Simple SK-ID-KEM 1. 1 Introduction

Size: px

Start display at page:

Download "Simple SK-ID-KEM 1. 1 Introduction"

Nicholas Terry
5 years ago
Views:

1 1 Simple SK-ID-KEM 1 Zhaohui Cheng School of Computing Science, Middlesex University The Burroughs, Hendon, London, NW4 4BT, United Kingdom. m.z.cheng@mdx.ac.uk Abstract. In 2001, Boneh and Franklin presented the first efficient and security-proved identity-based encryption scheme using pairing on elliptic curve. In 2003 Sakai and Kasahara proposed another IBE scheme with pairing, which has the potential to improve performance. Later, Chen and Cheng proved the security of a variant of Sakai and Kasahara s scheme. While, both the security-provable schemes employ the Fujisaki- Okamoto transformation which restrict the size of messages. To address this issue, Bentahar el al. extended the key encapsulation mechanism to IBE and presented a few constructions in line with Boneh and Franklin s scheme. In this paper we present another ID-KEM as the counterpart of the Sakai-Kasahara style scheme and prove its security. 1 Introduction To simplify the management of public keys in the public key based cryptosystems, Shamir proposed the identity-based cryptography in which the public key of each party is the party s identity that could be an arbitrary string [10]. In 2001, Boneh and Franklin presented a secure and efficient ID-based encryption [3] (BF-IBE for short), based on pairings on elliptic curves. Using the same tool, Sakai and Kasahara [14] proposed another IBE which has the potential to achieve better performance. After employing the Fujisaki-Okamoto transformation [8] as BF-IBE does, Chen and Cheng [5] proved that the security of the strengthened variant of Sakai-Kasahara scheme (SK-IBE for short) can be reduced to the well-exploited complexity assumption (k-bdhi). Because both BF-IBE and SK-IBE make use of the Fujisaki-Okamoto transformation, two schemes have restricted message spaces. A natural way to process arbitrarily long messages is to use hybrid encryption. A hybrid encryption scheme consists of two basic operations. One operation uses a public-key encryption technique (the so called key encapsulation mechanism: KEM) to derive a shared key; another operation uses the shared key in a standard symmetric-key technique (the so called data encapsulation mechanism: DEM) to encrypt the actual message. Cramer and Shoup [7] rigorously formalized the notion of hybrid encryption and presented the sufficient conditions for KEM and DEM to construct an IND-CCA2 secure public key encryption [2] (latest work [9] shows 1 This note was written in Jun Later another SK-ID-KEM was published as [6]. The title is changed to Simple SK-ID-KEM, because the scheme is simpler than SK-ID-KEM in [6] but bases its security on a stronger complexity assumption.

2 2 that the conditions in [7] may not be necessary). Recently, Bentahar el al. [4] extended the hybrid encryption to the identity-based schemes and presented a sufficient condition for ID-KEM to construct an IND-ID-CCA2 secure IBE (formalized by Boneh and Franklin [3]). And in the same work the authors also presented a few ID-KEMs in line with Boneh and Franklin s scheme. In this paper, based on Bentahar el al. s work, we present another ID-KEM as the counterpart of the Sakai-Kasahara style IBE and formally analyze the security of the mechanism. The paper proceeds as follows. In the following section, we review the used primitive and related assumptions and recall the security model of IBE and ID- KEM. In Section 3, we present an ID-KEM following the SK-IBE construction (SK-ID-KEM for short) and prove its security. 2 Preliminary 2.1 Bilinear Pairing and Related Assumptions In this section, we briefly review the necessary facts about bilinear maps. Definition 1 A pairing is a bilinear map ê : G 1 G 1 G 2 with two cyclic groups G 1 and G 2 of prime order q, which has the following properties [3]: 1. Bilinear: ê(sp, tr) = ê(p, R) st for all P, R G 1 and s, t Z q. 2. Non-degenerate: For a given point Q G 1, ê(q, R) = 1 G2 for all R G 1 if and only if Q = 1 G1. 3. Computable: There is an efficient algorithm to compute ê(p, Q) for any P, Q G 1. We recall some widely used assumptions related with pairing, including BDH and its variants, and then propose a new assumption which will be used to analyze the security of SK-ID-KEM. Assumption 1 (Bilinear Diffie-Hellman (BDH) [3]) For x, y, z R Z q, P G 1, ê : G 1 G 1 G 2, given P, xp, yp, zp, to compute ê(p, P ) xyz is hard. Assumption 2 (Decisional Bilinear Diffie-Hellman (DBDH)) For x, y, z, r R Z q, P G 1, ê : G 1 G 1 G 2, to distinguish between the distributions P, xp, yp, zp, ê(p, P ) xyz and P, xp, yp, zp, ê(p, P ) r is hard. Assumption 3 (Gap Bilinear Diffie-Hellman (GBDH) [13]) With the help of an oracle to solve the DBDH problem, solving the BDH problem is still hard. Assumption 4 (Bilinear Inverse Diffie-Hellman (BIDH) [15]) For x, y R Z q, P G 1, ê : G 1 G 1 G 2, given P, xp, yp, to compute ê(p, P ) x/y is hard.

