Affiliations: [1] School of Electronic Information and Electrical Engineering, Shanghai Jiao Tong University, Shanghai 200240; [2] State Key Laboratory of Cryptology, Beijing 100878; [3] Moshi Laboratory (摩石实验室), Chengdu Westone Information Industry Inc., Beijing 100070
Source: Journal of Cryptologic Research (密码学报), 2023, No. 5, pp. 1001-1018 (18 pages)
Funding: National Natural Science Foundation of China (62372292, 62002223, 61925207); Major Project of Guangdong Basic and Applied Basic Research (2019B030302008); National Key R&D Program of China (2022YFB2701500, 2020YFA0712302); Young Elite Scientists Sponsorship Program by CAST (YESS20200185).
Abstract: Inner-product functional encryption (IPFE) is an important class of functional encryption: decrypting a ciphertext with a functional secret key reveals only the inner product of the encrypted message with the key's vector, which has wide applications in biometric authentication, nearest-neighbor search, statistical analysis and similar settings. The conventional security requirement for IPFE is indistinguishability under chosen-plaintext/chosen-ciphertext attacks (IND-CPA/CCA). In practice, however, IPFE faces further threats such as key leakage attacks, through which an adversary learns partial information about secret keys, so IPFE schemes with leakage-resilient CPA/CCA (LR-CPA/CCA) security are needed in such settings. Existing IPFE schemes achieve either only LR-CPA security or only semi-adaptive LR-CCA security, where "semi-adaptive" means the adversary must declare the challenge instances at the start of the security experiment. This paper constructs the first IPFE scheme with adaptive LR-CCA security. The achieved LR-CCA security is fully adaptive: the adversary may mount key leakage attacks and CCA attacks and submit the challenge instances in an arbitrary, adaptive order. The scheme is built over asymmetric pairing groups, and its LR-CCA security rests on the standard matrix decisional Diffie-Hellman (MDDH) assumptions, which include the standard DDH and k-Linear assumptions as special cases. Technically, the construction is inspired by the IND-CPA secure IPFE scheme of Agrawal et al. (Crypto 2016) and the non-interactive zero-knowledge proof system of Kiltz et al. (Eurocrypt 2015). To achieve adaptive LR-CCA security, these techniques are combined and adapted to the key leakage setting, and the dimensions of the instances in the scheme are carefully adjusted so that adaptive security can be obtained through a statistical complexity-leveraging argument.
Classification code: TP309.7 [Automation and Computer Technology / Computer System Architecture]