5 research outputs found

    Server-Aided Revocable Predicate Encryption: Formalization and Lattice-Based Instantiation

    Efficient user revocation is a necessary but challenging problem in many multi-user cryptosystems. Among known approaches, server-aided revocation yields a promising solution, because it allows the major workloads of system users to be outsourced to a computationally powerful third party, called the server, whose only requirement is to carry out the computations correctly. Such a revocation mechanism was considered in the settings of identity-based encryption and attribute-based encryption by Qin et al. (ESORICS 2015) and Cui et al. (ESORICS 2016), respectively. In this work, we consider the server-aided revocation mechanism in the more elaborate setting of predicate encryption (PE). The latter, introduced by Katz, Sahai, and Waters (EUROCRYPT 2008), provides fine-grained and role-based access to encrypted data and can be viewed as a generalization of identity-based and attribute-based encryption. Our contribution is two-fold. First, we formalize the model of server-aided revocable predicate encryption (SR-PE), with rigorous definitions and security notions. Our model can be seen as a non-trivial adaptation of Cui et al.'s work into the PE context. Second, we put forward a lattice-based instantiation of SR-PE. The scheme employs the PE scheme of Agrawal, Freeman and Vaikuntanathan (ASIACRYPT 2011) and the complete subtree method of Naor, Naor, and Lotspiech (CRYPTO 2001) as the two main ingredients, which work smoothly together thanks to a few additional techniques. Our scheme is proven secure in the standard model (in a selective manner), based on the hardness of the Learning With Errors (LWE) problem.

    Adaptive-ID Secure Revocable Identity-Based Encryption from Lattices via Subset Difference Method

    In view of the expiration or exposure of a user's private credential (or private key) in realistic scenarios, identity-based encryption (IBE) schemes with an efficient key revocation mechanism, or for short, revocable identity-based encryption (RIBE) schemes, become prominently significant. In this paper, we present an RIBE scheme from lattices by combining two IBE schemes of Agrawal et al. with the subset difference (SD) method. Our scheme is secure against adaptive identity-time attacks in the standard model under the learning with errors (LWE) assumption. In particular, our scheme serves as one solution to the challenge posed by Chen et al. (ACISP '12).

    Server-Aided Revocable Identity-Based Encryption from Lattices

    Server-aided revocable identity-based encryption (SR-IBE), recently proposed by Qin et al. at ESORICS 2015, offers significant advantages over previous user revocation mechanisms in the scope of IBE. In this new system model, almost all the workloads on users are delegated to an untrusted server, and users can compute decryption keys at any time period without having to communicate with either the key generation center or the server. In this paper, inspired by Qin et al.'s work, we design the first SR-IBE scheme from lattice assumptions. Our scheme is more efficient than existing constructions of lattice-based revocable IBE. We prove that the scheme is selectively secure in the standard model, based on the hardness of the Learning With Errors problem. At the heart of our design is a "double encryption" mechanism that enables smooth interactions between the message sender and the server, as well as between the server and the recipient, while ensuring the confidentiality of messages.

    Simplified Revocable Hierarchical Identity-Based Encryption from Lattices

    As an extension of identity-based encryption (IBE), revocable hierarchical IBE (RHIBE) supports both key revocation and key delegation simultaneously, which are two important functionalities for cryptographic use in practice. Recently, in PKC 2019, Katsumata et al. constructed the first lattice-based RHIBE scheme with decryption key exposure resistance (DKER); before their work, all such constructions were based on bilinear or multilinear maps. In this paper, we simplify the construction of the RHIBE scheme with DKER provided by Katsumata et al. With our new treatment of the identity spaces and the time period space, there is only one short trapdoor basis in the master secret key and in the secret key of each identity. In addition, we claim that some items in the keys can also be removed due to the DKER setting. Our first RHIBE scheme in the standard model is presented as a result of the above simplification. Furthermore, based on the technique for lattice basis delegation in fixed dimension, we construct our second RHIBE scheme in the random oracle model. It has much shorter key and ciphertext components than before, and also achieves adaptive-identity security under the learning with errors (LWE) assumption.

    Revocable cryptosystems from lattices

    In the last decade, lattices have become one of the most powerful tools in constructing cryptographic schemes, which enjoy conjectured resistance against quantum computers and strong security guarantees from worst-case to average-case reductions, as well as asymptotic efficiency. For a multi-user cryptosystem, user revocation has been a necessary but challenging problem. However, all known revocable schemes are either based on number-theoretic assumptions or lattice-based but less efficient compared to the state-of-the-art systems. In this thesis, we focus on investigating user revocation models and the associated lattice-based instantiations. Our constructions have two goals: (i) to improve the existing revocable lattice-based cryptosystems in terms of efficiency and security; (ii) to consider the revocation functionality in new contexts from lattices. For the former, we carefully adapt the very recent revocation model into the lattice setting. The latter can be achieved either by using the existing revocation models (without concrete constructions from lattices) or by proposing new revocation models. We construct a series of cryptosystems supporting efficient revocation as follows.

    (1) A revocable identity-based encryption (IBE) scheme, which is more efficient than all existing such schemes from lattices. We follow the architecture of server-aided revocable encryption, proposed by Qin et al. (ESORICS 2015). This paradigm provides significant efficiency advantages over previous revocation techniques in the setting of IBE. In the server-aided revocation model, most of the workloads on the user side are outsourced to a server, which can be untrusted since it does not possess any private information. With the help of this server, non-revoked users do not need to update anything when the system revokes other users. We equip Agrawal, Boneh, and Boyen's IBE (EUROCRYPT 2010) with the server-aided revocation method. From the technical view, we observe that a "double encryption" mechanism is well-suited to such a server-aided system. We also show that our scheme is provably secure under the hardness of the Learning With Errors (LWE) problem.

    (2) A revocation model called server-aided revocable predicate encryption (SR-PE) and an instantiation from lattices. We consider the server-aided revocation mechanism in the predicate encryption (PE) setting and formalize the notion of SR-PE with rigorous definitions and a security model. Moreover, we introduce a construction of SR-PE for the scheme introduced by Agrawal, Freeman, and Vaikuntanathan (ASIACRYPT 2011) and prove that our scheme is selectively secure in the standard model. The correctness of our scheme relies on a special property of lattice-based encryption schemes.

    (3) A lattice-based construction of predicate encryption following the direct revocation mechanism. In such a mechanism, the ciphertexts are forced to carry the revocation information. Nieto, Manulis, and Sun (ACISP 2012) considered direct revocation in the PE setting and suggested the notion of full-hiding security for revocable PE schemes, which demands that the encrypted data preserves the privacy of not only the plaintext and the associated attribute, but also the revocation information. Following their pairing-based construction, we introduce a corresponding instantiation from lattice assumptions. Regarding efficiency, our lattice-based scheme is somewhat comparable to the construction by Nieto, Manulis, and Sun. Our scheme achieves full-hiding security thanks to the anonymity of one IBE instance that we additionally introduce into the system.