Revocable Identity-based Encryption with Bounded Decryption Key Exposure Resistance: Lattice-based Construction and More
- A. Takayasu and Y. Watanabe
- Theoretical Computer Science
- To appear
In general, identity-based encryption (IBE) does not support an efficient revocation procedure. In ACM CCS’08, Boldyreva et al. proposed revocable identity-based encryption (RIBE), which enables us to efficiently revoke (malicious) users in IBE. In PKC 2013, Seo and Emura introduced an additional security notion for RIBE, called decryption key exposure resistance (DKER). Roughly speaking, RIBE with DKER guarantees that security is not compromised even if an adversary gets (a number of) short-term decryption keys. Therefore, DKER captures realistic scenarios and is an important notion. In this paper, we introduce bounded decryption key exposure resistance (B-DKER), where an adversary is allowed to get an a-priori bounded number of short-term decryption keys in the security game. B-DKER is a weak version of DKER, but it seems to be sufficient for practical use. We obtain the following results:

- We propose a lattice-based (anonymous) RIBE scheme with B-DKER, which is the first lattice-based construction resilient to decryption key exposure. Our lattice-based construction is secure under the learning with errors assumption. A previous lattice-based construction satisfies anonymity but is vulnerable even with a single decryption key exposure.
- We propose the first pairing-based RIBE scheme that simultaneously realizes anonymity and B-DKER. Our pairing-based construction is adaptively secure under the symmetric external Diffie-Hellman assumption.

Our two constructions rely on cover-free families to satisfy B-DKER, whereas all the existing works rely on the key re-randomization property to achieve DKER.