1. Introduction
In modern IoT infrastructure, it is often essential to encrypt data to multiple devices at once on a group-basis, which let the data security require more advanced functionality of multi-encryption. Specifically, IoT devices are often defined and categorized by their own features, such as device types, manufacturers, affiliations, or locations; users (or devices) often need to send secure messages to a group of devices by specifying particular features. Some well-known examples are described as follows.
In smart city networks, an occupant may need to encrypt command reservations to home devices (e.g., turn-off devices of type: “lamp” and location: “living room”).
In secure firmware updates, the firmware is encrypted to a group of devices which satisfies specific conditions (e.g., update devices of manufacturer: “Tesla”).
In military communications, tactical data are encrypted to classified groups based on specific authorities (e.g., send strategy to devices of affiliation: “Air Force”).
When we apply simple encryption technique such as RSA encryption to the IoT data security, the result becomes inefficient: one should encrypt the message to each user one by one, which requires encryption process and different ciphertext as many as the number of receivers. Moreover, the RSA public key system needs to manage a public key infrastructure (PKI) to identify devices, which increases the communication and storage costs. Therefore, in the IoT data security, it is recommended to consider group-based encryption structure rather than a simple standard encryption.
Related works. Considering that the identities are often defined by attributes, attribute-based encryption (ABE) can provide a suitable functionality for secure communications. Ciphertext-policy attribute-based encryption (CP-ABE) [
1,
2,
3] associates an access policy to each ciphertext, where the access policy is defined by logical combinations (i.e., AND and OR gates) of attribute values. In this setting, the secret key is issued for a set of attributes, and users can decrypt the message only when their attributes satisfy the access policy of the ciphertext. Unfortunately, ABE focuses on more complicated access policy based on variative attributes, while IoT devices are sufficient to handle with fixed identities. To support general access policy, existing ABE schemes either suffer from large ciphertext linearly with the number of attributes or suffer from exponential keys when the ciphertext is fixed as constant.
Identity-based encryption (IBE) [
4,
5,
6] is a useful primitive where the user’s identity (e.g.,
alice@cs.univ.edu) can be utilized as a public key for encryption, which eliminates a requirement of public key certification such as public key infrastructure (PKI). The IBE can provide an interface for representing the groups or attributes, which is a building block for group-basis secure communications. Later, it advanced to hierarchical identity-based encryption (HIBE) [
7], where the identity is defined by a hierarchical set of identity strings such that keys for the identity can be distributed in a hierarchical delegation, i.e., a user at level
i can delegate keys for the user at level
. While traditional IBE requires the certificate authority (CA) to issue keys for the entire users, the HIBE allows each user to share the burden of key delegation to resolve the bottleneck problem. The intuition of key delegation technique in the HIBE system has been advanced to other various cryptographic primitives, such as broadcast encryption [
8,
9,
10].
Considering the fact that many email addresses consist of affiliations, Abdalla et al. [
11] extended HIBE to an advanced primitive called wildcarded identity-based encryption (WIBE) by introducing wildcard (*), which can be superceded by any identity string in a set of identity strings. A pattern (or an identity) is defined as a set of multiple identity strings and wildcards, and it efficiently determines a group of identities or a single identity. WIBE utilizes a pattern as a public key for encryption; a single ciphertext encrypted for a pattern (edu, univ, cs, *) (corresponding to *@cs.univ.edu) can be delivered to multiple identities such as
alice@cs.univ.edu and
bob@cs.univ.edu.
Abdalla’s group proposed three different WIBE systems by extending the existing HIBE schemes. However, all of them suffer from large ciphertext size which is at least
where
L is the maximum depth of pattern (i.e., the number of identity strings). Birkett et al. [
12] devised compilation techniques called WIB-KEM, which can convert any CPA-secure WIBE into CCA-secure identity-based key encapsulation mechanisms with wildcards. They achieved more efficient CCA-secure WIBE systems by applying their techniques to the Abdalla’s CPA-secure WIBE schemes [
11]. However, the ciphertext size still remains as
, which is as large as the underlying WIBE schemes. Later, Abdalla’s group introduced IBE with wildcarded key derivation (WKD-IBE) [
13], which can include wildcarded pattern in the key derivation of HIBE. They combined the WKD-IBE with their WIBE [
11] construction, where wildcarded pattern can be included both in encryption and key derivation, and upgraded the notion of WIBE to WW-IBE [
14]. Still, the ciphertext size in WW-IBE [
14] is not improved from the original WIBE [
11], which is not scalable in IoT systems.
