Abstract
A key exposure problem is unavoidable since it seems human error can never be eliminated completely, and key-insulated encryption is one of the cryptographic solutions to the problem. At Asiacrypt’05, Hanaoka et al. introduced hierarchical key-insulation functionality, which is attractive functionality that enhances key exposure resistance, and proposed an identity-based hierarchical key-insulated encryption (hierarchical IKE) scheme in the random oracle model. In this paper, we first propose the hierarchical IKE scheme in the standard model (i.e., without random oracles). Our hierarchical IKE scheme is secure under the symmetric external Diffie–Hellman (\(\mathsf{SXDH}\)) assumption, which is a static assumption. Particularly, in the non-hierarchical case, our construction is the first IKE scheme that achieves constant-size parameters including public parameters, secret keys, and ciphertexts. Furthermore, we also propose the first public-key-based key-insulated encryption (PK-KIE) in the hierarchical setting by using our technique.
This is a preview of subscription content, log in via an institution to check access.
Similar content being viewed by others
Notes
This fact was also mentioned in [20].
This means that initial helper keys \(hk^{(\ell -1)}_{\texttt {I},0},\ldots ,hk^{(2)}_{\texttt {I},0},hk^{(1)}_{\texttt {I},0}\) must be updated by \(hk^{(\ell )}_{\texttt {I},0}\) first and foremost since \(0\notin \mathcal {T}_i\) for every \(i\in \{0,1,\ldots ,\ell -1\}\).
In the case \(i=\ell \), \(R_i^{(y)}\) and \(R_i^{(x)}\) mean empty strings, namely we have \(hk^{(\ell )}_{\texttt {I},0}:=(D_{y},D'_{y},\)\(D_{x},D'_{x},D, \{(K^{(y)}_{j},K^{(x)}_{j})\}_{j=0}^{\ell -1})\).
In the case \(i=1\), \(\{(\hat{k}^{(y)}_{j},\hat{k}^{(x)}_{j})\}_{j=0}^{\ell -1}\) means an empty string, namely we have \(\delta ^{(0)}_{\texttt {I},t_{0}}:=(\hat{d}_{y},\)\( \hat{d}'_{y}, \hat{d}_{x}, \hat{d}'_{x}, \hat{d})\).
The formal definitions of the \(\mathsf{CBDH}\) and \(\mathsf{DBDH}\) assumptions are given in Appendix A.
The formal description of the OTS is given in Appendix A.
This means that initial helper keys \(hk^{(\ell -1)}_{0},\ldots ,hk^{(2)}_{0},hk^{(1)}_{0}\) must be updated by \(hk^{(\ell )}_{0}\) first and foremost since \(0\notin \mathcal {T}_i\) for every \(i\in \{0,1,\ldots ,\ell -1\}\).
In the case \(i=\ell \), \(R_{\ell }\), \(D_{y}\), \(D_{x}\), D, and \(\{(K^{(y)}_{j},K^{(x)}_{j})\}_{j=0}^{i-1}\) mean empty strings, and we consider these as identity elements in \(\mathbb {G}_2\) when these elements are used in operations.
In the case \(i=1\), \(\{(\hat{k}^{(y)}_{j},\hat{k}^{(x)}_{j})\}_{j=0}^{\ell -1}\) means an empty string, namely we have \(\delta ^{(0)}_{t_{0}}:=(\hat{d}_{y}, \ldots , \hat{d}_5, \hat{k}_{vk},\hat{k}'_{vk})\).
References
Bellare M., Miner S.: A forward-secure digital signature scheme. In: Wiener M. (ed.) Advances in Cryptology—CRYPTO’99. Lecture Notes in Computer Science, vol. 1666, pp. 431–448. Springer, Berlin (1999).
Bellare M., Palacio A.: Protecting against key-exposure: strongly key-insulated encryption with optimal threshold. Appl. Algebr. Eng. Commun. Comput. 16(6), 379–396 (2006).
Bethencourt J., Sahai A., Waters B.: Ciphertext-policy attribute-based encryption. In: IEEE Symposium on Security and Privacy, S&P’07, pp. 321–334 (2007)
Blakley G.: Safeguarding cryptographic keys. In: Proceedings of the 1979 AFIPS National Computer Conference, pp. 313–317. AFIPS Press, Monval, NJ (1979)
Boneh D., Canetti R., Halevi S., Katz J.: Chosen ciphertext security from identity based encryption. SIAM J. Comput. 36(5), 1301–1328 (2007).
Boneh D., Sahai A., Waters B.: Functional encryption: definitions and challenges. In: Ishai Y. (ed.) Theory of Cryptography. Lecture Notes in Computer Science, vol. 6597, pp. 253–273. Springer, Berlin (2011).
