Organización de la información

Lemma 9 For any adversary A, there exists a probabilistic machine B₁, whose running time is essentially the same as that of A, such that for any security parameter λ, |Adv(0_A)(λ)−

Adv(1)_A (λ)| ≤AdvP1_B1-IPE(λ).

Proof. In order to prove Lemma 9, we construct a probabilistic machineB₁ against Problem 1-IPE using an adversaryA in a security game (Game 0’ or 1) as a black box as follows:

1. B₁ is given a Problem 1-IPE instance, (param,B₀,B∗₀,B,B∗,e_β,0,{e_β,t,i}_{t=1,...,d;i=1,2},e_β,1,

e₂).

2. B1 plays a role of the challenger in the security game against adversary A.

3. At the first step of the game,B1 providesAa public keypk:= (1λ,param,B₀,B) of Game 0’ (and 1), whereB₀ := (b_0,1,b_0,3,b_0,5) and B:= (b₁, . . . ,b₄,b₁₄,b₁₅).

4. When a key query is issued for vector v := {(t, v_t)|t ∈ I_v}, B₁ answers normal key (k₀∗,{k∗_t}_t∈Iv) with Eq. (3), that is computed usingB∗₀,B∗ of the Problem 1-IPE instance. 5. When B₁ receives an encryption query with challenge plaintexts (m(0), m(1)) and x(0) := {(t, x(0)_t )|t ∈I_x}, x(1) :={(t, x(1)_t )|t∈ I_x} with I_x := I_x(0) =I_x(1) from A, B₁ computes the challenge ciphertext (c₀,{c_t}_t∈Ix, c_T) such that

c₀:=e_β,0+ζb_0,3, c_t:=x(_tb)e_β,t,1+ξ₁e_β,t,2+ξ₂b₄, c_T :=gζ_Tm(b),

where ζ, ξ₁, ξ₂ ←U F_q, b ← {U 0,1}, and (b_0,3,e_β,0,{e_β,t,i}_{t=1,...,d;i=1,2},b₄) is a part of the Problem 1-IPE instance.

6. When a key query is issued byAafter the encryption query,B1 executes the same proce- dure as that of step 4.

7. A finally outputs bitb. Ifb=b,B₁ outputsβ:= 1. Otherwise, B₁ outputsβ:= 0. It is straightforward that the distribution by B₁’s simulation given a Problem 1-IPE instance withβ is equivalent to that in Game 0’ (resp. Game 1), when β= 0 (resp.β = 1). Lemma 10 For any adversaryA, there exists a probabilistic machineB₂, whose running time is essentially the same as that ofA, such that for any security parameter λ, |Adv(2-(_A h−1)-2)(λ)−

Adv_A(2-h-1)(λ)| ≤AdvP2_B2--_hIPE(λ) + 2/q, where B2-_h(·) :=B2(h,·).

Proof. In order to prove Lemma 10, we construct a probabilistic machineB2 against Problem 2-IPE using an adversary A in a security game (Game 2-(h−1)-2 or 2-h-1) as a black box as follows:

1. B₂ is given an integerh and a Problem 2-IPE instance, (param,B₀,B∗₀,B,B∗,h∗_β,0,e₀, {h∗_β,t,j,e_t,j}_{t=1,...,d;j=1,2}).

2. B2 plays a role of the challenger in the security game against adversary A.

3. At the first step of the game,B₂ providesAa public keypk:= (1λ,param,B₀,B) of Game 2-(h−1)-2 (and 2-h-1), where B₀ and B are obtained from the Problem 2-IPE instance. 4. When the ι-th key query is issued for vectorv:={(t, v_t)|t∈I_v},B2 answers as follows: (a) When 1≤ι≤h−1,B₂ answers semi-functional key (k₀∗,{k_t∗}_t∈Iv) with Eq. (7), that

is computed using B∗₀,B∗ of the Problem 2-IPE instance.

(b) Whenι=h,B₂calculates (k₀∗,{k∗_t}_t∈Iv) using (b_0,1,b_0,3,b∗₄,h∗_β,0,{h∗_β,t,j}_{t=1,...,d;j=1,2}) of the Problem 2-IPE instance as follows:

fort∈I_v, g_t, ξ_t←U F_q, p∗_β,0,t:=g_th∗_β,0+ξ_tb∗_0,1, p∗_β,t,2 :=g_th∗_β,t,2+ξ_tb∗₄, k∗₀ :=−_t∈I

vp∗β,0,t+b∗0,3,

(c) Whenι≥h+ 1,B₂ answers normal key (k∗₀,{k_t∗}_t∈Iv) with Eq. (3), that is computed using B∗₀,B∗ of the Problem 2-IPE instance.

