
Self-updatable encryption with short public parameters and its extensions

Published in Designs, Codes and Cryptography

Abstract

Cloud storage is very popular since it has many advantages, but there is a new threat to cloud storage that was not considered before. Self-updatable encryption that updates a past ciphertext to a future ciphertext by using a public key is a new cryptographic primitive introduced by Lee et al. (in: Sako K, Sarkar P (eds) Advances in cryptology—ASIACRYPT 2013, 2013) to defeat this threat, in which an adversary who obtained a past private key can still decrypt a (previously unread) past ciphertext stored in cloud storage. Additionally, an SUE scheme can be combined with an attribute-based encryption (ABE) scheme to construct a powerful revocable-storage ABE (RS-ABE) scheme introduced by Sahai et al. (in: Safavi-Naini R, Canetti R (eds) Advances in cryptology—CRYPTO 2012, 2012) that provides the key revocation and ciphertext updating functionality for cloud storage. In this paper, we propose an efficient SUE scheme and its extended schemes. First, we propose an SUE scheme with short public parameters in prime-order bilinear groups and prove its security under a \(q\)-type assumption. Next, we extend our SUE scheme to a time-interval SUE (TI-SUE) scheme that supports a time interval in ciphertexts. Our TI-SUE scheme has short public parameters and it is also secure under the \(q\)-type assumption. Finally, we propose the first large universe RS-ABE scheme with short public parameters in prime-order bilinear groups and prove its security in the selective revocation list model under a \(q\)-type assumption.


Notes

  1. In [22], there is a mistake in the description of the assumption. We correct it by changing \(g^{abc d_j / d_{j'}}\) to \(g^{abc d_j / d^2_{j'}}\).

References

  1. Boldyreva A., Goyal V., Kumar V.: Identity-based encryption with efficient revocation. In: Ning P., Syverson P.F., Jha S. (eds.) ACM Conference on Computer and Communications Security, pp. 417–426. ACM, New York (2008).

  2. Boneh D., Boyen X.: Efficient selective-ID secure identity-based encryption without random oracles. In: Cachin C., Camenisch J. (eds.) Advances in Cryptology—EUROCRYPT 2004. Lecture Notes in Computer Science, vol. 3027, pp. 223–238. Springer, Heidelberg (2004).

  3. Boneh D., Franklin M.K.: Identity-based encryption from the Weil pairing. In: Kilian J. (ed.) Advances in Cryptology—CRYPTO 2001. Lecture Notes in Computer Science, vol. 2139, pp. 213–229. Springer, Heidelberg (2001).

  4. Boneh D., Waters B.: Conjunctive, subset, and range queries on encrypted data. In: Vadhan S.P. (ed.) Theory of Cryptography—TCC 2007. Lecture Notes in Computer Science, vol. 4392, pp. 535–554. Springer, Heidelberg (2007).

  5. Boneh D., Boyen X., Goh E.J.: Hierarchical identity based encryption with constant size ciphertext. In: Cramer R. (ed.) Advances in Cryptology—EUROCRYPT 2005. Lecture Notes in Computer Science, vol. 3494, pp. 440–456. Springer, Heidelberg (2005).

  6. Boneh D., Sahai A., Waters B.: Functional encryption: definitions and challenges. In: Ishai Y. (ed.) Theory of Cryptography—TCC 2011. Lecture Notes in Computer Science, vol. 6597, pp. 253–273. Springer, Heidelberg (2011).

  7. Canetti R., Halevi S., Katz J.: A forward-secure public-key encryption scheme. In: Biham E. (ed.) Advances in Cryptology—EUROCRYPT 2003. Lecture Notes in Computer Science, vol. 2656, pp. 255–271. Springer, Heidelberg (2003).

  8. Datta P., Dutta R., Mukhopadhyay S.: Fully secure self-updatable encryption in prime order bilinear groups. In: Chow S.S.M., Camenisch J., Hui L.C.K., Yiu S. (eds.) Information Security—ISC 2014. Lecture Notes in Computer Science, vol. 8783, pp. 1–18. Springer, Heidelberg (2014).

  9. Dodis Y., Katz J., Xu S., Yung M.: Key-insulated public key cryptosystems. In: Knudsen L.R. (ed.) Advances in Cryptology—EUROCRYPT 2002. Lecture Notes in Computer Science, vol. 2332, pp. 65–82. Springer, Heidelberg (2002).

  10. Dodis Y., Franklin M.K., Katz J., Miyaji A., Yung M.: Intrusion-resilient public-key encryption. In: Joye M. (ed.) Topics in Cryptology—CT-RSA 2003. Lecture Notes in Computer Science, vol. 2612, pp. 19–32. Springer, Heidelberg (2003).

  11. Gentry C., Silverberg A.: Hierarchical ID-based cryptography. In: Zheng Y. (ed.) Advances in Cryptology—ASIACRYPT 2002. Lecture Notes in Computer Science, vol. 2501, pp. 548–566. Springer, Heidelberg (2002).

  12. Goyal V., Pandey O., Sahai A., Waters B.: Attribute-based encryption for fine-grained access control of encrypted data. In: Juels A., Wright R.N., di Vimercati S.D.C. (eds.) ACM Conference on Computer and Communications Security, pp. 89–98. ACM, New York (2006).

  13. Kasamatsu K., Matsuda T., Emura K., Attrapadung N., Hanaoka G., Imai H.: Time-specific encryption from forward-secure encryption. In: Visconti I., Prisco R.D. (eds.) Security and Cryptography for Networks—SCN 2012. Lecture Notes in Computer Science, vol. 7485, pp. 184–204. Springer, Heidelberg (2012).

  14. Lee K., Choi S.G., Lee D.H., Park J.H., Yung M.: Self-updatable encryption: Time constrained access control with hidden attributes and better efficiency. In: Sako K., Sarkar P. (eds.) Advances in Cryptology—ASIACRYPT 2013. Lecture Notes in Computer Science, vol. 8269, pp. 235–254. Springer, Heidelberg (2013).

  15. Lee K., Lee D.H., Park J.H.: Efficient revocable identity-based encryption via subset difference methods. Cryptology ePrint Archive, Report 2014/132 (2014). http://eprint.iacr.org/2014/132. Accessed 31 May 2014.

  16. Lewko A.B., Sahai A., Waters B.: Revocation systems with very small private keys. In: Proceedings of the IEEE Symposium on Security and Privacy, pp. 273–285. IEEE Computer Society, Washington (2010).

  17. Libert B., Vergnaud D.: Adaptive-ID secure revocable identity-based encryption. In: Fischlin M. (ed.) Topics in Cryptology—CT-RSA 2009. Lecture Notes in Computer Science, vol. 5473, pp. 1–15. Springer, Heidelberg (2009).

  18. Naor D., Naor M., Lotspiech J.: Revocation and tracing schemes for stateless receivers. In: Kilian J. (ed.) Advances in Cryptology—CRYPTO 2001. Lecture Notes in Computer Science, vol. 2139, pp. 41–62. Springer, Heidelberg (2001).

  19. Park S., Lee K., Lee D.H.: New constructions of revocable identity-based encryption from multilinear maps. Cryptology ePrint Archive, Report 2013/880 (2013). http://eprint.iacr.org/2013/880. Accessed 31 May 2014.

  20. Paterson K.G., Quaglia E.A.: Time-specific encryption. In: Garay J.A., Prisco R.D. (eds.) Security and Cryptography for Networks—SCN 2010. Lecture Notes in Computer Science, vol. 6280, pp. 1–16. Springer, Heidelberg (2010).

  21. Rivest R.L., Shamir A., Wagner D.A.: Time-lock puzzles and timed-release crypto. Technical Report MIT/LCS/TR-684 (1996).

  22. Rouselakis Y., Waters B.: Practical constructions and new proof methods for large universe attribute-based encryption. In: Sadeghi A.R., Gligor V.D., Yung M. (eds.) ACM Conference on Computer and Communications Security, pp. 463–474. ACM, New York (2013).

  23. Sahai A., Seyalioglu H., Waters B.: Dynamic credentials and ciphertext delegation for attribute-based encryption. In: Safavi-Naini R., Canetti R. (eds.) Advances in Cryptology—CRYPTO 2012. Lecture Notes in Computer Science, vol. 7417, pp. 199–217. Springer, Heidelberg (2012).

  24. Seo J.H., Emura K.: Efficient delegation of key generation and revocation functionalities in identity-based encryption. In: Dawson E. (ed.) Topics in Cryptology—CT-RSA 2013. Lecture Notes in Computer Science, vol. 7779, pp. 343–358. Springer, Heidelberg (2013).

  25. Seo J.H., Emura K.: Revocable identity-based encryption revisited: security model and construction. In: Kurosawa K., Hanaoka G. (eds.) Public Key Cryptography—PKC 2013. Lecture Notes in Computer Science, vol. 7778, pp. 216–234. Springer, Heidelberg (2013).

  26. Waters B.: Efficient identity-based encryption without random oracles. In: Cramer R. (ed.) Advances in Cryptology—EUROCRYPT 2005. Lecture Notes in Computer Science, vol. 3494, pp. 114–127. Springer, Heidelberg (2005).

  27. Waters B.: Dual system encryption: realizing fully secure IBE and HIBE under simple assumptions. In: Halevi S. (ed.) Advances in Cryptology—CRYPTO 2009. Lecture Notes in Computer Science, vol. 5677, pp. 619–636. Springer, Heidelberg (2009).

  28. Waters B.: Ciphertext-policy attribute-based encryption: an expressive, efficient, and provably secure realization. In: Catalano D., Fazio N., Gennaro R., Nicolosi A. (eds.) Public Key Cryptography—PKC 2011. Lecture Notes in Computer Science, vol. 6571, pp. 53–70. Springer, Heidelberg (2011).


Acknowledgments

This work was supported by Basic Science Research Program through NRF funded by the Ministry of Education (2013R1A1A2008394) and Mid-career Researcher Program through NRF grant funded by the MEST (2010-0029121).

Corresponding author

Correspondence to Kwangsu Lee.

Additional information

Communicated by C. Padro.

Appendices

Appendix 1: Definition of ciphertext delegatable encryption

Ciphertext delegatable encryption (CDE) is a new type of PKE, in which a ciphertext with a label \(L\) can be delegated to a new ciphertext with a label \(L'\) if \(L\) is a prefix of \(L'\). The concept of CDE was introduced by Lee et al. [14] to construct an SUE scheme. The formal syntax of CDE is described as follows:

Definition 8

(Ciphertext Delegatable Encryption) A ciphertext delegatable encryption (CDE) scheme for the set \(\mathcal {L}\) of labels consists of seven PPT algorithms Init, Setup, GenKey, Encrypt, DelegateCT, RandCT, and Decrypt, which are defined as follows:

  • Init(\(1^\lambda \)) The initialization algorithm takes as input a security parameter \(1^\lambda \), and it outputs a group description string \(GDS\).

  • Setup(\(GDS, l\)) The setup algorithm takes as input a group description string \(GDS\) and the maximum length \(l\) of the label strings, and it outputs a master key \(MK\) and public parameters \(PP\).

  • GenKey(\(L, MK, PP\)) The key generation algorithm takes as input a label string \(L \in \{0,1\}^n\) with \(n \le l\), the master key \(MK\), and the public parameters \(PP\), and it outputs a private key \(SK_L\).

  • Encrypt(\(L, PP\)) The encryption algorithm takes as input a label string \(L \in \{0,1\}^d\) with \(d \le l\) and the public parameters \(PP\), and it outputs a ciphertext header \(CH_L\) and a session key \(EK\).

  • DelegateCT(\(CH_L, c, PP\)) The ciphertext delegation algorithm takes as input a ciphertext header \(CH_L\) for a label string \(L \in \{0,1\}^d\) with \(d < l\), a bit value \(c \in \{0,1\}\), and the public parameters \(PP\), and it outputs a delegated ciphertext header \(CH_{L'}\) for the label string \(L' = L\Vert c\).

  • RandCT(\(CH_L, PP\)) The ciphertext randomization algorithm takes as input a ciphertext header \(CH_L\) for a label string \(L \in \{0,1\}^d\) with \(d < l\) and the public parameters \(PP\), and it outputs a re-randomized ciphertext header \(CH'_L\) and a partial session key \(EK'\).

  • Decrypt(\(CH_L, SK_{L'}, PP\)) The decryption algorithm takes as input a ciphertext header \(CH_L\), a private key \(SK_{L'}\), and the public parameters \(PP\), and it outputs a session key \(EK\) or the distinguished symbol \(\perp \).

The correctness of CDE is defined as follows: For all \(MK, PP\) generated by Setup, any \(SK_{L'}\) generated by \({\mathbf{{GenKey} }}\), any \(CH_L\) and \(EK\) generated by \({\mathbf{{Encrypt} }}\) or \({\mathbf{{DelegateCT} }}\), it is required that:

  • If \(L\) is a prefix of \(L'\), then \({\mathbf{{Decrypt} }} (CH_L, SK_{L'}, PP) = EK\).

  • If \(L\) is not a prefix of \(L'\), then \({\mathbf{{Decrypt} }} (CH_L, SK_{L'}, PP) = \perp \) with all but negligible probability.

Additionally, it requires that the ciphertext distribution of RandCT is statistically equal to that of Encrypt.

The security model of CDE was introduced by Lee et al. [14] and we follow the selective security model version of their security definition. The security is defined as follows:

Definition 9

(Selective Security) The selective security of CDE is defined in terms of the indistinguishability under chosen plaintext attacks (IND-CPA). The security game is defined as the following experiment between a challenger \(\mathcal {C}\) and a probabilistic polynomial-time (PPT) adversary \(\mathcal {A}\):

  1. Init: \(\mathcal {A}\) initially submits a challenge label string \(L^*\).

  2. Setup: \(\mathcal {C}\) generates a master key \(MK\) and public parameters \(PP\) by running \({\mathbf{{Init} }}\) and \({\mathbf{{Setup} }}\), and it gives \(PP\) to \(\mathcal {A}\).

  3. Query 1: \(\mathcal {A}\) may adaptively request a polynomial number of private keys for label strings \(L_1, \ldots , L_{q'}\), and \(\mathcal {C}\) gives the corresponding private keys \(SK_{L_1}, \ldots , SK_{L_{q'}}\) to \(\mathcal {A}\) by running \({\mathbf{{GenKey} }} (L_i, MK, PP)\) with the following restriction: For any label string \(L_i\) of private key queries, it is required that \(L^*\) is not a prefix of \(L_i\).

  4. Challenge: \(\mathcal {C}\) chooses a random bit \(b \in \{0,1\}\) and computes a ciphertext header \(CH^*\) and a session key \(EK^*\) by running \({\mathbf{{Encrypt} }}(L^*, PP)\). If \(b=0\), then it gives \(CH^*\) and \(EK^*\) to \(\mathcal {A}\). Otherwise, it gives \(CH^*\) and a random session key to \(\mathcal {A}\).

  5. Query 2: \(\mathcal {A}\) may continue to request private keys for additional label strings \(L_{q' + 1}, \ldots , L_q\) subject to the same restriction as before, and \(\mathcal {C}\) gives the corresponding private keys to \(\mathcal {A}\).

  6. Guess: Finally \(\mathcal {A}\) outputs a bit \(b'\).

The advantage of \(\mathcal {A}\) is defined as \(\mathbf{Adv}_{\mathcal {A}}^{CDE} (\lambda ) = \big | \Pr [b = b'] - \frac{1}{2} \big |\) where the probability is taken over all the randomness of the game. A CDE scheme is selectively secure under chosen plaintext attacks if for all PPT adversaries \(\mathcal {A}\), the advantage of \(\mathcal {A}\) in the above game is negligible in the security parameter \(\lambda \).

We can also define the full model that is stronger than the selective model of CDE. In the full model, an adversary submits a label string \(L^*\) at the challenge step instead of the init step.

Appendix 2: SUE under standard assumptions

In this section, we propose an SUE scheme with shorter public parameters and prove its selective security under the standard assumption.

1.1 Construction

To devise an SUE scheme under the standard assumption, we modify the SUE scheme in Sect. 3 by slightly increasing the number of group elements in the public parameters. In the security proof of Sect. 3, we can program multiple challenge labels into short public parameters with the help of the \(q\)-type assumption, but this programming technique is not available under the standard assumption. However, the number of group elements in the public parameters is still only proportional to the depth of the binary tree, since the number of challenge labels is itself proportional to the depth of the tree. Note that this SUE scheme has shorter public parameters than the SUE scheme of Lee et al. [14] in prime-order bilinear groups.

Our CDE scheme is described as follows:

  • CDE.Init(\(1^{\lambda }\)): This algorithm takes as input a security parameter \(1^{\lambda }\). It generates bilinear groups \(\mathbb {G}, \mathbb {G}_T\) of prime order \(p\). Let \(g\) be the generator of \(\mathbb {G}\). It outputs a group description string as \(GDS = \big ( (p, \mathbb {G}, \mathbb {G}_T, e),~ g \big )\).

  • CDE.Setup(\(GDS, l\)): This algorithm takes as input the string \(GDS\) and the maximum length \(l\) of label strings. It chooses random elements \(w, v, u, \{ h_{i,0}, h_{i,1} \}_{i=1}^l \in \mathbb {G}\) and a random exponent \(\beta \in \mathbb {Z}_p\). We define \(F_{i,b}(L) = u^L h_{i,b}\) where \(i \in [l]\) and \(b \in \{0,1\}\). It outputs the master key \(MK = \beta \) and the public parameters as

    $$\begin{aligned} PP = \Big ( (p, \mathbb {G}, \mathbb {G}_T, e),~ g,~ w,~ v,~ u,~ \{ h_{i,0}, h_{i,1} \}_{i=1}^l,~ \Lambda = e(g,g)^{\beta } \Big ). \end{aligned}$$
  • CDE.GenKey(\(L, MK, PP\)): This algorithm takes as input a label string \(L \in \{0,1\}^n\) where \(n \le l\), the master key \(MK\), and the public parameters \(PP\). It selects random exponents \(r, r_1, \ldots , r_n \in \mathbb {Z}_p\) and outputs a private key that implicitly includes \(L\) as

    $$\begin{aligned} SK_{L} = \Big ( K_0 = g^{\beta } w^{r},~ K_1 = g^{-r},~ \big \{ K_{i,1} = v^r F_{i,L[i]}(L|_i)^{r_i},~ K_{i,2} = g^{-r_i} \big \}_{i=1}^n \Big ). \end{aligned}$$
  • CDE.Encrypt(\(L, t, \mathbf {s}, PP\)): This algorithm takes as input a label string \(L \in \{0,1\}^d\) where \(d \le l\), a random exponent \(t \in \mathbb {Z}_p\), a vector \(\mathbf {s} = (s_1, \ldots , s_d) \in \mathbb {Z}_p^d\) of random exponents, and the public parameters \(PP\). It outputs a ciphertext header that implicitly includes \(L\) as

    $$\begin{aligned} CH_{L} = \Big ( C_0 = g^t,~ C_1 = w^t \prod _{i=1}^d v^{s_i},~ \big \{ C_{i,1} = g^{s_i},~ C_{i,2} = F_{i,L[i]}(L|_i)^{s_i} \big \}_{i=1}^d \Big ). \end{aligned}$$

    and a session key as \(EK = \Lambda ^t\).

  • CDE.DelegateCT(\(CH_L, c, PP\)): This algorithm takes as input a ciphertext header \(CH_L = ( C_0, C_1, \{ C_{i,1}, C_{i,2} \} )\) for a label string \(L \in \{0,1\}^d\) where \(d < l\), a bit value \(c \in \{0,1\}\), and the public parameters \(PP\). It selects a random exponent \(s_{d+1} \in \mathbb {Z}_p\) and outputs a delegated ciphertext header for a new label string \(L' = L\Vert c\) as

    $$\begin{aligned} CH_{L'}&= \Big ( C'_0 = C_0,~ C'_1 = C_1 \cdot v^{s_{d+1}},~ \big \{ C'_{i,1} = C_{i,1},~ C'_{i,2} = C_{i,2} \big \}_{i=1}^{d},\\&\quad C'_{d+1,1} = g^{s_{d+1}},~ C'_{d+1,2} = F_{d+1,c}(L')^{s_{d+1}} \Big ). \end{aligned}$$
  • CDE.RandCT(\(CH_L, t', \mathbf {s}', PP\)): This algorithm takes as input a ciphertext header \(CH_L = (C_0, C_1, \{ C_{i,1}, C_{i,2} \})\) for a label string \(L \in \{0,1\}^d\) where \(d \le l\), a random exponent \(t' \in \mathbb {Z}_p\), a vector \(\mathbf {s}' = (s'_1, \ldots , s'_d) \in \mathbb {Z}_p^d\) of random exponents, and the public parameters \(PP\). It outputs a re-randomized ciphertext header as

    $$\begin{aligned} CH'_{L}&= \Big ( C'_0 = C_0 \cdot g^{t'},~ C'_1 = C_1 \cdot w^{t'} \prod _{i=1}^d v^{s'_i},\\&\qquad \,\,\,\big \{ C'_{i,1} = C_{i,1} \cdot g^{s'_i}, C'_{i,2} = C_{i,2} \cdot F_{i,L[i]}(L|_i)^{s'_i} \big \}_{i=1}^d \Big ). \end{aligned}$$

    and a partial session key as \(EK' = \Lambda ^{t'}\) that will be multiplied with the session key \(EK\) of \(CH_L\).

  • CDE.Decrypt(\(CH_L, SK_{L'}, PP\)): This algorithm takes as input a ciphertext header \(CH_L\) for a label string \(L \in \{0,1\}^d\), a private key \(SK_{L'} = (K_0, K_1, \{ K_{i,1}, K_{i,2} \}_{i=1}^n )\) for a label string \(L' \in \{0,1\}^n\) where \(d \le n \le l\), and the public parameters \(PP\). If \(L\) is a prefix of \(L'\), then it derives \(CH'_{L'} = ( C'_0, C'_1, \{ C'_{i,1}, C'_{i,2} \}_{i=1}^n )\) by iteratively running \({\mathbf{{DelegateCT} }}\) and outputs a session key as

    $$\begin{aligned} EK = e(C'_0, K_0) \cdot e(C'_1, K_1) \cdot \prod _{i=1}^n \Big ( e(C'_{i,1}, K_{i,1}) \cdot e(C'_{i,2}, K_{i,2}) \Big ) \end{aligned}$$

    Otherwise, it outputs \(\perp \). The description of our SUE scheme is almost the same as that of Sect. 3. We omit the description of the SUE scheme.
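The following is an added example, not code from the paper: an exponent-level correctness check of the CDE scheme above. Every group element \(g^x\) is stored as its exponent \(x\) modulo a constructed prime `P` standing in for the group order \(p\), and the pairing \(e(g^x, g^y) = e(g,g)^{xy}\) becomes \(x \cdot y \bmod P\), so multiplications in \(\mathbb{G}\) and \(\mathbb{G}_T\) become additions of exponents. This is not a secure instantiation (all discrete logs are in the clear); it only verifies that Decrypt's pairing product collapses to \(\Lambda^t\) for a prefix key, that a re-randomized header decrypts to \(EK \cdot EK'\), and that a non-prefix key yields \(\perp\). Class and function names are the example's own.

```python
# Added example (not from the paper): exponent-level correctness check of the
# Appendix 2 CDE scheme. g^x is stored as x mod P; e(g^x, g^y) becomes x*y mod P.
# NOT secure: the discrete logs are in the clear. Use only to check the algebra.
import secrets

P = (1 << 127) - 1          # constructed prime standing in for the group order p


def rand_exp():
    """Random non-zero exponent in Z_p."""
    return secrets.randbelow(P - 1) + 1


def pair(x, y):
    """e(g^x, g^y) = e(g,g)^{xy}, represented by the exponent x*y."""
    return (x * y) % P


class CDE:
    """Init + Setup: public parameters (w, v, u, h_{i,b}, Lambda) and master key beta."""

    def __init__(self, l):
        self.l = l
        self.w, self.v, self.u = rand_exp(), rand_exp(), rand_exp()
        self.h = {(i, b): rand_exp() for i in range(1, l + 1) for b in (0, 1)}
        self.beta = rand_exp()          # MK
        self.Lambda = self.beta         # Lambda = e(g,g)^beta, kept as its exponent

    def F(self, i, b, L):
        """F_{i,b}(L) = u^L h_{i,b}; the bit string L is read as an integer."""
        return (self.u * int(L, 2) + self.h[(i, b)]) % P

    def genkey(self, L):
        n, r = len(L), rand_exp()
        K0 = (self.beta + self.w * r) % P           # g^beta w^r
        K1 = (-r) % P                               # g^{-r}
        Ks = []
        for i in range(1, n + 1):
            ri = rand_exp()
            Ki1 = (self.v * r + self.F(i, int(L[i - 1]), L[:i]) * ri) % P   # v^r F(L|_i)^{r_i}
            Ks.append((Ki1, (-ri) % P))                                      # ..., g^{-r_i}
        return (L, K0, K1, Ks)

    def encrypt(self, L):
        d, t = len(L), rand_exp()
        s = [rand_exp() for _ in range(d)]
        C1 = (self.w * t + self.v * sum(s)) % P     # w^t prod_i v^{s_i}
        Cs = [(s[i - 1], (self.F(i, int(L[i - 1]), L[:i]) * s[i - 1]) % P)
              for i in range(1, d + 1)]             # (g^{s_i}, F(L|_i)^{s_i})
        return (L, t, C1, Cs), (self.Lambda * t) % P   # header (C_0 = g^t) and EK = Lambda^t

    def delegate(self, CH, c):
        """DelegateCT: extend the label by bit c; only C_1 and the new C_{d+1,*} change."""
        L, C0, C1, Cs = CH
        d = len(L)
        assert d < self.l
        s, Lp = rand_exp(), L + str(c)
        return (Lp, C0, (C1 + self.v * s) % P, Cs + [(s, (self.F(d + 1, c, Lp) * s) % P)])

    def randct(self, CH):
        """RandCT: fresh t', s'_i; returns the new header and the partial key Lambda^{t'}."""
        L, C0, C1, Cs = CH
        d, tp = len(L), rand_exp()
        sp = [rand_exp() for _ in range(d)]
        Csp = [((Cs[i - 1][0] + sp[i - 1]) % P,
                (Cs[i - 1][1] + self.F(i, int(L[i - 1]), L[:i]) * sp[i - 1]) % P)
               for i in range(1, d + 1)]
        C0p, C1p = (C0 + tp) % P, (C1 + self.w * tp + self.v * sum(sp)) % P
        return (L, C0p, C1p, Csp), (self.Lambda * tp) % P

    def decrypt(self, CH, SK):
        """Decrypt: delegate CH_L down to the key label L', then take the pairing product."""
        Lp, K0, K1, Ks = SK
        if not Lp.startswith(CH[0]):
            return None                              # the symbol ⊥
        for bit in Lp[len(CH[0]):]:
            CH = self.delegate(CH, int(bit))
        _, C0, C1, Cs = CH
        ek = (pair(C0, K0) + pair(C1, K1)) % P       # e(C_0,K_0) e(C_1,K_1)
        for (Ci1, Ci2), (Ki1, Ki2) in zip(Cs, Ks):
            ek = (ek + pair(Ci1, Ki1) + pair(Ci2, Ki2)) % P
        return ek


def correctness_demo(l=4):
    """(prefix key decrypts, re-randomised header decrypts to EK*EK', non-prefix key gives ⊥)."""
    cde = CDE(l)
    sk = cde.genkey("0110")
    ch, ek = cde.encrypt("01")
    ok_prefix = cde.decrypt(ch, sk) == ek
    ch2, ek2 = cde.randct(ch)
    ok_rand = cde.decrypt(ch2, sk) == (ek + ek2) % P   # EK * EK' in G_T = sum of exponents
    ok_bot = cde.decrypt(ch, cde.genkey("10")) is None
    return ok_prefix, ok_rand, ok_bot


if __name__ == "__main__":
    print(correctness_demo())
```

Working through `decrypt` symbolically shows why the scheme is correct: \(e(C_0,K_0)\,e(C_1,K_1)\) leaves \(e(g,g)^{t\beta - r\sum_i v s_i}\), and each pair \(e(C_{i,1},K_{i,1})\,e(C_{i,2},K_{i,2})\) contributes exactly \(e(g,g)^{r v s_i}\), because the \(F_{i,L[i]}(L|_i)\) terms of key and (delegated) header agree only when \(L\) is a prefix of \(L'\).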

1.2 Security analysis

To prove the security of the above SUE scheme, we use the partitioning method. When preparing the public parameters, the simulator can program only one challenge label into each group element. The detailed security proof is given as follows:

Theorem 13

The above SUE scheme is selectively secure under chosen plaintext attacks if the DBDH assumption holds. That is, for any PPT adversary \(\mathcal {A}\), we have that \(\mathbf{Adv}_{\mathcal {A}}^{SUE}(\lambda ) \le \mathbf{Adv}_{\mathcal {B}}^{DBDH}(\lambda )\).

Proof

Suppose there exists an adversary \(\mathcal {A}\) that attacks the above SUE scheme with a non-negligible advantage. A simulator \(\mathcal {B}\) that solves the DBDH assumption using \(\mathcal {A}\) is given: a challenge tuple \(D = ((p, \mathbb {G}, \mathbb {G}_T, e), g, g^a, g^b, g^c)\) and \(Z\) where \(Z = Z_0 = e(g,g)^{abc}\) or \(Z = Z_1 = e(g,g)^d\). Then \(\mathcal {B}\) that interacts with \(\mathcal {A}\) is described as follows:

  • Init: \(\mathcal {A}\) initially submits a challenge time \(T^*\). \(\mathcal {B}\) first obtains a challenge label \(L^*\) that is associated with the challenge time \(T^*\) by computing \(L^* = \psi (T^*)\). Recall that \({\mathbf{{TimeLabels} }}(L) = \{ L \} \cup {\mathbf{{RightSibling} }}({\mathbf{{Path} }}(L)) \setminus {\mathbf{{Path} }} ({\mathbf{{Parent} }}(L))\). We define \({\mathbf{{TL} }}(L^*, i,j)\) to be a function that returns the label string \(L\) in \({\mathbf{{TimeLabels} }}(L^*)\) whose length is \(i\) and whose last bit satisfies \(L[i] = j\). Note that \({\mathbf{{TL} }}(L^*,i,j)\) returns \(0\) if there is no such label string for \(i\) and \(j\).

  • Setup: \(\mathcal {B}\) first chooses random exponents \(w', v', u', \{ h'_{i,j} \}_{\forall 1 \le i \le l, \forall j \in \{0,1\}} \in \mathbb {Z}_p\). It implicitly sets \(\beta = ab\) and publishes the public parameters \(PP\) as

    $$\begin{aligned} g,~ w&= g^a g^{w'},~ v = g^a g^{v'},~ u = g^a g^{u'},~ \big \{ h_{i,j} = \big (g^a\big )^{-{\mathbf{{TL} }}(L^*,i,j)} g^{h'_{i,j}} \big \}_{\forall 1 \le i \le l, \forall j \in \{0,1\}},\\ \Lambda&= e\big (g^a,g^b\big ). \end{aligned}$$
  • Query 1: \(\mathcal {A}\) adaptively requests a private key for a time \(T\) with the restriction \(T < T^*\). \(\mathcal {B}\) first obtains a label string \(L \in \{0,1\}^n\) by computing \(\psi (T)\). Next, it selects random exponents \(r', r'_1, \ldots , r'_n \in \mathbb {Z}_p\) and creates a private key by implicitly setting \(r = -b + r'\), \(\{ r_i = b/(L|_i - {\mathbf{{TL} }}(L^*,i,L[i])) + r'_i \}_{i=1}^n\) as

    $$\begin{aligned}&K_0 = \big (g^b\big )^{-w'} w^{r'},~ K_1 = g^b g^{-r'},~ \\&\Bigg \{ K_{i,1} = \big (g^b\big )^{-v'} v^{r'} \big (g^b\big )^{\big (u' L|_i + h'_{i,L[i]}\big )/\big (L|_i - {\mathbf{{TL} }}\big (L^*,i,L[i]\big )\big ) } F_{i,L[i]}\big (L|_i\big )^{r'_i},~ \\&~~ K_{i,2} = \big (g^b\big )^{-1/\big (L|_i - {\mathbf{{TL} }}\big (L^*,i,L[i]\big )\big )} g^{-r'_i} \Bigg \}_{i=1}^n. \end{aligned}$$

    Note that if \(T < T^*\), then it can create a private key since \({\mathbf{{Path} }}(L) \cap {\mathbf{{TimeLabels} }}(L^*) = \emptyset \) where \(L = \psi (T)\).

  • Challenge: To create the challenge ciphertext for the challenge time \(T^*\), \(\mathcal {B}\) proceeds as follows:

  1. It first sets a label \(L^* \in \{0,1\}^d\) by computing \(\psi (T^*)\). It chooses random exponents \(s_1, \ldots , s_{d-1}, s'_d \in \mathbb {Z}_p\). It implicitly sets \(t = c\), \(s_d = -c + s'_d\) and creates ciphertext components \(CH^{(0)}\) as

    $$\begin{aligned}&C_0 = g^c,~ C_1 = \big (g^c\big )^{w'} \prod _{i=1}^{d-1} v^{s_i} \big (g^c\big )^{-v'} v^{s'_d},~ \Bigg \{ C_{i,1} = g^{s_i},~ C_{i,2} = F_{i,L^*[i]}\big (L^*|_i\big )^{s_i} \Bigg \}_{i=1}^{d-1},~ \\&C_{d,1} = \big (g^c\big )^{-1} g^{s'_d},~ C_{d,2} = \big (g^c\big )^{-\big (u' L^*|_d + h'_{d,L^*[d]}\big )} F_{d,L^*[d]}\big (L^*|_d\big )^{s'_d}. \end{aligned}$$
  2. For \(1 \le j \le d\), it first sets \(L^{(j)} = L^*|_{d-j}\Vert 1\) and proceeds as follows: Let \(d^{(j)}\) be the length of \(L^{(j)}\). If \(L^{(j)} = L^*|_{d-j+1}\), it sets \(CH^{(j)}\) as an empty one. Otherwise, it selects \(s'_{d^{(j)}} \in \mathbb {Z}_p\) and creates ciphertext components \(CH^{(j)}\) as

    $$\begin{aligned}&C_1 = \big (g^c\big )^{w'} \prod _{i=1}^{d^{(j)}-1} v^{s_i} \big (g^c\big )^{-v'} v^{s'_{d^{(j)}}},~ \\&C_{d^{(j)},1} = \big (g^c\big )^{-1} g^{s'_{d^{(j)}}},~ C_{d^{(j)},2} = \big (g^c\big )^{-\big (u' L^{(j)} + h'_{d^{(j)},L[d^{(j)}]}\big )} F_{d^{(j)},L^{(j)}}\big (L^{(j)}\big )^{s'_{d^{(j)}}}. \end{aligned}$$
  3. It removes all empty \(CH^{(j)}\) and sets \(CH_T = \big ( CH^{(0)}, \ldots , CH^{(d')} \big )\) for some \(d'\) that consists of non-empty \(CH^{(j)}\).

  4. It sets the challenge ciphertext header as \(CH_{T^*} = CH_T\) and the session key \(EK = Z\). It gives \(CH_{T^*}\) and \(EK\) to \(\mathcal {A}\).

Note that it can create the challenge ciphertext for \(T^*\) since for all labels \(L^{(j)}\) in the challenge ciphertext, \(L^{(j)} \in {\mathbf{{TimeLabels} }}(L^*)\).

  • Query 2: Same as Query 1.

  • Guess: \(\mathcal {A}\) outputs a guess \(\mu '\). \(\mathcal {B}\) also outputs \(\mu '\).
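The simulation above depends on two facts about the time-label sets: for every queried time \(T < T^*\), \({\mathbf{{Path} }}(\psi(T))\) does not meet \({\mathbf{{TimeLabels} }}(L^*)\), while for \(T \ge T^*\) some label in \({\mathbf{{TimeLabels} }}(L^*)\) is a prefix of \(\psi(T)\). The following added example (not the paper's code) implements the set definition of TimeLabels from the Init step, the helper TL, and an exhaustive check of both facts on a small tree. It assumes that \(\psi\) maps time periods to nodes of the full binary tree by pre-order traversal (the paper defines \(\psi\) in Sect. 3, which is not on this page), and it interprets RightSibling so that TimeLabels reproduces exactly the labels \(L^{(j)}\) built in the Challenge step.

```python
# Added example (not from the paper): time-label bookkeeping used by the SUE
# simulation. Labels are bit strings naming nodes of a depth-l full binary tree.
# ASSUMPTION: psi assigns time periods to nodes by pre-order traversal.


def psi(T, l):
    """Label of the T-th node (0-based) of a depth-l full binary tree in pre-order."""
    label = ""
    while T > 0:
        child_subtree = (1 << (l - len(label))) - 1   # nodes in each child's subtree
        T -= 1                                        # step past the current node
        if T < child_subtree:
            label += "0"                              # target lies in the left subtree
        else:
            label += "1"                              # skip the whole left subtree
            T -= child_subtree
    return label


def path(L):
    """Path(L): all non-empty prefixes of L (the nodes below the root down to L)."""
    return {L[:i] for i in range(1, len(L) + 1)}


def parent(L):
    return L[:-1]


def right_sibling(nodes):
    """RightSibling(S): the right child of each node's parent (a right child maps to itself).
    This reading makes TimeLabels match the labels L^(j) of the proof's Challenge step."""
    return {n[:-1] + "1" for n in nodes if n}


def time_labels(L):
    """TimeLabels(L) = {L} ∪ RightSibling(Path(L)) minus Path(Parent(L))."""
    return {L} | (right_sibling(path(L)) - path(parent(L)))


def TL(L_star, i, j):
    """TL(L*, i, j): the label in TimeLabels(L*) of length i whose last bit is j, or None.
    (The proof writes 0 for 'none' because labels are used there as integer exponents.)"""
    for lab in time_labels(L_star):
        if len(lab) == i and lab[-1] == str(j):
            return lab
    return None


def key_decrypts(T_ct, T_key, l):
    """A key for T_key opens a ciphertext for T_ct iff some label in TimeLabels(psi(T_ct))
    is a prefix of psi(T_key), i.e. Path(psi(T_key)) meets TimeLabels(psi(T_ct))."""
    L_key = psi(T_key, l)
    return any(L_key.startswith(lab) for lab in time_labels(psi(T_ct, l)))


def check_time_order(l):
    """Exhaustively confirm: decryptable <=> T_ct <= T_key. The 'only if' half is the
    proof's claim that Path(psi(T)) ∩ TimeLabels(L*) = ∅ whenever T < T*."""
    n = (1 << (l + 1)) - 1     # number of tree nodes = number of time periods
    return all(key_decrypts(tc, tk, l) == (tc <= tk)
               for tc in range(n) for tk in range(n))


if __name__ == "__main__":
    print(sorted(time_labels("0100")))   # ['0100', '0101', '011', '1']
    print(check_time_order(4))           # True
```

Because at most one label of each length and last bit can occur in TimeLabels(\(L^*\)) (the path node \(L^*|_i\), or \(L^*|_{i-1}\Vert 1\) when \(L^*[i] = 0\)), TL is well defined, which is what lets the simulator embed one challenge label per element \(h_{i,j}\) in Setup.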

To finish the proof, we should show that the simulation is correct. The private key is correctly distributed as

$$\begin{aligned} K_0&= g^{\beta } w^r = g^{ab} \big (g^a g^{w'}\big )^{-b + r'} = \big (g^b\big )^{-w'} w^{r'},~ \\ K_1&= g^{-r} = g^{b - r'} = g^b g^{-r'},~ \\ K_{i,1}&= v^r F_{i,L[i]}(L|_i)^{r_i} = \big (g^a g^{v'}\big )^{-b + r'} \big ( \big (g^a\big )^{L|_i - {\mathbf{{TL} }}\big (L^*,i,L[i]\big )} g^{u' L|_i + h'_{i,L[i]}} \big )^{b/\big (L|_i - {\mathbf{{TL} }}\big (L^*,i,L[i]\big )\big ) + r'_i} \\&= \big (g^b\big )^{-v'} v^{r'} \big (g^b\big )^{\big (u' L|_i + h'_{i,L[i]}\big )/\big (L|_i - {\mathbf{{TL} }}\big (L^*,i,L[i]\big )\big ) } F_{i,L[i]}\big (L|_i\big )^{r'_i},~ \\ K_{i,2}&= g^{-r_i} = g^{-b/\big (L|_i - {\mathbf{{TL} }}\big (L^*,i,L[i]\big )\big ) - r'_i} = \big (g^b\big )^{-1/\big (L|_i - {\mathbf{{TL} }}\big (L^*,i,L[i]\big )\big )} g^{-r'_i}. \end{aligned}$$

Note that the term \(g^{ab}\) of \(K_{i,1}\) that is not given in the assumption is cancelled since \(L|_i - {\mathbf{{TL} }}(L^*,i,L[i]) \ne 0\).

The challenge ciphertext component \(CH^{(j)}\) is also correctly distributed as

$$\begin{aligned} C_1 &= w^t \prod _{i=1}^{d^{(j)}} v^{s_i} = \big (g^a g^{w'}\big )^c \prod _{i=1}^{d^{(j)}-1} v^{s_i} \cdot \big (g^a g^{v'}\big )^{-c + s'_{d^{(j)}}} = \big (g^c\big )^{w'} \prod _{i=1}^{d^{(j)}-1} v^{s_i} \cdot \big (g^c\big )^{-v'} v^{s'_{d^{(j)}}},~ \\ C_{d^{(j)},1}&= g^{s_{d^{(j)}}} = g^{-c + s'_{d^{(j)}}} = \big (g^c\big )^{-1} g^{s'_{d^{(j)}}},~ \\ C_{d^{(j)},2}&= F_{d^{(j)},L^*[d^{(j)}]}\big (L^{(j)}\big )^{s_{d^{(j)}}} = \Big ( \big (g^a\big )^{L^{(j)} - {\mathbf{{TL} }}\big (L^*,d^{(j)},L[d^{(j)}]\big )} g^{u' L^{(j)} + h'_{d^{(j)},L\big [d^{(j)}\big ]}} \Big )^{-c + s'_{d^{(j)}}} \\&= \big (g^c\big )^{-\big (u' L^{(j)} + h'_{d^{(j)},L[d^{(j)}]}\big )} F_{d^{(j)},L^{(j)}}\big (L^{(j)}\big )^{s'_{d^{(j)}}}. \end{aligned}$$

Note that the term \(g^{ac}\) of \(C_1\) is cancelled and the term \(g^{ac}\) of \(C_{d^{(j)},2}\) is not needed since \(L^{(j)} = {\mathbf{{TL} }}(L^*, d^{(j)}, L[d^{(j)}])\). This completes our proof. \(\square \)


Lee, K. Self-updatable encryption with short public parameters and its extensions. Des. Codes Cryptogr. 79, 121–161 (2016). https://doi.org/10.1007/s10623-015-0039-9
