Towards Anonymous Ciphertext Indistinguishability with Identity Leakage

摘要

Key escrow is a major drawback of identity-based encryption (IBE). The key generation centre (KGC) can generate the user secret key of any user by using the master secret key and the user's identity. This paper presents a systematic study of what it takes to prevent a malicious KGC from decrypting a ciphertext encrypted for an honest user, which covers the case for certificateless encryption, and shows the impossibility of ideal escrow-free IBE, unless there is uncertainty in the user's identity. Our study also explains the underpinning idea of anonymous cipher-text indistinguishability (ACI), formalized by Chow in PKC 2009. An ACI-secure IBE prevent a KGC (or any logical entity which get holds of the master secret key, such as the collusion of a number of authorities holding the sufficient number of master secret's shares) from decrypting if it does not know the intended recipient of the ciphertext, a guarantee that none of the existing attempts in the literature can provide. The notion of ACI crucially relies on the privacy of user's identity in the eyes of the KGC. The only privacy leakage allowed in Chow's model is via querying an embedded-identity encryption oracle. In this paper, we strengthen his model to allow arbitrary bounded leakage of the recipient's identity. We also give a generic construction on how to achieve this notion when the identity has enough entropy.