Elsevier

Information Sciences

Volume 505, December 2019, Pages 352-366
Accountable identity-based encryption with distributed private key generators

https://doi.org/10.1016/j.ins.2019.07.086

Abstract

Using distributed private key generators (PKGs) in identity-based encryption (IBE) is a viable approach to mitigating the inherent key escrow problem: the user’s private key is generated by multiple PKGs, so no single PKG can impersonate the user. Nevertheless, these PKGs can still collude to generate a user’s private key and auction it without the risk of being caught. In the traditional IBE setting, accountable IBE (A-IBE) can identify the creator of a pirated private key as either the user or the PKG. Unfortunately, the analogous problem in IBE with distributed PKGs remains an open research problem. To fill this gap, we concentrate on adding accountability to IBE with distributed PKGs. Specifically, we propose the formal definition of A-IBE with distributed PKGs (A-dIBE) and the corresponding security models. Subsequently, we present a concrete construction with the corresponding security proof. This cryptographic primitive enjoys the advantages of both IBE with distributed PKGs and A-IBE: it distributes the power among multiple PKGs while preserving traceability, which yields a convincing judgment identifying the suspect as either the user or the PKGs. Furthermore, our construction can easily be extended to achieve IND-ID-CCA security, and revocation of the PKGs is efficient.

Introduction

The notion of identity-based cryptography was put forth to eliminate the certificate management problem of the public-key infrastructure (PKI) setting. In identity-based encryption (IBE) schemes, the user’s public key is its identity and the corresponding private key is generated by an authority known as the private key generator (PKG). The PKG is required to be fully trusted since it has full control over the user’s private key: it can decrypt all ciphertexts, or even illegally sell users’ private keys without taking the risk of being caught. This inherent property of IBE schemes is referred to as the “key escrow problem”.

Several approaches have been proposed to address or mitigate the key escrow problem, such as distributed PKGs [4], certificateless encryption (CLE) [1], certificate-based encryption (CBE) [11], and accountable identity-based encryption (A-IBE) [13]. Among these approaches, CLE and CBE address the key escrow problem while sacrificing some of the important features of IBE. Some examples of CLE constructions include [22], [27], [29] and examples of CBE include [10], [23], [28].

The method of distributed PKGs relieves the key escrow problem by employing multiple PKGs to decentralize the power held by the single authority of traditional IBE schemes. In an IBE scheme with distributed PKGs (referred to as dIBE throughout this paper), the user’s private key is generated jointly by multiple PKGs, so that no single PKG can obtain a complete private key. Moreover, the leakage of fewer than a threshold number of PKGs does not disclose the complete private key of a user. dIBE not only eases the key escrow problem but also preserves the main features of IBE.

A-IBE was introduced as a new way to mitigate the key escrow problem, where the creator of a pirate decoder device can be traced to either the PKG or a suspected user. In an A-IBE scheme, a user interacts with the PKG to generate the corresponding private key, and tracing is realized by an additional trace algorithm. A-IBE is classified into white-box A-IBE and black-box A-IBE according to whether the pirated object is a private key or a decoder device. Furthermore, full black-box A-IBE allows a dishonest PKG to obtain the decryption results of adaptively chosen ciphertexts, while weak black-box A-IBE does not.

However, in a dIBE scheme, the PKGs can still collude to generate a user’s private key and auction it without the risk of being caught. In such a scenario, everyone can recognize the identity associated with the pirated private key, since it decrypts every message encrypted to that identity. In the distributed PKGs setting, even if the user is certain that he/she has never leaked his/her private key or generated such a pirated key, everyone else would prefer to believe that the user created it. When the pirated private key causes large economic losses, the user cannot even prove his/her innocence in court, let alone hold the PKGs accountable. Therefore, accountability in dIBE is paramount, with practical applications such as deterring malicious behavior by the PKGs.

Unfortunately, achieving distribution and accountability simultaneously is daunting, as it cannot simply be achieved by applying an accountability technique to an existing dIBE scheme. On the other hand, a trivial construction is straightforward: multiple PKGs run the same A-IBE scheme in parallel. Such a scheme is feasible but inefficient; specifically, the sizes of the master public key, the user’s private key, the ciphertext, and all other parameters grow linearly with the number of PKGs. To fill this gap in the literature, in this paper we propose accountable identity-based encryption with distributed PKGs (A-dIBE).

Distributed PKGs. In their seminal paper on IBE, Boneh and Franklin [4] suggested distributing the master secret key of the authority among multiple PKGs with a threshold technique, so that any threshold number of PKGs can jointly generate a private key for a user. Chen et al. [7] further studied IBE with multiple trusted authorities in pairing-based cryptosystems, where a user can decrypt a ciphertext encrypted under a combination of several public keys using the corresponding combination of private keys. Later, Kate and Goldberg [18] presented the first practical implementation of a dIBE scheme. Siad [25] formalized the definition of anonymous dIBE and its security models. Grumazescu et al. combined distributed PKGs with a hierarchical infrastructure in [15]. In 2016, a robust distributed key issuing protocol was given by Kalyani and Sridevi [17].
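As an added illustration (not code from this paper or from any of the cited works), the threshold key issuing that the two preceding paragraphs describe for Boneh-Franklin-style distributed PKGs: the master secret is Shamir-shared among n PKGs, each PKG returns a partial key derived only from its share, and any t of them combine into the user’s full key while fewer than t do not. It assumes a toy safe prime and replaces the pairing group by a prime-order subgroup of Z_P^*, so the key is H(ID)^s rather than the curve point s·Q_ID; the identity string and parameter sizes are constructed for the demo.

```python
import hashlib
import secrets

# Toy safe prime P = 2*Q + 1; the order-Q subgroup of Z_P^* stands in for the
# pairing group of Boneh-Franklin, so d_ID = H(ID)^s replaces d_ID = s*Q_ID.
# These sizes are illustrative only, nowhere near a real security level.
P, Q = 10007, 5003

def hash_to_group(identity: str) -> int:
    """H(ID): hash the identity into the order-Q subgroup (squaring maps into it)."""
    h = int.from_bytes(hashlib.sha256(identity.encode()).digest(), "big")
    return pow(2 + h % (P - 3), 2, P)        # base in [2, P-2], so result is neither 0 nor 1

def setup_pkgs(n: int, t: int, coeffs=None):
    """Share master secret s = coeffs[0] among n PKGs with threshold t (Shamir).
    A dealer is used for brevity; a real dIBE would run distributed key generation."""
    if coeffs is None:
        coeffs = [secrets.randbelow(Q) for _ in range(t)]
    shares = {i: sum(c * pow(i, k, Q) for k, c in enumerate(coeffs)) % Q
              for i in range(1, n + 1)}
    return coeffs[0], shares

def partial_key(share: int, identity: str) -> int:
    """PKG i's partial private key H(ID)^{s_i}; it never holds s or the full key."""
    return pow(hash_to_group(identity), share, P)

def lagrange_at_zero(i: int, indices) -> int:
    """Lagrange coefficient lambda_i for reconstructing the exponent at x = 0."""
    num = den = 1
    for j in indices:
        if j != i:
            num, den = num * (-j) % Q, den * (i - j) % Q
    return num * pow(den, -1, Q) % Q

def combine(partials: dict) -> int:
    """User side: product of partial keys raised to lambda_i gives H(ID)^s."""
    key = 1
    for i, part in partials.items():
        key = key * pow(part, lagrange_at_zero(i, partials), P) % P
    return key

def full_key(s: int, identity: str) -> int:
    """Reference value a single all-powerful PKG would compute; in dIBE nobody holds s."""
    return pow(hash_to_group(identity), s, P)

if __name__ == "__main__":
    s, shares = setup_pkgs(n=5, t=3)
    parts = {i: partial_key(shares[i], "alice@example.com") for i in (1, 3, 5)}
    print(combine(parts) == full_key(s, "alice@example.com"))                      # True
    print(combine({i: parts[i] for i in (1, 3)}) == full_key(s, "alice@example.com"))  # False
```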

Accountable Identity-Based Encryption. The notion of Accountable Identity-Based Encryption (A-IBE) was introduced by Goyal in [13], where two schemes were presented: one white-box A-IBE scheme and one weak black-box A-IBE scheme. Later, Goyal et al. [14] presented the first full black-box A-IBE scheme. Au et al. [2] extended the functionality of A-IBE and suggested a retrievable white-box A-IBE scheme, where the user can extract the PKG’s master secret key when given a pirated private key created by the PKG. In 2009, an efficient weak black-box A-IBE scheme was presented by Libert and Vergnaud in [21]; the decryption keys and ciphertexts in their scheme consist of a constant number of group elements. Sahai and Seyalioglu [24] improved Goyal et al.’s work [14] and gave a fully secure full black-box A-IBE scheme. The public traceability problem for weak black-box A-IBE was first solved by Lai et al. in [20], where tracing needs only a public tracing key rather than the user’s private key. Kiayias and Tang [19] showed how to transform any IBE scheme into a weak black-box A-IBE scheme. In 2016, Han et al. [16] proposed an accountable mobile e-commerce construction based on their identity-based plaintext-checkable encryption scheme. Cheng et al. applied A-IBE to suggest an accountable privacy-preserving mechanism in [8].

In this work, we concentrate on the study of accountable identity-based encryption with distributed PKGs (A-dIBE). Our contributions are summarized as follows.

  1. We formalize the definitions and security models of A-dIBE schemes. Three security aspects are considered, namely message confidentiality, anti-collusion, and accountability. In particular, message confidentiality is captured by indistinguishability under chosen-plaintext attack (IND-ID-CPA security), and accountability is captured by dishonest-PKG security and dishonest-user security.

  2. We construct a white-box A-dIBE scheme based on Gentry’s IBE scheme [12] and prove its security in the random oracle model, where the creator of a pirated private key can be traced. Every PKG in our scheme generates its own master public key, and the PKGs jointly compute a system public key. The user runs a protocol with each PKG to obtain one “partial” private key and, from all of them, computes its complete private key corresponding to the system public key. Moreover, the private key consists of a constant number of group elements.

  3. We extend our scheme to capture indistinguishability under chosen-ciphertext attack (IND-ID-CCA security) without breaking the main construction. Furthermore, we show how to efficiently revoke PKGs in our A-dIBE scheme.

The rest of this paper is organized as follows. In Section 2, we give the formal definitions and security models of A-dIBE. In Section 3, we describe a construction of white-box A-dIBE and prove its security. In Section 4, we extend our scheme to an IND-ID-CCA secure version and show how to revoke PKGs. Finally, in Section 5, we conclude the paper and suggest some future work.

Definitions and security models

We formalize the definitions and security models for the accountable identity-based encryption with distributed PKGs (A-dIBE).

A concrete scheme

We construct a white-box accountable identity-based encryption scheme with distributed PKGs (A-dIBE scheme) based on Gentry’s IBE scheme [12], and we prove its security.

Discussions

We extend our scheme to an IND-ID-CCA secure scheme using the technique applied in Gentry’s scheme [12], where the main construction and the security proof remain unchanged apart from some additional parameters and steps. Moreover, we show that the revocation of PKGs in our construction can be performed efficiently: the remaining PKGs only need to compute a new system public key without interaction, and a user can easily compute a corresponding private key from the original private key and the

Conclusion

To provide accountability in IBE when employing multiple PKGs, we presented the concept of accountable identity-based encryption with distributed PKGs (A-dIBE). We formalized the definitions and security models of A-dIBE and gave a white-box A-dIBE scheme along with its security proof. The proposed scheme can trace a pirated private key to its source, which might be the colluding PKGs or a suspected user. Moreover, we showed how to transform our scheme into an IND-ID-CCA secure one and how to revoke the

Declaration of Competing Interest

The authors declare that they do not have any financial or non-financial conflicts of interest.

Acknowledgments

This work is supported by the National Key R&D Program of China under Grant No. 2017YFB0802000, the National Natural Science Foundation of China under Grant Nos. 61572390, U1736111, the National Cryptography Development Fund under Grant No. MMJJ20180111, the Plan For Scientific Innovation Talent of Henan Province under Grand No. 184100510012, the Program for Science & Technology Innovation Talents in Universities of Henan Province under Grant No. 18HASTIT022, the Innovation Scientists and

References (29)

  • Q. Wu et al., Asymmetric group key agreement.
  • S.S. Al-Riyami et al., Certificateless public key cryptography.
  • M.H. Au et al., Traceable and retrievable identity-based encryption.
  • D. Boneh et al., Short signatures without random oracles and the SDH assumption in bilinear groups, J. Cryptol. (2008).
  • D. Boneh et al., Identity-based encryption from the Weil pairing.
  • D. Boneh et al., Short signatures from the Weil pairing, J. Cryptol. (2004).
  • J. Camenisch, Group signature schemes and payment systems based on the discrete logarithm problem (1998).
  • L. Chen et al., Applications of multiple trust authorities in pairing based cryptosystems.
  • H. Cheng et al., Accountable privacy-preserving mechanism for cloud computing based on identity-based encryption, IEEE Access (2018).
  • J.H. Cheon, Security analysis of the strong Diffie-Hellman problem.
  • W. Gao et al., Generic construction of certificate-based encryption from certificateless encryption revisited, Comput. J. (2015).
  • C. Gentry, Certificate-based encryption and the certificate revocation problem.
  • C. Gentry, Practical identity-based encryption without random oracles.
  • V. Goyal, Reducing trust in the PKG in identity based cryptosystems.
