Information Sciences

Volume 538, October 2020, Pages 273-289
Adaptively secure certificate-based broadcast encryption and its application to cloud storage service

https://doi.org/10.1016/j.ins.2020.05.092

Abstract

The existing public key broadcast encryption schemes are mainly constructed in the identity-based cryptosystem, which bears the inherent problems of key escrow and key distribution. The certificate-based encryption mechanism can effectively address these problems of the identity-based cryptosystem, and it also simplifies the certificate revocation issue of the traditional public key cryptosystem. Inspired by the idea of certificate-based encryption, we put forward the new primitive certificate-based broadcast encryption together with its formal definition and security model. Using prime order bilinear groups, we present an instantiation scheme of certificate-based broadcast encryption. To the best of our knowledge, the proposed scheme is the first adaptively secure certificate-based broadcast encryption scheme in the standard model against chosen-ciphertext attack. Compared with previous work, our scheme has advantages in computation cost as well as in security properties. Furthermore, we present an application scenario of the proposed scheme for data access control in cloud storage service.

Introduction

There is an emerging trend that more and more users choose to store and share their personal data through cloud storage services. As a consequence, how to guarantee the confidentiality of the data stored in public clouds has become a challenge. So far, numerous methods have been introduced, among which broadcast encryption (BE) provides a promising solution. BE was first put forward by Fiat and Naor [11]. In short, BE is a significant cryptographic primitive that lets a sender deliver encrypted data to multiple authorized receivers. With BE, a broadcaster encrypts messages for the authorized receivers within a dynamic set S. Any authorized receiver within S is able to decrypt the ciphertexts, while any user outside S is unable to decrypt them. Since the primitive BE was introduced, it has been widely applied in video conferencing, file sharing, remote education, video on demand (VOD), high-definition (HD) pay-TV systems, etc. In the past few years, with the increasingly extensive use of cloud storage services [16], [19], [20], [21], [22], [23], [24], [25], [27], [28], [29], [31], [33], [34], [43], [45], [46], [50], BE has also been deemed a promising data access control mechanism.

Generally, BE can be classified into two categories. One is symmetric key BE, in which only the trusted authority, who is in charge of distributing the users’ decryption keys, can initiate a broadcast session. The other one is public key BE (PKBE), in which any user who possesses the system public parameters is able to initiate a broadcast session for multiple authorized receivers he/she chooses. Obviously, PKBE is more suitable for the applications in modern communication networks such as cloud computing.

There are three types of security level when constructing PKBE schemes.

(1) Adaptive security, also known as full security, was put forward by Gentry and Waters [14]. It means that an adversary is allowed to adaptively choose a target receiver set in the challenge phase. Specifically, the adversary selects the challenge receiver set according to the system public parameters and the user private keys it queried in the first phase.

(2) Static security, also known as selective security, as defined in [2], is a weaker version of adaptive security for PKBE schemes. It means that an adversary must declare the challenge target receiver set before obtaining the system public parameters.

(3) Semi-static security was also presented by Gentry and Waters [14]. This level lies between the two above. Concretely, an adversary for semi-static security also needs to state the target receiver set before obtaining the system public parameters; subsequently, in the challenge phase, the adversary selects any proper subset of the target receiver set as the challenge receiver set.

Most of the existing PKBE schemes [3], [6], [8], [9], [14], [15], [17], [35], [36], [37], [47], [48], [49] are constructed in the form of identity-based broadcast encryption (IBBE) [32], which is a natural extension of the notion of identity-based encryption (IBE). IBBE can be viewed as a specific type of PKBE that combines BE and IBE. Essentially, IBE is the particular case of IBBE with a single receiver in the broadcast. The previous IBBE schemes mainly focused on enhancing efficiency and security properties. However, the inherent key escrow and key distribution problems of the identity-based cryptosystem (IBC) still remain in those IBBE schemes.

To integrate the virtues of IBC into traditional public key infrastructure (PKI), Gentry [12] proposed the notion of certificate-based encryption (CBE). A CBE construction combines public key encryption (PKE) with IBE in a way that preserves the best characteristics of both. The implicit certificate mechanism of CBE effectively eliminates the certificate revocation and third-party query problems of traditional PKI, and at the same time addresses the key distribution and key escrow problems inherent in IBC.

It is intuitively feasible that the idea of CBE could be employed to construct PKBE schemes that avoid the above problems. So far, multi-receiver certificate-based encryption [10], [39] and certificate-based group encryption [38] have solved this issue to some extent. Nevertheless, to the best of our knowledge, there is still no formal definition or concrete security model for PKBE based on CBE. Furthermore, it is challenging to construct an adaptively secure and efficient PKBE scheme from CBE in the standard model.

Mu et al. [32] first put forward the notion of IBBE, which is very similar to the multi-receiver identity-based key encapsulation mechanism (mID-KEM) [1]. IBBE integrates IBE into BE. The difference between ordinary BE and IBBE is that the users in the former are usually identified by sequential indexes from 1 to n, while the users in the latter are distinguished by their identities. When a sender intends to broadcast sensitive messages to multiple authorized receivers with a plain IBE scheme, the sender needs to encrypt these messages for each receiver separately, which is obviously very inefficient. With IBBE, the sender encrypts the message only once and then broadcasts the resulting ciphertext to the multiple authorized receivers. The first practical IBBE scheme with constant-size user private key and ciphertext was put forward by Delerablée [8]. It achieves static security against chosen-plaintext attack (CPA) adversaries in the random oracle model. IBBE schemes with adaptive security were proposed in [14], [37], [47], [49]. For the IBBE scheme proposed in [14], the ciphertext size is sublinear, and a sub-algorithm is used in the encryption phase to obtain adaptive security. Ren and Gu [37] proposed an IBBE construction and claimed it to be the first fully adaptive chosen-ciphertext attack (CCA2) secure IBBE construction without random oracles. Nevertheless, Wang et al. [44] proved that the scheme in [37] is not even CPA secure. Under q-type complexity assumptions, the two IBBE schemes presented in [47], [49] achieve CPA and CCA2 security, respectively. The IBBE schemes proposed in [17], [48] are adaptively CPA-secure under simple subgroup assumptions, but the sizes of the system parameters and user private key depend on the maximum number of receivers. Based on multilinear maps, Boneh et al. [4] proposed three IBBE schemes. The first two are selectively CPA-secure, while the third achieves adaptive CPA security. All three have constant-size ciphertexts, but their system parameter sizes grow logarithmically with the maximum number of receivers, and their decryption cost increases linearly with the number of intended receivers. Under the symmetric external Diffie–Hellman assumption, Ramanna and Sarkar [36] proposed two IBBE schemes with adaptive CPA security, in which the lengths of the public parameters grow linearly and sublinearly with the maximum number of receivers, respectively. Li et al. [26] came up with an IBBE scheme that achieves continuous leakage resilience. Recently, Chen et al. [5] put forward an efficient anonymous IBBE scheme together with its application to data access control in cloud storage service.

Gentry [12] first presented the concept of the certificate-based cryptosystem, which absorbs the best characteristics of traditional PKI and IBC. The certificate-based cryptosystem efficiently avoids the key distribution and key escrow problems of IBC, and it also addresses the certificate management and third-party query issues of traditional PKI. The notion of multi-receiver certificate-based encryption was first introduced by Sur et al. [39], who also proposed an instance scheme of multi-receiver CBE. However, [39] provides neither a security model nor a formal definition, and the security proof of the instance scheme is not rigorous. Subsequently, an anonymous multi-receiver CBE scheme was put forward by Fan et al. [10]; it achieves selective security against CPA adversaries. Ren et al. [38] proposed certificate-based group encryption, in which anyone is able to verifiably deliver confidential messages to a group member whose identity is hidden within a group of certified users. The concrete scheme in [38] achieves adaptive CPA security in the random oracle model. Nevertheless, when messages must be transmitted to the whole group of certified users simultaneously, the scheme incurs a large computation and communication overhead, which makes it hardly feasible for realistic BE application scenarios.

Because of the advantage of IBC in public key certificate management, most of the existing PKBE schemes take the IBBE form. In a nutshell, the previous IBBE schemes mainly focus on improving performance and raising the security level. More specifically, on the performance side, the existing IBBE work strives for system public parameters, user private keys and ciphertexts of shorter, preferably constant, size, and for encryption and decryption costs that do not grow with the number of receivers, preferably also constant. On the security side, the existing IBBE schemes aim at adaptive CCA2 security in the standard model. As a matter of fact, however, constructing PKBE (including IBBE) schemes with ideal performance and security simultaneously is still an open challenge. The reason lies in the tension between performance and security: in many cases a trade-off must be struck, e.g., obtaining a higher security level at the cost of degraded performance. Even worse, all the existing IBBE schemes suffer from the inherent key escrow and key distribution problems of IBC.

The introduction of the certificate-based cryptosystem provides a new way to address the above problem. The certificate-based cryptosystem effectively fuses the advantages of traditional PKI and IBC: it avoids the certificate management and third-party query problems of traditional PKI, and it solves the key escrow and key distribution problems of IBC. However, to the best of our knowledge, only a few works so far have studied how to adopt the certificate-based cryptosystem to construct encryption schemes for multiple receivers or a group of members. Furthermore, the existing work is unsatisfactory in both performance and security, and hence it is not practical for realistic BE application scenarios.

In short, the area of application of certificate-based cryptosystem in PKBE is still not covered in great detail and lacks comprehensive solutions. Therefore, the main motivation of this paper is to investigate the feasibility of designing both efficient and secure PKBE schemes in certificate-based cryptosystem.

In summary, the contributions of this paper are threefold.

First, we introduce the novel cryptographic primitive certificate-based broadcast encryption (CBBE), which integrates CBE into PKBE. The formal definition of CBBE is presented in detail. CBBE preserves the merits of the certificate-based cryptosystem well. In fact, it is also intuitively feasible to construct PKBE from CBE, because CBE itself is obtained by combining PKE and IBE, while the study of designing PKBE based on IBE, i.e. IBBE, is quite mature. The difficulty lies in how to portray and capture the attack capabilities and behaviors of adversaries in CBBE. To this end, by referring to the classic definitions of the two types of adversaries in the research on CBE, and by considering the attack process in the security model of general PKBE, we define the security model of CBBE for the two types of adversaries with different attack capabilities, respectively.

Second, we present a construction instantiation of a CBBE scheme with prime order bilinear groups, and discuss the performance and security of the scheme in detail. The key to the construction is how to seek an effective trade-off between performance and security. The strict security analysis shows that the CBBE scheme achieves adaptive CCA2 security against both types of adversaries in the standard model. Compared with the existing PKBE (including IBBE) schemes, the proposed CBBE scheme has advantages in the sizes of the system public parameters and user private key as well as in security level. Compared with the similar multi-receiver CBE scheme [10] and certificate-based group encryption scheme [38], which are also constructed in the certificate-based cryptosystem, our CBBE scheme has significant advantages in the cost of encryption and decryption as well as in security level.

Third, we provide the general system model of data access control in cloud storage service adopting the primitive CBBE. Furthermore, taking the use case of online photo and video sharing with the aid of cloud storage service as an example, we demonstrate how to implement the data access control mechanism based on the proposed CBBE scheme. In addition, we discuss the feasibility of designing more efficient and secure data access control mechanisms by combining the primitive CBBE with the two-factor authentication technique [40], [41], [42], which has been extensively investigated and utilized in cloud computing.

Section 2 first introduces the bilinear map and two complexity assumptions. Subsequently, the formal definition and security model for CBBE are provided. An instantiation scheme of CBBE is presented in detail in Section 3. Section 4 proves the security of the scheme under the model defined in Section 2. The performance of our scheme is analyzed in Section 5. Section 6 presents the application of CBBE to data access control in cloud storage service. Lastly, Section 7 concludes the paper.

Section snippets

Bilinear map

Inputting the security parameter $\lambda$, the algorithm $\mathcal{G}$ outputs two bilinear groups $(p, \mathbb{G}, \mathbb{G}_T, e)$, where $\mathbb{G}$ and $\mathbb{G}_T$ are two multiplicative cyclic groups of large prime order $p$. Let $g$ be a generator of $\mathbb{G}$; then $e: \mathbb{G} \times \mathbb{G} \to \mathbb{G}_T$ is a bilinear map if it satisfies the following three properties.

(1) Bilinearity: for any $u, v \in \mathbb{G}$ and $a, b \in \mathbb{Z}_p$, $e(u^a, v^b) = e(u^b, v^a) = e(u, v)^{ab}$.

(2) Non-degeneracy: $e(g, g) \neq 1$.

(3) Computability: there is an efficient algorithm that computes $e(u, v)$ for any $u, v \in \mathbb{G}$.

Complexity assumptions

The

The proposed scheme

According to the definition of CBBE, we present a construction instantiation of a CBBE scheme. As mentioned previously, the user space is $\mathcal{N} = \{1, 2, \ldots, N\}$, where $N$ is the maximum number of authorized receivers.

Setup. Inputting the security parameter $\lambda$, the CA runs $\mathcal{G}(1^\lambda)$ to produce $(p, \mathbb{G}, \mathbb{G}_T, e)$. Let $g$ be a generator of $\mathbb{G}$. The CA then chooses $\alpha \in \mathbb{Z}_p$ and $h_1, h_2 \in \mathbb{G}$, and computes $g_1 = g^\alpha$ and $g_T = e(g, g)$. Four hash functions $H_1: \{0,1\}^* \times \mathbb{G}^3 \to \mathbb{Z}_p$, $H_2: \mathbb{G} \times \mathbb{G}_T \to \mathbb{Z}_p$, $H_3: \mathbb{G}_T \to \mathbb{Z}_p$, and $H_4: \mathbb{G} \to \mathbb{Z}_p$ are selected by
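The three bilinear-map properties and the first Setup values ($g_1 = g^\alpha$, $g_T = e(g, g)$) made concrete, as an added example that is not the paper's code: in place of the abstract group generator $\mathcal{G}(1^\lambda)$ it assumes the supersingular curve $y^2 = x^3 + x$ over $\mathbb{F}_P$ with $P = 1031$ ($P \equiv 3 \bmod 4$), the distortion map $\phi(x, y) = (-x, i\,y)$ and the reduced Tate pairing, so that $\mathbb{G}$ is the order-43 subgroup (43 plays the paper's $p$) and $\mathbb{G}_T$ the 43rd roots of unity in $\mathbb{F}_{P^2}$. The parameters are toy-sized and serve only to check the algebra; all names (`power`, `pairing`, `setup`, `check_bilinearity`) are the example's own.

```python
import secrets

P = 1031                 # base field prime; P % 4 == 3 makes E: y^2 = x^3 + x supersingular
R = 43                   # prime factor of #E(F_P) = P + 1 = 1032 = 24 * 43 (the paper's p)
COFACTOR = (P + 1) // R  # multiplying by this lands in the order-R subgroup G = <g>

def power(op, unit, x, k):  # generic square-and-multiply: x "to the k" under op
    acc = unit
    while k:
        if k & 1: acc = op(acc, x)
        x, k = op(x, x), k >> 1
    return acc

# G_T sits in F_{P^2} = F_P[i]/(i^2 + 1); an element a + b*i is the tuple (a, b).
def f2_mul(x, y):
    return ((x[0]*y[0] - x[1]*y[1]) % P, (x[0]*y[1] + x[1]*y[0]) % P)
def f2_pow(x, e):
    return power(f2_mul, (1, 0), x, e)

# Points of E(F_P) are int pairs (x, y), or None for the point at infinity.
def slope(p1, p2):  # tangent slope if p1 == p2, chord slope otherwise
    num, den = (3*p1[0]*p1[0] + 1, 2*p1[1]) if p1 == p2 else (p2[1] - p1[1], p2[0] - p1[0])
    return num * pow(den, P - 2, P) % P
def ec_add(p1, p2):
    if p1 is None or p2 is None:
        return p2 if p1 is None else p1
    if p1[0] == p2[0] and (p1[1] + p2[1]) % P == 0:
        return None  # p2 == -p1
    lam = slope(p1, p2)
    x3 = (lam*lam - p1[0] - p2[0]) % P
    return (x3, (lam*(p1[0] - x3) - p1[1]) % P)
def ec_mul(pt, k):  # the paper's multiplicative g^k, written additively on the curve
    return power(ec_add, None, pt, k)

def line(t, pt, q):
    # Line through t and pt at phi(q) = (-x_q, i*y_q); vertical lines lie in F_P, which the final exponentiation kills, so 1.
    if t[0] == pt[0] and (t[1] + pt[1]) % P == 0:
        return (1, 0)
    lam = slope(t, pt)
    return ((-t[1] - lam*(-q[0] - t[0])) % P, q[1] % P)  # (i*y_q - y_t) - lam*(x_q - x_t)

def pairing(p1, p2):
    # Reduced Tate pairing e: G x G -> G_T: Miller's loop, then final exponentiation.
    f, t = (1, 0), p1
    for bit in bin(R)[3:]:  # binary digits of R after the leading 1
        f = f2_mul(f2_mul(f, f), line(t, t, p2))
        t = ec_add(t, t)
        if bit == '1':
            f = f2_mul(f, line(t, p1, p2))
            t = ec_add(t, p1)
    return f2_pow(f, (P*P - 1) // R)  # now an R-th root of unity in F_{P^2}

def generator():
    # Deterministic generator g of G: first curve point found, cofactor cleared.
    for x in range(1, P):
        v = (x**3 + x) % P
        y = pow(v, (P + 1) // 4, P)  # square root when v is a square (P % 4 == 3)
        if y*y % P == v and ec_mul((x, y), COFACTOR) is not None:
            return ec_mul((x, y), COFACTOR)

def setup(alpha=None):
    # Opening step of CBBE Setup: the CA picks alpha in Z_p, g1 = g^alpha, gT = e(g, g).
    g = generator()
    alpha = secrets.randbelow(R - 1) + 1 if alpha is None else alpha
    return {"g": g, "alpha": alpha, "g1": ec_mul(g, alpha), "gT": pairing(g, g)}

def check_bilinearity(u, v, a, b):
    # Property (1): e(u^a, v^b) == e(u^b, v^a) == e(u, v)^(ab).
    lhs = pairing(ec_mul(u, a), ec_mul(v, b))
    return lhs == pairing(ec_mul(u, b), ec_mul(v, a)) == f2_pow(pairing(u, v), a * b)
```

`setup()` returns `gT != (1, 0)` (non-degeneracy) and `pairing(g1, g) == f2_pow(gT, alpha)`, the identity the scheme's later algorithms rely on; at this size the discrete logarithm is trivial, so nothing here is secret.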

Security analysis

In this section, we prove by the following two theorems that the above CBBE scheme achieves adaptive CCA2 security against both types of adversaries in the standard model.

Theorem 1

If there is an adversary $\mathcal{A}_I$ that can win Game-I with advantage at least $\varepsilon$ after issuing at most $q_C$ certificate queries and $q_D$ decryption queries, then there exists an algorithm $\mathcal{B}$ with advantage $\varepsilon$ for solving the truncated decisional $q$-ABDHE problem, where $q = q_C + q_D + 1$.

Proof

The basic idea is to build $\mathcal{B}$ for solving

Performance analysis

For evaluating the performance of the proposed CBBE scheme comprehensively, we first compare our CBBE scheme with the existing PKBE (including IBBE) schemes in the aspects of sizes for system public parameters, user private key and ciphertext, cost for encryption and decryption, map type as well as security level, etc. Subsequently, for more accurate performance evaluation, we further compare our CBBE scheme with the two similar schemes, i.e. the multi-receiver CBE scheme [10] and the

Application of CBBE in cloud storage service

With the arrival of social media era, a great many applications of social network service are in widespread use, e.g., Facebook, Twitter, WeChat and MicroBlog, etc. With these applications, people can play the roles of information receiver and information disseminator simultaneously. Specifically, by means of social network service applications, people can obtain hotspot information, participate the dissemination of information, and set up specific groups of friends for sharing personal opinion

Conclusion

For averting the inherent problems in the existing work on IBBE, i.e. key distribution and key escrow, we come up with the new cryptographic primitive CBBE by extending CBE into the setting of PKBE. The formal definition of CBBE, and what is more important, the security model against two different types of adversaries for CBBE, are presented in detail. Subsequently, we give an efficient instantiation scheme of CBBE in virtue of prime order bilinear groups. To our best knowledge, this is the

CRediT authorship contribution statement

Liqing Chen: Methodology, Software, Writing - original draft. Jiguo Li: Conceptualization, Formal analysis, Supervision, Writing - review & editing. Yang Lu: Visualization, Writing - review & editing. Yichen Zhang: Data curation, Software, Validation.

Declaration of Competing Interest

The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.

Acknowledgements

This work was supported by the National Natural Science Foundation of China (61972095, U1736112, 61772009, 61672207), the Project of Scientific Research Innovation for College Graduate Student of Jiangsu Province (KYZZ15_0151), Transverse Research Project of Huaiyin Institute of Technology (Z421A19815, Z421A20643), and the Doctoral Scientific Research Starting Foundation of Huaiyin Institute of Technology (Z301B19563).

References (50)

  • X. Zhao et al., Fully CCA2 secure identity-based broadcast encryption with black-box accountable authority, J. Systems Software (March 2012)
  • J. Baek et al., Efficient multi-receiver identity-based encryption and its application to broadcast encryption, PKC 2005, LNCS (2005)
  • D. Boneh et al., Efficient selective-ID secure identity-based encryption without random oracles, EUROCRYPT 2004, LNCS (2004)
  • D. Boneh et al., Collusion resistant broadcast encryption with short ciphertexts and private keys, CRYPTO 2005, LNCS (2005)
  • D. Boneh et al., Low overhead broadcast encryption from multilinear maps, CRYPTO 2014, LNCS (2014)
  • L. Chen et al., Adaptively secure anonymous identity-based broadcast encryption for data access control in cloud storage service, KSII Trans. Int. Inf. Systems (2019)
  • L. Chen et al., Adaptively secure efficient broadcast encryption with constant-size secret key and ciphertext, Soft Comput. (2020)
  • L. Chen et al., Anonymous certificate-based broadcast encryption with personalized messages, IEEE Trans. Broadcast. (2020)
  • C. Delerablée, Identity-based broadcast encryption with constant size ciphertexts and private keys, ASIACRYPT 2007, LNCS (2007)
  • C. Delerablée et al., Fully collusion secure dynamic broadcast encryption with constant-size ciphertexts or decryption keys, Pairing 2007, LNCS (2007)
  • C.-I. Fan et al., Anonymous multi-receiver certificate-based encryption, CyberC 2013 (2013)
  • A. Fiat et al., Broadcast encryption, CRYPTO 1993, LNCS (1994)
  • C. Gentry, Certificate-based encryption and the certificate revocation problem, EUROCRYPT 2003, LNCS (2003)
  • C. Gentry, Practical identity-based encryption without random oracles, EUROCRYPT 2006, LNCS (2006)
  • C. Gentry et al., Adaptive security in broadcast encryption systems (with short ciphertexts), EUROCRYPT 2009, LNCS (2009)
Cited by (27)

  • Lightweight ID-based broadcast signcryption for cloud–fog-assisted IoT (2022, Journal of Systems Architecture). Citation excerpt: "Recently, Agrawal et al. [14] improved the scheme in [13] to achieve fully collusion-resistant against any number of colluders. Chen et al. [15] designed a new primitive, certificate-based broadcast encryption, which also simplified the certificate revocation issue for the traditional public-key cryptosystem. IBBE was introduced by Delerablée [16] and Sakai and Furkawa [4], where a sender encrypts data for a set of recipients based on their identities."

  • An efficient identity-based signature scheme with provable security (2021, Information Sciences). Citation excerpt: "In order to solve this problem, we utilize the idea of certificate-based encryption [41] to design IBS scheme without key escrow problem in our future work."