The present invention relates generally to cryptography, and in particular to group encryption.
This section is intended to introduce the reader to various aspects of art, which may be related to various aspects of the present invention that are described and/or claimed below. This discussion is believed to be helpful in providing the reader with background information to facilitate a better understanding of the various aspects of the present invention. Accordingly, it should be understood that these statements are to be read in this light, and not as admissions of prior art.
In this section, the group encryption primitive is defined, the necessary building blocks public key encryption, tag-based encryption, and one-time signatures are presented, and the state-of-the-art in group encryption is described.
Group encryption was introduced by Kiayias-Tsiounis-Yung as an encryption analogue of group signature; see Aggelos Kiayias, Yiannis Tsiounis, and Moti Yung: “Group Encryption”, ASIACRYPT 2007: pp. 181-199. Group encryption is useful in situations where it is desired to conceal a recipient (decryptor) within a group of legitimate users.
An illustrative example is a network service provider (NSP) that wants to send certain ads to a subscribed customer whose profile matches the ads to be sent. At the same time, the NSP wants to prove to its client, i.e. the company that pays the NSP for sending the ads, that it did indeed send the ads in question within his group of subscribers, while keeping the exact identity of the recipient a secret. The privacy of the ad's recipient should also be preserved within the group of the NSP's subscribers.
Group encryption constitutes a plausible solution to this problem as it allows a sender (the NSP in the example) to encrypt a message (the ad) for a targeted user, and additionally makes it possible for a verifier to check that the formed ciphertext is valid (e.g. that the corresponding plaintext satisfies some relation) and that some anonymous member from the subscribers's group is able to decrypt it. Group encryption also supports the functionality of opening the ciphertext and recovering down the recipient's identity in case of disputes by a designated authority.
More formally, a group encryption (GE) scheme involves a group manager (GM) who registers group members, and an opening authority (OA) that is capable of recovering the identity of the recipient from the corresponding ciphertext.
The main procedures that underlay a GE scheme are:
A public key encryption (PKE) scheme comprises a key generation algorithm that generates pairs of the form (public key, private key), an encryption algorithm which produces an encryption of an input message using the public key of the recipient, and a decryption algorithm which recovers the message encrypted in an input ciphertext using the proper private key.
A tag-based encryption scheme (TBE) further requires an additional argument, a tag, for both the encryption and decryption. Informally, a tag is a binary string of appropriate length which specifies information about the encryption (date, context, etc . . . ).
One-time digital signature schemes can be used to sign, at most, one message; otherwise, signatures can be forged. A new public key is required for each message that is signed. They are, like ‘normal’ digital signatures, defined by the key generation algorithm, the signing algorithm, and the verification algorithm. The security of one-time signature schemes relies on the difficulty, given a public key, to come up with a new valid pair of message and corresponding signature.
The paper by Kiayias-Tsiounis-Yung mentioned hereinbefore provides a generic construction for a secure Group Encryption scheme that uses a digital signature scheme S for certification of the users public keys, a tag-based encryption scheme E1 for encrypting the message, another tag-based encrypting scheme E2 for encrypting the recipient public key, and a commitment scheme for committing to the used key and to its certificate. In more detail, the scheme works as follows:
Cathalo-Libert-Yung has provided a concrete realization of a Group Encryption scheme, see Julien Cathalo, Benoît Libert, Moti Yung: “Group Encryption: Non-interactive Realization in the Standard Model”, ASIACRYPT 2009: pp. 179-196. The scheme uses Shacham's encryption scheme [see Hovav Shacham: “A Cramer-Shoup Encryption Scheme from the Linear Assumption and from Progressively Weaker Linear Variants”, Cryptology ePrint Archive, Report 2007/074] for encrypting the message, and Kiltz' encryption [see Eike Kiltz: “Chosen-Ciphertext Security from Tag-Based Encryption”, TCC 2006: pp. 581-600] for encrypting the public key of the recipient. The solution departs from the construction provided by Kiayias-Tsiounis-Yung by waiving the commitments c3 and c4 to the proof underlying the Prove procedure.
More precisely, if S refers to a digital signature scheme given in the paper, OTS refers to any secure one-signature scheme, [Kiltz] refers to Kiltz's encryption scheme and [Shacham] refers to Shacham's encryption scheme, the scheme is defined by:
The schemes provided by Kiayias-Tsiounis-Yung and Cathalo-Libert-Yung achieve secure Group Encryption by instantiating the construction with encryption schemes that satisfy the strong security notions (i.e. encryption schemes that are secure against powerful adversaries). According to the used building blocks, the resulting realizations compare as follows:
The skilled person will thus realise that both Kiayias-Tsiounis-Yung and Cathalo-Libert-Yung remain rather expensive due to the size or cost of the ciphertext and the proof.
