You Can Sign but Not Decrypt: Hierarchical Integrated Encryption and Signature

Abstract

Recently, Chen et al. (ASIACRYPT 2021) introduced a notion called hierarchical integrated signature and encryption (HISE), which provides a new principle for combining public key schemes. It uses a single public key for both signature and encryption schemes, and one can derive a decryption key from the signing key but not vice versa. Whereas, they left the dual notion where the signing key can be derived from the decryption key as an open problem.

In this paper, we resolve the problem by formalizing the notion called hierarchical integrated encryption and signature (HIES). Similar to HISE, it features a unique public key for both encryption and signature components and has a two-level key derivation mechanism, but reverses the hierarchy between signing key and decryption key, i.e. one can derive a signing key from the decryption key but not vice versa. This property enables secure delegation of signing capacity in the public key reuse setting. We present a generic construction of HIES from constrained identity-based encryption. Furthermore, we instantiate our generic HIES construction and implement it. The experimental result demonstrates that our HIES scheme is comparable to the best Cartesian product combined public-key scheme in terms of efficiency, and is superior in having richer functionality as well as retaining merits of key reuse.

A Hierarchical Identity-Based Encryption

Hierarchical identity-based encryption (HIBE) is first introduced in [19, 21]. We formally describe the definition of HIBE below. In an HIBE scheme, users having a position in the hierarchy, are specified by an ID-tuple \( \textsf{ID}=\left( I_{1},\cdots ,I_{j}\right) \), where \( I_{i} \) corresponds to the identity at level i.

1.1 A.1 Definition of HIBE

Definition 6

A hierarchical identity-based encryption scheme consists of five polynomial-time algorithms:

• \(\textsf{Setup}(1^\lambda )\): on input a security parameter \(\lambda \), outputs public parameters pp, including the plaintext space \( \mathcal {M} \), the ciphertext space \( \mathcal {C} \) and the identity space \( \mathcal {I} \) in every level.

• \( \textsf{KeyGen}(pp) \): on input the public parameters pp, outputs a public key mpk and a master secret key msk (i.e. root secret in level-0).

• \( \textsf{Extract}(mpk,sk_{\textsf{ID}},\left\langle \textsf{ID},I\right\rangle ) \): on input the public key mpk, a secret key for ID-tuple \( \textsf{ID} \), and an ID-tuple \( \left\langle \textsf{ID},I\right\rangle \) which is a child node of \( \textsf{ID} \), outputs \( sk_{\left\langle \textsf{ID},I\right\rangle } \).

• \( \textsf{Enc}(mpk, \textsf{ID}, m) \): on input public key mpk, the ID-tuple of the intended message recipient \( \textsf{ID} \) and a message \( m\in \mathcal {M} \), outputs a ciphertext \( c\in \mathcal {C} \).

• \( \textsf{Dec}(sk_\textsf{ID},c) \): on input a secret key \( sk_\textsf{ID} \) and a ciphertext c, outputs a message m or a special reject symbol \(\bot \) denoting failure.

Correctness. An HIBE scheme is correct, if encryption algorithm \( \textsf{Enc} \) and decryption algorithm \( \textsf{Dec} \) satisfy the standard consistency constraint, namely, when \( sk_\textsf{ID} \) is the secret key generated by the extraction algorithm \( \textsf{Extract} \) for user \( \textsf{ID} \), then for any \( m\in \mathcal {M} \) and \( c\leftarrow \textsf{Enc}(mpk, \textsf{ID}, m) \), it always holds that \( \textsf{Dec}(sk_\textsf{ID},c)=m \).

Security. Let \( \mathcal {O}_\textsf{extract} \) be an oracle of \( \textsf{Extract} \) that on input an ID-tuple \( \textsf{ID} \) and outputs \( sk_{\textsf{ID}}\). An HIBE scheme is IND-CPA secure, if for all PPT adversary \( \mathcal {A} \) there is a negligible function \( \textsf{negl}(\lambda ) \) such that:

$$\begin{aligned} \Pr \left[ b=b': \begin{array}{l} pp \leftarrow \textsf{Setup}(1^\lambda ); \\ (mpk, msk) \leftarrow \textsf{KeyGen}(pp);\\ (\textsf{ID}^{*},(m_{0},m_{1}))\leftarrow \mathcal {A}^{\mathcal {O}_\textsf{extract}} (pp,mpk);\\ b{\mathop {\leftarrow }\limits ^{R}}\{0,1\},c^{*}\leftarrow \textsf{Enc}(mpk,\textsf{ID}^{*},m_{b});\\ b'\leftarrow \mathcal {A}^{\mathcal {O}_\textsf{extract}}(c^{*}); \end{array} \right] \le \frac{1}{2}+\textsf{negl}(\lambda ). \end{aligned}$$

In guess stage, \( \mathcal {A} \) is not allowed to query the \( \mathcal {O}_\textsf{extract} \) for \( \textsf{ID}^{*} \) or the ancestor nodes of it (i.e. \( \textsf{ID} \)s which are prefixed with \( \textsf{ID}^{*} \)). Meanwhile, two weaker security notions can be defined similarly. One is OW-CPA security, in which the adversary is required to recover the plaintext from a random ciphertext. The other is selective-identity IND-CPA security, in which the adversary must commit ahead of time (non-adaptively) to the identity it intends to attack before seeing the mpk.

