Identity-Based Matchmaking Encryption with Enhanced Privacy – A Generic Construction with Practical Instantiations

Abstract

Identity-based matchmaking encryption (IB-ME), proposed by Ateniese et al. (Crypto 2019), is a type of matchmaking encryption (ME). In IB-ME, the sender can specify a target identity \(\textsf{rcv}\) during encryption, and the receiver can set a target identity \(\textsf{snd}\) during decryption. The ciphertext can be decrypted if \(\textsf{snd}\) matches the sender’s identity \(\sigma \), and \(\textsf{rcv}\) matches the receiver’s identity \(\rho \). The basic security notion of IB-ME is privacy, whose original definition ensures that \(\sigma \), \(\textsf{rcv}\), and the message remain hidden as long as \(\textsf{rcv}\ne \rho \), regardless the relation between \(\textsf{snd}\) and \(\sigma \). Francati et al. (IndoCrypt 2021) argue that the original privacy notion is unsatisfactory as it does not match the intuitive privacy guarantee of matching encryption. They revise the original privacy notion with an enhanced privacy notion to characterise meaningful privacy under the condition \(\textsf{snd}\ne \sigma \) and construct an IB-ME system with the enhanced security in the plain model, albeit under a q-type pairing-based assumption. Chen et al. (AsiaCrypt 2022) leave how to construct IB-ME systems with enhanced privacy as an open problem. In this paper, we solve the problem by a generic construction of IB-ME with enhanced privacy. Instantiating our construction gives practical IB-ME systems with enhanced privacy from various standard assumptions.

Appendices

Appendix A Identity-Based Encryption and Signature

An Identity-Based Encryption (IBE) system \(\textsf{IBE}\) with identity space \(\mathcal {I}\) and message space \(\mathcal {M}\) and ciphertext space \(\mathcal {C}\) consists of four p.p.t algorithms. \(\textsf{IBE}.\textsf{Setup}(1^\lambda )\) returns a master public key \(\textsf{pub}\) and a master private key \(\textsf{msk}\). We assume that \(\textsf{pub}\) is an implicit input to the other algorithms. \(\textsf{IBE}.\textsf{Extract}(\textsf{msk}, \textsf{id})\) generates a private key \(\textsf{sk}_\textsf{id}\). \(\textsf{IBE}.\textsf{Enc}\) \((\textsf{id}, \textsf{m})\) returns a ciphertext \(\textsf{ct}\in \mathcal {C}\). \(\textsf{IBE}.\textsf{Dec}\) \((\textsf{sk}_\textsf{id}, \textsf{id}, \textsf{ct})\) returns a message \(\textsf{m}\in \mathcal {M}\) or \(\bot \). We define the correctness as follows.

Definition 7

An IBE system \((\textsf{IBE}.\textsf{Setup}\), \(\textsf{IBE}.\textsf{Extract}\), \(\textsf{IBE}.\textsf{Enc}\), \(\textsf{IBE}.\textsf{Dec})\) with identity space \(\mathcal {I}\), message space \(\mathcal {M}\), and ciphertext space \(\mathcal {C}\) is correct if for all \(\lambda \in \mathbb {N}\), \((\textsf{pub}, \textsf{msk})\leftarrow \textsf{IBE}.\textsf{Setup}(1^\lambda )\), \(\textsf{id}\in \mathcal {I}\), \(\textsf{m}\in \mathcal {M}\), we have

$$\begin{aligned} \Pr \left[ \textsf{IBE}.\textsf{Dec}(\textsf{sk}_\textsf{id}, \textsf{id}, \textsf{Enc}(\textsf{id}, \textsf{m})) = \textsf{m}\right] \ge 1- \textsf{negl}(\lambda ) \end{aligned}$$

where \(\textsf{sk}_\textsf{id}\leftarrow \textsf{IBE}.\textsf{Extract}(\textsf{msk},\textsf{id})\) and \(\textsf{negl}(\lambda )\) is negligible in \(\lambda \), and the probability is taken over the randomness of the algorithms.

