Revocable Identity-Based Cryptosystem Revisited: Security Models and Constructions

Boneh and Franklin gave a naive revocation method in identity-based encryption (IBE) which imposes a huge overhead into the key generation center. Later, Boldyreva, Goyal, and Kumar proposed an elegant way of achieving an IBE with efficient revocation, called revocable IBE (RIBE). In this paper, we revisit RIBE from the viewpoint of both security models and constructions. First, we introduce a realistic threat, which we call decryption key exposure, and show that all prior RIBE constructions, except the Boneh-Franklin one, are vulnerable to decryption key exposure. Next, we propose the first scalable RIBE scheme with decryption key exposure resistance by combining the (adaptively secure) Waters IBE scheme and the (selectively secure) Boneh-Boyen IBE scheme, and show that our RIBE scheme is more efficient than all previous adaptively secure scalable RIBE schemes. In addition, we extend our interest into identity-based signatures; we introduce a new security definition of revocable identity-based signature (RIBS) with signing key exposure resistance, and propose the first scalable RIBS scheme based on the Paterson-Schuldt IBS. Finally, we provide implementation results of our schemes to adduce the feasibility of our schemes.