Unconditionally Secure Anonymous Encryption ... - Semantic Scholar

2 downloads 17 Views 160KB Size Report
Dec 1, 2005 - exchange (with certificates) [4] or (conventional) digital signatures are ... sender prior to selecting a shared secret, and this means loss of anonymity. .... digital signature schemes [20, 21, 22] that do exist, these schemes yet too ...

The Computer Journal Advance Access published December 1, 2005 © The Author 2005. Published by Oxford University Press on behalf of The British Computer Society. All rights reserved. For Permissions, please email: [email protected] doi:10.1093/comjnl/bxh149

Unconditionally Secure Anonymous Encryption and Group Authentication1 Goichiro Hanaoka1,∗ , Junji Shikata2 , Yumiko Hanaoka3 and Hideki Imai4 1 National Institute of Advanced Industrial Science and Technology, Tokyo, Japan 2 Graduate School of Environment and Information Sciences, Yokohama National University,

Yokohama, Japan 3 NTT DoCoMo, Inc., Yokosuka, Japan 4 Institute of Industrial Science, The University of Tokyo, Tokyo, Japan ∗ Corresponding author: [email protected]

Anonymous channels or similar techniques that achieve sender’s anonymity play important roles in many applications, e.g. electronic voting. However, they will be meaningless if cryptographic primitives containing sender’s identity are carelessly used during the transmission. In computationally secure settings, this problem may be easily overcome by using public key encryption and group signatures. However, in an unconditionally secure setting, in which no computational difficulty is assumed, this is not an easy case as such. As the increasing computational power approaches the point where security policy can no longer assume the difficulty of solving factoring or discrete logarithm problems, it must shift its focus to assuring the solvency of unconditionally secure schemes that provide long-term security. The main contribution of this paper is to study the security primitives for the above problem. In this paper, we first define the unconditionally secure asymmetric encryption scheme, which is an encryption scheme with unconditional security and where it is impossible for a receiver to deduce the identity of a sender from the encrypted message. We also investigate tight lower bounds on required memory sizes from an information theoretic viewpoint and show an optimal construction based on polynomials. It is remarkable to see that these bounds are considerably different from those in Shannon’s model of the conventional unconditionally secure symmetric encryption. Other than the polynomial-based scheme, we also show a construction based on combinatorial theory, a non-malleable scheme and a multi-receiver scheme. Then, we define and formalize the group authentication code (GA-code), which is an unconditionally secure authentication code with anonymity like group signatures. In this scheme, any authenticated user will be able to generate and send an authenticated message while the receiver can verify the legitimacy of the message—that it has been sent from a legitimate user but at the same time retains his anonymity. However, by cooperating with the group authority, such as in the case of disputes, the receiver is able to obtain information of the user’s identity. For GA-code, we show two concrete constructions. Received 28 July 2005; revised 30 September 2005

1.

INTRODUCTION

In many applications, there is a need to allow user or the author of the message to be able to transmit messages without revealing his/her identity, e.g. electronic voting. A most commonly used cryptographic technique that is used to build an actual implementation of these characters, is called anonymous channels [1, 2, 3]. However, if not 1 A preliminary version of this paper was presented at Asiacrypt’02 [Hanaoka, G., Shikata, J., Hanaoka, Y. and Imai, H. (2002) Unconditionally secure anonymous encryption and group authentication. In Proc. ASIACRYPT’02, Queenstown, December 1–5, pp. 81–99. Springer-Verlag, Berlin.].

carefully designed, i.e. when a sender uses encryption and authentication methods requiring the sender’s identity for decryption or message verification, these systems can be easily compromised, thus corrupting results or violating senders’ privacy. For example, if Diffie–Hellman key exchange (with certificates) [4] or (conventional) digital signatures are used, the receiver will be able to easily obtain information regarding the sender’s identity, and also may leave the message contents along with the identity of the sender open to perusal. In a computationally secure setting, this problem can be solved straightforwardly by using (conventional) public-key encryption e.g. [5, 6] and group signatures [7, 8] shielding the sender’s identity. These

The Computer Journal, 2005

2 of 12

G. Hanaoka et al.

schemes and the infrastructure within which they operate are restricted in scope in that they rely for their security on the assumed computational difficulty of computing certain number-theoretic problems, such as factoring large composites or solving discrete logarithms in large finite fields. However, this presumption no longer assures the security of computationally secure schemes as the progress in computers as well as further refinement of various algorithms in near future make it computationally able to solve the larger size number-theoretic problems. Unfortunately, in unconditionally secure environments, where no computational difficulty is assumed, there is yet no straightforward answer to this; all of the current existing schemes use mutual information between sender and receiver, and this mutual information is utilized as a shared communication key between them. This implies that the receiver has to know certain information regarding the sender prior to selecting a shared secret, and this means loss of anonymity. (This also implies that an unconditionally secure public-key encryption scheme is essentially non-existent, since in the model of public-key cryptosystems, a sender and a receiver do not share mutual information between them.) As the increasing computational power approaches the point where security policy can no longer assume on the difficulty of computationally hard problems, it must shift its focus to assuring the solvency of unconditionally secure schemes that provides long-term security. A similar problem arises in authentication as well. In conventional authentication schemes, the identity of the sender is required for verifying integrity of a transmitted message. In order to protect the sender’s privacy in a computationally secure setting, group signatures [7, 8] were proposed and since then, group signature schemes have been greatly studied in the literature. However, in an unconditional setting, there has never existed an authentication scheme that assures anonymity of the sender like that seen in the group signature schemes. For the importance of preparing for the eventual need of long-term security, an unconditionally secure setting must be considered a sine qua non for a security policy. The main contribution of this paper is to study models, bounds and constructions of novel security primitives on the above problem with no computational assumption. In this paper, we first define the unconditionally secure asymmetric encryption (USAE) scheme, which is an encryption scheme with unconditional security in which a receiver cannot obtain any information of the identity of a sender from the encrypted message. We also investigate tight lower bounds on required memory sizes from information theory and also show concrete constructions of USAE schemes based on polynomials and cover free family (CFF) [9]. A USAE based on polynomials is optimal because it matches the lower bounds. We further show another construction from combinatorial theory, a non-malleable scheme and a multireceiver scheme. We then define and formalize the group authentication code (GA-code), which is an unconditionally secure authentication code (A-code) with anonymity like group signatures. In this proposed scheme, any authenticated user will be able to generate an authenticated message and

send it to the receiver. The receiver is then able to verify the authenticity of the received message while maintaining the privacy of the user. Moreover, neither a recipient nor a group authority can obtain any meaningful information of the user who had generated the authenticated message, i.e. no one can link any message to the author who sent it. However, by cooperating with group authority, such as in the case of disputes, the receiver is able to obtain the sender’s identity. 1.1.

Related works

Unconditionally secure key distribution schemes. For confidentiality without computational assumptions, unconditionally secure key distribution schemes are often utilized as suitable security primitives. Blom [10] made the first attempt to construct an unconditionally secure key distribution scheme using MDS linear codes. His idea was later generalized by Matsumoto and Imai [11], viz. key predistribution schemes (KPS); they also proposed a simpler version of KPS, the linear scheme. Blundo et al. [12] proposed a concrete construction of KPS for conference key distribution and investigated lower bounds on required memory size for users and showed that their scheme, as well as Blom’s original scheme and Matsumoto–Imai’s scheme, all matched the lower bounds. Blundo et al. [13], as well as Kurosawa et al. [14] showed other interesting bounds on required memory sizes. In [15], an in-depth survey of various constructions of KPS has been carried out and corresponding properties have been investigated. KPS may seem to be the best building blocks for unconditionally secure communication systems; however, they are not suitable for certain applications e.g. electronic voting systems, which must ensure user’s anonymity; the identity of a sender is required for a recipient to generate the communication key. In all of the existing KPS hitherto, a sender and a receiver’s secret information must be used to generate the communication key, and therefore, all of the currently existing schemes do not meet the security requirements for a system with anonymity. As far as we know, there has never existed an unconditionally secure key distribution scheme without a requirement of sender’s identity. Unconditionally secure authentication schemes and group signatures. For a secure authentication without computational assumptions, unconditionally secure A-codes [16, 17] may be considered which have been intensively studied in the literature. An overall structure of A-codes is as follows. In the first stage of A-codes, a trusted authority generates secret information for each of sender and receiver. Then, the sender generates an authenticated message using his given secret information and transmits it to the receiver. Finally, the receiver verifies the validity of the authenticated message with his secret information. Here, no adversary succeeds in impersonation or substitution attack even if the adversary has unlimited computational power. There have also been many attempts to modify A-codes with the aim of enhancing the codes with desirable properties other than anonymity, such as asymmetricity [18] and multireceiver-authenticity [19].

