Abstract
Cloud computing makes it easy for people to share files anywhere and anytime with mobile end devices. There is a privacy issue in such applications even if the files are encrypted. Specially, the public keys or identities of the receivers will be exposed to the cloud server or hackers. Group Encryption (GE) is designed to achieve anonymity of the receiver(s). The existing GE schemes are all realized in the public key infrastructure (PKI) setting, in which complicated certificates management is required to ensure security. It is observed that GE is especially appealing to institutions which usually have their own closed secure user management system. In this paper, we propose a new concept, referred to as identity-based group encryption (IBGE), which realizes GE in the identity-based cryptography setting. In the IBGE, a private key generator (PKG) designates each user a secret key associated with his identity; and the user can register his identity as a group member to a group manager without leaking his secret key. Then anyone can send confidential messages to the group member without leaking the group member’s identity. However, the group manager can trace the receiver if a dispute occurs or the privacy mechanism is abused. Following this model, we propose the first IBGE scheme that is formally proven secure in the standard model. Analysis shows that our scheme is also efficient and practical.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Similar content being viewed by others
References
Boneh, D., Lynn, B., Shacham, H.: Short signatures from the Weil pairing. J. Cryptology 17(4), 297–319 (2004)
Boneh, D., Lynn, B., Shacham, H.: Short signatures from the Weil pairing. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 514–532. Springer, Heidelberg (2001)
Boneh, D., Franklin, M.: Identity-based encryption from the Weil pairing. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 213–229. Springer, Heidelberg (2001)
Boneh, D., Franklin, M.: Identity-based encryption from the Weil pairing. SIAM J. Comput. 32(3), 586–615 (2003)
Barreto, P.S.L.M., Naehrig, M.: Pairing-friendly elliptic curves of prime order. In: Preneel, B., Tavares, S. (eds.) SAC 2005. LNCS, vol. 3897, pp. 319–331. Springer, Heidelberg (2006)
Boyen, X., Waters, B.: Compact group signatures without random oracles. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 427–444. Springer, Heidelberg (2006)
Chaum, D., van Heyst, E.: Group signatures. In: Davies, D.W. (ed.) EUROCRYPT 1991. LNCS, vol. 547, pp. 257–265. Springer, Heidelberg (1991)
Cramer, R., Shoup, V.: A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 13–25. Springer, Heidelberg (1998)
Cathalo, J., Libert, B., Yung, M.: Group encryption: non-interactive realization in the standard model. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 179–196. Springer, Heidelberg (2009)
Ducas, L.: Anonymity from asymmetry: new constructions for anonymous HIBE. In: Pieprzyk, J. (ed.) CT-RSA 2010. LNCS, vol. 5985, pp. 148–164. Springer, Heidelberg (2010)
Fiat, A., Shamir, A.: How to prove yourself: practical solutions to identification and signature problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1987)
Groth, J.: Simulation-sound NIZK proofs for a practical language and constant size group signatures. In: Lai, X., Chen, K. (eds.) ASIACRYPT 2006. LNCS, vol. 4284, pp. 444–459. Springer, Heidelberg (2006)
Gentry, C.: Practical identity-based encryption without random oracles. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 445–464. Springer, Heidelberg (2006)
Kiayias, A., Tsiounis, Y., Yung, M.: Group encryption. In: Kurosawa, K. (ed.) ASIACRYPT 2007. LNCS, vol. 4833, pp. 181–199. Springer, Heidelberg (2007)
Kiayias, A., Yung, M.: Secure scalable group signature with dynamic joins and separable authorities. Int. J. Secur. Netw. 1(1/2), 24–45 (2006)
Libert, B., Yung, M., Joye, M., Peters, T.: Traceable group encryption. In: Krawczyk, H. (ed.) PKC 2014. LNCS, vol. 8383, pp. 592–610. Springer, Heidelberg (2014)
Liu, J.K., Tsang, P.P., Wong, D.S.: Efficient verifiable ring encryption for Ad Hoc groups. In: Molva, R., Tsudik, G., Westhoff, D. (eds.) ESAS 2005. LNCS, vol. 3813, pp. 1–13. Springer, Heidelberg (2005)