3 3 Assumption 5 (Decisional Bilinear Inverse Diffie-Hellman (DBIDH)) For x, y, r R Z q, P G 1, ê : G 1 G 1 G 2, to distinguish between the distributions P, xp, yp, ê(p, P ) x/y and P, xp, yp, ê(p, P ) r is hard. Assumption 6 (Bilinear Square Diffie-Hellman (BSDH) [15]) For x, y R Z q, P G 1, ê : G 1 G 1 G 2, given P, xp, yp, to compute ê(p, P ) x2y is hard. Assumption 7 (Decisional Bilinear Square Diffie-Hellman (DBSDH)) For x, y, r R Z q, P G 1, ê : G 1 G 1 G 2, to distinguish between the distributions P, xp, yp, ê(p, P ) x2y and P, xp, yp, ê(p, P ) r is hard. Theorem 1 ([15]) BDH, BSDH, BIDH are polynomial time equivalent. Theorem 2 DBSDH and DBIDH are polynomial time equivalent. Proof: First, prove that DBSDH implies DBIDH. Given a DBIDH question (P, xp, yp, T ), set (Q = yp, Q 1 = P = y 1 Q, Q 2 = xp = x/yq, T ) as the input of DBSDH, and then return the result from the DBSDH oracle. Secondly, prove that DBIDH implies DBSDH. Given a DBSDH question (P, xp, yp, T ), set (Q = xp, Q 1 = yp = y/xq, Q 2 = P = x 1 Q, T ) as the input of DBIDH, and then return the result from the DBIDH oracle. Theorem 3 If DBDH is easy, so are DBSDH and DBIDH. Proof: First, let us prove that if DBDH is easy, so is DBSDH. This is straightforward. Given (P, xp, yp, T ), algorithm A for DBSDH invokes algorithm B for DBDH by asking (P, xp, xp, yp, T ) and returns the result from B. Combine Theorem 2, the theorem follows. Assumption 8 (q-bilinear Diffie-Hellman Inverse (q-bdhi) [1]) For an integer q, and x R Z q, P G 1, ê : G 1 G 1 G 2, given P, xp, x 2 P,..., x q P, to compute ê(p, P ) 1/x is hard. Theorem 4 1-BDHI, BDH, BSDH and BIDH are polynomial equivalent. Proof: First, prove that BIDH implies 1-BDHI. Given a 1-BDHI question (P, xp ), randomly choose y Z q and set the input to BIDH to be (P, xp, yp ). For the output T from BIDH, return T 1/y. Second, prove that 1-BDHI implies BDH. Given a BDH question (P, xp, yp, zp ), set the input to 1-BDHI to be (xp, P ) to get T 1 = ê(p, P ) x3. Similarly get T 2 = ê(p, P ) y3, T 3 = ê(p, P ) z3. Set the input to 1-BDHI to be (xp + yp, P ) to get T 4 = ê(p, P ) (x+y)3. Similarly get T 5 = ê(p, P ) (x+z)3, T 6 = ê(p, P ) (y+z)3. Set the input to 1-BDHI to be (xp + yp + zp, P ) to get T 7 = ê(p, P ) (x+y+z)3. Compute ê(p, P ) xyz = ( T7 T1 T2 T3 T 4 T 5 T 6 ) 1/6. Combine Theorem 1, the theorem follows.

