Advertisement
Browse Subject Areas
?

Click through the PLOS taxonomy to find articles in your field.

For more information about PLOS Subject Areas, click here.

  • Loading metrics

Open Access

Peer-reviewed

Research Article

A generic construction for revocable identity-based encryption with subset difference methods

Abstract

To deal with dynamically changing user’s credentials in identity-based encryption (IBE), providing an efficient key revocation method is a very important issue. Recently, Ma and Lin proposed a generic method of designing a revocable IBE (RIBE) scheme that uses the complete subtree (CS) method by combining IBE and hierarchical IBE (HIBE) schemes. In this paper, we propose a new generic method for designing an RIBE scheme that uses the subset difference (SD) method instead of using the CS method. In order to use the SD method, we generically design an RIBE scheme by combining IBE, identity-based revocation (IBR), and two-level HIBE schemes. If the underlying IBE, IBR, and HIBE schemes are adaptively (or selectively) secure, then our RIBE scheme is also adaptively (or selectively) secure. In addition, we show that the layered SD (LSD) method can be applied to our RIBE scheme and a chosen-ciphertext secure RIBE scheme also can be designed generically.

Citation: Lee K (2020) A generic construction for revocable identity-based encryption with subset difference methods. PLoS ONE 15(9): e0239053. https://doi.org/10.1371/journal.pone.0239053

Editor: Qi Jiang, Xidian University, CHINA

Received: May 1, 2020; Accepted: August 30, 2020; Published: September 18, 2020

Copyright: © 2020 Kwangsu Lee. This is an open access article distributed under the terms of the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original author and source are credited.

Data Availability: All relevant data are within the manuscript.

Funding: Kwangsu Lee was supported as part of Military Crypto Research Center (UD170109ED) funded by Defense Acquisition Program Administration (DAPA) and Agency for Defense Development (ADD). There was no additional external funding received for this study.

Competing interests: We have no conflicts of interest to disclose.

1 Introduction

Identity-based encryption (IBE) is a new type of public-key encryption (PKE) that solve the public-key management problem in PKE by using a user’s identity as a public key [1]. Since the first IBE scheme in bilinear maps was proposed by Boneh and Franklin [2], research on new types of cryptographic encryption such as IBE, hierarchical IBE (HIBE), attribute-based encryption (ABE), and predicate encryption (PE) has been actively studied as an important research topic [25]. Despite the long history of research on IBE, the IBE schemes have not been widely deployed in real environments. One reason of this problem is that unlike PKE schemes, which uses a public-key infrastructure to handle certificate issuance and revocation, it is not simple to revoke the private key of a user in IBE. Therefore, an important additional feature of IBE schemes is to support the private key revocation flexibly and efficiently.

The method of revoking the private key of a user in IBE has been studied since the initial IBE scheme was designed, but this method is not suitable for handling a large number of users [2]. The first revocable IBE (RIBE) scheme to efficiently handle large numbers of users was proposed by Boldyreva et al. [6]. The key design principle of their RIBE scheme is that a trusted center periodically creates and broadcasts an update key on time T for non-revoked users, along with the generation of a user’s private key. In this case, if the private key of a user ID is not revoked in the update key on time T, the user can decrypt a ciphertext for his identity ID and the corresponding time T. In other words, the RIBE scheme proposed by Boldyreva et al. can be seen as a method to support the indirect private key revocation, in which the center decides the revocation of private keys instead of the sender. Specifically, Boldyreva et al. designed their RIBE scheme by combining a tree-based broadcast method with a fuzzy identity-based encryption scheme. After the work of Boldyreva et al., various RIBE schemes and extension schemes have been proposed to enhance the efficiency, security, and functionality of RIBE [717].

Currently, to design an RIBE scheme, we redesign an RIBE scheme from the beginning by directly modifying an efficient IBE scheme proposed before. This is problematic in that a new RIBE scheme must be designed again whenever a new IBE scheme having a different mathematical structure is proposed. Ma and Lin recently overcome this problem by suggesting a generic method of designing an RIBE scheme by using an IBE scheme as a black-box [18]. In their generic RIBE scheme with the complete subtree (CS) method, an update key consists of IBE private keys and a ciphertext consists of O(logN) IBE ciphertexts where r is the number of revoked users and N is the number of users. In the RIBE scheme, reducing the size of update keys is an important issues since an update key should be broadcasted to all users for each time period. The motivation of this work is to reduce the update key size of the generic RIBE scheme. In tree-based broadcast encryption, there exists the subset difference (SD) method proposed by Naor et al. [19] which is more efficient than the CS method. Additionally, the layered SD (LSD) method which improved the SD method has also been proposed [20]. Therefore, we ask whether it is possible to design an RIBE scheme from an IBE scheme in a generic way using the SD/LSD method to reduce the size of update keys. If the SD/LSD method can be applied to a generic RIBE scheme, the size of an update key can be reduced from key elements to O(r) key elements.

1.1 Our contributions

In this paper, we show that it is possible to design an RIBE scheme with the SD method in a generic way. As described above, the generic RIBE scheme with the CS method uses IBE and two-level HIBE schemes as basic building blocks [18]. On the contrary, our generic RIBE scheme with the SD method uses IBE, identity-based revocation (IBR), and two-level HIBE schemes as basic building blocks. The IBR scheme is a special type of identity-based broadcast encryption (IBBE) scheme in which a set R of revoked users is specified in an IBR ciphertext whereas a set S of receivers is specified in an IBBE ciphertext. The newly derived RIBE scheme with the SD method consists of O(r) number of IBE and IBR private keys in an update key and O(log2 N) number of IBE and IBR ciphertexts in a ciphertext. Compared with the previous generic RIBE scheme with the CS method, the size of an update key is reduced but the size of a ciphertext is increased. The detailed comparison of RIBE schemes is given in Table 1.

thumbnail
Download:
Table 1. Comparison of revocable identity-based encryption schemes.

https://doi.org/10.1371/journal.pone.0239053.t001

To analyze the security of our generic RIBE scheme with the SD method, we show that if the underlying IBE, IBR, and HIBE schemes are adaptively (or selectively) secure under chosen plaintext attacks, then the proposed generic RIBE scheme is also adaptively (or selectively) secure under chosen plaintext attacks. The key idea of our proof is to first divide the types of an attacker according to the queries of the attacker, and to isolate the attacker of a specific type to break the security of the underlying IBE, IBR, or HIBE scheme. However, this idea is not simple to apply since the SD method has a complicated subset cover structure unlike the CS method. To handle this complicated structure in a ciphertext, we introduce additional hybrid games in the security proof and handle each ciphertext element of the challenge ciphertext one by one.

In addition, we show that it is possible to reduce the size of a ciphertext by extending our generic RIBE scheme to use the more efficient LSD method instead of using the SD method, but this modified scheme increases the size of an update key slightly. We also show that our generic RIBE scheme which provides only chosen-plaintext attack (CPA) security can be extended to provide the security against the more powerful chosen-ciphertext attacker (CCA). To provide the CCA security of RIBE, the underlying IBE, IBR, and HIBE schemes should provide the CCA security and a one-time signature scheme with strong unforgeability should be used.

1.2 Related work

Certificate revocation.

The study of certificate revocation in public-key encryption has been the subject of much research. In reality, the most widely used certificate revocation method is to periodically issue a certificate revocation list (CRL) containing serial numbers of revoked user’s certificates. In addition, a delta-CRL can be used to more efficiently issue the revocation information, and it is also possible to immediately check the state of a certificate by using the online certificate status protocol (OCSP) service. In the theoretical aspect, various certificate revocation methods which are more efficient than the traditional methods also have been proposed [2123].

Broadcast encryption.

Public-key broadcast encryption (PKBE) provides the revocation of receivers because a sender can specify a receiver set S in a ciphertext directly [24]. Identity-based broadcast encryption (IBBE) can provide more powerful revocation than existing PKBE because the maximum number of users in the system can be exponential [25]. Identity-based revocation (IBR) can be viewed as a cryptographic scheme that implements direct user revocation because all system users except the revoked users can decrypt a ciphertext where a revoked set R is specified in the ciphertext [26, 27]. However, PKBE, IBBE, and IBR have the disadvantage that a user cannot be revoked after the creation of a ciphertext. Particularly, it is a critical problem in a cryptographic system in which ciphertexts are stored in cloud storage and a user accesses these ciphertexts later since the user cannot be revoked when his or her credential is expired.

Revocable IBE.

Boneh and Franklin [2] proposed a revocation method for IBE such that a trusted center periodically issues a private key for a user by combining an identity and time as IDT, but this method is not scalable since a secure channel should be established for every time. The efficient and scalable RIBE scheme was proposed by Boldyreva et al. [6] by combining the complete subtree (CS) method and a fuzzy identity-based encryption scheme. In their RIBE scheme, a ciphertext is associated with a receiver’s identity D and time T, and a trusted center periodically issues an update key one time T for non-revoked users to implement the indirect key revocation. A number of secure and efficient RIBE schemes using a broadcast method for key updates have been proposed [79, 13, 14, 17, 28]. Most of the RIBE schemes follow the CS method for update keys, but Lee et al. [15] showed that an RIBE scheme with the SD method can be designed to reduces the size of update keys. Recently, Ma and Lin [18] proposed a generic RIBE construction with the CS method by combining IBE and HIBE schemes.