Liu, J.K., Wei, V.K., Wong, D.S.: Custodian-hiding verifiable encryption. In: Lim, C.H., Yung, M. (eds.) WISA 2004. LNCS, vol. 3325, pp. 51–64. Springer, Heidelberg (2005)
Liu, J.K., Tsang, P.P., Wong, D.S., Zhu, R.W.: Universal custodian-hiding verifiable encryption for discrete logarithms. In: Won, D.H., Kim, S. (eds.) ICISC 2005. LNCS, vol. 3935, pp. 389–409. Springer, Heidelberg (2006)
Paillier, P.: Public-key cryptosystems based on composite degree residuosity classes. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 223–238. Springer, Heidelberg (1999)
Qin, B., Wu, Q., Susilo, W., Mu, Y.: Publicly verifiable privacy-preserving group decryption. In: Yung, M., Liu, P., Lin, D. (eds.) Inscrypt 2008. LNCS, vol. 5487, pp. 72–83. Springer, Heidelberg (2009)
Shamir, A.: Identity-based cryptosystems and signature schemes. In: Blakely, G.R., Chaum, D. (eds.) CRYPTO 1984. LNCS, vol. 196, pp. 47–53. Springer, Heidelberg (1985)
Acknowledgments
This paper is supported by the National Key Basic Research Program (973 program) through project 2012CB315905, by the National High Technology Research and Development Program of China (863 Program) through project 2015AA017205, by the Natural Science Foundation of China through projects 61370190, 61173154, 61272501, 61402029, 61472429, 61202465, 61532021 and 61521091, by the Beijing Natural Science Foundation through project 4132056, by the Guangxi natural science foundation through project 2013GXNSFBB053005, the Innovation Fund of China Aerospace Science and Technology Corporation, Satellite Application Research Institute through project 2014-CXJJ-TX-10, the Open Project of Key Laboratory of Cryptologic Technology and Information Security, Ministry of Education, Shandong University.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
A Proofs of Security
A Proofs of Security
In this section, we prove the following zero-knowledge properties and two security properties of our scheme.
1.1 A.1 Zero-Knowledge Properties
Lemma 1
The protocol \(ZK\{s,n,ID|C_{10}=g_{1}^{s}g^{-s\cdot ID},C_{11}=e(g,g)^{s},k_{1}=g_{2}^{n},k_{2}=g_{3}^{n},\psi =l^{n}t^{ID},v=w^{n}d^{n\epsilon }\}\) is a \(\sum \)-protocol.
Proof
It is straightforward to validate the Correctness and Completeness of the knowledge proof protocol.
Soundness with knowledge extraction: We construct an extractor who plays the role of the verifier. The extractor interacts with prover two times. Because the responses of the extractor are \(c,c'(c\ne c')\), respectively, it obtains two equations \(r_{1}\equiv \bar{s}+cs\ \mathrm {mod}\ p\) and \(r'_{1}\equiv \bar{s}+c's\ \mathrm {mod}\ p\). It is easy to get that \(s=\frac{r_{1}-r'_{1}}{c-c'}\ \mathrm {mod}\ p\). The extractor can obtain \(n, ID, s\cdot ID\) and ns in the same way.
Honest-verifier zero-knowledge: We will construct a simulator \(\mathcal {S}\) as following steps. A simulator will play the role of the prover and interact with verifier.
-
1.
\(\mathcal {S}\) chooses random \(\bar{C}_{10},\bar{C}_{11},\bar{k}_{1},\bar{k}_{2},\bar{\psi },\bar{v},\bar{A},\bar{A}_{1},\bar{A}_{2},\bar{A}_{2}^{-1},\bar{k}\). It sends them to verifier.
-
2.
\(\mathcal {S}\) receives c from verifier, then chooses random \(r_{1},r_{2},r_{3},r_{4},r_{5}\in \mathbb {Z}_{p}\) and computes new \(\bar{C}_{10},\bar{C}_{11},\bar{k}_{1},\bar{k}_{2},\bar{\psi },\bar{v},\bar{A},\bar{A}_{1},\bar{A}_{2},\bar{A}_{2}^{-1},\bar{k}\).
-
3.
\(\mathcal {S}\) interacts with verifier again. It sends new \(\bar{C}_{10},\bar{C}_{11},\bar{k}_{1},\bar{k}_{2},\bar{\psi },\bar{v},\bar{A},\bar{A}_{1},\bar{A}_{2}, \bar{A}_{2}^{-1},\bar{k}\) to verifier.
-
4.
\(\mathcal {S}\) receives c from verifier, then sends \(r_{1},r_{2},r_{3},r_{4},r_{5}\in \mathbb {Z}_{p}\) to verifier.
Let the output of verifier be \(\{\bar{C}_{10},\bar{C}_{11},\bar{k}_{1},\bar{k}_{2},\bar{\psi },\bar{v},\bar{A},\bar{A}_{1},\bar{A}_{2},\bar{A}_{2}^{-1},\bar{k},c, r_{1},r_{2}, r_{3},r_{4},r_{5}\}\), and it is uniform random. Let the output of \(\mathcal {S}\) be \(\{\bar{C}_{10}',\bar{C}_{11}',\bar{k}_{1}',\bar{k}_{2}',\bar{\psi }', \bar{v}',\bar{A}',\bar{A}_{1}',\bar{A}_{2}',\bar{A}_{2}'^{-1},\bar{k}',c', r'_{1},r'_{2}, r'_{3},r'_{4},r'_{5}\}\), and it is also uniform random. We say that this protocol is perfect zero knowledge.
