# «Abstract. In this paper, we examine issues related to the construction of identity-based threshold decryption schemes and argue that it is important ...»

Identity-Based Threshold Decryption

Joonsang Baek1 and Yuliang Zheng2

School of Network Computing, Monash University,

McMahons Road, Frankston, VIC 3199, Australia

joonsang.baek@infotech.monash.edu.au

Dept. Software and Info. Systems, UNC Charlotte, NC 28223, USA

yzheng@uncc.edu

Abstract. In this paper, we examine issues related to the construction of identity-based threshold decryption schemes and argue that it is

important in practice to design an identity-based threshold decryption scheme in which a private key associated with an identity is shared. A major contribution of this paper is to construct the ﬁrst identity-based threshold decryption scheme secure against chosen-ciphertext attack. A formal proof of security of the scheme is provided in the random oracle model, assuming the Bilinear Diﬃe-Hellman problem is computationally hard. Another contribution of this paper is, by extending the proposed identity-based threshold decryption scheme, to construct a mediated identity-based encryption scheme secure against more powerful attacks than those considered previously.

1 Introduction Threshold decryption is particularly useful where the centralization of the power to decrypt is a concern. And the motivation of identity (ID)-based encryption originally proposed by Shamir [17] is to provide conﬁdentiality without the need of exchanging public keys or keeping public key directories. A major advantage of ID-based encryption is that it allows one to encrypt a message by using a recipient’s identiﬁers such as an email address.

A combination of these two concepts will allow one to build an “ID-based threshold decryption” scheme. One possible application of such a scheme can be considered in a situation where an identity denotes the name of the group sharing a decryption key. As an example, suppose that Alice wishes to send a conﬁdential message to a committee in an organization. Alice can ﬁrst encrypt the message using the identity (name) of the committee and then send over the ciphertext. Let us assume that Bob who is the committee’s president has created the identity and hence has obtained a matching private decryption key from the Private Key Generator (PKG). Preparing for the time when Bob is away, he can share his private key out among a number of decryption servers in such a way that any committee member can successfully decrypt the ciphertext if, and only if, the committee member obtains a certain number of decryption shares from the decryption servers.

F. Bao et al. (Eds.): PKC 2004, LNCS 2947, pp. 262–276, 2004.

c International Association for Cryptologic Research 2004 Identity-BasedThreshold Decryption 263 Another application of the ID-based threshold decryption scheme is to use it as a building block to construct a mediated ID-based encryption scheme [7].

The idea is to split a private key associated with the receiver Bob’s ID into two parts, and give one share to Bob and the other to the Security Mediator (SEM).

Accordingly, Bob can decrypt a ciphertext only with the help of the SEM. As a result, instantaneous revocation of Bob’s privilege to perform decryption is possible by instructing the SEM not to help him any more.

In this paper, we deal with the problem of constructing an ID-based threshold decryption scheme which is eﬃcient and practical while meets a strong security requirement. We also treat the problem of applying the ID-based threshold decryption scheme to design a mediated ID-based encryption scheme secure against more powerful attacks than those considered previously in the literature.

Throughout this paper, we will simply use the term “Bilinear map” to refer to the admissible bilinear map deﬁned above.

The “BasicIdent” Scheme. We now describe Boneh and Franklin’s basic version of ID-based encryption scheme called “BasicIdent” which only gives semantic security (that is, indistinguishability under chosen plaintext attack).

In the setup stage, the PKG speciﬁes a group G generated by P ∈ G ∗ and the Bilinear map e : G ×G → F. It also speciﬁes two hash functions H1 : {0, 1}∗ → G ∗ ˆ and H2 : F → {0, 1}l, where l denotes the length of a plaintext.The PKG then picks a master key x uniformly at random from Z ∗ and computes a public Zq key YPKG = xP. The PKG publishes descriptions of the group G and F and the hash functions H1 and H2. Bob, the receiver, then contacts the PKG to get his private key DID = xQID where QID = H1 (ID). Alice, the sender, can now 264 Joonsang Baek and Yuliang Zheng

3 Related Work and Discussion Boneh and Franklin’s “Distributed PKG”. In order to prevent a single PKG from full possession of the master key in ID-based encryption, Boneh and Franklin [5] suggested that the PKG’s master key should be shared among a number of PKGs using the techniques of threshold cryptography, which they call “Distributed PKG”. More precisely, the PKG’s master key x is distributed into a number of PKGs in such a way that each of the PKG holds a share xi ∈ Z ∗ of a Zq Shamir’s (t, n)-secret-sharing [16] of x ∈ Z ∗ and responds to a user’s private Zq i key extraction request with DID = xi QID, where QID = H1 (ID). If the technique of [11] is used, one can ensure that the master key is jointly generated by PKGs so that the master key is not stored or computed in any single location.

