On the Analysis of the Outsourced Revocable Identity-Based Encryption from Lattices

Abstract

For identity-based encryption (IBE) with identity revocation, or simply revocable IBE (R-IBE), an indirect revocation method in which a trusted center (i.e., private key generator, PKG) initially generates all users’ long-term private keys and periodically issues time update keys for non-revoked users seems to be a flexible choice, because it invites a sender to generate ciphertexts without caring about revoked (and non-revocked) users. However, these computation and communication overheads in frequent time keys update operations remain as a daunting task for PKG. In order to alleviate the offload of PKG and improve its scalability in the quantum computers attack environment, Dong et al. recently extended the concept of R-IBE to support outsourcing computation with a semi-trusted key update cloud service provider (KU-CSP), and proposed an outsourced revocable lattice-based IBE (OR-IBE) scheme.

In this work, we show that the OR-IBE scheme of Dong et al. does not satisfy the correctness property of OR-IBE, meanwhile, it is not decryption key exposure resistance (DKER), a default security requirement for R-IBE. In addition, we provide a modification of their construction to be a correct and secure OR-IBE scheme. In particular, the first lattice-based OR-IBE scheme with DKER is introduced.

Appendices

A The ind-uka Security of OR-IBE

The ind-uka security model of OR-IBE considers the case that KU-CSP that can access to the master time update key muk is an attacker. In this security model, KU-CSP can request long-term private key, revocation, and decryption key queries. Since KU-CSP can issue an arbitrary time update key by using muk and \(\textsf {ok}_{\textsf {id}}\) (Note: KU-CSP owns all users’ identity outsourcing keys), there is a direct restriction that KU-CSP cannot request a long-term private key for the challenge identity \(\textsf {id}^{*}\) to prevent a simple attack. Finally, the goal of KU-CSP is the same as that in the ind-cpa security model, that is, to determine that the challenge ciphertext is completely random or correctly encrypted on the challenge \(\textsf {m}^{*}\) corresponding to \((\textsf {id}^{*},\textsf {t}^{*})\). A detailed definition of the ind-uka security is described as follows:

Definition 6

The ind-uka security of OR-IBE is described as the following game between the challenger \(\hat{\mathcal {C}}_{2}\) and adversary \(\mathcal {A}_{2}\):

• \(\textsf {Initial} \): \(\mathcal {A}_{2}\) first declares a challenge identity and time pair \((\textsf {id} ^{*},\textsf {t} ^{*})\).

• \(\textsf {Setup} \): \(\hat{\mathcal {C}}_{2}\) runs \(\textsf {Setup} (1^{n},N)\) to obtain \((\textsf {msk} ,\textsf {muk} ,\textsf {pp} ,\textsf {RL} , \textsf {st} )\). Note: RL is initially empty. \(\hat{\mathcal {C}}_{2}\) keeps \(\textsf {msk} \) in secret by himself and provides \((\textsf {pp} ,\textsf {muk} )\) to \(\mathcal {A}_{2}\).

• : \(\mathcal {A}_{2}\) adaptively makes a polynomially bounded number of queries on the following oracles (Note: all oracles share the \(\textsf {st} \) and the queries also should be with some restrictions defined later):

  • \(\textsf {PriKenGen} (\cdot )\): For the private key query on an identity \(\textsf {id} \in \mathcal {I}\), it returns a long-term private key \(\textsf {sk} _{\textsf {id} }\) and an outsourcing key \(\textsf {ok} _{\textsf {id} }\) by running \(\textsf {PriKeyGen} (\textsf {msk} ,\textsf {id} ,\textsf {st} )\).

  • \(\textsf {Revoke} (\cdot )\): For the revocation query on \((\textsf {id} ,\textsf {t} )\in \mathcal {I}\times \mathcal {T}\), it returns an updated \(\textsf {RL} '\) by running \(\textsf {Revoke} (\textsf {id} , \textsf {t} ,\textsf {RL} , \textsf {st} )\).