5. When B₂ receives an encryption query with challenge plaintexts (m(0), m(1)) and x(0) := {(t, x(0)_t )|t ∈I_x}, x(1) :={(t, x(1)_t )|t∈ I_x} with I_x := I_x(0) =I_x(1) from A, B₂ computes the challenge ciphertext (c₀,{c_t}_t∈Ix, c_T) such that

c₀ :=e₀+ζb_0,3, c_t:=x(_tb)e_t,1+θ₁e_t,2+θ₂b₄, c_T :=g_Tζm(b)_,

where ζ, θ₁, θ₂ ←U F_q,b← {U 0,1}, and (b_0,3,e₀,{e_t,j}_{t=1,..,n;j=1,2}) is a part of the Problem 2-IPE instance.

6. When a key query is issued byAafter the encryption query,B₂ executes the same proce- dure as that of step 4.

7. A finally outputs bitb. Ifb=b,B₂ outputsβ:= 1. Otherwise, B₂ outputsβ:= 0. Claim 1 The distribution of the view of adversary A in the above-mentioned game simulated by B₂ given a Problem 2-IPE instance with β ∈ {0,1} is the same as that in Game 2-(h−1)-2 (resp. Game 2-h-1) if β = 0 (resp. β = 1) except with probability 1/q (resp.1/q).

Proof. It is straightforward that the distribution by B₂’s simulation given a Problem 2-IPE instance with β= 0 is equivalent to that in Game 2-(h−1)-2 except thatδ defined in Problem 2-IPE is zero, i.e., except with probability 1/q.

When β = 1, the challenge ciphertext in the above simulation is given as: c₀ := (ω, τ , ζ, 0, ϕ₀)_B0, fort∈I_x, 4 7 2 2 c_t:= ( σ_t(1, t), ωx(_tb),ω, (τ x(_tb), τ), 02, (τ x_t(b), τ)·Z_t, 0, 02, ϕ_t,1,ϕ_t,2 )_B, whereσ_t:=x(_tb)σ_t,1+σ_t,2,ω:=θ₁ω+θ₂,τ:=θ₁τ,ϕ_t,j :=x(_tb)ϕ_t,1,j+ϕ_t,2,jforj = 1,2,ω, τ,{σ_t,j, ϕ_t,i,j}_{t∈Ix;i,j=1,2} are defined in Problem 2-IPE.

p∗_β,0,t,p∗_β,t,2 for t ∈ I_v calculated in case (b) of steps 4 and 6 in the above simulation are expressed as: s_t:=g_tδ+ξ_t, a_k :=g_kρ, p∗_0,0,t= (s_t,0,0, g_tη₀,0)_B∗ 0, p∗1,0,t = (st, at,0, gtη0,0)B∗₀, 4 7 2 2 p∗_0,t,2 := ( g_tμ_t,2(t, −1), 0, s_t, 07, g_t(η_t,2,1, η_t,2,2), 02 )_B∗, p∗_1,t,2 := ( g_tμ_t,2(t, −1), 0, s_t, 04, (0, a_t)U_t, 0, g_t(η_t,j,1, η_t,j,2), 02 )_B∗, where δ, ρ, η₀,{μ_t,2, U_t, η_t,2,1, η_t,2,2}_t∈Iv are defined in Problem 2-IPE. Therefore, (k₀∗,{k∗_t}_t∈Iv) are expressed as:

s₀ :=n_t=1s_t, a₀ :=n_t=1a_t, η₀:= (n_t=1g_t)η₀, if β= 0, k∗₀ = (−s₀,0,1,η₀,0)_B∗ 0, if β = 1, k0∗= (−s0,−a0,1,η0,0)B∗0, 4 7 2 2 if β = 0, k_t∗:= ( μ_t(t, −1), δv_t, s_t, 07, η_t,1,η_t,2, 02 )_B∗, if β = 1, k_t∗:= ( μ_t(t, −1), δv_t, s_t, 04, (ρv_t, a_t)·U_t, 0, η_t,1,η_t,2, 02 )_B∗,

where δ, ρ, s_t, a_t,μ_t :=v_tμ_t,1+g_tμ_t,2,η_t,j :=v_tη_t,j+g_tη_t,j fort∈I_v;j = 1,2 are independently and uniformly distributed. Therefore, (k∗₀,{k_t∗}_t∈Iv) and (c₀,{c_t}_t∈Ix) are distributed as in Eqs. (6) and (5), respectively. Therefore, when β = 1, the distribution by B2’s simulation is equivalent to that in Game 2-h-1 except that δ defined in Problem 2-IPE is zero, i.e., except

with probability 1/q.

