An Identity-Based Key-Insulated Encryption with Message Linkages for Peer-to-Peer Communication Network

Abstract

Key exposure is a major threat to secure cryptosystems. To mitigate the impact caused by key-compromise attacks, a key-insulated cryptographic mechanism is a better alternative. For securing the large message communication in peer-to-peer networks, in this paper, we propose the first novel identity-based key-insulated encryption (IB-KIE) scheme with message linkages. Our scheme has the properties of unbounded time periods and random-access key-updates. In the proposed scheme, each client can periodically update his private key while the corresponding public one remains unchanged. The essential security assumption of our proposed scheme is based on the well-known bilinear Diffie-Hellman problem (BDHP). To ensure the practical feasibility, we also formally prove that the proposed scheme achieves the security requirement of confidentiality against indistinguishability under adaptive chosen-ciphertext attacks (IND-CCA2) in the random oracle model.

1. Introduction

The first public key cryptosystem was introduced by Diffie and Hellman [1] in 1976. In such a system, each user has a self-chosen private key and a corresponding public one. Two important techniques, the public key encryption and the digital signature scheme [2-4], are commonly adopted for ensuring the properties of integrity, confidentiality [5], authenticity [6] and non-repudiation [7]. In 1984, Shamir [8] proposed an identity-based system in which each user’s public key is explicitly his own identity information (such as the name and e-mail address, etc.) while the corresponding private key is computed by a private key generation center (PKG). The derived private key is then sent to each user via a secure channel. Compared with the traditional public key system, an identity-based system is unnecessary to maintain public key certificates. Yet, in practice the key exposure is a major threat to system security and it sometimes imposes extra burdens to reset the whole system again.

To deal with the issue of key exposure, in 2002, Dodis et al. [9] proposed a key-insulated cryptosystem in which each user has a long-term private key and a short-term one, respectively. The former is stored in a physically-secure but computation limited device (called base or helper) while the latter is kept secret by the user. The general idea of key-insulated systems is that at different time periods each user can periodically update his short-term private key with the assistance of helper while the corresponding public key remains unchanged. The next year, they [10] further presented the notion of strongly key-insulated systems, i.e., even if the helper is corrupted by a malicious adversary, he cannot perform any operation with respect to the user’s private key.

Considering identity-based systems, in 2005, Hanaoka et al. [11] proposed the first identity-based key-insulated system from bilinear maps. They also showed how to construct a partially collusion resistant hierarchical identity-based encryption (HIBEI) from arbitrary IBE in the random oracle model. In 2006, Zhou et al. [12] proposed an identity-based key-insulated signature scheme based on the computational Diffie-Hellman (CDH) problem. The formal security proof is also realized in the random oracle model. Later, Hanaoka et al. [13] proposed a parallel key-insulated public key encryption scheme in which two independent helpers are involved for updating user’s private keys alternatively. Such a mechanism helps with reducing the possibility of helper exposure and increasing the security of helpers. In 2008, Weng et al. [14] addressed an identity-based (k, n) threshold key-insulated encryption scheme in which at least k out of n helpers are sufficient to update the user’s short-term private key. Besides, the security of their scheme is proved in the standard model. For facilitating the delegation operation in an organization, in 2009, Wan et al. [15] proposed a strongly identity-based key-insulated proxy signature scheme with secure key-updates. Their scheme also supports unbounded time periods and random-access key-updates. Recently, Yu et al. [16] proposed a new identity-based key-insulated signature scheme and applied it to a novel application called full delegation proxy signature scheme with time restriction. Their scheme has the advantages of efficient key-update procedures and low computational costs for the verifier.

In a peer-to-peer network, each computer is served as both a server and a client. With an ad-hoc manner, communications can be directly established by two end computers. Consider the real situation that the communication message in a peer-to-peer file transmission system might be large. It therefore causes the difficulty in encrypting such a large plaintext due to the limited system bandwidth. Furthermore, in an identity-based system, the key exposure attack is considered the most serious one, as the corresponding user identity has to be removed from the system. Although previous mentioned works [11-16] have addressed some solutions using key-insulted systems, their schemes are not suitable for large file transmission in peer-to-peer networks. It thus can be seen that extending the capability of current IB-KIE scheme for facilitating the peer-to-peer file transmission system is vital. In this paper, we propose the first identity-based key-insulated encryption (IB-KIE) scheme with message linkages. In our scheme, we first divide a large plaintext into lots of smaller message blocks and then encrypt them, respectively. Each ciphertext of message blocks is chained with its preceding one using a collision-resistant one-way hash function and the exclusive-OR operation. The bilinear computation is only employed to derive the mutual shared private key, rather than chaining all ciphertext blocks. Consequently, the number of required pairing operations remains a constant when the message blocks increase. The division of large files not only benefits the encryption process with limited system bandwidth, but also reduces the retransmission overheads in case of some erroneous blocks. In a peer-to-peer file transmission system, the division of large files enables a client to simultaneously download blocks from one peer and upload previously received blocks to another, as so to save the overall transmission time. The gains obtained through our proposed scheme include lower computational efforts (compared with previous works) and the capability of large file transmission. With our proposed scheme, the impact of key exposure can be minimized and two end computers can encrypt and transfer a large plaintext without increasing extra computational costs, i.e., only one mutual shared private key will be generated for transmitting multiple blocks in one communication session. Additionally, the formal security proof of confidentiality against indistinguishability under adaptive chosen-ciphertext attacks (IND-CCA2) is presented in the random oracle model.

