Abstract
Revocable Identity-Based Encryption (RIBE) can dynamically revoke users whose secret keys have been compromised, ensuring a system's backward security. An RIBE scheme with decryption key exposure resistance (DKER) guarantees the confidentiality of ciphertext during any time period where the decryption key remains undisclosed. Existing RIBE schemes with DKER generate O(rlog(N/r)) ciphertexts for each plaintext message. Redundant ciphertexts impose significant computational burdens on users and substantial communication overhead on the system. To reduce high computation and communication overhead in existing schemes, this paper proposes a dual-key combination trapdoor generation method. Based on the proposed method, an indirect RIBE scheme with DKER is constructed, reducing ciphertext redundancy and obtaining computation and communication efficiency. Firstly, this paper proposes a dual-key combination trapdoor generation mechanism. By constructing an Inhomogeneous Small Integer Solution (ISIS) instance, the Key Generation Center (KGC) generates and distributes short bases to users as their identity keys. Subsequently, based on the constructed ISIS instance, a new inverse ISIS instance is derived. Furthermore, during each time period, KGC generates short bases for all non-revoked users as their time keys. By linearly combining their identity key with the corresponding time key, every non-revoked user can derive a re-randomized decryption key, achieving controlled key derivation. Secondly, based on the proposed method, a Post-Quantum Secure, Lightweight RIBE scheme with DKER (PQS-LRIBE-DKER) is constructed. For every non-revoked user, their identity key and time key serve as their own user secret key and key update, respectively. Controllable key derivation enables indirect revocation of the scheme. By adopting an indirect revocation, the PQS-LRIBE-DKER scheme achieves a single ciphertext per plaintext message, significantly reducing the sender's computational load and the system's communication overhead. Finally, under the hardness assumptions of the Learning with Errors (LWE) and ISIS problems, we prove that the proposed scheme achieves selective identity security in the standard model.