Identity-Based Group Encryption | SpringerLink
Skip to main content

Identity-Based Group Encryption

  • Conference paper
  • First Online:
Information Security and Privacy (ACISP 2016)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 9723))

Included in the following conference series:

Abstract

Cloud computing makes it easy for people to share files anywhere and anytime with mobile end devices. There is a privacy issue in such applications even if the files are encrypted. Specially, the public keys or identities of the receivers will be exposed to the cloud server or hackers. Group Encryption (GE) is designed to achieve anonymity of the receiver(s). The existing GE schemes are all realized in the public key infrastructure (PKI) setting, in which complicated certificates management is required to ensure security. It is observed that GE is especially appealing to institutions which usually have their own closed secure user management system. In this paper, we propose a new concept, referred to as identity-based group encryption (IBGE), which realizes GE in the identity-based cryptography setting. In the IBGE, a private key generator (PKG) designates each user a secret key associated with his identity; and the user can register his identity as a group member to a group manager without leaking his secret key. Then anyone can send confidential messages to the group member without leaking the group member’s identity. However, the group manager can trace the receiver if a dispute occurs or the privacy mechanism is abused. Following this model, we propose the first IBGE scheme that is formally proven secure in the standard model. Analysis shows that our scheme is also efficient and practical.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Subscribe and save

Springer+ Basic
¥17,985 /Month
  • Get 10 units per month
  • Download Article/Chapter or eBook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Chapter
JPY 3498
Price includes VAT (Japan)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
JPY 5719
Price includes VAT (Japan)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
JPY 7149
Price includes VAT (Japan)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Similar content being viewed by others

References

  1. Boneh, D., Lynn, B., Shacham, H.: Short signatures from the Weil pairing. J. Cryptology 17(4), 297–319 (2004)

    Article  MathSciNet  MATH  Google Scholar 

  2. Boneh, D., Lynn, B., Shacham, H.: Short signatures from the Weil pairing. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 514–532. Springer, Heidelberg (2001)

    Chapter  Google Scholar 

  3. Boneh, D., Franklin, M.: Identity-based encryption from the Weil pairing. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 213–229. Springer, Heidelberg (2001)

    Chapter  Google Scholar 

  4. Boneh, D., Franklin, M.: Identity-based encryption from the Weil pairing. SIAM J. Comput. 32(3), 586–615 (2003)

    Article  MathSciNet  MATH  Google Scholar 

  5. Barreto, P.S.L.M., Naehrig, M.: Pairing-friendly elliptic curves of prime order. In: Preneel, B., Tavares, S. (eds.) SAC 2005. LNCS, vol. 3897, pp. 319–331. Springer, Heidelberg (2006)

    Chapter  Google Scholar 

  6. Boyen, X., Waters, B.: Compact group signatures without random oracles. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 427–444. Springer, Heidelberg (2006)

    Chapter  Google Scholar 

  7. Chaum, D., van Heyst, E.: Group signatures. In: Davies, D.W. (ed.) EUROCRYPT 1991. LNCS, vol. 547, pp. 257–265. Springer, Heidelberg (1991)

    Chapter  Google Scholar 

  8. Cramer, R., Shoup, V.: A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 13–25. Springer, Heidelberg (1998)

    Chapter  Google Scholar 

  9. Cathalo, J., Libert, B., Yung, M.: Group encryption: non-interactive realization in the standard model. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 179–196. Springer, Heidelberg (2009)

    Chapter  Google Scholar 

  10. Ducas, L.: Anonymity from asymmetry: new constructions for anonymous HIBE. In: Pieprzyk, J. (ed.) CT-RSA 2010. LNCS, vol. 5985, pp. 148–164. Springer, Heidelberg (2010)

    Chapter  Google Scholar 

  11. Fiat, A., Shamir, A.: How to prove yourself: practical solutions to identification and signature problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1987)

    Chapter  Google Scholar 

  12. Groth, J.: Simulation-sound NIZK proofs for a practical language and constant size group signatures. In: Lai, X., Chen, K. (eds.) ASIACRYPT 2006. LNCS, vol. 4284, pp. 444–459. Springer, Heidelberg (2006)

    Chapter  Google Scholar 

  13. Gentry, C.: Practical identity-based encryption without random oracles. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 445–464. Springer, Heidelberg (2006)