4 4 From Theorem 3 and 4, we have GBDH implies that 1-BDHI is still hard even provided the existence of a DBIDH oracle. In this paper, we are going to use a (possibly) stronger assumption than GBDH as follow. Assumption 9 q-gap Bilinear Diffie-Hellman Inverse (q-gbdhi) With the help of an oracle to solve the DBIDH problem, solving the q-bdhi problem is still hard. 2.2 Security Model of IBE Following from Shamir s proposal, an identity-based encryption is specified by four algorithms: Setup G ID (1 k ): Given a security parameter k, the probabilistic polynomialtime algorithms (PPT) algorithm generates a public system parameter M pk and the master secret key M sk. Extract X ID (M pk, M sk, ID A ): Given the system parameter M pk, the master key M sk and an identity string ID A {0, 1} of party A, the PPT algorithm returns the corresponding private key d IDA for A. Encrypt E ID (M pk, ID A, m): Given the system parameter M pk, an identifier ID A and a message m from the message space M, the PPT algorithm outputs the ciphertext c in the cipherspace C. Decrypt D ID (M pk, d IDA, c): Given the system parameter M pk, the private key d IDA and a ciphertext c, the deterministic polynomial-time algorithm outputs the corresponding plaintext m. If the ciphertext is invalid, a reject symbol is returned instead. Boneh and Franklin [3] formalized a strong security notion of IBE: IND-ID- CCA2 security, by the following game between a challenger and an adversary A which consists of a pair of PPT algorithms (A 1, A 2 ). IND-ID-CCA2 IBE Game (M pk, M sk ) G ID (1 k ); (ID, (m 1, m 2 ), σ) A X ID(M pk,m sk, ),D ID (M pk,m sk,, ) 1 (M pk ); b {0, 1}; c E ID (M pk, ID, m b ); b A X ID(M pk,m sk, ),D ID (M pk,m sk,, ) 2 (σ, c ). where m 1, m 2 M (the message space) with same size; σ is some state information passed from A 1 to A 2 ; X ID (M pk, M sk, ) is the Extract oracle that the adversary can access by providing an identifier to get the corresponding private key; and D ID (M pk, M sk,, ) is the Decrypt oracle that the adversary can access by providing an identifier and a ciphertext to get the plaintext decrypted with the private key corresponding to the input identifier or a reject symbol. There are two constraints when A 2 accesses the oracles. (1) A 2 cannot access oracle X ID with input ID ; (2) A 2 cannot access oracle D ID with input (ID, c ).

