1. Introduction
Identity-based encryption (IBE) was first introduced by Shamir [
1] in 1985, which allows a sender to use the recipient’s identity to encrypt a message. An identity is a unique string directly linking to a user, e.g., an email address, a student ID number, an employee ID, etc. The first IBE scheme was proposed by Boneh and Franklin [
2] in 2001. Though IBE reduces the management cost for traditional public key infrastructures, a drawback of IBE is that an encrypted datum can be only shared at a coarse-grained control level. This may not be suitable in the real world because the sender should know the particular recipient in advance. In a system, there may be a lot of users, and the identities of recipients may be uncertain when a message is encrypted. To solve the issue, Katz, Sahai and Waters [
3] conceptualized inner product encryption (IPE) in 2008. In an IPE scheme, each ciphertext is associated with an attribute vector
that can be decrypted by a private key associated with a predicate vector
if and only if the inner product of
and
is zero, denoted by
. IPE can be viewed as the generalization for several cryptographic primitives. For example, given two identities,
, we can encode it into two vectors,
, and we have
Thus, we are able to represent the functionality of IBE using IPE. Since then, lots of IPE scheme have been proposed [
4,
5,
6,
7,
8,
9,
10,
11]. In additional to its theoretical value, IPE provides lots applications in fine-grained access control as well. Using the encoding technique, IPE can be converted into many types of one-to-many encryption, such as broadcast encryption [
12,
13,
14], attribute-based encryption [
15,
16,
17] and subset predicate encryption [
18,
19,
20]. Therefore, by adopting IPE, one can realize multiple kinds of flexible access control using only a single cryptographic primitive. Recently, more applications for IPE have been developed, e.g., privacy-preserving video streaming [
21], access control for WBAN [
22], secure keyword searching [
23] and outsourced data integration [
24]. It shows the possibility for the application of IPE in various environments.
Traditionally, IPE is a centralized architecture, which needs a trusted server to issue private keys for all users. However, a centralized paradigm may not be practical in a real-world environment. In practice, the privileges of a user are usually given by different authorities. In addition, a centralized architecture would suffer from the problem of a single point of failure. To cope with these problems, Michalevsky and Joye gave the first Decentralized IPE (DIPE) scheme [
25] in 2018. In a DIPE scheme, there are multiple authorities. For a user, each authority will output a partial private key for this user, without interaction with each other.
After studying the DIPE scheme of Michalevsky and Joye, we found two problems. One problem is the large ciphertext size. In their scheme, the ciphertext size is
group elements, where
n is the length of attribute/predicate vector and
k is the parameter of
k-linear assumption. Since
k can be viewed as a part of the security parameter, which is a constant, the ciphertext size is linear to the length of attribute/predicate vector. Another problem is that, in their scheme, each authority is responsible for issuing a private key for only an element in the user’s predicate vector. This setting brings two disadvantages. First, unlike to decentralized attribute-based encryption [
26,
27,
28], where the attributes of a user is independent to each other, the elements in a predicate vector for a user are usually closely bonded. Second, since each authority issues a partial private key for one element in a predicate vector, the number of authorities must equal to the length of predicate vector, which may not be practical, i.e., in the scheme of [
25], an authority cannot responsible for multiple attributes, which is common in practice.
1.1. Contribution
In this manuscript, we propose a novel DIPE scheme with constant-size ciphertexts, and we give a formal security proof for the selective IND-CPA security under q-DBDHE assumption. We also modify the way an authority produces private keys from predicate vectors due to the aforementioned issue. In addition, we implement our construction in Python with Charm-Crypto library and C with PBC library to evaluate the performance.
1.2. Organization
In
Section 2, we introduce the notations and complexity assumption used in our manuscript, and the definition of decentralized inner product encryption. The security of DIPE is defined in
Section 2, as well. In
Section 3, we describe our proposed scheme in detail and show the correctness. In
Section 4, we give the formal security proof for our scheme. In
Section 5, we show the comparison results between our scheme and the DIPE scheme in [
25]. Finally, we conclude our work in
Section 6.
3. The Proposed Scheme
In this section, we present our decentralized inner product encryption scheme with constant-size ciphertexts. The notations used in the proposed scheme are defined in
Table 1.
The algorithm performs the following steps:
Randomly choose bilinear groups of prime order p with a generator ;
Choose an one-way hash function, ;
Output the public parameter .
Each authority in the system performs the following steps to generate its public key and its master secret key:
Choose ;
Choose ;
Choose ;
Output a public key of authority i, ;
Output a master secret key of authority , .
