Identity-Based Revocation from Subset Difference Methods under Simple Assumptions

Identity-Based Revocation from Subset Difference Methods

under Simple Assumptions

Kwangsu Lee∗ Jong Hwan Park†

Abstract

Identity-based revocation (IBR) is a specific kind of broadcast encryption that can effectively send a ciphertext to a set of receivers. In IBR, a ciphertext is associated with a set of revoked users instead of a set of receivers and the maximum number of users in the system can be an exponential value in the security parameter. In this paper, we reconsider the general method of Lee, Koo, Lee, and Park (ES-ORICS 2014) that constructs a public-key revocation (PKR) scheme by combining the subset difference (SD) method of Naor, Naor, and Lotspiech (CRYPTO 2001) and a single revocation encryption (SRE) scheme. Lee et al. left it as an open problem to construct an SRE scheme under the standard assump-tion without random oracles. In this work, we first propose a selectively secure SRE scheme under the standard assumption without random oracles. We also propose a fully secure SRE scheme under sim-ple static assumptions without random oracles. Next, we present an efficient IBR scheme that supports fast decryption by combining the SD method and our SRE scheme. The security of our IBR scheme depends on that of the underlying SRE scheme. Finally, we implemented our SRE and IBR schemes and measured the performance.

1

Introduction

Public-key broadcast encryption (PKBE) is a special type of public-key encryption (PKE) such that any user can create a compact ciphertext for a dynamic changing set of receivers. PKBE can be used for secure group communication systems, pay-TV systems, content distribution systems, and secure file systems. Public-key revocation (PKR) is a variation of PKBE where a ciphertext is associated with a setR of revoked users instead of a setS of receivers and a user can decrypt the ciphertext if he is not revoked in the ciphertext. PKBE can be extended to identity-based broadcast encryption (IBBE) where a user is mapped to any identity string and the total number of users in the system can be an exponential value in the security parameter. We also can define identity-based revocation (IBR) by associating a ciphertext with a set of revoked users R instead of a set of receiversS.

One method to build a collusion-resistant PKBE scheme is to use bilinear groups. Boneh, Gentry, and Waters [7] proposed the first PKBE scheme with short ciphertexts in bilinear groups and proved its selective security underq-type assumption. After their work, other PKBE, IBBE, and IBR schemes were proposed in bilinear groups [13, 17, 23, 29, 30]. Another method to build a secure PKBE scheme is to combine the subset cover framework of Naor, Naor, and Lotspiech [26] and an identity-based encryption (IBE) scheme [6]. Naor et al. [26] showed that a PKR scheme can be obtained from the complete subtree (CS) method and an IBE scheme and Dodis and Fazio [14] showed that an efficient PKR scheme can be derived from the subset difference (SD) method and an hierarchical IBE (HIBE) scheme. Recently, Lee et al. [20] showed that an improved PKR scheme can be derived by combining the SD method with a single revocation encryption (SRE). An SRE scheme allows to broadcast to a group of users labeled by a group labelGL, but it has the option of revoking a single userMLfrom that group. Compared to PKR schemes that are directly built on bilinear groups, PKR schemes derived from the subset cover framework provide short public parameters and efficient operations in the decryption algorithm.

The PKR scheme of Lee et al. [20] that combines the SD method with an SRE scheme is interesting since it achieves the asymptotically optimal bound in the SD method and it supports fast decryption. The SD method is one instance of the subset cover framework of Naor et al. [26] and it can be used to build an efficient revocation system where a ciphertext is associated to a set of subsets that covers all receivers by excluding revoked users. In SD, a subset is defined by a subtreeTi,jthat is related with two nodesvi andvj

in a binary tree. That is,Ti,j is defined as a set of leaf nodes inTibut not inTj where the root node ofTi,Tj

isvi,vjrespectively. In SRE, a ciphertext is associated with labels(GL,ML)and a private key is associated

with labels(GL0,ML0)and a ciphertext can be decrypted ifGL=GL0andML6=ML0[20]. To construct an improved PKR scheme, Lee et al. [20] observed that a subsetTi,jin the SD method can be directly mapped

to labels(GL,ML)in the SRE scheme. Although the PKR scheme of Lee et al. can reduce the size of public keys and private keys compared to the PKR scheme of Dodis and Fazio, their SRE scheme is proven to be secure underq-type assumption in the random oracle model. Thus, they left it as an interesting problem to build an SRE scheme under standard assumptions without random oracles.

1.1 Our Contributions

In this paper, we give affirmative answers to the above interesting problem. We obtain the following results:

modifying the IBR scheme of Lewko et al. [23]. However, this directly derived SRE scheme essentially used random oracles to support the equality of labels. The main idea of our SRE scheme under the standard assumption is that we can combine an IBE scheme and a simple IBR scheme since the IBE scheme can be directly used to support the equalityGL=GL0 and the simple IBR scheme can be directly used to support the inequalityML6=ML0. In this case, an SRE can be proven to be secure under the standard assumption since both an IBE scheme and a simple IBR scheme can be proved to be secure under the decisional bilinear Diffie-Hellman (DBDH) assumption.

SRE with Full Security. Our first SRE scheme is just secure in the selective model in which an adversary should submit the target labels before it receives public parameters. To construct an SRE scheme with full security, we propose an SRE scheme in composite-order bilinear groups and prove its full security under simple static assumptions. The structure of our second SRE scheme is similar to that of our first scheme except that it uses composite-order bilinear groups to use the dual system encryption technique of Waters [24,31]. To prove the full security of our second SRE scheme, we carefully analyze our SRE scheme and shows that the information theoretic argument of the dual system encryption technique still holds in our SRE scheme.

IBR from Subset Difference. To construct an IBR scheme by combining the SD method with an SRE scheme, we follow the design principle of Lee et al. [20]. As mentioned before, an SRE scheme can be integrated with the SD method since a subset Ti,j in SD can be directly mapped to the labels (GL,ML)

in SRE. Lee et al. only proposed a PKR scheme in which the maximum number of users is fixed to be a polynomial value in the security parameter since their SRE scheme is proven under aq-type assumption whereqis related to the maximum number of users in the systems. However, our scheme can be identity-based one by extending the depth of a binary tree since our SRE scheme can support any label strings. Additionally, our IBR scheme provides better efficiency since it adopts the hybrid approach that encrypts a session key by using an SRE scheme and encrypts a message by using a symmetric-key encryption scheme. The security of our IBR scheme follows that of the underlying SRE scheme. Our IBR scheme can be also integrated with the efficient layered SD (LSD) scheme [19]. The detailed comparisons of IBR schemes are given in Table 1. We also implemented our SRE and IBR schemes in Charm and measured the performance these implementations.

1.2 Related Work

Broadcast encryption, introduced by Fiat and Naor [15], is symmetric-key encryption where a trusted center which knows all private keys of all users can create a ciphertext for a set of receivers. Fiat and Naor proposed broadcast encryption schemes in the bounded collusion security model. The full literature of broadcast encryption is extensive and it is beyond the scope of this paper. We will only review some papers that are relevant to our work. Naor, Naor, and Lotspiech [26] proposed the general methodology named the subset cover framework for revocation systems. The complete subtree (CS) and subset difference (SD) methods in binary trees are two important instances of the subset cover framework. The subset cover framework can be extended to trace-and-revoke by incorporating the tracing functionality that can trace a traitor of the system. After their work, other improved method was proposed [18, 19].

Table 1: Comparisons of identity-based revocation schemes

Scheme PP Size CT Size SK Size Decrypt Cost Model Assumption

NNL [26] O(1) O(rlogN_r) O(logN) 1P RO, AD BDH DF [14] O(logN) O(r) O(log2.5N) 2P SE q-Type LSW1 [23] O(1) O(r) O(1) 3P + 2rE SE q-Type

LSW2 [23] O(1) O(r) O(1) 2rP +rE SE DLIN, DBDH AL1 [3] O(n) O(1) O(n) 2P +rE SE, BR DLIN, DBDH AL2 [3] O(n) O(r/n) O(n) 2r/nP +r/nE SE DLIN, DBDH

CLR [12] O(n) O(1) O(1) 2P +nE SE, BR Static

Ours O(1) O(r) O(log1.5N) 3P + 2E SE DBDH Ours O(1) O(r) O(log1.5N) 3P + 2E AD Static We letλ be a security parameter,Nbe the number of maximum users,rbe the number of revoked users, andnbe a bound parameter. We count the number of group elements to measure the size of parameters. We use symbols P for a pairing operation and E for an exponentiation. We also use symbols RO for random oracle model, AD for adaptive model, SE for selective model, and BR for bounded revocation where the maximum number of revocation is bounded.

al. [7] proposed a fully collusion-resistant PKBE scheme in bilinear groups that achieves short ciphertexts. After that, many PKBE scheme in bilinear groups were presented [8, 16, 17, 21, 23, 29]. The subset cover framework also can be used to build a PKR scheme by combining it with an IBE, HIBE, or SRE scheme [14, 20, 26].