Revocable HIBE.

The first revocable HIBE (RHIBE) scheme, which provides the private key revocation in HIBE, was proposed by Seo and Emura [10]. They proposed an RHIBE scheme by applying the design principle of previous RIBE schemes to an HIBE scheme. To improve the initially proposed RHIBE scheme, Seo and Emura later introduced a history-free update method to reduce the size of private keys and update keys [12]. After that, Lee and Park have introduced a new RHIBE scheme with short private keys and short updated keys by introducing an intermediate private key in HIBE and using a modular design method [16]. In order to enhance the selective security of previous RHIBE schemes, Lee [29] proposed an adaptively secure RHIBE scheme by applying the dual system encryption method of Waters [30], which was successfully used in adaptively secure IBE and HIBE schemes.

Revocable ABE.

ABE is an extension of IBE in which a ciphertext is associated with attributes and a private key is associated with an access structure, and the ciphertext of ABE can be decrypted by the private key of ABE if the attributes satisfies the access structure [4]. An revocable ABE (RABE) scheme was proposed by Boldyreva et al. [6] by following the design principle of their RIBE scheme. ABE is well-suited for environments such as cloud storage where multiple users access different ciphertexts since it can provide flexible access control. For such an environment, Sahai et al. [31] proposed a revocable-storage ABE (RS-ABE) scheme that supports ciphertext updates as well as user key revocation. Lee et al. [29, 32] proposed an improved RS-ABE scheme by using a self-updatable encryption scheme, and they also proposed an RS-ABE scheme that provides the CCA security [33]. A generic construction of ABE with direct revocation in which a revoked set is attached in a ciphertext was proposed by Yamada et al. [34].

2 Preliminaries

In this section, we first review the definition and security model of IBE, IBR, and HIBE. Next, we review the definition and security model of RIBE.

2.1 Identity-based encryption

Identity-based encryption (IBE) is a kind of public key encryption (PKE) that can use a receiver’s identity as a public key [2]. In IBE, a sender generates a ciphertext by encryption a message for the receiver’s identity ID. A receiver retrieves a private key corresponding to his identity ID from a trusted center and then decrypts the ciphertext if the identity of the ciphertext is equal to the identity of the private key. The detailed syntax of IBE is given as follows.

Definition 2.1 (Identity-Based Encryption, IBE). Let be an identity space and be a message space. An IBE scheme consists of four algorithms Setup, GenKey, Encrypt, and Decrypt, which are defined as follows:

  1. Setup(1λ): The setup algorithm takes as input a security parameter 1λ. It outputs a master key MK and public parameters PP.
  2. GenKey(ID, MK, PP): The private key generation algorithm takes as input an identity , the master key MK, and public parameters PP. It outputs a private key SKID.
  3. Encrypt(ID, M, PP): The encryption algorithm takes as input an identity , a message , and public parameters PP. It outputs a ciphertext CTID.
  4. Decrypt(CTID, SKID, PP): The decryption algorithm takes as input a ciphertext CTID, a private key SKID, and public parameters PP. It outputs a message M.

The correctness of IBE is defined as follows: For all MK and PP generated by Setup(1λ), SKID generated by GenKey(ID, MK, PP) for any ID, and any ID and M, it is required that

  • Decrypt(Encrypt(ID, M, PP), SKID, PP) = M.

The security model of IBE is defined by extending the IND-CPA security model of PKE to allow additional private key queries [2]. In this model, an attacker can request a private key of an identity ID. In the challenge stage, the attacker submits a challenge identity ID* and challenge messages , , and then receives a challenge ciphertext CT*. The attacker further queries private keys and finally guesses the message hidden in CT*. The detailed description of the security model of IBE is given as follows.

Definition 2.2 (IND-CPA Security). The IND-CPA security of IBE is defined in terms of the following game between a challenger and a PPT adversary :

  1. Setup: generates a master key MK and public parameters PP by running Setup(1λ). It keeps MK to itself and gives PP to .
  2. Phase 1: may adaptively request private keys for identities . In response, gives the corresponding private keys to by running GenKey(IDi, MK, PP).
  3. Challenge: submits a challenge identity ID* and two messages with the equal length subject to the restriction: for all IDi of private key queries, IDiID*. flips a random coin μ ∈ {0, 1} and gives the challenge ciphertext CT* to by running Encrypt .
  4. Phase 2: may continue to request private keys for IDq1+1, …, IDq.
  5. Guess: outputs a guess μ′ ∈ {0, 1} of μ, and wins the game if μ = μ′.

The advantage of is defined as where the probability is taken over all the randomness of the game. An IBE scheme is IND-CPA secure if for all PPT adversary , the advantage of is negligible in the security parameter λ.

2.2 Identity-based revocation

Identity-based revocation (IBR) is a kind of public-key broadcast encryption (PKBE) [26], in which a large number of users with identities can participate to the system and a sender can specify the set R of revoked users in a ciphertext instead of the set S of receivers. In IBR, a sender generates a ciphertext CT by using a revoked set R and a message M, and then broadcasts the ciphertext. A receiver retrieves a private key for his or her identity from a trusted central and decrypt the ciphertext if his or her identity is not included in the set R. The detailed syntax of IBR is given as follows.

Definition 2.3 (Identity-Based Revocation, IBR). An IBR scheme consists of four algorithms Setup, GenKey, Encrypt, and Decrypt, which are defined as follows:

  1. Setup(1λ): The setup algorithm takes as input a security parameter 1λ. It outputs a master key MK and public parameters PP.
  2. GenKey(ID, MK, PP): The private key generation algorithm takes as input an identity , the master key MK, and public parameters PP. It outputs a private key SKID.
  3. Encrypt(R, M, PP): The encryption algorithm takes as input revoked identities , a message , and public parameters PP. It outputs a ciphertext CTR.
  4. Decrypt(CTR, SKID, PP): The decryption algorithm takes as input a ciphertext CTR, a private key SKID, and public parameters PP. It outputs a message M.

The correctness of IBR is defined as follows: For all MK and PP generated by Setup(1λ), SKID generated by GenKey(ID, MK, PP) for any ID, and any R such that IDR and any M, it is required that

  • Decrypt(Encrypt(R, M, PP), SKID, PP) = M.

The security model of IBR is defined by extending the IND-CPA security model of PKBE to account for the revoked set R [26]. In this model, an attacker requests private key queries on identities. In the challenge step, the attacker submits a challenge revoked set R* and the challenge message and receives a challenge ciphertext CT*. The attacker additionally requests private key queries and finally guesses the hidden message in CT*. In this game, all identities of private keys must belong to the revoked set R*. The detailed description of the security model is given as follows.

Definition 2.4 (IND-CPA Security). The IND-CPA security of IBR is defined in terms of the following game between a challenger and a PPT adversary :

  1. Setup: generates a master key MK and public parameters PP by running Setup(1λ). It keeps MK to itself and gives PP to .
  2. Phase 1: may adaptively request private keys for identities . In response, gives the corresponding private keys to by running GenKey(IDi, MK, PP).
  3. Challenge: submits a challenge revoked set R* of users and two messages with the equal length subject to the restriction: for all IDi of private key queries, IDiR*. flips a random coin μ ∈ {0, 1} and gives the challenge ciphertext CT* to by running Encrypt .
  4. Phase 2: may continue to request private keys for IDq1+1, …, IDq.
  5. Guess: outputs a guess μ′ ∈ {0, 1} of μ, and wins the game if μ = μ′.

The advantage of is defined as where the probability is taken over all the randomness of the game. An IBR scheme is IND-CPA secure if for all PPT adversary , the advantage of is negligible in the security parameter λ.

2.3 Hierarchical identity-based encryption

Hierarchical identity-based encryption (HIBE) is an extension of IBE in which a hierarchical identity is used to represent a user’s identity and the delegation of private keys is provided [3, 35]. In HIBE, a user receives a private key for his hierarchical identity from a trusted center, or receives a delegated private key from another user. If a sender creates a ciphertext for a receiver’s hierarchical identity and transmits it to a receiver, then the receiver can decrypt the ciphertext by using his private key if the hierarchical identity of his private key is a prefix of the hierarchical identity of the ciphertext.

Let HID = (ID1, …, IDk) be an identity vector of size k. We let HID|j be a vector (ID1, …, IDj) of size j derived from HID. We define a function Prefix(HID|k) that returns a set of prefix vectors {HID|j}1≤jk where HID|k = (ID1, …, IDk). The detailed syntax of HIBE is given as follows.

