TY - GEN
T1 - Lower Bounds on Assumptions Behind Registration-Based Encryption
AU - Hajiabadi, Mohammad
AU - Mahmoody, Mohammad
AU - Qi, Wei
AU - Sarfaraz, Sara
N1 - Publisher Copyright:
© 2023, International Association for Cryptologic Research.
PY - 2023
Y1 - 2023
N2 - Registration-based encryption (RBE) [11] is a primitive that aims to offer what identity-based encryption (IBE) [2] offers without the so-called key-escrow problem. In RBE parties who wish to join the system will generate their own secret and public keys and register their public keys to a transparent party called key curator (KC) who does not have any secret state. The initial constructions of RBE made non-black-box use of building block primitives, due to their use of either indistinguishability obfuscation [11] or some garbling scheme [12]. More recently, it was shown [14, 17] how to achieve black-box constructions of (variants of) RBE and even stronger primitives based on bilinear maps in which the RBE is relaxed to have a CRS whose length can grow with the number of registered identities. Making cryptographic constructions in general, and RBE in particular, black-box is an important step as it can play a significant role in its efficiency and potential deployment. Hence, in this work we ask: what are the minimal assumptions for black-box constructions of RBE? Particularly, can we black-box construct RBE schemes from the same assumptions used for public-key encryption or simpler algebraic assumptions that hold in the generic group model? In this work, we prove the first black-box separation results for RBE beyond the separations that follow from the observation that RBE black-box implies public-key encryption. In particular, we answer both of the questions above negatively and prove that neither trapdoor permutations nor (even Shoup’s) generic group model can be used as the sole source of hardness for building RBE schemes. More generally, we prove that a relaxation of RBE in which all the keys are registered and compressed at the same time is already too complex to be built from either of the above-mentioned primitives in a black-box way. At a technical level, using compression techniques, we prove lemmas in the TDP and GGM oracle settings that prove the following intuitive yet useful fact: that compact strings cannot signal too many trapdoors, even if their generation algorithm takes exponential time. Due to their generality, our lemmas could be of independent interest and find more applications.
AB - Registration-based encryption (RBE) [11] is a primitive that aims to offer what identity-based encryption (IBE) [2] offers without the so-called key-escrow problem. In RBE parties who wish to join the system will generate their own secret and public keys and register their public keys to a transparent party called key curator (KC) who does not have any secret state. The initial constructions of RBE made non-black-box use of building block primitives, due to their use of either indistinguishability obfuscation [11] or some garbling scheme [12]. More recently, it was shown [14, 17] how to achieve black-box constructions of (variants of) RBE and even stronger primitives based on bilinear maps in which the RBE is relaxed to have a CRS whose length can grow with the number of registered identities. Making cryptographic constructions in general, and RBE in particular, black-box is an important step as it can play a significant role in its efficiency and potential deployment. Hence, in this work we ask: what are the minimal assumptions for black-box constructions of RBE? Particularly, can we black-box construct RBE schemes from the same assumptions used for public-key encryption or simpler algebraic assumptions that hold in the generic group model? In this work, we prove the first black-box separation results for RBE beyond the separations that follow from the observation that RBE black-box implies public-key encryption. In particular, we answer both of the questions above negatively and prove that neither trapdoor permutations nor (even Shoup’s) generic group model can be used as the sole source of hardness for building RBE schemes. More generally, we prove that a relaxation of RBE in which all the keys are registered and compressed at the same time is already too complex to be built from either of the above-mentioned primitives in a black-box way. At a technical level, using compression techniques, we prove lemmas in the TDP and GGM oracle settings that prove the following intuitive yet useful fact: that compact strings cannot signal too many trapdoors, even if their generation algorithm takes exponential time. Due to their generality, our lemmas could be of independent interest and find more applications.
UR - http://www.scopus.com/inward/record.url?scp=85178628535&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85178628535&partnerID=8YFLogxK
U2 - 10.1007/978-3-031-48618-0_11
DO - 10.1007/978-3-031-48618-0_11
M3 - Conference contribution
AN - SCOPUS:85178628535
SN - 9783031486173
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 306
EP - 334
BT - Theory of Cryptography - 21st International Conference, TCC 2023, Proceedings
A2 - Rothblum, Guy
A2 - Wee, Hoeteck
PB - Springer Science and Business Media Deutschland GmbH
T2 - 21st International conference on Theory of Cryptography Conference, TCC 2023
Y2 - 29 November 2023 through 2 December 2023
ER -