Identity-based broadcast encryption (IBBE) is a special type of PKBE where the maximum number of users in the system can be an exponential value in the security parameter since the size of public parameters is not linearly dependent on the number of users. Delerabl´ee [13], Sakai, and Furukawa [30] independently proposed the first IBBE schemes with short ciphertexts and keys, but the maximum size of a receiver set should be fixed in public parameters. After that, ideal IBBE schemes that have constant size ciphertexts and keys with short public parameters were proposed in multilinear maps [9, 32], but many multilinear map candidates were broken.

2

Preliminaries

In this section, we define single revocation encryption (SRE) and identity-based revocation (IBR) and their security models.

2.1 Single Revocation Encryption

Before we define IBR, we first define SRE. The concept of SRE was introduced by Lee et al. [20] and this SRE scheme is a new public-key encryption scheme that can be combined with the subset difference method to construct an efficient IBR scheme. In SRE, each user is associated with a group labelGL0 and a member labelML0and he is given a private key for the labels(GL0,ML0). A sender can create a ciphertext for a specific group labelGLexcluding one revoked member label ML. A receiver who has a private key for labels(GL0,ML0)can decrypt the ciphertext for(GL,ML)if he belongs to the same group but he is not revoked. That is,GL0=GLandML06=ML. The formal syntax of SRE is given as follows:

Definition 2.1(Single Revocation Encryption). An SRE scheme for group and member labels consists of four algorithmsSetup,GenKey,Encrypt, andDecrypt, which are defined as follows:

Setup(1λ_{). The setup algorithm takes as input a security parameter 1}λ_{. It outputs a master keyMK and} public parametersPP.

GenKey((GL,ML),MK,PP). The key generation algorithm takes as input labels(GL,ML), the master key MK, and public parametersPP. It outputs a private keySKfor the labels(GL,ML).

Encrypt((GL,ML),M,PP). The encryption algorithm takes as input labels(GL,ML), a messageM∈ M, and public parametersPP. It outputs a ciphertextCT for(GL,ML)andM.

Decrypt(CT,SK,PP). The decryption algorithm takes as input a ciphertextCT for labels (GL,ML), a private keySK for labels(GL0,ML0), and public parametersPP. It outputs an encrypted messageM or⊥.

The correctness property of SRE is defined as follows: For allMK,PPgenerated bySetup, all(GL,ML), anySK_(GL0_,ML0₎generated byGenKey, and anyM, it is required that

• If(GL=GL0)∧(ML6=ML0), thenDecrypt(Encrypt((GL,ML),M,PP),SK_(GL0_,ML0₎,PK) =M.

• If(GL6=GL0)∨(ML=ML0), thenDecrypt(Encrypt((GL,ML),M,PP),SK_(GL0_,ML0₎,PK) =⊥.

The security model of SRE was defined by Lee et al. [20] and we follow their definition of chosen-plaintext attack (CPA) security of SRE. In the CPA security, an adversary can adaptively obtain a private key for labels(GL,ML)many times. In the challenge step, the adversary submits challenge labels(GL∗,ML∗)

with some restrictions and two challenge messages and then he receives a challenge ciphertext that is an encryption of one of the challenge messages. The adversary may obtain additional private keys and finally outputs a guess of the challenge ciphertext. The detailed description of the security model is given as follows:

1. Setup: C runsSetup(1λ_{) to generate a master key MK and public parametersPP. It keeps MK to} itself and givesPPtoA.

2. Query 1:Aadaptively requests private keys for labels(GL1,ML1), . . . ,(GLq1,MLq1). In response,C

gives the corresponding private keysSK1, . . . ,SKq1 toAby runningGenKey((GLi,MLi),MK,PP).

3. Challenge: Asubmits challenge labels(GL∗,ML∗)and two messagesM₀∗,M₁∗ with the equal length subject to the restriction: for all(GLi,MLi)of private key queries, it is required that(GLi6=GL∗)or

(GLi=GL∗)∧(MLi=ML∗).Cflips a random coinµ∈ {0,1}and gives the challenge ciphertextCT∗

toAby runningEncrypt((GL∗,ML∗),M_µ∗,PP).

4. Query 2:Amay continue to request private keys for labels(GLq1+1,MLq1+1), . . . ,(GLq,MLq).

5. Guess:Aoutputs a guessµ0∈ {0,1}ofµ, and wins the game ifµ=µ0.

The advantage ofAis defined as AdvSREA (λ) =

Pr[µ=µ0]−1₂

where the probability is taken over all the randomness of the game. A SRE scheme is secure under chosen plaintext attacks if for all PPT adversary

A, the advantage ofAin the above game is negligible in the security parameterλ.

Remark1. The selective security of SRE is a weaker security model in which an adversary initially submits the challenge labels(GL∗,ML∗)before receiving public parameters.

2.2 Identity-Based Revocation

IBR is a special type of PKBE where a ciphertext is associated with a revoked setRof users instead of a receiver setSof users and each user is specified by a unique identifier stringID. In IBR, a center generates a private key for a userIDby using his master key and gives it to the user. A sender can create a ciphertext for receivers that excludes the set of revoked usersRand a receiver withIDcan decrypt the ciphertext if ID∈/R. The formal syntax of IBR is given as follows:

Definition 2.3(Identity-Based Revocation). An identity-based revocation (IBR) scheme for the identityI

consists of four algorithmsSetup,GenKey,Encrypt, andDecrypt, which are defined as follows:

Setup(1λ_{). The setup algorithm takes as input a security parameter 1}λ_{. It outputs a master keyMK and} public parametersPP.

GenKey(ID,MK,PP). The key generation algorithm takes as input an identityID∈ I, the master keyMK, and the public parametersPP. It outputs a private keySKID.

Encrypt(R,M,PP). The encryption algorithm takes as input a revoked set R of users, a message M∈ {0,1}m_{, and the public parametersPP. It outputs a ciphertextCT}

RforRandM.

Decrypt(CTR,SKID,PP). The decryption algorithm takes as input a ciphertextCTR for a revoked setR, a

private keySKIDfor an identityID, and the public parametersPP. It outputs an encrypted messageM

or⊥.

The correctness property of IBR is defined as follows: For allMK,PK generated bySetup, allID,R, any SKIDgenerated byGenKey, and anyM, it is required that

• IfID∈R, thenDecrypt(Encrypt(R,M,PP),SKID,PP) =⊥.

The security model of IBR is similar to that of IBBE and we follow the security definition of Lewko et al. [23]. In the CPA security, an adversary can request a private key of a user with ID many times. In the challenge step, the adversary submits a challenge revoked setR∗ and two challenge messages with some restrictions and receives a challenge ciphertext that is the encryption of one challenge message. The adversary further can request private keys of other users and finally outputs the guess of the challenge message. The detailed description of the security is described as follows:

Definition 2.4(IND-CPA Security). The indistinguishability property of IBR under a chosen plaintext attack is defined in terms of the following game between a challengerCand a PPT adversaryA:

1. Setup: C runsSetup(1λ_{) to generate a master key MK and public parametersPP. It keeps MK to} itself and givesPPtoA.

2. Query 1:Amay adaptively request private keys for usersID1, . . . ,IDq1∈ I. In response,Cgives the

corresponding private keysSKID1, . . . ,SKIDq₁ toAby runningGenKey(IDi,MK,PP).

3. Challenge: Asubmits a challenge revoked setR∗ of users and two messagesM₀∗,M₁∗with the equal length subject to the restriction: for allIDi of private key queries, IDi ∈R∗. C flips a random coin

µ ∈ {0,1}and gives the challenge ciphertextCT∗toAby runningEncrypt(R∗,M_µ∗,PP).

4. Query 2:Amay continue to request private keys for usersIDq1+1, . . . ,IDq∈ I.

5. Guess:Aoutputs a guessµ0∈ {0,1}ofµ, and wins the game ifµ=µ0.

The advantage ofAis defined as AdvIBRA (λ) =

Pr[µ =µ0]−1₂

where the probability is taken over all the randomness of the game. An IBR scheme is secure under chosen plaintext attacks if for all PPT adversary

A, the advantage ofAin the above game is negligible in the security parameterλ.

Remark2. The selective security of IBR is a weaker security model in which an adversary initially submits the challenge revoked setR∗before receiving public parameters.

3

SRE with Selective Security

In this section, we propose a selectively secure single revocation encryption (SRE) scheme in prime-order bilinear groups and prove its security under the standard assumption.

3.1 Bilinear Groups of Prime Order

LetGandGT be multiplicative cyclic groups of prime orderp. Letgbe a generator ofG. The bilinear map

e:G×G→GT has the following properties:

1. Bilinearity: ∀u,v∈_Gand∀a,b∈_Zp,e(ua,vb) =e(u,v)ab.

2. Non-degeneracy:∃gsuch thate(g,g)has order p, that is,e(g,g)is a generator ofGT.

We say thatG,GT are bilinear groups if the group operations inGandGT as well as the bilinear mapeare

3.2 Complexity Assumptions

To prove the security of our SRE scheme, we use the well-known standard DBDH assumption. The DBDH assumption was introduced by Boneh and Franklin [6] and widely used to prove the security of IBE, HIBE, and ABE schemes.

