Efficient Fully Secure Leakage-Deterring Encryption

  • Conference paper
  • Cryptography and Coding (IMACC 2019)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 11929)

Abstract

Encryption is an indispensable tool for securing digital infrastructures, as it reduces the problem of protecting the data to that of protecting decryption keys. Unfortunately, this also makes it easier for users to share protected data by simply sharing decryption keys.

Kiayias and Tang (ACM CCS 2013) were the first to address this important issue pre-emptively rather than a posteriori like traitor tracing schemes do. They proposed leakage-deterring encryption schemes that work as follows. For each user, a piece of secret information valuable to her is embedded into her public key. As long as she does not share her ability to decrypt with someone else, her secret is safe. As soon as she does, her secret is revealed to her beneficiaries. However, their solution suffers from serious drawbacks: (1) their model requires a fully-trusted registration authority that is privy to user secrets; (2) it only captures a CPA-type of privacy for user secrets, which is a very weak guarantee; (3) in their construction which turns any public-key encryption scheme into a leakage-deterring one, the new public keys consist of linearly (in the bit-size of the secrets) many public keys of the original scheme, and the ciphertexts are large.

In this paper, we redefine leakage-deterring schemes. We remove the trust in the authority and guarantee full protection of user secrets under CCA attacks. Furthermore, in our construction, all keys and ciphertexts are short and constant in the size of the secrets. We achieve this by taking a different approach: we require users to periodically refresh their secret keys by running a protocol with a third party. Users do so anonymously, which ensures that they cannot be linked, and that the third party cannot perform selective failure attacks. We then leverage this refresh protocol to allow for the retrieval of user secrets in case they share their decryption capabilities. This refresh protocol also allows for the revocation of user keys and for the protection of user secrets in case of loss or theft of a decryption device. We provide security definitions for our new model as well as efficient instantiations that we prove secure.


Notes

  1. Of course, if adversaries were to know the randomness used by security-game oracles, the outputs of those would be deterministic in the view of the adversaries, and even simple properties like IND-CPA would not be satisfiable.

  2. If time periods are short, then any useful device should be able to do so.

  3. \(\oplus \) here denotes the traditional XOR operation.

References

  1. Au, M.H., Susilo, W., Mu, Y.: Constant-size dynamic \(k\)-TAA. Cryptology ePrint Archive, Report 2008/136 (2008). http://eprint.iacr.org/2008/136

  2. Backes, M., Müller-Quade, J., Unruh, D.: On the necessity of rewinding in secure multiparty computation. In: Vadhan, S.P. (ed.) TCC 2007. LNCS, vol. 4392, pp. 157–173. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-70936-7_9

  3. Baldimtsi, F., et al.: Accumulators with applications to anonymity-preserving revocation. In: EuroS&P (2017)

  4. Barak, B.: How to go beyond the black-box simulation barrier. In: 42nd FOCS, pp. 106–115. IEEE Computer Society Press, October 2001

  5. Boneh, D., Boyen, X.: Short signatures without random oracles and the SDH assumption in bilinear groups. J. Cryptol. 21(2), 149–177 (2008)

  6. Boneh, D., Boyen, X., Shacham, H.: Short group signatures. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 41–55. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-28628-8_3

  7. Boneh, D., Franklin, M.: An efficient public key traitor tracing scheme. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 338–353. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48405-1_22

  8. Boneh, D., Sahai, A., Waters, B.: Fully collusion resistant traitor tracing with short ciphertexts and private keys. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 573–592. Springer, Heidelberg (2006). https://doi.org/10.1007/11761679_34

  9. Boneh, D., Zhandry, M.: Multiparty key exchange, efficient traitor tracing, and more from indistinguishability obfuscation. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014, Part I. LNCS, vol. 8616, pp. 480–499. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-44371-2_27

  10. Camenisch, J., Drijvers, M., Lehmann, A.: Anonymous attestation using the strong Diffie Hellman assumption revisited. Cryptology ePrint Archive, Report 2016/663 (2016). http://eprint.iacr.org/2016/663

  11. Camenisch, J., Krenn, S., Lehmann, A., Mikkelsen, G.L., Neven, G., Pedersen, M.Ø.: Formal treatment of privacy-enhancing credential systems. In: Dunkelman, O., Keliher, L. (eds.) SAC 2015. LNCS, vol. 9566, pp. 3–24. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-31301-6_1

  12. Camenisch, J., Shoup, V.: Practical verifiable encryption and decryption of discrete logarithms. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 126–144. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-45146-4_8

  13. Chor, B., Fiat, A., Naor, M.: Tracing traitors. In: Desmedt, Y.G. (ed.) CRYPTO 1994. LNCS, vol. 839, pp. 257–270. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48658-5_25

  14. Cramer, R., Shoup, V.: A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 13–25. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0055717

  15. Dwork, C., Lotspiech, J.B., Naor, M.: Digital signets: self-enforcing protection of digital information (preliminary version). In: 28th ACM STOC, pp. 489–498. ACM Press, May 1996

  16. Guruswami, V., Indyk, P.: Expander-based constructions of efficiently decodable codes. In: 42nd FOCS, pp. 658–667. IEEE Computer Society Press, October 2001

  17. Kiayias, A., Tang, Q.: How to keep a secret: leakage deterring public-key cryptosystems. In: Sadeghi, A.-R., Gligor, V.D., Yung, M. (eds.) ACM CCS 2013, pp. 943–954. ACM Press, New York (2013)

  18. Kiayias, A., Tang, Q.: Traitor deterring schemes: using bitcoin as collateral for digital content. In: Ray, I., Li, N., Kruegel, C. (eds.) ACM CCS 2015, pp. 231–242. ACM Press, New York (2015)

  19. Kiayias, A., Yung, M.: Traitor tracing with constant transmission rate. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 450–465. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-46035-7_30

  20. Kurosawa, K., Desmedt, Y.: Optimum traitor tracing and asymmetric schemes. In: Nyberg, K. (ed.) EUROCRYPT 1998. LNCS, vol. 1403, pp. 145–157. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0054123

  21. Lewko, A.: Tools for simulating features of composite order bilinear groups in the prime order setting. Cryptology ePrint Archive, Report 2011/490 (2011). http://eprint.iacr.org/2011/490

  22. Nakanishi, T., Fujii, H., Hira, Y., Funabiki, N.: Revocable group signature schemes with constant costs for signing and verifying. In: Jarecki, S., Tsudik, G. (eds.) PKC 2009. LNCS, vol. 5443, pp. 463–480. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-00468-1_26

  23. Nishimaki, R., Wichs, D., Zhandry, M.: Anonymous traitor tracing: how to embed arbitrary information in a key. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016, Part II. LNCS, vol. 9666, pp. 388–419. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49896-5_14

  24. Okamoto, T., Takashima, K.: Homomorphic encryption and signatures from vector decomposition. In: Galbraith, S.D., Paterson, K.G. (eds.) Pairing 2008. LNCS, vol. 5209, pp. 57–74. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-85538-5_4

  25. Okamoto, T., Takashima, K.: Fully secure functional encryption with general relations from the decisional linear assumption. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 191–208. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-14623-7_11

Acknowledgements

This work was supported by the ERC Grant PERCY #321310, and was done while the first two authors were at IBM Research – Zurich.

Author information

Correspondence to Patrick Towa.

A Preliminaries

We here give the hardness assumptions and instantiations of the building blocks on which our constructions rely.

A.1 Pairing Groups and Hardness Assumptions

This section introduces pairing groups and classical hardness assumptions underlying our constructions.

Asymmetric Bilinear Pairing Groups. An asymmetric bilinear pairing group (or simply pairing group) consists of a tuple such that p is a prime number, \(\mathbb {G}_1, \mathbb {G}_2\) and \(\mathbb {G}_T\) are (cyclic) p-order groups, and \(e :\mathbb {G}_1 \times \mathbb {G}_2 \rightarrow \mathbb {G}_T\) is an efficiently-computable non-degenerate bilinear map (also called pairing), i.e., \(e(P_1, P_2) \ne 1_{\mathbb {G}_T}\), and \(\forall a, b \in \mathbb {Z}_p, e(P_1^a, P_2^b) = e(P_1, P_2)^{ab}\). Let denote an algorithm that takes as an input a security parameter \( 1^{ \lambda }\), and outputs the description of a pairing group.

\({\varvec{q}}\)-Strong Diffie–Hellman Assumption. Let and be two p-order groups. The q-Strong Diffie–Hellman (qSDH) problem [5] in \((\mathbb {G}_1, \mathbb {G}_2)\) consists in computing a pair \(\left( y, P_1^{1/(u + y)} \right) \in \mathbb {Z}_p\backslash {\{-u\}} \times \mathbb {G}_1\) given a \((q+3)\)-tuple \((P_1, P_1^u, P_1^{u^2}, \ldots , P_1^{u^q}, P_2, P_2^u) \in \mathbb {G}_1^{q+1} \times \mathbb {G}_2^2\) for \(u \in _R \mathbb {Z}_p\). The qSDH assumption over \((\mathbb {G}_1, \mathbb {G}_2)\) is that no efficient algorithm has a non-negligible probability of solving the qSDH problem in \((\mathbb {G}_1,\mathbb {G}_2)\).

Decisional Linear Assumption. The (2-)Decisional Linear (DLIN) assumption [6] over a p-order group is that, for \(a, b, x, y, z \in _R \mathbb {Z}_p\), the distributions of \((P, P^a, P^b, P^{ax}, P^{by}, P^{x+y})\) and \((P, P^a, P^b, P^{ax}, P^{by}, P^z)\) are computationally indistinguishable.

A.2 BBS+ Signature Scheme

The BBS+ signature scheme (as described by Au et al. [1] and inspired by a group signature [6] introduced by Boneh et al.) is a tuple of algorithms \((\mathsf {SignSetup}, \mathsf {SignKeyGen}, \mathsf {Sign}, \mathsf {Verify})\) with

  • \(\mathsf {SignSetup}( 1^{ \lambda }):\) output the description of a pairing group, obtained by calling the pairing-group generator of Appendix A.1

  • \(\mathsf {SignKeyGen}:\) generate \(H_0, \ldots , H_n \in _R \mathbb {G}_1\) and \(u \in _R \mathbb {Z}_p\), compute \(U = P_2^u\), and output \({ sk}= u\), \( vk = (U, H_0, \ldots , H_n)\)

  • \(\mathsf {Sign}({ sk}, \mathbf {m} \in \mathbb {Z}_p^n) \rightarrow \sigma :\) generate \(y, z \in _R \mathbb {Z}_p\), compute \(V = P_1 H_0^z \prod _{i \ge 1} H_i^{m_i}\) and \(W = V^{1/(u + y)}\), and output \(\sigma = (W, y, z)\)

  • \(\mathsf {Verify}( vk , \mathbf {m}, \sigma ) \rightarrow b \in \{0, 1\}:\) output 1 if \(\mathbf {m} \in \mathbb {Z}_p^n\), \(\sigma \) can be parsed as \((W, y, z)\) and \(e(W, U P_2^y) = e\left( P_1 H_0^z \prod _{i \ge 1} H_i^{m_i}, P_2\right) \), and otherwise 0. (The equation holds for an honest signature since \(e(V^{1/(u+y)}, P_2^{u+y}) = e(V, P_2)\).)

Camenisch et al. [10, Lemma 1] proved that the BBS+ signature scheme is existentially unforgeable against chosen-message attacks under the qSDH assumption over \((\mathbb {G}_1, \mathbb {G}_2)\). They showed [10, Section 4.5] how to prove knowledge of a BBS+ signature. We recall it in the full version.

A.3 Dual Pairing Vector Spaces

Dual Pairing Vector Spaces (DPVSs) were introduced by Okamoto and Takashima [24]. They provide a mechanism for parameter hiding [21] in prime-order pairing groups, which in turn allows one to prove the full (adaptive) security of functional encryption schemes in prime-order settings.

Definition 6 (Dual Pairing Vector Space)

Let \(N \ge 1\) be an integer. A dual pairing vector space by direct product of a pairing group is a tuple \((p, \mathbb {V}, \mathbb {V}^*, \mathbb {G}_T, \mathbb {A}, \mathbb {A}^*, e)\) such that \(\mathbb {V}= \mathbb {G}_1^N\) and \(\mathbb {V}^* = \mathbb {G}_2^N\) are two N-dimensional \(\mathbb {Z}_p\) vector spaces, \(\mathbb {A}= (\mathbf {a}_1, \ldots , \mathbf {a}_N)\) is the canonical basis of \(\mathbb {V}\) (i.e., \(\mathbf {a}_i = (\mathbf {1}_{\mathbb {G}_1^{i-1}}, P_1, \mathbf {1}_{\mathbb {G}_1^{N-i}})\)), \(\mathbb {A}^* = (\mathbf {a}_1^*, \ldots , \mathbf {a}_N^*)\) is the canonical basis of \(\mathbb {V}^*\) (i.e., \(\mathbf {a}_i^* = (\mathbf {1}_{\mathbb {G}_2^{i-1}}, P_2, \mathbf {1}_{\mathbb {G}_2^{N-i}})\)) and

$$\begin{aligned} e :\mathbb {V}\times \mathbb {V}^*&\rightarrow \mathbb {G}_T\\ (\mathbf {x} = (X_1, \ldots , X_N), \mathbf {y} = (Y_1, \ldots , Y_N))&\mapsto \prod _{i} e(X_i, Y_i) \end{aligned}$$

(note the abuse of notation) is a pairing, i.e., \(\mathbf {x} = \mathbf {1 }_{\mathbb {G}_1^N}\) if \(e(\mathbf {x},\cdot )\) is the \(1_{\mathbb {G}_T}\) map, and \(\forall a, b \in \mathbb {Z}_p, \mathbf {x} \in \mathbb {V}, \mathbf {y} \in \mathbb {V}^*, e(\mathbf {x}^a, \mathbf {y}^b) = e(\mathbf {x}, \mathbf {y})^{ab}\).

Note that for all \(1 \le i, j \le N, e(\mathbf {a}_i, \mathbf {a}_j^*) = e(P_1, P_2)^{\delta _{ij}}\), with \(\delta _{ij}\) being the Kronecker delta, i.e., \(\delta _{ij} = 1\) if \(i = j\), and otherwise 0.

Let denote an algorithm that takes as an input a security parameter \( 1^{ \lambda }\), the description of a pairing group and an integer N, and outputs the description of a DPVS \((p, \mathbb {V}, \mathbb {V}^*, \mathbb {G}_T, \mathbb {A}, \mathbb {A}^*, e)\).

A.4 Okamoto–Takashima Adaptively-Secure CP-ABE Scheme

Let be a dual-orthonormal-basis generator which proceeds as follows:

  1. it generates a pairing group , a value \(\psi \in _R \mathbb {Z}_p^*\), and sets \(N_0 = 5\) and \(N_k = 3 n_k + 1\) for \(1 \le k \le d\)

  2. for \(0 \le k \le d\), it generates a Dual Pairing Vector Space (DPVS) (see Appendix A.3) , generates a matrix \(\mathbf {X}_k \in _R \mathrm {GL}_{N_k}(\mathbb {Z}_p)\), and computes \(\mathbf {V}_k = \psi \left( \mathbf {X}_k^\mathrm {T} \right) ^{-1}\). Let \(\mathbf {M}_{\mathbb {A}_k}\) and \(\mathbf {M}_{\mathbb {A}_k^*}\) respectively denote the diagonal matrices \( {{\text {diag}}(P_1)} \in \mathbb {G}_1^{N_k \times N_k}\) and \( {{\text {diag}}(P_2)} \in \mathbb {G}_2^{N_k \times N_k}\). Generator computes \(\mathbf {B}_k = \begin{bmatrix} \mathbf {b}_{k,1} \\ \vdots \\ \mathbf {b}_{k,N_k} \end{bmatrix} = \mathbf {X}_k \mathbf {M}_{\mathbb {A}_k} \in \mathbb {G}_1^{N_k \times N_k}\) and \(\mathbf {B}_k^* = \begin{bmatrix} \mathbf {b}_{k,1}^*\\ \vdots \\ \mathbf {b}_{k,N_k}^* \end{bmatrix} = \mathbf {V}_k \mathbf {M}_{\mathbb {A}_k^*} \in \mathbb {G}_2^{N_k \times N_k}\) with \(\mathbf {b}_{k,i} = \left( \mathbf {e}_i \cdot \mathbf {X}_k\right) \mathbf {M}_{\mathbb {A}_k} = \begin{bmatrix} P_1^{\mathbf {X}_{k,i,1}}&\cdots&P_1^{\mathbf {X}_{k,i,N_k}} \end{bmatrix}\) and \(\mathbf {b}_{k,i}^* = \left( \mathbf {e}_i \cdot \mathbf {V}_k\right) \mathbf {M}_{\mathbb {A}_k^*} = \begin{bmatrix} P_2^{\mathbf {V}_{k,i,1}}&\cdots&P_2^{\mathbf {V}_{k,i,N_k}} \end{bmatrix}\), where \(\mathbf {e}_i\) denotes the i-th canonical basis vector of \(\mathbb {Z}_p^{N_k}\)

  3. it computes \(G_T = e(P_1, P_2)^{\psi }\), sets , and eventually outputs .

Notice that for all \(i, k, G_T = e(\mathbf {b}_{k,i}, \mathbf {b}_{k, i}^*)\). Indeed, since \(\mathbf {V}_k^\mathrm {T} = \psi \mathbf {X}_k^{-1}\) and hence \(\mathbf {X}_k \mathbf {V}_k^\mathrm {T} = \psi \mathbf {I}_{N_k}\),

$$\begin{aligned} e(\mathbf {b}_{k,i}, \mathbf {b}_{k, i}^*)&= e\left( \prod _j \mathbf {a}_j^{\mathbf {X}_{k,i,j}}, \prod _l \mathbf {a}_l^{*\mathbf {V}_{k,i,l}}\right) = \prod _{j, l} e(\mathbf {a}_j, \mathbf {a}_l^*)^{\mathbf {X}_{k,i,j} \mathbf {V}_{k,i,l}}\\&= \prod _{j, l} e(P_1, P_2)^{\delta _{jl} \mathbf {X}_{k,i,j} \mathbf {V}_{k,i,l}} = e(P_1, P_2)^{\sum _j \mathbf {X}_{k,i,j} \mathbf {V}_{k,i,j}} = e(P_1, P_2)^{\left( \mathbf {X}_k \mathbf {V}_k^\mathrm {T}\right) _{ii}} = e(P_1, P_2)^{\psi } = G_T. \end{aligned}$$

The same computation gives \(e(\mathbf {b}_{k,i}, \mathbf {b}_{k,j}^*) = G_T^{\delta _{ij}}\) for \(i \ne j\) as well, i.e., \((\mathbb {B}_k, \mathbb {B}_k^*)\) are dual orthonormal bases. Consequently, for coefficient vectors \(\mathbf {x}, \mathbf {y} \in \mathbb {Z}_p^{N_k}\), \(e(\mathbf {x} \mathbf {B}_k, \mathbf {y} \mathbf {B}_k^*) = G_T^{\mathbf {x} \cdot \mathbf {y}}\), which is what makes the decryption below correct.

Consider now the (monotone-span-program) Okamoto–Takashima CP-ABE scheme [25, Section 7.1] in the case \(d = 2\). The access structure associated to a ciphertext is determined by two 2-dimensional vectors \(\mathbf {v}_1\) and \(\mathbf {v}_2\). A pair of attributes (a pair of \(\mathbb {Z}_p\)-lines) represented by a pair of vectors \((\mathbf {x}_1, \mathbf {x}_2)\) is “accepted” by the structure if and only if \(\mathbf {x}_k \cdot \mathbf {v}_k^\mathrm {T} = 0\) for \(k = 1, 2\): that is, the structure specifies two accepted \(\mathbb {Z}_p\)-lines. Their CP-ABE scheme is defined as follows:

  • \(\mathsf {Setup}( 1^{ \lambda }, \mathbf {n} = (2; n_1 = 2, n_2 = 2)) \rightarrow ({ pk}, msk ):\) generate an orthonormal basis , set \(\hat{\mathbf {B}}_0 = \begin{bmatrix} \mathbf {b}_{0, 1}\\ \mathbf {b}_{0, 3}\\ \mathbf {b}_{0, 5} \end{bmatrix}, \hat{\mathbf {B}}_0^* = \begin{bmatrix} \mathbf {b}_{0, 1}^*\\ \mathbf {b}_{0, 3}^*\\ \mathbf {b}_{0, 4}^* \end{bmatrix}\), \(\hat{\mathbf {B}}_k = \begin{bmatrix} \mathbf {b}_{k, 1}\\ \mathbf {b}_{k, 2}\\ \mathbf {b}_{k, 7} \end{bmatrix}, \hat{\mathbf {B}}_k^* = \begin{bmatrix} \mathbf {b}_{k, 1}^*\\ \mathbf {b}_{k, 2}^*\\ \mathbf {b}_{k, 5}^*\\ \mathbf {b}_{k, 6}^* \end{bmatrix}\) for \(k = 1, 2\), and then output

  • \( \mathsf {KeyDer}( msk , \mathcal {A}= \{\mathbf {x}_{k = 1, 2} \in \mathbb {Z}_p^2 :\mathbf {x}_{k, 1} = 1\}) \rightarrow { sk}_{\mathcal {A}}:\) generate \(\alpha , y_0 \in _R \mathbb {Z}_p,\) \(\mathbf {y}_k \in _R \mathbb {Z}_p^2\) for \(k = 1, 2\), compute vectors \(\mathbf {k}_0^* = \begin{bmatrix} \alpha&0&1&y_0&0 \end{bmatrix} \mathbf {B}_0^* = \begin{bmatrix} \alpha&1&y_0 \end{bmatrix} \hat{\mathbf {B}}_0^* \), \(\mathbf {k}_k^* = \begin{bmatrix} \alpha \mathbf {x}_k&\mathbf {0}_{\mathbb {Z}_p^2}&\mathbf {y}_k&0 \end{bmatrix} \mathbf {B}_k^* = \begin{bmatrix} \alpha \mathbf {x}_k&\mathbf {y}_k \end{bmatrix} \hat{\mathbf {B}}_k^* \), and output secret key \({ sk}_{\mathcal {A}}= ({ pk}, \mathcal {A},\{\mathbf {k}_k^*\}_{k = 0, \ldots , 2})\)

  • \(\mathsf {Enc}({ pk}, M \in \mathbb {G}_T, \mathbb {S}= (\mathbf {v}_1, \mathbf {v}_2)) \rightarrow { ct}:\) generate uniformly random values \(a_1, a_2, \zeta ,\eta _0, \eta _k, \theta _k\) for \(k = 1, 2\) from \(\mathbb {Z}_p\), compute \(a = a_1 + a_2\),

    $$\begin{aligned} \mathbf {c}_0&= \begin{bmatrix} -a&0&\zeta&0&\eta _0 \end{bmatrix} \mathbf {B}_0 = \begin{bmatrix} -a&\zeta&\eta _0 \end{bmatrix} \hat{\mathbf {B}}_0,\\ \mathbf {c}_k&= \begin{bmatrix} a_k \mathbf {e}_{k, 1} + \theta _k \mathbf {v}_k&\mathbf {0}_{\mathbb {Z}_p^4}&\eta _k \end{bmatrix} \mathbf {B}_k = \begin{bmatrix} a_k \mathbf {e}_{k, 1} + \theta _k \mathbf {v}_k&\eta _k \end{bmatrix} \hat{\mathbf {B}}_k \quad \text {for } k = 1, 2,\\ c_3&= G_T^{\zeta } M, \end{aligned}$$

    where \(\mathbf {e}_{k,1} = (1, 0)\) is the first canonical basis vector of \(\mathbb {Z}_p^2\), and output \({ ct}= (\mathbb {S}, \mathbf {c}_0, \mathbf {c}_1, \mathbf {c}_2, c_3) \in \mathbb {Z}_p^4 \times \mathbb {G}_1^{19} \times \mathbb {G}_T\)

  • \(\mathsf {Dec}({ sk}_{\mathcal {A}}, { ct}) \rightarrow M:\) output \(M = c_3 / \left( e(\mathbf {c}_0, \mathbf {k}_0^*)\, e(\mathbf {c}_1, \mathbf {k}_1^*)\, e(\mathbf {c}_2, \mathbf {k}_2^*)\right) \) if the key and the ciphertext can be properly parsed and \(\mathbf {x}_k \cdot \mathbf {v}_k^\mathrm {T} = 0 \mod p\) for \(k = 1,2\), and otherwise output \(\bot \).

Since attribute vectors have their first coordinates set to 1 (the second coordinates specify the slopes of the \(\mathbb {Z}_p\)-lines accepted by the access structure), the attribute set may be identified with \(\mathbb {Z}_p^2\). Correctness follows from dual orthonormality: the exponent of \(e(\mathbf {c}_0, \mathbf {k}_0^*)\) is \(-a\alpha + \zeta \) and that of \(e(\mathbf {c}_k, \mathbf {k}_k^*)\) is \(\alpha (a_k \mathbf {x}_{k,1} + \theta _k\, \mathbf {x}_k \cdot \mathbf {v}_k^\mathrm {T}) = \alpha a_k\) when \(\mathbf {x}_{k,1} = 1\) and \(\mathbf {x}_k \cdot \mathbf {v}_k^\mathrm {T} = 0\), so the three pairings multiply to \(G_T^{\zeta }\). Okamoto and Takashima proved that this CP-ABE scheme is correct and adaptively payload-hiding against chosen-plaintext attacks under the DLIN assumption over \(\mathbb {G}_1\) and \(\mathbb {G}_2\) [25, Theorem 2].
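The dual orthonormal bases of Appendix A.3/A.4 and the decryption of the \(d = 2\) scheme above, checked in the exponent. This is an added example and not the paper's code: it represents every group element by its discrete logarithm, so a basis vector \(\mathbf {b}_{k,i}\) is the row \(\mathbf {X}_{k,i}\) of \(\mathbb {Z}_p^{N_k}\) and an element \(e(P_1, P_2)^t\) of \(\mathbb {G}_T\) is the scalar \(t\); the prime \(p\) is a 61-bit Mersenne prime chosen only so the arithmetic runs, and the dictionary field names are the author's own. It verifies the algebra (that \(\mathbf {X}_k \mathbf {V}_k^\mathrm {T} = \psi \mathbf {I}\) and that the pairings cancel to \(G_T^{\zeta }\) exactly when the access check passes) and gives no security whatsoever; a real implementation needs an actual asymmetric pairing group.

```python
"""Exponent-level simulation of the dual orthonormal bases (Appendix A.3) and of
the d = 2 Okamoto-Takashima CP-ABE (Appendix A.4).  Added example, not the paper's code.

Group elements are stored by discrete logarithm: b_{k,i} = (P_1^{X_{k,i,1}}, ...) is the
row X_{k,i} of Z_p^{N_k}, and e(P_1, P_2)^t in G_T is the scalar t.  This checks the
algebra (correctness) only; it is not a secure implementation."""
import secrets

P = 2**61 - 1          # prime group order p, constructed for this example only
N0, NK = 5, 3 * 2 + 1  # N_0 = 5 and N_k = 3 n_k + 1 with n_1 = n_2 = 2

def rand_zp():
    return secrets.randbelow(P)

def mat_inverse(M):
    """Gauss-Jordan inverse over Z_p; returns None if M is singular."""
    n = len(M)
    A = [row[:] + [int(i == j) for j in range(n)] for i, row in enumerate(M)]
    for c in range(n):
        piv = next((r for r in range(c, n) if A[r][c]), None)
        if piv is None:
            return None
        A[c], A[piv] = A[piv], A[c]
        s = pow(A[c][c], P - 2, P)
        A[c] = [(x * s) % P for x in A[c]]
        for r in range(n):
            if r != c and A[r][c]:
                f = A[r][c]
                A[r] = [(a - f * b) % P for a, b in zip(A[r], A[c])]
    return [row[n:] for row in A]

def dual_orthonormal_bases(n, psi):
    """Step 2 of the generator: X in GL_n(Z_p), V = psi (X^T)^-1; rows are b_i and b_i^*."""
    while True:
        X = [[rand_zp() for _ in range(n)] for _ in range(n)]
        XT_inv = mat_inverse([list(col) for col in zip(*X)])
        if XT_inv is not None:
            return X, [[(psi * x) % P for x in row] for row in XT_inv]

def pair(x, y):
    """e(x, y) = prod_i e(X_i, Y_i) for x in V, y in V*, as an exponent of e(P_1, P_2)."""
    return sum(a * b for a, b in zip(x, y)) % P

def combine(coeffs, rows):
    """prod_i b_i^{c_i}, i.e. the row vector (c_1 ... c_m) . B for the given basis rows."""
    return [sum(c * row[i] for c, row in zip(coeffs, rows)) % P for i in range(len(rows[0]))]

def is_dual_orthonormal(B, Bs, psi):
    """e(b_i, b_j^*) = e(P_1, P_2)^{psi delta_ij}, i.e. X V^T = psi I."""
    n = len(B)
    return all(pair(B[i], Bs[j]) == (psi if i == j else 0) for i in range(n) for j in range(n))

def hat_rows(B, idx):
    """1-based row selection, matching the hat-bases of Setup."""
    return [B[i - 1] for i in idx]

def setup():
    psi = 1 + secrets.randbelow(P - 1)  # psi in Z_p^*, so G_T = e(P_1, P_2)^psi
    (B0, B0s), (B1, B1s), (B2, B2s) = (dual_orthonormal_bases(n, psi) for n in (N0, NK, NK))
    pk = {"gT": psi, "B0": hat_rows(B0, (1, 3, 5)),
          "Bk": [hat_rows(B1, (1, 2, 7)), hat_rows(B2, (1, 2, 7))]}
    msk = {"B0s": hat_rows(B0s, (1, 3, 4)),
           "Bks": [hat_rows(B1s, (1, 2, 5, 6)), hat_rows(B2s, (1, 2, 5, 6))]}
    return pk, msk

def keyder(msk, x1, x2):
    """Key for attribute pair (x_1, x_2) with x_{k,1} = 1; k_k^* = [alpha x_k, y_k] B^_k^*."""
    alpha, y0 = rand_zp(), rand_zp()
    k0 = combine([alpha, 1, y0], msk["B0s"])
    ks = [combine([alpha * x[0] % P, alpha * x[1] % P, rand_zp(), rand_zp()], Bs)
          for x, Bs in zip((x1, x2), msk["Bks"])]
    return {"A": (x1, x2), "k": (k0, ks[0], ks[1])}

def enc(pk, M, v1, v2):
    """M is an element of G_T given as an exponent of e(P_1, P_2); S = (v_1, v_2)."""
    a1, a2, zeta, eta0 = (rand_zp() for _ in range(4))
    c0 = combine([(-(a1 + a2)) % P, zeta, eta0], pk["B0"])
    cs = []
    for a_k, v, B in zip((a1, a2), (v1, v2), pk["Bk"]):
        theta, eta = rand_zp(), rand_zp()
        # a_k e_{k,1} + theta_k v_k in coordinates 1-2, eta_k in coordinate 7
        cs.append(combine([(a_k + theta * v[0]) % P, theta * v[1] % P, eta], B))
    return {"S": (v1, v2), "c": (c0, cs[0], cs[1]), "c3": (pk["gT"] * zeta + M) % P}

def pairing_product(sk, ct):
    """Exponent of e(c_0,k_0^*) e(c_1,k_1^*) e(c_2,k_2^*); equals psi*zeta iff the key fits."""
    return sum(pair(c, k) for c, k in zip(ct["c"], sk["k"])) % P

def dec(sk, ct):
    """Returns M if x_k . v_k = 0 mod p for k = 1, 2 (the access check of Dec), else None."""
    if any((x[0] * v[0] + x[1] * v[1]) % P for x, v in zip(sk["A"], ct["S"])):
        return None
    return (ct["c3"] - pairing_product(sk, ct)) % P
```

A run consists of `pk, msk = setup()`, a key `keyder(msk, (1, s1), (1, s2))` for two slopes, a ciphertext `enc(pk, M, (-s1 % P, 1), (-s2 % P, 1))` whose lines contain those attributes, and `dec(sk, ct)`, which returns `M`. `pairing_product` is exposed separately so one can see that for a key whose slope does not lie on an accepted line the product drifts away from \(G_T^{\zeta }\) by \(G_T^{\alpha \theta _k (\mathbf {x}_k \cdot \mathbf {v}_k^\mathrm {T})}\), which is why `dec` refuses rather than returning garbage.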


© 2019 Springer Nature Switzerland AG

Cite this paper

Camenisch, J., Dubovitskaya, M., Towa, P. (2019). Efficient Fully Secure Leakage-Deterring Encryption. In: Albrecht, M. (eds) Cryptography and Coding. IMACC 2019. Lecture Notes in Computer Science(), vol 11929. Springer, Cham. https://doi.org/10.1007/978-3-030-35199-1_6

  • DOI: https://doi.org/10.1007/978-3-030-35199-1_6

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-35198-4

  • Online ISBN: 978-3-030-35199-1
