Accountable identity-based encryption with distributed private key generators
Introduction
The notion of identity-based cryptography was put forth to eliminate the certificate management problem of the public-key infrastructure (PKI) setting. In identity-based encryption (IBE) schemes, a user's public key is its identity and the corresponding private key is generated by an authority known as the private key generator (PKG). The PKG must be fully trusted, since it has complete control over every user's private key: it can decrypt all ciphertexts, or even illegally sell some users' private keys, without any risk of being caught. This inherent property of IBE schemes is referred to as the "key escrow problem".
Several approaches have been proposed to address or mitigate the key escrow problem, such as distributed PKGs [4], certificateless encryption (CLE) [1], certificate-based encryption (CBE) [11], and accountable identity-based encryption (A-IBE) [13]. Among these approaches, CLE and CBE address the key escrow problem while sacrificing some of the important features of IBE. Some examples of CLE constructions include [22], [27], [29] and examples of CBE include [10], [23], [28].
The method of distributed PKGs relieves the key escrow problem by employing multiple PKGs to decentralize the power held by the single authority of traditional IBE schemes. In an IBE scheme with distributed PKGs (referred to as dIBE throughout this paper), the user's private key is generated jointly by multiple PKGs, so that no single PKG can obtain a complete private key. Moreover, the compromise of fewer than a threshold number of PKGs does not disclose the complete private key of any user. dIBE not only eases the key escrow problem but also preserves the main features of IBE.
A-IBE was introduced as a new way to mitigate the key escrow problem: when a pirated decoder is found, its creator can be traced to either the PKG or a suspected user. In an A-IBE scheme, a user interacts with the PKG to generate the corresponding private key, and tracing is realized by an additional trace algorithm. A-IBE is classified into white-box A-IBE and black-box A-IBE according to whether the pirated object is a private key or a decoder device. Furthermore, full black-box A-IBE allows a dishonest PKG to obtain the decryption results of adaptively chosen ciphertexts, while weak black-box A-IBE does not.
However, in a dIBE scheme, the PKGs can still collude to generate a user's private key and sell it without any risk of being caught. In such a scenario, everyone can recognize the identity associated with the pirated private key, since it decrypts every message encrypted to that specific user identity. In the distributed-PKGs setting, even if the user is certain that he/she has never leaked his/her private key or generated such a pirated key, everyone else would rather believe that the user created it. When the pirated private key causes major economic loss, the user cannot even prove his/her innocence to a court, let alone hold the PKGs accountable. Accountability in dIBE is therefore paramount, and it has practical applications such as deterring malicious behavior by the PKGs.
Unfortunately, achieving distribution and accountability simultaneously is daunting, as it cannot be done by simply applying the accountability technique to an existing dIBE scheme. On the other hand, a trivial construction is straightforward: multiple PKGs run the same A-IBE scheme in parallel. Such a scheme is feasible but inefficient; specifically, the sizes of the master public key, the user's private key, the ciphertext, and all other parameters grow linearly with the number of PKGs. To fill this gap in the literature, in this paper we propose accountable identity-based encryption with distributed PKGs (A-dIBE).
Distributed PKGs. In their seminal paper on IBE, Boneh and Franklin [4] suggested distributing the authority's master secret key among multiple PKGs with a threshold technique, so that any set of at least a threshold number of PKGs can generate a private key for a user. Chen et al. [7] further studied IBE with multiple trusted authorities in pairing-based cryptosystems, where a user can decrypt a ciphertext encrypted under a combination of several public keys using the corresponding combination of private keys. Later, Kate and Goldberg [18] presented the first practical implementation of a dIBE scheme. Siad [25] formalized the definition of anonymous dIBE and its security models. Grumazescu et al. combined distributed PKGs with a hierarchical infrastructure in [15]. In 2016, a robust distributed key issuing protocol was given by Kalyani and Sridevi [17].
Accountable Identity-Based Encryption. The notion of Accountable Identity-Based Encryption (A-IBE) was introduced by Goyal in [13], where two schemes were presented: one white-box A-IBE scheme and one weak black-box A-IBE scheme. Later, Goyal et al. [14] presented the first full black-box A-IBE scheme. Au et al. [2] extended the functionality of A-IBE and suggested a retrievable white-box A-IBE scheme, where the user can extract the PKG's master secret key when given a pirated private key created by the PKG. In 2009, an efficient weak black-box A-IBE scheme was presented by Libert and Vergnaud in [21]; the decryption keys and ciphertexts in their scheme consist of a constant number of group elements. Sahai and Seyalioglu [24] improved Goyal et al.'s work [14] and gave a fully secure full black-box A-IBE scheme. The public traceability problem for weak black-box A-IBE was first solved by Lai et al. in [20], where tracing requires only a public tracing key rather than the user's private key. Kiayias and Tang [19] showed how to transform any IBE scheme into a weak black-box A-IBE scheme. In 2016, Han et al. [16] proposed an accountable mobile e-commerce construction based on their identity-based plaintext-checkable encryption scheme. Cheng et al. applied A-IBE to suggest an accountable privacy-preserving mechanism in [8].
In this work, we concentrate on the study of accountable identity-based encryption with distributed PKGs (A-dIBE). Our contributions are summarized as follows.
1. We formalize the definitions and security models of A-dIBE schemes. Three security aspects are considered, namely message confidentiality, anti-collusion, and accountability. In particular, message confidentiality is captured by indistinguishability against chosen-plaintext attack (IND-ID-CPA security). Accountability is captured by dishonest-PKGs security and dishonest-user security.
2. We construct a white-box A-dIBE scheme based on Gentry's IBE scheme [12] and prove its security in the random oracle model; in this scheme the creator of a pirated private key can be traced. Every PKG generates its own master public key, and the PKGs together compute a system public key. The user runs a protocol with each PKG to obtain one "partial" private key and, using all of them, computes its complete private key corresponding to the system public key. Moreover, the private key consists of a constant number of group elements.
3. We extend our scheme to achieve indistinguishability against chosen-ciphertext attack (IND-ID-CCA security) without altering the main construction. Furthermore, we show how to efficiently revoke PKGs in our A-dIBE scheme.
The rest of this paper is organized as follows. In Section 2, we give the formal definitions and security models of A-dIBE. In Section 3, we describe a construction of white-box A-dIBE and prove its security. In Section 4, we extend our scheme to an IND-ID-CCA secure version and show how to revoke PKGs. Finally, in Section 5, we conclude the paper and suggest some future work.
Section snippets
Definitions and security models
We formalize the definitions and security models for the accountable identity-based encryption with distributed PKGs (A-dIBE).
A concrete scheme
We construct a white-box accountable identity-based encryption scheme with distributed PKGs (A-dIBE scheme) based on Gentry's IBE scheme [12], and we prove its security.
Discussions
We extend our scheme to an IND-ID-CCA secure scheme using the technique applied in Gentry's scheme [12], where the main construction and the security proof remain unchanged except for some additional parameters and steps. Moreover, we show that revocation of PKGs in our construction can be performed efficiently. The remaining PKGs only need to compute a new system public key without interaction, and a user can easily compute a corresponding private key with the original private key and the
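As an added illustration (not the paper's scheme and not Gentry-based), the following Python models the key-issuance structure described in the contributions and the non-interactive PKG revocation above: each PKG holds its own master secret and publishes its own master public key, the system public key is the product of those, the user combines one partial key per PKG into a complete key, and a revoked PKG's contribution is divided out of both values. The group (an order-q subgroup of Z_p^* with toy parameters), the hash-to-group map and the additive key shape are assumptions chosen for illustration only.

```python
# Added example: n-PKG key issuance and PKG revocation in a prime-order subgroup
# of Z_p^*. Assumed model, not the paper's construction: PKG i holds master
# secret a_i and publishes g^a_i; the system public key is g^(sum a_i); the user's
# complete key is H(ID)^(sum a_i), obtained by multiplying the partial keys
# H(ID)^a_i issued by each PKG. Parameters are far too small for real use.
import hashlib
import secrets

P = 2 * 1019 + 1   # constructed safe prime p = 2q + 1 (p = 2039, q = 1019)
Q = 1019           # prime order of the subgroup of quadratic residues
G = 4              # generator of that subgroup (4 = 2^2 is a quadratic residue)

def hash_to_group(identity: str) -> int:
    """Map an identity string into the order-q subgroup: square a hash mod p."""
    h = int.from_bytes(hashlib.sha256(identity.encode()).digest(), "big") % P
    return pow(h, 2, P) or G   # 0 only if h == 0; fall back to the generator

def pkg_setup(n: int) -> tuple[list[int], list[int]]:
    """Each of n PKGs picks its own master secret a_i and publishes g^a_i."""
    master_secrets = [secrets.randbelow(Q - 1) + 1 for _ in range(n)]
    master_pubs = [pow(G, a, P) for a in master_secrets]
    return master_secrets, master_pubs

def system_public_key(pkg_pubs: list[int]) -> int:
    """System public key = product of all PKG public keys = g^(sum a_i)."""
    spk = 1
    for y in pkg_pubs:
        spk = spk * y % P
    return spk

def partial_key(master_secret: int, identity: str) -> int:
    """PKG i issues its partial private key for ID: H(ID)^a_i."""
    return pow(hash_to_group(identity), master_secret, P)

def combine(partials: list[int]) -> int:
    """User multiplies all partial keys into the complete key H(ID)^(sum a_i)."""
    key = 1
    for d in partials:
        key = key * d % P
    return key

def revoke(spk: int, user_key: int, pkg_pub: int, pkg_partial: int) -> tuple[int, int]:
    """Remove one PKG without interaction: divide its public key out of the
    system public key and its partial key out of the user's complete key."""
    new_spk = spk * pow(pkg_pub, -1, P) % P
    new_key = user_key * pow(pkg_partial, -1, P) % P
    return new_spk, new_key
```

No single PKG's partial key equals the complete key, and after revocation the remaining PKGs' public keys and the user's updated key are consistent with the new system public key without any further exchange.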
Conclusion
To provide accountability in IBE when employing multiple PKGs, we presented the concept of accountable identity-based encryption with distributed PKGs (A-dIBE). We formalized the definitions and security models of A-dIBE and gave a white-box A-dIBE scheme along with its security proof. The proposed scheme can trace a pirated private key to its source, which might be the colluding PKGs or a suspected user. Moreover, we show how to transform our scheme to be IND-ID-CCA secure and how to revoke the
Declaration of Competing Interest
The authors declare that they do not have any financial or non-financial conflict of interest.
Acknowledgments
This work is supported by the National Key R&D Program of China under Grant No. 2017YFB0802000, the National Natural Science Foundation of China under Grant Nos. 61572390 and U1736111, the National Cryptography Development Fund under Grant No. MMJJ20180111, the Plan For Scientific Innovation Talent of Henan Province under Grant No. 184100510012, the Program for Science Technology Innovation Talents in Universities of Henan Province under Grant No. 18HASTIT022, the Innovation Scientists and
References
- et al., Asymmetric group key agreement.
- et al., Certificateless public key cryptography.
- et al., Traceable and retrievable identity-based encryption.
- et al., Short signatures without random oracles and the SDH assumption in bilinear groups, J. Cryptol. (2008).
- et al., Identity-based encryption from the Weil pairing.
- et al., Short signatures from the Weil pairing, J. Cryptol. (2004).
- Group signature schemes and payment systems based on the discrete logarithm problem (1998).
- et al., Applications of multiple trust authorities in pairing based cryptosystems.
- et al., Accountable privacy-preserving mechanism for cloud computing based on identity-based encryption, IEEE Access (2018).
- Security analysis of the strong Diffie-Hellman problem.