The Computer Journal, 2005

Unconditionally Secure Anonymous Encryption and Group Authentication However, in none of these attempted modifications, receivers were able to identify the sender of the message. Thus, there were no existing A-codes and their variants that were applicable concerning the protection of the sender’s identity, i.e. no anonymity. Though there are some unconditionally secure digital signature schemes [20, 21, 22] that do exist, these schemes yet too, do not provide anonymity. However, in computationally secure settings, anonymity can be achieved by using group signatures [7, 8]. For a group signature, a user is able to prove that he is a legitimate user of the group by using the secret information given to him by a group authority; in the case of a dispute, the group authority can identify the user from a published signature signed by the user. Group signature is therefore a suitable authenticating scheme that can be used especially in cases where the privacy of the user has to be maintained. However, all the existing group signature schemes are based on computational assumptions and will be broken if certain computationally hard problems, e.g. discrete logarithm or factoring, are solved. 1.2.

Our results

We start this paper by defining USAE with formal definitions. USAE is an encryption scheme with unconditional security in which a receiver cannot gain any information of a particular user from an encrypted message. We investigate from information theory, the lower bounds for the required memory sizes of a ciphertext, a sender and a receiver’s secrets. Further, we propose concrete constructions of USAE based on polynomials and also constructions based on CFFs. Polynomial-based construction is optimal because it matches the lower bounds which in turn implies that the lower bounds are all tight. One important fact that bears mention: it is quite remarkable to see that these bounds that we have shown are significantly different from those shown in Shannon’s model of conventional unconditionally secure symmetric encryption. For example, in our model, required memory sizes for ciphertext, encryption key and decryption key are at least log2 |M| + log2 |S| bits, log2 |M| + log2 |S| bits and (k + 1) log2 |M| bits respectively, where M is the message space, S is the set of all senders and k is the maximum number of dishonest senders. Comparisons between polynomialbased and CFF-based schemes are also made. In addition, we study an extension of USAE, that with non-malleability. More precisely, a formal definition of non-malleability, a concrete non-malleable scheme and a security proof are investigated. Furthermore, another extension of USAE, for multiple-receiver setting, is shown. We continue by defining the GA-code with formal definitions. GA-code is an unconditionally secure A-code with anonymity like group signatures. In GA-codes, any user in a group can generate an authenticated message and verify it as long as it has been sent from a legitimate user in a group. Moreover, a receiver is not able to obtain any meaningful information of a particular user who had generated the authenticated message. However, in the case of disputes, a receiver is able to obtain the sender’s identity by cooperating with a group authority. It is important to note here that the group authority or the receiver by itself

3 of 12

will be insufficient to obtain any information regarding the user i.e. they must cooperate with each other. We then show two concrete constructions of GA-code with formal security proofs. One construction is based on polynomials and the other on CFFs and A-codes. Organization of this paper is as follows: in Section 2, we study the model, bounds and constructions for USAE. Polynomial-based USAE construction is optimal because it matches the lower bounds. This in turn implies that the lower bounds are all tight. We also show other efficient and secure implementations of USAE. In Section 3, we show model and concrete construction for GA-code with formal security proof. 2.

UNCONDITIONALLY SECURE ASYMMETRIC ENCRYPTION

In this section, model, security definition, lower bounds and concrete constructions of USAE are shown. One of our constructions is optimal in terms of required memory sizes for a ciphertext, an encryption key and a decryption key. It should be noted that the definition that we use for ‘asymmetric encryption’ in this paper is not equivalent to the meaning of ‘public-key encryption’ in a general sense. Here, in USAE, ‘asymmetric’ is used as a pair of encryption and decryption keys that are asymmetric, and where an encryption key is not public. 2.1.

Model

Since no computational difficulty is assumed in USAE, it is impossible for a sender to secretly transmit a message using only the public information. This means that in order to construct a USAE, a different assumption (rather than computational assumptions) will be required, e.g. existence of a noisy channel, that of a quantum channel, bounds of memory or threshold of the number of malicious users. For simplicity, we introduce the trusted initializer model (R. Rivest, unpublished data) in which we assume a trusted initializer who honestly distributes each user’s secret in the initial phase and deletes his memory after the distribution of the secrets. We should note that the trusted initializer can be removed by using multi-party computation [23] if the number of malicious users is less than a third of the total number of users and there exists a private channel between each pair of users. In the model of USAE, there are n + 2 participants, a set of n senders {S1 , . . . , Sn }, a receiver R and a trusted initializer TI. TI generates encryption keys e1 , . . . , en for S1 , . . . , Sn respectively, and a decryption key d for R. After distributing these keys, TI deletes his memory. In order to send a plaintext m to R with confidentiality, s ∈ {S1 , . . . , Sn } encrypts m by using ei and transmits a ciphertext c to R. R decrypts c by using d and recovers m. 2.2.

Definition

Here, we formally define the security of USAE. It should be noted that, in addition to confidentiality, anonymity of a sender is also required for USAE. Let S, Ei (i = 1, . . . , n), D, M and C denote the random variables induced by s, ei (i = 1, . . . , n), d, m and c

The Computer Journal, 2005

G. Hanaoka et al.

4 of 12

respectively. For a random variable X , H (X ) denotes the entropy of X . For X , let X := {x| Pr(X = x) > 0}. |X| denotes the cardinality of X. We assume that at most k (0 ≤ k ≤ n − 1) authorized senders are malicious. Then, the security of USAE is formally defined as follows: Definition 1. We say that (E1 , . . . , En , D, M, C) is a (k, n)-one-time USAE if (i) R can correctly decrypt m from c, that is, H (M|C, D) = 0. (ii) Any set of k malicious senders has no information on m from c. Namely, for any set of k malicious senders {Si1 , . . . , Sik } ⊂ {S1 , . . . , Sn } such that s ∈ / {Si1 , . . . , Sik }, H (M|C, Ei1 , . . . , Eik ) = H (M). (iii) R obtains no information on the identity of s from c; viz. H (S|C) = H (S). (iv) Additionally, we assume that a ciphertext c is uniquely determined from a plaintext m and an encryption key ei , i.e. H (C|M, Ei ) = 0 for any i. 2.3.

=−

× log2 Pr(C = c|S = Si ) n  



Theorem 1. In a (k, n)-one-time USAE, H (C) H (M) + H (S).



Proof. Let Ci (1 ≤ i ≤ n) be sets of all possible ciphertexts generated by ei (1 ≤ i ≤ n) respectively. First, we show Ci ∩ Cj = φ (i  = j ) for all i, j (1 ≤ i ≤ n, 1 ≤ j ≤ n). Suppose that ci ∈ Ci , cj ∈ Cj , ci = cj and that mi , mj ∈ M are plaintexts of ci and cj respectively. Here, it should be noted that the receiver R can utilize only ci (= cj ) and d, and that R has no information on which of ei and ej was used to generate the ciphertext. This is because of what was stated in the third condition of Definition 1. Also, due to the first condition of Definition 1, we have mi = mj . This implies that Sj can recover mi from ci when Sj can generate cj such that cj = ci . However, due to the second condition of Definition 1, Sj cannot decrypt a ciphertext that he cannot generate. This is a contradiction. Therefore, Ci ∩ Cj = φ (i  = j ) for all i, j (1 ≤ i ≤ n, 1 ≤ j ≤ n). Then, we have  H (C) = − Pr(C = c) log2 Pr(C = c) =

i=1

=

n  i=1

−



× log2 Pr(S = Si ).