Equality of Identity: Let \(C_{10}=g_{1}^{s}g^{-s\cdot ID}, A_{2}^{-1}=t^{-s\cdot ID'}, ID\ne ID'\). Prover chooses \(-\bar{s}\cdot \bar{ID_{1}},-\bar{s}\cdot \bar{ID_{2}},\bar{ID_{1}}\ne \bar{ID_{2}}\) (if \(\bar{ID_{1}}=\bar{ID_{2}}\), since \(g_{1}^{r_{1}}g^{r_{4}}=\bar{C_{10}}C_{10}^{c},t^{r_{4}}=\bar{A_{2}^{-1}}(A_{2}^{-1})^{c}\), we obtain \(r_{4}\equiv -\bar{s}\bar{ID_{1}}+(-s\cdot ID)c\ \mathrm {mod}\ p, r_{4}\equiv -\bar{s}\bar{ID_{2}}+(-s\cdot ID')c\ \mathrm {mod}\ p, ID=ID'\)), then computes \(\bar{C}_{10}=g_{1}^{\bar{s}}g^{-\bar{s}\cdot \bar{ID_{1}}}, \bar{A}_{2}^{-1}=t^{-\bar{s}\cdot \bar{ID_{2}}}\). \(g_{1}^{r_{1}}g^{r_{4}}=\bar{C_{10}}C_{10}^{c}\) and \(t^{r_{4}}=\bar{A_{2}^{-1}}(A_{2}^{-1})^{c}\) both hold, if and only if \(-\bar{s}\bar{ID_{1}}+(-s\cdot ID)c\equiv -\bar{s}\bar{ID_{2}}+(-s\cdot ID')c\ \mathrm {mod}\ p\) holds. This means that \(c\equiv \frac{\bar{s}(\bar{ID_{1}}-\bar{ID_{2}})}{s(ID'-ID)}\). This equation holds if and only if the verifier chooses this c exactly. But the probability is negligible.
1.2 A.2 Proof of Theorem 1
Proof
Suppose \(\mathcal {A}\) is an \((t',\varepsilon ',q_{ID})\) ANO-IND-CIA-CPA adversary against our scheme. We construct a simulator \(\mathcal {B}\) solves the truncated decision q-ABDHE problem. \(\mathcal {B}\) takes as input \((g',g'_{q+2},g,g_{1},...g_{q},Z)\), where \(Z=e(g_{q+1},g')\) or a random element of \(\mathbb {G}_{T}\).
Setup. \(\mathcal {B}\) generates a random polynomial \(f(x)\in \mathbb {Z}_{p}[x]\) of degree q. It let \(h=g^{f(\alpha )}\) and computes h from \((g,g_{1},...,g_{q})\). It sends public parameters \((g,g_{1},h)\) to \(\mathcal {A}\).
Phase 1. \(\mathcal {A}\) adaptively queries Extract oracle. \(\mathcal {B}\) responds as follows. If \(ID=\alpha \), \(\mathcal {B}\) can solve the truncated decision q-ABDHE immediately. Otherwise, let \(F_{ID}(x)=(f(x)-f(ID))/(x-ID)\) be the \((q-1)\)-degree polynomial. \(\mathcal {B}\) let \((f(ID), g^{F_{ID}(\alpha )})\) be the user’s secret key \((r,h_{ID})\). Since \(g^{F_{ID}(\alpha )}=g^{(f(\alpha )-f(ID)/(\alpha -ID))}=(hg^{-f(ID)})^{1/(\alpha -ID)}\), secret key \((r,h_{ID})\) is valid of ID.
Challenge. \(\mathcal {A}\) outputs two identities \(ID_{0},ID_{1}\) and two messages \(M_{0},M_{1}\). The restriction is that the two identities did not appear in any secret key extraction query. Note that if \(\alpha \in \{ID_{0},ID_{1}\}\), \(\mathcal {B}\) can solve the truncated decision q-ABDHE immediately. Otherwise, \(\mathcal {B}\) chooses bits \(b,c\in \{0,1\}\), and computes secret key \((r_{b},h_{ID_{b}})\) for \(ID_{b}\) same to phase 1.
Let \(f_{2}(x)=x^{q+2}\) and let \(F_{2,ID_{b}(x)}=(f_{2}(x)-f_{2}(ID_{b}))/(x-ID_{b})\), which is a polynomial of degree of \(q+1\). \(\mathcal {B}\) sets
where \(F_{2,ID_{b},i}\) is the coefficient of \(x^{i}\) in \(F_{2,ID_{b}}(x)\). It sends \(C_{1}=(C_{10},C_{11},C_{12})\) as the ciphertext to be challenged.