The rest of this paper is organized as follows. Section 2 states some preliminaries. We introduce the proposed IB-KIE scheme with message linkages in Section 3. The security proof is detailed in Section 4. Finally, a conclusion is made in Section 5.

 

2. Preliminaries

In this section, we briefly review some security notions and the computational assumptions. The proposed scheme is based on the bilinear pairing from elliptic curve systems. A commonly adopted security assumption comes from the Bilinear Diffie-Hellman problem (BDHP). We state the basic operations of bilinear pairing and the BDH assumption below:

Bilinear Pairing

Let (G1, +) and (G2, ×) denote two groups of the same prime order q and e: G1 × G1 → G2 be a bilinear map which satisfies the following properties:

(i) Bilinearity:

e(P1 + P2, Q) = e(P1, Q)e(P2, Q);

e(P, Q1 + Q2) = e(P, Q1)e(P, Q2);

(ii) Non-degeneracy:

If P is a generator of G1, e(P, P) is a generator of G2.

(iii) Computability:

Given P, Q ∈G1, the value of e(P, Q) can be efficiently computed by a polynomial-time algorithm.

Bilinear Diffie-Hellman Problem; BDHP

The BDHP is, given an instance (P, A, B, C) ∈ G14 where P is a generator, A = aP, B = bP and C = cP for some a, b, c ∈ Zq, to compute e(P, P)abc ∈G2.

Bilinear Diffie-Hellman (BDH) Assumption

For every probabilistic polynomial-time algorithm A, every positive polynomial Q(·) and all sufficiently large k, the algorithm A can solve the BDHP with an advantage at most 1/Q(k), i.e.,

Pr[A(P, aP, bP, cP) = e(P, P)abc; a, b, c ← Zq, (P, aP, bP, cP) ← G14] ≤ 1/Q(k).

The probability is taken over the uniformly and independently chosen instance and over the random choices of A.

Definition 1. The (t, ε)-BDH assumption holds if there is no polynomial-time adversary that can solve the BDHP in time at most t and with the advantage ε.

 

3. Proposed IB-KIE Scheme with Message Linkages

In this section, we first address involved parties and algorithms of our proposed scheme and then give concrete constructions. Some performance analyses with previous works are also demonstrated.

3.1 Involved Parties

An IB-KIE scheme has four involved parties: a private key generation center (PKG), a helper (device) and two communication clients. Each one is a Probabilistic Polynomial-time Turing Machine (PPTM). The PKG is responsible for generating each user’s initial private key and a master helper key. Each client can periodically update his i-th private key at time period i with the assistance of his helper.

3.2 Algorithms

The proposed IB-KIE scheme consists of the following algorithms:

– Setup: Taking as input 1k where k is a security parameter, the PKG generates system’s public parameters params and a master helper key.

– KeyExtract (KE): The KE algorithm takes as input the system parameters params, an identity ID, the master secret key of PKG. It generates an initial private key SID, 0 with respect to the identity ID.

–KeyUpdate (KU): The KU algorithm takes as input the system parameters params, a time period i, a helper key HKID,i and a private key SID, i-1. It generates a private key SID,i for the time period i.

– Encryption (Enc): The Enc algorithm takes as input the system parameters params, a time period i, a plaintext and the identity of receiver. It generates a corresponding ciphertext δ.

– Decryption (Dec): The Dec algorithm takes as input the system parameters params, a ciphertext δ and the private key of receiver. It outputs the recovered plaintext or an error symbol ⊥.

