
Lower Bounds for the Number of Decryption Updates in Registration-Based Encryption

  • Conference paper
Theory of Cryptography (TCC 2022)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 13747)


Abstract

Registration-based encryption (Garg, Hajiabadi, Mahmoody, Rahimi, TCC’18) aims to offer what identity-based encryption offers without the key-escrow problem, which refers to the ability of the private-key generator to obtain parties’ decryption keys at wish. In RBE, parties generate their own secret and public keys and register their public keys to the key curator (KC) who updates a compact public parameter after each registration. The updated public parameter can then be used to securely encrypt messages to registered identities.

A major drawback of RBE, compared with IBE, is that in order to decrypt, parties might need to periodically request so-called decryption updates from the KC. Current RBE schemes require \(\varOmega (\log n)\) number of updates after n registrations, while the public parameter is of length \({\text {poly}}(\log n)\). Clearly, it would be highly desirable to have RBEs with only, say, a constant number of updates. This leads to the following natural question: are so many (logarithmic) updates necessary for RBE schemes, or can we decrease the frequency of updates significantly?

In this paper, we prove an almost tight lower bound for the number of updates in RBE schemes, as long as the times that parties receive updates only depend on the registration time of the parties, which is a natural property that holds for all known RBE constructions. More generally, we prove a trade-off between the number of updates in RBEs and the length of the public parameter for any scheme with fixed update times. Indeed, we prove that for any such RBE scheme, if there are \(n \ge \left( {\begin{array}{c}k+d\\ d+1\end{array}}\right) \) identities that receive at most d updates, the public parameter needs to be of length \(\varOmega (k)\). As a corollary, we find that RBE systems with fixed update times and public parameters of length \({\text {poly}}(\log n)\), require \(\varOmega (\log n/{\text {loglog}}n)\) decryption updates, which is optimal up to a \(O({\text {loglog}}n)\) factor.

M. Mahmoody—Supported by NSF grants CCF-1910681 and CNS1936799.

W. Qi—Supported by NSF grants CNS1936799.


Notes

  1. More formally, there is an “update graph” G that is fixed and tells us if \(\textsf{id}_i\) needs an update after \(\textsf{id}_j\) registers or not.

  2. By “meaningful”, here we mean that the novel scheme cannot be trivially turned into one with fixed update patterns, as it is not hard to come up with contrived schemes whose update times depend on the public keys.

  3. Notice that one can always make \(|\textsf{pp}_n|\) non-decreasing using simple padding (with zeros) that prevents \(\textsf{pp}_n\) from shrinking when n grows.

  4. See Definition 2.5 for the definition of entropy.

  5. See Definition B.1 for the definition of mutual information.

  6. See Definition 3.1 for a formal definition.

  7. Note that this registered identity itself could be \(\textsf{id}^*\).

  8. This update might not be really necessary, but we still run it as instructed.

  9. Using our notation, that means \(YX'_i X_{i-1},\dots ,X_0 \equiv (Y|_Z \otimes X_i|_Z)Z\) for \(Z = {X_{i-1}, \dots , X_0}\).

  10. Alternatively, one can pretend that there have been true values of \(\textsf{KEY}_{i} \dots \textsf{KEY}_{j}\) that were sampled jointly with \(\textsf{CRS},\textsf{KEY}_1 \dots \textsf{KEY}_{i-1},\textsf{PP}_k\) and were thrown out to be replaced with fresh samples at the end.

  11. Note that the public keys and the CRS will still be given to the adversary.

  12. As discussed before, this graph can depend on the identities and/or the CRS.

  13. For perfectly complete schemes we require this probability to be zero.

  14. In the original paper of [GHMR18], the scheme’s security was defined for bit encryption. Even though secure bit-encryption schemes can be extended to full-fledged schemes by independently encrypting every bit, here we write the definition directly for the resulting scheme.

  15. For \(k=1\), this graph is the empty graph that has no vertices.

References

  1. Al-Riyami, S.S., Paterson, K.G.: Certificateless public key cryptography. In: Laih, C.-S. (ed.) ASIACRYPT 2003. LNCS, vol. 2894, pp. 452–473. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-40061-5_29

  2. Benaloh, J., de Mare, M.: One-way accumulators: a decentralized alternative to digital signatures. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 274–285. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48285-7_24

  3. Boneh, D., Franklin, M.: Identity-based encryption from the Weil pairing. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 213–229. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44647-8_13

  4. Barak, B., et al.: On the (Im)possibility of obfuscating programs. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 1–18. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44647-8_1

  5. Blocki, J., Holman, B.: Sustained space and cumulative complexity trade-offs for data-dependent memory-hard functions. Cryptology ePrint Archive, Paper 2022/832 (2022). eprint.iacr.org/2022/832


  6. Barić, N., Pfitzmann, B.: Collision-free accumulators and fail-stop signature schemes without trees. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 480–494. Springer, Heidelberg (1997). https://doi.org/10.1007/3-540-69053-0_33

  7. Cheng, Z., Comley, R., Vasiu, L.: Remove key escrow from the identity-based encryption system. In: Levy, J.-J., Mayr, E.W., Mitchell, J.C. (eds.) TCS 2004. IIFIP, vol. 155, pp. 37–50. Springer, Boston, MA (2004). https://doi.org/10.1007/1-4020-8141-3_6

  8. Cong, K., Eldefrawy, K., Smart, N.P.: Optimizing registration based encryption. In: Paterson, M.B. (ed.) IMACC 2021. LNCS, vol. 13129, pp. 129–157. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-92641-0_7

  9. Chow, S.S.M.: Removing escrow from identity-based encryption. In: Jarecki, S., Tsudik, G. (eds.) PKC 2009. LNCS, vol. 5443, pp. 256–276. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-00468-1_15

  10. Camenisch, J., Lysyanskaya, A.: Dynamic accumulators and application to efficient revocation of anonymous credentials. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 61–76. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45708-9_5

  11. Döttling, N., Garg, S.: Identity-based encryption from the Diffie-Hellman assumption. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10401, pp. 537–569. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63688-7_18

  12. Emura, K., Katsumata, S., Watanabe, Y.: Identity-based encryption with security against the KGC: a formal model and its instantiation from lattices. In: Sako, K., Schneider, S., Ryan, P.Y.A. (eds.) ESORICS 2019. LNCS, vol. 11736, pp. 113–133. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-29962-0_6

  13. Garg, S., Gentry, C., Halevi, S., Raykova, M., Sahai, A., Waters, B.: Candidate indistinguishability obfuscation and functional encryption for all circuits. In: 54th Annual Symposium on Foundations of Computer Science, 26–29 Oct 2013, pp. 40–49. IEEE Computer Society Press, Berkeley, CA, USA (2013)


  14. Garg, S., Hajiabadi, M., Mahmoody, M., Rahimi, A., Sekar, S.: Registration-based encryption from standard assumptions. In: Lin, D., Sako, K. (eds.) PKC 2019. LNCS, vol. 11443, pp. 63–93. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17259-6_3

  15. Garg, S., Hajiabadi, M., Mahmoody, M., Rahimi, A.: Registration-based encryption: removing private-key generator from IBE. In: Beimel, A., Dziembowski, S. (eds.) TCC 2018. LNCS, vol. 11239, pp. 689–718. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-03807-6_25

  16. Goyal, V., Lu, S., Sahai, A., Waters, B.: Black-box accountable authority identity-based encryption. In: Proceedings of the 15th ACM Conference on Computer and Communications Security, pp. 427–436. ACM (2008)


  17. Goyal, V.: Reducing trust in the PKG in identity based cryptosystems. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 430–447. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-74143-5_24

  18. Goyal, R., Vusirikala, S.: Verifiable registration-based encryption. In: Micciancio, D., Ristenpart, T. (eds.) CRYPTO 2020. LNCS, vol. 12170, pp. 621–651. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-56784-2_21

  19. Hubacek, P., Wichs, D.: On the communication complexity of secure function evaluation with long output. In: Roughgarden, T. (ed.) ITCS 2015: 6th Conference on Innovations in Theoretical Computer Science, 11–13 Jan 2015, pp. 163–172. Association for Computing Machinery, Rehovot, Israel (2015)


  20. Jain, A., Lin, H., Sahai, A.: Indistinguishability obfuscation from well-founded assumptions. In: Proceedings of the 53rd Annual ACM SIGACT Symposium on Theory of Computing, pp. 60–73 (2021)


  21. Rogaway, P.: The moral character of cryptographic work. Cryptology ePrint Archive, Report 2015/1162 (2015). eprint.iacr.org/2015/1162


  22. Shamir, A.: Identity-based cryptosystems and signature schemes. In: Blakley, G.R., Chaum, D. (eds.) CRYPTO 1984. LNCS, vol. 196, pp. 47–53. Springer, Heidelberg (1985). https://doi.org/10.1007/3-540-39568-7_5

  23. Wei, Q., Qi, F., Tang, Z.: Remove key escrow from the BF and Gentry identity-based encryption with non-interactive key generation. Telecommunication Systems, pp. 1–10 (2018)



Acknowledgements

We thank Sanjam Garg, Mohammad Hajiabadi, and Saeed Mahloujifar for useful discussions. We also thank the anonymous reviewers of TCC 2022 for useful suggestions, including the extension of the main result allowing some identities to receive frequent updates.


Corresponding author

Correspondence to Wei Qi.


Appendices


Completeness and Security of RBE Schemes

Definition A.1

(Completeness, Compactness, and Efficiency of RBE). Consider the following game \(\textsf{Comp}_{\mathcal {A}}(\kappa )\) between a challenger \(\mathcal {C}\) and an interactive computationally unbounded adversary \(\mathcal {A}\) who is yet limited to \({\text {poly}}(\mathrm {\kappa })\) rounds of interaction.

  1. Initialization. \(\mathcal {C}\) sets \(\textsf{pp}= \bot \), \(\textsf{aux}= \bot \), \(\textsf{u}= \bot \), \(\mathcal {D}= \emptyset \), \(\textsf{id}^* = \bot \), \(t = 0\), and \(\textsf{crs}\leftarrow U _{{\text {poly}}(\kappa )}\), and sends the sampled \(\textsf{crs}\) to \(\mathcal {A}\).

  2. Till \(\mathcal {A}\) continues (which is at most \({\text {poly}}(\kappa )\) steps), proceed as follows. At every iteration, \(\mathcal {A}\) chooses exactly one of the actions below to perform.

     (a) Registering a corrupted (non-target) identity. \(\mathcal {A}\) sends some \(\textsf{id}\notin \mathcal {D}\) and \(\textsf{pk}\) to \(\mathcal {C}\). \(\mathcal {C}\) registers \((\textsf{id}, \textsf{pk})\) by letting \(\textsf{pp}{:}{=}\textsf{Reg}^{[\textsf{aux}]}(\textsf{crs}, \textsf{pp}, \textsf{id}, \textsf{pk})\) and \(\mathcal {D}{:}{=}\mathcal {D}\cup \{\textsf{id}\}\).

     (b) Registering the (uncorrupted) target identity. This step is allowed only if \(\textsf{id}^* = \bot \). In that case, \(\mathcal {A}\) sends some \(\textsf{id}^* \notin \mathcal {D}\) to \(\mathcal {C}\). \(\mathcal {C}\) then samples \((\textsf{pk}^*, \textsf{sk}^*) \leftarrow \textsf{Gen}(1^\kappa )\), updates \(\textsf{pp}{:}{=}\textsf{Reg}^{[\textsf{aux}]}(\textsf{crs}, \textsf{pp}, \textsf{id}^*, \textsf{pk}^*)\) and \(\mathcal {D}{:}{=}\mathcal {D}\cup \{\textsf{id}^*\}\), and sends \(\textsf{pk}^*\) to \(\mathcal {A}\).

     (c) Encrypting for the target identity. This step is allowed only if \(\textsf{id}^* \ne \bot \). In that case, \(\mathcal {C}\) sets \(t = t + 1\). \(\mathcal {A}\) sends \(\textsf{m}_t \in \{0,1\}^*\) to \(\mathcal {C}\) who then sets \(\textsf{m}'_t {:}{=}\textsf{m}_t\) and sends back a corresponding ciphertext \(\textsf{ct}_t \leftarrow \textsf{Enc}(\textsf{crs}, \textsf{pp}, \textsf{id}^*, \textsf{m}_t)\) to \(\mathcal {A}\).

     (d) Decryption for the target identity. \(\mathcal {A}\) sends a \(j \in [t]\) to \(\mathcal {C}\). \(\mathcal {C}\) then lets \(\textsf{m}'_j = \textsf{Dec}(\textsf{sk}^*, \textsf{u}, \textsf{ct}_j)\). If \(\textsf{m}'_j = \textsf{GetUpd}\), \(\mathcal {C}\) gets \(\textsf{u}= \textsf{Upd}^{\textsf{aux}}(\textsf{pp}, \textsf{id}^*)\) and then \(\textsf{m}'_j = \textsf{Dec}(\textsf{sk}^*, \textsf{u}, \textsf{ct}_j)\).

Let \(n = \vert \mathcal {D}\vert \) be the number of identities registered when the adversary ends the game. We require the following properties to hold for such \(\mathcal {A}\) (as specified above) in the game \(\textsf{Comp}_{\mathcal {A}}(\kappa )\).

  • Completeness. The adversary \(\mathcal {A}\) wins if there is some \(j \in [t]\) for which \(\textsf{m}'_j \ne \textsf{m}_j\). We require that \(\textsf{P}[\mathcal {A} \text { wins } \textsf{Comp}_{\mathcal {A}}(\kappa )] = {\text {negl}}(\kappa )\).Footnote 13

  • Compactness and efficiency. For the following three properties, we state here the default requirements for standard RBE; however, in this work we also consider the relaxed version of RBE in which these quantities could be other parameters that are still sublinear in n (e.g., \({\text {poly}}(\kappa ) \cdot \sqrt{n}\)) for compactness and runtime efficiency. For the number of updates, we also allow any sublinear function of n to be a feasible number for RBE.

    • Compactness. \(\vert \textsf{pp}\vert , \vert \textsf{u}\vert \le {\text {poly}}(\kappa , \log (n))\).

    • Efficiency of runtime of registration and update. The running time of each invocation of \(\textsf{Reg}\) and \(\textsf{Upd}\) is at most \({\text {poly}}(\kappa , \log (n))\).

    • Efficiency of the number of updates. The total number of invocations of \(\textsf{Upd}\) for identity \(\textsf{id}^*\) in Step 2(d) of the game \(\textsf{Comp}_{\mathcal {A}}(\kappa )\) is at most \(O(\log (n))\).

Definition A.2

(Security of RBE). For any interactive PPT adversary \(\mathcal {A}\), consider the following game \(\textsf{Sec}_{\mathcal {A}}(\kappa )\) between \(\mathcal {A}\) and a challenger \(\mathcal {C}\).

  1. Initialization. \(\mathcal {C}\) sets \(\textsf{pp}= \bot \), \(\textsf{aux}= \bot \), \(\mathcal {D}= \emptyset \), \(\textsf{id}^* = \bot \), \(\textsf{crs}\leftarrow U _{{\text {poly}}(\kappa )}\) and sends the sampled \(\textsf{crs}\) to \(\mathcal {A}\).

  2. Till \(\mathcal {A}\) continues (which is at most \({\text {poly}}(\kappa )\) steps), proceed as follows. At every iteration, \(\mathcal {A}\) chooses exactly one of the actions below to perform.

     (a) Registering a non-target identity. \(\mathcal {A}\) sends some \(\textsf{id}\notin \mathcal {D}\) and \(\textsf{pk}\) to \(\mathcal {C}\). \(\mathcal {C}\) registers \((\textsf{id}, \textsf{pk})\) by \(\textsf{pp}{:}{=}\textsf{Reg}^{[\textsf{aux}]}(\textsf{crs}, \textsf{pp}, \textsf{id}, \textsf{pk})\) and \(\mathcal {D}{:}{=}\mathcal {D}\cup \{\textsf{id}\}\).

     (b) Registering the target identity. This step can be run only if \(\textsf{id}^* = \bot \). \(\mathcal {A}\) sends some \(\textsf{id}^* \notin \mathcal {D}\) to \(\mathcal {C}\). \(\mathcal {C}\) then samples \((\textsf{pk}^*, \textsf{sk}^*) \leftarrow \textsf{Gen}(1^\kappa )\), updates \(\textsf{pp}{:}{=}\textsf{Reg}^{[\textsf{aux}]}(\textsf{crs}, \textsf{pp}, \textsf{id}^*, \textsf{pk}^*)\), \(\mathcal {D}{:}{=}\mathcal {D}\cup \{\textsf{id}^*\}\), and sends \(\textsf{pk}^*\) to \(\mathcal {A}\).

  3. Encrypting for the target identity. If \(\textsf{id}^* = \bot \), then \(\mathcal {A}\) first sends some \(\textsf{id}^* \notin \mathcal {D}\) to \(\mathcal {C}\) (this models encryptions for non-registered target identities). Next, \(\mathcal {A}\) sends two messages \(m_0,m_1\) of the same length to \(\mathcal {C}\). Then \(\mathcal {C}\) generates \(\textsf{ct}\leftarrow \textsf{Enc}(\textsf{crs}, \textsf{pp}, \textsf{id}^*, m_b)\), where \(b \leftarrow \{0,1\}\) is a random bit, and sends \(\textsf{ct}\) to \(\mathcal {A}\).Footnote 14

  4. The adversary \(\mathcal {A}\) outputs a bit \(b'\) and wins the game if \(b = b'\).

An RBE scheme is secure if for all PPT \(\mathcal {A}\), \(\textsf{P}[\mathcal {A} \text { wins } \textsf{Sec}_{\mathcal {A}}(\kappa )] < \frac{1}{2} + {\text {negl}}(\kappa ).\)

Information-Theoretic Notions and Lemmas

Definition B.1

(Mutual Information). The mutual information of two discrete random variables X, Y is defined as

$$I(X;Y) = H(X) + H(Y) - H(XY) = H(X)-H(X|Y) = H(Y)-H(Y|X).$$

The conditional mutual information I(X; Y|Z) is defined as \(\mathbb {E}_{z \leftarrow Z} [I(X|_z; Y|_z)]\). The chain rule for mutual information states that \(I(X;YZ) = I(X;Y)+I(X;Z|Y)\).

Definition B.2

(Kullback-Leibler Divergence). For any two random variables X and Y where \(X \subseteq Y\), the Kullback-Leibler (KL) divergence (in base 2) is defined as

Lemma B.3

(Conditional Mutual Information vs. KL Div). For any three jointly distributed random variables X, Y, Z the following holds:


In particular, when Z does not exist, we have

We give a proof for completeness.

Proof

By definition, we know

$$\begin{aligned} I(X;Y|Z) = \mathbb {E}_{z \leftarrow Z} [I(X|_z; Y|_z)] = \sum _{z \in Z} \textsf{P}_Z[z]\, I(X|_z; Y|_z)\text {.} \end{aligned}$$

Now, if we call \(P=X|_z\) and \(Q=Y|_z\), then \(I(X|_z; Y|_z)=I(P;Q)\) is equal to:

$$\begin{aligned} &= H(P) + H(Q) - H(PQ)\\ &= - \sum _{x \in P} \textsf{P}_{P}[x] \log \textsf{P}_{P}[x] - \sum _{y \in Q} \textsf{P}_{Q}[y] \log \textsf{P}_{Q}[y] + \sum _{x \in P}\sum _{y \in Q} \textsf{P}_{PQ}[x,y] \log \textsf{P}_{PQ}[x,y] \\ &= - \sum _{x \in P}\sum _{y \in Q} \textsf{P}_{PQ}[x,y] \log \textsf{P}_{P}[x] - \sum _{y \in Q}\sum _{x \in P} \textsf{P}_{PQ}[x,y] \log \textsf{P}_{Q}[y] + \sum _{x \in P}\sum _{y \in Q} \textsf{P}_{PQ}[x,y] \log \textsf{P}_{PQ}[x,y]\\ &= \sum _{x \in P}\sum _{y \in Q} \textsf{P}_{PQ}[x,y] \log \frac{\textsf{P}_{PQ}[x,y]}{\textsf{P}_{P}[x] \cdot \textsf{P}_{Q}[y]}\text {.} \end{aligned}$$

Therefore, we get

   \(\square \)

Theorem B.4

(Pinsker’s Inequality). For random variables X, Y we have

The following lemma follows from Lemma B.3 and Pinsker’s inequality.

Lemma B.5

For random variables X, Y, Z, it holds that

$$\textrm{SD}(XYZ,(X|_Z\otimes Y|_Z)Z) \le \sqrt{\frac{I(X;Y|Z) \cdot \ln 2}{2}}.$$

In particular, when Z does not exist, we have
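The two identities above (Lemma B.3: conditional mutual information equals the expected KL divergence between the joint and the product of the conditionals; Lemma B.5: statistical distance to \((X|_Z \otimes Y|_Z)Z\) is bounded by \(\sqrt{I(X;Y|Z)\ln 2/2}\)) can be checked numerically on a small distribution. The following Python is an added example and not code from the paper; the joint distribution `JOINT` is constructed here (Z is a uniform bit; given Z = 0, Y is a copy of a uniform bit X; given Z = 1, X and Y are independent uniform bits), and all function names are the example's own.

```python
from math import log2, sqrt, log
from collections import defaultdict

# Constructed joint distribution over (x, y, z); not taken from the paper.
# z = 0: X = Y (uniform bit)  ->  X and Y fully dependent given z = 0
# z = 1: X, Y independent uniform bits
JOINT = {
    (0, 0, 0): 0.25, (1, 1, 0): 0.25,
    (0, 0, 1): 0.125, (0, 1, 1): 0.125, (1, 0, 1): 0.125, (1, 1, 1): 0.125,
}


def project(joint, keep):
    """Marginalise a joint distribution onto the coordinate positions in `keep`."""
    out = defaultdict(float)
    for key, p in joint.items():
        out[tuple(key[i] for i in keep)] += p
    return dict(out)


def entropy(dist):
    """Shannon entropy in bits (Definition 2.5 of the paper)."""
    return -sum(p * log2(p) for p in dist.values() if p > 0)


def cond_mi_by_entropy(joint):
    """I(X;Y|Z) = H(XZ) + H(YZ) - H(XYZ) - H(Z), from Definition B.1 and the chain rule."""
    return (entropy(project(joint, (0, 2))) + entropy(project(joint, (1, 2)))
            - entropy(joint) - entropy(project(joint, (2,))))


def kl(p, q):
    """KL(p || q) in base 2; the support of p must lie inside the support of q."""
    return sum(px * log2(px / q[k]) for k, px in p.items() if px > 0)


def product_under_z(joint):
    """The distribution (X|_Z (x) Y|_Z) Z of Lemma B.5: same Z, but X and Y
    resampled independently conditioned on Z."""
    pz, pxz, pyz = project(joint, (2,)), project(joint, (0, 2)), project(joint, (1, 2))
    out = {}
    for (x, z), p in pxz.items():
        for (y, z2), q in pyz.items():
            if z == z2:
                out[(x, y, z)] = p * q / pz[(z,)]   # P[x|z] * P[y|z] * P[z]
    return out


def cond_mi_by_kl(joint):
    """I(X;Y|Z) = E_{z<-Z} KL( XY|_z || X|_z (x) Y|_z ), the form in Lemma B.3."""
    pz = project(joint, (2,))
    prod = product_under_z(joint)
    total = 0.0
    for (z,), p_z in pz.items():
        cond_joint = {k: v / p_z for k, v in joint.items() if k[2] == z}
        cond_prod = {k: v / p_z for k, v in prod.items() if k[2] == z}
        total += p_z * kl(cond_joint, cond_prod)
    return total


def statistical_distance(p, q):
    """SD(p, q) = 1/2 * sum_k |p(k) - q(k)|."""
    return 0.5 * sum(abs(p.get(k, 0.0) - q.get(k, 0.0)) for k in set(p) | set(q))


def pinsker_bound(cond_mi_bits):
    """Right-hand side of Lemma B.5: sqrt(I(X;Y|Z) * ln 2 / 2)."""
    return sqrt(cond_mi_bits * log(2) / 2)


def check(joint=JOINT):
    """Return (I via entropies, I via KL, SD to the product distribution, Pinsker bound)."""
    mi_h = cond_mi_by_entropy(joint)
    mi_kl = cond_mi_by_kl(joint)
    sd = statistical_distance(joint, product_under_z(joint))
    return mi_h, mi_kl, sd, pinsker_bound(mi_h)


if __name__ == "__main__":
    mi_h, mi_kl, sd, bound = check()
    print(f"I(X;Y|Z) via entropies = {mi_h:.4f} bits, via E_z KL = {mi_kl:.4f} bits")
    print(f"SD(XYZ, (X|Z x Y|Z)Z) = {sd:.4f} <= Pinsker bound {bound:.4f}")
```

On the constructed distribution both computations of \(I(X;Y|Z)\) give 0.5 bits (one full bit of dependence when Z = 0, none when Z = 1, averaged over a uniform Z), the statistical distance to the product distribution is 0.25, and Pinsker's bound evaluates to about 0.416, so the inequality of Lemma B.5 holds with room to spare; the \(\ln 2\) factor is what converts the base-2 divergence of Definition B.2 into the natural-log form in which Pinsker's inequality is usually stated.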

We finally prove the twig lemma (i.e., Lemma 2.7).

Proof

(of Lemma 2.7). Let \(I(Y; X_0\dots X_\ell ) = \alpha \) and \(\alpha _i = I(Y; X_i | X_{i-1} \dots X_0)\). Firstly, we have \(\alpha = H(Y) - H(Y|X_0\dots X_\ell ) \le H(Y)\). By repeated applications of the chain rule of mutual information,

$$H(Y) \ge \alpha = I(Y;X_0) + \sum _{i \in [\ell ]} I(Y;X_i|X_0\dots X_{i-1}) \ge \ell \cdot \mathbb {E}_{i \in [\ell ]} [\alpha _i].$$

For each \(i \in [\ell ]\), we get   by letting \(X=X_i,Z=X_{0}\dots X_{i-1}\) in Lemma B.3. By applying Pinsker’s inequality through Lemma B.5 we now get

$$\textrm{SD}(Y X_i X_{i-1} \dots X_0,\ Y X'_i X_{i-1} \dots X_0) \le \sqrt{\frac{\alpha _i \ln 2}{2}}.$$

To conclude, we get

$$\mathbb {E}_{i \leftarrow [\ell ] } \left[ \sqrt{\frac{\alpha _i \ln 2}{2}}\right] \le \sqrt{\frac{\mathbb {E}_{i \leftarrow [\ell ]} [\alpha _i \ln 2]}{2}} \le \sqrt{\frac{(\alpha /\ell ) \ln 2}{2}} \le \sqrt{\frac{H(Y) \ln 2}{2\ell }}.$$

The first inequality is due to the concavity of \(\sqrt{\cdot }\), and Jensen’s inequality.

Theorem 3.2 is Optimal

In this section, we show that the bound in Theorem 3.2 is tight. Namely, we prove the following theorem.

Theorem C.1

(Optimality of Theorem 3.2). For all \(n = \left( {\begin{array}{c}k+d\\ d+1\end{array}}\right) -1\) where integers \(k\ge 1, d \ge 0\), there exists a forward DAG \(G_{k, d}\) of n vertices and \(\textrm{deg}^{\tiny +}(G_{k, d}) \le d\) that does not have any skipping sequence of size k.

We will use induction on d to prove Theorem C.1.

Construction C.2

(Construction of Optimal DAG of Out-Degree d). Let \(k\ge 1, d \ge 0\) be integers. We construct a graph \(G_{k,d}\) recursively as follows (Fig. 3).

  1. If \(d=0\), \(G_{k,0}\) has \(k-1\) vertices and no edges.Footnote 15

  2. If \(d \ge 1\), do the following.

     1. For \(i \in [k-1]\) let \({\mathcal G}_i\) be a copy of \(G_{k-i+1, d-1}\) followed by a new vertex \(u_i\) at the end. Moreover, in addition to the edges in \(G_{k-i+1, d-1}\), for all \(v \in {\mathcal G}_i\) (including \(v=u_i\)) add the edge \((v,u_i)\) to \({\mathcal G}_i\).

     2. Divide the vertices of \(G_{k,d}\) into \(k-1\) groups, such that the i-th group is a copy of \({\mathcal G}_i\) that comes right after \({\mathcal G}_{i-1}\).

To prove Theorem C.1, it suffices to prove the following lemma.

Fig. 3. Illustration of the construction of the optimal forward DAG \(G_{k,d} = ({\mathcal V}_{G_{k,d}}, {\mathcal E}_{G_{k,d}})\) where \({\mathcal V}_{G_{k,d}} = [\left( {\begin{array}{c}k+d\\ d+1\end{array}}\right) -1]\). Group \({\mathcal G}_1\) has \(\left( {\begin{array}{c}k+d-1\\ d\end{array}}\right) \) vertices and each vertex of \({\mathcal G}_1\) has an out-going edge to vertex \(u_1\) which is the last vertex of \({\mathcal G}_1\). Group \({\mathcal G}_{k-1}\) has \(\left( {\begin{array}{c}d+1\\ d\end{array}}\right) \) vertices and each vertex of \({\mathcal G}_{k-1}\) has an out-going edge to vertex \(u_{k-1}\).

Lemma C.3

Graph \(G_{k,d}\) of Construction C.2 has \(n = \left( {\begin{array}{c}k+d\\ d+1\end{array}}\right) -1\) vertices, degree d and all of its skipping sequences are of size at most \(k-1\).

Note that by Theorem C.1 we already know that if \(k\ge 1\), then \(G_{k,d}\) has a skipping sequence of size \(\ge k-1\); so by proving Lemma C.3 we actually conclude that its maximum size of skipping sequences will be exactly \(k-1\).

Proof

(of Lemma C.3). The proof is by induction. For \(d=0\), the proof is trivial.

Now suppose \(d \ge 1\). The number of vertices of \(G_{k,d}\), by induction and the hockey-stick identity, will be

$$\sum _{i \in [k-1]} \left( |{\mathcal V}_{G_{k-i+1, d-1}}|+1 \right) = \sum _{i \in [k-1]} \left( {\begin{array}{c}k+d-i\\ d\end{array}}\right) = \left( {\begin{array}{c}k+d\\ d+1\end{array}}\right) -\left( {\begin{array}{c}d\\ d\end{array}}\right) .$$

Let \({\mathcal S}\) be any skipping sequence in \(G_{k,d}\). Let \(j \in [k-1]\) be the largest integer such that there is a vertex from \({\mathcal G}_j\) in \({\mathcal S}\). We first show that there can be at most one vertex from each of the previous \(j-1\) groups \(\{{\mathcal G}_i\}_{i \in [j-1]}\) in \({\mathcal S}\). Assume that there are two vertices \(u < v\) such that \(u,v \in {\mathcal S}\cap {\mathcal G}_i\). Let \(x \in {\mathcal G}_j \cap {\mathcal S}\). Then \(u<v<x\) will all be in \({\mathcal S}\), while v has an outgoing edge to \(u_i\) (the last vertex in \({\mathcal G}_i\)) with \(u \le u_i < x\), but this contradicts the definition of skipping sequences.

Let \({\mathcal S}= {\mathcal S}_1 \cup {\mathcal S}_2\), where \({\mathcal S}_1 = {\mathcal S}\cap (\cup _{i<j} {\mathcal G}_i)\) and \({\mathcal S}_2 = {\mathcal S}\cap {\mathcal G}_j\). We already know that \(|{\mathcal S}_1|\le j-1\). It is sufficient to show that \(|{\mathcal S}_2| \le k-j\). Firstly, note that if \(u_j\) (i.e., the last node in \({\mathcal G}_j\)) belongs to \({\mathcal S}\), then no other vertex in \({\mathcal G}_j\) can belong to \({\mathcal S}\), as otherwise, it will contradict the definition of skipping sequences. Secondly, note that if \({\mathcal S}\) is a skipping sequence, then its restriction \({\mathcal S}_2 = {\mathcal S}\cap {\mathcal G}_j\) shall be skipping as well. Therefore, by induction \(|{\mathcal S}_2|\le \max \left\{ 1,k-j \right\} = k-j\), and so \(|{\mathcal S}| =|{\mathcal S}_1| +|{\mathcal S}_2| \le j-1 + k-j=k-1\).    \(\square \)
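Construction C.2 is recursive, and the vertex count of Lemma C.3 (together with the out-degree bound \(\deg^{+}(G_{k,d}) \le d\) claimed in Theorem C.1) is easy to confirm mechanically for small parameters. The Python below is an added example, not code from the paper: it builds \(G_{k,d}\) exactly as the construction describes (vertices numbered in order, group \({\mathcal G}_i\) a copy of \(G_{k-i+1,d-1}\) followed by \(u_i\), and an edge \((v,u_i)\) for every \(v\) in the group, including \(u_i\) itself, as the page states), then checks the count against \(\binom{k+d}{d+1}-1\) and the hockey-stick sum from the proof. The function names are the example's own; the skipping-sequence property relies on Definition 3.1, which is not reproduced on this page, so it is not checked here.

```python
from math import comb


def build_graph(k, d):
    """Return (n, edges) for G_{k,d} of Construction C.2.

    Vertices are 0..n-1 in registration order; `edges` is a set of pairs
    (v, w) with v <= w, i.e. a forward graph.  Follows the page's text,
    which adds (v, u_i) for every v in group G_i including v = u_i.
    """
    if d == 0:
        return k - 1, set()            # k-1 isolated vertices (k = 1: empty graph)
    n, edges = 0, set()
    for i in range(1, k):              # groups G_1 ... G_{k-1}
        sub_n, sub_edges = build_graph(k - i + 1, d - 1)
        offset = n                     # G_i is placed right after G_{i-1}
        edges.update((v + offset, w + offset) for (v, w) in sub_edges)
        u_i = offset + sub_n           # the new last vertex of G_i
        edges.update((v, u_i) for v in range(offset, u_i + 1))
        n = u_i + 1
    return n, edges


def max_out_degree(n, edges):
    deg = [0] * n
    for v, _ in edges:
        deg[v] += 1
    return max(deg) if n else 0


def expected_size(k, d):
    """n = C(k+d, d+1) - 1 from Theorem C.1 / Lemma C.3."""
    return comb(k + d, d + 1) - 1


def hockey_stick_sum(k, d):
    """sum_{i in [k-1]} C(k+d-i, d), the middle term of the count in the proof of Lemma C.3."""
    return sum(comb(k + d - i, d) for i in range(1, k))


def verify(k, d):
    """Check vertex count (both formulas) and the out-degree bound for G_{k,d}."""
    n, edges = build_graph(k, d)
    return (n == expected_size(k, d) == hockey_stick_sum(k, d)
            and max_out_degree(n, edges) <= d
            and all(v <= w for v, w in edges))      # forward graph


if __name__ == "__main__":
    for k in range(1, 7):
        for d in range(0, 4):
            n, _ = build_graph(k, d)
            print(f"k={k} d={d}: n={n} (expected {expected_size(k, d)}), ok={verify(k, d)}")
```

For example \(G_{3,2}\) has \(\binom{5}{3}-1 = 9\) vertices split into \({\mathcal G}_1\) (a copy of \(G_{3,1}\) with 5 vertices plus \(u_1\)) and \({\mathcal G}_2\) (a copy of \(G_{2,1}\) with 2 vertices plus \(u_2\)), and every vertex has out-degree at most 2; the identity \(n = \binom{k+d}{d+1}-1\) is what makes the lower bound of the abstract (\(n \ge \binom{k+d}{d+1}\) identities with at most d updates force \(|\textsf{pp}| = \varOmega (k)\)) tight.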


Copyright information

© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG


Cite this paper

Mahmoody, M., Qi, W., Rahimi, A. (2022). Lower Bounds for the Number of Decryption Updates in Registration-Based Encryption. In: Kiltz, E., Vaikuntanathan, V. (eds) Theory of Cryptography. TCC 2022. Lecture Notes in Computer Science, vol 13747. Springer, Cham. https://doi.org/10.1007/978-3-031-22318-1_20


  • DOI: https://doi.org/10.1007/978-3-031-22318-1_20


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-22317-4

  • Online ISBN: 978-3-031-22318-1