Ciphertext size. The ciphertext size is an important factor, since ciphertext is an actual payload which is transmitted to the network in real applications. Unfortunately, ciphertext size in existing WIBE schemes [
11,
14] are not constant; it increases linear to the maximum depth of pattern. The main reason is that the WIBE construction let the decryptor transform the ciphertext to his own matching pattern. In brief, the ciphertext should include additional parameters for the wildcarded pattern so that the wildcard can be transformed to the matching key element, based on the key delegation technique from BBG-HIBE [
7].
As an alternative approach, the authors of WIBE [
11] describes a generic construction of WIBE from HIBE, which can maintain the constant-size ciphertext of the HIBE ingredient. However, this technique results in an excessive secret key size, exponential to the depth of pattern. The main idea in this generic construction is to let the user store secret keys for every possible cases for decryption, instead of transforming the ciphertext. For example, to decrypt the ciphertext encrypted for pattern (
,
), a user stores keys for every possible matching patterns: (
,
), (*,
), (
, *), (*, *). This leads to the secret key size exploded up to
which is not reasonable to be used, e.g., in small IoT devices.
Solution. The main barrier of ciphertext size in WIBE is that the decryptor needs to delegate the ciphertext to his own matching pattern. For instance, if a decryptor with an identity (, ) decrypts a ciphertext for (, *), he transforms the * to by the help of additional parameters in order to match his own pattern (, ). This lets the ciphertext include extra parameters related to each wildcard, which cannot be compressed to a constant value.
The problem can be resolved by reversing the transformation method: instead of delegating the wildcard to the matching pattern, the decryptor may prune his own pattern to match the wildcard. Specifically, the wildcard is considered as a distinct pattern, and additional pruning keys corresponding to the user’s patterns can be provided so that any pattern can be transformed to the wildcard pattern. For example, if a decryptor with an identity (, ) decrypts a ciphertext for (, *), he transforms his to * by using his own pruning key, in order to match the ciphertext pattern (, *). Note that the pruning key is only required for the depth of pattern L, which just doubles the secret key. As a result, the ciphertext does not require any additional parameters for delegation and the size can remain constant.
Scalable WIBE. Based on the idea, Kim et al. [
15] proposed scalable wildcarded identity-based encryption (SWIBE), which achieves a constant-size ciphertext while maintaining the order of other parameters. SWIBE can efficiently cover the multi-encryption requirements in the IoT examples: with a single encryption and a constant ciphertext, one can encrypt to any group of multiple users by specifying the attributes of receivers.
SWIBE scheme also allows wildcarded patterns both in encryption and key derivation as in WW-IBE [
14], i.e., one can encrypt a message to multiple users by using wildcarded patterns, or delegate keys to other users if the identity includes wildcards. Compared to the WW-IBE, SWIBE also improves decryption time, since a user in WW-IBE requires a delegation of the given ciphertext to his own pattern while SWIBE allows a user to decrypt the ciphertext immediately. The practicality of SWIBE is justified by implementing the protocol on a real IoT device, and comparing experimental results with the existing works.
Table 1 shows an overall comparison between hierarchical IBE (HIBE) [
7], wildcarded IBE (WIBE) [
11], wildcarded key derivation IBE (WKD-IBE) [
13], WW-IBE [
14], ciphertext policy ABE (CP-ABE) [
3], and our proposed scalable WIBE (SWIBE) scheme. The comparison focuses on the size of public parameter (pp), secret key (SK), ciphertext (CT) and execution time of encryption (Enc), decryption (Dec), while the identity (pattern) depth is fixed as
L and each identity is a q-bit string.
For the wildcard use, HIBE does not support wildcard, WIBE and CP-ABE supports wildcard only in encryption, WKD-IBE supports wildcard only in key derivation, while WW-IBE and SWIBE allow wildcard both in encryption and key derivation. For the ciphertext policy in CP-ABE, we assumed each bit in the ID as an attribute. Among the WIBE schemes which allow wildcards in encryption (WIBE, WW-IBE, SWIBE), only SWIBE has a constant-size ciphertext of 4 group elements regardless of the depth L. While supporting wildcarded pattern both in key derivation and encryption, SWIBE improves the decryption time compared to the WW-IBE.
