Revocable cryptosystems from lattices
Date of Issue: 2018-08-06
School of Physical and Mathematical Sciences
In the last decade, lattices have become one of the most powerful tools for constructing cryptographic schemes: they offer conjectured resistance against quantum computers, strong security guarantees from worst-case to average-case reductions, and asymptotic efficiency. For a multi-user cryptosystem, user revocation is a necessary but challenging problem. However, all known revocable schemes are either based on number-theoretic assumptions or, if lattice-based, less efficient than state-of-the-art systems. In this thesis, we investigate user revocation models and their lattice-based instantiations. Our constructions have two goals: (i) to improve the existing revocable lattice-based cryptosystems in terms of efficiency and security; (ii) to consider the revocation functionality in new contexts from lattices. For the former, we carefully adapt a very recent revocation model to the lattice setting. The latter is achieved either by using existing revocation models that have no concrete constructions from lattices, or by proposing new revocation models. We construct a series of cryptosystems supporting efficient revocation, as follows.

A revocable identity-based encryption (IBE) scheme that is more efficient than all existing such schemes from lattices. We follow the architecture of server-aided revocable encryption proposed by Qin et al. (ESORICS 2015). This paradigm provides significant efficiency advantages over previous revocation techniques in the IBE setting. In the server-aided revocation model, most of the workload on the user side is outsourced to a server; the server may be untrusted, since it holds no private information. With the help of this server, non-revoked users do not need to update anything when the system revokes other users. We equip the IBE of Agrawal, Boneh, and Boyen (EUROCRYPT 2010) with the server-aided revocation method. From a technical viewpoint, we observe that a "double encryption" mechanism is well suited to such a server-aided system. We also show that our scheme is provably secure under the strong hardness assumption of the Learning With Errors (LWE) problem.

A revocation model called server-aided revocable predicate encryption (SR-PE), together with an instantiation from lattices. We consider the server-aided revocation mechanism in the predicate encryption (PE) setting and formalize the notion of SR-PE with rigorous definitions and a security model. Moreover, we give a construction of SR-PE based on the scheme of Agrawal, Freeman, and Vaikuntanathan (ASIACRYPT 2011) and prove that it is selectively secure in the standard model. The correctness of our scheme relies on a special property of lattice-based encryption schemes.

A lattice-based construction of predicate encryption following the direct revocation mechanism, in which the ciphertexts themselves carry the revocation information. Nieto, Manulis, and Sun (ACISP 2012) considered direct revocation in the PE setting and suggested the notion of full-hiding security for revocable PE schemes, which demands that the encrypted data hide not only the plaintext and the associated attribute but also the revocation information. Following their pairing-based construction, we give a corresponding instantiation from lattice assumptions. In terms of efficiency, our lattice-based scheme is somewhat comparable to the construction of Nieto, Manulis, and Sun. Our scheme achieves full-hiding security thanks to the anonymity of an additional IBE instance that we introduce into the system.
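The server-aided revocation workflow of the first contribution (an untrusted server that strips one layer of a double encryption, long-term user keys that never change, and revocation enforced purely through what the key generation centre releases to the server), simulated as an added example that is not part of the thesis and is not the lattice-based scheme it describes. Hashed ElGamal over a toy-sized safe prime stands in for the IBE of Agrawal, Boneh, and Boyen, a published key directory stands in for identity-based public keys, and issuing one period key per identity is a simplification of the key-update mechanism. The role names, functions and key sizes are all assumptions of this example.

```python
import hashlib
import secrets

def _is_probable_prime(n, rounds=24):
    # Miller-Rabin with random bases (toy helper, not a vetted library)
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def safe_prime(bits):
    # random safe prime p = 2q + 1; 64 bits is a toy size, real groups use >= 2048 bits
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if _is_probable_prime(q) and _is_probable_prime(2 * q + 1):
            return 2 * q + 1

P = safe_prime(64)
Q = (P - 1) // 2
G = 4  # a square mod P, so it generates the prime-order-Q subgroup

def keygen():
    sk = secrets.randbelow(Q - 1) + 1
    return sk, pow(G, sk, P)

def _keystream(shared, length):
    # hash the KEM shared secret into a keystream (toy DEM: no integrity protection)
    blocks = (hashlib.sha256(shared.to_bytes(32, "big") + i.to_bytes(4, "big")).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def encrypt(pk, msg):
    # hashed ElGamal: c1 = g^r, body = msg XOR H(pk^r)
    r = secrets.randbelow(Q - 1) + 1
    body = bytes(a ^ b for a, b in zip(msg, _keystream(pow(pk, r, P), len(msg))))
    return pow(G, r, P).to_bytes(32, "big") + body

def decrypt(sk, ct):
    shared = pow(int.from_bytes(ct[:32], "big"), sk, P)
    return bytes(a ^ b for a, b in zip(ct[32:], _keystream(shared, len(ct) - 32)))

class KGC:
    """Trusted centre: a user key is issued once; period keys reach the server only for non-revoked users."""
    def __init__(self):
        self.directory, self.revoked = {}, set()  # public: ident or (ident, period) -> pk
    def register(self, ident):
        sk, self.directory[ident] = keygen()
        return sk  # delivered to the user over a secure channel; the server never sees it
    def revoke(self, ident):
        self.revoked.add(ident)
    def key_update(self, period):
        # publish every period public key; release the secret half only for non-revoked identities
        update = {}
        for ident in [k for k in self.directory if isinstance(k, str)]:
            sk, self.directory[(ident, period)] = keygen()
            if ident not in self.revoked:
                update[ident] = sk
        return update

class Server:
    """Untrusted helper: it can strip the period layer but never reach the plaintext."""
    def __init__(self):
        self.period_keys = {}
    def install_update(self, period, update):
        self.period_keys.update({(ident, period): sk for ident, sk in update.items()})
    def transform(self, ident, period, ct):
        if (ident, period) not in self.period_keys:
            raise PermissionError(f"{ident} has no key for period {period}: revoked")
        return decrypt(self.period_keys[(ident, period)], ct)  # still the inner ciphertext

def send(directory, ident, period, msg):
    # sender uses public data only: user layer inside, period layer outside (double encryption)
    return encrypt(directory[(ident, period)], encrypt(directory[ident], msg))

def run_demo():
    kgc, server = KGC(), Server()
    alice_sk = kgc.register("alice")
    kgc.register("bob")
    server.install_update(1, kgc.key_update(1))
    partial = server.transform("alice", 1, send(kgc.directory, "alice", 1, b"period-1 report"))
    got1 = decrypt(alice_sk, partial)
    kgc.revoke("bob")  # only the next server update changes; alice_sk is untouched
    server.install_update(2, kgc.key_update(2))
    got2 = decrypt(alice_sk, server.transform("alice", 2, send(kgc.directory, "alice", 2, b"period-2 report")))
    try:
        server.transform("bob", 2, send(kgc.directory, "bob", 2, b"for bob"))
        bob_blocked = False
    except PermissionError:
        bob_blocked = True
    return got1, got2, bob_blocked, len(partial) - len(got1)

if __name__ == "__main__":
    print(run_demo())
```

Two properties of the model are visible in the run: revoking bob changes nothing that alice holds, because the KGC simply stops releasing bob's period key in the next update, and the server's output is still a ciphertext under alice's long-term key, so a compromised server learns nothing about the message. The lattice-based scheme replaces the ElGamal layers with LWE-based IBE components and the per-identity period keys with logarithmic-size key updates; the role separation is the same.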