Anonymous and leakage resilient IBE and IPE

Abstract

We construct identity-based encryption and inner product encryption schemes under the decision linear assumption. Their private user keys are leakage-resilient in several scenarios. In particular,

• In the bounded memory leakage model (Akavia et al., TCC, vol. 5444, pp. 474–495, 2009), our basic schemes reach the maximum-possible leakage rate \(1-o(1)\).

• In the continual memory leakage model (Brakerski et al., Overcoming the hole in the bucket: public-key cryptography resilient to continual memory leakage, 2010; Dodis et al., Cryptography against continuous memory attacks, 2010), variants of the above schemes enjoy leakage rate at least \(\frac{1}{2} -o(1)\). Among the results, we improve upon the work of Brakerski et al. by presenting adaptively secure IBE schemes.

In addition, we prove that our IBE schemes are anonymous under the DLIN assumption, so that ciphertexts leaks no information on the corresponding identities. Similarly, attributes in IPE are proved computationally hidden in the corresponding ciphertexts.

Appendices

Appendix 1: Computing \(g^\mathbf {v}\)

We are given \(\mathbf {F}\in \mathbb {Z}_q^{2\times 2\ell }\), \(g^\mathbf {D}\in \mathbb {G}^{2\times 1}\) and want to compute \(g^\mathbf {v}\in \mathbb {G}^{2\ell \times 1}\) where \(\mathbf {F}\mathbf {v}= \mathbf {D}\). With all but negligible probability, we can assume that \(\mathbf {F}\) as generated in our scheme is of rank 2. Solving the linear equation \(\mathbf {F}\mathbf {v}=\mathbf {D}\) gives us \(\left[ \mathbf {I}_2 \big | \mathbf {F}_1\right] \mathbf {v}=\mathbf {F}_2\mathbf {D}\) where \(\mathbf {I}_2\) is the \(2\times 2\) identity matrix, and \(\mathbf {F}_1\in \mathbb {Z}^{2\times (2\ell -2)}, \mathbf {F}_2\in \mathbb {Z}_q^{2\times 2}\) depends on \(\mathbf {F}\). Now let \(\mathbf {w}=(\mathbf {v}[1], \mathbf {v}[2])^T\) and \(\mathbf {w}^{\prime }= (\mathbf {v}[3], \dots , \mathbf {v}[2\ell ])^T\) we have \(\mathbf {w}+ \mathbf {F}_1 \mathbf {w}^{\prime }=\mathbf {F}_2 \mathbf {D},\) so that \(\mathbf {w}^{\prime }\) can be free, and \(\mathbf {w}= \mathbf {F}_2 \mathbf {D}- \mathbf {F}_1 \mathbf {w}^{\prime }\). Since \(g^\mathbf {D}\) is given, we can compute \(g^\mathbf {w}\), and hence \(g^\mathbf {v}\) as well.

Appendix 2: Public key encryption scheme \({\mathcal {L}\ell }\) in [13]

1.1 Description

Fix integer parameter \(\ell \ge 7\). In key-generation, take random matrices \(\mathbf {A}\in \mathbb {Z}_q^{2\times \ell }\) and \(\mathbf {Y}\in \mathbb {Z}_q^{\ell \times 2}\) such that \(\mathbf {A}\mathbf {Y}= \mathbf {0}\). The public key is \(pk = g^{\mathbf {A}}\) and the secret key is \(sk = g^{\mathbf {Y}}\). To update the secret key, take random \(\mathbf {R}\in \mathbb {Z}_q^{2\times 2}\) and set \(sk^{\prime } = g^{\mathbf {Y}\mathbf {R}}\). Message space is of one bit. Encryption of bit 1 is \(g^\mathbf{u}\) for random vector \(\mathbf{u}\in \mathbb {Z}_q^{\ell }\). Encryption of bit 0 is \(g^{\mathbf{r}\mathbf {A}}\) for random vector \(\mathbf{r} \in \mathbb {Z}_q^{1\times 2}\). In decryption, given a ciphertext \(g^\mathbf{c}\) and secret key \(g^{\mathbf {Y}}\), apply pairing \({\hat{e}}\) to get \({\hat{e}}(g,g)^{\mathbf{c}\mathbf {Y}}\). If the result equals \({\hat{e}}(g,g)^{\mathbf {0}}\), return 0, otherwise return 1 as the message.

1.2 Security in CML model

Under the DLIN assumption, for \(\ell \ge 7\) and for all constants \(\gamma , c>0\), the above public key encryption scheme is secure in the CML model with update and memory leakage rates

$$\begin{aligned} (\rho _U,\rho _M)=\left( \frac{c\log _2 |q|}{(2\ell +4)\log _2 q}, \frac{\ell -6-\gamma }{2\ell }\right) . \end{aligned}$$