IRIBE: Intrusion-resilient identity-based encryption

doi:10.1016/j.ins.2015.09.020

Information Sciences

Volume 329, 1 February 2016, Pages 90-104

https://doi.org/10.1016/j.ins.2015.09.020 Get rights and content

Abstract

In order to limit the damage of key exposure for identity-based encryption, we propose a new paradigm called intrusion-resilient identity-based encryption (IRIBE) in this paper. Compared with key-insulated identity-based encryption and forward-secure identity-based encryption, IRIBE can achieve a stronger level of security. In our proposed scheme, the ciphertexts in any other time periods are secure even after arbitrarily many compromises of the base and the user, as long as compromises do not happen simultaneously. Furthermore, the intruder cannot decrypt the ciphertexts pertaining to previous time periods, even if it compromises the base and the user simultaneously. Therefore, our IRIBE scheme can greatly enhance the security of identity-based encryption. We also formalize the definition and the security notions of this paradigm. The proposed scheme is proven secure in the standard model.

Introduction

The motivation of identity-based encryption introduced by Shamir [21] was to simplify key management process and eliminate the need for certificates. In an identity-based encryption scheme, the public key is replaced by any user's identity information while the associated secret key is generated by a trusted Private Key Generator (PKG). Identity-based encryption schemes have attracted much attention since the concept's appearance. Many schemes [2,3,7,11,15, 22,] about identity-based encryption have been proposed in the last decade.

Regular identity-based encryption crucially depends on the privacy of secret keys. However, it is very difficult to keep secret keys absolutely secure with more and more mobile and unprotected devices used in cryptographic primitives. It is indeed generally much easier for an adversary to obtain the user's secret key by breaking into the device than cracking actual cryptographic assumptions on which the system is based [26]. Once a secret decryption key is exposed, all the ciphertexts related to the corresponding public encryption key could be decrypted. We have to revoke the pair of secret decryption key and public encryption key, and issue a new pair. This problem seems especially serious for identity-based encryption because the public encryption key corresponding to the user's identity is not easy to change.

Key-evolving cryptosystems can reduce the threat of key exposure. In a key-evolving cryptosystem, the whole lifetime is divided into multiple time periods. Secret keys evolve in different time periods, while the public key is fixed. There are three kinds of key-evolving cryptosystems: forward-secure cryptosystem, key-insulated cryptosystem and intrusion-resilient cryptosystem. Forward-secure encryption [8] can protect the security of ciphertexts before key exposure, but cannot protect the security after key exposure. Key-insulated encryption and intrusion-resilient encryption can keep the security not only before key exposure but also after key exposure, at the cost of introducing an entity (i.e. the base) to help the user update its secret keys. In key-insulated encryption [1,10,[14], [17], [20]], the user holds the secret decryption key, and can decrypt the ciphertexts on its own. At the end of each time period, the user would update its secret decryption key by communicating with the base and performing some local computations. As a result, the exposure of the user's current secret key does not compromise the security for the past periods and the future periods. However, the security will be wholly lost in key-insulated encryption when the user and the base are corrupted in the same period. Intrusion-resilient encryption [12], [13], [16] is as key-insulated encryption: the user decrypts the ciphertexts on its own with the secret key it holds, and the secret key update needs an update message from the base. Different from key-insulated encryption, intrusion-resilient encryption refreshes the secret keys of the user and the base many times in one period, which makes the intruder unable to get the secret keys of other periods even after arbitrarily many compromises of the user and the base, as long as these compromises do not happen simultaneously. Furthermore, the intruder cannot decrypt the ciphertexts pertaining to previous time periods, even if it compromises the user and the base simultaneously.

Forward-secure mechanism and key-insulated mechanism have been applied to identity-based encryption to deal with the key-exposure problem in [25], [27] and [23], [19], [24], respectively. However, applying intrusion-resilient mechanism to identity-based encryption is still an unsolved problem up to now. Indeed, intrusion-resilient model appears to provide the maximum possible security in the face of key exposure. Therefore, intrusion-resilient mechanism can greatly enhance the security of identity-based encryption. How to make identity-based encryption with intrusion-resilient security is an important problem.

