❡ ❣✐✈❡ t❤❡ ❢♦r♠❛❧ ❞❡✜♥✐t✐♦♥s ♦❢ ♦✉r ♥❡✇ ❝♦♥❝❡♣t✿ t❤❡ ▼❡❞✐❛t❡❞ ❚r❛❝❡❛❜❧❡ ❆♥♦♥②♠♦✉s

❊♥❝r②♣t✐♦♥✱ ✇❤✐❝❤ ✐♥✈♦❧✈❡s t✇♦ tr✉st❡❞ ❛✉t❤♦r✐t✐❡s✱ ❛♥ ✐ss✉❡r ❢♦r ❛❞❞✐♥❣ ♥❡✇ ♠❡♠❜❡rs t♦ t❤❡ s②st❡♠✱

❛♥❞ ❛♥ ♦♣❡♥❡r ❢♦r r❡✈♦❦✐♥❣ ❛♥♦♥②♠✐t②❀ ❛♥❞ ❛ ♥♦♥✲tr✉st❡❞ ❛✉t❤♦r✐t②✱ t❤❡ ♠❡❞✐❛t♦r t❤❛t s②st❡♠❛t✐❝❛❧❧② r❡✲r❛♥❞♦♠✐③❡s ❛❧❧ ✐ts ✐♥♣✉ts✱ ✇✐t❤♦✉t ❛♥② ♣r✐✈❛t❡ ✐♥❢♦r♠❛t✐♦♥✳ ❚❤❡r❡ ❡✈❡♥ ❝❛♥ ❜❡ s❡✈❡r❛❧ ✐♥❞❡♣❡♥❞❡♥t

♠❡❞✐❛t♦rs✳ ▼❡❞✐❛t♦rs ✇✐❧❧ ❜❡ ❛ss✉♠❡❞ t♦ ❜❡ ❤♦♥❡st ✭❜✉t ♣♦ss✐❜❧② ❝✉r✐♦✉s✱ ❛♥❞ t❤✉s ❞❡✜♥✐t❡❧② ♥♦t tr✉st❡❞✮✿

❢♦r t❤❡ s✉❜❧✐♠✐♥❛❧✲❝❤❛♥♥❡❧ ❢r❡❡♥❡ss s❡❝✉r✐t② ♥♦t✐♦♥ ✇❡ ✇✐❧❧ ❞❡✜♥❡ ❧❛t❡r✱ ✐t ✐s ❝❧❡❛r t❤❛t ✐♥ ❝❛s❡ ♦❢ ❝♦❧❧✉s✐♦♥

✇✐t❤ t❤❡ ❧❛st ♠❡❞✐❛t♦r✱ t❤✐s str♦♥❣ s❡❝✉r✐t② ❧❡✈❡❧ ❝❛♥♥♦t ❜❡ ❛❝❤✐❡✈❡❞✳

❉❡✜♥✐t✐♦♥ ✶ ✭▼❡❞✐❛t❡❞ ❚r❛❝❡❛❜❧❡ ❆♥♦♥②♠♦✉s ❊♥❝r②♣t✐♦♥ ❙❝❤❡♠❡s✮✳ ❆ Mt❛❡s ✐s ❛ t✉♣❧❡ ♦❢

❡✣❝✐❡♥t ❛❧❣♦r✐t❤♠s ♦r ♣r♦t♦❝♦❧s ✭GSetup✱Join✱Encrypt✱ReRand✱Decrypt✱Trace✱Judge✮ s✉❝❤ t❤❛t✿

✕ GSetup(λ)→(mpk,msk,sk_O)✿ t❤✐s ✐s ❛ r❛♥❞♦♠✐③❡❞ ❛❧❣♦r✐t❤♠ r✉♥ ❜② ❛ tr✉st❡❞ ♣❛rt② t❤❛t✱ ♦♥ ✐♥♣✉t ♦❢

❛ s❡❝✉r✐t② ♣❛r❛♠❡t❡r λ✱ ♣r♦❞✉❝❡s t❤r❡❡ ❦❡②s ❝♦♥s✐st✐♥❣ ♦❢ ❛ ❣r♦✉♣ ♣✉❜❧✐❝ ❦❡② mpk✱ ❛ ♠❛♥❛❣❡r✬s s❡❝r❡t

❦❡②msk ❛♥❞ ❛♥ ♦♣❡♥✐♥❣ ❦❡②sk_O❀ ■t ❛❧s♦ ❣❡♥❡r❛t❡s ❛ ❞❛t❛ str✉❝t✉r❡ L✱ ❝❛❧❧❡❞ ❛ r❡❣✐str❛t✐♦♥ ❧✐st ✇❤✐❝❤

✐s ✐♥✐t✐❛❧❧② ❡♠♣t②✳

✕ Join(✐❞,mpk,msk) → (pk_✐❞,sk_✐❞) t❛❦❡s ❛ ❜✐t✲str✐♥❣ ✐❞❡♥t✐t② ✐❞✱ t❤❡ ❣r♦✉♣ ♣✉❜❧✐❝ ❦❡② mpk ❛♥❞ t❤❡

♠❛♥❛❣❡r✬s s❡❝r❡t ❦❡②msk❛s ✐♥♣✉ts✳ ■t ♦✉t♣✉ts ❛ ♣❛✐r ♦❢ ♠❡♠❜❡r ❦❡②s(pk_✐❞,sk_✐❞)❛ss♦❝✐❛t❡❞ t♦ ✐❞✱ ❛♥❞

✉♣❞❛t❡s t❤❡ r❡❣✐str❛t✐♦♥ ❧✐stL ✇✐t❤ t❤❡ ♣❛✐r(✐❞,pk_✐❞)✳

✕ Encrypt(mpk,pk_✐❞, m) → C t❛❦❡s ❛s ✐♥♣✉t t❤❡ ❣r♦✉♣ ♣✉❜❧✐❝ ❦❡② mpk✱ ❛ ✉s❡r ♣✉❜❧✐❝ ❦❡② pk_✐❞ ❛♥❞ ❛

♠❡ss❛❣❡m✱ ❛♥❞ ♦✉t♣✉ts ❛ ♣r❡✲❝✐♣❤❡rt❡①t C✳

✕ ReRand(mpk, C)→ C^′ t❛❦❡s ❛s ✐♥♣✉t t❤❡ ❣r♦✉♣ ♣✉❜❧✐❝ ❦❡②mpk ❛♥❞ ❛ ♣r❡✲❝✐♣❤❡rt❡①t C✱ ❛♥❞ ♦✉t♣✉ts

❛ r❛♥❞♦♠✐③❡❞ ❝✐♣❤❡rt❡①tC^′✳ ◆♦t❡ t❤❛t ✐t ♠❛② ❜❡ ❛♣♣❧✐❡❞ ❛❣❛✐♥ ♦♥ ❛ r❡✲r❛♥❞♦♠✐③❡❞ ❝✐♣❤❡rt❡①t✳

✕ Decrypt(mpk,sk_✐❞, C)→m t❛❦❡s ❛s ✐♥♣✉t t❤❡ ❣r♦✉♣ ♣✉❜❧✐❝ ❦❡②mpk✱ ❛ ♠❡♠❜❡r s❡❝r❡t ❦❡②sk_✐❞✱ ❛s ✇❡❧❧