    Chapter  Google Scholar 

  14. Kiayias, A., Tsiounis, Y., Yung, M.: Group encryption. In: Kurosawa, K. (ed.) ASIACRYPT 2007. LNCS, vol. 4833, pp. 181–199. Springer, Heidelberg (2007)

    Chapter  Google Scholar 

  15. Kiayias, A., Yung, M.: Secure scalable group signature with dynamic joins and separable authorities. Int. J. Secur. Netw. 1(1/2), 24–45 (2006)

    Article  Google Scholar 

  16. Libert, B., Yung, M., Joye, M., Peters, T.: Traceable group encryption. In: Krawczyk, H. (ed.) PKC 2014. LNCS, vol. 8383, pp. 592–610. Springer, Heidelberg (2014)

    Chapter  Google Scholar 

  17. Liu, J.K., Tsang, P.P., Wong, D.S.: Efficient verifiable ring encryption for Ad Hoc groups. In: Molva, R., Tsudik, G., Westhoff, D. (eds.) ESAS 2005. LNCS, vol. 3813, pp. 1–13. Springer, Heidelberg (2005)

    Chapter  Google Scholar 

  18. Liu, J.K., Wei, V.K., Wong, D.S.: Custodian-hiding verifiable encryption. In: Lim, C.H., Yung, M. (eds.) WISA 2004. LNCS, vol. 3325, pp. 51–64. Springer, Heidelberg (2005)

    Chapter  Google Scholar 

  19. Liu, J.K., Tsang, P.P., Wong, D.S., Zhu, R.W.: Universal custodian-hiding verifiable encryption for discrete logarithms. In: Won, D.H., Kim, S. (eds.) ICISC 2005. LNCS, vol. 3935, pp. 389–409. Springer, Heidelberg (2006)

    Chapter  Google Scholar 

  20. Paillier, P.: Public-key cryptosystems based on composite degree residuosity classes. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 223–238. Springer, Heidelberg (1999)

    Chapter  Google Scholar 

  21. Qin, B., Wu, Q., Susilo, W., Mu, Y.: Publicly verifiable privacy-preserving group decryption. In: Yung, M., Liu, P., Lin, D. (eds.) Inscrypt 2008. LNCS, vol. 5487, pp. 72–83. Springer, Heidelberg (2009)

    Chapter  Google Scholar 

  22. Shamir, A.: Identity-based cryptosystems and signature schemes. In: Blakely, G.R., Chaum, D. (eds.) CRYPTO 1984. LNCS, vol. 196, pp. 47–53. Springer, Heidelberg (1985)

    Chapter  Google Scholar 

Download references

Acknowledgments

This paper is supported by the National Key Basic Research Program (973 program) through project 2012CB315905, by the National High Technology Research and Development Program of China (863 Program) through project 2015AA017205, by the Natural Science Foundation of China through projects 61370190, 61173154, 61272501, 61402029, 61472429, 61202465, 61532021 and 61521091, by the Beijing Natural Science Foundation through project 4132056, by the Guangxi natural science foundation through project 2013GXNSFBB053005, the Innovation Fund of China Aerospace Science and Technology Corporation, Satellite Application Research Institute through project 2014-CXJJ-TX-10, the Open Project of Key Laboratory of Cryptologic Technology and Information Security, Ministry of Education, Shandong University.

Author information

Authors and Affiliations

Authors

Corresponding author

Correspondence to Qianhong Wu .

Editor information

Editors and Affiliations

A Proofs of Security

A Proofs of Security

In this section, we prove the following zero-knowledge properties and two security properties of our scheme.

1.1 A.1 Zero-Knowledge Properties

Lemma 1

The protocol \(ZK\{s,n,ID|C_{10}=g_{1}^{s}g^{-s\cdot ID},C_{11}=e(g,g)^{s},k_{1}=g_{2}^{n},k_{2}=g_{3}^{n},\psi =l^{n}t^{ID},v=w^{n}d^{n\epsilon }\}\) is a \(\sum \)-protocol.

Proof

It is straightforward to validate the Correctness and Completeness of the knowledge proof protocol.

Soundness with knowledge extraction: We construct an extractor who plays the role of the verifier. The extractor interacts with prover two times. Because the responses of the extractor are \(c,c'(c\ne c')\), respectively, it obtains two equations \(r_{1}\equiv \bar{s}+cs\ \mathrm {mod}\ p\) and \(r'_{1}\equiv \bar{s}+c's\ \mathrm {mod}\ p\). It is easy to get that \(s=\frac{r_{1}-r'_{1}}{c-c'}\ \mathrm {mod}\ p\). The extractor can obtain \(n, ID, s\cdot ID\) and ns in the same way.

