Identity-Based Group Encryption

Abstract

Cloud computing makes it easy for people to share files anywhere and anytime with mobile end devices. There is a privacy issue in such applications even if the files are encrypted. Specially, the public keys or identities of the receivers will be exposed to the cloud server or hackers. Group Encryption (GE) is designed to achieve anonymity of the receiver(s). The existing GE schemes are all realized in the public key infrastructure (PKI) setting, in which complicated certificates management is required to ensure security. It is observed that GE is especially appealing to institutions which usually have their own closed secure user management system. In this paper, we propose a new concept, referred to as identity-based group encryption (IBGE), which realizes GE in the identity-based cryptography setting. In the IBGE, a private key generator (PKG) designates each user a secret key associated with his identity; and the user can register his identity as a group member to a group manager without leaking his secret key. Then anyone can send confidential messages to the group member without leaking the group member’s identity. However, the group manager can trace the receiver if a dispute occurs or the privacy mechanism is abused. Following this model, we propose the first IBGE scheme that is formally proven secure in the standard model. Analysis shows that our scheme is also efficient and practical.

A Proofs of Security

In this section, we prove the following zero-knowledge properties and two security properties of our scheme.

1.1 A.1 Zero-Knowledge Properties

Lemma 1

The protocol \(ZK\{s,n,ID|C_{10}=g_{1}^{s}g^{-s\cdot ID},C_{11}=e(g,g)^{s},k_{1}=g_{2}^{n},k_{2}=g_{3}^{n},\psi =l^{n}t^{ID},v=w^{n}d^{n\epsilon }\}\) is a \(\sum \)-protocol.

Proof

It is straightforward to validate the Correctness and Completeness of the knowledge proof protocol.

Soundness with knowledge extraction: We construct an extractor who plays the role of the verifier. The extractor interacts with prover two times. Because the responses of the extractor are \(c,c'(c\ne c')\), respectively, it obtains two equations \(r_{1}\equiv \bar{s}+cs\ \mathrm {mod}\ p\) and \(r'_{1}\equiv \bar{s}+c's\ \mathrm {mod}\ p\). It is easy to get that \(s=\frac{r_{1}-r'_{1}}{c-c'}\ \mathrm {mod}\ p\). The extractor can obtain \(n, ID, s\cdot ID\) and ns in the same way.

Honest-verifier zero-knowledge: We will construct a simulator \(\mathcal {S}\) as following steps. A simulator will play the role of the prover and interact with verifier.

1. 1.

   \(\mathcal {S}\) chooses random \(\bar{C}_{10},\bar{C}_{11},\bar{k}_{1},\bar{k}_{2},\bar{\psi },\bar{v},\bar{A},\bar{A}_{1},\bar{A}_{2},\bar{A}_{2}^{-1},\bar{k}\). It sends them to verifier.

2. 2.

   \(\mathcal {S}\) receives c from verifier, then chooses random \(r_{1},r_{2},r_{3},r_{4},r_{5}\in \mathbb {Z}_{p}\) and computes new \(\bar{C}_{10},\bar{C}_{11},\bar{k}_{1},\bar{k}_{2},\bar{\psi },\bar{v},\bar{A},\bar{A}_{1},\bar{A}_{2},\bar{A}_{2}^{-1},\bar{k}\).

3. 3.

   \(\mathcal {S}\) interacts with verifier again. It sends new \(\bar{C}_{10},\bar{C}_{11},\bar{k}_{1},\bar{k}_{2},\bar{\psi },\bar{v},\bar{A},\bar{A}_{1},\bar{A}_{2}, \bar{A}_{2}^{-1},\bar{k}\) to verifier.

4. 4.

   \(\mathcal {S}\) receives c from verifier, then sends \(r_{1},r_{2},r_{3},r_{4},r_{5}\in \mathbb {Z}_{p}\) to verifier.

Let the output of verifier be \(\{\bar{C}_{10},\bar{C}_{11},\bar{k}_{1},\bar{k}_{2},\bar{\psi },\bar{v},\bar{A},\bar{A}_{1},\bar{A}_{2},\bar{A}_{2}^{-1},\bar{k},c, r_{1},r_{2}, r_{3},r_{4},r_{5}\}\), and it is uniform random. Let the output of \(\mathcal {S}\) be \(\{\bar{C}_{10}',\bar{C}_{11}',\bar{k}_{1}',\bar{k}_{2}',\bar{\psi }', \bar{v}',\bar{A}',\bar{A}_{1}',\bar{A}_{2}',\bar{A}_{2}'^{-1},\bar{k}',c', r'_{1},r'_{2}, r'_{3},r'_{4},r'_{5}\}\), and it is also uniform random. We say that this protocol is perfect zero knowledge.

