Making <Emphasis Type="BoldItalic">Any</Emphasis> Identity-Based Encryption Accountable, Efficiently

Aggelos Kiayias; Qiang Tang

doi:10.1007/978-3-319-24174-6_17

European Symposium on Research in Computer Security

ESORICS 2015: Computer Security -- ESORICS 2015 pp 326-346 | Cite as

Making Any Identity-Based Encryption Accountable, Efficiently

Authors
Authors and affiliations

Aggelos Kiayias
Qiang TangEmail author

Conference paper

First Online: 13 January 2016

Part of the Lecture Notes in Computer Science book series (LNCS, volume 9326)

Abstract

Identity-Based Encryption (IBE) provides a compelling solution to the PKI management problem, however it comes with the serious privacy consideration that a trusted party (called the PKG) is required to generate (and hence also know) the secret keys of all users. This inherent key escrow problem is considered to be one of the major reasons hindering the wider utilization of IBE systems. In order to address this problem, Goyal [20] introduced the notion of accountable authority IBE (A-IBE), in which a judge can differentiate the PKG from the user as the source of a decryption software. Via this “tracing” mechanism, A-IBE deters the PKG from leaking the user’s secret key and hence offers a defense mechanism for IBE users against a malicious PKG.

All previous works on A-IBE focused on specialized constructions trying to achieve different properties and efficiency enhancements. In this paper for the first time we show how to add accountability to any IBE scheme using oblivious transfer (OT), with almost the same ciphertext efficiency as the underlying IBE. Furthermore, we extend our generic construction to support identity reuse without losing efficiency. This property is desirable in practice as users may accidentally lose their secret keys and they -naturally- prefer not to abandon their identities. How to achieve this property was open until our work. Along the way, we first modify the generic construction and develop a new technique to provide public traceability generically.

This is a preview of subscription content, to check access

Notes

Acknowledgements.

We thank Hong-Sheng Zhou for the early discussions. We thank the anonymous reviewer to point out the simplification for S-I. The authors were supported by the ERC project CODAMODA.

A Preliminaries

1-out-of-2 Oblivious Transfer Protocol. Briefly speaking, a 1-out-of-2 OT protocol [27] is between a sender S and a receiver R. S has two messages $(m_0,m_1)$ as input, and R chooses one of them according to a bit b. S should not know b, while R should not have any knowledge of $m_{1-b}$.

We only provide a half simulation type of definition (cf. [27]). For sender security, we make a comparison to the ideal implementation in which there is a trusted party receiving $m_0,m_1$ from S and b from R, and sends R the message $m_b$. We require that $\forall m_0,m_1$ and any efficient adversary $\mathcal {A}$ as the receiver, there is a simulator plays as the receiver in the ideal world that, the output distribution of the simulator and $\mathcal {A}$ are computationally indistinguishable. For receiver security, suppose $t_0,t_1$ represent the trascript sent by the receiver w.r.t input 0 and 1 respectively, we require that the sender can not distinguish the distribution of $t_0$ and $t_1$.

Accountable authority identity-based encryption. Here we provide a general definition for an A-IBE scheme, it is composed of the following algorithms:

Setup $(\lambda ,\delta )$ This algorithm takes the security parameter $\lambda $ and the correctness parameter $\delta $ as input and outputs master key pair (mpk, msk) and the system parameters $t(\delta ),\ell (\delta )$.
KeyGen This is a stateful protocol between a user and the PKG in which the user has an identity ID and mpk, and the PKG has mpk, msk, ID as inputs respectively. It ends with the user outputting her secret key $sk_{ID}$ or $\bot $ if the secret-keys are malformed, and the PKG output a tracing key $T_{ID}$ and a current state $st_{ID}$.
Enc $(ID,mpk,m,st_{ID})$ This algorithm inputs a receiver identity ID, master public key mpk, the message m and potentially a public state $st_{ID}$, and outputs the ciphertext C.
Dec $(C,sk_{ID})$ This algorithm takes ciphertext C and user secret key $sk_{ID}$ as input, and outputs the plaintext m.
Trace $^{B}(ID,\delta ,T_{ID})$. This algorithm inputs a pirate decryption box B for ID, correctness parameter $\delta $ and a tracing key $T_{ID}$ as input, it outputs “user”, “PKG” or “$\bot $".

Note that the algorithms can be stateless as usual if identity reuse is not required. When $T_{ID}$ is public, then the A-IBE scheme has public traceability.