Honest-verifier zero-knowledge: We will construct a simulator \(\mathcal {S}\) as following steps. A simulator will play the role of the prover and interact with verifier.

  1. 1.

    \(\mathcal {S}\) chooses random \(\bar{C}_{10},\bar{C}_{11},\bar{k}_{1},\bar{k}_{2},\bar{\psi },\bar{v},\bar{A},\bar{A}_{1},\bar{A}_{2},\bar{A}_{2}^{-1},\bar{k}\). It sends them to verifier.

  2. 2.

    \(\mathcal {S}\) receives c from verifier, then chooses random \(r_{1},r_{2},r_{3},r_{4},r_{5}\in \mathbb {Z}_{p}\) and computes new \(\bar{C}_{10},\bar{C}_{11},\bar{k}_{1},\bar{k}_{2},\bar{\psi },\bar{v},\bar{A},\bar{A}_{1},\bar{A}_{2},\bar{A}_{2}^{-1},\bar{k}\).

  3. 3.

    \(\mathcal {S}\) interacts with verifier again. It sends new \(\bar{C}_{10},\bar{C}_{11},\bar{k}_{1},\bar{k}_{2},\bar{\psi },\bar{v},\bar{A},\bar{A}_{1},\bar{A}_{2}, \bar{A}_{2}^{-1},\bar{k}\) to verifier.

  4. 4.

    \(\mathcal {S}\) receives c from verifier, then sends \(r_{1},r_{2},r_{3},r_{4},r_{5}\in \mathbb {Z}_{p}\) to verifier.

Let the output of verifier be \(\{\bar{C}_{10},\bar{C}_{11},\bar{k}_{1},\bar{k}_{2},\bar{\psi },\bar{v},\bar{A},\bar{A}_{1},\bar{A}_{2},\bar{A}_{2}^{-1},\bar{k},c, r_{1},r_{2}, r_{3},r_{4},r_{5}\}\), and it is uniform random. Let the output of \(\mathcal {S}\) be \(\{\bar{C}_{10}',\bar{C}_{11}',\bar{k}_{1}',\bar{k}_{2}',\bar{\psi }', \bar{v}',\bar{A}',\bar{A}_{1}',\bar{A}_{2}',\bar{A}_{2}'^{-1},\bar{k}',c', r'_{1},r'_{2}, r'_{3},r'_{4},r'_{5}\}\), and it is also uniform random. We say that this protocol is perfect zero knowledge.

Equality of Identity: Let \(C_{10}=g_{1}^{s}g^{-s\cdot ID}, A_{2}^{-1}=t^{-s\cdot ID'}, ID\ne ID'\). Prover chooses \(-\bar{s}\cdot \bar{ID_{1}},-\bar{s}\cdot \bar{ID_{2}},\bar{ID_{1}}\ne \bar{ID_{2}}\) (if \(\bar{ID_{1}}=\bar{ID_{2}}\), since \(g_{1}^{r_{1}}g^{r_{4}}=\bar{C_{10}}C_{10}^{c},t^{r_{4}}=\bar{A_{2}^{-1}}(A_{2}^{-1})^{c}\), we obtain \(r_{4}\equiv -\bar{s}\bar{ID_{1}}+(-s\cdot ID)c\ \mathrm {mod}\ p, r_{4}\equiv -\bar{s}\bar{ID_{2}}+(-s\cdot ID')c\ \mathrm {mod}\ p, ID=ID'\)), then computes \(\bar{C}_{10}=g_{1}^{\bar{s}}g^{-\bar{s}\cdot \bar{ID_{1}}}, \bar{A}_{2}^{-1}=t^{-\bar{s}\cdot \bar{ID_{2}}}\). \(g_{1}^{r_{1}}g^{r_{4}}=\bar{C_{10}}C_{10}^{c}\) and \(t^{r_{4}}=\bar{A_{2}^{-1}}(A_{2}^{-1})^{c}\) both hold, if and only if \(-\bar{s}\bar{ID_{1}}+(-s\cdot ID)c\equiv -\bar{s}\bar{ID_{2}}+(-s\cdot ID')c\ \mathrm {mod}\ p\) holds. This means that \(c\equiv \frac{\bar{s}(\bar{ID_{1}}-\bar{ID_{2}})}{s(ID'-ID)}\). This equation holds if and only if the verifier chooses this c exactly. But the probability is negligible.