−



(1)

From the first and the fourth conditions of Definition 1, a mapping σi : Ci → M, such that for any c ∈ Ci , σi (c) ∈ M is the corresponding plaintext of c, is bijective, for any i (1 ≤ i ≤ n). Therefore, Equation (1) becomes H (C) = −

n 

Pr(S = Si )



Pr(M = σ (ci )|S = Si )

ci ∈Ci

i=1

× log2 Pr(M = σ (ci )|S = Si ) −

n 

Pr(S = Si ) log2 Pr(S = Si )





× =−

c∈Ci n 

Pr(C = c|S = Si ) Pr(S = Si )



Pr(M = m|S = Si )

m∈M

i=1

× log2 Pr(M = m|S = Si ) −

n 

Pr(S = Si ) log2 Pr(S = Si )

i=1

×



Pr(C = c|S = Si )

c∈Ci

=− −



Pr(M = m) log2 Pr(M = m)

m∈M n 

Pr(S = Si ) log2 Pr(S = Si )

i=1

≥ H (M) + H (S), which proves the theorem.   Theorem 1 implies that the required memory size for a ciphertext is always larger than that for a plaintext by at least H (S) bits. Next is a lemma that shows the relationship between the required memory size for an encryption key ei and for a ciphertext c in USAE. Lemma 2.1. In a (k, n)-one-time USAE, H (Ei ) ≥ H (C), for any i. Proof. From the second condition of Definition 1, we have

Pr(C = c) log2 Pr(C = c)

H (M|C) = H (M).

c∈Ci



Pr(S = Si ) Pr(C = c|S = Si )

i=1 c∈Ci

i=1

In this subsection, lower bounds on required memory sizes for a ciphertext, an encryption key and a decryption key in USAE are shown. These bounds are all tight since we also show a construction which matches them (see Section 2.4, for details). We begin by showing a lower bound on the required memory size for a ciphertext.

c∈C 

Pr(S = Si ) Pr(C = c|S = Si )

i=1 c∈Ci

Lower bounds

n 

n  

(2)

And, it is obvious that

Pr(S = Si ) Pr(C = c|S = Si )

c∈Ci



× log2 (Pr(S = Si ) Pr(C = c|S = Si ))

H (C) = H (C|M, Ei ) + H (M) − H (M|C) + H (Ei |M) − H (Ei |M, C).

The Computer Journal, 2005

(3)

Unconditionally Secure Anonymous Encryption and Group Authentication Then, from the fourth condition of Definition 1, Equations (2) and (3), we have

Therefore, from Equations (5) and (6), H (D) = H (D|Ei0 , Ei1 , . . . , Eik , Ci0 , Ci1 , . . . , Cik ) + H (D) − H (D|Ci0 , Ci1 , . . . , Cik ) + H (Ei0 , Ei1 , . . . , Eik |Ci0 , Ci1 , . . . , Cik ) − H (Ei0 , Ei1 , . . . , Eik |Ci0 , Ci1 , . . . , Cik , D)

H (C) = H (Ei |M) − H (Ei |M, C) ≤ H (Ei |M) − H (Ei |M, C) + H (Ei |M, C) + H (Ei ) − H (Ei |M)

≥ H (Ei0 , Ei1 , . . . , Eik |Ci0 , Ci1 , . . . , Cik ) ≥ (k + 1)H (M),

= H (Ei ), which proves the theorem.   Lemma 2.1 implies that the memory size requirement for an encryption key in USAE is equal to or greater than that for a ciphertext. This is also closely related to the famous Shannon’s result [24]. That is, in unconditionally secure symmetric encryption, it is a well-known fact that the required memory size for an encryption key is equal to or greater than that for a plaintext, assuming that a ciphertext is uniquely determined from a plaintext and an encryption key. Now, a lower bound on the required memory size for an encryption key is shown. Theorem 2. In a (k, n)-one-time USAE, H (Ei ) H (M) + H (S), for any i.



Proof. From Lemma 2.1 and Theorem 1, we have H (Ei ) ≥ H (M) + H (S) for any i.   Theorem 2 implies that the required memory size for an encryption key is always larger than that for a plaintext by at least H (S) bits. Finally, we show a lower bound on the required memory size for a decryption key. Theorem 3. In a (k, n)-one-time USAE, H (D) ≥ (k + 1) H (M) if the equality in Lemma 2.1 is satisfied for any i. Proof. Let Ci (1 ≤ i ≤ n) be the set of all possible ciphertexts generated by ei (1 ≤ i ≤ n) respectively, and Ci (1 ≤ i ≤ n) be random variables in Ci (1 ≤ i ≤ n). We note that Pr(Ci = c) = Pr(S = Si ) Pr(C = c|ei ). For any set of k + 1 encryption keys ei0 , . . . , eik , we have H (Ei0 |Ei1 , . . . , Eik , Ci0 , Ci1 , . . . , Cik ) ≥ H (M).

(4)

This is due to the second condition of Definition 1 and Lemma 2.2. Then, from Equations (4),

5 of 12

which proves the theorem.

 

Lemma 2.2. Let Ci (1 ≤ i ≤ n) be the set of all possible ciphertexts generated by ei (1 ≤ i ≤ n) respectively, and Ci (1 ≤ i ≤ n) be random variables in Ci . Then, H (Ei |Ci ) ≥ H (M) for any i. Proof. In general, we have H (Ei |Ci ) = H (Ei |Ci , M) + H (M|Ci ) − H (M|Ei , Ci ). (7) From the first and second conditions of Definition 1, H (M|Ci ) = H (M) and H (M|Ei , Ci ) = 0. Therefore, Equation (7) becomes H (Ei |Ci ) ≥ H (M).   Theorem 3 implies that the required memory size for a decryption key is (k +1) times larger than that for a plaintext. 2.4.

Constructions

Now, we show two concrete constructions of USAE. One of the constructions is based on polynomials over finite fields, and the other one on CFF [9]. The polynomial-based construction is optimal in terms of required memory sizes for a ciphertext, an encryption key and a decryption key. For the CFF construction, security parameters can be flexibly determined. In this subsection, we assume that the distribution of the sender is uniform, that is, Pr(S = Si ) = 1/n for any i (1 ≤ i ≤ n). 2.4.1. Optimal construction from polynomial Here, we show an optimal (k, n)-one-time USAE which meets all our bounds. This means that the lower bounds in the previous subsection are all tight. Definition 2. A (k, n)-one-time USAE is optimal if one has equalities in Theorems 1, 2 and 3.

H (Ei0 , Ei1 , . . . , Eik |Ci0 , Ci1 , . . . , Cik ) = H (Ei0 |Ci0 , Ci1 , . . . , Cik )

Optimal (k, n)-one-time USAE based on polynomials

+ H (Ei1 |Ei0 , Ci0 , Ci1 , . . . , Cik ) + H (Ei2 |Ei0 , Ei1 Ci0 , Ci1 , . . . , Cik ) + ··· + H (Eik |Ei0 , Ei1 , . . . , Eik−1 , Ci0 , Ci1 , . . . , Cik ) ≥ (k + 1)H (M).

(5)

Since H (Ei |Ci , M) = 0 for any i if H (Ei ) = H (Ci ), we have H (Ei0 , Ei1 , . . . , Eik |Ci0 , Ci1 , . . . , Cik , D) = 0.