$\delta $ -correctness of a decryption device B, for regular A-IBE schemes, it is defined as $\Pr [B(C)=m:C=\mathbf{Enc}(ID,mpk,m)]\ge \delta $; while for A-IBE schemes allowing identity re-use, the box might contain a couple of keys for one identity corresponding to different states, we require that for a randomly selected state, it works with $\delta $ correctness, thus the $\delta $-correctness in this case is defined as $\Pr [B(C)=m:C=\mathbf{Enc}(ID,mpk, m,i)\wedge i\leftarrow \{1,\ldots ,st_{ID}\}]\ge \delta $. Note that according to the pigeonhole principle, there exists at least one state j, $\Pr [B(C)=m:C=\mathbf{Enc}(ID,mpk,m,j)]\ge \delta /st_{ID}$, and this is important for the tracing algorithm of S-III.

IND-ID-CPA security. This is similar to the standard semantic security for IBE schemes. Consider the following game between the adversary $\mathcal {A}$ and the challenger $\mathcal {C}$:

Setup $\mathcal {C}$ runs Setup, and sends $\mathcal {A}$ the system public key: mpk.
Phase 1 $\mathcal {A}$ runs the KeyGen protocol with the challenger for several distinct adaptively chosen identities $ID_{1},..,ID_{q}$ and gets the decryption keys $sk_{ID_{1}},..,sk_{ID_{q}}$.
Challenge $\mathcal {A}$ submits two equal length messages $m_{0},m_{1}$ and an identity ID that is not appearing in the queries of Phase 1. $\mathcal {C}$ flips a random coin b and encrypts $m_{b}$ with ID. The ciphertext C is passed on to $\mathcal {A}$.
Phase 2 This is identical to Phase 1 and $\mathcal {A}$ is not allowed to query for ID.
Guess The adversary outputs a guess $b'$ of b.

The advantage of the adversary $\mathcal {A}$ is defined as $|\Pr [b'=b]-1/2|$; we say an A-IBE is IND-ID-CPA secure if $\mathcal {A}$’s advantage is negligible.

Note that for A-IBE schemes with public traceability, the adversary also gets the public tracing key T.

Besides standard semantic security, for an A-IBE scheme, there are two additional security properties that have to be considered. The first is security against a malicious PKG. Any A-IBE scheme, should prevent the PKG from learning useful information which can help her to leak a decryption program B (we will also call it a decryption “box”) on behalf of a certain identity and evade the tracing algorithm. The second is security against malicious users. In this perspective, a group of colluding users should not be able to make a working box B that frames the PKG. Depending of the form of B, one may consider various models for the tracing algorithm. Specifically, if the tracing algorithm only needs oracle access to B, we call it traceable in the black-box model. Common variants of the black-box model exist depending on whether the PKG is given access to the decryption oracle that corresponds to the secret key the user gets (called the “fully black-box model” if yes, and the “weak black-box model” otherwise).

Weak (Black-Box) Dishonest-PKG Game. Consider the following game between a PPT adversary $\mathcal {A}$ and a PPT challenger $\mathcal {C}$:

Setup: The adversary acts as a malicious PKG, generates system public keys and sends $\mathcal {C}$ mpk. Also $\mathcal {A}$ specifies an identity ID.
KeyGen: $\mathcal {C}$ and $\mathcal {A}$ then engage in the KeyGen protocols of A-IBE acting as a user and PKG respectively. In each run, they jointly generate a decryption key and a tracing key $T_{ID}$ and state $st_{ID}$ for the identity ID. If neither party aborts, then $\mathcal {C}$ gets a decryption key $sk_{ID}$ for user ID as output.
Create Decryption Box: The adversary outputs a decryption box B.

The adversary $\mathcal {A}$ wins the game if the following conditions hold true:

$$\begin{aligned} B \text { has } \delta \text {-correctness} \wedge \mathbf{Trace}^{B}(ID,sk_{ID})\ne \text {``PKG''}. \end{aligned}$$

In a full dishonest-PKG game, $\mathcal {A}$ is also allowed to ask decryption queries. In other weaker (non-black-box) models, the tracing algorithm might have non-black-box access to the pirate box B.

Adaptive Dishonest-User Game. In this game, a set of malicious users collude to create a decoder box, trying to frame the PKG.

