A Novel Commutative Blinding Identity Based Encryption Scheme

Yu Chen*, Song Luo, Jianbin Hu, and Zhong Chen**

Institute of Software, School of Electronics Engineering and Computer Science, Peking University, Beijing, China
Key Laboratory of High Confidence Software Technologies (Peking University), Ministry of Education
{chenyu,luosong,hujb,chen}@infosec.pku.edu.cn

Abstract. In EUROCRYPT 2004, Boneh and Boyen presented two efficient Identity Based Encryption (IBE) schemes that are selective-identity secure in the standard model. In particular, the first one, known as BB1-IBE and characterized by the commutative blinding technique (BB1-style), has proved to be the most fertile ground for applications. They also proved that BB1-IBE is fully secure in the random oracle model, but with a looser reduction. In this paper, we propose a novel IBE scheme of BB1-style which is fully secure in the random oracle model with a tighter reduction. Additionally, we give a chosen ciphertext secure construction of our scheme using the twin technique.

Key words: identity based encryption; provable security; bilinear Diffie-Hellman problem; twin technique

1 Introduction

Shamir [25] proposed the concept of Identity Based Encryption in 1984. IBE provides a public key encryption mechanism in which a public key can be an arbitrary string such as an email address or a telephone number, while the corresponding private key can only be generated by a Private Key Generator (PKG) who knows the master secret. The first secure and efficient IBE scheme was proposed by Boneh and Franklin in CRYPTO 2001 [8]. Their scheme, known as BF-IBE, is based on bilinear maps between groups. Boneh and Franklin [8] also defined the formal security notions for the IBE setting and proved that BF-IBE is chosen ciphertext secure in the random oracle model.

* Supported by National Natural Science Foundation of China (No.61073156).
** Supported by National Key Technology R&D Program in the 11th five-year Period (No.2008BAH33B01) and National Natural Science Foundation of China (No.60773163).

Since then, many other IBE schemes have been proposed. One important research direction is achieving provable security in the standard model, because the random oracle model only provides heuristic security [2]. Canetti, Halevi, and Katz [11] suggested a weaker security notion for IBE, known as the selective-ID model. Shortly afterwards, Boneh and Boyen [5] proposed two efficient schemes (BB1-IBE and BB2-IBE) with selective-ID security without random oracles. Waters then proposed a simple extension of BB1-IBE, which we refer to as Waters-IBE. In EUROCRYPT 2006, Gentry [15] presented an IBE scheme with short public parameters which is provably secure with a tight reduction based on a non-static assumption. In CRYPTO 2009, Waters [28] proposed dual system encryption, which yields fully secure IBE and HIBE systems under simple assumptions and with compact public parameters.

1.1 Related Work

We now restrict our attention to BB1-IBE. Briefly, BB1-IBE is built on a structure in which two secret coefficients and two blinding factors commute with each other under the pairing, which is referred to as commutative blinding [9]. Hereafter we abbreviate this as BB1-style. Boneh and Boyen proved that BB1-IBE is selective-ID secure with a tight reduction to the decisional BDH (DBDH) problem. They also presented two general methods for obtaining full security from selective-ID security, which imply that BB1-IBE is also fully secure in both the standard model and the random oracle model. However, the security reductions lose a factor of $N \approx 2^{160}$ and a factor of $Q_h \approx 2^{60}$, respectively. Boneh and Boyen then proposed a coding-theoretic extension of BB1-IBE that allowed them to prove full security without random oracles. However, the extension is mostly viewed as an existence proof of fully secure IBE in the standard model because it is somewhat impractical. Waters [27] further proposed Waters-IBE based on BB1-IBE, which was proved fully secure with a polynomial reduction to the DBDH problem in the standard model, but with relatively large public parameters. Two independent papers [22] and [13] further showed how to trade off the size of the public parameters against the tightness of the security reduction for Waters-IBE.

1.2 Motivation

It is somewhat surprising to realize that BB1-IBE and Waters-IBE share the same framework but have quite different security results. The only differing part is the identity hash function. This gives us a hint that the construction of the identity hash function is crucial to provable security. On the other hand, it is well known that a tight security reduction is crucial to cryptographic schemes, not only from a theoretical aspect but also from a practical one [15]. An inefficient security reduction implies either a lower security level or the need for a larger key size to obtain the same security level. However, the security reductions of both BB1-IBE (proven fully secure in the random oracle model) and Waters-IBE are far from tight. It is also worth remarking that the BB1-style framework naturally supports many valuable extensions, such as forward secure hierarchical IBE [6], fuzzy IBE [23], attribute-based IBE [4], wildcard IBE [1], and direct CCA-secure¹ encryption [10]. So our motivation is to construct a novel IBE scheme of BB1-style with a tighter security reduction by employing a new identity hash function. Note that many cryptographic schemes [1, 4, 6, 20] are built from BB1-IBE or Waters-IBE in a more-or-less black-box manner, and their constructions do not depend on the particular identity hash function. That is to say, if we can construct a more efficient BB1-style scheme by employing a new identity hash function, then the resulting BB1-style scheme would be a better underlying primitive for the aforementioned extensions than BB1-IBE and Waters-IBE.

1.3 Our Contributions

We stress that all the following results can be extended to hierarchical IBE [19] by the method used in [5].

1. In Section 3, we propose a novel IBE scheme of BB1-style. Compared to BB1-IBE, the only modification lies in the identity hash function. We show that this minor modification enables us to achieve full security with a tighter security reduction in the random oracle model. Our scheme compares favorably with other existing BB1-style schemes in terms of the tightness of the security reduction and the ciphertext size. The main drawback is that it is only provably secure in the random oracle model. But from a practical aspect, inheriting the flexibility of the BB1-style framework, our scheme can be used as an efficient primitive in applications where a proof in the random oracle model is acceptable. For example, Abdalla et al. [1] introduced a new system called IBE with wildcards (WIBE for short). In the same paper they also presented a concrete construction (BB-WIBE) from BB1-HIBE which was proven secure in the random oracle model. Since the BB-WIBE construction does not depend on the concrete identity hash function, its security reduction could immediately be tightened by using our scheme instead of BB1-HIBE.

2. In Section 4, we first identify and correct an error in the previous literature [13] about the CCA construction of BB1-IBE. We then present an efficient CCA construction of our scheme, i.e., encapsulating a fresh symmetric key from a BDH tuple and then employing a chosen ciphertext secure symmetric cipher to perform the encryption. The security of such a construction usually needs to rely on a stronger assumption, e.g., [13, 21]. We avoid resorting to a stronger assumption by applying the twin technique proposed in [12]. With the help of the trapdoor test, the security of our construction can be reduced to the usual computational BDH (CBDH) problem. Our CCA construction compares favorably to the scheme obtained from the generic Fujisaki-Okamoto transformation [14] in terms of ciphertext size and the tightness of the security reduction.

¹ We use "CCA-secure" to denote "secure against adaptive chosen ciphertext attacks" throughout this paper.

We provide in Table 1 a comparison among BB1-IBE [5], Waters-IBE [27], and our scheme.

Table 1. Comparison among BB1-style schemes

Scheme                      | Assumption | Reduction factor | ROM | |mpk|
----------------------------|------------|------------------|-----|----------
BB1-IBE                     | DBDH       | Q_h              | yes | 4|G|
Waters-IBE                  | DBDH       | 32(n+1)Q_e       | no  | (n+4)|G|
Our scheme                  | DBDH       | eQ_e             | yes | 3|G|
BB1-IBE+FO-transformation   | CBDH       | eQ_e Q_h         | yes | 3|G|
Our scheme+Twin Technique   | CBDH       | eQ_e             | yes | 4|G|

For security reasons, n is suggested to be at least 128 [27]. $Q_e \approx 2^{30}$ and $Q_h \approx 2^{60}$ refer to the maximum number of private key queries and the maximum number of random oracle queries, respectively. $e \approx 2.71$ is the base of the natural logarithm. The efficiency and ciphertext size of BB1-IBE, Waters-IBE, and our scheme are the same.

2 Preliminaries

Notation. We use $\mathbb{Z}_p$ to denote the group $\{0, \ldots, p-1\}$ under addition modulo $p$. For a group $G$ of prime order we use $G^*$ to denote the set $G^* = G \setminus \{1_G\}$, where $1_G$ is the identity element of $G$. We use $\mathbb{Z}^+$ to denote the set of positive integers.

2.1 Bilinear Maps

We briefly review the facts about groups with a bilinear map. Let $G$ and $G_T$ be two groups of large prime order $p$, and let $e : G \times G \to G_T$ be a map between these two groups. We say $e$ is an admissible bilinear map if it satisfies the following three properties.

1. Bilinearity. The map $e : G \times G \to G_T$ is bilinear if $e(u^a, v^b) = e(u, v)^{ab}$ for all $u, v \in G$ and all $a, b \in \mathbb{Z}_p$.
2. Non-degeneracy. The map does not send all pairs in $G \times G$ to the identity in $G_T$.
3. Computability. There is an efficient algorithm to compute $e(u, v)$ for any $u, v \in G$.

Bilinear Map Parameter Generator. We say that a randomized algorithm GroupGen is a bilinear map parameter generator if it takes $1^\kappa$ as input and outputs a $\kappa$-bit prime number $p$, two groups $G$, $G_T$ of order $p$, and an admissible bilinear map $e : G \times G \to G_T$. We write $\mathrm{GroupGen}(1^\kappa) \to (p, G, G_T, e)$.

2.2 Bilinear Diffie-Hellman Problem

Let $G$ be a group of prime order $p$ with bilinear map $e : G \times G \to G_T$. The computational Bilinear Diffie-Hellman (CBDH) problem [5,8] in $G$ is as follows: given a tuple $(g, g^x, g^y, g^z) \in G^4$ as input, output $e(g,g)^{xyz} \in G_T$. An algorithm $\mathcal{A}$ has advantage $\epsilon$ in solving the CBDH problem if
$$\Pr[\mathcal{A}(g, g^x, g^y, g^z) = e(g,g)^{xyz}] \ge \epsilon,$$
where the probability is over the random choice of $g$ in $G^*$, the random choice of $x, y, z \in \mathbb{Z}_p$, and the random bits used by $\mathcal{A}$. Similarly, we say an algorithm $\mathcal{B}$ has advantage $\epsilon$ in solving the DBDH problem if
$$\left|\Pr[\mathcal{B}(g, g^x, g^y, g^z, e(g,g)^{xyz}) = 0] - \Pr[\mathcal{B}(g, g^x, g^y, g^z, T) = 0]\right| \ge \epsilon,$$
where the probability is over the random choice of $g$ in $G^*$, the random choice of $x, y, z \in \mathbb{Z}_p$, the random choice of $T \in G_T$, and the random bits consumed by $\mathcal{B}$. We refer to the distribution on the left as $P_{BDH}$ and the distribution on the right as $R_{BDH}$.

Definition 2.1 The (decision) $(t, \epsilon)$-BDH assumption holds if no $t$-time adversary has advantage at least $\epsilon$ in solving the (decision) BDH problem in $G$.

Due to space constraints, we move the formal definitions and security notions of IBE and symmetric cipher to Appendix A and Appendix B, respectively.

3 Our Scheme

In this section, we present our BB1-style scheme, which is provably secure in the random oracle model.

Setup. Run $\mathrm{GroupGen}(1^\kappa)$ to generate $(p, G, G_T, e)$, randomly select $x \in \mathbb{Z}_p$ and $g, Y \in G$, and compute $X = g^x$. Next, pick a cryptographic hash function $H : \{0,1\}^* \to G$. The public parameters are $mpk = (g, X, Y, H)$. The master secret is $msk = Y^x$.

KeyGen. To generate the private key $d_{ID}$ for an identity $ID \in \{0,1\}^*$, pick a random $r \in \mathbb{Z}_p$ and output
$$d_{ID} = (d_1, d_2) = (Y^x Q^r, g^r) \in G \times G,$$
where $Q = H(ID)$ is the public key of the identity $ID$.

Encrypt. To encrypt a message $M \in G_T$ under the identity $ID$, pick a random $z \in \mathbb{Z}_p$ and compute $Q = H(ID)$. The ciphertext is
$$C = (g^z, Q^z, e(X,Y)^z M) \in G \times G \times G_T.$$

Decrypt. To decrypt a given ciphertext $C = (C_1, C_2, C_3)$ under $ID$ using the private key $d_{ID} = (d_1, d_2)$, output
$$C_3 \cdot \frac{e(d_2, C_2)}{e(d_1, C_1)} = e(X,Y)^z M \cdot \frac{e(g^r, Q^z)}{e(Y^x Q^r, g^z)} = e(X,Y)^z M \cdot \frac{e(g, Q^{rz})}{e(X,Y)^z\, e(Q^{rz}, g)} = M.$$

3.1 Security Analysis

Theorem 3.1 Our scheme is IND-ID-CPA secure provided that $H$ is a random oracle and the DBDH assumption holds in the groups generated by GroupGen. Concretely, suppose there is an IND-ID-CPA adversary $\mathcal{A}$ that has advantage $\epsilon$ against the scheme and makes at most $Q_e > 0$ private key extraction queries. Then there is an algorithm $\mathcal{B}$ that solves the DBDH problem with advantage at least
$$\mathrm{Adv}_{\mathcal{B}} \ge \epsilon \cdot \frac{1}{eQ_e}.$$

Proof. Suppose $\mathcal{A}$ has advantage $\epsilon$ in attacking our scheme. We build an algorithm $\mathcal{B}$ that solves the DBDH problem. $\mathcal{B}$ is given as input a random 5-tuple $(g, g^x, g^y, g^z, T)$ that is either sampled from $P_{BDH}$ (where $T = e(g,g)^{xyz}$) or from $R_{BDH}$ (where $T$ is uniform and independent in $G_T$). $\mathcal{B}$'s goal is to output 1 if $T = e(g,g)^{xyz}$ and 0 otherwise. $\mathcal{B}$ works by interacting with $\mathcal{A}$ in an IND-ID-CPA game as follows.

Setup. $\mathcal{B}$ sets $X = g^x$, $Y = g^y$, $Z = g^z$. The public parameters are $mpk = (g, X, Y, H)$. Note that the corresponding master secret $msk$, which is unknown to $\mathcal{B}$, is $Y^x = g^{xy} \in G$. From the perspective of the adversary $\mathcal{A}$ the distribution of the public parameters is identical to the real construction.

H-queries. At any time $\mathcal{A}$ can query the random oracle $H$. To respond to these queries $\mathcal{B}$ maintains a list of tuples $\langle ID, v, w\rangle$ as explained below. We refer to this list as the $L$ list; it is initially empty. When $\mathcal{A}$ queries the oracle $H$ at a point $ID$, algorithm $\mathcal{B}$ responds as follows:
1. If $ID$ already appears on $L$ in a tuple $\langle ID, v, w\rangle$, then $\mathcal{B}$ responds with $H(ID) = g^v Y^w \in G$.
2. Otherwise, $\mathcal{B}$ picks random $v \in \mathbb{Z}_p$, $w \in \mathbb{Z}_m$ and adds the tuple $\langle ID, v, w\rangle$ to the $L$ list. $\mathcal{B}$ responds to $\mathcal{A}$ with $H(ID) = g^v Y^w \in G$.

Phase 1 - Private key queries. Upon receiving a private key query for an identity $ID$, $\mathcal{B}$ runs the above algorithm to obtain $H(ID)$. Let $\langle ID, v, w\rangle$ be the corresponding tuple on the $L$ list. If $w = 0$, $\mathcal{B}$ aborts and outputs a random answer to the DBDH problem. Otherwise, $\mathcal{B}$ picks a random $r \in \mathbb{Z}_p$ and constructs the private key $d = (d_1, d_2)$ as follows. Let $\hat{r} = r - \frac{x}{w}$. Then we have
$$d_1 = X^{-\frac{v}{w}} g^{rv} Y^{rw} = Y^x (g^v Y^w)^{r - \frac{x}{w}} = Y^x (H(ID))^{\hat{r}} = Y^x Q^{\hat{r}},$$
$$d_2 = g^r X^{-\frac{1}{w}} = g^{r - \frac{x}{w}} = g^{\hat{r}}.$$
$\mathcal{B}$ can always answer the private key extraction query iff $w \neq 0$.

Challenge. The adversary $\mathcal{A}$ submits two messages $M_0, M_1 \in G_T$ and an identity $ID^*$ on which it wishes to be challenged. Suppose $\langle ID^*, v^*, w^*\rangle$ is the corresponding entry on the $L$ list. If $w^* \neq 0$, $\mathcal{B}$ aborts and outputs a random guess for the DBDH challenge. Otherwise, $\mathcal{B}$ flips a fair coin $\beta \in \{0,1\}$ and creates the ciphertext $C = (Z, Z^{v^*}, T M_\beta)$. It is easy to see that if $T = e(g,g)^{xyz} = e(X,Y)^z$, the challenge
$$C = (Z, Z^{v^*}, e(g,g)^{xyz} M_\beta) = (g^z, (Q^*)^z, e(X,Y)^z M_\beta)$$
is a valid encryption of $M_\beta$ under $ID^*$, where $Q^* = H(ID^*)$. On the other hand, when $T$ is uniform and independent in $G_T$, $C$ is independent of $\beta$ in $\mathcal{A}$'s view.

Phase 2 - Private key queries. Except for rejecting queries on $ID^*$, $\mathcal{B}$ responds to private key extraction queries the same way as it did in Phase 1.

Guess. Finally, the adversary $\mathcal{A}$ outputs a guess $\beta'$ for $\beta$. If $\beta' = \beta$, then $\mathcal{B}$ outputs 1, meaning $T = e(g,g)^{xyz}$. Otherwise, it outputs 0, meaning $T \neq e(g,g)^{xyz}$.

Claim. The responses to the H-queries are as in the real attack, since each response is uniformly and independently distributed in $G$. All responses to private key extraction queries are valid. When the input 5-tuple is sampled from $P_{BDH}$ (where $T = e(g,g)^{xyz}$), $\mathcal{A}$'s view is identical to its view in a real attack and therefore $\mathcal{A}$ must satisfy $|\Pr[\beta = \beta'] - 1/2| \ge \epsilon$. On the other hand, when the input 5-tuple is sampled from $R_{BDH}$ (where $T$ is uniform in $G_T$), $\Pr[\beta = \beta'] = 1/2$. Therefore, with $g$ uniform in $G^*$, $x, y, z$ uniform in $\mathbb{Z}_p$, and $T$ uniform in $G_T$, we have
$$\left|\Pr[\mathcal{B}(g, g^x, g^y, g^z, e(g,g)^{xyz}) = 1] - \Pr[\mathcal{B}(g, g^x, g^y, g^z, T) = 1]\right| \ge \left|\left(\frac{1}{2} \pm \epsilon\right) - \frac{1}{2}\right| = \epsilon.$$

To complete the proof of Theorem 3.1 it remains to calculate the probability that $\mathcal{B}$ aborts during the simulation. Let $\overline{\mathsf{abort}}$ denote the event that $\mathcal{B}$ does not abort during the simulation. $\mathcal{B}$ may abort the simulation in the following two events.
1. Event $E_1$: $w = 0$ when answering a private key query in Phase 1 or Phase 2.
2. Event $E_2$: $w^* \neq 0$ during the challenge phase.
Since $w$ is picked uniformly at random from $\mathbb{Z}_m$ and hidden from the adversary, the values $w$ of the identities submitted in private key extraction queries and the value $w^*$ of the challenge identity are mutually independent. Therefore for each queried identity $\Pr[w = 0] = 1/m$, and for the challenge identity $\Pr[w^* = 0] = 1/m$. Suppose the maximum number of private key extraction queries is $Q_e$; we have
$$\Pr[\neg E_1] = \left(1 - \frac{1}{m}\right)^{Q_e}, \qquad \Pr[\neg E_2 \mid \neg E_1] = \frac{1}{m}.$$
Therefore
$$\Pr[\overline{\mathsf{abort}}] = \Pr[\neg E_2 \mid \neg E_1]\Pr[\neg E_1] = \frac{1}{m}\left(1 - \frac{1}{m}\right)^{Q_e}.$$
We can optimize this probability by setting $m_{opt} = 1 + Q_e$ (a common estimate for $Q_e$ is $2^{30}$, suggested by Bellare and Rogaway [3]). Using $m_{opt}$, we have
$$\Pr[\overline{\mathsf{abort}}] = \frac{1}{m}\left(1 - \frac{1}{m}\right)^{Q_e} \approx \frac{1}{eQ_e}.$$
If the adversary makes fewer queries, $\Pr[\overline{\mathsf{abort}}]$ can only be greater. This shows that $\mathcal{B}$'s advantage is at least $\epsilon/eQ_e$, as required. □
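As an added illustration (not code from the paper), the following Python sketch runs the scheme of Section 3 and the simulator's key construction from the proof of Theorem 3.1 in a toy "generic" bilinear setting: every group element is stored as its discrete logarithm, so the pairing becomes multiplication modulo a small prime. This only checks the algebra of the scheme and of the reduction (it has no security, since every discrete log is known); the toy prime, the SHA-256 stand-in for H, and all function names are assumptions of this example.

```python
import hashlib
import secrets

# Toy bilinear setting, constructed for this example and NOT secure: an element of
# G is stored as its discrete log a (meaning g^a) and an element of G_T as its log
# c (meaning e(g,g)^c), so e(g^a, g^b) = e(g,g)^{ab} becomes a*b mod P.  Group
# multiplication is addition of logs and exponentiation is multiplication of logs.
P = 1_000_003  # assumed toy prime group order; a real deployment uses a ~256-bit p


def gmul(a, b):   # product of two elements of G (or of G_T)
    return (a + b) % P


def gexp(a, k):   # a^k in G (or G_T)
    return (a * k) % P


def gdiv(a, b):   # a / b in G_T
    return (a - b) % P


def pair(a, b):   # e(g^a, g^b) = e(g,g)^{ab}
    return (a * b) % P


def H(identity):
    """Hash an identity to G (SHA-256 stand-in for the random oracle H)."""
    return int.from_bytes(hashlib.sha256(identity.encode()).digest(), "big") % P


def rand_zp():
    return secrets.randbelow(P - 1) + 1


def setup():
    """mpk = (g, X = g^x, Y), msk = Y^x (we keep x, from which Y^x is computed)."""
    x, y = rand_zp(), rand_zp()
    g = 1                                  # the generator g is the log 1
    return {"g": g, "X": gexp(g, x), "Y": y}, {"x": x}


def keygen(mpk, msk, identity):
    """d_ID = (Y^x Q^r, g^r) with Q = H(ID) and fresh randomness r."""
    r = rand_zp()
    Q = H(identity)
    return gmul(gexp(mpk["Y"], msk["x"]), gexp(Q, r)), gexp(mpk["g"], r)


def encrypt(mpk, identity, msg):
    """C = (g^z, Q^z, e(X,Y)^z * M); the message M is an element of G_T (a log)."""
    z = rand_zp()
    Q = H(identity)
    blind = gexp(pair(mpk["X"], mpk["Y"]), z)   # e(X,Y)^z
    return gexp(mpk["g"], z), gexp(Q, z), gmul(blind, msg)


def decrypt(d_id, C):
    """M = C3 * e(d2, C2) / e(d1, C1): the Q^{rz} terms cancel, as does e(X,Y)^z."""
    d1, d2 = d_id
    C1, C2, C3 = C
    return gmul(C3, gdiv(pair(d2, C2), pair(d1, C1)))


# Simulator B in the proof of Theorem 3.1 knows X = g^x but not x, and has
# programmed H(ID) = g^v Y^w.  For w != 0 it answers a key query with
#   d1 = X^{-v/w} g^{rv} Y^{rw},   d2 = g^r X^{-1/w},
# which the proof claims equals a real key with randomness r_hat = r - x/w.
def simulated_key(mpk, v, w, r):
    inv_w = pow(w, -1, P)                  # fails for w == 0: B must abort there
    d1 = gmul(gmul(gexp(mpk["X"], (-v * inv_w) % P), gexp(mpk["g"], r * v)),
              gexp(mpk["Y"], r * w))
    d2 = gmul(gexp(mpk["g"], r), gexp(mpk["X"], (-inv_w) % P))
    return d1, d2


def check_simulated_key(mpk, msk, v, w, r):
    """True iff B's key equals the honest key (Y^x Q^{r_hat}, g^{r_hat}) for Q = g^v Y^w."""
    Q = gmul(gexp(mpk["g"], v), gexp(mpk["Y"], w))
    r_hat = (r - msk["x"] * pow(w, -1, P)) % P
    honest = (gmul(gexp(mpk["Y"], msk["x"]), gexp(Q, r_hat)), gexp(mpk["g"], r_hat))
    return simulated_key(mpk, v, w, r) == honest


if __name__ == "__main__":
    mpk, msk = setup()
    d = keygen(mpk, msk, "alice@example.com")      # constructed sample identity
    C = encrypt(mpk, "alice@example.com", 4242)
    print("decrypts correctly:", decrypt(d, C) == 4242)
    print("simulated key matches:", check_simulated_key(mpk, msk, v=7, w=3, r=11))
```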

4 Chosen Ciphertext Security

Chatterjee and Sarkar [13] proposed a CCA construction of BB1-IBE based on the oracle decisional bilinear Diffie-Hellman (OBDH) assumption [24], which is stronger than the DBDH assumption. Their CCA construction is as follows: compared to Waters-IBE, the Setup and KeyGen remain unaltered. To encrypt a message $M$, first encapsulate a symmetric key $k := K(g^z, e(X,Y)^z)$, then set the ciphertext $C := (\mathrm{Enc}(k, M), g^z, Q^z)$. To decrypt, extract $e(X,Y)^z = e(d_1, g^z)/e(d_2, Q^z)$ using the corresponding private key $(d_1, d_2)$, then decapsulate the symmetric key $k$ using $K$. They claimed the proof of the CCA construction would be provided in the full version of their paper. However, their proof does not hold in the standard model as claimed. Consider the following attack by an adversary $\mathcal{A}$: suppose the challenge identity is $ID^*$; in Phase 2, $\mathcal{A}$ randomly picks $\hat{z} \in \mathbb{Z}_p$ and $M \in \mathcal{M}$, and sets the ciphertext $\hat{C} = (\mathrm{Enc}(k, M), g^{\hat{z}}, (Q^*)^{\hat{z}})$, where $k = K(g^{\hat{z}}, e(X,Y)^{\hat{z}})$ and $Q^* = H(ID^*)$. $\mathcal{A}$ issues the decryption query $\langle ID^*, \hat{C}\rangle$ to the simulator $\mathcal{B}$. Recall that for one identity, $\mathcal{B}$ can either embed the underlying intractable problem into it or extract its private key, but not both; therefore $\mathcal{B}$ has to abort, since it is unable to recover $e(X,Y)^{\hat{z}}$ without the corresponding private key and hence cannot answer the decryption query. Note that once the challenge identity is fixed in the challenge stage, $\mathcal{A}$ can always carry out the above attack in Phase 2. So their CCA construction is not provably secure in the standard model as claimed.

Interestingly, we point out that Chatterjee and Sarkar's CCA construction can be proven secure in the random oracle model. By modeling $K$ as a random oracle, the simulator can answer decryption queries even when it cannot extract the corresponding private keys. More precisely, the simulator sets the associated symmetric key $k := K(g^{\hat{z}}, *)$ and returns $\mathrm{Dec}(k, \hat{C}_1)$, where $*$ denotes the value $e(X,Y)^{\hat{z}}$ unknown to the simulator for the moment. The simulator uses the patching technique [21] with the help of a decision oracle to ensure that the simulation of $K$ is consistent throughout the game. The proof is elegant but has to rely on the OBDH assumption, which is stronger than the DBDH assumption, and much stronger than the CBDH assumption. Next we show how to adapt the twin technique [12] to achieve CCA security based on the CBDH assumption.

4.1 Twin Technique and Trapdoor Test

Cash, Kiltz and Shoup proposed a new computational problem called the twin (bilinear) Diffie-Hellman problem in [12]. They also designed a clever "trapdoor test" which allows a DH/BDH adversary to answer decision oracle queries of the twin DH/BDH problem (without knowing any of the corresponding discrete logarithms) correctly with high probability.

Theorem 4.1 (Trapdoor Test for the BDH Problem) Let $G$ and $G_T$ be two cyclic groups of prime order $p$, let $g$ be a generator of $G$, and let $e : G \times G \to G_T$ be a bilinear map. Suppose $X_1, t, s$ are mutually independent random variables, where $X_1$ takes values in $G$ and each of $t, s$ is uniformly distributed over $\mathbb{Z}_p$. Define the random variable $X_2 := g^s / X_1^t$, and suppose that $Y, Z$ are random variables taking values in $G$, and $\hat{T}_1, \hat{T}_2$ are two elements of $G_T$. Then we have:
1. $X_2$ is uniformly distributed over $G$;
2. If $X_1 = g^{x_1}$ and $X_2 = g^{x_2}$, then the probability that the truth value of
$$\hat{T}_1^t \hat{T}_2 = e(Y, Z)^s \tag{1}$$
does not agree with the truth value of
$$\hat{T}_1 = e(Y, Z)^{x_1} \ \wedge\ \hat{T}_2 = e(Y, Z)^{x_2} \tag{2}$$
is at most $1/p$; moreover, if (2) holds, then (1) certainly holds.

Proof. Observe that $s = t x_1 + x_2$. It is easy to verify that $X_2$ is uniformly distributed over $G$. To prove item 2, condition on fixed values of $X_1$ and $X_2$. In the resulting conditional probability space, while $X_1, X_2, Y, Z, \hat{T}_1$ and $\hat{T}_2$ are fixed, $t$ is uniformly distributed over $\mathbb{Z}_p$. If (2) holds, then by substituting the two equations in (2) into (1), we see that (1) certainly holds. Conversely, if (2) does not hold, we show that (1) holds with probability at most $1/p$. Observe that (1) is equivalent to
$$\left(\hat{T}_1 / e(Y,Z)^{x_1}\right)^t = e(Y,Z)^{x_2} / \hat{T}_2. \tag{3}$$
If $\hat{T}_1 = e(Y,Z)^{x_1}$ and $\hat{T}_2 \neq e(Y,Z)^{x_2}$, then (3) certainly does not hold. This leaves us with the case $\hat{T}_1 \neq e(Y,Z)^{x_1}$. In this case, the left hand side of the equation is a random element of $G_T$ (since $t$ is uniformly distributed over $\mathbb{Z}_p$), but the right hand side is a fixed element of $G_T$. Thus, (3) holds with probability $1/p$ in this case. □

4.2 CCA Construction from the Twin Technique

To suit the twin technique and the trapdoor test, we present the CCA construction of our scheme as follows.

Setup. Select random $x_1, x_2 \in \mathbb{Z}_p$ and $g, Y \in G$, and compute $X_1 = g^{x_1}$, $X_2 = g^{x_2}$. Pick two cryptographic hash functions $H : \{0,1\}^* \to G$ and $K : \{0,1\}^* \times G \times G_T \times G_T \to \{0,1\}^\lambda$. The master public parameters are $mpk = (g, X_1, X_2, Y, H, K)$. The master secret is $msk = (Y^{x_1}, Y^{x_2})$. Choose a CCA secure symmetric-key cipher SE with message length $n$ and key length $\lambda$.

KeyGen. To generate the private key $d_{ID}$ for an identity $ID \in \{0,1\}^*$, pick random $r_1, r_2 \in \mathbb{Z}_p$ and output
$$d_{ID} = (d_{11}, d_{12}, d_{21}, d_{22}) = (Y^{x_1} Q^{r_1}, g^{r_1}, Y^{x_2} Q^{r_2}, g^{r_2}) \in G^4,$$
where $Q = H(ID)$ can be viewed as the public key of the identity $ID$.

Encrypt. To encrypt a message $M \in \{0,1\}^n$ under the identity $ID$, randomly pick $z \in \mathbb{Z}_p$, set $k := K(ID, g^z, e(X_1,Y)^z, e(X_2,Y)^z)$, and output the ciphertext
$$C = (g^z, Q^z, \mathrm{Enc}(k, M)) \in G \times G \times \{0,1\}^n.$$
For a well-formed ciphertext, $e(C_1, Q)$ is equal to $e(C_2, g)$.

Decrypt. To decrypt a given ciphertext $C = (C_1, C_2, C_3)$ under $ID$, the algorithm first checks whether $e(C_1, Q) = e(C_2, g)$ holds. If not, it rejects the ciphertext. Otherwise, it uses the private key $d_{ID} = (d_{11}, d_{12}, d_{21}, d_{22})$ to compute
$$\frac{e(d_{11}, C_1)}{e(d_{12}, C_2)} = \frac{e(Y^{x_1} Q^{r_1}, g^z)}{e(g^{r_1}, Q^z)} = e(X_1, Y)^z, \qquad \frac{e(d_{21}, C_1)}{e(d_{22}, C_2)} = \frac{e(Y^{x_2} Q^{r_2}, g^z)}{e(g^{r_2}, Q^z)} = e(X_2, Y)^z,$$
then derives $k := K(ID, g^z, e(X_1,Y)^z, e(X_2,Y)^z)$ and returns $\mathrm{Dec}(k, C_3)$.

Remark 1. Our CCA scheme is essentially a KEM-DEM (Key Encapsulation Mechanism - Data Encapsulation Mechanism) construction. Compared to the CCA scheme obtained by applying the Fujisaki-Okamoto transformation [14], our CCA construction has a shorter ciphertext at the cost of one additional element in the public parameters.

Remark 2. The session key of BB1-IBE depends only on the randomness $z$ used by the encryption algorithm, which means an adversary learning one session key associated with the randomness $z$ is able to decrypt any ciphertext with the same randomness (the same first component $C_1$ of the ciphertext). Our CCA construction eliminates this issue by including the identity in the input of the hash function $K$.

4.3 Security Analysis

Theorem 4.2 Our CCA construction is IND-ID-CCA secure assuming $H$ and $K$ are random oracles, the CBDH assumption holds in the groups generated by GroupGen, and the underlying symmetric cipher SE is unbreakable under chosen ciphertext attack. Concretely, suppose there is an IND-ID-CCA adversary $\mathcal{A}$ that has advantage $\epsilon$ against the scheme and makes at most $Q_k$ $K$-queries and $Q_e > 0$ private key extraction queries. Then there is an algorithm $\mathcal{B}$ that solves the CBDH problem with advantage at least
$$\mathrm{Adv}_{\mathcal{B}} \ge 2\epsilon\left(1 - \frac{Q_k}{p}\right)\frac{1}{eQ_e}.$$

Proof. Suppose $\mathcal{A}$ has advantage $\epsilon$ in attacking the scheme. We build an algorithm $\mathcal{B}$ that solves the CBDH problem by interacting with $\mathcal{A}$ in an IND-ID-CCA game as follows.

Setup. Given the CBDH challenge $(g, g^x, g^y, g^z)$, $\mathcal{B}$ sets $X_1 = g^x$, $Y = g^y$, $Z = g^z$, randomly picks $s, t \in \mathbb{Z}_p$, and sets $X_2 = g^s / X_1^t$ (so $x_2 = s - t x_1$). The $mpk$ is $(g, X_1, X_2, Y)$. The corresponding $msk$, which is unknown to $\mathcal{B}$, is $(Y^{x_1}, Y^{x_2}) \in G^2$. From the perspective of the adversary $\mathcal{A}$ the distribution of the public parameters is identical to the real construction.

H-queries. The same as in the proof in Section 3.

K-queries. To respond to these queries $\mathcal{B}$ maintains a list of tuples $\langle ID, C_1, T_1, T_2, k\rangle$ as explained below. We refer to this list as the $R$ list; it is initially empty. When $\mathcal{A}$ queries $K$ at the point $(ID, C_1, T_1, T_2)$, $\mathcal{B}$ proceeds as follows:
1. If there is already an entry indexed by $(ID, C_1, T_1, T_2)$, then it returns the corresponding $k$.
2. Otherwise, it generates a random $k \in \{0,1\}^\lambda$, inserts $\langle ID, C_1, T_1, T_2, k\rangle$ into the $R$ list, and responds with $k$.
For each new tuple, $\mathcal{B}$ marks it as "good" or "bad" according to the trapdoor test: if $T_1^t T_2 = e(Y, C_1)^s$ holds it marks the tuple "good", otherwise "bad".

Phase 1 - Private key queries. Upon receiving a private key query for an identity $ID$, $\mathcal{B}$ runs the above algorithm to obtain $H(ID) = Q$. Let $\langle ID, v, w\rangle$ be the corresponding tuple on $L$. If $w = 0$, $\mathcal{B}$ aborts. Otherwise, $\mathcal{B}$ picks random $r_1, r_2 \in \mathbb{Z}_p$ and constructs the private key $d = (d_{11}, d_{12}, d_{21}, d_{22})$ as
$$d_{11} = X_1^{-\frac{v}{w}} g^{r_1 v} Y^{r_1 w} = Y^{x_1}(g^v Y^w)^{r_1 - \frac{x_1}{w}} = Y^{x_1}(H(ID))^{\hat{r}_1} = Y^{x_1} Q^{\hat{r}_1},$$
$$d_{12} = g^{r_1} X_1^{-\frac{1}{w}} = g^{r_1 - \frac{x_1}{w}} = g^{\hat{r}_1},$$
$$d_{21} = X_2^{-\frac{v}{w}} g^{r_2 v} Y^{r_2 w} = Y^{x_2}(g^v Y^w)^{r_2 - \frac{x_2}{w}} = Y^{x_2}(H(ID))^{\hat{r}_2} = Y^{x_2} Q^{\hat{r}_2},$$
$$d_{22} = g^{r_2} X_2^{-\frac{1}{w}} = g^{r_2 - \frac{x_2}{w}} = g^{\hat{r}_2},$$
where $\hat{r}_1 = r_1 - \frac{x_1}{w}$ and $\hat{r}_2 = r_2 - \frac{x_2}{w}$. It is easy to see that $\mathcal{B}$ can always answer the private key queries iff $w \neq 0$.

Phase 1 - Decryption queries. Let $\langle ID, C\rangle$ be a decryption query issued by $\mathcal{A}$, where $C = (C_1, C_2, C_3) = (g^z, Q^z, \mathrm{Enc}(k, M))$.
1. If $\mathcal{B}$ can extract the private key of $ID$, it answers the decryption query normally using the private key.
2. Otherwise, $\mathcal{B}$ first checks whether $e(C_1, Q) = e(C_2, g)$ holds. If not, $\mathcal{B}$ rejects the ciphertext. Else, $\mathcal{B}$ checks whether there is a "good" tuple in the $R$ list indexed by $(ID, C_1)$; if so, $\mathcal{B}$ uses the associated $k$; if not, $\mathcal{B}$ generates a random $k \in \{0,1\}^\lambda$ and stays on the lookout for a good tuple indexed by $(ID, C_1)$ in future $K$-queries, associating this key with that tuple to keep the simulation consistent.

Challenge. The adversary $\mathcal{A}$ submits two messages $M_0, M_1 \in \{0,1\}^n$ and an identity $ID^*$ on which it wishes to be challenged. Suppose $\langle ID^*, v^*, w^*\rangle$ is the corresponding entry on the $L$ list. If $w^* \neq 0$, $\mathcal{B}$ aborts. Otherwise, $\mathcal{B}$ checks whether the entry indexed by $(ID^*, Z)$ on the $R$ list is marked as good. If so, $\mathcal{B}$ uses the associated $k$. If not, $\mathcal{B}$ generates a random symmetric key and watches for a good tuple to come up as a $K$-hash query; when it sees one, it "patches" that query by returning the symmetric key generated earlier. $\mathcal{B}$ flips a fair coin $\beta \in \{0,1\}$ and returns the challenge ciphertext
$$C = (Z, Z^{v^*}, \mathrm{Enc}(k, M_\beta)).$$
$C$ is a valid encryption of $M_\beta$ under $ID^*$ since $Z^{v^*} = (g^{v^*})^z = (Q^*)^z$, where $Q^* = g^{v^*} Y^{w^*} = g^{v^*}$.

Phase 2. $\mathcal{B}$ responds to private key extraction queries and decryption queries the same way it did in Phase 1.

Guess. Finally, the adversary $\mathcal{A}$ outputs a guess $\beta'$ for $\beta$. $\mathcal{B}$ examines the $R$ list and looks for a good entry of the form $\langle ID^*, Z, T_1, T_2, k\rangle$. If it finds one, it outputs $T_1$ as its answer to the CBDH challenge. It is straightforward to check that a good entry of the form $\langle ID^*, Z, T_1, T_2, k\rangle$ appears on the final $R$ list with probability $2\epsilon$ whenever $\mathcal{A}$ breaks the IND-ID-CCA security of our CCA construction with advantage $\epsilon$. The analysis of the probability that $\mathcal{B}$ aborts during the simulation is the same as that of the CPA scheme in Section 3:
$$\Pr[\overline{\mathsf{abort}}] = \Pr[\neg E_2 \mid \neg E_1]\Pr[\neg E_1] = \frac{1}{m}\left(1 - \frac{1}{m}\right)^{Q_e}. \tag{4}$$
$\Pr[\overline{\mathsf{abort}}]$ is maximized to $1/eQ_e$ by setting $m_{opt} = 1 + Q_e$. To complete the proof of Theorem 4.2 it remains to calculate the probability that $K$ is perfectly simulated.

Lemma 1. The $K$ oracle can be simulated perfectly with probability at least $1 - Q_k/p$.

Proof. Note that the probability that the BDH trapdoor test described in Section 4.1 returns a wrong decision for a distinguished query is at most $1/p$, and this can happen at most $Q_k$ times. Therefore $\mathcal{B}$ can use the trapdoor test to mark all the entries on the $R$ list correctly with probability at least $1 - Q_k/p$. Lemma 1 follows immediately.

Combining Equation (4) and Lemma 1, $\mathcal{B}$'s advantage is at least $2\epsilon(1 - Q_k/p)/eQ_e$, as required. □
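As an added example (not the paper's code), in the same toy logarithm representation used for the Section 3 sketch, this Python block implements the KEM half of the Section 4.2 construction (twin keys, the well-formedness check e(C1, Q) = e(C2, g), and the derivation of k) together with the trapdoor test of Theorem 4.1 as the simulator of Theorem 4.2 applies it to mark a K-query "good"; the DEM is omitted, and the toy prime, the SHA-256 stand-ins for H and K, and all function names are assumptions of this example.

```python
import hashlib
import secrets

# Toy logarithm representation, constructed for this example and NOT secure:
# elements of G and G_T are stored as discrete logs, so e(g^a, g^b) is a*b mod P,
# a product in G or G_T is a sum of logs, and a power is a product of logs.
P = 1_000_003  # assumed toy prime group order


def pair(a, b):
    return (a * b) % P


def H(identity):
    """Identity hash to G (SHA-256 stand-in for the random oracle H)."""
    return int.from_bytes(hashlib.sha256(identity.encode()).digest(), "big") % P


def K(identity, C1, T1, T2):
    """Key derivation K: {0,1}* x G x G_T x G_T -> {0,1}^256 (SHA-256 stand-in).
    Binding the identity into the key is what Remark 2 relies on."""
    return hashlib.sha256(f"{identity}|{C1}|{T1}|{T2}".encode()).digest()


def rand_zp():
    return secrets.randbelow(P - 1) + 1


def setup():
    """mpk = (g, X1, X2, Y); msk keeps (x1, x2), from which (Y^{x1}, Y^{x2}) follows."""
    x1, x2, y = rand_zp(), rand_zp(), rand_zp()
    return {"g": 1, "X1": x1, "X2": x2, "Y": y}, {"x1": x1, "x2": x2}


def keygen(mpk, msk, identity):
    """d_ID = (Y^{x1} Q^{r1}, g^{r1}, Y^{x2} Q^{r2}, g^{r2}) with Q = H(ID)."""
    Q = H(identity)
    r1, r2 = rand_zp(), rand_zp()
    y = mpk["Y"]
    return ((y * msk["x1"] + Q * r1) % P, r1, (y * msk["x2"] + Q * r2) % P, r2)


def encapsulate(mpk, identity):
    """KEM half of Encrypt: returns (C1, C2) = (g^z, Q^z) and the DEM key k."""
    z = rand_zp()
    Q = H(identity)
    T1 = pair(mpk["X1"], mpk["Y"]) * z % P     # e(X1, Y)^z
    T2 = pair(mpk["X2"], mpk["Y"]) * z % P     # e(X2, Y)^z
    C1, C2 = z, Q * z % P
    return (C1, C2), K(identity, C1, T1, T2)


def decapsulate(mpk, identity, d_id, C1, C2):
    """KEM half of Decrypt: None for a malformed (C1, C2), else the DEM key k."""
    Q = H(identity)
    if pair(C1, Q) != pair(C2, mpk["g"]):      # well-formedness: e(C1,Q) == e(C2,g)
        return None
    d11, d12, d21, d22 = d_id
    T1 = (pair(d11, C1) - pair(d12, C2)) % P   # e(d11,C1)/e(d12,C2) = e(X1,Y)^z
    T2 = (pair(d21, C1) - pair(d22, C2)) % P   # e(d21,C1)/e(d22,C2) = e(X2,Y)^z
    return K(identity, C1, T1, T2)


# Simulator side (Theorem 4.2): B receives X1 = g^x and Y = g^y with x, y unknown,
# draws s, t and sets X2 = g^s / X1^t.  The toy model passes the logs in so the
# caller can build honest (T1, T2) values, but trapdoor_test itself uses only
# s, t and public values, exactly as B does.
def simulator_setup(x1_log, y_log):
    s, t = rand_zp(), rand_zp()
    X2 = (s - t * x1_log) % P                   # log of g^s / X1^t
    return {"g": 1, "X1": x1_log, "X2": X2, "Y": y_log}, s, t


def trapdoor_test(mpk, s, t, C1, T1, T2):
    """Theorem 4.1 check used to mark an R-list entry 'good': T1^t * T2 == e(Y, C1)^s.
    A wrong (T1, T2) passes only with probability 1/p (here 1/P)."""
    lhs = (t * T1 + T2) % P                     # T1^t * T2 in G_T
    rhs = pair(mpk["Y"], C1) * s % P            # e(Y, C1)^s
    return lhs == rhs


if __name__ == "__main__":
    mpk, msk = setup()
    d = keygen(mpk, msk, "bob@example.com")     # constructed sample identity
    (C1, C2), k = encapsulate(mpk, "bob@example.com")
    print("key recovered:", decapsulate(mpk, "bob@example.com", d, C1, C2) == k)
    print("tampered C2 rejected:",
          decapsulate(mpk, "bob@example.com", d, C1, C2 + 1) is None)
```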

5 Further Discussion

The proof technique we use is essentially the "partitioning strategy" summarized by Waters in [28]. In the security reduction, the simulation algorithm partitions the identity space $\mathcal{I}$ into two subspaces: (1) $\mathcal{I}_1$ - identities for which the simulator can create private keys; and (2) $\mathcal{I}_2$ - identities into which the simulator can embed the underlying intractable problem. In order to have a successful simulation, the simulator expects that the identities queried for private keys in Phase 1 or Phase 2 come from $\mathcal{I}_1$ and the challenge identity comes from $\mathcal{I}_2$. We remark that the two subspaces are disjoint and together cover $\mathcal{I}$, i.e. $\mathcal{I} = \mathcal{I}_1 \cup \mathcal{I}_2$ and $\mathcal{I}_1 \cap \mathcal{I}_2 = \emptyset$. $H(ID)$ is programmed to be the binomial combination $g^v Y^w$ based on the two generators $(g, Y)$; thereby the public key space corresponding to $\mathcal{I}$ is $\{g^v Y^w : v \in \mathbb{Z}_p, w \in \mathbb{Z}_m\}$, the public key space corresponding to $\mathcal{I}_1$ is $\{g^v Y^w : v \in \mathbb{Z}_p, w \in \mathbb{Z}_m^*\}$, and the public key space corresponding to $\mathcal{I}_2$ is $\{g^v Y^w : v \in \mathbb{Z}_p, w = 0\}$. It is easy to see that $|\mathcal{I}_2|/|\mathcal{I}_1| = 1/(m-1)$. Recall from the proofs in Section 3 and Section 4 that $m$ is the crucial factor that dominates the tightness of the reduction.

Our scheme and Waters-IBE are quite similar to BB1-IBE. Apart from notational differences, the distinguishing feature is the construction of the identity hash function (IHF). Using uniform notation, we review the identity hash functions of BB1-IBE, Waters-IBE, and our scheme as follows:
– In BB1-IBE [5], $\mathrm{IHF}(ID) = U' Y^{F(ID)}$, where $U', Y$ are elements of $G$ and $F : \mathcal{ID} \to \mathbb{Z}_p$ is a hash function.
– In Waters-IBE [27], $\mathrm{IHF}(ID) = U' \prod_{i=1}^{n} U_i^{v_i}$ ($U'$ and $U_i$ are elements of $G$, and $v_i$ is the $i$-th bit of the bitstring $ID$), which is known as the Waters hash. Recently, Hofheinz and Kiltz [18] pointed out that the Waters hash is essentially a $(1, \mathrm{poly})$-programmable hash function.
– In our scheme, $\mathrm{IHF}(ID) = H(ID)$, where $H : \{0,1\}^* \to G$ is modeled as a random oracle, which is an ideally programmable hash function.

6 Conclusion

In this paper we proposed a novel IBE scheme of BB1-style, which can be viewed as an efficient variant of BB1-IBE in the random oracle model. Our scheme can benefit the schemes that were built on BB1-IBE (proven fully secure in the random oracle model). We also propose a CCA construction for our scheme from the twin technique. Our analysis indicates that the concrete construction of the identity hash function is an important factor in determining whether we can achieve an efficient or only a loose security reduction, with or without random oracles.

7 Acknowledgements

We would like to thank the anonymous reviewers for their valuable suggestions.

References

1. Abdalla, M., Catalano, D., Dent, A., Malone-Lee, J., Neven, G., Smart, N.: Identity-Based Encryption Gone Wild. In: ICALP 2006. LNCS, vol. 4052, pp. 300–311 (2006)
2. Bellare, M., Rogaway, P.: Random Oracles are Practical: A Paradigm for Designing Efficient Protocols. In: ACM Conference on Computer and Communications Security, pp. 62–73 (1995)
3. Bellare, M., Rogaway, P.: The Exact Security of Digital Signatures - How to Sign with RSA and Rabin. In: Advances in Cryptology - EUROCRYPT 1996. LNCS, vol. 1070, pp. 399–416 (1996)
4. Bethencourt, J., Sahai, A., Waters, B.: Ciphertext-Policy Attribute-Based Encryption. In: IEEE Symposium on Security and Privacy 2007 (SP 2007), pp. 321–334 (2007)
5. Boneh, D., Boyen, X.: Efficient Selective-ID Secure Identity Based Encryption without Random Oracles. In: Advances in Cryptology - EUROCRYPT 2004. LNCS, vol. 3027, pp. 223–238 (2004)
6. Boneh, D., Boyen, X., Goh, E.J.: Hierarchical Identity Based Encryption with Constant Size Ciphertext. In: Advances in Cryptology - EUROCRYPT 2005. LNCS, vol. 3494, pp. 440–456 (2005)
7. Boneh, D., Franklin, M.: Identity-Based Encryption from the Weil Pairing. In: Advances in Cryptology - CRYPTO 2001. LNCS, vol. 2139, pp. 213–229 (2001)
8. Boneh, D., Franklin, M.K.: Identity-Based Encryption from the Weil Pairing. SIAM Journal on Computing 32, 586–615 (2003)
9. Boyen, X.: General Ad Hoc Encryption from Exponent Inversion IBE. In: Advances in Cryptology - EUROCRYPT 2007. LNCS, vol. 4515, pp. 394–411 (2007)
10. Boyen, X., Mei, Q., Waters, B.: Direct Chosen Ciphertext Security from Identity-Based Techniques. In: ACM CCS 2005, pp. 320–329 (2005)
11. Canetti, R., Halevi, S., Katz, J.: A Forward-Secure Public-Key Encryption Scheme. In: Advances in Cryptology - EUROCRYPT 2003. LNCS, vol. 2656, pp. 255–271 (2003)
12. Cash, D., Kiltz, E., Shoup, V.: The Twin Diffie-Hellman Problem and Applications. In: Advances in Cryptology - EUROCRYPT 2008. LNCS, vol. 4965, pp. 127–145 (2008)
13. Chatterjee, S., Sarkar, P.: Trading Time for Space: Towards an Efficient IBE Scheme with Short(er) Public Parameters in the Standard Model. In: International Conference on Information Security and Cryptology - ICISC 2005. LNCS, vol. 3935, pp. 424–440 (2005)
14. Fujisaki, E., Okamoto, T.: Secure Integration of Asymmetric and Symmetric Encryption Schemes. In: Advances in Cryptology - CRYPTO 1999. LNCS, vol. 1666, pp. 537–554 (1999)
15. Gentry, C.: Practical Identity-Based Encryption Without Random Oracles. In: Advances in Cryptology - EUROCRYPT 2006. LNCS, vol. 4004, pp. 445–464 (2006)
16. Halevi, S., Rogaway, P.: A Tweakable Enciphering Mode. In: Advances in Cryptology - CRYPTO 2003. LNCS, vol. 2729, pp. 482–499 (2003)
17. Halevi, S., Rogaway, P.: A Parallelizable Enciphering Mode. In: CT-RSA 2004. LNCS, vol. 2964, pp. 292–304 (2004)
18. Hofheinz, D., Kiltz, E.: Programmable Hash Functions and Their Applications. In: Advances in Cryptology - CRYPTO 2008. LNCS, vol. 5157, pp. 21–38 (2008)
19. Horwitz, J., Lynn, B.: Toward Hierarchical Identity-Based Encryption. In: Advances in Cryptology - EUROCRYPT 2002. LNCS, vol. 2322, pp. 466–481 (2002)
20. Huang, X., Mu, Y., Susilo, W., Wu, W., Xiang, Y.: Further Observations on Optimistic Fair Exchange Protocols in the Multi-User Setting. In: Public Key Cryptography - PKC 2010. LNCS, vol. 6056, pp. 124–141 (2010)
21. Libert, B., Quisquater, J.J.: Identity Based Encryption without Redundancy. In: International Conference on Applied Cryptography and Network Security - ACNS 2005. LNCS, vol. 3531, pp. 285–300 (2005)
22. Naccache, D.: Secure and Practical Identity-Based Encryption. Cryptology ePrint Archive, Report 2005/369 (2005), http://eprint.iacr.org/
23. Sahai, A., Waters, B.: Fuzzy Identity Based Encryption. In: Advances in Cryptology - EUROCRYPT 2005. LNCS, vol. 3494, pp. 457–473 (2005)
24. Sarkar, P.: HEAD: Hybrid Encryption with Delegated Decryption Capability. In: Progress in Cryptology - INDOCRYPT 2004. LNCS, vol. 3348, pp. 230–244 (2004)
25. Shamir, A.: Identity-Based Cryptosystems and Signature Schemes. In: Advances in Cryptology - CRYPTO 1984. LNCS, vol. 196, pp. 47–53 (1984)
26. U.S. Department of Commerce/National Bureau of Standards, National Technical Information Service, Springfield, Virginia: FIPS 197: Advanced Encryption Standard. Federal Information Processing Standards Publication 197 (2001)
27. Waters, B.: Efficient Identity-Based Encryption Without Random Oracles. In: Advances in Cryptology - EUROCRYPT 2005. LNCS, vol. 3494, pp. 114–127 (2005)
28. Waters, B.: Dual System Encryption: Realizing Fully Secure IBE and HIBE under Simple Assumptions. In: Advances in Cryptology - CRYPTO 2009. LNCS, vol. 5677, pp. 619–636 (2009)

A Identity Based Encryption

Recall that an IBE scheme consists of four algorithms [8, 25], Setup, Extract, Encrypt and Decrypt, as follows:

– Setup: takes as input a security parameter 1^κ, and returns the system public parameters mpk and the master secret msk. The descriptions of the message space M and of the ciphertext space C are included in the system parameters.
– Extract: takes as input mpk, msk and an arbitrary identity ID ∈ {0, 1}*, and returns the associated private key d_ID.
– Encrypt: takes as input mpk, ID, and M ∈ M, and returns a ciphertext C ∈ C.
– Decrypt: takes as input mpk, C ∈ C, and a private key d_ID, and returns M ∈ M.

A.1 Security of Chosen Ciphertext Attack for IBE

Boneh and Franklin formalized chosen ciphertext security for IBE in [7, 8]. Concretely, an IBE scheme E is said to be secure against adaptive chosen ciphertext attack (IND-ID-CCA) if no probabilistic polynomial time (PPT) algorithm A has a non-negligible advantage against the challenger in the following game:

Setup. The challenger takes the security parameter 1^κ and runs the Setup algorithm. It gives the adversary the resulting system parameters and keeps the master secret to itself.

Phase 1. The adversary issues queries q_1, . . . , q_m, where query q_i is one of:
– Extraction query ⟨ID_i⟩. The challenger responds by running algorithm Extract to generate the private key d_i corresponding to ID_i. It sends d_i to the adversary A.
– Decryption query ⟨ID_i, C_i⟩. The challenger responds by running algorithm Extract to generate the private key d_i corresponding to ID_i. It then runs algorithm Decrypt to decrypt the ciphertext C_i using the private key d_i. It sends the resulting plaintext to the adversary A.
These queries may be asked adaptively, that is, each query q_i may depend on the replies to q_1, . . . , q_{i−1}.

Challenge. Once the adversary decides that Phase 1 is over, it outputs two equal-length plaintexts M_0, M_1 ∈ M and an identity ID* on which it wishes to be challenged. The only constraint is that ID* did not appear in any private key extraction query in Phase 1. The challenger picks a random bit β ∈ {0, 1} and sets C* = Encrypt(mpk, ID*, M_β). It sends C* as the challenge to the adversary.

Phase 2. The adversary issues more queries q_{m+1}, . . . , q_r, where q_i is one of:
– Extraction query ⟨ID_i⟩ with the constraint that ID_i ≠ ID*. The challenger responds as in Phase 1.
– Decryption query ⟨ID_i, C_i⟩ ≠ ⟨ID*, C*⟩. The challenger responds as in Phase 1.
These queries may be asked adaptively as in Phase 1.

Guess. Finally, the adversary outputs a guess β' ∈ {0, 1} and wins the game if β = β'.

We refer to such an adversary A as an IND-ID-CCA adversary, whose advantage over the scheme E is defined by Adv^CCA_{E,A}(κ) = |Pr[β = β'] − 1/2|, where κ is the security parameter. The probability is over the random bits used by the challenger and the adversary.

Definition 1.1 We say that an IBE scheme E is IND-ID-CCA secure if for any probabilistic polynomial time IND-ID-CCA adversary A the advantage Adv^CCA_{E,A}(κ) is negligible.

B Symmetric-Key Encryption Scheme (SE)

A symmetric-key encryption scheme consists of two algorithms (Enc, Dec). For a symmetric key sk, the encryption algorithm Enc encrypts a plaintext M as C = Enc(sk, M); the decryption algorithm Dec decrypts a ciphertext C as M = Dec(sk, C). Moreover, we say that SE is length preserving if |Enc(sk, M)| = |M|.

Definition 2.1 A symmetric-key encryption scheme is IND-CCA secure if no probabilistic polynomial time (PPT) adversary A has a non-negligible advantage in the following game.
1. In the setup stage, the challenger randomly chooses a symmetric key sk.
2. In Phase 1, A starts probing the scheme by querying the encryption oracle Enc(sk, ·) and the decryption oracle Dec(sk, ·).
3. In the challenge stage, A outputs two equal-length messages (M_0, M_1) that were not submitted to Enc(sk, ·) or obtained from Dec(sk, ·) and gets C* = Enc(sk, M_β) for a random bit β ∈ {0, 1}.
4. In Phase 2, A issues new queries as in Phase 1 but is disallowed to ask for the decryption of C* and the encryptions of M_0 and M_1.
5. In the guess stage, A eventually outputs a guess β' for β.
A's advantage is defined by Adv_A(κ) = |Pr[β' = β] − 1/2|.

We will use a length preserving IND-CCA secure symmetric-key encryption scheme in our construction. Such a scheme can be built by applying the CMC [16] or EME [17] mode of operation to a block cipher, if the underlying block cipher is modeled as a strong pseudorandom permutation (for example, AES [26] can be used).
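Definition 2.1 as runnable code, added here as an illustration and not part of the paper: a challenger that enforces the five stages and their query restrictions, a constructed 4-round Feistel cipher keyed by HMAC-SHA256 that stands in for the CMC/EME wide-block modes cited above (it handles a single 32-byte block, an assumption of this demo, not arbitrary lengths), and a constructed XOR-pad scheme that is length preserving but malleable. The adversary flips one bit of C*, asks for the decryption of the result (a legal query, since it differs from C*), and checks which challenge message comes back shifted by that bit.

```python
"""IND-CCA game of Definition 2.1 for a length-preserving symmetric scheme.
Constructed example, not from the paper: a challenger enforcing the game's
rules, a 4-round Feistel cipher keyed by HMAC-SHA256 as a stand-in for a
CMC/EME-style strong PRP, and an XOR-pad scheme that is length preserving
but malleable.  Messages are fixed to BLOCK = 32 bytes (an assumption)."""
import hashlib, hmac, secrets

BLOCK = 32            # assumed message/ciphertext length in bytes
HALF = BLOCK // 2

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _round(sk, i, data):
    """Round function F_i(data) = HMAC-SHA256(sk, i || data) truncated to HALF bytes."""
    return hmac.new(sk, bytes([i]) + data, hashlib.sha256).digest()[:HALF]

# Scheme 1: 4-round Feistel (Luby-Rackoff) on one block; deterministic and
# length preserving, a strong PRP when the round functions are PRFs.
def feistel_enc(sk, m):
    assert len(m) == BLOCK
    left, right = m[:HALF], m[HALF:]
    for i in range(4):
        left, right = right, _xor(left, _round(sk, i, right))
    return left + right

def feistel_dec(sk, c):
    left, right = c[:HALF], c[HALF:]
    for i in reversed(range(4)):               # undo the rounds in reverse order
        left, right = _xor(right, _round(sk, i, left)), left
    return left + right

# Scheme 2: XOR with a key-derived pad; length preserving, but flipping a
# ciphertext bit flips the same plaintext bit, so decryption queries leak beta.
def xor_enc(sk, m):
    return _xor(m, hashlib.sha256(sk).digest())

xor_dec = xor_enc                               # the pad is its own inverse

class Challenger:
    """Challenger of Definition 2.1; raises ValueError on a disallowed query."""
    def __init__(self, enc, dec):
        self.enc, self.dec = enc, dec
        self.sk = secrets.token_bytes(32)       # stage 1: random symmetric key
        self.seen = set()                       # plaintexts sent to Enc or returned by Dec
        self.challenge = None                   # (M0, M1, C*) after stage 3
        self.beta = None

    def enc_query(self, m):
        if self.challenge and m in self.challenge[:2]:
            raise ValueError("Phase 2 forbids Enc(M0) and Enc(M1)")
        self.seen.add(m)
        return self.enc(self.sk, m)

    def dec_query(self, c):
        if self.challenge and c == self.challenge[2]:
            raise ValueError("Phase 2 forbids Dec(C*)")
        m = self.dec(self.sk, c)
        self.seen.add(m)
        return m

    def challenge_query(self, m0, m1):
        if self.challenge is not None or len(m0) != len(m1):
            raise ValueError("one challenge on equal-length messages only")
        if m0 in self.seen or m1 in self.seen:
            raise ValueError("M0, M1 must be fresh w.r.t. earlier Enc/Dec queries")
        self.beta = secrets.randbelow(2)
        c_star = self.enc(self.sk, (m0, m1)[self.beta])
        self.challenge = (m0, m1, c_star)
        return c_star

    def wins(self, guess):
        return guess == self.beta

def malleability_adversary(ch):
    """Flips one bit of C*, decrypts the result (C' != C*, so legal), and compares."""
    m0, m1 = b"\x00" * BLOCK, b"\xff" * BLOCK   # constructed challenge messages
    c_star = ch.challenge_query(m0, m1)
    delta = b"\x01" + b"\x00" * (BLOCK - 1)
    m_prime = ch.dec_query(_xor(c_star, delta))
    if m_prime == _xor(m0, delta):
        return 0
    if m_prime == _xor(m1, delta):
        return 1
    return secrets.randbelow(2)                 # nothing leaked: guess at random

def estimate_advantage(enc, dec, trials=200):
    """Empirical |Pr[beta' = beta] - 1/2| of malleability_adversary over trials."""
    won = 0
    for _ in range(trials):
        ch = Challenger(enc, dec)
        won += ch.wins(malleability_adversary(ch))
    return abs(won / trials - 0.5)

def rules_enforced():
    """True if the challenger refuses Dec(C*) and Enc(M1) after the challenge."""
    ch = Challenger(feistel_enc, feistel_dec)
    c_star = ch.challenge_query(b"a" * BLOCK, b"b" * BLOCK)
    for bad in (lambda: ch.dec_query(c_star), lambda: ch.enc_query(b"b" * BLOCK)):
        try:
            bad()
            return False
        except ValueError:
            pass
    return True
```

Against the XOR-pad scheme the adversary wins every trial, so `estimate_advantage(xor_enc, xor_dec)` is 0.5, the maximum; against the Feistel cipher the modified ciphertext decrypts to an unrelated block and the estimate stays near 0. Because a length-preserving scheme of this kind is deterministic, the restrictions on Enc(M_0), Enc(M_1) and on messages already seen are what keep the game meaningful; the challenger rejects exactly those queries.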