1.2 A.2 Boneh-Boyen HIBE Scheme

We review the \( \ell \)-HIBE scheme of Boneh-Boyen (\(\mathsf {BB_{1}\text {-}IBE}\)) [9] as below. As [6, 18] noticed, compared to symmetric pairings, asymmetric pairings yield schemes having more efficiency in terms of both bandwidth and computation time. Therefore, we adjust the original Boneh-Boyen HIBE with asymmetric pairings.

• \( \textsf{Setup}(1^{\lambda }) \): on input the security parameter \( \lambda \), generates an asymmetric pairings tuple \( \left( \mathbb {G}_{1},\mathbb {G}_{2}, \mathbb {G}_{T}, p, g_{1}, g_{2}, e\right) \), and picks a family of collision resistant hash functions \( \textsf{H}_{j}:\{0,1\}^{*}\rightarrow \mathbb {G}_{2} \) for \( j\in [0,\ell ] \). The public parameters pp include the description of bilinear groups and the hash functions \( \{\textsf{H}_{j}\}_{j\in [0,\ell ]} \). The \( \textsf{ID} \) at level-j is \( \mathcal {I}^{j}=(\{0,1\}^{*})^{j} \). The plaintext space is \( \mathcal {M}=\mathbb {G}_{T} \).

• \( \textsf{KeyGen}(pp) \): on input the public parameters pp, picks a random \( \alpha \in \mathbb {Z}_{p} \), sets \( f_{1}=g_{1}^{\alpha } \) and \( f_{2}=g_{2}^{\alpha } \), sets public key \( mpk=f_{1}=g_{1}^{\alpha } \) and master secret key \( msk=f_{2}=g_{2}^{\alpha } \).

• \( \textsf{Extract}( mpk,sk_{\textsf{ID}},\left\langle \textsf{ID},I\right\rangle ) \): on input the public key mpk, a level-j private key \( sk_\textsf{ID}=\left( d_{0},\dots ,d_{j} \right) \in \left( \mathbb {G}_{2},\mathbb {G}_{1}^{j}\right) \) and a level-\( (j+1) \) ID-tuple \( \left\langle \textsf{ID},I\right\rangle =\left( I_{1},\dots ,I_{j},I_{j+1}\right) \in (\{0,1\}^{*})^{j+1} \), first picks a random \( r \in \mathbb {Z}_{p}\) and outputs

  $$\begin{aligned} sk_{\left\langle \textsf{ID},I\right\rangle }=\left( d_{0}\cdot \textsf{H}_{j+1}(I_{j+1})^{r},d_{1},\dots ,d_{j},g_{2}^{r}\right) \in \left( \mathbb {G}_{2},\mathbb {G}_{1}^{j+1}\right) \end{aligned}$$

  Note that (1) when \( \textsf{ID} \) is an empty set denoted as \( \epsilon \), \( sk_\textsf{ID}\) is exactly the master secret key msk, that is \( sk_{\epsilon }=f_{2}=g_{2}^{\alpha } \). (2) all the private keys can be also extracted directly from the master secret key msk through computing \( sk_{\left\langle \textsf{ID},I\right\rangle }=\left( g_{2}^{\alpha }\cdot \prod _{k=1}^{j+1}\textsf{H}_{k}(I_{k})^{r_{k}},g_{1}^{r_{1}},\dots ,g_{1}^{r_{j+1}}\right) \) with random elements \( r_{1},\dots ,r_{j+1}\in \mathbb {Z}_{p} \).

• \( \textsf{Enc}( mpk, \textsf{ID}, m) \): on input the public key mpk, an ID-tuple \( \textsf{ID}=\left( I_{1},\dots ,I_{j}\right) \in (\{0,1\}^{*})^{j} \) and a message \( m\in \mathbb {G}_{T} \), picks a random \( s\in \mathbb {Z}_{p} \) and outputs

  $$\begin{aligned} C=\left( e(f_{1},g_{2})^{s}\cdot m, g_{1}^{s}, \textsf{H}_{1}(I_{1})^{s},\dots , \textsf{H}_{j}(I_{j})^{s}\right) \in \left( \mathbb {G}_{T},\mathbb {G}_{1},\mathbb {G}_{2}^{j}\right) . \end{aligned}$$

• \( \textsf{Dec}(sk_\textsf{ID},c) \): on input a private key \( sk_\textsf{ID}=\left( d_{0},d_{1},\dots ,d_{j} \right) \) and a ciphertext \( C=\left( A,B,C_{1},\dots ,C_{j}\right) \), outputs

  $$\begin{aligned} A\cdot \displaystyle {\frac{\prod _{k=1}^{j}e\left( d_{k},C_{k} \right) }{e\left( B,d_{0}\right) }}=m . \end{aligned}$$