1.2 A.2 Proof of Theorem 1

Proof

Suppose \(\mathcal {A}\) is an \((t',\varepsilon ',q_{ID})\) ANO-IND-CIA-CPA adversary against our scheme. We construct a simulator \(\mathcal {B}\) solves the truncated decision q-ABDHE problem. \(\mathcal {B}\) takes as input \((g',g'_{q+2},g,g_{1},...g_{q},Z)\), where \(Z=e(g_{q+1},g')\) or a random element of \(\mathbb {G}_{T}\).

Setup. \(\mathcal {B}\) generates a random polynomial \(f(x)\in \mathbb {Z}_{p}[x]\) of degree q. It let \(h=g^{f(\alpha )}\) and computes h from \((g,g_{1},...,g_{q})\). It sends public parameters \((g,g_{1},h)\) to \(\mathcal {A}\).

Phase 1. \(\mathcal {A}\) adaptively queries Extract oracle. \(\mathcal {B}\) responds as follows. If \(ID=\alpha \), \(\mathcal {B}\) can solve the truncated decision q-ABDHE immediately. Otherwise, let \(F_{ID}(x)=(f(x)-f(ID))/(x-ID)\) be the \((q-1)\)-degree polynomial. \(\mathcal {B}\) let \((f(ID), g^{F_{ID}(\alpha )})\) be the user’s secret key \((r,h_{ID})\). Since \(g^{F_{ID}(\alpha )}=g^{(f(\alpha )-f(ID)/(\alpha -ID))}=(hg^{-f(ID)})^{1/(\alpha -ID)}\), secret key \((r,h_{ID})\) is valid of ID.

Challenge. \(\mathcal {A}\) outputs two identities \(ID_{0},ID_{1}\) and two messages \(M_{0},M_{1}\). The restriction is that the two identities did not appear in any secret key extraction query. Note that if \(\alpha \in \{ID_{0},ID_{1}\}\), \(\mathcal {B}\) can solve the truncated decision q-ABDHE immediately. Otherwise, \(\mathcal {B}\) chooses bits \(b,c\in \{0,1\}\), and computes secret key \((r_{b},h_{ID_{b}})\) for \(ID_{b}\) same to phase 1.

Let \(f_{2}(x)=x^{q+2}\) and let \(F_{2,ID_{b}(x)}=(f_{2}(x)-f_{2}(ID_{b}))/(x-ID_{b})\), which is a polynomial of degree of \(q+1\). \(\mathcal {B}\) sets

$$ C_{10}=g'^{f_{2}(\alpha )-f_{2}(ID_{b})}, C_{11}=Z\cdot e(g', \mathop {\prod }\limits ^q _{i=0}g^{F_{2,ID_{b}},i^{\alpha ^{i}}}), C_{12}=M_{c}/e(C_{10},h_{ID_{b}})C_{11}^{r_{b}} $$

where \(F_{2,ID_{b},i}\) is the coefficient of \(x^{i}\) in \(F_{2,ID_{b}}(x)\). It sends \(C_{1}=(C_{10},C_{11},C_{12})\) as the ciphertext to be challenged.

Let \(s=(\log _{g}g')F_{2,ID_{b}}(\alpha )\). If \(Z=e(g_{q+1},g')\), then \(C_{10}=g^{s(\alpha -ID_{b})}, C_{11}=e(g,g)^{s}\), and \(M_{c}/C_{12}=e(C_{10},h_{ID_{b}})C_{11}^{r_{b}}=e(g,h)^{s}\), We let \(C_{1}=(C_{10},C_{11},C_{12})\) be an effective ciphertext of identity \(ID_{b}\) as well as message \(M_{c}\) under random value s.

Phase 2. \(\mathcal {A}\) adaptively queries Extract oracle as in phase 1. The restriction is that the two identities did not appear in any private key extraction query. Besides, the adversary \(\mathcal {A}\) can not query Trace oracle.

Guess. Finally, adversar \(\mathcal {A}\) outputs guesses \(b', c'\in \{0,1\}\) of bc. If \(b'=b\wedge c'=c\) \(\mathcal {B}\) outputs 1 else 0.

The analysis of probability and time complexity is as follow.