❛s ❛ ❝✐♣❤❡rt❡①t C✱ t❤❡♥ ✐t ♦✉t♣✉ts ❛ ♠❡ss❛❣❡✱ ♦r ⊥✐♥ ❝❛s❡ ♦❢ ✐♥✈❛❧✐❞ ❝✐♣❤❡rt❡①t✳

✕ Trace(mpk,sk_O,L, C) → (✐❞, Π)✿ ❚❤✐s ✐s ❛ ❞❡t❡r♠✐♥✐st✐❝ ❛❧❣♦r✐t❤♠ t❤❛t ♦♥ ✐♥♣✉t t❤❡ ❣r♦✉♣ ♣✉❜❧✐❝

❦❡② mpk✱ t❤❡ ♦♣❡♥✐♥❣ ❦❡② skO✱ t❤❡ r❡❣✐str❛t✐♦♥ ❧✐st L ❛♥❞ ❛ ❝✐♣❤❡rt❡①t C✱ ♦✉t♣✉ts ❛ ✉s❡r ✐❞❡♥t✐t② ✐❞

✭❡q✉✐✈❛❧❡♥t❧②✱ t❤❡ ♣✉❜❧✐❝ ❦❡②pk✮ ❛♥❞ ❛ ♣r♦♦❢ Π ❢♦r t❤❡ ❥✉❞❣❡✱ ♦t❤❡r✇✐s❡ ⊥✐♥ ❝❛s❡ ♦❢ ❢❛✐❧✉r❡✳

✕ Judge(mpk,L, C,✐❞, Π)✿ ❚❤✐s ✐s ❛ ❞❡t❡r♠✐♥✐st✐❝ ❛❧❣♦r✐t❤♠ t❤❛t ♦♥ ✐♥♣✉t t❤❡ ❣r♦✉♣ ♣✉❜❧✐❝ ❦❡②mpk✱ t❤❡

r❡❣✐str❛t✐♦♥ ❧✐stL✱ ❛ ❝✐♣❤❡rt❡①t ✐♥C✱ ❛ ✉s❡r ✐❞❡♥t✐t② ✐❞ ❛♥❞ ❛ ♣r♦♦❢Π❝❤❡❝❦s ✇❤❡t❤❡rΠ✐♥❞❡❡❞ ♣r♦✈❡s t❤❛t ✐❞ ✐s t❤❡ t❛r❣❡t r❡❝✐♣✐❡♥t ♦❢ t❤❡ ❝✐♣❤❡rt❡①tC ✭♦r ♦♥❡ ♦❢ t❤❡♠✱ ✐♥ ❝❛s❡ ♦❢ ❝♦❧❧✉s✐♦♥✮✳

❘❛♥❞♦♠ t❛♣❡s ❤❛✈❡ ❜❡❡♥ ♦♠✐tt❡❞ ✐♥ t❤❡ ♥♦t❛t✐♦♥s✱ ❢♦r t❤❡ s❛❦❡ ♦❢ ❝❧❛r✐t②✱ ❜✉t ✐♥ s♦♠❡ ❝❛s❡s✱ t❤❡② ♠❛② ❜❡

❡①♣❧✐❝✐t✿Join(✐❞,mpk,msk;r)✱Encrypt(mpk,pk_✐❞, m;r) ♦r ReRand(mpk, C;r)✳

✶ ❚❤❡ ❛s②♠♠❡tr✐❝ DBDH ❛ss✉♠♣t✐♦♥ ❬✶✶❪ r❡❞✉❝❡s t♦ t❤❡ ❝❧❛ss✐❝❛❧ DBDH ❛ss✉♠♣t✐♦♥ ❬✻❪ ✐♥ t❤❡ ❝❛s❡ ♦❢ ❚②♣❡✲✸ ❜✐❧✐♥❡❛r str✉❝t✉r❡s ❬✶✸❪✳

✸

(5)

✷✳✷ ❙❡❝✉r✐t② ◆♦t✐♦♥s

■♥ ❛♥② ❣r♦✉♣ ♣r♦t♦❝♦❧✱ ✇❤❡r❡ ❡❛❝❤ ✉s❡r ♦✇♥s ❛ ♣r✐✈❛t❡ ❦❡②✱ ❝♦❧❧✉s✐♦♥s ❤❛✈❡ t♦ ❜❡ ❞❡❛❧t ✇✐t❤✿ ❛ ❝♦❧❧✉s✐♦♥

♦❢ ✉s❡rs ♠❛② ❤❡❧♣ t❤❡♠ t♦ ♠❛♥✉❢❛❝t✉r❡ ❛ ♥❡✇ ♣❛✐r (pk,sk) ❛ss♦❝✐❛t❡❞ t♦ ♥♦ ✉s❡r✱ ♦r t♦ ❛♥ ❤♦♥❡st ✉s❡r✳

❚❤❡ ❧❛tt❡r ❝❛s❡ s❤♦✉❧❞ ❜❡ ✉♥❧✐❦❡❧②✳ ❚❤❡ tr❛❝✐♥❣ ❛❧❣♦r✐t❤♠ s❤♦✉❧❞ t❤✉s ✭✐♥ ❝❛s❡ t❤❡ ❝✐♣❤❡rt❡①t ✧❝♦♥t❛✐♥s✧

s♦♠❡ ✐♥❢♦r♠❛t✐♦♥✮ ❡✐t❤❡r ♦✉t♣✉t t❤❡ ✐❞❡♥t✐t② ♦❢ t❤❡ t❛r❣❡t r❡❝❡✐✈❡r ✐❢ t❤✐s ✐s ❛ ✇❡❧❧✲❢♦r♠❡❞ ❝✐♣❤❡rt❡①t t♦

t❤✐s ✉s❡r✱ ♦r t❤❡ ✐❞❡♥t✐t② ♦❢ ♦♥❡ ♦❢ t❤❡ ❝♦❧❧✉❞❡rs ✇❤♦ ❤❡❧♣❡❞ t♦ ♠❛♥✉❢❛❝t✉r❡ t❤❡ t❛r❣❡t ♣✉❜❧✐❝ ❦❡②✳ ■❢ t❤❡

♣r❡✲❝✐♣❤❡rt❡①t ❞♦❡s ♥♦t t❛r❣❡t ❛♥② ♣✉❜❧✐❝ ❦❡② ✭♥♦❜♦❞② ❝❛♥ ❜❡ tr❛❝❡❞✮ t❤❡♥ ✇❡ ✇❛♥t t❤❡ r❡✲r❛♥❞♦♠✐③❛t✐♦♥

t♦ ❝❛♥❝❡❧ ❛♥② ✐♥❢♦r♠❛t✐♦♥✳ ❈♦❧❧✉s✐♦♥ ✇✐❧❧ ❜❡ ♠♦❞❡❧❡❞ ❜② ❝♦rr✉♣t q✉❡r✐❡s✱ t❤❛t ✇✐❧❧ ♣r♦✈✐❞❡ t❤❡ s❡❝r❡t ❦❡②s

♦❢ t❤❡ ❝♦rr✉♣t❡❞ ✉s❡rs t♦ t❤❡ ❛❞✈❡rs❛r②✳ ❚❤❡♥✱ ❢r♦♠ ❛❧❧ t❤❡s❡ ❦❡②s✱ t❤❡ ❛❞✈❡rs❛r② ✇✐❧❧ ❜❡ ❛❧❧♦✇❡❞ t♦ ❞♦

❛♥②t❤✐♥❣ ✐t ✇❛♥ts t♦ tr❛♥s❢❡r s♦♠❡ ✐♥❢♦r♠❛t✐♦♥✱ ✐♥ ❛♥ ✉♥tr❛❝❡❛❜❧❡ ✇❛②✳

❆s ❛ ❝♦♥s❡q✉❡♥❝❡✱ ✐♥ t❤❡ s❡❝✉r✐t② ♠♦❞❡❧ ✇❡ ♣r♦✈✐❞❡ t❤❡ ❛❞✈❡rs❛r② ✇✐t❤ t✇♦ ♦r❛❝❧❡s✿ ❛ r❡str✐❝t❡❞ Join