Selective security. Despite the novel advantages, one remaining challenge is that the security of SWIBE relies on the selective security. In the selective security, the security model assumes that the target devices (i.e., devices which adversary desires to attack) are fixed before the security game. However, in real-life situation, we often cannot predict which devices are vulnerable, and which devices the attackers are planning to exploit. Therefore, for more robust security, it is recommended to advance the scheme to achieve full-security, i.e., IND-CPA secure without selective security.
Fully-secure SWIBE. In this paper, we extend selectively-secure SWIBE [
15] to a fully-secure version, by modifying the SWIBE construction based on the composite order group. The composite order group sets the size of the cyclic group
N as a composite number instead of a prime, to create different subgroups and let them cancel each other when computed in the pairing operation. This technique can disguise public elements while maintaining the correctness of the protocol, which can achieve the full security instead of the selective security. Based on the idea, we propose a new version of SWIBE protocol which satisfies full security, and formally prove the security under the standard assumptions.
We now summarize the main contributions of SWIBE, and SWIBE with full security.
- -
Scalable wildcarded identity-based encryption (SWIBE) achieves constant-size ciphertext among the WIBE systems, without sacrificing the order of other parameters.
- -
SWIBE is formally proved to satisfy IND-sID-CPA security, and it is extended to satisfy IND-sID-CCA security.
- -
We provide practical experimental results based on a small IoT device with 500 MHz Atom processor.
- -
This paper additionally proposes a fully secure (IND-ID-CPA-secure) SWIBE construction to overcome the selective security, and we formally prove the IND-ID-CPA security.
The rest of this paper is organized as follows.
Section 2 introduces the basic definitions and complexity assumptions. In
Section 3, we formally define the wildcard identity-based encryption as a universal primitive.
Section 4 explains the main idea of the SWIBE scheme and how to construct it in details, along with the security proof.
Section 5 extends it to be CCA secure, and
Section 6 proposes a new version of SWIBE in composite order to obtain full security instead of selective security. In
Section 7, we show the experimental results and in
Section 8, we conclude.
3. Model
SWIBE allows general key delegation and encryption to a group that is denoted by multiple identity strings and wildcards. To make the further description simple and clear, we define the following notations similarly to [
11].
Definition 2. A pattern P is a vector , where * is a special wildcard symbol, p is a q-bit prime number, and L is the maximal depth of the SWIBE scheme. We denote pattern P as in instead of , since can be easily mapped to with a hash function.
Definition 3. A pattern belongs to P, denoted , if and only if ∨.
Definition 4. A pattern matches P, denoted , if and only if , ∨∨.
Notice that a set of patterns matching P is includes patterns belonging to P. For a pattern , we define as a set of all wildcard indices in P, i.e., the indices such that , and as a complementary set including all non-wildcard indices. Clearly, and .
Definition 5. denotes a set including all wildcard indices in a pattern P.
Definition 6. represents a complementary set containing all non-wildcard indices in a pattern P.
A scalable wildcarded identity-based encryption consists of four algorithms:
takes as input the maximal hierarchy depth L. It outputs a public parameter and master secret key .
takes as input a user secret key for a pattern and can derive a secret key for any pattern . The secret key of the root identity is .
takes as input pattern , message and public parameter . It outputs ciphertext C for pattern P.
takes as input user secret key for pattern and ciphertext C for pattern . Any user with the secret key for a pattern P which matches can decrypt the ciphertext using , and the algorithm outputs message m.
Correctness requires that for all key pairs (, ) output by , all messages , and all patterns such that , .
SECURITY. We define the security of SWIBE scheme similar to the original WIBE [
11], except we also consider the key delegation property. We allow an adversary to select an arbitrary pattern and query secret keys for the corresponding pattern. The adversary is disallowed to ask a key derivation query for any pattern matching the challenge pattern. The security of SWIBE is defined by an adversary
and a challenger
via the following game. Both
and
are given the hierarchy depth
L and the identity bit-length
q as inputs.
- Setup:
Challenger runs to obtain public parameter and master secret key . gives public parameter .
- Key derivation queries:1:
Adversary issues key derivation queries , , in which a key derivation query consists of a pattern , and challenger responds with .
- Query phase1:
Adversary issues decryption queries in which a decryption query consists of a pattern and ciphertext C, next challenger responds with a message .
- Challenge:
outputs two equal-length challenge messages and a challenge identity s.t. for all queried . runs algorithm for random bit b and gives to .
