Structure-Preserving Certificateless Encryption and Its Application

Abstract

Certificateless encryption (CLE) combines the advantages of public-key encryption (PKE) and identity-based encryption (IBE) by removing the certificate management of PKE and the key escrow problem of IBE. In this paper, we propose structure-preserving CLE schemes. Structure preservation enables efficient non-interactive proof of certain ciphertext properties, thus supporting efficient modular constructions of advanced cryptographic protocols with a simple design.

As an illustration, we propose a structure-preserving group signature scheme with certified limited (CL) opening from structure-preserving CLE. CL opening allows a master certifier to certify openers. The opener who is the designated one for a group signature can open it (i.e., revoke its anonymity). Neither the certifier nor any non-designated openers can perform the opening. The structure-preserving property of our scheme can also hide who is the designated opener among a list of possibilities.

S. S. M. Chow—Supported by General Research Funds (CUHK 14210217) of the Research Grants Council, Hong Kong.

A Towards Removing \({\mathbb {G}}_{T}\) Elements from the Ciphertext

Recall that in our basic scheme (Sect. 4.2)

$$K = \{e(W_{2}, \tilde{R})e(U, \tilde{R}) / e(W_{1}, h) \}^{x} \{e({\mathsf {ID}}, \tilde{V}_{1})e(D_{\alpha }, \tilde{V}_{2})/e(g, h) \}^{y} / e(D_{\alpha }, h)^{z}.$$

We include the following terms in the ciphertext such that \(\prod _{i = 1}^{4}\{e(C_i, \tilde{C}_i)\} = K\).

$$\begin{aligned} C_1&= ((W_2\cdot U)^x)^{r_1},&\tilde{C}_1&= \tilde{R}^{1/r_1},&C_2&= ({\mathsf {ID}}^y)^{r_2},&\tilde{C}_2&= \tilde{V}_1^{1/r_2},\\ C_3&= ({D_\alpha }^y)^{r_3},&\tilde{C}_3&= \tilde{V}_2^{1/r_3},&C_4&= ({W_1}^x/g^y/{D_\alpha }^z)^{r_4},&\tilde{C}_4&= h^{1/r_4}. \end{aligned}$$

K can be recovered by \(e(C_{g}, \tilde{S})e(T, C_{R})e(C_{z}, \tilde{D}_{\alpha })\) as in the decryption algorithm.

The idea of encryption/decryption is still about encoding/recovering the bits \(\{\tau _{j}\}\) in \(C_{0} = M \cdot \prod _{j = 1}^{l}{G_{j}^{\tau _{j}}}\) (Sect. 4.3). Roughly, the trick [25] has two steps. First, we replicate K into l versions by different randomness. Second, we replicate the master public key and the private key into two versions based on different generators. To encode \(\tau _j = 0\), both encryption and decryption should use the first version of the corresponding key. Similarly, \(\tau _j = 1\) takes the second version.