We recall the notions of ciphertext indistinguishability from random under adaptive chosen-identity and chosen plaintext attacks, denoted by INDr-ID-CPA which implies semantic security and recipient identity anonymity.

Definition 8 (INDr-ID-CPA Security)

Let \(\lambda \) be the security parameter. We say that an IBE system \(\textsf{IBE}\) is INDr-ID-CPA secure if for all p.p.t adversary \(\mathcal {A}= (\mathcal {A}_1, \mathcal {A}_2)\) that makes queries to \(\textsf{OExt}\),

$$\begin{aligned} \textsf{Adv}_{\textsf{IBE},\mathcal {A}}^{\textsf{indr}}(\lambda ):= \left| \Pr \left[ \textsf{Exp}_{\textsf{IBE},\mathcal {A}}^{\textsf{indr}}(\lambda ) = 1\right] - 1/2 \right| \le \textsf{negl}(\lambda ) \end{aligned}$$

where the security experiment \(\textsf{Exp}_{\textsf{IBE},\mathcal {A}}^{\textsf{indr}}(\lambda )\)is defined in Fig. 3 and the probability is over the randomness of the \(\textsf{IBE}\) algorithms and the randomness of the attacker.

Fig. 3.

INDr-ID-CPA and EUF-ID-CMA Security Experiments

An IBS system \(\textsf{IBS}\) with identity space \(\mathcal {I}\) consists of four p.p.t algorithms. \(\textsf{IBS}.\textsf{Setup}(1^\lambda )\) returns a master public key \(\textsf{pub}\) and a master private key \(\textsf{msk}\). We assume that \(\textsf{pub}\) is an implicit input to other algorithms. \(\textsf{IBS}.\textsf{Extract}(\textsf{msk}, \textsf{id})\). \(\textsf{IBS}.\textsf{Sign}(\textsf{sk}_\textsf{id}, \textsf{m})\) returns a signature s. \(\textsf{IBS}.\textsf{Ver}(\textsf{id}, \textsf{m}, s)\) returns 1 or 0. We define the correctness as follows.

Definition 9

An IBS system \(\textsf{IBS}=\) \((\textsf{IBS}.\textsf{Setup}\), \(\textsf{IBS}.\textsf{Extract}\), \(\textsf{IBS}.\textsf{Sign}\), \(\textsf{IBS}.\textsf{Ver})\) is correct if for all \((\textsf{IBS}.\textsf{pub},\textsf{IBS}.\textsf{msk})\leftarrow \textsf{IBS}.\textsf{Setup}(1^\lambda )\), \(\textsf{sk}_\textsf{id}\leftarrow \textsf{IBS}.\textsf{Extract}( \textsf{IBS}.\textsf{msk}, \textsf{id})\),

$$\begin{aligned} \Pr \left[ \textsf{Ver}(\textsf{id}, \textsf{m}, \textsf{Sign}(\textsf{sk}_\textsf{id}, \textsf{m}) = 1 \right] \ge 1-\textsf{negl}(\lambda ) \end{aligned}$$

where \(\textsf{negl}(\lambda )\) is negligible in \(\lambda \), and the probability is over the algorithms.

We consider the standard unforgeability under chosen-identity and chosen-message attacks (EUF-ID-CMA). We also need a property called identity lossiness.

Definition 10

Let \(\lambda \) be the security parameter. Consider the security experiment (game) defined in Fig. 3. We say an IBS system \( \textsf{IBS}\) is EUF-ID-CMA secure if for any p.p.t adversary \(\mathcal {A}\) that makes polynomially many (in \(\lambda \)) queries the oracles \(\textsf{OExt}()\) and \(\textsf{OSig}()\),

$$ \textsf{Adv}_{\textsf{IBS},\mathcal {A}}^{\textsf{euf}}(\lambda ) := \Pr [\textsf{Exp}_{\textsf{IBS},\mathcal {A}}^{\textsf{euf}}(\lambda ) = 1] \le \textsf{negl}(\lambda ) $$

where the probability is over the randomness of \(\mathcal {A}\) and the IBS system.