♦r❛❝❧❡ ✭❞❡♥♦t❡❞Join^∗✮ t❤❛t ❥✉st ♦✉t♣✉ts t❤❡ ♣✉❜❧✐❝ ❦❡②s✱ ❛♥❞ ❛Corrupt♦r❛❝❧❡ t❤❛t ♦✉t♣✉ts t❤❡ ✉s❡r✬s s❡❝r❡t

❦❡②✳ ❈♦rr✉♣t❡❞ ✉s❡rs ❛r❡ t❤❡♥ r❡❣✐st❡r❡❞ ✐♥ t❤❡ ❝♦rr✉♣t✐♦♥ ❧✐st C✱ ✐♥✐t✐❛❧❧② ❡♠♣t②✿

✕ Join^∗(✐❞) → pk_✐❞✱ t❛❦❡s ❛s ✐♥♣✉t ❛♥ ✐❞❡♥t✐t②✱ ❛♥❞ t❤❡♥ r✉♥s Join(✐❞,mpk,msk) t♦ ❣❡t (pk_✐❞,sk_✐❞)✱ ❜✉t

♦✉t♣✉ts pk_✐❞ ♦♥❧②✳ ◆♦t❡ t❤❛t t❤❡ r❡❣✐str❛t✐♦♥ ❧✐stL ❤❛s ❜❡❡♥ ✉♣❞❛t❡❞ ❜② t❤❡ Join ♣r♦❝❡❞✉r❡❀

✕ Corrupt(✐❞) → sk_✐❞ t❛❦❡s ❛s ✐♥♣✉t ❛ r❡❣✐st❡r❡❞ ✐❞❡♥t✐t②✱ ❛♥❞ ♦✉t♣✉ts t❤❡ s❡❝r❡t ❦❡② ❝♦rr❡s♣♦♥❞✐♥❣ t♦

pk_✐❞✳ ■t ❛❧s♦ ✉♣❞❛t❡s t❤❡ ❝♦rr✉♣t✐♦♥ ❧✐stC ✇✐t❤(✐❞,sk_✐❞)✳

❲❡ t❤❡♥ ❞❡♥♦t❡ ❜②LU t❤❡ ❧✐st ♦❢ r❡❣✐st❡r❡❞ ✐❞❡♥t✐t✐❡s✱ ❛♥❞ ❜②CU t❤❡ ❧✐st ♦❢ t❤❡ ❝♦rr✉♣t❡❞ ✉s❡rs✱ ✇❤❡r❡❛sL

❛♥❞ C❛❧s♦ ❝♦♥t❛✐♥ ❦❡②s✳ ❲❡ ❛❞❞✐t✐♦♥❛❧❧② ❞❡✜♥❡ ❛ ♣r❡❞✐❝❛t❡ ❚r❛❝❡❛❜❧❡(U, C)✱ ✇❤❡r❡ U ✐s ❛ ❧✐st ♦❢ ✐❞❡♥t✐t✐❡s

❛♥❞ C ❛ ♣r❡✲❝✐♣❤❡rt❡①t✱ t❤❛t t❡sts ✇❤❡t❤❡r t❤❡ tr❛❝✐♥❣ ❛❧❣♦r✐t❤♠✱ r✉♥ ♦♥ t❤❡ ❣❧♦❜❛❧ ♣❛r❛♠❡t❡rs ❛♥❞ ❛ r❡✲r❛♥❞♦♠✐③❛t✐♦♥ ♦❢C✱ ♦✉t♣✉ts ❛♥ ✐❞❡♥t✐t② ✐❞∈ U ✇✐t❤ ❛ ❝♦♥✈✐♥❝✐♥❣ ♣r♦♦❢Π✳

❙✐♥❝❡ ✇❡ ❛r❡ ❞❡❛❧✐♥❣ ✇✐t❤ ❛♥♦♥②♠✐t② ❛♥❞ tr❛❝❡❛❜✐❧✐t②✱ ✇❡ s❤♦✉❧❞ ❛❞❞r❡ss ❢✉❧❧✲❛♥♦♥②♠✐t② ❛♥❞ ❝❤♦s❡♥✲

❝✐♣❤❡rt❡①t s❡❝✉r✐t②✱ ♣r♦✈✐❞✐♥❣ ❛❝❝❡ss t♦ t❤❡ ♦♣❡♥✐♥❣ ♦r❛❝❧❡ ❛♥❞ t♦ t❤❡ ❞❡❝r②♣t✐♦♥ ♦r❛❝❧❡ r❡s♣❡❝t✐✈❡❧②✳ ❇✉t ❞✉❡

t♦ t❤❡ ✐♥❤❡r❡♥t ♠❛❧❧❡❛❜✐❧✐t② ♦❢ s✉❝❤ ❛ r❡✲r❛♥❞♦♠✐③❛❜❧❡ ❡♥❝r②♣t✐♦♥ s❝❤❡♠❡✱ s♦♠❡ ❝♦♥str❛✐♥ts ❛r❡ r❡q✉✐r❡❞✳

❚❤✐s ✐s ❞✐s❝✉ss❡❞ ✐♥ t❤❡ ❆♣♣❡♥❞✐① ❆✳ ■♥ t❤✐s s❡❝t✐♦♥✱ ✇❡ ❢♦❝✉s ♦♥ t❤❡ ❜❛s✐❝ ❛♥♦♥②♠✐t② ✭✇✐t❤♦✉t ♦♣❡♥✐♥❣

♦r❛❝❧❡ ❛❝❝❡ss✮ ❛♥❞ t❤❡ ❝❤♦s❡♥✲♣❧❛✐♥t❡①t s❡❝✉r✐t② ✭✇✐t❤♦✉t ❞❡❝r②♣t✐♦♥ ♦r❛❝❧❡ ❛❝❝❡ss✮✳

■♥ ♦r❞❡r t♦ ❛✈♦✐❞ t❤❡ ♦♣❡♥❡r t♦ ❢r❛♠❡ ❛♥ ❤♦♥❡st ✉s❡r✱ ❛s t❤❡ r❡❝✐♣✐❡♥t ♦❢ ❛ ❝✐♣❤❡rt❡①t t❤❛t ✐s ♥♦t ❛✐♠❡❞

t♦ ❤✐♠✱ ✇❡ ❝❛♥ r❡❧② ♦♥ ❛♥ ❛❞❞✐t✐♦♥❛❧ P✉❜❧✐❝ ❑❡② ■♥❢r❛str✉❝t✉r❡ ✭P❑■✮✱ ✐♥ ✇❤✐❝❤ ❡❛❝❤ ✉s❡r ♦✇♥s ❛ ♣❛✐r ♦❢

♣✉❜❧✐❝✴♣r✐✈❛t❡ ❦❡②✱ ❛♥❞ s✐❣♥s pk_✐❞ ✇❤❡♥ ✐t r❡❝❡✐✈❡s t❤❡ ❛ss♦❝✐❛t❡❞ s❡❝r❡t ❦❡② sk_✐❞✳ ❚❤✐s s✐❣♥❛t✉r❡ ❝❛♥ ❜❡

❛❞❞❡❞ t♦ t❤❡ r❡❣✐str❛t✐♦♥ ❧✐st L✳ ❲❡ t❤✉s tr✉st t❤❡ ❧✐♥❦ ❜❡t✇❡❡♥ ❛♥ ✐❞❡♥t✐t② ✐❞ ❛♥❞ t❤❡ ❛ss♦❝✐❛t❡❞ ♣✉❜❧✐❝