5 5 We define adversary A s advantage in attacking an IBE scheme E as the following function of the security parameter k: Adv IND-ID-CCA2 A,E (k) = 2 Pr[b = b ] 1. A secure IBE requires that for any adversary A, Adv IND-ID-CCA2 A,E (k) is negligible. Recall that a function f(k) is negligible if for every polynomial p(k), there exists n 0 such that for every n > n 0, f(n) < p(n). 2.3 ID-KEM Following up Cramer and Shoup s formalization of hybrid encryption [7], Bentahar el al. [4] extended the hybrid encryption to identity-based schemes. Their main result is that an IND-ID-CCA2 secure IBE can be constructed from an IND-KEM-CCA2 secure ID-KEM and a secure DEM. Similar to IBE, an ID-KEM scheme is specified by four algorithms as well. Setup G ID KEM (1 k ): Given a security parameter k, the PPT algorithm generates a public system parameter M pk and the master secret key M sk. Extract X ID KEM (M pk, M sk, ID A ): Given the system parameter M pk, the master key M sk and an identity string ID A {0, 1} of party A, the PPT algorithm returns the corresponding private key d IDA for A. Encapsulate E ID KEM (M pk, ID A ): Given the system parameter M pk and an identifier ID A, the PPT algorithm outputs a pair (e, c) where e is a key in the key space K corresponding to the security parameter k and c is the key encapsulation of e. Decapsulate D ID KEM (M pk, d IDA, c): Given the system parameter M pk, the private key d IDA and an encapsulation c, the deterministic polynomialtime algorithm outputs the corresponding key e or a reject symbol. Again, ID-KEM-CCA2 security is formalized by a two stage game between a challenger and an adversary which consists of a pair of PPT algorithms (A 1, A 2 ). IND-ID-CCA2 KEM Game (M pk, M sk ) G ID KEM (1 k ); (ID, σ) A X ID KEM (M pk,m sk, ),D ID KEM (M pk,m sk,, ) 1 (M pk ); (e 0, c ) E ID KEM (M pk, ID ); e 1 K; b {0, 1}; b A X ID KEM (M pk,m sk, ),D ID KEM (M pk,m sk,, ) 2 (σ, c, e b ). where σ is some state information passed from A 1 to A 2 ; X ID KEM (M pk, M sk, ) is the Extract oracle that the adversary can access by providing an identifier to get the corresponding private key; and D ID KEM (M pk, M sk,, ) is the Decapsulate oracle that the adversary can access by providing an identifier and an encapsulation to get the key e decapsulated with the private key corresponding

6 6 to the input identifier or a reject symbol. There are two constraints when A 2 accesses the oracles. (1) A 2 cannot access oracle X ID KEM with input ID ; (2) A 2 cannot access oracle D ID KEM with input (ID, c ). We define adversary A s advantage in attacking an ID-KEM scheme E as the following function of the security parameter k: Adv ID-KEM-CCA2 A,E (k) = 2 Pr[b = b ] 1. A secure ID-KEM requires that for any adversary A, Adv ID-KEM-CCA2 A,E (k) is negligible. Apart from the security requirement, we also require in this paper that the ID-KEM has an extra property as follow. In an ID-KEM, for the pair (M pk, M sk ) generated by the Setup algorithm and every (ID A, d IDA ) where ID A {0, 1} and d IDA is generated by the Extract algorithm using (M pk, M sk, ID A ), all encapsulations created with (M pk, ID A ) decapsulate properly with (M pk, d IDA ) (in other words, BadKeyPairs (Section 7.1 [7]) are negligibly few). It is easy to see that SK-ID-KEM presented in this paper has this property. 2.4 DEM A DEM uses the key generated by a KEM to encrypt the actual messages. As the key will only be used for one messages, a DEM can be constructed from a one-time symmetric-key encryption which consists of two deterministic polynomial-time algorithms: Encrypt E SK (e, m): Given a secret key e K and a message m, the algorithm outputs the ciphertext c. Decrypt D SK (e, c): Given a secret key e K and a cipertext c, the algorithm outputs the plaintext m, or a reject symbol if the ciphertext c is invalid. Security of one-time symmetric-key encryption is defined by the following game (the called Find and Guess game or FG-CCA) between a challenger and an adversary which consists of a pair of PPT algorithms (A 1, A 2 ). FG-CCA One-time Symmetric-key Encryption Game ((m 1, m 2 ), σ) A 1 (1 k ); b {0, 1}; e K; c E SK (e, m b ); b A D SK(e, ) 2 (σ, c ). where m 1, m 2 are of equal length; σ is some state information passed from A 1 to A 2 ; and D SK (e, ) is the Decrypt oracle that the adversary can access by providing a ciphertext to get the plaintext decrypted with the secret key e or a reject symbol. In the game, A 2 cannot access oracle D SK with input c.

