Revocable Identity-based Encryption Research Articles

CR-IBE based data sharing and revocation in the cloud

Storing information on the cloud lets users access data quickly. Owners send their files to cloud servers to save money and use helpful tools. Keeping shared data online beyond direct control worries more people about privacy and security. Issues with sharing data in the cloud are a major concern. Several methods can protect user privacy and securely share group information. This paper introduces a secure dynamic way for groups to share and take away access to data using identity-based encryption that can change (R-IBE). A new cloud-based method for sharing data with revocable identity-based encryption (CR-IBE) is suggested. It allows stopping user access. The proposed method is compared to existing attribute-based encryption schemes for how long they take to run and decode. Tests show the proposed method provides better protection and privacy.

Efficient revocable identity-based encryption with equality test

Efficient revocable identity-based encryption with equality test

An efficient revocable identity‐based encryption with ciphertext evolution in the cloud‐assisted system

AbstractIdentity‐based encryption (IBE) is a public key cryptosystem on purpose to remove the traditional certificate management. How to realize efficient user revocation in the IBE is of great importance when considering its application. The drawback of most existing works is that the revoked user can still access the ciphertext prior to revocation. One possible solution proposed by Sun et al. is to evolve the ciphertext in the cloud. However, it is unfortunate that the master time key in their scheme is kept by the private key generator (PKG), which means it is sustained extra burden. In this article, we present an efficient revocable IBE with ciphertext evolution in the cloud‐assisted system and the ciphertext remains constant size. The cloud server keeps only one secret master time update key sent by the PKG in a private channel, and thus our scheme offers scalability. In the meantime, our detailed analysis demonstrates that our proposed scheme is semantically secure against ciphertext chosen attacks based on the k‐CAA problem and enjoys better efficiency in computation and communication costs compared with previous works.

Backward Compatible Identity-Based Encryption.

In this paper, we present a new identity-based encryption (IBE) system that is named Backward Compatible Identity-based Encryption (BC-IBE). Our BC-IBE is proposed to solve the problem caused by the out-of-synchronization between users' private keys and ciphertexts. Encryption systems such as revocable IBE or revocable Attribute-based Encryption (ABE) often require updating private keys to revoke users after a certain time period. However, in those schemes, an updated key can be used to decrypt the ciphertexts created only during the current time period. Once the key is updated and the previous keys are removed, the user, the owner of the updated key, will lose access to the past ciphertexts. In our paper, we propose BC-IBE that supports backward compatibility, to solve this problem. In our proposed system, user's private keys and ciphertexts can be updated periodically with time tags, and these processes can be used to revoke users who do not receive an updated key as the other revocable encryption does. However, in our proposed system, a private key newly issued to a user is backward compatible. This means that it decrypts not only the ciphertexts at the present time period but also all past ciphertexts. This implies that our proposed scheme guarantees the decryption of all encrypted data even if they are not synchronized. Compared to the existing revocable identity-based encryption system, our proposed BC-IBE has the advantage of simplifying key management and securely delegating ciphertext updates. Our proposed scheme only requires a single backward-compatible private key to decrypt all past ciphertexts created. Moreover, the ciphertext update process in our proposed scheme does not require any special privileges and does not require decryption. This means that this process can be securely delegated to a third-party server, such as a cloud server, and it prevents the potential leakage of secrets. For those reasons, BC-IBE is suitable for a system where users are more dynamic, such as the Internet-of-Things (IoT) network, or a system that regularly updates the data, like cloud data storage. In this paper, we provide the construction of BC-IBE and prove its formal security.

Delegate and Verify the Update Keys of Revocable Identity-Based Encryption

Delegate and Verify the Update Keys of Revocable Identity-Based Encryption

Efficient revocable identity-based encryption with equality test

Efficient revocable identity-based encryption with equality test

An Efficient Revocable Identity-Based Encryption with Equality Test Scheme for the Wireless Body Area Network