(6)

(i) Setting up. Let |M| = q, where q is a prime power and q ≥ n. TI chooses a uniformly random k i polynomial f (x) = i=0 ai x over GF (q). TI also chooses distinct numbers bi (1 ≤ i ≤ n) from a set B ⊆ GF (q) uniformly at random, where |B| = n. B may be public to all players. Next, TI gives f (x) to R as his decryption key, and also gives {b1 , f (b1 )}, {b2 , f (b2 )}, . . . , {bn , f (bn )} to S1 , S2 , . . . , Sn as encryption keys respectively. TI deletes his memory after distributing the keys.

The Computer Journal, 2005

6 of 12

G. Hanaoka et al.

(ii) Encryption. Sender Si encrypts m by c = {bi , c }, where c := f (bi ) + m. (iii) Decryption. Receiver R decrypts c by f (x) as follows: m = c − f (x)|x=bi .

(iii) Decryption. Receiver R generates  Fri from L and ri . Then, R computes m as m = c − "∈Fr ".

Theorem 4. The above scheme is an optimal (k, n)-onetime USAE.

Proof. It is obvious that the above scheme satisfies all conditions in Definition 1.   The required memory sizes for the above construction are formally addressed as follows:

Proof. In the above scheme, H (C) = H (M) + log2 n, H (Ei ) = H (M) + log2 n (1 ≤ i ≤ n) and H (D) = (k + 1)H (M). It is clear that the above scheme satisfies the first condition of Definition 1. Suppose that colluders Si1 , . . . , Sik , such that Si  ∈ {Si1 , . . . , Sik }, can obtain certain information on m from c. This implies that the colluders have certain information on f (bi ). However, this is impossible because deg f (x) = k and the colluders know only the k points of f (x). Hence, the above scheme satisfies the second condition of Definition 1. Finally, since, for a ciphertext c = {b, c } such that b ∈ B and c = f (b) + m, any of S1 , . . . , Sn can be a possible sender of the ciphertext from R’s point of view, and therefore, R can determine who the sender of the ciphertext is with probability at most 1/n. Hence, the above scheme satisfies the third condition of Definition 1 as well.   2.4.2. Construction from CFF Here, we show a construction of USAE based on CFF [9] which allows a more flexible parameter setting than the polynomial-based one, viz. in CFF-based construction, it is possible to choose parameters n and |M| with |M| < n, while, in polynomial-based construction, these two parameters must always be determined to be |M| ≥ n. Definition 3. Let L := {"1 , "2 , . . . , "t } and F = {F1 , . . . , Fn } be a family of subsets of L. We call (L, F ) an (n, t, k) CFF if F0  ⊂ F1 ∪. . .∪Fk for all F0 , F1 , . . . , Fk ∈ F , where Fi  = Fj if i  = j . A trivial CFF is the family consisting of single-element subsets, in which case n = t. It should also be noted that there exist non-trivial constructions of CFF with n > t. Construction of CFFs is intensively studied in various areas of mathematics such as finite geometry, design theory and probability theory. Concrete methods for generating CFFs are given in [25]. (k, n)-one-time USAE based on (n, t, k)-CFF (i) Setting up. TI first generates an (n, t, k)-CFF such that each of "i (1 ≤ i ≤ t) is an element of GF (q), where M = GF (q). TI also chooses distinct numbers ri (1 ≤ i ≤ n) from {1, 2, . . . , n} uniformly at random. An algorithm that generates Fi (1 ≤ i ≤ n) from i and L may be public to all players. Next, TI gives L to R as his decryption key. TI also gives {ri , "(i) } (1 ≤ i ≤ n) to Si (1 ≤ i ≤ n) respectively, as encryption keys, where "(i) := "∈Fri ". After distributing the keys, TI deletes his memory. (ii) Encryption. Sender Si encrypts m by c = {ri , c }, where c = m + "(i) .

i

Theorem 5. The above scheme is a (k, n)-one-time USAE.

Theorem 6. The required memory sizes in the above construction are given as follows: H (C) = log2 nq, H (Ei ) = log2 nq for any i (1 ≤ i ≤ n), H (D) = t log2 q. It should be noted that the CFF-based construction matches the lower bounds on the required memory sizes for a ciphertext and an encryption key.

2.5.

Comparison

In this subsection, comparison between polynomial- and CFF-based constructions is explored. Given the above fact, our polynomial construction is optimal in terms of required memory sizes. Therefore, the polynomial-based construction is theoretically superior to the CFF-based construction storage-wise. However, polynomial-based constructions can only be implemented when |M| ≥ n although, in most practical situations, this restriction may be ignored. On the other hand, for the CFF-based construction, it allows even for |M| < n when there exists an appropriate CFF. We now show an example of system parameter settings in the case where this restriction applies. For the following situation, the CFF-based construction will be more suitable than the polynomial-based construction in terms of required memory sizes. Example. Assume that the message space is {yes, no} and we need a (127, 128)-one-time USAE. For the polynomial-based construction, a finite field GF (q) with q ≥ 128 is required. Consequently, the size of a ciphertext will be at least 14 bits. A receiver and a sender must then store at least 896 bits and 14 bits, respectively. For the CFF-based construction, (128, 128, 127)-CFF (trivial CFF) over GF (2), the size of a ciphertext will be 8 bits at the least, and a receiver and a sender store at least 128 bits and 8 bits respectively. For the described situation, we can see a significant advantage of the CFF-based construction over the polynomial-based construction. In summary, different constructions are advantageous for different perspectives, so, one construction may do better than another under certain circumstances. However, the polynomial-based construction is generally most suitable for typical security parameter settings in USAE. However, for the case when |M| < n, the CFF-based construction is better. Memory size requirements can be reduced further for the above example if we utilize non-trivial CFF instead. However, in a non-trivial CFF, the number of malicious

The Computer Journal, 2005

Unconditionally Secure Anonymous Encryption and Group Authentication senders cannot be set to a considerably larger number than the total number of the senders. This fact is due to the following proposition: Proposition 1 ([25]). In a non-trivial (n, t, k)-CFF with n > t, [k(k − 1)]/2 ≤ n. 2.6.

Non-malleable scheme

7 of 12

Proof. Similar to the proof of Theorem 4, it can be proved that the above scheme is a (k, n)-one-time USAE. Now, we show that the above scheme satisfies the equality of Equation (8). It is obvious that ˆ H (M|C, M)   =−

ˆ = m|M Pr(M = m) Pr(M ˆ = m)

m∈M m∈M−{m} ˆ

In this subsection, we consider non-malleability [26] of the proposed USAE. Frankly, non-malleability means an adversary’s inability i.e. given a challenge ciphertext c, to generate a different ciphertext cˆ such that the plaintexts m, m ˆ underlying these two ciphertexts are meaningfully related. For computational encryption schemes, formal definitions of non-malleability are given in [27, 28]. Here, we give a definition of non-malleability for USAE. Definition 4. Let c( ˆ = c) be another ciphertext which could have been generated by s instead of c in USAE, and ˆ denote m( ˆ = m) be a plaintext underlying c. ˆ Let Cˆ and M random variables induced by cˆ and m ˆ respectively. A USAE is perfectly non-malleable if the following equation holds: ˆ ˆ M, Ei , . . . , Eik ) = H (M|C, ˆ H (M|C, C, M), 1 for any set of k malicious senders {Si1 , . . . , Sik } {S1 , . . . , Sn } such that s ∈ / {Si1 , . . . , Sik }.