Seo et al. proposed a revocable identity-based encryption with decryption key exposure resilience [29]. In Seo's scheme, the adversary is allowed to obtain the decryption key $d k_{I D^{*}, t}$ (t ≠ t*) for the challenged identity ID*(t* is the challenged time period), which only provides partial secret key exposure resilience. Specifically, the secret key of the user with identity ID in [29], [30] is composed by two parts. One part is the private key sk_ID, which is used to generate decryption key dk_{ID, t}. The other part is the decryption key dk_{ID, t}, which is used to decrypt the ciphertext. Seo's scheme can only deal with the decryption key dk_{ID, t} exposure problem. If the full secret key (composed by sk_ID and dk_{ID, t}) is exposed, the security will completely lose. In practice, when the adversary compromises the user in time period t, he should get not only the decryption key dk_{ID, t} but also the private key sk_ID. Therefore, Seo's scheme is not able to deal with the real key exposure in actual scenarios.

Section snippets

Our contribution

In order to resolve the above problem, we propose a new paradigm called intrusion-resilient identity-based encryption (IRIBE) in this paper. We firstly give the definition and the security notions of IRIBE scheme. And then construct the first IRIBE scheme. In our scheme, decryption keys evolve in regular intervals, while the identity information corresponding to the public key is unchanged during the whole lifetime. The ciphertexts in any other time periods are secure even after arbitrarily

Cryptographic assumption

We firstly review some common cryptographic prelimilaries about bilinear maps and the decisional l-wBDHI assumption.

Let G₁ and G₂ be two multiplicative groups with the same prime order p. We say a map $\hat{e} : G_{1} \times G_{1} \to G_{2}$ is a bilinear map if the following properties are satisfied:

1.
Bilinear: For all g₁, g₂ ∈ G₁ and $a, b \in Z_{p}^{*}$ , we have $\hat{e} ({g_{1}}^{a}, {g_{2}}^{b}) = \hat{e}$ (g₁, g₂)^ab.
2.
Non-degenerate: The map does not send all pairs in G₁ × G₁ to the identity in G₂.
3.
Computable: There is an efficient algorithm to compute $\hat{e} (g_{1}, g_{2})$

Intuition

In order to represent periods 0,1,2,…, $T = 2^{l} - 1$ , we use a full binary tree [3], [8] with depth l and associate each period with each leaf of the tree from left to right. The leftmost leaf node denotes period 0 and the rightmost leaf node denotes period T. Label each node of the binary tree with a binary string w. Let ϕ denote an empty string and label the root of the binary tree with ϕ. When a node is labeled x, its left child and right child are labeled x0 and x1. Denote the length of bitstring x

Security analysis

Theorem 1

If the decisional (t′, ɛ′)l-wBDHI assumption holds in G₁, then our scheme is (t,ɛ,q_SK, q_SKB,q_SKU, q_SKR, q_Extr) semantically secure, where $\begin{matrix} t^{'} = t + O ((q_{S K} + q_{S K B} + q_{S K U}) T l (n_{u} + l) + q_{S K R} l^{2} + q_{E x t r} l (n_{u} + l)) t_{G_{1}}, \\ ɛ^{'} = \frac{T - 1}{2 T^{2} (n_{u} + 1) (q_{S K} + q_{S K B} + q_{S K U} + q_{E x t r})} \cdot ɛ \end{matrix}$

(

t_{G_{1}}

denotes the maximum running time of one operation in G₁).

Proof

Suppose there is an adversary F against the semantic security of our scheme. We construct an algorithm A to solve the decisional l-wBDHI problem in G₁. Firstly, A randomly guesses i*(1 ≤ i* ≤ T) as the

Complexity analysis and comparison

We give the complexity analysis of the full performance parameters about the total number of time periods T in our scheme. From Table 1, we can see that the running time complexities of IRIBE.Setup algorithm and IRIBE.Decrypt algorithm are both O(1); the running time complexities of IRIBE.refbase algorithm, IRIBE.refuser algorithm and IRIBE.Decrypt algorithm are all O(logT); the running time complexities of IRIBE.Extract algorithm, IRIBE.Updbase algorithm and IRIBE.Upduser algorithm are all

Conclusion

Key exposure threatens the security of identity-based encryption systems greatly. In this paper, we propose the first intrusion-resilient identity-based encryption scheme. We give the security notions of intrusion-resilient identity-based encryption schemes. Our scheme can be proven secure without random oracles.