With the rapid development and popularization of cloud computing, people are willing to upload their own data to the cloud to enjoy the services. However, some personal and private data are not suitable for uploading directly to the cloud. Therefore, these data must be encrypted before uploading to the cloud to ensure the confidentiality. To achieve the confidentiality of data and enjoy cloud services, a notion of identity-based encryption with equality test (IBEET) was proposed. Using IBEET, two ciphertexts encrypted under different public keys can be tested to confirm whether they contain the same plaintext. The equality test can be applied to the wireless body area network system in which the cloud can utilize ciphertexts from patients and medical institutions to perform equality tests to determine whether which patient’s status is abnormal. Indeed, revoking illegal or expired users on any cryptosystem is an important issue. To the best of our knowledge, there is little research on the design mechanism of user revocation in the IBEET. In this paper, we propose a novel notion of revocable identity-based encryption with an equality test, called RIBEET. Based on the notion, we present the first RIBEET scheme. Meanwhile, the proposed scheme will be proven to be secure under the bilinear Diffie-Hellman (BDH) assumption.

IBE-Signal: Reshaping Signal into a MITM-Attack-Resistant Protocol

The Signal Protocol is one of the most popular privacy protocols today for protecting Internet chats and supports end-to-end encryption. Nevertheless, despite its many advantages, the Signal Protocol is not resistant to Man-In-The-Middle (MITM) attacks because a malicious server can distribute the forged identity-based public keys during the user registration phase. To address this problem, we proposed the IBE-Signal scheme that replaced the Extended Triple Diffie–Hellman (X3DH) key agreement protocol with enhanced Identity-Based Encryption (IBE). Specifically, the adoption of verifiable parameter initialization ensures the authenticity of system parameters. At the same time, the Identity-Based Signature (IBS) enables our scheme to support mutual authentication. Moreover, we proposed a distributed key generation mechanism that served as a risk decentralization to mitigate IBE’s key escrow problem. Besides, the proposed revocable IBE scheme is used for the revocation problem. Notably, the IND-ID-CPA security of the IBE-Signal scheme is proven under the random oracle model. Compared with the existing schemes, our scheme provided new security features of mutual authentication, perfect forward secrecy, post-compromise security, and key revocation. Experiments showed that the computational overhead is lower than that of other schemes when the Cloud Privacy Centers (CPCs) number is less than 8.

Designated server-aided revocable identity-based keyword search on lattice

Public key encryption scheme with keyword search is a promising technique supporting search on encrypted data without leaking any information about the keyword. In real applications, it’s critical to find an effective revocation method to revoke users in multi-user cryptosystems, when user’s secret keys are exposed. In this paper, we propose the first designated server-aided revocable identity-based encryption scheme with keyword search (dSR-IBKS) from lattice. The dSR-IBKS model requires each user to keep just one private key corresponding with his identity and does not need to communicate with the key generation center or the server during key updating. We have proved that our scheme can achieve chosen keyword indistinguishability in the standard model. In particular, our scheme can designate a unique tester to test and return the search results, therefore no other entity can guess the keyword embedded in the ciphertext by generating search queries and doing the test by itself. We provide a formal security proof of our scheme assuming the hardness of the learning with errors problem on the standard model.

Adaptively secure lattice-based revocable IBE in the QROM: compact parameters, tight security, and anonymity

Adaptively secure lattice-based revocable IBE in the QROM: compact parameters, tight security, and anonymity

Adaptively secure revocable hierarchical IBE from k-linear assumption

Revocable identity-based encryption (RIBE) is an extension of IBE with an efficient key revocation mechanism. Revocable hierarchical IBE (RHIBE) is its further extension with key delegation functionality. Although there are various adaptively secure pairing-based RIBE schemes, all known hierarchical analogues only satisfy selective security. In addition, the currently known most efficient adaptively secure RIBE and selectively secure RHIBE schemes rely on non-standard assumptions, which are referred to as the augmented DDH assumption and q-type assumptions, respectively. In this paper, we propose a simple but effective design methodology for RHIBE schemes. We provide a generic design framework for RHIBE based on an HIBE scheme with a few properties. Fortunately, several state-of-the-art pairing-based HIBE schemes have the properties. In addition, our construction preserves the sizes of master public keys, ciphertexts, and decryption keys, as well as the complexity assumptions of the underlying HIBE scheme. Thus, we obtain the first RHIBE schemes with adaptive security under the standard k-linear assumption. We prove adaptive security by developing a new proof technique for RHIBE. Due to the compactness-preserving construction, the proposed R(H)IBE schemes have similar efficiencies to the most efficient existing schemes.