❦❡②✳ ❆♥❞ ✇❡ ✇✐❧❧ ✉s❡ ❜♦t❤ ✐♥ ❛♥ ✐♥❞✐✛❡r❡♥t✐❛❜❧❡ ✇❛②✳

❙❡♠❛♥t✐❝ ❙❡❝✉r✐t②✳ ❚❤❡ ♠❛✐♥ s❡❝✉r✐t② ♥♦t✐♦♥ ❢♦r ❛♥ ❡♥❝r②♣t✐♦♥ s❝❤❡♠❡ ✐s ♦❢ ❝♦✉rs❡ t❤❡ s❡♠❛♥t✐❝

s❡❝✉r✐t② ♦❢ t❤❡ ❝✐♣❤❡rt❡①t ✭❛❢t❡r r❡✲r❛♥❞♦♠✐③❛t✐♦♥✮✱ t❤❛t ✐s ❢♦r♠❛❧✐③❡❞ ❜② t❤❡ ✐♥❞✐st✐♥❣✉✐s❤❛❜✐❧✐t② ♦❢ t❤❡

t✇♦ ❡①♣❡r✐♠❡♥ts ✭❢♦rb= 0,1✮ ♣r❡s❡♥t❡❞ ❋✐❣✳ ✶✭❛✮✳ ❆s ✉s✉❛❧✱ t❤❡ ❛❞✈❡rs❛r② ❤❛s t♦ ❣✉❡ss ✇❤✐❝❤ ♣❧❛✐♥t❡①t ❤❛s

❜❡❡♥ ❡♥❝r②♣t❡❞ ✐♥ t❤❡ ❝❤❛❧❧❡♥❣❡ ❝✐♣❤❡rt❡①t✳ ◆♦t❡ t❤❛t ✇❡ ♣r♦✈✐❞❡ t❤❡ ♦♣❡♥✐♥❣ ❦❡② sk_O t♦ t❤❡ ❛❞✈❡rs❛r②✱

✇❤✐❝❤ ♠♦❞❡❧s ❛ ❝♦❧❧✉s✐♦♥ ✇✐t❤ t❤❡ ♦♣❡♥❡r✳ ❲❡ r❡str✐❝t t❤❡ ❛❞✈❡rs❛r② t♦ ✉s❡ ❛ ✈❛❧✐❞ ✭r❡❣✐st❡r❡❞✮ ♣✉❜❧✐❝

❦❡②✱ s✐♥❝❡ ♦t❤❡r✇✐s❡ ♥♦ ♦♥❡ ❝❛♥ ❞❡❝r②♣t t❤❡ ❝✐♣❤❡rt❡①t✳ ❲❡ ❛r❡ t❤✉s ♦♥❧② ✐♥t❡r❡st❡❞ ✐♥ t❤❡ ♣r✐✈❛❝② ♦❢ r❡❛❧

❝✐♣❤❡rt❡①ts✳ ❲❡ ❞❡✜♥❡ t❤❡ ❛❞✈❛♥t❛❣❡ ♦❢ A✐♥ ❜r❡❛❦✐♥❣ t❤❡ s❡♠❛♥t✐❝ s❡❝✉r✐t② ❜② ✐ts ❛❞✈❛♥t❛❣❡✿

Adv^rind_M_t❛❡s_,_A(λ) = Pr[Exp^rind−1_M_t❛❡s_,A(λ) = 1]−Pr[Exp^rind−0_M_t❛❡s_,A(λ) = 1].

❲❡ ❞❡✜♥❡ ❛ ✇❡❛❦❡r ✈❡rs✐♦♥✱ ✇❤❡r❡ t❤❡ ♦♣❡♥✐♥❣ ❦❡② ✐s ♥♦t ♣r♦✈✐❞❡❞ t♦ t❤❡ ❛❞✈❡rs❛r② ✭✇❤✐❝❤ ✐s ✉s❡❢✉❧ ✇❤❡♥

✇❡ ❝❛♥♥♦t s❡♣❛r❛t❡ t❤❡ ✐ss✉✐♥❣ ❛♥❞ ♦♣❡♥✐♥❣✴tr❛❝✐♥❣ r♦❧❡s✱ ❛s ✐♥ ♦✉r ✜rst s✐♠♣❧❡ s❝❤❡♠❡ ❜❡❧♦✇✮✿

Adv^weak−rind_M_t❛❡s_,A(λ) = Pr[Exp^{weak−rind−}_M_t❛❡s_,A ¹(λ) = 1]−Pr[Exp^{weak−rind−}_M_t❛❡s_,A ⁰(λ) = 1].

❆s ✉s✉❛❧✱ ✇❡ ❞❡♥♦t❡ ❜②AdvMt❛❡s(λ, τ)✱ ❢♦r ❛♥② s❡❝✉r✐t② ♥♦t✐♦♥✱ t❤❡ ❜❡st ❛❞✈❛♥t❛❣❡ ❛♥② ❛❞✈❡rs❛r② ❝❛♥ ❣❡t

✇✐t❤✐♥ t✐♠❡ τ✳ ❋✉rt❤❡r♠♦r❡✱ ✇❡ ♠❛② ❛❞❞ ❛♥ ❡①tr❛ ♣❛r❛♠❡t❡r ω✱ ✇❤❡♥ ✇❡ ❧✐♠✐t t❤❡ ♥✉♠❜❡r ♦❢ Corrupt✲ q✉❡r✐❡s✳ ❚❤✐s ✇✐❧❧ ❜❡ ✉s❡❢✉❧ ❢♦r s❝❤❡♠❡s t❤❛t ❛r❡ ♥♦t ❢✉❧❧②✲❝♦❧❧✉s✐♦♥ s❡❝✉r❡ ✭s❡❡ ❙❡❝t✐♦♥ ✹✮✱ ❜✉t ω✲r❡s✐❧✐❡♥t✿

t❤❡ s❡❝✉r✐t② ❤♦❧❞s ✐❢ t❤❡ ♥✉♠❜❡r ♦❢Corrupt✲q✉❡r✐❡s ✐s ❧❡ss t❤❛♥ ω✳

✹

(6)

❊①♣❡r✐♠❡♥tExp^rind−b_M_t❛❡s_,A(λ) (mpk,msk,skO)←GSetup(λ) A^Join^∗⁽^·^),Corrupt(^·⁾(mpk,skO)

→(pk, m0, m1, s) C←Encrypt(mpk,pk, mb) C^∗←ReRand(mpk, C) b^′← A^Join^∗⁽^·^),Corrupt(^·⁾(s, C^∗)

■❋ pk6∈ LU \CU ❘❊❚❯❘◆ ✵

❊▲❙❊ ❘❊❚❯❘◆ b^′

❊①♣❡r✐♠❡♥tExp^ranon−b_M_t❛❡s_,A(λ) (mpk,msk,skO)←GSetup(λ) A^Join^∗⁽^·^),Corrupt(^·⁾(mpk)

→(pk₀,pk₁, m, s) C←Encrypt(mpk,pk_b, m) C^∗←ReRand(mpk, C) b^′← A^Join^∗⁽^·^),Corrupt(^·⁾(s, C^∗)

■❋ pk₀6∈ LU\CU

❖❘ pk₁6∈ LU\CU ❘❊❚❯❘◆ ✵

❊▲❙❊ ❘❊❚❯❘◆ b^′

❊①♣❡r✐♠❡♥tExp^ind−b_M_t❛❡s_,A(λ) (mpk,msk,skO)←GSetup(λ) A^Join^∗⁽^·^),Corrupt(^·⁾(mpk,skO)

