Abstract
This paper presents an identity-based encryption (IBE) scheme with full security in prime order bilinear groups, built using dual pairing vector spaces. The security of our scheme rests on the decisional linear and three party Diffie-Hellman assumptions, by adapting dual system encryption. We obtain a tighter security reduction than previous works based on dual system encryption: the security loss of our reduction is \({\mathcal {O}}(q_{1})\), where \(q_{1}\) is the number of key queries in Phase 1.
1 Introduction
Identity-Based Encryption (IBE) was introduced by Shamir [1]. In an IBE system, a user’s public key is his identity. The first practical IBE scheme was presented almost twenty years later, in 2001, by Boneh and Franklin using pairings [2]. Since then, a host of IBE schemes have been proposed, starting with the early constructions with selective security [3, 4] and moving to more recent constructions with full security [5, 6]. The selective security model is a useful intermediate step, but it does not fully reflect the real situation, since the adversary is required to announce the challenge identity before receiving the public parameters.
Dual system encryption [5] is a powerful tool for building fully secure IBE schemes. In dual system encryption there are two forms of ciphertexts and secret keys: normal and semi-functional. Classical dual system encryption proves security through a sequence of games. The real security game is followed by a game in which the challenge ciphertext becomes semi-functional. After that, the secret keys become semi-functional one after another, until the final game is reached, in which every key and the ciphertext are semi-functional and proving security becomes straightforward. Each transition is reduced to its underlying assumption: subgroup decision or statistical indistinguishability. Thus, all previous works based on dual system encryption except [7, 8] incur an \(\mathcal {O}(q)\) loss in the security reduction, where q is the total number of key queries.
The IBE schemes of [7, 8] employ two different techniques to achieve a tighter reduction. Chen and Wee [7] chose an appropriate pseudorandom function with security loss L as a building block, and obtained an IBE with security loss \(\mathcal {O}(L)\) owing to the similar algebraic structure of the IBE and the pseudorandom function. The IBE of [7] works both in composite order and in prime order groups. The technique of [8] is based on the following fact: when a key is changed from normal to semi-functional in Phase 2, the simulator has already learned the challenge identity \(ID^{*}\) before defining the semi-functional parameters, so it can program those parameters using \(ID^{*}\). This closely resembles the requirement of selective security, and is called delayed parameters in [9]. Using delayed parameters, scheme [8] organizes all the challenge keys of Phase 2 into a correlated distribution and modifies them from normal to semi-functional all at once, which yields a tighter reduction, \(\mathcal {O} (q_{1})\).
Although [8] achieves a tighter reduction, it is built on composite order bilinear groups. Compared with prime order bilinear groups, composite order bilinear groups are at a disadvantage in both efficiency and security. In the first place, the supersingular curves on which most composite order bilinear groups are based are the main obstacle to their efficiency [10, 11]. Moreover, the security of schemes based on composite order bilinear groups depends crucially on the hardness of factoring N; to guarantee security, the system has to increase the size of the underlying groups, which further slows computation. Furthermore, according to recent results [12, 13], discrete logarithms in supersingular curves may not be as hard as previously thought. For these reasons, many works [14, 15] have examined how to simulate composite order bilinear groups using prime order bilinear groups.
In this article, we present an IBE scheme in prime order bilinear groups with a tighter security reduction, namely \(\mathcal {O}(q_{1})\). Our scheme is fully secure, and its security relies on the decisional linear and three party Diffie-Hellman assumptions. Our construction has a structure similar to that of scheme [8]. We utilize the techniques developed in [15], using the dual pairing vector space as a substitute for the subgroups of composite order bilinear groups. Likewise, we substitute the subspace assumption for the subgroup decision assumption in the security proof. In addition, we use a 2-dimensional matrix to program the parameters in Phase 2 of the key queries. We embed \(g^{xy}\) into the semi-functional space, so as to obtain the target element \(g^{xyz}\) in G when combining with r. Since we can re-randomize r by multiplying by a random value \(r' \in \mathbb {Z}_{p}\) in the prime order setting, we do not need to simulate the additional element u that is used as a randomizer in [8].
In Sect. 2 we present the preliminaries, which include the security model and definition of IBE, an overview of dual pairing vector spaces, and the complexity assumptions. Our IBE scheme is presented in Sect. 3. Finally, we conclude in Sect. 4.
2 Preliminaries
2.1 Identity-Based Encryption Definition
Setup \((\lambda )\rightarrow PP,MSK.\) This algorithm takes as input a security parameter \(\lambda \) and outputs the master secret key MSK and the public parameters PP.
KeyGen \((MSK,ID)\rightarrow SK_{ID}.\) This algorithm takes as input MSK and an identity \(ID\in \{0,1\}^{*}\), and returns a private key \(SK_{ID}\).
Encrypt \((PP,ID,M)\rightarrow CT.\) This algorithm takes as input PP, an identity ID, and a message M, and outputs a ciphertext CT.
Decrypt \((PP,SK_{ID},CT)\rightarrow M.\) This algorithm takes as input \(SK_{ID}\) and CT. If the identities of the private key and the ciphertext are identical, it returns the message M.
2.2 Security Model
Setup. The challenger \(\mathcal {B}\) executes the setup algorithm. It gives the public parameters to the adversary \(\mathcal {A}\).
Phase 1. Upon receiving a query from \(\mathcal {A}\) for the private key of identity \(ID_{i}\), \(\mathcal {B}\) executes the KeyGen algorithm to obtain the private key \(SK_{ID_{i}}\) and sends \(SK_{ID_{i}}\) to \(\mathcal {A}\), where \(i=1,\ldots ,q_{1}\).
Challenge. \(\mathcal {A}\) submits a challenge identity \(ID^{*}\) along with two messages \(M_{0}\) and \(M_{1}\) of equal length. The only constraint is that \(\mathcal {A}\) never queried \(ID^{*}\) in Phase 1. \(\mathcal {B}\) picks \(b \in \{0,1\}\) at random, encrypts \(M_{b}\), and sends the result to \(\mathcal {A}\).
Phase 2. \(\mathcal {A}\) continues to query the private keys of identities \(ID_{q_{1}+1},\ldots ,ID_{q}\), with the constraint that \(ID^{*}\) cannot be queried. \(\mathcal {B}\) responds as in Phase 1.
Guess. \(\mathcal {A}\) outputs a guess \(b'\) for b.
The adversary’s advantage is defined to be \(Pr[b'=b]-1/2\).
Definition 1
An Identity-Based Encryption scheme is fully secure if, for all polynomial-time adversaries, the advantage in the security game is negligible.
2.3 Dual Pairing Vector Spaces
Dual pairing vector spaces [16] are a useful tool, defined as follows. Let \((p,G,G_{T},g,g_{T},e)\) be given, where G and \(G_{T}\) are cyclic multiplicative groups of prime order p, g is a generator of G, and \(e:G \times G \rightarrow G_{T}\) is an efficiently computable non-degenerate bilinear pairing, i.e., \(e(g^{a},g^{b})=e(g,g)^{ab}\) and \(g_{T}=e(g,g)\ne 1\).
We let \(\varvec{v}\) denote the vector \((v_{1},\ldots ,v_{n})\in \mathbb {Z}^{n}_{p}\), and \(g^{\varvec{v}}:=(g^{v_{1}},\ldots ,g^{v_{n}})\). For \(\varvec{v},\varvec{w} \in \mathbb {Z}_{p}^{n}\) and \(a \in \mathbb {Z}_{p}\), we let \(g^{a\varvec{v}}:=(g^{av_{1}},\ldots ,g^{av_{n}}),g^{\varvec{v}+\varvec{w}}:=(g^{v_{1}+w_{1}},\ldots ,g^{v_{n}+w_{n}})\).
We define \(e(g^{\varvec{v}},g^{\varvec{w}}):=\prod _{i=1}^{n}e(g^{v_{i}},g^{w_{i}})=e(g,g)^{\varvec{v}\cdot \varvec{w}}\), where \(\varvec{v}\cdot \varvec{w}=v_{1}w_{1}+\cdots +v_{n}w_{n}\) (mod p).
The following lemma from [17] is required in our proof of security.
Lemma 1
(Statistical Indistinguishability). Let \(C:=\{(\varvec{x},\varvec{v})|\varvec{x} \cdot \varvec{v} \ne 0\}\subset V \times V^{*}\), where V is an n-dimensional vector space and \(V^{*}\) is its dual. For all \((\varvec{x},\varvec{v}) \in C\), for all \((\varvec{r},\varvec{w}) \in C, \rho ,\tau \leftarrow \mathbb {Z}_{p}\), and \(A\xleftarrow {R}\mathbb {Z}_{p}^{n\times n}\),
where \(\# C=(p^{n}-1)(p^{n}-p^{n-1})\).
2.4 Complexity Assumption
Definition 2
(Three Party Diffie-Hellman Assumption). Given a group generator \(\mathcal {G}\), we define the following distribution:
The advantage of algorithm \(\mathcal {A}\) in breaking this assumption is defined as follows:
We say that the Three Party Diffie-Hellman Assumption is hard if \(Adv^{3DH}_{\mathcal {A}}(\lambda )\) is negligible.
Definition 3
(Decisional Linear Assumption). Given a group generator \(\mathcal {G}\), we define the following distribution:
The advantage of algorithm \(\mathcal {A}\) in breaking this assumption is defined as follows:
We say that the Decisional Linear Assumption is hard if \(Adv^{DL}_{\mathcal {A}}(\lambda )\) is negligible.
Definition 4
(Subspace Assumption). Given a group generator \(\mathcal {G}\), we define the following distribution \((n\ge 3, k\le \frac{n}{3})\):
The advantage of an algorithm \(\mathcal {A}\) in breaking this assumption is defined as follows:
We say that the Subspace Assumption is hard if \(Adv^{SD}_{\mathcal {A}}(\lambda )\) is negligible.
Lemma 2
[15] If \(\mathcal {G}\) satisfies decisional linear assumption, then \(\mathcal {G}\) also satisfies the subspace assumption.
3 Identity-Based Encryption
3.1 Our Construction
Setup \((\lambda )\rightarrow PP,MSK.\) First, it selects a bilinear group \(\mathbf {G}\) of prime order p along with a generator g. Then, a pair of dual orthonormal bases \((\mathbb {D},\mathbb {D^{*}})\) of dimension 6 is chosen at random. The elements of \(\mathbb {D}\) are denoted by \(\varvec{d_{1}},\ldots ,\varvec{d_{6}}\), and the elements of \(\mathbb {D^{*}}\) are denoted by \(\varvec{d^{*}_{1}},\ldots ,\varvec{d^{*}_{6}}\). Moreover, \(\varvec{d}_{i }\cdot \varvec{d}^{*}_{i } = \psi \) for i = 1,...,6. It also chooses two random values \(\alpha _{1},\alpha _{2}\in \mathbb {Z_{p }}\). It publishes the public parameters:
and keeps the master secret key:
KeyGen(MSK, ID) \(\rightarrow SK_{ID}.\) This algorithm picks random values \(r_{1},r_{2}\in \mathbb {Z_{p }}\), and computes:
Encrypt(PP, ID, M) \(\rightarrow CT.\) This algorithm picks two random values \(s_{1},s_{2}\in \mathbb {Z_{p }}\), and computes as follows:
Decrypt(\(CT,SK_{ID}\)) \(\rightarrow M.\) This algorithm is executed as follows:
3.2 Correctness
Observe that
Thus,
3.3 Proof of Security
Theorem 1
The IBE scheme can be proven fully secure based on the three party Diffie-Hellman and decisional linear assumptions. More precisely, for any PPT adversary \(\mathcal {A}\), there exists a PPT algorithm \(\mathcal {B}\) with the same running time such that
where \(q_{1}\) is the number of key queries in Phase 1.
We describe our semi-functional algorithms as follows.
EncryptSF. There are two forms of semi-functional ciphertext. Type-1 semi-functional ciphertext can be generated as follows. The algorithm picks random values \(s_{1},s_{2},s_{3} \in \mathbb {Z}_{p }\). Then:
A semi-functional ciphertext of type-2 is the same as type-1 except that the coefficients of \(\varvec{d_{5}},\varvec{d_{6}}\) are two random values. The algorithm picks \(s_{1},s_{2},z_{5},z_{6}\in \mathbb {Z}_{p }\) at random. Then:
KeyGenSF. There are two types of semi-functional keys. Type-1 semi-functional key can be generated as follows. The algorithm picks random values \(r_{1},r_{2},r_{3} \in \mathbb {Z}_{p }\). Then:
A semi-functional key of type-2 is the same as type-1 except that the coefficients of \(\varvec{d^{*}_{5}},\varvec{d^{*}_{6}}\) are two random values. The algorithm picks \(r_{1},r_{2},r_{5},r_{6}\in \mathbb {Z}_{p }\) at random. Then:
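To make the dual pairing vector space notation of Sect. 2.3 and the dual orthonormal bases \((\mathbb {D},\mathbb {D^{*}})\) with \(\varvec{d}_{i}\cdot \varvec{d}^{*}_{i}=\psi \) from Setup concrete, here is an added Python example (not the paper's own code): it generates such bases over \(\mathbb {Z}_{p}\) and checks that a semi-functional key component in the \(\varvec{d^{*}_{5}},\varvec{d^{*}_{6}}\) directions pairs to zero with a normal ciphertext component. Group elements \(g^{\varvec{v}}\) are modelled by their exponent vectors, since \(e(g^{\varvec{v}},g^{\varvec{w}})=e(g,g)^{\varvec{v}\cdot \varvec{w}}\) reduces the pairing to a dot product in the exponent; the toy prime p and the placement of normal components in \(\varvec{d_{1}},\varvec{d_{2}}\) are assumptions of this example.

```python
import random

P = 1_000_003  # constructed toy prime; a real instantiation uses a ~256-bit p


def dot(v, w):
    """Inner product v.w in Z_p, i.e. the exponent of e(g^v, g^w) = e(g,g)^{v.w}."""
    return sum(a * b for a, b in zip(v, w)) % P


def inverse_mod_p(m):
    """Gauss-Jordan inversion of a square matrix over Z_p; None if singular."""
    n = len(m)
    a = [list(row) + [int(i == j) for j in range(n)] for i, row in enumerate(m)]
    for col in range(n):
        piv = next((r for r in range(col, n) if a[r][col] % P), None)
        if piv is None:
            return None
        a[col], a[piv] = a[piv], a[col]
        inv = pow(a[col][col], -1, P)
        a[col] = [x * inv % P for x in a[col]]
        for r in range(n):
            if r != col and a[r][col] % P:
                f = a[r][col]
                a[r] = [(x - f * y) % P for x, y in zip(a[r], a[col])]
    return [row[n:] for row in a]


def gen_dual_bases(n, seed=None):
    """Return (D, D*, psi) with d_i . d*_j = psi if i == j, else 0 (mod p)."""
    rng = random.Random(seed)
    while True:  # a random matrix over Z_p is invertible with overwhelming probability
        D = [[rng.randrange(P) for _ in range(n)] for _ in range(n)]
        inv = inverse_mod_p(D)
        if inv is not None:
            break
    psi = rng.randrange(1, P)
    # Rows of D* are psi times the columns of D^{-1}, so D (D*)^T = psi * I.
    Dstar = [[psi * inv[k][i] % P for k in range(n)] for i in range(n)]
    return D, Dstar, psi


def combine(basis, coeffs):
    """Exponent vector of g^{sum_i coeffs[i] d_i}."""
    out = [0] * len(basis[0])
    for c, b in zip(coeffs, basis):
        out = [(o + c * x) % P for o, x in zip(out, b)]
    return out


def demo():
    """Assumed layout: normal components in span(d1, d2) / span(d1*, d2*),
    semi-functional components in span(d5*, d6*) as in the type-2 keys above."""
    D, Ds, psi = gen_dual_bases(6, seed=1)
    ct = combine(D, [5, 7, 0, 0, 0, 0])          # normal ciphertext part
    sk_sf = combine(Ds, [0, 0, 0, 0, 11, 13])    # semi-functional key part
    sk_nf = combine(Ds, [3, 4, 0, 0, 0, 0])      # normal key part
    # The semi-functional part pairs to zero with a normal ciphertext, so a
    # normal ciphertext still decrypts; the normal parts pair to psi*(5*3+7*4).
    return dot(ct, sk_sf), dot(ct, sk_nf), psi * (5 * 3 + 7 * 4) % P
```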
Game Sequence. We let \(\texttt {Adv}^{\texttt {Game}_{X}}_{\mathcal {A}}\) denote an adversary \(\mathcal {A}\)'s advantage in \(\texttt {Game}_{X}\).
- \(\texttt {Game}_{\texttt {Real}}\): the real security game.
- \(\texttt {Game}_{\texttt {0}}\): the same as \(\texttt {Game}_{\texttt {Real}}\) except that the challenge ciphertext becomes a type-1 semi-functional ciphertext.
- \(\texttt {Game}_{\texttt {1}}\): the same as \(\texttt {Game}_{\texttt {0}}\) except that the challenge ciphertext becomes a type-2 semi-functional ciphertext.
- \(\texttt {Game}_{\texttt {2,i }}\) for i = 0,...,\(q_{1}\): the same as \(\texttt {Game}_{\texttt {1}}\) except that the first i keys become type-2 semi-functional keys. We let \(\texttt {Game}_{\texttt {2,0}}\) denote \(\texttt {Game}_{\texttt {1}}\), and \(\texttt {Game}_{\texttt {2},\texttt {q}_{1}}\) denote \(\texttt {Game}_{\texttt {2}}\).
- \(\texttt {Game}_{\texttt {3}}\): the same as \(\texttt {Game}_{\texttt {2}}\) except that the challenge ciphertext becomes a type-1 semi-functional ciphertext.
- \(\texttt {Game}_{\texttt {4}}\): the same as \(\texttt {Game}_{\texttt {3}}\) except that the last \(q_{2}\) keys are all type-1 semi-functional keys.
- \(\texttt {Game}_{\texttt {5}}\): the same as \(\texttt {Game}_{\texttt {4}}\) except that the last \(q_{2}\) keys are all type-2 semi-functional keys.
- \(\texttt {Game}_{\texttt {Final}}\): the same as \(\texttt {Game}_{\texttt {5}}\) except that we encrypt a random message \(M'\in \mathbf {G}_{T}\) as the challenge ciphertext.
From \(\texttt {Game}_{\texttt {1}}\) to \(\texttt {Game}_{\texttt {2},q_{1}}\), we convert the first \(q_{1}\) keys from normal to semi-functional type-2 one after another, which requires \(\mathcal {O}(q_{1})\) steps. However, for the last \(q_{2}\) keys, we can modify them from semi-functional type-1 to type-2 all at once. Hence, we obtain a tighter reduction, \(\mathcal {O}(q_{1})\).
Theorem 1 follows from the following lemmas.
Lemma 3
Suppose there is a polynomial-time adversary \(\mathcal {A}\) that can break our scheme; then we can construct an algorithm \(\mathcal {B}\) with the same running time that breaks the subspace assumption with \(k=2, n=6\).
Lemma 4
For any adversary \(\mathcal {A}\), \(\texttt {Adv}^{\texttt {Game}_{\texttt {0}}}_{\mathcal {A}}(\lambda )\) = \(\texttt {Adv}^{\texttt {Game}_{\texttt {1}}}_{\mathcal {A}}(\lambda )\).
Lemma 5
Suppose there is a polynomial-time adversary \(\mathcal {A}\) that can break our scheme; then we can construct an algorithm \(\mathcal {B}\) with the same running time that breaks the subspace assumption with \(k=2, n=6\).
Lemma 6
For any adversary \(\mathcal {A}\), \(\texttt {Adv}^{\texttt {Game}_{\texttt {2}}}_{\mathcal {A}}(\lambda )\) = \(\texttt {Adv}^{\texttt {Game}_{\texttt {3}}}_{\mathcal {A}}(\lambda )\).
Lemma 7
Suppose there is a polynomial-time adversary \(\mathcal {A}\) that can break our scheme; then we can construct an algorithm \(\mathcal {B}\) with the same running time that breaks the subspace assumption with \(k=2, n=6\).
Lemma 8
Suppose there is a polynomial-time adversary \(\mathcal {A}\) that can break our scheme; then we can construct an algorithm \(\mathcal {B}\) with the same running time that breaks the three party Diffie-Hellman assumption.
Lemma 9
Suppose there is a polynomial-time adversary \(\mathcal {A}\) that can break our scheme; then we can construct an algorithm \(\mathcal {B}\) with the same running time that breaks the subspace assumption with \(k=2, n=6\).
4 Conclusions
We have presented a fully secure IBE scheme with a tighter security reduction in prime order bilinear groups. The full security of our scheme has been proven under the DLIN and 3-DH assumptions by extending dual system encryption over dual pairing vector spaces. We used the technique of delayed parameters to achieve the tighter reduction. It would be interesting to apply this technique to obtain more advanced functional encryption [18], such as inner product encryption [19].
References
Shamir, A.: Identity-based cryptosystems and signature schemes. In: Blakely, G.R., Chaum, D. (eds.) CRYPTO 1984. LNCS, vol. 196, pp. 47–53. Springer, Heidelberg (1985)
Boneh, D., Franklin, M.: Identity-based encryption from the Weil pairing. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, p. 213. Springer, Heidelberg (2001)
Boneh, D., Boyen, X.: Efficient selective-ID secure identity-based encryption without random oracles. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 223–238. Springer, Heidelberg (2004)
Canetti, R., Halevi, S., Katz, J.: A forward-secure public-key encryption scheme. J. Cryptology 20(3), 265–294 (2007)
Waters, B.: Dual system encryption: realizing fully secure IBE and HIBE under simple assumptions. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 619–636. Springer, Heidelberg (2009)
Waters, B.: Efficient identity-based encryption without random oracles. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 114–127. Springer, Heidelberg (2005)
Chen, J., Wee, H.: Fully, (almost) tightly secure IBE and dual system groups. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part II. LNCS, vol. 8043, pp. 435–460. Springer, Heidelberg (2013)
Attrapadung, N.: Dual system encryption via doubly selective security: framework, fully secure functional encryption for regular languages, and more. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 557–577. Springer, Heidelberg (2014)
Lewko, A., Waters, B.: New proof methods for attribute-based encryption: achieving full security through selective techniques. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 180–198. Springer, Heidelberg (2012)
Aranha, D.F., Beuchat, J.-L., Detrey, J., Estibals, N.: Optimal eta pairing on supersingular genus-2 binary hyperelliptic curves. In: Dunkelman, O. (ed.) CT-RSA 2012. LNCS, vol. 7178, pp. 98–115. Springer, Heidelberg (2012)
Aranha, D.F., Karabina, K., Longa, P., Gebotys, C.H., López, J.: Faster explicit formulas for computing pairings over ordinary curves. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 48–68. Springer, Heidelberg (2011)
Joux, A.: Faster index calculus for the medium prime case application to 1175-bit and 1425-bit finite fields. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 177–193. Springer, Heidelberg (2013)
Adj, G., Menezes, A., Oliveira, T., Rodríguez-Henríquez, F.: Weakness of \(\mathbb{F}_{3^{6 \cdot 509}}\) for discrete logarithm cryptography. In: Cao, Z., Zhang, F. (eds.) Pairing 2013. LNCS, vol. 8365, pp. 20–44. Springer, Heidelberg (2014)
Freeman, D.M.: Converting pairing-based cryptosystems from composite-order groups to prime-order groups. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 44–61. Springer, Heidelberg (2010)
Lewko, A.: Tools for simulating features of composite order bilinear groups in the prime order setting. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 318–335. Springer, Heidelberg (2012)
Okamoto, T., Takashima, K.: Hierarchical predicate encryption for inner-products. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 214–231. Springer, Heidelberg (2009)
Lewko, A., Okamoto, T., Sahai, A., Takashima, K., Waters, B.: Fully secure functional encryption: attribute-based encryption and (hierarchical) inner product encryption. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 62–91. Springer, Heidelberg (2010)
Boneh, D., Sahai, A., Waters, B.: Functional encryption: definitions and challenges. In: Ishai, Y. (ed.) TCC 2011. LNCS, vol. 6597, pp. 253–273. Springer, Heidelberg (2011)
Katz, J., Sahai, A., Waters, B.: Predicate encryption supporting disjunctions, polynomial equations, and inner products. In: Smart, N.P. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 146–162. Springer, Heidelberg (2008)
Acknowledgment
The authors would like to thank the anonymous reviewers for their critical suggestions that greatly improved the quality of this paper. This work is supported by the National Natural Science Foundation of China (No. 61379150, 61309016, 61502529).
© 2016 Springer International Publishing Switzerland
Zhang, J., Ge, A., **ao, S., Ma, C. (2016). Fully Secure IBE with Tighter Reduction in Prime Order Bilinear Groups. In: Qing, S., Okamoto, E., Kim, K., Liu, D. (eds) Information and Communications Security. ICICS 2015. Lecture Notes in Computer Science(), vol 9543. Springer, Cham. https://doi.org/10.1007/978-3-319-29814-6_21
DOI: https://doi.org/10.1007/978-3-319-29814-6_21
Print ISBN: 978-3-319-29813-9
Online ISBN: 978-3-319-29814-6