Remove Key Escrow from The Identity-Based Encryption System


Zhaohui Cheng, Richard Comley and Luminita Vasiu
School of Computing Science, Middlesex University, White Hart Lane, London N17 8HR, UK.

Abstract. Key escrow is an inherent property of the currently proposed Identity-Based Encryption (IBE) systems. However, key escrow is not always a good property for all applications. In this paper, we present a scheme which removes the key escrow from the IBE system proposed by Boneh and Franklin, while at the same time maintaining some important properties of the IBE. We also present some cryptosystems based on our variant, including a signature scheme and an authenticated key agreement. We finally show how to integrate our scheme into a hierarchical identity-based public key encryption system and a key-insulated system.

1 Introduction

Since the landmark paper "New directions in cryptography" [9] was published in 1976, public key systems have played a fundamental role in modern information security. To address the security threat of the man-in-the-middle attack, complicated public key certification systems have been developed over the years. But the widespread deployment of public key systems depends heavily on certificate distribution systems, which suffer from a scalability problem. In an attempt to simplify public key directory management in a Public Key Center (PKC), in 1984 Shamir [17] first formulated the concept of Identity-Based Cryptography (IBC), in which a public key is the identity (an arbitrary string) of an entity. Shamir presented an identity-based signature scheme in [17] and more signature schemes were proposed later. However, constructing a practical Identity-Based Encryption (IBE) scheme remained an open problem for about twenty years. Recently Boneh and Franklin [3] and Cocks [6] presented two different systems separately. Boneh-Franklin's scheme has drawn much attention because of its provable security and efficiency in practice.
Our work is based on this scheme. In an IBE system there are four algorithms: (1) Setup generates the global system parameters and a master-key; (2) Extract uses the master-key to generate the private key corresponding to an arbitrary public key string $ID \in \{0,1\}^*$, which is the identity of an entity; (3) Encrypt encrypts messages using the public key $ID$; and (4) Decrypt decrypts messages using the corresponding private key.

Because an entity's identity ($ID$) is used as the public key directly, some interesting usages of an IBE can be naturally introduced. For example, an $ID$ can include the public key expiry time, or differentiate the entity's credentials. On the other hand, a special property is inherent in the proposed IBE schemes. In Shamir's scheme, the PKC uses the Extract algorithm to generate the private key corresponding to the public $ID$. Hence the PKC knows all the entities' private keys. This property is called key escrow. Because the proposed schemes [3] and [6] follow Shamir's scheme to set up the system, they also inherit the key escrow function. However, the key escrow function is not necessary for all types of applications, and a cryptosystem with the key escrow property has some serious disadvantages. For example, once the master-key is exposed, all the entities' private keys are leaked in principle and all prior communication is under threat of exposure. Some mechanisms can be used to increase the security of the master-key, for example threshold cryptography [12] [7]. Gentry and Silverberg presented a method in a hierarchical ID-based scheme [13] to restrict the key escrow function to small domains. But the existence of a master-key is still a threat to an entity's privacy. In [1] Al-Riyami and Paterson introduced the concept of Certificateless Public Key Cryptography (CL-PKC) and presented a scheme which removes the key escrow property successfully. In this paper, we introduce the nickname concept and present another variant of Boneh-Franklin's IBE system without the key escrow function.¹

The rest of this paper is structured as follows. In Section 2, we describe the original Boneh-Franklin IBE scheme, which is the basis of our variant, and we also briefly introduce the bilinear map, which is the basic mathematical tool used in the scheme. In the next section, we present our scheme to show how to remove the key escrow function.
A security analysis of our variant is presented in Section 4. Sections 5 and 6 present a signature scheme and an authenticated key agreement based on our variant, respectively. We show how to integrate our scheme into a hierarchical identity-based public key encryption system in Section 7. We then show an application of the new property of master-key forward secrecy in a key-insulated system. Finally, we make a comparison with the CL-PKC scheme.

2 Boneh-Franklin's IBE Scheme

Boneh-Franklin's IBE scheme is the first efficient and provably secure identity-based encryption scheme; it is based on a bilinear map (pairing).

Definition 1 A pairing is a bilinear map $\hat{e}: G_1 \times G_1 \to G_2$ on two cyclic groups $G_1$ and $G_2$ of prime order $q$ which has the following properties [3]:
1. Bilinear: for all $P, Q, R, S \in G_1$, $\hat{e}(P+Q, R+S) = \hat{e}(P,R)\,\hat{e}(P,S)\,\hat{e}(Q,R)\,\hat{e}(Q,S)$.²
2. Non-degenerate: for a given point $Q \in G_1$, $\hat{e}(Q,R) = 1_{G_2}$ for all $R \in G_1$ if and only if $Q = 1_{G_1}$.
3. Computable: there is an efficient algorithm to compute $\hat{e}(P,Q)$ for any $P, Q \in G_1$.

The modified Weil and Tate pairings [18] on elliptic curves can be used to build such bilinear maps. The security of Boneh-Franklin's scheme is based on the assumed hardness of the Bilinear Diffie-Hellman (BDH) problem.

Assumption 1 Bilinear Diffie-Hellman Assumption (BDH) [3] Let $\mathcal{G}$ be a parameter generator which, with security parameter $1^k$ as input, generates two cyclic groups $G_1, G_2$ of prime order $q$ and a bilinear map $\hat{e}$. We define the advantage of an algorithm $A$ in solving the problem (given $P, aP, bP, cP$, compute $\hat{e}(P,P)^{abc}$) by
$$\mathrm{Adv}_{\mathcal{G},A}(k) = \Pr\big[\,A(q, G_1, G_2, \hat{e}, P, aP, bP, cP) = \hat{e}(P,P)^{abc} \;\big|\; \langle q, G_1, G_2, \hat{e} \rangle \leftarrow \mathcal{G}(1^k),\ \text{a generator } P \leftarrow G_1,\ a, b, c \leftarrow_R \mathbb{Z}_q^*\,\big].$$
For any randomized polynomial time (in $k$) algorithm $A$, the advantage $\mathrm{Adv}_{\mathcal{G},A}(k)$ is negligible.

Boneh-Franklin's IBE scheme also follows the four steps proposed by Shamir. Here is the description of the scheme in detail.

Setup: Given a security parameter $k$, the parameter generator follows these steps.
1. Generate two cyclic groups $G_1$ and $G_2$ of prime order $q$ and a bilinear pairing map $\hat{e}: G_1 \times G_1 \to G_2$. Pick a random generator $P \in G_1$.
2. Pick a random integer $s \in \mathbb{Z}_q^*$ and compute $P_{pub} = sP$.
3. Pick four cryptographic hash functions $H_1: \{0,1\}^* \to G_1^*$, $H_2: G_2 \to \{0,1\}^n$, $H_3: \{0,1\}^n \times \{0,1\}^n \to \mathbb{Z}_q^*$ and $H_4: \{0,1\}^n \to \{0,1\}^n$ for some integer $n > 0$.
The message space is $\mathcal{M} = \{0,1\}^n$. The ciphertext space is $\mathcal{C} = G_1 \times \{0,1\}^n \times \{0,1\}^n$. The system parameters are $params = \langle q, G_1, G_2, \hat{e}, n, P, P_{pub}, H_1, H_2, H_3, H_4 \rangle$. $s$ is the master-key of the system.

Extract: Given a string $ID \in \{0,1\}^*$, the $params$ and the master-key, the algorithm computes $Q_{ID} = H_1(ID) \in G_1^*$, $d_{ID} = sQ_{ID}$ and returns $d_{ID}$.

Encrypt: Given a plaintext $m \in \mathcal{M}$, the $ID$ of an entity and the public parameters $params$, follow these steps:
1. Pick a random $\sigma \in \{0,1\}^n$ and compute $r = H_3(\sigma, m)$.
2. Compute $Q_{ID} = H_1(ID)$ and $g = \hat{e}(P_{pub}, Q_{ID})$.
3. Set the ciphertext to $C = \langle rP,\ \sigma \oplus H_2(g^r),\ m \oplus H_4(\sigma) \rangle$.

Decrypt: Given a ciphertext $\langle U, V, W \rangle \in \mathcal{C}$, the private key $d_{ID}$ and the system parameters $params$, perform the following steps.
1. Compute $g' = \hat{e}(U, d_{ID})$ and $\sigma' = V \oplus H_2(g')$.
2. Compute $m' = W \oplus H_4(\sigma')$ and $r' = H_3(\sigma', m')$.

¹ We completed Sections 1-4 of this work at the end of September 2003, and at the same time we found the post of [1] on eprint.iacr.org, to which our work is very similar. Hence we extended the original work by adding Sections 5, 6, 7 and 9 to echo the work in [1].
² In particular $\hat{e}(sP, tR) = \hat{e}(P,R)^{st}$ for all $P, R \in G_1$ and $s, t \in \mathbb{Z}_q^*$.

3. If $U \neq r'P$, reject the ciphertext, else return $m'$ as the plaintext.

The consistency of the scheme follows from the bilinearity of $\hat{e}$. Boneh and Franklin proved that the scheme is semantically secure against the adaptive chosen ciphertext attack (IND-CCA2) [2][3] in the random oracle model [5].

3 Our Variant of Boneh-Franklin's IBE System

Based on Boneh-Franklin's scheme, we introduce another public and private key pair $\langle N_{ID}, t \rangle$ into the scheme to remove the key escrow function. The private key $t$, a random integer in $\mathbb{Z}_q^*$, is owned only by the entity with identity $ID$ (we use "entity $ID$" to refer to the entity with the identity $ID$ in the remainder of the paper). In our scheme the encryption and decryption operations depend not only on the public key $ID$ (in fact $Q_{ID}$) and the private key $d_{ID}$, but also on the second public key $N_{ID}$ and the corresponding private key $t$. We name the public keys $\langle ID, N_{ID} \rangle$ as $\langle ID, Nickname \rangle$ and the private keys $\langle d_{ID}, t \rangle$ as $\langle PrkeyL, PrkeyR \rangle$. Because only entity $ID$ knows $PrkeyR$, we can prove that the key escrow function in the PKC is removed. The effect of introducing $\langle N_{ID}, t \rangle$ is discussed after the description of the scheme's details. Publishing a nickname is not a serious new burden for a PKC. For simplicity we name our system V-IBE and Boneh-Franklin's scheme B-IBE in the following sections. Our scheme is specified by five algorithms: Setup, Extract, Publish, Encrypt and Decrypt.

Setup: As in Boneh-Franklin's scheme.

Extract: Identical to Extract in Boneh-Franklin's scheme.

Publish: Given the system parameters $params$, an entity selects a random $t \in \mathbb{Z}_q^*$ and computes $N_{ID} = \langle N_1, N_2 \rangle = \langle tP, tP_{pub} \rangle$. The entity can ask the PKC to publish this extra parameter $N_{ID}$, or publish it by itself or via any directory service, as its nickname. Note that this publishing operation has no security requirement. Instead, we can construct another Publish operation.³

Encrypt: Given a plaintext $m \in \mathcal{M}$, the identity $ID$, the public parameters $params$ and the nickname $N_{ID} = \langle N_1, N_2 \rangle$ corresponding to $ID$, the following steps are performed.
1. Check that $N_1, N_2 \in G_1$ and that the equation $\hat{e}(N_1, P_{pub}) = \hat{e}(N_2, P)$ holds. If not, output $\bot$ and terminate encryption.
2. Pick a random $\sigma \in \{0,1\}^n$ and compute $r = H_3(\sigma, m)$.
3. Compute $Q_{ID} = H_1(ID)$ and $g = \hat{e}(P_{pub} + N_1, Q_{ID})$.
4. Set the ciphertext to $C = \langle rP,\ \sigma \oplus H_2(g^r),\ m \oplus H_4(\sigma) \rangle$.

Decrypt: Given a ciphertext $\langle U, V, W \rangle \in \mathcal{C}$, $d_{ID}$, $t$ and the system parameters $params$, follow these steps:
1. Compute $g' = \hat{e}(U, d_{ID} + tQ_{ID})$ and $\sigma' = V \oplus H_2(g')$.

³ This operation is the same as the corresponding one in [1].

2. Compute $m' = W \oplus H_4(\sigma')$ and $r' = H_3(\sigma', m')$.
3. If $U \neq r'P$, reject the ciphertext, else return $m'$ as the plaintext.

The consistency of the scheme can be verified by
$$g' = \hat{e}(U, d_{ID} + tQ_{ID}) = \hat{e}(rP, sQ_{ID} + tQ_{ID}) = \hat{e}(sP, Q_{ID})^r\,\hat{e}(tP, Q_{ID})^r = \hat{e}(P_{pub} + N_1, Q_{ID})^r = g^r.$$
Hence $\sigma'$ in decryption equals $\sigma$ in encryption. Thus, applying decryption to a ciphertext recovers the original message $m$.

Based on the BDH and another assumption stated in the next section, we can prove that the variant is secure against the adaptive chosen ciphertext attack (IND-CCA2) in the random oracle model. Moreover, this scheme achieves some special properties that make it different from normal public key systems and the existing identity-based encryption schemes.

Claim 1 No more key escrow. Without knowing the private key $t$ ($PrkeyR$) of an entity, an adversary cannot decrypt a message encrypted for the entity, even with knowledge of the master-key $s$. This claim follows from Theorem 1 in the following section.

Claim 2 Partially identity-based. Without knowing $d_{ID}$ ($PrkeyL$) of an entity identified by $ID$, an adversary cannot decrypt a message encrypted for the entity even if the adversary replaces the entity's nickname $N_{ID}$ with its own choice. This claim follows from Theorem 2 in the following section. Because of this property, some special usages of the original IBE are still applicable in our scheme, e.g., an entity's $ID$ appended with an expiry time or credentials. An application example in Section 8 demonstrates this point.

Remark 1 Loosely binding nicknames. The extra public key parameter $N_{ID}$ introduced in our scheme need not be bound strictly (by a secure method) to the entity $ID$. $N_{ID}$ can be distributed through an insecure channel as the entity's nickname. If Alice wants to send a message to Bob but does not know Bob's nickname, she can ask Bob directly or query the PKC or any directory service publishing Bob's nickname. Because of Claim 2, the security of the communication cannot be compromised by Eve, who launches a man-in-the-middle attack and replaces Bob's nickname with her own choice, unless Eve is the PKC. This characteristic differentiates our scheme from normal certification-based public key systems. In [1], a simple way is presented to prevent the PKC from impersonating another entity in the man-in-the-middle attack. The basic idea is to bind entity A's identity $ID_A$ and nickname $N_A$ with A's real public key $Q_A$ by redefining $Q_A = H_1(ID_A \| N_A)$. If the PKC impersonates entity A, there will be two valid private keys for $ID_A$ with different nicknames, which can only be generated by the PKC.
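The five V-IBE algorithms above, worked through in a toy bilinear setting. This is an added illustration, not code from the paper: $G_1$ is modelled as $\mathbb{Z}_q$ written additively (the generator $P$ is the integer 1, so $xP$ is $x \bmod q$), $G_2$ as the order-$q$ subgroup of $\mathbb{Z}_p^*$ with $p = 2q + 1$, and the pairing as $\hat{e}(aP, bP) = g^{ab} \bmod p$. That map is bilinear and non-degenerate, so the consistency equation, the nickname check in Encrypt step 1 and the key dependence behind Claims 1 and 2 can all be exercised, but it has no security whatsoever (a discrete logarithm in this $G_1$ is the element itself). The 10-bit group order, the SHA-256 instantiations of $H_1$ to $H_4$, the sample identity and the message are all constructed for the demonstration.

```python
"""Toy model of V-IBE (Setup, Extract, Publish, Encrypt, Decrypt).

Added illustration, not the paper's code.  G1 is Z_q written additively
(P = 1, so xP is x mod q), G2 is the order-q subgroup of Z_p^* with
p = 2q + 1, and e(aP, bP) = g^(ab) mod p.  This is bilinear and
non-degenerate, so the scheme's equations can be checked, but it is NOT
secure: discrete logs in this G1 are trivial.  Sizes, hashes, identities
and messages below are all constructed for the demonstration.
"""
import hashlib
import secrets

Q = 1019            # prime group order (constructed toy size)
P_MOD = 2 * Q + 1   # 2039 is prime, so Z_p^* has a subgroup of order Q
G = 4               # a quadratic residue mod 2039, hence of order Q
N_BYTES = 16        # message space M = {0,1}^n with n = 128 bits
assert pow(G, Q, P_MOD) == 1 and G != 1


def pair(a, b):
    """Toy pairing e(aP, bP) = g^(ab) mod p; bilinear by construction."""
    return pow(G, (a * b) % Q, P_MOD)


def _h(tag, *parts):
    return hashlib.sha256(tag.encode() + b"".join(parts)).digest()


def H1(identity):           # {0,1}^* -> G1^*   (an integer in 1..Q-1)
    return 1 + int.from_bytes(_h("H1", identity), "big") % (Q - 1)


def H2(g2_elem):            # G2 -> {0,1}^n
    return _h("H2", g2_elem.to_bytes(2, "big"))[:N_BYTES]


def H3(sigma, m):           # {0,1}^n x {0,1}^n -> Z_q^*
    return 1 + int.from_bytes(_h("H3", sigma, m), "big") % (Q - 1)


def H4(sigma):              # {0,1}^n -> {0,1}^n
    return _h("H4", sigma)[:N_BYTES]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def setup():
    """PKC: master key s, public P_pub = sP (the generator P is 1)."""
    s = 1 + secrets.randbelow(Q - 1)
    return {"P": 1, "P_pub": s % Q}, s


def extract(params, s, identity):
    """PKC: PrkeyL d_ID = s * Q_ID with Q_ID = H1(ID)."""
    return (s * H1(identity)) % Q


def publish(params):
    """Entity: PrkeyR t and nickname N_ID = <tP, tP_pub>."""
    t = 1 + secrets.randbelow(Q - 1)
    return (t % Q, (t * params["P_pub"]) % Q), t


def encrypt(params, identity, nickname, m):
    n1, n2 = nickname
    # Step 1: reject the nickname unless e(N1, P_pub) = e(N2, P)
    if pair(n1, params["P_pub"]) != pair(n2, params["P"]):
        return None                                      # output bottom
    sigma = secrets.token_bytes(N_BYTES)                 # Step 2
    r = H3(sigma, m)
    g = pair((params["P_pub"] + n1) % Q, H1(identity))  # Step 3: e(P_pub + N1, Q_ID)
    g_r = pow(g, r, P_MOD)
    return (r % Q, xor(sigma, H2(g_r)), xor(m, H4(sigma)))  # Step 4: <rP, ., .>


def decrypt(params, identity, d_id, t, ct):
    """Needs both PrkeyL (d_ID) and PrkeyR (t); rejects on the U = r'P check."""
    u, v, w = ct
    g_prime = pair(u, (d_id + t * H1(identity)) % Q)    # e(U, d_ID + t*Q_ID)
    sigma = xor(v, H2(g_prime))
    m = xor(w, H4(sigma))
    return m if u == H3(sigma, m) else None


def demo():
    params, s = setup()
    alice = b"alice@example.org|expires=2004-12"        # constructed ID
    d_alice = extract(params, s, alice)
    nick_alice, t_alice = publish(params)
    m = b"sixteen byte msg"                              # constructed plaintext
    ct = encrypt(params, alice, nick_alice, m)
    recovered = decrypt(params, alice, d_alice, t_alice, ct)
    # Claim 1: the PKC knows s (hence d_ID) but not t, so a B-IBE style
    # decryption with d_ID alone (t = 0) does not yield the plaintext.
    pkc_attempt = decrypt(params, alice, d_alice, 0, ct)
    # Claim 2: Eve publishes her own nickname for Alice's ID; a message
    # encrypted under it still needs d_ID, which Eve (t_eve, no d_ID) lacks.
    nick_eve, t_eve = publish(params)
    ct_eve = encrypt(params, alice, nick_eve, m)
    eve_attempt = decrypt(params, alice, 0, t_eve, ct_eve)
    # Encrypt step 1: a nickname whose two halves are inconsistent is refused.
    refused = encrypt(params, alice, (nick_alice[0], (nick_alice[1] + 1) % Q), m)
    return recovered, pkc_attempt, eve_attempt, refused
```

`demo()` returns the plaintext recovered with both $PrkeyL$ and $PrkeyR$, the result of the PKC's $d_{ID}$-only attempt (Claim 1), the result of an attempt with a self-published nickname but no $d_{ID}$ (Claim 2), and `None` for the malformed nickname rejected before any encryption takes place.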

Remark 2 Forward security of the master key. Our scheme introduces an extra public and private key pair $\langle N_{ID}, t \rangle$, and only entity $ID$ knows the private key $t$. Hence even if the master key $s$ of the PKC is leaked, prior communications sent to entity $ID$ would not be exposed, but subsequent communication would become vulnerable to the man-in-the-middle attack.

4 The V-IBE's Security

Before defining the security of the scheme, we describe two primitives of the variant. Firstly, we prove that based on the BDH assumption it is hard for the PKC to compute $g'$ in decryption, even though it knows the master key $s$. To construct $g'$, the PKC needs to use the available information $(s, P, U = rP, Q_{ID} = aP, N_{ID} = \langle tP, tP_{pub} \rangle)$ to compute
$$g' = \hat{e}(U, d_{ID} + tQ_{ID}) = \hat{e}(rP, saP + taP) = \hat{e}(P,P)^{ra(s+t)}.$$

Lemma 1 Given $\langle q, G_1, G_2, \hat{e}, s, P, aP, rP, tP \rangle$, where $a, r, t \in \mathbb{Z}_q^*$ and $s$ is a fixed element in $\mathbb{Z}_q^*$, based on the BDH assumption it is hard to compute $\hat{e}(P,P)^{ra(s+t)}$.

Proof. If an adversary $A$ can solve the above problem, we can construct an adversary $B$ using $A$ as a subroutine to solve the BDH problem. Given a BDH challenge $\langle P, aP, bP, cP \rangle$, $B$ randomly selects an element $s$ from $\mathbb{Z}_q^*$ and passes $\langle s, P, aP, bP, cP \rangle$ as the challenge to $A$. Upon receiving the response $R$ from $A$, $B$ computes $\hat{e}(aP, bP)^s$ and returns $R \cdot \hat{e}(aP, bP)^{-s}$ as the response to the BDH challenge. If $A$ wins the game with non-negligible advantage, so does $B$, because if $R = \hat{e}(P,P)^{ab(s+c)}$, $B$'s response is $\hat{e}(P,P)^{ab(s+c)} \cdot \hat{e}(aP, bP)^{-s} = \hat{e}(P,P)^{abc}$.

Secondly, we show that if an adversary without the master key wants to compute $g' = \hat{e}(rP, Q_{ID})^{(s+t)}$ in decryption, it needs to solve some hard problem. Without the check step, the scheme is obviously insecure: an adversary can randomly select $j \in \mathbb{Z}_q^*$ and set $N_1 = tP = -P_{pub} + jP$ (i.e., $s + t = j \bmod q$), so as to compute $g' = \hat{e}(U, Q_{ID})^j$. But by applying the check step, the adversary needs to find $N_2 = tsP = (j - s)sP$ to pass the check. If the adversary successfully finds $N_2$, then it is able to compute $s^2P = jsP - N_2$. Given $\langle G_1, q, P, sP \rangle$, computing $s^2P$ is a squaring-DH problem in group $G_1$, which is as hard as a normal DH problem because the order of $G_1$ is known [16]. If an adversary $A$ knows $t$ and can compute $g'$, we can slightly modify $A$ to solve the BDH problem. Given a BDH problem $\langle P, sP, aP, rP \rangle$ where $s, a, r \in \mathbb{Z}_q^*$, after finding $N_1 = tP$, $A$ computes $R = \hat{e}(P,P)^{sar} \cdot \hat{e}(tP, P)^{ra}$ but outputs $R \cdot \hat{e}(rP, aP)^{-t} = \hat{e}(P,P)^{sar}$. The output is just the solution to the BDH problem. Note that a legitimate party has both $t$ and $saP$ to compute $R$. If $A$ does not know $t$ and $j = s + t \bmod q$, it seems hard to find $N_1$ and $N_2$ satisfying the check requirement and at the same time making the computation of $g'$ easy. Based on this evaluation, we propose an assumption.

Assumption 2 Given $\langle q, G_1, G_2, \hat{e}, P, sP, aP \rangle$ where $s, a \leftarrow_R \mathbb{Z}_q^*$, it is hard to find $N_1, N_2 \in G_1$ satisfying $\hat{e}(N_1, sP) = \hat{e}(N_2, P)$ and at the same time making the computation of $\hat{e}(P,P)^{sar} \cdot \hat{e}(N_1, P)^{ra}$ with $rP \leftarrow_R G_1$ easy (here "easy" means that a randomized polynomial time algorithm exists). (We refer to this assumption as the Bilinear EQuation (BEQ) assumption.)

Now, by defining two types of adversary, which correspond to an adversary with and without the master-key respectively, we state the security analysis in two theorems.

Definition: Type-I Attack An adversary with the master-key launches a Type-I attack by taking one or more of the following actions while interacting with a challenger, following the IND-CCA2 security notion.
1. Query the nickname of any entity $ID_i$.
2. Extract $PrkeyR$ of any entity $ID_i$ but $ID_{ch}$.
3. Be challenged on the chosen $ID_{ch}$ by providing two messages $m_0, m_1$.
4. Issue a decryption query $\langle ID_i, C_i \rangle$. The adversary can ask the challenger to decrypt the chosen ciphertexts. However, the adversary is prohibited from making a decryption query with the challenge ciphertext $C_{ch}$ on the combination of identity $ID_{ch}$ and the nickname $N_{ch}$.

If the adversary with the master-key also changes the nickname $N_{ch}$ of the entity $ID_{ch}$ on which it wants to be challenged, it knows both $d_{ch}$ and $t_{ch}$. Hence the scheme cannot protect information encrypted under $ID_{ch}$ and the changed nickname. In traditional public key cryptosystems this attack is not prevented either. This is the reason for the rules⁴ in the challenge phase. In the IND-CCA2 model, an adversary can continue to ask queries after the challenge phase. The advantage of an adversary is defined as the amount by which the probability of guessing the correct $b$ exceeds $1/2$ (i.e., Advantage $= \max\{\Pr[\text{guessing the correct } b] - 1/2,\ 0\}$).

Theorem 1 If there exists a Type-I IND-CCA2 adversary $A$ with non-negligible advantage against V-IBE, then there exists an adversary $B$ which can solve the BDHP with non-negligible advantage in the random oracle model.

Definition: Type-II Attack An adversary without the master-key launching a Type-II attack can take one or more of the following actions when interacting with a challenger.
1. Query the nickname of any entity $ID_i$.
2. Publish a nickname for any entity $ID_i$.

⁴ In fact, the adversary can publish any nickname for any entity, provided that in the challenge phase the challenger uses the original nickname (not one published by the adversary). For technical reasons we simplify the adversary model, which eases the proof of Theorem 1, and we think the restricted model is sufficient to address the threat in practice.

3. Extract $PrkeyL$ of any entity $ID_i$ except $ID_{ch}$.
4. Extract $PrkeyR$ of any entity $ID_i$. But the adversary should not query $PrkeyR$ of a nickname published by itself.
5. Be challenged on the chosen $ID_{ch}$ by providing two messages $m_0, m_1$. Note that there is no requirement on the nickname of $ID_{ch}$. Hence the adversary can be challenged on an entity whose nickname is published by the adversary. The challenger randomly chooses $b \in \{0,1\}$ and provides the ciphertext $C_{ch}$ of $m_b$.
6. Issue a decryption query $\langle ID_i, C_i \rangle$. The adversary is not allowed to query with the challenge ciphertext $C_{ch}$ on the combination of identity $ID_{ch}$ and the nickname used in the challenge query.

The adversary can query the private key $PrkeyL$ of any entity $ID_i$ except $ID_{ch}$ and can publish a nickname for any entity. The advantage is defined similarly to that of the Type-I adversary.

Theorem 2 If there exists a Type-II IND-CCA2 adversary $A$ against V-IBE with non-negligible advantage, then there exists an adversary $B$ which can solve the BEQ problem with non-negligible advantage in the random oracle model.

We follow the method in [3] to prove Theorem 1 and use a methodology similar to [11] to prove Theorem 2. Overall the proofs are similar to those of Theorems 1 and 2 in [1], but with different assumptions (the authors proposed a GBDH⁵ assumption in [1]). To prove Theorems 1 and 2, we first define four encryption schemes: BasicPub, BasicPub$^{hy}$, BasicPub$'$ and BasicPub$'^{hy}$.

Definition 2 BasicPub BasicPub is specified by three algorithms: keygen, encrypt and decrypt.
keygen: Given a security parameter $k$, the parameter generator follows these steps.
1. Generate two cyclic groups $G_1, G_2$ of prime order $q$ and a bilinear pairing map $\hat{e}: G_1 \times G_1 \to G_2$. Pick a random generator $P \in G_1$.
2. Pick a random $s \in \mathbb{Z}_q^*$ and compute $P_{pub} = sP$. Choose a random $Q_{ID} \in G_1^*$. Pick a random $t \in \mathbb{Z}_q^*$ and compute $N_{ID} = \langle N_1, N_2 \rangle = \langle tP, tP_{pub} \rangle$.
3. Pick a cryptographic hash function $H_2: G_2 \to \{0,1\}^n$ for some integer $n > 0$.
The message space is $\mathcal{M} = \{0,1\}^n$. The ciphertext space is $\mathcal{C} = G_1 \times \{0,1\}^n$. The public params are $\langle q, G_1, G_2, \hat{e}, n, t, P, P_{pub}, Q_{ID}, N_{ID}, H_2 \rangle$ and the private key is $d_{ID} = sQ_{ID}$. $N_{ID}$ and $t$ in the params are replaceable.
encrypt: Given a plaintext $m \in \mathcal{M}$, the $ID$ and the public params, follow these steps:
1. Check that the equation $\hat{e}(N_1, P_{pub}) = \hat{e}(N_2, P)$ holds. If not, output $\bot$ and abort encryption.

⁵ Given $\langle P, aP, bP, cP \rangle$ such that $a, b, c \leftarrow_R \mathbb{Z}_q^*$, it is assumed to be hard to output $Q \in G_1$ and $\hat{e}(P,Q)^{abc}$.

2. Choose a random $r \in \mathbb{Z}_q^*$ and compute $C = \langle rP,\ m \oplus H_2(g^r) \rangle$, where $g = \hat{e}(P_{pub} + N_1, Q_{ID})$.
decrypt: Given a ciphertext $C = \langle U, V \rangle$, the public params and the private key $d_{ID}$, follow these steps:
1. Compute $g' = \hat{e}(U, d_{ID} + tQ_{ID})$.
2. Compute $m = V \oplus H_2(g')$.

Definition 3 BasicPub$'$ BasicPub$'$ is similar to BasicPub except that $s$ is publicly available, and so is $d_{ID}$, but $t$ is kept secret. Hence the public params are $K_{pub} = \langle q, G_1, G_2, \hat{e}, n, s, P, P_{pub}, Q_{ID}, d_{ID}, N_{ID}, H_2 \rangle$ and the private key is $t$. Note that in this scheme $N_{ID}$ in the params cannot be changed.

Definition 4 BasicPub$^{hy}$ BasicPub$^{hy}$ is specified by three algorithms: keygen, encrypt, decrypt.
keygen: This algorithm is identical to keygen of BasicPub, except that it chooses two additional hash functions $H_3: \{0,1\}^n \times \{0,1\}^n \to \mathbb{Z}_q^*$ and $H_4: \{0,1\}^n \to \{0,1\}^n$. The message space is $\mathcal{M} = \{0,1\}^n$. The ciphertext space is $\mathcal{C} = G_1 \times \{0,1\}^n \times \{0,1\}^n$. The public params are $\langle q, G_1, G_2, \hat{e}, n, t, P, P_{pub}, Q_{ID}, N_{ID}, H_2, H_3, H_4 \rangle$ and the private key is $d_{ID} = sQ_{ID}$. $N_{ID}$ and $t$ in the params are replaceable.
encrypt: Given a plaintext $m \in \mathcal{M}$, the $ID$ and the public key, follow these steps:
1. Check that the equation $\hat{e}(N_1, P_{pub}) = \hat{e}(N_2, P)$ holds. If not, output $\bot$ and abort encryption.
2. Pick a random $\sigma \in \{0,1\}^n$ and compute $r = H_3(\sigma, m)$.
3. Compute $g = \hat{e}(P_{pub} + N_1, Q_{ID})$.
4. Set the ciphertext to $C = \langle rP,\ \sigma \oplus H_2(g^r),\ m \oplus H_4(\sigma) \rangle$.
decrypt: Given a ciphertext $C = \langle U, V, W \rangle$, the public key and the private key $\langle d_{ID}, t \rangle$, follow these steps.
1. Compute $g' = \hat{e}(U, d_{ID} + tQ_{ID})$ and $\sigma' = V \oplus H_2(g')$.
2. Compute $m' = W \oplus H_4(\sigma')$ and $r' = H_3(\sigma', m')$.
3. If $U \neq r'P$, reject the ciphertext, else return $m'$ as the plaintext.

Definition 5 BasicPub$'^{hy}$ BasicPub$'^{hy}$ is similar to BasicPub$^{hy}$ except that $s$ is publicly available, and so is $d_{ID}$, but $t$ is the private key. Hence the public params are $\langle q, G_1, G_2, \hat{e}, n, s, P, P_{pub}, Q_{ID}, d_{ID}, N_{ID}, H_2, H_3, H_4 \rangle$ and the private key is $t$. Note that in this scheme $N_{ID}$ in the params cannot be changed.

Proof of Theorem 1. Proof. This theorem follows straightforwardly from Lemma 2, Lemma 3 and Lemma 4 below.

Lemma 2 Suppose that $H_1$ is a random oracle and that there exists a Type-I IND-CCA2 adversary $A$ against V-IBE with advantage $n(k)$ which makes at most $q_1$ queries to $H_1$. Then there exists a Type-I IND-CCA2 adversary $B$ against BasicPub$'^{hy}$ with advantage at least $n(k)/q_1$ which runs in time $O(\mathrm{time}(A))$.

Proof. We construct an IND-CCA2 adversary $B$ that uses $A$ to gain advantage against BasicPub$'^{hy}$. The game between challenger $C$ and adversary $B$ starts with the challenger first generating a random public key by running algorithm keygen of BasicPub$'^{hy}$. The result is the public params $K_{pub} = \langle q, G_1, G_2, \hat{e}, n, s, P, P_{pub}, Q_{ID}, d_{ID}, N_{ID}, H_2, H_3, H_4 \rangle$ and a private key $t$. The challenger passes $K_{pub}$ to adversary $B$. Adversary $B$ mounts an IND-CCA2 attack on BasicPub$'^{hy}$ with params $K_{pub}$ using the help of $A$. $B$ interacts with $A$ as follows.

$B$ chooses an index $I$ with $1 \le I \le q_1$ and simulates the algorithm Setup of V-IBE for $A$ by supplying $A$ with the V-IBE $params = \langle q, G_1, G_2, \hat{e}, n, P, P_{pub}, H_1, H_2, H_3, H_4 \rangle$, where $H_1$ is a random oracle controlled by $B$. $B$ uses the value $s$ as the master-key. Adversary $A$ can make queries to $H_1$ at any time. These queries are handled by the algorithm $H_1$-queries.

$H_1$-queries ($ID_i$): $B$ maintains a list of tuples $\langle ID_j, Q_j, h_j, t_j, N_j \rangle$ as explained below. We refer to this list as $H_1^{list}$. The list is initially empty. When $A$ queries the oracle $H_1$ at a point $ID_i$, $B$ responds as follows:
1. If the query $ID_i$ already appears on $H_1^{list}$ in a tuple $\langle ID_i, Q_i, h_i, t_i, N_i \rangle$, then $B$ responds with $H_1(ID_i) = Q_i \in G_1$.
2. If the query is on the $I$-th distinct $ID$, then $B$ stores $\langle ID_I, Q_{ID}, \bot, \bot, N_{ID} \rangle$ in the tuple list and responds with $H_1(ID_I) = Q_{ID}$.
3. Otherwise, $B$ selects random integers $h_i$ and $t_i$ from $\mathbb{Z}_q^*$, computes $Q_i = h_iP$ and $N_i = \langle t_iP, t_iP_{pub} \rangle$, stores $\langle ID_i, Q_i, h_i, t_i, N_i \rangle$ in the tuple list, and responds with $H_1(ID_i) = Q_i$.

Phase 1: $A$ launches Phase 1 of its attack by making a series of requests, each of which is either a query for an entity's nickname, a $PrkeyR$ extraction, a decryption query, or a request to publish a nickname. $B$ replies to these requests as follows:
Query Nickname ($ID_i$): $B$ returns $N_i$, which is the component of the tuple corresponding to $ID_i$ in $H_1^{list}$.
Extract $PrkeyR$ ($ID_i$): If the query is on $ID_I$, $B$ aborts the game (Event 1); otherwise $B$ responds with $t_i$, which is from the tuple corresponding to $ID_i$ in $H_1^{list}$.
Decryption Query ($ID_i, C_i$): If the request is to decrypt $C_i = \langle U, V, W \rangle$ under the private key for $ID_I$, then $B$ relays the decryption query $\langle U, V, W \rangle$ to $C$ and simply relays the plaintext obtained from $C$ to $A$ directly. Otherwise $B$ tries to perform the decryption by computing $\hat{e}(U, sQ_i + t_iQ_i)$. Note that even though $B$ knows $t_i$, it still possibly outputs $\bot$, because it is likely that the ciphertext was generated under another nickname.

Challenge Phase: At some point, $A$ decides to end Phase 1 and picks $ID_{ch}$ and two messages $m_0, m_1$ on which it wants to be challenged. We assume that $ID_{ch}$ has been queried to $H_1$; otherwise, $B$ can simply query $H_1$ on $ID_{ch}$. $B$ responds as follows. If $ID_{ch} \neq ID_I$ then $B$ aborts (Event 2). Otherwise $B$ passes $C$ the

pair $m_0, m_1$ as the messages on which it wishes to be challenged. $C$ responds with the challenge ciphertext $C_{ch} = \langle U, V, W \rangle$ such that $C_{ch}$ is the encryption of $m_b$ under $K_{pub}$ for a random $b \leftarrow_R \{0,1\}$. Then $B$ forwards $C_{ch}$ to $A$. Note that according to the challenge rule, $A$ has to be challenged under $ID_{ch}$'s original nickname $N_{ID}$. Hence $C_{ch}$ is a valid ciphertext of $m_b$ for the challenge purpose.

Phase 2: $B$ continues to respond to requests in the same way as it did in Phase 1. But if any decryption query relayed to $C$ is equal to the challenge ciphertext $C_{ch}$, then $B$ aborts (Event 3).

Guess: $A$ makes a guess $b'$ for $b$. $B$ outputs $b'$ as its own guess.

Claim: If algorithm $B$ does not abort during the simulation, then algorithm $A$'s view is identical to its view in the real attack.

Proof. $B$'s responses to $H_1$ queries are uniformly and independently distributed in $G_1$ as in the real attack. All responses to $A$'s requests are valid if $B$ does not abort. Furthermore, the challenge ciphertext $C_{ch}$ is a valid encryption in V-IBE of $m_b$, where $b \in \{0,1\}$ is random. Thus, by definition of algorithm $A$ we have that $2(\Pr[b = b'] - 1/2) \ge n(k)$.

The remaining problem is to calculate the probability that $B$ does not abort during the simulation. Algorithm $B$ could abort when one of the following events happens: (1) Event 1, denoted $\mathcal{H}_1$: $A$ queries $PrkeyR$ for $ID_I$ at some point; (2) Event 2, denoted $\mathcal{H}_2$: $A$ did not choose $ID_I$ as $ID_{ch}$; or (3) Event 3, denoted $\mathcal{H}_3$: $A$ relayed a decryption query on $C_{ch} = \langle U, V, W \rangle$ to $C$ in Phase 2. Because of the way that $B$ forwards ciphertexts, the last event implies that $A$ did not choose $ID_I$. We also notice that the event $\neg\mathcal{H}_2$ implies the event $\neg\mathcal{H}_1$. Hence we have
$$\Pr[B \text{ does not abort}] = \Pr[\neg\mathcal{H}_1 \wedge \neg\mathcal{H}_2 \wedge \neg\mathcal{H}_3] = \Pr[\neg\mathcal{H}_2] = 1/q_1.$$
So the lemma follows.

Lemma 3 Suppose that $H_3, H_4$ are random oracles. Let $A$ be a Type-I IND-CCA2 adversary against BasicPub$'^{hy}$. If $A$ has non-negligible advantage against BasicPub$'^{hy}$, then there exists a Type-I IND-CPA (chosen plaintext attack [2]) adversary $B$ against BasicPub$'$ with non-negligible advantage.

Proof. The proof follows easily from Theorem 4.5 in [3]. We can regard $t$ and $N_1 = tP$ in BasicPub$'^{hy}$ of V-IBE as $s$ and $P_{pub} = sP$ in the BasicPub$^{hy}$ of B-IBE in [3], respectively. $s$, $P_{pub}$ and $d_{ID}$ in BasicPub$'^{hy}$ are fixed values which do not affect the scheme's security.

Lemma 4 Suppose that $H_2$ is a random oracle. Suppose there exists a Type-I IND-CPA adversary $A$ against BasicPub$'$ which has non-negligible advantage $n(k)$ and queries $H_2$ at most $q_2$ times. Then there exists an algorithm $B$ that solves the BDH problem with non-negligible advantage $n(k)/q_2$.

Proof. The proof is similar to Lemma 4.3 in [3]. Algorithm $B$ is given as input the BDH parameters $\langle q, G_1, G_2, \hat{e} \rangle$ produced by $\mathcal{G}$ and a random instance $\langle P, aP, bP, cP \rangle$, where $a, b, c$ are random in $\mathbb{Z}_q^*$ and $P$ is random in $G_1^*$. Let $D = \hat{e}(P,P)^{abc} \in G_2$ be the solution to this BDH problem. Algorithm $B$ finds $D$ by interacting with $A$ as follows.

Algorithm $B$ simulates algorithm keygen of BasicPub$'$ to create the public params $K_{pub} = \langle q, G_1, G_2, \hat{e}, n, s, P, P_{pub}, Q_{ID}, d_{ID}, N_{ID}, H_2 \rangle$ by randomly choosing $s$ from $\mathbb{Z}_q^*$ and setting $P_{pub} = sP$, $N_{ID} = \langle aP, saP \rangle$, $Q_{ID} = bP$ and $d_{ID} = sbP$. $H_2$ is a random oracle controlled by $B$. So the private key $t$ equals $a$, which $B$ does not know. Algorithm $B$ passes the public key $K_{pub}$ of BasicPub$'$ to $A$ and responds to queries as follows.

$H_2$-queries ($X_i$): At any time algorithm $A$ can issue queries to the random oracle $H_2$. To respond to these queries $B$ maintains a list of tuples called $H_2^{list}$. Each entry in the list is a tuple of the form $\langle X_i, H_i \rangle$. To respond to a query $X_i$, $B$ does the following:
1. If the query $X_i$ is on the list in a tuple $\langle X_i, H_i \rangle$, then respond with $H_2(X_i) = H_i$.
2. Otherwise, $B$ randomly chooses a string $H_i \in \{0,1\}^n$ and adds the tuple $\langle X_i, H_i \rangle$ to the list. It responds to $A$ with $H_2(X_i) = H_i$.

Challenge: Algorithm $A$ outputs two messages $m_0, m_1$ on which it wants to be challenged. $B$ chooses a random string $R \in \{0,1\}^n$ and defines $C_{ch} = \langle U, V \rangle = \langle cP, R \rangle$. $B$ gives $C_{ch}$ as the challenge to $A$. Observe that the decryption of $C_{ch}$ is
$$V \oplus H_2(\hat{e}(U, d_{ID} + tQ_{ID})) = R \oplus H_2(\hat{e}(cP, d_{ID} + abP)) = R \oplus H_2(D \cdot \hat{e}(cP, bP)^s).$$

Guess: Algorithm $A$ outputs its guess $c' \in \{0,1\}$. At this point $B$ picks a random tuple $\langle X_i, H_i \rangle$ from $H_2^{list}$ and outputs $X_i \cdot \hat{e}(cP, bP)^{-s}$.

Let $\mathcal{H}$ be the event that algorithm $A$ issues a query for $H_2(D \cdot \hat{e}(cP, bP)^s)$ at some point during the simulation above. Using the same methods as in [3], we can prove the following two claims:
Claim 1: $\Pr[\mathcal{H}]$ in the simulation above is equal to $\Pr[\mathcal{H}]$ in the real attack.
Claim 2: In the real attack we have $\Pr[\mathcal{H}] \ge 2n(k)$.
Assuming that $A$ has queried $q_2$ distinct values of $H_2$, it follows from the above two claims that $B$ produces the correct answer with probability at least $2n(k)/q_2$.

Proof of Theorem 2. Proof. This theorem follows directly from Lemma 5, Lemma 6 and Lemma 7 below. The basic strategy follows the method in [11], which implies that the scheme has the plaintext-awareness property. Note that in the random oracle model, a plaintext-aware system is IND-CCA2 secure [2].

Lemma 5 Suppose that $H_2$ is a random oracle. Suppose there exists a Type-II OWE (one-way encryption [11]) adversary $A$ against BasicPub which has non-negligible advantage. Then there exists an algorithm $B$ to solve the BEQ problem with non-negligible advantage.

13 Proof. We construct the algorithm B by using A as a sub-routine. B will call A only once. Assume that B queries H 2 for q 2 times. Given a BEQ oracle C, which provides q, G 1, G 2, ê, P, sp, ap, B simulates algorithm keygen of BaiscP ub to generate the system parameters q, G 1, G 2, ê, n, t, P, P pub = sp, Q ID = ap, N ID, H 2 where t is chosen from Z q randomly by B and N ID = tp, tsp and H 2 is a random oracle controlled by B. B answers the H 2 -queries as follows. B maintains an initially empty list H2 list storing pairs of σ i, H 2,i. If the queried σ j is on the list, then return H 2,j ; otherwise, randomly choose r R {0, 1} n and reply with r, and at some time insert the pair σ j, r into the list. In the attack, A, as a Type-II OWE, can update the nickname N ID with its own selection N 1, N 2. B checks if the equation ê(n 1, sp ) = ê(n 2, P ) holds. If not, then B terminates the game and, in this case A failed. When A requires a ciphertext, B asks C to generate a random rp (B needs to compute R = ê(p, P ) sar ê(n 1, P ) ar ). Then B generates the challenge ciphertext C = U, V = rp, V to A by randomly choosing V R {0, 1} n. To recover the correct plaintext m corresponding to C, A needs to compute V H 2 (R). B randomly chooses i from {1,..., q 2 } and returns H 2,i. Assume A wins the game with non-negligible probability n(k). Let H denote the event that H 2 (R) was queried. Because H 2 is a random oracle, if A does not query H 2 (R), it can only guess the correct H 2 (R) with negligible probability ɛ(k) by some means. Hence n(k) = P r[a wins] = P r[a wins H]P r[h] + P r[a wins H]P r[ H] P r[a wins H]P r[h] + ɛ(k) P r[h] + ɛ(k) Hence And so, P r[h] n(k) ε(k) = n (k). P r[b wins] n (k)/q 2. Lemma 6 Suppose that H 3, H 4 are random oracles. Let A be a Type-II IND- CPA adversary against BasicP ub hy. If A has non-negligible advantage against BasicP ub hy, then there exists a Type-II OWE adversary B against BasicP ub with non-negligible advantage. Proof. 
We use $\mathcal{A}$ as a sub-routine to construct the algorithm $\mathcal{B}$. Given the system parameters $\langle q, G_1, G_2, \hat{e}, n, t, P, P_{pub}, Q_{ID}, N_{ID}, H_2 \rangle$ of a BasicPub scheme from the challenger $\mathcal{C}$, $\mathcal{B}$ generates the system parameters $\langle q, G_1, G_2, \hat{e}, n, t, P, P_{pub}, Q_{ID}, N_{ID}, H_2, H_3, H_4 \rangle$ of BasicPub$^{hy}$ for $\mathcal{A}$, where $H_3$ and $H_4$ are two random oracles controlled by $\mathcal{B}$. $\mathcal{B}$ responds to $\mathcal{A}$'s queries in the following way.

$H_3$-queries. $\mathcal{B}$ responds as a normal random oracle.

$H_4$-queries. $\mathcal{B}$ maintains an initially empty list $H_4^{list}$ storing pairs of the form $\langle \sigma_j, H_{4,j} \rangle$. For a query $\sigma_l$, if the query has been asked before, then $\mathcal{B}$ responds with the corresponding $H_{4,l}$; otherwise, $\mathcal{B}$ randomly chooses $r \in_R \{0,1\}^n$ and replies with $r$ after inserting a new tuple $\langle \sigma_l, r \rangle$ into the list.

Publish Nickname ($N_{ID} = \langle N_1, N_2 \rangle$). As a Type-II adversary, $\mathcal{A}$ can possibly change the nickname in the system parameters. $\mathcal{B}$ checks whether the equation $\hat{e}(N_1, sP) = \hat{e}(N_2, P)$ holds. If not, $\mathcal{A}$ fails and $\mathcal{B}$ terminates the game. Otherwise, $\mathcal{B}$ asks $\mathcal{C}$ to replace $N_{ID}$ with the new $N_{ID}$ and to update $t = $ .

Challenge Phase. $\mathcal{A}$ provides two messages $m_0, m_1$ and requires $\mathcal{B}$ to respond with a ciphertext. $\mathcal{B}$ first asks its challenger $\mathcal{C}$ to generate a ciphertext $C' = \langle U, V \rangle$. Then $\mathcal{B}$ constructs the ciphertext $C = \langle U, V, W \rangle$ for $\mathcal{A}$ by randomly choosing $W \in_R \{0,1\}^n$. Note that $\mathcal{B}$ needs to recover the plaintext $m' = V \oplus H_2(R)$, where $R = \hat{e}(U, Q_{ID})^s\,\hat{e}(U, Q_{ID})^t$ and $N_1 = tP$. And if $\mathcal{A}$ can fully recover the plaintext corresponding to $C$, it needs to compute $m = W \oplus H_4(\sigma)$ where $\sigma = V \oplus H_2(R)$, which is exactly the message $m'$ that $\mathcal{B}$ should compute to win the game with $\mathcal{C}$. After $\mathcal{A}$ responds, assuming $\mathcal{A}$ has made $q_4$ $H_4$-queries, $\mathcal{B}$ randomly chooses $j \in \{1, \ldots, q_4\}$ and responds to $\mathcal{C}$ with $H_{4,j}$.

Analysis: First, except for the challenge phase, $\mathcal{A}$ cannot differentiate the simulation from the real attack. Because $H_4$ is supposed to be a random oracle, before $H_4(\sigma)$ is queried (let $\mathcal{H}$ denote the event that $H_4(\sigma)$ is queried) the equation $m' = m_b$ (i.e., the plaintext $m'$ of the ciphertext $C$ generated by $\mathcal{B}$ in the challenge phase equals one of the messages $m_b$ provided by $\mathcal{A}$) holds with equal probability for $b \in \{0,1\}$. Hence, without querying $H_4(\sigma)$, $\mathcal{A}$ wins the game with probability $1/2 + \epsilon(k)$ for some negligible function $\epsilon(k)$. However, $\mathcal{A}$ wins the game with advantage given by some non-negligible function $n(k)$. We have

$$1/2 + n(k) = \Pr[\mathcal{A}\text{ wins}] = \Pr[\mathcal{A}\text{ wins} \mid \mathcal{H}]\Pr[\mathcal{H}] + \Pr[\mathcal{A}\text{ wins} \mid \neg\mathcal{H}]\Pr[\neg\mathcal{H}] \le \Pr[\mathcal{A}\text{ wins} \mid \mathcal{H}]\Pr[\mathcal{H}] + 1/2 + \epsilon(k) \le \Pr[\mathcal{H}] + 1/2 + \epsilon(k).$$

So $\Pr[\mathcal{H}] \ge n(k) - \epsilon(k) \ge n'(k)$ for some non-negligible function $n'(k)$. Because $\mathcal{B}$ randomly chooses an item from $H_4^{list}$, $\Pr[\mathcal{B}\text{ wins}] \ge n'(k)/q_4$.

Lemma 7. Suppose that $H_1$ is a random oracle and that there exists a Type-II IND-CCA2 adversary $\mathcal{A}$ against V-IBE with non-negligible advantage. Then there exists a Type-II IND-CPA adversary $\mathcal{B}$ against BasicPub$^{hy}$ with non-negligible advantage.

Proof. If there exists a CCA adversary $\mathcal{A}$ that breaks V-IBE, we can use $\mathcal{A}$ to construct another adversary, a CPA adversary $\mathcal{B}$, which breaks BasicPub$^{hy}$. The game between adversary $\mathcal{B}$ and the challenger $\mathcal{C}$ of BasicPub$^{hy}$ starts with $\mathcal{C}$ first generating the system params by running algorithm keygen of BasicPub$^{hy}$. The result is the system params $= \langle q, G_1, G_2, \hat{e}, n, t, P, P_{pub}, Q_{ID}, N_{ID}, H_2, H_3, H_4 \rangle$. The challenger passes the system params to $\mathcal{B}$. Adversary $\mathcal{B}$ mounts an IND-CPA attack on the system with the help of $\mathcal{A}$. $\mathcal{B}$ interacts with $\mathcal{A}$ as follows. Assume $\mathcal{A}$ wins the game with non-negligible advantage $n(k)$ and queries $H_1$ $q_1$ times. $\mathcal{B}$ chooses an index $I$ with $1 \le I \le q_1$ and simulates algorithm Setup of V-IBE for $\mathcal{A}$ by supplying $\mathcal{A}$ with params $= \langle q, G_1, G_2, \hat{e}, n, P, P_{pub}, H_1, H_2, H_3, H_4 \rangle$. Here $q, G_1, G_2, \hat{e}, n, P, P_{pub}, H_2, H_3, H_4$ are supplied by the challenger $\mathcal{C}$, and $H_1$ is a random oracle controlled by $\mathcal{B}$ as described below.

$H_1$-queries ($ID_i$): At any time adversary $\mathcal{A}$ can query the random oracle $H_1$. To respond to these queries adversary $\mathcal{B}$ maintains a list of tuples $\langle ID_j, Q_j, h_j, t_j, N_j \rangle$ as explained below. We refer to this list as $H_1^{list}$. The list is initially empty. When $\mathcal{A}$ queries the oracle $H_1$ at a point $ID_i$, adversary $\mathcal{B}$ responds as follows:
1. If the query $ID_i$ already appears on $H_1^{list}$ in a tuple $\langle ID_i, Q_i, h_i, t_i, N_i \rangle$, then adversary $\mathcal{B}$ responds with $H_1(ID_i) = Q_i \in G_1$.
2. If the query is the $I$-th distinct query on $H_1$, $\mathcal{B}$ returns $Q_{ID}$ after adding the tuple $\langle ID_I, Q_{ID},\ , t, N_{ID} \rangle$ to the list.
3. Otherwise, $\mathcal{B}$ selects two random integers $h_i, t_i$ from $\mathbb{Z}_q$, computes $Q_i = h_i P$ and $N_i = \langle t_i P, t_i P_{pub} \rangle$, and adds the tuple $\langle ID_i, Q_i, h_i, t_i, N_i \rangle$ to the list. $\mathcal{B}$ returns $H_1(ID_i) = Q_i$.

$H_2$-queries: $\mathcal{B}$ relays the queries and answers between $\mathcal{A}$ and $\mathcal{C}$.

$H_3$-queries ($\sigma_i, m_i$): $\mathcal{B}$ relays the queries and answers between $\mathcal{A}$ and $\mathcal{C}$. However, $\mathcal{B}$ records each query on an initially empty list $H_3^{list}$ in the form $\langle \sigma_i, m_i, H_{3,i} \rangle$, where $H_{3,i}$ is the answer from $\mathcal{C}$ on the query.

$H_4$-queries ($\sigma_j$): $\mathcal{B}$ relays the queries and answers between $\mathcal{A}$ and $\mathcal{C}$. However, $\mathcal{B}$ records each query on an initially empty list $H_4^{list}$ in the form $\langle \sigma_j, H_{4,j} \rangle$, where $H_{4,j}$ is the answer from $\mathcal{C}$ on the query $\sigma_j$.

Phase 1: $\mathcal{A}$ launches Phase 1 of its attack by making a series of requests, each of which is either a query for an entity's nickname, a PrKeyL extraction, a PrKeyR extraction, a decryption query, or a request to publish a nickname. $\mathcal{B}$ replies to these requests as follows:

Query Nickname ($ID_i$): $\mathcal{B}$ responds to the query by returning $N_i$ from the tuple corresponding to $ID_i$. We assume that such a tuple exists; otherwise there is no such entity in the system, and $\mathcal{B}$ can use the $H_1$-queries algorithm to create the tuple for $ID_i$.

Publish Nickname ($ID_i, N_i$): $\mathcal{B}$ responds with the following steps:
1. If no tuple corresponding to $ID_i$ exists on the list $H_1^{list}$, $\mathcal{B}$ follows the $H_1$-queries algorithm to create the tuple, uses $N_i$ as the nickname and sets $t_i = $ .
2. Otherwise, $\mathcal{B}$ updates $N_i$ in the tuple corresponding to $ID_i$ and sets $t_i = $ .
3. If $ID_i = ID_I$, then $\mathcal{B}$ updates $N_{ID}$ in the system parameters of BasicPub$^{hy}$ with the given $N_i$ and sets $t = $ .

Extract PrKeyL ($ID_i$): To respond to the Extract query adversary $\mathcal{B}$ takes the following actions:
1. If the query is on $ID_I$, then $\mathcal{B}$ aborts the game (Event 1).
2. Otherwise, $\mathcal{B}$ returns $d_i = h_i P_{pub} = s h_i P = s Q_i$, where $h_i$ is from the tuple corresponding to $ID_i$.

Extract PrKeyR ($ID_i$): $\mathcal{B}$ returns $t_i$ from the tuple corresponding to the queried $ID_i$.

Decryption Queries. Because $\mathcal{B}$ is supposed to be a CPA adversary, it has no access to the decryption oracle. To answer this type of query, $\mathcal{B}$ will use a so-called knowledge extractor algorithm $K$ [1] [11]. Given a ciphertext $C = \langle U, V, W \rangle$, the identity $ID_l$ used and the nickname $N_l$, $K$ proceeds as follows:
1. Set two empty lists, $S_1$ and $S_2$.
2. Find all elements in $H_3^{list}$ such that $\langle U, V \rangle = \text{BasicPub}_{ID_l, N_l}(\sigma_i; H_{3,i})$ and put them into the list $S_1$. $\text{BasicPub}_{ID_l, N_l}$ is the BasicPub algorithm with the system parameters $\langle q, G_1, G_2, \hat{e}, n,\ , P, P_{pub}, ID_l, N_l, H_2 \rangle$. Note that for encryption in BasicPub, the corresponding PrKeyR (i.e., $t$) is not necessary. If $S_1$ is empty, then abort the game (Event 2).
3. For every $\langle \sigma_i, m_i, H_{3,i} \rangle$ in $S_1$, find all elements in $H_4^{list}$ such that $\sigma_i = \sigma_j$ and put them (the tuples $\langle \sigma_i, m_i, H_{3,i}, H_{4,j} \rangle$) into $S_2$. If $S_2$ is empty, then abort the game (Event 2).
4. Check in $S_2$ whether there exists a $\langle \sigma_i, m_i, H_{3,i}, H_{4,j} \rangle$ such that $W = m_i \oplus H_{4,j}$. If such an entry exists, output $m_i$ as the decryption of $C$. Otherwise, abort the game (Event 2).

Challenge Phase: At some point, $\mathcal{A}$ decides to end Phase 1 and picks $ID_{ch}$ with nickname $N_{ch}$ (the nickname was possibly published by the adversary) and two messages $m_0, m_1$ on which it wants to be challenged. We assume that $ID_{ch}$ has been queried on $H_1$; otherwise $\mathcal{B}$ can just query $H_1(ID_{ch})$. $\mathcal{B}$ responds as follows.
1. If $ID_{ch} \ne ID_I$, then $\mathcal{B}$ aborts the game (Event 3).
2. Otherwise $\mathcal{B}$ gives $\mathcal{C}$ the pair $\langle m_0, m_1 \rangle$ as the messages. $\mathcal{C}$ responds with the challenge ciphertext $C = \langle U, V, W \rangle$ such that $C$ is the encryption of $m_b$ under $Q_{ID}$ and some nickname $N_{ch}$ for a random $b \in \{0,1\}$. Then $\mathcal{B}$ relays $C$ to $\mathcal{A}$.

Phase 2: $\mathcal{B}$ continues to respond to requests in the same way as it did in Phase 1, and the usual CCA2 restriction on Phase 2 applies.

Guess: $\mathcal{A}$ makes a guess $b'$ for $b$. $\mathcal{B}$ outputs $b'$ as its guess.

Claim: If the adversary $\mathcal{B}$ does not abort during the simulation and $K$ answers correctly, then adversary $\mathcal{A}$'s view is identical to its view in the real attack. $\mathcal{B}$'s responses to $H_1$ queries are uniformly and independently distributed in $G_1$, as in the real attack. All responses to $\mathcal{A}$'s requests are valid (note that it can be proved that the response to a decryption query using $K$ is invalid with only negligible probability), if $\mathcal{B}$ doesn't abort. Furthermore, the challenge ciphertext $C$ is a valid encryption in V-IBE under $ID_I$ and the nickname $N_{ch}$ for $m_b$, where $b \in \{0,1\}$ is random. Thus, by definition of adversary $\mathcal{A}$ we have that $2(\Pr[b = b'] - \frac{1}{2}) \ge n(k)$.

The remaining problem is to calculate the probability that $\mathcal{B}$ can simulate the real system for $\mathcal{A}$ during the attack. $\mathcal{B}$ can simulate the real system if none of the following events happens: (1) Event 1, denoted by $\mathcal{H}_1$, that $\mathcal{A}$ extracted PrKeyL on $ID_I$ at some point; (2) Event 2, denoted by $\mathcal{H}_2$, that $\mathcal{B}$ cannot answer a decryption query correctly (an abort or an invalid answer); or (3) Event 3, denoted by $\mathcal{H}_3$, that $\mathcal{A}$ does not choose $ID_I$ as the challenge identity. Assume that $\mathcal{A}$ has asked $q_e$ decryption queries and the knowledge extractor

used answers a query correctly with probability at least $\lambda$. (Based on the results of Lemma 5 and Lemma 6, we can use a method similar to the one used to prove Lemma 11 in [11] or Lemma 9 in [1] to prove that $1 - \lambda(k)$ is negligible.) As $\mathcal{H}_3$ implies $\mathcal{H}_1$, we have

$$\Pr[\mathcal{B}\text{ wins}] = \Pr[\neg\mathcal{H}_3 \wedge \neg\mathcal{H}_2 \wedge \mathcal{A}\text{ wins}] \ge n(k)\,\lambda^{q_e}.$$

5 A Signature Scheme Based on Our Variant

We describe a public key signature (PKS) scheme based on a provably secure signature scheme in [14] and our variant. The PKS scheme is specified by the algorithms Setup, Extract, Publish, Sign and Verify.

Setup: Given a security parameter $k$, the parameter generator follows these steps.
1. Generate two cyclic groups $G_1$ and $G_2$ of prime order $q$ and a bilinear pairing map $\hat{e}: G_1 \times G_1 \to G_2$. Pick a random generator $P \in G_1$.
2. Pick a random $s \in \mathbb{Z}_q$ and compute $P_{pub} = sP$.
3. Pick two cryptographic hash functions $H_1: \{0,1\}^* \to G_1$ and $H_2: \{0,1\}^* \times G_2 \to \mathbb{Z}_q$.
The system parameters are params $= \langle q, G_1, G_2, \hat{e}, n, P, P_{pub}, H_1, H_2 \rangle$; $s$ is the master-key of the system.

Extract: Given a string $ID \in \{0,1\}^*$, the params and the master-key, the algorithm computes $Q_{ID} = H_1(ID) \in G_1$ and $d_{ID} = sQ_{ID}$, and returns $d_{ID}$.

Publish: Given the system parameters params and an entity $ID$, select a random $t \in \mathbb{Z}_q$ and compute $N_{ID} = \langle N_1, N_2 \rangle = \langle tP, tP_{pub} \rangle$.

Sign: To sign a message $m \in \mathcal{M}$ using the private key $\langle d_{ID}, t \rangle$ of entity $ID$, perform the following steps.
1. Choose an arbitrary point $P_1 \in G_1$ and pick a random integer $k \in \mathbb{Z}_q$.
2. Compute $r = \hat{e}(kP_1, P)$ and $v = H(m, r)$.
3. Compute $Q_{ID} = H_1(ID)$ and $U = v(d_{ID} + tQ_{ID}) + kP_1$.
4. Output $\langle U, v \rangle$ as the signature.

Verify: To verify a signature $\langle U, v \rangle$ of entity $ID$ with nickname $N_{ID} = \langle N_1, N_2 \rangle$ on a message $m \in \mathcal{M}$, follow these steps:
1. Check that $N_1, N_2 \in G_1$ and that the equation $\hat{e}(N_1, P_{pub}) = \hat{e}(N_2, P)$ holds. If not, output and terminate verification.
2. Compute $Q_{ID} = H_1(ID)$.
3. Compute $r' = \hat{e}(U, P) \cdot \hat{e}(Q_{ID}, P_{pub} + N_1)^{-v}$.
4. Accept the signature if and only if $v = H(m, r')$.

The consistency of the scheme easily follows from

$$r' = \hat{e}(U, P)\,\hat{e}(Q_{ID}, P_{pub} + N_1)^{-v} = \frac{\hat{e}(vd_{ID} + vtQ_{ID} + kP_1, P)}{\hat{e}(vQ_{ID}, sP)\,\hat{e}(vQ_{ID}, N_1)} = \frac{\hat{e}(vsQ_{ID}, P)\,\hat{e}(vtQ_{ID}, P)\,\hat{e}(kP_1, P)}{\hat{e}(vsQ_{ID}, P)\,\hat{e}(vtQ_{ID}, P)} = \hat{e}(kP_1, P) = r.$$
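To check the algebra of the Sign/Verify steps above, and of the two-party key agreement in Section 6 which reuses the same nickname $\langle tP, tP_{pub}\rangle$ construction, here is an added example that is not the paper's code: it models $G_1$ as $\mathbb{Z}_q$ and the pairing as $\hat{e}(aP, bP) = g^{ab}$ with $G_2$ elements kept as discrete logs. The SHA-256-based $H_1$, $H_2$, the identities, the messages and the group order are assumptions, and the model has no security (discrete logs are trivial in it), so it only confirms that the scheme's equations hold and that a tampered nickname is rejected.

```python
"""Toy model of the nickname-based signature (Section 5) and key agreement
(Section 6); an added example, not the paper's code. G1 is modelled as Z_q: the
integer a stands for the point aP (so P is 1, point addition is addition mod q).
G2 elements are stored as discrete logs to a fixed generator g, so multiplying
in G2 is adding mod q and powering is multiplying mod q; e(aP, bP) = g^(ab) is
then bilinear. Discrete logs are trivial here: this checks algebra, not security."""
import hashlib
import secrets

Q = 2**61 - 1   # constructed toy group order (the Mersenne prime M61)

def pairing(a, b):
    """e(aP, bP) = g^(ab), returned as its discrete log ab mod q."""
    return (a * b) % Q

def g2_mul(x, y):
    """Product of two G2 elements (their logs add)."""
    return (x + y) % Q

def g2_pow(x, e):
    """x^e in G2 (the log scales); e may be negative."""
    return (x * e) % Q

def h1(identity):
    """H1: {0,1}* -> G1, a non-zero element of Z_q here (SHA-256 is assumed)."""
    return 1 + int.from_bytes(hashlib.sha256(identity.encode()).digest(), "big") % (Q - 1)

def h2(message, r):
    """H2: {0,1}* x G2 -> Z_q, the H(m, r) of Sign and Verify (SHA-256 assumed)."""
    return int.from_bytes(hashlib.sha256(message + r.to_bytes(8, "big")).digest(), "big") % Q

def setup():
    """Returns (master key s, P_pub = sP); with P = 1 the point sP is just s."""
    s = 1 + secrets.randbelow(Q - 1)
    return s, s

def extract(s, identity):
    """PKC half of the private key: d_ID = s * Q_ID with Q_ID = H1(ID)."""
    return (s * h1(identity)) % Q

def publish(p_pub):
    """User half: random t (never given to the PKC) and N_ID = (tP, tP_pub)."""
    t = 1 + secrets.randbelow(Q - 1)
    return t, (t, (t * p_pub) % Q)

def nickname_ok(nickname, p_pub):
    """The check e(N1, P_pub) == e(N2, P) that every verifier or peer runs first."""
    n1, n2 = nickname
    return pairing(n1, p_pub) == pairing(n2, 1)

def sign(message, identity, d_id, t):
    """U = v(d_ID + t Q_ID) + kP1 with v = H(m, e(kP1, P)); P1 = P is taken here."""
    q_id = h1(identity)
    k = 1 + secrets.randbelow(Q - 1)
    r = pairing(k, 1)                       # e(kP1, P)
    v = h2(message, r)
    u = (v * (d_id + t * q_id) + k) % Q
    return u, v

def verify(message, identity, nickname, p_pub, signature):
    """Verify of Section 5: nickname check, then v == H(m, r')."""
    if not nickname_ok(nickname, p_pub):
        return False
    u, v = signature
    q_id = h1(identity)
    # r' = e(U, P) * e(Q_ID, P_pub + N1)^(-v), which cancels down to e(kP1, P)
    r_prime = g2_mul(pairing(u, 1), g2_pow(pairing(q_id, (p_pub + nickname[0]) % Q), -v))
    return v == h2(message, r_prime)

def agree(s, p_pub, id_a, id_b):
    """Section 6: A sends (xP, N_A), B sends (yP, N_B); returns (K_A, K_B)."""
    d_a, d_b = extract(s, id_a), extract(s, id_b)
    q_a, q_b = h1(id_a), h1(id_b)
    a, nick_a = publish(p_pub)              # N_A = (aP, aP_pub); a is known only to A
    b, nick_b = publish(p_pub)              # N_B = (bP, bP_pub); b is known only to B
    x, y = 1 + secrets.randbelow(Q - 1), 1 + secrets.randbelow(Q - 1)  # sent as xP, yP
    if not (nickname_ok(nick_b, p_pub) and nickname_ok(nick_a, p_pub)):
        raise ValueError("received nickname fails the pairing check")
    # K_A = e(Q_B, P_pub + N1_B)^x * e(d_A + a Q_A, yP)
    k_a = g2_mul(g2_pow(pairing(q_b, (p_pub + nick_b[0]) % Q), x),
                 pairing((d_a + a * q_a) % Q, y))
    # K_B = e(Q_A, P_pub + N1_A)^y * e(d_B + b Q_B, xP)
    k_b = g2_mul(g2_pow(pairing(q_a, (p_pub + nick_a[0]) % Q), y),
                 pairing((d_b + b * q_b) % Q, x))
    return k_a, k_b

def demo():
    """Constructed run; returns (honest ok, wrong message ok, forged nickname ok, K_A == K_B)."""
    s, p_pub = setup()
    alice = "alice@example.org"             # constructed identity
    t, nick = publish(p_pub)
    sig = sign(b"pay 10", alice, extract(s, alice), t)
    ok = verify(b"pay 10", alice, nick, p_pub, sig)
    wrong_msg = verify(b"pay 99", alice, nick, p_pub, sig)
    bad_nick = (nick[0], (nick[1] + 1) % Q)  # N2 no longer equals t * P_pub
    forged = verify(b"pay 10", alice, bad_nick, p_pub, sig)
    k_a, k_b = agree(s, p_pub, alice, "bob@example.org")
    return ok, wrong_msg, forged, k_a == k_b
```

Note that the PKC, holding only $s$, cannot produce $U$ for a published nickname without $t$, which is the point of the nickname half of the key; the model makes that visible but, because discrete logs are trivial in it, proves nothing about security.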

6 An Authenticated Key Agreement Protocol

The following is a two-party key agreement protocol which extends Smart's protocol [19].

$A \to B$: $\langle xP,\ N^A_{ID} = (N^A_1, N^A_2) = (aP, aP_{pub}) \rangle$ (1)
$B \to A$: $\langle yP,\ N^B_{ID} = (N^B_1, N^B_2) = (bP, bP_{pub}) \rangle$ (2)

Upon completion of the message exchange, $A$ and $B$ first check the exchanged nicknames ($N^B_{ID}$ and $N^A_{ID}$ respectively). After that $A$ computes $K_A = \hat{e}(Q^B_{ID}, P_{pub} + N^B_1)^x \cdot \hat{e}(d^A_{ID} + aQ^A_{ID}, yP)$, and $B$ computes $K_B = \hat{e}(Q^A_{ID}, P_{pub} + N^A_1)^y \cdot \hat{e}(d^B_{ID} + bQ^B_{ID}, xP)$. It is easy to see that the secret key $K = K_A = K_B$ is shared between $A$ and $B$:

$$K_A = \hat{e}(Q^B_{ID}, sP + bP)^x\,\hat{e}(sQ^A_{ID} + aQ^A_{ID}, yP) = \hat{e}(sQ^B_{ID} + bQ^B_{ID}, xP)\,\hat{e}(Q^A_{ID}, sP + aP)^y = K_B.$$

Although $A$ and $B$ can use $H(K \| xyP)$ as the shared key, where $H$ is a proper hash function, to achieve forward security, Shim's protocol and its descendant [8] are vulnerable to the man-in-the-middle attack launched by the PKC. The new variant still suffers from such an attack if the PKC replaces the nicknames in the two messages with its own selections. However, we can use the same method mentioned in Section 3 to thwart such attacks.

7 Hierarchical PKE

In [13] Gentry and Silverberg introduced a totally collusion-resistant hierarchical ID-based infrastructure for encryption and signature. We integrate our scheme into this hierarchical system to eliminate all kinds of key escrow to any ancestor of an entity. In the system, every entity is located at one level of a hierarchy. Except for the root entity, every entity is identified by an ID-tuple which identifies every ancestor along the path to the root. The major steps of our scheme are identical to the ones in [13].

Root Setup: Given a security parameter $k$, the parameter generator follows these steps.
1. Generate two cyclic groups $G_1$ and $G_2$ of prime order $q$ and a bilinear pairing map $\hat{e}: G_1 \times G_1 \to G_2$. Pick a random generator $P_0 \in G_1$.
2. Pick a random integer $s_0 \in \mathbb{Z}_q$ and compute $Q_0 = s_0 P_0$.
3. Pick two cryptographic hash functions $H_1: \{0,1\}^* \to G_1$ and $H_2: G_2 \to \{0,1\}^n$ for some integer $n > 0$.

Lower-level Setup: Entity $E_t \in \text{Level}_t$ picks a random $s_t \in \mathbb{Z}_q$, which it keeps secret.

Extract: Let $E_t$ be an entity in $\text{Level}_t$ with ID-tuple $\langle ID_1, \ldots, ID_t \rangle$, where $\langle ID_1, \ldots, ID_i \rangle$ for $1 \le i < t$ is the ID-tuple of $E_t$'s ancestor at $\text{Level}_i$. Follow these steps:
1. Compute $P_t = H_1(ID_1 \| ID_2 \| \cdots \| ID_t) \in G_1$.
2. Set $E_t$'s secret point $S_t = S_{t-1} + s_{t-1}P_t = \sum_{i=1}^{t} s_{i-1}P_i$.
3. Set $Q_i = s_i P_0$ for $1 \le i \le t-1$.

Publish: For $ID_t$, select a random $b_t \in \mathbb{Z}_q$ and compute the nickname $N_t = \langle N_{t1}, N_{t2} \rangle = \langle b_t P_0, b_t Q_0 \rangle$.

Encrypt: To encrypt $m \in \mathcal{M}$ with the ID-tuple $\langle ID_1, \ldots, ID_t \rangle$ and the corresponding nicknames $N_i = \langle N_{i1}, N_{i2} \rangle$ for $1 \le i \le t$, take the following steps:
1. For each $1 \le i \le t$, check that $N_{i1}, N_{i2} \in G_1$ and that the equation $\hat{e}(N_{i1}, Q_0) = \hat{e}(N_{i2}, P_0)$ holds. If not, output and terminate encryption.
2. Compute $P_i = H_1(ID_1 \| ID_2 \| \cdots \| ID_i) \in G_1$ for $1 \le i \le t$.
3. Choose a random $r \in \mathbb{Z}_q$ and compute the ciphertext $C = \langle U_0, U_2, \ldots, U_t, V \rangle = \langle rP_0, rP_2, \ldots, rP_t, m \oplus H_2(g^r) \rangle$, where $g = \hat{e}(Q_0 + N_{t1}, P_1) = \hat{e}(s_0P_0, P_1)\,\hat{e}(b_tP_0, P_1)$.

Decrypt: To decrypt the ciphertext $C = \langle U_0, U_2, \ldots, U_t, V \rangle \in \mathcal{C}_t$ for an entity in $\text{Level}_t$ with the ID-tuple $\langle ID_1, ID_2, \ldots, ID_t \rangle$, follow these steps:
1. Compute $g' = \dfrac{\hat{e}(U_0, S_t + b_tP_1)}{\prod_{i=2}^{t}\hat{e}(Q_{i-1}, U_i)} = \hat{e}(rP_0, s_0P_1 + b_tP_1) = \hat{e}(s_0P_0, P_1)^r\,\hat{e}(b_tP_0, P_1)^r$.
2. Compute $m = V \oplus H_2(g')$ as the plaintext.

8 Application in Key-Insulated System

Dodis et al. proposed a key-insulated framework to reduce the threat of key-compromise attacks [10]. The basic idea of the framework is to make use of both the key splitting and the key evolution methods at the same time. In a system implementing the framework, there is an auxiliary helper, which can be a smartcard or a remote device, equipped with a master helper key $hsk$ for each user. The life cycle of a user is separated into $N$ stages. In each stage, a user has a different (stage) private key used for decrypting ciphertexts intended for that stage. In stage 0, an initial secret key $usk_0$ is pre-installed. At the beginning of stage $i$ ($i > 0$), the user adopts a key evolution method to generate his private key $usk_i$ with help from his helper. Specifically, first, the helper securely sends to the user the helper key $hsk_i$ of the stage, computed by a helper key-update algorithm HKU on $hsk$ and $i$; second, the user computes $usk_i$ by applying a user key-update algorithm UKU on $usk_{i-1}$ and $hsk_i$; and third, the user erases the previous stage's private key $usk_{i-1}$. The user's public encryption key $pk$ is still similar to that of an ordinary public key scheme. However, the encryption operation takes the stage information $i$ as an argument. Note that in some key splitting settings there exists an extra party to help users decrypt ciphertexts, while the key-insulated system allows each user to complete this operation himself. A strongly key-insulated system with threshold $t$ requires that: (1) the exposure of any $t$ (stage) private keys leaves the ciphertexts in the non-exposed stages


More information

Provable security. Michel Abdalla

Provable security. Michel Abdalla Lecture 1: Provable security Michel Abdalla École normale supérieure & CNRS Cryptography Main goal: Enable secure communication in the presence of adversaries Adversary Sender 10110 10110 Receiver Only

More information

Public Key Cryptography

Public Key Cryptography Public Key Cryptography Introduction Public Key Cryptography Unlike symmetric key, there is no need for Alice and Bob to share a common secret Alice can convey her public key to Bob in a public communication:

More information

On (Hierarchical) Identity Based Encryption Protocols with Short Public Parameters (With an Exposition of Waters Artificial Abort Technique)

On (Hierarchical) Identity Based Encryption Protocols with Short Public Parameters (With an Exposition of Waters Artificial Abort Technique) On (Hierarchical) Identity Based Encryption Protocols with Short Public Parameters (With an Exposition of Waters Artificial Abort Technique) Sanjit Chatterjee and Palash Sarkar Applied Statistics Unit

More information

Lecture 18 - Secret Sharing, Visual Cryptography, Distributed Signatures

Lecture 18 - Secret Sharing, Visual Cryptography, Distributed Signatures Lecture 18 - Secret Sharing, Visual Cryptography, Distributed Signatures Boaz Barak November 27, 2007 Quick review of homework 7 Existence of a CPA-secure public key encryption scheme such that oracle

More information

On the relations between non-interactive key distribution, identity-based encryption and trapdoor discrete log groups

On the relations between non-interactive key distribution, identity-based encryption and trapdoor discrete log groups Des. Codes Cryptogr. (2009) 52:219 241 DOI 10.1007/s10623-009-9278-y On the relations between non-interactive key distribution, identity-based encryption and trapdoor discrete log groups Kenneth G. Paterson

More information

Introduction to Modern Cryptography. Benny Chor

Introduction to Modern Cryptography. Benny Chor Introduction to Modern Cryptography Benny Chor RSA: Review and Properties Factoring Algorithms Trapdoor One Way Functions PKC Based on Discrete Logs (Elgamal) Signature Schemes Lecture 8 Tel-Aviv University

More information

On Security Proof of McCullagh-Barreto s Key Agreement Protocol and its Variants

On Security Proof of McCullagh-Barreto s Key Agreement Protocol and its Variants On Security Proof of McCullagh-Barreto s Key Agreement Protocol and its Variants Zhaohui Cheng School of Computing Science, Middlesex University The Burroughs, Hendon, London, UK E-mail: m.z.cheng@mdx.ac.uk

More information

Notes for Lecture 17

Notes for Lecture 17 U.C. Berkeley CS276: Cryptography Handout N17 Luca Trevisan March 17, 2009 Notes for Lecture 17 Scribed by Matt Finifter, posted April 8, 2009 Summary Today we begin to talk about public-key cryptography,

More information

Searchable encryption & Anonymous encryption

Searchable encryption & Anonymous encryption Searchable encryption & Anonymous encryption Michel Abdalla ENS & CNS February 17, 2014 MPI - Course 2-12-1 Michel Abdalla (ENS & CNS) Searchable encryption & Anonymous encryption February 17, 2014 1 /

More information

Advanced Topics in Cryptography

Advanced Topics in Cryptography Advanced Topics in Cryptography Lecture 6: El Gamal. Chosen-ciphertext security, the Cramer-Shoup cryptosystem. Benny Pinkas based on slides of Moni Naor page 1 1 Related papers Lecture notes of Moni Naor,

More information

Intro to Public Key Cryptography Diffie & Hellman Key Exchange

Intro to Public Key Cryptography Diffie & Hellman Key Exchange Introduction to Modern Cryptography Lecture 5 Number Theory: 1. Quadratic residues. 2. The discrete log problem. Intro to Public Key Cryptography Diffie & Hellman Key Exchange Course Summary - Math Part

More information

ASYMMETRIC ENCRYPTION

ASYMMETRIC ENCRYPTION ASYMMETRIC ENCRYPTION 1 / 1 Recommended Book Steven Levy. Crypto. Penguin books. 2001. A non-technical account of the history of public-key cryptography and the colorful characters involved. 2 / 1 Recall

More information

Asymmetric Pairings. Alfred Menezes (joint work with S. Chatterjee, D. Hankerson & E. Knapp)

Asymmetric Pairings. Alfred Menezes (joint work with S. Chatterjee, D. Hankerson & E. Knapp) Asymmetric Pairings Alfred Menezes (joint work with S. Chatterjee, D. Hankerson & E. Knapp) 1 Overview In their 2006 paper "Pairings for cryptographers", Galbraith, Paterson and Smart identified three

More information

Katz, Lindell Introduction to Modern Cryptrography

Katz, Lindell Introduction to Modern Cryptrography Katz, Lindell Introduction to Modern Cryptrography Slides Chapter 12 Markus Bläser, Saarland University Digital signature schemes Goal: integrity of messages Signer signs a message using a private key

More information

Lecture Notes, Week 6

Lecture Notes, Week 6 YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467b: Cryptography and Computer Security Week 6 (rev. 3) Professor M. J. Fischer February 15 & 17, 2005 1 RSA Security Lecture Notes, Week 6 Several

More information

CHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 11 April 2017, 8:30-12:30

CHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 11 April 2017, 8:30-12:30 CHALMERS GÖTEBORGS UNIVERSITET CRYPTOGRAPHY TDA35 (Chalmers) - DIT50 (GU) 11 April 017, 8:30-1:30 No extra material is allowed during the exam except for pens and a simple calculator (not smartphones).

More information

An efficient variant of Boneh-Gentry-Hamburg's identity-based encryption without pairing

An efficient variant of Boneh-Gentry-Hamburg's identity-based encryption without pairing University of Wollongong Research Online Faculty of Engineering and Information Sciences - Papers: Part A Faculty of Engineering and Information Sciences 2015 An efficient variant of Boneh-Gentry-Hamburg's

More information

Network Security Technology Spring, 2018 Tutorial 3, Week 4 (March 23) Due Date: March 30

Network Security Technology Spring, 2018 Tutorial 3, Week 4 (March 23) Due Date: March 30 Network Security Technology Spring, 2018 Tutorial 3, Week 4 (March 23) LIU Zhen Due Date: March 30 Questions: 1. RSA (20 Points) Assume that we use RSA with the prime numbers p = 17 and q = 23. (a) Calculate

More information

CPSC 467b: Cryptography and Computer Security

CPSC 467b: Cryptography and Computer Security CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 11 February 21, 2013 CPSC 467b, Lecture 11 1/27 Discrete Logarithm Diffie-Hellman Key Exchange ElGamal Key Agreement Primitive Roots

More information

Short Signature Scheme From Bilinear Pairings

Short Signature Scheme From Bilinear Pairings Sedat Akleylek, Barış Bülent Kırlar, Ömer Sever, and Zaliha Yüce Institute of Applied Mathematics, Middle East Technical University, Ankara, Turkey {akleylek,kirlar}@metu.edu.tr,severomer@yahoo.com,zyuce@stm.com.tr

More information

An ID-based Server-aided Verification Short Signature Scheme Avoid Key Escrow

An ID-based Server-aided Verification Short Signature Scheme Avoid Key Escrow An ID-based Server-aided Verification Short Signature Scheme Avoid Key Escrow Jianhong Zhang 1,2 and Zhibin Sun 1 1 College of Science, North China University of Technology,, Beijing 100144, P.R.China,

More information

Efficient chosen ciphertext secure identity-based encryption against key leakage attacks

Efficient chosen ciphertext secure identity-based encryption against key leakage attacks SECURITY AND COMMUNICATION NETWORKS Security Comm Networks 26; 9:47 434 Published online 2 February 26 in Wiley Online Library (wileyonlinelibrarycom) DOI: 2/sec429 RESEARCH ARTICLE Efficient chosen ciphertext

More information

Lecture 9 - Symmetric Encryption

Lecture 9 - Symmetric Encryption 0368.4162: Introduction to Cryptography Ran Canetti Lecture 9 - Symmetric Encryption 29 December 2008 Fall 2008 Scribes: R. Levi, M. Rosen 1 Introduction Encryption, or guaranteeing secrecy of information,

More information

One-Round ID-Based Blind Signature Scheme without ROS Assumption

One-Round ID-Based Blind Signature Scheme without ROS Assumption One-Round ID-Based Blind Signature Scheme without ROS Assumption Wei Gao 1, Xueli Wang 2, Guilin Wang 3, and Fei Li 4 1 College of Mathematics and Econometrics, Hunan University, Changsha 410082, China

More information

L7. Diffie-Hellman (Key Exchange) Protocol. Rocky K. C. Chang, 5 March 2015

L7. Diffie-Hellman (Key Exchange) Protocol. Rocky K. C. Chang, 5 March 2015 L7. Diffie-Hellman (Key Exchange) Protocol Rocky K. C. Chang, 5 March 2015 1 Outline The basic foundation: multiplicative group modulo prime The basic Diffie-Hellman (DH) protocol The discrete logarithm

More information

Lecture Summary. 2 Simplified Cramer-Shoup. CMSC 858K Advanced Topics in Cryptography February 26, Chiu Yuen Koo Nikolai Yakovenko

Lecture Summary. 2 Simplified Cramer-Shoup. CMSC 858K Advanced Topics in Cryptography February 26, Chiu Yuen Koo Nikolai Yakovenko CMSC 858K Advanced Topics in Cryptography February 26, 2004 Lecturer: Jonathan Katz Lecture 10 Scribe(s): Jeffrey Blank Chiu Yuen Koo Nikolai Yakovenko 1 Summary We had previously begun to analyze the

More information

CPSC 467: Cryptography and Computer Security

CPSC 467: Cryptography and Computer Security CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 18 November 3, 2014 CPSC 467, Lecture 18 1/43 Zero Knowledge Interactive Proofs (ZKIP) Secret cave protocol ZKIP for graph isomorphism

More information

Introduction to Cryptography. Lecture 8

Introduction to Cryptography. Lecture 8 Introduction to Cryptography Lecture 8 Benny Pinkas page 1 1 Groups we will use Multiplication modulo a prime number p (G, ) = ({1,2,,p-1}, ) E.g., Z 7* = ( {1,2,3,4,5,6}, ) Z p * Z N * Multiplication

More information

Optimal Security Reductions for Unique Signatures: Bypassing Impossibilities with A Counterexample

Optimal Security Reductions for Unique Signatures: Bypassing Impossibilities with A Counterexample Optimal Security Reductions for Unique Signatures: Bypassing Impossibilities with A Counterexample Fuchun Guo 1, Rongmao Chen 2, Willy Susilo 1, Jianchang Lai 1, Guomin Yang 1, and Yi Mu 1 1 Institute

More information

ID-based tripartite key agreement with signatures

ID-based tripartite key agreement with signatures -based tripartite key agreement with signatures 1 Divya Nalla ILab, Dept of omputer/info Sciences, University of Hyderabad, Gachibowli, Hyderabad, 500046, India divyanalla@yahoocom bstract : This paper

More information

Practical Hierarchical Identity Based Encryption and Signature schemes Without Random Oracles

Practical Hierarchical Identity Based Encryption and Signature schemes Without Random Oracles Practical Hierarchical Identity Based Encryption and Signature schemes Without Random Oracles Man Ho Au 1, Joseph K. Liu 2, Tsz Hon Yuen 3, and Duncan S. Wong 4 1 Centre for Information Security Research

More information

CIS 6930/4930 Computer and Network Security. Topic 5.2 Public Key Cryptography

CIS 6930/4930 Computer and Network Security. Topic 5.2 Public Key Cryptography CIS 6930/4930 Computer and Network Security Topic 5.2 Public Key Cryptography 1 Diffie-Hellman Key Exchange 2 Diffie-Hellman Protocol For negotiating a shared secret key using only public communication

More information

CPSC 467: Cryptography and Computer Security

CPSC 467: Cryptography and Computer Security CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 19 November 8, 2017 CPSC 467, Lecture 19 1/37 Zero Knowledge Interactive Proofs (ZKIP) ZKIP for graph isomorphism Feige-Fiat-Shamir

More information

Public-Key Encryption: ElGamal, RSA, Rabin

Public-Key Encryption: ElGamal, RSA, Rabin Public-Key Encryption: ElGamal, RSA, Rabin Introduction to Modern Cryptography Benny Applebaum Tel-Aviv University Fall Semester, 2011 12 Public-Key Encryption Syntax Encryption algorithm: E. Decryption

More information

Available online at J. Math. Comput. Sci. 6 (2016), No. 3, ISSN:

Available online at  J. Math. Comput. Sci. 6 (2016), No. 3, ISSN: Available online at http://scik.org J. Math. Comput. Sci. 6 (2016), No. 3, 281-289 ISSN: 1927-5307 AN ID-BASED KEY-EXPOSURE FREE CHAMELEON HASHING UNDER SCHNORR SIGNATURE TEJESHWARI THAKUR, BIRENDRA KUMAR

More information

Escrow-Free Encryption Supporting Cryptographic Workflow

Escrow-Free Encryption Supporting Cryptographic Workflow Escrow-Free Encryption Supporting Cryptographic Workflow S.S. Al-Riyami 1, J. Malone-Lee 2 and N.P. Smart 2 1 Information Security Group, Royal Holloway, University of London, Egham, Surrey, TW20 0EX,

More information

Outline Proxy Re-Encryption NTRU NTRUReEncrypt PS-NTRUReEncrypt Experimental results Conclusions. NTRUReEncrypt

Outline Proxy Re-Encryption NTRU NTRUReEncrypt PS-NTRUReEncrypt Experimental results Conclusions. NTRUReEncrypt NTRUReEncrypt An Efficient Proxy Re-Encryption Scheme based on NTRU David Nuñez, Isaac Agudo, and Javier Lopez Network, Information and Computer Security Laboratory (NICS Lab) Universidad de Málaga, Spain

More information

ENEE 457: Computer Systems Security 10/3/16. Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange

ENEE 457: Computer Systems Security 10/3/16. Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange ENEE 457: Computer Systems Security 10/3/16 Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange Charalampos (Babis) Papamanthou Department of Electrical and Computer Engineering University of Maryland,

More information

Identity Based Undeniable Signatures

Identity Based Undeniable Signatures Identity Based Undeniable Signatures Benoît Libert Jean-Jacques Quisquater UCL Crypto Group Place du Levant, 3. B-1348 Louvain-La-Neuve. Belgium {libert,jjq}@dice.ucl.ac.be http://www.uclcrypto.org/ Abstract.

More information

Question: Total Points: Score:

Question: Total Points: Score: University of California, Irvine COMPSCI 134: Elements of Cryptography and Computer and Network Security Midterm Exam (Fall 2016) Duration: 90 minutes November 2, 2016, 7pm-8:30pm Name (First, Last): Please

More information

Instructor: Daniele Venturi. Master Degree in Data Science Sapienza University of Rome Academic Year

Instructor: Daniele Venturi. Master Degree in Data Science Sapienza University of Rome Academic Year Data Privacy and Security Instructor: Daniele Venturi Master Degree in Data Science Sapienza University of Rome Academic Year 2017-2018 Interlude: Number Theory Cubum autem in duos cubos, aut quadratoquadratum

More information

Lecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004

Lecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004 CMSC 858K Advanced Topics in Cryptography February 5, 2004 Lecturer: Jonathan Katz Lecture 4 Scribe(s): Chiu Yuen Koo Nikolai Yakovenko Jeffrey Blank 1 Summary The focus of this lecture is efficient public-key

More information

Public Key Encryption with Conjunctive Field Keyword Search

Public Key Encryption with Conjunctive Field Keyword Search Public Key Encryption with Conjunctive Field Keyword Search Dong Jin PARK Kihyun KIM Pil Joong LEE IS Lab, POSTECH, Korea August 23, 2004 Contents 1 Preliminary 2 Security Model 3 Proposed Scheme 1 4 Proposed

More information

Cryptanalysis of a Group Key Transfer Protocol Based on Secret Sharing: Generalization and Countermeasures

Cryptanalysis of a Group Key Transfer Protocol Based on Secret Sharing: Generalization and Countermeasures Cryptanalysis of a Group Key Transfer Protocol Based on Secret Sharing: Generalization and Countermeasures Kallepu Raju, Appala Naidu Tentu, V. Ch. Venkaiah Abstract: Group key distribution protocol is

More information

Cryptography CS 555. Topic 23: Zero-Knowledge Proof and Cryptographic Commitment. CS555 Topic 23 1

Cryptography CS 555. Topic 23: Zero-Knowledge Proof and Cryptographic Commitment. CS555 Topic 23 1 Cryptography CS 555 Topic 23: Zero-Knowledge Proof and Cryptographic Commitment CS555 Topic 23 1 Outline and Readings Outline Zero-knowledge proof Fiat-Shamir protocol Schnorr protocol Commitment schemes

More information

Provable Security for Public-Key Schemes. Outline. I Basics. Secrecy of Communications. Outline. David Pointcheval

Provable Security for Public-Key Schemes. Outline. I Basics. Secrecy of Communications. Outline. David Pointcheval Provable Security for Public-Key Schemes I Basics David Pointcheval Ecole normale supérieure, CNRS & INRIA IACR-SEAMS School Cryptographie: Foundations and New Directions November 2016 Hanoi Vietnam Introduction

More information

Authentication. Chapter Message Authentication

Authentication. Chapter Message Authentication Chapter 5 Authentication 5.1 Message Authentication Suppose Bob receives a message addressed from Alice. How does Bob ensure that the message received is the same as the message sent by Alice? For example,

More information

Lemma 1.2. (1) If p is prime, then ϕ(p) = p 1. (2) If p q are two primes, then ϕ(pq) = (p 1)(q 1).

Lemma 1.2. (1) If p is prime, then ϕ(p) = p 1. (2) If p q are two primes, then ϕ(pq) = (p 1)(q 1). 1 Background 1.1 The group of units MAT 3343, APPLIED ALGEBRA, FALL 2003 Handout 3: The RSA Cryptosystem Peter Selinger Let (R, +, ) be a ring. Then R forms an abelian group under addition. R does not

More information

The Twin Diffie-Hellman Problem and Applications

The Twin Diffie-Hellman Problem and Applications The Twin Diffie-Hellman Problem and Applications David Cash 1 Eike Kiltz 2 Victor Shoup 3 February 10, 2009 Abstract We propose a new computational problem called the twin Diffie-Hellman problem. This

More information