Paper 2022/649

IBE with Incompressible Master Secret and Small Identity Secrets

Nico Döttling, Helmholtz Center for Information Security (CISPA)
Sanjam Garg, University of California, Berkeley, NTT Research
Sruthi Sekar, University of California, Berkeley
Mingyuan Wang, University of California, Berkeley

Side-stepping the protection provided by cryptography, exfiltration attacks are becoming a considerable real-world threat. With the goal of mitigating the exfiltration of cryptographic keys, big-key cryptosystems have been developed over the past few years. These systems come with very large secret keys which are thus hard to exfiltrate. Typically, in such systems, the setup time must be large as it generates the large secret key. However, subsequently, the encryption and decryption operations, that must be performed repeatedly, are required to be efficient. Specifically, the encryption uses only a small public key and the decryption only accesses small ciphertext-dependent parts of the full secret key. Nonetheless, these schemes require decryption to have access to the entire secret key. Thus, using such big-key cryptosystems necessitate that users carry around large secret keys on their devices, which can be a hassle and in some cases might also render exfiltration easy. With the goal of removing this problem, in this work, we initiate the study of big-key identity-based encryption (bk-IBE). In such a system, the master secret key is allowed to be large but we require that the identity-based secret keys are short. This allows users to use the identity-based short keys as the ephemeral secret keys that can be more easily carried around and allow for decrypting ciphertexts matching a particular identity, e.g. messages that were encrypted on a particular date. In particular: -We build a new definitional framework for bk-IBE capturing a range of applications. In the case when the exfiltration is small our definition promises stronger security --- namely, an adversary can break semantic security for only a few identities, proportional to the amount of leakage it gets. In contrast, in the catastrophic case where a large fraction of the master secret key has been ex-filtrated, we can still resort to a guarantee that the ciphertexts generated for a randomly chosen identity (or, an identity with enough entropy) remain protected. We demonstrate how this framework captures the best possible security guarantees. -We show the first construction of such a bk-IBE offering strong security properties. Our construction is based on standard assumptions on groups with bilinear pairings and brings together techniques from seemingly different contexts such as leakage resilient cryptography, reusable two-round MPC, and laconic oblivious transfer. We expect our techniques to be of independent interest.

Available format(s)
Public-key cryptography
Publication info
Big-key Cryptography Identity Based Encryption Leakage Resilience
Contact author(s)
nico doettling @ gmail com
sanjamg @ berkeley edu
sruthi sekar1 @ gmail com
mingyuan @ berkeley edu
2022-05-28: approved
2022-05-25: received
See all versions
Short URL
Creative Commons Attribution


      author = {Nico Döttling and Sanjam Garg and Sruthi Sekar and Mingyuan Wang},
      title = {IBE with Incompressible Master Secret and Small Identity Secrets},
      howpublished = {Cryptology ePrint Archive, Paper 2022/649},
      year = {2022},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.