Definition 2.5 (Hierarchical Identity-Based Encryption, HIBE). An HIBE scheme consists of five algorithms Setup, GenKey, Delegate, Encrypt, and Decrypt, which are defined as follows:

  1. Setup(1λ, Lmax). The setup algorithm takes as input a security parameter 1λ and maximum hierarchical depth Lmax. It outputs a master key MK and public parameters PP.
  2. GenKey(HID|k, MK, PP). The key generation algorithm takes as input a hierarchical identity where kLmax, the master key MK, and the public parameters PP. It outputs a private key .
  3. Delegate(). The delegation algorithm takes as input a hierarchical identity HID|k, a private key for HID|k−1, and the public parameters PP. It outputs a delegated private key .
  4. Encrypt(HID|, M, PP). The encryption algorithm takes as input a hierarchical identity where ℓ ≤ Lmax, a message M, and public parameters PP. It outputs a ciphertext .
  5. Decrypt(). The decryption algorithm takes as input a ciphertext , a private key , and public parameters PP. It outputs a message M.

The correctness of HIBE is defined as follows: For all MK, PP generated by Setup(1λ, Lmax), all HID|, HID|k, any generated by GenKey(HID|k, MK, PP) such that HID|kPrefix(HID|), it is required that

  • .

The security model of HIBE is defined by extending the security model of IBE to include additional private key delegations [3, 35]. That is, an attacker can request delegated private key queries together with general private key queries. In this case, if the distribution of general private keys and the distribution of delegate private keys are the same, then we can only consider general private key queries to simplify the security model. The detailed security model of HIBE is given as follows.

Definition 2.6 (IND-CPA Security). The IND-CPA security of HIBE is defined in terms of the following game between a challenger and a PPT adversary :

  1. Setup: generates a master key MK and public parameters PP by running Setup(1λ, Lmax). It keeps MK to itself and gives PP to .
  2. Phase 1: may adaptively request a polynomial number of private key queries. In response, gives a corresponding private key to by running GenKey(HID|k, MK, PP) for each query.
  3. Challenge: submits a challenge hierarchical identity HID*| and two messages with the equal length subject to the restriction: for each HID|k of private key queries, HID|kPrefix(HID*|). flips a random coin μ ∈ {0, 1} and gives a challenge ciphertext CT* to by running Encrypt .
  4. Phase 2: may continue to request private key queries.
  5. Guess: outputs a guess μ′ ∈ {0, 1} of μ, and wins the game if μ = μ′.

The advantage of is defined as where the probability is taken over all the randomness of the game. An HIBE scheme is IND-CPA secure if for all PPT adversary , the advantage of is negligible in the security parameter λ.

2.4 Revocable identity-based encryption

Revocable identity-based encryption (RIBE) is an extension of existing identity-based encryption (IBE) to support private key revocation [6]. In RIBE, each user receives a private key for his or her identity ID from a trusted center. The trusted center then periodically generates an update key which is associated with time T and a non-revoked user set, and then it broadcasts the update key through the public channel. In this case, if the private key of a user is not revoked in the update key, the user can derive a decryption key for ID and T by combining the private key and the update key, and this decryption key can be used to decrypt a ciphertext which is related with ID and T. The syntax of RIBE is given as follows.

Definition 2.7 (Revocable IBE, RIBE). An RIBE scheme consists of seven algorithms Setup, GenKey, UpdateKey, DeriveKey, Encrypt, Decrypt, and Revoke, which are defined as follows:

  1. Setup(1λ): The setup algorithm takes as input a security parameter 1λ. It outputs a master key MK, an (empty) revocation list RL, and public parameters PP.
  2. GenKey(ID, MK, PP): The private key generation algorithm takes as input an identity , the master key MK, and public parameters PP. It outputs a private key SKID.
  3. UpdateKey(T, RL, MK, PP): The update key generation algorithm takes as input update time , the revocation list RL, the master key MK, and public parameters PP. It outputs an update key UKT.
  4. DeriveKey(SKID, UKT, PP): The decryption key derivation algorithm takes as input a private key SKID, an update key UKT, and public parameters PP. It outputs a decryption key DKID,T.
  5. Encrypt(ID, T, M, PP): The encryption algorithm takes as input an identity , time T, a message , and public parameters PP. It outputs a ciphertext CTID,T.
  6. Decrypt(CTID,T, DKID′, T, PP): The decryption algorithm takes as input a ciphertext CTID,T, a decryption key DKID′, T, and public parameters PP. It outputs a message M.
  7. Revoke(ID, T, RL): The revocation algorithm takes as input an identity ID to be revoked and revocation time T, and a revocation list RL. It outputs an updated revocation list RL.

The correctness of RIBE is defined as follows: For all MK, RL, and PP generated by Setup(1λ), SKID generated by GenKey(ID, MK, PP) for any ID, UKT generated by UpdateKey(T, RL, MK, PP) for any T and RL such that (ID, Tj)∉RL for all TjT, CTID,T generated by Encrypt(ID, T, M, PP) for any ID, T, and M, it is required that

  • Decrypt(CTID,T, DeriveKey(SKID, UKT, PP), PP) = M.

The security model of RIBE was first defined by Boldyreva et al. [6], and then this security model was extended by Seo and Emura [9] to support decryption key exposure resistance. In the security model of RIBE, an attacker can request a private key query for an identity ID, an update key query for time T, a decryption key query for ID and T, and a revocation query. In the challenge step, the attacker submits a challenge identity ID*, challenge time T*, and challenge messages , and receives a challenge ciphertext CT*. Note that the private key query for ID* is not allowed in the IBE security model, but this private key query for ID* is allowed in the RIBE security model. At this time, if the private key for ID* is queried, then the private key for ID* must be revoked in the update key on the challenge time T*. The detailed definition of the RIBE security model is given as follows.

Definition 2.8 (IND-CPA Security). The IND-CPA security of RIBE is defined in terms of the following experiment between a challenger and a PPT adversary :

  1. Setup: generates a master key MK, a revocation list RL, a state ST, and public parameters PP by running Setup(1λ). It keeps MK, RL to itself and gives PP to .
  2. Phase 1: adaptively request a polynomial number of queries. These queries are processed as follows:
    • If this is a private key query for an identity ID, then it gives the corresponding private key SKID to by running GenKey(ID, MK, PP).
    • If this is an update key query for time T, then it gives the corresponding update key UKT,R to by running UpdateKey(T, RL, MK, PP).
    • If this is a decryption key query for an identity ID and time T, then it gives the corresponding decryption key DKID,T to by running DeriveKey(SKID, UKT, PP).
    • If this is a revocation query for an identity ID and revocation time T, then it updates the revocation list RL by running Revoke(ID, T, RL, ST) with the restriction: The revocation query for time T cannot be queried if the update key query for the time T was already requested.

    Note that we assume that the update key queries and the revocation queries are requested in non-decreasing order of time.
  3. Challenge: submits a challenge identity ID*, challenge time T*, and two challenge messages with equal length with the following restrictions:
    • If a private key query for an identity ID such that ID = ID* was requested, then the identity ID* should be revoked at some time T such that TT*.
    • The decryption key query for ID* and T* was not requested.

    flips random μ ∈ {0, 1} and obtains a ciphertext CT* by running Encrypt . It gives CT* to .
  4. Phase 2: may continue to request a polynomial number of additional queries subject to the same restrictions as before.
  5. Guess: Finally, outputs a guess μ′ ∈ {0, 1}, and wins the game if μ = μ′.

The advantage of is defined as where the probability is taken over all the randomness of the experiment. An RIBE scheme is IND-CPA secure if for all PPT adversary , the advantage of is negligible in the security parameter λ.

3 Revocable IBE with SD

In this section, we first review the perfect binary tree and the subset difference method, and then we propose a generic construction for RIBE by combining subset difference, IBE, IBR, and HIBE schemes.

3.1 Binary tree

A perfect binary tree is a tree data structure in which all internal nodes have two child nodes and all leaf nodes have the same depth. Let N = 2n be the number of leaf nodes in . The number of all nodes in is 2N − 1 and we denote vi as a node in for any 1 ≤ i ≤ 2N − 1. The depth di of a node vi is the length of the path from a root node to the node. The root node of a tree has depth zero. The depth of is the length of the path from the root node to a leaf node. A level of is a set of all nodes at given depth.

Each node has an identifier Li ∈ {0, 1}* which is a fixed and unique string. An identifier of each node is assigned as follows: Each edge in the tree is assigned with 0 or 1 depending on whether it is connected to the left or right child node. The identifier Li of a node vi is obtained by reading all labels of edges in a path from the root node to the node vi. The root node has an empty identifier ϵ. For a node vi, we define Label(vi) be the identifier of vi and Depth(vi) be the depth di of vi.

A subtree in is defined as a tree that is rooted at a node . A subset Si is defined as a set of all leaf nodes in . For any two nodes where vj is a descendant of vi, is defined as a subtree , that is, all nodes that are descendants of vi but not vj. A subset Si,j is defined as the set of leaf nodes in , that is, Si,j = Si\Sj.

For a perfect binary tree and a subset R of leaf nodes, is defined as the Steiner Tree induced by the set R and the root node, that is, the minimal subtree of that connects all the leaf nodes in R and the root node.