Acknowledgment

This research is supported by National Natural Science Foundation of China (61272425, 61572267, 61402245, 60703089), Qingdao Science and Technology Development project (12-1-4-2-(16)-jch), Huawei Technology Fund (YB2013120027), and Shandong Provincial Key Laboratory of Computer Network (SDKLCN-2013-03), PAPD and CICAEET.

References (30)

M. Bellare et al.
Protecting against key-exposure: Strongly key-insulated encryption with optimal threshold
Appl. Algebra Eng. Commun. Comput.
(2006)
D. Boneh et al.
Efficient selective-ID identity based encryption without random oracles
Advances in Cryptology-Eurocrypt 2004, LNCS 3027
(2004)
D. Boneh et al.
Hierarchical identity based encryption with constant size ciphertext
Advances in Cryptology-EUROCRYPT 2005, LNCS 3493
(2005)
J. Yu et al.
Enabling cloud storage auditing with key-exposure resistance
IEEE Transactions on Information Forensics and Security
(2015)
D. Boneh et al.
Improved efficiency for CCA-secure cryptosystems built using identity based encryption
Advance in Cryptology-CT-RSA 2005, LNCS 3376
(2005)
X. Boyen et al.
Simple and efficient CCA2 security from IBE techniques
X. Boyen et al.
Anonymous hierarchical identity-based encryption (without random oracles)
Advances in Cryptology-CRYPTO 2006, LNCS 4117
(2006)
R. Canetti et al.
A forward-secure public-key encryption scheme
Advances in Cryptology-EUROCRYPT 2003, LNCS 2656
(2003)
R. Canetti et al.
Chosen-ciphertext security from identity-based encryption
Advance in Cryptology-Eurocrypt 2004, LNCS 3027
(2004)
J.H. Cheon et al.
Timed-release and key-insulated public key encryption
Advance in FC 2006, LNCS 4107
(2006)

C. Cocks

An identity based encryption scheme based on quadratic residues

Y. Dodis et al.

Intrusion resilient public-key encryption

Topics in Cryptology–CT-RSA 2003, LNCS 2612

(2003)

Y. Dodis et al.

A generic construction for intrusion-resilient public-key encryption

Topics in CT-RSA 2004, LNCS 2964

(2004)

Y. Dodis et al.

Key-insulated public-key cryptosystems

Advance in EUROCRYPT 2002. LNCS 2332

(2002)

C. Gentry

Practical identity-based encryption without random oracles

Advances in Cryptology-EUROCRYPT 2006, LNCS 4404

(2006)

Cited by (17)