Definition 11

We say that an IBS system \(\textsf{IBS}=\) \((\textsf{IBS}.\textsf{Setup}\), \(\textsf{IBS}.\textsf{Extract}\), \(\textsf{IBS}.\textsf{Sign}\), \(\textsf{IBS}.\textsf{Ver})\) with identity space \(\mathcal {I}\) is \(\eta \)-identity lossy with respect to distribution \(\mathcal{I}\mathcal{D}\) over \(\mathcal {I}\) if \(\tilde{\textrm{H}}_\infty \left( \textsf{id}| \textsf{sk}_\textsf{id}\right) \ge \textrm{H}_\infty (\textsf{id}) - \eta \) for all \((\textsf{IBS}.\textsf{pub},\textsf{IBS}.\textsf{msk})\leftarrow \textsf{IBS}.\textsf{Setup}(1^\lambda )\), \(\textsf{sk}_\textsf{id}\leftarrow \textsf{IBS}.\textsf{Extract}(\textsf{IBS}.\textsf{msk},\textsf{id})\), \(\textsf{id}\leftarrow \mathcal{I}\mathcal{D}\).

Appendix B Reduction for Proving Inequality (1)

We construct the reduction algorithm \(\mathcal {B}\) that uses a distinguisher that distinguishes between \(\textsf{Hyb}_0\) and \(\textsf{Hyb}_1\) to break the INDr-ID-CPA security of the underlying IBE system \(\textsf{IBE}\). We note that the proof works under the condition \(\bar{\textsf{M}}_1:\forall \rho \in L_2, \rho \ne \textsf{rcv}_0^*\wedge \rho \ne \textsf{rcv}_1^* \). \(\mathcal {B}\) is interacting with an INDr-ID-CPA challenger and works as follows.

\(\mathcal {B}\) initialises three empty list \(L_1\), \(L_2\), and \(L_3\). On receiving a master public key \(\textsf{IBE}.\textsf{pub}\) of the IBE system \(\textsf{IBE}\). \(\mathcal {B}\) sets \((\textsf{IBS}.\textsf{pub},\textsf{IBS}.\textsf{msk})\leftarrow \textsf{IBS}.\textsf{Setup}(1^\lambda )\), and \(\textsf{pub}:=(\textsf{IBE}.\textsf{pub}, \textsf{IBS}.\textsf{pub})\), \(\textsf{msk}:=\textsf{IBS}.\textsf{msk}\)

Then, \(\mathcal {B}\) responds to the IB-ME adversary \(\mathcal {A}\)’s queries as follows:

1. 1.

   Query \(\mathcal {O}_1(\sigma )\): \(\mathcal {B}\) simply runs \(\textsf{sk}_\sigma \leftarrow \textsf{IBS}.\textsf{Extract}(\textsf{IBS}.\textsf{msk}, \sigma )\), returns \(\textsf{ek}_\sigma = (\textsf{sk}_\sigma , \sigma )\), and sets \(L_1 = \{\sigma \}\sup L_1\).

2. 2.

   Query \(\mathcal {O}_2(\rho )\): \(\mathcal {B}\) makes an \(\textsf{OExt}\) query on \(\rho \) to its IBE challenger, receives back \(\textsf{sk}_\textsf{id}\) and sets \(\textsf{dk}_\rho :=(\textsf{sk}_\rho , \rho )\), and sets \(L_2 = \{\sigma \}\cup L_2\).

Then, \(\mathcal {A}\) announces \((\textsf{m}_0^*, \textsf{m}_1^*,\textsf{rcv}^*_0, \textsf{rcv}_1^*, \mathcal{I}\mathcal{D}_0, \mathcal{I}\mathcal{D}_1, st)\) and \(\mathcal {B}\) creates the challenge ciphertext as follows:

1. 1.

   For \(i=0, 1\), \(\sigma _i^*\leftarrow \mathcal{I}\mathcal{D}_i\), \(\textsf{ek}_{\sigma _i^*}\leftarrow \textsf{IBS}.\textsf{Extract}(\textsf{IBS}.\textsf{msk}, \sigma _i^*)\)

2. 2.