Canetti R., Halevi S., Katz J.: A forward-secure public-key encryption scheme. In: Biham E. (ed.) Advances in Cryptology—EUROCRYPT 2003. Lecture Notes in Computer Science, vol. 2656, pp. 255–271. Springer, Berlin (2003).
Canetti R., Halevi S., Katz J.: Chosen-ciphertext security from identity-based encryption. In: Cachin C., Camenisch J. (eds.) Advances in Cryptology—EUROCRYPT 2004, vol. 3027, pp. 207–222. Springer, Berlin (2004).
Chatterjee S., Menezes A.: On cryptographic protocols employing asymmetric pairings—the role of \({\varPsi }\) revisited. Discret. Appl. Math. 159(13), 1311–1322 (2011).
Chen J., Gong J.: ABE with tag made easy: Concise framework and new instantiations in prime-order groups. In: Advances in Cryptology—ASIACRYPT 2017. Springer, Berlin (2017)
Cheon J., Hopper N., Kim Y., Osipkov I.: Timed-release and key-insulated public key encryption. In: Crescenzo G., Rubin A. (eds.) Financial Cryptography and Data Security, vol. 4107, pp. 191–205. Springer, Berlin (2006).
Dodis Y., Katz J., Xu S., Yung M.: Key-insulated public key cryptosystems. In: Knudsen L. (ed.) Advances in Cryptology—EUROCRYPT 2002, vol. 2332, pp. 65–82. Springer, Berlin (2002).
Dodis Y., Katz J., Xu S., Yung M.: Strong key-insulated signature schemes. In: Desmedt Y. (ed.) Public Key Cryptography—PKC 2003. Lecture Notes in Computer Science, vol. 2567, pp. 130–144. Springer, Berlin (2002).
Dodis Y., Franklin M., Katz J., Miyaji A., Yung M.: Intrusion-resilient public-key encryption. In: Joye M. (ed.) Topics in Cryptology—CT-RSA 2003. Lecture Notes in Computer Science, vol. 2612, pp. 19–32. Springer, Berlin (2003).
Dodis Y., Franklin M., Katz J., Miyaji A., Yung M.: A generic construction for intrusion-resilient public-key encryption. In: Okamoto T. (ed.) Topics in Cryptology—CT-RSA 2004. Lecture Notes in Computer Science, vol. 2964, pp. 81–98. Springer, Berlin (2004).
Dodis Y., Luo W., Xu S., Yung M.: Key-insulated symmetric key cryptography and mitigating attacks against cryptographic cloud software. In: Proceedings of the 7th ACM Symposium on Information, Computer and Communications Security, ASIACCS ’12, pp. 57–58. ACM, New York (2012).
Galbraith S.D., Paterson K.G., Smart N.P.: Pairings for cryptographers. Discret. Appl. Math. 156(16), 3113–3121 (2008).
Gentry C., Silverberg A.: Hierarchical ID-based cryptography. In: Zheng Y. (ed.) Advances in Cryptology—ASIACRYPT 2002. Lecture Notes in Computer Science, vol. 2501, pp. 548–566. Springer, Berlin (2002).
Hanaoka G., Weng J.: Generic constructions of parallel key-insulated encryption. In: Garay J., De Prisco R. (eds.) Security and Cryptography for Networks, vol. 6280, pp. 36–53. Springer, Berlin (2010).
Hanaoka Y., Hanaoka G., Shikata J., Imai H.: Identity-based hierarchical strongly key-insulated encryption and its application. In: Roy B. (ed.) Advances in Cryptology—ASIACRYPT 2005. Lecture Notes in Computer Science, vol. 3788, pp. 495–514. Springer, Berlin (2005).
Hanaoka G., Hanaoka Y., Imai H.: Parallel key-insulated public key encryption. In: Yung M., Dodis Y., Kiayias A., Malkin T. (eds.) Public Key Cryptography—PKC 2006. Lecture Notes in Computer Science, vol. 3958, pp. 105–122. Springer, Berlin (2006).
Itkis G., Reyzin L.: SiBIR: Signer-base intrusion-resilient signatures. In: Yung M. (ed.) Advances in Cryptology—CRYPTO 2002. Lecture Notes in Computer Science, vol. 2442, pp. 499–514. Springer, Berlin (2002).
Jutla C., Roy A.: Shorter quasi-adaptive NIZK proofs for linear subspaces. In: Sako K., Sarkar P. (eds.) Advances in Cryptology—ASIACRYPT 2013. Lecture Notes in Computer Science, vol. 8269, pp. 1–20. Springer, Berlin (2013).
Libert B., Quisquater J.J., Yung M.: Parallel key-insulated public key encryption without random oracles. In: Okamoto T., Wang X. (eds.) Public Key Cryptography—PKC 2007. Lecture Notes in Computer Science, vol. 4450, pp. 298–314. Springer, Berlin (2007).
