Identity-Based Revocation from Subset Difference Methods under Simple Assumptions

Identity-based revocation (IBR) is a specific kind of broadcast encryption that can effectively send a ciphertext to a set of receivers. In IBR, a ciphertext is associated with a set of revoked users instead of a set of receivers and the maximum number of users in the system can be an exponential value in the security parameter. In this paper, we reconsider the general method of Lee, Koo, Lee, and Park (ESORICS 2014) that constructs a public-key revocation (PKR) scheme by combining the subset difference (SD) method of Naor, Naor, and Lotspiech (CRYPTO 2001) and a single revocation encryption (SRE) scheme. Lee et al. left it as an open problem to construct an SRE scheme under the standard assumption without random oracles. In this work, we first propose a selectively secure SRE scheme under the standard assumption without random oracles. We also propose a fully secure SRE scheme under simple static assumptions without random oracles. Next, we present an efficient IBR scheme derived from the SD method and our SRE scheme. The security of our IBR scheme depends on that of the underlying SRE scheme. Finally, we implemented our SRE and IBR schemes and measured the performance

Comments on “Identity-Based Revocation From Subset Difference Methods Under Simple Assumptions”

An identity-based revocation (IBR) scheme is a useful one-to-many cryptographic message transmission method in which a message can be encrypted using receivers’ identities such as e-mail addresses as public keys and a trusted message sender who holds users’ private keys is not required. Recently, a construction method for an IBR scheme was presented with symmetric broadcast encryption (SBE) schemes called SD or LSD. In this article we clarify that the SBE schemes are completely different from the original subset difference (SD) scheme by Naor, Naor, and Lotspietch or the layered SD (LSD) by Halevy and Shamir. To be precise, we show that the IBR schemes built on top of the original SD or the original LSD scheme is insecure so that even revoked users can easily decrypt a ciphertext generated for a user group excluding the revoked users