Intrusion-resilient identity-based signatures: Concrete scheme in the standard model and generic construction
2018, Information Sciences
Citation Excerpt :
As a result, security proofs in random oracles do not always imply the security of actual schemes in the real world [10]. In recent years, there have been a lot of researches on the cryptographic systems without random oracles such as [8,9,17,26]. Therefore, how to construct an IRIBS scheme without random oracles is a worthwhile task.
Key exposure problem is a very serious problem for identity-based signatures. Once the secret key is exposed in identity-based signatures, all signatures generated from this secret key will become insecure. To mitigate this serious damage, the intrusion-resilient mechanism has been introduced into identity-based signatures. However, all existing schemes can only be proven secure in random oracles. As we know, security proofs in random oracles do not always imply the security of actual schemes in the real world. In order to deal with this problem, in this paper, we propose the first intrusion-resilient identity-based signature (IRIBS) scheme that can be proven secure in the standard model. In the proposed scheme, the homomorphic structure in the key update is employed to refresh secret keys in one time period. It makes the scheme achieve the intrusion resilience when key exposure happens. In addition, we also provide the first solution for how to generically construct IRIBS schemes. We make use of the separable structure between the user's key material used for updating and that used for the actual signing. As a result, our solution can produce IRIBS schemes from forward-secure identity-based signature (FSIBS) schemes with a special property. This contribution will also simplify the future designs of IRIBS schemes and FSIBS schemes.
Remote data possession checking with privacy-preserving authenticators for cloud storage
2017, Future Generation Computer Systems
As a convenient and economical data storage solution, cloud storage has been widely adopted in recent years. For cloud storage users, how to guarantee data integrity is one of the biggest concerns. Remote data possession checking schemes are proposed to address this problem. Nonetheless, the existing approaches do not consider the privacy of authenticators, which sometimes may bring financial loss to users. In this paper, we propose a new paradigm named remote data possession checking with privacy-preserving authenticators for cloud storage. In this new paradigm, both cloud service provider and the public verifier do not have access to the real authenticators (signatures) for cloud data. Meanwhile, the integrity of cloud data is still able to be efficiently checked. It is potentially useful in some special situations where electronic checks and contracts are outsourced. To securely protect the privacy of the authenticator, we design a new authenticator called Homomorphic Invisible Authenticator (HIA), which protects the privacy of authenticator and supports the blockless verification. Based on HIA, we construct the first remote data possession checking scheme with privacy-preserving authenticators for cloud storage. To evaluate the security and efficiency of our proposed scheme, we conduct both theoretical analysis and simulation experiments. The results show that our proposed paradigm is secure and efficient.
Enabling efficient and verifiable multi-keyword ranked search over encrypted cloud data
2017, Information Sciences
Citation Excerpt :
The large amount of data such as e-mails, personal health records, financial reports, may inevitably include users’ sensitive information. Despite the enormous benefits, outsourcing data to the cloud server makes these data out of users physical control, which makes users concern about whether the data is correctly stored in the cloud server [31,42–45] and whether the privacy of users is protected effectively. To guarantee data confidentiality, encryption is a good way for users.
With the prevalence of the cloud computing, data owners can outsource their data to the cloud server to enjoy convenient services. To ensure the user's data confidentiality, the outsourced data are usually stored in an encryption form on the cloud server, which makes it extremely difficult to search the specific encrypted documents matching some keywords from the cloud server for users. To address this issue, in this paper, we develop a multi-keyword ranked search scheme over encrypted cloud data, which also supports search results verification. To achieve efficient multi-keyword search, we construct a special data structure QSet based on an inverted index structure. To reduce the search complexity, we use the strategy that firstly searching the estimated least frequent keyword in the query to significantly narrow down the number of searching documents. Within this framework, to support ranked search, we utilize the common $TF \times IDF$ rule to compute the relevance scores of documents matching a given search request. To resist malicious behaviors of the cloud server, we generate a binary vector for each keyword and use MAC to check the authenticity of the returned ciphertexts. The security analysis demonstrates that our proposed schemes are semantic secure in the adaptive setting. Extensive experimental evaluation shows the efficiency in the computation overhead of search and verification.
Light-weight and privacy-preserving secure cloud auditing scheme for group users via the third party medium
2017, Journal of Network and Computer Applications
To verify the integrity of cloud data, many cloud storage auditing schemes have been proposed. However, most of them incur a lot of computation overhead for users when data authenticators are generated or the data integrity is verified, which inevitably brings in heavy burdens to resource-constrained users. To overcome this problem, we propose a cloud storage auditing scheme for group users, which greatly reduces the computation burden on the user side. In our scheme, we introduce a Third Party Medium (TPM) to perform time-consuming operations on behalf of users. The TPM is in charge of generating authenticators for users and verifying data integrity on behalf of users. In order to protect the data privacy against the TPM, we blind data using simple operations in the phase of data uploading and data auditing. The user does not need to perform time-consuming decryption operations when using cloud data. We set an expiration time of the authorization to make sure only the TPM who possesses the authorization within valid period is able to upload data to the cloud and challenge the cloud data. The security proof and the performance analysis show that our proposed scheme is secure and efficient.
Continuous leakage-resilient certificate-based encryption
2016, Information Sciences
Citation Excerpt :
Nevertheless, the adversary may gain a certain amount of information about secret states through side channel attacks in real life. Many schemes [13,23,26,29,35,47–49,51,52] against the side channel attacks were proposed in recent years. And, there are various kinds of models for these schemes, such as relative-leakage model [3,22,29,32,38,40,45,48,49], bounded-retrieval model (BRM) [5,6,33,41], auxiliary inputs model [15,26,46] and continuous leakage-resilient model [1,2,4,7,8,11,12,16,17,20,24–26,39,43,50].
Encryption schemes are generally considered to be secure in an ideal environment, where the adversary cannot obtain the secret internal state of schemes. However, in the realistic environment, the adversary can gain partial information about decryption private key through various types of side channel attacks. In order to capture these attacks, it is crucial to design encryption schemes which are resilient to leakage. In this article, we first formalize a continuous leakage-resilient security model of certificate-based encryption. In the model, the adversary continuously obtains partial information about the secret states through the continuous leakage attacks. Furthermore, we construct a continuous leakage-resilient certificate-based encryption (CLR-CBE) scheme which is resilient to continuous leakage, and it is secure against adaptive chosen ciphertext attacks under the bilinear Diffie–Hellman inversion (BDHI) hardness assumption. Lastly, we show the bound on leakage and make comparison between proposed and existing schemes in terms of security properties and efficiency.
Enabling public auditing for shared data in cloud storage supporting identity privacy and traceability
2016, Journal of Systems and Software
Citation Excerpt :
As effective it is, this method needs complex process to protect data privacy, and the recipient has to interact with data owner to access the original dataset. Yu et al. used key update technique (Yu et al., 2014, 2016) to deal with the key-exposure problem in cloud storage auditing (Yu et al., 2015). Other problems in data auditing have been researched, such as efficient data auditing (Guan et al., 2015, Yu et al., In Press), secure possession checking (Ren et al., 2015), data dynamic operations (Erway et al., 2009, Sookhak et al., In Press, Wang et al., 2011, Zhang and Blanton, 2013), data privacy protection (Wang et al., 2013), multicopy dynamic data possession (Barsoum and Hasan, 2015), and proxy auditing (Wang, 2013), etc.
Nowadays, cloud storage service has been widely adopted by diverse organizations, through which users can conveniently share data with others. For security consideration, previous public auditing schemes for shared cloud data concealed the identities of group members. However, the unconstrained identity anonymity will lead to a new problem, that is, a group member can maliciously modify shared data without being identified. Since uncontrolled malicious modifications may wreck the usability of the shared data, the identity traceability should also be retained in data sharing. In this paper, we propose an efficient public auditing solution that can preserve the identity privacy and the identity traceability for group members simultaneously. Specifically, we first design a new framework for data sharing in cloud, and formalize the definition of the public auditing scheme for shared cloud data supporting identity privacy and traceability. And then we construct such a scheme, in which a group manager is introduced to help members generate authenticators to protect the identity privacy and two lists are employed to record the members who perform the latest modification on each block to achieve the identity traceability. Besides, the scheme also achieves data privacy during authenticator generation by utilizing blind signature technique. Based on the proposed scheme, we further design an auditing system for practical scenarios. Finally, we prove the proposed scheme is secure based on several security requirements, and justify its performance by concrete implementations.