Let \(s=(\log _{g}g')F_{2,ID_{b}}(\alpha )\). If \(Z=e(g_{q+1},g')\), then \(C_{10}=g^{s(\alpha -ID_{b})}, C_{11}=e(g,g)^{s}\), and \(M_{c}/C_{12}=e(C_{10},h_{ID_{b}})C_{11}^{r_{b}}=e(g,h)^{s}\), We let \(C_{1}=(C_{10},C_{11},C_{12})\) be an effective ciphertext of identity \(ID_{b}\) as well as message \(M_{c}\) under random value s.
Phase 2. \(\mathcal {A}\) adaptively queries Extract oracle as in phase 1. The restriction is that the two identities did not appear in any private key extraction query. Besides, the adversary \(\mathcal {A}\) can not query Trace oracle.
Guess. Finally, adversar \(\mathcal {A}\) outputs guesses \(b', c'\in \{0,1\}\) of b, c. If \(b'=b\wedge c'=c\) \(\mathcal {B}\) outputs 1 else 0.
The analysis of probability and time complexity is as follow.
Analysis of probability. If \(Z=e(g_{q+1},g')\) the simulation is perfect. Adversary \(\mathcal {A}\) can guess the bits (b, c) correctly with probability \(\frac{1}{4}+\epsilon '\). Otherwise, Z is uniformly random, so \((C_{10},C_{11})\) is a uniformly random and independent element of \((\mathbb {G},\mathbb {G}_{T})\). When this happen, the inequalities
both hold in the same time with probability \(1-2/p\). When the two inequalities hold,
is a uniformly random and independent value from the view of adversar \(\mathcal {A}\), because of \(r_{b}\) is a uniformly random and independent value from the view of adversar \(\mathcal {A}\). So, \(C_{12}\) is uniformly random and independent. \(C_{1}\) will not reveal any information of the bits (b, c). Assuming that no queried identity equals \(\alpha \), it is easy to see that \(\mid \Pr [\mathcal {B}(g',g'_{q+2},g,g_{1},...,g_{q},Z)=0]-\frac{1}{4}\mid \leqslant \frac{2}{p}\) when \((g',g'_{q+2},g,g_{1},...,g_{q},Z)\) is sampled from \(R_{ABDHE}\). To the contrary, we can see that \(\mid \Pr [\mathcal {B}(g',g'_{q+2},g,g_{1},...,g_{q},Z)=0]-\frac{1}{4}\mid \geqslant \epsilon '\) when \((g',g'_{q+2},g,g_{1},...,g_{q},Z)\) is sampled from \(P_{ABDHE}\). Thus, we have that
Analysis of Time Complexity. In the simulation procedure, the overhead of \(\mathcal {B}\) is computing \(g^{F_{ID}(\alpha )}\) in order to response \(\mathcal {A}\)’s extraction query for the ID, where \(F_{ID}(x)\) is polynomial of \(q-1\) degree. Every computation requires O(q) exponentiation in \(\mathbb {G}\). \(\mathcal {A}\) makes at most \(q-1\) queries, thus \(t=t'+O(t_{exp}\cdot q^{2})\).
1.3 A.3 Proof of Theorem 2
Proof
Setup is same as the above proof. In inspect phase adversary can adaptability query all of the oracles. The challenger will respond adversary. The adversary will choose a group public key \(PK'_{GM}=(g_{2},g_{3},w',d',l',H')\) and obtain secret key are \(SK'_{GM}=(x'_{1},x'_{2},y'_{1},y'_{2},z')\). Adversary will choose an identity ID and obtain use’s private key \(SK_{ID}\), as well as an other \(ID'\). Adversary computes \(C'_{1}\) using ID and computes \(C'_{2}\) using \(ID'\). Thus, adversary outputs a valid ciphertext \(C'=(C'_{1},C'_{2})\) which the GM can not trace correctly if and only if \(c\equiv \frac{\bar{s}(\bar{ID_{1}}-\bar{ID_{2}})}{s(ID'-ID)}\) (Part 5.1). But the probability is negligible.
Rights and permissions
Copyright information
© 2016 Springer International Publishing Switzerland
About this paper
Cite this paper
Luo, X. et al. (2016). Identity-Based Group Encryption. In: Liu, J., Steinfeld, R. (eds) Information Security and Privacy. ACISP 2016. Lecture Notes in Computer Science(), vol 9723. Springer, Cham. https://doi.org/10.1007/978-3-319-40367-0_6
Download citation
DOI: https://doi.org/10.1007/978-3-319-40367-0_6
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-40366-3
Online ISBN: 978-3-319-40367-0
eBook Packages: Computer ScienceComputer Science (R0)