Lattice-Based Revocable (Hierarchical) IBE with Decryption Key Exposure Resistance

Conference paper. Public-Key Cryptography – PKC 2019 (PKC 2019).

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 11443)

Abstract

Revocable identity-based encryption (RIBE) is an extension of IBE that supports a key revocation mechanism, which is an indispensable feature for practical cryptographic schemes. Due to this extra feature, RIBE is often required to satisfy a strong security notion unique to the revocation setting called decryption key exposure resistance (DKER). Additionally, hierarchical IBE (HIBE) is another orthogonal extension of IBE that supports key delegation functionalities, allowing for scalable deployments of cryptographic schemes. So far, R(H)IBE constructions with DKER are only known from bilinear maps, where all constructions rely heavily on the so-called key re-randomization property to achieve DKER and/or the hierarchical feature. Since lattice-based schemes seem to be inherently ill-fit with the key re-randomization property, no construction of a lattice-based R(H)IBE scheme with DKER is known.

In this paper, we propose the first lattice-based RHIBE scheme with DKER without relying on the key re-randomization property, departing from all the previously known methods. We start our work by providing a generic construction of RIBE schemes with DKER, which uses as building blocks any two-level standard HIBE scheme and any (weak) RIBE scheme without DKER. Based on previous lattice-based RIBE constructions without DKER, our result implies the first lattice-based RIBE scheme with DKER. Then, building on top of our generic construction, we construct the first lattice-based RHIBE scheme with DKER by further exploiting the algebraic structure of lattices. To this end, we prepare a new tool called level conversion keys, which enables us to achieve the hierarchical feature without relying on the key re-randomization property.


Notes

  1.

    A knowledgeable reader familiar with lattice-based cryptography may wonder why the existing RIBE schemes [10, 36] cannot be easily modified to support the property by using short trapdoor bases. We provide detailed discussions on why this simple modification is insufficient in Sect. 2.

  2.

    As we will show in Sect. 4, the time period space is a set of natural numbers \(\{ 1,2,\ldots \}\). Here, we assume that there is an efficient hash function that maps each natural number to a distinct vector in \(\mathbb {Z}_q^n \setminus \{ \mathbf {0}_n \}\).

  3.

    To be more precise, there are cases where \({\mathsf {k}}{\mathsf {u}}_{\mathsf {t}}\) and \({\mathsf {k}}{\mathsf {u}}_{\mathsf {t}^*}\) might not share a common node; however, \({\mathcal {A}}\) can always adaptively revoke other users so that this holds.

  4.

    If \(|\mathsf {ID}'| = L\), then this step is skipped.

  5.

    Here, \({\mathsf {s}}{\mathsf {k}}_{\mathsf {ID}}\) is the latest secret key, i.e., the result of step (2).

  6.

    We stress that just making this query does not give the secret key \({\mathsf {s}}{\mathsf {k}}_{\mathsf {ID}}\) to \(\mathcal {A}\). It is captured by the “Secret Key Reveal Query” explained next. Furthermore, we provide the key updates to \(\mathcal {A}\) unconditionally, since they are typically broadcast via an insecure channel and are not meant to be secret.

  7.

    In other words, this check ensures that if \(\mathsf {ID}^*\) or any of its ancestors was not revoked before the challenge time period \(\mathsf {t}^*\), then \({\mathsf {s}}{\mathsf {k}}_{\mathsf {ID}}\) will not be revealed for any \(\mathsf {ID}\in \mathsf {prefix}(\mathsf {ID}^*)\). Without this condition, there is a trivial attack on any RHIBE scheme.

  8.

    This check ensures that the identities that have already been revoked will remain revoked in the next time period.

  9.

    In other words, this check ensures that if some \(\mathsf {ID}\) is revoked, then all of its descendants are also revoked.

  10.

    In other words, this check is to ensure that if the secret key \({\mathsf {s}}{\mathsf {k}}_{\mathsf {ID}'}\) of some ancestor \(\mathsf {ID}'\) of \(\mathsf {ID}^*\) (or \(\mathsf {ID}^*\) itself) has been revealed to \(\mathcal {A}\), then \(\mathsf {ID}'\) is revoked in the next time period.

  11.

    In previous works [33, 35], \(\mathcal {A}\) is disallowed from obtaining not only \({\mathsf {d}}{\mathsf {k}}_{\mathsf {ID}^*,\mathsf {t}^*}\) (which is clearly necessary to avoid a trivial attack), but also the decryption keys \({\mathsf {d}}{\mathsf {k}}_{\mathsf {ID}',\mathsf {t}^*}\) for all \(\mathsf {ID}' \in \mathsf {prefix}(\mathsf {ID}^*)\). Our relaxed condition here makes the defined security stronger, since \(\mathcal {A}\) is able to obtain this additional information without any restrictions.

  12.

    Note that \({\mathsf {k}}{\mathsf {u}}_{{\mathsf {p}}{\mathsf {a}}(\mathsf {ID}),\mathsf {t}}\) must have been already generated at this point due to the condition \(\mathsf {t}\le \mathsf {t}_{\mathtt {cu}}\).

  13.

    Recall that a user at level 0 corresponds to the \(\mathsf {kgc}\), i.e., for any level-1 user \(\mathsf {ID}\in {\mathbb {Z}}_q^n \setminus \{ \mathbf {0}_n \}\), \({\mathsf {p}}{\mathsf {a}}(\mathsf {ID}) = \mathsf {kgc}\).

  14.

    There are two exceptions for this algorithm. In the special case \(\mathsf {ID}= \mathsf {kgc}\), recall that we set \(\mathbf {T}_{[\mathbf {A}_{1} | \mathbf {E}(\mathsf {kgc})]}\) as \(\mathbf {T}_{\mathbf {A}_1}\), which is included in the \({\mathsf {s}}{\mathsf {k}}_{\mathsf {kgc}}\). In the other special case when \(\ell = L\), we no longer sample \(\mathbf {f}_{\mathsf {ID}, k}\), since this vector is only required for delegating key updates to its children, which users at level L do not have.

  15.

    The branch in the algorithm is due to the fact that for the special case \(\ell = 0\), i.e., \(\mathsf {ID}= \mathsf {kgc}\), we have \({\mathsf {k}}{\mathsf {u}}_{{\mathsf {p}}{\mathsf {a}}(\mathsf {ID}), \mathsf {t}} = \bot \) for all and there exists no decryption key \({\mathsf {d}}{\mathsf {k}}_{\mathsf {ID}, \mathsf {t}}\).
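Notes 7 to 10 describe the consistency conditions the security game imposes on the revocation lists of a hierarchical scheme: revoked identities stay revoked (note 8), revoking an identity revokes all of its descendants (note 9), a revealed secret key of an identity on the path to the challenge identity forces that identity to be revoked in the next period (note 10), and the challenge itself is only valid when these conditions rule out the trivial attack (note 7). The following is an added example, not the paper's code: a small Python checker that models identities as path tuples (the kgc at level 0 is the empty tuple), revocation lists as a map from time period to a set of identities, and key-reveal queries as (identity, period) pairs, and reports every violated condition. The data layout, the function names and the sample organisation are assumptions made for the example.

```python
# Added example (not from the paper): a consistency checker for the
# revocation-list conditions of notes 7-10 in the RHIBE security game.
# Identities are tuples of path components; the kgc (level 0) is ().
# The data layout and all names below are assumptions of this example.

from typing import Dict, List, Set, Tuple

Identity = Tuple[str, ...]
KGC: Identity = ()  # level-0 user; its children are the level-1 users


def prefix(identity: Identity) -> List[Identity]:
    """prefix(ID): the identity itself and all its ancestors, kgc excluded."""
    return [identity[:i] for i in range(1, len(identity) + 1)]


def is_descendant(candidate: Identity, ancestor: Identity) -> bool:
    """True if `ancestor` is a proper prefix of `candidate`."""
    return len(candidate) > len(ancestor) and candidate[: len(ancestor)] == ancestor


def name(identity: Identity) -> str:
    return "/".join(identity) or "kgc"


def check_monotone(rl: Dict[int, Set[Identity]]) -> List[str]:
    """Note 8: whatever is revoked at t must still be revoked at t+1."""
    periods = sorted(rl)
    return [
        f"note 8: {name(i)} revoked at t={a} but not at t={b}"
        for a, b in zip(periods, periods[1:])
        for i in rl[a] - rl[b]
    ]


def check_descendants(rl: Dict[int, Set[Identity]], users: Set[Identity]) -> List[str]:
    """Note 9: if ID is revoked at t, every registered descendant of ID is too."""
    problems = []
    for t, revoked in sorted(rl.items()):
        for ancestor in revoked:
            for user in users:
                if is_descendant(user, ancestor) and user not in revoked:
                    problems.append(
                        f"note 9: {name(user)} not revoked at t={t} "
                        f"although its ancestor {name(ancestor)} is"
                    )
    return problems


def check_reveals(rl: Dict[int, Set[Identity]], reveals: List[Tuple[Identity, int]],
                  target: Identity) -> List[str]:
    """Note 10: sk_ID' revealed in period t for ID' in prefix(ID*) requires
    ID' to appear in the revocation list of the next period, RL_{t+1}."""
    path = prefix(target)
    return [
        f"note 10: sk of {name(i)} revealed at t={t} but {name(i)} not in RL_{t + 1}"
        for i, t in reveals
        if i in path and i not in rl.get(t + 1, set())
    ]


def check_challenge(rl: Dict[int, Set[Identity]], reveals: List[Tuple[Identity, int]],
                    target: Identity, t_star: int) -> List[str]:
    """Note 7: if neither ID* nor any ancestor is revoked at t*, then no secret
    key on prefix(ID*) may have been revealed, or decryption is trivial."""
    path = prefix(target)
    if any(i in rl.get(t_star, set()) for i in path):
        return []
    return [
        f"note 7: {name(target)} unrevoked at t*={t_star} but sk of {name(i)} was revealed"
        for i, _ in reveals
        if i in path
    ]


def admissible(rl: Dict[int, Set[Identity]], users: Set[Identity],
               reveals: List[Tuple[Identity, int]], target: Identity,
               t_star: int) -> Tuple[bool, List[str]]:
    """Run all four checks; returns (all_ok, list of violated conditions)."""
    problems = (check_monotone(rl) + check_descendants(rl, users)
                + check_reveals(rl, reveals, target)
                + check_challenge(rl, reveals, target, t_star))
    return (not problems, problems)


if __name__ == "__main__":
    # Constructed sample: a two-level hierarchy under the kgc.
    users = {("sales",), ("sales", "alice"), ("sales", "bob"), ("eng",), ("eng", "carol")}
    target, t_star = ("sales", "alice"), 3
    # Admissible: alice's key is revealed in period 2 and she is revoked in period 3.
    ok_rl = {1: set(), 2: {("sales", "bob")}, 3: {("sales", "bob"), ("sales", "alice")}}
    print(admissible(ok_rl, users, [(("sales", "alice"), 2)], target, t_star))
    # Not admissible: "sales" is revoked at t=2 while its children are not (note 9).
    bad_rl = {1: set(), 2: {("sales",)}, 3: {("sales",), ("sales", "alice"), ("sales", "bob")}}
    for line in admissible(bad_rl, users, [(("sales",), 2)], target, t_star)[1]:
        print(line)
```

The checks are deliberately independent so that a key-management service can run them against its own revocation history: `check_monotone` and `check_descendants` need only the lists themselves, while `check_reveals` and `check_challenge` also need the record of which secret keys are known to have been exposed.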

References

  1. Agrawal, S., Boneh, D., Boyen, X.: Efficient lattice (H)IBE in the standard model. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 553–572. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5_28

  2. Ajtai, M.: Generating hard instances of the short basis problem. In: Wiedermann, J., van Emde Boas, P., Nielsen, M. (eds.) ICALP 1999. LNCS, vol. 1644, pp. 1–9. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48523-6_1

  3. Alwen, J., Peikert, C.: Generating shorter bases for hard random lattices. Theory Comput. Syst. 48(3), 535–553 (2011)

  4. Attrapadung, N., Imai, H.: Attribute-based encryption supporting direct/indirect revocation modes. In: Parker, M.G. (ed.) IMACC 2009. LNCS, vol. 5921, pp. 278–300. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-10868-6_17

  5. Attrapadung, N., Imai, H.: Conjunctive broadcast and attribute-based encryption. In: Shacham, H., Waters, B. (eds.) Pairing 2009. LNCS, vol. 5671, pp. 248–265. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-03298-1_16

  6. Boldyreva, A., Goyal, V., Kumar, V.: Identity-based encryption with efficient revocation. In: CCS 2008, pp. 417–426. ACM (2008)

  7. Boneh, D., Franklin, M.K.: Identity-based encryption from the weil pairing. SIAM J. Comput. 32(3), 586–615 (2003)

  8. Cash, D., Hofheinz, D., Kiltz, E., Peikert, C.: Bonsai trees, or how to delegate a lattice basis. J. Cryptol. 25(4), 601–639 (2012)

  9. Chang, D., Chauhan, A.K., Kumar, S., Sanadhya, S.K.: Revocable identity-based encryption from codes with rank metric. In: Smart, N.P. (ed.) CT-RSA 2018. LNCS, vol. 10808, pp. 435–451. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-76953-0_23

  10. Chen, J., Lim, H.W., Ling, S., Wang, H., Nguyen, K.: Revocable identity-based encryption from lattices. In: Susilo, W., Mu, Y., Seberry, J. (eds.) ACISP 2012. LNCS, vol. 7372, pp. 390–403. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-31448-3_29

  11. Cui, H., Deng, R.H., Li, Y., Qin, B.: Server-aided revocable attribute-based encryption. In: Askoxylakis, I., Ioannidis, S., Katsikas, S., Meadows, C. (eds.) ESORICS 2016. LNCS, vol. 9879, pp. 570–587. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-45741-3_29

  12. Döttling, N., Garg, S.: From selective IBE to full IBE and selective HIBE. In: Kalai, Y., Reyzin, L. (eds.) TCC 2017. LNCS, vol. 10677, pp. 372–408. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70500-2_13

  13. Emura, K., Seo, J.H., Youn, T.: Semi-generic transformation of revocable hierarchical identity-based encryption and its DBDH instantiation. IEICE Trans. 99–A(1), 83–91 (2016)

  14. Gentry, C., Peikert, C., Vaikuntanathan, V.: Trapdoors for hard lattices and new cryptographic constructions. In: STOC 2008, pp. 197–206. ACM (2008)

  15. Ishida, Y., Shikata, J., Watanabe, Y.: CCA-secure revocable identity-based encryption schemes with decryption key exposure resistance. IJACT 3(3), 288–311 (2017)

  16. Katsumata, S., Yamada, S.: Partitioning via non-linear polynomial functions: more compact IBEs from ideal lattices and bilinear maps. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10032, pp. 682–712. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53890-6_23

  17. Lee, K.: Revocable hierarchical identity-based encryption with adaptive security. IACR Cryptology ePrint Archive 2016, 749 (2016)

  18. Lee, K., Lee, D.H., Park, J.H.: Efficient revocable identity-based encryption via subset difference methods. Des. Codes Cryptogr. 85(1), 39–76 (2017)

  19. Lee, K., Park, S.: Revocable hierarchical identity-based encryption with shorter private keys and update keys. IACR Cryptology ePrint Archive 2016, 460 (2016)

  20. Libert, B., Vergnaud, D.: Adaptive-ID secure revocable identity-based encryption. In: Fischlin, M. (ed.) CT-RSA 2009. LNCS, vol. 5473, pp. 1–15. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-00862-7_1

  21. Ling, S., Nguyen, K., Wang, H., Zhang, J.: Revocable predicate encryption from lattices. In: Okamoto, T., Yu, Y., Au, M.H., Li, Y. (eds.) ProvSec 2017. LNCS, vol. 10592, pp. 305–326. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-68637-0_19

  22. Ling, S., Nguyen, K., Wang, H., Zhang, J.: Server-aided revocable predicate encryption: formalization and lattice-based instantiation. CoRR abs/1801.07844 (2018)

  23. Mao, X., Lai, J., Chen, K., Weng, J., Mei, Q.: Efficient revocable identity-based encryption from multilinear maps. Secur. Commun. Netw. 8(18), 3511–3522 (2015)

  24. Micciancio, D., Peikert, C.: Trapdoors for lattices: simpler, tighter, faster, smaller. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 700–718. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_41

  25. Naor, D., Naor, M., Lotspiech, J.: Revocation and tracing schemes for stateless receivers. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 41–62. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44647-8_3

  26. Nguyen, K., Wang, H., Zhang, J.: Server-aided revocable identity-based encryption from lattices. In: Foresti, S., Persiano, G. (eds.) CANS 2016. LNCS, vol. 10052, pp. 107–123. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-48965-0_7

  27. González-Nieto, J.M., Manulis, M., Sun, D.: Fully private revocable predicate encryption. In: Susilo, W., Mu, Y., Seberry, J. (eds.) ACISP 2012. LNCS, vol. 7372, pp. 350–363. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-31448-3_26

  28. Park, S., Lee, D.H., Lee, K.: Revocable hierarchical identity-based encryption from multilinear maps. CoRR abs/1610.07948 (2016)

  29. Park, S., Lee, K., Lee, D.H.: New constructions of revocable identity-based encryption from multilinear maps. IEEE Trans. Inf. Forensics Secur. 10(8), 1564–1577 (2015)

  30. Qin, B., Deng, R.H., Li, Y., Liu, S.: Server-aided revocable identity-based encryption. In: Pernul, G., Ryan, P.Y.A., Weippl, E. (eds.) ESORICS 2015. LNCS, vol. 9326, pp. 286–304. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-24174-6_15

  31. Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. In: STOC 2005, pp. 84–93. ACM (2005)

  32. Ryu, G., Lee, K., Park, S., Lee, D.H.: Unbounded hierarchical identity-based encryption with efficient revocation. In: Kim, H., Choi, D. (eds.) WISA 2015. LNCS, vol. 9503, pp. 122–133. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-31875-2_11

  33. Seo, J.H., Emura, K.: Revocable identity-based encryption revisited: security model and construction. In: Kurosawa, K., Hanaoka, G. (eds.) PKC 2013. LNCS, vol. 7778, pp. 216–234. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-36362-7_14

  34. Seo, J.H., Emura, K.: Revocable hierarchical identity-based encryption. Theor. Comput. Sci. 542, 44–62 (2014)

  35. Seo, J.H., Emura, K.: Revocable hierarchical identity-based encryption via history-free approach. Theor. Comput. Sci. 615, 45–60 (2016)

  36. Takayasu, A., Watanabe, Y.: Lattice-based revocable identity-based encryption with bounded decryption key exposure resistance. In: Pieprzyk, J., Suriadi, S. (eds.) ACISP 2017. LNCS, vol. 10342, pp. 184–204. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-60055-0_10

  37. Watanabe, Y., Emura, K., Seo, J.H.: New revocable IBE in prime-order groups: adaptively secure, decryption key exposure resistant, and with short public parameters. In: Handschuh, H. (ed.) CT-RSA 2017. LNCS, vol. 10159, pp. 432–449. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-52153-4_25

Acknowledgement

The first author was partially supported by JST CREST Grant Number JPMJCR1302 and JSPS KAKENHI Grant Number 17J05603. The second author was partially supported by JST CREST Grant Number JPMJCR1688. The third author was partially supported by JST CREST Grant Number JPMJCR14D6.

Author information

Correspondence to Atsushi Takayasu.

Copyright information

© 2019 International Association for Cryptologic Research

Cite this paper

Katsumata, S., Matsuda, T., Takayasu, A. (2019). Lattice-Based Revocable (Hierarchical) IBE with Decryption Key Exposure Resistance. In: Lin, D., Sako, K. (eds) Public-Key Cryptography – PKC 2019. PKC 2019. Lecture Notes in Computer Science(), vol 11443. Springer, Cham. https://doi.org/10.1007/978-3-030-17259-6_15

  • DOI: https://doi.org/10.1007/978-3-030-17259-6_15

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-17258-9

  • Online ISBN: 978-3-030-17259-6
