New Constructions of Fuzzy Identity-Based Encryption

Joonsang BaekInstitute for InfocommResearch, Singapore

jsbaek@i2r.a-star.edu.sg

Willy SusiloUniversity of Wollongong,

Australiawsusilo@uow.edu.au

Jianying ZhouInstitute for InfocommResearch, Singapore

jyzhou@i2r.a-star.edu.sg

ABSTRACTIn this paper we construct two new fuzzy identity-based en-cryption (IBE) schemes in the random oracle model. Notonly do our schemes provide public parameters whose sizeis independent of the number of attributes in each identity(used as public key) but they also have useful structureswhich result in more efficient key extraction and/or encryp-tion than the random oracle version of Sahai and Water’sfuzzy IBE scheme, considered recently by Pirretti et al. Weprove that the confidentiality of the proposed schemes isrelative to the Bilinear Decisional Bilinear Diffie-Hellmanproblem.

Categories and Subject DescriptorsE.3 [Data Encryption]: Public key cryptosystems

General TermsSecurity, Performance

KeywordsFuzzy Identity-Based Encryption, Efficient Constructions

1. INTRODUCTIONMotivation. The concept of fuzzy identity-based encryp-tion (IBE) recently introduced by Sahai and Waters [8] isto provide an error-tolerance property for IBE. Namely, infuzzy IBE, a user with the secret key for the identity ω candecrypt a ciphertext encrypted with the public key ω′ if ωand ω′ are within a certain distance of each other.

As noted in [8], fuzzy IBE can directly be applied to thesituation where a user is traveling and another party wantsto encrypt at an ad-hoc meeting between them. Anotherapplication of fuzzy IBE is “attribute-based encryption [8,6, 7]” where a party can encrypt data to all users thathave a certain set of attributes, e.g. {company, division,department}.

Permission to make digital or hard copies of all or part of this work forpersonal or classroom use is granted without fee provided that copies arenot made or distributed for profit or commercial advantage and that copiesbear this notice and the full citation on the first page. To copy otherwise, torepublish, to post on servers or to redistribute to lists, requires prior specificpermission and/or a fee.ASIACCS’07, March 20-22, 2007, Singapore.Copyright 2007 ACM 1-59593-574-6/07/0003 ...$5.00.

Related Work. Since Sahai and Water’s work, fuzzy IBEhas been discussed in the context of the attribute-based en-cryption (ABE). Very recently, Goyal et al. [6] proposedan ABE scheme that provides fine-grained sharing of en-crypted data. Piretti et al. [7] used Sahai and Waters’“large universe” construction of fuzzy IBE, which we sim-ply call “Sahai-Waters construction”, to realize their secureinformation management architecture. They also observedthat if the random oracle [2] is employed, computationaloverhead of the Sahai-Waters construction can greatly bereduced. We remark that the random oracle not only re-duces computational overhead but also provides a very shortpublic parameters whose size is independent of the numberof attributes associated with an identity or the number ofattributes in the defined universe, which is crucial in thestorage constrained applications.

Our Contribution. In this paper, we go one step beyondPirreti et al.’s results by presenting fuzzy IBE schemes in therandom oracle model, which are structurally different fromthe Sahai-Waters construction. We show that the struc-tural difference results in more efficient schemes than eventhe random oracle version of the Sahai-Waters constructionconsidered by Pirretti et al. [7]. We prove that our schemesmeet the security requirements as defined in [8] assumingthat the Decisional Bilinear Diffie-Hellman (DBDH) prob-lem is hard.

2. PRELIMINARIESComputational Primitives. We first review the defini-tion of the admissible bilinear pairing [3], denoted by e. LetG1 and G2 be groups of the same order q which is prime.(By G∗1 and ZZ∗q , we denote G1 \ {1} where 1 is the identityelement of G1, and ZZq \ {0} respectively). Suppose that G1

is generated by g. Then, e : G1 × G1 → G2 has the fol-lowing properties: 1) Bilinear: e(ga, gb) = e(g, g)ab, for alla, b ∈ ZZq and 2) Non-degenerate: e(g, g) 6= 1.

A computational problem that will be used throughoutthis paper is the DBDH problem, a decisional version ofthe Bilinear Diffie-Hellman problem on which Boneh andFranklin’s IBE scheme [3] is based. Informally, the DBDHproblem refers to the problem where, given (g, ga, gb, gc) forrandom a, b, c ∈ ZZ∗q , a polynomial-time attacker A is to

distinguish e(g, g)abc from e(g, g)γ for random γ ∈ ZZ∗q .