This completes the proof of Lemma 10.

Lemma 11 For any adversaryA, for any security parameter λ, Adv_A(2-h-1)(λ) =Adv(2-_A h-2)(λ). Proof. It is clear that the distribution of the public-key and the ι-th key query’s answer for ι=h in Game 2-h-1 and Game 2-h-2 are exactly the same. Therefore, to prove this lemma we will show that the joint distribution of theh-th key query’s answer and the challenge ciphertext in Game 2-h-1 and Game 2-h-2 are equivalent.

Let r_t := (πv_t, a_t) ·U_t, which is coefficients of the t-th key element k∗_t for t ∈ I_v, and

w_t:= (τ x(_tb),τ)·Z_t, which is coefficients of thet-th ciphertext elementc_t fort∈I_x in Game 2- h-1. Letn:=(I_v), n :=(I_x), andnelements ofI_v are expressed by{t₁, . . . , t_n|1≤t₁≤t₂≤ · · · ≤t_n ≤ d}. We will show that (a₀,{r_t}_t∈Iv,{w_t}_t∈Ix) ∈ F_q×F_q2n×F2_qn are uniformly and independently distributed from the other variables in the joint distribution of adversary A’s view.

When I_v ⊆ I_x, there exist an index t_i ∈ I_v \I_x, and coefficients w_ti := (πv_ti, a_ti)·U_ti of k∗_ti is uniformly and independently distributed in F2_q since U_ti ←U GL(2,F_q) is uniformly and independently distributed from the other variables in A’s view. Moreover, variablesa_tj for j= 1, . . . , i−1, i+1, . . . , nanda₀ :=_{j=1,,...,i−1,i+1,...,n}a_tjare also uniformly and independently distributed inF_q sincea_ti appears only inw_ti inA’s view. Therefore, from Lemma 8, variables (a₀,{r_t}_t∈Iv,{w_t}_t∈Ix) are uniformly and independently distributed from the other variables.

When I_v ⊆I_x, it holds that_t∈I

vvtxt= 0 from the definition of the security game. Since

r_t·w_t=πτ v_tx_t+τ a _t, (a₀,{r_t·w_t}_t∈Iv) = (a₀, r_t1 ·w_t1, . . . , r_tn·w_tn) are represented as ⎛ ⎜ ⎜ ⎜ ⎝ a₀ r_t1·w_t1 .. . r_tn·w_tn ⎞ ⎟ ⎟ ⎟ ⎠=M· ⎛ ⎜ ⎜ ⎜ ⎝ π a_t1 .. . a_tn ⎞ ⎟ ⎟ ⎟ ⎠, whereM := ⎛ ⎜ ⎜ ⎜ ⎝ 0 1 . . . 1 τ v_t1x_t1 τ .. . . .. τ v_tnx_tn τ ⎞ ⎟ ⎟ ⎟ ⎠ (24)

The determinant of M is given by det(M) = (τ)n−1τ(n_i=1v_tix_ti) = (τ)n−1τ(_t∈I

vvtxt),

which is nonzero since _t∈I

vvtxt= 0 with all but negligible probability 2/q, i.e., except when

τ = 0 orτ = 0. Since fresh variables (π,{a_t}_t∈Iv) appear only in (a₀,{r_t·w_t}_t∈Iv) in A’s view, these variables (a₀,{r_t·w_t}_t∈Iv) are also fresh, i.e., uniformly and independently distributed from the other variables. Then, from Lemma 8, variables (a₀,{r_t}_t∈Iv,{w_t}_t∈Ix) are uniformly and independently distributed from the other variables when I_v⊆I_x, too.

Therefore, the view of adversary A in the Game 2-h-1 is the same as that in Game 2-h-2.

This completes the proof of Lemma 11.

Lemma 12 For any adversary A, for any security parameter λ, |Adv_A(2-ν-2)(λ)−Adv(3)_A (λ)| ≤ 1/q.

