
Here, we show a generic construction of CCA-secure PKE from an IBE scheme and a $Q$-fold OTS scheme. We require that in the original IBE scheme, the key generation algorithm does not output any secret parameter, namely that $\mathsf{sp} = \bot$. This requirement is satisfied in all of our IBE schemes except for that in Section 7. If the original IBE and $Q$-fold OTS schemes are tightly secure, the resulting PKE is tightly secure as well. We construct the PKE scheme $\Psi$ from an IBE scheme $\Phi = (\Phi.\mathsf{Par}, \Phi.\mathsf{Gen}, \Phi.\mathsf{Ext}, \Phi.\mathsf{Enc}, \Phi.\mathsf{Dec})$ and a $Q$-fold OTS scheme $\Sigma = (\Sigma.\mathsf{Par}, \Sigma.\mathsf{Gen}, \Sigma.\mathsf{Sign}, \Sigma.\mathsf{Verify})$ as follows. Without loss of generality, we assume that the identity space of $\Phi$ contains all possible $\mathsf{vk}$ output by $\Sigma.\mathsf{Gen}$.

$\Psi.\mathsf{Par}(1^\kappa)$: It runs $\Sigma.\mathsf{Par}(1^\kappa) \to \mathsf{pp}_\Sigma$ and $\Phi.\mathsf{Par}(1^\kappa) \to (\mathsf{pp}_\Phi, \mathsf{sp} = \bot)$. Then, it outputs $\mathsf{pp}_\Psi = (\mathsf{pp}_\Phi, \mathsf{pp}_\Sigma)$.

$\Psi.\mathsf{Gen}(\mathsf{pp}_\Psi)$: It parses $\mathsf{pp}_\Psi \to (\mathsf{pp}_\Phi, \mathsf{pp}_\Sigma)$ and runs $\Phi.\mathsf{Gen}(\mathsf{pp}_\Phi, \mathsf{sp} = \bot) \to (\mathsf{mpk}, \mathsf{msk})$. Then, it outputs the encryption key $\mathsf{ek} = (\mathsf{pp}_\Phi, \mathsf{pp}_\Sigma, \mathsf{mpk})$ and the decryption key $\mathsf{dk} = (\mathsf{mpk}, \mathsf{msk})$.

$\Psi.\mathsf{Enc}(\mathsf{ek}, M)$: It first parses $\mathsf{ek} \to (\mathsf{pp}_\Phi, \mathsf{pp}_\Sigma, \mathsf{mpk})$. Then, it runs $\Sigma.\mathsf{Gen}(\mathsf{pp}_\Sigma) \to (\mathsf{vk}, \mathsf{sigk})$, $\Phi.\mathsf{Enc}(\mathsf{mpk}, \mathsf{vk}, M) \to \mathsf{CT}_\Phi$, and $\Sigma.\mathsf{Sign}(\mathsf{sigk}, \mathsf{CT}_\Phi) \to \sigma$. Finally, it outputs $\mathsf{CT}_\Psi = (\mathsf{vk}, \mathsf{CT}_\Phi, \sigma)$.

$\Psi.\mathsf{Dec}(\mathsf{dk}, \mathsf{CT}_\Psi)$: It first parses the ciphertext as $\mathsf{CT}_\Psi \to (\mathsf{vk}, \mathsf{CT}_\Phi, \sigma)$. Any ciphertext not satisfying this format is rejected (i.e., the decryption algorithm outputs $\bot$). Then, it checks whether $\sigma$ is a valid signature on $\mathsf{CT}_\Phi$ by running $\Sigma.\mathsf{Verify}(\mathsf{vk}, \mathsf{CT}_\Phi, \sigma)$. If it is $0$, the decryption algorithm outputs $\bot$. Otherwise, it runs $\Phi.\mathsf{Ext}(\mathsf{msk}, \mathsf{mpk}, \mathsf{vk}) \to \mathsf{sk}_{\mathsf{vk}}$ and outputs $\Phi.\mathsf{Dec}(\mathsf{sk}_{\mathsf{vk}}, \mathsf{CT}_\Phi) \to M$ or $\bot$.
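As an added example (not code from the paper), the wrapper $\Psi$ above written out end to end: $\Sigma$ is a real Lamport one-time signature with a fresh key per ciphertext, while $\Phi$ is an assumed keyed-hash stand-in that only supplies the $\mathsf{Ext}/\mathsf{Enc}/\mathsf{Dec}$ interface and is not an IBE; all function names are assumptions. It shows the two rejection paths of $\Psi.\mathsf{Dec}$ (wrong format, failed signature check) before any key extraction happens.

```python
import hashlib, hmac, os

def _h(b):
    return hashlib.sha256(b).digest()
def _bit(d, i):                        # i-th bit of a 32-byte digest
    return (d[i // 8] >> (7 - i % 8)) & 1

# Sigma: Lamport one-time signature (a real OTS). pke_enc runs ots_gen afresh
# per ciphertext, which is the one-key-per-ciphertext (Q-fold) use of Psi.
def ots_gen():
    sigk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    return [(_h(a), _h(b)) for a, b in sigk], sigk     # (vk, sigk)
def ots_sign(sigk, msg):
    d = _h(msg)
    return [sigk[i][_bit(d, i)] for i in range(256)]
def ots_verify(vk, msg, sig):
    d = _h(msg)
    return len(vk) == len(sig) == 256 and all(
        _h(sig[i]) == vk[i][_bit(d, i)] for i in range(256))

# Phi stand-in (assumption: NOT an IBE and not public-key; it only supplies the
# Ext/Enc/Dec interface so the Psi wrapper can run). Messages are <= 32 bytes.
def ibe_gen():
    msk = os.urandom(32)
    return msk, msk                                    # (mpk, msk) coincide here
def ibe_ext(msk, ident):
    return hmac.new(msk, ident, hashlib.sha256).digest()
def ibe_enc(mpk, ident, m):                # one-time pad derived from the identity key
    return bytes(x ^ y for x, y in zip(m, _h(ibe_ext(mpk, ident))))
def ibe_dec(sk_id, ct):
    return bytes(x ^ y for x, y in zip(ct, _h(sk_id)))

def vk_bytes(vk):                          # the IBE identity is the serialised vk
    return b"".join(a + b for a, b in vk)
# Psi: the generic construction described on the page.
def pke_gen():
    mpk, msk = ibe_gen()
    return mpk, (mpk, msk)                 # (ek, dk)
def pke_enc(ek, m):
    vk, sigk = ots_gen()
    ct_phi = ibe_enc(ek, vk_bytes(vk), m)  # encrypt to identity vk
    return (vk, ct_phi, ots_sign(sigk, ct_phi))
def pke_dec(dk, ct):
    _, msk = dk
    if not (isinstance(ct, tuple) and len(ct) == 3):
        return None                        # wrong format: output bottom
    vk, ct_phi, sig = ct
    if not ots_verify(vk, ct_phi, sig):
        return None                        # invalid signature: output bottom
    return ibe_dec(ibe_ext(msk, vk_bytes(vk)), ct_phi)
```

A decryption query that reuses a challenge $\mathsf{vk}$ with a modified $\mathsf{CT}_\Phi$ is exactly the (Case B) event of the proof below; here it fails the signature check, as it must without an OTS forgery.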

Theorem 16. For any valid adversary $\mathcal{A}$ against the above PKE scheme, there exist adversaries $\mathcal{B}_1$ and $\mathcal{B}_2$ such that

$$\mathrm{Adv}^{\mathrm{PKE}}_{\mathcal{A},\Psi,(\mu,Q_c,Q_k)}(\kappa) \le \mathrm{Adv}^{\mathrm{OTS}}_{\mathcal{B}_1,\Sigma,Q_c}(\kappa) + \mathrm{Adv}^{\mathrm{IBE}}_{\mathcal{B}_2,\Phi,(\mu,Q_c,Q_k)}(\kappa)$$

and $\max\{\mathrm{Time}(\mathcal{B}_1), \mathrm{Time}(\mathcal{B}_2)\} \approx \mathrm{Time}(\mathcal{A}) + (\mu + Q_k + Q_c) \cdot \mathrm{poly}(\kappa)$, where $\mathrm{poly}(\kappa)$ is independent of $\mathrm{Time}(\mathcal{A})$.

Proof. We prove the theorem by the following sequence of games. We write $\mathrm{Adv}_{xx}(\kappa)$ to denote the advantage of $\mathcal{A}$ in $\mathsf{Game}_{xx}$.

$\mathsf{Game}_0$: This is the real security game.

$\mathsf{Game}_1$: In this game, the challenger runs $\Sigma.\mathsf{Par}(1^\kappa) \to \mathsf{pp}_\Sigma$ and $(\mathsf{vk}_i, \mathsf{sigk}_i) \xleftarrow{\$} \Sigma.\mathsf{Gen}(\mathsf{pp}_\Sigma)$ for $i \in [Q_c]$ at the outset of the game and uses $(\mathsf{vk}_i, \mathsf{sigk}_i)$ to create the $i$-th challenge ciphertext.

$\mathsf{Game}_2$: In this game, the challenger stops the experiment and forces $\mathcal{A}$ to output a random bit if $\mathcal{A}$ submits $(\mathsf{Decryption}, j', \mathsf{CT}'_\Psi = (\mathsf{vk}', \mathsf{CT}'_\Phi, \sigma'))$ that satisfies $\Sigma.\mathsf{Verify}(\mathsf{vk}', \mathsf{CT}'_\Phi, \sigma') = 1$ and one of the following conditions:

(Case A) There exists $i^\star \in [Q_c]$ such that $\mathsf{vk}' = \mathsf{vk}_{i^\star}$ and $\mathcal{A}$ has not made the $i^\star$-th challenge query yet.

(Case B) There exists $i^\star \in [Q_c]$ such that $\mathsf{vk}' = \mathsf{vk}_{i^\star}$ and $\mathcal{A}$'s $i^\star$-th challenge query is of the form $(\mathsf{Challenge}, j', M_0, M_1)$ for the same $j'$.

Since the change from $\mathsf{Game}_0$ to $\mathsf{Game}_1$ is only conceptual, we have $\mathrm{Adv}_0(\kappa) = \mathrm{Adv}_1(\kappa)$. Therefore, we have $\mathrm{Adv}^{\mathrm{PKE}}_{\mathcal{A},\Psi,(\mu,Q_c,Q_k)}(\kappa) = \mathrm{Adv}_0(\kappa) \le |\mathrm{Adv}_1(\kappa) - \mathrm{Adv}_2(\kappa)| + \mathrm{Adv}_2(\kappa)$, and it suffices to show Lemmas 33 and 34 in the following. □

Lemma 33 ($\mathsf{Game}_1$ to $\mathsf{Game}_2$). For any adversary $\mathcal{A}$, there exists an adversary $\mathcal{B}_1$ such that $|\mathrm{Adv}_1(\kappa) - \mathrm{Adv}_2(\kappa)| \le \mathrm{Adv}^{\mathrm{OTS}}_{\mathcal{B}_1,\Sigma,Q_c}(\kappa)$ and $\mathrm{Time}(\mathcal{B}_1) \approx Q_c \cdot \mathrm{poly}(\kappa) + \mathrm{Time}(\mathcal{A})$, where $\mathrm{poly}(\kappa)$ is independent of $\mathrm{Time}(\mathcal{A})$.

Proof. $\mathsf{Game}_2$ differs from $\mathsf{Game}_1$ only if $\mathcal{A}$ makes a decryption query of the specific form defined above (Case A or Case B). We construct from $\mathcal{A}$ an adversary $\mathcal{B}_1$ against the $Q_c$-fold OTS scheme whose advantage equals the probability of this event in $\mathsf{Game}_1$.

Setup. At the outset of the game, $\mathcal{B}_1$ is given $(\mathsf{pp}_\Sigma, \{\mathsf{vk}_i\}_{i \in [Q_c]})$. Then, it runs $\Phi.\mathsf{Par}(1^\kappa) \to \mathsf{pp}_\Phi$ and $\Phi.\mathsf{Gen}(\mathsf{pp}_\Phi) \to (\mathsf{mpk}^{(j)}, \mathsf{msk}^{(j)})$ for $j \in [\mu]$ and returns $\mathsf{pp}_\Psi = (\mathsf{pp}_\Phi, \mathsf{pp}_\Sigma)$ and $\{\mathsf{ek}^{(j)} = (\mathsf{pp}_\Phi, \mathsf{pp}_\Sigma, \mathsf{mpk}^{(j)})\}_{j \in [\mu]}$ to $\mathcal{A}$. It also picks $\mathsf{coin} \xleftarrow{\$} \{0,1\}$.

Challenge Queries. For the $i$-th challenge query $(\mathsf{Challenge}, j, M_0, M_1)$ made by $\mathcal{A}$, $\mathcal{B}_1$ proceeds as follows. It first runs $\Phi.\mathsf{Enc}(\mathsf{mpk}^{(j)}, \mathsf{vk}_i, M_{\mathsf{coin}}) \to \mathsf{CT}_\Phi$ and then submits $(\mathsf{Sign}, i, \mathsf{CT}_\Phi)$ to its challenger. Then, $\Sigma.\mathsf{Sign}(\mathsf{sigk}_i, \mathsf{CT}_\Phi) \to \sigma$ is returned to $\mathcal{B}_1$. Finally, $\mathcal{B}_1$ returns $\mathsf{CT}_\Psi = (\mathsf{vk}_i, \mathsf{CT}_\Phi, \sigma)$ to $\mathcal{A}$.

Decryption Queries. When $\mathcal{A}$ makes a query $(\mathsf{Decryption}, j', \mathsf{CT}'_\Psi = (\mathsf{vk}', \mathsf{CT}'_\Phi, \sigma'))$, $\mathcal{B}_1$ proceeds as follows. If $\Sigma.\mathsf{Verify}(\mathsf{vk}', \mathsf{CT}'_\Phi, \sigma') = 0$, it returns $\bot$ to $\mathcal{A}$. If not, $\mathcal{B}_1$ searches for $i^\star$ such that $\mathsf{vk}' = \mathsf{vk}_{i^\star}$. If there is such an $i^\star$, $\mathcal{B}_1$ checks whether (Case A) or (Case B) holds. If it holds, $\mathcal{B}_1$ stops the game and outputs $(i^\star, \mathsf{CT}'_\Phi, \sigma')$ as its forgery. Otherwise, it answers the decryption query using $\{\mathsf{dk}^{(j)} = (\mathsf{mpk}^{(j)}, \mathsf{msk}^{(j)})\}_{j \in [\mu]}$.

Analysis. Let $(i^\star, \mathsf{CT}'_\Phi, \sigma')$ be the output of $\mathcal{B}_1$. If (Case A) holds, $\mathcal{B}_1$ has not made a signing query for $i^\star$. Therefore, $\mathcal{B}_1$ wins the game in this case. We then consider (Case B). Let the $i^\star$-th challenge query be $(\mathsf{Challenge}, j', M_0, M_1)$ and the answer to the query be $\mathsf{CT}''_\Psi = (\mathsf{vk}_{i^\star}, \mathsf{CT}''_\Phi, \sigma'')$. Note that $\mathcal{B}_1$ has made a signing query $(\mathsf{Sign}, i^\star, \mathsf{CT}''_\Phi)$ to obtain $\sigma''$. Since $\mathcal{A}$ is a valid adversary, we have that $(j', \mathsf{CT}'_\Psi) \neq (j', \mathsf{CT}''_\Psi)$. In particular, we have $(\mathsf{CT}'_\Phi, \sigma') \neq (\mathsf{CT}''_\Phi, \sigma'')$. Therefore, $\mathcal{B}_1$ wins the game also in this case. □

Lemma 34. For any adversary $\mathcal{A}$, there exists an adversary $\mathcal{B}_2$ such that $\mathrm{Adv}_2(\kappa) \le \mathrm{Adv}^{\mathrm{IBE}}_{\mathcal{B}_2,\Phi,(\mu,Q_c,Q_k)}(\kappa)$ and $\mathrm{Time}(\mathcal{B}_2) \approx (Q_c + Q_k) \cdot \mathrm{poly}(\kappa) + \mathrm{Time}(\mathcal{A})$, where $\mathrm{poly}(\kappa)$ is independent of $\mathrm{Time}(\mathcal{A})$.

Proof. We construct an adversary $\mathcal{B}_2$ against the $(\mu, Q_c, Q_k)$-security of the IBE scheme from $\mathcal{A}$. $\mathcal{B}_2$ simulates $\mathsf{Game}_2$ for $\mathcal{A}$ as follows.

Setup. At the outset of the game, $\mathcal{B}_2$ is given $\mathsf{pp}_\Phi$ and $\{\mathsf{mpk}^{(j)}\}_{j \in [\mu]}$. Then, it runs $\Sigma.\mathsf{Par}(1^\kappa) \to \mathsf{pp}_\Sigma$ and returns $\mathsf{pp}_\Psi = (\mathsf{pp}_\Phi, \mathsf{pp}_\Sigma)$ and $\{\mathsf{ek}^{(j)} = (\mathsf{pp}_\Phi, \mathsf{pp}_\Sigma, \mathsf{mpk}^{(j)})\}_{j \in [\mu]}$ to $\mathcal{A}$. $\mathcal{B}_2$ also picks $(\mathsf{vk}_i, \mathsf{sigk}_i) \xleftarrow{\$} \Sigma.\mathsf{Gen}(\mathsf{pp}_\Sigma)$ for $i \in [Q_c]$.

Challenge Queries. When the adversary $\mathcal{A}$ makes the $i$-th challenge query $(\mathsf{Challenge}, j, M_0, M_1)$, $\mathcal{B}_2$ first requests $(\mathsf{Challenge}, j, \mathsf{vk}_i, M_0, M_1)$ from its challenger and receives $\Phi.\mathsf{Enc}(\mathsf{mpk}^{(j)}, \mathsf{vk}_i, M_{\mathsf{coin}}) \to \mathsf{CT}_\Phi$. Then, $\mathcal{B}_2$ runs $\Sigma.\mathsf{Sign}(\mathsf{sigk}_i, \mathsf{CT}_\Phi) \to \sigma$ and returns the challenge ciphertext $(\mathsf{vk}_i, \mathsf{CT}_\Phi, \sigma)$ to $\mathcal{A}$.

Decryption Queries. When $\mathcal{A}$ makes a query $(\mathsf{Decryption}, j', \mathsf{CT}'_\Psi = (\mathsf{vk}', \mathsf{CT}'_\Phi, \sigma'))$, $\mathcal{B}_2$ first checks the validity of $\sigma'$ by $\Sigma.\mathsf{Verify}(\mathsf{vk}', \mathsf{CT}'_\Phi, \sigma')$. If it is $0$, it returns $\bot$. Otherwise, $\mathcal{B}_2$ checks whether $(j', \mathsf{CT}'_\Psi = (\mathsf{vk}', \mathsf{CT}'_\Phi, \sigma'))$ satisfies the (Case A) or (Case B) condition. If it does, $\mathcal{B}_2$ aborts and outputs a random bit. Otherwise, $\mathcal{B}_2$ makes the key extraction query $(\mathsf{Extraction}, j', \mathsf{vk}')$ to its challenger to obtain $\mathsf{sk}^{(j')}_{\mathsf{vk}'}$ and returns $\Phi.\mathsf{Dec}(\mathsf{sk}^{(j')}_{\mathsf{vk}'}, \mathsf{CT}'_\Phi) \to M/\bot$.

Output. Finally, $\mathcal{B}_2$ outputs the same bit as $\mathcal{A}$ as its guess.

Analysis. It is clear that we have $\mathrm{Adv}_2(\kappa) \le \mathrm{Adv}^{\mathrm{IBE}}_{\mathcal{B}_2,\Phi,(\mu,Q_c,Q_k)}(\kappa)$. Here, we check that $\mathcal{B}_2$ is a valid adversary. First, we check that $\mathcal{B}_2$ never makes a prohibited key extraction query. For a decryption query $(\mathsf{Decryption}, j', \mathsf{CT}'_\Psi = (\mathsf{vk}', \mathsf{CT}'_\Phi, \sigma'))$ that satisfies neither the (Case A) nor the (Case B) condition, we have that $\mathsf{vk}' \notin \{\mathsf{vk}_i\}_{i \in [Q_c]}$, or, for all $i^\star \in [Q_c]$ such that $\mathsf{vk}_{i^\star} = \mathsf{vk}'$, the $i^\star$-th challenge query made by $\mathcal{A}$ is $(\mathsf{Challenge}, j'', M''_0, M''_1)$ for some $j'' \neq j'$. In either case, $\mathcal{B}_2$ is allowed to make a key extraction query of the form $(\mathsf{Extraction}, j', \mathsf{vk}')$. Next, we check that $\mathcal{B}_2$ never makes a prohibited challenge query. Let us assume that $\mathcal{B}_2$ makes the $i$-th challenge query $(\mathsf{Challenge}, j, \mathsf{vk}_i, M_0, M_1)$ for some $j$, $M_0$, and $M_1$. Then, since $\mathcal{B}_2$ has not aborted until then, $\mathcal{A}$ has not made any decryption query that satisfies (Case A). Therefore, for every key extraction query $(\mathsf{Extraction}, j', \mathsf{vk}')$ made by $\mathcal{B}_2$ until then, we have that $\mathsf{vk}' \neq \mathsf{vk}_i$. □

H Concrete Descriptions of Our Schemes

Here, we show concrete descriptions of our proposed schemes. In all of the following schemes, we let the identity space be $\{0,1\}^\ell$.

H.1 Description of IBE Scheme Φcompcc

Let the message space be $\mathcal{M} = \{0,1\}^m$. We also let $\mathcal{H}$ be a family of pairwise independent hash functions $H : \mathbb{G}_T \to \mathcal{M}$. We assume that $\sqrt{|\mathcal{M}|/p_2} = 2$

$\mathsf{Par}(1^\kappa)$: It first runs $(N, \mathbb{G}, \mathbb{G}_T, g_1, g_2, g_3, g_4, e(\cdot)) \xleftarrow{\$} \mathcal{G}_{\mathsf{comp}}(1^\kappa)$ and picks $\mathbf{w} = (w_1, \ldots, w_{2\ell}) \xleftarrow{\$} \mathbb{Z}_N^{2\ell}$, $a \xleftarrow{\$} \mathbb{Z}_N^*$, $H \xleftarrow{\$} \mathcal{H}$. Then it sets $h := (g_1 g_2 g_3 g_4)^a$ and outputs $\mathsf{pp} = (g_1, g_1^{\mathbf{w}}, g_4, h, H)$ and $\mathsf{sp} = \bot$.

$\mathsf{Gen}(\mathsf{pp}, \mathsf{sp})$: It picks $\alpha \xleftarrow{\$} \mathbb{Z}_N$ and outputs the master public key $\mathsf{mpk} = (\mathsf{pp}, e(g_1, h)^\alpha)$ and $\mathsf{msk} = \alpha$.

$\mathsf{Ext}(\mathsf{msk}, \mathsf{mpk}, \mathsf{ID})$: It first sets $S = \{2i - \mathsf{ID}_i \mid i \in [\ell]\}$, where $\mathsf{ID}_i \in \{0,1\}$ is the $i$-th bit of $\mathsf{ID} \in \{0,1\}^\ell$. It then picks $r, \delta_1, \delta_2 \xleftarrow{\$} \mathbb{Z}_N$ and returns

$$\mathsf{sk}_{\mathsf{ID}} = \left( K_1 = h^{\alpha} g_1^{r \sum_{j \in S} w_j} g_4^{\delta_1},\quad K_2 = g_1^{-r} g_4^{\delta_2} \right).$$

$\mathsf{Enc}(\mathsf{mpk}, \mathsf{ID}, M)$: It first sets $S = \{2i - \mathsf{ID}_i \mid i \in [\ell]\}$. Then it picks $s \xleftarrow{\$} \mathbb{Z}_N$ and outputs

$$\mathsf{CT} = \left( C_1 = g_1^{s},\quad C_2 = g_1^{s \sum_{j \in S} w_j},\quad C_3 = H\big(e(g_1, h)^{s\alpha}\big) \oplus M \right).$$

$\mathsf{Dec}(\mathsf{sk}_{\mathsf{ID}}, \mathsf{CT})$: It parses $\mathsf{CT} \to (C_1, C_2, C_3)$ and computes $e(C_1, K_1)\, e(C_2, K_2) = e(g_1, h)^{s\alpha}$. Then, it recovers the message $M$ by $M = C_3 \oplus H(e(g_1, h)^{s\alpha})$.

REMARK. There is a slight gap between the description of the above scheme and the scheme obtained by applying our conversion in Section 4 to $\Pi_{\mathsf{cc}}$. We call the former scheme (A) and the latter scheme (B). In particular, the description of the key extraction algorithm $\mathsf{Ext}$ in scheme (A) is slightly simplified compared to that of scheme (B). We explain this. In the key extraction algorithm of scheme (B), $\mathsf{sk}_j$ defined as in Equation (6) is computed for all $j \in S$. We have

$$\mathsf{sk}_j = \left( h^{\alpha_j} g_1^{r_j w_j} g_4^{\delta_{j,j}},\quad \{ g_1^{r_j w_k} g_4^{\delta_{j,k}} \}_{k \in S \setminus \{j\}},\quad g_1^{r_j} g_4^{\delta_{j,0}} \right)$$

where $r_j, \delta_{j,0}, \delta_{j,k} \xleftarrow{\$} \mathbb{Z}_N$ for all $k \in S$. From Equation (12), we have that

$$\mathsf{sk}_j^{E_j} = \left( h^{\alpha_j} g_1^{r_j w_j} g_4^{\delta_{j,j}} \cdot \prod_{k \in S \setminus \{j\}} \big( g_1^{r_j w_k} g_4^{\delta_{j,k}} \big),\quad g_1^{-r_j} g_4^{\delta_{j,0}} \right) = \left( h^{\alpha_j} g_1^{\sum_{k \in S} r_j w_k} g_4^{\sum_{k \in S} \delta_{j,k}},\quad g_1^{-r_j} g_4^{\delta_{j,0}} \right).$$

Therefore, we have that $\mathsf{sk}_{\mathsf{ID}}$ in scheme (B) is of the form

$$\mathsf{sk}_{\mathsf{ID}} = \prod_{j \in S} \mathsf{sk}_j^{E_j} = \left( h^{\alpha} g_1^{(\sum_{j \in S} r_j)(\sum_{k \in S} w_k)} g_4^{\sum_{j \in S,\, k \in S} \delta_{j,k}},\quad g_1^{-\sum_{j \in S} r_j} g_4^{\sum_{j \in S} \delta_{j,0}} \right).$$

The above private key corresponds to that of scheme (A) if we replace $\sum_{j \in S,\, k \in S} \delta_{j,k}$, $\sum_{j \in S} r_j$, and $\sum_{j \in S} \delta_{j,0}$ with $\delta_1$, $r$, and $\delta_2$, respectively. It is clear that this does not change the distribution of the private key and thus does not harm the security at all.

We note that we will apply a similar simplification to the key extraction algorithms that appear in this Appendix.