- Key derivation queries:2:
Attacker continues to issue key derivation queries same as where query pattern . responds as in key derivation query 1.
- Query phase2:
Attacker continues to issue decryption queries same as . It should be satisfied that queried ciphertext . responds as in query phase 1.
- Guess:
outputs its guess for b and wins the game if .
Definition 7. A is IND-ID-CCA-secure if all t-time adversaries making at most queries to the key derivation oracle and at most queries to the decryption oracle have at most advantage ϵ in the IND-ID-CCA game described above.
We also define IND-ID-CPA-secure similar as IND-ID-CCA game except forbidden all decryption queries.
Definition 8. A is IND-ID-CPA-secure if all t-time adversaries making at most queries to the key derivation oracle have at most advantage ϵ in the IND-ID-CPA game described above.
SELECTIVE-IDENTITY SECURITY. A weaker selective-identity (sID) security notion IND-sID-CPA is defined analogously to the IND-ID-CPA one: every procedure is the same except that the adversary must commit to the challenge identity at the beginning of the game, before the public parameter is made available.
4. The Proposed Scheme
In this section, we describe the proposed scalable wildcarded identity based encryption scheme (SWIBE). Before presenting the formal scheme, we first describe the BBG-HIBE construction [
7], which is a main building block for WIBE systems including SWIBE, along with our main idea to achieve constant-size ciphertext in
Section 4.1. Then we provide SWIBE construction in
Section 4.2, and show the formal security proof in
Section 4.3.
4.1. Overview: BBG-HIBE and Our Idea
The BBG-HIBE scheme [
7] is described as follows:
Setup(L):L indicates the maximum hierarchy depth. Select a random integer , and random group elements , and compute .
The public parameters and the master secret key are given by
KeyDer(,
P): To compute the secret key
for an identity
where
from the master secret key, a random
is chosen, then secret key
for
P is constructed as
The private key for
P can be generated incrementally, given a private key for the parent identity
. Let
be the private key for
. To generate
, pick a random
and output
Encrypt(,
P,
M): To encrypt a message
to pattern
, choose
, and compute
Decrypt(,
C): Consider an identity pattern
. To decrypt a given ciphertext
with private key
, output
The BBG-HIBE scheme [
7] has the advantage of constant-sized ciphertexts. The ciphertext consists of only three elements:
. When observing the secret key,
and
are responsible for the decryption, while
stands for further key delegations. The pattern
is combined as a single element
, and we can delegate
to another extended pattern
by additionally combining the
into the
. Since the united element
directly involves the pattern and the element can be canceled by multiplying its inverse, we observe that secret key for some pattern can be replaced to another secret key for a different pattern by multiplication. For instance, it is possible to compute
by multiplying
to
.
The wildcard pattern can work in a similar way: when we consider the wildcard * as a fixed identity, i.e., a mapped element , we may change an identity to the wildcard by including for every identity string in a secret key and replacing with . However, this approach has a security problem; the extra allows the adversary to compute by combining , which reveals the top level secret key by canceling from . With the top level secret key, the adversary can generate any secret keys as he desires, which is a significant problem.
We resolve this issue by randomizing the wildcard part, by using another random independent from r. Specifically, we revise the extra key as , and also provide with , to let the decryption work correctly. For instance, the key for is changed to for by multiplying .
The remaining issue is that the encryption requires some adjustments, to be compatible with the modification of random t. For example, to encrypt for the pattern , the pattern is divided into wildcard part and non-wildcard part. The non-wildcard identity part is encrypted as , same as the BBG-HIBE. Then the wildcard identity part is encrypted as , which can later be used in decryption to cancel out the wildcard part of user secret key. In summary, the ciphertext can remain as constant with an additional single group element to the original BBG-HIBE ciphertext which is three group elements, and the key size also remains efficient, linear to the number of patterns, within the same order compared with the BBG-HIBE.
The complete scheme is represented in the following
Section 4.2 with assuming the value
. Then we formally prove the security of the scheme in
Section 4.3.
4.2. SWIBE Construction
We now describe the SWIBE scheme which achieves constant size ciphertext and size keys.
Setup(L): Let L indicate the maximum depth of the pattern. The initial set of keys are generated as follows. Sample , and group elements randomly, and compute .
The public parameter is given by
A master secret key is set as .