3.2 Subset difference method

The subset difference (SD) method is one instance of the subset cover (SC) framework proposed by Naor et al. [19] which was used for efficient symmetric key broadcast encryption. The SD method is more efficient than the complete subtree (CS) method because the size of the cover set representing the non-revoked users is smaller than that of the CS method. We follow the SD definition of Lee et al. [36]. The SD method uses a perfect binary tree and each user is located at a leaf node in the binary tree. The Assign algorithm computes a path set PV, which is consists of subsets associated with the path from the root node to a user’s leaf node. The Cover algorithm derives a cover set CV that can effectively cover non-revoked leaf nodes. The Match algorithm can derive two related subsets if a user’s leaf node is not revoked in the cover set. A simple example of the SD method is given in Figs 1 and 2. A detailed description of the SD method is given as follows.

  1. SD.Setup(N): Let N = 2n be the number of leaf nodes. It sets a perfect binary tree of depth n and outputs . Note that a user is assigned to a leaf node in and the collection of SD is the set of all subsets {Si,j} where and vj is a descendant of vi.
  2. SD.Assign(): Let v be the leaf node of that is assigned to a user ID. Let be a path from the root node to the leaf node . It initializes a path set PV as an empty one. For all i, j ∈ {k0, …, kn} such that vj is a descendant of vi, it adds a subset Si,j defined by two nodes vi and vj in the path into PV. It outputs the path set PV = {Si,j}.
  3. SD.Cover(): Let R be a revoked set of leaf nodes (or users). It first sets a subtree as , and then it builds a cover set CV iteratively by removing nodes from until consists of just a single node as follows:
    1. It finds two leaf nodes vi and vj in such that the least-common-ancestor v of vi and vj does not contain any other leaf nodes of in its subtree. Let vl and vk be the two child nodes of v such that vi is a descendant of vl and vj is a descendant of vk. If there is only one leaf node left, it makes vi = vj to the leaf node, v to be the root of and vl = vk = v.
    2. If vlvi, then it adds the subset Sl,i to CV; likewise, if vkvj, it adds the subset Sk,j to CVR.
    3. It removes from all the descendants of v and makes v a leaf node.

    It outputs the cover set CV = {Si,j}.
  4. SD.Match(CV, PV): Let CV = {Si,j} and PV = {Si,j}. It finds two subsets Si,jCV and Si′, jPV such that (vi = vi)∧(dj = dj)∧(vjvj) where dj is the depth of vj. If two subsets exist, then it outputs (Si,j, Si′, j). Otherwise, it outputs ⊥.

The correctness of the SD scheme requires that if vR, then SD.Match(CV, PV) = (Si,j, Si′, j) such that (vi = vi)∧(dj = dj)∧(vjvj) where Si,j is defined by two nodes vi and vj.

Lemma 3.1 ([19]). Let N = 2n be the number of leaf nodes in a perfect binary tree and r be the size of a revoked set. In the SD method, the size of a path set is O(log2 N) where the hidden constant is 1/2 and the size of a cover set is at most 2r − 1.

thumbnail
Download:
Fig 1. A path set for ID = 010 in the SD method.

https://doi.org/10.1371/journal.pone.0239053.g001

thumbnail
Download:
Fig 2. A cover set for R = {v12, v13} in the SD method.

https://doi.org/10.1371/journal.pone.0239053.g002

3.3 Design principle

In order to design a generic RIBE scheme with the SD method, we first analyze the generic RIBE scheme with the CS method proposed by Ma and Lin [18]. The key design principle of their RIBE scheme with the CS method is that the identity ID of a receiver can be fixed to the path of a binary tree and a ciphertext is associated with the path set of the receiver’s identity ID where as the private key of a user is associated with the path set of a binary tree in directly constructed many RIBE schemes. Therefore, if the receiver’s identity ID is not revoked in the CS method, there is a common node in the path set of the binary tree and a node in the cover set of an update key. Thus, the equality function of IBE can be used to handle this common node since the path can be related to IBE ciphertexts and the cover set can be related to IBE private keys.

However, this design method is difficult to apply to the SD method. The reason is that in the SD method, unlike the CS method, there are no common nodes in the path set and the cover set. To solve this problem, we use the new interpretation of the SD method which was used for an efficient public-key revocation (PKR) scheme and RIBE scheme by using the SD method [15, 36]. To design an efficient PKR scheme, Lee et al. [36] observed that the subset Si,j of the SD method can be interpreted as a set of single member revocation instead of the existing interpretation that the subset Si,j is a set of leaf nodes where each leaf node belongs to the subtree but does not belong to the subtree . That is, if we consider a group set GL which consists of all nodes of the subtree that has the same depth as the node vj, the subset Si,j can be interpreted as the same as GL except that the node vj is excluded from GL. Thus, Si,j can be interpreted as single member revocation because it revokes one node vj in GL.

This interesting observation was also used to directly construct an RIBE scheme with the SD method by Lee et al. [15]. They used a degree-one polynomial in the exponent to implement single member revocation, but they only achieved an RIBE scheme in a non-generic way. In this work, we found that IBE and IBR schemes can be combined in a generic way to achieve single member revocation if an RIBE ciphertext is associated with a path set PV for a receiver’s identity ID and an RIBE update key is associated with a cover set CV for a revoked set R. That is, given the subset Si,j, if we set a group label GL = Lidj and a member label ML = Lj where Li, Lj are identifiers of nodes vi, vj and dj is the depth of vj, then all members of the group GL can be represented by a label pair (GL, ML). In this case, a label pair (GL, ML) in a ciphertext and another label pair (GL′, ML′) in an update key can be matching pairs if the group labels are equal but the member labels are different such that GL = GL′∧MLML′. Thus, we can support the equality GL = GL′ by using an IBE scheme, and we can support the inequality MLML′ by using an IBR scheme. In addition, to provide security against collusion attacks in the black-box construction, we divided the message M of a ciphertext into several secret shares by using a simple secret sharing scheme, and then encrypt these shares by using IBE and IBR schemes. Additionally, we use an HIBE scheme to provide the decryption key exposure resistance.

3.4 Generic construction

Let IBE = (Setup, GenKey, Encrypt, Decrypt) be an IBE scheme, IBR = (Setup, GenKey, Encrypt, Decrypt) be an IBR scheme that supports a single revoked identity, and HIBE = (Setup, GenKey, Delegate, Encrypt, Decrypt) be a two-level HIBE scheme. We define GMLabels(Si,j) = (GL = Label(vi)‖Depth(vj), ML = Label(vj)) where GL is a group label and ML is a member label. A simple example of a group of nodes derived from a subset Si,j is given in Fig 3. A generic RIBE scheme using the SD method is described as follows.

  1. RIBE.Setup(1λ): Let be the identity space.
    1. It first obtains MKIBE, PPIBE by running IBE.Setup(1λ). It obtains MKIBR, PPIBR by running IBR.Setup(1λ). It also obtains MKHIBE, PPHIBE by running HIBE.Setup(1λ, 2).
    2. It defines a binary tree by running SD.Setup(2n) where . Note that it will deterministically assign an identity ID to a leaf node such that Label(v) = ID.
    3. It outputs a master key MK = (MKIBE, MKIBR, MKHIBE), a revocation list RL = ∅, and public parameters .
  2. RIBE.GenKey(ID, MK, PP): To generate a private key for ID, it proceeds as follows:
    1. It obtains SKHIBE by running HIBE.GenKey((ID), MKHIBE, PPHIBE).
    2. Finally, it outputs a private key SKID = SKHIBE.
  3. RIBE.UpdateKey(T, RL, MK, PP): To generate an update key for T, it proceeds as follows:
    1. It initializes RV = ∅. For each (IDj, Tj)∈RL, it adds a leaf node which is associated with IDj into RV if TjT. It obtains CVT by running SD.Cover .
    2. For each Si,jCVT, it sets labels (GL, ML) = GMLabels(Si,j) and performs: It obtains by running IBE.GenKey(GLT, MKIBE, PPIBE) and by running IBR.GenKey (MLT, MKIBR, PPIBR).
    3. Finally, it outputs an update key .
  4. RIBE.DeriveKey(SKID, UKT, PP): Let SKID = SKHIBE. To derive a decryption key for ID and T, it proceeds as follows:
    1. It obtains DKHIBE by running HIBE.Delegate((ID, T), SKHIBE, PPHIBE).
    2. Finally, it outputs a decryption key DKID,T = (UKT, DKHIBE).
  5. RIBE.Encrypt(ID, T, M, PP): To generate a ciphertext for ID and T, it proceeds as follows:
    1. It selects random R1 and sets R2 = MR1. It obtains CTHIBE by running HIBE.Encrypt ((ID, T), R2, PPHIBE).
    2. Let vID be a leaf node associated with ID such that ID = Label(vID). Recall that the leaf node vID is fixed by the Label function. It obtains PVID by running SD.Assign .
    3. For each Si,jPVID, it sets labels (GL, ML) = GMLabels(Si,j) and performs:
      1. It selects random and sets .
      2. It obtains by running IBE.Encrypt and obtains by running IBR.Encrypt .

