Semantic Definition of Anonymity in Identity-Based Encryption and Its Relation to Indistinguishability-Based Definition

Abstract

In this paper we point out an overlooked subtlety in providing proper security definitions of anonymous identity-based encryption (anonymous IBE) and its applications such as searchable encryption. Namely, we find that until now there is no discussion whether the widely used indistinguishability-based notion of anonymity for IBE implies simulation-based definition of anonymity, which directly captures the intuition that recipients’ IDs are not leaked from ciphertexts. We compensate this undesirable situation by providing a simulation-based notion, which requires that a ciphertext can be simulated without knowing the associated ID, by specializing the anonymity notion defined for more generalized notion of attribute-based encryption in previous work to the setting of IBE and then proving that this definition is equivalent to the conventional indistinguishability-based definition. We note that while the final result is something one would expect, our proof is not completely trivial. In particular, previous proofs that show the equivalence between semantic security and indistinguishability-based one in the setting where the security of payload is the main concern do not work immediately in our setting due to the difference between the semantics of identities and messages and the existence of the key extraction oracles.

A Attempt to Define Anonymity Based on Goldwasser and Micali’s Approach

Definition Based on Goldwasser-Micali   [24]. Here, we briefly recall the notion of semantic security (SS) defined by Goldwasser and Micali  [24]. We say that a PKE scheme satisfies SS if there exists a simulator that can simulate view for an adversary that is indistinguishable from that of the real world where the adversary chooses a message and is given a ciphertext that encrypts it and the simulator is not provided any information of the message. In this section, we attempt to define SS for anonymity of IB-KEM following their approach  [24] and observe that there seems no straightforward way to do so.

Let \(\varSigma =(S,K,E,D)\) be an IB-KEM scheme, and \(C=(C_1,C_2)\) be a PPT adversary. We also let \(\mathcal {S}=(\mathcal {S}_1,\mathcal {S}_2)\) be a simulator. We formulate Ano-SS as follows: if the game () where the adversary receives the ciphertext and guesses the information of the identity and the game () where the simulator \(\mathcal {S}\) generates a simulated ciphertext without receiving the identity, is indistinguishable, then the IB-KEM scheme is said to satisfy Ano-SS.

In the above, P and F are PPT algorithms. P samples \(id^*\) from the ID space \(\mathcal {ID}\), and F outputs partial information of the input. Key generation oracle \( K(\,msk,\,\cdot \,)\) in gets as input msk and arbitrary \(id\in \mathcal {ID}\), and outputs a user secret key \(usk_{id}\) associated with id. \(C_1\) cannot use the challenge identity \(id^*\) that is queried to \(K^{\{ id ^*\}}( msk ,{\cdot })\) as the target ID. We define \(\mathbf {Adv}^\mathrm{SS}_{ {\varSigma },{C,\mathcal {S}}}(k)\), the advantage of the adversary as follows

Definition 4

We say that IB-KEM scheme \(\varSigma =(S,K,E,D)\) is secure if for any PPT adversary \(C=(C_1,C_2)\) there exists PPT simulator \(\mathcal {S}\) such that is negligible.

Discussion on Definition  4. As we discuss here, Definition 4 is an incomplete security definition since there is an adversary that trivially breaks the security. For example, let us assume that \( K(\,msk,\,\cdot \,)\) returns the user secret key \(usk_{id^*}\) associated with \(id^*\) when \(id^*\) is queried to the key generation oracle. In this case, the adversary can decrypt (ct, kem) encrypted with respect to the target ID \(id^*\) using \(usk_{id^*}\) and the adversary can identify the target ID by seeing if the decryption result matches with kem. We then discuss whether the adversary can indeed get a secret key for \(id^*\) from the oracle, since this is a sufficient condition for the above attack to succeed. Recall that \(id^*\) is sampled from the ID space \(\mathcal {ID}\) by the polynomial time algorithm P. If the total number of IDs that P can output is at most a polynomial size, C is in fact able to find \(id^*\) by brute force attack in polynomial time. For this reason, in order to make Definition 4 an achievable security definition, it is necessary to add some constraint on the adversary’s behavior. However, with such a constraint, we do not know whether the security notion is still meaningful. For example, we can consider following constraints. However, all of them have problems as we explain below.

• Prohibit queries on key generation oracle

  As mentioned above, one of the trivial attacks is to query \(id^*\) on key generation oracle. If the user secret key \(usk_{id^*}\) is given to the adversary, it can learn the information of the target identity from it. To prevent this kind of attack, let us restrict the adversary so that it cannot make a key query for \(id^*\). More concretely, let us consider an alternative security definition where key generation oracle \( K(\,msk,\,\cdot \,)\) sends \(\bot \) back to the adversary \(C_2\) when it queries \(id^*\) to key generation oracle \( K(\,msk,\,\cdot \,)\) in the environment. However, the adversary can learn the information of \(id^*\) from the fact that the user secret key query is prohibited for this particular identity.

• Changing the sampling P settings

  In the above discussion, it was assumed that the total number of ID that P will output is of polynomial size, and thus the above attack was possible. A natural approach to prevent the attack is to restrict the adversary C to output P such that the number of ID that P can output is exponential. In this case, it seems that there is no trivial attack on the security. However, this restriction is less general because we pose a strict restriction on the sampler chosen by the adversary and thus significantly narrow the class of adversaries we capture. Since the meaning of the definition is unclear, we do not take this approach either.

As we discussed above, we do not know of any natural restrictions on the adversary that makes the security notion natural and meaningful. Therefore, we do not adopt the approach by [24] for defining semantic security style notion of anonymity.