As an extension of the above technique, Boneh and Franklin suggested that the distributed PKGs should function as decryption servers for threshold decryption. That is, each PKG responds to a decryption query C = (U, V ) in BasicIdent with e(xi QID, U ). However, we argue that this method is not quite ˆ practical in practice since it requires each PKG to be involved at all times (that is, on-line) in the generation of decryption shares because the value “U ” changes whenever a new ciphertext is created. Obviously, this creates a bottleneck on the PKGs and also violates one of the basic requirements of an ID-based encryption scheme, “the PKG can be closed after key generation”, which was envisioned by Shamir in his original proposal of ID-based cryptography [17]. Moreover, there is a scalability problem when the number of available distributed PKGs is not matched against the number of decryption servers required, say, there are only 3 available PKGs while a certain application requires 5 decryption servers.

Therefore, a better approach would be sharing a private key associated with an identity rather than sharing a master key of the PKG. In addition to its easy adaptability to the situation where an identity denotes a group sharing a decryption key as described in Section 1, an advantage of this approach is that one can fully utilize Boneh and Franklin’s Distributed PKG method without the above-mentioned scalability problem, dividing the role of “distributed PKGs” from that of “decryption servers”. That is, an authorized dealer (a representative of group, such as “Bob” described in Section 1, or a single PKG) may ask an identity to each of the “distributed PKGs” for a partial private key associated the identity. Having obtained enough partial private keys, the dealer can construct the whole private key and distribute it into the “decryption servers” in his domain at will while the master key remains secret from any parties.

Other Related Work on ID-Based Threshold Decryption. To our knowledge, other papers that have treated “threshold decryption” in the context of ID-based cryptography are [8] and [13]. Dodis and Yung [8] observed how threshold deIdentity-Based Threshold Decryption 265 cryption can be realized in Gentry and Silverberg [12]’s “hierarchical ID-based encryption” setting. Interestingly, their approach is to share a private key (not the master key of the PKG) obtained from a user at a higher level. Although this was inevitable in the hierarchical ID-based encryption setting and its advantage in general ID-based cryptography was not mentioned in [8], it is more sound approach than sharing the master key of the PKG as we discussed above. However, their threshold decryption scheme is very-sketched and chosen-ciphertext security for the scheme was not considered in [8]. More recently, Libert and Quisquater [13] also constructed an ID-based threshold decryption scheme. However, their approach was to share a master key of the PKG, which is diﬀerent from ours. Moreover, our scheme gives chosen ciphertext security while Libert and Quisquater’s scheme does not.

4 Security Notion for ID-based Threshold Decryption

4.1 Description of Generic ID-based Threshold Decryption A generic ID-based threshold decryption scheme, which we denote by “IDT HD”, consists of algorithms GK, EX, DK, E, D, SV, and SC. Below, we describe each of the algorithms.

Like other ID-based cryptographic schemes, we assume the existence of a trusted PKG. The PKG runs the key/common parameter generation algorithm GK to generate its master/public key pair and all the necessary common parameters. The PKG’s public key and the common parameters are given to every interested party.

On receiving a user’s private key extraction request which consists of an identity, the PKG then runs the private key extraction algorithm EX to generate the private key associated with the requested identity.

An authorized dealer who possesses the private key associated with an identity can run the private key distribution algorithm DK to distribute the private key into n decryption servers. DK makes use of an appropriate secret-sharing technique to generate shares of the private key as well as veriﬁcation keys that will be used for checking the validity of decryption shares. Each share of the private key and its corresponding veriﬁcation key are sent to an appropriate decryption server. The decryption servers then keep their private key shares secret but publish the veriﬁcation keys. It is important to note here that the entity that runs DK can vary ﬂexibly depending on the cryptographic services that the PKG can oﬀer. For example, if the PKG has an only functionality of issuing private keys, the authorized dealer that runs DK would be a normal user (such as Bob in the example given in Section 1) other than the PKG. However, if the PKG has other functionalities, for example, organizing threshold decryption, the PKG can run DK.

