Revocable identity-based encryption with server-aided ciphertext evolution

Abstract

The utmost important problem in identity-based cryptosystems is the issue of user revocation. One of the existing solutions in the literature is to issue extra time keys periodically for every non-revoked user over public channels. Unfortunately, this solution is inefficient and very impractical when applying to the cloud. Because the scheme requires different time keys to allow data decryption for different time periods, and therefore the user has to keep a long list of time keys, which grows linearly with time. Furthermore, it is worth noting that ciphertexts produced prior to the revocation will remain available to the revoked users, which is undesirable for most application scenarios. To the best of our knowledge, there is no existing work that can solve both the aforementioned problems simultaneously in a practical manner. In this paper, we present an efficient solution called ciphertext evolution. The ciphertexts evolve to new ones with cloud's aid and the old ones are deleted. At any time, the data user has to utilize its current decryption key to decrypt ciphertexts in the cloud. So, all the past time keys become invalid and the user only needs to keep the current one. If the user is revoked, it cannot decrypt any ciphertext in the cloud because it does not have the current time key. We present generic and concrete constructions of revocable identity-based encryption with ciphertext evolution (RIBE-CE), which are proven based on the IND-CPA security model. Subsequently, we also extend RIBE-CE to the broadcast setting by giving generic and concrete constructions of revocable identity-based broadcast encryption with ciphertext evolution, which are secure under the IND-sID-CPA security model. Our schemes can be applied to the (group) data sharing, which is very practical and applicable to the cloud setting.