Abstract
Identity-based matchmaking encryption (IB-ME), proposed by Ateniese et al. (Crypto 2019), is a type of matchmaking encryption (ME). In IB-ME, the sender can specify a target identity \(\textsf{rcv}\) during encryption, and the receiver can set a target identity \(\textsf{snd}\) during decryption. The ciphertext can be decrypted if \(\textsf{snd}\) matches the sender’s identity \(\sigma \) and \(\textsf{rcv}\) matches the receiver’s identity \(\rho \). The basic security notion of IB-ME is privacy, whose original definition ensures that \(\sigma \), \(\textsf{rcv}\), and the message remain hidden as long as \(\textsf{rcv}\ne \rho \), regardless of the relation between \(\textsf{snd}\) and \(\sigma \). Francati et al. (IndoCrypt 2021) argue that the original privacy notion is unsatisfactory, as it does not match the intuitive privacy guarantee of matchmaking encryption. They revise the original privacy notion into an enhanced privacy notion that characterises meaningful privacy under the condition \(\textsf{snd}\ne \sigma \), and construct an IB-ME system with the enhanced security in the plain model, albeit under a q-type pairing-based assumption. Chen et al. (AsiaCrypt 2022) leave how to construct IB-ME systems with enhanced privacy from standard assumptions as an open problem. In this paper, we solve the problem by a generic construction of IB-ME with enhanced privacy. Instantiating our construction gives practical IB-ME systems with enhanced privacy from various standard assumptions.
Notes
1. Otherwise the ciphertext decrypts to two different messages.
2. The lemma was originally stated for proofs in the quantum random oracle model. It also applies to the ROM, as indicated by Saito et al.
References
Agrawal, S., Boneh, D., Boyen, X.: Efficient Lattice (H)IBE in the standard model. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 553–572. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5_28
Alwen, J., Krenn, S., Pietrzak, K., Wichs, D.: Learning with rounding, revisited. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8042, pp. 57–74. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40041-4_4
Ateniese, G., Francati, D., Nuñez, D., Venturi, D.: Match me if you can: matchmaking encryption and its applications. J. Cryptol. 34(3), 1–50 (2021)
Boneh, D., Boyen, X.: Efficient selective-ID secure identity-based encryption without random oracles. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 223–238. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24676-3_14
Boneh, D., Franklin, M.: Identity-based encryption from the Weil pairing. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 213–229. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44647-8_13
Boyen, X., Waters, B.: Anonymous hierarchical identity-based encryption (without random oracles). In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 290–307. Springer, Heidelberg (2006). https://doi.org/10.1007/11818175_17
Chen, J., Li, Y., Wen, J., Weng, J.: Identity-based matchmaking encryption from standard assumptions. In: Agrawal, S., Lin, D. (eds.) ASIACRYPT 2022, pp. 394–422. Springer, Cham (2022). https://doi.org/10.1007/978-3-031-22969-5_14
Dodis, Y., Kalai, Y.T., Lovett, S.: On cryptography with auxiliary input. In: STOC 2009, pp. 621–630. ACM (2009)
Dodis, Y., Ostrovsky, R., Reyzin, L., Smith, A.: Fuzzy extractors: how to generate strong keys from biometrics and other noisy data. SIAM J. Comput. 38(1), 97–139 (2008)
Ducas, L., et al.: CRYSTALS-Dilithium: a lattice-based digital signature scheme. IACR Trans. Cryptogr. Hardw. Embed. Syst. 2018(1), 238–268 (2018)
Ducas, L., Lyubashevsky, V., Prest, T.: Efficient identity-based encryption over NTRU lattices. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8874, pp. 22–41. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-45608-8_2
Fouque, P.-A., et al.: Falcon: fast-Fourier lattice-based compact signatures over NTRU. Submission to the NIST post-quantum cryptography standardization process (2018)
Francati, D., Guidi, A., Russo, L., Venturi, D.: Identity-based matchmaking encryption without random oracles. In: Adhikari, A., Küsters, R., Preneel, B. (eds.) INDOCRYPT 2021. LNCS, vol. 13143, pp. 415–435. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-92518-5_19
Gentry, C.: Practical identity-based encryption without random oracles. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 445–464. Springer, Heidelberg (2006). https://doi.org/10.1007/11761679_27
Gentry, C., Peikert, C., Vaikuntanathan, V.: Trapdoors for hard lattices and new cryptographic constructions. In: STOC 2008, pp. 197–206. ACM (2008)
Gentry, C., Silverberg, A.: Hierarchical ID-based cryptography. In: Zheng, Y. (ed.) ASIACRYPT 2002. LNCS, vol. 2501, pp. 548–566. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-36178-2_34
Kiltz, E., Neven, G.: Identity-based signatures. In: Joye, M., Neven, G. (eds.) Identity-Based Cryptography. Cryptology and Information Security Series, vol. 2, pp. 31–44. IOS Press (2009)
Krawczyk, H.: Cryptographic extraction and key derivation: the HKDF scheme. Cryptology ePrint Archive, Paper 2010/264 (2010). https://eprint.iacr.org/
McCarthy, S., Smyth, N., O’Sullivan, E.: A practical implementation of identity-based encryption over NTRU lattices. In: O’Neill, M. (ed.) IMACC 2017. LNCS, vol. 10655, pp. 227–246. Springer, Cham (2017)
Naor, M., Segev, G.: Public-key cryptosystems resilient to key leakage. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 18–35. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-03356-8_2
Paterson, K.G., Schuldt, J.C.N.: Efficient identity-based signatures secure in the standard model. In: Batten, L.M., Safavi-Naini, R. (eds.) ACISP 2006. LNCS, vol. 4058, pp. 207–222. Springer, Heidelberg (2006). https://doi.org/10.1007/11780656_18
Saito, T., Xagawa, K., Yamakawa, T.: Tightly-secure key-encapsulation mechanism in the quantum random oracle model. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10822, pp. 520–551. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78372-7_17
Wang, Y., Wang, B., Lai, Q., Zhan, Y.: Identity-based matchmaking encryption with stronger security and instantiation on lattices. Cryptology ePrint Archive, Paper 2022/1718 (2022). https://eprint.iacr.org/
Yu, Y., Zhang, J.: Cryptography with auxiliary input and trapdoor from constant-noise LPN. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9814, pp. 214–243. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53018-4_9
Appendices
Appendix A Identity-Based Encryption and Signature
An Identity-Based Encryption (IBE) system \(\textsf{IBE}\) with identity space \(\mathcal {I}\), message space \(\mathcal {M}\), and ciphertext space \(\mathcal {C}\) consists of four p.p.t. algorithms. \(\textsf{IBE}.\textsf{Setup}(1^\lambda )\) returns a master public key \(\textsf{pub}\) and a master private key \(\textsf{msk}\). We assume that \(\textsf{pub}\) is an implicit input to the other algorithms. \(\textsf{IBE}.\textsf{Extract}(\textsf{msk}, \textsf{id})\) generates a private key \(\textsf{sk}_\textsf{id}\) for the identity \(\textsf{id}\in \mathcal {I}\). \(\textsf{IBE}.\textsf{Enc}(\textsf{id}, \textsf{m})\) returns a ciphertext \(\textsf{ct}\in \mathcal {C}\). \(\textsf{IBE}.\textsf{Dec}(\textsf{sk}_\textsf{id}, \textsf{id}, \textsf{ct})\) returns a message \(\textsf{m}\in \mathcal {M}\) or \(\bot \). We define correctness as follows.
Definition 7
An IBE system \((\textsf{IBE}.\textsf{Setup}\), \(\textsf{IBE}.\textsf{Extract}\), \(\textsf{IBE}.\textsf{Enc}\), \(\textsf{IBE}.\textsf{Dec})\) with identity space \(\mathcal {I}\), message space \(\mathcal {M}\), and ciphertext space \(\mathcal {C}\) is correct if for all \(\lambda \in \mathbb {N}\), \((\textsf{pub}, \textsf{msk})\leftarrow \textsf{IBE}.\textsf{Setup}(1^\lambda )\), \(\textsf{id}\in \mathcal {I}\), \(\textsf{m}\in \mathcal {M}\), we have
where \(\textsf{sk}_\textsf{id}\leftarrow \textsf{IBE}.\textsf{Extract}(\textsf{msk},\textsf{id})\) and \(\textsf{negl}(\lambda )\) is negligible in \(\lambda \), and the probability is taken over the randomness of the algorithms.
We recall the notion of ciphertext indistinguishability from random under adaptive chosen-identity and chosen-plaintext attacks, denoted INDr-ID-CPA, which implies both semantic security and recipient-identity anonymity (a ciphertext hides the identity it was encrypted to).
Definition 8 (INDr-ID-CPA Security)
Let \(\lambda \) be the security parameter. We say that an IBE system \(\textsf{IBE}\) is INDr-ID-CPA secure if for all p.p.t. adversaries \(\mathcal {A}= (\mathcal {A}_1, \mathcal {A}_2)\) that make queries to \(\textsf{OExt}\),
where the security experiment \(\textsf{Exp}_{\textsf{IBE},\mathcal {A}}^{\textsf{indr}}(\lambda )\) is defined in Fig. 3 and the probability is over the randomness of the \(\textsf{IBE}\) algorithms and the randomness of the attacker.
An Identity-Based Signature (IBS) system \(\textsf{IBS}\) with identity space \(\mathcal {I}\) consists of four p.p.t. algorithms. \(\textsf{IBS}.\textsf{Setup}(1^\lambda )\) returns a master public key \(\textsf{pub}\) and a master private key \(\textsf{msk}\). We assume that \(\textsf{pub}\) is an implicit input to the other algorithms. \(\textsf{IBS}.\textsf{Extract}(\textsf{msk}, \textsf{id})\) generates a signing key \(\textsf{sk}_\textsf{id}\) for the identity \(\textsf{id}\in \mathcal {I}\). \(\textsf{IBS}.\textsf{Sign}(\textsf{sk}_\textsf{id}, \textsf{m})\) returns a signature \(s\). \(\textsf{IBS}.\textsf{Ver}(\textsf{id}, \textsf{m}, s)\) returns 1 (accept) or 0 (reject). We define correctness as follows.
Definition 9
An IBS system \(\textsf{IBS}=\) \((\textsf{IBS}.\textsf{Setup}\), \(\textsf{IBS}.\textsf{Extract}\), \(\textsf{IBS}.\textsf{Sign}\), \(\textsf{IBS}.\textsf{Ver})\) is correct if for all \((\textsf{IBS}.\textsf{pub},\textsf{IBS}.\textsf{msk})\leftarrow \textsf{IBS}.\textsf{Setup}(1^\lambda )\), \(\textsf{sk}_\textsf{id}\leftarrow \textsf{IBS}.\textsf{Extract}( \textsf{IBS}.\textsf{msk}, \textsf{id})\),
where \(\textsf{negl}(\lambda )\) is negligible in \(\lambda \), and the probability is over the algorithms.
We consider the standard notion of existential unforgeability under chosen-identity and chosen-message attacks (EUF-ID-CMA). We also need a property called identity lossiness, which bounds how much a signing key \(\textsf{sk}_\textsf{id}\) reveals about the identity \(\textsf{id}\) it was extracted for.
Definition 10
Let \(\lambda \) be the security parameter and consider the security experiment (game) defined in Fig. 3. We say that an IBS system \( \textsf{IBS}\) is EUF-ID-CMA secure if for any p.p.t. adversary \(\mathcal {A}\) that makes polynomially many (in \(\lambda \)) queries to the oracles \(\textsf{OExt}()\) and \(\textsf{OSig}()\),
where the probability is over the randomness of \(\mathcal {A}\) and the IBS system.
Definition 11
We say that an IBS system \(\textsf{IBS}=\) \((\textsf{IBS}.\textsf{Setup}\), \(\textsf{IBS}.\textsf{Extract}\), \(\textsf{IBS}.\textsf{Sign}\), \(\textsf{IBS}.\textsf{Ver})\) with identity space \(\mathcal {I}\) is \(\eta \)-identity lossy with respect to distribution \(\mathcal{I}\mathcal{D}\) over \(\mathcal {I}\) if \(\tilde{\textrm{H}}_\infty \left( \textsf{id}| \textsf{sk}_\textsf{id}\right) \ge \textrm{H}_\infty (\textsf{id}) - \eta \) for all \((\textsf{IBS}.\textsf{pub},\textsf{IBS}.\textsf{msk})\leftarrow \textsf{IBS}.\textsf{Setup}(1^\lambda )\), \(\textsf{sk}_\textsf{id}\leftarrow \textsf{IBS}.\textsf{Extract}(\textsf{IBS}.\textsf{msk},\textsf{id})\), \(\textsf{id}\leftarrow \mathcal{I}\mathcal{D}\).
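A toy check of Definition 11, added here as an example and not taken from the paper: the `toy_extract` routine below is a constructed stand-in for \(\textsf{IBS}.\textsf{Extract}\) (it is not any of the paper's instantiations) whose key copies the `leak` low-order bits of the identity next to one random coin, so its leakage is known by construction. The script computes \(\textrm{H}_\infty (\textsf{id})\), the average conditional min-entropy \(\tilde{\textrm{H}}_\infty (\textsf{id}| \textsf{sk}_\textsf{id})\), and the gap \(\eta \) exactly, for a uniform and for a skewed identity distribution, both constructed for the example.

```python
"""Worked check of eta-identity lossiness (Definition 11) on a toy key extraction.

Constructed example: toy_extract is NOT the paper's IBS nor any of its
instantiations. It is a stand-in whose leakage is known by construction, so
that eta = H_inf(id) - tilde{H}_inf(id | sk_id) can be computed exactly.
"""
from collections import defaultdict
from fractions import Fraction
from itertools import product
from math import log2


def min_entropy(dist):
    """H_inf(X) = -log2 max_x Pr[X = x], for dist: value -> probability."""
    return -log2(max(dist.values()))


def cond_guess_prob(joint):
    """Average guessing probability sum_y max_x Pr[X = x, Y = y].

    tilde{H}_inf(X | Y) = -log2 of this quantity (the average conditional
    min-entropy of Dodis et al.). joint: (x, y) -> probability.
    """
    best = defaultdict(Fraction)          # best[y] = max_x Pr[X = x, Y = y]
    for (x, y), p in joint.items():
        if p > best[y]:
            best[y] = p
    return sum(best.values(), Fraction(0))


def avg_cond_min_entropy(joint):
    """tilde{H}_inf(X | Y) from a joint distribution (x, y) -> probability."""
    return -log2(cond_guess_prob(joint))


def toy_extract(identity, leak, coin):
    """Constructed stand-in for IBS.Extract: the key reveals the `leak`
    low-order bits of the identity plus one uniform coin (the coin models
    the randomness of key generation)."""
    leaked = identity[len(identity) - leak:] if leak else ()
    return (leaked, coin)


def uniform_ids(n_bits):
    """Uniform distribution over n-bit identities (tuples of bits)."""
    ids = list(product((0, 1), repeat=n_bits))
    return {i: Fraction(1, len(ids)) for i in ids}


def skewed_ids(n_bits, heavy_mass=Fraction(1, 2)):
    """Constructed non-uniform distribution: the all-zero identity carries
    heavy_mass, the remaining mass is spread evenly over the other ids."""
    ids = list(product((0, 1), repeat=n_bits))
    rest = (1 - heavy_mass) / (len(ids) - 1)
    return {i: (heavy_mass if not any(i) else rest) for i in ids}


def lossiness_gap(id_dist, leak):
    """Return (H_inf(id), tilde{H}_inf(id | sk_id), eta) for the toy extraction,
    with sk_id = toy_extract(id, leak, coin) and coin uniform in {0, 1}."""
    joint = defaultdict(Fraction)
    for ident, p in id_dist.items():
        for coin in (0, 1):
            joint[(ident, toy_extract(ident, leak, coin))] += p / 2
    h = min_entropy(id_dist)
    h_cond = avg_cond_min_entropy(joint)
    return h, h_cond, h - h_cond


if __name__ == "__main__":
    for leak in range(0, 5):
        h, hc, eta = lossiness_gap(uniform_ids(4), leak)
        print(f"uniform 4-bit ids, {leak} leaked bits: "
              f"H={h:.3f}  H(id|sk)={hc:.3f}  eta={eta:.3f}")
    h, hc, eta = lossiness_gap(skewed_ids(4), 2)
    print(f"skewed ids, 2 leaked bits: H={h:.3f}  H(id|sk)={hc:.3f}  eta={eta:.3f}")
```

On uniform 4-bit identities the gap \(\eta \) equals the number of identity bits the key exposes (0 through 4), which is the quantity Definition 11 asks the IBS to keep small; on the skewed distribution \(\eta \) is strictly below the leaked-bit count because the heavy identity already dominates the guessing probability before the key is seen. A key that is independent of the identity gives \(\eta = 0\), a key that determines it gives \(\eta = \textrm{H}_\infty (\textsf{id})\).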
Appendix B Reduction for Proving Inequality (1)
We construct a reduction algorithm \(\mathcal {B}\) that uses a distinguisher between \(\textsf{Hyb}_0\) and \(\textsf{Hyb}_1\) to break the INDr-ID-CPA security of the underlying IBE system \(\textsf{IBE}\). We note that the proof works under the condition \(\bar{\textsf{M}}_1:\forall \rho \in L_2, \rho \ne \textsf{rcv}_0^*\wedge \rho \ne \textsf{rcv}_1^* \), i.e., no decryption key is ever requested for either challenge receiver identity. \(\mathcal {B}\) interacts with an INDr-ID-CPA challenger and works as follows.
\(\mathcal {B}\) initialises three empty lists \(L_1\), \(L_2\), and \(L_3\). On receiving a master public key \(\textsf{IBE}.\textsf{pub}\) of the IBE system \(\textsf{IBE}\) from its challenger, \(\mathcal {B}\) runs \((\textsf{IBS}.\textsf{pub},\textsf{IBS}.\textsf{msk})\leftarrow \textsf{IBS}.\textsf{Setup}(1^\lambda )\) and sets \(\textsf{pub}:=(\textsf{IBE}.\textsf{pub}, \textsf{IBS}.\textsf{pub})\), \(\textsf{msk}:=\textsf{IBS}.\textsf{msk}\).
Then, \(\mathcal {B}\) responds to the IB-ME adversary \(\mathcal {A}\)’s queries as follows:
1. Query \(\mathcal {O}_1(\sigma )\): \(\mathcal {B}\) simply runs \(\textsf{sk}_\sigma \leftarrow \textsf{IBS}.\textsf{Extract}(\textsf{IBS}.\textsf{msk}, \sigma )\), returns \(\textsf{ek}_\sigma = (\textsf{sk}_\sigma , \sigma )\), and sets \(L_1 = \{\sigma \}\cup L_1\).
2. Query \(\mathcal {O}_2(\rho )\): \(\mathcal {B}\) makes an \(\textsf{OExt}\) query on \(\rho \) to its IBE challenger, receives back \(\textsf{sk}_\rho \), returns \(\textsf{dk}_\rho :=(\textsf{sk}_\rho , \rho )\), and sets \(L_2 = \{\rho \}\cup L_2\).
Then, \(\mathcal {A}\) announces \((\textsf{m}_0^*, \textsf{m}_1^*,\textsf{rcv}^*_0, \textsf{rcv}_1^*, \mathcal{I}\mathcal{D}_0, \mathcal{I}\mathcal{D}_1, st)\) and \(\mathcal {B}\) creates the challenge ciphertext as follows:
1. For \(i=0, 1\): \(\sigma _i^*\leftarrow \mathcal{I}\mathcal{D}_i\), \(\textsf{sk}_{\sigma _i^*}\leftarrow \textsf{IBS}.\textsf{Extract}(\textsf{IBS}.\textsf{msk}, \sigma _i^*)\), \(\textsf{ek}_{\sigma _i^*} := (\textsf{sk}_{\sigma _i^*}, \sigma _i^*)\).
2. \(r^*\leftarrow U(\{0,1\}^\ell )\), \(K^*_1\leftarrow U(\{0,1\}^s)\), \(K_2^*\leftarrow U(\{0,1\}^v)\).
3. \(\kappa _1^*\leftarrow \textsf{ReExt}(K_1^*, \sigma _0^*)\), \(\kappa _2^*\leftarrow \textsf{Ext}(K_2^*, r^*)\).
4. Send \((\textsf{id}^* = \textsf{rcv}_0^*, m^*:= \textsf{m}_0^*||r^*, st=\emptyset )\) to the challenger, receive back \(\textsf{ct}_b^*\), and set \( \tilde{c}^* \leftarrow \textsf{ct}^*_b\).
5. \(\tilde{s}^*\leftarrow \textsf{IBS}.\textsf{Sign}\left( \textsf{sk}_{\sigma _0^*}, H(c^*||r^*||K_1^*||K_2^*)\right) \), \(s^*\leftarrow \tilde{s}^*\oplus \kappa _2^*\).
6. Return \(\textsf{ct}^*:=(c^*, s^*, K^*_1, K^*_2)\).
Then \(\mathcal {A}\) makes oracle queries to \(\mathcal {O}_1\), \(\mathcal {O}_2\), \(\mathcal {O}_{3,\beta }\). The \(\mathcal {O}_1\) and \(\mathcal {O}_2\) queries are answered in the same way as before. For the query \((\textsf{rcv},\textsf{m})\) to \(\mathcal {O}_{3, \beta }\), \(\mathcal {B}\) returns \(\textsf{ct}= \textsf{Enc}(\textsf{ek}_{\sigma _\beta ^*}, \textsf{rcv}, \textsf{m})\) where \(\textsf{Enc}\) is the encryption algorithm of the IB-ME construction. Finally, \(\mathcal {B}\) outputs what \(\mathcal {A}\) outputs.
We analyse the reduction. First, \(\textsf{Hyb}_0\) and \(\textsf{Hyb}_1\) have the same distribution on \(\textsf{pub}\), which \(\mathcal {B}\) simulates correctly. Second, \(\mathcal {B}\) answers all queries properly; in particular, under \(\bar{\textsf{M}}_1\) no \(\mathcal {O}_2\) query is made on \(\textsf{rcv}_0^*\), so \(\mathcal {B}\) never asks \(\textsf{OExt}\) for the private key of its own challenge identity and is a legitimate INDr-ID-CPA adversary. The only difference between \(\textsf{Hyb}_0\) and \(\textsf{Hyb}_1\) is the distribution of the value \(\tilde{c}^*\). When the IBE challenger chose \(b=0\), the IBE challenge ciphertext \(\textsf{ct}^*\) is a real encryption of \(\textsf{m}_0^*||r^*\) under \(\textsf{rcv}_0^*\), and \(\mathcal {B}\) simulates \(\textsf{Hyb}_0\). When the IBE challenger chose \(b=1\), \(\textsf{ct}^*\) is a random element of the ciphertext space, and \(\mathcal {B}\) simulates \(\textsf{Hyb}_1\). Let \(\mathcal {B}\textsf {Win}\) be the event that \(\mathcal {B}\)’s output equals \(b\). So,
which gives \(|\Pr [\textsf{Hyb}_0\Rightarrow 1] - \Pr [\textsf{Hyb}_1\Rightarrow 1] | \le 2\cdot \textsf{Adv}_{\textsf{IBE},\mathcal {B}}^{\textsf{indr}}(\lambda )\) and concludes the proof.
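The calculation behind the factor 2, written out here as an added step that is not in the original appendix. It assumes the usual convention \(\textsf{Adv}_{\textsf{IBE},\mathcal {B}}^{\textsf{indr}}(\lambda ) = |\Pr [\mathcal {B}\textsf {Win}] - \tfrac{1}{2}|\) with \(b\) uniform, which is the convention under which the stated bound holds. Since \(\mathcal {B}\) forwards \(\mathcal {A}\)’s output bit, \(\mathcal {B}\) wins exactly when \(b=0\) and the simulated \(\textsf{Hyb}_0\) outputs 0, or \(b=1\) and the simulated \(\textsf{Hyb}_1\) outputs 1:

\[
\Pr [\mathcal {B}\textsf {Win}] = \tfrac{1}{2}\Pr [\textsf{Hyb}_0\Rightarrow 0] + \tfrac{1}{2}\Pr [\textsf{Hyb}_1\Rightarrow 1]
= \tfrac{1}{2} + \tfrac{1}{2}\bigl(\Pr [\textsf{Hyb}_1\Rightarrow 1] - \Pr [\textsf{Hyb}_0\Rightarrow 1]\bigr),
\]

hence \(|\Pr [\textsf{Hyb}_0\Rightarrow 1] - \Pr [\textsf{Hyb}_1\Rightarrow 1]| = 2\,|\Pr [\mathcal {B}\textsf {Win}] - \tfrac{1}{2}| = 2\cdot \textsf{Adv}_{\textsf{IBE},\mathcal {B}}^{\textsf{indr}}(\lambda )\).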
© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG
Cite this paper
Boyen, X., Li, Q. (2024). Identity-Based Matchmaking Encryption with Enhanced Privacy – A Generic Construction with Practical Instantiations. In: Tsudik, G., Conti, M., Liang, K., Smaragdakis, G. (eds) Computer Security – ESORICS 2023. ESORICS 2023. Lecture Notes in Computer Science, vol 14345. Springer, Cham. https://doi.org/10.1007/978-3-031-51476-0_21
DOI: https://doi.org/10.1007/978-3-031-51476-0_21
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-51475-3
Online ISBN: 978-3-031-51476-0