For instance, both Kiayias-Tsiounis-Yung and Cathalo-Libert-Yung resort to encrypting each component of the public key—the public key always consists of a vector of group elements—and as a consequence apply the same expensive (in terms of resource use) encryption (“E2” or [Kiltz]) n times, where n denotes the number of elements in the public key of the recipient.
The skilled person will appreciate that there is a need for a solution that provides an improved GE scheme. This invention provides such a solution.
In a first aspect, the invention is directed to a method of group encrypting a plaintext m with regard to a tag t for a recipient with a public key pk to obtain a ciphertext c. A device obtains a signing key OTS.sk and a verifying key OTS.vk; creates a first encrypted value c1 and a second encrypted value c2, by calculating c1=E1.Encrypt{pk}(m,OTS.vk) and c2=E2.Encrypt{pkOA}(f(Pk),OTS.vk), wherein E1 is a first encryption algorithm, E2 is a second encryption algorithm and ƒ is a mapping function; produces a signature s on the first encrypted value the second encrypted value c2 and the tag t using the signing key OTS.sk by calculating s=OTS.Sign{OTS.sk}(c1,c2,t), wherein OTS.Sign is a signature algorithm; and outputs the ciphertext c, wherein the ciphertext c comprises the first encrypted value c1, the second encrypted value c2, the verifying key OTS.vk and the signature s.
In a first preferred embodiment, the message m satisfies a publicly verifiable relation R.
In a second aspect, the invention is directed to a method of decrypting a group encryption c comprising a first encrypted value c1, a second encrypted value c2, a verifying key OTS.vk and a signature s, wherein the signature s is on the first encrypted value c1, the second encrypted value c2 and a tag t. A device receives the group encryption c; verifies the signature s with regard to a verifying key OTS.vk; and if the signature s is successfully verified, decrypts the first encrypted value c1 using an decryption algorithm E1 and the verifying key OTS.vk.
In a first preferred embodiment, verifying the signature further comprises verifying that a decryption of the first encrypted value c1 satisfies a public relation R.
In a third aspect, the invention is directed to a device for group encrypting of a plaintext m with regard to a tag t for a recipient with a public key pk to obtain a ciphertext c. The device comprises a processor configured to: obtain a signing key OTS.sk and a verifying key OTS.vk; create a first encrypted value c1 and a second encrypted value c2, by calculating c1=E1.Encrypt{pk}(m,OTS.vk) and c2=E2.EncryPt{pkOA} (f(pk),OTS.vk), wherein E1 is a first encryption algorithm, E2 is a second encryption algorithm and ƒ is a mapping function; produce a signature s on the first commitment c1, the second commitment c2 and the tag t using the signing key OTS.sk by calculating s=OTS.Sign{OTS.sk}(c1,c2,t), wherein OTS.Sign is a signature algorithm; and output the ciphertext c, wherein the ciphertext c comprises the first encrypted value c1, the second encrypted value c2, the verifying key OTS.vk and the signature s.
In a first preferred embodiment, the message m satisfies a publicly verifiable relation R.
In a fourth aspect, the invention is directed to a device for decrypting a group encryption c comprising a first encrypted value c1, a second encrypted value c2, a verifying key OTS.vk and a signature s, wherein the signature s is on the first encrypted value the second encrypted value c2 and a tag t. The device comprises a processor configured to: receive the group encryption c; verify the signature s with regard to a verifying key OTS.vk; and if the signature s is successfully verified, decrypt the first encrypted value c1 using an decryption algorithm E1 and the verifying key OTS.vk.
In a first preferred embodiment, the processor further verifies that a decryption of the first encrypted value c1 satisfies a public relation R.
In a fifth aspect, the invention is directed to a computer program product having stored thereon instructions that, when executed by a processor, perform the method of the first aspect.
In a sixth aspect, the invention is directed to a computer program product having stored thereon instructions that, when executed by a processor, perform the method of the second aspect.
Preferred features of the present invention will now be described, by way of non-limiting example, with reference to the accompanying drawings, in which:
A main inventive idea of the present invention is to encrypt an alias of the recipient's public key instead of the public key itself. The Group Manager (GM) publishes the public key, the corresponding encryption of the alias and certificate in the public database DB. The alias is a resulting value of a suitably chosen mapping function ƒ applied on the public key.