Assumption 1(Decisional Bilinear Diffie-Hellman, DBDH). Let(p,G,GT,e)be a description of the

bilin-ear group of prime orderpwith the security parameterλ. Letgbe a generator ofG. The DBDH assumption is that if the challenge valuesD= ((p,G,GT,e),g,ga,gb,gc)andT are given, no PPT algorithmBcan

dis-tinguishT =T₀=e(g,g)abcfromT =T₁=e(g,g)d with more than a negligible advantage. The advantage ofBis defined as AdvDBDH_B (λ) =Pr[B(D,T₀) =0]−Pr[B(D,T₁) =0]

where the probability is taken over the random choice ofa,b,c,d∈Zp.

3.3 Construction

The previous SRE scheme of Lee et al. [20] was proven to be secure underq-type assumption in the random oracle model. To construct an SRE scheme that is secure under the standard assumption without the random oracle model, we inspect the correctness property of SRE. In SRE, a ciphertext is associated with group and member labels(GL,ML)and a private key is associated with labels(GL0,ML0). The correctness property requires that the group labels should be equal but the member labels should be not equal to decrypt the ciphertext by using the private key. That is,GL=GL0andML6=ML0. We observe that an IBE scheme can be used for equality and a simple IBR scheme where the number of revoked users is just one can be used for inequality. More specifically, the IBE (BB-IBE) scheme of Boneh and Boyen [4] can be used to support the equality of group labels where a private key is structured as(gα_(uGL_h)r_,g−r_{). The simple IBR (LSW-IBR)}

scheme of Lewko et al. [23] can be used to support the inequality of member labels and a private key is described as(gα_wr_,(wML_v)r_,g−r_{). By combining the BB-IBE scheme and the simple LSW-IBR scheme,}

we can derive an SRE scheme with the private key structure of(gα_(uGL_h)r1_wr2_,(wML_v)r2_,g−r1_,g−r2_).

LetHbe a family of collision resistant hash functionH. Our SRE scheme in prime-order bilinear groups is described as follows:

SRE.Setup(1λ_{): It first generates a bilinear group}

Gof prime orderpof bit sizeΘ(λ). Letgbe a generator ofG. It chooses a random exponentα ∈Zp and random elementsu,h,w,v∈G. It also chooses a random hash functionHfromH. It outputs a master keyMK=αand public parameters as

PP=(p,G,GT,e), g,u,h,w,v,H,Ω=e(g,g)α

.

SRE.GenKey((GL,ML),MK,PP): It selects random exponents r1,r2 ∈Zp and outputs a private key by

implicitly including(GL,ML)as

SK_(GL,ML)=

K₀=gα_(uGL

h)r1_wr2_{, K}

1= (wMLv)r2, K2=g−r1,K3=g−r2

.

SRE.Encrypt((GL,ML),M,PP): LetM∈ {0,1}m_{be a message. It chooses a random exponentt∈}

Zpand

outputs a ciphertext by implicitly including(GL,ML)as

CT_(GL,ML)=

C=H(Ωt)⊕M,C0=gt,C1= (uGLh)t,C2= (wMLv)t

SRE.Decrypt(CT(GL,ML),SK(GL0_,ML0₎,PP): If(GL=GL0)∧(ML6=ML0), then it outputs a message as

M=C⊕H e(C₀,K₀)·e(C₁,K₂)· e(C₀,K₁)·e(C₂,K₃)−1/(ML

0_−ML)

.

Otherwise, it outputs⊥.

3.4 Correctness

The correctness of the above SRE scheme is easily verified by the following equation.

e(C0,K0)·e(C1,K1)·(e(C0,K2)·e(C2,K3))−1/(ML

0_−ML)

=e(gt,gα_(uGL

h)r1_wr2_)·e((uGL_h)t_,g−r1_)·

e(gt,(wML0v)r2_)·e((wML_v)t_,g−r2₎

−1/(ML0−ML)

=e(gt,gα_wr2_)·

e(g,w)tr2·(ML0−ML)

−1/(ML0−ML)

=e(g,g)αt_.

3.5 Security Analysis

To prove the security of our SRE scheme in the selective model, we use the partitioning method that was used in the security proof of IBE and its extensions. Since our SRE scheme is derived from the BB-IBE scheme and the simple LSW-IBR scheme [4, 23], we may try to use the partitioning proof method of BB-IBE and LSW-IBR schemes. However, the original LSW-IBR scheme is proven under a complexq-type assumption. To prove the security under the standard assumption, we observe that a simple variant of the LSW-IBR scheme such that a ciphertext is associated with a single ID instead of a set of revoked users Ris enough for SRE. In this case, we can prove the simple LSW-IBR scheme under the standard DBDH assumption. Therefore, we have the following result.

Theorem 3.1. The above SRE scheme is selectively secure under chosen plaintext attacks if the DBDH assumption holds.

Proof. Suppose there exists an adversary Athat breaks the security game of SRE with a non-negligible advantage. A simulator B that solves the DBDH assumption using A is given: a challenge tuple D= ((p,G,GT,e),g,ga,gb,gc)andT whereT =e(g,g)abcorT=e(g,g)d. ThenBinteracts withAas follows:

Init:Ainitially submits challenge labels(GL∗,ML∗).

Setup:Bselects random exponentsyu,yh,yw,yv∈Zpand creates public parameters implicitly settingα=ab

asPP= (p,G,GT,e),g, u=gagyu,h= (ga)−GL

∗

gyh_,w=ga_gyw_{,v= (g}a₎−ML∗_gyv_{, Ω=e(g}a_,gb_).

Query 1:Amay adaptively request a private key query for labels(GL,ML). If(GL=GL∗)∧(ML6=ML∗), then it aborts since it cannot create a private key. Otherwise, it handles this query as follows:

• CaseGL6=GL∗: It selects random exponentsr0₁,r₂∈_Zpand creates a private key by implicitly setting

r1=−b/(GL−GL∗) +r10 as

K₀= (gb)−(yuGL+yh)/(GL−GL∗)_(uGL_h)r01_wr2_{, K}

1= (gb)1/(GL−GL

∗₎

g−r01_,K

2= (wMLv)r2,K3=g−r2.

• CaseGL=GL∗andML=ML∗: It selects random exponentsr₁,r0₂∈_Zpand creates a private key by

implicitly settingr2=−b+r02as

K₀= (uGLh)r1_(gb₎−yw_wr02_,K

1=g−r1,K2= (gb)−(ywML+yv)(wMLv)r

0

2_,K

3=gbg−r

0

Challenge:Asubmits two messagesM₀∗,M₁∗.Bflips a random coinµ∈ {0,1}internally. Next, it implicitly setst=cand creates a challenge ciphertext as

C=H(T)·M_µ∗,C₀=gc,C₁= (gc)yuGL∗+yh_,C

2= (gc)ywML

∗_+y

v_.

Query 2:Same as Query 1.

Guess: Finally,Aoutputs a guessµ0. Ifµ=µ0,Boutputs 0. Otherwise, it outputs 1.

To finish the proof, we first show that private keys and the challenge ciphertext are correctly distributed. In case ofGL6=GL∗, the private key is correctly distributed since it satisfies the following equation

K0=gα(uGLh)r1wr2 =gab (gagyu)GL(ga)−GL

∗

gyh−b/(GL−GL

∗_)+r0

1_wr2

= (gb)−(yuGL+yh)/(GL−GL∗)_(uGL_h)r01_wr2_,

K1=g−r1 =gb/(GL−GL

∗_)−r0

1_{= (g}b₎1/(GL−GL∗)_g−r01_,K

2= (wMLv)r2,K3=g−r2.

In case of(GL=GL∗)∧(ML=ML∗), the private key is also correctly distributed as

K0=gα(uGLh)r1wr2=gab(uGLh)r1(gagyw)−b+r

0

2 _{= (u}GL_h)r1_(gb₎−yw_wr02_,

K1=g−r1,K2= (wMLv)r2 = ((gagyw)ML(ga)−ML

∗

gyv₎−b+r20 _{= (g}b₎−(ywML+yv)_(wML_v)r02_,

K3=g−r2 =gb−r

0

2 _=gb_g−r02_.

Note that it cannot create a private key for(GL,ML)such that(GL=GL∗)∧(ML6=ML∗)since the element gabcannot be removed. The challenge ciphertext is also correctly distributed since it satisfies the following equation

C=H(e(g,g)αt

)M_µ∗=H(e(g,g)abc)M_µ∗,C₀=gt=gc, C₁= (uGL∗h)t = ((gagyu₎GL∗_(ga₎−GL∗_gyh₎c_{= (g}c₎yuGL∗+yh_, C2= (wML

∗

v)t= ((gagyw₎ML∗_(ga₎−ML∗_gyv₎c_{= (g}c₎ywML∗+yv_.

