Abstract
Recently, Chen et al. (ASIACRYPT 2021) introduced a notion called hierarchical integrated signature and encryption (HISE), which provides a new principle for combining public key schemes. It uses a single public key for both the signature and the encryption scheme, and one can derive a decryption key from the signing key but not vice versa. However, they left the dual notion, in which the signing key can be derived from the decryption key, as an open problem.
In this paper, we resolve the problem by formalizing the notion called hierarchical integrated encryption and signature (HIES). Similar to HISE, it features a unique public key for both encryption and signature components and has a two-level key derivation mechanism, but reverses the hierarchy between signing key and decryption key, i.e. one can derive a signing key from the decryption key but not vice versa. This property enables secure delegation of signing capacity in the public key reuse setting. We present a generic construction of HIES from constrained identity-based encryption. Furthermore, we instantiate our generic HIES construction and implement it. The experimental results demonstrate that our HIES scheme is comparable to the best Cartesian product combined public-key scheme in terms of efficiency, and is superior in having richer functionality while retaining the merits of key reuse.
Notes
1. Key escrow means that the owner delegates his decryption/signing capacity to the escrow agent simply by sharing his decryption/signing key with the agent.
2. A public key certificate, which is signed by a certificate authority (CA), is an electronic document used to validate the public key. Its costs include, but are not limited to, registration, issuing, storage, transmission, verification, and building/recurring fees.
References
Government of Canada. https://www.canada.ca/en/shared-services/corporate/transparency/briefing-documents/ministerial-briefing-book/delegation.html
The University of Iowa. https://opsmanual.uiowa.edu/administrative-financial-and-facilities-policies/facsimile-signatures-and-signature-assignment-2
Viafirma. https://www.viafirma.com/blog-xnoccio/en/signature-delegation/
WhatsApp. https://www.whatsapp.com
Akinyele, J.A., Garman, C., Hohenberger, S.: Automating fast and secure translations from Type-I to Type-III pairing schemes. In: ACM CCS 2015, pp. 1370–1381 (2015)
Alimi, P.: On the use of pedersen commitments for confidential payments. https://research.nccgroup.com/2021/06/15/on-the-use-of-pedersen-commitments-for-confidential-payments/
Boldyreva, A.: Secure proxy signature scheme for delegation of signing rights (2003). http://eprint.iacr.org/2003/096/
Boneh, D., Boyen, X.: Efficient selective-ID secure identity-based encryption without random oracles. Cryptology ePrint Archive, Report 2004/172 (2004). https://ia.cr/2004/172
Bünz, B., Agrawal, S., Zamani, M., Boneh, D.: Zether: towards privacy in a smart contract world. In: Bonneau, J., Heninger, N. (eds.) FC 2020. LNCS, vol. 12059, pp. 423–443. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-51280-4_23
Canetti, R., Halevi, S., Katz, J.: A forward-secure public-key encryption scheme. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 255–271. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-39200-9_16
Cao, F., Cao, Z.: A secure identity-based multi-proxy signature scheme. Comput. Electr. Eng. 35(1), 86–95 (2009)
Chen, Y., Ma, X., Tang, C., Au, M.H.: PGC: pretty good confidential transaction system with auditability. In: ESORICS 2020, pp. 591–610 (2020)
Chen, Y., Tang, Q., Wang, Y.: Hierarchical integrated signature and encryption. Cryptology ePrint Archive, Report 2021/1237 (2021). https://ia.cr/2021/1237
Coron, J.-S., Joye, M., Naccache, D., Paillier, P.: Universal padding schemes for RSA. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 226–241. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45708-9_15
Dai, J.Z., Yang, X.H., Dong, J.X.: Designated-receiver proxy signature scheme for electronic commerce. In: 2003 IEEE International Conference on Systems, Man and Cybernetics (SMC 2003) (2003)
Fujisaki, E., Okamoto, T.: Secure integration of asymmetric and symmetric encryption schemes. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 537–554. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48405-1_34
Galbraith, S.D., Paterson, K.G., Smart, N.P.: Pairings for cryptographers. Discret. Appl. Math. 16, 3113–3121 (2008)
Gentry, C., Silverberg, A.: Hierarchical ID-based cryptography. In: Zheng, Y. (ed.) ASIACRYPT 2002. LNCS, vol. 2501, pp. 548–566. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-36178-2_34
Haber, S., Pinkas, B.: Securely combining public-key cryptosystems. In: ACM CCS 2001, pp. 215–224 (2001)
Horwitz, J., Lynn, B.: Toward hierarchical identity-based encryption. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 466–481. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-46035-7_31
Huang, X., Mu, Y., Susilo, W., Zhang, F., Chen, X.: A short proxy signature scheme: efficient authentication in the ubiquitous world. In: Enokido, T., Yan, L., Xiao, B., Kim, D., Dai, Y., Yang, L.T. (eds.) EUC 2005. LNCS, vol. 3823, pp. 480–489. Springer, Heidelberg (2005). https://doi.org/10.1007/11596042_50
Huang, X., Susilo, W., Mu, Y., Wu, W.: Proxy signature without random oracles. In: Cao, J., Stojmenovic, I., Jia, X., Das, S.K. (eds.) MSN 2006. LNCS, vol. 4325, pp. 473–484. Springer, Heidelberg (2006). https://doi.org/10.1007/11943952_40
Kim, S., Park, S., Won, D.: Proxy signatures, revisited. In: Han, Y., Okamoto, T., Qing, S. (eds.) ICICS 1997. LNCS, vol. 1334, pp. 223–232. Springer, Heidelberg (1997). https://doi.org/10.1007/BFb0028478
Komano, Y., Ohta, K.: Efficient universal padding techniques for multiplicative trapdoor one-way permutation. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 366–382. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-45146-4_22
Lee, B., Kim, H., Kim, K.: Secure mobile agent using strong non-designated proxy signature. In: Varadharajan, V., Mu, Y. (eds.) ACISP 2001. LNCS, vol. 2119, pp. 474–486. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-47719-5_37
Mambo, M., Usuda, K., Okamoto, E.: Proxy signatures: delegation of the power to sign messages. IEICE Trans. Fundam. Electron. Commun. Comput. Sci. 79(9), 1338–1354 (1996)
Mambo, M., Usuda, K., Okamoto, E.: Proxy signatures for delegating signing operation. In: ACM CCS 1996, pp. 48–57 (1996)
Neuman, B.: Proxy-based authorization and accounting for distributed systems. In: Proceedings of the 13th International Conference on Distributed Computing Systems, pp. 283–291 (1993)
Paterson, K.G., Schuldt, J.C.N., Stam, M., Thomson, S.: On the joint security of encryption and signature, revisited. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 161–178. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25385-0_9
Rubin, K., Silverberg, A.: Compression in finite fields and torus-based cryptography. SIAM J. Comput. 37(5), 1401–1428 (2008)
Sakemi, Y., Kobayashi, T., Saito, T., Wahby, R.S.: Pairing-Friendly Curves. Internet-Draft draft-irtf-cfrg-pairing-friendly-curves-09, Internet Engineering Task Force (2020). https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-pairing-friendly-curves-09
Shigeo, M.: A portable and fast pairing-based cryptography library. https://github.com/herumi/mcl
Shim, K.A.: Short designated verifier proxy signatures. Comput. Electr. Eng. 37(2), 180–186 (2011)
Acknowledgements
We thank the anonymous reviewers for their helpful feedback. This work is supported by the National Key Research and Development Program of China (Grant No. 2021YFA1000600), the National Natural Science Foundation of China (Grant No. 62272269), and the Taishan scholar program of Shandong Province.
A Hierarchical Identity-Based Encryption
Hierarchical identity-based encryption (HIBE) was first introduced in [19, 21]. We formally describe the definition of HIBE below. In an HIBE scheme, users, each occupying a position in the hierarchy, are specified by an ID-tuple \( \textsf{ID}=\left( I_{1},\cdots ,I_{j}\right) \), where \( I_{i} \) corresponds to the identity at level i.
A.1 Definition of HIBE
Definition 6
A hierarchical identity-based encryption scheme consists of five polynomial-time algorithms:
- \(\textsf{Setup}(1^\lambda )\): on input a security parameter \(\lambda \), outputs public parameters pp, including the plaintext space \( \mathcal {M} \), the ciphertext space \( \mathcal {C} \) and the identity space \( \mathcal {I} \) at every level.
- \( \textsf{KeyGen}(pp) \): on input the public parameters pp, outputs a public key mpk and a master secret key msk (i.e. the root secret at level 0).
- \( \textsf{Extract}(mpk,sk_{\textsf{ID}},\left\langle \textsf{ID},I\right\rangle ) \): on input the public key mpk, a secret key for the ID-tuple \( \textsf{ID} \), and an ID-tuple \( \left\langle \textsf{ID},I\right\rangle \) which is a child node of \( \textsf{ID} \), outputs \( sk_{\left\langle \textsf{ID},I\right\rangle } \).
- \( \textsf{Enc}(mpk, \textsf{ID}, m) \): on input the public key mpk, the ID-tuple \( \textsf{ID} \) of the intended message recipient and a message \( m\in \mathcal {M} \), outputs a ciphertext \( c\in \mathcal {C} \).
- \( \textsf{Dec}(sk_\textsf{ID},c) \): on input a secret key \( sk_\textsf{ID} \) and a ciphertext c, outputs a message m or a special reject symbol \(\bot \) denoting failure.
Correctness. An HIBE scheme is correct if the encryption algorithm \( \textsf{Enc} \) and the decryption algorithm \( \textsf{Dec} \) satisfy the standard consistency constraint, namely, when \( sk_\textsf{ID} \) is the secret key generated by the extraction algorithm \( \textsf{Extract} \) for user \( \textsf{ID} \), then for any \( m\in \mathcal {M} \) and \( c\leftarrow \textsf{Enc}(mpk, \textsf{ID}, m) \), it always holds that \( \textsf{Dec}(sk_\textsf{ID},c)=m \).
Security. Let \( \mathcal {O}_\textsf{extract} \) be an oracle for \( \textsf{Extract} \) that, on input an ID-tuple \( \textsf{ID} \), outputs \( sk_{\textsf{ID}}\). An HIBE scheme is IND-CPA secure if for every PPT adversary \( \mathcal {A} \) there is a negligible function \( \textsf{negl}(\lambda ) \) such that:
In the guess stage, \( \mathcal {A} \) is not allowed to query \( \mathcal {O}_\textsf{extract} \) on \( \textsf{ID}^{*} \) or on any of its ancestor nodes (i.e. the ID-tuples that are prefixes of \( \textsf{ID}^{*} \)), since a key for an ancestor would let \( \mathcal {A} \) derive \( sk_{\textsf{ID}^{*}} \) itself. Two weaker security notions can be defined similarly. One is OW-CPA security, in which the adversary is required to recover the plaintext from a random ciphertext. The other is selective-identity IND-CPA security, in which the adversary must commit ahead of time (non-adaptively) to the identity it intends to attack, before seeing mpk.
A.2 Boneh-Boyen HIBE Scheme
We review the \( \ell \)-HIBE scheme of Boneh-Boyen (\(\mathsf {BB_{1}\text {-}IBE}\)) [9] as follows. As observed in [6, 18], asymmetric pairings yield schemes that are more efficient than their symmetric-pairing counterparts in terms of both bandwidth and computation time. Therefore, we adapt the original Boneh-Boyen HIBE to asymmetric pairings.
- \( \textsf{Setup}(1^{\lambda }) \): on input the security parameter \( \lambda \), generates an asymmetric pairing tuple \( \left( \mathbb {G}_{1},\mathbb {G}_{2}, \mathbb {G}_{T}, p, g_{1}, g_{2}, e\right) \), and picks a family of collision-resistant hash functions \( \textsf{H}_{j}:\{0,1\}^{*}\rightarrow \mathbb {G}_{2} \) for \( j\in [0,\ell ] \). The public parameters pp include the description of the bilinear groups and the hash functions \( \{\textsf{H}_{j}\}_{j\in [0,\ell ]} \). The identity space at level j is \( \mathcal {I}^{j}=(\{0,1\}^{*})^{j} \). The plaintext space is \( \mathcal {M}=\mathbb {G}_{T} \).
- \( \textsf{KeyGen}(pp) \): on input the public parameters pp, picks a random \( \alpha \in \mathbb {Z}_{p} \), sets \( f_{1}=g_{1}^{\alpha } \) and \( f_{2}=g_{2}^{\alpha } \), and outputs the public key \( mpk=f_{1}=g_{1}^{\alpha } \) and the master secret key \( msk=f_{2}=g_{2}^{\alpha } \).
- \( \textsf{Extract}( mpk,sk_{\textsf{ID}},\left\langle \textsf{ID},I\right\rangle ) \): on input the public key mpk, a level-j private key \( sk_\textsf{ID}=\left( d_{0},\dots ,d_{j} \right) \in \left( \mathbb {G}_{2},\mathbb {G}_{1}^{j}\right) \) and a level-\( (j+1) \) ID-tuple \( \left\langle \textsf{ID},I\right\rangle =\left( I_{1},\dots ,I_{j},I_{j+1}\right) \in (\{0,1\}^{*})^{j+1} \), picks a random \( r \in \mathbb {Z}_{p}\) and outputs
$$\begin{aligned} sk_{\left\langle \textsf{ID},I\right\rangle }=\left( d_{0}\cdot \textsf{H}_{j+1}(I_{j+1})^{r},d_{1},\dots ,d_{j},g_{1}^{r}\right) \in \left( \mathbb {G}_{2},\mathbb {G}_{1}^{j+1}\right) . \end{aligned}$$
Note that (1) when \( \textsf{ID} \) is the empty tuple, denoted \( \epsilon \), \( sk_\textsf{ID}\) is exactly the master secret key msk, that is, \( sk_{\epsilon }=f_{2}=g_{2}^{\alpha } \); and (2) all private keys can also be extracted directly from the master secret key msk by computing \( sk_{\left\langle \textsf{ID},I\right\rangle }=\left( g_{2}^{\alpha }\cdot \prod _{k=1}^{j+1}\textsf{H}_{k}(I_{k})^{r_{k}},g_{1}^{r_{1}},\dots ,g_{1}^{r_{j+1}}\right) \) with random elements \( r_{1},\dots ,r_{j+1}\in \mathbb {Z}_{p} \).
- \( \textsf{Enc}( mpk, \textsf{ID}, m) \): on input the public key mpk, an ID-tuple \( \textsf{ID}=\left( I_{1},\dots ,I_{j}\right) \in (\{0,1\}^{*})^{j} \) and a message \( m\in \mathbb {G}_{T} \), picks a random \( s\in \mathbb {Z}_{p} \) and outputs
$$\begin{aligned} C=\left( e(f_{1},g_{2})^{s}\cdot m, g_{1}^{s}, \textsf{H}_{1}(I_{1})^{s},\dots , \textsf{H}_{j}(I_{j})^{s}\right) \in \left( \mathbb {G}_{T},\mathbb {G}_{1},\mathbb {G}_{2}^{j}\right) . \end{aligned}$$
- \( \textsf{Dec}(sk_\textsf{ID},C) \): on input a private key \( sk_\textsf{ID}=\left( d_{0},d_{1},\dots ,d_{j} \right) \) and a ciphertext \( C=\left( A,B,C_{1},\dots ,C_{j}\right) \), outputs
$$\begin{aligned} A\cdot \displaystyle {\frac{\prod _{k=1}^{j}e\left( d_{k},C_{k} \right) }{e\left( B,d_{0}\right) }}=m . \end{aligned}$$
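As an added walk-through of Definition 6 and the Boneh-Boyen HIBE reviewed above (example code written for this page, not the paper's implementation or the mcl library), the following Python stores every group element as its discrete logarithm, so G1, G2 and G_T all collapse to Z_p and the pairing becomes multiplication of exponents. That makes the toy completely insecure (every logarithm is public), but it lets the Extract, Enc and Dec algebra, the root -> alice -> alice/laptop delegation chain, and the failure of a sibling's or an ancestor's key be checked end to end; the group order P and hashing to G2 via SHA-256 are assumptions of the example.

```python
import hashlib
import secrets

# Toy group order (a Mersenne prime): an assumption of this example, not a
# parameter from the paper. Real instantiations use a pairing-friendly curve.
P = (1 << 127) - 1

def H(level, ident):
    """Models H_level: {0,1}^* -> G2; returns the exponent h such that H_level(I) = g2^h."""
    return int.from_bytes(hashlib.sha256(f"{level}|{ident}".encode()).digest(), "big") % P

def pair(a, b):
    """e(g1^a, g2^b) = e(g1,g2)^(a*b): in exponent form the pairing is multiplication mod p."""
    return a * b % P

def keygen():
    """KeyGen: mpk = f1 = g1^alpha; the level-0 key sk_eps = msk = f2 = g2^alpha."""
    alpha = secrets.randbelow(P - 1) + 1
    return alpha, (alpha,)

def extract(sk_parent, child_id):
    """Extract: from a level-j key (d0, d1..dj) derive (d0*H_{j+1}(I_{j+1})^r, d1..dj, g1^r)."""
    d0, *ds = sk_parent
    r = secrets.randbelow(P)
    return ((d0 + r * H(len(child_id), child_id[-1])) % P, *ds, r)

def enc(mpk, ident, m):
    """Enc: C = (e(f1,g2)^s * m, g1^s, H_1(I_1)^s, ..., H_j(I_j)^s) for m in G_T."""
    s = secrets.randbelow(P)
    A = (pair(mpk, 1) * s + m) % P            # e(f1, g2)^s * m  (g2 has exponent 1)
    return (A, s, *[s * H(k, I) % P for k, I in enumerate(ident, start=1)])

def dec(sk, ct):
    """Dec: m = A * prod_k e(d_k, C_k) / e(B, d0); None if key and ciphertext levels differ."""
    d0, *ds = sk
    A, B, *Cs = ct
    if len(ds) != len(Cs):
        return None
    num = sum(pair(dk, Ck) for dk, Ck in zip(ds, Cs)) % P
    return (A + num - pair(B, d0)) % P

def demo():
    """Delegation chain root -> alice -> alice/laptop; only the matching derived key decrypts."""
    mpk, sk_root = keygen()
    sk_alice = extract(sk_root, ("alice",))
    sk_laptop = extract(sk_alice, ("alice", "laptop"))
    sk_bob_laptop = extract(extract(sk_root, ("bob",)), ("bob", "laptop"))
    m = 0xC0FFEE                              # constructed sample message (element of G_T)
    ct = enc(mpk, ("alice", "laptop"), m)
    return {"own_key": dec(sk_laptop, ct) == m,
            "sibling_key": dec(sk_bob_laptop, ct) == m,
            "ancestor_key": dec(sk_alice, ct)}
```

Calling demo() returns {'own_key': True, 'sibling_key': False, 'ancestor_key': None}: the key derived along the hierarchy decrypts, a sibling's key yields a wrong group element, and an ancestor's key does not fit the ciphertext level (it must first be used with extract to derive the descendant key, which is exactly why the IND-CPA game forbids ancestor queries).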
Copyright information
© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG
Zhang, M., Tu, B., Chen, Y. (2023). You Can Sign but Not Decrypt: Hierarchical Integrated Encryption and Signature. In: Deng, Y., Yung, M. (eds) Information Security and Cryptology. Inscrypt 2022. Lecture Notes in Computer Science, vol 13837. Springer, Cham. https://doi.org/10.1007/978-3-031-26553-2_4
DOI: https://doi.org/10.1007/978-3-031-26553-2_4
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-26552-5
Online ISBN: 978-3-031-26553-2