(8) ⊂

The above definition is reasonable since Equation (8) implies that even if an adversary knows a pair of {c, m}, there is no other ciphertext which can give further information except the information that its underlying plaintext is not identical to m. In other words, no adversary can generate a ciphertext whose plaintext is meaningfully related to m when Equation (8) holds. A USAE which satisfies perfect non-malleability is constructed as follows: Non-malleable (k, n)-one-time USAE based on polynomials (i) Setting up. Let |M| = q, where q is a prime power and q ≥ n. TI chooses a uniformly random k j polynomial fi (x) = j =0 aij x (i = 1, 2) over GF (q). TI also chooses distinct numbers bi (1 ≤ i ≤ n) from a set B ⊆ GF (q) uniformly at random, where |B| = n, such that f2 (bi )  = 0 for any i (1 ≤ i ≤ n). B may be public to all players. Next, TI gives f1 (x) and f2 (x) to R as his decryption key, and also gives {b1 , f1 (b1 ), f2 (b1 )}, {b2 ,f1 (b2 ), f2 (b2 )}, . . . , {bn , f1 (bn ), f2 (bn )} to S1 , S2 , . . . , Sn as encryption keys respectively. TI deletes his memory after distributing the keys. (ii) Encryption. Sender Si encrypts m by c = {bi , c }, where c := f1 (bi ) + mf2 (bi ). (iii) Decryption. Receiver R decrypts c by f1 (x) and f2 (x) as follows: m = (c − f1 (x)|x=bi )/f2 (x)|x=bi . Theorem 7. The above scheme is a perfectly nonmalleable (k, n)-one-time USAE.

ˆ = m|M ˆ = m) × log2 Pr(M = m) Pr(M

(9)

ˆ ˆ M, Ei , . . . , Eik ) is equivNext, we show that H (M|C, C, 1 alent to that in Equation (9). Since both deg f1 (x) and deg f2 (x) are k, information on f1 (x) and f2 (x) cannot be obtained even if e1 , . . . , ek are used. Then, a set of all possible values for (f1 (x), f2 (x)) becomes ' := {(γ1 , γ2 )|c = γ1 + mγ2 , γ2  = 0}. Consequently, for given c(= ˆ {bi , cˆ }),  a set of all possible plaintext m ˆ underlying cˆ is M := {m |   m = (cˆ − γ1 )/γ2 , ∀(γ1 , γ2 ) ∈ '}. From Lemmas 2.3 and 2.4, we have M  = M − {m} and a mapping τ : ' → M  , such that τ (γ1 , γ 2) = (cˆ − γ1 )/γ2 , is bijective. Hence, we have ˆ ˆ M, Ei , . . . , Eik ) H (M|C, C, 1   ˆ = τ (γ1 , γ2 )|M = m) =− Pr(M = m) Pr(M m∈M (γ1 ,γ2 )∈'

ˆ = τ (γ1 , γ2 )|M = m) × log2 Pr(M = m) Pr(M   ˆ = m|M =− Pr(M = m) Pr(M ˆ = m) m∈M m∈M−{m} ˆ

ˆ = m|M ˆ = m). × log2 Pr(M = m) Pr(M

(10)  

From Equations (9) and (10), Equation (8) holds. , c })

∈ C and Lemma 2.3. For a given ciphertext c(= {bi its corresponding plaintext m ∈ M, let ' := {(γ1 , γ2 )|c = γ1 + mγ2 , γ2  = 0}. Then, for any c(= ˆ {bi , cˆ }) ∈ C, such    that cˆ  = c , (cˆ − γ1 )/γ2  = m if (γ1 , γ2 ) ∈ '. Proof. Suppose that there exist (γ1 , γ2 ) ∈ ', such that (cˆ − γ1 )/γ2 = m. Then, cˆ = γ1 + mγ2 = c . Since cˆ = c , this is a contradiction.   Lemma 2.4. For a given ciphertext c(= {bi , c }) ∈ C and its corresponding plaintext m ∈ M, let ' := {(γ1 , γ2 )|c = γ1 + mγ2 , γ2  = 0}. Then, for any c(= ˆ {bi , cˆ }) ∈ C,     such that cˆ  = c , (cˆ − γ11 )/γ12  = (cˆ − γ21 )/γ22 if (γ11 , γ12 )  = (γ21 , γ22 ) and (γ11 , γ12 ), (γ21 , γ22 ) ∈ '. Proof. Suppose that there exist (γ11 , γ12 ), (γ21 , γ22 ) ∈ ', such that (cˆ − γ11 )/γ12 = (cˆ − γ21 )/γ22 . Letting m ˆ := (cˆ −γ11 )/γ12 (= (cˆ −γ21 )/γ22 ), we have cˆ = γ11 + mγ ˆ 12 = ˆ 22 . Hence, γ21 + mγ ˆ 12 − γ22 ). (γ11 − γ21 ) = −m(γ Also, since

c

(11)

= γ11 + mγ12 = γ21 + mγ22 , it is clear that (γ11 − γ21 ) = −m(γ12 − γ22 ).

(12)

From Equations (11) and (12), it is obvious that (γ11 −γ21 ) = (γ12 − γ22 ) = 0 or m = m. When (γ11 − γ21 ) =

The Computer Journal, 2005

8 of 12

G. Hanaoka et al.

(γ12 − γ22 ) = 0, we get (γ11 , γ12 ) = (γ21 , γ22 ). This is a contradiction. On the other hand, when m = m, this is also a contradition due to Lemma 2.3.   Similar to the above scheme, a non-malleable (k, n)-onetime USAE based on CFF can be constructed and the CFFbased scheme will again be more efficient for |M| < n in terms of required memory size as in the discussion in Section 2.5.

2.7.

Multiple-receiver scheme

The model of USAE described in Section 2.1 is built for a single receiver. That is, there exists only one receiver for the entire model. From this, we can extend the model to be a multiple receiver model, which is called USAE with multiple receivers (MUSAE), and we show a concrete construction of MUSAE. Model. In the model of extended MUSAE, there are n1 + n2 + 1 participants, a set of n1 senders {S1 , . . . , Sn1 }, a set of receivers {R1 , . . . , Rn2 } and a trusted initializer, TI. TI generates encryption keys e1 , . . . , en1 respectively for each S1 , . . . , Sn1 , and similarly, the decryption keys d1 , . . . , dn2 are generated respectively for each R1 , . . . , Rn2 . To send a plaintext m to Ri (1 ≤ i ≤ n2 ) with confidentiality, Sj (1 ≤ j ≤ n1 ) encrypts m by using ej and transmits the ciphertext c to Ri . Ri decrypts c by using di which will recover m. In the multiple-receiver model, a sender may also be a receiver, concurrently. Construction. (k1 , k2 , n1 , n2 )-one-time MUSAE can be defined in like manner to (k, n)-one-time USAE: let k1 , k2 , n1 and n2 be the number of malicious senders, malicious receivers, total number of senders, total number of receivers respectively. A trivial construction of (k1 , k2 , n1 , n2 )-onetime MUSAE uses n2 different (k1 , n1 )-one-time USAEs simultaneously. In a MUSAE construction, an encryption key size of a sender becomes approximately n2 times larger than that of the encryption key size of a sender in a (k1 , n1 )one-time USAE. A more efficient construction based on polynomials when the encryption key size is significantly reduced to the trivial construction will be discussed next. Let |M| = q, where q is a prime and q ≥ max (n1 , n2 ). TI chooses a uniformly random bivariate k1 k2 i j polynomial f (x, y) = i=0 j =0 aij x y over GF (q). TI also chooses distinct numbers bi (1 ≤ i ≤ n1 ) from a set B ⊆ GF (q) uniformly at random, where |B| = n. B may be public to all players. Next, TI gives f (x, R1 ), . . . , f (x, Rn2 ) to R1 , . . . , Rn2 respectively, as decryption keys, assuming that each receiver’s identity can be expressed by an element in GF (q). TI also gives {b1 , f (b1 , y)}, {b2 , f (b2 , y)}, . . . , {bn1 , f (bn1 , y)} to S1 , S2 , . . . , Sn1 respectively, as encryption keys. TI deletes his memory after distributing all the keys. When Si wants to transmit message m to Rj , Si encrypts m by {bi , f (bi , y)} as follows: c = {bi , c }, where c := f (bi , Rj ) + m. R recovers m by m = c − f (x, Rj )|x=bi .

