1 Introduction

Identity-based encryption (IBE) is a concept introduced by Shamir in [Sha84] that allows encrypting for a specific recipient using solely his identity (for example an email address or phone number) instead of a public key. Decryption is done with a user secret key for the said identity, obtained from a trusted authority. This concept avoids the use of a Public Key Infrastructure to obtain a user’s public key securely. This was the main argument for building such a scheme; however, many works show that Identity-based Encryption schemes can also be used to build other primitives, such as Adaptive Oblivious Transfer [GH07, BCG16].

The first instantiations of an IBE scheme arose in 2001 [Coc01, BF01, SOK00]. It was only in 2005, in [Wat05], that the first construction with adaptive security in the standard model was proposed. Adaptive security means that an adversary may select the challenge identity \(\mathsf {id}^*\) after seeing the public key and arbitrarily many user secret keys for identities of his choice. The concept of IBE generalizes naturally to hierarchical IBE (HIBE). In an L-level HIBE, hierarchical identities are vectors of identities of maximal length L, and user secret keys for a hierarchical identity can be delegated. An IBE is simply an L-level HIBE with \(L=1\).

From One Receiver to Multi-receiver Setting: Introduction of Wildcard. As in the case of public-key encryption, passing from the one-receiver setting to the multi-receiver setting is an important step. To this end, wildcard IBE (WIBE) was introduced in [ACD+06], where the wildcard symbol (*) is added to identities in order to encrypt for a broad range of users at once. Along the same line, another generalization called WKD-IBE [AKN07] allows a joker (*) symbol in users’ secret keys so that several targeted identities can be decrypted with a single key. Many other primitives, namely identity-based broadcast encryption [AKN07], identity-based traitor tracing [ADML+07] and identity-based trace and revoke [PT11] schemes, can then be constructed from WIBE and WKD-IBE.

Is Wildcard Really Necessary for the Multi-receiver Setting? While the introduction of the wildcard is very interesting, it makes the construction of WIBE and Wicked-IBE more complicated and thus less efficient than the underlying IBE. Basically, the alphabet is extended from a conventional binary alphabet to a ternary alphabet \(\{0,1,*\}\), and the wildcard \(*\) is treated in a special way, different from \(\{0,1\}\). Besides efficiency, there is often a significant loss when reducing the security of the WIBE or Wicked-IBE to the underlying IBE.

We are thus interested in the following question: can we avoid wildcards when considering IBE in the multi-receiver setting? This paper gives a positive answer. We propose a new property for IBE, called downgradable IBE (DIBE). While keeping the binary alphabet unchanged, we show that downgradable IBE is no less powerful than the other wildcard-based IBEs: efficient transformations from downgradable IBE to wildcard-based IBE schemes will be given.

Interestingly, avoiding the wildcard helps us to get very efficient constructions. We simply need to show that the downgradable property can be obtained from existing constructions. A recent paper [KLLO18] found instantiations for Wicked-IBE and wildcarded IBE with good improvements over the previous schemes, showing the interest of research on this subject. Our instantiation of DIBE, once transformed into WIBE or Wkd-IBE, is even more efficient, allowing a constant-size ciphertext and a master public key linear in the size of the identity (instead of \(n^2\)), and it is fully secure under the standard DLin assumption. Indirectly, our instantiation also improves the identity-based broadcast encryption, identity-based traitor tracing and identity-based trace and revoke schemes which rely on WIBE and Wicked-IBE.

Toward Efficient Transformations from DIBE to ABE. Attribute-Based Encryption (ABE), introduced by Sahai and Waters [SW05], is a generalization of both identity-based encryption and broadcast encryption. It gives a flexible way to define the target group of people who can receive the message: the target set can be defined in a more structural way via access policies on the user’s attributes. While broadcast encryption can be obtained from WIBE, as far as we know there is still no generic construction of ABE from any variant of IBE. We will show a transformation from DIBE to ABE where the access policy is in DNF.

The papers [AKN07, FP12] show how some variants of IBE, WKD-IBE for the first one and HIBE for the second one, can be used to create broadcast encryption. ABE encompasses the notion of Broadcast Encryption, thus our work achieves the goal of constructing a complex primitive like ABE from the much simpler IBE.

1.1 This Work

Downgradable IBE. In this work we introduce the notion of Downgradable Identity-based Encryption (DIBE). A downgradable IBE is an identity-based encryption where a user possessing a key \(\mathsf {usk}[\mathsf {id}]\) for an identity \(\mathsf {id}\) can downgrade his key to any identity \(\tilde{\mathsf {id}}\) with the restriction that he can only turn 1s into 0s in his identity string. More formally, the set of reachable identities is \(\tilde{\mathsf {ID}} = \{\tilde{\mathsf {id}} \mid \forall i, \tilde{\mathsf {id}}_i=1 \Rightarrow \mathsf {id}_i=1\}\).

From Downgradable IBE to HIBE, WIBE, WKD-IBE. We later show that our new primitive encompasses the previous primitives, and that it can be tightly transformed into all of them. We then propose a generic framework and an instantiation inspired by [BKP14], and show that thanks to our transform we can obtain efficient WIBE and WKD-IBE. This can be seen as a new method to design wildcard-based IBE: one just needs to prove the downgradable property of the IBE and then apply our direct transformation.

Moving to Attribute-Based Encryption. We also show how to generically transform a Downgradable IBE into an Attribute-based Encryption by using the properties of the DIBE and associating each attribute to a bit in the identity bit string. Our instantiation of DIBE leads to a secure ABE scheme for boolean formulae in DNF (Fig. 6).

Fig. 1. Relations between primitives

1.2 Comparison to Existing Work

We propose a construction of DIBE inspired by the Hash-Proof based HIBE from [BKP14]. Interestingly, our construction combined with the WKD-DIBE and Wild-DIBE transformations is far more efficient than the existing WIBE and WKD-IBE. We compare them in Fig. 2, where we set the number of patterns and the size of the identity to the same value n; \(q_k\) corresponds to the number of the adversary’s key derivation queries, and \(\ell \) is the number of bits of identity that a user is allowed to delegate a key to (e.g. his height in the hierarchical tree). A more detailed comparison can be found in Sect. 7. The improvements both in terms of security and of efficiency make those schemes more suitable for practical applications.

Fig. 2. Efficiency comparison between our transformations and previous schemes

1.3 Open Problems

We managed to create an efficient Ciphertext-Policy Attribute-based Encryption for boolean formulae in DNF. This improves our knowledge of the relation between IBE and ABE. But ultimately, how close are IBE and ABE? Is it possible to extend our idea efficiently to fit other, or any, kinds of access structures?

2 Definitions

2.1 Notation

  • If \(\varvec{x} \in \mathcal {BS}^n\), then \(|\varvec{x}|\) denotes the length n of the vector. Further, \({x {\mathop {\leftarrow }\limits ^{{}_\$}}\mathcal {BS}}\) denotes the process of sampling an element x from set \(\mathcal {BS}\) uniformly at random.

  • If \(\mathbf {{A}} \in \mathbb {Z}_p^{(k+1) \times n}\) is a matrix, then denotes the upper matrix of \(\mathbf {{A}}\) and then denotes the last row of \(\mathbf {{A}}\).

  • We are going to define a relation \(\preceq \) between two strings s, t of the same length \(\ell \), such that \(s \preceq t\) if and only if \(\forall i \in \llbracket 1,\ell \rrbracket , s[i] \le t[i]\). As an extension, given a set S of strings of length \(\ell \) and a string t of the same length, we say that \(t \preceq S\) if there exists \(s \in S\) such that \(t \preceq s\). One has to pay attention that \(\preceq \) is not total: for example, 10 and 01 cannot be compared. Similarly, we define a relation \(\preceq _*\) between two strings s, t of the same length \(\ell \), such that \(s \preceq _* t\) if and only if \(\forall i \in \llbracket 1,\ell \rrbracket , s[i] \preceq t[i] \vee s[i]=*\).

  • Games. We use games for our security reductions. A game \(\mathsf {G}\) is defined by procedures \(\mathsf {Initialize}\) and \(\mathsf {Finalize}\), plus some optional procedures \(\mathsf {P}_1,\ldots , \mathsf {P}_n\). All procedures are given using pseudo-code, where initially all variables are undefined. An adversary \(\mathcal {A}\) is executed in game \(\mathsf {G}\) if it first calls \(\mathsf {Initialize}\), obtaining its output. Next, it may make arbitrary queries to \(\mathsf {P}_i\) (according to their specification), again obtaining their output. Finally, it makes one single call to \(\mathsf {Finalize}(\cdot )\) and stops. We define \(\mathsf {G}^\mathcal {A}\) as the output of \(\mathcal {A}\)’s call to \(\mathsf {Finalize}\).

2.2 Pairing Groups and Matrix Diffie-Hellman Assumption

Let \(\mathsf {GGen}\) be a probabilistic polynomial time (PPT) algorithm that on input \(1^\mathfrak {K}\) returns a description \((\mathbb {G}_1,\mathbb {G}_2,\mathbb {G}_T,q,g_1,g_2,e)\) of asymmetric pairing groups where \(\mathbb {G}_1\), \(\mathbb {G}_2\), \(\mathbb {G}_T\) are cyclic groups of order q for a \(\lambda \)-bit prime q, \(g_1\) and \(g_2\) are generators of \(\mathbb {G}_1\) and \(\mathbb {G}_2\), respectively, and \(e: \mathbb {G}_1\times \mathbb {G}_2 \rightarrow \mathbb {G}_T\) is an efficiently computable (non-degenerate) bilinear map. Define \(g_T:=e(g_1, g_2)\), which is a generator of \(\mathbb {G}_T\).

We use the implicit representation of group elements as introduced in [EHK+13]. For \(s \in \{1,2,T\}\) and \(a \in \mathbb {Z}_p\) define \([a]_s = g_s^a \in \mathbb {G}_s\) as the implicit representation of a in \(\mathbb {G}_s\). More generally, for a matrix \(\mathbf {{A}} = (a_{ij}) \in \mathbb {Z}_p^{n\times m}\) we define \([\mathbf {{A}}]_s\) as the implicit representation of \(\mathbf {{A}}\) in \(\mathbb {G}_s\). Obviously, given \([a]_s \in \mathbb {G}_s\) and a scalar \(x \in \mathbb {Z}_p\), one can efficiently compute \([ax]_s \in \mathbb {G}_s\). Further, given \([a]_1, [b]_2\) one can efficiently compute \([ab]_T\) using the pairing e. For \(\varvec{a}, \varvec{b} \in \mathbb {Z}_p^k\) define \(e([\varvec{a}]_1, [\varvec{b}]_2):= [\varvec{a}^\top \varvec{b}]_T \in \mathbb {G}_T\).

We recall the definition of the matrix Diffie-Hellman (\(\mathsf {MDDH} \)) assumption [EHK+13].

Definition 1

(Matrix Distribution). Let \(k\in \mathbb {N}\). We call \(\mathcal {D}_{k}\) a matrix distribution if it outputs matrices in \(\mathbb {Z}_p^{(k+1)\times k}\) of full rank k in polynomial time.

We assume the first k rows of \(\mathbf {{A}} {\mathop {\leftarrow }\limits ^{{}_\$}}\mathcal {D}_{k}\) form an invertible matrix. The \(\mathcal {D}_k\)-Matrix Diffie-Hellman problem is to distinguish the two distributions \(([\mathbf {{A}}], [\mathbf {{A}} \varvec{w}])\) and \(([\mathbf {{A}} ],[\varvec{u}])\) where \(\mathbf {{A}}{\mathop {\leftarrow }\limits ^{{}_\$}}\mathcal {D}_{k}\), \(\varvec{w}{\mathop {\leftarrow }\limits ^{{}_\$}}\mathbb {Z}_p^k\) and \(\varvec{u}{\mathop {\leftarrow }\limits ^{{}_\$}}\mathbb {Z}_p^{k+1}\).

Definition 2

 Let \(\mathcal {D}_{k}\) be a matrix distribution and \(s \in \{1,2,T\}\). We say that the \(\mathcal {D}_{k}\)-Matrix Diffie-Hellman (\(\mathcal {D}_{k}\)-\(\mathsf {MDDH}\)) Assumption holds relative to \(\mathsf {GGen}\) in group \(\mathbb {G}_s\) if for all PPT adversaries \(\mathcal {D}\),

$$\begin{aligned}&\mathbf {Adv}_{\mathcal {D}_{k},\mathsf {GGen}}(\mathcal {D}) \\:= & {} | \Pr [\mathcal {D}(\mathcal {G},[\mathbf {{A}}]_s, [\mathbf {{A}} \varvec{w}]_s)=1]-\Pr [\mathcal {D}(\mathcal {G},[\mathbf {{A}}]_s, [\varvec{u} ]_s) =1] |= { \textsf {negl}}(\lambda ), \end{aligned}$$

where the probability is taken over \(\mathcal {G}{\mathop {\leftarrow }\limits ^{{}_\$}}\mathsf {GGen}(1^\lambda )\), \(\mathbf {{A}} {\mathop {\leftarrow }\limits ^{{}_\$}}\mathcal {D}_{k}, \varvec{w} {\mathop {\leftarrow }\limits ^{{}_\$}}\mathbb {Z}_p^k, \varvec{u} {\mathop {\leftarrow }\limits ^{{}_\$}}\mathbb {Z}_p^{k+1}\). This assumption is Random Self Reducible.

2.3 Identity-Based Key Encapsulation

We now recall syntax and security of IBE in terms of an ID-based key encapsulation mechanism \(\mathsf {IBKEM}\). Every \(\mathsf {IBKEM}\) can be transformed into an ID-based encryption scheme \(\mathsf {IBE}\) using a (one-time secure) symmetric cipher.

Definition 3

(Identity-based Key Encapsulation Scheme). An identity-based key encapsulation (IBKEM) scheme \(\mathsf {IBKEM}\) consists of four PPT algorithms \(\mathsf {IBKEM}=(\mathsf {Gen},\mathsf {USKGen},\mathsf {Enc},\mathsf {Dec})\) with the following properties.

  • The probabilistic key generation algorithm \(\mathsf {Gen}(\mathfrak {K})\) returns the (master) public/secret key \((\mathsf {mpk},\mathsf {msk})\). We assume that \(\mathsf {mpk}\) implicitly defines a message space \(\mathcal{M}\), an identity space \(\mathsf {ID}\), a key space \(\mathcal {K}\), and a ciphertext space \(\mathsf {CS} \).

  • The probabilistic user secret key generation algorithm \(\mathsf {USKGen}(\mathsf {msk},\mathsf {id})\) returns the user secret-key \(\mathsf {usk}[\mathsf {id}]\) for identity \(\mathsf {id}\in \mathsf {ID}\).

  • The probabilistic encapsulation algorithm \(\mathsf {Enc}(\mathsf {mpk},\mathsf {id})\) returns the symmetric key \(\mathsf {sk}\in \mathcal {K}\) together with a ciphertext \(\mathsf {C}\in \mathsf {CS} \) with respect to identity \(\mathsf {id}\).

  • The deterministic decapsulation algorithm \(\mathsf {Dec}(\mathsf {usk}[\mathsf {id}],\mathsf {id},\mathsf {C})\) returns the decapsulated key \(\mathsf {sk}\in \mathcal{K}\) or the reject symbol \(\bot \).

For perfect correctness we require that for all \(\mathfrak {K}\in \mathbb {N}\), all pairs \((\mathsf {mpk},\mathsf {msk})\) honestly generated by \(\mathsf {Gen}(\mathfrak {K})\), all identities \(\mathsf {id}\in \mathsf {ID}\), all \(\mathsf {usk}[\mathsf {id}]\) generated by \(\mathsf {USKGen}(\mathsf {msk},\mathsf {id})\) and all \((\mathsf {sk},\mathsf {C})\) output by \(\mathsf {Enc}(\mathsf {mpk},\mathsf {id})\):

$$\Pr [\mathsf {Dec}(\mathsf {usk}[\mathsf {id}],\mathsf {id},\mathsf {C})=\mathsf {sk}]=1.$$

The security requirements for an IBKEM we consider here are indistinguishability and anonymity against chosen plaintext and identity attacks (\(\mathsf {IND}\text {-}\mathsf {ID}\text {-}\mathsf {CPA}\) and \(\mathsf {ANON}\text {-}\mathsf {ID}\text {-}\mathsf {CPA}\)). Instead of defining both security notions separately, we define pseudorandom ciphertexts against chosen plaintext and identity attacks (\(\mathsf {PR}\text {-}\mathsf {ID}\text {-}\mathsf {CPA}\)) which means that challenge key and ciphertext are both pseudorandom. Note that \(\mathsf {PR}\text {-}\mathsf {ID}\text {-}\mathsf {CPA}\) trivially implies \(\mathsf {IND}\text {-}\mathsf {ID}\text {-}\mathsf {CPA}\) and \(\mathsf {ANON}\text {-}\mathsf {ID}\text {-}\mathsf {CPA}\). We define \(\mathsf {PR}\text {-}\mathsf {ID}\text {-}\mathsf {CPA}\)-security of \(\mathsf {IBKEM}\) formally via the games given in Fig. 3.

Fig. 3. Security games \(\mathsf {PR}\text {-}\mathsf {ID}\text {-}\mathsf {CPA}_{\mathsf {real}}\) and \(\mathsf {PR}\text {-}\mathsf {ID}\text {-}\mathsf {CPA}_{\mathsf {rand}}\) for defining \(\mathsf {PR}\text {-}\mathsf {ID}\text {-}\mathsf {CPA}\)-security.

Definition 4

(\(\mathsf {PR}\text {-}\mathsf {ID}\text {-}\mathsf {CPA}\) Security). An identity-based key encapsulation scheme \(\mathsf {IBKEM}\) is \(\mathsf {PR}\text {-}\mathsf {ID}\text {-}\mathsf {CPA}\)-secure if for all PPT \(\mathcal {A}\), \({\mathsf {Adv}}^{\mathsf {pr}\text {-}\mathsf {id}\text {-}\mathsf {cpa}}_{\mathsf {IBKEM}}(\mathcal {A}):=|\Pr [\mathsf {PR}\text {-}\mathsf {ID}\text {-}\mathsf {CPA}_{\mathsf {real}}^\mathcal {A}\Rightarrow 1]-\Pr [\mathsf {PR}\text {-}\mathsf {ID}\text {-}\mathsf {CPA}_{\mathsf {rand}}^\mathcal {A}\Rightarrow 1]|\) is negligible.

3 Downgradable Identity-Based Encryption

In this section we introduce the notion of Downgradable Identity-Based Encryption. There are already many different variants of IBE, and adding another one may seem unhelpful, but we stress that ours is not meant to be used as a simple scheme but as a key pillar to create ABE from IBE. Also, in Sect. 4 we explain the relations between the different variants of IBE and how DIBE can be transformed into them. For simplicity we express everything in terms of key encapsulation, as it can then be trivially transformed into an encryption scheme.

Definition 5

(Downgradable Identity-Based Key Encapsulation Scheme). A Downgradable identity-based key encapsulation (DIBKEM) scheme \(\mathsf {DIBKEM}\) consists of five PPT algorithms \(\mathsf {DIBKEM}=(\mathsf {Gen},\mathsf {USKGen},\mathsf {Enc},\mathsf {Dec}, \mathsf {USKDown})\) with the following properties.

  • The probabilistic key generation algorithm \(\mathsf {Gen}(\mathfrak {K})\) returns the (master) public/secret key \((\mathsf {mpk},\mathsf {msk})\). We assume that \(\mathsf {mpk}\) implicitly defines a message space \(\mathcal{M}\), an identity space \(\mathsf {ID}\), a key space \(\mathcal {K}\), and a ciphertext space \(\mathsf {CS} \).

  • The probabilistic user secret key generation algorithm \(\mathsf {USKGen}(\mathsf {msk},\mathsf {id})\) returns the user secret-key \(\mathsf {usk}[\mathsf {id}]\) for identity \(\mathsf {id}\in \mathsf {ID}\).

  • The probabilistic encapsulation algorithm \(\mathsf {Enc}(\mathsf {mpk},\mathsf {id})\) returns the symmetric key \(\mathsf {sk}\in \mathcal {K}\) together with a ciphertext \(\mathsf {C}\in \mathsf {CS} \) with respect to identity \(\mathsf {id}\).

  • The deterministic decapsulation algorithm \(\mathsf {Dec}(\mathsf {usk}[\mathsf {id}],\mathsf {id},\mathsf {C})\) returns the decapsulated key \(\mathsf {sk}\in \mathcal{K}\) or the reject symbol \(\bot \).

  • The probabilistic user secret key downgrade algorithm \(\mathsf {USKDown}(\mathsf {usk}[\mathsf {id}],\tilde{\mathsf {id}})\) returns the user secret-key \(\mathsf {usk}[\tilde{\mathsf {id}}]\) as long as \(\tilde{\mathsf {id}} \preceq \mathsf {id}\).

For perfect correctness we require that for all \(\mathfrak {K}\in \mathbb {N}\), all pairs \((\mathsf {mpk},\mathsf {msk})\) honestly generated by \(\mathsf {Gen}(\mathfrak {K})\), all identities \(\mathsf {id}\in \mathsf {ID}\), all \(\mathsf {usk}[\mathsf {id}]\) generated by \(\mathsf {USKGen}(\mathsf {msk},\mathsf {id})\) and all \((\mathsf {sk},\mathsf {C})\) output by \(\mathsf {Enc}(\mathsf {mpk},\mathsf {id})\):

$$\Pr [\mathsf {Dec}(\mathsf {usk}[\mathsf {id}],\mathsf {id},\mathsf {C})=\mathsf {sk}]=1.$$

We also require the distribution of \(\mathsf {usk}[\tilde{\mathsf {id}}]\) from \(\mathsf {USKDown}(\mathsf {usk}[\mathsf {id}],\tilde{\mathsf {id}})\) to be identical to the one from \(\mathsf {USKGen}(\mathsf {msk},\tilde{\mathsf {id}})\).

The security requirements we consider here are indistinguishability and anonymity against chosen plaintext and identity attacks (\(\mathsf {IND}\text {-}\mathsf {ID}\text {-}\mathsf {CPA}\) and \(\mathsf {ANON}\text {-}\mathsf {ID}\text {-}\mathsf {CPA}\)). Instead of defining both security notions separately, we define pseudorandom ciphertexts against chosen plaintext and identity attacks (\(\mathsf {PR}\text {-}\mathsf {ID}\text {-}\mathsf {CPA}\)) which means that challenge key and ciphertext are both pseudorandom. We define \(\mathsf {PR}\text {-}\mathsf {ID}\text {-}\mathsf {CPA}\)-security of \(\mathsf {DIBKEM}\) formally via the games given in Fig. 4.

Fig. 4. Security games \(\mathsf {PR}\text {-}\mathsf {ID}\text {-}\mathsf {CPA}_{\mathsf {real}}\) and \(\mathsf {PR}\text {-}\mathsf {ID}\text {-}\mathsf {CPA}_{\mathsf {rand}}\) for defining \(\mathsf {PR}\text {-}\mathsf {ID}\text {-}\mathsf {CPA}\)-security for \(\mathsf {DIBKEM}\).

Definition 6

(\(\mathsf {PR}\text {-}\mathsf {ID}\text {-}\mathsf {CPA}\) Security). A downgradable identity-based key encapsulation scheme \(\mathsf {DIBKEM}\) is \(\mathsf {PR}\text {-}\mathsf {ID}\text {-}\mathsf {CPA}\)-secure if for all PPT \(\mathcal {A}\), \({\mathsf {Adv}}^{\mathsf {pr}\text {-}\mathsf {id}\text {-}\mathsf {cpa}}_{\mathsf {DIBKEM}}(\mathcal {A}):=|\Pr [\mathsf {PR}\text {-}\mathsf {ID}\text {-}\mathsf {CPA}_{\mathsf {real}}^\mathcal {A}\Rightarrow 1]-\Pr [\mathsf {PR}\text {-}\mathsf {ID}\text {-}\mathsf {CPA}_{\mathsf {rand}}^\mathcal {A}\Rightarrow 1]|\) is negligible.

We stress the importance of the condition \((\lnot (\mathsf {id}^* \preceq {\mathcal Q}_{\mathsf {ID}})) \). It guarantees that the adversary did not query an identity whose key can be downgraded to the challenge identity, as this would allow a trivial attack: the adversary would simply run \(\mathsf {USKDown}\) on the queried key and decapsulate the challenge ciphertext.

4 Transformation to Classical Primitives

Here, we are going to show how a Downgradable IBE relates to other primitives from the same family. Note that there are notions generalizing WIBE and WKD-IBE, called WW-IBE, described in [ACP12], and SWIBE, described in [KLLO18], but their instantiations lead to impractical schemes. We can note that HIBE and WIBE have been linked in [AFL12]. Our work is motivated by achieving a fully secure HIBE, which would be inefficient using their construction.

4.1 From DIBE to WIBE

Wildcard Identity-Based Encryption is a concept introduced in [ACD+06]. The idea is to be able to encrypt a message for several identities by fixing some identity bits and leaving others free (symbolized by the \(*\)). Thus only people with an identity matching the one used to encrypt can decrypt. We say that \(\mathsf {id}\) matches \(\mathsf {id}'\) if \(\forall i\) \(\mathsf {id}_i=\mathsf {id}_i'\) or \(\mathsf {id}_i'=*\). Detailed definitions are included in the full version.

We are now given a \(\mathsf {DIBKEM}(\mathsf {Gen},\mathsf {USKGen},\mathsf {Enc},\mathsf {Dec}, \mathsf {USKDown})\), let us show how to build the corresponding Wild-IBKEM.

As with all the following constructions, the heart of the transformation is to use a \(\mathsf {DIBKEM}\) for identities of size \(2\ell \) to handle identities of size \(\ell \).

Let’s consider an identity \(\textsf {wid}\) of size \(\ell \), we define \(\mathsf {id}=\phi (\textsf {wid})\) as follows:

Now we can define:

  • \(\textsf {WIBE}.\mathsf {Gen}(\mathfrak {K}){:}~\mathsf {Gen}(\mathfrak {K})\), except that instead of defining \(\mathsf {ID}\) as strings of size \(2\ell \), we suppose the public key defines \(\textsf {WID}\), the space of enriched identities of size \(\ell \).

  • \(\textsf {WIBE}.\mathsf {USKGen}(\mathsf {sk},\mathsf {id})=\mathsf {USKGen}(\mathsf {sk},\phi (\mathsf {id}))\).

  • \(\textsf {WIBE}.\mathsf {Enc}(\mathsf {mpk},\mathsf {id})=\mathsf {Enc}(\mathsf {mpk},\phi (\mathsf {id}))\).

  • \(\textsf {WIBE}.\mathsf {Dec}(\mathsf {usk}[\mathsf {id}],\hat{\mathsf {id}},\mathsf {C})\) checks whether \(\hat{\mathsf {id}}\preceq \mathsf {id}\), then computes \(\mathsf {usk}[\phi (\hat{\mathsf {id}})]=\mathsf {USKDown}(\mathsf {usk}[\phi (\mathsf {id})],\phi (\hat{\mathsf {id}}))\). It returns \(\mathsf {Dec}(\mathsf {usk}[\phi (\hat{\mathsf {id}})],\hat{\mathsf {id}},\mathsf {C})\), or rejects with \(\bot \).

4.2 From DIBE to HIBE

Hierarchical Identity-Based Encryption is a concept introduced in [GS02]. The idea of this primitive is to introduce a hierarchy in the user secret keys: a user can derive, from his own secret key, a secret key for any identity having his own identity as a prefix. Detailed definitions are included in the full version.

This time, we are going to map the identity space to a bigger set, with a joker symbol that can be downgraded to either 0 or 1.

Let’s consider an identity \(\textsf {hid}\) of size \(\ell \), we define \(\mathsf {id}=\phi (\textsf {hid})\) as follows:

Now we can define:

  • \(\textsf {HIB}.\mathsf {Gen}(\mathfrak {K}){:}~\mathsf {Gen}(\mathfrak {K})\), except that instead of defining \(\mathsf {ID}\) as strings of size \(2\ell \), we suppose the public key defines \(\textsf {HID}\), the space of enriched identities of size \(\ell \).

  • \(\textsf {HIB}.\mathsf {USKGen}(\mathsf {sk},\mathsf {id})=\mathsf {USKGen}(\mathsf {sk},\phi (\mathsf {id}))\). It should be noted that in this case some identities are never queried to the downgradable IBKEM: those with 00 at positions \(2i, 2i+1\), or those with 11 at positions \(2i,2i+1\) followed by a 0 (these would correspond to punctured identities).

  • \(\textsf {HIB}.\mathsf {USKDel}(\mathsf {usk}[\mathsf {id}],\mathsf {id}\in \mathcal {BS}^p,\mathsf {id}_{p+1} )=\mathsf {USKDown}(\mathsf {usk}[\phi (\mathsf {id})],\phi (\mathsf {id}||\mathsf {id}_{p+1}))\). By construction we have \(\phi (\mathsf {id}||\mathsf {id}_{p+1}) \preceq \phi (\mathsf {id})\).

  • \(\textsf {HIB}.\mathsf {Enc}(\mathsf {mpk},\mathsf {id})=\mathsf {Enc}(\mathsf {mpk},\phi (\mathsf {id}))\).

  • \(\textsf {HIB}.\mathsf {Dec}(\mathsf {usk}[\mathsf {id}],{\mathsf {id}},\mathsf {C})\) returns \(\mathsf {Dec}(\mathsf {usk}[\phi ({\mathsf {id}})],\phi (\mathsf {id}),\mathsf {C})\) or the reject symbol \(\bot \).

4.3 From DIBE to Wicked IBE

The paper [AKN07] presents a variant of Identity-based Encryption called Wicked IBE (WKD-IBE). A wicked IBE, or wildcard key derivation IBE, is a generalization of the limited delegation concept of Boneh-Boyen-Goh [BBG05].

This scheme allows a secret key associated with a pattern \(P=(P_1, \ldots ,P_l) \in \{\{0,1\}^*\cup \{*\}\}^l\) to be delegated for a pattern \(P'=(P'_1, \ldots ,P'_{l'})\) that matches P. We say that \(P'\) matches P if \(\forall i \le l'\) \(P'_{i}=P_i\) or \(P_i=*\), and \(\forall l'+1 \le i \le l\) \(P_i=*\).

Here again, we are going to map the identity space to a bigger set.

Let’s consider an identity \(\textsf {wkdid}\) of size \(\ell \), we define \(\mathsf {id}=\phi (\textsf {wkdid})\) as follows:

Now we can define:

  • \(\textsf {WKDIB}.\mathsf {Gen}(\mathfrak {K}){:}~\mathsf {Gen}(\mathfrak {K})\), except that instead of defining \(\mathsf {ID}\) as strings of size \(2\ell \), we suppose the public key defines \(\textsf {WKDID}\), the space of enriched identities of size \(\ell \).

  • \(\textsf {WKDIB}.\mathsf {USKGen}(\mathsf {msk},\mathsf {id})=\mathsf {USKGen}(\mathsf {msk},\phi (\mathsf {id}))\). It should be noted that in the case of WKD-DIBE, some identities are never queried to the downgradable IBE: those containing 00.

  • \(\textsf {WKDIB}.\mathsf {USKDel}(\mathsf {usk}[\mathsf {id}],\mathsf {id},\mathsf {id}')=\mathsf {USKDown}(\mathsf {usk}[\phi (\mathsf {id})],\phi (\mathsf {id}),\phi (\mathsf {id}'))\).

  • \(\textsf {WKDIB}.\mathsf {Enc}(\mathsf {mpk},\mathsf {id})=\mathsf {Enc}(\mathsf {mpk},\phi (\mathsf {id}))\).

  • \(\textsf {WKDIB}.\mathsf {Dec}(\mathsf {usk}[\mathsf {id}],{\mathsf {id}},\mathsf {C})\) returns \(\mathsf {Dec}(\mathsf {usk}[\phi ({\mathsf {id}})],\phi (\mathsf {id}),\mathsf {C})\) or the reject symbol \(\bot \).

Remark 7

It can be noted that all those transformations end up using 4 possible values to encode a ternary alphabet, so one value is wasted in every given transformation. This could easily be avoided by using a more convoluted encoding; however, this is already enough to show the link between the constructions, and it also allows building a scheme that is both wicked and wildcarded.

4.4 From Wicked IBE to DIBE

We can easily transform a Wicked IBE scheme into a DIBE by using only identities made of 0 and \(*\). In fact, the element 1 of the DIBE plays the role of the \(*\) of the Wicked IBE. Morally, a DIBE can be seen as a Wicked IBE where the patterns are made of only 2 distinct elements instead of 3.

5 ABE

In this section, we consider Attribute Based Encryption (ABE) and present a transformation from DIBE to ABE. We recall the definition and the security requirement:

Definition 8

(Attribute-based Encryption). An Attribute-based encryption (ABE) scheme \(\mathsf {ABE}\) consists of four PPT algorithms \(\mathsf {ABKEM}=(\mathsf {Gen},\mathsf {USKGen},\mathsf {Enc},\mathsf {Dec})\) with the following properties.

  • The probabilistic key generation algorithm \(\mathsf {Gen}(\mathfrak {K})\) returns the (master) public/secret key \((\mathsf {pk},\mathsf {sk})\). We assume that \(\mathsf {pk}\) implicitly defines a message space \(\mathcal{M}\), an attribute space \(\mathsf {AS} \), and a ciphertext space \(\mathsf {CS} \).

  • The probabilistic user secret key generation algorithm \(\mathsf {USKGen}(\mathsf {sk},\mathbb {A})\) takes as input the master secret key \(\mathsf {sk}\) and a set of attributes \(\mathbb {A} \subset \mathsf {AS} \) and returns the user secret-key \(\mathsf {usk}[\mathbb {A}]\).

  • The probabilistic encryption algorithm \(\mathsf {Enc}(\mathsf {pk},\mathbb {F},M)\) returns a ciphertext \(\mathsf {C}\in \mathsf {CS} \) with respect to the access structure \(\mathbb {F}\).

  • The deterministic decryption algorithm \(\mathsf {Dec}(\mathsf {usk}[\mathbb {A}],\mathbb {F},\mathbb {A},\mathsf {C})\) returns the decrypted message \(M \in \mathcal{M}\) or the reject symbol \(\bot \).

For perfect correctness we require that for all \(\mathfrak {K}\in \mathbb {N}\), all pairs \((\mathsf {pk},\mathsf {sk})\) generated by \(\mathsf {Gen}(\mathfrak {K})\), all access structures \(\mathbb {F}\), all attribute sets \(\mathbb {A} \subset \mathsf {AS} \) satisfying \(\mathbb {F}\), all \(\mathsf {usk}[\mathbb {A}]\) generated by \(\mathsf {USKGen}(\mathsf {sk},\mathbb {A})\) and all \(\mathsf {C}\) output by \(\mathsf {Enc}(\mathsf {pk},\mathbb {F},M)\):

$$\Pr [\mathsf {Dec}(\mathsf {usk}[\mathbb {A}],\mathbb {F}, \mathbb {A},\mathsf {C})=M]=1.$$

As before, we subsume the classical security notions for an ABE under a single \(\mathsf {PR}\text {-}\mathsf {A}\text {-}\mathsf {CPA}\) notion, as described in Fig. 5.

Fig. 5. Security games \(\mathsf {PR}\text {-}\mathsf {A}\text {-}\mathsf {CPA}_{\mathsf {real}}\) and \(\mathsf {PR}\text {-}\mathsf {A}\text {-}\mathsf {CPA}_{\mathsf {rand}}\) for defining \(\mathsf {PR}\text {-}\mathsf {A}\text {-}\mathsf {CPA}\)-security.

Definition 9

(\(\mathsf {PR}\text {-}\mathsf {A}\text {-}\mathsf {CPA}\) Security). An attribute-based key encapsulation scheme \(\mathsf {ABKEM}\) is \(\mathsf {PR}\text {-}\mathsf {A}\text {-}\mathsf {CPA}\)-secure if for all PPT \(\mathcal {A}\), \({\mathsf {Adv}}^{\mathsf {PR}\text {-}\mathsf {A}\text {-}\mathsf {CPA}}_{\mathsf {ABKEM}}(\mathcal {A}):=|\Pr [\mathsf {PR}\text {-}\mathsf {A}\text {-}\mathsf {CPA}_{\mathsf {real}}^\mathcal {A}\Rightarrow 1]-\Pr [\mathsf {PR}\text {-}\mathsf {A}\text {-}\mathsf {CPA}_{\mathsf {rand}}^\mathcal {A}\Rightarrow 1]|\) is negligible.

In a usual notion of (ciphertext-policy) ABE, a key is associated with a set \(\mathbb {A}\) of attributes in the attribute universe \(\mathcal {U}\), while a ciphertext is associated with an access policy \(\mathbb {F}\) (or called access structure) over attributes. The decryption can be done if \(\mathbb {A}\) satisfies \(\mathbb {F}\). We can see that IBE is a special case of ABE where both \(\mathbb {A}\) and \(\mathbb {F}\) are singletons, that is, each is an identity in the universe \(\mathcal {U}\).

In this paper, we confine ABE in the two following aspects. First, we restrict the universe \(\mathcal {U}\) to be of polynomial size in the security parameter; this is often called small-universe ABE (as opposed to large-universe ABE, where \(\mathcal {U}\) can be of super-polynomial size). Second, we allow only DNF formulae for expressing policies (as opposed to arbitrary boolean formulae or, equivalently, arbitrary access structures).

Our idea for obtaining a (small-universe) ABE scheme for DNF formulae from any DIBE scheme is as follows. For simplicity and without loss of generality, we set the universe as \(\mathcal {U}=\{1,\ldots ,n\}\). We will use a DIBE with identity length n. For any set \(S \subseteq \mathcal {U}\), we define \(\mathsf {id}_S \in \{0,1\}^n\) where its i-th position is defined by

$$\begin{aligned} \mathsf {id}_S[i] := {\left\{ \begin{array}{ll} 1 &{} \text { if }i \in S \\ 0 &{} \text { if }i \not \in S \end{array}\right. }. \end{aligned}$$

To issue an ABE key for a set \(\mathbb {A} \subseteq \mathcal {U}\), we use a DIBE key for \(\mathsf {id}_\mathbb {A}\). To encrypt a message M in ABE under a DNF policy \(\mathbb {F}=\bigvee _{j=1}^k (\bigwedge _{a \in S_j} a)\), where each attribute a is in \(\mathcal {U}\), we encrypt the same message M in DIBE under \(\mathsf {id}_{S_j}\) for every \(j\in [1,k]\); this yields k ciphertexts of the DIBE scheme. Note that k is the number of disjuncts (conjunctive clauses joined by OR) in the DNF formula.

Decryption proceeds as follows. Suppose \(\mathbb {A}\) satisfies \(\mathbb {F}\). Then there exists some \(S_j\) (a clause of the formula \(\mathbb {F}\)) such that \(S_j \subseteq \mathbb {A}\). We derive a DIBE key for \(\mathsf {id}_{S_j}\) from our ABE key for \(\mathbb {A}\) (which is a DIBE key for \(\mathsf {id}_\mathbb {A}\)); this is possible because \(S_j \subseteq \mathbb {A}\) implies that every position holding a 1 in \(\mathsf {id}_{S_j}\) also holds a 1 in \(\mathsf {id}_\mathbb {A}\), so the downgrade is allowed. We finally decrypt the ciphertext associated with \(\mathsf {id}_{S_j}\) to obtain the message M. We summarize this transformation in Fig. 6.

Fig. 6.
figure 6

\(\mathsf {ABE}\) from \(\mathsf {DIBE}\)
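The transformation of Fig. 6, run end to end as an added example (this is not the paper's code). The DIBKEM underneath is a toy, authority-keyed, symmetric stand-in for the interface (keygen, downgrade, encaps, decaps): it is not the MDDH scheme of Fig. 7 and is not secure, since encapsulation needs the authority's secrets. What it does model faithfully is the single property the transform relies on, namely that a key for \(\mathsf {id}\) can be downgraded to any \(\mathsf {id}'\) obtained by turning 1s into 0s and never the reverse. The names `ToyDIBKEM`, `DNFABE`, the SHAKE-based DEM and the sample policy and message are all constructed for the example.

```python
"""ABE for DNF policies from a downgradable IBKEM (Fig. 6), on a toy DIBKEM.

Added example, not the paper's code.  ToyDIBKEM is an insecure stand-in for
the DIBKEM interface; only its downgrade semantics (1 -> 0 allowed, 0 -> 1
impossible) matter for illustrating the transformation.
"""
import hashlib
import hmac
import secrets


def id_of_set(S, n):
    """id_S in {0,1}^n over U = {1..n}: position i is 1 iff attribute i in S."""
    return tuple(1 if i in S else 0 for i in range(1, n + 1))


def downgradable(id_from, id_to):
    """True iff id_to arises from id_from by turning 1s into 0s only, i.e.
    every 1 of id_to is a 1 of id_from (equivalently S_to is a subset of S_from)."""
    return len(id_from) == len(id_to) and all(a >= b for a, b in zip(id_from, id_to))


class ToyDIBKEM:
    """Toy downgradable IBKEM: NOT the paper's scheme and NOT secure.
    A user key is one secret per 1-position of the identity, so dropping
    positions (downgrade) is possible while adding positions is not."""

    def __init__(self, n):
        self.n = n
        self.msk = secrets.token_bytes(32)  # master secret, authority only

    def _pos_secret(self, i):
        return hmac.new(self.msk, b"pos:%d" % i, hashlib.sha256).digest()

    def keygen(self, ident):
        return {"id": ident,
                "sec": {i: self._pos_secret(i) for i, b in enumerate(ident) if b}}

    @staticmethod
    def downgrade(usk, ident_to):
        if not downgradable(usk["id"], ident_to):
            raise ValueError("cannot downgrade: target has a 1 the key lacks")
        return {"id": ident_to,
                "sec": {i: usk["sec"][i] for i, b in enumerate(ident_to) if b}}

    @staticmethod
    def _kdf(r, ident, secs):
        h = hashlib.sha256(r)
        for i, b in enumerate(ident):
            if b:
                h.update(secs[i])
        return h.digest()

    def encaps(self, ident):
        # Toy only: a real DIBKEM encapsulates from public parameters.
        r = secrets.token_bytes(16)
        secs = {i: self._pos_secret(i) for i, b in enumerate(ident) if b}
        return (ident, r), self._kdf(r, ident, secs)

    @staticmethod
    def decaps(usk, ct):
        ident, r = ct
        if usk["id"] != ident:
            raise ValueError("key identity does not match ciphertext identity")
        return ToyDIBKEM._kdf(r, ident, usk["sec"])


def _dem(key, data):
    """Toy DEM: XOR with a SHAKE-256 keystream (illustration only)."""
    stream = hashlib.shake_256(key).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))


class DNFABE:
    """Small-universe CP-ABE for DNF policies from a DIBKEM.  A policy is a
    list of clauses S_1..S_k (each a set of attributes, read as an AND); the
    list itself is the OR, so k = len(policy) is the number of disjuncts."""

    def __init__(self, n):
        self.n = n
        self.dibe = ToyDIBKEM(n)

    def keygen(self, A):
        return self.dibe.keygen(id_of_set(A, self.n))  # ABE key = DIBE key for id_A

    def encrypt(self, policy, M):
        cts = []
        for S_j in policy:  # same M under id_{S_j} for every clause: k ciphertexts
            kem_ct, K = self.dibe.encaps(id_of_set(S_j, self.n))
            cts.append((frozenset(S_j), kem_ct, _dem(K, M)))
        return cts

    def decrypt(self, usk, cts):
        for S_j, kem_ct, c in cts:
            id_Sj = id_of_set(S_j, self.n)
            if downgradable(usk["id"], id_Sj):  # S_j subset of A
                K = ToyDIBKEM.decaps(ToyDIBKEM.downgrade(usk, id_Sj), kem_ct)
                return _dem(K, c)
        raise ValueError("attribute set satisfies no clause of the policy")


def demo():
    """Constructed scenario: policy (1 AND 2) OR (3 AND 4 AND 5) over U={1..5}."""
    abe = DNFABE(n=5)
    policy = [{1, 2}, {3, 4, 5}]
    M = b"constructed sample message"
    cts = abe.encrypt(policy, M)
    alice = abe.keygen({1, 2, 4})    # satisfies the first clause
    mallory = abe.keygen({1, 3, 4})  # satisfies neither clause
    ok = abe.decrypt(alice, cts) == M
    try:
        abe.decrypt(mallory, cts)
        rejected = False
    except ValueError:
        rejected = True
    return len(cts), ok, rejected   # (2, True, True)


if __name__ == "__main__":
    print(demo())
```

The subset test in `decrypt` is exactly the bitwise dominance test that the DIBE downgrade performs; a key whose identity lacks a 1 required by some \(\mathsf {id}_{S_j}\) can neither be downgraded to it nor decapsulate that clause's ciphertext, which is what the hybrid argument of Theorem 10 relies on.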

We have the following security theorem for the above ABE scheme. The proof is simple and proceeds by a straightforward hybrid argument over the k DIBE ciphertexts. The advantage definition for ABE is analogous to those of the other primitives and is given in the full version.

Theorem 10

The above \(\mathsf {ABE}\) from \(\mathsf {DIBE}\) is \(\mathsf {pr}\text {-}\mathsf {a}\text {-}\mathsf {cpa}\) secure under the \(\mathsf {pr}\text {-}\mathsf {id}\text {-}\mathsf {cpa}\) security of the \(\mathsf {DIBE}\) scheme used. In particular, for all adversaries \(\mathcal {A}\) we have \({\mathsf {Adv}}^{\mathsf {PR}\text {-}\mathsf {A}\text {-}\mathsf {CPA}}_{\mathsf {ABE}}(\mathcal {A}) \le k \cdot {\mathsf {Adv}}^{\mathsf {pr}\text {-}\mathsf {id}\text {-}\mathsf {cpa}}_{\mathsf {DIBE}}(\mathcal {A})\), where k is the number of disjuncts (clauses joined by OR) in the DNF formula associated with the challenge ciphertext.

Proof

We prove the transformation via a sequence of games, beginning with the real game for the \(\mathsf {pr}\text {-}\mathsf {a}\text {-}\mathsf {cpa}\) security of the ABE and ending with a game in which the ABE challenge ciphertext is uniformly random, i.e., a game in which the adversary's advantage is 0.

Let \(\mathcal {A}\) be an adversary against the \(\mathsf {pr}\text {-}\mathsf {a}\text {-}\mathsf {cpa}\) security of our transformation, and let C be the simulator of the \(\mathsf {pr}\text {-}\mathsf {a}\text {-}\mathsf {cpa}\) experiment.

Game \(\mathsf {G}_0\): This is the real security game.

Game \(\mathsf {G}_{1.1}\): In this game the simulator generates every ciphertext correctly except the first one, which is replaced by a random element of the ciphertext space. \(\mathsf {G}_{1.1}\) is indistinguishable from \(\mathsf {G}_0\) if the \(\mathsf {pr}\text {-}\mathsf {id}\text {-}\mathsf {cpa}\) security of the \(\mathsf {DIBE}\) holds: the reduction embeds its \(\mathsf {DIBE}\) challenge under \(\mathsf {id}_{S_1}\), and every key query of \(\mathcal {A}\) is for a set \(\mathbb {A}'\) that does not satisfy \(\mathbb {F}\), so \(S_1 \not \subseteq \mathbb {A}'\) and the key for \(\mathsf {id}_{\mathbb {A}'}\) does not downgrade to \(\mathsf {id}_{S_1}\); the reduction can therefore answer it with its own \(\mathsf {DIBE}\) key oracle.

$$\begin{aligned} {\mathsf {Adv}}^{\mathsf {G}_0,\mathsf {G}_{1.1}}(\mathcal {A}) \le {\mathsf {Adv}}^{\mathsf {pr}\text {-}\mathsf {id}\text {-}\mathsf {cpa}}_{\mathsf {DIBE}}(\mathcal {A}) \end{aligned}$$

Game \(\mathsf {G}_{1.i}\): This game is the same as \(\mathsf {G}_{1.i-1}\), except that the i-th ciphertext is replaced by a random element of the ciphertext space. By the same reduction as above, now with the \(\mathsf {DIBE}\) challenge embedded under \(\mathsf {id}_{S_i}\), \(\mathsf {G}_{1.i}\) is indistinguishable from \(\mathsf {G}_{1.i-1}\) if the \(\mathsf {pr}\text {-}\mathsf {id}\text {-}\mathsf {cpa}\) security of the \(\mathsf {DIBE}\) holds.

$$\begin{aligned} {\mathsf {Adv}}^{\mathsf {G}_{1.i-1},\mathsf {G}_{1.i}}(\mathcal {A}) \le {\mathsf {Adv}}^{\mathsf {pr}\text {-}\mathsf {id}\text {-}\mathsf {cpa}}_{\mathsf {DIBE}}(\mathcal {A}) \end{aligned}$$

Game \(\mathsf {G}_{1.k}\): In this game all k ciphertexts are random elements. \(\mathsf {G}_{1.k}\) is indistinguishable from \(\mathsf {G}_{1.k-1}\) if the \(\mathsf {pr}\text {-}\mathsf {id}\text {-}\mathsf {cpa}\) security of the \(\mathsf {DIBE}\) holds.

$$\begin{aligned} {\mathsf {Adv}}^{\mathsf {G}_{1.k-1},\mathsf {G}_{1.k}}(\mathcal {A}) \le {\mathsf {Adv}}^{\mathsf {pr}\text {-}\mathsf {id}\text {-}\mathsf {cpa}}_{\mathsf {DIBE}}(\mathcal {A}) \end{aligned}$$

At this point the challenge ciphertext of \(\mathsf {G}_{1.k}\) consists only of random elements, so the adversary has no advantage in this game. Collecting the game hops, the advantage of \(\mathcal {A}\) in the original security game is bounded by:

$$\begin{aligned} {\mathsf {Adv}}^{\mathsf {PR}\text {-}\mathsf {A}\text {-}\mathsf {CPA}}_{\mathsf {ABE}}(\mathcal {A})&\le {\mathsf {Adv}}^{\mathsf {G}_{0},\mathsf {G}_{1.k}}(\mathcal {A})\\&\le \sum _{i=1}^k {\mathsf {Adv}}^{\mathsf {G}_{1.i-1},\mathsf {G}_{1.i}}(\mathcal {A})\\&\le k \times {\mathsf {Adv}}^{\mathsf {pr}\text {-}\mathsf {id}\text {-}\mathsf {cpa}}_{\mathsf {DIBE}}(\mathcal {A}) \end{aligned}$$

   \(\square \)

6 Instantiation

Theorem 11

Under the \(\mathcal {D}_k\)-\(\mathsf {MDDH} \) assumption, the scheme presented in Fig. 7 is \(\mathsf {PR}\text {-}\mathsf {ID}\text {-}\mathsf {CPA}\) secure. For every adversary \(\mathcal {A}\) there exists an adversary \(\mathcal {B}\) with \(\mathbf {T}(\mathcal {A}) \approx \mathbf {T}(\mathcal {B})\) and \(\mathbf {Adv}^{\mathsf {PR}\text {-}\mathsf {ID}\text {-}\mathsf {CPA}}_{\mathsf {DIBKEM},\mathcal {D}_k}(\mathcal {A}) \le \mathbf {Adv}_{\mathcal {D}_k,\mathsf {GGen}}(\mathcal {B})+ 2q_k\,(\mathbf {Adv}_{\mathcal {D}_k,\mathsf {GGen}}(\mathcal {B})+1/q)\).

Fig. 7.
figure 7

A downgradable IBE based on \(\mathsf {MDDH} \). For readability, the user secret key is split here between \(\mathsf {usk}\) for the decapsulation, and \(\textsf {udk}\) used for the downgrade operation.

The proof is detailed in the full version.

Remark 12

This instantiation respects the formal definition of \(\mathsf {DIBKEM}\) of Sect. 3. For efficiency, however, one can observe that when realizing WIBE or ABE the user's secret key does not need to be rerandomized during the delegation phase, since the derived key will not be handed to another user. This motivates the notion of a self-delegatable-only scheme, in which the heavy elements \(\varvec{T}, \varvec{S}, \varvec{E}\) of the user secret keys can be dropped; the self-delegatable-only scheme is the scheme of Fig. 7 with the gray parts removed. Omitting the rerandomization is only appropriate when derived keys never leave their holder: the HIBE transformation, where delegated keys are given to other users, still requires the full scheme.

7 Efficiency Comparison

In this section we compare the schemes obtained by combining our instantiation of DIBE (Sect. 6) with the transformations of Sect. 4. We obtain the most efficient WIBE and WKD-IBE schemes with full security in the standard model under classical assumptions, and an HIBE of efficiency similar to existing ones.

For the WIBE and WKD-IBE schemes in the comparison below, the security loss grows exponentially in the number of adversary queries, whereas ours grows only linearly. This matters in practice because the key sizes required for a given security level depend on this loss (Fig. 8).

To keep the comparison simple, we consider the case where the number of patterns is maximal, i.e., each pattern has size 1, so the number of patterns equals n, the length of the identity. The value \(q_k\) is the number of key-derivation oracle queries made by the adversary.

Fig. 8.
figure 8

Efficiency comparison between our transformations and previous schemes

Efficiency Comparison for HIBE. Fig. 9 compares the HIBE built from our DIBE with existing HIBE schemes. Our instantiation of DIBE inherits its efficiency from the HIBE of [BKP14], except that we need to artificially double the length of the identities. Here \(\ell \) is the number of free bits in an identity (the bits still available for delegation); for the root of the hierarchy, i.e., the user whose identity is the empty bit string, \(\ell =n\).

It should be noted that, while we rely on the same underlying principle, our security reduction does not need to handle the \(\bot \) symbol as in [BKP14], which avoids the delicate parts of their proof.

Fig. 9.
figure 9

Efficiency comparison between our transformations and HIBE schemes

Efficiency Comparison for ABE. Our instantiation leads to a very efficient ABE scheme, among the most practical ones. However, we only achieve ABE where the access structure is a boolean formula in DNF, which is less general than supporting arbitrary access structures (as the other practical schemes do); note also that rewriting an arbitrary formula in DNF can increase its size exponentially, and the ciphertext grows linearly with the number k of disjuncts.

Fig. 10.
figure 10

Efficiency comparison of practical CP-ABE schemes

Figure 10 presents a non-exhaustive comparison of our ABE scheme with efficient existing ones. All are fully secure under the classical \(\textsf {DLin} \) assumption. \(U\) is the size of the attribute universe. m is the number of attributes in a policy. t is the size of an attribute set, and T is the maximum value of t (if bounded). R is the maximum number of times an attribute may be reused within one policy (if bounded). \(q_k\) is again the number of key queries made by the adversary during the security game. For our scheme, k is the number of disjuncts (clauses joined by OR) in the associated DNF formula.