→(pk, m0, m₁, s) C^∗←Encrypt(mpk,pk, mb) b^′← A^Join^∗⁽^·^),Corrupt(^·⁾(s, C^∗)

■❋ pk6∈ LU\CU ❘❊❚❯❘◆ ✵

❊▲❙❊ ❘❊❚❯❘◆ b^′

❊①♣❡r✐♠❡♥tExp^anon−b_M_t❛❡s_,A(λ) (mpk,msk,skO)←GSetup(λ) A^Join^∗⁽^·^),Corrupt(^·⁾(mpk)

→(pk₀,pk₁, m, s) C^∗←Encrypt(mpk,pk_b, m) b^′← A^Join^∗⁽^·^),Corrupt(^·⁾(s, C^∗)

■❋ pk₀6∈ LU\CU

❖❘ pk₁6∈ LU \CU ❘❊❚❯❘◆ ✵

❊▲❙❊ ❘❊❚❯❘◆ b^′

✭❛✮ ❙❡♠❛♥t✐❝ ❙❡❝✉r✐t② ✭❜✮ ❆♥♦♥②♠✐t②

❊①♣❡r✐♠❡♥tExp^correctMt❛❡s,A(λ) (mpk,msk,skO)←GSetup(λ) A^Join^∗(·),Corrupt(·)(mpk)

→(pk, m, r, r^′) C←Encrypt(mpk,pk, m;r) C^∗←ReRand(mpk, C;r^′)

■❋ pk6∈ LU ❘❊❚❯❘◆ ✵

■❋ pk6=Trace(mpk,skO,L, C^∗)

❘❊❚❯❘◆ ✶

■❋ Decrypt(mpk,sk, C^∗)6=m

✭✇❤❡r❡sk❛ss♦❝✐❛t❡❞ t♦pk✮ ❘❊❚❯❘◆ ✶

❊▲❙❊ ❘❊❚❯❘◆ ✵

❊①♣❡r✐♠❡♥tExp^subF−b_M_t❛❡s_,A(λ) (mpk,msk,skO)←GSetup(λ) A^Join^∗(·),Corrupt(·)(mpk)

→(C0, C1, s) C^∗←ReRand(mpk, Cb) b^′← A^Join^∗⁽^·^),Corrupt(^·⁾(s, C^∗)

■❋ ❚r❛❝❡❛❜❧❡(CU, C0)

❆◆❉ ❚r❛❝❡❛❜❧❡(CU, C1)❘❊❚❯❘◆ ✵

❊▲❙❊ ❘❊❚❯❘◆ b^′

✭❝✮ ❈♦rr❡❝t♥❡ss ✭❞✮ ❙✉❜❧✐♠✐♥❛❧✲❈❤❛♥♥❡❧ ❋r❡❡♥❡ss

❊①♣❡r✐♠❡♥tExp^priv−b_M_t❛❡s_,A(λ) (mpk,msk,skO)←GSetup(λ) A^Join^∗(·),Corrupt(·)(mpk)

→(pk₀,pk₁, m0, m1, s) C^∗←Encrypt(mpk,pk_d, md) b^′← A^Join^∗⁽^·^),Corrupt(^·⁾(s, C^∗)

■❋ pk₀6∈ LU \CU

❖❘ pk₁6∈ LU \CU ❘❊❚❯❘◆ ✵

❊▲❙❊ ❘❊❚❯❘◆ b^′

❊①♣❡r✐♠❡♥tExp^unlink−b_M_t❛❡s_,A(λ) (mpk,msk,skO)←GSetup(λ) A^Join^∗⁽^·^),Corrupt(^·⁾(mpk)

→(C, s)

C₀^′ ←ReRand(mpk, C) C₁^′ ← C^R ✱C^∗←C_b^′

b^′← A^Join^∗⁽^·^),Corrupt(^·⁾(s, C^∗)

■❋ ❚r❛❝❡❛❜❧❡(CU, C0^′)❘❊❚❯❘◆ ✵

❊▲❙❊ ❘❊❚❯❘◆ b^′

✭❡✮ Pr✐✈❛❝② ✭❢✮ ❈✐♣❤❡rt❡①t ❯♥❧✐♥❦❛❜✐❧✐t②

❋✐❣✳ ✶✳ ❊①♣❡r✐♠❡♥ts ❢♦r ❙❡❝✉r✐t② ◆♦t✐♦♥s

✺

(7)

❚❤❡ ❛❜♦✈❡ s❡❝✉r✐t② ♥♦t✐♦♥ ✐s ❛❜♦✉t t❤❡ r❡✲r❛♥❞♦♠✐③❡❞ ❝✐♣❤❡rt❡①t✱ ❛♥❞ t❤✉s ❢♦r ❛♥ ❛❞✈❡rs❛r② t❤❛t ❞♦❡s

♥♦t ❤❛✈❡ ❛❝❝❡ss t♦ t❤❡ ♣r❡✲❝✐♣❤❡rt❡①t ❜❡❢♦r❡ r❡✲r❛♥❞♦♠✐③❛t✐♦♥✳ ❲❡ t❤✉s ❞❡✜♥❡ t❤❡ s❛♠❡ s❡❝✉r✐t② ♥♦t✐♦♥

❛❜♦✉t t❤❡ ♣r❡✲❝✐♣❤❡rt❡①t ❝❤❛r❛❝t❡r✐③❡❞ ❜② t❤❡ ❛❞✈❛♥t❛❣❡s Adv^ind_M_t❛❡s_,A(λ) ❛♥❞ Adv^weak−ind_M_t❛❡s_,A(λ)✳ ■t ✐s ❝❧❡❛r t❤❛t t❤❡ ❧❛tt❡r s❡❝✉r✐t② ♥♦t✐♦♥s ✭❜❡❢♦r❡ r❡✲r❛♥❞♦♠✐③❛t✐♦♥✮ ❛r❡ str♦♥❣❡r t❤❛♥ t❤❡ ❢♦r♠❡r✱ ❛♥❞ ❛❞❞r❡ss t❤❡

❝❛s❡ ✇❤❡r❡ t❤❡ ♠❡❞✐❛t♦r ✐s ❤♦♥❡st ❜✉t ❝✉r✐♦✉s✿

❚❤❡♦r❡♠ ✷✳ ❋♦r ❛♥② s❝❤❡♠❡ Mt❛❡s ❛♥❞ ❛♥② t✐♠❡ ❜♦✉♥❞τ✱

Adv^rind_M_t❛❡s(λ, τ)≤Adv^ind_M_t❛❡s(λ, τ) Adv^weak−rind_M_t❛❡s (λ, τ)≤Adv^weak−ind_M_t❛❡s (λ, τ)

❆♥♦♥②♠✐t②✳ ❖✉r ❣♦❛❧ ✐♥ t❤✐s ✇♦r❦ ✐s ❛♥♦♥②♠✐t② ♦❢ t❤❡ r❡❝✐♣✐❡♥t ✭❛✳❦✳❛✳ ❦❡② ♣r✐✈❛❝② ❬✷❪✮✱ ✇❡ ❢♦r♠❛❧✐③❡ ✐t

❛s ✉s✉❛❧ ❜② t❤❡ ✐♥❞✐st✐♥❣✉✐s❤❛❜✐❧✐t② ♦❢ t❤❡ t✇♦ ❡①♣❡r✐♠❡♥ts ♣r❡s❡♥t❡❞ ❋✐❣✳ ✶✭❜✮✿ t❤❡ ❛❞✈❡rs❛r② ❤❛s t♦ ❣✉❡ss

