Identity-based encryption with equality test (IBEET) is a variant of identity-based encryption (IBE), in which any user with trapdoors can check whether two ciphertexts are encryption of the same plaintext. Although several lattice-based IBEET schemes have been proposed, they have drawbacks in either security or efficiency. Specifically, most IBEET schemes only satisfy selective security, while public keys of adaptively secure schemes in the standard model consist of matrices whose numbers are linear in the security parameter. In other words, known lattice-based IBEET schemes perform poorly compared to the state-of-the-art lattice-based IBE schemes (without equality test). In this paper, we propose a semi-generic construction of CCA-secure lattice-based IBEET from a certain class of lattice-based IBE schemes. As a result, we obtain the first lattice-based IBEET schemes with adaptive security and CCA security in the standard model without sacrificing efficiency. This is because, our semi-generic construction can use several state-of-the-art lattice-based IBE schemes as underlying schemes, e.g. Yamada's IBE scheme (CRYPTO'17).

Identity-based encryption with equality test (IBEET) is a generalization of the traditional identity-based encryption (IBE) and public key searchable encryption, where trapdoors enable users to check whether two ciphertexts of distinct identities are encryptions of the same plaintext. By definition, IBEET cannot achieve indistinguishability security against insiders, i.e., users who have trapdoors. To address this issue, IBEET against insider attacks (IBEETIA) was later introduced as a dual primitive. While all users of IBEETIA are able to check whether two ciphertexts are encryptions of the same plaintext, only users who have tokens are able to encrypt plaintexts. Hence, IBEETIA is able to achieve indistinguishability security. On the other hand, the definition of IBEETIA weakens the notion of IBE due to its encryption inability. Nevertheless, known schemes of IBEETIA made use of rich algebraic structures such as bilinear groups and lattices. In this paper, we propose a generic construction of IBEETIA without resorting to rich algebraic structures. In particular, the only building blocks of the proposed construction are symmetric key encryption and pseudo-random permutations in the standard model. If a symmetric key encryption scheme satisfies CCA security, our proposed IBEETIA scheme also satisfies CCA security.

In the situation where there are one sender and multiple receivers, a receiver selective opening (RSO) attack for an identity-based encryption (IBE) scheme considers adversaries that can corrupt some of the receivers and get their user secret keys and plaintexts. Security against RSO attacks for an IBE scheme ensures confidentiality of ciphertexts of uncorrupted receivers. In this paper, we formalize a definition of RSO security against chosen ciphertext attacks (RSO-CCA security) for IBE and propose the first RSO-CCA secure IBE schemes. More specifically, we construct an RSO-CCA secure IBE scheme based on an IND-ID-CPA secure IBE scheme and a non-interactive zero-knowledge proof system with unbounded simulation soundness and multi-theorem zero-knowledge. Through our generic construction, we obtain the first pairing-based and lattice-based RSO-CCA secure IBE schemes.

In this paper, we propose a new leakage-resilient identity-based encryption (IBE) scheme that is secure against chosen-ciphertext attacks (CCA) in the bounded memory leakage model. The security of our scheme is based on the external k-Linear assumption. It is the first CCA-secure leakage-resilient IBE scheme which does not depend on q-type assumptions. The leakage rate 1/10 is achieved under the XDLIN assumption (k=2).

Identity-based encryption (IBE) is an advanced form of public key encryption and one of the most important cryptographic primitives. Of the many constructions of IBE schemes, the one proposed by Boneh and Boyen (in Eurocrypt 2004) is quite important from both practical and theoretical points of view. The scheme was standardized as IEEE P1363.3 and is the basis for many subsequent constructions. In this paper, we investigate its multi-challenge security, which means that an adversary is allowed to query challenge ciphertexts multiple times rather than only once. Since single-challenge security implies multi-challenge security, and since Boneh and Boyen provided a security proof for the scheme in the single-challenge setting, the scheme is also secure in the multi-challenge setting. However, this reduction results in a large security loss. Instead, we give tight security reduction for the scheme in the multi-challenge setting. Our reduction is tight even if the number of challenge queries is not fixed in advance (that is, the queries are unbounded). Unfortunately, we are only able to prove the security in a selective setting and rely on a non-standard parameterized assumption. Nevertheless, we believe that our new security proof is of interest and provides new insight into the security of the Boneh-Boyen IBE scheme.

Designing secure revocable storage systems for a large number of users in a cloud-based environment is important. Cloud storage systems should allow its users to dynamically join and leave the storage service. Further, the rights of the users to access the data should be changed accordingly. Recently, Liang et al. proposed a cloud-based revocable identity-based proxy re-encryption (CR-IB-PRE) scheme that supports user revocation and delegation of decryption rights. Moreover, to reduce the size of the key update token, they employed a public key broadcast encryption system as a building block. In this paper, we show that the CR-IB-PRE scheme with the reduced key update token size is not secure against collusion attacks.

