Anonymous communication system provides a secure environment without leaking metadata, which has many application scenarios in IoT

Anonymous Identity Based Encryption (AIBET) scheme allows a tracer to use the tracing key to reveal the recipient's identity from the ciphertext while keeping other data anonymous. This special feature makes AIBET a promising solution to distributed IoT data security. In this paper, we construct an efficient quantum-safe Hierarchical Identity-Based cryptosystem with Traceable Identities (AHIBET) with fully anonymous ciphertexts. We prove the security of the AHIBET scheme under the Learning with Errors (LWE) problem in the standard model.

Authors

• 1 publication
• 1 publication
06/15/2018

Anonymous Identity-Based Encryption with Identity Recovery

Anonymous Identity-Based Encryption can protect privacy of the receiver....
07/21/2021

A low-overhead approach for self-sovereign identity in IoT

We present a low-overhead mechanism for self-sovereign identification an...
03/16/2021

Compatible Certificateless and Identity-Based Cryptosystems for Heterogeneous IoT

Certificates ensure the authenticity of users' public keys, however thei...
12/08/2020

Quantum Fully Homomorphic Encryption without Clifford Decomposition and Real Representation

We present a novel quantum fully homomorphic encryption (QFHE) scheme, w...
07/13/2018

An Improved Bound for Security in an Identity Disclosure Problem

Identity disclosure of an individual from a released data is a matter of...
01/04/2019

Off-Policy Evaluation of Probabilistic Identity Data in Lookalike Modeling

We evaluate the impact of probabilistically-constructed digital identity...
05/18/2019

Discrete Logarithmic Fuzzy Vault Scheme

In this paper a three fuzzy vault schemes which integrated with discrete...
This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

1 Introduction

Internet of Things (IoT) has emerged as a set of interconnected technologies like Wireless Sensors Networks (WSN) and Radio Frequency Identification (RFID), that provide identification, computation, and mutual information exchange among the connected devices all over the world. The key idea of the IoT is to obtain information about our environment to understand and control and act on it [DMR16].

Identity-Based Encryption (IBE) is a type of public-key encryption where the public key is an arbitrary string that uniquely defined the user (for example an email address or a telephone number). The Private-key Generator (PKG) who has knowledge of a master secret key generates the private key for the corresponding identities. This concept was first introduced by Shamir [Sha84] and then in 2001, Boneh and Franklin [BF01] proposed the first practical IBE scheme based on bilinear map. The idea of Hierarchical Identity-Based Encryption (HIBE), which is an extension of IBE where each level can issue private keys for identites of the next level, was first proposed in the work of Gentry and Silverberg [GS02]. Since then, there have been many efficient constructions of HIBE, ranging from classical setting [BB04, BBG05, Wat05] to post-quantum setting [ABB10a, CHKP10, SRB14] just to name a few.

The concept of “Anonymous” IBE offers an additional privacy guarantee to standard IBE schemes where the ciphertexts do not leak the identity of the recipients. AIBE is a promising solution to anonymous communications and it can be applied to many realistic scenarios that provide privacy-preserving and security under cloud environment. It can also bring a secure environment without leaking metadata which has many application scenarios in the aforementioned distributed IoT system [JLL18]. However, the first AIBE construction of Boneh and Frankl in [BF01] is just anonymous in the random oracle model and it was a challenging problem to achieve anonymous IBE in the standard model until [BW06b]. In [BW06a], Boyen and Waters proposed the first secure anonymous HIBE scheme without random oracles. More recently, the HIBE constructions in the post-quantum setting [ABB10a, SRB14] are proven to be anonymous secure in the standard model in the mean of a ciphertext encrypted for a target identity is indistinguishable from a random element in the ciphertext space which helps hide this identity from any malicious attacker.

Although this strong unconditional privacy seems very attractive from the user’s point of view, it can potentially be a dangerous tool against public safety if there is no way to revoke such privacy when illegal behavior is detected. For example, in the case where the email filtering system has to filter out all encrypted email from members are suspected of illegal activity, standard anonymous IBE and HIBE prevent the system reveal the recipients of those ciphertexts. Traceability can provide a solution to this problem in which an additional traceability function can detect specific identities in ciphertexts and all the others remain anonymous.