✇❤✐❝❤ ♣✉❜❧✐❝ ❦❡② ❤❛s ❜❡❡♥ ✉s❡❞ t♦ ❣❡♥❡r❛t❡ t❤❡ ❝❤❛❧❧❡♥❣❡ ❝✐♣❤❡rt❡①t✳ ❆❣❛✐♥✱ ✇❡ r❡str✐❝t t❤❡ ❛❞✈❡rs❛r② t♦ ✉s❡ ✈❛❧✐❞ ✭r❡❣✐st❡r❡❞✮ ♣✉❜❧✐❝ ❦❡②s✳ ❲❡ ❞❡✜♥❡ t❤❡ ❛❞✈❛♥t❛❣❡ ♦❢ A ✐♥ ❜r❡❛❦✐♥❣ t❤❡ ❛♥♦♥②♠✐t② ✭❛❢t❡r r❡✲r❛♥❞♦♠✐③❛t✐♦♥ ♦r ❜❡❢♦r❡✮ ❜②✿

Adv^(r)anon_M_t❛❡s_,A(λ) = Pr[Exp^(r)anon−1_M_t❛❡s_,A(λ) = 1]−Pr[Exp^(r)anon−0_M_t❛❡s_,A(λ) = 1].

❚❤❡♦r❡♠ ✸✳ ❋♦r ❛♥② s❝❤❡♠❡ Mt❛❡s ❛♥❞ ❛♥② t✐♠❡ ❜♦✉♥❞τ✱ Adv^ranon_M_t❛❡s(λ, τ)≤Adv^anon_M_t❛❡s(λ, τ)✳

❈♦rr❡❝t♥❡ss✳ ❖❢ ❝♦✉rs❡✱ ❛♥ ❡♥❝r②♣t✐♦♥ s❝❤❡♠❡ t❤❛t ✐s ♥♦♥✲❞❡❝r②♣t❛❜❧❡ ❝♦✉❧❞ ❜❡ s❡❝✉r❡ ✭s❡♠❛♥t✐❝❛❧❧② s❡❝✉r❡ ❛♥❞ ❛♥♦♥②♠♦✉s✮✳ ❲❡ t❤✉s ♥❡❡❞ t❤❡ s❝❤❡♠❡ t♦ ❜❡ ❜♦t❤ ❞❡❝r②♣t❛❜❧❡ ❛♥❞ tr❛❝❡❛❜❧❡✿ ❛ ✇❡❧❧✲❢♦r♠❡❞

❝✐♣❤❡rt❡①t s❤♦✉❧❞ ❜❡ ❞❡❝r②♣t❛❜❧❡ ❜② t❤❡ t❛r❣❡t r❡❝✐♣✐❡♥t ✭✉s✐♥❣sk❛ss♦❝✐❛t❡❞ t♦ t❤❡ t❛r❣❡tpk✱ ❜♦t❤ ❣❡♥❡r✲

❛t❡❞ ❜② t❤❡ Join♦r❛❝❧❡✮✱ ❛♥❞ s❤♦✉❧❞ ❜❡ tr❛❝❡❞ ✭✇✐t❤ ❤✐❣❤ ♣r♦❜❛❜✐❧✐t②✮ t♦ t❤✐s r❡❝✐♣✐❡♥t ❜② t❤❡ ♦♣❡♥❡r✳ ◆♦

❛❞✈❡rs❛r② s❤♦✉❧❞ ❜❡ ❛❜❧❡ t♦ ✇✐♥ t❤❡ ❝♦rr❡❝t♥❡ss ❣❛♠❡ ✭s❡❡ ❋✐❣✳ ✶✭❝✮✮ ✇✐t❤ s✐❣♥✐✜❝❛♥t ❛❞✈❛♥t❛❣❡✿

Adv^correct_M_t❛❡s_,_A(λ) = Pr[Exp^correctMt❛❡s,A(λ) = 1].

❙✉❜❧✐♠✐♥❛❧✲❈❤❛♥♥❡❧ ❋r❡❡♥❡ss✳ ▲❡t ✉s r❡♠✐♥❞ t❤❛t ♦✉r ✉❧t✐♠❛t❡ ❣♦❛❧ ✐s t❤❛t ❡✐t❤❡r t❤❡ ❝✐♣❤❡rt❡①t ❝❛♥

❜❡ tr❛❝❡❞ t♦ ❛ ❝♦rr✉♣t❡❞ ✉s❡r ✭✉♥❞❡r t❤❡ ❝♦♥tr♦❧ ♦❢ t❤❡ ❛❞✈❡rs❛r②✮✱ ♦r t❤❡ ❛❞✈❡rs❛r② ❝❛♥♥♦t tr❛♥s❢❡r ❛♥②

✐♥❢♦r♠❛t✐♦♥✳ ❚❤✐s ✐s ♠♦❞❡❧❡❞ ❜② t❤❡ s✉❜❧✐♠✐♥❛❧✲❝❤❛♥♥❡❧ ❢r❡❡♥❡ss ♣r♦♣❡rt② ✭s❡❡ ❋✐❣✳ ✶✭❞✮✮✿ t❤❡ ❛❞✈❡rs❛r②

❣❡♥❡r❛t❡s t✇♦ ♣r❡✲❝✐♣❤❡rt❡①ts C₀ ❛♥❞ C₁✱ ✇✐t❤ ✇❤✐❝❤ ✐t tr✐❡s t♦ tr❛♥s♠✐t s♦♠❡ ✐♥❢♦r♠❛t✐♦♥✳ ■❢ t❤❡② ❛r❡

✇❡❧❧✲❢♦r♠❡❞✱ ❛♥❞ r❡❛❧❧② tr❛❝❡ t♦ ❝♦rr✉♣t❡❞ ✉s❡rs✱ t❤❡♥ t❤✐s ✐s ♥♦r♠❛❧ t❤❛t t❤❡ ✐♥❢♦r♠❛t✐♦♥ ✐s tr❛♥s❢❡rr❡❞ ❛♥❞

s♦ t❤❡ ❛❞✈❡rs❛r② ❞♦❡s ♥♦t ✇✐♥ ✭❤❡♥❝❡ t❤❡ t✇♦ t❡sts ✇✐t❤ t❤❡ ♣r❡❞✐❝❛t❡ ❚r❛❝❡❛❜❧❡✮✳ ❚❤❡ ❝❤❛❧❧❡♥❣❡r ♣r♦✈✐❞❡s

❛ r❡✲r❛♥❞♦♠✐③❡❞ ✈❡rs✐♦♥ ♦❢ ♦♥❡ ♦❢ t❤❡♠ t♦ t❤❡ ❛❞✈❡rs❛r②✱ ❛♥❞ t❤❡ ❧❛tt❡r ❤❛s t♦ ❣✉❡ss ✇❤✐❝❤ ♦♥❡✿ ✐t ❤❛s ♥♦

❜✐❛s ✉♥❧❡ss s♦♠❡ ✐♥❢♦r♠❛t✐♦♥ ❧❡❛❦s ✐♥ t❤❡ r❡✲r❛♥❞♦♠✐③❡❞ ❝✐♣❤❡rt❡①t✳ ❆s ❛ ❝♦♥s❡q✉❡♥❝❡✱ s✉❜❧✐♠✐♥❛❧✲❝❤❛♥♥❡❧

❢r❡❡♥❡ss ✐s q✉❛♥t✐✜❡❞ ❜②

Adv^subF_M_t❛❡s_,A(λ) = Pr[Exp^subF_M_t❛❡s⁻¹_,_A(λ) = 1]−Pr[Exp^subF_M_t❛❡s⁻⁰_,_A(λ) = 1].