Setup $\mathcal {C}$ runs the A-IBE Setup algorithm, and sends $\mathcal {A}$ mpk;
Secret Key Queries The adversary runs the KeyGen protocols with $\mathcal {C}$, playing the role of different users and PKG respectively, for adaptively chosen identities $ID_{1},..,ID_{q}$ for different times. $\mathcal {A}$ gets the corresponding secret keys $\{sk_{ID_{1}}\},..,\{sk_{ID_{q}}\}$ and $\mathcal {C}$ outputs the corresponding tracing keys $T_{ID_1},\ldots ,T_{ID_q}$ and the states $st_{ID_1},\ldots ,st_{ID_q}$.
Create Decryption Box The adversary outputs an identity ID together with a decryption box B for ID.

The adversary wins if the followings hold true:

$$\begin{aligned} B \text { has } \delta \text {-correctness} \wedge \mathbf{Trace}^{B}(ID,sk_{ID})= \text {``PKG''}. \end{aligned}$$

Weaker model also exists, i.e., in the selective dishonest-user game, the adversary is required to declare the ID to be attacked at the beginning.

References

1.
Al-Riyami, S.S., Paterson, K.G.: Certificateless public key cryptography. In: Laih, C.-S. (ed.) ASIACRYPT 2003. LNCS, vol. 2894, pp. 452–473. Springer, Heidelberg (2003) CrossRefGoogle Scholar
2.
Au, M.H., Huang, Q., Liu, J.K., Susilo, W., Wong, D.S., Yang, G.: Traceable and retrievable identity-based encryption. In: Bellovin, S.M., Gennaro, R., Keromytis, A.D., Yung, M. (eds.) ACNS 2008. LNCS, vol. 5037, pp. 94–110. Springer, Heidelberg (2008) CrossRefGoogle Scholar
3.
Bellare, M., Micali, S.: Non-interactive oblivious transfer and applications. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 547–557. Springer, Heidelberg (1989) Google Scholar
4.
Bellare, M., Rogaway, P.: Random oracles are practical: Aa paradigm for designing efficient protocols. In: ACM Conference on Computer and Communications Security, pp. 62–73 (1993)Google Scholar
5.
Boneh, D., Boyen, X.: Efficient selective-ID secure identity-based encryption without random oracles-. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 223–238. Springer, Heidelberg (2004) CrossRefGoogle Scholar
6.
Boneh, D., Boyen, X.: Secure identity based encryption without random oracles. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 443–459. Springer, Heidelberg (2004) CrossRefGoogle Scholar
7.
Boneh, D., Boyen, X., Shacham, H.: Short group signatures. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 41–55. Springer, Heidelberg (2004) CrossRefGoogle Scholar
8.
Boneh, D., Franklin, M.: Identity-based encryption from the weil pairing. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, p. 213. Springer, Heidelberg (2001) CrossRefGoogle Scholar
9.
Boneh, D., Halevi, S., Hamburg, M., Ostrovsky, R.: Circular-secure encryption from decision Diffie-Hellman. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 108–125. Springer, Heidelberg (2008) CrossRefGoogle Scholar
10.
Boneh, D., Naor, M.: Traitor tracing with constant size ciphertext. In: ACM Conference on Computer and Communications Security, pp. 501–510 (2008)Google Scholar
11.
Boneh, D., Sahai, A., Waters, B.: Functional encryption: definitions and challenges. In: Ishai, Y. (ed.) TCC 2011. LNCS, vol. 6597, pp. 253–273. Springer, Heidelberg (2011) CrossRefGoogle Scholar
12.
Boyen, X., Martin, L.: Identity-Based Cryptography Standard (IBCS) #1: Supersingular Curve Implementations of the BF and BB1 Cryptosystems. RFC 5091 (Informational), December (2007)Google Scholar
13.
Canetti, R.: Security and composition of multiparty cryptographic protocols. J. Cryptol. 13(1), 143–202 (2000)MathSciNetCrossRefGoogle Scholar
14.
Chow, S.S.M.: Removing escrow from identity-based encryption. In: Jarecki, S., Tsudik, G. (eds.) PKC 2009. LNCS, vol. 5443, pp. 256–276. Springer, Heidelberg (2009) CrossRefGoogle Scholar
15.
Cramer, R., Damgåard, I., Schoenmakers, B.: Proofs of partial knowledge and simplified design of witness hiding protocols. In: Desmedt, Y.G. (ed.) CRYPTO 1994. LNCS, vol. 839, pp. 174–187. Springer, Heidelberg (1994) Google Scholar
16.