7 7 We define adversary A s advantage in attacking a one-time symmetric-key encryption E as the following function of the security parameter k: Adv FG-CCA A,E (k) = 2 Pr[b = b ] 1. A secure one-time symmetric-key encryption requires that for any adversary A, Adv FG-CCA A,E (k) is negligible. 2.5 Hybrid IBE A hybrid IBE construction consisting of the concatenation of an ID-KEM with a DEM proceeds as follows. Here, we assume that the key space output by the KEM is identical with the secret key space used by the DEM. Encryption Input: (M pk, ID A, m) (e, c 1 ) E ID KEM (M pk, ID A ); c 2 E SK (e, m); Output: c = (c 1, c 2 ). A Hybrid IBE Decryption Input: (M pk, d IDA, c) parse c as (c 1, c 2 ); e D ID KEM (M pk, d IDA, c 1 ); if e =, return ; m D SK (e, c 2 ); Output: m. Similar to the result of hybrid encryption in [7], Bentahar et al. obtained the following theorem of the security of a hybrid IBE. Theorem 5 ([4]) Let A be a PPT adversary against the hybrid ID-based encryption scheme E (with an ID-KEM-CCA2 secure KEM E 1 and an FG-CCA secure DEM E 2 ) in the sense of ID-IND-CCA2 adversaries, then there exists PPT adversaries B 1 and B 2, whose running time is essentially that of A, such that Adv IND-ID-CCA2 A,E (k) 2Adv ID-KEM-CCA2 (k) + Adv FG-CCA (k) B 1,E 1 B 2,E 2 Some FG-CCA secure DEMs are already on the shelf [12]. Bentahar et al. presented a few secure ID-KEMs in line with the Boneh-Franklin s IBE. In the following section, we introduce another ID-KEM based on Sakai and Kasahara s IBE proposal which has the potential to achieve even better performance. 3 SK-ID-KEM 3.1 Construction Setup G ID KEM (1 k ): Given the security parameter k, the algorithm proceeds as follow. Generate two cyclic groups G 1 and G 2 of prime order q and a bilinear pairing map ê : G 1 G 1 G 2. Pick a random generator P G 1.

8 8 Pick a random s Z q and compute P pub = sp. Pick two cryptographic hash functions H 1 : {0, 1} Z q and H 2 : G 2 {0, 1} n for some integer n > 0. Set M pk = q, G 1, G 2, ê, n, P, P pub, H 1, H 2 and M sk = s. Extract X ID KEM (M pk, M sk, ID A ): Given a string ID A {0, 1}, public system parameters M pk and the master-key M sk = s, the algorithm returns 1 d IDA = s+h 1(ID A ) P. Encapsulate E ID KEM (M pk, ID A ): 1. Compute P A = H 1 (ID A )P + P pub. 2. Pick a random r Z q and compute c = rp A. 3. Compute g r = ê(p, P ) r and e = H 2 (c, g r ). 4. Output (e, c). Decapsulate D ID KEM (M pk, d IDA, c): 1. Compute g r = ê(c, d IDA ) and e = H 2 (c, g r ). 2. Output e. 3.2 Security Proof of SK-ID-KEM The security strength of SK-ID-KEM can be defined by the following theorem. Theorem 6 The SK-ID-KEM is secure against adaptive chosen ciphertext attacks provided that the q-gbdhi assumption is sound, and H 1 and H 2 are random oracles. Specifically, suppose there exists an ID-KEM-CCA2 adversary A against SK- ID-KEM that has advantage ɛ(k) and running time t(k). Suppose also that during the attack A makes at most q D queries on Decapsulation query, q i queries on H i for i = 1, 2, note that H 1 can be queried directly by A or indirectly by an Extraction query, a Decapsulation query or the Challenge operation. Then there exists an algorithm B to solve the q 1 -GBDHI problem with advantage Adv B (k) and running time t B (k) where Adv B (k) ɛ(k) q 1 t B (k) O(t(k) + q D χ + q 2 1 (T + O)) where χ is the time of computing pairing, T is the time of a scalar operation in G 1, and O is time of one access to the DBIDH oracle. Proof: Algorithm B is given as input a random q 1 -BDHI instance q, G 1, G 2, ê, P, xp, x 2 P,... x q1 P where x is a random element from Z q and has the access to the DBIDH oracle O ( ) DBIDH. Algorithm B finds ê(p, P )1/x by interacting with A and O ( ) DBIDH as follows: Algorithm B first chooses an index I with 1 I q 1 and simulates algorithm Setup of SK-ID-KEM to create the public system parameters M pk as follow. 1. Randomly choose different h 0,..., h q1 1 Z q and let f(z) be the polynomial f(z) = q 1 1 i=1 (z +h i). Reformulate f to get f(z) = q 1 1 i=0 c iz i. The constant term c 0 is non-zero because h i 0 and c i are computable from h i.