Efficient revocable identity-based encryption with short public parameters

Revocation functionality is vital to real-world cryptographic systems for managing their reliability. In the context of identity-based encryption (IBE), Boldyreva, Goyal, and Kumar (ACM CCS 2008) first showed an efficient revocation method for IBE, and such an IBE scheme with the scalable revocation method is called revocable IBE (RIBE). Seo and Emura (PKC 2013) introduced a new security notion, called decryption key exposure resistance (DKER), which is a desirable security notion for RIBE. However, all existing RIBE schemes that achieve adaptive security with DKER require long public parameters or composite-order bilinear groups.In this paper, we first show an RIBE scheme that (1) satisfies adaptive security; (2) achieves DKER; (3) realizes constant-size public parameters; and (4) is constructed over prime-order bilinear groups. Our core technique relies on Seo and Emura's one (PKC 2013), which transform the Waters IBE (EUROCRYPT 2005) to the corresponding RIBE scheme. Specifically, we construct an IBE scheme that satisfies constant-size public parameters over prime-order groups and some requirements for the Seo-Emura technique, and then transform the IBE scheme to an RIBE scheme. We also discuss how to extend the proposed RIBE scheme to a chosen-ciphertext secure one and server-aided one (ESORICS 2015).

An Efficient Identity Based Encryption in Cloud Computing with Outsourced Revocation

Identity-Based Encryption (IBE) which simplifies the public key and certificate management at Public Key Infrastructure (PKI) is an important alternative to public key encryption. However, one of the main efficiency drawbacks of IBE is the overhead computation at Private Key Generator (PKG) during user revocation. Efficient revocation has been well studied in traditional PKI setting, but the cumbersome management of certificates is precisely the burden that IBE strives to alleviate [2]. It aiming at tackling the critical issue of identity revocation, we introduce outsourcing computation into IBE for the first time and propose a revocable IBE scheme in the server-aided setting. Our scheme offloads most of the key generation related operations during key-issuing and key-update processes to a Key Update Cloud Service Provider, leaving only a constant number of simple operations for PKG and users to perform locally [3]. This goal is achieved by utilizing a novel collusion-resistant technique: we employ a hybrid private key for each user, in which an AND gate is involved to connect and bound the identity component and the time component [4]. Furthermore, we propose another construction which is provable secure under the recently formulized Refereed Delegation of Computation model. Finally, we provide extensive experimental results to demonstrate the efficiency of our proposed construction. In public key encryption every user must have a pair of keys, public key and private key, for encrypting and decrypting messages. An Identity-based encryption (IBE) eliminates the need for a Public Key Infrastructure (PKI). IBE uses the human intelligible identities (e.g., unique name, email address, IP address, etc) as public keys [5]. The sender using IBE encrypts message with the receivers’ identity rather than looking for receivers’ public key and corresponding certificate. Accordingly, receiver decrypts ciphertext using private key associated with the corresponding identity [6]. The private keys of users are obtained from a trusted third party called as Private Key Generator (PKG). The motivation of this paper is to study and review an efficient and secure Identity based encryption scheme with outsourced revocation for cloud computing [7].

Revocable identity-based encryption with bounded decryption key exposure resistance: Lattice-based construction and more

In general, identity-based encryption (IBE) does not support an efficient revocation procedure. In ACM CCS'08, Boldyreva et al. proposed revocable identity-based encryption (RIBE), which enables us to efficiently revoke (malicious) users in IBE. In PKC 2013, Seo and Emura introduced an additional security notion for RIBE, called decryption key exposure resistance (DKER). Roughly speaking, RIBE with DKER guarantees that the security is not compromised even if an adversary gets (a number of) short-term decryption keys. Therefore, DKER captures realistic scenarios and is an important notion.In this paper, we introduce bounded decryption key exposure resistance (B-DKER), where an adversary is allowed to get a-priori bounded number of short-term decryption keys in the security game. B-DKER is a weak version of DKER, but it seems to be sufficient for practical use. We obtain the following results:•We propose a lattice-based (anonymous) RIBE scheme with B-DKER, which is the first lattice-based construction resilient to decryption key exposure. Our lattice-based construction is secure under the learning with errors assumption. A previous lattice-based construction satisfies anonymity but is vulnerable even with a single decryption key exposure.•We propose the first pairing-based RIBE scheme that simultaneously realizes anonymity and B-DKER. Our pairing-based construction is adaptively secure under the symmetric external Diffie-Hellman assumption.Our two constructions rely on cover free families to satisfy B-DKER, whereas all the existing works rely on the key re-randomization property to achieve DKER.