This completes our proof.

3.6 Discussions

Efficiency Analysis. In our SRE scheme, a private key and a ciphertext consist of four group elements respectively. The decryption algorithm requires four pairing operations and one exponentiation. To im-prove the efficiency, we can reduce one pairing operation by restating e(C0,K0)·e(C0,K1)1/(ML

0_−ML)

to e(C0,K0K1/(ML

0_−ML)

1 ). Compared to the SRE scheme of Lee et al. [20] that is secure in the random oracle

model, our SRE scheme requires one additional group element in the private key and the ciphertext, but our SRE scheme is secure under the standard assumption without random oracles.

4

SRE with Full Security

In this section, we propose a single revocation encryption (SRE) scheme in composite-order bilinear groups and prove its full-model security under simple assumptions.

4.1 Bilinear Groups of Composite Order

LetN=p₁p₂p₃wherep₁,p₂, andp₃are distinct prime numbers. LetGandGTbe two multiplicative cyclic

groups of same composite orderN andgbe a generator ofG. The bilinear mape:G×G→GT has the

following properties:

1. Bilinearity: ∀u,v∈_Gand∀a,b∈_ZN,e(ua,vb) =e(u,v)ab.

2. Non-degeneracy:∃gsuch thate(g,g)has orderN, that is,e(g,g)is a generator ofGT.

We say thatG is a bilinear group if the group operations inGandGT as well as the bilinear map e are

all efficiently computable. Furthermore, we assume that the description ofGandGT includes generators

ofGandGT respectively. We use the notationGpi to denote the subgroups of order pi ofGrespectively. Similarly, we use the notationGT,pi to denote the subgroups of order piofGT respectively.

4.2 Complexity Assumptions

To prove the security of our SRE scheme, we introduce simple static assumptions that were used by Lewko and Waters [24] to prove the full model security of ABE schemes by using the dual system encryption technique.

Assumption 2(Subgroup Decision, SD). Let(N,G,GT,e)be a description of the bilinear group of

com-posite order N= p1p2p3. Letg1,g2,g3 be generators of subgroups Gp1,Gp2,Gp3 respectively. The SD

assumption is that if the challenge tupleD= ((N,G,GT,e),g1,g3)andT are given, no PPT algorithm A

can distinguishT =T0=X1∈Gp1 fromT =T1=X1R1∈Gp1p2 with more than a negligible advantage.

The advantage ofAis defined as AdvSD_A(λ) =Pr[A(D,T₀) =0]−Pr[A(D,T₁) =0]

where the probability is taken over random choices ofX1∈Gp1 andR1∈Gp2.

Assumption 3(General Subgroup Decision, GSD). Let(N,G,GT,e)be a description of the bilinear group

of composite orderN=p1p2p3. Letg1,g2,g3be generators of subgroupsGp1,Gp2,Gp3 respectively. The

GSD assumption is that if the challenge tupleD= ((N,G,GT,e),g1,g3,X1R1,R2Y1)andT are given, no

PPT algorithmAcan distinguishT=T₀=X₂Y₂∈_Gp1p3 fromT=T1=X2R3Y2∈Gp1p2p3 with more than a

negligible advantage. The advantage ofBis defined as AdvGSD_A (λ) =Pr[A(D,T₀) =0]−Pr[A(D,T₁) =0] where the probability is taken over random choices ofX1,X2∈Gp1,R1,R2,R3∈Gp2, andY1,Y2∈Gp3.

Assumption 4 (Composite Diffie-Hellman, ComDH). Let (N,G,GT,e) be a description of the bilinear

group of composite orderN=p1p2p3. Letg1,g2,g3be generators of subgroupsGp1,Gp2,Gp3 respectively.

The ComDH assumption is that if the challenge tupleD= ((N,G,GT,e),g1,g2,g3,ga1R1,gb1R2)andT are

given, no PPT algorithmAcan distinguishT=T0=e(g1,g1)abfromT =T1=e(g1,g1)cwith more than a

negligible advantage. The advantage ofAis defined as AdvComDHA (λ) =

4.3 Construction

To construct a fully secure SRE scheme, we build our SRE scheme in composite-order bilinear groups instead of prime-order bilinear groups. To prove the security of SRE, we use the dual system encryption technique of Lewko and Waters [24]. Our fully secure SRE scheme has the similar structure with that of the selectively secure SRE scheme in prime order groups. LetHbe a family of collision resistant hash function H. Our SRE scheme in composite-order bilinear groups is described as follows:

SRE.Setup(1λ_{): It first generates a bilinear group}

Gof composite orderN=p1p2p3where p1,p2,andp3

are random primes. Letg1be a generator ofGp1. It chooses a random exponentα ∈ZN and random

elementsu,h,w,v∈_Gp1,Y ∈Gp3. It also chooses a random hash functionH fromH. It outputs a

master keyMK=α and public parameters as

PP=(N,G,GT,e),g=g1,Y, u,h,w,v, H,Ω=e(g1,g1)α

.

SRE.GenKey((GL,ML),MK,PP): It selects randomr1,r2∈ZN,Y0,Y1,Y2,Y3∈Gp3 and outputs a private

key as

SK_(GL,ML)=K0=gα(uGLh)r1wr2Y0,K1= (wMLv)r2Y1, K2=g−r1Y2, K3=g−r2Y3

.

SRE.Encrypt((GL,ML),M,PP): LetM∈ {0,1}m_{be a message. It chooses a random exponentt∈}

ZNand

outputs a ciphertext as

CT_(GL,ML)=C=H(Ωt)⊕M,C0=gt,C1= (uGLh)t,C2= (wMLv)t

.

SRE.Decrypt(CT_(GL,ML),SK_(GL0_,ML0₎,PP): If(GL=GL0)∧(ML6=ML0), then it outputs a message as

M=C⊕H e(C0,K0)·e(C1,K2)· e(C0,K1)·e(C2,K3)

−1/(ML0−ML) .

Otherwise, it outputs⊥.

4.4 Security Analysis

For the security proof of our SRE scheme, we use the dual system encryption technique [24, 31] that was successfully used to prove the full security of IBE, HIBE, and ABE schemes. In dual system encryption, a private key and a ciphertext can be normal type or semi-functional type. In the security proof, we use hybrid games such that a challenge ciphertext is changed from the normal type to the semi-functional type and then each private key is changed from the normal type to the semi-functional type one by one. In the final game, it is hard for an adversary to obtains the encrypted message since semi-functional private keys given to the adversary are not related with the semi-functional challenge ciphertext. The technical difficulty of the dual system encryption technique is to define nominal semi-functional private key in order to solve the paradox in the proof and to show the information theoretic argument between the nominal semi-functional private key and the semi-functional private key.

a private key for labels(GL,ML)such that(GL=GL∗)and(ML=ML∗)where(GL∗,ML∗)is the challenge ciphertext labels. In IBE (or HIBE), it is relatively easy to show the information theoretic argument by using a pair-wise independent hash function and the restriction of an adversary such thatID6=ID∗is only allowed in private key queries. To solve this problem, we carefully analyze our SRE scheme and show that the information theoretic argument still holds even though the adversary queries (GL,ML) such that

(GL=GL∗)and(ML=ML∗). The security proof of our SRE scheme is described as follows:

Theorem 4.1. The above SRE scheme is fully secure under chosen plaintext attacks if the SD, GSD and ComDH assumptions hold.

Proof. We first define the semi-functional type of private keys and ciphertexts. For the semi-functional type, we letg₂denote a fixed generator of the subgroupGp2.

SRE.GenKeySF. This algorithm first creates a normal private key SK_GL0 _,ML= (K₀0,K₁0,K₂0,K₃0) by using MK. It chooses a random element R∈_Gp2 and outputs a semi-functional private key SKGL,ML=

K0=K00R,K1=K10,K2=K20,K3=K30

.

SRE.EncryptSF. This algorithm first creates a normal ciphertextCT_GL0 _,ML= (C0,C₀0,C₁0,C₂0). It chooses random exponents τ,η1,η2,θ1,θ2 ∈ZN and outputs semi-functional ciphertext CTGL,ML = C0 =

C0₀gτ

2,C1=C10g

(η1GL+η2)τ

2 ,C2 =C20g

(θ1ML+θ2)τ

2

. Note that η1,η2,θ1,θ2 are randomly chosen once

and fixed to be used in other types of private keys that will be defined later.

Note that if a semi-functional private key is used to decrypt a semi-functional ciphertext, then the decryption fails since an additional random elemente(gτ

2,R)is left.

The security proof consists of the sequence of hybrid games: The first game is the original security game and the last one is a game such that the adversary has no advantage. We define the games as follows:

Game G0. This game is the original security game. In this game, all private keys and the challenge

cipher-text are normal.

Game G1. In the gameG1, all private keys are still normal, but the challenge ciphertext is semi-functional.