KeyDer(,
,
): To derive the secret key
for a pattern
from the
, two randoms
are chosen. Then, the secret key
for
is computed as
In order to generate secret key
for a pattern
from secret key
for a pattern
P such that
, simply choose two randoms
and output
, where
Encrypt(,
P,
m): To encrypt a message
to pattern
under
, choose
, and compute
Decrypt(,
C,
): Consider patterns
P and
∪
, where
P is a key pattern and
is a ciphertext pattern. To decrypt a given ciphertext
with private key
, compute
and output
The correctness of the decryption is described as follows. We denote = , = , = , and = to simplify notations.
Since
,
,
, and
,
Since
=
and
= ∅,
=
. Similarly, since
=
and
= ∅,
=
. Therefore,
Since
,
for
.
Since
=
and
= ∅,
=
.
4.3. Security Proof
In this section, we show the formal proof for IND-sID-CPA-security of SWIBE scheme in the standard model.
Theorem 1. Let be a bilinear group of prime order p. Suppose the decisional -BDHE assumption holds in . Then our SWIBE is sID-CPA secure for arbitrary L, and , where and denote the execution times of scalar multiplication and pairing in , respectively.
Proof. Suppose has advantage in attacking the SWIBE scheme. Using , we build an algorithm that solves the (decisional) L-BDHE problem in .
For a generator and , let . Algorithm is given as input a random tuple (, , , , , T) that is either chosen from where or from where T is uniformly distributed in . The goal of algorithm is to output 1 when the input is sampled from and 0 otherwise. Algorithm interacts with in a selective subset game as follows:
Init: The game begins with first outputting an identity vector .
Setup: To generate the public parameter, algorithm picks a random in and sets and . Next, picks random for , and sets for and for . Algorithm also picks a random in and sets .
Key derivation queries: Suppose that adversary
queries a key derivation query for pattern
. The definition of the security experiment says that
. Therefore, there exists an index
such that
. We define
k to be the smallest one among all possible indices.
picks two random
and (implicitly) sets
and
. Secret key
for
P is constructed as
We split this term up into two factors
, where
is the third product only. We can check that
Z can be computed by
, i.e., the terms
only appear with indices
. Term
A can be expressed as
Hence,
can be computed by
. Furthermore,
and for each
,
can be computed since
.
And for each
,
If , . So can compute it. Otherwise also can compute it since and does not appear in the equation.
Challenge: For the challenge,
computes
,
, and
as
h,
, and
. Then, it selects a random bit
and sets
. It returns
as a challenge to
. We claim that if
(i.e., the input to
is an
L-BDHE tuple) then
is a valid challenge to
as in a real attack. To see this, write
for some (unknown)
. Then
and
Therefore, by definition, and hence is a valid challenge to . On the other hand, when T is randomly chosen in (i.e., the input to is a random tuple) then is just a random independent element in to .
Guess: Finally, outputs a guess . Algorithm terminates its own game by outputting a guess as follows. If then outputs 1 meaning . Otherwise, it outputs 0 denoting that T is random in .
When the input tuple is chosen from
(where
) then
satisfies
. When the input tuple is selected from
(where
T is uniform in
) then
. Therefore, with
uniform in
,
uniform in
, and
T uniform in
we have that
□
5. Extension to CCA Security
In this section, we show the extension of CPA-secure SWIBE to satisfy CCA-security, by applying the similar technique from the extension in [
19]. Given any one-time signature scheme
with a verification key as a
q-bit string, we construct an
L-level SWIBE
,
,
,
secure against chosen-ciphertext attacks using the
-level
,
semantically secure SWIBE. The idea is that
∪
in
is mapped to
,
,
,
∪
in
. Thus, the secret key
for
P in
is the secret key
in
. Recall that
can generate secret keys for all descendants of node
. When encrypting a message
m to
in
, the sender generates a
q-bit verification key
and encrypts
m to
using
.
The construction of L-level utilizing -level and a one-time signature scheme is as follows:
Setup(L) runs to obtain . Given , , and , the public parameter is and the master secret key is .
KeyDer(, , ) is the same as the algorithm.
Encrypt() runs algorithm to obtain a signature signing key and a verification key . For a given pattern , encode P to , compute and , and output
Decrypt(): Let .
Verify that is the valid signature of C under the key . If invalid, output ⊥.
Otherwise, check , generate , for , and run (, C, ) to extract the message.