In 2019, Blazy et al. [BBP19] first considered the traceability for identity-based encryption and constructed an Anonymous Identity Based Encryption (AIBET) scheme in the standard model but under the matrix Diffie Hellman (MDDH) assumption. Two security notions are formally defined in [4] are anonymity and ciphertext indistinguishability. Anonymity requires that someone without an associated user secret key or tracing key should not be able to guess the targeted identity. The notion of indistinguishability requires that no one can distinguish between a valid ciphertext and a random string from the ciphertext space even having access to the tracing key of the target identity. Recent, in [LTT21], Liu et al. proposed a lattice-based construction for AIBET which is based on the anonymous IBE by Katsumata and Yamada [KY16]. However, they do not address the notion of indistinguishability which is the main difference between an AIBET and a standard anonymous IBE. Note that the role of the tracer and the Private-key Generator PKG are distinguishable where the tracer has less power than the PKG. For example, it could be a gateway that checks whether an email for a suspected illegal user is passed. Even if the tracers are corrupted, the privacy and the confidentiality of the system will still remain intact.

Our contribution: We propose a concrete construction of an Anonymous Lattice Hierarchical Identity-Based Encryption with Traceable Identities (AHIBET) scheme which is secure in the standard model based on the hardness assumption of lattices. In particular, our AHIBET construction is anonymous across all the levels of hierarchy, i.e., ciphertexts conceal recipients’ identities from everyone which does not know the corresponding keys for decryption or tracing. Traceability cannot be extended down the hierarchy, i.e., knowing the tracing key for identity doesn’t imply knowing tracing key for any of its descendants. Besides, our construction is ciphertext indistinguishable, i.e., even having the tracing key for identity , one cannot distinguish the ciphertexts of message from the one of random messages for identity .

An instance of our AHIBET yields a lattice-based construction of AIBET that can be easily converted to a construction over ideal lattices using the techniques in [BFRS18], which outperforms the AIBET by Liu et al. [LTT21]111In fact, the public parameter in Liu et al. [LTT21] will be a factor of greater than ours where is some fixed constant (e.g., d=2 or 3) and for the security parameter..

Technical Overview:
The first main idea is that an AHIBET system must be controlled by three levels of trapdoors:

• The master secret key can be used to generate secret key and tracing key for each identity of any level.

• The secret keys enable recipients to decrypt the corresponding ciphertexts. Each secret key can be used to generate the secret keys for identities of the next level and thus control all descendants of .

• The tracing keys enable tracers to detect only the ciphertexts sent to identities without leaking information of the messages.

To achieve the identity traceability property, we attach each ciphertext a random tag and its encapsulation whereas tracing keys are the trapdoors for decapsulation.

We exploit the power of lattice trapdoors in [MP12, CHKP10] combining with the HIBE construction by Agrawal et al. [ABB10a] to achieve our AHIBET.

In [ABB10a], each identity is assigned a matrix and message is encrypted following the dual-Regev scheme:

 cT=sTFid+eT,   c′T=sTU+e′T+mT⌊q2⌋.

In our scheme, we use one dual-Regev part to encrypt the message and another one to encapsulate the random tag to allow the ciphertext to reveal the recipients’ identity from the tracing key holder.

In [MP12], the authors introduced a so-called -trapdoor where is a gadget matrix in . A -trapdoor for matrix is a matrix such that

for some invertible matrix

where . The authors called it “strong trapdoor” since a good basis for can be obtained from the knowledge of the matrix but the reverse is hard. Moreover, with either or , one can easily generate a low norm matrix satisfying

with respect to a given random matrix

using the sampling algorithms from [ABB10a] and [MP12]. Since is a kind of weaker trapdoor than , we can use such matrices , and as the three levels of trapdoors , , respectively for a traceable identity-based encryption where the matrix is associated to an identity , namely, for the public matrices and the full-rank difference encoding function . However, such trapdoors do not guarantee the anonymity and even the secrecy of messages across the hierarchy of identities. For example, knowing and , one can easily find a low norm matrix of the same size as such that , which reveals information of the messages. Therefore, we use a collision resistance hash function to construct a matrix and use the sampling algorithms to generate the tracing key of the identity such that . Such tracing keys are determined uniquely by the identities and independent of the secret keys, which ensures the anonymity and secrecy of the messages.

