Server-aided Revocable IBE with Identity Reuse

Abstract

Abstract Efficient key revocation in Identity-based Encryption (IBE) has been a both fundamental and critical problem when deploying an IBE system in practice. Boneh and Franklin proposed the first revocable IBE (RIBE) scheme where the size of key updates is linear in the number of users. Then, Boldyreva, Goyal and Kumar proposed the first scalable RIBE by using the tree-based approach where the size of key updates is $O(r\log (N/r))$ and the size of every user’s long-term secret key is $O(\log N)$ with $N$ being the number of users and $r$ the number of revoked users. Recently, Qin et al. presented the notion of server-aided RIBE where the size of every user’s long-term secret key is $O(1),$ and users do not need to communicate with Key Generator Center (KGC) during every key updates. However, users must change their identities once their secret keys are revoked as they cannot decrypt ciphertexts by using their revoked secret keys. To address the above problem, we formalize the notion of RIBE with identity reuse. In our system model, users can obtain a new secret key called the reuse secret key from KGC when their secret keys are revoked. The decryption key can be derived from the reuse secret key and new key updates while it cannot be derived from the revoked secret key and the new key updates. We present a concrete construction that is secure against adaptive-ID chosen plaintext attacks and decryption key exposure attacks under the $\mathsf{ADDH}1$ and $\mathsf{DDH}2$ assumptions in the standard model. Furthermore, we extend it to server-aided RIBE scheme with identity reuse property that is more suitable for lightweight devices.