Fuzzy IBE and Its Security. The generic fuzzy IBEscheme [8] consists of the following algorithms.

• Setup(): Providing some security parameter as input,the Private Key Generator (PKG) runs this algorithm to

368

generate its master key mk and public parameters paramswhich contains an error tolerance parameter d. Note thatparams is given to all interested parties while mk is keptsecret.

• Extract(mk, ID): Providing the master key mk and anidentity ID as input, the PKG runs this algorithm to gener-ate a private key associated with ID, denoted by DID.

• Encrypt(params, ID′, M): Providing the public parame-ters params, an identity ID′, and a plaintext M as input, asender runs this algorithm to generate a ciphertext C′.• Decrypt(params, DID, C

′): Providing the public param-eters params, a private key DID associated with the identityID and a ciphertext C′ encrypted with an identity ID′ suchthat |ID′ ∩ ID| ≥ d as input, a receiver runs this algorithmto get a decryption, which is either a plaintext or a “Reject”message.

A first security requirement of fuzzy IBE is “indistin-guishability of encryptions under fuzzy selective-ID, cho-sen plaintext attack (IND-FSID-CPA)” [8]. (Note that the“selective-ID attack” [4] refers to the attack in which an at-tacker commits ahead of time an identity that it intends toattack.) The formal definition based on the game betweenan attacker A and the “Challenger” is as follows.

In Phase 1, A outputs a challenge identity ID∗. In Phase2, the Challenger then runs the Setup algorithm to gener-ate a master key mk and public parameters params. TheChallenger gives params to A while keeps mk secret fromA. In Phase 3, A issues private key extraction queries, eachof which is denoted by ID. A restriction here is that forall ID, |ID ∩ ID∗| < d. In Phase 4, A outputs equal-lengthmessages M0 and M1. Upon receiving (M0, M1), the Chal-lenger picks β ∈ {0, 1} at random and creates a challengeciphertext C∗ = Encrypt(params, ID∗, Mβ). The Challengerreturns C∗ to A. In Phase 5, A issues a number of privatekey extraction queries as in Phase 3. In Phase 6, A outputsits guess β′ ∈ {0, 1}.

We define A’s guessing advantage by |Pr[β′ = β]− 12|.

Notice that a stronger notion “indistinguishability of en-cryptions under fuzzy selective-ID, chosen ciphertext attack(IND-FSID-CCA)” can also be defined by giving A an accessto a decryption oracle.

Another important security requirement for a fuzzy IBEscheme is the security against colluding attack, which im-plies that no group of users should be able to combine theirkeys in such a way that they can decrypt a ciphertext thatnone of them alone could [8].

3. PROPOSED FUZZY IBE SCHEMESIn the rest of the paper, ∆a,S denotes the Lagrange co-

efficient for a ∈ ZZ∗q (q, a prime) and a set S of elements inZZ∗q . Notice that

∆a,S(x) =Y

a∈S,b6=a

x− b

a− b.

Without loss of generality, we assume that an identity is aset of n different elements in ZZ∗q . For example, each of nstrings of arbitrary length with an index i ∈ Z can be hashedusing some collision-resistant hash function whose range isZZ∗q .Efficient Fuzzy IBE-I (EFIBE-I) Scheme. As men-tioned earlier the hash function H in our first fuzzy IBE

scheme is assumed to be the random oracle, which gives riseto very short public parameters. However, we note that ourscheme has a different structure compared to the randomoracle version of the Sahai-Waters construction consideredin [7]. The unique feature of EFIBE-I is that its privatekey extraction algorithm (Extract) is structurally simple andhighly efficient.

• Setup(): Generate a group G1 of prime order q. Con-struct a bilinear map e : G1 × G1 → G2, where G2 is agroup of the same order q. Pick a generator g of the groupG1. Pick g1 ∈ G1 at random. Pick s ∈ ZZ∗q at random andcompute g2 = gs. Choose a hash function H : ZZ∗q → G1.Select a tolerance parameter d. Output a public parame-ter params = (q, g, e,G1,G2, H, g1, g2, d) and a master keymk = (q, g, e,G1,G2, H, g1, g2, x).