In the above construction, a sender must store at least (k2 + 1) log2 q + log2 n1 bits while in the trivial construction, (n2 + 1) log2 q + log2 n1 bits at least, are needed to be stored. Hence, we can say that the reduction made in the required memory size for an encryption key is considerable. 3.

GROUP AUTHENTICATION CODE

In this section, we show a model, security definition and a concrete construction of GA-code, which is an unconditionally secure A-code code with anonymity like group signatures. With the combination of USAE and GA-code, a secure communication system, which assures confidentiality, authenticity, and user’s anonymity can be constructed without any computational assumptions. 3.1.

Model

Similar to what we saw in the model of USAE, we introduce the trusted initializer model for the GA-code as well. In the GA-code model, there are n+3 participants: a set of n senders {S1 , . . . , Sn }, a receiver R, a group authority G and a trusted initializer, TI. TI generates secret information u1 , . . . , un for S1 , . . . , Sn respectively, and secret information v for R. TI also generates secret information w for G. After distributing these keys, TI deletes his memory. In order to send a plaintext m to R with authenticity, s ∈ {S1 , . . . , Sn } generates an authenticated message α from m by using ui and transmits α to R. R verifies the validity of α by using m and v. In a situation where R wants to reveal the identity of the sender, R can obtain it by cooperating with G only if G approves R’s request. 3.2.

Definition

Here, we formally define the security of the GA-code. In GA-code, a sender is able to prove that he is a legitimate member of a group, {S1 , . . . , Sn }. In addition, by cooperating with G, R can obtain the identity of the sender fairly simply. However, each of R and G alone, cannot reveal the sender’s identity. An adversary can perform impersonation or substitution by constructing a fraudulent code-word. The attack is considered successful if the receiver accepts the code-word. In impersonation, an adversary is assumed to not have seen any prior communication, while in substitution, the adversary have seen at least one transmitted code-word. Both impersonation and substitution can be performed by either senders or outsiders, where none of TI, G, R, S1 , . . . , Sn is included in the collusion of the outsiders. Also, senders’ attack is considered to be successful if a fraudulent codeword is accepted by the receiver and no fraudulent message is traced back by the receiver and a group authority to the malicious sender who wrote the message. Outsiders’ attack is considered successful if the receiver accepts the fraudulent code-word. Note that, a mixed collusion attack delivered together by senders and outsiders is referred to as an attack made only by senders.

The Computer Journal, 2005

Unconditionally Secure Anonymous Encryption and Group Authentication Let S, Ui (i = 1, . . . , n), V, W, M and A denote the random variables induced by s, ui (i = 1, . . . , n), v, w, m and α respectively. For X , let X := {x| Pr(X = x) > 0}. |X| denotes the cardinality of X. We assume that at most k (0 ≤ k ≤ n − 1) authorized senders are malicious. Then, the security of GA-code is formally defined as follows: Definition 5. We say that (U1 , . . . , Un , V, W, M, A) is a (p, k, n)-one-time GA-code if: (i) Any set of k malicious senders can perform impersonation with probability at most p, viz. for any set of k malicious senders {Si1 , . . . , Sik } ⊂ S, max max P r(R accepts α ∧ none of {Si1 , . . . , Sik }

ui1 ,...,uik

α

is detected as the sender of α|ui1 , . . . , uik ) ≤ p.

(ii) Any outsider can perform impersonation with probability at most p, i.e. maxα P r(R accepts α) ≤ p. (iii) Any set of k malicious senders can perform substitution with probability at most p, viz. letting S = Si0 , for any set of k malicious senders Si1 , . . . , Sik such that Si0 ∈ / {Si1 , . . . , Sik }, max max max

ui1 ,...,uik

α  α,α =α 

Pr(R accepts α∧ none of {Si1 , . . . , Sik } is detected as the sender of α|ui1 , . . . , uik , α  ) ≤ p, α

(iv)

(v)

(vi)

(vii)

3.3.

where is taken over the set of valid authenticated messages which can be generated by Si0 . Any set of outsiders can perform substitution with probability at most p, i.e. letting α  be an authenticated message which is generated by an honest user, maxα  maxα,α=α  P r(R accepts α|α  ) ≤ p. R obtains no information on the identity of s from α, viz. P r(S = Si |α, v) = P r(S = Si ) for any α and i (1 ≤ i ≤ n). G obtains no information on the identity of s from α, viz. P r(S = Si |α, w) = P r(S = Si ) for any α and i (1 ≤ i ≤ n). Cooperating with G, R can reveal the identity of the sender of the authenticated message α with probability more than P r(S = Si0 ), where Si0 is the sender of α. Construction

In this subsection, we show a couple of constructions of GA-codes; one is based on polynomials and the other based on CFFs. 3.3.1. Construction from polynomial Based on polynomials, a GA-code can be constructed as follows: GA-code based on polynomials (i) Setting up. Let M = GF (q) − {0}, where q is a prime power and q ≥ n. TI chooses uniformly

9 of 12

random polynomials f (x) and g(x) over GF (q) such that deg f (x) ≤ k + 1 and deg g(x) ≤ k + 1. TI also chooses distinct numbers bi (1 ≤ i ≤ n) from B ⊆ GF (q) uniformly at random, where |B| = n such that f (bi )  = f (bj ) for any i, j with 1 ≤ i, j ≤ n, i = j . Next, TI gives f (x) and g(x) to R as v, and also gives {b1 , f (b1 ), g(b1 )}, {b2 , f (b2 ), g(b2 )}, . . . , {bn , f (bn ), g(bn )} to S1 , S2 , . . . , Sn as u1 , u2 , . . . , un respectively. TI also generates a mapping π : GF (q) → S such that π(f (bi )) = Si and gives it to G as w. TI deletes his memory after distributing keys. (ii) Message generation. Sender Si generates an authenticated message α for m as α = {m, bi , h}, where h := f (bi )m + g(bi ). (iii) Verification. Receiver R accepts α as valid if h is identical to f (x)|x=bi m + g(x)|x=bi . (iv) Tracing. When R wants to reveal the identity of the sender, R first sends a request to G. If R’s request is approved by G, R transmits f (bi ) to G via a secure channel. Then, G reveals the sender’s identity by Si = π(t) and transmits this result back to R. The security of the above scheme is addressed as follows: Lemma 3.1. In the above scheme, colluders, which include at most k of {S1 , S2 , . . . , Sn }, can perform impersonation with probability at most 1/q. (See conditions (i) and (ii) of Definition 5.) Proof. For impersonation to succeed by collusion of senders {Si1 , . . . , Sik }, adversaries need to produce a fraudulent message {b, m , h } such that h = f (b)m + g(b) and b ∈ {bi1 , . . . , bik }. Since the malicious senders have only k points of g(x), it is therefore impossible to obtain any information on g(b), and accordingly, they also have no information on h . Therefore, the probability of the attack succeeding will be at most 1/q. In a manner similar to this, we can also prove that the probability of outsiders’ impersonation succeeding is at most 1/q.   Lemma 3.2. In the above scheme, colluders, which include at most k of {S1 , S2 , . . . , Sn }−{Si0 }, can perform substitution with probability at most 1/(q − k), where Si0 is the honest sender who sends a valid authenticated message α  to R. (See conditions (iii) and (iv) of Definition 5.) Proof. For substitution by senders {Si1 , . . . , Sik } to succeed, adversaries need to produce a fraudulent message {b, m , h } such that h = f (b)m + g(b), b  ∈ {bi1 , . . . , bik } and {b, m , h }  = α(= {bi0 , m, h}), where α is an authenticated message generated by Si0 . For the fraudulent message {b, m , h }, we consider the following cases: (i) b = bi0 and m  = m, (ii) b  = bi0 and m = m, (iii) b  = bi0 and m  = m. For case (i) b = bi0 and m  = m, we have h = f (b)(m − m) + h.