A generic construction for revocable identity-based encryption with subset difference methods.

To deal with dynamically changing user's credentials in identity-based encryption (IBE), providing an efficient key revocation method is a very important issue. Recently, Ma and Lin proposed a generic method of designing a revocable IBE (RIBE) scheme that uses the complete subtree (CS) method by combining IBE and hierarchical IBE (HIBE) schemes. In this paper, we propose a new generic method for designing an RIBE scheme that uses the subset difference (SD) method instead of using the CS method. In order to use the SD method, we generically design an RIBE scheme by combining IBE, identity-based revocation (IBR), and two-level HIBE schemes. If the underlying IBE, IBR, and HIBE schemes are adaptively (or selectively) secure, then our RIBE scheme is also adaptively (or selectively) secure. In addition, we show that the layered SD (LSD) method can be applied to our RIBE scheme and a chosen-ciphertext secure RIBE scheme also can be designed generically.

Revocable identity-based encryption with server-aided ciphertext evolution

The utmost important problem in identity-based cryptosystems is the issue of user revocation. One of the existing solutions in the literature is to issue extra time keys periodically for every non-revoked user over public channels. Unfortunately, this solution is inefficient and very impractical when applying to the cloud. Because the scheme requires different time keys to allow data decryption for different time periods, and therefore the user has to keep a long list of time keys, which grows linearly with time. Furthermore, it is worth noting that ciphertexts produced prior to the revocation will remain available to the revoked users, which is undesirable for most application scenarios. To the best of our knowledge, there is no existing work that can solve both the aforementioned problems simultaneously in a practical manner. In this paper, we present an efficient solution called ciphertext evolution. The ciphertexts evolve to new ones with cloud's aid and the old ones are deleted. At any time, the data user has to utilize its current decryption key to decrypt ciphertexts in the cloud. So, all the past time keys become invalid and the user only needs to keep the current one. If the user is revoked, it cannot decrypt any ciphertext in the cloud because it does not have the current time key. We present generic and concrete constructions of revocable identity-based encryption with ciphertext evolution (RIBE-CE), which are proven based on the IND-CPA security model. Subsequently, we also extend RIBE-CE to the broadcast setting by giving generic and concrete constructions of revocable identity-based broadcast encryption with ciphertext evolution, which are secure under the IND-sID-CPA security model. Our schemes can be applied to the (group) data sharing, which is very practical and applicable to the cloud setting.

Revocable IBE combined with CRA to overcome the Inadaptability Problem

Identity based encryption (IBE) is an open key cryptographic system and takes out the requesting of the Public key infrastructure(PKI) and confirmation relationship by and large key settings. Due to the nonappearance in PKI, the cancelation problem has become a primary issue in the IBE settings. Two or three cancellable IBE plans have been already proposed concerning this point. As of late, by embeddings an outsourcing figuring framework into the IBE, Li et al. presented a cancellable IBE scheme with the feature of key-update cloud authority association (KU-CSP). Regardless, their arrangement faces two disadvantages. One demerit is that the costs of figuring, correspondence are more than past cancellable IBE designs. Alternate limitation is nonattendance of adaptability as in KU-CSP should maintain secret regard for individual customer. Here another cancellable IBE plot with cloud cancellation authority (CRA) to understand the two disadvantages in which the execution is by and large upgraded and the CRA has only a system puzzle for each one of their customers.