• Extract(mk, ID), where ID = (µ1, . . . , µn): Pick a ran-dom polynomial p(·) of degree d − 1 over ZZq such thatp(0) = s and compute a private key Dµi = (γµi , δµi) =

(H(µi)p(µi), gp(µi)) for i = 1, . . . , n. Return DID =

(Dµ1 , . . . , Dµn).

• Encrypt(params, ID′, M), where ID′ = (µ′1, . . . , µ′n) and

M ∈ G2: Pick r ∈ ZZ∗q at random and compute

C′ = (ID′, U, Vµ′1 , . . . , Vµ′n , W )

= (ID, gr, (g1H(µ′1))r, . . . , (g1H(µ′n))r, e(g1, g2)

rM)

• Decrypt(params, DID, C′), where C′ is encrypted with

ID′ such that |ID′∩ID| ≥ d (Recall that ID = (µ1, . . . , µn)).:Choose an arbitrary set S ⊆ ID ∩ ID′ such that |S| = d andcompute

M =e(Q

µj∈S γ∆µj,S(0)

µj , U)

Qµj∈S e(Vµj , δ

∆µj,S(0)

µj )·W

(Here, notice that µ′j = µj if µj ∈ S). Return M .

It is easy to see that the decryption algorithm is correct.The above EFIBE-I scheme is proven to be IND-FSID-CPAsecure in the random oracle model assuming that the DBDHproblem is hard. The proof is given in the full version of thispaper [1].

By the same argument as [8], the EFIBE-I scheme pre-vents collusion attacks since each users’ private key com-ponents are generated with different random polynomials.–Even if multiple users collude, they will not be able to com-bine their private key components to form a key which isuseful to compromise the confidentiality of the scheme.

Efficient Fuzzy IBE-II (EFIBE-II) Scheme. Our sec-ond fuzzy IBE scheme bears some similarities to the secondscheme based on the DBDH problem [8]. However, its pri-vate key extraction has been simplified by using the outputsof the chosen random polynomial as random exponents forg1, in contrast to the scheme in [8] which introduces extrarandom exponents and hence incurs extra exponentiations.More precisely, our scheme computes ((g1H(µi))

p(µi), gp(µi))

instead of (gp(µi)1 H(µi)

ri , gri) [8] to generate a private keyassociated with an identity ID′ = (µ′1, . . . , µ

′n). A descrip-

tion of the scheme is as follows.

• Setup(): Generate a group G1 of prime order q. Con-struct a bilinear map e : G1 × G1 → G2, where G2 is agroup of the same order q. Pick a generator g of the group

369

G1. Pick g1 ∈ G1 at random. Pick s ∈ ZZ∗q at random andcompute g2 = gs. Choose a hash function H : ZZ∗q → G1.Select a tolerance parameter d. Output a public parame-ter params = (q, g, e,G1,G2, H, g1, g2, d) and a master keymk = (q, g, e,G1,G2, H, g1, g2, x).

• Extract(mk, ID), where ID = (µ1, . . . , µn): Pick a ran-dom polynomial p(·) of degree d − 1 over ZZq such thatp(0) = s and compute a private key Dµi = (γµi , δµi) =

((g1H(µi))p(µi), gp(µi)) for i = 1, . . . , n. Return DID =

(Dµ1 , . . . , Dµn).

• Encrypt(params, ID′, M), where ID′ = (µ′1, . . . , µ′n) and

M ∈ G2: Pick r ∈ ZZ∗q at random and compute

C′ = (ID′, U, Vµ′1 , . . . , Vµ′n , W )

= (ID′, gr, H(µ′1)r, . . . , H(µ′n)r, e(g1, g2)

rM)

• Decrypt(params, DID, C′), where C′ is encrypted with

ID′ such that |ID′∩ID| ≥ d (Recall that ID = (µ1, . . . , µn)).:Choose an arbitrary set S ⊆ ID ∩ ID′ such that |S| = d andcompute

M =

Qµj∈S e(Vµj , δ

∆µj,S(0)

µj )

e(Q

µj∈S γ∆µj,S(0)

µj , U)·W

(Here, notice that µ′j = µj if µj ∈ S). Return M .

Note that one can easily show that the above decryptionalgorithm is correct. The above EFIBE-II scheme is provento be IND-FSID-CPA secure in the random oracle modelassuming that the DBDH problem is hard. The proof isgiven in the full version of this paper [1].

We also note that from the same reason as EFIBE-I,EFIBE-II is also secure against collusion attacks.