      It creates .
    4. Finally, it outputs a ciphertext CTID,T = (CTPV, CTHIBE).
  6. RIBE.Decrypt(CTID,T, DKID′, T, PP): Let CTID,T = (CTPV, CTHIBE) and DKID′, T = (UKT, DKHIBE). It proceeds as follows:
    1. It first obtains R2 by running HIBE.Decrypt(CTHIBE, DKHIBE, PPHIBE).
    2. It finds (Si,j, Si′, j) = SD.Match(PVID, CVT). It retrieves from CTPV and from UKT. Next, it obtains R3 by running IBE.Decrypt and obtains R4 by running IBR.Decrypt .
    3. Finally, it outputs a message M = R3R4R2.
  7. RIBE.Revoke(ID, T, RL): If (ID, *) already exists in RL, it outputs RL. Otherwise, it adds (ID, T) to RL and outputs the updated RL.
thumbnail
Download:
Fig 3. A single member revoked group from the subset S1,6 = (v1, v6).

https://doi.org/10.1371/journal.pone.0239053.g003

3.5 Correctness

The correctness of the above RIBE scheme can be easily seen by using the correctness of the underlying IBE, IBR, HIBE and SD schemes. Let CTID,T = (CTPV, CTHIBE) be a ciphertext associated with ID and T, and DKID′, T = (UKT, DKHIBE) be a decryption key is associated with ID′ and T′. In this case, if the condition ID = ID′∧T = T′ is satisfied, then the random R2 is correctly decrypted by running HIBE.Decrypt(CTHIBE, SKHIBE, PPHIBE) because of the correctness of HIBE.

Now we show that random R1 can be correctly decrypted from CTPV and UKT if the identity ID of the ciphertext is not revoked in the update key UKT. Recall that the ciphertext CTPV is associated with PVID and the update key UKT is associated with CVT. By the correctness of the SD scheme, the SD.Match algorithm outputs two subsets of Si,j, Si′, j such that (vi = vi)∧(dj = dj)∧(vjvj) if the leaf node vID is not included in the revoked set RV. Let and be corresponding tuples of Si,j and Si′, j respectively. From the definition of GMLabels, labels (GL, ML) = GMLabels(Si,j) and (GL′, ML′) = GMLabels(Si′, j) are obtained and they satisfy GL = GL′∧MLML′. Therefore, if the time T of the ciphertext is the same as the time T′ of the update key, then random R3 can be decrypted by running IBE.Decrypt because of GLT = GL′‖T′ and random R4 can be decrypted by running IBR.Decrypt because of MLTML′‖T′. Therefore, random R1 is obtained from R3R4.

3.6 Discussions

Layered subset difference.

Since our generic RIBE scheme uses the SD method, the size of a ciphertext depends on the size of the PV set and the size of an update key depends on the size of the CV set in the SD method. Thus, the ciphertext and update key of generic RIBE consists of approximately O(log2 N) IBE ciphertexts and 2r IBE private keys respectively where N = 2n is the number of users and r is the number of revoked users. In order to reduce the size of ciphertexts in this generic RIBE scheme, we can apply the layered subset difference (LSD) method of Halevy and Shamir [20]. If the LSD method is used instead of the SD method, the ciphertext and the update key of this general RIBE scheme consists of O(log1.5 N) IBE ciphertexts and 4r IBE private keys, respectively.

Chosen-ciphertext security.

The CCA security model, which is stronger than the CPA security model, allows an adversary to request decryption queries on ciphertexts. The above generic RIBE construction only can derive a CPA secure RIBE scheme by using CPA secure IBE, IBR, and HIBE schemes as building blocks. To derive a CCA secure RIBE scheme, we may try to use CCA secure encryption primitives as building blocks. However, this simple construction can not be CCA secure because it allows ciphertext elements reordering attacks. To solve this problem, we apply the CCA methodology for multiple encryption proposed by Dodis and Katz [37]. That is, a CCA secure RIBE scheme can be constructed by combining CCA secure IBE, IBR, HIBE schemes with a one-time signature (OTS) scheme with strong unforgeability. At this time, the underlying IBE, IBR, and HIBE schemes should be modified to receive additional labels as inputs since the public key of OTS should be tied with ciphertexts. This approach also provides the decryption key exposure resistance (DKER) property since a decryption key is generated by using the delegation property of HIBE.

4 Security analysis

In this section, we prove the IND-CPA security of the generic RIBE construction proposed in the previous section. The basic idea of this proof is to show that if there is an attacker that breaks the IND-CPA security of the RIBE scheme, then we can construct an algorithm that breaks the IND-CPA security of underlying IBE, IBR, or HIBE schemes. In order to simplify the security proof, we try to prove the security by separating the attacker into two types. That is, the Type-I attacker does not request a private key query on the challenge identity ID*, and the Type-II attacker requests a private key query on the identity ID*.

First, since the Type-I attacker does not query the private key for the identity ID*, we perform the proof that relates the security of the underlying HIBE scheme with the security of the RIBE scheme. Next, since the Type-II attacker queries the private key for ID*, we perform the proof that relates the security of the underlying IBE or IBR scheme and the security of the RIBE scheme.

Theorem 4.1. The generic RIBE scheme is IND-CPA secure if the underlying IBE, IBR, and HIBE schemes are IND-CPA secure.

Proof. Let ID* be the challenge identity and T* be the challenge time. We divide the behavior of an adversary as two types: Type-I and Type-II, which are defined as follows:

  1. Type-I. An adversary is Type-I if it requests a private key for IDID* for all private key queries. In this case, the adversary can request a decryption key for ID and T such that IDID* or ID = ID*∧TT*.
  2. Type-II. An adversary is Type-II if it requests a private key for ID = ID* for some private key query. In this case, the private key for ID* should be revoked at some time T such that TT* by the restriction of the security model.

Let Ei be the event that behaves like Type-i adversary. From Lemmas 4.2 and 4.3, we obtain the following result

This completes our proof.

4.1 Type-I adversary

The Type-I attacker does not request a private key query on the challenge ID*, but can request decryption key queries such that ID = ID* and TT*. To deal with this attacker, we build a reduction algorithm that attacks the HIBE scheme and selects the other IBE and IBR schemes by itself. In this case, this algorithm will be able to handle all queries of the Type-I attacker by using the queries for the HIBE scheme. The detailed proof is as follows.

Lemma 4.2. For the Type-I adversary, the generic RIBE scheme is IND-CPA secure if the HIBE scheme is IND-CPA secure.

Proof. Suppose there exists an adversary that attacks the RIBE scheme with a non-negligible advantage. An algorithm that attacks the HIBE scheme is initially given public parameters PPHIBE by a challenger . Then that interacts with is described as follows:

Setup: generates MKIBE, PPIBE by running the IBE.Setup algorithm, generates MKIBR, PPIBR by running the IBR.Setup algorithm. It initializes RL = ∅ and gives PP = (PPIBE, PPIBR, PPHIBE) to .

Phase 1: adaptively requests a polynomial number of private key, update key, decryption key, and revocation queries.

  • For a private key query with an identity ID, proceeds as follows: It receives SKHIBE from by querying a private key for ID since IDID* by the restriction of the Type-I adversary. It gives SKID = SKHIBE to .
  • For an update key query with time T, proceeds as follows: It simply generates UKT by running the RIBE.UpdateKey algorithm since it knows MKIBE and MKIBR. It gives UKT to .
  • For a decryption key query with an identity ID and time T, proceeds as follows:
    1. It generates UKT by running the RIBE.UpdateKey algorithm since it knows MKIBE and MKIBR.
    2. It receives DKHIBE from by querying a private key for ID and T since IDID* or ID = ID*∧TT* by the restriction of the Type-I adversary.
    3. It gives DKID,T = (UKT, DKHIBE) to .
  • For a revocation query with an identity ID and time T, proceeds as follows: It adds (ID, T) to RL if ID was not revoked before.

Challenge: submits a challenge identity ID*, challenge time T*, and two challenge messages . proceeds as follows:

  1. It first select random R1 and sets .
  2. Next, it receives from by submitting ID*, T*, and two challenge messages R2,0, R2,1.
  3. To creates for ID* and T*, it simply follows the procedures in the RIBE.Encrypt algorithm with the random R1 input.
  4. It gives a challenge ciphertext to .

Phase 2: Same as Phase 1.

Guess: Finally, outputs a guess μ′ ∈ {0, 1}. also outputs μ′.

4.2 Type-II adversary

Since the Type-II attacker requests a private key query on the challenge ID*, we can not handle the private key queries of the RIBE scheme by using the private key queries of the HIBE scheme in the proof. Therefore, we prove the security by relating the security of the IBE and IBR schemes with the security of the RIBE scheme against the Type-II attacker.

The main idea of the proof is to take advantage of the restriction of the RIBE security model such that if the attacker queries the private key for the challenge identity ID*, then the corresponding private key for ID* must be revoked from the update key on the challenge time T*. Thus, the ciphertext in the challenge ciphertext consists of the IBE and IBR ciphertexts associated with the subset Si,j belonging to the path set PVID*, but the IBE and IBR private keys that can decrypt the corresponding ciphertext elements in are not included in the update key for T* because of the restriction. Using this fact, we can prove the security of the RIBE scheme against the Type-II attacker by using the security of the IBE or IBR scheme.