Equality of Identity: Let \(C_{10}=g_{1}^{s}g^{-s\cdot ID}, A_{2}^{-1}=t^{-s\cdot ID'}, ID\ne ID'\). Prover chooses \(-\bar{s}\cdot \bar{ID_{1}},-\bar{s}\cdot \bar{ID_{2}},\bar{ID_{1}}\ne \bar{ID_{2}}\) (if \(\bar{ID_{1}}=\bar{ID_{2}}\), since \(g_{1}^{r_{1}}g^{r_{4}}=\bar{C_{10}}C_{10}^{c},t^{r_{4}}=\bar{A_{2}^{-1}}(A_{2}^{-1})^{c}\), we obtain \(r_{4}\equiv -\bar{s}\bar{ID_{1}}+(-s\cdot ID)c\ \mathrm {mod}\ p, r_{4}\equiv -\bar{s}\bar{ID_{2}}+(-s\cdot ID')c\ \mathrm {mod}\ p, ID=ID'\)), then computes \(\bar{C}_{10}=g_{1}^{\bar{s}}g^{-\bar{s}\cdot \bar{ID_{1}}}, \bar{A}_{2}^{-1}=t^{-\bar{s}\cdot \bar{ID_{2}}}\). \(g_{1}^{r_{1}}g^{r_{4}}=\bar{C_{10}}C_{10}^{c}\) and \(t^{r_{4}}=\bar{A_{2}^{-1}}(A_{2}^{-1})^{c}\) both hold, if and only if \(-\bar{s}\bar{ID_{1}}+(-s\cdot ID)c\equiv -\bar{s}\bar{ID_{2}}+(-s\cdot ID')c\ \mathrm {mod}\ p\) holds. This means that \(c\equiv \frac{\bar{s}(\bar{ID_{1}}-\bar{ID_{2}})}{s(ID'-ID)}\). This equation holds if and only if the verifier chooses this c exactly. But the probability is negligible.

1.2 A.2 Proof of Theorem 1

Proof

Suppose \(\mathcal {A}\) is an \((t',\varepsilon ',q_{ID})\) ANO-IND-CIA-CPA adversary against our scheme. We construct a simulator \(\mathcal {B}\) solves the truncated decision q-ABDHE problem. \(\mathcal {B}\) takes as input \((g',g'_{q+2},g,g_{1},...g_{q},Z)\), where \(Z=e(g_{q+1},g')\) or a random element of \(\mathbb {G}_{T}\).

Setup. \(\mathcal {B}\) generates a random polynomial \(f(x)\in \mathbb {Z}_{p}[x]\) of degree q. It let \(h=g^{f(\alpha )}\) and computes h from \((g,g_{1},...,g_{q})\). It sends public parameters \((g,g_{1},h)\) to \(\mathcal {A}\).

Phase 1. \(\mathcal {A}\) adaptively queries Extract oracle. \(\mathcal {B}\) responds as follows. If \(ID=\alpha \), \(\mathcal {B}\) can solve the truncated decision q-ABDHE immediately. Otherwise, let \(F_{ID}(x)=(f(x)-f(ID))/(x-ID)\) be the \((q-1)\)-degree polynomial. \(\mathcal {B}\) let \((f(ID), g^{F_{ID}(\alpha )})\) be the user’s secret key \((r,h_{ID})\). Since \(g^{F_{ID}(\alpha )}=g^{(f(\alpha )-f(ID)/(\alpha -ID))}=(hg^{-f(ID)})^{1/(\alpha -ID)}\), secret key \((r,h_{ID})\) is valid of ID.

Challenge. \(\mathcal {A}\) outputs two identities \(ID_{0},ID_{1}\) and two messages \(M_{0},M_{1}\). The restriction is that the two identities did not appear in any secret key extraction query. Note that if \(\alpha \in \{ID_{0},ID_{1}\}\), \(\mathcal {B}\) can solve the truncated decision q-ABDHE immediately. Otherwise, \(\mathcal {B}\) chooses bits \(b,c\in \{0,1\}\), and computes secret key \((r_{b},h_{ID_{b}})\) for \(ID_{b}\) same to phase 1.

Let \(f_{2}(x)=x^{q+2}\) and let \(F_{2,ID_{b}(x)}=(f_{2}(x)-f_{2}(ID_{b}))/(x-ID_{b})\), which is a polynomial of degree of \(q+1\). \(\mathcal {B}\) sets

$$ C_{10}=g'^{f_{2}(\alpha )-f_{2}(ID_{b})}, C_{11}=Z\cdot e(g', \mathop {\prod }\limits ^q _{i=0}g^{F_{2,ID_{b}},i^{\alpha ^{i}}}), C_{12}=M_{c}/e(C_{10},h_{ID_{b}})C_{11}^{r_{b}} $$

where \(F_{2,ID_{b},i}\) is the coefficient of \(x^{i}\) in \(F_{2,ID_{b}}(x)\). It sends \(C_{1}=(C_{10},C_{11},C_{12})\) as the ciphertext to be challenged.