(13)

Since the adversaries only have f (bi1 ), . . . , f (bik ), and deg f (x) = k + 1, the only information the adversaries have is f (b) ∈ {f (bi1 ), . . . , f (bik )}. Consequently, there are

The Computer Journal, 2005

10 of 12

G. Hanaoka et al.

q − k possible values for f (b). Hence, from Equation (13), there also exist q − k different values for h for any {bi0 , m, m , h}. This implies that the probability for the substitution succeeding does not exceed 1/(q − k). For case (ii) b  = bi0 and m = m, we have deg(f (x)m + g(x)) = k+1 and the adversaries have only f (bi0 )m +g(bi0 ) and f (bi1 )m + g(bi1 ), . . . , f (bik )m + g(bik ). Hence, the adversaries have no information on h = f (b)m + g(b); consequently, the probability for the substitution succeeding also does not exceed 1/q. For case (iii) b  = bi0 and m  = m, we have deg g(x) = k + 1 and the adversaries only have f (bi0 )m + g(bi0 ) and g(bi1 ), . . . , g(bik ). This means, the adversaries have no information on g(b). Also, this implies that they do not have any information on h because h = f (b)m + g(b); consequently, the probability for substitution to succeed also does not exceed 1/q. Similarly, we can also prove that the probability of outsiders’ substitution succeeding will be at most 1/q.   Together, that any adversaries can succeed in their impersonation or substitution has probability at most 1/(q − k). Lemma 3.3. R or G can determine who had generated the authenticated message α with probability at most P r(S = Si0 ). Additionally, cooperating with G, R can reveal the identity of the sender of the authenticated message α with probability 1, if α is valid. (See conditions (v)–(vii) of Definition 5.) Proof. As regards the sender’s anonymity, it is clear that R has no information on the identity of the sender since R does not know the mapping π. Hence, R can only determine the probability of the generator of the authenticated message α to be at most Pr(S = Si0 ). On the other hand, though G knows π , G too, has no information regarding the identity of the sender since G does not know g(bi0 ). The probability of G determining the identity of the generator of α is at most Pr(S = Si0 ). However, by cooperating with G, R can identify the sender with probability 1 if α is valid.   Theorem 8. The above scheme is a (1/(q − k), k, n)-onetime GA-code. Proof. From Lemmas 3.1, 3.2 and 3.3, it is obvious that the above theorem is true.   In the security definition of GA-code, it is assumed that G does not join any colluders who try to perform impersonation or substitution. We should note that the probability of the substitution succeeding can be increased when G joins a collusion attack. Since G knows f (bi ) which is assigned to Si , for example, he can substitute a valid authenticated message α := {m, bi , f (bi )m + g(bi )} with a forged message α  := {m + 1, bi , f (bi )(m + 1) + g(bi )} which will be accepted by R. If such an attack is to be avoided, we can secure the above scheme with a slight modification as follows: TI uniformly at random chooses two mappings π1 : {1, 2, . . . , n} → {1, 2, . . . , n} and π2 : {1, 2, . . . , n} → S such that π2 (π1 (bi )) = Si instead of π . Then, {f (x), g(x), π1 } and π2 are given to R and G as v and w respectively.

The required memory sizes for the above construction are formally addressed as follows: Theorem 9. The required memory sizes in the above construction are given as follows: H (A) = log2 nq(q − 1), H (Ui ) = log2 nq 2 for any i (1 ≤ i ≤ n), H (V) = 2(k + 2) log2 q,

H (W) =

n−1 

log2 (q − i).

i=0

3.3.2. Construction from CFF Another construction of GA-code is based on CFF. An advantage of using the CFF-based GA-code is recalling USAE, it does not always require |M| + 1 ≥ n while the requirement is an absolute for the polynomial-based GA-code. In order to construct a GA-code from CFF, we also introduce ‘classical’ A-codes [16, 17] which include only one sender and one receiver. In such A-codes, there are three ˜ a receiver R˜ and a trusted initializer participants: a sender S, ˜ ˜ TI. TI generates secret information u˜ and v˜ for R˜ and S˜ respectively, such that u˜ = v. ˜ In order to send a plaintext ˜ S˜ generates his authenticated message α˜ from m m ˜ to R, ˜ by ˜ R˜ verifies the validity of α˜ by using u˜ and transmits α˜ to R. using m ˜ and v. ˜ We note that S˜ or R˜ may generate u˜ and v˜ in ˜ order to remove TI. ˜ (V, ˜ )M ˜ and A˜ denote the random Definition 6. Let U, variables induced by u, ˜ (v, ˜ )m ˜ and α˜ respectively. We say that ˜ (V, ˜ )M, ˜ A) ˜ is a p-authentication code (A-code) if (U, ˜ R˜ or TI) ˜ can (i) Any outsiders (which do not include S, perform impersonation with probability at most p. Namely, maxα˜ P r(R˜ accepts α) ˜ ≤ p. (ii) Any set of outsiders can perform substitution with probability at most p, viz. letting α˜  be an ˜ authenticated message which is generated by S,  ˜ maxα˜  maxα, ˜ α˜ ) ≤ p. ˜ α˜ =α˜  P r(R accepts α| Construction methods of A-codes are given in, for example, [16, 17]. In the following, for simplicity, let f : M˜ × U˜ → A˜ denote a mapping such that f (m, ˜ u) ˜ = α. ˜ Additionally, notations for CFF are the same as that in Definition 3. GA-code based on CFFs ˜ TI first generates an (n, t, k)(i) Setting up. Let M := M. CFF such that each of "i (1 ≤ i ≤ t) is an element of U˜ . TI also chooses distinct numbers ri (1 ≤ i ≤ n) from {1, 2, . . . , n} uniformly at random. An algorithm that generates Fi (1 ≤ i ≤ n) from i and L may be public to all players. TI further uniformly at random chooses two mappings π1 : {1, 2, . . . , n} → {1, 2, . . . , n} and π2 : {1, 2, . . . , n} → S such that π2 (π1 (ri )) = Si for 1 ≤ i ≤ n. Next, TI gives {L, π1 } to R as v. TI also gives {ri , Fri } (1 ≤ i ≤ n) to Si (1 ≤ i ≤ n) respectively, as ui . In addition, π2 is given to G as w. After distributing the keys, TI deletes his memory.

The Computer Journal, 2005

Unconditionally Secure Anonymous Encryption and Group Authentication (ii) Message generation. Sender Si generates an authenticated message α for m as (r )

(r )

(r )

α := {ri , α  1 i , α  2 i , . . . , α  |Fir | }, i

(r )

(r )

where α  j i := f (m, "j i ) (1 ≤ j ≤ |Fri |), assuming (r )

(r )

(r )

that Fri = {"1 i , "2 i , . . . , "|Fir | }. i (iii) Verification. Receiver R first generates Fri from L and (r ) ri . Then, R accepts α as valid if α  j i is identical to (r )

f (m, "j i ) for all j (1 ≤ j ≤ |Fri |). (iv) Tracing. When R wants to reveal the identity of the sender, R first sends a request to G. If R’s request is approved by G, R calculates t = π1 (ri ) and transmits it to G. Then, G can now reveal the sender’s identity by Si = π2 (t) and transmits this result back to R via a secure channel. Theorem 10. The above scheme is a (p, k, n)-one-time GA-code. The proof of the theorem is straightforward. The required memory sizes for the above construction are formally addressed as follows: Theorem 11. The required memory sizes in the above construction are given as follows: ˜ H (A) = log2 n + |F |H (A), ˜ f or any i (1 ≤ i ≤ n), H (Ui ) = log2 n + |F |H (U) ˜ + H (V) = tH (U)

n−1 

log2 (i + 1),

i=0

H (W) =

n−1 

log2 i + 1,

i=0

assuming that all |Fri | (1 ≤ i ≤ n) are of the same size |F |. As mentioned so far, we see that the above scheme does not always require |M| + 1 ≥ n while the polynomial-based GA-code can be utilized only when |M|+1 ≥ n. In addition, it should be noticed that the size of α can be reduced if each (r ) (r ) (r ) of α  1 i , α  2 i , . . . , α  |Fir | contains the same m. i

4.