  • \(\textsf {DecKeyGen} (\cdot )\): For the decryption key query on \((\textsf {id} ,\textsf {t} )\in \mathcal {I}\times \mathcal {T}\), it returns a short-term decryption key \(\textsf {dk} _{\textsf {id} ,\textsf {t} }\) by running \(\textsf {DecKeyGen} (\textsf {sk} _{\textsf {id} }, \textsf {uk} _{\textsf {id} ,\textsf {t} })\). Note: similarly, this oracle is also used to define DKER, which is not provided by Dong et al.

• \(\textsf {Challenge} \): \(\mathcal {A}_{2}\) submits a message \(\textsf {m} ^{*}\in \mathcal {M}\). \(\hat{\mathcal {C}}_{1}\) samples a bit . If \(b=0\), \(\hat{\mathcal {C}}_{1}\) returns a challenge ciphertext \(\textsf {ct} ^{*}_{\textsf {id} ^{*},\textsf {t} ^{*}}\) by running \(\textsf {Encrypt} (\textsf {id} ^{*},\textsf {t} ^{*},\textsf {m} ^{*})\), otherwise, a random .

• : \(\mathcal {A}_{2}\) can continue to make additional queries as before with the same restrictions.

• \(\textsf {Guess} \): \(\mathcal {A}_{2}\) outputs a bit \(b^{*}\in \{0,1\}\), and wins if \(b^{*}=b\).

In the above game, the following restrictions must hold:

• \(\textsf {Revoke}(\cdot )\) can only be queried in a non-decreasing order of time (i.e., at time that is greater than or equal to the time of all previous queries).

• \(\textsf {PriKenGen}(\cdot )\) can be queried on identity \(\textsf {id}^{*}\) while only the outsourcing key \(\textsf {ok}^{*}_{\textsf {id}^{*}}\) is returned.

• \(\textsf {DecKeyGen}(\cdot )\) can not be queried on \((\textsf {id}^{*},\textsf {t}^{*})\).

The advantage of \(\mathcal {A}_{2}\) in the above game is defined as . An OR-IBE scheme is ind-uka secure if for all ppt adversary \(\mathcal {A}_{2}\), is negligible in the security parameter n.

B Correctness and Security

Correctness: If the above scheme is operated correctly as specified, and the recipient \(\textsf {id}\in \mathcal {I}\) is not revoked at time \(\textsf {t}\in \mathcal {T}\), then \(\textsf {dk}_{\textsf {id},\textsf {t}}=(\mathbf {E}_{0},\mathbf {E}_{1,\theta },\mathbf {E}_{2,\theta })\) satisfies that \(\mathbf {A}'_{\textsf {id}}\cdot \mathbf {E}_{0}=\mathbf {U}\ \mathrm {mod} \ q\), and \(\mathbf {A}_{\textsf {id}}\cdot \mathbf {E}_{1,\theta }+\mathbf {B}_{\textsf {t}}\cdot \mathbf {E}_{2,\theta }=\mathbf {U}\ \mathrm {mod} \ q\).

In the decryption algorithm, the non-revoked \(\textsf {id}\) first tries to derive \(\textsf {m}_{0}\) by using \((\mathbf {E}_{1,\theta },\mathbf {E}_{2,\theta })\):