Theorem 2. Let be a bilinear group of prime order p. The above SWIBE Π is , +, CCA-secure assuming the SWIBE is , , 0, semantically secure in and signature scheme is , strongly existentially unforgeable with , , where is exponential time, is pairing time, and is sum of , and computation time.
Proof. Assume there exists a t-time adversary, , such that . We build an algorithm , which has advantage in . Algorithm proceeds as follows.
Setup: gets the public parameter of and also gets secret keys for from challenger .
Since generates secret keys in a compressed way using wildcard *, can be categorized into the following two cases:
for
for and .
responds with and secret keys of the first type of . (Recall that the secret key where .) The secret keys of the second type of are utilized to respond to the decryption queries of as described in the below.
Query phase1: Algorithm issues decryption queries. Let be a decryption query where and where is a pattern of ciphertext. Let , , . Algorithm responds as following:
Execute to verify the signature on using verification key . If the signature is invalid, then responds with ⊥.
If , a forge event occurs, algorithm outputs a random bit and aborts the simulation.
Otherwise, decrypts the ciphertext using the second type of secret keys. Since , can query the key generation query for , which is second type pattern. Using , B can decrypt , where , since .
Challenge: gives the challenge
to
.
gives the challenge
to
and gets the challenge
from
. To generate challenge for
, algorithm
computes
as follows:
replies to .
Query phase2: Same as in query phase1 except can not decrypt query for C*.
Guess: The outputs a guess . outputs b.
We see that algorithm
can simulate all queries to run
.
’s success probability as follows:
To conclude the proof of Theorem 2, the remaining process is to bound the probability that aborts the simulation as a result of forge, which we claim as . Otherwise, one can use to forge signatures with a probability of at least . In brief, we can construct another simulator which knows the private key, but receives as a challenge in an existential forgery game.
In the experiment above, aborts by submitting a query which includes an existential forgery under on some ciphertexts. Our simulator utilizes the forgery to win the existential forgery game. Note that a single chosen message query is asked by adversary to generate a signature for the challenge ciphertext. Thus, . It now follows that ’s advantage is at least as required. □
6. Fully Secure Scheme
In this section, we present a new version of SWIBE based on composite order bilinear groups, to obtain full security (IND-ID-CPA) instead of selective security (IND-sID-CPA). In the original SWIBE scheme (
Section 4), the security proof was limited to the selective security, since the scheme was bound to a single group. In this case, if the challenge pattern is not committed before the game, the reduction algorithm cannot simulate secret keys (without knowing the secret factor
) for key queries from the adversary. To resolve this issue, we now construct the scheme with parameters from multiple subgroups similar to [
14], using the fact that it is difficult to determine from which group the element came from. When using the subgroup assumptions, for each pattern, the reduction can both simulate the secret key in one subgroup and embed the problem in another subgroup. Therefore, the full security can be achieved. We first introduce the definition and features of composite order bilinear groups. Then we show the decisional subgroup assumptions from Lewko and Waters (LW.1–LW.3), and present our composite order (fully-secure) SWIBE which also has a constant-size ciphertext. Finally, we prove the full security of our composite order SWIBE based on LW assumptions.
6.1. Composite Order Bilinear Groups
We describe the composite order bilinear groups as in [
14]. We use groups where the order is a product of three primes and a generator G which takes security parameter
as input and generates a description
where
are distinct primes of
bits,
and
are cyclic groups of order
N. For
, we denote the subgroup of order
as
. Considering the fact that the group is cyclic, it is easy to verify that if
g and
h are group elements of different order (belonging to different subgroups), then
.
6.2. Complexity Assumptions
We first restate the complexity assumptions we use, which were originally introduced by Lewko and Waters in [
20] and used in [
14].
Assumption LW.1: For a generator G of bilinear settings, first pick a bilinear setting and then pick and set . We define the advantage of an algorithm in breaking Assumption 1 to be: .
Assumption LW.2: For a generator G of bilinear settings, first pick a bilinear setting and then pick and set . We define the advantage of an algorithm in breaking Assumption 2 to be: .
Assumption LW.3: For a generator G of bilinear settings, first pick a bilinear setting and then pick and set and . We define the advantage of an algorithm in breaking Assumption 3 to be: .
6.3. Fully-Secure SWIBE Construction
We present the fully-secure SWIBE with constant size ciphertexts and size keys, which is based on the composite order bilinear group (). Note that W from subgroup is only a blinding factor, to be eliminated when computed in a pairing operation (due to the orthogonal property of composite order bilinear groups).