Matsuda T., Nakai Y., Matsuura K.: Efficient generic constructions of timed-release encryption with pre-open capability. In: Joye M., Miyaji A., Otsuka A. (eds.) Pairing-Based Cryptography—Pairing 2010, vol. 6487, pp. 225–245. Springer, Berlin (2010).
Ramanna S., Sarkar P.: Efficient (anonymous) compact HIBE from standard assumptions. In: Chow S., Liu J., Hui L., Yiu S. (eds.) Provable Security. Lecture Notes in Computer Science, vol. 8782, pp. 243–258. Springer, Berlin (2014).
Ramanna S., Chatterjee S., Sarkar P.: Variants of Waters’ dual system primitives using asymmetric pairings. In: Fischlin M., Buchmann J., Manulis M. (eds.) Public Key Cryptography—PKC 2012. Lecture Notes in Computer Science, vol. 7293, pp. 298–315. Springer, Berlin (2012).
Sahai A., Waters B.: Fuzzy identity-based encryption. In: Cramer R. (ed.) Advances in Cryptology—EUROCRYPT 2005. Lecture Notes in Computer Science, vol. 3494, pp. 457–473. Springer, Berlin (2005).
Shamir A.: How to share a secret. Commun. ACM 22(11), 612–613 (1979).
Watanabe Y., Shikata J.: Identity-based hierarchical key-insulated encryption without random oracles. In: Cheng C.M., Chung K.M., Persiano G., Yang B.Y. (eds.) Public-Key Cryptography—PKC 2016, Part I. Lecture Notes in Computer Science, vol. 9614, pp. 255–279. Springer, Berlin (2016).
Watanabe Y., Emura K., Seo J.H.: New revocable IBE in prime-order groups: adaptively secure, decryption key exposure resistant, and with short public parameters. In: Handschuh H. (ed.) Topics in Cryptology—CT-RSA 2017, vol. 10159, pp. 432–449. Springer, Berlin (2017).
Waters B.: Efficient identity-based encryption without random oracles. In: Cramer R. (ed.) Advances in Cryptology—EUROCRYPT 2005, vol. 3494, pp. 114–127. Springer, Berlin (2005).
Waters B.: Dual system encryption: realizing fully secure IBE and HIBE under simple assumptions. In: Halevi S. (ed.) Advances in Cryptology—CRYPTO 2009, vol. 5677, pp. 619–636. Springer, Berlin (2009).
Weng J., Liu S., Chen K., Ma C.: Identity-based parallel key-insulated encryption without random oracles: security notions and construction. In: Barua R., Lange T. (eds.) Progress in Cryptology—INDOCRYPT 2006, vol. 4329, pp. 409–423. Springer, Berlin (2006).
Weng J., Liu S., Chen K., Zheng D., Qiu W.: Identity-based threshold key-insulated encryption without random oracles. In: Malkin T. (ed.) Topics in Cryptology—CT-RSA 2008, vol. 4964, pp. 203–220. Springer, Berlin (2008).
Acknowledgements
We would like to thank anonymous referees for their helpful comments. The first author was in part supported by JSPS KAKENHI Grant Number JP15H02710, and in part conducted under the auspices of the MEXT Program for Promoting the Reform of National Universities. The second author is supported by JSPS Research Fellowships for Young Scientists, and was supported by Grant-in-Aid for JSPS Fellows Grant Numbers JP13J03998 and JP16J10532, and Grant-in-Aid for Young Scientists JP17K12697.
Author information
Authors and Affiliations
Corresponding author
Additional information
Communicated by C. Blundo.
Preliminary version appeared in PKC 2016 [30].
Appendix A: Omitted descriptions
Appendix A: Omitted descriptions
Bilinear Group A bilinear group generator \(\mathcal {G}\) is an algorithm that takes a security parameter \(\lambda \) as input and outputs a bilinear group \((p, \mathbb {G}_1, \mathbb {G}_2, \mathbb {G}_T, g_1, \)\(g_2, e)\), where p is a prime, \(\mathbb {G}_1\), \(\mathbb {G}_2\), and \(\mathbb {G}_T\) are multiplicative cyclic groups of order p, \(g_1\) and \(g_2\) are (random) generators of \(\mathbb {G}_1\) and \(\mathbb {G}_2\), respectively, and e is an efficiently computable and non-degenerate bilinear map \(e: \mathbb {G}_1 \times \mathbb {G}_2 \rightarrow \mathbb {G}_T\) with the following bilinear property: For any \(u, u'\in \mathbb {G}_1\) and \(v, v' \in \mathbb {G}_2\), \(e(uu',v)=e(u,v)e(u',v)\) and \(e(u,vv')=e(u,v)e(u,v')\).
