Abstract
Revocable identity-based encryption (RIBE) is an extension of IBE that supports a key revocation mechanism, which is an indispensable feature for practical cryptographic schemes. Due to this extra feature, RIBE is often required to satisfy a strong security notion unique to the revocation setting called decryption key exposure resistance (DKER). Additionally, hierarchical IBE (HIBE) is another orthogonal extension of IBE that supports key delegation functionalities allowing for scalable deployments of cryptographic schemes. So far, R(H)IBE constructions with DKER are only known from bilinear maps, where all constructions rely heavily on the so-called key re-randomization property to achieve the DKER and/or hierarchical feature. Since lattice-based schemes seem to be inherently ill-suited to the key re-randomization property, no construction of a lattice-based R(H)IBE scheme with DKER is known.
In this paper, we propose the first lattice-based RHIBE scheme with DKER without relying on the key re-randomization property, departing from all the previously known methods. We start our work by providing a generic construction of RIBE schemes with DKER, which uses as building blocks any two-level standard HIBE scheme and any (weak) RIBE scheme without DKER. Based on previous lattice-based RIBE constructions without DKER, our result implies the first lattice-based RIBE scheme with DKER. Then, building on top of our generic construction, we construct the first lattice-based RHIBE scheme with DKER by further exploiting the algebraic structure of lattices. To this end, we prepare a new tool called level conversion keys, which enables us to achieve the hierarchical feature without relying on the key re-randomization property.
Notes
1.
2. As we will show in Sect. 4, the time period space is a set of natural numbers \(\{ 1,2,\ldots \}\). Here, we assume that there is an efficient hash function that maps each natural number to a distinct vector in \(\mathbb {Z}_q^n \setminus \{ \mathbf {0}_n \}\).
3. To be more precise, there are cases where \({\mathsf {k}}{\mathsf {u}}_{\mathsf {t}}\) and \({\mathsf {k}}{\mathsf {u}}_{\mathsf {t}^*}\) might not share a common node; however, \({\mathcal {A}}\) can always adaptively revoke other users so that this holds.
4. If \(|\mathsf {ID}'| = L\), then this step is skipped.
5. Here, \({\mathsf {s}}{\mathsf {k}}_{\mathsf {ID}}\) is the latest secret key, i.e., the result of step (2).
6. We stress that just making this query does not give the secret key \({\mathsf {s}}{\mathsf {k}}_{\mathsf {ID}}\) to \(\mathcal {A}\). That is captured by the "Secret Key Reveal Query" explained next. Furthermore, we provide the key updates to \(\mathcal {A}\) unconditionally, since they are typically broadcast via an insecure channel and are not meant to be secret.
7. In other words, this check ensures that if \(\mathsf {ID}^*\) or any of its ancestors was not revoked before the challenge time period \(\mathsf {t}^*\), then \({\mathsf {s}}{\mathsf {k}}_{\mathsf {ID}}\) will not be revealed for any \(\mathsf {ID}\in \mathsf {prefix}(\mathsf {ID}^*)\). Without this condition, there is a trivial attack on any RHIBE scheme.
8. This check ensures that the identities that have already been revoked remain revoked in the next time period.
9. In other words, this check ensures that if some \(\mathsf {ID}\) is revoked, then all of its descendants are also revoked.
10. In other words, this check ensures that if the secret key \({\mathsf {s}}{\mathsf {k}}_{\mathsf {ID}'}\) of some ancestor \(\mathsf {ID}'\) of \(\mathsf {ID}^*\) (or \(\mathsf {ID}^*\) itself) has been revealed to \(\mathcal {A}\), then \(\mathsf {ID}'\) is revoked in the next time period.
11. In previous works [33, 35], \(\mathcal {A}\) is not allowed to obtain not only \({\mathsf {d}}{\mathsf {k}}_{\mathsf {ID}^*,\mathsf {t}^*}\) (which is clearly necessary to avoid a trivial attack), but also the decryption keys \({\mathsf {d}}{\mathsf {k}}_{\mathsf {ID}',\mathsf {t}^*}\) for all \(\mathsf {ID}' \in \mathsf {prefix}(\mathsf {ID}^*)\). Our relaxed condition here makes the defined security stronger, since \(\mathcal {A}\) is able to obtain this additional information without any restrictions.
12. Note that \({\mathsf {k}}{\mathsf {u}}_{{\mathsf {p}}{\mathsf {a}}(\mathsf {ID}),\mathsf {t}}\) must already have been generated at this point due to the condition \(\mathsf {t}\le \mathsf {t}_{\mathtt {cu}}\).
13. Recall that a user at level 0 corresponds to the \(\mathsf {kgc}\), i.e., for any level-1 user \(\mathsf {ID}\in {\mathbb {Z}}_q^n \setminus \{ \mathbf {0}_n \}\), \({\mathsf {p}}{\mathsf {a}}(\mathsf {ID}) = \mathsf {kgc}\).
14. There are two exceptions for this algorithm. In the special case \(\mathsf {ID}= \mathsf {kgc}\), recall that we set \(\mathbf {T}_{[\mathbf {A}_{1} | \mathbf {E}(\mathsf {kgc})]}\) to \(\mathbf {T}_{\mathbf {A}_1}\), which is included in \({\mathsf {s}}{\mathsf {k}}_{\mathsf {kgc}}\). In the other special case, when \(\ell = L\), we no longer sample \(\mathbf {f}_{\mathsf {ID}, k}\), since this vector is only required for delegating key updates to its children, which users at level L do not have.
15. The branch in the algorithm is due to the fact that for the special case \(\ell = 0\), i.e., \(\mathsf {ID}= \mathsf {kgc}\), we have \({\mathsf {k}}{\mathsf {u}}_{{\mathsf {p}}{\mathsf {a}}(\mathsf {ID}), \mathsf {t}} = \bot \) for all \(\mathsf {t}\), and there exists no decryption key \({\mathsf {d}}{\mathsf {k}}_{\mathsf {ID}, \mathsf {t}}\).
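As an added illustration that is not part of the paper, the following Python models the admissibility checks that footnotes 7 to 10 place on the adversary's queries in the RHIBE security game. It assumes identities are tuples of per-level identities (the kgc is the empty tuple, so prefix(ID*) is the set of non-empty tuple prefixes), reads "revoked before t*" as membership in the revocation list of some period up to t*, and applies check (10) on every time-period advance up to t*; all three are modelling choices, not statements from the paper.

```python
def prefix(idt):
    """ID and all of its ancestors as tuple prefixes; the kgc () is excluded."""
    return [idt[:k] for k in range(1, len(idt) + 1)]

class RHIBEGame:
    """Admissibility checks of footnotes 7-10 (assumed model, not the paper's code)."""
    def __init__(self):
        self.t_cu = 1                 # current time period
        self.rl = {1: set()}          # time period -> revocation list
        self.generated = set()        # IDs whose secret key has been generated
        self.revealed = set()         # IDs whose secret key A has obtained
        self.challenge = None         # (ID*, t*) once the challenge is fixed

    def ancestor_revoked(self, idt, t):
        """Footnote 7: idt or an ancestor appears in some revocation list up to t."""
        return any(a in rl for s, rl in self.rl.items() if s <= t for a in prefix(idt))

    def reveal(self, idt):
        """Secret Key Reveal Query: refuse keys on the path to an unrevoked ID*."""
        if idt not in self.generated:
            return False
        if self.challenge is not None:
            id_star, t_star = self.challenge
            if idt in prefix(id_star) and not self.ancestor_revoked(id_star, t_star):
                return False
        self.revealed.add(idt)
        return True

    def challenge_query(self, id_star, t_star):
        """The same footnote-7 condition, applied when (ID*, t*) is fixed."""
        leaked = any(a in self.revealed for a in prefix(id_star))
        if leaked and not self.ancestor_revoked(id_star, t_star):
            return False
        self.challenge = (id_star, t_star)
        return True

    def revoke_and_advance(self, rl_next):
        """Revoke & Next Time Period Query: checks (8), (9) and (10) on rl_next."""
        rl_next = set(rl_next)
        if not self.rl[self.t_cu] <= rl_next:       # (8) revoked IDs stay revoked
            return False
        for r in rl_next:                           # (9) descendants are revoked too
            if any(len(g) > len(r) and g[:len(r)] == r and g not in rl_next for g in self.generated):
                return False
        if self.challenge and self.t_cu + 1 <= self.challenge[1]:   # assumed: only up to t*
            for a in prefix(self.challenge[0]):     # (10) revealed key => revoked
                if a in self.revealed and a not in rl_next:
                    return False
        self.t_cu += 1
        self.rl[self.t_cu] = rl_next
        return True
```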
References
Agrawal, S., Boneh, D., Boyen, X.: Efficient lattice (H)IBE in the standard model. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 553–572. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5_28
Ajtai, M.: Generating hard instances of the short basis problem. In: Wiedermann, J., van Emde Boas, P., Nielsen, M. (eds.) ICALP 1999. LNCS, vol. 1644, pp. 1–9. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48523-6_1
Alwen, J., Peikert, C.: Generating shorter bases for hard random lattices. Theory Comput. Syst. 48(3), 535–553 (2011)
Attrapadung, N., Imai, H.: Attribute-based encryption supporting direct/indirect revocation modes. In: Parker, M.G. (ed.) IMACC 2009. LNCS, vol. 5921, pp. 278–300. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-10868-6_17
Attrapadung, N., Imai, H.: Conjunctive broadcast and attribute-based encryption. In: Shacham, H., Waters, B. (eds.) Pairing 2009. LNCS, vol. 5671, pp. 248–265. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-03298-1_16
Boldyreva, A., Goyal, V., Kumar, V.: Identity-based encryption with efficient revocation. In: CCS 2008, pp. 417–426. ACM (2008)
Boneh, D., Franklin, M.K.: Identity-based encryption from the Weil pairing. SIAM J. Comput. 32(3), 586–615 (2003)
Cash, D., Hofheinz, D., Kiltz, E., Peikert, C.: Bonsai trees, or how to delegate a lattice basis. J. Cryptol. 25(4), 601–639 (2012)
Chang, D., Chauhan, A.K., Kumar, S., Sanadhya, S.K.: Revocable identity-based encryption from codes with rank metric. In: Smart, N.P. (ed.) CT-RSA 2018. LNCS, vol. 10808, pp. 435–451. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-76953-0_23
Chen, J., Lim, H.W., Ling, S., Wang, H., Nguyen, K.: Revocable identity-based encryption from lattices. In: Susilo, W., Mu, Y., Seberry, J. (eds.) ACISP 2012. LNCS, vol. 7372, pp. 390–403. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-31448-3_29
Cui, H., Deng, R.H., Li, Y., Qin, B.: Server-aided revocable attribute-based encryption. In: Askoxylakis, I., Ioannidis, S., Katsikas, S., Meadows, C. (eds.) ESORICS 2016. LNCS, vol. 9879, pp. 570–587. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-45741-3_29
Döttling, N., Garg, S.: From selective IBE to full IBE and selective HIBE. In: Kalai, Y., Reyzin, L. (eds.) TCC 2017. LNCS, vol. 10677, pp. 372–408. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70500-2_13
Emura, K., Seo, J.H., Youn, T.: Semi-generic transformation of revocable hierarchical identity-based encryption and its DBDH instantiation. IEICE Trans. 99–A(1), 83–91 (2016)
Gentry, C., Peikert, C., Vaikuntanathan, V.: Trapdoors for hard lattices and new cryptographic constructions. In: STOC 2008, pp. 197–206. ACM (2008)
Ishida, Y., Shikata, J., Watanabe, Y.: CCA-secure revocable identity-based encryption schemes with decryption key exposure resistance. IJACT 3(3), 288–311 (2017)
Katsumata, S., Yamada, S.: Partitioning via non-linear polynomial functions: more compact IBEs from ideal lattices and bilinear maps. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10032, pp. 682–712. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53890-6_23
Lee, K.: Revocable hierarchical identity-based encryption with adaptive security. IACR Cryptology ePrint Archive 2016, 749 (2016)
Lee, K., Lee, D.H., Park, J.H.: Efficient revocable identity-based encryption via subset difference methods. Des. Codes Cryptogr. 85(1), 39–76 (2017)
Lee, K., Park, S.: Revocable hierarchical identity-based encryption with shorter private keys and update keys. IACR Cryptology ePrint Archive 2016, 460 (2016)
Libert, B., Vergnaud, D.: Adaptive-ID secure revocable identity-based encryption. In: Fischlin, M. (ed.) CT-RSA 2009. LNCS, vol. 5473, pp. 1–15. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-00862-7_1
Ling, S., Nguyen, K., Wang, H., Zhang, J.: Revocable predicate encryption from lattices. In: Okamoto, T., Yu, Y., Au, M.H., Li, Y. (eds.) ProvSec 2017. LNCS, vol. 10592, pp. 305–326. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-68637-0_19
Ling, S., Nguyen, K., Wang, H., Zhang, J.: Server-aided revocable predicate encryption: formalization and lattice-based instantiation. CoRR abs/1801.07844 (2018)
Mao, X., Lai, J., Chen, K., Weng, J., Mei, Q.: Efficient revocable identity-based encryption from multilinear maps. Secur. Commun. Netw. 8(18), 3511–3522 (2015)
Micciancio, D., Peikert, C.: Trapdoors for lattices: simpler, tighter, faster, smaller. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 700–718. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_41
Naor, D., Naor, M., Lotspiech, J.: Revocation and tracing schemes for stateless receivers. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 41–62. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44647-8_3
Nguyen, K., Wang, H., Zhang, J.: Server-aided revocable identity-based encryption from lattices. In: Foresti, S., Persiano, G. (eds.) CANS 2016. LNCS, vol. 10052, pp. 107–123. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-48965-0_7
González-Nieto, J.M., Manulis, M., Sun, D.: Fully private revocable predicate encryption. In: Susilo, W., Mu, Y., Seberry, J. (eds.) ACISP 2012. LNCS, vol. 7372, pp. 350–363. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-31448-3_26
Park, S., Lee, D.H., Lee, K.: Revocable hierarchical identity-based encryption from multilinear maps. CoRR abs/1610.07948 (2016)
Park, S., Lee, K., Lee, D.H.: New constructions of revocable identity-based encryption from multilinear maps. IEEE Trans. Inf. Forensics Secur. 10(8), 1564–1577 (2015)
Qin, B., Deng, R.H., Li, Y., Liu, S.: Server-aided revocable identity-based encryption. In: Pernul, G., Ryan, P.Y.A., Weippl, E. (eds.) ESORICS 2015. LNCS, vol. 9326, pp. 286–304. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-24174-6_15
Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. In: STOC 2005, pp. 84–93. ACM (2005)
Ryu, G., Lee, K., Park, S., Lee, D.H.: Unbounded hierarchical identity-based encryption with efficient revocation. In: Kim, H., Choi, D. (eds.) WISA 2015. LNCS, vol. 9503, pp. 122–133. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-31875-2_11
Seo, J.H., Emura, K.: Revocable identity-based encryption revisited: security model and construction. In: Kurosawa, K., Hanaoka, G. (eds.) PKC 2013. LNCS, vol. 7778, pp. 216–234. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-36362-7_14
Seo, J.H., Emura, K.: Revocable hierarchical identity-based encryption. Theor. Comput. Sci. 542, 44–62 (2014)
Seo, J.H., Emura, K.: Revocable hierarchical identity-based encryption via history-free approach. Theor. Comput. Sci. 615, 45–60 (2016)
Takayasu, A., Watanabe, Y.: Lattice-based revocable identity-based encryption with bounded decryption key exposure resistance. In: Pieprzyk, J., Suriadi, S. (eds.) ACISP 2017. LNCS, vol. 10342, pp. 184–204. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-60055-0_10
Watanabe, Y., Emura, K., Seo, J.H.: New revocable IBE in prime-order groups: adaptively secure, decryption key exposure resistant, and with short public parameters. In: Handschuh, H. (ed.) CT-RSA 2017. LNCS, vol. 10159, pp. 432–449. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-52153-4_25
Acknowledgement
The first author was partially supported by JST CREST Grant Number JPMJCR1302 and JSPS KAKENHI Grant Number 17J05603. The second author was partially supported by JST CREST Grant Number JPMJCR1688. The third author was partially supported by JST CREST Grant Number JPMJCR14D6.
© 2019 International Association for Cryptologic Research
Cite this paper
Katsumata, S., Matsuda, T., Takayasu, A. (2019). Lattice-Based Revocable (Hierarchical) IBE with Decryption Key Exposure Resistance. In: Lin, D., Sako, K. (eds.) Public-Key Cryptography – PKC 2019. Lecture Notes in Computer Science, vol. 11443. Springer, Cham. https://doi.org/10.1007/978-3-030-17259-6_15
DOI: https://doi.org/10.1007/978-3-030-17259-6_15
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-17258-9
Online ISBN: 978-3-030-17259-6