Game G2. Next, we define a new gameG2. In this game, all private keys are semi-functional. For the

security proof, we additionally define a sequence of sub-gamesG1,1, . . . ,G1,k, . . . ,G1,q whereG1=

G1,0 and q is the maximum number of private keys. In the gameG1,k, the challenge ciphertext is

semi-functional, all jth private keys such that j≤kare semi-functional, and the remaining jth private keys such thatk< jare normal. It is obvious thatG1,q=G2.

Game G3. In the final gameG3, all private keys and the challenge ciphertext are semi-functional, but the

challenge ciphertext componentCis random.

Let AdvG_Aj be the advantage ofA in the game Gj. We have AdvSREA (λ) =Adv

G0

A, Adv

G1

A =Adv

G1,0

A , AdvG2

A =Adv

G1,q

A , and Adv

G3

A =0. Through the following Lemmas 4.2, 4.3, and 4.7, we obtain the following equation

Adv_ASRE(λ)≤Adv_AG0−AdvG_A1+

q

∑

k=1

AdvG1,k−1

A −Adv

G1,k A

+

AdvG2

A −Adv

G3

A

≤AdvSDB (λ) +2qAdvBGSD(λ) +AdvComDHB (λ).

Lemma 4.2. If the SD assumption holds, then no polynomial-time adversary can distinguish betweenG0

andG1with a non-negligible advantage.

Proof. Suppose there exists an adversaryAthat distinguishes betweenG0andG1with a non-negligible

ad-vantage. A simulatorBthat solves the SD assumption usingAis given: a challenge tupleD= ((N,G,GT,e),

g1,g3)andTwhereT =X1∈Gp1orT=X1R1∈Gp1p2. ThenBthat interacts withAis described as follows: Setup: B first chooses random exponents u0,h0,w0,v0,z0,α ∈_ZN. It sets MK =α and publishes PP=

(N,G,GT,e),g=g1,Y =g3,u=gu

0

1,h=gh

0

1,w=gw

0

1,v=gv

0

1H,Ω=e(g1,g1)α

.

Query 1: To response private key queries,Bcreates normal private keys since it knowsMK. Note that it cannot create semi-functional private keys since it does not knowgp2.

Challenge: Asubmits challenge labels(GL∗,ML∗)and challenge messagesM₀∗,M₁∗.Bflips a random coin µ ∈ {0,1}and creates a challenge ciphertextCT∗by implicitly settinggt to be theGp1 part ofT as

CT∗= C=H(e(T,g)α_)·M∗

µ,C0=T,C1= (T)

u0GL∗+h0

,C₂= (T)w0ML∗+v0.

IfT =X1, this is a normal ciphertext. IfT =X1R1, this is a semi-functional ciphertext sinceτ≡logg2(R1)

modp2,η1≡u0 modp2,η2≡h0 modp2,θ1≡w0 modp2,θ2≡v0 modp2 are not correlated with their

values modulo p₁by CRT.

Query 2:Same as Query 1.

Guess:Aoutputs a guessµ0. Ifµ =µ0, thenBoutputs 1. Otherwise, it outputs 0.

Lemma 4.3. If the GSD assumption holds, then no polynomial-time adversary can distinguish between

G1,k−1andG1,k with a non-negligible advantage.

Proof. We additionally define two additional semi-functional private keys. Letg₂denote a fixed generator of the subgroupGp2.

SRE.GenKeyNSF. This algorithm first creates a normal private key SK_GL0 _,ML= (K₀0,K₁0,K₂0,K₃0) by using MK. Next, it chooses random exponentsγ1,γ2∈ZN and outputs a nominal semi-functional private

keySKGL,ML= K0=K00g

(η1GL+η2)γ1+θ1γ2

2 ,K1=K10g

(θ1ML+θ2)γ2

2 ,K2=K20g

−γ1

2 ,K3=K30g

−γ2

2

.

SRE.GenKeyTSF. This algorithm first creates a normal private keySK_GL0 _,ML= (K₀0,K₁0,K₂0,K₃0) by using MK. Next, it chooses a random elementR∈_Gp2 and outputs a temporary semi-functional private key

SKGL,ML= K0=K00R,K1=K10g

(θ1ML+θ2)γ2

2 ,K2=K20g

−γ1

2 ,K3=K30g

−γ2

2

.

We also additionally define hybrid gamesHk−1,0,Hk−1,1,Hk−1,2, and Hk−1,3. The games are formally

defined as follows: The gameHk−1,0is equal to the gameG1,k−1. That is, thekth private key is normal. The

gameHk−1,1is almost the same asG1,k−1except thatkth private key is nominal semi-functional. The game

Hk−1,2 is almost the same asG1,k−1 except thatkth private key is temporary semi-functional. The game

Hk−1,3is equal to the gameG1,k. That is, thekth private key is semi-functional.

Let AdvHj

A be the advantage ofAin the gameHj. Through the following Lemmas 4.4, 4.5 and 4.6, we

obtain the following equation

Adv

G1,k−1

A −Adv

G1,k A

=

Adv

Hk−1,0

A −Adv

Hk−1,3

A

≤Adv

Hk−1,0

A −Adv

Hk−1,1

A +

Adv

Hk−1,1

A −Adv

Hk−1,2

A +

Adv

Hk−1,2

A −Adv

Hk−1,3

A

≤AdvGSDB (λ) +AdvGSDB (λ).

Lemma 4.4. If the GSD assumption holds, then no polynomial-time adversary can distinguish between

Hk−1,0andHk−1,1with a non-negligible advantage.

Proof. Suppose there exists an adversary A that distinguishes between Hk−1,0 and Hk−1,1 with a

non-negligible advantage. A simulatorB that solves the GSD assumption usingA is given: a challenge tuple D= ((N,G,GT,e),g1,g3,X1R1,R2Y1)andT whereT =X2Y2orT =X2R3Y2. ThenBthat interacts withA

is described as follows:

Setup:Bfirst chooses random exponentsu0,h0,w0,v0,α∈_ZN. It setsMK=αand publishesPP= (N,G,GT,e),

g=g1,Y=g3,u=gu

0

1,h=gh

0

1,w=gw

0

1 ,v=gv

0

1,Ω=e(g1,g1)α

.

Query 1: To response the jth private key query, B proceeds as follows: If j<k, then it creates a semi-functional private key since it knows MK andR₂Y₁ is given in the assumption. If j>k, then it creates a normal private key since it knowsMK. If j=k, then it selects randomr0₁,r0₂,r0₃∈_ZN,Y₀0,Y₁0,Y₂0,Y₃0,Y₄0∈Gp3

and creates a private keySK_(GL,ML)as

K₀=gα_(T)(u0GL+h0)r01+w

0

r0₂+z0r0_3Y0

0,K1= (T)(w

0_ML+v0_)r0

1_Y0

1, K2= (T)−r

0

1_Y0

2, K3= (T)−r

0

2_Y0

3.

IfT =X2Y2, this is a normal private key. IfT =X2R3Y2, this is a nominally semi-functional private key since

γ1≡logg2(R3)r

0

1 modp2,γ2 ≡logg2(R3)r

0

2 modp2,γ3 ≡logg2(R3)r

0

3 modp2,η1≡u0 modp2,η2 ≡h0

modp2,θ1≡w0 modp2, andθ2≡v0 modp2.

Challenge: B flips a random coin µ ∈ {0,1} and creates a semi-functional ciphertext by implicitly set-ting gt =X₁ and gτ

2 =R1 asCT∗= C=H(e(X1R1,g)α)·M∗µ, C0=X1R1, C1= (X1R1)

u0GL∗+h0_{, C}

2=

(X1R1)w

0_ML∗_+v0

.

Query 2: Same as Query 1.

Guess:Aoutputs a guessµ0. Ifµ =µ0, thenBoutputs 1. Otherwise, it outputs 0.

Lemma 4.5. No polynomial-time adversary can distinguish betweenHk−1,1andHk−1,2with a non-negligible

advantage.

Proof. To argue that any adversary cannot distinguish the nominally semi-functional private key from the semi-functional private key, we show that even an unbounded adversary cannot distinguish the type of private keys.

Suppose there exists an unbounded adversary. Let β be a random exponent in Z∗p2 and x∈ {0,1}.

This adversary can gatherxβ+ (η1GL+η2)γ1+θ1γ2 modp2,(θ1ML+θ2)γ2 modp2,−γ1 modp2,−γ2

modp2from thekth private key andτ modp2,(η1GL∗+η2)τ modp2,(θ1ML∗+θ2)τ modp2from the

challenge ciphertext. Note that thek-the private key is nominally semi-functional ifx=0, otherwise it is semi-functional by implicitly setting log_g

2(R) =β+ (η1GL+η2)γ1+θ1γ2 modp2. These values can be

restated as a linear equationM~u=~vsuch that



  

x GLγ1 γ1 γ2 0

0 0 0 MLγ2 γ2

0 GL∗τ τ 0 0 0 0 0 ML∗τ τ

          β η1 η2 θ1 θ2       =    

xβ+ (η1GL+η2)γ1+θ1γ2

(θ1ML+θ2)γ2

(η1GL∗+η2)τ

(θ1ML∗+θ2)τ



   .

For further analysis, we divide the behavior of an adversary as two types: Type-A and Type-B. Let

(GL∗,ML∗)be the challenge labels. An adversary is Type-A if it queries a private key for labels(GL,ML)

such that GL6=GL∗. An adversary is Type-B if it queries a private key for labels (GL,ML) such that GL=GL∗andML=ML∗. First, we show that a Type-A (unbounded) adversary cannot distinguish the type of private keys. From the aboveM~u=~v, we have another linear equationM2,3~η=~v0 by just taking second

and third columns ofMas follows

GLγ1 γ1

GL∗τ τ

η1

η2

=

(η1GL+η2)γ1

(η1GL∗+η2)τ

.

To show that~1> 6∈RowSpace(M), it is enough to show that~0> = (0,0)6∈RowSpace(M₂,3). For

con-tradiction, if we suppose that~0∈RowSpace(M2,3), then there exists~z such that~zM2,3=~0> and~z6=~0.

However we have~z=~0>M₂−_,31=~0 since GL6=GL∗ by the restriction of the Type-A adversary. Thus, we have~0>∈/RowSpace(M2,3).

Next, we show that a Type-B (unbounded) adversary cannot distinguish the type of private keys. From the aboveM~u=~v, we have another linear equationM4,5~θ=~v00by just taking forth and fifth columns ofM

as follows

γ2 0

MLγ2 γ2

θ1

θ2

=

θ1γ1

(θ1ML∗+θ2)γ2

.

Note that the forth row vector ofMcan be removed since the forth row vector is a linear span of the second row vector ofM ifML=ML∗. Similar to the analysis of the Type-A adversary, we can easily show that ~₀>_{6∈RowSpace(M}

4,5)sinceM4,5is invertable ifγ26=0 modp2. This completes our proof.

Lemma 4.6. If the GSD assumption holds, then no polynomial-time adversary can distinguish between

Hk−1,2andHk−1,3with a non-negligible advantage.

Proof. The proof of this lemma is almost the same as that of Lemma 4.4 except the generation of thekth private key. The kth private key for (GL,ML) is generated as follows: If j=k, then it selects random r₁0,r0₂,a0∈_ZN,Y₀0,Y₁0,Y₂0,Y₃0∈Gp3 and creates a private keySK(GL,ML)as

K₀=gα_(T)(u0GL+h0)r01+w0r02_(R

2Y1)a

0

Y₀0,K₁= (T)(w0ML+v0)r10_Y0

1,K2= (T)−r

0

1_Y0

2,K3= (T)−r

0

2_Y0

3.

Note that the kth private key is no longer correlated withCT∗ sinceK0 is re-randomized by(R2Y1)a

0

. If T =X2Y2, this is a semi-functional private key. If T =X2R3Y2, this is a temporary semi-functional private

key.

Lemma 4.7. If the ComDH assumption holds, then no polynomial-time adversary can distinguish between

G2andG3with a non-negligible advantage.

Proof. Suppose there exists an adversaryAthat distinguishG2fromG3with a non-negligible advantage. A

simulatorBthat solves the ComDH assumption usingAis given: a challenge tupleD= ((N,G,GT,e),g1,g2,

g3,ga1R1,g1bR2)andT whereT =e(g1,g1)aborT =e(g1,g1)c. ThenBthat interacts withAis described as

follows:

Setup: Bchooses random exponentsu0,h0,w0,v0,z0∈_ZN and implicitly setsα =afrom the termga₁R1. It

publishes the public parametersPP= (N,G,GT,e),g=g1,Y=g3,u=gu

0

1,h=gh

0

1,w=gw

0

1 ,v=gv

0

1,H,Ω=

e(g1,ga₁R1)

Query 1: To response private key queries, B creates semi-functional private keys since ga₂R1 andg2 are

given. Note that it cannot create normal private keys since it does not knowga₁∈_Gp1.

Challenge: Bfirst flips a random coin µ ∈ {0,1} and creates a challenge ciphertextCT∗= C=H(T)· M∗_µ,C0=gb1R2,C1= (gb1R2)u

0

GL∗+h0_,C

2= (gb1R2)w

0

ML∗+v0 .

Query 2: Same as Phase 1.

Guess:Aoutputs a guessµ0. Ifµ =µ0, thenBoutputs 1. Otherwise, it outputs 0.

5

Identity-Based Revocation from SD

In this section, we propose an identity-based revocation (IBR) scheme by combining the subset difference (SD) method with a single revocation encryption (SRE) scheme and prove its security. For the construction of an IBR scheme, we follow the design principle of Lee et al. [20]. Compared to the scheme of Lee et al., our scheme is an identity-based one whereas their scheme is a public-key based one.

5.1 Subset Difference Scheme

The subset difference (SD) scheme is one instance of the subset cover framework proposed by Naor et al. [26]. The subset cover framework is a general method to construct a revocation system for a set of usersN. In this framework, a collectionS of subsets is defined for the system and each user is assigned to a private setPV that is a subset ofS where each subset is associated with a unique key. When a center broadcasts an encrypted message for all users except a revoked setRof users, it first finds coverCV that is a set of subsets that can cover all usersN \Rand creates ciphertexts for each subset by using their unique key. A receiver can decrypt the ciphertext if he is not revoked inR.

Before we describe the SD scheme, we define some notation. LetBT be a perfect binary tree andvi be

a node inBT. The depthdi of a nodevi is the length of a path from the root node to the nodevi where the

root node is at depth zero. A level ofBT is a set of all nodes at given depth. For any nodevi∈ BT,Ti is

defined as a subtree that is rooted atvi. For any two nodesvi,vj∈ BT such thatvjis a descendant ofvi,Ti,j

is defined as a subtreeTi− Tj, that is, all nodes that are descendants ofvibut notvj. For any nodevi∈ BT,

Si is defined as the set of leaf nodes inTi. Similarly,Si,j is defined as the set of leaf nodes inTi,j, that is,

Si,j=Si\Sj. For any nodevi∈ BT, we letLi be a fixed and unique label ofvi. The labelLi of a nodeviis

assigned as follows: Each edge in the tree is assigned with 0 or 1 depending on whether it is connected to its left or right child node. The labelLiofviis the bitstring obtained by reading all the bits of edges in the

path from the root node to the nodevi. For a subtreeTi, we define the label ofTi as the labelLiofviwhere

vi is the root node ofTi. For a subtreeTi,j, we also define the label ofTi,jas(Li,Lj)whereLi,Lj are labels

ofvi,vj ofTi,j. Similarly, we can define the label ofSi as the same as that ofTiand the label ofSi,j as the

same as that ofTi,j.

As mentioned before, the SD scheme is one instance of the subset cover framework. To describe the SD scheme, we use the abstraction of Lee et al. [20] since their abstraction of SD is independent of a key assignment method. They defined the SD scheme as four algorithms: Setup, Assign,Cover, andMatch. The setup algorithm first defines a binary treeBT and the collectionSof subsets where each subsetSi,j is

associated with a subtreeTi,j. The assign algorithm first assigns a user to a leaf node ofBT and defines a

private setPV for the user where any two nodesvi,vj in the path nodes from the root node to the leaf node

defines a subtreeTi,j inPV. The cover algorithm takes as input a revoked set Rof users and finds a cover

and a cover setCV and finds two matching subsets inPV andCV respectively. The detailed description of the SD scheme is given as follows:

SD.Setup(N): It takes as input the maximum numberNof users. LetN=2n _{for simplicity. It first sets a}

perfect binary treeBT of depthn. Each user is assigned to a different leaf node inBT. The collection

S of SD is the set of all subsets{Si,j}wherevi,vj ∈ BT andvj is a descendant ofvi. It outputs the

treeBT.

SD.Assign(BT,ID): It takes as input the treeBT and a userID. LetvID be the leaf node ofBT that is

assigned to the user ID. Let (vk0,vk1, . . . ,vkn) be the path from the root nodevk0 to the leaf node

vkn =vID. It first sets a private setPVID as an empty one. For alli,j∈ {k0, . . . ,kn}such that vj is a descendant ofvi, it adds the subsetSi,jdefined by two nodesviandvjin the path intoPVID. It outputs

the private setPVID={Si,j}.

SD.Cover(BT,R): It as input the treeBT and a revoked setRof users. It first sets a subtreeT asST(R), and then it builds a covering setCVR iteratively by removing nodes fromT untilT consists of just a

single node as follows:

1. It finds two leaf nodesviandvjinT such that the least-common-ancestorvofviandvjdoes not

contain any other leaf nodes ofT in its subtree. Letvl andvk be the two child nodes ofvsuch

thatvi is a descendant ofvl andvj is a descendant ofvk. If there is only one leaf node left, it

makesvi=vjto the leaf node,vto be the root ofT andvl =vk=v.

2. Ifvl6=vi, then it adds the subsetSl,i toCVR; likewise, ifvk6=vj, it adds the subsetSk,j toCVR.

3. It removes fromT all the descendants ofvand makesva leaf node.

It outputs the covering setCVR={Si,j}.

SD.Match(CVR,PVID): It takes input as a covering setCVR={Si,j}and a private setPVID={Si,j}. It finds

two subsetsSi,j∈CVR andSi0_,j0 ∈PV_ID such that(v_i =v_i0)∧(d_j =d_j0)∧(v_j 6=v_j0)whered_j is the

depth ofvj. If it found two subsets, then it outputs(Si,j,Si0_,j0). Otherwise, it outputs⊥.

5.2 Construction

The general method that combines the SD scheme with an SRE scheme for the construction of a revocation system was introduced by Lee et al. [20]. The basic idea of their method is that there exists a one-to-one mapping between a subsetSi,j in the SD scheme and labels(GL,ML)in the SRE scheme. That is, we can

setGL=Likdj andML=Lj where(Li,Lj)is the labels of a subtreeTi,j anddj is the depth of the nodevj

since the subtreeTi,j is associated with the subsetSi,j. Thus, we can derive a public-key revocation system

by using an SRE scheme instead of using a pseudo-random generator. We follow the design method of Lee et al. [20], but we slightly modify it to use a symmetric key encryption scheme in order to improve the efficiency.

LetSD= (Setup,Assign,Cover,Match)be the SD scheme andSKE= (Gen,Enc,Dec)be a symmet-ric key encryption scheme. Our IBR scheme for the identity spaceI={0,1}n_{is described as follows:}

IBR.Setup(1λ_{): It first define a perfect binary treeBT by runningSD.Setup(2}n_{). Next, it obtainsMK} SRE

andPPSRE by runningSRE.Setup(1λ). It outputs a master keyMK=MKSRE and public parameters

IBR.GenKey(ID,MK,PP): It first obtains a private setPVID={Si,j}by runningSD.Assign(BT,ID). Note

that we assign ID to the leaf node where the label of the leaf node is equal to ID. Let dj be the

depth of a node vj associated with a label Lj. For each Si,j ∈PVID, it derives (Li,Lj) from Si,j

and obtainsSKSRE,Si,j by runningSRE.GenKey((Li||dj,Lj),MKSRE,PPSRE). It outputs a private key SKID= PVID,{SKSRE,Si,j}Si,j∈PVID

.

IBR.Encrypt(R,M,PP): It first finds a covering setCVR ={Si,j} by running SD.Cover(BT,R). Let dj

be the depth of a nodevj associated with Lj. Next, it chooses a session keyK∈ {0,1}λ. For each

Si,j ∈CVR, it derives two labels (Li,Lj) from Si,j and obtainsCTSRE,Si,j by running SRE.Encrypt

((Li||dj,Lj),K,PPSRE). It obtains an encrypted messageCby runningSKE.Encrypt(K,M). Finally,

it outputs a ciphertextCTR= CVR,C,{CTSRE,Si,j}Si,j∈CVR

.

IBR.Decrypt(CTR,SKID,PP): IfID6∈R, it finds a matching tuple(Si,j,Si0_,j0)by runningSD.Match(CV_R,PV_ID)

and obtains a session keyKby runningSRE.Decrypt(CTSRE,Si,j,SKSRE,Si0,j0,PPSRE). Otherwise, it out-puts⊥. Finally, it outputs a messageMby runningSKE.Decrypt(K,C).

Remark3. Our revocation scheme is identity-based one whereas the revocation scheme of Lee et al. [20] is public-key one since the SRE scheme of Lee et al. is proven under aq-type assumption whereqis depends on the number of users. Another difference is that our IBR scheme encrypts a session key by using an SRE scheme and this session key is used to encrypt a message by using a symmetric-key encryption scheme.

Remark4. In our IBR scheme, an SRE scheme is integrated with the SD scheme. It is relatively straightfor-ward to integrate an SRE scheme with the LSD scheme instead of the SD scheme. The detailed description of the LSD scheme is given in [19].

5.3 Security Analysis

The security model of our IBR scheme in the proof depends on the security model of the underlying SRE scheme. That is, if the underlying SRE scheme is fully (or selectively) secure, then our IBR scheme is also fully (or selectively) secure.

Theorem 5.1. The above IBR scheme is selectively (or fully) secure under chosen plaintext attacks if the SRE scheme is selectively (or fully) secure under chosen plaintext attacks and the SKE scheme is secure under chosen plaintext attacks.

Proof. LetR∗be the set of revoked users in the challenge ciphertext andCVR∗ be the covering set where the

number of subsets inCVR∗ is`. The challenge ciphertext is described asCT∗= (CV_R∗,C∗,{CT∗

SRE,S_ik,_jk}

`

k=1).

For the security proof, we define hybrid gamesG0,G1,G2,G3as follows:

Game G0 This game is the original security game defined in the security model except that the challenge

bitµ is fixed to 0. In this game, all componentsCT_SRE∗ _,j are encryption on a correct session keyK∗ and the componentC∗is an encryption on the messageM₀∗by using the session keyK∗.

Game G1 In this game, all componentsCTSRE∗ ,jin the challenge ciphertextCT

∗_{are encryption on a random}

session keyZthat is not related to the correct oneK∗. However, the componentC∗is still an encryption on the messageM₀∗by using the correct oneK∗.

For the security proof, we additionally define hybrid gamesG0,0, . . . ,G0,ρ, . . . ,G0,`whereG0,0=G0

encryption on a random session keyZ. Specifically, each componentCT_SRE∗ _,kfork≤ρis an encryption on a random session keyZand each componentCT_SRE∗ _,kforρ<kis an encryption on the session key K∗.

Game G2 This game is similar to the game G1 except that the component C∗ is an encryption on the

messageM₁∗by using the session keyK∗. That is, the challenge ciphertextCT∗ is an encryption on the messageM₁∗.

Game G3 In this game, all componentsCTSRE∗ ,j in the challenge ciphertextCT

∗ _{are encryption on the}

correct session keyK∗instead of the random session keyZ. Thus, this game is the original security game in the definition except that the challenge bitµ is fixed to 1.

For the security proof, we also define additional hybrid gamesG2,0, . . . ,G2,ρ, . . . ,G2,` whereG2,0=

G2 and G2,`=G3. The game G2,ρ is almost identical to the gameG2,ρ−1 except thatCTSRE∗ ,ρ is an encryption on the correct session keyK∗. Specifically, each componentCT_SRE∗ _,k for k≤ρ is an encryption on the session key K∗ and each componentCT_SRE∗ _,k for ρ <k is an encryption on the random session keyZ.

LetSGi

A be the event thatAoutputs 0 inGi. From Lemmas 5.2, 5.3 and 5.4, we obtain the following result

AdvIBR_A (λ)≤1 2 Pr[S

G0

A]−Pr[S

G3 A] ≤1 2 `

∑

Pr[S

G0,ρ−1

A ]−Pr[S

G0,ρ

A ] + Pr[S

G1

A]−Pr[S

G2 A] + `

∑

Pr[S

G2,ρ−1

A ]−Pr[S

G2,ρ

A ]

≤`AdvSREB (λ) +AdvSKEB (λ) +`AdvSREB (λ).

This completes our proof.

Lemma 5.2. If the SRE scheme is secure under chosen plaintext attacks, then no polynomial time adversary can distinguish betweenG0,ρ−1andG0,ρwith non-negligible advantage.

Proof. Suppose there exists an adversaryAthat distinguishes betweenG0,ρ−1andG0,ρwith non-negligible advantage. A simulator B that breaks the security game of the SRE scheme is given: challenge public parametersPPSRE. ThenBthat interacts withAis described as follows:

Setup:Bfirst sets a perfect binary treeBT by runningSD.Setup(2n)and givesPP= (BT,PPSRE)toA. Query 1: IfAadaptively requests a private key query for a userID, thenBproceeds this query as follows: It first obtains a private setPVID={Si,j}by runningSD.Assign(BT,ID). For eachSi,j∈PVID, it sets labels

(GL,ML) fromSi,j and requests SK_SRE0 _,Si,j for labels (GL,ML)to the key generation oracle that simulates SRE.GenKey. It setsSKID= (PVID,{SKSRE0 ,Si,j})and gives this toA.

Challenge: A submits a challenge revoked set R∗ and two challenge messages M₀∗,M₁∗ subject to the restrictions. It sets µ =0 and proceeds as follows: It obtains two session keys K∗ and Z by running

SKE.GenKey(1λ_{) and computes C}∗ _{by running SKE.Encrypt(M}∗ µ,K

∗_{). Next, it obtains a covering set}

CVR∗={S_i

1,j1, . . . ,Si`,j`}by runningSD.Cover(BT,R

∗_{)and obtains each componentCT}

SRE,S_ik,_jk as follows:

1. For 1≤k≤ρ−1, it computesCT_SRE∗ _,S

ik,_jk by runningSRE.Encrypt((Lijkdjk,Ljk),Z,PPSRE)where

2. Fork=ρ, it submits challenge labelsGL0 =Liρkdjρ,ML

0 _=L

jρ and two challenge messagesM

0

0=

K∗,M₁0 =Z to the challenge oracle of SRE and receives a challenge ciphertextCT_SRE0 . It simply sets CT_SRE∗ _,ρ=CT_SRE0 .