Finally we remark that EFIBE-I and EFIBE-II can be ex-tended to achieve chosen ciphertext security using the tech-nique like the Fujisaki-Okamoto transform [5].

4. COMPARISONSTable 1 summarizes the size of various parameters and the

cost of computing sub-algorithms of the proposed fuzzy IBEschemes and the random oracle version of the Sahai-Watersconstruction [7], which we denote by SW-RO.

Notice that both Extract and Encrypt algorithms of EFIBE-II are more efficient than those of SW-RO. The Extract al-gorithm of EFIBE-I is the most efficient among the threeschemes but its Encrypt is slightly less efficient than those ofEFIBE-II and SW-RO.

5. CONCLUDING REMARKSIn this paper we proposed two efficient fuzzy IBE schemes,

which are proven to be secure in the random oracle model.We expect that our new fuzzy IBE schemes will serve

as efficient building blocks for biometric authentication sys-tems or attribute-based encryption systems. Construction offuzzy IBE schemes that have the exactly the same structuresas ours (that is, non-random oracle version of our schemesusing the technique of [8]) is an interesting open problem.

6. ACKNOWLEDGMENTSThe authors are grateful to the anonymous reviewers of

ASIACCS’07 for their truly helpful suggestions.

EFIBE-I EFIBE-II SW-RO

Size of params\ 2|G1| 2|G1| 2|G1|{q, g, e,G1,G2, d}Size of DID 2n|G1| 2n|G1| 2n|G1|Size of C \ ID (n + 1)|G1| (n + 1)|G1| (n + 1)|G1|

+|G2| +|G2| +|G2|Cost of Extract n(TH + 2Te) n(TH + Tm n(TH + Tm

+2Te) +3Te)Cost of Encrypt n(Tm + Te n(Te + TH) n(Te + TH)

+TH) + 2Te +2Te + Tp +2Te + Tp

+Tp + T ′m +T ′m +T ′mCost of Decrypt d(Te + Tm) d(Te + Tm) d(Te + Tm)

+d(Te + Tp) +d(Te + Tp) + d(Te + Tp)+Tp + T ′i +Tp + T ′i +Tp + T ′i+T ′m +T ′m +T ′m

Security Rel. to DBDH DBDH DBDH

Table 1: Comparisons of Various Fuzzy IBE Schemes.

Abbreviations: |S| – the bit-length of an element in set

(or group) S; n – the number of elements in an identity;

Te – the computation time for a single exponentiation in

G1; TH – the computation time for a function H modeled

as a random oracle; Tm – the computation time for a sin-

gle multiplication in G1; Ti – the computation time for

a single inverse operation in G1; Tp – the computation

a single fora single pairing operation; T ′m – the compu-

tation time for a single multiplication in G2; T ′i – the

computation time for a single inverse operation in G2; d

– an error tolerance parameter

7. REFERENCES[1] J. Baek, W. Susilo and J. Zhou, New Constructions of

Fuzzy Identity-Based Encryption, Full version,Available at http://www1.i2r.a-star.edu.sg/ jsbaek/

[2] M. Bellare and P. Rogaway, Random Oracles arePractical: A Paradigm for Designing EfficientProtocols, In ACM CCS ’93, pp. 62–73, ACM Press,1993.

[3] D. Boneh and M. Franklin, Identity-Based Encryptionfrom the Weil Pairing, In Crypto ’01, LNCS 2139, pp.213–229, Springer-Verlag, 2001.

[4] R. Canetti, S. Halevi, and J. Katz, A Forward-SecurePublic-Key Encryption Scheme, In Eurocrypt 2003,LNCS 2656, pp. 255–271, Springer-Verlag, 2003.

[5] E. Fujisaki and T. Okamoto, Secure Integration ofAsymmetric and Symmetric Encryption Schemes, InCrypto ’99, LNCS 1666, pp. 537 – 554,Springer-Verlag, 1999.

[6] V. Goyal, O. Pandey, A. Sahai and B. Waters,Attribute-Based Encryption for Fine-Grained AccessControl of Encrypted Data, In ACM CCS ’06.

[7] M. Pirretti, P. Traynor, P. McDaniel and B. Waters,Secure Attribute-Based Systems, In ACM CCS ’06.

[8] A. Sahai and B. Waters, Fuzzy Identity-BasedEncryption, In Eurocrypt 2005, LNCS 3494, pp.457–473, Springer-Verlag, 2005.

370