Recently, Park and Lee suggested a new framework for realizing Identity-Based Encryption (IBE) trapdoor called ‘two-equation-revocation’, and proposed a new IBE system that makes use of a Map-To-Point hash function. In this paper, we present a variant of the PL system by giving a simple way to remove the Map-To-Point hash function from the PL system. Our variant is proven to be secure under non-standard security assumptions, which results in the degradation of security. Instead, our variant can have several efficiency advantages over the PL system: (1) it provides receiver's anonymity, (2) it has no correctness error, (3) it has shorter ciphertext, and (4) it has faster encryption. As a result, (when not considering security assumptions and security losses) our variant is as efficient as the Boneh-Boyen and Sakai-Kasahara IBE systems that are considered as being the most practical ones.

Boneh and Franklin considered to add the revocation functionality to identity-based encryption (IBE). Though this methodology is applicable to any IBE and hierarchical IBE (HIBE), the resulting scheme is non-scalable. Therefore, a generic transformation of scalable revocable (H)IBE (R(H)IBE) from non-scalable R(H)IBE is really desirable. Towards this final goal, in this paper we introduce prototype RHIBE which does not require to be scalable (but requires some conditions), and propose a generic transformation of scalable RHIBE from prototype RHIBE. Moreover, we construct a prototype RHIBE scheme based on the decisional bilinear Diffie-Hellman (DBDH) assumption. Since our prototype RHIBE provides history-free update, insider security, and decryption key exposure resistance, our construction yields the first RHIBE scheme based on the static assumption with these desirable properties.

In the Identity-Based Encryption (IBE) setting, the rejoin functionality seems to be impossible since each user has the unique identity as its public key. Moreover, sometimes these identities are unchangeable, e.g., biological information (finger print iris, and so on) is regarded as the identity. Even if changeable value is indicated as an identity, e.g., e-mail address, it is preferable that the same identity can be used after a secret key is leaked. In this paper, we give a formal security definition of RIBE with the rejoin functionality, and also show that the Seo-Emura RIBE scheme [PKC 2013] (with a slight modification) has the rejoin functionality.

In 2001, Boneh and Franklin realized the first Identity-Based Encryption (IBE), and at the same time they proposed a simple way to revoke users from the system. Later, Boldyreva et al. pointed out that Boneh-Franklin's revocation method is not scalable well and they proposed the first IBE scheme with efficient revocation. Recently, Tseng and Tsai [Computer Journal, Vol.55 No.4, page 475-486, 2012] claimed that Boldyreva et al.'s scheme requires a secure channel between each user and the key generation center in the key update phase, and proposed a new revocable IBE (RIBE) with a public channel by extending the Boneh-Franklin scheme. In this paper, we revisit Tseng and Tsai's result; we first point out that secure channels (except for the initial key setup) are not mandatory in the definition of RIBE scheme formalized by Boldyreva et al. Next, we show that Boldyreva et al.'s scheme does not require any secure channels (except for the initial key setup), which is different from what Tseng and Tsai claimed and so invalidates their contribution of the first RIBE with a public channel. Moreover, we point out that there are simple techniques to remove secure channels from the Boneh-Franklin RIBE. Interestingly, we show that the secure-channel-free Boneh-Franklin RIBE scheme is secure against decryption key exposure, whereas the Tseng-Tsai RIBE scheme is vulnerable to this attack.

Many broadcast encryption schemes have been proposed for conventional networks. However, those schemes are not suitable for wireless sensor networks, which have very limited resources such as communication, computation, and storage. In this paper, we propose an efficient and practical identity-based broadcast encryption scheme for sensor networks by exploiting the characteristics of sensor networks: in the deployment stage, the set of neighboring sensor nodes are determined and most communications are conducted among the neighbors due to radio power limitations of the nodes. The proposed scheme features the following achievements: (1) all of the public keys and private keys are of constant size; (2) it satisfies all the security requirements for sensor networks. The proposed scheme is optimal in the sense that it requires no pairing operation when adopting pre-computation.

This paper provides a sufficient condition to construct timed-release public-key encryption (TRPKE), where the constructed TRPKE scheme guarantees strong security against malicious time servers, proposed by Chow et al., and strong security against malicious receivers, defined by Cathalo et al., in the random oracle model if the component IBE scheme is IND-ID-CPA secure, the component PKE scheme is IND-ID-CPA secure, and the PKE scheme satisfies negligible γ-uniformity for every public key. Although Chow et al. proposed a strongly secure TRPKE scheme, which is concrete in the standard model, to the best of our knowledge, the proposed construction is the first generic one for TRPKE that guarantees strong security even in the random oracle model.

