Page 80 - Read Online
P. 80
Jiang et al. J Surveill Secur Saf 2020;1:61-78 I http://dx.doi.org/10.20517/jsss.2020.09 Page 73
*
x
(1) The simulator randomly chooses an element ∈x R Z , and yields the public parameters as g 1 = g , g 2 = h
q
ω
*
,
a
and the master secret key msk = g . Next, it randomly picks integersωϖ ∈ Z , and sets u j = gg .
ϖ j
j
2
2
R
q
j
j
There is a random oracle H . The simulator stores a list of queries in the game and responses to the
4
challenger in a consistent manner by controlling the random oracle.
(2) When processing a file F, the simulator first yields a secret key for user as KAB by executing KeyGen
*
algorithm. Hereafter, the simulator picks a random unique identifier for file F and a random element ∈x ~ Z ,
q
~
*
x
and yields g ϑ t = (g α ) . For every data block , the simulator picks random values χ ∈ Z and sets:
i
i
q
R
∑ s ωχ ij , ∑ s ϖ χ , ij (10)
j
j
4 Λ ll FID lli ) = � H g γ i /(g 2 1 = j g 1 = j )
(Λ
� FID i
Based on equation (10), we have:
s
(Λ
(H 4 Λ ll FID lli � FID i )⋅� ∏ u χ ij ) = ϑ (g γ i ) t ϑ t (11)
j
= j 1
.
In addition, the simulator computes the block authentication for file block x as s = KAB (H
i
4
i
s
( ⋅
(Λ
σ = i ( ⋅KAB H 4 Λ ll FID lli )⋅ � FID i ∏ u χ j , ij )=KAB g γ i ) t ϑ t . From the perspective of , s is computationally indistinguishable from
ϑ
�
i
the real value. = j 1
(3) With the constant interaction, the simulator sends the processed files F to the adversary , which
*
~
contains{{ }σ ii ∈ [1, ]n ,δ Λ , FID }. Then, outputs a forgery σ with a non-negligible probability. Finally, if the
~
adversary is succeed to pass the validation, but the aggregate authenticationσ is unequal to the excepted
aggregate authentication s calculated by the simulator, then the game aborts.
,
According to the correctness of the proposed protocol, it is obvious that a correct proof χ 1 , ,χσ can get
s
through the verification successfully of the equation as follow:
s
e ( , )= (σ g e g 2 , g 1 ) ∑ ∈ i s ⋅ KP ∑ i I ∈ i I i s ⋅ ⋅WP ( e ∏ u χ j , g ϑ t ) (12)
j
~ ~ ~ = j 1
,
Suppose the adversary forges a proof χ 1 , ,χσ which is different from the correct proof. Next,
s
compute the following equation:
~ ∑ ∑ s ~ (13)
e (, )σ g = ( e g g 1 ) ∈ i s ⋅ KP i I i s ⋅ ⋅WP ( e ∏ u χ j , g ϑ t )
,
∈ i I
2
j
= j 1
~ ~ ~
It is obvious that χ j χ ≠ j , otherwise =σσ . Then, define a set{ χ ∆ j χ = j χ − j } j ∈ [1, ] s , which means at least one
element of χ∆ is non-zero. After that, divide equation (13) by equation (12) and get the following equation:
j
~ s s ~
ω
x
e ( / , )σσ g = ( e ∏ u ∆ j χ j , g θ t ) = e ( ∏ (gg ϖ j ) ∆ χ j j ,(g α ) ) (14)
2
It further implies: ~ = j 1 s = j 1 ~ s
~ − x ϖ ⋅ ∑ j χ ⋅∆ j x ω ⋅ ∑ j χ ⋅∆ j (15)
(σ σ⋅ e − 1 ( ⋅ g α ) 1 = j , ) = g e (,h g α ) 1 = j
Finally, we can get the value of h as follow:
α
~ s ~ s
~ − x ϖ ⋅ ∑ j χ ⋅∆ j 1/( ∑ ω ⋅ x j χ ⋅∆ j ) (16)
α = h (σσ⋅ − 1 ( ⋅ g α ) 1 = j ) 1 = j
s
~
As long as the ⋅ ∑ ω x j χ ⋅∆ j ≠ 0 mod q, the above equations are valid and can be structured to solve
the CDH problem. The probability of solving the CDH problem is equal to the probability of
1
= j
~ s
1 Pr[− x ω ⋅ ∑ j χ ⋅∆ j = 0 mod ] 1 1/= −q q , which is contradictory with the assumptions of the CDH problem. It
= j
1
means that if the adversary has a different probability of success in Game 0 versus Game 1, which is non-
negligible, then the simulator can be constructed to solve the CDH problem.
Game 2: Game 2 is similar with Game 1, except the following difference. The challenger keeps interaction
with the adversary and holds all the processed outsourced files that have been sent to . In the process
~
of the proposed auditing protocol, if the aggregate authenticatorσ yielded by is not equality to the
aggregate authenticatorσ of the challenged file blocks, then the game aborts and the adversary succeeds.