$$\begin{aligned} \begin{aligned} \mathbf {w}_{0}&=\mathbf {c}_{0}-\mathbf {E}_{1,\theta }^{\text {T}}\left( \begin{array}{c} \mathbf {c}_{1,0} \\ \mathbf {c}_{1,1} \end{array} \right) -\mathbf {E}_{2,\theta }^{\text {T}}\left( \begin{array}{c} \mathbf {c}_{1,2} \\ \mathbf {c}_{1,3} \end{array} \right) \\&=\mathbf {c}_{0}-\mathbf {E}_{1,\theta }^{\text {T}}\left( \begin{array}{c} \mathbf {A}^{\text {T}}\mathbf {s}_{0}+\mathbf {e}_{0} \\ (\mathbf {A}_{0}+\mathcal {H}(\textsf {id})\mathbf {A}_{1})^{\text {T}}\mathbf {s}_{0}+\mathbf {R}_{0}^{\text {T}}\mathbf {e}_{0} \end{array} \right) -\mathbf {E}_{2,\theta }^{\text {T}}\left( \begin{array}{c} \mathbf {B}^{\text {T}}\mathbf {s}_{0}+\mathbf {e}_{1} \\ (\mathbf {B}_{0}+\mathcal {H}(\textsf {t})\mathbf {B}_{1})^{\text {T}}\mathbf {s}_{0}+\mathbf {R}_{1}^{\text {T}}\mathbf {e}_{1} \end{array} \right) \\&=\mathbf {c}_{0}- \underbrace{([\mathbf {A}|\mathbf {A}_{0}+\mathcal {H}(\textsf {id})\mathbf {A}_{1}]\mathbf {E}_{1,\theta })^{\text {T}}\mathbf {s}_{0}}_{=\mathbf {U}_{1,\theta }^{\text {T}}\mathbf {s}_{0}} -\mathbf {E}_{1,\theta }^{\text {T}}\left( \begin{array}{c} \mathbf {e}_{0} \\ \mathbf {R}_{0}^{\text {T}}\mathbf {e}_{0} \end{array} \right) -\underbrace{([\mathbf {B}|\mathbf {B}_{0}+\mathcal {H}(\textsf {t})\mathbf {B}_{1}]\mathbf {E}_{2,\theta })^{\text {T}}\mathbf {s}_{0}}_{= \mathbf {U}_{2,\theta }^{\text {T}}\mathbf {s}_{0}} -\mathbf {E}_{2,\theta }^{\text {T}}\left( \begin{array}{c} \mathbf {e}_{1} \\ \mathbf {R}_{1}^{\text {T}}\mathbf {e}_{1} \end{array} \right) \\&=\textsf {m}_{0}\lfloor \frac{q}{2}\rfloor +\underbrace{\mathbf {e}'_{0}-\mathbf {E}_{1,\theta }^{\text {T}}\left( \begin{array}{c} \mathbf {e}_{0} \\ \mathbf {R}_{0}^{\text {T}}\mathbf {e}_{0} \end{array} \right) -\mathbf {E}_{2,\theta }^{\text {T}}\left( \begin{array}{c} \mathbf {e}_{1} \\ \mathbf {R}_{1}^{\text {T}}\mathbf {e}_{1} \end{array} \right) }_{\textsf {error}'}\\ \end{aligned} \end{aligned}$$

According to our parameters settings, it can be checked that the error term \(\textsf {error}'\) is bounded by q/5 (i.e., \(\Vert \textsf {error}'\Vert _{\infty }<q/5\)), thus, we have the conclusion \(\lfloor \frac{2}{q}\mathbf {w}_{0}\rceil =\textsf {m}_{0}\) with overwhelming probability.

The non-revoked \(\textsf {id}\) then tries to derive \(\textsf {m}_{1}\) by using \(\mathbf {E}_{0}\):

$$\begin{aligned} \begin{aligned} \mathbf {w}_{1}&=\mathbf {{c}}_{2}-\mathbf {E}_{0}^{\text {T}} \mathbf {c}_{3}=\mathbf {U}^{\text {T}}\mathbf {s}_{1}+\mathbf {e}'_{1}+\textsf {m}_{1}\lfloor \frac{q}{2}\rfloor - \underbrace{([\mathbf {A}'|\mathbf {A}'_{0}+\mathcal {H}(\textsf {id})\mathbf {A}'_{1}|\mathbf {B}'_{0}+\mathcal {H}(\textsf {t})\mathbf {A}'_{1}] \mathbf {E}_{0})^{\text {T}}\mathbf {s}_{1}}_{=\mathbf {U}^{\text {T}}\mathbf {s}_{1}}\\&-\mathbf {E}_{0}^{\text {T}}\left( \begin{array}{c} \mathbf {e}_{2} \\ \mathbf {R}_{2}^{\text {T}}\mathbf {e}_{2}\\ \mathbf {R}_{3}^{\text {T}}\mathbf {e}_{2} \end{array} \right) =\textsf {m}_{1}\lfloor \frac{q}{2}\rfloor +\underbrace{\mathbf {e}'_{1}-\mathbf {E}_{0}^{\text {T}}\left( \begin{array}{c} \mathbf {e}_{2} \\ \mathbf {R}_{2}^{\text {T}}\mathbf {e}_{2}\\ \mathbf {R}_{3}^{\text {T}}\mathbf {e}_{2} \end{array} \right) }_{\textsf {error}''}\\ \end{aligned} \end{aligned}$$

