Exposure-resilience for free: the hierarchical ID-based encryption case

In the problem of gradual key exposure, the secret key is assumed to be slowly compromised over time, so that more and more information about the secret key is eventually leaked. This models the general situation in the real world where memory, storage systems and devices cannot perfectly hide all information for a long time. In this setting, in order to protect against exposure threats, the secret key is represented in an "exposure-resilient" form, which is periodically refreshed with the following guarantee: as long as the adversary does not learn "too much" information about the current representation of the secret between successive refreshes, the system should remain secure. To measure the efficiency of a given solution, one considers the "natural" secret key representation A, the "exposure-resilient" representation B, and examines the following three measures: (1) space loss, which is the extra space required by B over A; (2) time loss, which is the operation slowdown when B is used in place of A; and (3) exposure-resilience, which is the fraction of B which can be "safely leaked". All the current solutions to the problem - including proactive secret sharing, all-or-nothing transforms and exposure-resilient functions - always suffered from non-trivial losses in both space and time in order to achieve varying levels of exposure-resilience. It was, therefore, informally believed that these losses are inevitable in every reasonable application, since a "natural" representation A is unlikely to offer any exposure-resilience. We show this belief is false for the elegant "hierarchical identity-based encryption" (HIBE) of Gentry and Silverberg (2002), which is the only known fully functional HIBE to date. Specifically, we show that the natural secret key representation for the HIBE admits a simple and efficient refresh operation, which offers a very high level of exposure-resilience, while incurring absolutely no space or time losses for decryption.
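To make the three measures concrete, the following added example (not code from the paper, which gives no code for the HIBE refresh) simulates the generic "proactive secret sharing" approach the abstract lists among prior solutions: a key is stored as n additive shares, refreshed between epochs by a random zero-sum vector, and an adversary learns some share positions in each epoch. The 256-bit key size, the additive sharing and the epoch/leak model are assumptions chosen for illustration; the point shown is that this generic representation B buys its exposure-resilience with an n-fold space loss and a reconstruction cost on every key use, which is exactly the trade-off the paper shows the HIBE representation avoids.

```python
from __future__ import annotations
import secrets

# Constructed parameters: the "natural" representation A is a single 256-bit
# integer key; the exposure-resilient representation B is n additive shares.
KEY_BITS = 256
MOD = 1 << KEY_BITS


def split(key: int, n: int) -> list[int]:
    """Representation B: n shares that sum to the key modulo MOD."""
    shares = [secrets.randbelow(MOD) for _ in range(n - 1)]
    shares.append((key - sum(shares)) % MOD)
    return shares


def reconstruct(shares: list[int]) -> int:
    """Recover representation A. Every key use pays this: the time loss."""
    return sum(shares) % MOD


def refresh(shares: list[int]) -> list[int]:
    """Proactive refresh: add a uniformly random zero-sum vector.

    The shared key is unchanged, but shares leaked before the refresh are
    statistically independent of the shares held afterwards.
    """
    delta = [secrets.randbelow(MOD) for _ in range(len(shares) - 1)]
    delta.append((-sum(delta)) % MOD)
    return [(s + d) % MOD for s, d in zip(shares, delta)]


def measures(n: int) -> dict:
    """The abstract's three measures for additive sharing of a KEY_BITS-bit key."""
    return {
        "space_loss_bits": (n - 1) * KEY_BITS,   # extra bits stored by B over A
        "time_loss_ops": n - 1,                   # extra modular additions per key use
        "exposure_resilience": (n - 1) / n,       # fraction of B leakable per epoch
    }


def run_gradual_exposure(key: int, n: int, leaked_per_epoch: list[set[int]]) -> dict:
    """Simulate gradual exposure: in each epoch the adversary learns the shares at
    the given positions, then the holder refreshes before the next epoch."""
    shares = split(key, n)
    leaked_epochs: list[dict[int, int]] = []
    for positions in leaked_per_epoch:
        leaked_epochs.append({i: shares[i] for i in positions})
        shares = refresh(shares)

    # Within a single epoch the key is recovered iff all n shares of that epoch leaked.
    recovered_in_epoch = any(len(leak) == n for leak in leaked_epochs)

    # Combining shares across refreshes: keep the latest leaked value per position and
    # add them up. If this covers all n positions it yields a guess that, except with
    # probability 2^-KEY_BITS, is unrelated to the key.
    latest: dict[int, int] = {}
    for leak in leaked_epochs:
        latest.update(leak)
    cross_epoch_guess = reconstruct(list(latest.values())) if len(latest) == n else None

    return {
        "recovered_in_epoch": recovered_in_epoch,
        "cross_epoch_guess": cross_epoch_guess,
        "holder_still_correct": reconstruct(shares) == key,
    }


if __name__ == "__main__":
    demo_key = secrets.randbelow(MOD)
    # Adversary sees 2 of 3 shares, the holder refreshes, then the adversary sees the third.
    print(run_gradual_exposure(demo_key, 3, [{0, 1}, {2}]))
    print(measures(3))
```

Running the demo shows the holder still decrypting correctly after each refresh, the adversary's cross-epoch sum being a useless value, and `measures(3)` reporting 512 extra bits of storage and two extra additions per use for an exposure-resilience of 2/3; the paper's contribution is a representation where the first two numbers are zero.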
We argue that this simple fact is quite powerful from a key storage security perspective, is highly applicable for such tasks as threshold decryption, and that it further makes HIBE a much more attractive alternative in various real-life scenarios. On a philosophical level, while previous techniques protected against gradual key exposure in a generic way, oblivious to the application, we show that in certain situations one might achieve much better parameters by concentrating on the application at hand.

[1] Rafail Ostrovsky et al. How to withstand mobile virus attacks (extended abstract), 1991, PODC '91.

[2] Yvo Desmedt et al. Threshold Cryptosystems, 1989, CRYPTO.

[3] Ben Lynn et al. Toward Hierarchical Identity-Based Encryption, 2002, EUROCRYPT.

[4] Gene Itkis et al. Forward-Secure Signatures with Optimal Signing and Verifying, 2001, CRYPTO.

[5] Mihir Bellare et al. A Forward-Secure Digital Signature Scheme, 1999, CRYPTO.

[6] Jonathan Katz et al. A Forward-Secure Public-Key Encryption Scheme, 2003, Journal of Cryptology.

[7] Amit Sahai et al. On Perfect and Adaptive Security in Exposure-Resilient Cryptography, 2001, EUROCRYPT.

[8] Adi Shamir et al. Identity-Based Cryptosystems and Signature Schemes, 1984, CRYPTO.

[9] Shouhuai Xu et al. Key-Insulated Public Key Cryptosystems, 2002, EUROCRYPT.

[10] Shouhuai Xu et al. Strong Key-Insulated Signature Schemes, 2003, Public Key Cryptography.

[11] Gene Itkis et al. Intrusion-Resilient Signatures: Generic Constructions, or Defeating Strong Adversary with Minimal Assumptions, 2002, SCN.

[12] Antoine Joux et al. The Weil and Tate Pairings as Building Blocks for Public Key Cryptosystems, 2002, ANTS.

[13] Antoine Joux et al. Separating Decision Diffie-Hellman from Diffie-Hellman in cryptographic groups, 2001, IACR Cryptology ePrint Archive.

[14] Matthew K. Franklin et al. Identity-Based Encryption from the Weil Pairing, 2001, CRYPTO.

[15] Hugo Krawczyk et al. Secret Sharing Made Short, 1994, CRYPTO.

[16] Leonid Reyzin et al. A New Forward-Secure Digital Signature Scheme, 2000, ASIACRYPT.

[17] Eyal Kushilevitz et al. Exposure-Resilient Functions and All-or-Nothing Transforms, 2000, EUROCRYPT.

[18] Ross J. Anderson et al. Two remarks on public key cryptology, 2002.

[19] Hugo Krawczyk et al. Simple forward-secure signatures from any signature scheme, 2000, IACR Cryptology ePrint Archive.

[20] Markus Jakobsson et al. Proactive public key and signature systems, 1997, CCS '97.

[21] Gene Itkis et al. SiBIR: Signer-Base Intrusion-Resilient Signatures, 2002, CRYPTO.

[22] Moti Yung et al. How to share a function securely, 1994, STOC '94.

[23] Rafail Ostrovsky et al. How To Withstand Mobile Virus Attacks, 1991, PODC 1991.

[24] Tal Malkin et al. Efficient Generic Forward-Secure Signatures with an Unbounded Number Of Time Periods, 2002, EUROCRYPT.

[25] Craig Gentry et al. Hierarchical ID-Based Cryptography, 2002, ASIACRYPT.

[26] G. R. Blakley. Safeguarding cryptographic keys, 1979, 1979 International Workshop on Managing Requirements Knowledge (MARK).

[27] Matthew K. Franklin et al. Intrusion-Resilient Public-Key Encryption, 2003, CT-RSA.

[28] Adi Shamir et al. How to share a secret, 1979, CACM.