9 2. Compute Q = q 1 1 i=0 c ix i P = f(x)p and xq = q 1 1 i=0 c ix i+1 P = xf(x)p. 3. Check that Q G 1. If Q = 1 G1, then there must be such h i = x which can be easily identified, and so, B solves the q 1 -BDHI problem directly. Otherwise, B continues. 4. Compute f i (z) = f(z)/(z + h i ) = q 1 2 j=0 d jz j 1 and x+h i Q = f i (x)p = q1 2 j=0 d jx j P for 1 i < q Set T = q 1 1 i=1 c ix i 1 P and compute T 0 = ê(t, Q + c 0 P ). 6. Now, B maintains a list P S list = (h 0, ), (h 1 +h 0, 1 h 1+x Q),..., (h i+h 0, 1 9 h i+x Q),..., (h q1 1 + h 0, 1 h q1 1+x Q) 7. Finally, B set M pk = q, G 1, G 2, ê, n, Q, xq h 0 Q, H 1, H 2 (i.e., setting P pub = xq h 0 Q and M sk = x h 0 which B does not know). H 1 and H 2 are two random oracles controlled by B. Now B starts to respond to queries as follows. H 1 -query(id i ): B maintains an initially empty list of tuples ID i, h i, d i indexed by ID i as explained below. We refer to this list as H1 list. When A queries the oracle H 1 at a point ID i, B responds as follows: 1. If ID i already appears on the H1 list in a tuple ID i, h i, d i, then B responds with H 1 (ID i ) = h i. 2. Otherwise, if the query is on the I-th distinct ID, then B stores ID I, h 0, into the tuple list and responds with H 1 (ID I ) = h Otherwise, B selects a random integer h i + h 0 (i > 0) from P S list which has 1 not been chosen by B and stores ID i, h i + h 0, h i+xp into the tuple list. B responds with H 1 (ID i ) = h i + h 0. H 2 -query(x i, Y i ): At any time algorithm A can issue queries to the random oracle H 2. To respond to these queries, B maintains an initially empty list of tuples called H2 list. Each entry in the list is a tuple in the form X i, Y i, Z i indexed by (X i, Y i ). To respond to a query on (X i, Y i ), B does the following operations: 1. If on the list there is a tuple indexed by (X i, Y i ), then B responds with Z i. 2. Otherwise, B searches L D (a list maintained in the Decapsulation step specified later) to find the pairs (c j, e j ) with c j = X i. For every such pair, B queries O ( ) DBIDH with (Q, X i, xq, Y i ). Once O ( ) DBIDH returns 1 for one pair, B inserts the tuple X i, Y i, e j into H2 list, meanwhile removes the tuple (c j, e j ) from L D and returns e j. For other situations, B continues. 3. B randomly chooses a string Z i {0, 1} n and inserts a new tuple X i, Y i, Z i into the list. It responds to A with Z i. Extraction query(id i ): B first looks through list H list 1. If ID i is not on the list, B queries H 1 (ID i ). B then checks the value d i : if d i, B responds with d i ; otherwise, B aborts the game (Event 1). Decapsulation query(id i, c i ): B maintains an initially empty list, denoted by L D, of pairs in the form c i, e i. To respond to the query, B first looks through

