On the Analysis of the Revocable-Storage Identity-Based Encryption Scheme
Kwangsu Lee

TL;DR
This paper critically analyzes a revocable-storage identity-based encryption scheme for cloud data sharing, identifies correctness issues, and proposes modifications to ensure security and proper functionality.
Contribution
It reveals correctness flaws in Wei et al.'s RS-IBE scheme and introduces a corrected, secure version of the scheme.
Findings
Wei et al.'s RS-IBE scheme is incorrect in its original form.
A modified scheme achieves correctness and security.
The corrected scheme is suitable for secure cloud data sharing.
Abstract
Cloud computing can provide a flexible way to effectively share data among multiple users since it can overcome the time and location constraints of computing resource usage. However, the users of cloud computing are still reluctant to share sensitive data to a cloud server since the cloud server should be treated as an untrusted entity. In order to support secure and efficient data sharing in cloud computing environment, Wei et al. recently extended the concept of identity-based encryption (IBE) to support key revocation and ciphertext update functionalities, and proposed a revocable-storage identity-based encryption (RS-IBE) scheme. In this paper, we show that the RS-IBE scheme of Wei et al. does not satisfy the correctness property of RS-IBE. In addition, we propose a method to modify the existing RS-IBE scheme to be a correct and secure scheme.
On the Analysis of the Revocable-Storage Identity-Based Encryption Scheme
Kwangsu Lee (Sejong University, Seoul, Korea. Email: [email protected])
Keywords: Cloud computing, Identity-based encryption, Revocable-storage, Ciphertext update.
1 Introduction
Cloud computing is a new paradigm of computing system that provides computing resources such as computing power or data storage according to the needs of users. The advantage of cloud computing is that cloud service users can use computing resources as a service at low cost, at any time and from anywhere through the Internet. Many technology companies provide various types of cloud services. The main difference between traditional server computing and cloud computing is that a cloud service provider can no longer be regarded as a trusted entity. In other words, the cloud service provider should be treated as an honest-but-curious adversary.
A typical application of cloud computing is to securely share data among a large number of users. In this system, the data confidentiality should be provided because the cloud service provider is no longer a trusted entity. In addition, if a user’s credential is expired or the user’s private key is compromised, then a proper revocation method should be provided to handle this user. Furthermore, even if a revoked user tries to access past data stored in the cloud server through collusion attacks, the security of data should be guaranteed. Therefore, a secure data sharing system in the cloud server should consider various security issues described above.
Recently, a revocable-storage identity-based encryption (RS-IBE) scheme for secure data sharing in cloud storage was proposed by Wei et al. [7]. The basic idea of this RS-IBE scheme is to modify an identity-based encryption (IBE) scheme to additionally support the key revocation and ciphertext update functionalities. In particular, they used the IBE scheme of Waters as the underlying IBE scheme and the tree-based key revocation scheme of Boldyreva et al. [1] for key revocation. Additionally, they modified their scheme to support efficient ciphertext update by following the idea of forward-secure cryptographic systems.
In this paper, we show that there is a serious problem in the RS-IBE scheme of Wei et al. That is, if a ciphertext generated at time is updated to another ciphertext with time by the ciphertext update algorithm, then this updated ciphertext with time cannot be decrypted by using a decryption key with time . The reason for this decryption failure is that the decryption algorithm uses a random value which is different from the random value used to encrypt the message whenever a ciphertext has been updated. A more detailed explanation of this problem is given later in this work. To remedy this problem, we propose a method to modify the RS-IBE scheme of Wei et al. to be a secure scheme without the decryption failure problem.
The organization of the paper is as follows. In Section 2, we review the definition and scheme of RS-IBE proposed by Wei et al. In Section 3, we point out that there is a correctness problem in Wei et al.’s RS-IBE scheme. In Section 4, we propose a method to solve this problem by. Finally, we conclude the paper in Section 5.
2 Review of the RS-IBE Scheme
In this section, we review the definition of RS-IBE including the correctness property and describe the RS-IBE scheme of Wei et al.
2.1 Revocable-Storage Identity-Based Encryption
Definition 2.1 (Revocable-Storage Identity-Based Encryption).
A revocable-storage identity-based encryption (RS-IBE) scheme consists of eight algorithms Setup, GenKey, UpdateKey, DeriveDK, Encrypt, UpdateCT, Decrypt, and Revoke, which are defined as follows:
Setup(). The setup algorithm takes as input a security parameter , the maximum number of users , and the total number of time periods . It outputs a master key and public parameters .
GenKey(). The key generation algorithm takes as input an identity , the master key , and the public parameters . It outputs a private key .
UpdateKey(). The key update algorithm takes as input update time , a revocation list , the master key , a state , and the public parameters . It outputs a key update .
DeriveDK(). The decryption key derivation algorithm takes as input a private key , a key update , and the public parameters . It outputs a decryption key .
Encrypt(). The encryption algorithm takes as input an identity , time , a message , and the public parameters . It outputs a ciphertext .
UpdateCT(). The ciphertext update algorithm takes as input a ciphertext , update time , and the public parameters . It outputs an updated ciphertext .
Decrypt(). The decryption algorithm takes as input a ciphertext , a decryption key , and the public parameters . It outputs a message or .
Revoke(). The revocation algorithm takes as input an identity , revoked time , a revocation list , and a state . It outputs an updated revocation list .
The correctness property of RS-IBE is defined as follows: For all generated by Setup, any generated by for any , any generated by for any , generated by for any , if is not revoked at time in , then it is required that can be derived by and
- If , then .
- If , then .
Additionally, it is required that the ciphertext distribution of is statistically equal to that of .
2.2 Wei et al.’s RS-IBE Construction
To provide key revocation functionality, the RS-IBE scheme of Wei et al. [7] follows the binary tree-based broadcast encryption method proposed by Boldyreva et al. [1]. Let be a binary tree for handling key revocation. A user is randomly assigned to a leaf node in this . The private key of a user with an identity is then associated with the set of nodes defined by , which is the set of path nodes from the root node to the leaf node , and a key update at time is associated with the set of covering nodes defined by , which is the set of nodes that cover all non-revoked leaf nodes at time . If the leaf node (or the private key) of a user is not revoked at time , then there is a common node satisfying . A ciphertext at time can then be decrypted by using the private key element and the key update element corresponding to the node . For the detailed description of , please refer to the work of Boldyreva et al. [1].
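The following Python is an added illustration of the revocation structure just described; it is not code from the paper or from Boldyreva et al. Nodes of the binary tree are bit strings, `path` is Path(x_ID) (all prefixes of the leaf label), and `ku_nodes` computes the complete-subtree cover that plays the role of KUNodes(BT, RL, T): the minimal set of subtrees containing no revoked leaf. The tree depth and revocation list are constructed for the example; the function names are the example's own.

```python
"""Added example: complete-subtree key revocation on a binary tree, as used for
KUNodes in Boldyreva et al.'s method.  Nodes are labelled by bit strings:
'' is the root, '0'/'1' are its children, and a leaf has `depth` bits.
Tree depth and the revocation list below are constructed for the example."""

from itertools import product


def leaf_label(index: int, depth: int) -> str:
    """Leaf assigned to the `index`-th user of a tree with 2**depth leaves."""
    return format(index, f"0{depth}b")


def path(leaf: str) -> set:
    """Path(x_ID): every node from the root down to the leaf (all prefixes)."""
    return {leaf[:i] for i in range(len(leaf) + 1)}


def leaves_below(node: str, depth: int) -> set:
    """All leaves in the subtree rooted at `node`."""
    return {node + "".join(bits) for bits in product("01", repeat=depth - len(node))}


def ku_nodes(depth: int, revoked: set) -> set:
    """KUNodes(BT, RL, T): the minimal set of nodes whose subtrees together
    contain exactly the non-revoked leaves (complete-subtree cover)."""
    def cover(node: str) -> set:
        if not (leaves_below(node, depth) & revoked):
            return {node}                      # clean subtree: one key update suffices
        if len(node) == depth:
            return set()                       # a revoked leaf gets no update
        return cover(node + "0") | cover(node + "1")
    return cover("")


def common_node(leaf: str, depth: int, revoked: set):
    """The node DeriveDK needs: Path(leaf) ∩ KUNodes.  The cover consists of
    disjoint subtrees, so a path meets it in at most one node; None means revoked."""
    common = path(leaf) & ku_nodes(depth, revoked)
    return next(iter(common)) if common else None


if __name__ == "__main__":
    depth = 3                                  # 8 users
    revoked = {leaf_label(2, depth)}           # constructed: user 2 (leaf '010') is revoked
    print("KUNodes:", sorted(ku_nodes(depth, revoked)))
    for user in range(2 ** depth):
        leaf = leaf_label(user, depth)
        print(user, leaf, common_node(leaf, depth, revoked))
```

With one revoked leaf '010' in a depth-3 tree the cover is {'00', '011', '1'}: every non-revoked user finds exactly one node shared by its path and the key update, while the revoked user finds none, which is the case in which DeriveDK returns failure.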
To provide ciphertext update functionality, this RS-IBE scheme uses the binary tree idea of Canetti et al. [2] used to build forward-secure encryption schemes. Note that the binary tree idea for time management was widely used in other RS-ABE schemes [6, 4, 5, 3]. Let be a binary tree to handle time in a ciphertext. Each time is sequentially allocated to a leaf node in from left to right, and is defined as where is a set of of any node [6, 4]. Note that Wei et al. wrongly defined because this (wrongly defined) set can include the left child node of , which would allow access to a past time node. To support ciphertext update, a ciphertext is constructed to have ciphertext elements associated with . The main property of CTNodes is that if , a ciphertext with can be updated to a ciphertext with because for any node there is a node that matches and the ciphertext component for can be delegated to be a ciphertext for . For other properties of CTNodes, please refer to the work of Sahai et al. [6].
The RS-IBE scheme of Wei et al. is described as follows:
Setup():
Let be the security parameter, be the maximum number of users, and be the total number of time periods. It chooses a bilinear group with a prime order . It selects random and , and sets . It also chooses random and defines , where and are the th bit of and respectively. It sets a binary tree with number of leaf nodes and sets a revocation list , a state . It outputs a master key , and public parameters $PP = \big( (p, \mathbb{G}, \mathbb{G}_T, e), g, g_1, g_2, \{u_i\}_{i=0}^{n}, \{h_i\}_{i=0}^{\ell} \big)$.
GenKey():
It assigns to a leaf node . For each node , it performs:
- It fetches from the node . If is not defined before, then it chooses random and stores the pair in the node .
- It chooses random and obtains $SK_{ID,x} = \big( K_{x,0} = g_{x,0}^{\alpha} F_u(ID)^{r_{x,0}},\ K_{x,1} = g^{r_{x,0}} \big)$. Finally, it outputs a private key $SK_{ID} = \big( \{(x, SK_{ID,x})\}_{x \in \textbf{Path}(x_{ID})} \big)$ and an updated .
UpdateKey():
For each node , it performs:
- It fetches from the node . If is not defined, then it sets the value similar to the key generation algorithm.
- It chooses random and obtains $KU_{T,x} = \big( U_0 = g_{x,1}^{\alpha} F_h(T)^{r_{x,1}},\ U_1 = g^{r_{x,1}} \big)$. Finally, it outputs a key update $KU_T = \big( \{(x, KU_{T,x})\}_{x \in \textbf{KUNodes}(\mathcal{BT}, RL, T)} \big)$.
DeriveDK():
It finds a common node in both and . If it fails to find one, then it returns . Note that if was not revoked during the time period , then there exists such a node . For this node , it retrieves and from and respectively. It chooses random and outputs a decryption key $DK_{ID,T} = \big( D_1 = K_{x,0} \cdot U_{x,0} \cdot F_u(ID)^{r_0} \cdot F_h(T)^{r_1},\ D_2 = K_{x,1} \cdot g^{r_0},\ D_3 = U_{x,1} \cdot g^{r_1} \big)$.
Encrypt():
Let be a binary tree for time periods and be a leaf node associated with in . It chooses random and computes . For each node , it performs:
- It chooses random and sets if .
- It calculates $CT_v = \big( C_{v,0} = \big( h_0 \prod_{j=1}^{|b_v|} h_j^{b_v[j]} \big)^{s_v},\ C_{v,|b_v|+1} = h_{|b_v|+1}^{s_v},\ \ldots,\ C_{v,\ell} = h_{\ell}^{s_v} \big)$.
Finally, it outputs a ciphertext $CT_{ID,T} = \big( ID, T, C_0, C_1, C_2, \{CT_v\}_{v \in \textbf{CTNodes}(\mathcal{ET}, T)} \big)$.
UpdateCT():
Let be leaf nodes in assigned to , respectively. If , then it returns to indicate that is invalid. It chooses random and computes . For each node , it performs:
- It finds a node such that is a prefix of .
- It chooses random and sets if .
- It calculates $CT_{v'} = \big( C_{v',0} = C_{v,0} \cdot \prod_{j=|b_v|+1}^{|b_{v'}|} C_{v,j} \cdot \big( h_0 \prod_{j=1}^{|b_{v'}|} h_j^{b_{v'}[j]} \big)^{s_{v'}},\ C_{v',|b_{v'}|+1} = C_{v,|b_{v'}|+1} \cdot h_{|b_{v'}|+1}^{s_{v'}},\ \ldots,\ C_{v',|b_{v'}|+\ell} = C_{v,\ell} \cdot h_{\ell}^{s_{v'}} \big)$.
Finally, it outputs an updated ciphertext $CT_{ID,T'} = \big( ID, T', C'_0, C'_1, C'_2, \{CT_{v'}\}_{v' \in \textbf{CTNodes}(\mathcal{ET}, T')} \big)$.
Decrypt():
Let . If , then it returns . Otherwise, it updates to obtain , where , by running . It outputs a message by computing , where is the leaf node associated with .
Revoke():
It adds to and returns the updated .
Wei et al. claimed that the above RS-IBE scheme is correct and secure if the -BDHE assumption holds.
3 Analysis of the RS-IBE Scheme
In this section, we show that the above RS-IBE scheme is not correct since the decryption fails if the ciphertext time is less than the decryption key time .
Lemma 3.1.
Let be a binary tree for time periods and be leaf nodes associated with time , respectively. If , then there exists a node but . That is, , is an ancestor node of , and .
Proof.
By the main property of CTNodes, we have that for any node there is a common node such that if . Therefore, for both nodes and associated with time and , there exists a node . Now, let's show that the node and the node are different. In the given condition, is established, and each time is sequentially assigned to a leaf node in . Therefore, the two nodes are different since and they are assigned to leaf nodes. Since the node belongs to the path nodes , the node can never be a leaf node if . Therefore, is established, since and is a leaf node. ∎
Theorem 3.2.
Let be a ciphertext associated with time and be a decryption key associated with time . If , then the ciphertext cannot be decrypted by using the decryption key in the decryption algorithm.
Proof.
To prove this theorem, we first analyze nodes in the binary tree which are associated with the ciphertext elements used in the decryption algorithm and then analyze how the random exponents of these ciphertext elements are constructed. After that, we argue that the decryption algorithm will fail due to the random exponents of the ciphertext elements which are used for decryption.
The decryption algorithm takes an original ciphertext and a decryption key as input. Then, it performs the UpdateCT algorithm to derive an updated ciphertext since . Next, it uses the updated ciphertext element , which is related to a leaf node associated with the time , for the decryption. Here, the UpdateCT algorithm finds the node which is an ancestor node of and belongs to the set , and delegates the ciphertext element to obtain the ciphertext element . From the Lemma 3.1, we have that the node which belongs to is not equal to the node if .
Now, we analyze random exponents in the original ciphertext which are associated with the nodes in . The encryption algorithm generates ciphertext elements for nodes in . According to the encryption algorithm, for each node , if , then the same random exponent which is used for message encryption is used to generate . If , then a new random exponent is selected to generate . However, since from the previous Lemma 3.1, the random exponent is not equal to with high probability where is used for the node .
The decryption algorithm finally calculates the following equation by using the ciphertext elements and decryption elements.
[TABLE]
Note that we ignored the re-randomization process since it does not affect our analysis. In order to correctly obtain the message contained in the ciphertext, it is required that should be satisfied. However, in the previous analysis, this relation cannot be satisfied because the ciphertext element associated with the node of the original ciphertext uses a new random exponent . Thus, the decryption can be successful if , but the decryption always fails except with negligible probability if . ∎
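The following Python is an added example, not code from the paper or from Wei et al., that walks through the CTNodes structure of Section 2.2 and the argument of Lemma 3.1 and Theorem 3.2 on a small time tree. Instead of group elements it tracks only the label of the random exponent carried by each ciphertext element ('s' for the exponent used in the message component, 's_v' for a fresh one), which is all that decides whether Decrypt can cancel the mask. Assumptions made for the example: CTNodes(ET, T) is taken as {v_T} together with the right siblings of the nodes on Path(v_T), which is the smallest set of subtrees covering exactly the times T' >= T (the page's own symbolic definition did not survive extraction); the tree depth and time values are constructed; re-randomisation is ignored as in the proof above. A `reuse_s` switch models the variant in which every node reuses s, which restores correctness but, as Section 4 explains, is not a secure fix.

```python
"""Added example: the time tree of the ciphertext-update mechanism, with the
random exponent of each ciphertext element tracked symbolically.  Group
arithmetic is replaced by labels: 's' is the exponent of the message component
C_0, 's_<node>' a fresh exponent chosen for node <node>.  Decryption can cancel
the mask only if the element it uses carries 's', so comparing labels shows
whether Decrypt succeeds.  Tree depth, time values and the CTNodes definition
below are assumptions made for this example."""


def time_leaf(t: int, depth: int) -> str:
    """Time periods 0 .. 2**depth - 1 fill the leaves from left to right."""
    return format(t, f"0{depth}b")


def path(leaf: str) -> list:
    """Path(v_T): root-to-leaf prefixes, shortest first."""
    return [leaf[:i] for i in range(len(leaf) + 1)]


def right_siblings(nodes) -> set:
    """Right sibling of every node in `nodes` that is a left child (label ends in '0')."""
    return {n[:-1] + "1" for n in nodes if n.endswith("0")}


def ct_nodes(t: int, depth: int) -> set:
    """CTNodes(ET, T), assumed here as {v_T} ∪ RightSibling(Path(v_T)): the smallest
    set of subtrees covering exactly the leaves of times T' >= T, so no element
    can be delegated to a past time (the left-child issue the paper points out)."""
    leaf = time_leaf(t, depth)
    return {leaf} | right_siblings(path(leaf))


def covered_times(nodes, depth: int) -> list:
    """Time periods whose leaf lies under some node in `nodes` (sanity check)."""
    return sorted(t for t in range(2 ** depth)
                  if any(time_leaf(t, depth).startswith(v) for v in nodes))


def encrypt_exponents(t: int, depth: int, reuse_s: bool = False) -> dict:
    """Encrypt as in Wei et al.: the leaf v_T reuses the message exponent s, every
    other node gets a fresh s_v.  reuse_s=True models the naive variant that uses
    s everywhere (correct, but not a secure fix)."""
    leaf = time_leaf(t, depth)
    return {v: "s" if (reuse_s or v == leaf) else f"s_{v}" for v in ct_nodes(t, depth)}


def update_exponents(ct: dict, t_new: int, depth: int):
    """UpdateCT: each node of CTNodes(T') inherits the exponent of the ciphertext
    node that is its prefix (re-randomisation ignored, as in the paper's analysis).
    Returns None when some node has no prefix in the ciphertext, i.e. T' < T."""
    new = {}
    for v2 in ct_nodes(t_new, depth):
        prefixes = [v for v in ct if v2.startswith(v)]
        if not prefixes:
            return None
        new[v2] = ct[max(prefixes, key=len)]
    return new


def decryption_succeeds(ct: dict, t_ct: int, t_dk: int, depth: int) -> bool:
    """Decrypt: refuse if T_dk < T_ct, update the ciphertext to T_dk if needed, then
    use the element of leaf v_{T_dk}; the mask cancels only if it carries 's'."""
    if t_dk < t_ct:
        return False
    ct_dk = ct if t_dk == t_ct else update_exponents(ct, t_dk, depth)
    return ct_dk is not None and ct_dk[time_leaf(t_dk, depth)] == "s"


if __name__ == "__main__":
    depth, t = 3, 2                                    # constructed: 8 periods, encrypt at T = 2
    ct = encrypt_exponents(t, depth)
    print("CTNodes(T=2):", sorted(ct.items()))         # leaf '010' carries 's', the others fresh
    print("covers times", covered_times(ct, depth))    # times 2..7 and nothing earlier
    for t_dk in range(2 ** depth):
        print(f"T_dk={t_dk}: decrypts={decryption_succeeds(ct, t, t_dk, depth)}")
```

Running it on the constructed instance shows the theorem concretely: a ciphertext for T = 2 decrypts with a key for T = 2, but for every T' > 2 the leaf element produced by UpdateCT descends from a node other than v_T and therefore carries a fresh exponent, so decryption fails; with `reuse_s=True` every updated leaf carries s and decryption succeeds for all T' >= T.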
4 Modification to the RS-IBE Scheme
In the previous section, we have shown that the RS-IBE scheme of Wei et al. does not satisfy the correctness, which is the minimum requirement that the cryptographic scheme must satisfy, due to the problem of random exponents in the encryption algorithm. In this section, we propose a modification to the RS-IBE scheme of Wei et al. to guarantee the correctness and the security.
A simple way to modify the RS-IBE scheme of Wei et al. [7] is to force the ciphertext elements associated with to use the same random exponent which is used to encrypt a message in the ciphertext component . In this case, the decryption algorithm no longer fails when the ciphertext is updated, since for all nodes . However, this simple modification does not lead to a secure RS-IBE scheme. The reason is that if multiple nodes are provided with ciphertext elements associated with the same random , anyone can use these elements to modify the original ciphertext element with the current time to derive another ciphertext element with a past time. This makes it possible for a revoked user to modify the ciphertext with the current time to obtain a ciphertext with a past time and decrypt the original ciphertext. Therefore, this simple method does not work.
A secure and efficient method to modify the RS-IBE scheme is to use a cryptographic scheme that supports ciphertext update functionality. Lee et al. [4, 5, 3] introduced the concept of self-updatable encryption and proposed secure SUE schemes that efficiently handle ciphertext updates. Thus, we can modify the RS-IBE scheme of Wei et al. to use the SUE scheme for the ciphertext update components and key update components. The secure SUE scheme proposed by Lee et al. supports correct decryption although it uses different random exponents in ciphertext elements associated with . Additionally, this modified RS-IBE scheme can reduce the number of ciphertext elements from to because of the efficiency of the SUE scheme. We also note that the existing RS-ABE scheme can be easily converted to an RS-IBE scheme by changing the attribute set of ABE to the identity of IBE.
5 Conclusion
In this paper, we pointed out that the RS-IBE scheme of Wei et al. does not provide the correctness property. The problem of the RS-IBE scheme was that when a ciphertext with time is updated to a ciphertext with time , this updated ciphertext cannot be decrypted by using a decryption key with time . The main reason for this problem was that the random exponent of the ciphertext element associated with a tree node corresponding to time was not the same as the random exponent used to encrypt a message in the ciphertext. This decryption problem cannot be solved in a simple way, so we proposed a method to modify the previous RS-IBE scheme to be a secure and efficient RS-IBE scheme using a self-updatable encryption scheme.
References
[1] Alexandra Boldyreva, Vipul Goyal, and Virendra Kumar. Identity-based encryption with efficient revocation. In Peng Ning, Paul F. Syverson, and Somesh Jha, editors, ACM Conference on Computer and Communications Security - CCS 2008, pages 417–426. ACM, 2008.
[2] Ran Canetti, Shai Halevi, and Jonathan Katz. A forward-secure public-key encryption scheme. In Eli Biham, editor, Advances in Cryptology - EUROCRYPT 2003, volume 2656 of Lecture Notes in Computer Science, pages 255–271. Springer, 2003.
[3] Kwangsu Lee. Self-updatable encryption with short public parameters and its extensions. Des. Codes Cryptogr., 79(1):121–161, 2016.
[4] Kwangsu Lee, Seung Geol Choi, Dong Hoon Lee, Jong Hwan Park, and Moti Yung. Self-updatable encryption: Time constrained access control with hidden attributes and better efficiency. In Kazue Sako and Palash Sarkar, editors, Advances in Cryptology - ASIACRYPT 2013, volume 8269 of Lecture Notes in Computer Science, pages 235–254. Springer, 2013.
[5] Kwangsu Lee, Seung Geol Choi, Dong Hoon Lee, Jong Hwan Park, and Moti Yung. Self-updatable encryption: Time constrained access control with hidden attributes and better efficiency. Theor. Comput. Sci., 667:51–92, 2017.
[6] Amit Sahai, Hakan Seyalioglu, and Brent Waters. Dynamic credentials and ciphertext delegation for attribute-based encryption. In Reihaneh Safavi-Naini and Ran Canetti, editors, Advances in Cryptology - CRYPTO 2012, volume 7417 of Lecture Notes in Computer Science, pages 199–217. Springer, 2012.
[7] Jianghong Wei, Wenfen Liu, and Xuexian Hu. Secure data sharing in cloud computing using revocable-storage identity-based encryption. IEEE Trans. Cloud Computing, 6(4):1136–1148, 2018.