We prove the security by using hybrid games consisting of multiple sub-games because the ciphertext is composed of many IBE and IBR ciphertexts. That is, in the hybrid games, a ciphertext which encrypts a random value related to is changed to another ciphertext which encrypts a random value related to . In this hybrid steps, since the number of IBE and IBR ciphertext pairs in is maximum O(n2), the proof can be completed by performing O(n2) hybrid games. The detailed proof is described as follows.

Lemma 4.3. For the Type-II adversary, the generic RIBE scheme is IND-CPA secure if the IBE and IBR schemes are IND-CPA secure.

Proof. Let ID* be the challenge identity and PVID* be the path set of ID* where the number of subsets in PVID* is ℓ = n(n − 1)/2. The challenge ciphertext is formed as where . For the security proof, we define hybrid games G0, G1, G2, G3 as follows:

  1. Game G0. This game is the original security game defined in the security model except that the challenge bit μ is fixed to 0.
  2. Game G1. This game is the same as the game G0 except that the settings of random R1 and R2 in the challenge ciphertext are changed. That is, R2 are randomly chosen and R1 is set as .
  3. Game G2. In this game, the generation of in the challenge ciphertext CT* is changed. That is, a random is encrypted instead of to generate .
    For the analysis of security, we define additional sub-games H0, …, Hρ, …, H where H0 = G1 and H = G2. The game Hρ is similar to the game Hρ−1 except that the tuple is an encryption on the random . Specifically, each tuple for kρ is an encryption on the random and each tuple for k > ρ is an encryption on the random .
    In the game Hρ, we let of where is related with PVID*. We divide the adversary as the following sub-types:
    - An adversary is Type-II-A if it requests an update key for time T* such that GLGL* for all labels (GL, ML) = GMLabels(Si,j) of Si,jCVR where UKT* is related with CVR.
    - An adversary is Type-II-B if it requests an update key for time T* such that GL = GL* for some labels (GL, ML) = GMLabels(Si,j) of Si,jCVR where UKT* is related with CVR. In this case, we have that MLML* since the identity ID* should be revoked in UKT* by the restriction of the security model.
  4. Game G3. This game is the same as the game G2 except that the settings of random and R2 in the challenge ciphertext are changed. That is, is randomly chosen and R2 is set as . This game is the original security game in the security model except that the challenge bit μ is fixed to 1.

Let be the event that outputs 0 in a game Gi. From Lemmas 4.4 and 4.5, we obtain the following result

This completes our proof.

Lemma 4.4. If the IBE scheme is IND-CPA secure, then no polynomial-time Type-II-A adversary can distinguish between Hρ−1 and Hρ with a non-negligible advantage.

Proof. Suppose there exists an adversary that attacks the RIBE scheme with a non-negligible advantage. An algorithm that attacks the IBE scheme is initially given public parameters PPIBE by a challenger . Then that interacts with is described as follows:

Setup: generates MKIBR, PPIBR by running the IBR.Setup algorithm and generates MKHIBE, PPHIBE by running the HIBE.Setup algorithm. It initializes RL = ∅ and gives PP = (PPIBE, PPIBR, PPHIBE) to .

Phase 1: adaptively requests a polynomial number of private key, update key, decryption key, and revocation queries.

  • For a private key query with an identity ID, proceeds as follows: It generates SKID by running the RIBE.GenKey algorithm since it knows MKHIBE. It gives SKID to .
  • For an update key query with time T, proceeds as follows:
    1. It initializes RV = ∅. For each (IDj, Tj)∈RL, it adds a leaf node into RV if TjT. It obtains CVT by running SD.Cover .
    2. For each Si,jCVT, it sets (GLk, MLk) = GMLabels(Si,j) and performs: It receives from by submitting an identity GLkT. It generates by running IBR.GenKey (MLkT, MKIBR, PPIBR).
    3. It creates and gives UKT to .
  • For a decryption key query with an identity ID and time T, proceeds as follows:
    1. It retrieves SKID = SKHIBE by querying a private key to its own oracle. It also retrieves UKT by querying an update key to its own oracle.
    2. Next, it generates a delegated key DKHIBE of SKHIBE by running HIBE.DelegateKey for ID and T.
    3. It gives DKID,T = (UKT, DKHIBE) to .
  • For a revocation query with an identity ID and time T, proceeds as follows: It adds (ID, T) to RL if ID was not revoked before.

Challenge: submits a challenge identity ID*, challenge time T*, and two challenge messages . proceeds as follows:

  1. It first selects random R2 and sets .
  2. Next, it generates by running HIBE.Encrypt((ID*, T*), R2, PPHIBE).
  3. It obtains PVID* by running SD.Assign where a leaf node vID* is associated with ID*. For each Si,jPVID*, it obtains (GLk, MLk) = GMLabels(Si,j) and proceeds as follows:
    • If k < ρ, then it selects random R3,k and sets , and then generates by running IBE.Encrypt(GLkT*, R3,k, PPIBE) and by running IBR.Encrypt (MLkT*, R4,k, PPIBR).
    • If k = ρ, then it performs the follows:
      1. (a) It selects random R4,k and sets , .
      2. (b) It receives from by submitting a challenge identity GLkT* and challenge messages .
      3. (c) It generates by running IBR.Encrypt(MLkT*, R4,k, PPIBR).
    • If k > ρ, then it selects random R3,k and sets , and then generates by running IBE.Encrypt(GLkT*, R3,k, PPIBE) and by running IBR.Encrypt (MLkT*, R4,k, PPIBR).

    It creates .
  4. It gives a challenge ciphertext to .

Phase 2: Same as Phase 1.

Guess: Finally, outputs a guess μ′ ∈ {0, 1}. also outputs μ′.

Lemma 4.5. If the IBR scheme is IND-CPA secure, then no polynomial-time Type-II-B adversary can distinguish between Hρ−1 and Hρ with a non-negligible advantage.

Proof. Suppose there exists an adversary that attacks the RIBE scheme with a non-negligible advantage. An algorithm that attacks the IBR scheme is initially given public parameters PPIBR by a challenger . Then that interacts with is described as follows:

Setup: generates MKIBE, PPIBE by running the IBE.Setup algorithm and generates MKHIBE, PPHIBE by running the HIBE.Setup algorithm. It initializes RL = ∅ and gives PP = (PPIBE, PPIBR, PPHIBE) to .

Phase 1: adaptively requests a polynomial number of private key, update key, decryption key, and revocation queries.

  • For a private key query with an identity ID, proceeds as follows: It generates SKID by running RIBE.GenKey algorithm since it knows MKHIBE. It gives SKID to .
  • For an update key query with time T, proceeds as follows:
    1. It initializes RV = ∅. For each (IDj, Tj)∈RL, it adds a leaf node into RV if TjT. It obtains CVT by running SD.Cover .
    2. For each Si,jCVT, it sets (GLk, MLk) = GMLabels(Si,j) and performs: It generates by running IBE.GenKey(GLkT, MKIBE, PPIBE). It receives from by submitting an identity MLkT.
    3. It creates and gives UKT to .
  • For a decryption key query with an identity ID and time T, proceeds as follows:
    1. It retrieves SKID = SKHIBE by querying a private key to its own oracle. It also retrieves UKT by querying an update key to its own oracle.
    2. Next, it generates a delegated key DKHIBE of SKHIBE by running HIBE.DelegateKey for ID and T.
    3. It gives DKID,T = (UKT, DKHIBE) to .
  • For a revocation query with an identity ID and time T, proceeds as follows: It adds (ID, T) to RL if ID was not revoked before.

Challenge: submits a challenge identity ID*, challenge time T*, and two challenge messages . proceeds as follows:

  1. It first select random R2 and sets .
  2. Next, it generates by running HIBE.Encrypt((ID*, T*), R2, PPHIBE).
  3. It obtains PVID* by running SD.Assign where a leaf node vID* is associated with ID*. For each Si,jPVID*, it obtains (GLk, MLk) = GMLabels(Si,j) and proceeds as follows:
    • If k < ρ, then it selects random R3,k and sets , and then generates by running IBE.Encrypt(GLkT*, R3,k, PPIBE) and by running IBR.Encrypt (MLkT*, R4,k, PPIBR).
    • If k = ρ, then it performs the follows:
      1. (a) It selects random R3,k and sets , .
      2. (b) It generates by running IBE.Encrypt(GLkT*, R3,k, PPIBE).
      3. (c) It receives from by submitting a challenge identity MLkT* and challenge messages .
    • If k > ρ, then it selects random R3,k and sets , and then generates by running IBE.Encrypt(GLkT*, R3,k, PPIBE) and by running IBR.Encrypt (MLkT*, R4,k, PPIBR).

    It creates .
  4. It gives a challenge ciphertext to .

Phase 2: Same as Phase 1.

