Security of a biometric identity-based encryption scheme
Biometric identity-based encryption (Bio-IBE) is a kind of fuzzy identity-based encryption (fuzzy IBE) in which a ciphertext encrypted under an identity w' can be decrypted using a secret key corresponding to an identity w that is close to w' as measured by some metric. Recently, Yang et al. proposed a constant-size Bio-IBE scheme and proved that it is secure against adaptive chosen-ciphertext attack (CCA2) in the random oracle model. Unfortunately, in this paper, we will show that their Bio-IBE scheme is not even chosen-plaintext secure. Specifically, a user w, using his secret key, is able to decrypt any ciphertext encrypted under an identity w' even though w is not close to w'.
💡 Research Summary
The paper conducts a cryptanalytic study of the biometric identity‑based encryption (Bio‑IBE) scheme proposed by Yang et al. (2011), which claimed constant‑size ciphertexts and IND‑sID‑CCA2 security in the random‑oracle model. The authors demonstrate that the scheme fails to achieve even the weaker IND‑sID‑CPA security.
The Bio‑IBE framework treats a user’s biometric template as a set of attributes w. A ciphertext encrypted under an identity w′ can be decrypted with a secret key for w only when the overlap |w ∩ w′| meets a threshold d. Yang et al.’s construction works over bilinear groups (G, G_T) with a master secret s. During extraction, the private key for w consists of pairs (d_{i,1}, d_{i,2}) for each attribute µ_i, where d_{i,1}= (g₁·g^{H₁(ID)})^{q(µ_i)} and d_{i,2}= g^{q(µ_i)}. The polynomial q(x) is randomly chosen of degree d‑1 with q(0)=s. Encryption of a message m under w′ selects a random r and outputs C₁=g^r, C₂=g^{H₁(ID′)·r}, C₃=m·e(g₁,g₂)^r. Decryption, assuming |w ∩ w′|≥d, picks any subset S⊆w ∩ w′ of size d and uses Lagrange coefficients Δ_{µ_i,S}(0) to compute
m = C₃ · e(C₂, ∏_{i∈S} d_{i,2}^{Δ_{µ_i,S}(0)}) / e(C₁, ∏_{i∈S} d_{i,1}^{Δ_{µ_i,S}(0)}).
The authors of the current paper construct an adaptive chosen‑plaintext attack. The adversary first obtains the public parameters, then requests a secret key for an attribute set w such that |w ∩ w′|<d (i.e., the key should be useless according to the scheme’s specification). Because the secret key components are derived from the same polynomial q(x), the adversary can compute g^{q(µ_i)} = d_{i,1} / d_{i,2}^{H₁(ID)} for each i∈w. By selecting any d attributes from w and applying the same Lagrange coefficients used in the legitimate decryption, the adversary evaluates
∏_{i∈S} e(C₁, g^{q(µ_i)})^{Δ_{µ_i,S}(0)} = e(g^r, g^{q(0)}) = e(g, g)^{r·s} = e(g₁, g₂)^r.
Dividing C₃ by this value yields the original plaintext m, regardless of the overlap between w and w′. Consequently, a user possessing a secret key for an unrelated identity can decrypt any ciphertext, violating IND‑sID‑CPA security.
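The step the attack hinges on is Lagrange interpolation in the exponent: the key components d_{i,2} = g^{q(µ_i)} are Shamir-style shares of q(0) = s, and nothing in the constant-size ciphertext ties the interpolation to the overlap w ∩ w′. The following is an added example (not code from the paper or from Yang et al.); it replaces the bilinear group with a toy Schnorr subgroup of Z_p* (p = 10007, q = 5003, g = 4, all constructed toy values) and implements no pairing, since only the interpolation step needs to be shown. The attribute sets, threshold d and master secret used in `run` are assumed sample values.

```python
"""Lagrange interpolation in the exponent over a toy group.

Shows that any d components g^{q(mu_i)} taken from ONE key interpolate to
g^{q(0)} = g^s, whether or not that key's attribute set w overlaps the
ciphertext identity w'. Toy Schnorr subgroup instead of a bilinear group;
no pairing is implemented.
"""
import secrets

P = 10007   # safe prime, P = 2*Q + 1 (constructed toy parameter)
Q = 5003    # prime order of the subgroup generated by G
G = 4       # 2^2 mod P, hence an element of order Q


def rand_poly(secret, degree):
    """Random polynomial over Z_Q with q(0) = secret (coefficients low to high)."""
    return [secret % Q] + [secrets.randbelow(Q) for _ in range(degree)]


def poly_eval(coeffs, x):
    """Evaluate q(x) over Z_Q."""
    return sum(c * pow(x, k, Q) for k, c in enumerate(coeffs)) % Q


def lagrange_at_zero(i, subset):
    """Delta_{i,S}(0) = prod_{j in S, j != i} (0 - j) / (i - j) over Z_Q."""
    num, den = 1, 1
    for j in subset:
        if j != i:
            num = num * (-j) % Q
            den = den * (i - j) % Q
    return num * pow(den, -1, Q) % Q


def extract(master_secret, attrs, d):
    """Key components d_{i,2} = g^{q(mu_i)} for each attribute mu_i in w.

    A fresh random q of degree d-1 with q(0) = master secret is drawn per
    key, as in the page's description of the scheme.
    """
    q = rand_poly(master_secret, d - 1)
    return {mu: pow(G, poly_eval(q, mu), P) for mu in attrs}


def interpolate_in_exponent(shares, subset):
    """prod_{i in S} (g^{q(mu_i)})^{Delta_{i,S}(0)} = g^{q(0)}."""
    acc = 1
    for mu in subset:
        acc = acc * pow(shares[mu], lagrange_at_zero(mu, subset), P) % P
    return acc


def run(master_secret, d):
    """Compare what a legitimate decryptor and an unrelated key holder obtain.

    Returns the group elements each side interpolates plus g^s for reference;
    the attack succeeds when all three coincide.
    """
    w_prime = [1, 2, 3, 4, 5]          # identity the ciphertext is encrypted under
    w_legit = [1, 2, 3, 8, 9]          # |w_legit ∩ w'| = 3 >= d (for d <= 3)
    w_attacker = [20, 21, 22, 23, 24]  # |w_attacker ∩ w'| = 0 < d

    legit_key = extract(master_secret, w_legit, d)
    attacker_key = extract(master_secret, w_attacker, d)

    # Legitimate decryptor: S is a size-d subset of the overlap, as specified.
    overlap = [mu for mu in w_legit if mu in w_prime]
    legit_value = interpolate_in_exponent(legit_key, overlap[:d])

    # Attacker: S is ANY size-d subset of his own attributes; w' never enters.
    attacker_value = interpolate_in_exponent(attacker_key, w_attacker[:d])

    return {
        "legit": legit_value,
        "attacker": attacker_value,
        "g_s": pow(G, master_secret, P),
    }


if __name__ == "__main__":
    out = run(master_secret=1234, d=3)
    print("legitimate decryptor obtains g^s:", out["legit"] == out["g_s"])
    print("unrelated key holder obtains g^s:", out["attacker"] == out["g_s"])
```

Because the interpolation target g^{q(0)} is the same for every key issued under the master secret, the value recovered does not depend on which attributes S contains, only on |S| = d; this is exactly why the overlap condition in the scheme's decryption procedure offers no protection.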
The attack reveals two fundamental flaws: (1) the secret‑key components are not independent; they expose the underlying polynomial q(x), which is sufficient to recover the message, and (2) the security proof relies on the hash function H₁ being evaluated on the identity ID only, while the original decryption correctness required H₁(ID) = H₁(ID′) – a condition that holds only when the overlap meets the threshold. This mismatch between the proof assumptions and the actual construction invalidates the claimed CCA2 security.
In conclusion, the paper shows that Yang et al.’s Bio‑IBE scheme is insecure even against chosen‑plaintext attacks. The authors suggest that a secure design must either make secret‑key components independent of a common polynomial or bind the decryption operation to the public parameters in a way that prevents extraction of q(x) from a single key. Their analysis underscores the importance of aligning security models with concrete scheme implementations, especially in biometric‑driven IBE where attribute similarity is a core feature.