❲❡ ♥♦t❡ t❤❛t ❢♦r t❤✐s s❡❝✉r✐t② ♥♦t✐♦♥✱ t❤❡ ❛❞✈❡rs❛r② ❣❡♥❡r❛t❡s t❤❡ ❝✐♣❤❡rt❡①t ✐ts❡❧❢✱ ❛♥❞ ✐s t❤✉s ❛❧❧♦✇❡❞ t♦

❣❡♥❡r❛t❡ ✐❧❧✲❢♦r♠❡❞ ❝✐♣❤❡rt❡①ts✱ ❝♦♥tr❛r✐❧② t♦ t❤❡ ♣r❡✈✐♦✉s s❡❝✉r✐t② ♥♦t✐♦♥s✳ ■♥ s✉❝❤ ❛ ❝❛s❡✱ ♦♥❧②✱ ✐t ✇✐♥s ✐❢

✐t ♠❛♥❛❣❡s t♦ tr❛♥s♠✐t s♦♠❡ ✐♥❢♦r♠❛t✐♦♥✳ ❲❡ ♥♦✇ ♣r♦✈✐❞❡ t✇♦ ❛❞❞✐t✐♦♥❛❧ ♦♥❡ t❤❛t ✇✐❧❧ ✐♠♣❧② t❤❡ ❛❜♦✈❡

♦♥❡s✳

Pr✐✈❛❝②✳ ❚❤✐s ♣r✐✈❛❝② ♥♦t✐♦♥ ✭s❡❡ ❋✐❣✳ ✶✭❡✮✮ ❡♥❝♦♠♣❛ss❡s ❜♦t❤ s❡♠❛♥t✐❝ s❡❝✉r✐t② ✭♣❧❛✐♥t❡①t✲♣r✐✈❛❝②✮ ❛♥❞

❛♥♦♥②♠✐t② ✭❦❡②✲♣r✐✈❛❝②✮ ❜❡❢♦r❡ r❡✲r❛♥❞♦♠✐③❛t✐♦♥✱ ❛♥❞ t❤✉s ❡✈❡♥ ✇✐t❤ r❡s♣❡❝t t♦ t❤❡ ♠❡❞✐❛t♦r✿

Adv^priv_M_t❛❡s_,A(λ) = Pr[Exp^priv−_M_t❛❡s¹ _,A(λ) = 1]−Pr[Exp^priv−_M_t❛❡s⁰ _,A(λ) = 1].

❈✐♣❤❡rt❡①t✲❯♥❧✐♥❦❛❜✐❧✐t②✳ ❚❤❡♥✱ ✇❡ ✇❛♥t t❤❛t ❡✐t❤❡r t❤❡ ♣r❡✲❝✐♣❤❡rt❡①t s❡♥t t♦ t❤❡ ♠❡❞✐❛t♦r ❤❛s

❛ ✇❡❧❧ ✐❞❡♥t✐✜❡❞ t❛r❣❡t r❡❝✐♣✐❡♥t✱ ♦r t❤❡ r❡✲r❛♥❞♦♠✐③❛t✐♦♥ ❝❛♥❝❡❧ ❛♥② ✐♥❢♦r♠❛t✐♦♥✿ ✉♥❧❡ss t❤❡ ❝✐♣❤❡rt❡①t tr❛❝❡s ❜❛❝❦ t♦ ❛ ✉s❡r ❝♦♥tr♦❧❧❡❞ ❜② t❤❡ ❛❞✈❡rs❛r②✱ ♦r t❤❡ r❡✲r❛♥❞♦♠✐③❡❞ ❝✐♣❤❡rt❡①t ✐s ✉♥❧✐♥❦❛❜❧❡ t♦ t❤❡

✐♥♣✉t ♣r❡✲❝✐♣❤❡rt❡①t✱ ❛♥❞ t❤✉s ✐♥❞✐st✐♥❣✉✐s❤❛❜❧❡ ✇✐t❤ ❛ tr✉❧② r❛♥❞♦♠ ❝✐♣❤❡rt❡①t ✭✐♥ t❤❡ ❘❡❛❧✲♦r✲❘❛♥❞♦♠

s❡♥s❡✮ ✕ ✭s❡❡ ❋✐❣✳ ✶✭❢✮✮✿

Advûnlink_M_t❛❡s_,A(λ) = Pr[Expûnlink−_M_t❛❡s_,A¹ (λ) = 1]−Pr[Expûnlink−_M_t❛❡s_,A⁰ (λ) = 1].

✻

(8)

✷✳✸ ❘❡❧❛t✐♦♥s ❜❡t✇❡❡♥ t❤❡ ❙❡❝✉r✐t② ◆♦t✐♦♥s

■♥ t❤✐s s❡❝t✐♦♥✱ ✇❡ st❛t❡ t❤❛t t❤❡ ❧❛t❡r s❡❝✉r✐t② ♥♦t✐♦♥s ✐♠♣❧② t❤❡ ❢♦r♠❡r✱ ❛♥❞ t❤❡ ♣r♦♦❢s ❝❛♥ ❜❡ ❢♦✉♥❞ ✐♥

t❤❡ ❆♣♣❡♥❞✐① ❆✳

❚❤❡♦r❡♠ ✹✳ ❋♦r ❛♥② s❝❤❡♠❡ Mt❛❡s ❛♥❞ ❛♥② t✐♠❡ ❜♦✉♥❞τ✱

Adv^weak−ind_M_t❛❡s (λ, τ)≤Adv^priv_M_t❛❡s(λ, τ) Advânon_M_t❛❡s(λ, τ)≤Adv^priv_M_t❛❡s(λ, τ) Adv^priv_M_t❛❡s(λ, τ)≤Adv^weak_M_t❛❡s⁻înd(λ, τ) +Advânon_M_t❛❡s(λ, τ).

❚❤❡♦r❡♠ ✺✳ ❋♦r ❛♥② s❝❤❡♠❡ Mt❛❡s ❛♥❞ ❛♥② t✐♠❡ ❜♦✉♥❞τ✱ Adv^subF_M_t❛❡s(λ, τ)≤ 1

2×Adv^unlink_M_t❛❡s(λ, τ).

✸ ❖✉r s❝❤❡♠❡

❋✐rst✱ ✇❡ ♣r❡s❡♥t ❛ s✐♠♣❧❡ s❝❤❡♠❡ ❛❝❤✐❡✈✐♥❣ t❤❡ ❛❜♦✈❡ s❡❝✉r✐t② r❡q✉✐r❡♠❡♥ts✳ ❚❤✐s s❝❤❡♠❡ ✐♥❤❡r✐ts t❤❡