2 Preliminaries

2.1 Anonymous Lattice Hierarchical Identity-Based Encryption with Traceable Identities (AHIBET)

In this section, we describe the model of Anonymous Lattice Hierarchical Identity-Based Encryption with Traceable Identities (AHIBET) based on the Anonymous Lattice Identity-Based Encryption with Traceable Identities (AIBET) from [BBP19] and its security model.

Definition 1 (Ahibet).

An AHIBET scheme consists of the following seven algorithms:

• takes as input the security parameter and the maximal hierarchy depth of the scheme and outputs the master public key and the master secret key .

• uses the master public key and the master secret key to generate the secret key for an identity at depth .

• takes as input the master public key and a secret key corresponding to an identity at depth , outputs the secret key for the identity at depth .

• uses the master public key and the master secret key to generate the tracing key for a given identity .

• takes as input the master public key , a given identity and a message , outputs the ciphertext .

• takes as input the master public key , a ciphertext and a secret key . The algorithm outputs the message if is encrypted for ; otherwise, it outputs the rejection symbol .

• takes as input the master public key , an identity and a ciphertext , uses the tracing key to check whether a ciphertext is encrypted for . outputs if is for the user with identity ; otherwise, it outputs .

Correctness and soundness.
The correctness of AHIBET scheme requires that if for all key pairs output by , all , all identities where and all messages , it holds that

 Pr⎡⎢ ⎢ ⎢⎣Decrypt(MPK,SKid,CT)=m∣∣ ∣ ∣ ∣∣(MPK,MSK)←Setup(λ,d)SKid←Derive(MPK,MSK,id)CT←Encrypt(MPK,id,m)1←TkVer(MPK,id,Tskid,CT)⎤⎥ ⎥ ⎥⎦=1

and the soundness of AHIBET requires

 Pr⎡⎢ ⎢ ⎢⎣Decrypt(MPK,SKid,CT)=⊥∣∣ ∣ ∣ ∣∣(MPK,MSK)←Setup(λ,d)SKid←Derive(MPK,MSK,id)CT←Encrypt(MPK,id,m)0←TkVer(MPK,id,Tskid,CT)⎤⎥ ⎥ ⎥⎦=1

Security models of AHIBET. For the security models, we give the definition of anonymity and ciphertext indistinguishability for the AHIBET scheme.

• Anonymity is the property that the adversary can not distinguish the encryption of a chosen message for a first chosen identity from the encryption on the same message for a second chosen identity. Similarly, the adversary can not decide whether a ciphertext it received from the challenger was encrypted for a chosen challenge identity, or for a random identity in the identity space. The anonymity game, denoted ANON-sID-CPA, is played between an adversary and a challenger , provided that the adversary does not have the corresponding tracing key of the challenge identity, is defined through the following game:

• Init: The adversary is given the maximum depth of the hierarchy and then decides a target pattern , .

• Setup: At the beginning of the game, the challenger runs to obtain and gives the resulting master public key to the adversary .

• Phase 1: may adaptively make queries polynomial many times to the key derivation oracle and the tracing key oracle where:

• Oracle takes input an identity different from and its prefixes, returns the output of .

• Oracle takes input an identity different from , returns the output of .

• Challenge: The adversary chooses a message and gives it to the challenger . then selects a random bit and a random identity in the identity space which has the same depth with the challenge identity . If , runs ; otherwise, it runs . Finally, passes through to the adversary .

• Phase 2: continues to issue additional key derivation and tracing key queries and responds as in Phase 1.

• Guess: outputs its guess and wins if .

The advantage of is defined as

• In the ciphertext indistinguishability game, we use a privacy property called indistinguishable from random which means that the challenge ciphertext encrypted for a given message is computationally indistinguishable from a the challenge ciphertext encrypted for a random message on the same challenge identity , even the adversary has the corresponding tracing key of . The IND-sID-CPA security model is defined through the following game, played between an adversary and a challenger :

• Init: The adversary is given the maximum depth of the hierarchy and then decides a target pattern , .

