Identity-Based Revocation From Subset Difference Methods Under Simple Assumptions

Abstract

Identity-based revocation (IBR) is a specific kind of broadcast encryption that can effectively send ciphertext to a set of receivers. In IBR, a ciphertext is associated with a set of revoked users instead of a set of receivers and the maximum number of users in the system can be an exponential value in the security parameter. In this paper, we reconsider the general method of Lee et al. (ESORICS 2014) that constructs a public-key revocation (PKR) scheme by combining the subset difference (SD) method of Naor, Naor, and Lotspiech (CRYPTO 2001) and a single revocation encryption (SRE) scheme. Lee et al. left it as an open problem to construct an SRE scheme under the standard assumption without random oracles. In this paper, we first propose a selectively secure SRE scheme under the standard assumption without random oracles. We also propose a fully secure SRE scheme under simple static assumptions without random oracles. Next, we present an efficient IBR scheme that supports fast decryption by combining the SD method and our SRE scheme. The security of our IBR scheme depends on that of the underlying SRE scheme. Finally, we implemented our SRE and IBR schemes and measured the performance.