CONCLUSIONS

In this paper, we proposed models and concrete constructions of USAE- and GA-codes which unconditionally secure encryption and have authentication with sender anonymity. By combining the two, USAE- and GA-codes, we can build a secure communication system with confidentiality, authenticity and guarantee sender’s anonymity as well. Security of such a system is proven without any computational assumptions and, therefore, assures longterm security. A potential application for such a system is electronic voting. Each voter can send his vote to a ballotcounting server without having to reveal his identity as long as there is an appropriate anonymous channel. What needs to be emphasized for such a system is that it can guarantee security

11 of 12

unconditionally, i.e. even against adversaries with extremely high computational power. Dishonest voters, if any exist, can be traced back using the traceability property of the GA-code. As you can see USAE- and GA-codes exhibit their advantage especially for important ‘top-secret’ elections. Moreover, we investigated lower bounds on the required memory sizes for USAE and showed an optimal construction that meets the bounds (i.e. bounds are tight). Furthermore, we gave two extensions of USAE, i.e. a multi-receiver scheme (MUSAE) and a non-malleable scheme. For GA-codes we only showed a single-receiver model, but a multiple-receiver extension can be done similarly as in MUSAE for GA-code. A concrete construction will be shown in our future work. Investigating the tight bounds for the memory sizes in GA-code becomes an important issue when analyzing optimality. It is definitely an interesting open problem. ACKNOWLEDGEMENT We would like to thank the anonymous referees for their helpful comments. REFERENCES [1] Chaum, D. (1981) Untraceable electronic mail, return address, and digital pseudonyms. Commun. ACM, 24, 84–88. [2] Chaum, D. (1987) The dining cryptographers problem: unconditional sender and recipient untraceability. J. Cryptol., 1(1), 65–75. [3] Abe, M. (1998) Universally verifiable mix-net with verification work independent of the number of mix-servers. In Proc. EUROCRYPT’98, Espoo, May 31–June 4, pp. 437–447. Springer-Verlag, Berlin. [4] Diffie, W. and Hellman, M. E. (1976) New directions in cryptography. IEEE Trans. Inform. Theor., IT-22, 644–654. [5] Rivest, R., Shamir, A. and Adleman, L. (1978) A method for obtaining digital signature and public-key cryptosystems. Commun. ACM, 21(2), 120–126. [6] ElGamal, T. (1985) A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Trans. Inform. Theor., IT-31 (4), 469–472. [7] Chaum, D. and van Heyst, E. (1991) Group signatures. In Proc. EUROCRYPT’91, Brighton, April 8–11, pp. 257–265. Springer-Verlag, Berlin. [8] Camenisch, J. and Stadler, M. (1997) Efficient group signature schemes for large groups. In Proc. CRYPTO’97, Santa Barbara, CA, August 17–21, pp. 410–424. Springer-Verlag, Berlin. [9] Erdös, P., Frankl, P. and Furedi, Z. (1982) Families of finite sets in which no sets is covered by the union of two others. J. Combin. Theor. Ser. A, 33, 158–166. [10] Blom, R. (1983) Non-public key distribution. In Proc. CRYPTO’82, Santa Barbara, CA, August, pp. 231–236. Plenum, New York. [11] Matsumoto, T. and Imai, H. (1988) On the Key Predistribution System: a practical solution to the key distribution problem. In Proc. CRYPTO’87, Santa Barbara, CA, August 16–20, pp. 185–193. Springer-Verlag, Berlin. [12] Blundo, C., De Santis, A., Herzberg, A., Kutten, S., Vaccaro, U. and Yung, M. (1993) Perfectly secure key distribution for dynamic conferences. In Proc. CRYPTO’92,

The Computer Journal, 2005

12 of 12

[13]

[14]

[15]

[16]

[17]

[18]

[19]

[20]

G. Hanaoka et al.

Santa Barbara, CA, August 16–20, pp. 471–486. SpringerVerlag, Berlin. Blundo, C., Frota Mattos, L. A. and Stinson, D. R. (1996) Trade-offs between communication and storage in unconditionally secure schemes for broadcast encryption and interactive key distribution. In Proc. CRYPTO’96, Santa Barbara, CA, August 18–22, pp. 387–400. Springer-Verlag, Berlin. Kurosawa, K., Yoshida, T., Desmedt, Y. and Burmester, M. (1998) Some bounds and a construction for secure broadcast encryption. In Proc. ASIACRYPT’98, Beijing, October 18–22, pp. 420–433. Springer-Verlag, Berlin. Stinson, D. R. (1997) On some methods for unconditionally secure key distribution and broadcast encryption. Design. Code. Cryptogr., 12, pp. 215–243. Gilbert, E. N., MacWilliams F. J. and Sloane, N. J. A. (1974) Codes which detect deception. Bell Syst. Tech. J., 53, 405–425. Simmons, G. J. (1985) Authentication theory/coding theory. In Proc. CRYPTO’84, Santa Barbara, CA, August 19–22, pp. 411–431. Springer-Verlag, Berlin. Simmons, G. J. (1988) Message authentication with arbitration of transmitter/receiver disputes. In Proc. EUROCRYPT’87, Amsterdam, April 13–15, pp. 151–165. Springer-Verlag, Berlin. Desmedt, Y., Frankel, Y. and Yung, M. (1992) Multireceiver/Multi-sender network security: efficient authenticated multicast/feedback. In Proc. IEEE Infocom’92, Florence, May 4–8, pp. 2045–2054. IEEE, Piscataway, NJ. Hanaoka, G., Shikata, J., Zheng, Y. and Imai, H. (2000) Unconditionally secure digital signature schemes

[21]

[22]

[23]

[24] [25]

[26]

[27]

[28]

admitting transferability. In Proc. ASIACRYPT’00, Kyoto, December 3–7, pp. 130–142. Springer-Verlag, Berlin. Hanaoka, G., Shikata, J., Zheng, Y. and Imai, H. (2002) Efficient and unconditionally secure digital signatures and a security analysis of a multireceiver authentication code. In Proc. PKC’02, Paris, February 12–14, pp. 64–79. SpringerVerlag, Berlin. Shikata, J., Hanaoka, G., Zheng, Y. and Imai, H. (2002) Security notions for unconditionally secure signature schemes. In Proc. EUROCRYPT’02, Amsterdam, April 28–May 2, pp. 434–449. Springer-Verlag, Berlin. Ben-Or, M., Goldwasser, S. and Wigderson, A. (1988) Completeness theorems for non-cryptographic fault-tolerant distributed computation. In Proc. STOC’88, Chicago, IL, May 2–4, pp. 1–10. ACM, New York, NY. Shannon, C. E. (1949) Communication theory of secrecy systems. Bell Syst. Tech. J., 28, 656–715. Erdös, P., Frankl, P. and Furedi, Z. (1985) Families of finite sets in which no sets is covered by the union of r others. Israel J. Math., 51, 79–89. Dolev, D., Dwork, C. and Naor, M. (1991) Non-malleable cryptography. In Proc. STOC’91, New Orleans, LA, May 6–8, pp. 542–552. ACM, New York, NY. Bellare, M., Desai, A., Jokipii, E. and Rogaway, P. (1997) A concrete security treatment of symmetric encryption. In Proc. FOCS’97, Miami Beach, FL, October 19–22, pp. 394–403. IEEE, Piscataway, NJ. Bellare, M., Desai, A., Pointcheval, D. and Rogaway, P. (1998) Relations among notions of security for public-key encryption schemes. In Proc. CRYPTO’98, Santa Barbara, CA, August 23–27, pp. 26–45. Springer-Verlag, Berlin.

The Computer Journal, 2005

Suggest Documents