   \(r^*\leftarrow U(\{0,1\}^\ell )\), \(K^*_1\leftarrow U(\{0,1\}^s)\), \(K_2^*\leftarrow U(\{0,1\}^v)\)

3. 3.

   \(\kappa _1^*\leftarrow \textsf{ReExt}(K_1^*, \sigma _0^*))\), \(\kappa _2\leftarrow \textsf{Ext}(K_2^*, r^*)\)

4. 4.

   Send \((\textsf{id}^* = \textsf{rcv}_0^*, m^*:= \textsf{m}_0^*||r^*, st=\emptyset )\) to the challenger, receive back \(\textsf{ct}_b^*\) and set \( \tilde{c}^* \leftarrow \textsf{ct}^*_b\).

5. 5.

   \(\tilde{s}\leftarrow \textsf{IBS}.\textsf{Sign}\left( \textsf{sk}_\sigma , H(c^*||r^*||K_1^*||K_2^*)\right) \), \(s^*\leftarrow \tilde{s}^*\oplus \kappa _2^*\)

6. 6.

   Return \(\textsf{ct}:=(c^*, s^*, K^*_1, K^*_2)\).

Then \(\mathcal {A}\) makes oracle queries to \(\mathcal {O}_1\), \(\mathcal {O}_2\), \(\mathcal {O}_{3,\beta }\). The \(\mathcal {O}_1\) and \(\mathcal {O}_2\) queries are answered in the same way as before. For the query \((\textsf{rcv},\textsf{m})\) to \(\mathcal {O}_{3, \beta }\), \(\mathcal {B}\) returns \(\textsf{ct}= \textsf{Enc}(\textsf{ek}_{\sigma _\beta ^*}, \textsf{rcv}, \textsf{m})\) where \(\textsf{Enc}\) is the encryption algorithm of the IB-ME construction. Finally, \(\mathcal {B}\) outputs what \(\mathcal {A}\) outputs.

We analyse the reduction. First of all, \(\textsf{Hyb}_0\) and \(\textsf{Hyb}_1\) have the same distribution on \(\textsf{pub}\), which is correctly simulated by \(\mathcal {B}\). Second, all \(\mathcal {B}\) answers all queries properly. The only difference between \(\textsf{Hyb}_1\) and \(\textsf{Hyb}_0\) is the distribution of the value \(\tilde{c}\). We can see that when the IBE challenger chose \(b=0\), i.e., the IBE challenge ciphertext \(\textsf{ct}^*\) is an encryption of \(\textsf{IBE}\) system, and \(\mathcal {B}\) simulates \(\textsf{Hyb}_0\). On the other hand, when the IBE challenger chose \(b=1\), \(\textsf{ct}^*\) is a random ciphertext, and \(\mathcal {B}\) simulates \(\textsf{Hyb}_1\). Let \(\mathcal {B}\textsf {Win}\) be the event that \(\mathcal {B}\)’s output equals to b. So,

$$\begin{aligned} \Pr [\mathcal {B}\textsf {Win}] & = \frac{1}{2}\left( \Pr [\mathcal {B}\textsf {Win}|b=1] + \Pr [\mathcal {B}\textsf {Win}|b=0]\right) \\ & = \frac{1}{2}\left( 1-\Pr [\mathcal {A}\rightarrow 0|b=1] + \Pr [\mathcal {A}\rightarrow 0|b=0]\right) \\ & = \frac{1}{2}\left( 1-\Pr [\textsf{Hyb}_1\Rightarrow 1] + \Pr [\textsf{Hyb}_0\Rightarrow 1] \right) \end{aligned}$$

which gives \(|\Pr [\textsf{Hyb}_0\Rightarrow 1] - \Pr [\textsf{Hyb}_0\Rightarrow 1] | \le 2\cdot \textsf{Adv}_{\textsf{IBE},\mathcal {A}}^{\textsf{indr}}(\lambda )\) and ends the proof.