A bilinear map e is called symmetric or a “Type-1” pairing if \(\mathbb {G}_1=\mathbb {G}_2\). Otherwise, it is called asymmetric. In the asymmetric setting, e is called a “Type-2” pairing if there is an efficiently computable isomorphism either from \(\mathbb {G}_1\) to \(\mathbb {G}_2\) or from \(\mathbb {G}_2\) to \(\mathbb {G}_1\). If no efficiently computable isomorphisms are known, then it is called a “Type-3” pairing. In this paper, we focus on the Type-3 pairing, which is the most efficient setting in terms of group sizes (of \(\mathbb {G}_1\)) and operations. For details, see [9, 17].
We next give formal definitions the \(\mathsf{CBDH}\) and \(\mathsf{DBDH}\) assumptions as follows. In the following, we assume the Type-1 pairing (i.e., \(\mathbb {G}:=\mathbb {G}_1=\mathbb {G}_2\)).
Computational Bilinear Diffie–Hellman (\(\mathsf{CBDH}\)) Assumption Let \(\mathcal {A}\) be a PPT adversary and we consider \(\mathcal {A}\)’s advantage against the \(\mathsf{CBDH}\) problem as follows.
Definition 6
The \(\mathsf{CBDH}\) assumption relative to a generator \(\mathcal {G}\) holds if for all PPT adversaries \(\mathcal {A}\), \(Adv^{\mathsf{CBDH}}_{\mathcal {G},\mathcal {A}}(\lambda )\) is negligible in \(\lambda \).
Decisional Bilinear Diffie–Hellman (\(\mathsf{DBDH}\)) Assumption Let \(\mathcal {A}\) be a PPT adversary and we consider \(\mathcal {A}\)’s advantage against the \(\mathsf{DBDH}\) problem as follows.
Definition 7
The \(\mathsf{DBDH}\) assumption relative to a generator \(\mathcal {G}\) holds if for all PPT adversaries \(\mathcal {A}\), \(Adv^{\mathsf{DBDH}}_{\mathcal {G},\mathcal {A}}(\lambda )\) is negligible in \(\lambda \).
Finally, we describe the definition of OTS as follows.
One-time signature An OTS scheme \(\varPi _{\textsc {ots}}\) consists of three-tuple algorithms (KGen, Sign, Ver) defined as follows.
-
\((vk,sk)\leftarrow \textsf {KGen}(\lambda )\): It takes a security parameter \(\lambda \) and outputs a pair of a public key and a secret key (vk, sk).
-
\(\sigma \leftarrow \textsf {Sign}(sk,m)\): It takes the secret key sk and a message \(m\in \mathcal {M}\) and outputs a signature \(\sigma \).
-
1 or \(0\leftarrow \textsf {Ver}(vk,m,\sigma )\): It takes the public key vk and a pair of a message and a signature \((m,\sigma )\), and then outputs 1 or 0.
We assume that \(\varPi _{\textsc {ots}}\) meets the following correctness property: For all security parameters \(\lambda \in \mathbb {N}\), all \((vk,sk)\leftarrow \textsf {KGen}(\lambda )\), and all \(m\in \mathcal {M}\), it holds that \(1\leftarrow \textsf {Ver}(vk,(m,\textsf {Sign}(sk,m)))\).
We describe the notion of strong unforgeability against one-time attack (\(\mathsf{sUF}\text {-}\mathsf{OT}\)). Let \(\mathcal {A}\) be a PPT adversary, and \(\mathcal {A}\)’s advantage against \(\mathsf{sUF}\text {-}\mathsf{OT}\) security is defined by
\(\textit{Sign}(\cdot )\) is a signing oracle which takes a message m as input, and then returns \(\sigma \) by running \(\textsf {Sign}(sk,m)\). \(\mathcal {A}\) is allowed to access to the above oracle only once.
Definition 8
An OTS scheme \(\varPi _{\textsc {ots}}\) is said to be \(\mathsf{sUF}\text {-}\mathsf{OT}\) secure if for all PPT adversaries \(\mathcal {A}\), \(Adv^{\mathsf{sUF}\text {-}\mathsf{OT}}_{\varPi _{\textsc {ots}},\mathcal {A}}(\lambda )\) is negligible in \(\lambda \).
Rights and permissions
About this article
Cite this article
Shikata, J., Watanabe, Y. Identity-based encryption with hierarchical key-insulation in the standard model. Des. Codes Cryptogr. 87, 1005–1033 (2019). https://doi.org/10.1007/s10623-018-0503-4
Received:
Revised:
Accepted:
Published:
Issue Date:
DOI: https://doi.org/10.1007/s10623-018-0503-4
Keywords
- Key-insulated encryption
- Identity-based hierarchical key-insulated encryption
- Hierarchical identity-based encryption
- Asymmetric pairing