Setup(L):L indicates the maximum hierarchy depth. Choose a description of a bilinear group with known factorization and . Choose and , and compute .
The public parameter is given by
A master secret key is defined as .
KeyDer(,
,
): To compute secret key
according to pattern
from the master secret key, first two randoms
are chosen. Then random blinding factors from different subgroup
,
, and
are chosen. Secret key
for
is constructed as
In order to generate secret key
for a pattern
from secret key
for a pattern
P such that
, simply choose two randoms
, and blinding randoms
,
, and
and output
, where
Encrypt(,
P,
m): To encrypt a message
to pattern
under
, choose
, and compute
Decrypt(,
C,
): The decryption is similar to the decryption in
Section 4.2, since the elements in
will work in an equivalent way compared to the original SWIBE construction. Consider patterns
P and
∪
, where
P is a key pattern and
is a ciphertext pattern. To decrypt a given ciphertext
with private key
, compute
and output
The fact that decryption works is similar to the decryption of original SWIBE construction in
Section 4.2. Note that the blinding factors
W from subgroup
make no difference, since they will be eliminated in the pairing operations due to the orthogonal property in
Section 6.1.
6.4. Security Proof
In this section, we prove that our fully-secure SWIBE scheme in
Section 6.3 is IND-ID-CPA-secure under the Lewko and Waters assumptions (LW.1–LW.3) in
Section 6.2. The security proof is based on the hybrid games.
Before presenting hybrid games, we introduce two additional structures used in the proofs of security similar to [
14,
20]:
Semi-Functional (SF) Ciphertext. Let denote a generator of . An SF ciphertext is constructed as follows: we use the encryption algorithm to form a normal ciphertext . We choose random exponents and . Then we set: .
Semi-Functional (SF) Keys. To generate a SF key, a normal secret key
is first created, using the key derivation algorithm with
,
, and pattern
P. Then randoms are chosen:
,
, and
. Then the SF secret key is constructed as follows.
Note that SF ciphertexts can be decrypted by normal secret keys and SF secret keys can be used to decrypt normal ciphertext. But an SF ciphertext, for pattern , cannot be decrypted by an SF secret key. The decryption algorithm will compute the blinding factor multiplied by the additional term . If , decryption will still work. Such ciphertexts and secret keys are defined as nominally SF.
Theorem 3. If Assumptions LW.1, LW.2, and LW.3 hold, then our fully-secure SWIBE scheme is IND-ID-CPA (or IND-WWID-CPA [14]) secure. Proof. We prove the security via sets of hybrid games, and by showing that two games are computationally indistinguishable in each step. For the sketch of our proof, we first define the series of games. Let us assume PPT adversary with q key queries. Then we define games between and a challenger as follows.
It is the real IND-ID-CPA (or IND-WWID-CPA [
14]) security game.
This game is same as , except the fact that all key queries from the adversary is answered by fresh key generation algorithm. In the security proof, we use the term key generation for the key delegation from , which is equivalent.
It is a same game as , except the fact that the adversary cannot query for keys if the pattern is a prefix of the challenge pattern mod . We say that the pattern P is a prefix of mod if there exists i s.t. mod N and mod .
It is a same game as , except the fact that the challenge ciphertext is given as a SF ciphertext.
For k from 1 to q, is same as except the fact that the first k keys are given as SF keys. The other keys are given as normal keys from the key generation algorithm.
This game is same as , but where of challenge ciphertext has a random element in . Since is distorted with a random element, the ciphertext is now independent from the message and the adversary can have no advantage.
With the games defined above, we now introduce the outline of our hybrid games as follows.
Since the key generation algorithm has an identical distribution, it is exactly the same to call key delegation or fresh key generation from the adversary’s view.
We require that the adversary cannot obtain the key for prefix pattern of challenge ciphertext, to prevent the adversary to find the nominality in SF randoms. We prove the hybrid game by showing that prefix query itself can break the Assumption LW.2.
We construct algorithm which breaks Assumption LW.1 with a help of SWIBE CPA distinguisher . The nature of the challenge ciphertext (normal or SF) is decided by T given from the Assumption LW.1, which indicates that two games are indistinguishable from the adversary’s view.