Each authority in the system performs the following steps to generate a part of private key for receivers in the system"
Return failure symbol ⊥ if ;
Output the private key , where
.
Unlike the
KeyGen algorithm in [
25], we use the entire predicate vector
in
performed by a single authority
.
A sender computes the ciphertext for a message and an attribute vector by the following steps:
Choose ;
Output the ciphertexts as , where
.
To decrypt, a receiver uses the private key to recover the message M from a ciphertext C as follows:
If , perform the following computation; otherwise, return ⊥;
Compute
.
Compute .
The correctness of the decryption algorithm is described as follows. For convenience, let
, for
. It is enough to show that
We first take a look at the numerator:
where
. Using the fact that
we have:
In addition, the denominator is:
4. Security Proof
In this section, we will prove the sIND-CPA security for the proposed under the ℓ-DBDHE assumption in the random oracle model.
Theorem 1.
The proposed DIPE scheme is sIND-CPA secure if the q-DBDHE assumption holds.
Proof . Assume there is a polynomial-time adversary that can win the sIND-CPA game with a non-negligible advantage. Then, we construct a PPT challenger able to solve the ℓ-DBDHE problem as follows:
First of all,
is given an instance of the
q-DBDHE problem, that is,
where
T is
or a random element of
. Then,
interacts with
in the game as follows.
Initialization.
first sends the target vector to .
Setup.
Without loss of generality, we may assume that can obtain the first master secret keys of authorities, where :
Set . Define ;
Choose ;
Compute and ;
For
,
, compute
and
following the
AuthSetup shown in
Section 3;
Send to the public keys , and the master secret key s .
Phase1.
maintains a hash list, H-list, to store the mapping result of . Then, is allowed to query the following oracles:
Hash oracle:
This oracle takes and (global identity) as input and outputs an element of . If there exists a record in the H-list, return . Otherwise, the oracle performs the following steps:
If , then randomly choose and return to ;
Choose ;
Implicitly set
by computing
This can be efficiently computed with the instance of q-DBDHE problem;
Return to and store into the H-list.
KeyExtract oracle:
Upon receiving a vector
and a global identity
from
, where
(As shown in Definition 3,
is not allowed to make a KeyExtract query with
, otherwise
can break the security trivially.)
performs as follows. For
,
can be easily computed using the algorithm
shown in
Section 3 since
knows
. As for
, it can be computed from the instance of the
ℓ-DBDHE problem by the following steps:
Query
and set
. Let
, where
Note that can be found in the H-list;
For
, compute
One can note that, in the exponent of
,
the only unknown term is
. However, the coefficient of
is
Thus, can be easily computed using the knowledge of and the instance of the ℓ-DBDHE problem;
One can note that the exponent of
is
Again, the coefficient of the unknown term
is
Therefore, can be also computed using the knowledge of and the instance of the ℓ-DBDHE problem.
Challenge.
submits two message and of the same length, and computes the challenge ciphertext as follows:
Phase2.
Same as Phase1.
Guess.
outputs a bit . outputs 1 if ; otherwise, outputs 0.
If
, then:
and hence
is a valid ciphertext. Thus, we have:
and
If
T is a random element from
, then the message
is completely hidden from the adversary’s view, since
,
and
are all independently random elements. Therefore, the advantage of the adversary is:
and
Finally, the advantage of
in solving the
ℓ-DBDHE problem is:
Therefore, if there is an adversary that wins the sIND-CPA game with a non-negligible advantage, then we can construct an algorithm to solve the ℓ-DBDHE problem with a non-negligible advantage in polynomial time. □
6. Conclusions
Thus far, there is only one decentralized inner product encryption, proposed by Michalevsky et al. in 2018. In their scheme, however, the length of ciphertexts are dependent on the number of authorities, which may become a bottleneck in the system. Therefore, we would like to solve this problem. In this manuscript, we present a novel decentralized inner product encryption which achieves constant-size ciphertexts. In addition, our scheme is proven to be selectively secure under the
ℓ-DBDHE assumption. We further implement our scheme and the scheme of [
25] to analyze the execution time. Except for the KeyGen algorithm, our work has better performance in the remaining four algorithms (Setup, AuthSetup, Encrypt, Decrypt). Yet, our scheme is the first DIPE scheme achieving constant-size ciphertext, and there are several potential improvements. One direction could be to upgrade the security to chosen-ciphertext security. Several generic methods [
31,
32,
33,
34,
35] have been proposed in the literature, however, constructing a DIPE scheme with direct chosen-ciphertext security is an open problem. In addition, the security of our scheme is proven under the random oracle model. How to construct a DIPE scheme that is secure in the standard model is also a worth-fighting goal.