Towards Black-Box Accountable Authority IBE with Short Ciphertexts and Private Keys

Notice: This research summary and analysis were automatically generated using AI technology. For absolute accuracy, please refer to the [Original Paper Viewer] below or the Original ArXiv Source.

At Crypto'07, Goyal introduced the concept of Accountable Authority Identity-Based Encryption as a convenient tool to reduce the amount of trust in authorities in Identity-Based Encryption. In this model, if the Private Key Generator (PKG) maliciously re-distributes users’ decryption keys, it runs the risk of being caught and prosecuted. Goyal proposed two constructions: the first one is efficient but can only trace well-formed decryption keys to their source; the second one allows tracing obfuscated decryption boxes in a model (called weak black-box model) where cheating authorities have no decryption oracle. The latter scheme is unfortunately far less efficient in terms of decryption cost and ciphertext size. In this work, we propose a new construction that combines the efficiency of Goyal’s first proposal with a very simple weak black-box tracing mechanism. Our scheme is described in the selective-ID model but readily extends to meet all security properties in the adaptive-ID sense, which is not known to be true for prior black-box schemes.


💡 Research Summary

The paper addresses a fundamental limitation of accountable‑authority identity‑based encryption (A‑IBE) schemes: achieving both practical efficiency and the ability to trace malicious decryption devices in a black‑box setting. Goyal’s original work introduced two constructions. The first (Goyal‑1) is efficient, built on Gentry’s IBE, but its traceability is limited to a white‑box model where the tracing algorithm must see the internal structure of a decryption key. The second (Goyal‑2) provides weak black‑box traceability using the Sahai‑Waters fuzzy IBE, yet it suffers from large ciphertexts (linear in the security parameter λ) and a decryption cost that requires O(λ) pairing operations—far too heavy for realistic deployments.

The authors propose a new A‑IBE construction that merges the efficiency of Goyal‑1 with a simple weak black‑box tracing mechanism. The scheme operates in the selective‑ID model but can be straightforwardly adapted to the adaptive‑ID setting, which is not known to be true for prior black‑box schemes. The core technical ideas are a combination of “commutative‑blinding” and “exponent‑inversion” techniques. In the key‑generation protocol, the user and the PKG exchange a short random seed and a hash value; the PKG never learns which “key family” the user’s secret key belongs to, while the user receives a key that contains a hidden family identifier. The tracing algorithm simply extracts this identifier from a well‑formed key (or returns ⊥ for malformed keys). In the weak black‑box model, the algorithm also accepts a decryption box D that correctly decrypts a non‑negligible fraction ε of ciphertexts; given D together with the user’s key, the tracer can decide whether the box was produced by a dishonest PKG or by a user.

Security is proved under the standard Decision Bilinear Diffie‑Hellman (DBDH) assumption, the same assumption used for Goyal‑2, but the reduction is tighter because the scheme does not rely on additional, stronger assumptions that grow with the number of queries. The authors define three security games: IND‑ID‑CCA (adaptive chosen‑ciphertext security), FindKey‑CCA (the PKG cannot generate a key in the same family as the user’s without being caught), and ComputeNewKey (the user cannot produce two keys from different families for the same identity). They provide reductions from breaking these games to solving DBDH, showing that the scheme meets all required properties.

Efficiency improvements are substantial. Ciphertexts consist of only a constant number of group elements (typically two or three elements in GT), independent of λ, whereas Goyal‑2’s ciphertexts contain O(λ) elements. Decryption requires just two pairing evaluations, compared with roughly 160 pairings in Goyal‑2 for a 128‑bit security level. Private keys are also short, containing a constant number of G‑group elements plus a small integer family tag. The key‑generation protocol avoids zero‑knowledge proofs and instead uses simple hash‑based checks, which eliminates the need for rewinding in security reductions and makes the protocol naturally concurrent‑secure—an important property for Internet‑scale deployments.

The paper further demonstrates how the same ideas can be applied to other IBE and broadcast encryption schemes. By making a minor modification to Gentry’s IBE key‑generation, the authors obtain a weak‑black‑box accountable version that retains Gentry’s original efficiency. They also extend the construction to the Boneh‑Hamburg identity‑based broadcast encryption (IBBE), showing that accountable authority can be achieved even in multi‑receiver settings. These extensions illustrate the versatility of the proposed tracing mechanism.

In summary, the authors deliver a practically efficient A‑IBE scheme with short ciphertexts and keys, while providing weak black‑box traceability that works in both selective‑ID and adaptive‑ID models. The construction improves upon prior work by dramatically reducing ciphertext size and decryption cost, supporting concurrent key‑generation, and relying on standard bilinear assumptions. This advances the state of the art in accountable IBE, offering a realistic path toward deployment of IBE systems where the PKG’s power is limited by cryptographic accountability.