3.3 Basic Construction of IB-KIE Scheme

Motivated by Wan et al.’s [15] and Yu et al.’s [16] schemes, in this subsection, we first give a basic construction of our IB-KIE scheme without message linkages. Details of each algorithm are described below:

– Setup: Taking as input 1k, the private key generation center (PKG) chooses a master secret key s ∈R Zq along with a master helper key w ∈R Zq, and then computes the corresponding public keys PTA = sP and PHK = wP , respectively. The master helper key w is sent to the helper via a secure channel. The PKG also selects two groups (G1, +) and (G2, ×) of the same prime order q where |q| = k. Let P be a generator of order q over G1, e: G1 × G1 → G2 a bilinear pairing, H: {0, 1}k → G1 and F: G1 × G2 → Zq collision resistant hash functions. The PKG announces public parameters params = {PTA, PHK, G1, G2, q, P, e, H, F}.

– KeyExtract (KE): Given an identity, say IDA of the client Alice, the PKG computes the initial private key as

and then returns it to Alice via a secure channel.

– KeyUpdate (KU): Given an identity IDA and a time period i ∈ {1, …, N}, the helper first generates a helper key as

and then sends it to Alice who can therefore update her private key by computing

The values (SA,i-1, HKA,i) are deleted subsequently.

– Encryption (Enc): At time period i ∈ {1, …, N}, to encrypt a plaintext M for Alice, a sender first chooses t ∈R Zq and then computes

The ciphertext is δ = (i, T, C) which is then delivered to Alice.

– Decryption (Dec): Upon receiving the ciphertext δ = (i, T, C), Alice decrypts it with her private key SA, i at time period i ∈ {1, …, N} by computing

If the recovered redundancy in M is valid, Alice accepts the plaintext. Otherwise, an error symbol ⊥ is returned to signal that δ is invalid. We show that Eq. (7) works correctly. From the right-hand side of Eq. (7), we have

which leads to the left-hand side of Eq. (7).

3.4 Construction of IB-KIE Scheme with Message Linkages

Based on our basic IB-KIE scheme, we introduce an IB-KIE scheme with message linkages to benefit the encryption of a large plaintext by dividing it into lots of small blocks. Let F1: Zq → Zq be a collision resistant hash function. The construction is similar as our basic IB-KIE scheme stated in Section 3.3. We only describe the different parts as follows:

– Encryption (Enc): At time period i ∈ {1, …, N}, to encrypt a large plaintext M for Alice, a sender first divides M into l pieces, i.e., M = M1 ║ M2 ║ … ║ Ml, Mr’s ∈ Zq, and then chooses t ∈R Zq and C0 = 0 to compute (T, σ) as Eqs. (4) and (5). The sender further computes

The ciphertext is δ = (i, T, C1, C2, …, Cl) which is then delivered to Alice.

– Decryption (Dec): Upon receiving δ = (i, T, C1, C2, …, Cl), Alice first decrypts it with her private key SA, i at time period i ∈ {1, …, N} by computing

and then recovers the original plaintext M as M1 ║ M2 ║ … ║ Ml. If the recovered redundancy in M is valid, Alice accepts the plaintext. Otherwise, an error symbol ⊥ is returned to signal that δ is invalid.

We show that Alice can recover M with her private key by Eq. (7*). From the right-hand side of Eq. (7*), we have

Which leas to the left-hand side of Eq.(7*).

3.5 Performance Analyses

In a pairing-based IB-KIE scheme, it will incur more computational efforts to extend such an algorithm to the scheme with message linkages when the encrypted message is tightly combined with the pairing computation. For example, the pairing computation of Hanaoka et al.’s scheme [11] takes as input the encrypted message. When we extend their algorithm to the scheme with message linkages by our construction, a sender has to employ the pairing operation for chaining all ciphertext blocks. That is to say, the number of bilinear pairing will be proportional to that of message blocks. Yet, in our proposed scheme, the bilinear computation is only adopted to derive the mutual shared private key. Table 1 demonstrates the efficiency comparisons among the proposed and previous works including Hanaoka et al.’s [11] (HHS for short) and Weng et al.’s [14] (WLC for short) schemes in terms of the number of required pairing computation which is considered the most time-consuming operation. It can be seen that both HHS and WLC schemes incur more computational efforts as the message blocks increase while ours remains a constant, i.e., 3.

Table 1.Comparisons of required pairing computation

 

4. Security Proof

In this section, we define the crucial security requirement of our proposed IB-KIE scheme and prove it in the random oracle model. Since our IB-KIE scheme with message linkages has almost the same structures as those in the basic scheme, it is sufficient to show the security of our basic scheme. The security of the proposed IB-KIE scheme with message linkages is directly implied by it.