In proxy re-encryption schemes, a semi-trusted entity called a proxy can convert a ciphertext encrypted for Alice into a new ciphertext for Bob without seeing the underlying plaintext. Several proxy re-encryption schemes have been proposed, however, only two schemes which enables the conversion of IBE ciphertexts to PKE ciphertexts has been proposed. One of schemes has some drawbacks such that the size of the re-encrypted ciphertext increases and Bob must be aware of existence of the proxy, which means Bob cannot decrypt a re-encrypted ciphertext with same PKE decryption algorithm. The other one achieves security under Selective-ID model. We propose a new, efficient scheme that enables the conversion of IBE ciphertexts to PKE ciphertexts, and prove full-ID CPA security in the standard model. In our scheme, the size of the re-encrypted ciphertext is optimal and Bob should not aware of existence of the proxy. As far as we know, this is the first IBE-PKE type scheme that holds the above properties.

We propose an anonymous Hierarchical Identity-Based Encryption (anonymous HIBE) scheme with short ciphertexts. Prior to our work, most anonymous HIBE schemes have long ciphertexts increased according to the hierarchical depth of recipient. The size of the ciphertext in our scheme does not depend on the depth of the hierarchy. Moreover, our scheme achieves the lowest computational cost because during the decryption phase the computational cost of decryption is constant. The security can be proven under reasonable assumptions without using random oracles. Our scheme achieves selective-ID security notion.

Recently, Hu et al. have suggested a fully secure hierarchical identity-based encryption (HIBE) scheme that achieves constant size ciphertext and tight security reduction. Their construction was based on Gentry's IBE scheme that supports their security proof. In this paper, we show that their security proof is incorrect. We point out the difference between Gentry's proof and that of Hu et al., and we show that the security of Hu et al.'s HIBE scheme cannot be reduced to their claimed complexity assumption.

Hierarchical Identity-Based Encryption (HIBE) is a generalization of identity-based encryption that mirrors an organizational hierarchy, and allows the root Private Key Generator (PKG) to distribute the workload of key generations to lower-level PKGs. In Indocrypt'08, Ren and Gu proposed a new HIBE scheme, and claimed that their scheme is fully chosen-ciphertext secure in the standard model. However, by giving a concrete attack, we show that Ren-Gu's HIBE is even not chosen-plaintext secure.

In 2006, Chatterjee and Sarkar proposed a hierarchical identity-based encryption (HIBE) scheme which can support an unbounded number of identity levels. This property is particularly useful in providing forward secrecy by embedding time components within hierarchical identities. In this paper we show that their scheme does not provide the claimed property. Our analysis shows that if the number of identity levels becomes larger than the value of a fixed public parameter, an unintended receiver can reconstruct a new valid ciphertext and decrypt the ciphertext using his or her own private key. The analysis is similarly applied to a multi-receiver identity-based encryption scheme presented as an application of Chatterjee and Sarkar's HIBE scheme.

Recently, Au et al. proposed a practical hierarchical identity-based encryption (HIBE) scheme and a hierarchical identity-based signature (HIBS) scheme. In this paper, we point out that there exists security weakness both for their HIBE and HIBS scheme. Furthermore, based on q-ABDHE, we present a new HIBE scheme which is proved secure in the standard model and it is also efficient. Compared with all previous HIBE schemes, ciphertext size as well as decryption cost are independent of the hierarchy depth. Ciphertexts in our HIBE scheme are always just four group elements and decryption requires only two bilinear map computations.

Scalability is one of the most important requirements for secure multicast in a multi-group environment. In this study, we propose a decentralized multi-group key management scheme that allows each multicast group sender to control the access to its group communication independently. Scalability is enhanced by local rekeying and inter-working among different subgroups. The group key secrecy and backward/forward secrecy are also guaranteed.

We present IND-ID-CPA secure identity-based encryption (IBE) schemes with tight reductions to the bilinear Diffie-Hellman (BDH) problem. Since the methods for obtaining IND-ID-CCA secure schemes from IND-ID-CPA secure schemes with tight reductions are already known, we can consequently obtain IND-ID-CCA secure schemes with tight reductions to the BDH problem. Our constructions are based on IBE schemes with tight reductions to the list bilinear Diffie-Hellman (LBDH) problem, and the schemes are converted to those with tight reductions to the BDH problem. Interestingly, it can be shown that there exists a black box construction, in which the former IBE schemes are given as black boxes. Our constructions are very simple and reasonably efficient.