♣r♦♣❡rt✐❡s ♦❢ s♦♠❡ ❝♦♠❜✐♥❛t✐♦♥ ♦❢ ❜r♦❛❞❝❛st ❡♥❝r②♣t✐♦♥ ❛♥❞ r❡✲r❛♥❞♦♠✐③❛❜❧❡ t❡❝❤♥✐q✉❡s✳ ■t ❢✉❧✜❧❧s t❤❡

str♦♥❣❡st ♣r♦♣❡rt✐❡s ♦❢ ♣r✐✈❛❝② ❛♥❞ ✉♥❧✐♥❦❛❜✐❧❧✐t② ✉♥❞❡r t❤❡ s♦❧❡DDH❛ss✉♠♣t✐♦♥✱ ❜✉t ✇✐t❤ t❤❡ r❡str✐❝t✐♦♥

t❤❛t t❤❡ s❛♠❡ tr❛♣❞♦♦r ✐s ✉s❡❞ ❢♦r ❜♦t❤ ❞❡❝r②♣t✐♥❣ ❛♥❞ tr❛❝✐♥❣ ❝✐♣❤❡rt❡①ts✳ ❲❡ t❤❡♥ s❤♦✇ ❤♦✇ ✇❡ ❝❛♥

s❡♣❛r❛t❡ t❤❡s❡ ❝❛♣❛❜✐❧✐t✐❡s✱ ✉♥❞❡r t❤❡ XDH ❬✺❪ ❛♥❞ t❤❡ ✭❛s②♠♠❡tr✐❝✮ DBDH ❬✶✶❪ ❛ss✉♠♣t✐♦♥s✳ ❚❤❡s❡

❝❧❛ss✐❝❛❧ ❛ss✉♠♣t✐♦♥s ❛r❡ r❡✈✐❡✇❡❞ ✐♥ t❤❡ ❆♣♣❡♥❞✐① ❇✳ ❲❡ ❤❡r❡ ✉s❡ ❝❧❛ss✐❝❛❧ ❛❞✈❛♥t❛❣❡ ♥♦t❛t✐♦♥s ❢♦r

❛❧❧ t❤❡ ❞❡❝✐s✐♦♥❛❧ ♣r♦❜❧❡♠s✳

✸✳✶ ❉❡s❝r✐♣t✐♦♥ ♦❢ t❤❡ ❙❝❤❡♠❡ Mt❛❡s¹

✕ GSetup(λ)✿ ❚❤❡GSetup❛❧❣♦r✐t❤♠ t❛❦❡s ❛s ✐♥♣✉t ❛ s❡❝✉r✐t② ♣❛r❛♠❡t❡rλ✳ ■t ❞❡✜♥❡s ❛ ❝②❝❧✐❝ ❣r♦✉♣G♦❢

♣r✐♠❡ ♦r❞❡rq✱ ✐♥ ✇❤✐❝❤ t❤❡DDH❛ss✉♠♣t✐♦♥ ❤♦❧❞s✱ ✐♥ s♦♠❡ ❜❛s✐sg✳ ❲❡ ❞❡♥♦t❡G^∗ =G\{1}✱ t❤❡ s✉❜s❡t

♦❢ ❡❧❡♠❡♥ts ♦❢ ♦r❞❡r ❡①❛❝t❧②q✳ ■t ❝❤♦♦s❡s r❛♥❞♦♠ s❝❛❧❛rsx₁, . . . , xt∈Z^∗_q ✇✐t❤tt❤❡ ♠❛①✐♠✉♠ ♥✉♠❜❡r

♦❢ r❡❣✐st❡r❡❞ ✉s❡rs✳ ■t s❡ts t❤❡ ♠❛st❡r s❡❝r❡t ❦❡② ❛♥❞ t❤❡ ♦♣❡♥✐♥❣ ❦❡② ❛smsk=sk_O= (x1, x2, . . . , xt)

❛♥❞ t❤❡ ❣r♦✉♣ ♣✉❜❧✐❝ ❦❡② mpk= (y₁ =g^x¹, . . . , yt=g^x^t)✳ ■t ❛❧s♦ s❡ts t❤❡ r❡❣✐str❛t✐♦♥ ❧✐stL t♦ ❡♠♣t②✳

✕ Join(✐❞,mpk,msk)✿ ❚❤❡ ✐❞ ✐s ❛ss✉♠❡❞ t♦ ❜❡ ❛♥ ✐♥t❡❣❡r ❜❡t✇❡❡♥ 1 ❛♥❞ t✳ ❚❤✐s ❛❧❣♦r✐t❤♠ t❤✉s ♦✉t♣✉ts sk_✐❞=x_✐❞❛s t❤❡ s❡❝r❡t ❦❡② ♦❢ ✉s❡r ✐❞✱ ✇❤❡r❡❛s t❤❡ ♣✉❜❧✐❝ ❦❡② ✐s y_✐❞✳ ■t ❛❞❞s t❤❡ ♣❛✐r(✐❞,pk_✐❞=y_✐❞)✐♥

t❤❡ ❧✐stL✳

✕ Encrypt(mpk, i, m)✿ ❚♦ ❡♥❝r②♣t ❛ ♠❡ss❛❣❡m∈G✉♥❞❡r ❛ ♣✉❜❧✐❝ ❦❡②pk_i =y_i✱ ✇❡ ❝❤♦♦s❡ t✇♦ r❛♥❞♦♠

s❝❛❧❛rs r, s∈Z^∗_q ❛♥❞ ❝♦♠♣✉t❡(A₁, A₂, B₁, B₂) = (g^r, m·y^r_i, g^s, y^s_i)✳

✕ ReRand(mpk, C)✿ ❚♦ r❡✲r❛♥❞♦♠✐③❡ ❛ ♣r❡✲❝✐♣❤❡rt❡①t ✐♥ (G^∗)⁴✱ ✇❡ ✜rst ❝❤♦♦s❡ 4t r❛♥❞♦♠ s❝❛❧❛rs rj, r_j^′

❛♥❞ sj, s^′_j ✐♥Z^∗_q✱ ❢♦r j= 1,· · ·, t ❛♥❞ ❝♦♠♣✉t❡t s✉❜✲❝✐♣❤❡rt❡①ts ❛s ❢♦❧❧♦✇s✿

C_1,j←A₁·B^r

′ j

1 ·g^r^j C_2,j ←A₂·B^r

′ j

2 ·yjrj

D_1,j←B₁^s^′^j·g^s^j D_2,j ←B₂^s^′^j·yjsj.

❚❤❡♥✱ ✇❡ ♦❜t❛✐♥ ❛ s❡q✉❡♥❝❡C ♦❢ tt✉♣❧❡s(C_1,j, C_2,j, D_1,j, D_2,j) ❢♦r j= 1, . . . , t✳ ◆♦t❡ t❤❛t t❤❡ s❡❝♦♥❞

❤❛❧✈❡s ♦❢ t❤❡ t✉♣❧❡s ❛❧❧♦✇ t♦ r❡✲r❛♥❞♦♠✐③❡ ❛❣❛✐♥ t❤❡ ❝✐♣❤❡rt❡①t✱ ✇✐t❤ 4t r❛♥❞♦♠ s❝❛❧❛rs aj, a^′_j ❛♥❞

b_j, b^′_j✿

C_1,j^′ ←C1,j·D^a

′j

1,j ·g^a^j C_2,j^′ ←C2,j·D^a

′j

2,j ·yja_j

D^′_1,j ←D1,jb^′j·g^b^j D^′_2,j ←D2,jb^′j·yjbj.

✕ Decrypt(mpk, i, C)✿ ❚♦ ❞❡❝r②♣t ❛ ❝✐♣❤❡rt❡①t ❢♦r ✉s❡r i✱ ✉s✐♥❣ t❤❡ s❡❝r❡t ❦❡② xi✱ ✇❡ ❝♦♠♣✉t❡ m ← C2,i·C_1,i^−xⁱ✳ ◆♦t❡ t❤❛t ✉s❡ri❝❛♥ ❝❤❡❝❦ ✇❤❡t❤❡r ❤❡ r❡❛❧❧② ✐s t❤❡ t❛r❣❡t r❡❝✐♣✐❡♥t✿ D2,i ?

=D_1,i^xⁱ✳

✼