Given a user’s identity, any user that wants to encrypt a plaintext can run the encryption algorithm E to obtain a ciphertext. A legitimate user that wants to decrypt a ciphertext gives it to the decryption servers requesting decryption 266 Joonsang Baek and Yuliang Zheng shares. The decryption servers then run the decryption share generation algorithm D taking the ciphertext as input and send the resulting decryption shares to the user. Note that the validity of the shares can be checked by running the decryption share veriﬁcation algorithm SV. When the user collects valid decryption shares from at least t servers, the plaintext can be reconstructed by running the share combining algorithm SC.

4.2 Chosen Ciphertext Security for ID-based Threshold Decryption We now deﬁne a security notion for the IDT HD scheme against chosen-ciphertext attack, which we call “IND-IDTHD-CCA”.

Deﬁnition 1 (IND-IDTHD-CCA). Let ACCA be an attacker assumed to be a probabilistic Turing machine. Suppose that a security parameter k is given to ACCA as input. Now, consider the following game in which the attacker ACCA interacts with the “Challenger”.

Phase 1: The Challenger runs the PKG’s key/common parameter generation algorithm taking a security parameter k as input. The Challenger gives ACCA the resulting common parameter cp which includes the PKG’s public key pkPKG. However, the Challenger keeps the master key skPKG secret from ACCA.

Phase 2: ACCA issues a number of private key extraction queries. We denote each of these queries by ID. On receiving the identity query ID, the Challenger runs the private key extraction algorithm on input ID and obtains a corresponding private key skID. Then, the Challenger returns skID to ACCA.

Phase 3: ACCA corrupts t − 1 out of n decryption servers.

Phase 4: ACCA issues a target identity query ID∗. On receiving ID∗, the Challenger runs the private key extraction algorithm to obtain a private key skID∗ associated with the target identity. The Challenger then runs the private key distribution algorithm on input skID∗ with parameter (t, n) and obtains a set of private/veriﬁcation key pairs {(skID∗ i, vkID∗ i )}, where 1 ≤ i ≤ n. Next, the Challenger gives ACCA the private keys of corrupted decryption servers and the veriﬁcations keys of all the decryption servers. However, the private keys of uncorrupted servers are kept secret from ACCA.

Phase 5: ACCA issues arbitrary private key extraction queries and arbitrary decryption share generation queries to the uncorrupted decryption servers. We denote each of these queries by ID and C respectively. On receiving ID, the Challenger runs the private key extraction algorithm to obtain a private key associated with ID and returns it to ACCA. The only restriction here is that ACCA is not allowed to query the target identity ID∗ to the private key extraction algorithm. On receiving C, the Challenger runs the decryption share generation algorithm taking C and the target identity ID∗ as input to obtain a corresponding decryption share and returns it to ACCA.

Phase 6: ACCA outputs two equal-length plaintexts (M0, M1 ). Then the Challenger chooses a bit β uniformly at random and runs the encryption algorithm on input cp, Mβ and ID∗ to obtain a target ciphertext C ∗ = E(cp, ID∗, Mβ ). Finally, the Challenger gives (C ∗, ID∗ ) to ACCA.

Phase 7: ACCA issues arbitrary private key extraction queries and arbitrary decryption share generation queries. We denote each of these queries by ID and C Identity-Based Threshold Decryption 267 respectively. On receiving ID, the Challenger runs the private key extraction algorithm to obtain a private key associated with ID and returns it to ACCA. As Phase 5, the only restriction here is that ACCA is not allowed to query the target identity ID∗ to the private key extraction algorithm. On receiving C, the Challenger runs the decryption share generation algorithm on input C to obtain a corresponding decryption share and returns it to ACCA. Diﬀerently from Phase 5, the target ciphertext C ∗ is not allowed to query in this phase.

Phase 8: ACCA outputs a guess β ∈ {0, 1}.