View all citing articles on Scopus

View full text

IRIBE: Intrusion-resilient identity-based encryption

Abstract

Introduction

Section snippets

Our contribution

Cryptographic assumption

Intuition

Security analysis

Complexity analysis and comparison

Conclusion

Acknowledgment

Protecting against key-exposure: Strongly key-insulated encryption with optimal threshold

Appl. Algebra Eng. Commun. Comput.

Efficient selective-ID identity based encryption without random oracles

Advances in Cryptology-Eurocrypt 2004, LNCS 3027

Hierarchical identity based encryption with constant size ciphertext

Advances in Cryptology-EUROCRYPT 2005, LNCS 3493

Enabling cloud storage auditing with key-exposure resistance

IEEE Transactions on Information Forensics and Security

Improved efficiency for CCA-secure cryptosystems built using identity based encryption

Advance in Cryptology-CT-RSA 2005, LNCS 3376

Simple and efficient CCA2 security from IBE techniques

Anonymous hierarchical identity-based encryption (without random oracles)

Advances in Cryptology-CRYPTO 2006, LNCS 4117

A forward-secure public-key encryption scheme

Advances in Cryptology-EUROCRYPT 2003, LNCS 2656

Chosen-ciphertext security from identity-based encryption

Advance in Cryptology-Eurocrypt 2004, LNCS 3027

Timed-release and key-insulated public key encryption

Advance in FC 2006, LNCS 4107

An identity based encryption scheme based on quadratic residues

Intrusion resilient public-key encryption

Topics in Cryptology–CT-RSA 2003, LNCS 2612

A generic construction for intrusion-resilient public-key encryption

Topics in CT-RSA 2004, LNCS 2964

Key-insulated public-key cryptosystems

Advance in EUROCRYPT 2002. LNCS 2332

Practical identity-based encryption without random oracles

Advances in Cryptology-EUROCRYPT 2006, LNCS 4404