• Setup: At the beginning of the game, the challenger runs to obtain and gives the resulting master public key to the adversary .

• Phase 1: may adaptively make queries polynomial many times to the key derivation oracle and the tracing key oracle where:

• Oracle takes input an identity different from and its prefixes, returns the output of .

• Oracle takes input an identity different from , returns the output of .

• Challenge: The adversary chooses a message and gives it to the challenger . sets and chooses a random message in the message space. then selects a random bit . If , runs ; otherwise, it runs . Finally, passes through to the adversary .

• Phase 2: continues to issue additional key derivation and tracing key queries and responds as in Phase 1.

• Guess: outputs its guess and wins if .

The advantage of is defined as

2.2 Lattices

A lattice in

is a set of all integer linear combinations of (linearly independent) basis vectors

, i.e.,

 Λ:={n∑i=1bixi|xi∈Z ∀i=1,⋯,n}⊆Zm.

We call the rank of and if we say that is a full rank lattice. In this paper, we mainly consider full rank lattices containing , called -ary lattices,

 Λq(A) :={e∈Zm s.t. ∃s∈Znq where ATs=emodq} Λ⊥q(A) :={e∈Zm s.t. Ae=0modq}

and translations of lattice defined as follows

 Λuq(A):={e∈Zm s.t. Ae=umodq}

for given matrices and .

Let be a set of vectors in . We denote by the maximum length of the vectors in . We also denote the Gram-Schmidt orthogonalization of the vectors in that order. We refer to the Gram-Schmidt norm of .

Note that for any matrix

, there exists a singular value decomposition

, where , are orthogonal matrices, and is a diagonal matrix with nonnegative entries on the diagonal, in non-increasing order. The are called the singular values of . Under this convention, is uniquely determined and where the maxima are taken over all unit vectors

. Note that the singular values of

and are the same.

Gaussian distribution.

We will use the following definitions of the discrete Gaussian distributions.

Definition 2.

Let be a lattice. For a vector and a positive parameter , define:

 ρσ,c(x)=exp(−π∥x−c∥2σ2)andρσ,c(Λ)=∑x∈Λρσ,c(x).

The discrete Gaussian distribution over with center and parameter is

 ∀y∈Λ,DΛ,σ,c(y)=ρσ,c(y)ρσ,c(Λ).

For convenience, we will denote by and for and respectively. When we will write instead of .

It is well-known that for a vector sampled from , one has that

with overwhelming probability.

For , .

Lemma 4.

For a prime and a positive integer , let . For , with , the distribution of

is statistically close to the uniform distribution over

.
Furthermore, fix , the distribution of conditioned on is .

The security of our construction reduces to the LWE (Learning With Errors) problem introduced by Regev [Reg09].

Definition 5 (Learning With Errors - LWE problem).

Consider a prime , a positive integer , and a distribution over . An problem instance consists of access to an unspecified challenge oracle , being either a noisy pseudorandom sampler associated with a secret , or a truly random sampler who behaviors are as follows:

:

samples of the form where is a uniform secret key, is uniform and is a noise withdrawn from .

:

samples are uniform pairs in .

The problem allows respond queries to the challenge oracle . We say that an algorithm decides the problem if

is non-negligible for a random .

Regev [Reg09] showed that (see Theorem 6 below) when is a distribution with , the LWE problem is hard.

Theorem 6.

If there exists an efficient, possibly quantum, algorithm for deciding the problem for then there is an efficient quantum algorithm for approximating the SIVP and GapSVP problems, to within factors in the norm, in the worst case.

The theorem implies, for is a polynomial in , the LWE problem is as hard as approximating the SIVP and GapSVP problems in lattices of dimension to within polynomial (in ) factors.

In this paper, we will use the discrete Gaussian distribution and denote instead of for convenience.

We use the following lemma which was introduced by Katsumata and Yamada in [KY16] to rerandomize LWE instances:

Lemma 7.

Let be positive integers and let be a positive real number satisfying . Let be arbitrary and . Then there exists an efficient algorithm such that for any and positive real , the output of is distributed as where the distribution of is close to .