Proof. To prove Lemma 12, we will show distribution of public parameters, queried keys, and challenge ciphertext, (param,B,{sk(h):= (k₀(h)∗,{k_t(h)∗}_t∈Iv)}_h=1,...,ν,ct:= (c₀,{c_t}_t∈Ix, c_T)), in Game 2-ν-2 and that in Game 3 are equivalent.

First, we note that a part of ciphertext {c_t}_t∈Iv in Game 2-ν-2 and that in Game 3 are equivalently distributed since matrices {Z_t ←U GL(2,F_q)}_t∈Iv of {c_t}_t∈Iv in Game 2-ν-2 are uniformly and independently distributed from other variables.

For the distribution of k∗₀ and c₀, we define new dual orthonormal bases (D₀,D∗₀) of V₀ as follows:

We generate χ←UF_q, and set

d_0,2:=b_0,2−χb_0,3, d∗_0,3:=b∗_0,3+χb∗_0,2

D0:= (b0,1,d0,2,b0,3, . . . ,b0,5), D∗0 := (b∗0,1,b∗0,2,d∗0,3,b∗0,4,b∗0,5).

We then easily verify that D₀ and D∗₀ are dual orthonormal, and are distributed the same as the original bases, B₀ and B∗₀.

The t= 0 elements of keys and challenge ciphertext ({k₀(h)∗}_h=1,...,ν,c₀) in Game 2-ν-2 are expressed over bases (B₀,B∗₀) and (D₀,D∗₀) as

k₀(h)∗ := (−s(₀h), r₀(h), 1, η(₀h), 0 )_B∗ 0 = (−s (h) 0 , r0(h)−χ, 1, η0(h), 0 )D∗ 0 = ( −s(₀h), r₀(h), 1, η(₀h), 0 )_D∗ 0 c₀ := (ω, τ , ζ, 0, ϕ₀ )_B0 = (ω, τ , ζ+χτ , 0, ϕ₀ )_D0 = (ω, τ , ζ , 0, ϕ₀ )_D0, wherec_T :=gζ_Tm(b),

where r(₀h) := r(₀h)−χ, ζ := ζ+χτ ∈ F_q are uniformly, independently (from other variables) distributed since r₀(h), χ←U F_q, except for the caseτ = 0, i.e., except with probability 1/q.

In the light of the adversary’s view, both (B₀,B∗₀) and (D₀,D∗₀) are consistent with pub- lic key pk := (1λ,param,B₀,B). Therefore, {sk(h) := (k₀(h)∗,{k_t(h)∗}_t∈Iv)}_h=1,...,ν and ct := (c₀,{c_t}_t∈Ix, c_T) above can be expressed as keys and ciphertext in two ways, in Game 2-ν-2 over bases ((B₀,B∗₀),(B,B∗)) and in Game 3 over bases ((D₀,D∗₀),(B,B∗)). Thus, Game 2-ν-2

can be conceptually changed to Game 3.

Lemma 13 For any adversary A, there exists a probabilistic machine B₃, whose running time is essentially the same as that of A, such that for any security parameter λ, |Adv(3)_A (λ)−

Adv(4)_A (λ)| ≤AdvP3_B3-IPE(λ) + 2/q.

Proof. In order to prove Lemma 13, we construct a probabilistic machineB₃ against Problem 3-IPE using an adversaryA in a security game (Game 3 or 4) as a black box as follows:

1. B₃ is given a Problem 3-IPE instance, (param,B₀,B∗₀,B,B∗,h∗,e_β).

2. B₃ plays a role of the challenger in the security game against adversary A.

3. At the first step of the game,B₃ providesAa public keypk:= (1λ,param,B₀,B) of Game 3 (and 4), where B₀:= (b_0,1,b_0,3,b_0,5) and B := (b₁, . . . ,b₄,b₁₄,b₁₅).

