Efficient Identity-Based Encryption with Minimal Server Trust

Bibliographic Details
Published in: Proceedings - Symposium on Reliable Distributed Systems, pp. 104-114
Main Authors: Liang, Yuan; Di Crescenzo, Giovanni; Wang, Haining; Patni, Zahir
Format: Conference Proceeding
Language: English
Published: IEEE, 30.09.2024
ISSN: 2575-8462
DOI: 10.1109/SRDS64841.2024.00020

Summary: Boneh and Franklin proposed one of the first constructions of the very elegant concept of identity-based encryption (IBE) two decades ago. Despite many research advances and its several potential applications, IBE has not achieved enough in real-life use. One likely reason is that it puts too much trust in the key derivation server, also known as the IBE key escrow problem or the problem of reducing server trust in IBE schemes. Specifically, its PKG (private key generator) can implicitly decrypt all ciphertexts. In this paper, we propose a new approach to address the IBE key escrow/server trust problem: enhance IBE schemes by distributing key derivation across all receivers, and thus moving most or even all of the key derivation capability from the server to the decrypting receivers. Specifically, we target solutions with minimal server needs: either no central server or a repository server that only maintains a master public key of size independent of the number of users, but does not maintain any secret data or secret keys. Indeed, we show protocols based on well-known conventional IBE schemes, which work in a public parameter model (i.e., including neither a common reference string with private data kept by the server, nor a common random string model generated by a third party). Our main performance objective is to have no or minimal modification to the encryption algorithm, so as to make the resulting schemes usable for Internet of Things (IoT) applications and minimize any extra resource cost at encrypting sensors in this domain. No previous work achieved this performance goal in conjunction with minimal server needs before, and our solutions are optimal on our performance goal, while achieving essentially minimal server needs.
The closest results from previous work consist of either replicating the key derivation server into many of which only a threshold is trusted, or of the recent notion of registration-based encryption, whose main performance goal is to reduce the number of receiver accesses to the server during key derivation.