Guess: Finally, outputs a guess μ′ ∈ {0, 1}. also outputs μ′.

5 Instantiations

In this section, we show that our generic RIBE construction can be instantiated as real RIBE schemes by using bilinear maps or lattices.

5.1 RIBE from bilinear maps

Previously, many RIBE schemes using the CS method were directly constructed on bilinear maps [6, 7, 9]. In addition, an RIBE scheme using the SD method was also directly constructed on bilinear maps [15]. Recently, a generic construction for RIBE using the CS method was proposed by Ma and Lin [18]. Nonetheless, different generic construction for RIBE using the SD/LSD method is still an interesting method because it allows different RIBE instantiations by changing the underlying cryptographic schemes and allows RIBE schemes with shorter update keys. Here, we will look at different instantiations of RIBE using the SD/LSD method that provide selective security or adaptive security.

First, we instantiate an efficient RIBE scheme that provides selective security by following the generic construction. To do this, we choose the BB-IBE scheme of Boneh and Boyen [38] as the underlying IBE scheme, which provides selective security in the DBDH assumption. For underlying IBR scheme, we choose the efficient LSW-IBR scheme of Lewko et al. [26]. However, the IBR scheme for our generic construction only requires that the revoked set R of ciphertexts just consists of a single revoked identity ID. Thus, we can derive a simplified LSW-IBR scheme which supports a single revoked identity, and this simplified IBR scheme provides selective security in the DBDH assumption [27]. Finally, we choose the two-level BB-HIBE scheme of Boneh and Boyen [38] that provides selective security in the DBDH assumption. The resulting RIBE scheme that uses the SD/LSD method provides selective security under the DBDH assumption.

We analyze the private key, update key, and ciphertext size of our generic RIBE scheme with the LSD method in an asymmetric bilinear group. In the MNT159 bilinear group, the size of the group is 159 bits, and the size of the group and the group is 954 bits. In the BB-IBE scheme, the private key size is and the ciphertext size is where denotes the size of a group element. In the LSW-IBR scheme, the private key size is and the ciphertext size is . In the BB-HIBE scheme, the private key size is and the ciphertext size is . In our RIBE scheme, the private key size is since it consists of the private key of HIBE, and the update key size is since it is composed of the IBE and IBR private keys associated with a cover set, and the ciphertext size is approximately since it consists of the IBE and IBR ciphertexts associated with a path set. Thus, if we set N = 232 and r = 1000, the private key size is 238 bytes, the update key size is 2385 kilobytes, and the ciphertext size is 30 kilobytes.

Next, we instantiate an RIBE scheme that provides adaptive security. To this security, we use the IBE scheme of Waters [30] which provides adaptive security under the DBDH and DLIN assumptions, the IBR scheme of Okamoto and Takashima [39] which is derived from an NIPE scheme that provides adaptive security, and the two-level HIBE scheme of Waters [30] that provides adaptive security under the DBDH and DLIN assumptions. The resulting RIBE scheme provides adaptive security under these standard assumptions in prime-order bilinear groups. The previous adaptively secure RIBE scheme of Lee et al. [15] is built in composite-order bilinear groups, but this generic RIBE scheme is built in prime-order bilinear groups. However, this generic RIBE scheme has a small size of private keys and a large size of ciphertexts, whereas the RIBE scheme of Lee et al. has a small size of ciphertexts and a large size of private keys.

5.2 RIBE from lattices

A number of RIBE schemes in lattices have been previously proposed [8, 11, 14, 17]. Although the first lattice based RIBE scheme using the CS method did not provide decryption key exposure resistance (DKER), the new RIBE scheme using the CS method that allows DKER was recently proposed by using the delegation property of HIBE [8, 17]. In addition, a lattice based RIBE scheme using the SD method also has been proposed, but this scheme has a serious limitation such that the identity space is restricted to be small universe because the Lagrange interpolation technique is directly applied to lattices [11].

We use the previously proposed efficient lattice based IBE, IBR, and two-level HIBE schemes to instantiate a lattice based RIBE scheme using the SD method. For the underlying IBE and HIBE schemes, we choose efficient IBE and HIBE schemes of Agrawal et al. [40] that provide selective security in the LWE assumption. For the underlying simple IBR scheme, we choose the NIPE scheme of Katsumata and Yamada [41] which is derived from a linear functional encryption scheme. Note that an NIPE scheme is easily transformed into a simplified IBR scheme with a single revoked identity and this resulting IBR scheme provides selective security in the LWE assumption.

We compare our RIBE scheme with the SD method and the RIBE scheme directly designed by Cheng and Zhang [11]. Cheng and Zhang derived their RIBE scheme in lattices by applying the design principle of the RIBE scheme of Lee et al. [15] in bilinear maps. To use the technique of Lee et al., it is necessary to use the Lagrange interpolation to recover a polynomial value in decryption. In lattices, if Lagrange coefficients and noise values in ciphertexts are multiplied, then a large noise value is obtained in the decryption process, which should be removed to obtain a message. Since the resulting noise value is exponentially increased as the size of the identity space increases, their RIBE scheme has a serious problem that only a small universe of identity can be accepted. Therefore, our RIBE scheme with the SD method is the first lattice based RIBE scheme using the SD method that supports a large universe of identity and provides the DKER property.

6 Conclusion

In this paper, we proposed a new generic RIBE construction with the SD method. Our generic construction uses an IBE scheme, an IBR scheme with single revoked identity, and a two-level HIBE scheme as building blocks. The generic RIBE construction can be instantiated by bilinear maps or lattices, and the private key consists of constant IBE and HIBE private keys, the update key consists of O(r) number of IBE and IBR private keys, and the ciphertext mainly consists of O(n2) number of IBE and IBR ciphertexts. If our generic RIBE construction is extended to use the more efficient LSD method instead of the SD method, the ciphertext is reduced to O(n1.5) number of IBE and IBR ciphertexts. In addition, if the underlying IBE, IBR, and HIBE schemes provide the CCA security and a one-time signature is used, then a CCA secure RIBE scheme can be generically constructed.

There are some interesting open problems. The first problem is to reduce the size of a ciphertext in our generic RIBE scheme with the SD method. In the previous generic RIBE scheme with the CS method, the size of a ciphertext can be reduced by using an IBBE scheme. In our generic RIBE scheme with the SD method, it is difficult to reduce the size of a ciphertext since it uses an IBR scheme. The second problem is to design a generic RHIBE scheme with the SD method. To design a generic RHIBE scheme, the private key delegation is needed. It is possible to extend the IBE scheme to support key delegation by using an HIBE scheme, but it is unclear how to extend the IBR scheme to support key delegation.