Calculations using the function ƒ are preferably easy to perform, the function preferably reduces the size of the input, and two different input values should not result in identical entries in the database DB. The mapping function ƒ may be said to be a sort of hash function that is collision resistant by having the group manager ensures this property by, for example, randomizing a new message until its entry in the database is unique.
This can allow a significant decrease in the size and cost of the resulting construction as the alias can be made smaller than the public key. In particular, there is no need to apply the second encryption scheme as many times as there are group elements in the recipient's public key.
However a drawback is that, in the Open procedure, the opening authority OA is required to look in the database DB for the preimage (public key) of the alias. Fortunately, the recourse to the Open procedure occurs very rarely; i.e. only in case of disputes.
The Group Encryption scheme of the present invention uses a number of building blocks (examples will be given later in the description):
Certain classes of signature and encryption schemes allow an efficient performance of these proofs.
For non-interactive proofs, it is preferred to use components that accept efficient non-interactive proofs of knowledge of the witness in question (e.g. message or key in case of signature/encryption schemes, preimage in case of the function ƒ or witness in case of the relation R) such as Groth-Sahai [Jens Groth, Amit Sahai: Efficient Non-interactive Proof Systems for Bilinear Groups. EUROCRYPT 2008: 415-432] compatible cryptosystems. In this sense, one can use the so-called automorphic signatures (i.e. signature schemes where the verification key message and resulting signature are group elements and where the verification algorithm consists of a conjunction of pairing product equations) and encryption schemes where the encryption algorithm performs group or pairing operations on the input (this entails that the message, public key and ciphertext are group elements). The function ƒ also performs group (or pairing in case of bilinear groups) operations on the input. The same thing applies for the relation R.
Similarly, it is preferred to use components that accept efficient interactive proofs of the witness. In this sense, it is preferred to use signature schemes that make it possible to define a homomorphic function cp, given a signature σ on a message M, such that φ(S,M) evaluates to g(R,vk) where vk is the verification key, g is a public function, and (S,R) is a pair converted from a where R reveals no information about σ or M, and S is a “vital” part of the signature; the underlying conversion algorithm is referred to as the CONVERT algorithm. It is also preferred to use encryption schemes that accept efficient proofs of correctness of a decryption with regard to a given key and a given tag. Moreover, the scheme used to encrypt the public key (E2) should be homomorphic with regard to the message and the scheme E1 should be homomorphic with regard to both the public key and the message. Further, encryption scheme E1 comes with an algorithm, referred to as the COMPUTE algorithm, which on input an encryption c1 of a message m under a public key pk with respect to a given tag t produces another encryption c′1 of another message m′ under another public key pk′ with respect to the same tag t such that the composition of c1 and c′1 is equal to the encryption of the composition of m and m′ under the composition of pk and pk′ with respect to tag t; wherein composition has to be understood as applying the algebraic group operation equipping the set the involved elements belong to. Moreover, the function ƒ is preferably a homomorphic function (f applied to the composition of two inputs is the composition of the values of ƒ at these two inputs). And similarly, the relation R should allow, given an instance x, to define a homorphic function F_R and an image I such that F_R(w)=I, where w is the witness corresponding to the instance x.
A preferred signature scheme for use with the present invention is the scheme proposed by Masayuki Abe, Georg Fuchsbauer, Jens Groth, Kristiyan Haralambiev and Miyako Ohkubo in “Structure-Preserving Signatures and Commitments to Group Elements”; CRYPTO 2010: 209-236.
A preferred encryption scheme for use with the present invention is the weakly secure tag-based variant provided by David Cash, Eike Kiltz and Victor Shoup in “The Twin Diffie-Hellman Problem and Applications”; Journal of Cryptology 22(4): 470-504 (2009).
A preferred function ƒ, if the public keys are n-vectors of group elements, is the following:
f: Gn→G
Finally a preferred relation R is (m,x,y)∈ R⇄e(m,P)=e(x,y) where e is an efficient pairing with domain G×H (G and H are cryptographic bilinear groups), and P is a fixed element from H.
