
Covercrypt: An Efficient Early-Abort KEM for Hidden Access Policies with Traceability from the DDH and LWE

Conference paper in Computer Security – ESORICS 2023 (ESORICS 2023)

Abstract

Attribute-Based Encryption (ABE) is a very attractive primitive for limiting access according to specific rights. While very powerful instantiations have been proposed under various computational assumptions, they rely on either classical or post-quantum problems alone, and are quite intricate to implement, which generally results in poor efficiency; the construction we offer is considerably more efficient than existing solutions. With the threat of quantum computers, post-quantum solutions are important, but not yet tested enough to rely on such problems only. We thus first study a hybrid approach that takes the best of both worlds: the scheme is secure as long as at least one of the two underlying assumptions (DDH and LWE) still holds. Then, we address the ABE problem with a practical solution delivering encrypted contents such that only authorized users can decrypt, without revealing the target sets, while also granting tracing capabilities. Our scheme is inspired by the Subset Cover framework, where users’ rights are organized as subsets and a content is encrypted with respect to a subset covering of the target set. Quite conveniently, we offer black-box modularity: one can use any public-key encryption of their choice, such as Kyber, with their favorite library, and combine it with a simple ElGamal variant of a key encapsulation mechanism, providing strong security guarantees.


Notes

  1. https://github.com/Cosmian/cover_crypt.

  2. https://docs.rs/aes-gcm/latest/aes_gcm/.

  3. Note that this is the optimized version of a generic one, where one would have drawn |B| extra session keys \(K_i'\), \(E_i\) would have been a Kyber encryption of these \(K_i'\)’s instead of \(S\oplus K_i\), and one would have had to send |B| extra \(F_i \leftarrow K_i \oplus K'\oplus S\).

  4. Again, this corresponds to our optimized version, taking advantage of the encrypting properties of Kyber. For a generic hybrid \(\textsf {KEMAC}\), one would have output \(U'_{i,j} \oplus F_i\) when \(V'_{i,j}=V\) (cf. the previous footnote for the definition of \(F_i\)).

  5. https://github.com/Cosmian/cover_crypt.

  6. https://docs.rs/pqc_kyber/latest/pqc_kyber/.

  7. Whose implementation can be found at: https://github.com/Cosmian/abe_gpsw.

  8. In this comparison, to translate the attribute setting into a subset-cover one, we consider a context in which users hold \(|A|+1\) attributes, corresponding to |A| subsets in the subset-cover setting (the subsets being the intersection of one of these attributes with each of the others); encapsulations are made in the same way with respect to \(|B|+1\) attributes corresponding to |B| subsets; and for the decapsulation timings, we suppose there is always exactly one subset in the intersection of those the user has access to and those in the encapsulation.


Acknowledgments

This work was supported in part by the France 2030 ANR Project ANR-22-PECY-003 SecureCompute.

Author information

Corresponding author: Paola de Perthuis.

Appendices

A Public-Key Encryption

A Public-Key Encryption (PKE) scheme is defined by three algorithms:

  • \(\textsf {PKE}.\textsf{KeyGen}(1^\kappa )\): the key generation algorithm outputs a pair of public and secret keys \(({\textsf{pk}},{\textsf{sk}})\);

  • \(\textsf {PKE}.\textsf{Enc}({\textsf{pk}}, m)\): the encryption algorithm encrypts the input message m under the public key \({\textsf{pk}}\) and outputs the ciphertext C;

  • \(\textsf {PKE}.\textsf{Dec}({\textsf{sk}},C)\): the decryption algorithm outputs the message m encrypted in C.

We will use the classical notion of indistinguishability and of anonymity of such a PKE scheme, similarly to the same notions for KEMs:

  • Indistinguishability. For an honestly generated \({\textsf{pk}}\), if the adversary chooses two messages \(m_0\) and \(m_1\), it cannot distinguish an encryption of \(m_0\) from an encryption of \(m_1\), both under \({\textsf{pk}}\).

  • Anonymity. For two honestly generated \({\textsf{pk}}_0\) and \({\textsf{pk}}_1\), if the adversary chooses a message m, it cannot distinguish an encryption of m under \({\textsf{pk}}_0\) from the encryption of m under \({\textsf{pk}}_1\).

B Proof of Theorem 5

We present a sequence of games, starting from the \(\textsf {AUTH} \) security game against \({\textsf {KEM}}'\).

  • Game G\(_{0}\) : In the initial game, one runs \(({\textsf{pk}}_i,{\textsf{sk}}_i)\leftarrow {\textsf {KEM}}'.\textsf{KeyGen}(1^\kappa )\) for \(i\in\{0,1\}\), \((c,s)\leftarrow {\textsf {KEM}}.\textsf{Enc}({\textsf{pk}}_0)\) and \(K_0 \Vert V \leftarrow \textsf{PRG}(s)\). One then runs \(s' \leftarrow {\textsf {KEM}}.\textsf{Dec}({\textsf{sk}}_1,c)\), followed by \(U'\Vert V' \leftarrow \textsf{PRG}(s')\). We denote by \(P_{0}\) the probability that \(V' = V\); this is \(\textsf{Adv}^{\textsf {auth}}_{{\textsf {KEM}}'}(1^\kappa )\).

  • Game G\(_{1}\) : In this game, we replace s by a value \(s {\mathop {\leftarrow }\limits ^{{}_\$}}\{0;1\}^\kappa \) drawn uniformly at random from the session-key space \(\{0;1\}^\kappa \) of \({\textsf {KEM}}\). The difference between this game and the previous one is the \(\textsf {SK-IND} \) game on the underlying \({\textsf {KEM}}\), against a trivial adversary \(\mathcal {A}_0\). Hence, \(P_{0} - P_{1} \le \textsf{Adv}^{\textsf {sk-ind}}_{{\textsf {KEM}}}(\tau )\), where \(\tau \) is the running time of the trivial adversary \(\mathcal {A}_0\), which runs two key generations, one encapsulation, two \(\textsf{PRG}\) evaluations, and one decapsulation.

  • Game G\(_{2}\) : In this game, one takes \(K_0\Vert V {\mathop {\leftarrow }\limits ^{{}_\$}}\{0;1\}^{k+\ell }\). This is indistinguishable from the previous game except with probability \(\textsf{Adv}_{\textsf{PRG}_{\kappa ,k+\ell }}^\textsf{ind}(\tau ')\). Hence, \(P_{1} - P_{2} \le \textsf{Adv}_{\textsf{PRG}_{\kappa ,k+\ell }}^\textsf{ind}(\tau ')\), where \(\tau '\) is the running time of another trivial adversary \(\mathcal {A}_1\), which runs two key generations, one encapsulation, one \(\textsf{PRG}\) evaluation, and one decapsulation. In this game, as V is drawn uniformly at random from \(\{0;1\}^\ell \), independently of \(V'\), the probability that \(V' = V\) is exactly \(2^{-\ell }\): \(P_{2} = 2^{-\ell }\).

Finally, from the above, one deduces that:

$$\begin{aligned} \textsf{Adv}^{\textsf {auth}}_{{\textsf {KEM}}'}(\kappa ) \le 2^{-\ell } + \textsf{Adv}^{\textsf {sk-ind}}_{{\textsf {KEM}}}(\tau ) + \textsf{Adv}_{\textsf{PRG}_{\kappa ,k+\ell }}^\textsf{ind}(\tau ') \end{aligned}$$
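As an added illustration (not code from the paper or from the Cosmian library), the Python below implements this \(\textsf{KEM}'\) wrapper over a black-box inner \(\textsf{KEM}\): the inner KEM is a toy ElGamal KEM in a constructed 10-bit safe-prime group that stands in for Kyber, the PRG is SHAKE-256, and the function names (kem2_enc, kem2_dec, open_hidden_policy) and the sizes k = 256 bits and \(\ell\) = 32 bits are this example's own choices. It also shows what the tag buys for hidden access policies: a recipient tries each of its keys against each encapsulation of a header and aborts early on a tag mismatch, so a wrong pair costs one decapsulation plus one PRG call and is accepted with probability only \(2^{-\ell}\), the first term of the bound above.

```python
# Added example (not the paper's code): the early-abort KEM' of Appendix B over a
# black-box inner KEM. The inner KEM here is a toy ElGamal KEM in a 10-bit
# safe-prime group (constructed parameters, for readability only); in the real
# scheme it would be Kyber, or any IND-CPA KEM from your favourite library.
import hashlib
import secrets

P, Q, G = 1019, 509, 4           # toy group: P = 2Q + 1, G of prime order Q
K_BYTES, TAG_BYTES = 32, 4       # k = 256-bit session key K, ell = 32-bit tag V


def prg(seed: bytes, out_len: int) -> bytes:
    """PRG_{kappa, k+ell}: expands the inner KEM seed s into K || V (SHAKE-256 here)."""
    return hashlib.shake_256(seed).digest(out_len)


def kem_keygen():
    """Inner KEM.KeyGen: sk random in [1, Q-1], pk = G^sk."""
    sk = secrets.randbelow(Q - 1) + 1
    return pow(G, sk, P), sk


def kem_enc(pk):
    """Inner KEM.Enc: c = G^r, seed s = pk^r (serialised on 2 bytes)."""
    r = secrets.randbelow(Q - 1) + 1
    return pow(G, r, P), pow(pk, r, P).to_bytes(2, "big")


def kem_dec(sk, c):
    """Inner KEM.Dec: s' = c^sk."""
    return pow(c, sk, P).to_bytes(2, "big")


def kem2_enc(pk):
    """KEM'.Enc: (c, s) <- KEM.Enc(pk); K || V <- PRG(s); ciphertext (c, V), key K."""
    c, s = kem_enc(pk)
    stream = prg(s, K_BYTES + TAG_BYTES)
    return (c, stream[K_BYTES:]), stream[:K_BYTES]


def kem2_dec(sk, ct):
    """KEM'.Dec: recompute U' || V' from s' and abort early unless V' == V."""
    c, tag = ct
    stream = prg(kem_dec(sk, c), K_BYTES + TAG_BYTES)
    if not secrets.compare_digest(stream[K_BYTES:], tag):
        return None                       # wrong key: early abort, no key output
    return stream[:K_BYTES]


def open_hidden_policy(user_keys, header):
    """Hidden-policy decapsulation: the header does not say which subset each
    encapsulation targets, so try every (key, encapsulation) pair and stop at the
    first tag match. Returns (session key or None, number of pairs tried)."""
    trials = 0
    for sk in user_keys:
        for ct in header:
            trials += 1
            key = kem2_dec(sk, ct)
            if key is not None:
                return key, trials
    return None, trials


def demo():
    """Three subset keys; the header targets subsets 1 and 2; the user holds keys 0 and 2."""
    sks = secrets.SystemRandom().sample(range(1, Q), 3)   # distinct toy secrets (constructed)
    pks = [pow(G, sk, P) for sk in sks]
    (ct1, _), (ct2, key2) = kem2_enc(pks[1]), kem2_enc(pks[2])
    recovered, trials = open_hidden_policy([sks[0], sks[2]], [ct1, ct2])
    return {
        "wrong_key_aborts": kem2_dec(sks[0], ct1) is None,
        "right_key_opens": kem2_dec(sks[2], ct2) == key2,
        "recovered_matches": recovered == key2,
        "trials": trials,                               # 4 pairs tried, the last one matches
        "false_accept_bound": 2.0 ** (-8 * TAG_BYTES),  # the 2^-ell term of Theorem 5
    }


if __name__ == "__main__":
    print(demo())
```

With \(\ell\) = 32 and two encapsulations in the header, demo() reports four trials, the last one succeeding. The tag length trades bandwidth against false accepts: every wrong (key, encapsulation) pair passes the check with probability \(2^{-\ell}\), so a header of |B| encapsulations tried against |A| user keys yields about \(|A|\cdot|B|\cdot 2^{-\ell}\) spurious matches, which is why the bound keeps that term even when the KEM and PRG advantages are negligible.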

C Proof of Theorem 11

To prove this theorem, we first describe the confirmer algorithm \(\mathcal {C}\), then provide the indistinguishability analysis, and finally prove that \(\mathcal {C}\) gives a correct answer.

Description of the Confirmer \(\mathcal {C}\): For a candidate subset \(\mathcal {G}\) of size at most t, with keys \(\{\textsf{usk}_j = (v_{j,k})_k\}_{j\in \mathcal {G}}\), the confirmer algorithm \(\mathcal {C}\) proceeds as follows. It chooses \((u_k)_k\) orthogonal to the subspace spanned by \(\{(v_{j,k})_k\}_{j\in \mathcal {G}}\), which means that \(\sum _k u_k v_{j,k} = 0, \forall j\in \mathcal {G}.\) This is possible as \((v_{j,k})_{k\in [1,t+1],j\in \mathcal {G}}\) is of rank at most t in \(\mathbb {Z}_q^{t+1}\), so the kernel is of dimension at least 1. Recall that \(h_k = g^{s_k}\) and \(h = g^s\), with \(\sum _k s_k v_{j,k} = s\) for every user j. One then generates a fake ciphertext \(C = (C_k)_k\), with \(C_k \leftarrow h_k^r \cdot g^{u_k s'}\), for random \(r,s'{\mathop {\leftarrow }\limits ^{{}_\$}}\mathbb {Z}_q\), and sets \(K \leftarrow h^r\):

  • Any key \(\textsf{usk}_j\) in \(\mathcal {G}\) will lead to:

    $$\prod _k C_k^{v_{j,k}} = \prod _k g^{(r s_k + s' u_k) \cdot v_{j,k}} = g^{r \sum _k s_k v_{j,k} + s' \sum _k u_k v_{j,k}} = g^{r s + s' \times 0} = K;$$
  • and any key \(\textsf{usk}_j\) outside \(\mathcal {G}\) will lead to: \(\prod _k C_k^{v_{j,k}} = K \times (g^{\sum _k u_k v_{j,k}})^{s'} \ne K.\)

This will allow us to confirm at least one traitor from a candidate subset of traitors.

Indistinguishability Analysis. The above remark about the output key from a pirate decoder \(\mathcal {P}\) assumes honest behavior, whereas it may stop answering if it detects the fake ciphertext. We first need to show that, with the public key \({\textsf{pk}}= ((h_k)_k,h)\) and only \(\{\textsf{usk}_j = (v_{j,k})_k\}_{j\in \mathcal {G}}\), one cannot distinguish the fake ciphertext from a real ciphertext. Both are generated as above from a Diffie-Hellman tuple \((A = g^a,B = g^r, C)\): one draws random scalars \(s, s'_k, u_k{\mathop {\leftarrow }\limits ^{{}_\$}}\mathbb {Z}_q\), such that \(\sum _k v_{j,k} s'_k = s\) and \(\sum _k v_{j,k} u_k = 0\) for \(j\in \mathcal {G}\), and sets:

$$\begin{aligned} h_k & \leftarrow A^{u_k}\cdot g^{s'_k} = g^{a u_k + s'_k} & h & \leftarrow g^{s} & \textsf{usk}_j & = (v_{j,k})_k \text{ for } j\in \mathcal {G}\end{aligned}$$

where we implicitly define \(s_k \leftarrow a u_k + s'_k\), that satisfy

$$\sum _k v_{j,k} s_k = \sum _k v_{j,k} (s'_k + a u_k) = \sum _k v_{j,k} s'_k + a \sum _k v_{j,k} u_k = s + 0 = s.$$

Then, one defines \(C_k \leftarrow C^{u_k} \cdot B^{s'_k}\) and \(K \leftarrow B^{s}\).

Let us write \(C = A^{r+c} = g^{a(r+c)}\), where c is either 0 (a Diffie-Hellman tuple) or random:

$$C_k = A^{(r+c) u_k} \cdot g^{r s'_k} = (A^{u_k} \cdot g^{s'_k})^r \cdot A^{c u_k} = h_k^r \cdot (A^c)^{u_k}.$$

One can remark that when \(c=0\) (Diffie-Hellman tuple), \(C = (C_k)_k\) is a normal ciphertext, whereas when c is random (random tuple), this is a fake ciphertext with \(s' = ac\). Under the \(\textsf {DDH}\) assumption, they are thus indistinguishable for an adversary knowing only the keys \((\textsf{usk}_i)_{i\in \mathcal {G}}\).

Confirmation of a Traitor. The above analysis shows that a pirate decoder \(\mathcal {P}\) built from \((\textsf{usk}_i)_{i\in \mathcal {G}}\) cannot distinguish the fake ciphertext from a real ciphertext. A useful pirate decoder must, however, distinguish the real key from a random key. Several situations may then arise, according to the actual set \(\mathcal {T}\) of traitors’ keys used by the adversary \(\mathcal {A}\) to build the pirate decoder \(\mathcal {P}\):

  • If \(\mathcal {T}\subseteq \mathcal {G}\), a useful decoder \(\mathcal {P}\) can distinguish keys;

  • If \(\mathcal {T}\cap \mathcal {G}= \emptyset \), \(\mathcal {P}\) cannot distinguish keys, as its keys only yield candidates that are independent of the real or random keys.

Let us now assume we started from \(\mathcal {G}\supseteq \mathcal {T}\); then the advantage of \(\mathcal {P}\) in distinguishing real and random keys, denoted \(p_{\mathcal {G}}\), is non-negligible, by the usefulness of the decoder. The following steps would also work if one starts with \(\mathcal {G}\cap \mathcal {T}\ne \emptyset \), as long as the advantage \(p_{\mathcal {G}}\) is significant.

One then removes a user J from \(\mathcal {G}\) to obtain \(\mathcal {G}'\), and generates new ciphertexts to evaluate \(p_{\mathcal {G}'}\): if \(J \not \in \mathcal {T}\), \(\textsf{usk}_J\) is not known to the adversary, so there is no way to check whether \(\sum _k v_{J,k} s'_k = s\) and \(\sum _k v_{J,k} u_k = 0\), even for a computationally unbounded adversary. Necessarily, \(p_{\mathcal {G}'} = p_{\mathcal {G}}\).

On the other hand, we know that \(p_{\emptyset } = 0\). So one can sequentially remove users until a significant gap appears, which necessarily happens for a user in \(\mathcal {T}\).    \(\square \)


Copyright information

© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper

Cite this paper

Brézot, T., de Perthuis, P., Pointcheval, D. (2024). Covercrypt: An Efficient Early-Abort KEM for Hidden Access Policies with Traceability from the DDH and LWE. In: Tsudik, G., Conti, M., Liang, K., Smaragdakis, G. (eds) Computer Security – ESORICS 2023. ESORICS 2023. Lecture Notes in Computer Science, vol 14344. Springer, Cham. https://doi.org/10.1007/978-3-031-50594-2_19


  • DOI: https://doi.org/10.1007/978-3-031-50594-2_19


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-50593-5

  • Online ISBN: 978-3-031-50594-2