4.1 Security Requirement

The crucial security requirement of proposed IB-KIE scheme is confidentiality against indistinguishability under adaptive chosen-ciphertext attacks (IND-CCA2). We define the notion as follows:

Definition 2. An IB-KIE scheme is said to achieve the security requirement of confidentiality against indistinguishability under adaptive chosen-ciphertext attacks (IND-CCA2) if there is no probabilistic polynomial-time adversary A with non-negligible advantage in the following game played with a challenger B:

Setup: B first runs the Setup(1k) algorithm and sends the system’s public parameters params to the adversary A.

Phase 1: The adversary A can issue several queries adaptively, i.e., each query might be based on the result of previous queries:

– KeyExtract (KE) queries: A makes a KE query for some identity ID. B returns the initial private key SID, 0.

– Helper-Keye (HK) queries: A makes an HK query for some identity ID and the time period i ∈ {1, …, N}. B returns the corresponding helper key HKID,i.

– KeyUpdate (KU) queries: A makes a KU query for some identity ID and the time period i ∈ {1, …, N}. B returns the corresponding private key SID,i.

– Encryption (Enc) queries: A makes an Enc query for a plaintext M, a time period i ∈ {1, …, N} and an identity ID. B returns the corresponding ciphertext δ to A.

– Decryption (Dec) queries: A makes a Dec query for a ciphertext δ with respect to an identity ID. If the decrypted plaintext has correct redundancy, B returns it. Otherwise, an error symbol ⊥ is returned as a result.

Challenge: The adversary A produces two messages, M0 and M1, of the same length and chooses a fresh identity ID* along with a time period i* ∈ {1, …, N}. The challenger B flips a coin λ ← {0, 1} and generates a ciphertext δ* in relation to (i*, Mλ, ID*). The ciphertext δ* is then delivered to A as a target challenge.

Phase 2: The adversary A can issue new queries as those in Phase 1 except the KE(ID*), HK(i*, ID*), KU(i*, ID*) and Dec(δ*, ID*) queries.

Guess: At the end of the game, A outputs a bit λ’. The adversary A wins this game if λ’= λ. We define A’s advantage as Adv(A) = | Pr[λ’= λ] − 1/2 |.

4.2 Security Proof

We prove that the proposed scheme achieves the IND-CCA2 security in the random oracle model as Theorem 1.

Theorem 1. The proposed IB-KIE scheme is (t, qH, qF, qKE, qHK, qKU, qEnc, qDec, ε)-secure against indistinguishability under adaptive chosen-ciphertext attacks (IND-CCA2) in the random oracle model if there is no probabilistic polynomial-time adversary that can (t', ε')-break the BDHP, where

Here N is the number of total time periods and tλ is the time for performing one bilinear pairing operation.

Fig. 1.The proof structure of Theorem 1

Proof: Fig. 1 depicts the proof structure of this theorem. Suppose that a probabilistic polynomial-time adversary A can (t, qH, qF, qKE, qHK, qKU, qEnc, qDec, ε)-break the proposed IB-KIE scheme with non-negligible advantage ε under adaptive chosen ciphertext attacks after running at most t steps and making at most qHH, qFF, qKEKE, qHKHK, qKUKU, qEncEnc and qDec Dec queries. Then we can construct another algorithm B that (t', ε')-breaks the BDHP by taking A as a subroutine. The objective of B is to obtain e(P, P)xyz by taking (P, xP, yP, zP) as inputs. In this proof, B simulates a challenger to A in the following game.

Setup: The challenger B runs the Setup(1k) algorithm to obtain the system’s public parameters params = {G1, G2, q, P, e}. Then B sets PTA = xP and PHK = dP where d ∈R Zq. After that, B returns (params, PTA, PHK) to the adversary A.

Phase 1: A makes the following queries adaptively:

– H oracle: When A queries an H oracle of H(IDj), B first checks H_list for a matched entry. Otherwise, B chooses hj ∈R Zq, adds the entry (IDj, hj, hjP) to H_list, and returns hjP as a result.

– F oracle: When A queries an F oracle of F(Tj,σj), B first checks F_list for a matched entry. Otherwise, B chooses fj ∈R Zq and adds the entry (Tj,σj, fj) to F_list. Finally, B returns fj as a result.

–KE queries: When A makes a KE query for IDj, B returns the initial private key Sj, 0 = hj(xP) + (hj, 0P) to A.

– HK queries: When A makes an HK query for (i, IDj) where i ∈ {1, …, N} is the time period, B returns the helper key HKj,i = d[H(IDj, i) - H(IDj, i-1)] to A.

– KU queries: When A makes a KU query for (i, IDj) where i ∈ {1, …, N} is the time period, B returns the corresponding private key Sj,i = hj(xP) + d(hj, iP) to A.

