Adaptively secure certificate-based broadcast encryption and its application to cloud storage service
Introduction
There is an emerging trend that more and more users choose to store and share their personal data by means of cloud storage services. As a consequence, how to guarantee the confidentiality of data stored in public clouds has become a challenge. So far, numerous methods have been introduced, among which broadcast encryption (BE) provides a promising solution. BE was first put forward by Fiat and Naor [11]. In short, BE is a significant cryptographic primitive that allows a sender to deliver encrypted data to multiple authorized receivers. Adopting BE, a broadcaster encrypts messages for the authorized receivers within a dynamic set . Meanwhile, any authorized receiver within is able to decrypt the ciphertexts. Nevertheless, any user outside is unable to decrypt the ciphertexts. Since the primitive BE was introduced, it has been widely applied in video conferencing, file sharing, remote education, video on demand (VOD), high-definition (HD) pay-TV systems, etc. In recent years, with the increasingly extensive use of cloud storage services [16], [19], [20], [21], [22], [23], [24], [25], [27], [28], [29], [31], [33], [34], [43], [45], [46], [50], BE has also been deemed a promising data access control mechanism.
Generally, BE can be classified into two categories. One is symmetric key BE, in which only the trusted authority, who is in charge of distributing the users’ decryption keys, can initiate a broadcast session. The other one is public key BE (PKBE), in which any user who possesses the system public parameters is able to initiate a broadcast session for multiple authorized receivers he/she chooses. Obviously, PKBE is more suitable for the applications in modern communication networks such as cloud computing.
There are three types of security level when constructing PKBE schemes.
(1) Adaptive security, also known as full security, was put forward by Gentry and Waters [14]. It means that an adversary is allowed to adaptively choose the target receiver set in the challenge phase. Specifically, the adversary selects the challenge receiver set according to the system public parameters and the user private keys it queried in the first phase.
(2) Static security, also known as selective security, as defined in the literature [2], is a weaker version of adaptive security for PKBE schemes. It means that an adversary must openly declare the target receiver set before obtaining the system public parameters.
(3) Semi-static security was also presented by Gentry and Waters [14]. This level lies between the above two levels. Concretely, an adversary for semi-static security also needs to declare the target receiver set before obtaining the system public parameters. Subsequently, in the challenge phase, the adversary selects any proper subset of the target receiver set as the challenge receiver set.
Most of the existing PKBE schemes [3], [6], [8], [9], [14], [15], [17], [35], [36], [37], [47], [48], [49] are constructed with the form of identity-based broadcast encryption (IBBE) [32], which is a natural extension for the notion of identity-based encryption (IBE). IBBE could be viewed as a specific type for PKBE which combines BE and IBE. Essentially, IBE is a particular case of IBBE with a single receiver in the broadcast process. The previous IBBE schemes mainly focused on enhancing efficiency and security property. However, the inherent key escrow problem and key distribution problem for identity-based cryptosystem (IBC) still need to be solved in those IBBE schemes.
To integrate the virtues of IBC into traditional public key infrastructure (PKI), Gentry [12] proposed the notion of certificate-based encryption (CBE). For a CBE construction, it tactfully incorporates public key encryption (PKE) as well as IBE on the premise that their best characteristics are preserved. The mechanism of implicit certificate in CBE effectively eliminates the problems of certificate revocation and third-party queries for traditional PKI. Moreover, it concurrently addresses the problems of key distribution and key escrow which are inherent for IBC.
It is intuitively feasible that, the idea of CBE could be employed to construct PKBE schemes which can avert the above problems. For now, multi-receiver certificate-based encryption [10], [39] and certificate-based group encryption [38] solved this issue to some extent. Nevertheless, to our best knowledge, there is still no formal definition or concrete security model for PKBE based on CBE. Furthermore, it is challenging to construct adaptively secure and efficient PKBE scheme from CBE in the standard model.
Mu et al. [32] first put forward the notion of IBBE, which is very similar to the multi-receiver identity-based key encapsulation mechanism (mID-KEM) [1]. IBBE integrates IBE into BE. The difference between ordinary BE and IBBE is that the users in the former are usually identified by sequential indexes from 1 to , while the users in the latter are distinguished by their identities. When a sender intends to broadcast sensitive messages to multiple authorized receivers using a concrete IBE scheme, the sender needs to encrypt these messages for each receiver separately, which is obviously very inefficient. With IBBE, the sender encrypts the message only once and then broadcasts the corresponding ciphertext to the multiple authorized receivers. The first practical IBBE scheme with constant-size user private keys as well as ciphertexts was put forward by Delerablée [8]. It achieves static security against chosen-plaintext attack (CPA) adversaries in the random oracle model. IBBE schemes with adaptive security were proposed in the literature [14], [37], [47], [49]. For the IBBE scheme proposed in the literature [14], the ciphertext size is sublinear, and in the encryption phase a sub-algorithm is utilized to obtain adaptive security. Ren and Gu [37] proposed a construction for IBBE and claimed it to be the first fully adaptive chosen-ciphertext attack (CCA2) secure IBBE construction without random oracles. Nevertheless, Wang et al. [44] proved that the scheme in the literature [37] is not even CPA secure. Under q-type complexity assumptions, the two IBBE schemes presented in the literature [47], [49] achieve CPA and CCA2 security, respectively. The IBBE schemes proposed in the literature [17], [48] are adaptively CPA-secure under simple subgroup assumptions, but the sizes of the system parameters and user private keys depend on the maximum number of receivers. Based on multilinear maps, Boneh et al. [4] proposed three IBBE schemes.
The first two schemes are selectively CPA-secure, while the third one achieves adaptive CPA security. For all three schemes, the ciphertext sizes are constant, but the sizes of the system parameters grow logarithmically with the maximum number of receivers. Besides, the decryption cost for all three schemes increases linearly with the number of intended receivers. Relying on the symmetric external Diffie–Hellman assumption, Ramanna and Sarkar [36] advanced two IBBE schemes with adaptive CPA security, in which the lengths of the public parameters grow linearly and sublinearly with the maximum number of receivers, respectively. Li et al. [26] came up with an IBBE scheme which achieves continuous leakage resilience. Recently, Chen et al. [5] put forward an efficient anonymous IBBE scheme combined with its application to the data access control system in cloud storage service.
Gentry [12] first presented the concept of certificate-based cryptosystem, which absorbs the best characteristics of traditional PKI and IBC. Certificate-based cryptosystem efficiently avoids the key distribution and key escrow problems of IBC. Moreover, it also addresses the issues of certificate management and third-party queries for traditional PKI. The notion of multi-receiver certificate-based encryption was first introduced by Sur et al. [39]. Further, they proposed an instance scheme of multi-receiver CBE. However, in the literature [39], neither the security model nor a formal definition was provided. Besides, the security proof of the instance scheme was not rigorous. Subsequently, an anonymous multi-receiver CBE scheme was put forward by Fan et al. [10]. The scheme achieves selective security against CPA adversaries. Ren et al. [38] proposed certificate-based group encryption, in which anyone is able to verifiably deliver confidential messages to a group member whose identity is hidden within a group of certified users. The concrete scheme presented in the literature [38] achieves adaptive CPA security in the random oracle model. Nevertheless, when messages need to be transmitted to the whole group of certified users simultaneously, the scheme bears a great overhead of computation and communication, which makes it hardly feasible for realistic BE application scenarios.
Owing to the advantage of IBC in the management of public key certificates, most of the existing PKBE schemes are in IBBE form. In a nutshell, the previous IBBE schemes mainly focus on improving performance and raising the security level. More specifically, in the aspect of performance, the existing work on IBBE endeavors to achieve system public parameters, user private keys and ciphertexts of shorter, preferably constant, size, as well as encryption and decryption costs that do not grow with the number of receivers, preferably also constant. In the aspect of security, the existing IBBE schemes are committed to achieving adaptive CCA2 security in the standard model. As a matter of fact, however, constructing PKBE (including IBBE) schemes with ideal performance and security simultaneously is still an open and challenging issue. The reason lies in the tension between performance and security; in many cases a trade-off between the two must be sought, e.g., obtaining a higher security level at the cost of degraded performance. Even worse, all the existing IBBE schemes suffer from the inherent key escrow and key distribution problems of IBC.
The introduction of certificate-based cryptosystem provides a new way to address the above problem. Certificate-based cryptosystem effectively fuses the advantages of traditional PKI and IBC. Meanwhile, it tactfully avoids the problems of certificate management and third-party queries for traditional PKI, and solves the problems of key escrow and key distribution for IBC. However, to the best of our knowledge, there are only a few works so far studying how to adopt certificate-based cryptosystem to construct encryption schemes for multiple receivers or a group of members. Furthermore, the existing work is unsatisfactory in terms of either performance or security, hence it is not practical for realistic BE application scenarios.
In short, the area of application of certificate-based cryptosystem in PKBE is still not covered in great detail and lacks comprehensive solutions. Therefore, the main motivation of this paper is to investigate the feasibility of designing both efficient and secure PKBE schemes in certificate-based cryptosystem.
In summary, the contributions of this paper are threefold.
First, we introduce the novel cryptographic primitive certificate-based broadcast encryption (CBBE), which skillfully integrates CBE into PKBE. The formal definition of CBBE is presented in detail. CBBE preserves the merits of certificate-based cryptosystem well. In fact, it is also intuitively feasible to construct PKBE by means of CBE, because CBE itself is generated by combining PKE and IBE, while the study of designing PKBE based on IBE, i.e. IBBE, is quite mature. The difficulty lies in how to portray and capture the attack capabilities and behaviors of adversaries in CBBE. To this end, by referring to the classic definitions of the two types of adversaries in the relevant research on CBE, as well as considering the attack process in the security model of general PKBE, we define the security model of CBBE for the two types of adversaries with different attack capabilities, respectively.
Second, we present a construction instantiation of a CBBE scheme with prime order bilinear groups, and discuss the performance and security of the scheme in detail. The key to the construction is how to seek an effective trade-off between performance and security. The strict security analysis shows that the CBBE scheme achieves adaptive CCA2 security against both types of adversaries in the standard model. Compared with the existing PKBE (including IBBE) schemes, the proposed CBBE scheme has advantages in the sizes of the system public parameters and user private keys as well as in security level. Compared with the similar multi-receiver CBE scheme [10] and certificate-based group encryption scheme [38], which are also constructed in certificate-based cryptosystem, our CBBE scheme has significant advantages in terms of encryption and decryption cost as well as security level.
Third, we provide the general system model of data access control in cloud storage service adopting the primitive CBBE. Furthermore, taking the use case of online photo and video sharing with the aid of cloud storage service as an example, we demonstrate how to implement the data access control mechanism based on the proposed CBBE scheme. In addition, we discuss the feasibility of designing a more efficient and secure data access control mechanism by combining the primitive CBBE with the two-factor authentication technique [40], [41], [42], which has been extensively investigated and utilized in cloud computing.
Section 2 first introduces bilinear map and two complexity assumptions. Subsequently, the formal definition and security model for CBBE are provided. An instantiation scheme of CBBE is presented in detail in Section 3. Section 4 proves the security of the scheme under the model defined in Section 2. The performance of our scheme is analyzed in Section 5. Section 6 presents the application of CBBE for data access control in cloud storage service. Lastly, in Section 7, we make a conclusion.
Section snippets
Bilinear map
Inputting the security parameter , the algorithm outputs two bilinear groups , where and are two multiplicative cyclic groups with large prime order . Denote as a generator of , then is deemed as a bilinear map when satisfying the following three properties.
(1) Bilinearity: For any as well as , .
(2) Non-degeneracy: .
(3) Computability: is an effective algorithm to compute the bilinear pairing, where .
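The three properties in standard notation, added here as an illustration because the paper's own symbols did not survive extraction; the notation is ours, not the paper's: $\mathbb{G}$ and $\mathbb{G}_T$ are the two groups of prime order $p$, $g$ is a generator of $\mathbb{G}$, and $e:\mathbb{G}\times\mathbb{G}\to\mathbb{G}_T$ is the map.

$$
\begin{aligned}
&\text{(1) Bilinearity:}\quad e(u^a, v^b) = e(u, v)^{ab}\quad \text{for all } u, v \in \mathbb{G},\ a, b \in \mathbb{Z}_p;\\
&\text{(2) Non-degeneracy:}\quad e(g, g) \neq 1_{\mathbb{G}_T};\\
&\text{(3) Computability:}\quad e(u, v) \text{ is computable in polynomial time for all } u, v \in \mathbb{G}.
\end{aligned}
$$

One consequence to keep in mind when reading the complexity assumptions: since $e(g,g)$ has order $p$, anyone can test $e(g^a, g^b) \stackrel{?}{=} e(g, g^c)$, which holds iff $ab \equiv c \pmod p$; so the decisional Diffie–Hellman problem is easy in $\mathbb{G}$ and security must rest on assumptions, such as the q-ABDHE family, that remain plausible in the presence of the pairing.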
Complexity assumptions
The
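The truncated decisional q-ABDHE problem that the security proof in Section 4 reduces to, stated here as an added reference point in the formulation of Gentry's EUROCRYPT 2006 paper (listed in the references); the notation below is ours and may differ from the paper's. With $g, g'$ generators of $\mathbb{G}$, a random $\alpha \in \mathbb{Z}_p$, and $g_i = g^{\alpha^i}$, $g'_i = g'^{\alpha^i}$, an algorithm $\mathcal{B}$ is given

$$
\bigl(g',\ g'_{q+2},\ g,\ g_1,\ \ldots,\ g_q\bigr) \in \mathbb{G}^{q+3}
\quad\text{and}\quad Z \in \mathbb{G}_T,
$$

and must decide whether $Z = e(g_{q+1}, g')$ or $Z$ is uniformly random in $\mathbb{G}_T$. Its advantage is

$$
\Bigl|\Pr\bigl[\mathcal{B}(g', g'_{q+2}, g, g_1, \ldots, g_q, e(g_{q+1}, g')) = 0\bigr]
- \Pr\bigl[\mathcal{B}(g', g'_{q+2}, g, g_1, \ldots, g_q, Z) = 0\bigr]\Bigr|,
$$

and the assumption is that this advantage is negligible for every polynomial-time $\mathcal{B}$. The problem is "truncated" because $g_{q+1}$ itself is withheld, and the term $g'_{q+2}$ is what prevents the pairing from being used to fill that hole.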
The proposed scheme
According to the definition of CBBE, we present a construction instantiation of CBBE scheme. As mentioned previously, the user space is in which represents the maximum amount of authorized receivers.
. Inputting the security parameter , the CA executes to produce . Denote as a generator of . Then the CA chooses , , and computes as well as . Four hash functions , , , and are selected by
Security analysis
In this section, we prove by the following two theorems that the above CBBE scheme achieves adaptive CCA2 security against both types of adversaries in the standard model. Theorem 1 If there is an adversary which can win Game-I with advantage at least , after issuing at most certificate queries as well as decryption queries, then there exists an algorithm with advantage for solving the truncated decisional q-ABDHE problem, where . Proof The basic idea is to build for solving
Performance analysis
For evaluating the performance of the proposed CBBE scheme comprehensively, we first compare our CBBE scheme with the existing PKBE (including IBBE) schemes in the aspects of sizes for system public parameters, user private key and ciphertext, cost for encryption and decryption, map type as well as security level, etc. Subsequently, for more accurate performance evaluation, we further compare our CBBE scheme with the two similar schemes, i.e. the multi-receiver CBE scheme [10] and the
Application of CBBE in cloud storage service
With the arrival of the social media era, a great many social network service applications are in widespread use, e.g., Facebook, Twitter, WeChat and MicroBlog. With these applications, people can play the roles of information receiver and information disseminator simultaneously. Specifically, by means of social network service applications, people can obtain hotspot information, participate in the dissemination of information, and set up specific groups of friends for sharing personal opinion
Conclusion
To avert the inherent problems in the existing work on IBBE, i.e. key distribution and key escrow, we come up with the new cryptographic primitive CBBE by extending CBE into the setting of PKBE. The formal definition of CBBE and, more importantly, the security model against two different types of adversaries for CBBE are presented in detail. Subsequently, we give an efficient instantiation scheme of CBBE based on prime order bilinear groups. To our best knowledge, this is the
CRediT authorship contribution statement
Liqing Chen: Methodology, Software, Writing - original draft. Jiguo Li: Conceptualization, Formal analysis, Supervision, Writing - review & editing. Yang Lu: Visualization, Writing - review & editing. Yichen Zhang: Data curation, Software, Validation.
Declaration of Competing Interest
The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.
Acknowledgements
This work was supported by the National Natural Science Foundation of China (61972095, U1736112, 61772009, 61672207), the Project of Scientific Research Innovation for College Graduate Student of Jiangsu Province (KYZZ15_0151), Transverse Research Project of Huaiyin Institute of Technology (Z421A19815, Z421A20643), and the Doctoral Scientific Research Starting Foundation of Huaiyin Institute of Technology (Z301B19563).
References
- Anonymous certificate-based broadcast encryption with constant decryption cost, Inf. Sci., July 2018.
- Identity-based broadcast encryption with continuous leakage resilience, Inf. Sci., March 2018.
- Key-policy attribute-based encryption against continual auxiliary input leakage, Inf. Sci., January 2019.
- Hierarchical attribute based encryption with continuous leakage-resilience, Inf. Sci., May 2019.
- A pairing-free certificate-based proxy re-encryption scheme for secure data sharing in public clouds, Future Generation Computer Systems, September 2016.
- Fully CCA2 secure identity based broadcast encryption without random oracles, Inf. Process. Lett., May 2009.
- Preserving privacy for free: Efficient and provably secure two-factor authentication scheme with user anonymity, Inf. Sci., November 2015.
- Cryptanalysis of an identity based broadcast encryption scheme without random oracles, Inf. Process. Lett., April 2011.
- Broadcast encryption based non-interactive key distribution in MANETs, J. Computer System Sci., May 2014.
- Adaptively secure identity-based broadcast encryption with constant size private keys and ciphertexts from the subgroups, Math. Computer Modell., January 2012.
- Fully CCA2 secure identity-based broadcast encryption with black-box accountable authority, J. Systems Software.
- Efficient Multi-Receiver Identity-Based Encryption And Its Application To Broadcast Encryption, PKC 2005, LNCS.
- Efficient Selective-ID Secure Identity-Based Encryption Without Random Oracles, EUROCRYPT 2004, LNCS.
- Collusion Resistant Broadcast Encryption With Short Ciphertexts and Private Keys, CRYPTO 2005, LNCS.
- Low Overhead Broadcast Encryption From Multilinear Maps, CRYPTO 2014, LNCS.
- Adaptively secure anonymous identity-based broadcast encryption for data access control in cloud storage service, KSII Trans. Int. Inf. Systems.
- Adaptively secure efficient broadcast encryption with constant-size secret key and ciphertext, Soft Comput.
- Anonymous certificate-based broadcast encryption with personalized messages, IEEE Trans. Broadcast.
- Identity-Based Broadcast Encryption With Constant Size Ciphertexts And Private Keys, ASIACRYPT 2007, LNCS.
- Fully Collusion Secure Dynamic Broadcast Encryption With Constant-Size Ciphertexts Or Decryption Keys, Pairing 2007, LNCS.
- Anonymous Multi-Receiver Certificate-Based Encryption, CyberC 2013.
- Broadcast Encryption, CRYPTO 1993, LNCS.
- Certificate-based encryption and the certificate revocation problem, EUROCRYPT 2003, LNCS.
- Practical Identity-Based Encryption Without Random Oracles, EUROCRYPT 2006, LNCS.
- Adaptive Security In Broadcast Encryption Systems (with short ciphertexts), EUROCRYPT 2009, LNCS.