The interactive Prove protocol between the prover who generated the ciphertext c for receiver with public key pk and any verifier proceeds in three passes: commitment, challenge, and response. In the commitment pass, the prover runs the CONVERT algorithm on input the group manager's public key S.pk, public pk and corresponding certificate to obtain the pair (S, R). The prover also runs the COMPUTE algorithm on input c1 and obtains the tuple (pk′, m′, c′1). Next, the prover computes F′=f(pk′), I′_R=F_R(m′), and I′=pk′). Finally, the prover computes c′2 which is the encryption of F′ under public key pkOA. The prover sends the tuple (R, I′, I′_R, c′2) to the verifier. Upon receiving this tuple, in the challenge pass, the verifier selects at random an integer b and computes I=g(R, S.pk) and I_R such that F_R(m)=I_R. The verifier sends the challenge b to the prover. Upon receiving this challenge, the prover computes and sends the values zs, zpk, zm and zF where zpk is the composition of pk′ and pkb, zS is the composition of S′ and Sb, zm is the composition of m′ and mb, and zF is the composition of F′ and Fb. Finally, the prover proves the knowledge that (PoK1) the composition of c′1 and c1b is the encryption of zm under public key zpk with respect to tag t, and (PoK2) the composition of c′2and c2″ is the encryption of zF under public key pkOA with respect to tag t. At the end of protocol, the verifier accepts if (1) φ(zS, zpk) is equal to the composition of I′ and Ib, (2) F_R(zm) is the composition of I′_R and Ib_R, (3) f(zpk) is equal to zF, and (4) PoK1 and PoK2 are valid. The skilled person will observe that, when instantiated with the preferred encryption schemes, the proofs of knowledge PoK1 and PoK2 boil down to showing the equality of discrete logarithms; efficient methods thereof can be derived from the seminal work of Claus P. Schnorr, “Efficient signature generation by smart cards”, Journal of Cryptology, 4(3):161-179, 1991. See also Jan Camenisch, “Group signature schemes and payment systems based on the discrete logarithm problem”, PhD thesis, vol. 2 of ETH Series in Information Security and Cryptography, Hartung-Gorre Verlag, 1998 (ISBN 3-89649-286-1).
The system 100 comprises a sender 110 and a receiver 120, each comprising at least one interface unit 111, 121 configured for communication with the other device, at least one processor (“processor”) 112, 122 and at least one memory 113, 123 configured for storing data, such as accumulators and intermediary calculation results. The system 100 further comprises a Group Manager 130, a database 140, a third party 150 and an Opening Authority 160; although not illustrated for the sake of clarity, each of these devices comprises the necessary hardware such as processors and memory.
The processor 112 of the sender 110 is configured to perform the Encrypt and Prove parts of the present group encryption scheme, and the processor 122 of the receiver 120 is adapted to decrypt a received group encryption, i.e. perform Decrypt. The Group manager 130 is configured to perform the Join part and thereby store data in the database 140. The third party 150 is configured to verify proofs provided by the sender and the Opening Authority 160 is configured to perform the Open part of the group encryption scheme. A first computer program product 114 such as a CD-ROM or a DVD comprises stored instructions that, when executed by the processor 112 of the sender 110, performs Encryption and Prove according to the invention. A second computer program product 124 comprises stored instructions that, when executed by the processor 122 of the receiver 120, performs Decrypt according to the invention.
The skilled person will appreciate that the Group Encryption scheme of the present invention can allow a significant reduction of the size and cost when compared to prior art schemes. For instance, the GE scheme of the present invention results in a 0.4 kB ciphertext (instead of 1.25 kB or 2.5 kB in the prior art) if it is instantiate with:
In addition, the proofs are shorter and can be carried out with or without interaction with the verifier (1 kB for the interactive proof, and 2 kB for the non-interactive one), leaving to the latter the choice of performing cheap, interactive proofs, or expensive, non-interactive proofs. Moreover, verification of the proof requires 325 pairing computations (to be compared to 3895 pairing computations in the prior art).
As mentioned previously, the GE scheme of the present invention has the drawback of accessing the database DB in each Open procedure in order to find the preimage of the alias of the public key's. Fortunately, the recourse to Open happens only in case conflicts, and thus very rarely.
While the present invention has been described in the context of GE, its scope is not limited to this kind of cryptographic schemes. Any cryptographic scheme involving the encryption of (long) messages present in (online) public DB may equally benefit from the invention. Applying the present invention, (short) aliases will be associated with each message of the DB and added to the DB. The encryption of the message will then be replaced with the encryption of the alias, shortening therefore the size of the ciphertext. Upon decryption, the alias will be recovered and, using a request to the online DB, the associated message will also be recovered.
Each feature disclosed in the description and (where appropriate) the claims and drawings may be provided independently or in any appropriate combination. Features described as being implemented in hardware may also be implemented in software, and vice versa. Reference numerals appearing in the claims are by way of illustration only and shall have no limiting effect on the scope of the claims.
Number | Date | Country | Kind |
---|---|---|---|
11306672.4 | Dec 2011 | EP | regional |
Filing Document | Filing Date | Country | Kind | 371c Date |
---|---|---|---|---|
PCT/EP2012/075091 | 12/11/2012 | WO | 00 | 6/11/2014 |