10 10 list H1 list. If ID i is not on the list, then B queries H 1 (ID i ). Depending on the value of d i for ID i on H1 list, B responds differently. If d i, then B first computes g r = ê(c i, d i ), and then queries Z i = H 2 (c i, g r ). B responds with Z i. Otherwise (d i = ), B takes following actions: 1. B searches H2 list and puts all the tuples with X j = c i into an initially empty set L T. 2. For every tuple X j, Y j, Z j in L T, B queries O ( ) DBIDH with (Q, c i, xq, Y j ). If O ( ) DBIDH returns 1 for one query, then B returns the corresponding Z j. 3. Otherwise, B randomly chooses e {0, 1} n and inserts c i, e into the list L D. Finally B returns e. Challenge query(id ). If ID is not on the list H list 1, B queries H 1 (ID ) first. 2 If d ID on H 1 is not represented by, B aborts the game (Event 2). Otherwise, B randomly chooses r Z q and e {0, 1} n, and returns (e, rq) as the challenge (k, C ). For simplicity, if (ID, rq) has been queried on the Decapsulation query, B tries another random r. Guessing. Once A outputs its guess, B answers the q 1 -BDHI challenge in the following way. 1. B searches H2 list and puts all the tuples with X j = rq into an initially empty set L T. 2. For each tuple X j, Y j, Z j in L T, B queries O ( ) DBIDH with (Q, rq, xq, Y j). If O ( ) DBIDH returns 1 (i.e., Y j = (Q, Q) r/x ), B computes T = Y 1/r j and returns (T/T 0 ) 1/c2 0 as the answer to the q1 -BDHI problem. Note that ê(p, P ) 1/x = (T/T 0 ) 1/c2 0 if T = ê(q, Q) 1/x. 3. Otherwise, B failed (Event 3). Claim: If algorithm B does not abort during the simulation, then algorithm A s view is identical to its view in the real attack. Proof: B s responses to H 1 queries are uniformly and independently distributed in Z q as in the real attack because of the behavior of the Setup phase in the simulation. H 2 is modelled as a random oracle which requires that for each unique input, there should be only one response. We note that the simulation substantially makes use of the programmability of random oracle and the access to the DBIDH oracle to guarantee the unique response for every H 2 query. There are two subcases in the simulation. 2 In fact we can assume that the adversary has queried H 1(ID ) before the challenge phase in the attack. This assumption is reasonable because if in the real attack, A does not issue this query before the challenge phase or even in the whole game, we can tweak the adversary in mind so that the last step of A 1 is to issue the query H 1(ID ), after the adversary has chosen the challenge identifier ID. This obviously does not affect the adversary s ability to win the game.