Let \(s=(\log _{g}g')F_{2,ID_{b}}(\alpha )\). If \(Z=e(g_{q+1},g')\), then \(C_{10}=g^{s(\alpha -ID_{b})}, C_{11}=e(g,g)^{s}\), and \(M_{c}/C_{12}=e(C_{10},h_{ID_{b}})C_{11}^{r_{b}}=e(g,h)^{s}\), We let \(C_{1}=(C_{10},C_{11},C_{12})\) be an effective ciphertext of identity \(ID_{b}\) as well as message \(M_{c}\) under random value s.

Phase 2. \(\mathcal {A}\) adaptively queries Extract oracle as in phase 1. The restriction is that the two identities did not appear in any private key extraction query. Besides, the adversary \(\mathcal {A}\) can not query Trace oracle.

Guess. Finally, adversar \(\mathcal {A}\) outputs guesses \(b', c'\in \{0,1\}\) of b, c. If \(b'=b\wedge c'=c\) \(\mathcal {B}\) outputs 1 else 0.

The analysis of probability and time complexity is as follow.

Analysis of probability. If \(Z=e(g_{q+1},g')\) the simulation is perfect. Adversary \(\mathcal {A}\) can guess the bits (b, c) correctly with probability \(\frac{1}{4}+\epsilon '\). Otherwise, Z is uniformly random, so \((C_{10},C_{11})\) is a uniformly random and independent element of \((\mathbb {G},\mathbb {G}_{T})\). When this happen, the inequalities

$$\begin{aligned} C_{11}\ne e(C_{10},g)^{1/(\alpha -ID_{0})},C_{11}\ne e(C_{10},g)^{1/(\alpha -ID_{1})} \end{aligned}$$

both hold in the same time with probability \(1-2/p\). When the two inequalities hold,

$$\begin{aligned} e(C_{10},h_{ID_{b}})C_{11}^{r_{b}}&=e(C_{10},(hg^{-r_{b}})^{1/(\alpha -ID_{b})})C_{11}^{r_{b}} \\&=e(C_{10},h)^{\alpha -ID_{b}}(C_{11}/e(C_{10},g)^{1/(\alpha -ID_{b})})^{r_{b}} \end{aligned}$$

is a uniformly random and independent value from the view of adversar \(\mathcal {A}\), because of \(r_{b}\) is a uniformly random and independent value from the view of adversar \(\mathcal {A}\). So, \(C_{12}\) is uniformly random and independent. \(C_{1}\) will not reveal any information of the bits (b, c). Assuming that no queried identity equals \(\alpha \), it is easy to see that \(\mid \Pr [\mathcal {B}(g',g'_{q+2},g,g_{1},...,g_{q},Z)=0]-\frac{1}{4}\mid \leqslant \frac{2}{p}\) when \((g',g'_{q+2},g,g_{1},...,g_{q},Z)\) is sampled from \(R_{ABDHE}\). To the contrary, we can see that \(\mid \Pr [\mathcal {B}(g',g'_{q+2},g,g_{1},...,g_{q},Z)=0]-\frac{1}{4}\mid \geqslant \epsilon '\) when \((g',g'_{q+2},g,g_{1},...,g_{q},Z)\) is sampled from \(P_{ABDHE}\). Thus, we have that

$$\begin{aligned}&\,\,\mid \Pr [\mathcal {B}(g',g'_{q+2},g,g_{1},...,g_{q},e(g_{q+1},g'))=0] \\&-\Pr [\mathcal {B}(g',g'_{q+2},g,g_{1},...,g_{q},Z)=0]\mid \geqslant \epsilon '-\frac{2}{p}. \end{aligned}$$

Analysis of Time Complexity. In the simulation procedure, the overhead of \(\mathcal {B}\) is computing \(g^{F_{ID}(\alpha )}\) in order to response \(\mathcal {A}\)’s extraction query for the ID, where \(F_{ID}(x)\) is polynomial of \(q-1\) degree. Every computation requires O(q) exponentiation in \(\mathbb {G}\). \(\mathcal {A}\) makes at most \(q-1\) queries, thus \(t=t'+O(t_{exp}\cdot q^{2})\).

1.3 A.3 Proof of Theorem 2

Proof

Setup is same as the above proof. In inspect phase adversary can adaptability query all of the oracles. The challenger will respond adversary. The adversary will choose a group public key \(PK'_{GM}=(g_{2},g_{3},w',d',l',H')\) and obtain secret key are \(SK'_{GM}=(x'_{1},x'_{2},y'_{1},y'_{2},z')\). Adversary will choose an identity ID and obtain use’s private key \(SK_{ID}\), as well as an other \(ID'\). Adversary computes \(C'_{1}\) using ID and computes \(C'_{2}\) using \(ID'\). Thus, adversary outputs a valid ciphertext \(C'=(C'_{1},C'_{2})\) which the GM can not trace correctly if and only if \(c\equiv \frac{\bar{s}(\bar{ID_{1}}-\bar{ID_{2}})}{s(ID'-ID)}\) (Part 5.1). But the probability is negligible.