We construct algorithm which breaks Assumption LW.2 with a help of SWIBE CPA distinguisher . The nature of the k-th key (normal or SF) is decided by T given from the Assumption LW.2, which indicates that two games are indistinguishable from the adversary’s view.
We construct algorithm which breaks Assumption LW.3 with a help of SWIBE CPA distinguisher . The nature of the ciphertext (SF or random) is decided by T given from the Assumption LW.3, which indicates that two games are indistinguishable from the adversary’s view. This concludes the proof, since the adversary can have no advantage in the final game.
We now give formal proofs for each hybrid game stated above.
- (1)
The delegated key from the key delegation algorithm has an identical distribution as the freshly generated key from the key generation algorithm. Therefore, it is straightforward that it is exactly the same whether to provide the key with delegating the previous key or to provide the key from a fresh call to the key generation algorithm.
- (2)
We define that pattern is a prefix of pattern modulo , if there exists and such that mod N and mod . In this case, divides , and therefore is a nontrivial factor of N. Since divides a, let us set . There are two cases: (1) b is in , or (2) b is not in but in . Suppose that case 1 has probability of at least . We describe algorithm that breaks Assumption LW.2. receives and T and constructs and by choosing and , and setting and . Then runs on input and uses knowledge of to answer ’s queries. At the end of the game, computes , for all Ps which are patterns for the key queries that has asked, and for which is the challenge pattern. If is the identity element of , tests if is also the identity element of . When the second test is successful, declares . Otherwise, declares . It is from the simple fact that divides a and divides b. For case 2, can break Assumption LW.2 in the same way by exchanging the roles of and , i.e., and .
- (3)
We construct algorithm that breaks Assumption LW.1 with the help of SWIBE CPA distinguisher . first receives and T from LW.1. Then starts the IND-ID-CPA game with and simulates or depending on the nature of T.
Setup: chooses , , then set and .
Key derivation queries: can answer all key generation queries from since knows .
Challenge: sends
challenge message
and a challenge pattern
where
.
flips a coin
and computes the challenge ciphertext
C as follows:
Notice that if , then T can be written as and C is a normal ciphertext with randomness s. Instead, if , then T can be written as and C is SF with randomness .
- (4)
We construct algorithm that breaks Assumption LW.2 with the help of SWIBE CPA distinguisher . first receives and T from LW.2. Then starts the IND-ID-CPA game with and simulates or depending on the nature of T.
Setup: chooses , , then set and .
Key derivation queries: There are three cases for the i-th key query with pattern P.
- (i)
case 1:
. Choose SF randoms
, and
, and
. Then choose random
,
,
, and
. Then we set the
as follows:
By writing as , we have that this is a properly distributed SF key with randomness y, , .
- (ii)
case 2: . runs key generation algorithm using .
- (iii)
case 3:
. To answer the
k-th key query,
chooses
,
,
, and
. Then the
is constructed as follows:
Notice that, if , T can be written as and the k-th secret key is a normal key with randomness . Otherwise, if , T can be written as and the k-th secret key is SF with randomness .
Challenge: sends
challenge message
and a challenge pattern
where
.
flips a coin
and computes the challenge ciphertext
C as follows:
Notice that T can be written as , and therefore this is a proper SF ciphertext with randomness .
Since the k-th secret key pattern is not a prefix of the challenge pattern modulo , we have that set and set are independent and randomly distributed. If checks that the k-th key is SF by using the above procedure (to create an SF ciphertext for k-th secret key pattern), then , which is nominally SF, and thus decryption always works (independently of T).
- (5)
We construct algorithm that breaks Assumption LW.3 with the help of SWIBE CPA distinguisher . first receives and T from LW.3. Then starts the IND-ID-CPA game with and simulates or depending on the nature of T.
Setup: chooses , then set .
Key derivation queries: For pattern
where
,
chooses
, and
, and
. Next it chooses
,
,
, and
. Then it creates a SF secret key by setting:
Challenge: sends
challenge message
and a challenge pattern
where
.
flips a coin
and computes the challenge ciphertext
C as follows:
This sets . We note that are elements of , so when are randomly chosen from , their value mod and mod are random and independent. We observe that, if , then the challenge ciphertext is a properly distributed SF with message . Otherwise, if , then the ciphertext is an SF with a random message.
Since the adversary has no advantage in (where is information-theoretically hidden), and by hybrid game is indistinguishable from , we conclude that the adversary in has a negligible advantage. □