4. When a key query is issued for vectorv:={(t, v_t)|t∈I_v},B₃ answers (k∗₀,{k∗_t}_t∈Iv) such that k₀∗:= ( −s₀, 0, 1, η₀, 0 )_B∗ 0, k_t∗:=δv _th∗+ (μ_t(t, −1), 0, s_t, 06, r_t, 0, η_t, 02 )_B∗ fort∈I_v, wheres_t, μ_t, η₀,δ←U F_q, r_t, η_t←UF2_q, s₀ :=_t∈I vst, and (B∗0,h∗,B∗:= (b1,b2,b4, . . . ,b15))

5. When B₃ receives an encryption query with challenge plaintexts (m(0), m(1)) and vectors

x(0) := {(t, x(0)_t )|t ∈ I_x}, x(1) := {(t, x(1)_t )|t ∈ I_x} with I_x := I_x(0) = I_x(1) from A, B₃ computes the challenge ciphertext (c₀,{c_t}_t∈Ix, c_T) such that

c₀:= ( ω, τ , ζ, 0, ϕ₀ )_B0,

c_t:=x(_tb)e_β+ (σ_t(1, t), 0, ω, 0, τ , 02, z_t, 03, ϕ_t )_B fort∈I_x, c_T :=gζ_Tm(b),

whereζ, ζ,ω,τ , ϕ₀←UF_q, z_t, ϕ_t←U F2_q, b← {U 0,1}, and (B₀,e_β,B) is a part of the Problem 3-IPE instance.

6. When a key query is issued byAafter the encryption query,B3 executes the same proce- dure as that of step 4.

7. A finally outputs bitb. Ifb=b,B₃ outputsβ:= 0. Otherwise, B₃ outputsβ:= 1. Claim 2 The distribution of the view of adversary A in the above-mentioned game simulated by B₃ given a Problem 3-IPE instance with β ∈ {0,1} is the same as that in Game 3 (resp. Game 4) if β= 1 (resp. β= 0) with all but negligible probability 1/q.

Proof. We will consider the joint distribution of k(_th)∗ for h = 1, . . . , ν; t ∈ I_v(h) and ct for t∈I_x.

The h-th queried key{k(_th)∗}_h=1,...,ν forv(h) :={(t, v_t(h))|t∈I_v(h)} generated in steps 4 and 6 is

k_t(h)∗ = δ(h)v_t(h)h∗+ (μ(_th)(t, −1), 0, s(_th), 04, r_t(h), 0, η_t(h), 02 )_B∗

= (μ(_th)(t, −1), δ(h)uv_t(h), s(_th), 04, r_t(h)+δ(h)v_t(h)(r,0), 0, η_t(h), 02 )_B∗ = (μ(_th)(t, −1), δ(h)v_t(h), s_t(h), 04, r_t, 0, η_t(h), 02 )_B∗

whereδ(h):=δ(h)u∈F_q, r(_th) :=r_t(h)+δ(h)v_t(h)(r,0) are uniformly and independently distributed sinceδ(h) ←UF_q, r_t(h)←UF2_q, except for the case u= 0, i.e., except with probability 1/q.

When β = 0, ciphertextc_tgenerated in step 5 is

c_t = x(_tb)e₀+ (σ_t(1, t), 0, ω, 0, τ , 02, z_t, 03, ϕ_t )_B = ( σ_t(1, t), 0, ω, 0, τ , 02, z_t+x(_tb)(z₁, z₂), 03, ϕ_t )_B = ( σ_t(1, t), 0, ω, 0, τ , 02, z_t, 03, ϕ_t )_B

wherez_t:=z_t+x(_tb)(z₁, z₂)∈F2_q is uniformly and independently distributed since z_t ←UF2_q. When β = 1, ciphertextc_tgenerated in step 5 is

c_t = x(_tb)e₀+ (σ_t(1, t), 0, ω, 0, τ , 02, z_t, 03, ϕ_t )_B

= (σ_t(1, t), ωx(_tb), ω, τ x (_tb), τ , 02, z_t+x(_tb)(z₁, z₂), 03, ϕ_t )_B = (σ_t(1, t), ωx(_tb), ω, τ x (_tb), τ , 02, z_t, 03, ϕ_t )_B

wherez_t:=z_t+x(_tb)(z₁, z₂)∈F2_q are uniformly and independently distributed sincez_t ←U F2_q. Therefore, the above{c_t}_t∈Ix and c₀ := (ω, τ , ζ, 0, ϕ₀ )_B0, c_T :=g_Tζm(b) give a challenge ciphertext in Game 3 when β= 1, and that in Game 4 when β = 0.

From Claim 2, Adv(3)_A (λ)−Adv(4)_A (λ)≤Pr

B3(1λ, )→1 ←GR ₀P3-IPE(1λ) − Pr

B3(1λ, )→1 ←GR 1P3-IPE(1λ)+ 2/q = AdvP3B3-IPE(λ) + 2/q. This completes the proof of