11 11 The adversary queries the Decapsulation oracle on (ID, c i ). Although B cannot compute F = ê(c i, 1 xq) (note that if the game does not abort, d ID = 1 x Q), B makes use of O( ) DBIDH to test if F has been queried to H 2 as an input Y i. If F has been queried, B uses the existing response. Otherwise, B randomly generates the response and keeps a record in L D. The adversary queries on H 2 (c i, Y i ). If (c i, Y i ) has not been queried before on H 2, B should make sure that the response must be consistent with the possible existing response generated in the Decapsulation queries. Again, B exploits the access to the DBIDH oracle. By testing ê(c j, 1 x Q)? = Y i for all c j s in L D and, if the equation holds, returning the corresponding response in L D, B guarantees that the output in this query is consistent with the one in the Decapsulation query. Without programmability of a random oracle, this cannot be done. The responses in other types of query are valid as well. Hence the claim is founded. The left problem is to calculate the probability that B does not abort the game. The game could abort when at least one of following events happened. (1) Event 1, denoted as H 1 : A queried a private key which is represented by at some point. (2) Event 2, denoted as H 2 : A did not choose ID I as the challenge identity. (3) Event 3, denoted as H 3 : A did not query (rq, ê(q, Q) r/x ) on H 2. Since H 2 is a random oracle, Pr[A wins H 3 ] = 1 2, we have Pr[A wins] = Pr[A wins H 3 ] Pr[H 3 ] + Pr[A wins H 3 ] Pr[H 3 ] 1 2 (1 Pr[H 3]) + Pr[H 3 ] = Pr[H 3]. Pr[A wins] Pr[A wins H 3 ] Pr[H 3 ] = 1 2 (1 Pr[H 3]) = Pr[H 3]. So, we have Pr[H 3 ] ɛ(k). We note that H 2 implies H 1 because of the rules of the game. Overall, we have Adv B (k) = Pr[H 2 H 3 ] ɛ(k) q 1. References 1. D. Boneh and X. Boyen. Efficient selective-id secure identity-based encryption without random oracles. In Proceedings of Advances in Cryptology - Eurocrypt 2004, LNCS 3027, pp , Springer-Verlag, M. Bellare, A. Desai, D. Pointcheval and P. Rogaway. Relations among notions of security for public-key encryption schemes. In Proceedings of Advances in Cryptology-Crypto 98, LNCS 1462, pp , Springer-Verlag, 1998.

12 12 3. D. Boneh and M. Franklin. Identity based encryption from the Weil pairing. In Proceedings of Advances in Cryptology - Crypto 2001, LNCS 2139, pp , Springer-Verlag, K. Bentahar, P. Farshim, J. Malone-Lee, N. P. Smart. Generic Constructions of Identity-Based and Certificateless KEMs. Cryptology eprint Archive, Report 2005/ L. Chen and Z. Cheng. Security proof of the Sakai-Kasahara s identity-based encryption scheme. In submission. 6. L. Chen Z. Cheng J. Malone-Lee and N.P. Smart. An efficient ID-KEM based on the Sakai-Kasahara key construction. IEE Proceedings Information Security R. Cramer and V. Shoup. Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack. SIAM Journal on Computing, 33, 167C226, E. Fujisaki and T. Okamoto. Secure integration of asymmetric and symmetric encryption schemes. In Proceedings of Advances in Cryptology - CRYPTO 99, LNCS 1666, pp , Springer-Verlag, K. Kurosawa and Y. Desmedt. A New Paradigm of Hybrid Encryption Scheme. In Proceedings of Advances in Cryptology - CRYPTO 04, LNCS 3152, pp , Springer-Verlag, A. Shamir. Identity-based cryptosystems and signature schemes. In Proceedings of Advances in Cryptology - Crypto 84, LNCS 196, pp.47 53, Springer-Verlag, V. Shoup. A Proposal for an ISO Standard for Public Key Encryption ISO CD Encryption algorithms Part 2: Asymmetric ciphers T. Okamoto and D. Pointcheval. The gap-problems: a new class of problems for the security of cryptographic schemes. In Proceedings of Public Key Cryptography - PKC 2001, LNCS 1992, PP , Springer-Verlag, R. Sakai and M. Kasahara. ID based cryptosystems with pairing on elliptic curve. Cryptology eprint Archive, Report 2003/ F. Zhang, R. Safavi-Naini and W. Susilo. An efficient signature scheme from bilinear pairings and its applications. In Proceedings of International Workshop on Practice and Theory in Public Key Cryptography - PKC 2004, 2004.

ID-based Encryption Scheme Secure against Chosen Ciphertext Attacks

ID-based Encryption Scheme Secure against Chosen Ciphertext Attacks ongxing Lu and Zhenfu Cao Department of Computer Science and Engineering, Shanghai Jiao Tong University, Shanghai 200030, P.. China {cao-zf,