Abstract
Registration-based encryption (Garg, Hajiabadi, Mahmoody, Rahimi, TCC’18) aims to offer what identity-based encryption (IBE) offers without the key-escrow problem, i.e., the ability of the private-key generator to obtain parties’ decryption keys at will. In RBE, parties generate their own secret and public keys and register their public keys with the key curator (KC), who updates a compact public parameter after each registration. The updated public parameter can then be used to securely encrypt messages to registered identities.
A major drawback of RBE compared with IBE is that, in order to decrypt, parties might need to periodically request so-called decryption updates from the KC. Current RBE schemes require \(\varOmega (\log n)\) updates after n registrations, while the public parameter is of length \({\text {poly}}(\log n)\). Clearly, it would be highly desirable to have RBEs with only, say, a constant number of updates. This leads to the following natural question: are so many (logarithmic) updates necessary for RBE schemes, or can we decrease the frequency of updates significantly?
In this paper, we prove an almost tight lower bound for the number of updates in RBE schemes, as long as the times at which parties receive updates depend only on the registration times of the parties, which is a natural property that holds for all known RBE constructions. More generally, we prove a trade-off between the number of updates in RBEs and the length of the public parameter for any scheme with fixed update times. Indeed, we prove that for any such RBE scheme, if there are \(n \ge \left( {\begin{array}{c}k+d\\ d+1\end{array}}\right) \) identities that receive at most d updates, the public parameter needs to be of length \(\varOmega (k)\). As a corollary, we find that RBE systems with fixed update times and public parameters of length \({\text {poly}}(\log n)\) require \(\varOmega (\log n/{\text {loglog}}n)\) decryption updates, which is optimal up to an \(O({\text {loglog}}n)\) factor.
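An added worked derivation (not part of the original abstract) of the stated corollary from the trade-off, using only the bound quoted above and the elementary estimate \(\binom{k+d}{d+1} \le (k+d)^{d+1}\):

Suppose every one of the \(n\) registered identities receives at most \(d\) updates and \(|\textsf{pp}| \le (\log n)^{c}\) for a constant \(c \ge 1\). The trade-off says that \(n \ge \binom{k+d}{d+1}\) forces \(|\textsf{pp}| \ge \gamma k\) for some constant \(\gamma > 0\) and all large enough \(k\). Choosing \(k = \lceil (\log n)^{c}/\gamma \rceil + 1\) makes this conclusion false, so the hypothesis must fail:
\[
n \;<\; \binom{k+d}{d+1} \;\le\; (k+d)^{d+1}.
\]
Taking logarithms,
\[
\log n \;<\; (d+1)\,\log(k+d).
\]
If \(d \ge \log n\) there is nothing to prove, so assume \(d < \log n\); then \(k + d = O((\log n)^{c})\) and \(\log(k+d) = O(\log\log n)\), which gives
\[
d + 1 \;>\; \frac{\log n}{O(\log\log n)}, \qquad\text{i.e.}\qquad d = \varOmega\!\left(\frac{\log n}{\log\log n}\right).
\]
The known constructions use \(O(\log n)\) updates, which is why the bound is optimal up to an \(O(\log\log n)\) factor.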
M. Mahmoody—Supported by NSF grants CCF-1910681 and CNS1936799.
W. Qi—Supported by NSF grant CNS1936799.
Notes
1. More formally, there is an “update graph” G that is fixed and tells us whether \(\textsf{id}_i\) needs an update after \(\textsf{id}_j\) registers.
2. By “meaningful” we mean that the novel scheme cannot be trivially turned into one with fixed update patterns; it is not hard to come up with contrived schemes whose update times depend on the public keys.
3. Notice that one can always make \(|\textsf{pp}_n|\) non-decreasing by simple padding (with zeros), which prevents \(\textsf{pp}_n\) from shrinking as n grows.
4. See Definition 2.5 for the definition of entropy.
5. See Definition B.1 for the definition of mutual information.
6. See Definition 3.1 for a formal definition.
7. Note that this registered identity itself could be \(\textsf{id}^*\).
8. This update might not really be necessary, but we still run it as instructed.
9. Using our notation, that means \(Y X'_i X_{i-1} \dots X_0 \equiv (Y|_Z \otimes X_i|_Z) Z\) for \(Z = \{X_{i-1}, \dots, X_0\}\).
10. Alternatively, one can pretend that there have been true values of \(\textsf{KEY}_{i}, \dots, \textsf{KEY}_{j}\) that were sampled jointly with \(\textsf{CRS}, \textsf{KEY}_1, \dots, \textsf{KEY}_{i-1}, \textsf{PP}_k\) and were thrown out, to be replaced with fresh samples at the end.
11. Note that the public keys and the CRS will still be given to the adversary.
12. As discussed before, this graph can depend on the identities and/or the CRS.
13. For perfectly complete schemes we require this probability to be zero.
14. In the original paper [GHMR18], the scheme’s security was defined for bit encryption. Even though secure bit-encryption schemes can be extended to full-fledged schemes by independently encrypting every bit, here we write the definition directly for the resulting scheme.
15. For \(k=1\), this graph is the empty graph that has no vertices.
References
Al-Riyami, S.S., Paterson, K.G.: Certificateless public key cryptography. In: Laih, C.-S. (ed.) ASIACRYPT 2003. LNCS, vol. 2894, pp. 452–473. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-40061-5_29
Benaloh, J., de Mare, M.: One-way accumulators: a decentralized alternative to digital signatures. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 274–285. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48285-7_24
Boneh, D., Franklin, M.: Identity-based encryption from the Weil pairing. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 213–229. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44647-8_13
Barak, B., et al.: On the (Im)possibility of obfuscating programs. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 1–18. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44647-8_1
Blocki, J., Holman, B.: Sustained space and cumulative complexity trade-offs for data-dependent memory-hard functions. Cryptology ePrint Archive, Paper 2022/832 (2022). eprint.iacr.org/2022/832
Barić, N., Pfitzmann, B.: Collision-free accumulators and fail-stop signature schemes without trees. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 480–494. Springer, Heidelberg (1997). https://doi.org/10.1007/3-540-69053-0_33
Cheng, Z., Comley, R., Vasiu, L.: Remove key escrow from the identity-based encryption system. In: Levy, J.-J., Mayr, E.W., Mitchell, J.C. (eds.) TCS 2004. IIFIP, vol. 155, pp. 37–50. Springer, Boston, MA (2004). https://doi.org/10.1007/1-4020-8141-3_6
Cong, K., Eldefrawy, K., Smart, N.P.: Optimizing registration based encryption. In: Paterson, M.B. (ed.) IMACC 2021. LNCS, vol. 13129, pp. 129–157. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-92641-0_7
Chow, S.S.M.: Removing escrow from identity-based encryption. In: Jarecki, S., Tsudik, G. (eds.) PKC 2009. LNCS, vol. 5443, pp. 256–276. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-00468-1_15
Camenisch, J., Lysyanskaya, A.: Dynamic accumulators and application to efficient revocation of anonymous credentials. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 61–76. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45708-9_5
Döttling, N., Garg, S.: Identity-based encryption from the Diffie-Hellman assumption. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10401, pp. 537–569. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63688-7_18
Emura, K., Katsumata, S., Watanabe, Y.: Identity-based encryption with security against the KGC: a formal model and its instantiation from lattices. In: Sako, K., Schneider, S., Ryan, P.Y.A. (eds.) ESORICS 2019. LNCS, vol. 11736, pp. 113–133. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-29962-0_6
Garg, S., Gentry, C., Halevi, S., Raykova, M., Sahai, A., Waters, B.: Candidate indistinguishability obfuscation and functional encryption for all circuits. In: 54th Annual Symposium on Foundations of Computer Science, 26–29 Oct 2013, pp. 40–49. IEEE Computer Society Press, Berkeley, CA, USA (2013)
Garg, S., Hajiabadi, M., Mahmoody, M., Rahimi, A., Sekar, S.: Registration-based encryption from standard assumptions. In: Lin, D., Sako, K. (eds.) PKC 2019. LNCS, vol. 11443, pp. 63–93. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17259-6_3
Garg, S., Hajiabadi, M., Mahmoody, M., Rahimi, A.: Registration-based encryption: removing private-key generator from IBE. In: Beimel, A., Dziembowski, S. (eds.) TCC 2018. LNCS, vol. 11239, pp. 689–718. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-03807-6_25
Goyal, V., Lu, S., Sahai, A., Waters, B.: Black-box accountable authority identity-based encryption. In: Proceedings of the 15th ACM Conference on Computer and Communications Security, pp. 427–436. ACM (2008)
Goyal, V.: Reducing trust in the PKG in identity based cryptosystems. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 430–447. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-74143-5_24
Goyal, R., Vusirikala, S.: Verifiable registration-based encryption. In: Micciancio, D., Ristenpart, T. (eds.) CRYPTO 2020. LNCS, vol. 12170, pp. 621–651. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-56784-2_21
Hubacek, P., Wichs, D.: On the communication complexity of secure function evaluation with long output. In: Roughgarden, T. (ed.) ITCS 2015: 6th Conference on Innovations in Theoretical Computer Science, 11–13 Jan 2015, pp. 163–172. Association for Computing Machinery, Rehovot, Israel (2015)
Jain, A., Lin, H., Sahai, A.: Indistinguishability obfuscation from well-founded assumptions. In: Proceedings of the 53rd Annual ACM SIGACT Symposium on Theory of Computing, pp. 60–73 (2021)
Rogaway, P.: The moral character of cryptographic work. Cryptology ePrint Archive, Report 2015/1162 (2015). eprint.iacr.org/2015/1162
Shamir, A.: Identity-based cryptosystems and signature schemes. In: Blakley, G.R., Chaum, D. (eds.) CRYPTO 1984. LNCS, vol. 196, pp. 47–53. Springer, Heidelberg (1985). https://doi.org/10.1007/3-540-39568-7_5
Wei, Q., Qi, F., Tang, Z.: Remove key escrow from the BF and Gentry identity-based encryption with non-interactive key generation. Telecommunication Systems, pp. 1–10 (2018)
Acknowledgements
We thank Sanjam Garg, Mohammad Hajiabadi, and Saeed Mahloujifar for useful discussions. We also thank the anonymous reviewers of TCC 2022 for useful suggestions, including the extension of the main result allowing some identities to receive frequent updates.
Appendices
A Completeness and Security of RBE Schemes
Definition A.1
(Completeness, Compactness, and Efficiency of RBE). Consider the following game \(\textsf{Comp}_{\mathcal {A}}(\kappa )\) between a challenger \(\mathcal {C}\) and an interactive, computationally unbounded adversary \(\mathcal {A}\) who is nevertheless limited to \({\text {poly}}(\kappa )\) rounds of interaction.
1. Initialization. \(\mathcal {C}\) sets \(\textsf{pp}= \bot \), \(\textsf{aux}= \bot \), \(\textsf{u}= \bot \), \(\mathcal {D}= \emptyset \), \(\textsf{id}^* = \bot \), \(t = 0\), samples \(\textsf{crs}\leftarrow U_{{\text {poly}}(\kappa )}\), and sends \(\textsf{crs}\) to \(\mathcal {A}\).
2. While \(\mathcal {A}\) continues (for at most \({\text {poly}}(\kappa )\) steps), proceed as follows. At every iteration, \(\mathcal {A}\) chooses exactly one of the actions below to perform.
   (a) Registering a corrupted (non-target) identity. \(\mathcal {A}\) sends some \(\textsf{id}\notin \mathcal {D}\) and \(\textsf{pk}\) to \(\mathcal {C}\). \(\mathcal {C}\) registers \((\textsf{id}, \textsf{pk})\) by letting \(\textsf{pp}{:}{=}\textsf{Reg}^{[\textsf{aux}]}(\textsf{crs}, \textsf{pp}, \textsf{id}, \textsf{pk})\) and \(\mathcal {D}{:}{=}\mathcal {D}\cup \{\textsf{id}\}\).
   (b) Registering the (uncorrupted) target identity. This step is allowed only if \(\textsf{id}^* = \bot \). In that case, \(\mathcal {A}\) sends some \(\textsf{id}^* \notin \mathcal {D}\) to \(\mathcal {C}\). \(\mathcal {C}\) then samples \((\textsf{pk}^*, \textsf{sk}^*) \leftarrow \textsf{Gen}(1^\kappa )\), updates \(\textsf{pp}{:}{=}\textsf{Reg}^{[\textsf{aux}]}(\textsf{crs}, \textsf{pp}, \textsf{id}^*, \textsf{pk}^*)\) and \(\mathcal {D}{:}{=}\mathcal {D}\cup \{\textsf{id}^*\}\), and sends \(\textsf{pk}^*\) to \(\mathcal {A}\).
   (c) Encrypting for the target identity. This step is allowed only if \(\textsf{id}^* \ne \bot \). In that case, \(\mathcal {C}\) sets \(t = t + 1\). \(\mathcal {A}\) sends \(\textsf{m}_t \in \{0,1\}^*\) to \(\mathcal {C}\), who then sets \(\textsf{m}'_t {:}{=}\textsf{m}_t\) and sends back a corresponding ciphertext \(\textsf{ct}_t \leftarrow \textsf{Enc}(\textsf{crs}, \textsf{pp}, \textsf{id}^*, \textsf{m}_t)\) to \(\mathcal {A}\).
   (d) Decryption for the target identity. \(\mathcal {A}\) sends a \(j \in [t]\) to \(\mathcal {C}\). \(\mathcal {C}\) then lets \(\textsf{m}'_j = \textsf{Dec}(\textsf{sk}^*, \textsf{u}, \textsf{ct}_j)\). If \(\textsf{m}'_j = \textsf{GetUpd}\), \(\mathcal {C}\) obtains \(\textsf{u}= \textsf{Upd}^{\textsf{aux}}(\textsf{pp}, \textsf{id}^*)\) and then sets \(\textsf{m}'_j = \textsf{Dec}(\textsf{sk}^*, \textsf{u}, \textsf{ct}_j)\).
Let \(n = \vert \mathcal {D}\vert \) be the number of identities registered when the adversary ends the game. We require the following properties to hold for every such \(\mathcal {A}\) (as specified above) in the game \(\textsf{Comp}_{\mathcal {A}}(\kappa )\).
- Completeness. The adversary \(\mathcal {A}\) wins if there is some \(j \in [t]\) for which \(\textsf{m}'_j \ne \textsf{m}_j\). We require that \(\textsf{P}[\mathcal {A} \text { wins } \textsf{Comp}_{\mathcal {A}}(\kappa )] = {\text {negl}}(\kappa )\) (see Note 13).
- Compactness and efficiency. For the following three properties we state the default requirements for standard RBE; in this work, however, we also consider a relaxed version of RBE in which these quantities may be other parameters that are still sublinear in n (e.g., \({\text {poly}}(\kappa ) \cdot \sqrt{n}\)) for compactness and runtime efficiency. For the number of updates, we likewise allow any sublinear function of n.
  - Compactness. \(\vert \textsf{pp}\vert , \vert \textsf{u}\vert \le {\text {poly}}(\kappa , \log (n))\).
  - Efficiency of runtime of registration and update. The running time of each invocation of \(\textsf{Reg}\) and \(\textsf{Upd}\) is at most \({\text {poly}}(\kappa , \log (n))\).
  - Efficiency of the number of updates. The total number of invocations of \(\textsf{Upd}\) for identity \(\textsf{id}^*\) in Step 2(d) of the game \(\textsf{Comp}_{\mathcal {A}}(\kappa )\) is at most \(O(\log (n))\).
Definition A.2
(Security of RBE). For any interactive PPT adversary \(\mathcal {A}\), consider the following game \(\textsf{Sec}_{\mathcal {A}}(\kappa )\) between \(\mathcal {A}\) and a challenger \(\mathcal {C}\).
1. Initialization. \(\mathcal {C}\) sets \(\textsf{pp}= \bot \), \(\textsf{aux}= \bot \), \(\mathcal {D}= \emptyset \), \(\textsf{id}^* = \bot \), samples \(\textsf{crs}\leftarrow U_{{\text {poly}}(\kappa )}\), and sends \(\textsf{crs}\) to \(\mathcal {A}\).
2. While \(\mathcal {A}\) continues (for at most \({\text {poly}}(\kappa )\) steps), proceed as follows. At every iteration, \(\mathcal {A}\) chooses exactly one of the actions below to perform.
   (a) Registering a non-target identity. \(\mathcal {A}\) sends some \(\textsf{id}\notin \mathcal {D}\) and \(\textsf{pk}\) to \(\mathcal {C}\). \(\mathcal {C}\) registers \((\textsf{id}, \textsf{pk})\) by \(\textsf{pp}{:}{=}\textsf{Reg}^{[\textsf{aux}]}(\textsf{crs}, \textsf{pp}, \textsf{id}, \textsf{pk})\) and \(\mathcal {D}{:}{=}\mathcal {D}\cup \{\textsf{id}\}\).
   (b) Registering the target identity. This step can be run only if \(\textsf{id}^* = \bot \). \(\mathcal {A}\) sends some \(\textsf{id}^* \notin \mathcal {D}\) to \(\mathcal {C}\). \(\mathcal {C}\) then samples \((\textsf{pk}^*, \textsf{sk}^*) \leftarrow \textsf{Gen}(1^\kappa )\), updates \(\textsf{pp}{:}{=}\textsf{Reg}^{[\textsf{aux}]}(\textsf{crs}, \textsf{pp}, \textsf{id}^*, \textsf{pk}^*)\) and \(\mathcal {D}{:}{=}\mathcal {D}\cup \{\textsf{id}^*\}\), and sends \(\textsf{pk}^*\) to \(\mathcal {A}\).
3. Encrypting for the target identity. If \(\textsf{id}^* = \bot \), then \(\mathcal {A}\) first sends some \(\textsf{id}^* \notin \mathcal {D}\) to \(\mathcal {C}\) (this models encryptions for non-registered target identities). Next, \(\mathcal {A}\) sends two messages \(m_0, m_1\) of the same length to \(\mathcal {C}\). Then \(\mathcal {C}\) generates \(\textsf{ct}\leftarrow \textsf{Enc}(\textsf{crs}, \textsf{pp}, \textsf{id}^*, m_b)\), where \(b \leftarrow \{0,1\}\) is a random bit, and sends \(\textsf{ct}\) to \(\mathcal {A}\) (see Note 14).
4. The adversary \(\mathcal {A}\) outputs a bit \(b'\) and wins the game if \(b = b'\).
An RBE scheme is secure if for all PPT \(\mathcal {A}\), \(\textsf{P}[\mathcal {A} \text {wins} \textsf{Sec}_{\mathcal {A}}(\kappa )] < \frac{1}{2} + {\text {negl}}(\kappa ).\)
B Information-Theoretic Notions and Lemmas
Definition B.1
(Mutual Information). The mutual information of two discrete random variables X, Y is defined as
The conditional mutual information \(I(X; Y|Z)\) is defined as \(\mathbb {E}_{z \leftarrow Z} [I(X|_z; Y|_z)]\). The chain rule for mutual information states that \(I(X;YZ) = I(X;Y)+I(X;Z|Y)\).
Definition B.2
(Kullback-Leibler Divergence). For any two random variables X and Y where \(X \subseteq Y\) (i.e., the support of X is contained in the support of Y), the Kullback-Leibler (KL) divergence (in base 2) is defined as
Lemma B.3
(Conditional Mutual Information vs. KL Div). For any three jointly distributed random variables X, Y, Z the following holds:
In particular, when Z does not exist, we have
We give a proof for completeness.
Proof
By definition, we know
Now, if we call \(P=X|_z\) and \(Q=Y|_z\), then \(I(X|_z; Y|_z)=I(P;Q)\) is equal to:
Therefore, we get
\(\square \)
Theorem B.4
(Pinsker’s Inequality). For random variables X, Y we have
The following lemma follows from Lemma B.3 and Pinsker’s inequality.
Lemma B.5
For random variables X, Y, Z, it holds that
In particular, when Z does not exist, we have
We finally prove the twig lemma (i.e., Lemma 2.7).
Proof
(of Lemma 2.7). Let \(I(Y; X_0\dots X_\ell ) = \alpha \) and \(\alpha _i = I(Y; X_i | X_{i-1} \dots X_0)\). Firstly, we have \(\alpha = H(Y) - H(Y|X_0\dots X_\ell ) \le H(Y)\). By repeated applications of the chain rule of mutual information,
For each \(i \in [\ell ]\), we get  by letting \(X=X_i,Z=X_{0}\dots X_{i-1}\) in Lemma B.3. By applying Pinsker’s inequality through Lemma B.5 we now get
To conclude, we get
The first inequality is due to the concavity of \(\sqrt{\cdot }\), and Jensen’s inequality.
C Theorem 3.2 is Optimal
In this section, we show that the bound in Theorem 3.2 is tight. Namely, we prove the following theorem.
Theorem C.1
(Optimality of Theorem 3.2). For all \(n = \left( {\begin{array}{c}k+d\\ d+1\end{array}}\right) -1\) with integers \(k\ge 1, d \ge 0\), there exists a forward DAG \(G_{k, d}\) on n vertices with \(\deg^{+}(G_{k, d}) \le d\) that does not have any skipping sequence of size k.
We will use induction on d to prove Theorem C.1.
Construction C.2
(Construction of Optimal DAG of Out-Degree d). Let \(k\ge 1, d \ge 0\) be integers. We construct a graph \(G_{k,d}\) recursively as follows (Fig. 3).
1. If \(d=0\), \(G_{k,0}\) has \(k-1\) vertices and no edges (see Note 15).
2. If \(d \ge 1\), do the following.
   (a) For \(i \in [k-1]\) let \({\mathcal G}_i\) be a copy of \(G_{k-i+1, d-1}\) followed by a new vertex \(u_i\) at the end. Moreover, in addition to the edges of \(G_{k-i+1, d-1}\), for all \(v \in {\mathcal G}_i\) (including \(v=u_i\)) add the edge \((v,u_i)\) to \({\mathcal G}_i\).
   (b) Divide the vertices of \(G_{k,d}\) into \(k-1\) groups, such that the i-th group is a copy of \({\mathcal G}_i\) that comes right after \({\mathcal G}_{i-1}\).
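The recursive construction above, implemented as an added example (this is the editor's code, not code from the paper). Vertices are numbered in registration order, and an edge \((v,w)\) with \(v \le w\) records that the identity at position v needs a decryption update when the identity at position w registers (the fixed update graph of Note 1), so the out-degree of v is the number of updates that identity receives. The code builds \(G_{k,d}\) exactly as in steps 1 and 2, including the self-edge \((u_i,u_i)\) that step 2(a) adds, and checks the two properties the page states in closed form: the vertex count \(\binom{k+d}{d+1}-1\) and out-degree at most d. The skipping-sequence property depends on Definition 3.1, which is not reproduced on this page, so it is not checked here.

```python
from collections import Counter
from math import comb


def build_graph(k: int, d: int):
    """Construct G_{k,d} from Construction C.2.

    Returns (n, edges): n vertices numbered 0..n-1 in registration order and a
    list of edges (v, w) with v <= w, read as "identity v needs an update when
    identity w registers".  The pairs (u_i, u_i) are the self-edges that the
    construction adds for v = u_i.
    """
    if d == 0:
        # Base case: k-1 isolated vertices (the empty graph when k = 1).
        return k - 1, []

    n, edges = 0, []
    for i in range(1, k):  # i in [k-1]
        # Group G_i: a copy of G_{k-i+1, d-1} placed right after the previous
        # groups, followed by one new vertex u_i at its end.
        m, sub_edges = build_graph(k - i + 1, d - 1)
        offset = n
        edges.extend((offset + a, offset + b) for a, b in sub_edges)
        u_i = offset + m
        # Every vertex of G_i, u_i included, gets an edge into u_i.
        edges.extend((offset + v, u_i) for v in range(m + 1))
        n = u_i + 1
    return n, edges


def out_degrees(n: int, edges) -> list:
    """Out-degree of every vertex, i.e. the number of updates that identity receives."""
    deg = Counter(v for v, _ in edges)
    return [deg[v] for v in range(n)]


def check_construction(k: int, d: int) -> dict:
    """Verify the closed-form size and the out-degree bound of G_{k,d}."""
    n, edges = build_graph(k, d)
    degs = out_degrees(n, edges)
    return {
        "n": n,
        "expected_n": comb(k + d, d + 1) - 1,
        "max_out_degree": max(degs, default=0),
        "forward": all(v <= w for v, w in edges),
    }


if __name__ == "__main__":
    for k in range(1, 7):
        for d in range(0, 4):
            r = check_construction(k, d)
            assert r["n"] == r["expected_n"] and r["max_out_degree"] <= d and r["forward"]
            print(f"G_({k},{d}): n={r['n']}, max out-degree={r['max_out_degree']}")
```

The recursion mirrors the induction in the proof of Lemma C.3: each group \({\mathcal G}_i\) contributes \(|G_{k-i+1,d-1}| + 1\) vertices, and the extra edge into \(u_i\) raises every out-degree in the copied subgraph by exactly one, which is why the bound \(d-1\) for the inner graphs becomes \(d\) for \(G_{k,d}\).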
To prove Theorem C.1, it suffices to prove the following lemma.
Lemma C.3
Graph \(G_{k,d}\) of Construction C.2 has \(n = \left( {\begin{array}{c}k+d\\ d+1\end{array}}\right) -1\) vertices and out-degree at most d, and all of its skipping sequences are of size at most \(k-1\).
Note that, since \(n = \left( {\begin{array}{c}k+d\\ d+1\end{array}}\right) -1 \ge \left( {\begin{array}{c}(k-1)+d\\ d+1\end{array}}\right) \), Theorem 3.2 already tells us that for \(k\ge 1\) the graph \(G_{k,d}\) has a skipping sequence of size \(\ge k-1\); so by proving Lemma C.3 we conclude that the maximum size of its skipping sequences is exactly \(k-1\).
Proof
(of Lemma C.3). The proof is by induction on d. For \(d=0\), the claim is immediate from the construction.
Now suppose \(d \ge 1\). By the induction hypothesis and the hockey-stick identity, the number of vertices of \(G_{k,d}\) will be
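The vertex count, carried through as an added worked computation (not part of the original text) with the document's own symbols and the induction hypothesis \(|G_{k',d-1}| = \binom{k'+d-1}{d}-1\):
\[
|G_{k,d}| \;=\; \sum_{i=1}^{k-1}\Bigl(|G_{k-i+1,d-1}| + 1\Bigr)
\;=\; \sum_{i=1}^{k-1}\binom{k-i+d}{d}
\;=\; \sum_{j=1}^{k-1}\binom{j+d}{d}
\;=\; \binom{k+d}{d+1} - \binom{d}{d}
\;=\; \binom{k+d}{d+1}-1,
\]
where the \(+1\) counts the new vertex \(u_i\) of group \({\mathcal G}_i\), the substitution is \(j = k-i\), and the fourth equality is the hockey-stick identity \(\sum_{j=0}^{k-1}\binom{j+d}{d} = \binom{k+d}{d+1}\) with its \(j=0\) term \(\binom{d}{d}=1\) removed.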
Let \({\mathcal S}\) be any skipping sequence in \(G_{k,d}\), and let \(j \in [k-1]\) be the largest index such that \({\mathcal S}\) contains a vertex of \({\mathcal G}_j\). We first show that \({\mathcal S}\) contains at most one vertex from each of the previous \(j-1\) groups \(\{{\mathcal G}_i\}_{i \in [j-1]}\). Assume, for contradiction, that there are two vertices \(v < u\) with \(u,v \in {\mathcal S}\cap {\mathcal G}_i\) for some \(i < j\), and let \(x \in {\mathcal G}_j \cap {\mathcal S}\). Then \(v<u<x\) all lie in \({\mathcal S}\), while \(v\) has an outgoing edge to \(u_i\) (the last vertex of \({\mathcal G}_i\)) with \(u \le u_i < x\); this contradicts the definition of skipping sequences.
Let \({\mathcal S}= {\mathcal S}_1 \cup {\mathcal S}_2\), where \({\mathcal S}_1 = {\mathcal S}\cap (\cup _{i<j} {\mathcal G}_i)\) and \({\mathcal S}_2 = {\mathcal S}\cap {\mathcal G}_j\). We already know that \(|{\mathcal S}_1|\le j-1\), so it suffices to show that \(|{\mathcal S}_2| \le k-j\). First, if \(u_j\) (the last vertex of \({\mathcal G}_j\)) belongs to \({\mathcal S}\), then no other vertex of \({\mathcal G}_j\) can belong to \({\mathcal S}\), since every vertex of \({\mathcal G}_j\) has an edge into \(u_j\) and this would again contradict the definition of skipping sequences. Second, if \({\mathcal S}\) is a skipping sequence, then so is its restriction \({\mathcal S}_2 = {\mathcal S}\cap {\mathcal G}_j\). Therefore, as \({\mathcal G}_j\) without \(u_j\) is a copy of \(G_{k-j+1,d-1}\), the induction hypothesis gives \(|{\mathcal S}_2|\le \max \left\{ 1,k-j \right\} = k-j\), and so \(|{\mathcal S}| =|{\mathcal S}_1| +|{\mathcal S}_2| \le (j-1) + (k-j) = k-1\). \(\square \)
Copyright information
© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG
Cite this paper
Mahmoody, M., Qi, W., Rahimi, A. (2022). Lower Bounds for the Number of Decryption Updates in Registration-Based Encryption. In: Kiltz, E., Vaikuntanathan, V. (eds) Theory of Cryptography. TCC 2022. Lecture Notes in Computer Science, vol 13747. Springer, Cham. https://doi.org/10.1007/978-3-031-22318-1_20
DOI: https://doi.org/10.1007/978-3-031-22318-1_20
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-22317-4
Online ISBN: 978-3-031-22318-1