IRIBE: Intrusion-resilient identity-based encryption
Introduction
The motivation of identity-based encryption, introduced by Shamir [21], was to simplify key management and eliminate the need for certificates. In an identity-based encryption scheme, the public key is replaced by the user's identity information, while the associated secret key is generated by a trusted Private Key Generator (PKG). Identity-based encryption has attracted much attention since the concept first appeared, and many identity-based encryption schemes [2,3,7,11,15,22] have been proposed in the last decade.
Regular identity-based encryption depends crucially on the secrecy of the secret keys. However, it is very difficult to keep secret keys absolutely secure now that more and more mobile and unprotected devices are used to run cryptographic primitives. It is generally much easier for an adversary to obtain a user's secret key by breaking into the device than by breaking the cryptographic assumptions on which the system is based [26]. Once a secret decryption key is exposed, every ciphertext related to the corresponding public encryption key can be decrypted. The pair of secret decryption key and public encryption key must then be revoked and a new pair issued. This problem is especially serious for identity-based encryption, because the public encryption key corresponds to the user's identity and is not easy to change.
Key-evolving cryptosystems can reduce the threat of key exposure. In a key-evolving cryptosystem, the whole lifetime is divided into multiple time periods. Secret keys evolve from one time period to the next, while the public key is fixed. There are three kinds of key-evolving cryptosystems: forward-secure, key-insulated and intrusion-resilient. Forward-secure encryption [8] protects ciphertexts from before a key exposure, but cannot protect ciphertexts after it. Key-insulated encryption and intrusion-resilient encryption preserve security both before and after a key exposure, at the cost of introducing an additional entity (the base) that helps the user update its secret keys. In key-insulated encryption [1], [10], [14], [17], [20], the user holds the secret decryption key and can decrypt ciphertexts on its own. At the end of each time period, the user updates its secret decryption key by communicating with the base and performing some local computation. As a result, exposure of the user's current secret key does not compromise security in past or future periods. However, in key-insulated encryption security is wholly lost when the user and the base are corrupted in the same period. Intrusion-resilient encryption [12], [13], [16] resembles key-insulated encryption: the user decrypts ciphertexts on its own with the secret key it holds, and the secret key update needs an update message from the base. Unlike key-insulated encryption, intrusion-resilient encryption refreshes the secret keys of the user and the base many times within one period, so the intruder cannot obtain the secret keys of other periods even after arbitrarily many compromises of the user and the base, as long as these compromises do not happen simultaneously. Furthermore, the intruder cannot decrypt ciphertexts pertaining to previous time periods even if it compromises the user and the base simultaneously.
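The three exposure models in the paragraph above differ only in which periods a given set of break-ins exposes. The following added example (not from the paper) encodes those rules as stated in the text and runs them on one constructed break-in history; the only assumption beyond the text is that in the key-insulated model a base-only compromise exposes nothing, which is the strong key-insulation setting.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Compromise:
    period: int    # time period 0..T-1
    refresh: int   # refresh sub-interval inside the period (only the intrusion-resilient model distinguishes these)
    entity: str    # "user" or "base"

def exposed_forward_secure(events, T):
    """Only the user holds key material: a break-in during period t exposes t and every later period."""
    hits = [e.period for e in events if e.entity == "user"]
    return set(range(min(hits), T)) if hits else set()

def exposed_key_insulated(events, T):
    """User break-in exposes that period only; user and base broken in the same period exposes everything.
    Assumption (strong key-insulation): a base-only break-in exposes nothing."""
    user = {e.period for e in events if e.entity == "user"}
    base = {e.period for e in events if e.entity == "base"}
    return set(range(T)) if user & base else user

def exposed_intrusion_resilient(events, T):
    """User break-in exposes that period only; base-only break-ins expose nothing; user and base broken
    in the same refresh sub-interval of period t expose t and all later periods, never earlier ones."""
    user = {(e.period, e.refresh) for e in events if e.entity == "user"}
    base = {(e.period, e.refresh) for e in events if e.entity == "base"}
    exposed = {p for p, _ in user}
    simultaneous = [p for p, _ in user & base]
    if simultaneous:
        exposed |= set(range(min(simultaneous), T))
    return exposed

# Constructed scenario with T = 8 periods: user and base each broken in period 2 but in different
# refresh sub-intervals, then both broken in the same sub-interval of period 5.
SCENARIO = [
    Compromise(2, 0, "user"), Compromise(2, 1, "base"),
    Compromise(5, 1, "user"), Compromise(5, 1, "base"),
]

def compare(events=SCENARIO, T=8):
    """Exposed periods under each model for the same break-in history."""
    return {
        "forward-secure": exposed_forward_secure(events, T),
        "key-insulated": exposed_key_insulated(events, T),
        "intrusion-resilient": exposed_intrusion_resilient(events, T),
    }

if __name__ == "__main__":
    for model, periods in compare().items():
        print(f"{model:20s} exposed periods: {sorted(periods)}")
```

The run shows the ordering the paragraph argues for: the forward-secure model loses everything from period 2 on, the key-insulated model loses all periods because user and base were both hit in period 2, and the intrusion-resilient model loses only periods 2 and 5 plus those after the simultaneous break-in in period 5.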
The forward-secure and key-insulated mechanisms have been applied to identity-based encryption to address the key-exposure problem in [25], [27] and in [23], [19], [24], respectively. However, applying the intrusion-resilient mechanism to identity-based encryption has remained an open problem. The intrusion-resilient model appears to provide the maximum possible security in the face of key exposure, so the intrusion-resilient mechanism can greatly enhance the security of identity-based encryption. How to build identity-based encryption with intrusion-resilient security is therefore an important problem.
Seo et al. proposed a revocable identity-based encryption scheme with decryption key exposure resilience [29]. In Seo's scheme the adversary is allowed to obtain the decryption key of the challenged identity ID* for any time period t ≠ t* (where t* is the challenged time period), which provides only partial secret key exposure resilience. Specifically, the secret key of the user with identity ID in [29], [30] consists of two parts. One part is the private key sk_ID, which is used to generate the decryption key dk_{ID,t}. The other part is the decryption key dk_{ID,t}, which is used to decrypt ciphertexts. Seo's scheme can only deal with exposure of the decryption key dk_{ID,t}. If the full secret key (sk_ID together with dk_{ID,t}) is exposed, security is completely lost. In practice, when the adversary compromises the user in time period t, it obtains not only the decryption key dk_{ID,t} but also the private key sk_ID. Therefore, Seo's scheme cannot deal with the key exposure that actually occurs in real scenarios.
Our contribution
In order to resolve the above problem, we propose a new paradigm called intrusion-resilient identity-based encryption (IRIBE) in this paper. We first give the definition and the security notions of an IRIBE scheme, and then construct the first IRIBE scheme. In our scheme, decryption keys evolve at regular intervals, while the identity information corresponding to the public key is unchanged during the whole lifetime. The ciphertexts in any other time periods are secure even after arbitrarily
Cryptographic assumption
We first review some common cryptographic preliminaries about bilinear maps and the decisional l-wBDHI assumption.
Let G1 and G2 be two multiplicative groups with the same prime order p. We say a map is a bilinear map if the following properties are satisfied:
1. Bilinear: For all g1, g2 ∈ G1 and , we have (g1, g2)ab.
2. Non-degenerate: The map does not send all pairs in G1 × G1 to the identity in G2.
3. Computable: There is an efficient algorithm to compute
Intuition
In order to represent periods 0, 1, 2, …, T, we use a full binary tree [3], [8] of depth l and associate each period with a leaf of the tree from left to right. The leftmost leaf denotes period 0 and the rightmost leaf denotes period T. Label each node of the binary tree with a binary string w. Let ϕ denote the empty string and label the root of the binary tree with ϕ. When a node is labeled x, its left child and right child are labeled x0 and x1. Denote the length of bitstring x
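The labeling above is the standard one from the tree-based schemes the paper cites in [3], [8]. The following added example (not the paper's code) implements it and goes one step further than the text: it also computes, for a period t, the node set whose subtrees are exactly the leaves of periods t..T, which is the bookkeeping that lets key material for earlier periods be discarded as periods evolve. Function names and the depth-3 tree are choices made here, not the paper's.

```python
def leaf_label(t: int, depth: int) -> str:
    """l-bit label of the leaf for period t: leftmost leaf 00...0 is period 0, rightmost 11...1 is T."""
    if not 0 <= t < 2 ** depth:
        raise ValueError("period outside 0..2^depth-1")
    return format(t, f"0{depth}b")

def path_labels(label: str) -> list:
    """Labels from the root (empty string, phi in the paper) down to the node."""
    return [label[:i] for i in range(len(label) + 1)]

def future_cover(t: int, depth: int) -> set:
    """Nodes whose subtrees contain exactly the leaves of periods t..T: the leaf itself plus the
    right sibling (x1) of every path node x at which the path takes the 0 branch. Holding key
    material only for these nodes covers every later period and nothing earlier."""
    leaf = leaf_label(t, depth)
    cover = {leaf}
    for i, bit in enumerate(leaf):
        if bit == "0":
            cover.add(leaf[:i] + "1")
    return cover

def periods_under(node: str, depth: int) -> set:
    """Periods whose leaves lie in the subtree rooted at node."""
    pad = depth - len(node)
    start = int(node + "0" * pad, 2)
    return set(range(start, start + 2 ** pad))

def periods_covered(cover: set, depth: int) -> set:
    """Union of the periods under every node in the cover set."""
    covered = set()
    for node in cover:
        covered |= periods_under(node, depth)
    return covered

if __name__ == "__main__":
    depth = 3                      # T = 2**depth - 1 = 7
    for t in range(2 ** depth):
        cover = future_cover(t, depth)
        # the cover of period t must reach exactly periods t..T
        assert periods_covered(cover, depth) == set(range(t, 2 ** depth))
        print(t, leaf_label(t, depth), sorted(cover, key=len))
```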
Security analysis
Theorem 1 If the decisional (t′, ɛ′) l-wBDHI assumption holds in G1, then our scheme is (t, ɛ, qSK, qSKB, qSKU, qSKR, qExtr) semantically secure, where
Proof Suppose there is an adversary F against the semantic security of our scheme. We construct an algorithm A that solves the decisional l-wBDHI problem in G1. First, A randomly guesses i* (1 ≤ i* ≤ T) as the
Complexity analysis and comparison
We give the complexity analysis of the full set of performance parameters as functions of the total number of time periods T in our scheme. From Table 1, we can see that the running time complexities of the IRIBE.Setup algorithm and the IRIBE.Decrypt algorithm are both O(1); the running time complexities of the IRIBE.refbase, IRIBE.refuser and IRIBE.Decrypt algorithms are all O(log T); the running time complexities of the IRIBE.Extract, IRIBE.Updbase and IRIBE.Upduser algorithms are all
Conclusion
Key exposure is a serious threat to the security of identity-based encryption systems. In this paper, we propose the first intrusion-resilient identity-based encryption scheme and give the security notions for intrusion-resilient identity-based encryption schemes. Our scheme can be proven secure without random oracles.
Acknowledgment
This research is supported by National Natural Science Foundation of China (61272425, 61572267, 61402245, 60703089), Qingdao Science and Technology Development project (12-1-4-2-(16)-jch), Huawei Technology Fund (YB2013120027), and Shandong Provincial Key Laboratory of Computer Network (SDKLCN-2013-03), PAPD and CICAEET.
References
- Protecting against key-exposure: Strongly key-insulated encryption with optimal threshold. Appl. Algebra Eng. Commun. Comput. (2006).
- Efficient selective-ID identity based encryption without random oracles. Advances in Cryptology - EUROCRYPT 2004, LNCS 3027 (2004).
- Hierarchical identity based encryption with constant size ciphertext. Advances in Cryptology - EUROCRYPT 2005, LNCS 3493 (2005).
- Enabling cloud storage auditing with key-exposure resistance. IEEE Transactions on Information Forensics and Security (2015).
- Improved efficiency for CCA-secure cryptosystems built using identity based encryption. Topics in Cryptology - CT-RSA 2005, LNCS 3376 (2005).
- Simple and efficient CCA2 security from IBE techniques.
- Anonymous hierarchical identity-based encryption (without random oracles). Advances in Cryptology - CRYPTO 2006, LNCS 4117 (2006).
- A forward-secure public-key encryption scheme. Advances in Cryptology - EUROCRYPT 2003, LNCS 2656 (2003).
- Chosen-ciphertext security from identity-based encryption. Advances in Cryptology - EUROCRYPT 2004, LNCS 3027 (2004).
- Timed-release and key-insulated public key encryption. Financial Cryptography and Data Security - FC 2006, LNCS 4107 (2006).
- An identity based encryption scheme based on quadratic residues.
- Intrusion resilient public-key encryption. Topics in Cryptology - CT-RSA 2003, LNCS 2612.
- A generic construction for intrusion-resilient public-key encryption. Topics in Cryptology - CT-RSA 2004, LNCS 2964.
- Key-insulated public-key cryptosystems. Advances in Cryptology - EUROCRYPT 2002, LNCS 2332.
- Practical identity-based encryption without random oracles. Advances in Cryptology - EUROCRYPT 2006, LNCS 4404.