Analysis of probability. If \(Z=e(g_{q+1},g')\) the simulation is perfect. Adversary \(\mathcal {A}\) can guess the bits (bc) correctly with probability \(\frac{1}{4}+\epsilon '\). Otherwise, Z is uniformly random, so \((C_{10},C_{11})\) is a uniformly random and independent element of \((\mathbb {G},\mathbb {G}_{T})\). When this happen, the inequalities

$$\begin{aligned} C_{11}\ne e(C_{10},g)^{1/(\alpha -ID_{0})},C_{11}\ne e(C_{10},g)^{1/(\alpha -ID_{1})} \end{aligned}$$

both hold in the same time with probability \(1-2/p\). When the two inequalities hold,

$$\begin{aligned} e(C_{10},h_{ID_{b}})C_{11}^{r_{b}}&=e(C_{10},(hg^{-r_{b}})^{1/(\alpha -ID_{b})})C_{11}^{r_{b}} \\&=e(C_{10},h)^{\alpha -ID_{b}}(C_{11}/e(C_{10},g)^{1/(\alpha -ID_{b})})^{r_{b}} \end{aligned}$$

is a uniformly random and independent value from the view of adversar \(\mathcal {A}\), because of \(r_{b}\) is a uniformly random and independent value from the view of adversar \(\mathcal {A}\). So, \(C_{12}\) is uniformly random and independent. \(C_{1}\) will not reveal any information of the bits (bc). Assuming that no queried identity equals \(\alpha \), it is easy to see that \(\mid \Pr [\mathcal {B}(g',g'_{q+2},g,g_{1},...,g_{q},Z)=0]-\frac{1}{4}\mid \leqslant \frac{2}{p}\) when \((g',g'_{q+2},g,g_{1},...,g_{q},Z)\) is sampled from \(R_{ABDHE}\). To the contrary, we can see that \(\mid \Pr [\mathcal {B}(g',g'_{q+2},g,g_{1},...,g_{q},Z)=0]-\frac{1}{4}\mid \geqslant \epsilon '\) when \((g',g'_{q+2},g,g_{1},...,g_{q},Z)\) is sampled from \(P_{ABDHE}\). Thus, we have that

$$\begin{aligned}&\,\,\mid \Pr [\mathcal {B}(g',g'_{q+2},g,g_{1},...,g_{q},e(g_{q+1},g'))=0] \\&-\Pr [\mathcal {B}(g',g'_{q+2},g,g_{1},...,g_{q},Z)=0]\mid \geqslant \epsilon '-\frac{2}{p}. \end{aligned}$$

Analysis of Time Complexity. In the simulation procedure, the overhead of \(\mathcal {B}\) is computing \(g^{F_{ID}(\alpha )}\) in order to response \(\mathcal {A}\)’s extraction query for the ID, where \(F_{ID}(x)\) is polynomial of \(q-1\) degree. Every computation requires O(q) exponentiation in \(\mathbb {G}\). \(\mathcal {A}\) makes at most \(q-1\) queries, thus \(t=t'+O(t_{exp}\cdot q^{2})\).

1.3 A.3 Proof of Theorem 2

Proof

Setup is same as the above proof. In inspect phase adversary can adaptability query all of the oracles. The challenger will respond adversary. The adversary will choose a group public key \(PK'_{GM}=(g_{2},g_{3},w',d',l',H')\) and obtain secret key are \(SK'_{GM}=(x'_{1},x'_{2},y'_{1},y'_{2},z')\). Adversary will choose an identity ID and obtain use’s private key \(SK_{ID}\), as well as an other \(ID'\). Adversary computes \(C'_{1}\) using ID and computes \(C'_{2}\) using \(ID'\). Thus, adversary outputs a valid ciphertext \(C'=(C'_{1},C'_{2})\) which the GM can not trace correctly if and only if \(c\equiv \frac{\bar{s}(\bar{ID_{1}}-\bar{ID_{2}})}{s(ID'-ID)}\) (Part 5.1). But the probability is negligible.

Rights and permissions

Reprints and permissions

Copyright information

© 2016 Springer International Publishing Switzerland

About this paper

Cite this paper

Luo, X. et al. (2016). Identity-Based Group Encryption. In: Liu, J., Steinfeld, R. (eds) Information Security and Privacy. ACISP 2016. Lecture Notes in Computer Science(), vol 9723. Springer, Cham. https://doi.org/10.1007/978-3-319-40367-0_6

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-40367-0_6

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-40366-3

  • Online ISBN: 978-3-319-40367-0

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics