New Constructions of Revocable Identity-Based Encryption from Multilinear Maps

New Constructions of Revocable Identity-Based Encryption

from Multilinear Maps

Seunghwan Park∗ Kwangsu Lee† Dong Hoon Lee‡

Abstract

A revocation mechanism in cryptosystems for a large number of users is absolutely necessary for maintaining the security of whole systems. A revocable identity-based encryption (RIBE) provides an efficient revocation method in IBE in which a trusted authority periodically broadcasts an update key for non-revoked users and a user can decrypt a ciphertext if his private key is not revoked in the update key. Boldyreva, Goyal, and Kumar (CCS 2008) defined RIBE and proposed an RIBE scheme that uses a tree-based revocation encryption scheme to revoke users’ private keys. However, this approach has an inherent limitation in that the number of private key elements and update key elements cannot be constant. In this paper, to overcome this limitation, we devise a new technique for RIBE and propose RIBE schemes with a constant number of private key elements. We achieve the following results:

• We first devise a new technique for RIBE that combines a hierarchical IBE (HIBE) scheme and a public-key broadcast encryption (PKBE) scheme by using multilinear maps. In contrast to the previous technique for RIBE, our technique uses a PKBE scheme in bilinear maps for revocation to achieve short private keys and update keys.

• Following our new technique for RIBE, we propose an RIBE scheme in three-leveled multilinear maps that combines the HIBE scheme of Boneh and Boyen (EUROCRYPT 2004) and the PKBE scheme of Boneh, Gentry, and Waters (CRYPTO 2005). The private key and update key of our scheme possess a constant number of group elements. We introduce a new complexity assumption in multilinear maps and prove the security of our scheme in the selective revocation list model.

• Next, we propose another RIBE scheme with reduced public parameters by combining the HIBE scheme of Boneh and Boyen and the PKBE scheme of Boneh, Waters, and Zhandry (CRYPTO 2014), which uses multilinear maps. Compared with our first RIBE scheme, our second RIBE scheme requires high-leveled multilinear maps since the underlying PKBE scheme is based on high-leveled multilinear maps.

Keywords:Identity-based encryption, Key revocation, Broadcast encryption, Multilinear maps.

∗_{Korea University, Seoul, Korea. Email:[email protected].}

Contents

1 Introduction 3

1.1 Our Results . . . 3

1.2 Our Technique . . . 4

1.3 Related Work . . . 6

2 Preliminaries 7 2.1 Revocable Identity-Based Encryption . . . 7

2.2 Leveled Multilinear Maps . . . 9

2.3 Complexity Assumptions . . . 9

3 Revocable IBE with Shorter Keys 10 3.1 Construction . . . 10

3.2 Correctness . . . 12

3.3 Security Analysis . . . 13

3.4 Discussions . . . 16

4 Revocable IBE with Shorter Parameters 17 4.1 Construction . . . 17

4.2 Correctness . . . 19

4.3 Security Analysis . . . 20

4.4 Discussions . . . 22

5 Conclusion 22 A Revocable IBE in Graded Encoding Systems 26 A.1 Graded Encoding Systems . . . 26

A.2 Construction . . . 28

B Revocable IBE for Small Universe 29 B.1 Construction . . . 29

B.2 Security Analysis . . . 30

B.3 Construction in the GGH Framework . . . 32

B.4 Security Analysis in the GGH Framework . . . 33

C Revocable IBE with Trade-Offs 36 C.1 Construction . . . 36

C.2 Security Analysis . . . 37

D Security in Generic Multilinear Groups 39 D.1 Generic Multilinear Groups . . . 39

1

Introduction

Providing an efficient revocation mechanism in cryptosystems for a large number of users is very important since it can prevent a user from accessing sensitive data in cryptosystems by revoking the private key of a user when the private key is revealed or expired. In public-key encryption (PKE), which employs the public-key infrastructure (PKI), there are many studies that deal with the certificate revocation problem [1, 16, 30, 32]. In identity-based encryption (IBE) [7, 37], a natural approach for this revocation problem is that a trusted authority periodically renews a user’s private key for his identity at a current time period and then a sender creates a ciphertext for both a receiver identity and a current time period. However, this approach has some problems: the trusted authority should always be online to renew the user’s private keys, users should always renew their private keys regardless of whether their private keys are revoked, and a secure channel should be established between the trusted authority and a user to transmit a renewed private key.

An IBE scheme that provides an efficient revocation mechanism (RIBE) was proposed by Boldyreva, Goyal, and Kumar [3]. In RIBE, each user receives a (long-term) private keySKID for his identityIDfrom

a trusted authority, and the trusted authority periodically broadcasts an update keyU KT,Rat a current time

T by including a revoked identity setR. If a user has a private keySKID that is not revoked by the revoked

identity setRof the update keyU KT,R, then he can derive his (short-term) decryption keyDKID,T from his

private keySKIDand the update keyU KT,R. This decryption key can be used to decrypt a ciphertextCTID,T

for a receiver identity ID and a time period T. The main advantage of this approach is that the trusted authority can be offline because the authority only need to broadcast the update key periodically. To build an RIBE scheme, Boldyreva et al. [3] used the tree-based revocation encryption scheme of Naor, Naor, and Lotspiech [31] for revocation and the ABE scheme of Sahai and Waters [34] for encryption of an identity and a time period. Other RIBE schemes also follow this design approach that uses the tree-based revocation encryption scheme for revocation [29, 35, 36]. This design approach, however, has an inherent limitation in that the number of private key elements and update key elements cannot be constant since a private key is associated with path nodes in a tree and an update key is associated with covering nodes in the tree [31]. Therefore, in this paper, we ask the following questions about RIBE: “Can we build an RIBE scheme with a constant number of private key elements and update key elements? Can we devise a new technique for efficient RIBE that is different from the previous approach?”

1.1 Our Results

In this work, we give affirmative answers to both of the above questions. That is, we first devise a new technique for RIBE that is quite different from the previous technique, and we propose two RIBE schemes with a constant number of private key elements. The following is our results:

New Techniques for Revocable IBE.Previous RIBE schemes [3, 29, 36] use IBE (or ABE) schemes for the main encryption functionality and the tree-based revocation encryption of Naor, Naor, and Lotspiech [31] for the revocation functionality. As mentioned, the inherent limitation of the tree-based revocation encryption scheme is that the number of private key elements and update key elements cannot be constant. To achieve an RIBE scheme with a constant number of private key elements and update key elements, we observe that PKBE schemes [8, 19] in bilinear groups can be directly used for delivering a partial key of IBE to non-revoked users because these broadcast schemes have short private keys and short ciphertexts. That is, the private keySKID,T of a two-level HIBE scheme with an identityIDand a time periodT is divided into two

authority broadcasts an update keyU KT,R that is the encryption ofSKT0, which excludes revoked users R.

If the user is not revoked, then he can deriveSKID,T of HIBE combiningSKID0 in his actual key andSKT0

inU KT,R. However, this simple RIBE scheme is vulnerable under a simple attack–that is, if an adversary

corrupts a userIDat timeT0, then he can obtain a partial keySK_ID0 and a PKBE key forID. The adversary then can decrypt a previous ciphertextCTID,T such thatT <T0 by obtaining a partial keySKT0 fromU KT,R

since the PKBE key that was obtained at timeT0can still be applied to decryptU KT,Rat timeT. To overcome

the simple attack, we set the private keySK of RIBE by binding the private key of HIBE and the private key of PKBE, and set the update keyU K of RIBE by binding the private key of HIBE and the ciphertext of PKBE. However, this RIBE scheme possesses another problem–a decryption key derived from a private key and an update key by performing a pairing operation cannot be used to decrypt a ciphertext since the decryption key is the result of the pairing operation in bilinear groups. To solve this new problem, we use multilinear maps that were recently proposed by Garg, Gentry, and Halevi [15]. The detailed techniques are discussed below in this section.

RIBE with Shorter Private Keys and Update Keys. We first propose an RIBE scheme with a constant number of private key elements and update key elements by applying our new technique for RIBE on the three-leveled multilinear maps. For a concrete RIBE construction, we use the PKBE scheme of Boneh, Gentry, and Waters (BGW-PKBE) [8] for revocation and the HIBE scheme of Boneh and Boyen (BB-HIBE) [5] for encryption of an identityIDand a timeT. The public parameters, the private key, the update key, and the ciphertext of our RIBE scheme just consist ofO(N+λ),O(1),O(1), andO(1)group elements, respectively. As far as we know, our RIBE scheme is the first one that achieves a constant number of private key elements and update key elements. To prove the security of our RIBE scheme, we introduce a new complexity assumption called the Multilinear Diffie-Hellman Exponent (MDHE) assumption that is a natural multilinear version of the Bilinear Diffie-Hellman Exponent (BDHE) assumption of Boneh et al. [8]. We prove the security of our scheme in the selective revocation list model, where an adversary should initially submit a challenge identity, a challenge time, and the revoked set of identities at the challenge time.

RIBE with Reduced Pubic Parameters. The number of group elements in the public parameters of our first RIBE scheme is proportional to the maximum number of users. To overcome this problem, we propose another RIBE scheme with reduced public parameters onO(logN)-leveled multilinear maps by employing the PKBE scheme of Boneh, Waters, and Zhandry (PKBE) [12]. The interesting feature of the BWZ-PKBE scheme is that the public key just consists ofO(logN)group elements whereas the public key of the BGW-PKBE scheme [8] consists ofO(N)group elements. Additionally, the BWZ-PKBE scheme has a sim-ilar structure to the BGW-PKBE scheme except that it usesO(logN)-leveled multilinear maps. Because of this structural similarity, we can build an RIBE scheme based on the BWZ-PKBE scheme by following our new technique for RIBE. We prove the security of our second RIBE scheme in the selective revocation list model by using the compressed MDHE (cMDHE) assumption. Although the number of group elements in public parameters is reduced, our second RIBE scheme is not a truly identity-based one since the maximum size of the receiver set is restricted to being polynomial in the BWZ-PKBE scheme. A detailed comparison between our RIBE schemes and other RIBE schemes is given in Table 1. Note that the bit size of private keys and update keys in our RIBE schemes is not constant since the bit size of group elements in leveled multilinear maps is not constant [24].

1.2 Our Technique

Table 1: Comparison of revocable identity-based encryption schemes

Scheme PP Size SK Size UK Size Model Maps Assumption

BF [7] O(1) O(1) O(N−r) Full BLM RO, BDH

BGK [3] O(1) O(logN) O(rlog(N/r)) Selective BLM DBDH LV [29] O(λ) O(logN) O(rlog(N/r)) Full BLM DBDH SE [36] O(λ) O(logN) O(rlog(N/r)) Full BLM DBDH LLP [27] O(1) O(log1.5N) O(r) Full BLM Static

Our-1 O(N+λ) O(1) O(1) SelectiveRL MLM MDHE

Our-2 O(logN+λ) O(1) O(1) SelectiveRL MLM cMDHE Letλ be a security parameter,Nbe the maximum number of users, andrbe the maximum number of revoked users. Sizes for public parameters (PP), private keys (SK), and update keys (UK) count the number of group elements. BLM stands for bilinear maps and MLM stands for multilinear maps. The bit sizes of elements in bilinear maps, elements in three-leveled multilinear maps, and elements ink-leveled multilinear maps areO(λ),

O(λlog2λ), andO(k2λlog2(kλ)), respectively.

and Lotspiech [31]. The revocation encryption of the NNL framework mainly uses a tree for broadcasting, and it is hard to provide a constant number of RIBE private key elements since the private key of the NNL framework is associated with path nodes in the tree and the update key is associated with subset covering nodes in the tree [31]. The BGW-PKBE scheme, by contrast, can provide a constant number of RIBE private key elements since the PKBE scheme has a constant number of private key elements.

For our RIBE construction, we use the BGW-PKBE scheme [8] for revocation and the two-level HIBE scheme of Boneh and Boyen [5] for encryption of an identityIDand a time periodT. As mentioned before, the simple approach is vulnerable under a simple attack. To address this problem, we first set the RIBE private key asSKID= gα

d_γ

F(ID)r1_,gr1_{, which is a careful combination of the PKBE private keySK} BE,d=

gαdγ_{and the HIBE private keySK}

HIBE,ID= (gaF(ID)r1,gr1), where an indexdis associated with the identity

IDandF(·)is a function from identities to group elements. That is, we replace the master key part gaof the HIBE private key component with the PKBE private key component. Next, we set the RIBE update key asU KT,R= (gγ∏j∈N\Rgα

N+1−j

)β_H(T)r2_,gr2_{, which is a careful combination of the PKBE ciphertext}

CTBE,R = gβ,(gγ∏j∈N\RgN+1−j)β

and the HIBE private key SKHIBE,T = gaH(T)r2,gr2

whereRis a revocation set,T is an update time period, andH(·)is a function from times to group elements. That is, we replace the master key partga of the HIBE private key component with the PKBE ciphertext component. If a user with a private keySKID is not revoked in an update keyU KT,R at a timeT, then he can derive a

decryption keyDKID,T= gα

N+1_β

F(ID)r1_H(T)r2_,gr1_,gr2_{for his identityIDand the timeT. This decryption}

key can be used to decrypt a ciphertextCTID,T = e(gα

N+1

,gβ₎s_·M,gs_,F(ID)s_,H(T)s

.

However, there is a major problem with this idea. That is, a session key that is derived from the ciphertext and the private key of PKBE in bilinear groups is an element inGT, and this session key cannot be used

for pairing in bilinear groups. This means that the RIBE decryption keyDKID,T, which is related with the

session key of PKBE, cannot be used to decrypt a RIBE ciphertextCTID,T since the pairing operation can

no longer be applicable. To address this problem, we use three-leveled multilinear maps [15]. Note that bilinear maps correspond to two-leveled multilinear maps. In our RIBE scheme, which uses three-leveled multilinear maps, a private keySKID is inG1, an update keyU KT,R is inG1, a decryption keyDKID,T is

can be used to derive a session key by using a bilinear mape1,2(−,−), which is additionally provided by three-leveled multilinear maps. Therefore, we can build an RIBE scheme with a constant number of private key elements and update key elements from three-leveled multilinear maps. This technique also applies to the BWZ-PKBE scheme [12].

1.3 Related Work

Identity-Based Encryption and Its Extensions. IBE, introduced by Shamir [37], can solve the key man-agement problem of PKE since it uses an identity string as a public key instead of using a random value. The first IBE scheme was proposed by Boneh and Franklin [7] by using bilinear groups, and many other IBE schemes have been proposed in bilinear maps [5, 39]. IBE also can be realized under different primitives such as quadratic residues or lattices [14, 17]. Another importance of IBE is that it has many surprising extensions such as hierarchical IBE (HIBE), attribute-based encryption (ABE), predicate encryption (PE), and functional encryption (FE). HIBE was introduced by Horwitz and Lynn [22] and it additionally provides private key delegation functionality [5, 6, 18, 40]. ABE was introduced by Sahai and Waters [34] and it can provide access controls on ciphertexts by associating a ciphertext with attributes and a private key with a policy [21, 28]. PE can provide searches on encrypted data by hiding attributes in ciphertexts [11, 23]. Re-cently, the concept of FE, which includes all the extensions of IBE, was introduced by Boneh, Sahai, and Waters [9], and it was shown that FE schemes for general circuits can be constructed [20].

Revocation in IBE. As mentioned, providing an efficient revocation mechanism that can revoke a user whose private key is revealed is a very important issue in cryptosystems. In PKE, which employs the public-key infrastructure (PKI), the certificate revocation problem was widely studied [1, 16, 30, 32]. In IBE, there are some works that deal with the key revocation problem [2, 3, 7, 29, 36]. We can categorize the revocation methods for IBE in the following two ways. In the first revocation method, a trusted authority periodically broadcasts a revoked user set R, and a sender creates a ciphertext by additionally including a receiver set S that excludes the revoked user set R [2]. That is, this method conceptually combines an IBE scheme with a PKBE scheme. Though this method is simple to construct and does not require a user to update his private key, the sender should check the validity of the revoked list and the sender has the responsibility for the revocation. Ideally, the sender should proceed as in any IBE scheme and encrypt a message without worrying about potential revoked users.

2

Preliminaries

In this subsection, we first define revocable identity-based encryption (RIBE) and its security model, and then we review multilinear maps and complexity assumptions for our RIBE schemes.

2.1 Revocable Identity-Based Encryption

Revocable identity-based encryption (RIBE) is an extension of identity-based encryption (IBE) in that a user with an identityID can be revoked later if his credential is expired [3]. In RIBE, each user receives his (long-term) private key that is associated with an identityIDfrom a key generation center. After that, the key generation center periodically broadcasts an update key for the non-revoked set of users where the update key is associated with a timeT and a revoked setR. If a user is not revoked in the update key, then he can derive his (short-term) decryption key for his identityIDand the current timeT from the private key and the update key. Using the decryption key forIDandT, the user can decrypt a ciphertext for a receiver identityIDcand a timeTc ifID=IDcandT =Tc. The following is the syntax of RIBE.

Definition 2.1(Revocable IBE). A revocable IBE (RIBE) scheme that is associated with the identity space

I, the time spaceT, and the message spaceM, consists of seven algorithmsSetup,GenKey,UpdateKey,

DeriveKey,Encrypt,Decrypt, andRevoke, which are defined as follows:

Setup(1λ_{,N): The setup algorithm takes as input a security parameter1}λ _{and the maximum number of}

users N. It outputs a master key MK, an (empty) revocation list RL, a state ST , and public parameters PP.

GenKey(ID,MK,ST,PP): The private key generation algorithm takes as input an identity ID∈ I, the master key MK, the state ST , and public parameters PP. It outputs a private key SKIDfor ID and an

updated state ST .

UpdateKey(T,RL,MK,ST,PP): The update key generation algorithm takes as input an update time T∈ T, the revocation list RL, the master key MK, the state ST , and the public parameters PP. It outputs an update key U KT,R for T and R where R is a revoked identity set at the time T .

DeriveKey(SKID,U KT,R,PP): The decryption key derivation algorithm takes as input a private key SKID,

an update key U KT,R, and the public parameters PP. It outputs a decryption key DKID,T or⊥.

Encrypt(ID,T,M,PP): The encryption algorithm takes as input an identity ID∈ I, a time T , a message M∈ M, and the public parameters PP. It outputs a ciphertext CTID,T for ID and T .

Decrypt(CTID,T,DKID0_,T0,PP): The decryption algorithm takes as input a ciphertext CT_ID,T, a decryption

key DKID0_,T0, and the public parameters PP. It outputs an encrypted message M or⊥.

Revoke(ID,T,RL,ST ): The revocation algorithm takes as input an identity ID to be revoked and a revoca-tion time T , a revocarevoca-tion list RL, and a state ST . It outputs an updated revocarevoca-tion list RL.

The correctness property of RIBE is defined as follows: For all MK, RL, ST , and PP generated bySetup(1λ_,N),

SKIDgenerated byGenKey(ID,MK,ST,PP)for any ID, U KT,Rgenerated byUpdateKey(T,RL,MK,ST,PP)

for any T and RL, CTIDc,Tc generated byEncrypt(IDc,Tc,M,PP)for any IDc, Tc, and M, it is required that

• If(ID∈R), thenDeriveKey(SKID,U KT,R,PP) =⊥with all but negligible probability.

• If(IDc=ID)∧(Tc=T), thenDecrypt(CTIDc,Tc,DKID,T,PP) =M.

• If(IDc6=ID)∨(Tc6=T), thenDecrypt(CTID,T,DKID,T,PP) =⊥with all but negligible probability.

The security property of RIBE was formally defined by Boldyreva, Goyal, and Kumar [3]. Recently Seo and Emura [36] refined the security model of RIBE by considering decryption key exposure attacks. In this paper, we consider the selective revocation list security model of the refined security model. In the selective revocation list security game, an adversary initially submits a challenge identityID∗, a challenge timeT∗, and a revoked identity setR∗at the timeT∗, and then he can adaptively request private key, update key, and decryption key queries with restrictions. In the challenge step, the adversary submits two challenge messagesM₀∗,M₁∗, and then he receives a challenge ciphertextCT∗that is an encryption ofM_b∗wherebis a random coin used to create the ciphertext. The adversary may continue to request private key, update key, and decryption key queries. Finally, the adversary outputs a guess for the random coinb. If the queries of the adversary satisfy the non-trivial conditions and the guess is correct, then the adversary wins the game. The following is the formal definition of the selective revocation security.

Definition 2.2(Selective Revocation List Security). The selective revocation list security property of RIBE under chosen plaintext attacks is defined in terms of the following experiment between a challengerCand a PPT adversaryA:

1. Init: Ainitially submits a challenge identity ID∗∈ I, a challenge time T∗∈ T, and a revoked identity set R∗⊆ Iat the time T∗.

2. Setup: Cgenerates a master key MK, a revocation list RL, a state ST , and public parameters PP by runningSetup(1λ_{,N). It keeps MK,RL,ST to itself and gives PP toA.}

3. Phase 1: Aadaptively requests a polynomial number of queries. These queries are processed as follows:

• If this is a private key query for an identity ID, then it gives the corresponding private key SKID

toAby runningGenKey(ID,MK,ST,PP)with the restriction: If ID=ID∗, then the revocation query for ID∗and T must be queried for some T ≤T∗.

• If this is an update key query for a time T , then it gives the corresponding update key U KT,Rto

Aby runningUpdateKey(T,RL,MK,ST,PP) with the restriction: If T=T∗, then the revoked identity set of RL at the time T∗should be equal to R∗.

• If this is a decryption key query for an identity ID and a time T , then it gives the corresponding decryption key DKID,T toAby running DeriveKey(SKID,U KT,R,PP) with the restriction: The

decryption key query for ID∗and T∗cannot be queried.

• If this is a revocation query for an identity ID and a revocation time T , then it updates the revocation list RL by runningRevoke(ID,T,RL,ST)with the restriction: The revocation query for a time T cannot be queried if the update key query for the time T was already requested.

Note thatA is allowed to request the update key query and the revocation query in non-decreasing order of time, and an update key U KT,Rimplicitly includes a revoked identity set R derived from RL.

5. Phase 2: Amay continue to request a polynomial number of private keys, update keys, and decryption keys subject to the same restrictions as before.

6. Guess: Finally,Aoutputs a guess b0∈ {0,1}, and wins the game if b=b0.

The advantage ofAis defined asAdvIND-sRL-CPARIBE,A (λ) =

Pr[b=b0]−1

2

where the probability is taken over

all the randomness of the experiment. A RIBE scheme is secure in the selective revocation list model under chosen plaintext attacks if for all PPT adversaryA, the advantage ofAin the above experiment is negligible in the security parameterλ.

Remark 2.3. The selective revocation list security model is weaker than the well-known selective security model since the adversary additionally submits the revoked identity set R∗in advance. However, this weaker model was already introduced by Boldyreva et al. [3] to prove the security of their revocable ABE scheme1.

2.2 Leveled Multilinear Maps

We define generic leveled multilinear maps that are the leveled version of the cryptographic multilinear maps introduced by Boneh and Silverberg [10]. We follow the definition of Garg, Gentry, and Halevi [15].

Definition 2.4(Leveled Multilinear Maps). We assume the existence of a group generator G, which takes as input a security parameterλ and a positive integer k. Let~G= (G1, . . . ,Gk)be a sequence of groups of

large prime order p>2λ_{. In addition, we let g}

i be a canonical generator ofGi respectively. We assume

the existence of a set of bilinear maps{ei,j :Gi×Gj →Gi+j|i,j≥1;i+j≤k} that have the following

properties:

• Bilinearity: The map ei,jsatisfies the following relation: ei,j(gai,gbj) =gabi+j:∀a,b∈Zp

• Non-degeneracy: We have that ei,j(gi,gj) =gi+jfor each valid i,j.

We say that~Gis a multilinear group if the group operations in~Gas well as all bilinear maps are efficiently

computable. We often omit the subscripts of ei,jand just write e.

2.3 Complexity Assumptions

We introduce new complexity assumptions in multilinear maps. The first assumption is the multilinear version of the well-known Bilinear Diffie-Hellman Exponent (BDHE) assumption of Boneh, Gentry, and Waters [8].

Assumption 2.5(Multilinear Diffie-Hellman Exponent,(k,N)-MDHE). Let(p,~G,{ei,j|i,j≥1;i+j≤k})

be the description of a k-leveled multilinear group of order p. Let gibe a generator ofGi. The decisional

(k,N)-MDHE assumption is that if the challenge tuple

D= g1,ga1,g

a2

1 , . . . ,g

aN 1 ,g

aN+2

1 , . . . ,g

a2N 1 ,g

c1

1, . . . ,g

ck−1

1

and Z

are given, no PPT algorithmAcan distinguish Z=Z0=g

aN+1

∏ki=−11ci

k from a random element Z=Z1∈Gk

with more than a negligible advantage. The advantage ofAis defined asAdv(_Ak,N)-MDHE(λ) =Pr[A(D,Z₀) =

0]−Pr[A(D,Z1) =0]

where the probability is taken over random choices of a,c₁, . . . ,ck−1∈Zp.

For the security proof of our first RIBE scheme, we use (3,N)-MDHE assumption that is a specific instance of the MDHE assumption since the scheme is built on the three-leveled multilinear maps.

Assumption 2.6(Three-Leveled Multilinear Diffie-Hellman Exponent,(3,N)-MDHE). Let(p,~G,e1,1,e1,2,e2,1) be the description of a three-leveled multilinear group of order p. Let gibe a generator ofGi. The decisional

(3,N)-MDHE assumption is that if the challenge tuple

D= g1,ga1,g

a2

1, . . . ,g

aN 1 ,g

aN+2

1 , . . . ,g

a2N 1 ,g

b

1,g

c

1

and Z

are given, no PPT algorithmAcan distinguish Z=Z0=ga N+1_bc

3 from a random element Z=Z1∈G3with more than a negligible advantage. The advantage ofAis defined asAdv(_A3,N)-MDHE(λ) =Pr[A(D,Z₀) =

0]−Pr[A(D,Z₁) =0]where the probability is taken over random choices of a,b,c∈Zp.

The second assumption in multilinear maps is the compressed version of the BDHE assumption. Boneh, Waters, and Zhandry [12] introduced this compressed assumption to prove the security of their broadcast encryption in multilinear maps2. We slightly modify their assumption for our second RIBE scheme by adding additional one element.

Assumption 2.7(Compressed Multilinear Diffie-Hellman Exponent,(k,n,l)-cMDHE). Let(p,~G,{ei,j|i,j≥

1;i+j≤k})be the description of a k-leveled multilinear groups of order p where k=2n+l−2. Let gi be

a generator of_Gi. The decisional(k,n,l)-cMDHE assumption is that if the challenge tuple

D= g1,ga

20

1 ,g

a21

1 , . . . ,g

a2n

1 ,g

b l,g

c n−1

and Z

are given, no PPT algorithmAcan distinguish Z=Z0=ga

2n−1_bc

2n+l−2from a random element Z=Z1∈G2n+l−2 with more than a negligible advantage. The advantage ofAis defined asAdv(_Ak,n,l)-MDHE(λ) =Pr[A(D,Z₀) =

0]−Pr[A(D,Z1) =0]

where the probability is taken over random choices of a,b,c∈Zp.

We discuss the difficulty of our new assumptions in generic multilinear groups in Appendix D.

3

Revocable IBE with Shorter Keys

In this section, we propose an RIBE scheme with a constant number of private key elements and update key elements from three-leveled multilinear maps and prove its selective revocation list security. Essentially, we use the broadcast encryption of Boneh, Gentry, and Waters [8], which uses bilinear maps.

3.1 Construction

LetN ={1, . . . ,N}whereNis the (polynomial) number of users. LetI={0,1}l1_{be the identity space and} T ={0,1}l2_{be the time space wherel}

1=2λ andl2=λfor a security parameterλ. Our RIBE scheme from three-leveled multilinear maps is described as follows:

RIBE.Setup(1λ_{,N): This algorithm takes as input a security parameter 1}λ _{and the maximum numberNof}

users. It generates a 3-leveled multilinear group~G= (G1,G2,G3)of prime order p. Let g1,g2,g3 be generators ofG1,G2,G3respectively. LetPPMLM be the description of the multilinear group with

generators.

1. It selects random elements f1,0,{f1,i,j}1≤i≤l1,j∈{0,1},h1,0,{h1,i,j}1≤i≤l2,j∈{0,1} ∈G1. Let ~fk =

(fk,0,{fk,i,j}1≤i≤l1,j∈{0,1})and~hk= (hk,0,{hk,i,j}1≤i≤l2,j∈{0,1})for a levelk. Note that we can

ob-tain~f₂and~h₂from~f₁and~h₁by performing pairing operations. We defineFk(ID) =fk,0∏li1=1fk,i,ID[i]

andHk(T) =hk,0∏li2=1hk,i,T[i]whereID[i]is a bit value at the positioniandT[i]is a bit value at

the positioni.

2. Next, it selects random exponents α,β,γ ∈Zp. It outputs a master key MK= (α,β,γ), an

empty revocation listRL, an empty stateST, and public parameters as

PP=PPMLM,{gαj

1 }1≤j,j6=N+1≤2N, gβ₁, ~f1, ~h1,Ω=gα N+1_β

3

∈_G2N+2l1+2l2+3

1 ×G3.

RIBE.GenKey(ID,MK,ST,PP): This algorithm takes as input an identityID∈ I, the master keyMK, the stateST, and public parametersPP.

1. It first assigns an indexd∈ N that is not inST to the identityID, and updates the stateST by adding a tuple(ID,d)toST.

2. Next, it selects a random exponentr1∈Zpand outputs a private key by implicitly includingID

and the indexdas

SKID=

K0=gα d_γ 1 F1(ID)

−r1_,K

1=g−₁r1

∈_G2 1.

RIBE.UpdateKey(T,RL,MK,ST,PP): This algorithm takes as input a timeT ∈ T, the revocation listRL, the master keyMK, the stateST, and public parametersPP.

1. It first defines the revoked setRof user identities at the timeT fromRL. That is, if there exists

(ID0,T0)such that(ID0,T0)∈RLfor anyT0≤T, thenID0∈R. It defines the revoked index set RI⊆ N of the revoked identity setR by using the stateST sinceST contains(ID,d). It also defines the non-revoked index setSI=N \RI.

2. Next, it selects a random exponentr₂∈_Zpand outputs an update key by implicitly includingT,

R, and the revoked index setRI as

U KT,R=

U0= gγ1

∏

j∈SI

gαN+1−j

1

β

H1(T)r2,U1=g−1r2

∈_G2 1.

RIBE.DeriveKey(SKID,U KT,R,PP): This algorithm takes as input a private key SKID= (K0,K1) for an identityID, an update keyU KT,R = (U0,U1)for a timeT and a revoked setRof identities, and the public parametersPP. If ID∈R, then it outputs⊥since the identity ID is revoked. Otherwise, it proceeds the following steps:

1. Let d be the index ofID andRI be the revoked index set of R. Note that these are implicitly included inSK andU K respectively. It sets a non-revoked index set SI=N \RI and derives temporal componentsT0,T1andT2as

T0=e(gα d

1 ,U0)·e gβ1,K0

∏

j∈SI,j6=d

gαN+1−j+d

1

−1

,T1=e(gβ1,K1), T2=e(gα d 1 ,U1).

2. Next, it chooses random exponents r₁0,r0₂∈_Zp and re-randomizes these components asD0= T0·F2(ID)r

0

1H₂(T)r

0

2,D₁=T₁·g−r

0

1

2 ,D2=T2·g

−r0₂

2 . Note that these components are formed as D₀=gα₂N+1βF₂(ID)r001H₂(T)r

00

2, D₁=g−r

00

1

2 ,D2=g

−r00₂

2 wherer

00

1 =βr1+r01andr

00

2=α

d_r

3. Finally, it outputs a decryption key asDKID,T = D0,D1,D2

∈_G3 2.

RIBE.Encrypt(ID,T,M,PP): This algorithm takes as input an identityID, a timeT, a messageM, and the public parametersPP. It first chooses a random exponents∈_Zpand outputs a ciphertext by implicitly

includingIDandT as

CTID,T =

C=Ωs·M,C0=gs1,C1=F1(ID)s,C2=H1(T)s

∈_G3×_G3₁.

RIBE.Decrypt(CTID,T,DKID0_,T0,PP): This algorithm takes as input a ciphertextCT_ID,T = (C,C₀,C₁,C₂), a

decryption keyDKID0_,T0= (D₀,D₁,D₂), and the public parametersPP. If(ID=ID0)∧(T=T0), then

it outputs the encrypted messageMasM=C· ∏2i=0e1,2(Ci,Di)

−1

. Otherwise, it outputs⊥.

RIBE.Revoke(ID,T,RL,ST): This algorithm takes as input an identityID, a revocation timeT, the revo-cation listRL, and the stateST. If(ID,−)∈/ST, then it outputs⊥since the private key ofIDwas not generated. Otherwise, it adds(ID,T)toRL. It outputs the updated revocation listRL.

3.2 Correctness

LetSKID be a private key for an identityID that is associated with an index d, andU KT,R be an update

key for a timeT and a revoked identity setR. IfID∈/R, then the decryption key derivation algorithm first correctly derives temporal components as

T0=e(gα d

1 ,U0)·e(gβ1,K0

∏

j∈SI,j6=d

gαN+1−j+d

1 )−1

=e(gαd

1 ,(g

γ

1

∏

j∈SI

gαN+1−j

1 )βH1(T)r2)·e(gβ1,g

αdγ

1 F1(ID)−r1·

∏

j∈SI,j6=d

gαN+1−j+d

1 )−1

=e(gβ₁,gαN+1

1 )·e(g

β

1,F1(ID)

r1_)·e(gαd

1 ,H1(T)r2),

=gα₂N+1βF2(ID)βr1H2(T)α d_r

2_,

T1=e(gβ₁,K1) =e(gβ₁,g−₁r1) =g

−βr1

2 ,T2=e(g

αd

1 ,U1) =e(gα d 1 ,g

−r2

1 ) =g

−αdr2

2

whereRIis the revoked index set ofRandSI=N \RI. Next, a decryption key is correctly derived from the temporal components by performing re-randomization as

D0=T0·F2(ID)r

0

1_H2(T)r

0

2_=gα N+1

β

2 F2(ID)

βr1_H

2(T)α d_r

2_·F

2(ID)r

0

1_H2(T)r

0

2

=gα₂N+1βF2(ID)βr1+r

0

1_H

2(T)α d_r

2+r02 _=gα N+1_β

2 F2(ID)

r00₁

H2(T)r

00

2_,

D₁=T₁·g−r

0

1

2 =g

−βr1−r01

2 =g

−r00₁

2 ,D2=T2·g

−r0₂

2 =g

−αdr2−r02

2 =g

−r00₂

2

wherer₁00=βr1+r01andr

00

2=α

d_r

2+r20.

LetCTID,T be a ciphertext for an identityID and a timeT, andDKID0_,T0 be a decryption key for an

identityID0 and a timeT0. If(ID=ID0)∧(T =T0), then the decryption algorithm correctly outputs an encrypted message by the following equation.

2

∏

i=0

e(Ci,Di) =e(gs₁,gα

N+1_β

2 F2(ID)

r00₁

H2(T)r

00

2₎·_e(F

1(ID)s,g

−r₁00

2 )·e(H1(T)

s_,

g−r

00

2

=e(gs₁,g₂αN+1β)·e(g

s

1,F2(ID)r

00

1)·e(gs

1,H2(T)r

00

2)

e(F1(ID)s,g

r00₁

2)·e(H1(T)s,g

r00₂

2 )

=e(gs₁,gα₂N+1β) = (gα₃N+1β)s=Ωs.

3.3 Security Analysis

To prove the security of our RIBE scheme, we carefully combine the partitioning methods of the PKBE scheme of Boneh, Gentry, and Waters [8] and the HIBE scheme of Boneh and Boyen [5].

Theorem 3.1. The above RIBE scheme is secure in the selective revocation list model under chosen plaintext attacks if the(3,N)-MDHE assumption holds where N is the maximum number of users in the system. That is, for any PPT adversaryA, we have thatAdvIND-sRL-CPARIBE,A (λ)≤Adv

(3,N)-MDHE

B (λ).

Proof. Suppose there exists an adversary A that attacks the above RIBE scheme with a non-negligible advantage. A simulator B that solves the MDHE assumption using A is given: a challenge tuple D=

g1,ga₁,ga

2

1 , . . . ,g

aN 1 ,g

aN+2

1 , . . . ,g

a2N 1 ,g

b

1,g

c

1

and Z where Z =Z0=ga N+1_bc

3 or Z=Z1 ∈G3. Then B that interacts withAis described as follows:

Init: Ainitially submits a challenge identityID∗, a challenge timeT∗, and a revoked identity setR∗ at the timeT∗. It first sets a stateST and a revocation listRLas empty one. For eachID∈ {ID∗} ∪R∗, it selects an indexd∈ N such that(−,d)∈/ST and adds(ID,d)toST. LetRI∗⊆ N be the revoked index set ofR∗ at the timeT∗andSI∗be the non-revoked index set at the timeT∗such thatSI∗=N \RI∗.

Setup: Bfirst chooses random exponents f₀0,{f_i0_,j}₁≤i≤l1,j∈{0,1},h0₀,{h0i,j}1≤i≤l2,j∈{0,1},θ∈Zp. It implicitly

setsα=a,β=b,γ=θ−∑j∈SI∗aN+1−jand publishes the public parametersPPas

gαi

1 =g

ai

1 1≤i,i6=N+1≤2N,g β

1 =g

b

1,

~_f1=f1,0=gf₀0

1

l1

∏

i=1

f₁,i,ID∗_[i] −1

,

f1,i,j= ga

N 1

fi,j0

1≤i≤l1,j∈{0,1}

,

~_h1=h1,0=gh0₀

1

l2

∏

i=1

h_1,i,T∗_[i] −1

,

h1,i,j= gb1

h0i,j

1≤i≤l2,j∈{0,1}

,

Ω=e e(gα₁,gα

N 1 ),g

b

1

=gαN+1b

3 .

For notational simplicity, we define∆ID=∑li1=1(f

0

i,ID[i]−f 0

i,ID∗_[i])and∆T =∑

l2 i=1(h

0

i,T[i]−h 0

i,T∗_[i]). We have

∆ID6≡0 modpexcept with negligible probability ifID6=ID∗since there exists at least one indexisuch that f_i0_,ID[i]6= f_i0_,ID∗_[i] and{f_i0_,j}are randomly chosen. We also have∆T 6≡0 modpexcept with negligible

probability ifT 6=T∗.

Phase 1:Aadaptively requests a polynomial number of private key, update key, and decryption key queries. If this is a private key query for an identityID, thenBproceeds as follows:

• CaseID∈R∗: In this case, the simulator can use the partitioning method of Boneh et al. [8]. It first retrieves a tuple(ID,d)fromST where the indexdis associated withID. Note that the tuple(ID,d)

exists since all identities inR∗were added to ST in the initialization step. Next, it selects a random exponentr1∈Zpand creates a private keySKIDas

K₀= ga₁dθ

_∏

j∈SI∗

ga₁N+1−j+d−1F₁(ID)−r1_,K

• CaseID6∈R∗: In this case, we haveID6=ID∗from the restriction of Definition 2.2 and the simulator can use the partitioning method of Boneh and Boyen [5]. It first selects an indexd ∈ N such that

(−,d)∈/ST and adds(ID,d)toST. Next, it selects a random exponentsr0₁∈Zpand creates a private

keySKIDby implicitly settingr1=−a/∆ID+r01as

K0=ga d

θ

1

∏

j∈SI∗_\{d}

g−₁aN+1−j+d(ga₁)f00/∆ID_F

1(ID)−r

0

1_,K

1= (ga1)

−1/∆ID

gr

0

1

1.

If this is an update key query for a timeT, thenBdefines a revoked identity setRat the timeT fromRLand proceeds as follows:

• CaseT 6=T∗: In this case, the simulator can use the partitioning method of Boneh and Boyen [5]. It first sets a revoked index setRIofRby usingST. It also setsSI=N \RI. Next, it selects a random exponentr₂0 ∈_Zpand creates an update keyU KT,R by implicitly settingr2=−(−∑j∈SI∗_\SIaN+1−j+

∑j∈SI\SI∗aN+1−j)/∆T+r0₂as

U0= (gb1)θ

∏

j∈SI∗_\SI

g−₁aN+1−j

_∏

j∈SI\SI∗

ga₁N+1−j

−h0₀/∆T

H1(T)r

0

2_,

U1=

∏

j∈SI∗_\SI

g−₁aN+1−j

_∏

j∈SI\SI∗

ga₁N+1−j

−1/∆T

gr

0

2

1.

• CaseT =T∗: In this case, we have R=R∗ and the simulator can use the partitioning method of Boneh et al. [8]. For eachID∈R∗, it adds(ID,T∗)toRLif(ID,T0)∈/RLfor anyT0≤T∗. Next, it selects a random exponentr2∈Zpand creates an update keyU KT,Ras

U0= (gb1)θH1(T∗)r2,U1=g−1r2.

If this is a decryption key query for an identityIDand a timeT, thenBproceeds as follows:

• CaseID6=ID∗: In this case, the simulator can use the partitioning method of Boneh and Boyen [5]. If(ID,−)∈/ST, then it selects an indexd∈ N such that(−,d)∈/ST and adds(ID,d)toST. Next, it selects random exponents r0₁,r2 ∈Zp and creates a decryption key DKID,T by implicitly setting

r1= (−a/∆ID+r₁0)bas

D0=e (ga1)

−f₀0/∆ID

F1(ID)r

0

1_,gb

1

·H2(T)r2, D1=e (ga1)

−1/∆ID

gr

0

1

1,g

b

1

,D2=gr₂2.

• CaseID=ID∗: In this case, we haveT 6=T∗from the restriction of Definition 2.2, and the simulator can use the partitioning method of Boneh and Boyen [5]. It selects random exponentsr1,r02∈Zpand

creates a decryption keyDKID,T by implicitly settingr2= (−a/∆T+r20)a

N_as

D0=e (ga1)−h

0

0/∆T_H

1(T)r

0

2_,gaN

1

·F2(ID)r1, D1=gr21, D2=e (ga1)−1/∆Tg

r0₂

1,g

aN

1

.

Challenge:Asubmits two challenge messagesM₀∗,M₁∗. Bchooses a random bitδ ∈ {0,1}and creates the challenge ciphertextCT∗by implicitly settings=cas

C=Z·M_δ∗,C0=gc1,C1= (gc1)

f₀0

,C2= (gc1)

Phase 2: Same as Phase 1.

Guess: Finally,Aoutputs a guessδ0∈ {0,1}.Boutputs 0 ifδ=δ0or 1 otherwise.

To finish the proof, we first show that the distribution of the simulation is correct from Lemma 3.2. Letη be a random bit forZη. From the above simulation, we have Pr[δ=δ0|η=0] =1₂+Adv

IND-sRL-CPA

RIBE,A (λ)since the distribution of the simulation is correct, and we also have Pr[δ =δ0|η=1] = 1₂ sinceδ is completely hidden toA. Therefore we can obtain the following equation

Adv(_B3,N)-MDHE(λ)

=Pr[B(D,Z₀) =0]−Pr[B(D,Z₁) =0] ≥

Pr[δ =δ0|η=0] −

Pr[δ=δ0|η=1]

=1

2+Adv

IND-sRL-CPA RIBE,A (λ)−

1

2 =Adv

IND-sRL-CPA RIBE,A (λ).

This completes our proof.

Lemma 3.2. The distribution of the above simulation is correct if Z=Z0, and the challenge ciphertext is independent ofδ in the adversary’s view if Z=Z1.

Proof. The distribution of public parameters is correct since random exponents f₀0,{f_i0_,j},h0₀,{h0_i,j},θ∈Zp

are chosen. We show that the distribution of private keys is correct. In case ofID∈R∗, we have that the private key is correctly distributed from the settingγ=θ−∑j∈SI∗aN+1−j as the following equation

K0=gα d

γ

1 F1(ID)

−r1 _=ga d_(θ−

∑j∈SI∗aN+1−j) 1 F1(ID)

−r1_=gadθ

1

∏

j∈SI∗

ga₁N+1−j+d−1F1(ID)−r1.

In case ofID∈/R∗, we have that the private key is correctly distributed from the settingγ=θ−∑j∈SI∗aN+1−j

andr1=−a/∆ID+r01as the following equation

K0=gα d_γ

1 F1(ID)−r1 =ga d

θ

1

∏

j∈SI∗

g−aN+1−j+d f1,0

l

∏

i=1 f_1,i,ID[i]

−r1

=gadθ

1

∏

j∈SI∗_\{d}

g−₁aN+1−j+d·g−₁aN+1 gf

0

0

1g

aN_∆ID 1

a/∆ID−r0₁

=gadθ

1

∏

j∈SI∗_\{d}

g−₁aN+1−j+d(ga₁)f00/∆ID_F

1(ID)−r

0

1_,

K1=gr₁1 = (ga1)

−1/∆ID

gr

0

1

1.

Next, we show that the distribution of update keys is correct. In case of T 6=T∗, we have that the update key is correctly distributed from the settingγ=θ−∑j∈SI∗aN+1−j andr₂=−(−_∑j∈SI∗_\SIaN+1−j+

∑j∈SI\SI∗aN+1−j)/∆T+r0₂as the following equation

U₀= gγ₁

_∏

j∈SI

gαN+1−j

1

β

H₁(T)r2 _=gθ

1

∏

j∈SI∗

ga₁N+1−j−1

_∏

j∈SI

ga₁N+1−j

b

h_1,0

t

∏

i=1

h_1,i,T[i]r2

= (gb₁)θ

∏

j∈SI∗_\SI

g−₁aN+1−j

_∏

j∈SI\SI∗

ga₁N+1−j

b

gh

0

0

1g

b∆T

1

−(−∑j∈SI∗\SIaN+1−j+∑j∈SI\SI∗aN+1−j)/∆T+r20

= (gb₁)θ

∏

j∈SI∗_\SI

g−₁aN+1−j

_∏

j∈SI\SI∗

ga₁N+1−j

−h0₀/∆T

U1=gr₁2=

∏

j∈SI∗\SI

g−₁aN+1−j

_∏

j∈SI\SI∗

ga₁N+1−j

−1/∆T

gr

0

2

1.

In case ofT=T∗, we have that the update key is correctly distributed from the settingγ=θ−∑j∈SI∗aN+1−j

as the following equation

U₀= gγ₁

_∏

j∈SI∗

gαN+1−j

1

β

·H₁(T∗)r2₌

gθ

1

∏

j∈SI∗

ga₁N+1−j−1·

_∏

j∈SI∗

ga₁N+1−j

b

H₁(T∗)r2

= (gb₁)θ_H

1(T∗)r2.

We show that the distribution of decryption keys is correct. In case of ID6=ID∗, the decryption key is correctly distributed from the setting logg2F2(ID) =α

N_∆IDandr

1= (−α/∆ID+r0₁)bas the following equation

D0=gα N+1

β

2 F2(ID)

r1_H

2(T)r2 =ga N+1_b

2 f2,0

l

∏

i=1 f_2,i,ID[i]

(−a/∆ID+r0₁)b

H2(T)r2

=e ga₁N+1 gf

0

0

1g

aN_∆ID 1

−a/∆ID+r₁0

,gb₁·H2(T)r2=e (ga1)

−f₀0/∆ID

F1(ID)r

0

1_,gb

1

·H2(T)r2,

D1=gr21=e(g1,g1)(−a/∆ID)b=e (ga1)−1/∆IDg

r₁0

1,g

b

1

.

In case ofID=ID∗, the decryption key is correctly distributed from the setting logg2H2(T) =b∆T and

r2= (−a/∆T+r20)aNas the following equation

D0=gα N+1_β

2 F2(ID)

r1_H

2(T)r2 =ga N+1_b

2 F2(ID)r1(uT2,2h2,2)(−a/∆T+r

0

2)aN

=e gab₁ gb∆T

1 g

h0₂

1

−a/∆T+r0₂

,ga₁N·F2(ID)r1 =e (ga1)

−h0₀/∆T

H1(T)r

0

2_,gaN

1

·F2(ID)r1,

D2=gr₂2=e(g1,g1)(−a/∆T+r

0

2)aN_=e((ga

1)

−1/∆T

gr

0

2

1,g

aN 1 ).

Finally, we show that the distribution of the challenge ciphertext is correct. IfZ=Z₀=ga₃N+1bcis given, then the challenge ciphertext is correctly distributed as the following equation

C =Ωs·M_δ∗=ga

N+1_bs

3 ·M

∗

δ=Z0·M

∗

δ,C0=g s

1=g

c

1,

C1= g

f₀0

1

l

∏

i=1

f_1,i,ID∗_[i]f−1

1,i,ID∗_[i]

c

= (gc₁)f00_,C

2= g

h0₀

1

t

∏

i=1

h_1,i,T∗_[i]h−1

1,i,T∗_[i]

c

= (gc₁)h00_.

Otherwise, the componentCof the challenge ciphertext is independent ofδ in theA’s view sinceZ1 is a random element inG3. This completes our proof.

3.4 Discussions

Asymptotic Analysis.The number of group elements in public parameters, a private key, an update key, and a ciphertext of our RIBE scheme isO(N+λ),O(1),O(1), andO(1)respectively, whereNis the maximum number of users. Although our RIBE scheme provides efficient asymptotic parameters, except for the public parameters, it is not actually efficient since the underlying multilinear maps are not yet practically efficient. Letλ =80 andk=3. The multilinear maps of Garg et al. [15] have the following asymptotic parameters such that the bit size of the public parameters is O(k3λ5log(kλ))≈7.1∗1011 and the bit size of group elements isO(k2λ3)≈4.6∗106. To improve the efficiency, we may use the multilinear maps of Langlois et al. [24] such that the bit size of the public parameters isO(k3λlog2(kλ))≈1.8∗105and the bit size of the group elements isO(k2λlog2(kλ))≈4.6∗104. Note that the bit size of the group elements in bilinear groups is 160.

Parameter Trade-offs.In our RIBE scheme, the number of group elements in public parameters is propor-tional to the maximum number of usersN and the security parameter λ. To reduce the size of the public parameters, we can use the parallel construction technique of PKBE [8] by increasing the size of the update keys since some elements in public parameters can be moved into an update key. This RIBE scheme with parameter trade-offs is described in Appendix C.

Chosen-Ciphertext Security. Security against chosen-ciphertext attacks (CCA security) is similar to se-curity against chosen-plaintext attacks (CPA sese-curity) except that an adversary can request a ciphertext decryption query. To provide CCA security, we can use the general transformation of Canetti, Halevi, and Katz [13] since the structure of our RIBE scheme is similar to that of the BB-HIBE scheme [5]. That is, we can modify our RIBE scheme to support three-level hierarchies by providing additional elements, and then the modified RIBE scheme is easily converted to a CCA-secure RIBE scheme since this tree-level HIBE scheme with CPA security is converted to a two-level HIBE scheme with CCA security.

Achieving Full Security. Our RIBE scheme is only secure in the selective revocation list model since the underlying BGW-PKBE scheme [8] only provides static security. If we are willing to use complexity leveraging arguments, then it can be adaptively secure by loosing an exponential factor in the security reduction. Alternatively, we may try to use other PKBE schemes that are adaptively secure [19, 26], but it is not yet clear how to combine the schemes and prove their security in multilinear maps.

4

Revocable IBE with Shorter Parameters

In this section, we propose an RIBE scheme with short public parameters and short keys from multilinear maps and prove its selective revocation list security. To achieve shorter size of public parameters, we use the BWZ-PKBE scheme [12] that uses multilinear maps since it has short public parameters and the structure of it is almost similar to that of the BGW-PKBE scheme [8].

4.1 Construction

We setN=2n−2 for some integern. Note thatN should be polynomial in the security parameterλ. Let N ={1, . . . ,N}. LetI ={0,1}l1 _{be the identity space andT ={0,1}}l2 _{be the time space wherel}

1=2λ andl2=λ. We suppose that an index d that is assigned to an identityIDhas a Hamming weightl. Our RIBE scheme from 2n+l−2-leveled multilinear maps is described as follows:

RIBE.Setup(1λ_{,N): This algorithm takes as input a security parameter 1}λ _{and the maximum numberNof}

Letgi be generators ofGi respectively. LetPPMLM be the description of the multilinear group with

generators.

1. It selects random elements fn−1,0,{fn−1,i,j}1≤i≤l1,j∈{0,1},hn−1,0,{hn−1,i,j}1≤i≤l2,j∈{0,1}∈Gn−1.

Let ~fk = fk,0,{fk,i,j}1≤i≤l1,j∈{0,1}

and~hk= hk,0,{hk,i,j}1≤i≤l2,j∈{0,1}

for a levelk≥n−1. Note that we can obtain ~fk and~hk from~fn−1 and~hn−1 by performing pairing operations. We defineFk(ID) = fk,0∏il=11fk,i,ID[i]andHk(T) =hk,0∏li2=1hk,i,T[i] whereID[i]is a bit value at the

positioniandT[i]is a bit value at the positioni.

2. Next, it selects random exponents α,β,γ ∈Zp. It outputs a master key MK= (α,β,γ), an

empty revocation listRL, an empty stateST, and public parameters as

PP=PPMLM,

gα2i

1 0≤i≤n, g β

l , ~fn−1, ~hn−1, Ω=g α2n−1β

2n+l−2

∈_Gn₁+1×_Gl×G2nl−1+12l2+2×G2n+l−2.

RIBE.GenKey(ID,MK,ST,PP): This algorithm takes as input an identityID∈ I, the master keyMK, the stateST, and public parametersPP.

1. It first assigns an indexd∈ {0,1}n_{of Hamming weightlthat is not inST to the identityIDand}

updates the stateST by adding a tuple(ID,d)toST.

2. It computesgαd

n−1by performing multiplications and pairing operations on the elements that are given inPP.

3. Next, it selects a random exponentr1∈Zpand outputs a private key by implicitly includingID

and the indexdas

SKID=

K₀=gα_n−dγ₁Fn−1(ID)−r1, K1=g−n−r11

∈_G2

n−1.

RIBE.UpdateKey(T,RL,MK,ST,PP): This algorithm takes as input a timeT ∈ T, the revocation listRL, the master keyMK, the stateST, and public parametersPP.

1. It first defines the revoked setRof user identities at the timeT fromRL. That is, if there exists

(ID0,T0) such that(ID0,T0)∈RLfor any T0≤T, thenID0 ∈R. It defines the revoked index set RI ⊆ N of the revoked identity set R by using the stateST since ST contains(ID,d). It also defines the non-revoked index set SI=N \RI. Note that |SI|is polynomial since N is polynomial.

2. It computes{gα2n−1−j

n−1 }j∈SIby performing multiplications and pairing operations on the elements that are given inPP.

3. Next, it selects a random exponentr2∈Zpand outputs an update key by implicitly includingT,

R, and the revoked index setRI as

U KT,R=

U₀= gγ_n−1

_∏

j∈SI

gα2n−1−j n−1

β

Hn−1(T)r2,U1=g−n−r21

∈_G2_n−1.

1. Let d be the index ofID andRI be the revoked index set of R. Note that these are implicitly included inSK andU Krespectively. It sets a non-revoked index setSI=N \RI. Note that|SI| is polynomial sinceNis polynomial.

2. It computes gαd l ,{gα

2n−1−j+d

n−1 }j∈SI,j6=d by performing multiplications and pairing operations on

the elements that are given inPP. Using these elements, it derives temporal componentsT0,T1 andT₂as

T0=e(gα d

l ,U0)·e gβl ,K0

∏

gα2n−1−j+d n−1

−1

, T1=e(gβl ,K1),T2=e(g αd l ,U1).

3. Next, it chooses random exponents r₁0,r0₂∈_Zp and re-randomizes these components asD0= T₀·Fn+l−1(ID)r

0

1H_n+l−1(T)r

0

2, D₁=T₁·g−r

0

1

n+l−1, D2=T2·g

−r0₂

n+l−1. Note that these components are formed asD0=gα

2n−1 β

n+l−1Fn+l−1(ID)

r00_1H

n+l−1(T)r

00

2_{, D1=g}−r

00

1

n+l−1, D2=g

−r00₂

n+l−1 where r

00

1 = βr1+r01andr200=αdr2+r02.

4. Finally, it outputs a decryption key asDKID,T = D0,D1,D2

∈G3n+l−1.

RIBE.Encrypt(ID,T,M,PP): This algorithm takes as input an identityID, a timeT, a messageM, and the public parametersPP. It chooses a random exponent s∈_Zp and outputs a ciphertext by implicitly

includingIDandT as

CTID,T=

C=Ωs·M,C0=gsn−1,C1=Fn−1(ID)s,C2=Hn−1(T)s

∈G2n+l−2×G3n−1.

RIBE.Decrypt(CTID,T,DKID0_,T0,PP): This algorithm takes as input a ciphertextCT_ID,T = (C,C₀,C₁,C₂), a

decryption keyDKID0,T0= (D0,D1,D2), and the public parametersPP. If(ID=ID0)∧(T=T0), then it outputs the encrypted messageMasM=C· ∏i2=0e(Ci,Di)

−1

. Otherwise, it outputs⊥.

RIBE.Revoke(ID,T,RL,ST): This algorithm takes as input an identityID, a revocation timeT, the revo-cation listRL, and the stateST. If(ID,−)∈/ST, then it outputs⊥since the private key ofIDwas not generated. Otherwise, it adds(ID,T)toRL. It outputs the updated revocation listRL.

4.2 Correctness

We first show that some elements that are needed for the scheme can be easily computed from the elements inPP. We use the following claim of Boneh, Waters, and Zhandry.

Claim 4.1( [12]). Using group multiplications and pairing operations on the gα2i

1 for i∈[0,n], it is possible to compute gαj

l for j∈[1,2

n_{−2]of weight exactly l, g}α2n−1−j

n−1 for j∈[1,2

n_{−2]of weight exactly l, and}

gα2n−1−j+u

n−1 for j,u∈[1,2n−2],j6=u of weight exactly l.

Now we show that the correctness of decryption keys and the decryption algorithm. Let SKID be a

private key for an identityIDthat is associated with an indexd, andU KT,R be an update key for a timeT

and a revoked identity setR. IfID∈/R, then the decryption key derivation algorithm first correctly derives temporal components as

T₀=e(gαd

l ,U0)·e(gβl ,K0

∏

gα2n−1−j+d n−1 )−1

=e gαd l ,(g

γ n−1

∏

j∈SI

gα2n−1−j

n−1 )βHn−1(T)r2

·e gβ_l ,gα_n−dγ₁Fn−1(ID)−r1·

∏

j∈SI,j6=d

gα2n−1−j+d n−1

=e(gβ_l,gα2n−1 n−1 )·e(g

β

l ,Fn−1(ID)r1)·e(gα d

l ,Hn−1(T)r2),

=gα2

n₋₁

β

n+l−1Fn+l−1(ID)βr1Hn+l−1(T)α d_r

2_,

T₁=e(gβ_l,K₁) =e(gβ_l ,g−r1 n−1) =g

−βr1

n+l−1,T2=e(gα d

l ,U1) =e(gα d

l ,g

−r2 n−1) =g

−αdr2 n+l−1

whereRI is the revoked index set ofRandSI=N \RI. Next, a decryption key is correctly derived from these components by performing re-randomization as

D0=T0·Fn+l−1(ID)r

0

1_H

n+l−1(T)r

0

2

=gα2

n₋₁

β

n+l−1Fn+l−1(ID)βr1Hn+l−1(T)α d_r

2_·F

n+l−1(ID)r

0

1_H

n+l−1(T)r

0

2

=gα2

n₋₁

β

n+l−1Fn+l−1(ID)βr1+r

0

1_H

n+l−1(T)α d_r

2+r02_=gα 2n−1

β

n+l−1Fn+l−1(ID)r

00

1_H

n+l−1(T)r

00

2_,

D1=T1·g

−r₁0 n+l−1=g

−βr1−r01 n+l−1 =g

−r00₁

n+l−1, D2=T2·g

−r0₂ n+l−1=g

−αdr2−r02 n+l−1 =g

−r00₂

2

wherer₁00=βr1+r0₁andr00₂=αdr2+r₂0.

LetCTID,T be a ciphertext for an identityID and a timeT, andDKID0_,T0 be a decryption key for an

identityID0 and a timeT0. If(ID=ID0)∧(T =T0), then the decryption algorithm correctly outputs an encrypted message by the following equation.

2

∏

i=0

e(Ci,Di) =e(gsn−1,g

α2n−1β

n+l−1Fn+l−1(ID)

r00_1H

n+l−1(T)r

00

2₎·_e(F

n−1(ID)s,g

−r00₁

n+l−1)·e(Hn−1(T)

s_,g−r002 n+l−1)

=e(gs_n−1,gα2

n₋₁

β n+l−1)·

e(gs_n−1,Fn+l−1(ID)r

00

1)·e(gs

n−1,Hn+l−1(T)r

00

2)

e(Fn−1(ID)s,g

r00

1

n+l−1)·e(Hn−1(T)s,g

r00

2 n+l−1)

=e(gs_n−1,gα2

n₋₁

β n+l−1) = (g

α2n−1β

2n+l−2)

s

=Ωs.

4.3 Security Analysis

The proof of security is almost similar to that in Theorem 3.1.

Theorem 4.2. The above RIBE scheme is secure in the selective revocation list model under chosen plaintext attacks if the (k,n,l)-cMDHE assumption holds where N=2n−2 is the maximum number of users and k=2n+l−2. That is, for any PPT adversaryA, we have thatAdvIND-sRL-CPA_RIBE,A (λ)≤Adv(_Bk,n,l)-cMDHE(λ).

Proof. Suppose there exists an adversary A that attacks the above RIBE scheme with a non-negligible advantage. A simulator B that solves the cMDHE assumption usingA is given: a challenge tuple D=

g1,ga

20

1 ,g

a21

1 , . . . ,g

a2n

1 ,g

b l,g

c n−1

andZ whereZ=Z0=ga

2n−1_bc

2n+l−2orZ=Z1∈G2n+l−2. ThenBthat interacts

withAis described as follows:

Init: Ainitially submits a challenge identityID∗, a challenge timeT∗, and a revoked identity setR∗ at the timeT∗. It first sets a stateST and a revocation listRLas empty one. For eachID∈ {ID∗} ∪R∗, it selects an indexd ∈ N with Hamming weightl such that(−,d)∈/ST and adds(ID,d) toST. LetRI∗⊆ N be the revoked index set ofR∗ at the timeT∗ andSI∗ be the non-revoked index set at the timeT∗ such that SI∗=N \RI∗.

Setup: Bfirst chooses random exponents f₀0,{f_i0_,j}_1≤i≤l

1,j∈{0,1},h

0

0,{h0i,j}1≤i≤l2,j∈{0,1},θ∈Zp. It implicitly

setsα=a,β=b,γ=θ−∑j∈SI∗a2

n_−1−j

and publishes the public parametersPPas

gα2i

1 =g

a2i

1 0≤i≤n,g β l =g

~_{fn−1=fn−1,0=g}f00 n−1

l1

∏

i=1

fn−1,i,ID∗_[i] −1

,

fn−1,i,j= (ga 2n−2 n−1 )

f_i,j0

1≤i≤l1,j∈{0,1}

,

~_{hn−1=hn−1,0=g}h0₀ n−1

l2

∏

i=1

hn−1,i,T∗_[i]−1,h_n−1,i,j= (gb_n−1)h 0

i,j

1≤i≤l2,j∈{0,1}

,

Ω=e e(gα

1,gα

2n−2

n−1 ),gbl,gn−2

=gα2n−1b

2n+l−2.

For notational simplicity, we define∆ID=∑li1=1(f

0

i,ID[i]−f 0

i,ID∗_[i])and∆T =∑

l2 i=1(h

0

i,T[i]−h 0

i,T∗_[i]). We have

∆ID6≡0 modpexcept with negligible probability ifID6=ID∗since there exists at least one indexisuch that f_i0_,ID[i]6= f_i0_,ID∗_[i] and{f_i0_,j}are randomly chosen. We also have∆T 6≡0 modpexcept with negligible

probability ifT 6=T∗.

Phase 1:Aadaptively requests a polynomial number of private key, update key, and decryption key queries. If this is a private key query for an identityID, thenBproceeds as follows:

• CaseID∈R∗: It first retrieves a tuple(ID,d)fromST where the indexd is associated withID. Note that the tuple(ID,d)exists since all identities inR∗were added toST in the initialization step. Next, it selects a random exponentr1∈Zpand creates a private keySKIDas

K0= ga d

n−1

θ

∏

j∈SI∗

ga2

n_−1−j+d

n−1

−1

Fn−1(ID)−r1,K1=g−n−r11.

• CaseID6∈R∗: In this case, we have ID6=ID∗ from the restriction of Definition 2.2. It first selects an indexd∈ N such that(−,d)∈/ST and adds(ID,d) toST. Next, it selects a random exponents r₁0 ∈Zpand creates a private keySKIDby implicitly settingr1=−a/∆ID+r0₁as

K₀=gadθ n−1

∏

j∈SI∗_\{d}

g−a2

n−1−j+d

n−1 (g

a n−1)

f₀0/∆ID

Fn−1(ID)−r

0

1_{, K}

1= (gan−1)−1/∆

ID

gr

0

1 n−1.

If this is an update key query for a timeT, thenBdefines a revoked identity setRat the timeT fromRLand proceeds as follows:

• CaseT 6=T∗: It first sets a revoked index setRI ofRby usingST. It also setsSI=N \RI. Next, it selects a random exponent r0₂∈_Zp and creates an update keyU KT,R by implicitly setting r2= −(−∑j∈SI∗_\SIa2

n_−1−j

+∑j∈SI\SI∗a2

n_−1−j

)/∆T+r0₂as

U0= (gbn−1)θ

∏

j∈SI∗_\SI

g−a2

n_−1−j

n−1

∏

j∈SI\SI∗

ga2

n_−1−j

n−1

−h0₀/∆T

Hn−1(T)r

0

2_,

U1=

∏

j∈SI∗_\SI

g−a2

n−1−j

n−1

∏

j∈SI\SI∗

ga2

n−1−j

n−1

−1/∆T

gr

0

2 n−1.

• CaseT=T∗: In this case, we haveR=R∗. For eachID∈R∗, it adds(ID,T∗)toRLif(ID,T0)∈/RL for anyT0≤T∗. Next, it selects a random exponentr₂∈_Zpand creates an update keyU KT,Ras

U0= (gbn−1)θHn−1(T∗)r2,U1=g−n−r21.