3. Forρ+1≤k≤`, it computesCT_SRE∗ _,S

ik,_jk by runningSRE.Encrypt((Likkdjk,Ljk),K

∗_,PP

SRE)where

(Lik,Ljk)is the label ofSik,jk anddjk is the depth of the nodevjk.

It gives a challenge ciphertextCT = (CVR∗,C∗,{CT∗

SRE,S_ik,_jk}

`

k=1)toA.

Query 2: Same as Query 1.

Guess: Finally,Aoutputs a bitµ0.Balso outputsµ0.

Lemma 5.3. If the SKE scheme is secure under chosen plaintext attacks, then no polynomial time adversary can distinguish betweenG1andG2with non-negligible advantage.

Proof. Suppose there exists an adversary A that distinguishes between G1 and G2 with non-negligible

advantage. A simulatorBthat breaks the security game of the SKE scheme is described as follows:

Setup:Bfirst obtainsMKandPPby runningIBR.Setup(1λ_{,n)and gives it toA.}

Query 1: IfAadaptively requests a private key query for a userID, thenBcreates the private key by using the master keyMK.

Challenge:Asubmits a challenge revoked setR∗and two challenge messagesM₀∗,M₁∗. It also submits two challenge messagesM₀0 =M₀∗,M₁0 =M₁∗ and receives a challenge ciphertextCT0 of SKE. It setsC∗=CT0. It chooses a random session keyZand prepare all componentsCT_SRE∗ _,S

ik,_jk that are encryption on the random

session keyZ. It gives a challenge ciphertextCT = (CVR∗,C∗,{CTSRE∗ ,S_ik,_jk}

`

k=1)toA.

Query 2: Same as Query 1.

Guess: Finally,Aoutputs a bitµ0.Balso outputsµ0.

Lemma 5.4. If the SRE scheme is secure under chosen plaintext attacks, then no polynomial time adversary can distinguish betweenG2,ρ−1andG2,ρwith non-negligible advantage.

The proof of this Lemma is almost similar to that of Lemma 5.2.

5.4 Comparisons

In this section, we compare our IBR scheme to previous IBR schemes. IBR schemes can be categorized as tree-based schemes that combine a tree data structure with an IBE or HIBE scheme [14,26] or pairing-based schemes that directly are built from bilinear groups [3, 23].

Naor, Naor, and Lotspiech [26] proposed an IBR scheme (NNL-IBR) by combining the tree-based CS revocation scheme with the Boneh-Franklin IBE scheme [6] to reduce the size of public parameters. The NNL-IBR scheme is secure under standard assumption in the random oracle model, but a ciphertext is consists of O(rlogN/r) group elements wherer is the number of revoked users and N is the number of maximum users. Dodis and Fazio [14] proposed an improved IBR scheme (DF-IBR) by combining the SD (or LSD) scheme with an HIBE scheme. If the DF-IBR scheme is instantiated with the Boneh-Boyen-Goh HIBE scheme [5], then the size of ciphertexts can be reduced to haveO(r)group elements. However, the private key of this DF-IBR scheme consists ofO(log2.5N)group elements.

Table 2: Benchmarks of basic group operations

Curve ExpG1 ExpG2 ExpGT Pairing

SS512 2.63 2.63 0.74 3.02

MNT159 0.83 7.65 1.91 6.38

All benchmarks are measured in milliseconds. Exp denotes the exponentiation and Pairing denotes the pairing operation.

of justO(1)group elements. However, the number of pairing or exponentiation operations increases propor-tional to the number of revoked usersr. Thus their IBR schemes are only appropriate in a situation where the number of revoked users is very small. Attrapadung and Libert [3] proposed an improved IBR scheme. They showed that the size of ciphertexts and the cost of decryption can be reduced if the size of public parameters and private keys increases.

Our IBR schemes are built by combining the SD (or LSD) revocation scheme and our SRE schemes instead of IBE or HIBE schemes. In our IBR schemes that use the LSD scheme, public parameters are consists of O(1) group elements because of the underlying SRE scheme, a ciphertext and a private key are consists ofO(r)andO(log1.5N)group elements respectively. Additionally the decryption algorithm of our IBR scheme only requires three pairing and two exponentiation operations. Thus our IBR scheme in prime-order groups provides efficient decryption compared to those of LSW-IBR and AL-IBR schemes.

6

Implementation

We implemented our identity-based revocation (IBR) schemes by using Charm [1], which is a framework for rapidly prototyping public-key cryptographic schemes by using the Python language. Charm provides three mathematical groups: integer group, elliptic curve group, and pairing group by using OpenSSL, GMP, PBC, RELIC, and MIRACL libraries that are written in the C language. Additionally, it also provides a bunch of public-key schemes and protocols. To measure the performance of our implementation, we used a desktop with Intel Core i5-4590 3.3GHz CPU and 16.0GB RAM that runs Windows 7 with Python-3.2.5.

To implement our IBR schemes, we selected two pairing groups: SS512 and MNT159. The SS512 pairing group is a super-singular elliptic curve group where the base field size is 512 bits and the embedding degree is two. In this SS512 group, the bit size of a group element inG1 andG2 is 512 bits and the bit

size of a group element inGT is 1024 bits. The MNT159 pairing group is an asymmetric group created by

Miyaji, Nakabayashi, and Takano where the base field size is 159 bits and the embedding degree is six. In this MNT159 group. the bit size of a group elementG1is 159 bits and the bit size of a group element inG2

andGT is 954 bits. The details of these groups can be found in [25]. The benchmark result of basic group

operations in these pairing groups is given in Table 2. In the MNT159 group, the basic operations inG1is

very efficient compared with operations inG2andGT.

By using the selected pairing groups, we implemented our SRE scheme with selective security and measured the performance of our construction. Although our SRE scheme is originally built on a symmetric pairing group, it can be easily translated to an asymmetric pairing group. In our SRE scheme, theGenKey

algorithm requires four group exponentiations inG2 if additional elements are stored in a master key, the

Encryptalgorithm requires five group exponentiations inG1and one exponentiation inGT, and theDecrypt

Table 3: Benchmarks of our SRE scheme

Scheme Curve Setup GenKey Encrypt Decrypt

SRE SS512 20.02 11.02 13.75 11.40

MNT159 27.23 30.87 6.27 27.29

All benchmarks are measured in milliseconds. Setup, GenKey, Encrypt, and Decrypt algorithms denote the setup, key generation, encryption, and decryption algorithm respectively.

Table 4: Benchmarks of CS, SD, and LSD schemes

Scheme Algorithm r=10 r=50 r=100 r=200 r=300

CS Cover 0.51 2.69 5.32 7.89 14.42

|CV| 105 420 747 1316 1826

SD Cover 3.40 10.65 15.80 44.66 85.50

|CV| 13 63 119 256 374

LSD Cover 3.72 13.17 26.77 46.17 87.50

|CV| 17 95 201 392 589

All benchmarks are measured in milliseconds. We set the depthd of a binary tree to be 15 and letrto be the number of revoked leaf nodes.

our SRE scheme in SS512 and MNT159 groups is given in Table 3. Note that theEncrypt algorithm is two-times fast in the MNT159 group, but theGenKey andDecrypt algorithms are slow in the MNT159 group.

For our IBR schemes, we implemented (tree-based) SD and LSD schemes that belong to the subset cover framework of Naor et al. [26] and compared their performance with that of the CS scheme. A simple way to represent a binary tree is to assign a unique node numberito each nodeviby using the depth-first search

tree traversal. In this case, the root node is assigned to 1, the child nodevLof a parent nodevwith a number

iis assigned to 2iand the right child ofvRis assigned to 2i+1. The detailed algorithms of the SD scheme

is given in Section 5.1 and the details of the LSD scheme is given in [19]. To measure the performance of SD and LSD schemes, we set the depthd of a binary tree as 15. In this case, the numberN of leaf nodes is 215=3.2∗104. LetRbe a set of revoked nodes andr be the size of R. In the SD scheme, the size of a covering setCV for a revoked setR is theoretically bounded by 2r−1, but it is approximately 1.25r if revoked leaf nodes are randomly selected. In the LSD scheme, the size of CV is bounded by 4r−2, but it is about 1.98ron average. The benchmark result of SD and LSD schemes is given in Table 4. In SD and LSD schemes, the performance of theCoveralgorithm that findsCV for a non-revoked set is relatively slow. If theSD.Coveralgorithm of Naor et al. [26] is naively implemented, then the running time of this algorithm isO(r4log2N)wherer is the size of R. For our IBR scheme, we optimized theSD.Cover algorithm and obtained an improved one with O(r2log2N) running time. Note that the running time of the CS.Cover

algorithm is justO(rlogN).