Similarly, according to our parameters settings, it can be checked that the error term \(\textsf {error}''\) is bounded by q/5 (i.e., \(\Vert \textsf {error}''\Vert _{\infty }<q/5\)), thus, we have the conclusion \(\lfloor \frac{2}{q}\mathbf {w}_{1}\rceil =\textsf {m}_{1}\) with overwhelming probability.

Thus, the decryption can be successful and recovers the message \(\lfloor \frac{2}{q}\mathbf {w}_{0}\rceil \oplus \lfloor \frac{2}{q}\mathbf {w}_{1}\rceil =\textsf {m}_{0}\oplus \textsf {m}_{1}=\textsf {m}\) with overwhelming probability.

ind-cpa: For the ind-cpa security, we show the following theorem.

Theorem 3

The modified lattice-based OR-IBE is ind-cpa secure if the \(\textsf {LWE} _{n,q,\chi }\) assumption holds.

Proof. To proof this theorem, we define a list of games where the first one is identical to the original ind-cpa game as in Definition 2 and show that a ppt adversary \(\mathcal {A}_{1}\) has advantage zero in the last game. We show that \(\mathcal {A}_{1}\) cannot distinguish between these games, and thus \(\mathcal {A}_{1}\) has negligible advantage in winning the original ind-cpa game.

Let \(\textsf {id}^{*}\) be a challenge identity and \(\textsf {t}^{*}\) be a challenge time, we consider two types of adversaries:

• Type-0: \(\mathcal {A}_{1}\) requests a long-term private key on the challenge identity \(\textsf {id}^{*}\). In this case, \(\textsf {id}^{*}\) must be revoked at time \(\textsf {t}\le \textsf {t}^{*}\).

• Type-1: \(\mathcal {A}_{1}\) only requests a long-term private key on the identity \(\textsf {id}\ne \textsf {id}^{*}\). In this case, \(\mathcal {A}_{1}\) may request a short-term decryption key on \((\textsf {id}^{*},\textsf {t})\) where \(\textsf {t}\ne \textsf {t}^{*}\).

ind-uka: For the ind-uka security, we show the following theorem.

Theorem 4

The modified lattice-based OR-IBE is ind-uka secure if the \(\textsf {LWE} _{n,q,\chi }\) assumption holds.

Proof. The proof almost enjoys the same description as that of Theorem 3, and we will show the different details later. To proof this theorem, we also define a list of games where the first one is identical to the original ind-uka game as in Definition 3 and show that a ppt adversary \(\mathcal {A}_{2}\) has advantage zero in the last game. We show that \(\mathcal {A}_{2}\) cannot distinguish between these games, and thus \(\mathcal {A}_{2}\) has a negligible advantage in winning the original ind-uka game.

Because the KU-CSP can issue an arbitrary time update key by using the master update key muk and the outsourcing key \(\textsf {ok}_{\textsf {id}}\), a direct restriction is that KU-CSP cannot request a long-term private key for the challenge identity \(\textsf {id}^{*}\), thus, the Type-0 adversary in the proof of Theorem 3 is not considered and only a Type-1 adversary exists.

Due to the limited space, we omit the detailed proofs of Theorems 3 and 4, if any necessary, please contact the corresponding author for the full version.