In what follows, generic methods of constructing CL-PKE schemes by combining a general ID-PKE scheme with a standard PKE scheme will be briefly considered. We will provide three generic CL-PKE schemes constructed in this way: CL-1, CL-2 and CL-3. Roughly speaking, for each of the constructions, the Partial-Private-Key-Extract algorithm is handled by the ID-PKE scheme, and the Set-Private-Key/Set-Public-Key algorithms are handled by the standard PKE scheme.
A generic scheme of the type constructed here can be used to add cryptographic workflow to a standard PKE scheme by composing the standard PKE scheme with an ID-PKE scheme; the resultant scheme no longer requires certificates. Similarly, a generic scheme can be constructed to enhance the level of trust offered by an ID-PKE scheme by composing the ID-PKE scheme with a standard PKE scheme; the resultant scheme will, however, no longer be identifier-based.
Now let us consider an IND-ID-CCA secure ID-PKE scheme, ΠID, and an IND-CCA secure standard PKE scheme, ΠPK. These will be composed in order to create our first generic CL-PKE scheme, denoted ΠCL−1. Note that Canetti et al. [44] show how IND-CCA secure PKE schemes can be constructed using any CPA secure ID-PKE scheme. The result in [44] allows ΠID and ΠPK to share many algorithms.
In what follows we assume that ΠID and ΠPK are compatible in the sense that the ciphertext space of ΠPK is equal to the message (plaintext) space of ΠID. The seven algorithms needed to define ΠCL−1 are described next. We assume that schemes ΠPK and ΠID take as input security parameters k1 and k2 respectively.
Setup: This algorithm runs the Setup algorithm of the scheme ΠPK and the Setup algorithm of the scheme ΠID. The message space of ΠCL−1 will be the message space of ΠID, denoted M, while the ciphertext space of ΠCL−1 will be the ciphertext space of ΠID.
Partial-Private-Key-Extract: This algorithm is defined to be the Extract algorithm of ΠID. So the partial private key DA of IDA in ΠCL−1 is set to be the private key dA of IDA in the scheme ΠID.
Set-Secret-Value and Set-Public-Key: These algorithms are obtained from the Key-Generation algorithm of ΠPK. Algorithm Key-Generation is run, and the output of the Set-Secret-Value algorithm, xA, is defined to be the private key Kpriv for ΠPK, while the output of the Set-Public-Key algorithm, PA, is defined to be the public key Kpub for ΠPK.
Set-Private-Key: This algorithm outputs SA = ⟨DA, xA⟩, where, as above, DA is the private key corresponding to identifier IDA in the scheme ΠID and xA is a private key obtained from the scheme ΠPK.
Encrypt: To encrypt M ∈ M for identifier IDA and public key PA, perform the following steps:
1. Check that PA is a valid public key for ΠPK; if not, output ⊥.
2. Compute and output the ciphertext:
C = EID(EPK(M, PA), IDA).
Here, EID denotes the encryption algorithm of the scheme ΠID and EPK denotes the encryption algorithm of the scheme ΠPK.
Decrypt: Suppose C ∈ C. To decrypt this ciphertext using the private key SA = ⟨DA, xA⟩, firstly compute DID(C, DA). If the result is equal to ⊥, then output ⊥ and reject the ciphertext. Otherwise output DPK(DID(C, DA), xA). Here, DID denotes the decryption algorithm of ΠID and DPK denotes the decryption algorithm of ΠPK.
An alternative serial encryption scheme to ΠCL−1 is one which reverses the order of encryption, such that C = EPK(EID(M, IDA), PA). This scheme will be labelled ΠCL−2. Here, of course, we require that the ciphertexts output by EID can be used as plaintexts for the encryption algorithm EPK.
The scheme denoted ΠCL−3 is a parallel encryption scheme. As we shall see, details in the algorithms differ. For ΠCL−3, we need to assume that ΠPK and ΠID are compatible in the sense that they both have the same plaintext space, denoted M. We also assume that M consists of the set of strings of some length n. The seven algorithms needed to define ΠCL−3 are described next. As with ΠCL−1, here EID/DID denotes the encryption/decryption algorithm of the scheme ΠID and EPK/DPK denotes the encryption/decryption algorithm of the scheme ΠPK.
Setup: This algorithm runs the Setup algorithm of the scheme ΠPK and the Setup algorithm of scheme ΠID.
Partial-Private-Key-Extract: Identical to Partial-Private-Key-Extract of ΠCL−1.
Set-Secret-Value and Set-Public-Key: Identical to Set-Secret-Value and Set-Public-Key of ΠCL−1.
Set-Private-Key: Identical to Set-Private-Key of ΠCL−1.
Encrypt: To encrypt M ∈ M for identifier IDA and public key PA, perform the following steps:
1. Check that PA is a valid public key for ΠPK; if not, output ⊥.
2. Choose a random MA with the same bit length as M.
3. Set MB = MA ⊕ M.
4. Compute and output the ciphertext:
C = ⟨EID(MA, IDA), EPK(MB, PA)⟩.
Decrypt: Suppose C = ⟨cA, cB⟩ ∈ C. To decrypt this ciphertext using the private key SA = ⟨DA, xA⟩, firstly compute DID(cA, DA) and DPK(cB, xA). If either result is equal to ⊥, then output ⊥ and reject the ciphertext. Otherwise output M = DID(cA, DA) ⊕ DPK(cB, xA).
This concludes the description of ΠCL−3.
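The Encrypt and Decrypt algorithms of ΠCL−3 described above, as an added Python example that is not code from the original text. It assumes a toy hashed-ElGamal instance modulo 2^127 − 1 for ΠPK and a symmetric HMAC-based stand-in for ΠID, whose E_ID reads the KGC master secret (a real ID-PKE encryptor uses only public parameters); all function names are hypothetical.

```python
import hashlib, hmac, secrets

P, G = 2**127 - 1, 3              # toy group (assumption); far too small for real use
MASTER = secrets.token_bytes(32)  # KGC master secret of the stand-in ID scheme

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def seal(k, m):                   # one-time stream + MAC under a fresh key k
    body = xor(m, hashlib.shake_256(k).digest(len(m)))
    return body + hmac.new(k, body, "sha256").digest()

def unseal(k, c):                 # None plays the role of ⊥
    body, tag = c[:-32], c[-32:]
    ok = hmac.compare_digest(tag, hmac.new(k, body, "sha256").digest())
    return xor(body, hashlib.shake_256(k).digest(len(body))) if ok else None

def extract(ident):               # Partial-Private-Key-Extract -> D_A
    return hmac.new(MASTER, ident, "sha256").digest()

def e_id(m, ident):               # stand-in: a real E_ID needs only public parameters
    r = secrets.token_bytes(16)
    return r + seal(hmac.new(extract(ident), r, "sha256").digest(), m)
def d_id(c, d_a):
    return unseal(hmac.new(d_a, c[:16], "sha256").digest(), c[16:])

def keygen():                     # Set-Secret-Value / Set-Public-Key -> (x_A, P_A)
    x_a = secrets.randbelow(P - 3) + 2
    return x_a, pow(G, x_a, P)

def kdf(shared):
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()

def e_pk(m, p_a):                 # hashed ElGamal: (g^r, seal under H(P_A^r))
    r = secrets.randbelow(P - 3) + 2
    return pow(G, r, P).to_bytes(16, "big") + seal(kdf(pow(p_a, r, P)), m)
def d_pk(c, x_a):
    return unseal(kdf(pow(int.from_bytes(c[:16], "big"), x_a, P)), c[16:])

def cl3_encrypt(m, ident, p_a):
    if not (isinstance(p_a, int) and 1 < p_a < P - 1):
        return None                                   # step 1: invalid P_A -> ⊥
    m_a = secrets.token_bytes(len(m))                 # step 2: random M_A
    return e_id(m_a, ident), e_pk(xor(m_a, m), p_a)   # steps 3-4: <c_A, c_B>

def cl3_decrypt(c, s_a):
    (c_a, c_b), (d_a, x_a) = c, s_a
    a, b = d_id(c_a, d_a), d_pk(c_b, x_a)             # both shares must decrypt
    return None if a is None or b is None else xor(a, b)
```

With these stand-ins, a holder of DA alone (the KGC) or of xA alone gets ⊥ from cl3_decrypt, and a ciphertext produced under a substituted public key does not decrypt under the original SA.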
Notice that if the BF ID-PKE scheme [32] and the ElGamal PKE scheme [68] are used directly in the generic construction ΠCL−1, the resulting construction is computationally rather inefficient: in ΠCL−1 both EID and EPK are run independently using different plaintexts, random values and redundancies. The scheme FullCL-PKE in Chapter 6 can be regarded as an optimisation of ΠCL−1 where the components of the scheme are FullIdent of [32] and ElG-HybridPub of Section 6.5.1. Our proof of security for that scheme utilised a particular knowledge extractor which decrypts ciphertexts with a high probability of success.
Given the proof techniques developed in previous chapters, the main obstacle in proving the security of these generic constructions in the security model developed in Chapter 6 appears to be the construction of a general knowledge extractor that is appropriate to the Type I adversary setting (which is very different to existing settings). This knowledge extractor is required to decrypt ciphertexts with high probability of success for an entity whose public key may have been replaced.