References

  1. 1. Shamir A. Identity-Based Cryptosystems and Signature Schemes. In: Blakley GR, Chaum D, editors. Advances in Cryptology—CRYPTO’84. vol. 196 of Lecture Notes in Computer Science. Springer; 1984. p. 47–53.
    • 2. Boneh D, Franklin MK. Identity-Based Encryption from the Weil Pairing. In: Kilian J, editor. Advances in Cryptology—CRYPTO 2001. vol. 2139 of Lecture Notes in Computer Science. Springer; 2001. p. 213–229.
      • 3. Horwitz J, Lynn B. Toward Hierarchical Identity-Based Encryption. In: Knudsen LR, editor. Advances in Cryptology—EUROCRYPT 2002. vol. 2332 of Lecture Notes in Computer Science. Springer; 2002. p. 466–481.
        • 4. Goyal V, Pandey O, Sahai A, Waters B. Attribute-based encryption for fine-grained access control of encrypted data. In: Juels A, Wright RN, di Vimercati SDC, editors. ACM Conference on Computer and Communications Security—CCS 2006. ACM; 2006. p. 89–98.
          • 5. Boneh D, Waters B. Conjunctive, Subset, and Range Queries on Encrypted Data. In: Vadhan SP, editor. Theory of Cryptography—TCC 2007. vol. 4392 of Lecture Notes in Computer Science. Springer; 2007. p. 535–554.
            • 6. Boldyreva A, Goyal V, Kumar V. Identity-based encryption with efficient revocation. In: Ning P, Syverson PF, Jha S, editors. ACM Conference on Computer and Communications Security—CCS 2008. ACM; 2008. p. 417–426.
              • 7. Libert B, Vergnaud D. Adaptive-ID Secure Revocable Identity-Based Encryption. In: Fischlin M, editor. Topics in Cryptology—CT-RSA 2009. vol. 5473 of Lecture Notes in Computer Science. Springer; 2009. p. 1–15.
                • 8. Chen J, Lim HW, Ling S, Wang H, Nguyen K. Revocable Identity-Based Encryption from Lattices. In: Susilo W, Mu Y, Seberry J, editors. Information Security and Privacy—ACISP 2012. vol. 7372 of Lecture Notes in Computer Science. Springer; 2012. p. 390–403.
                  • 9. Seo JH, Emura K. Revocable Identity-Based Encryption Revisited: Security Model and Construction. In: Kurosawa K, Hanaoka G, editors. Public-Key Cryptography—PKC 2013. vol. 7778 of Lecture Notes in Computer Science. Springer; 2013. p. 216–234.
                    • 10. Seo JH, Emura K. Efficient Delegation of Key Generation and Revocation Functionalities in Identity-Based Encryption. In: Dawson E, editor. Topics in Cryptology—CT-RSA 2013. vol. 7779 of Lecture Notes in Computer Science. Springer; 2013. p. 343–358.
                      • 11. Cheng S, Zhang J. Adaptive-ID Secure Revocable Identity-Based Encryption from Lattices via Subset Difference Method. In: López J, Wu Y, editors. Information Security Practice and Experience—ISPEC 2015. vol. 9065 of Lecture Notes in Computer Science. Springer; 2015. p. 283–297.
                        • 12. Seo JH, Emura K. Revocable Hierarchical Identity-Based Encryption: History-Free Update, Security Against Insiders, and Short Ciphertexts. In: Nyberg K, editor. Topics in Cryptology—CT-RSA 2015. vol. 9048 of Lecture Notes in Computer Science. Springer; 2015. p. 106–123.
                          • 13. Park S, Lee K, Lee DH. New Constructions of Revocable Identity-Based Encryption from Multilinear Maps. IEEE Trans Inf Forensic Secur. 2015;10(8):1564–1577.
                          • 14. Takayasu A, Watanabe Y. Lattice-Based Revocable Identity-Based Encryption with Bounded Decryption Key Exposure Resistance. In: Pieprzyk J, Suriadi S, editors. Information Security and Privacy - ACISP 2017. vol. 10342 of Lecture Notes in Computer Science. Springer; 2017. p. 184–204.
                            • 15. Lee K, Lee DH, Park JH. Efficient Revocable Identity-Based Encryption via Subset Difference Methods. Des Codes Cryptogr. 2017;85(1):39–76.
                            • 16. Lee K, Park S. Revocable Hierarchical Identity-Based Encryption with Shorter Private Keys and Update Keys. Des Codes Cryptogr. 2018;86(10):2407–2440.
                            • 17. Katsumata S, Matsuda T, Takayasu A. Lattice-Based Revocable (Hierarchical) IBE with Decryption Key Exposure Resistance. In: Lin D, Sako K, editors. Public-Key Cryptography—PKC 2019. vol. 11443 of Lecture Notes in Computer Science. Springer; 2019. p. 441–471.
                              • 18. Ma X, Lin D. Generic Constructions of Revocable Identity-Based Encryption. In: Liu Z, Yung M, editors. Information Security and Cryptology - Inscrypt 2019. vol. 12020 of Lecture Notes in Computer Science. Springer; 2019. p. 381–396.
                                • 19. Naor D, Naor M, Lotspiech J. Revocation and Tracing Schemes for Stateless Receivers. In: Kilian J, editor. Advances in Cryptology—CRYPTO 2001. vol. 2139 of Lecture Notes in Computer Science. Springer; 2001. p. 41–62.
                                  • 20. Halevy D, Shamir A. The LSD Broadcast Encryption Scheme. In: Yung M, editor. Advances in Cryptology—CRYPTO 2002. vol. 2442 of Lecture Notes in Computer Science. Springer; 2002. p. 47–60.
                                    • 21. Micali S. Efficient Certificate Revocation; 1996. Technical Report TM-542b.
                                      • 22. Aiello W, Lodha S, Ostrovsky R. Fast Digital Identity Revocation (Extended Abstract). In: Krawczyk H, editor. Advances in Cryptology—CRYPTO’98. vol. 1462 of Lecture Notes in Computer Science. Springer; 1998. p. 137–152.
                                        • 23. Naor M, Nissim K. Certificate revocation and certificate update. IEEE J Sel Areas Commun. 2000;18(4):561–570.
                                        • 24. Boneh D, Gentry C, Waters B. Collusion Resistant Broadcast Encryption with Short Ciphertexts and Private Keys. In: Shoup V, editor. Advances in Cryptology—CRYPTO 2005. vol. 3621 of Lecture Notes in Computer Science. Springer; 2005. p. 258–275.
                                          • 25. Delerablée C. Identity-Based Broadcast Encryption with Constant Size Ciphertexts and Private Keys. In: Kurosawa K, editor. Advances in Cryptology—ASIACRYPT 2007. vol. 4833 of Lecture Notes in Computer Science. Springer; 2007. p. 200–215.
                                            • 26. Lewko AB, Sahai A, Waters B. Revocation Systems with Very Small Private Keys. In: IEEE Symposium on Security and Privacy. IEEE Computer Society; 2010. p. 273–285.
                                              • 27. Lee K, Park JH. Identity-Based Revocation From Subset Difference Methods Under Simple Assumptions. IEEE Access. 2019;7:60333–60347.
                                              • 28. Watanabe Y, Emura K, Seo JH. New Revocable IBE in Prime-Order Groups: Adaptively Secure, Decryption Key Exposure Resistant, and with Short Public Parameters. In: Handschuh H, editor. Topics in Cryptology—CT-RSA 2017. vol. 10159 of Lecture Notes in Computer Science. Springer; 2017. p. 432–449.
                                                • 29. Lee K. Self-Updatable Encryption with Short Public Parameters and Its Extensions. Des Codes Cryptogr. 2016;79(1):121–161.
                                                • 30. Waters B. Dual System Encryption: Realizing Fully Secure IBE and HIBE under Simple Assumptions. In: Halevi S, editor. Advances in Cryptology—CRYPTO 2009. vol. 5677 of Lecture Notes in Computer Science. Springer; 2009. p. 619–636.
                                                  • 31. Sahai A, Seyalioglu H, Waters B. Dynamic Credentials and Ciphertext Delegation for Attribute-Based Encryption. In: Safavi-Naini R, Canetti R, editors. Advances in Cryptology - CRYPTO 2012. vol. 7417 of Lecture Notes in Computer Science. Springer; 2012. p. 199–217.
                                                    • 32. Lee K, Choi SG, Lee DH, Park JH, Yung M. Self-Updatable Encryption: Time Constrained Access Control with Hidden Attributes and Better Efficiency. In: Sako K, Sarkar P, editors. Advances in Cryptology—ASIACRYPT 2013. vol. 8269 of Lecture Notes in Computer Science. Springer; 2013. p. 235–254.
                                                      • 33. Lee K, Lee DH, Park JH, Yung M. CCA Security for Self-Updatable Encryption: Protecting Cloud Data When Clients Read/Write Ciphertexts. Computer Journal. 2019;62(4):545–562.
                                                      • 34. Yamada K, Attrapadung N, Emura K, Hanaoka G, Tanaka K. Generic Constructions for Fully Secure Revocable Attribute-Based Encryption. In: Foley SN, Gollmann D, Snekkenes E, editors. Computer Security - ESORICS 2017. vol. 10493 of Lecture Notes in Computer Science. Springer; 2017. p. 532–551.
                                                        • 35. Gentry C, Silverberg A. Hierarchical ID-Based Cryptography. In: Zheng Y, editor. Advances in Cryptology—ASIACRYPT 2002. vol. 2501 of Lecture Notes in Computer Science. Springer; 2002. p. 548–566.
                                                          • 36. Lee K, Koo WK, Lee DH, Park JH. Public-Key Revocation and Tracing Schemes with Subset Difference Methods Revisited. In: Kutylowski M, Vaidya J, editors. Computer Security—ESORICS 2014. vol. 8713 of Lecture Notes in Computer Science. Springer; 2014. p. 1–18.
                                                            • 37. Dodis Y, Katz J. Chosen-Ciphertext Security of Multiple Encryption. In: Kilian J, editor. Theory of Cryptography—TCC 2005. vol. 3378 of Lecture Notes in Computer Science. Springer; 2005. p. 188–209.
                                                              • 38. Boneh D, Boyen X. Efficient Selective-ID Secure Identity-Based Encryption Without Random Oracles. In: Cachin C, Camenisch J, editors. Advances in Cryptology - EUROCRYPT 2004. vol. 3027 of Lecture Notes in Computer Science. Springer; 2004. p. 223–238.
                                                                • 39. Okamoto T, Takashima K. Achieving Short Ciphertexts or Short Secret-Keys for Adaptively Secure General Inner-Product Encryption. In: Lin D, Tsudik G, Wang X, editors. CANS 2011. vol. 7092 of Lecture Notes in Computer Science. Springer; 2011. p. 138–159.
                                                                  • 40. Agrawal S, Boneh D, Boyen X. Efficient Lattice (H)IBE in the Standard Model. In: Gilbert H, editor. Advances in Cryptology—EUROCRYPT 2010. vol. 6110 of Lecture Notes in Computer Science. Springer; 2010. p. 553–572.
                                                                    • 41. Katsumata S, Yamada S. Non-zero Inner Product Encryption Schemes from Various Assumptions: LWE, DDH and DCR. In: Lin D, Sako K, editors. Public-Key Cryptography—PKC 2019. vol. 11443 of Lecture Notes in Computer Science. Springer; 2019. p. 158–188.