Lattice-based revocable (hierarchical) IBE with decryption key exposure resistance

Revocable identity-based encryption (RIBE) is an extension of IBE that supports a key revocation mechanism, which is an indispensable feature for practical cryptographic schemes. Due to this extra feature, RIBE is often required to satisfy a strong security notion unique to the revocation setting called decryption key exposure resistance (DKER). Additionally, hierarchal IBE (HIBE) is another orthogonal extension of IBE that supports key delegation functionalities allowing for scalable deployments of cryptographic schemes. So far, R(H)IBE constructions with DKER are only known from bilinear maps, where all constructions rely heavily on the so-called key re-randomization property to achieve the DKER and/or hierarchal feature. Since lattice-based schemes seem to be inherently ill-fit with the key re-randomization property, no construction of lattice-based R(H)IBE schemes with DKER are known.In this paper, we propose the first lattice-based RHIBE scheme with DKER without relying on the key re-randomization property, departing from all the previously known methods. We start our work by providing a generic construction of RIBE schemes with DKER, which uses as building blocks any two-level standard HIBE scheme and (weak) RIBE scheme without DKER. Based on previous lattice-based RIBE constructions without DKER, our result implies the first lattice-based RIBE scheme with DKER. Then, building on top of our generic construction, we construct the first lattice-based RHIBE scheme with DKER, by further exploiting the algebraic structure of lattices. To this end, we prepare a new tool called the level conversion keys, which enables us to achieve the hierarchal feature without relying on the key re-randomization property. In this full version, we give the formal proofs of our proposed schemes.

Server-aided Revocable IBE with Identity Reuse

Abstract Efficient key revocation in Identity-based Encryption (IBE) has been a both fundamental and critical problem when deploying an IBE system in practice. Boneh and Franklin proposed the first revocable IBE (RIBE) scheme where the size of key updates is linear in the number of users. Then, Boldyreva, Goyal and Kumar proposed the first scalable RIBE by using the tree-based approach where the size of key updates is $O(r\log (N/r))$ and the size of every user’s long-term secret key is $O(\log N)$ with $N$ being the number of users and $r$ the number of revoked users. Recently, Qin et al. presented the notion of server-aided RIBE where the size of every user’s long-term secret key is $O(1),$ and users do not need to communicate with Key Generator Center (KGC) during every key updates. However, users must change their identities once their secret keys are revoked as they cannot decrypt ciphertexts by using their revoked secret keys. To address the above problem, we formalize the notion of RIBE with identity reuse. In our system model, users can obtain a new secret key called the reuse secret key from KGC when their secret keys are revoked. The decryption key can be derived from the reuse secret key and new key updates while it cannot be derived from the revoked secret key and the new key updates. We present a concrete construction that is secure against adaptive-ID chosen plaintext attacks and decryption key exposure attacks under the $\mathsf{ADDH}1$ and $\mathsf{DDH}2$ assumptions in the standard model. Furthermore, we extend it to server-aided RIBE scheme with identity reuse property that is more suitable for lightweight devices.

Revocable Identity-Based Encryption and Server-Aided Revocable IBE from the Computational Diffie-Hellman Assumption

An Identity-based encryption (IBE) simplifies key management by taking users’ identities as public keys. However, how to dynamically revoke users in an IBE scheme is not a trivial problem. To solve this problem, IBE scheme with revocation (namely revocable IBE scheme) has been proposed. Apart from those lattice-based IBE, most of the existing schemes are based on decisional assumptions over pairing-groups. In this paper, we propose a revocable IBE scheme based on a weaker assumption, namely Computational Diffie-Hellman (CDH) assumption over non-pairing groups. Our revocable IBE scheme is inspired by the IBE scheme proposed by Döttling and Garg in Crypto2017. Like Döttling and Garg’s IBE scheme, the key authority maintains a complete binary tree where every user is assigned to a leaf node. To adapt such an IBE scheme to a revocable IBE, we update the nodes along the paths of the revoked users in each time slot. Upon this updating, all revoked users are forced to be equipped with new encryption keys but without decryption keys, thus they are unable to perform decryption any more. We prove that our revocable IBE is adaptive IND-ID-CPA secure in the standard model. Our scheme serves as the first revocable IBE scheme from the CDH assumption. Moreover, we extend our scheme to support Decryption Key Exposure Resistance (DKER) and also propose a server-aided revocable IBE to decrease the decryption workload of the receiver. In our schemes, the size of updating key in each time slot is only related to the number of newly revoked users in the past time slot.