Fiat, A., Shamir, A.: How to prove yourself: practical solutions to identification and signature problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1987) Google Scholar
17.
Gamal, T.E.: A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Trans. Inf. Theory 31(4), 469–472 (1985)MathSciNetCrossRefGoogle Scholar
18.
Gentry, C.: Certificate-based encryption and the certificate revocation problem. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 272–293. Springer, Heidelberg (2003) CrossRefGoogle Scholar
19.
Gentry, C.: Practical identity-based encryption without random oracles. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 445–464. Springer, Heidelberg (2006) CrossRefGoogle Scholar
20.
Goyal, V.: Reducing trust in the PKG in identity based cryptosystems. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 430–447. Springer, Heidelberg (2007) CrossRefGoogle Scholar
21.
Goyal, V., Lu, S., Sahai, A., Waters, B.: Black-box accountable authority identity-based encryption. In: ACM Conference on Computer and Communications Security, pp. 427–436 (2008)Google Scholar
22.
Goyal, V., Pandey, O., Sahai, A., Waters, B.: Attribute-based encryption for fine-grained access control of encrypted data. In: ACM Conference on Computer and Communications Security, pp. 89–98 (2006)Google Scholar
23.
Guruswami, V., Indyk, P.: Expander-based constructions of efficiently decodable codes. FOCS 2001, 658–667 (2001)MathSciNetGoogle Scholar
24.
Kiayias, A., Tang, Q.: How to keep a secret: leakage deterring public-key cryptosystems. In: ACM Conference on Computer and Communications Security, pp. 943–954 (2013)Google Scholar
25.
Lai, J., Deng, R.H., Zhao, Y., Weng, J.: Accountable authority identity-based encryption with public traceability. In: Dawson, E. (ed.) CT-RSA 2013. LNCS, vol. 7779, pp. 326–342. Springer, Heidelberg (2013) CrossRefGoogle Scholar
26.
Libert, B., Vergnaud, D.: Towards black-box accountable authority ibe with short ciphertexts and private keys. In: Jarecki, S., Tsudik, G. (eds.) PKC 2009. LNCS, vol. 5443, pp. 235–255. Springer, Springer (2009) CrossRefGoogle Scholar
27.
Naor, M., Pinkas, B.: Efficient oblivious transfer protocols. In: SODA, pp. 448–457 (2001)Google Scholar
28.
Sahai, A., Seyalioglu, H.: Fully secure accountable-authority identity-based encryption. In: Catalano, D., Fazio, N., Gennaro, R., Nicolosi, A. (eds.) PKC 2011. LNCS, vol. 6571, pp. 296–316. Springer, Heidelberg (2011) CrossRefGoogle Scholar
29.
Sahai, A., Waters, B.: Fuzzy Identity-based encryption. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 457–473. Springer, Heidelberg (2005) CrossRefGoogle Scholar
30.
Schnorr, C.-P.: Efficient identification and signatures for smart cards. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 239–252. Springer, Heidelberg (1990) Google Scholar
31.
Shamir, A.: Identity-based cryptosystems and signature schemes. In: Blakely, G.R., Chaum, D. (eds.) CRYPTO 1984. LNCS, vol. 196, pp. 47–53. Springer, Heidelberg (1985) Google Scholar
32.
Waters, B.: Efficient identity-based encryption without random oracles. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 114–127. Springer, Heidelberg (2005) CrossRefGoogle Scholar
33.
Waters, B.: Dual system encryption: realizing fully secure IBE and HIBE under simple assumptions. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 619–636. Springer, Heidelberg (2009) CrossRefGoogle Scholar
34.
Yuen, T.H., Chow, S.S.M., Zhang, C., Yiu, S.-M.: Exponent-inversion signatures and ibe under static assumptions. IACR Cryptol. ePrint Arch. 2014, 311 (2014)Google Scholar

Copyright information

Open Access This chapter is distributed under the terms of the Creative Commons Attribution Noncommercial License, which permits any noncommercial use, distribution, and reproduction in any medium, provided the original author(s) and source are credited.

Authors and Affiliations

Aggelos Kiayias
- 1
Qiang Tang
- 2
Email author

1.National and Kapodistrian University of AthensAthensGreece
2.University of ConnecticutStorrsUSA