Lattice trapdoors

Our work heavily bases on the notion -trapdoor introduced in [MP12]. In the following, we recap this notion as well as some usefull algorithms.

As in [MP12], let , and let , we will use the vector and extend it to get the gadget matrix such that the lattice has a public known matrix with and .

Definition 8.

(-trapdoor) Let , and , . Let , . Let be some invertible matrix. A matrix is called a -trapdoor for with tag if it holds that . The quality of the trapdoor is measured by its largest singular value .

[MP12] also presented an algorithm to generate a pseudorandom matrix together with a “strong” -trapdoor for the lattice :

1. Sample , and an invertible matrix

2. Return and the -trapdoor .

The matrix can do everything that a low-norm basis of does. Moreover, can be used to efficiently generate low-norm basis for .

Next, we recall the following lemma from [GPV08]:

Lemma 9.

Let be integers with , and let , . Let be a basis for . For , there is a PPT algorithm that returns a matrix sampled from a distribution statistically close to , whenever is not empty such that .

The following lemma consists of algorithms for generating bases for lattices collected from the sampling technique in the work of Agrawal et al. [ABB10a] and the algorithm from the work of Micciancio et al. [MP12, Theorem 5.1] which will be used in our construction. Note that the algorithm in [MP12] is different from the algorithm from [ABB10a] in Lemma 9 above.

Lemma 10.

Let , , , . Let .

• Let be a basis for , and . Then there exists a PPT algorithm that outputs a basis of .

• Let , , and let be an invertible matrix. Let . Then for , there exists a PPT algorithm that outputs a matrix distributed statistically close to s.t. .
In particular, there exits a PPT algorithm that outputs a basis of which distributes statistically close to , i.e., .

Here, we note that the algorithm basically runs many times until there are enough linearly independent output vectors to form a basis of . According to [ABB10b], samples are needed in expectation to get the basis for .

Peikert [Pei09] shows how to construct a basis for from a basis for .

Theorem 11.

For , let be a matrix in and let . Let be a basis of . There is a deterministic polynomial time algorithm that outputs a basis for such that .

We will also use the following lemma in the decryption algorithm to recover the message.

Lemma 12.

Let be a uniformly random matrix in where . Let be a basis of . Given where , with , there exists an algorithm that outputs and with overwhelming probability.

It can be easily seen that the lemma is true since the algorithm works by computing . We have , so . Since is a basis of lattice , has linearly independent columns, one can simply use the Gaussian elimination to recover and then get . Finally, can be recovered by Gaussian elimination because has at least linearly independent column vectors.

3 AHIBET Construction over Integer Lattices

• Let be the security parameter, be the hierarchy depth and identities are vector () where all components are in .

• Let be a full-rank difference encoding (FRD) from [ABB10a] s.t. for all distinct , is an invertible matrix.

• Let be a collision resistant hash function.

• For an integer , , the algorithm returns if is closer to than to modulo ; otherwise, it returns .

In the construction of the AHIBET scheme, we assume each identity can only be given exactly one tracing key .

Setup()

On input security parameter and a maximum hierarchy depth , set the parameters as in section 3.1, the algorithm does:

1. Sample uniformly random matrices , and .

2. Set , and choose uniformly at random.

3. Output the master public key and the master secret key

Extract()

On input the master pubic key , the master secret key and an identity of level , the algorithm generates secret key for as follows:

1. Compute .

2. Sample s.t. .

3. Output .

Derive()

On input the master pubic key , a secret key corresponding to an identity at depth and an identity of level , the algorithm generates secret key for as follows:

1. Set with .

2. Sample s.t. .

3. Output .

TskGen()

On input the master pubic key , the master secret key and an identity , the algorithm generates the tracing key for as follows:

1. Compute .

2. Sample s.t. .

3. Sample .

4. Output .

Encrypt()

On input the master pubic key , the algorithm encrypts the message for identity at depth as follows:

1. Compute .

2. Sample .

3. Sample a uniformly random vector .

4. Choose noise vectors , .

5. Set

 cT0=sTA+eT0,     cT1=sTBid+eT1,     cT2=sTU1+eT2+mT⌊q2⌋,

and

 cT