– Enc queries: When A makes an Enc query with respect to (i, M, ID) where i ∈ {1, …, N} is the time period, B follows the steps in Section 3.3 to return the ciphertext δ = (i, T, C).

– Dec queries: When A makes a Dec query for some pair (IDj,δ = (i, T, C)) where δ = (i, T, C), B first derives the private key Sj,i = hj(xP) + d(hj, iP) to run the Decryption algorithm in Section 3.3 and then returns the corresponding result.

Challenge: The adversary A produces two messages, M0 and M1, of the same length and chooses a fresh identity ID* along with a time period i* ∈ {1, …, N}. The challenger B flips a coin λ ← {0, 1} and generates a ciphertext δ* in relation to (i*, Mλ, ID*) as follows:

The ciphertext δ* = (i*, T*, C*) is then delivered to A as a target challenge.

Phase 2: A makes new queries as those stated in Phase 1 except the KE(ID*), HK(i*, ID*), KU(i*, ID*) and Dec(δ*, ID*) queries. When A makes a KU query for (i, ID*) where i ∈ {1, …, i*-1, i* + 1, …, N}, B directly terminates. When A makes a Dec query for some pair (ID*, δ) where δ= (i, T, C), B searches F_list for a matched entry (Tj, δj, fj) where Tj = T and then returns M = C·fj-1 to A. Otherwise, an error symbol ⊥ is returned as a result.

δ*

Analysis of the game: We first evaluate the simulation of Dec queries. One can observe that it is possible for a Dec query of some valid pair (ID*, δ) where δ = (i, T, C) to return the error symbol ⊥ on condition that A doesn’t query the corresponding F(T, σ) random oracle. However, such the probability for any Dec query is not greater than 2-k. Since A is allowed to make at most qDec Dec queries, the above situation happens during the entire simulation game, denoted by Dec_ERR, would be less than (qDec)2-k, i.e., Pr[Dec_ERR]≤(qDec)2-k. Also note that B terminates for some KU queries with respect to (i, ID*) where i ∈ {1, …, i*-1, i* + 1, …, N}. We express such an event during the entire simulation game as KU_ERR and Pr[KU_ERR]≤(N -1)(qKU)-1. Additionally, in the challenge phase, B has returned a simulated ciphertext δ* = (i*, T*, C*) where H(ID*) = yP and T* = zP, which implies the parameter σ* is implicitly defined as

Let NA be the event that the entire simulation game does not abort. Obviously, if the adversary A never asks an F(T*, σ*) oracle query in Phase 2, the entire simulation game could be normally terminated. We denote the event that A does ask such an oracle query in Phase 2 by QF*. When the entire simulation game does not abort, it can be seen A gains no advantage in guessing λ due to the randomness of random oracles, i.e.,

Rewriting the expression of Pr[λ’= λ], we have

On the other hand, we can also derive that

With inequalities (9) and (10), we know that

Recall that in Definition 2, A’s advantage is defined as Adv(A) = | Pr[λ’= λ] − 1/2 |. By assumption, A has non-negligible probability ε to break the proposed scheme. We therefore have

Rewriting the above inequality, we get

If the event QF* happens, we claim that σ* = e(P, P)xyz e(dP, (h*, i*)(zP)) will be left in some entry of F_list. Consequently, B has non-negligible probability

to solve the BDHP by computing e(dP, (h*, i*)(zP))-1σ*. The computational time required for B is t'≈t + tλ(2qEnc + qDec).

Q.E.D.

 

5. Conclusions

Key-insulated cryptosystems aim at reducing the damage caused by the key exposure. In this paper, we combine identity-based and key-insulated systems to propose the first novel IB-KIE scheme with message linkages for facilitating the encryption of a large plaintext in peer-to-peer communication networks. In addition to the inherent property of key-insulated systems that each client can periodically update his private key while the public one remains unchanged, the proposed scheme also supports unbounded time periods and random-access key-updates. By integrating with identity-based systems, it is unnecessary to maintain public key certificates. The underlining computational assumption of our scheme is based on the well-known bilinear Diffie-Hellman problem (BDHP) which is believed to be no harder than the computational Diffie-Hellman (CDH) problem and is intractable in polynomial time. Furthermore, the security requirement of confidentiality against indistinguishability under adaptive chosen-ciphertext attacks (IND-CCA2) is realized in the random oracle model. Our proposed scheme is also suitable for the encryption and transmission of DNA/RNA biological sequences and the data structure such as linked list. In the future research, we will attempt to develop an enhanced variant with error correction capability. That is, the receiving client can identify the erroneous ciphertext blocks during the transmission and request to resend only these blocks again, rather than all ones, which helps gain more bandwidth saving.