On Constructing Certificateless Cryptosystems from Identity Based Encryption

Benoît Libert⋆ and Jean-Jacques Quisquater
UCL, Microelectronics Laboratory, Crypto Group
Place du Levant, 3, B-1348, Louvain-La-Neuve, Belgium.
{benoit.libert,jean-jacques.quisquater}@uclouvain.be

⋆ This author thanks the DGTRE's First Europe Program in Belgium.

Abstract. Certificateless cryptography (CL-PKC) is a concept that aims at enjoying the advantages of identity based cryptography without suffering from its inherent key escrow. Several methods were recently suggested to generically construct a certificateless encryption (CLE) scheme by combining identity based schemes with ordinary public key cryptosystems. Whilst the security of one of these generic compositions was proved in a relaxed security model, we show that all of them are insecure against chosen-ciphertext attacks in the strongest model of Al-Riyami and Paterson. We show how to easily fix these problems and give a method to achieve generic CLE constructions which are provably CCA-secure in the random oracle model. We finally propose a new efficient pairing-based scheme that performs better than previous proposals without precomputation. We also prove its security in the random oracle model.

Keywords. Certificateless encryption, provable security, bilinear maps.

1 Introduction

In 2003, Al-Riyami and Paterson [2] invented a paradigm called certificateless public key cryptography (CL-PKC) which is intermediate between identity-based [27, 12] and traditional PKI-supported cryptography. The concept was introduced to suppress the inherent key-escrow property of identity-based cryptosystems (ID-PKC) without losing their most attractive advantage, which is the absence of digital certificates and their important management overhead. Independently of [2] and a bit earlier, Gentry [22] introduced a different but related concept named certificate based encryption (CBE) for which a signature analogue was studied in [24]. This approach is closer to the context of a traditional PKI model as it involves a certification authority (CA) providing an efficient implicit certification service for clients' public keys. Although very different at first glance, the CBE and CLE concepts were first argued [2] to be closely related and both constructions of [2, 22] use the properties of pairings. A subsequent work of Yum and Lee considered the relations between identity-based (IBE), certificate based (CBE) and certificateless encryption schemes (CLE) and established a result of essential equivalence [31] between the three primitives, but this result does not hold for the strongest security model developed in [2] for CLE schemes. The same authors also proposed generic constructions of certificateless signatures [30] and encryption schemes [29] but only established the security of their designs in security models that are seemingly undermined w.r.t. the original model considered in [2] for the public key encryption case.

A more recent work [3] thoroughly investigated the connections between the CLE and CBE paradigms by proposing a simplified definition and a revised security model for certificate based encryption before proving that any secure certificateless encryption (CLE) scheme can be turned into a secure CBE in the amended model. Among other related results, we mention a paper [16] describing a somewhat similar scheme to [3], and another work [9] that investigates identity-based and certificateless extensions of key encapsulation mechanisms. Both works [9, 16] considered a model of security which is noticeably weaker (albeit realistic in practice) than the original one [2]. A very recent paper by Baek et al. [4] also showed how to devise a certificateless encryption scheme without pairings.
The latter construction enjoys a better efficiency than pairing-based proposals [2, 3, 16] but is supported by a weaker security model and prevents users from generating their public key independently from the system's authority. Finally, Dent and Kudla [17] investigated the feasibility of provably secure CLE schemes in the standard model and ruled out the use of some particular proof techniques for achieving this purpose in accordance with intuitive arguments given in [16].

The contribution of the present paper to the area of certificateless cryptography is two-fold. It first identifies some weaknesses in generic constructions independently considered in [1] and [29]. It shows that one of these flaws is also present in the second provably secure CLE scheme of Al-Riyami and Paterson [3] where it can be very easily fixed. The paper then explains how to obtain generic constructions which are provably secure in the random oracle model. It does so by first giving a generic random oracle-using conversion to turn any CLE scheme which is only secure against chosen-plaintext attacks into an IND-CCA scheme in the full model of Al-Riyami and Paterson [2]. The second contribution of the paper is to describe a new efficient pairing-based scheme yielding some advantages over previous constructions [2, 3, 16, 9]: its encryption operation does not require computing a pairing (only the decryption algorithm does) and is thus generally faster than in previous proposals [2, 3, 16, 9]. The security proof of the new scheme is nevertheless obtained under a stronger computational assumption than for previous schemes in the literature.

In the forthcoming sections of this paper, we first review the formal definition and adversarial model of CLE schemes in section 2. Section 3 illustrates the power of their security model by showing how several generic constructions studied so far are insecure in it.
We explain in section 4 how to repair them and we prove the security of the fixed constructions in the random oracle model. Our new certificateless cryptosystem is then depicted in section 5 where security proofs in the random oracle model are detailed.

2 Preliminaries

We now recall the components of a certificateless encryption scheme before detailing the relevant formal security model [2].

2.1 Definition of certificateless encryption (CLE)

Definition 1. A certificateless encryption scheme (CLE) is a 7-tuple of algorithms which are the following:

Setup: is a probabilistic algorithm run by a Key Generation Center (KGC), that, given a security parameter k, returns a randomly chosen master key mk and a list of public parameters params.

Partial-Private-Key-Extract: is a possibly probabilistic algorithm, run by the KGC, that takes as input a user's identifier $ID_A$ and the master key mk to return his/her partial private key $d_A$.

Set-Secret-Value: is a probabilistic algorithm that, given a list of public parameters params, returns a randomly chosen secret value $x_A$ for that user. This algorithm and the next two are performed by the user himself.

Set-Private-Key: is a deterministic private key generation algorithm that, given public parameters params, a user's partial private key $d_A$ and secret value $x_A$, outputs a private key $S_A$.

Set-Public-Key: is a deterministic public key generation algorithm that, given public parameters params and a user's secret value $x_A$, computes his/her public key $pk_A$. The latter's well-formedness (i.e. its belonging to a specific group or set) must be publicly verifiable given params.

Encrypt: is a probabilistic algorithm taking as input a plaintext m, parameters params, a receiver's identity $ID_A$ and his public key $pk_A$ to produce a ciphertext $C = \mathrm{Encrypt}(m, params, ID_A, pk_A)$.
Decrypt: is a deterministic algorithm that, given a ciphertext C, a list of public parameters params and user $ID_A$'s private key, outputs a plaintext m or a distinguished symbol ⊥.

For completeness, it is obviously required that $\mathrm{Decrypt}(C, params, S_A) = m$ whenever $C = \mathrm{Encrypt}(m, params, ID_A, pk_A)$ for all messages $m \in M$ and public keys $pk_A = \text{Set-Public-Key}(params, x_A)$ for which the matching private key is $S_A = \text{Set-Private-Key}(params, \text{Partial-Private-Key-Extract}(ID_A), x_A)$ and the secret value is $x_A = \text{Set-Secret-Value}(params)$.

Unlike Setup and Partial-Private-Key-Extract that are run by a Key Generation Center (KGC), algorithms Set-Secret-Value, Set-Private-Key and Set-Public-Key are executed by the user whose private key remains hidden from the KGC. The recent pairing-free scheme of Baek et al. [4] fits a slightly different model where users have to obtain their partial private key and a partial public key before generating their full public key. This approach is closer to the “self-certified” paradigm [23] which is another approach suggested by Girault in 1991 to use public key cryptography without traditional digital certificates and without involving an escrow authority.

2.2 Security model

In [2], two kinds of adversaries are distinguished against CLE schemes. A Type I adversary ignores the KGC's master key but can replace public keys of arbitrary identities with other public keys of her choosing. Such an adversarial behavior seems natural as, in the absence of digital certificates, anyone can alter public directories by replacing public keys without being caught or detected. As attackers against IBE schemes (recalled in appendix A), Type I adversaries can also obtain partial and full private keys of arbitrary identities. In contrast, a Type II adversary knows the KGC's master key (and does not need a partial key exposure oracle) and may still obtain full private keys for arbitrary identities but is disallowed to replace public keys during the game.
For both types of adversaries, depending on the strength of the attack, we may or may not provide them with an oracle decrypting arbitrary ciphertexts using the private key associated with arbitrary identities. In the chosen-ciphertext scenario, the authors of [2] consider decryption oracles that should be able (thanks to suitable knowledge extractors) to output consistent answers even for identities whose public key has been replaced and for which they do not know the new private key. The latter requirement might look too strong but it may be argued that decryption queries involving identities of replaced public key are far more useful to a Type I attacker (especially when the latter does not know the private key associated with the new public key). In the security analysis of generic constructions in section 3.1, we will illustrate the importance of considering adversaries who replace public keys instead of merely corrupting their owner and learning his/her secret value.

Definition 2. A CLE scheme is IND-CCA secure if no probabilistic polynomial time (PPT) adversary A of Type I or II has a non-negligible advantage in the following game:

1. Given a security parameter k, the challenger runs Setup(k) and then delivers the resulting parameters params to A who also receives the master key mk if she is of Type II. Otherwise, mk is kept secret.

2. A is given access to
- a public key broadcast oracle Public-Key-Broadcast taking as input identities and returning the matching public keys.
- a partial key exposure oracle Partial-Private-Key-Extract (if she is of Type I as such an oracle is useless otherwise) returning partial private keys associated with users' identities.
- a private key exposure oracle Private-Key-Extract revealing private keys of entities whose public key was not replaced.
- a decryption oracle Decrypt which, given a ciphertext and an identity (C, ID), returns the decryption of C using the private key corresponding to the current value of entity ID's public key.
If A is of Type I, she also has access to a public key replacement oracle Public-Key-Replace which, given an identifier ID and a valid public key $pk'$, replaces user ID's public key with $pk'$.

3. A outputs messages $m_0$, $m_1$ together with an identity $ID^*$ of uncorrupted private key. If A is of Type I, $ID^*$ may not have been submitted to both oracles Public-Key-Replace and Partial-Private-Key-Extract. She gets a ciphertext $C^* = \mathrm{Encrypt}(m_b, params, ID^*, pk^*)$ where $b \xleftarrow{R} \{0,1\}$ and $pk^*$ is the public key currently associated with $ID^*$.

4. She then issues a new sequence of queries but is not permitted to ask for the decryption of $C^*$ for the combination $(ID^*, pk^*)$ under which $m_b$ was encrypted at step 3. Moreover no private key exposure query can be made on $ID^*$ at any time and, in a Type I attack, $ID^*$ may not be submitted to both oracles Public-Key-Replace and Partial-Private-Key-Extract.

5. A eventually outputs a bit $b'$ and wins if $b' = b$. As usual, her advantage is
$$\mathrm{Adv}^{\mathrm{ind\text{-}cca}}_{\mathrm{CLE}}(A) := 2 \times \Pr[b' = b] - 1.$$

The above definition captures a chosen-ciphertext scenario. The weaker chosen-plaintext security (or IND-CPA security) notion is formalized by a similar game where attackers have no decryption oracles. The security models considered in [4, 16, 29] are weaker in that they disallow Type I attackers to ever extract the partial private key of the target entity. In contrast, the above model allows them to do so as long as they do not additionally replace the associated public key. Besides, the models of [16, 29] only require challengers to correctly handle decryption queries for entities whose public key was not replaced. From here on, we will stick to the model of definition 2.
3 On the power of public key replacement oracles

This section underlines the strength of the security model captured by definition 2. We first explain simple attacks that compromise the security of some generic constructions of certificateless encryption. We then exemplify that allowing decryption queries even for entities whose public keys have been replaced also harms the security of the scheme proposed by Al-Riyami and Paterson published in [3]. We also show how to very easily fix the problem.

3.1 The case of generic constructions

In [1] and [29], generic constructions of certificateless encryption were independently proposed. Their idea is basically to combine strongly secure identity-based and traditional public key encryption schemes in a sequential or parallel fashion. More precisely, let $\Pi^{IBE} = (\mathrm{Setup}^{IBE}, \mathrm{Extract}^{IBE}, E^{IBE}, D^{IBE})$ be an IBE scheme (see appendix A for details on the formal syntax of such a primitive) and $\Pi^{PKE} = (K^{PKE}, E^{PKE}_{pk}, D^{PKE}_{sk})$ denote a traditional public key encryption scheme (the latter being made of a key generation algorithm $K^{PKE}$, a probabilistic encryption algorithm $E^{PKE}_{pk}$ and the deterministic decryption algorithm $D^{PKE}_{sk}$). A CLE scheme $\Pi^{CLE}$ (referred to as Generic-CLE-1 in what follows) can be obtained with the present sequential composition. Its security was proved by Yum and Lee [29] in a model where adversaries are restricted not to issue a partial key exposure query on the target identity $ID^*$ (recall that such a query is allowed in the strong model if entity $ID^*$'s public key is never replaced) nor to require the correct decryption of ciphertexts encrypted under identities of replaced public keys.

Setup: is an algorithm running the setup algorithm of $\Pi^{IBE}$. The message space of $\Pi^{CLE}$ is the message space of $\Pi^{PKE}$ while its ciphertext space is the one of $\Pi^{IBE}$. Both schemes have to be compatible in that the plaintext space of $\Pi^{IBE}$ must contain the ciphertext space of $\Pi^{PKE}$.
Partial-Private-Key-Extract: is the private key generation algorithm of $\Pi^{IBE}$.

Set-Secret-Value and Set-Public-Key: run the key generation procedure of $\Pi^{PKE}$ to obtain a private key sk and a public key pk. The former is the secret value and the latter becomes the public key.

Set-Private-Key: returns $S_A := (d_A, sk_A)$ where $d_A$ is obtained by running the key generation algorithm of $\Pi^{IBE}$ for the identity $ID_A$ and $sk_A$ is entity A's secret value obtained from $\Pi^{PKE}$'s key generation algorithm.

Encrypt: to encrypt $m \in M^{PKE}$ using the identifier $ID_A \in \{0,1\}^*$ and the public key $pk_A$,
1. Check that $pk_A$ has the right shape for $\Pi^{PKE}$.
2. Compute and output the ciphertext $C = E^{IBE}_{ID_A}(E^{PKE}_{pk_A}(m))$ where $E^{IBE}_{ID_A}$ and $E^{PKE}_{pk_A}$ respectively denote the encryption algorithms of $\Pi^{IBE}$ and $\Pi^{PKE}$ for the identity $ID_A$ and the public key $pk_A$.

Decrypt: to decrypt C using $S_A = (d_A, sk_A)$,
1. Compute $D^{IBE}_{d_A}(C)$ using the decryption algorithm of $\Pi^{IBE}$. If the result is ⊥, return ⊥ and reject the ciphertext.
2. Otherwise, compute $D^{PKE}_{sk_A}(D^{IBE}_{d_A}(C))$ using the decryption algorithm of $\Pi^{PKE}$ and return the result.

This construction is insecure against Type I attacks in the full model of definition 2 even if its building blocks $\Pi^{IBE}$ and $\Pi^{PKE}$ are each IND-CCA secure in their model. We show it using simple arguments such as those given in [18, 32] against the security of naive multiple-encryptions. Let $C^* = E^{IBE}_{ID^*}(E^{PKE}_{pk^*}(m^*_b))$ be the challenge ciphertext in the game of definition 2 where $m^*_b$ (for a random bit $b \in \{0,1\}$) denotes one of the messages produced by the adversary $A_I$ in her challenge request. Assume that $A_I$ never replaces the public key of $ID^*$ but rather extracts the partial private key $d_{ID^*}$ after the challenge phase. She then obtains $E_1 = D^{IBE}_{d_{ID^*}}(C^*) = E^{PKE}_{pk^*}(m^*_b)$ and she may compute another encryption $C' = E^{IBE}_{ID^*}(E_1) \neq C^*$ of the same plaintext and obtain $m^*_b$.
This does not contradict the result of [29] that considers a weaker model where attackers may not extract the partial private key for the target identity.

In [1], a reverse-ordered composition (that we call Generic-CLE-2) where ciphertexts have the form $C = E^{PKE}_{pk_A}(E^{IBE}_{ID_A}(m))$ is suggested. This composition is vulnerable against an attacker replacing the target entity's public key before the challenge phase. Knowing the secret value $sk^*$ in the challenge phase, the adversary obtains $E^{IBE}_{ID^*}(m_b)$ that is re-encrypted into $C' = E^{PKE}_{pk^*}(E^{IBE}_{ID^*}(m_b)) \neq C^*$ which may be submitted to the decryption oracle even though entity $ID^*$'s public key was replaced in the model of [2].

In [1], a ‘parallel’ construction (that we will call Generic-CLE-3) was also considered. It encrypts a plaintext m into
$$C = \langle E^{PKE}_{pk_A}(m_1),\ E^{IBE}_{ID_A}(m_2) \rangle$$
where $m_1$ and $m_2$ are subject to the constraint $m = m_1 \oplus m_2$. This parallel approach is vulnerable to a similar attack to those outlined by Dodis and Katz [18] or Zhang et al. [32] against multiple-encryption schemes: if $C^* = \langle E_1^*, E_2^* \rangle$ is the challenge ciphertext in the IND-CCA game, both kinds of adversaries $A_I$ or $A_{II}$ may first request the decryption of $C_1' = \langle E_1^*, E^{IBE}_{ID^*}(0^{IBE}) \rangle$ and then the decryption of $C_2' = \langle E^{PKE}_{pk^*}(0^{PKE}), E_2^* \rangle$, where $0^{PKE}$ and $0^{IBE}$ are plaintexts made of zeros in $\Pi^{PKE}$ and $\Pi^{IBE}$ respectively. By combining the results $m_1'$ and $m_2'$ of both decryption requests into $m_1' \oplus m_2'$, the adversary gets back the plaintext encrypted in $C^*$. This attack works even if $\Pi^{IBE}$ and $\Pi^{PKE}$ are both IND-CCA secure and it does not even require $A_I$ to replace any public key. Unlike the previous two attacks, it also works in the weaker models of [16, 29]. In [18], Dodis and Katz gave generic techniques to counteract such attacks and build IND-CCA secure (possibly parallel) multiple-encryption schemes from public key encryption schemes which are individually IND-CCA.
They showed that their methods apply to the design of certificate-based encryption schemes [22] without resorting to the random oracle model. Because of the strong constraint imposed on decryption oracles in definition 2, those techniques do not seem to directly apply in the present context (although they do so in the relaxed models considered in [16, 29]). In security proofs, the difficulty is that the simulator does not know the secret value of entities whose public key was replaced.

3.2 The second Al-Riyami-Paterson scheme

In [3], the inventors of the certificateless paradigm proposed a variant (named FullCLE*) of their original scheme that is significantly more efficient. It again uses bilinear map groups which are groups $(G_1, G_2)$ of prime order q for which there exists a bilinear map $\hat e : G_1 \times G_1 \to G_2$ satisfying the following properties:
1. Bilinearity: $\forall P, Q \in G_1$, $\forall a, b \in \mathbb{Z}_p^*$, we have $\hat e(P^a, Q^b) = \hat e(P, Q)^{ab}$
2. Non-degeneracy: if P generates $G_1$, then $\hat e(P, P)$ generates $G_2$
3. Computability: $\forall P, Q \in G_1$, $\hat e(P, Q)$ can be efficiently computed

In FullCLE*, public keys are made of a single group element $Y_A = x_A P \in G_1$, for a secret value $x_A \in \mathbb{Z}_q^*$, and checking their validity only requires an elliptic curve scalar multiplication. The plaintext is actually scrambled twice using two distinct superposed one-time masks. In some sense, this scheme may be regarded as an optimized composition of the Boneh-Franklin IBE [12] with an ElGamal-like cryptosystem [21]. In order to achieve the security in the sense of definition 2, the authors of [3] again applied the Fujisaki-Okamoto conversion [20]. In more detail, the KGC has a master key $s \in \mathbb{Z}_q^*$ and a master public key $P_{pub} = sP$. It computes partial private keys as $d_A = s\,h_1(ID_A)$, where $h_1 : \{0,1\}^* \to G_1^*$ maps public identifiers onto the group $G_1$, while end-users' private keys consist of a secret value $x_A$ and a partial private key $d_A$.
In accordance with the Fujisaki-Okamoto construction, messages m are encrypted into
$$C = \langle U, V, W \rangle = \langle rP,\ \sigma \oplus h_2(\hat e(P_{pub}, h_1(ID_A))^r) \oplus h_2'(rY_A),\ m \oplus h_4(\sigma) \rangle$$
where $r = h_3(\sigma, m)$ for a random string $\sigma \xleftarrow{R} \{0,1\}^{k_1}$ (for some $k_1 \in \mathbb{N}$) and hash functions $h_2 : G_2 \to \{0,1\}^{k_1}$, $h_2' : G_1 \to \{0,1\}^{k_1}$, $h_3 : \{0,1\}^{n+k_1} \to \mathbb{Z}_q^*$, $h_4 : \{0,1\}^{k_1} \to \{0,1\}^n$.

It turns out that the original Fujisaki-Okamoto padding [20] does not suffice to achieve the security level modelled in definition 2. We find that a Type I adversary $A_I$ can break the non-malleability of FullCLE* in the scenario of definition 2 by replacing twice the target identity's public key. If the challenge ciphertext is $C^* = \langle U^*, V^*, W^* \rangle$ and $x^*$ denotes the secret value of the target identity $ID^*$ (which is known to a Type I adversary A replacing entity $ID^*$'s public key before the challenge phase), the attacker can replace entity $ID^*$'s public key with $x'P$ after the challenge phase and then ask for the decryption of
$$C' = \langle U^*,\ V^* \oplus h_2'(x^* U^*) \oplus h_2'(x' U^*),\ W^* \rangle$$
(which is an encryption of the same plaintext as $C^*$ for the combination $(ID^*, x'P)$). Since decryption queries remain allowed even for entities of a replaced public key, $A_I$ can issue a decryption query on $C' \neq C^*$ for the identity $ID^*$ and recover the plaintext. Fortunately, such an attack is easily defeated by hashing the recipient's public key along with his identity and the pair $(\sigma, m)$ when computing r in the encryption algorithm. A variant of FullCLE* independently proposed by Cheng and Comley [16] is immune to the latter attack because it scrambles σ with a hash value of both $rY_A$ and $\hat e(P_{pub}, Q_{ID_A})^r$ instead of using separate masks. These observations shed new light on the power of attackers replacing entities' public keys instead of merely obtaining their secret value.
Indeed, the FullCLE* scheme remains secure in a model where attackers cannot replace public keys but are rather provided with an oracle returning secret values of arbitrary identities. The latter model is thus strictly weaker than the one of [2].

4 Secure combinations in the random oracle model

We now explain how to obtain generic constructions that withstand the attacks outlined in section 3.1 and that are provably secure in the random oracle model. We first show a generic random oracle-based transformation that turns any IND-CPA certificateless encryption scheme into a secure CLE system in the chosen-ciphertext scenario of definition 2. We then show that all the generic compositions recalled in section 3.1 are IND-CPA if they start from chosen-plaintext secure IBE and public key encryption schemes.

4.1 From chosen-plaintext to chosen-ciphertext security

This transformation is a modification of the first Fujisaki-Okamoto conversion [19] which provides IND-CCA secure public key encryption schemes from IND-CPA ones. Our modification is to include the recipient's identity and public key among the inputs of the hash function deriving random coins from the message and a random string in the encryption algorithm. To handle decryption queries of the chosen-ciphertext attacker, the strategy of the plaintext extractor is essentially the following: for every new random oracle query on a string $(m\|\sigma\|pk\|ID)$, it returns a random value r and runs the encryption algorithm of the weakly secure CLE scheme with the identity ID and the public key pk (that may have been replaced or not) to encrypt $(m\|\sigma)$ using the randomness r. The resulting ciphertext C is stored in a list. By doing so, the simulator anticipates subsequent decryption queries, knowing that any valid ciphertext submitted in a decryption query was previously computed and stored in the list with all but negligible probability.
The latter strategy allows us to handle decryption queries even when the relevant public key was replaced. It is a generic knowledge extractor (in the random oracle model) while previous works [2-4] that considered the treatment of this kind of decryption requests only used knowledge extractors that were specific to their schemes.

Theorem 1. Let $\Pi^{CLE}$ be an IND-CPA certificateless encryption scheme and suppose that $E^{params}_{ID,pk}(M, R)$ and $D^{params}_{S_{ID}}$ are its encryption and decryption algorithms where ID and pk respectively denote the recipient's identity and his public key, M is a message of $n + k_0$ bits, R is a random string of ℓ bits while $S_{ID}$ is the recipient's private decryption key. Then, an IND-CCA certificateless scheme $\overline{\Pi}^{CLE}$ can be obtained using modified encryption and decryption algorithms
$$\overline{E}^{params}_{ID,pk}(m, \sigma) = E^{params}_{ID,pk}\big(m\|\sigma,\ H(m\|\sigma\|pk\|ID)\big)$$
where $H : \{0,1\}^* \to \{0,1\}^{\ell}$ is a random oracle, $m \in \{0,1\}^n$ is the plaintext and $\sigma \in \{0,1\}^{k_0}$ is a random string. The modified decryption algorithm is
$$\overline{D}^{params}_{S_{ID}}(C) = m \ \text{ if } C = E^{params}_{ID,pk}\big(m\|\sigma,\ H(m\|\sigma\|pk\|ID)\big) \text{ and } \bot \text{ otherwise,}$$
where $(m\|\sigma) = D^{params}_{S_{ID}}(C)$.

More precisely, assume that a Type I (resp. Type II) IND-CCA attacker A has advantage $\epsilon$ over $\overline{\Pi}^{CLE}$ when running in time $\tau$, making $q_D$ decryption queries and $q_H$ random oracle queries. It implies a Type I (resp. Type II) IND-CPA attacker B with advantage
$$\epsilon' > (\epsilon - q_H/2^{k_0-1})(1 - 2^{-\ell_0})^{q_D}$$
over $\Pi^{CLE}$ when running in time $\tau' < \tau + O(q_H \tau_E)$, where $\tau_E$ is the cost of the original encryption algorithm and
$$\ell_0 = \log_2 \min_{m \in \{0,1\}^{n+k_0},\ ID,\ pk} \Big[ \#\{E^{params}_{ID,pk}(m, r) \mid r \in \{0,1\}^{\ell}\} \Big]$$
is the logarithm of the cardinality of the smallest set of encrypted values that can be obtained for fixed plaintext, identity and public key.

Proof. The proof is quite similar to the one of theorem 3 in [19] but we have to show that the adapted conversion generically works in our context. We outline how B uses A to succeed in a chosen-plaintext attack against her challenger CH.
B starts by forwarding to A the public parameters (together with the KGC's master key in the scenario of a Type II attack) she obtains from CH. Recall that $\Pi^{CLE}$ can be itself a random oracle-using scheme. All random oracles pertaining to $\Pi^{CLE}$ are thus controlled by CH. The chosen-ciphertext attacker A also has access to a decryption oracle and an additional random oracle H that are simulated by B as follows:
- Random oracle queries related to $\Pi^{CLE}$ as well as public key broadcast, public key replacement (in the case of Type I attacks) and partial/full private key exposure queries are passed to CH whose answers are relayed to A.
- Whenever A submits a string $(m\|\sigma\|pk\|ID)$ to the H oracle, B first checks if H was previously queried on the same input and returns the previously answered value if it was. Otherwise, B returns a randomly chosen $r \xleftarrow{R} \mathbb{Z}_q^*$. She then runs the encryption algorithm of $\Pi^{CLE}$ to compute
$$C = E^{params}_{ID,pk}(m\|\sigma, r)$$
which is a $\overline{\Pi}^{CLE}$ encryption of m under the public key pk and the identity ID using the randomness $\sigma \in \{0,1\}^{k_0}$ (as well as a $\Pi^{CLE}$ encryption of $(m\|\sigma)$ for the randomness r). In order to anticipate subsequent decryption queries, a record containing the input $(m\|\sigma\|pk\|ID)$, the output r and the ciphertext C is stored in a list $L_H$. Note that B might need CH to answer queries for random oracles related to $\Pi^{CLE}$ to be able to compute C.
- Decryption queries for a ciphertext C and an identity ID: B first recovers the public key pk currently associated with ID (by issuing a public key query to CH). She then searches in list $L_H$ for a tuple of the form $((m\|x\|pk\|ID), r, C)$ in order to return the corresponding m if such a tuple exists and ⊥ otherwise.

When A decides that phase 1 is over, she outputs messages $(m_0, m_1)$ and an identity $ID^*$ (whose private key was not exposed and that was not submitted to both the Public-Key-Replace and Partial-Private-Key-Extract oracles).
At that point, B obtains the current value $pk^*$ of entity $ID^*$'s public key (by issuing a Public-Key-Broadcast query to CH) before randomly choosing two strings $\sigma_0, \sigma_1 \xleftarrow{R} \{0,1\}^{k_0}$ and in turn sending her challenge request $(M_0 = (m_0\|\sigma_0),\ M_1 = (m_1\|\sigma_1),\ ID^*)$ to CH. The latter then returns a $\Pi^{CLE}$ encryption $C^*$ of $M_b = (m_b\|\sigma_b)$ for the identity $ID^*$ and the current public key $pk^*$ using some randomness $r^* \xleftarrow{R} \mathbb{Z}_q^*$.

As in the proof of theorem 2 in [19], if A ever queries H on the input $(m_d\|\sigma_d\|pk^*\|ID^*)$ for $d \in \{0,1\}$, B halts and outputs the corresponding bit d as a result, which is very likely to be correct in this case: since A has absolutely no information on $\sigma_{\bar b}$ ($\bar b$ being the complement bit of b), one can show as in [19] that A only asks for the hash value $H(m_{\bar b}\|\sigma_{\bar b}\|pk^*\|ID^*)$ with probability $q_H/2^{k_0}$ throughout the game. On the other hand, if such an H-query never occurs, B outputs exactly the same result $b'$ as A and obviously succeeds against CH if A yields a correct guess $b' = b$.

The probability for B to wrongly reject a ciphertext during the game is smaller than $1 - (1 - 2^{-\ell_0})^{q_D}$. Indeed, for a given decryption query on a ciphertext C and an identity ID, assume that $(m\|\sigma) = D^{params}_{S_{ID}}(C)$ and does not figure (together with ID and pk) in list $L_H$. The probability that $H(m\|\sigma\|pk\|ID)$ takes a value encrypting $(m\|\sigma)$ into C is at most $2^{-\ell_0}$ (as at most $2^{\ell - \ell_0}$ distinct random values $r \in R$ may encrypt a given plaintext into the same ciphertext by the definition of $\ell_0$). It comes that B's advantage against CH is at least $\epsilon' > (\epsilon - q_H/2^{k_0-1})(1 - 2^{-\ell_0})^{q_D}$ and that her running time is bounded by $\tau' < \tau + O(q_H \tau_E)$ where $\tau_E$ is the time complexity of the encryption algorithm of the basic scheme $\Pi^{CLE}$. She also has to issue $q_D + 1$ public key broadcast oracle queries to CH and $q_H$ queries to random oracles pertaining to $\Pi^{CLE}$.
□

4.2 Generic IND-CPA secure compositions

From now on, we only have to consider constructions that are only secure against chosen-plaintext attacks. By applying to them the random oracle-using conversion, we end up with provably secure constructions in the random oracle model. Let $\Pi^{IBE} = (\mathrm{Setup}^{IBE}, \mathrm{Extract}^{IBE}, E^{IBE}, D^{IBE})$ be an IBE scheme and $\Pi^{PKE} = (K^{PKE}, E^{PKE}_{pk}, D^{PKE}_{sk})$ be a traditional public key encryption scheme.

Theorem 2. If $\Pi^{IBE}$ is IND-ID-CPA and $\Pi^{PKE}$ is IND-CPA, then Generic-CLE-1 is IND-CPA.

The proof of the above theorem (detailed in the full paper) separately considers Type I and Type II adversaries.

Lemma 1. A Type I IND-CPA adversary $A_I$ having an advantage $\epsilon$ over Generic-CLE-1 implies either an IND-ID-CPA adversary with advantage $\epsilon/(2q_{ID})$ over $\Pi^{IBE}$ or an IND-CPA adversary with advantage $\epsilon/(2q_{ID})$ over $\Pi^{PKE}$, where $q_{ID}$ is the total number of distinct identities involved in $A_I$'s requests.

Lemma 2. A Type II IND-CPA adversary $A_{II}$ with advantage $\epsilon$ over Generic-CLE-1 implies an IND-CPA adversary B with advantage $\epsilon/q_{ID}$ over $\Pi^{PKE}$, where $q_{ID}$ is the total number of distinct identities involved in $A_{II}$'s requests.

The proofs of chosen-plaintext security of Generic-CLE-2 and Generic-CLE-3 are very similar. In lemmas 1 and 2, $q_{ID}$ can be the number of random oracle queries for hash functions mapping identifiers onto cyclic subgroups or finite fields if we assume that any query involving a given identity comes after a hash query on it. This shows how to obtain a secure generic construction in the random oracle model. In the case of Generic-CLE-1, if the encryption schemes of $\Pi^{PKE}$ and $\Pi^{IBE}$ use distinct sets of randomness $R_1$ and $R_2$, the enhanced CLE scheme may use a random oracle $H : \{0,1\}^* \to R_1 \times R_2$ so that an encryption of a plaintext m using the random string σ is given by
$$\overline{E}^{CLE}_{ID,pk}(m\|\sigma) = E^{IBE}_{ID}\big(E^{PKE}_{pk}(m\|\sigma, r_1),\ r_2\big) \quad \text{where } (r_1\|r_2) = H(m\|\sigma\|pk\|ID).$$
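The following is an added example, not code from the paper: a Python model of Generic-CLE-1 (section 3.1) with the conversion of Theorem 1 applied to it and the random oracle split into $(r_1\|r_2)$ as in section 4.2. The standard library offers no pairing, so the $\Pi^{IBE}$ layer is Cocks' quadratic-residuosity IBE (a genuine IBE, though not one the paper discusses) with constructed toy primes as the KGC's master key, and the $\Pi^{PKE}$ layer is hashed ElGamal in a toy prime field; the identifier, message and parameter sizes are constructed for illustration. The conversion itself follows Theorem 1 literally: σ is appended to m, the coins come from $H(m\|\sigma\|pk\|ID)$ (SHA-256 stands in for the random oracle), and decryption re-encrypts with the recomputed coins and returns ⊥ (here `None`) on a mismatch. `demo()` checks that a party holding $d_{ID}$ can turn a plain Generic-CLE-1 ciphertext into a different ciphertext of the same plaintext that still decrypts (the re-encryption step of the section 3.1 attack), and that the converted scheme rejects the same manipulation.

```python
import hashlib
import random
import secrets

# ---- Cocks IBE (quadratic residuosity) as the Pi^IBE layer; constructed toy parameters ----
P_TOY, Q_TOY = 2**31 - 1, 2**32 - 5    # toy primes, both = 3 (mod 4); far too small for real use
N_TOY = P_TOY * Q_TOY                   # public modulus; (P_TOY, Q_TOY) is the KGC's master key

def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0; returns 0 when gcd(a, n) > 1."""
    a, result = a % n, 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0
def ibe_hash_id(identity):
    """Map an identifier to a in Z_N with (a/N) = 1: the identity-derived public key."""
    a = int.from_bytes(hashlib.sha256(identity).digest(), "big") % N_TOY
    while jacobi(a, N_TOY) != 1:
        a = (a + 1) % N_TOY
    return a
def ibe_extract(identity):
    """Partial-Private-Key-Extract: r with r^2 = +/-a (mod N); needs the master key (p, q)."""
    return pow(ibe_hash_id(identity), (N_TOY + 5 - P_TOY - Q_TOY) // 8, N_TOY)
def ibe_encrypt(identity, msg, rng):
    """Per bit b: (t + a/t, t' - a/t') mod N with (t/N) = (t'/N) = (-1)^b; rng supplies the coins."""
    a, out = ibe_hash_id(identity), []
    for bit in ((byte >> i) & 1 for byte in msg for i in range(7, -1, -1)):
        for offset in (a, -a):
            t = rng.randrange(2, N_TOY)
            while jacobi(t, N_TOY) != (-1 if bit else 1):
                t = rng.randrange(2, N_TOY)
            out.append((t + offset * pow(t, -1, N_TOY)) % N_TOY)
    return tuple(out)
def ibe_decrypt(identity, r_id, ct):
    """Read bit b from (c + 2r / N), using c1 if r^2 = a and c2 if r^2 = -a."""
    pick = 0 if pow(r_id, 2, N_TOY) == ibe_hash_id(identity) else 1
    bits = [0 if jacobi(ct[i + pick] + 2 * r_id, N_TOY) == 1 else 1 for i in range(0, len(ct), 2)]
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))

# ---- hashed ElGamal as the Pi^PKE layer (toy group Z_p^*, p a Mersenne prime; g = 3 is a toy choice) ----
P_EG, G_EG = 2**61 - 1, 3

def pke_keygen():
    x = secrets.randbelow(P_EG - 2) + 1           # secret value x_A
    return x, pow(G_EG, x, P_EG)                  # (x_A, pk_A = g^x_A)
def pke_encrypt(pk, msg, coin):
    """(g^k, msg XOR SHA-256(pk^k)); coin fixes k, so the encryption can be re-run from its coins."""
    k = coin % (P_EG - 2) + 1
    mask = hashlib.sha256(pow(pk, k, P_EG).to_bytes(8, "big")).digest()
    return pow(G_EG, k, P_EG).to_bytes(8, "big") + bytes(u ^ v for u, v in zip(msg, mask))
def pke_decrypt(x, ct):
    mask = hashlib.sha256(pow(int.from_bytes(ct[:8], "big"), x, P_EG).to_bytes(8, "big")).digest()
    return bytes(u ^ v for u, v in zip(ct[8:], mask))

# ---- Generic-CLE-1 (section 3.1): E^IBE_ID(E^PKE_pk(M)) with explicit coins r1 (PKE) and r2 (IBE) ----
def cle1_encrypt(identity, pk, M, r1, r2):
    return ibe_encrypt(identity, pke_encrypt(pk, M, r1), random.Random(r2))
def cle1_decrypt(identity, sk, ct):
    d_id, x = sk                                  # S_A = (d_A, x_A)
    return pke_decrypt(x, ibe_decrypt(identity, d_id, ct))

# ---- the section 4.1 conversion, with H -> (r1 || r2) as in section 4.2 ----
N_BYTES, K0_BYTES = 8, 16                         # n and k_0, in bytes

def coins(m, sigma, pk, identity):
    """H(m||sigma||pk||ID) with SHA-256 standing in for the random oracle; halves are r1 and r2."""
    h = hashlib.sha256(m + sigma + pk.to_bytes(8, "big") + identity).digest()
    return int.from_bytes(h[:16], "big"), int.from_bytes(h[16:], "big")
def cca_encrypt(identity, pk, m):
    assert len(m) == N_BYTES
    sigma = secrets.token_bytes(K0_BYTES)
    return cle1_encrypt(identity, pk, m + sigma, *coins(m, sigma, pk, identity))
def cca_decrypt(identity, pk, sk, ct):
    """Decrypt, recompute the coins from (m, sigma, pk, ID), re-encrypt; a mismatch is bottom (None)."""
    M = cle1_decrypt(identity, sk, ct)
    m, sigma = M[:N_BYTES], M[N_BYTES:]
    return m if cle1_encrypt(identity, pk, M, *coins(m, sigma, pk, identity)) == ct else None
def reencrypt_outer(identity, d_id, ct):
    """What a holder of d_ID (obtainable by a Type I adversary whose target's pk was never replaced)
    can do: strip the IBE layer and re-apply it with fresh coins, giving a different ciphertext."""
    return ibe_encrypt(identity, ibe_decrypt(identity, d_id, ct), random.Random(secrets.randbits(128)))

def demo():
    """(honest decryption works, plain Generic-CLE-1 accepts the re-encryption, converted scheme rejects it)."""
    identity, m = b"alice@example.org", b"8bytemsg"          # constructed sample values
    d_id, (x, pk) = ibe_extract(identity), pke_keygen()
    ct = cle1_encrypt(identity, pk, m, secrets.randbits(128), secrets.randbits(128))
    ct2 = reencrypt_outer(identity, d_id, ct)
    weak_accepts = ct2 != ct and cle1_decrypt(identity, (d_id, x), ct2) == m
    ct = cca_encrypt(identity, pk, m)
    ct2 = reencrypt_outer(identity, d_id, ct)
    return (cca_decrypt(identity, pk, (d_id, x), ct) == m, weak_accepts,
            ct2 != ct and cca_decrypt(identity, pk, (d_id, x), ct2) is None)
```

`demo()` returns `(True, True, True)`. Note that `cca_decrypt` takes `pk` as an input, exactly as $\overline{D}$ in Theorem 1 depends on the public key currently bound to ID: the re-encryption check can only be performed against one definite (ID, pk) pair, which is why the simulator's list $L_H$ in the proof records pk alongside the identity and the ciphertext.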
In the case of Generic-CLE-3, we have
$$\mathcal{E}^{CLE}_{ID,pk}(m\|\sigma) = \big\langle \mathcal{E}^{PKE}_{pk}(m_1, r_1),\ \mathcal{E}^{IBE}_{ID}(m_2, r_2) \big\rangle \quad\text{with } m_1 \oplus m_2 = m\|\sigma.$$

5 A new efficient construction

We present here our new efficient certificateless encryption scheme, which we call NewFullCLE. Its security relies on the intractability of the following problem, introduced in [10] by Boneh and Boyen.

Definition 3 ([10]). The p-Bilinear Diffie-Hellman Inversion problem (p-BDHI) is, given $\langle P, \alpha P, \alpha^2 P, \ldots, \alpha^p P \rangle \in \mathbb{G}_1^{p+1}$, to compute $\hat{e}(P,P)^{1/\alpha} \in \mathbb{G}_2$.

5.1 The scheme

Similarly to FullCLE*, NewFullCLE may be viewed as an optimized combination of an IBE with a traditional ElGamal-like [21] cryptosystem.

Setup: given security parameters $k, k_0$ such that $k_0$ is polynomial in $k$, this algorithm chooses a $k$-bit prime number $q$, bilinear map groups $(\mathbb{G}_1, \mathbb{G}_2)$ of order $q$, a generator $P \in \mathbb{G}_1$ and hash functions $h_1: \{0,1\}^* \to \mathbb{Z}_q^*$, $h_2: \mathbb{G}_2^2 \to \{0,1\}^{n+k_0}$, $h_3: \{0,1\}^* \to \mathbb{Z}_q^*$. A master key $mk := s \xleftarrow{R} \mathbb{Z}_q^*$ and a public key $P_{pub} = sP \in \mathbb{G}_1$ are also chosen. The group element $g = \hat{e}(P,P) \in \mathbb{G}_2$ is also included among the public parameters, which are
$$\mathrm{params} := \{q, k, k_0, \mathbb{G}_1, \mathbb{G}_2, P, P_{pub}, g, \hat{e}, h_1, h_2, h_3, n, \mathcal{M}, \mathcal{C}\},$$
where $\mathcal{M} := \{0,1\}^n$ and $\mathcal{C} := \mathbb{G}_1 \times \{0,1\}^{n+k_0}$ respectively denote the cleartext and ciphertext spaces.

Partial-Private-Key-Extract: takes as input entity $A$'s identifier $ID_A \in \{0,1\}^*$ and extracts $A$'s partial private key $d_A = \frac{1}{s + h_1(ID_A)} P \in \mathbb{G}_1$.

Set-Secret-Value: given params and $A$ as inputs, this algorithm picks $x_A \xleftarrow{R} \mathbb{Z}_q^*$, which is returned as user $A$'s secret value.

Set-Private-Key: given params, user $A$'s partial private key $d_A \in \mathbb{G}_1$ and his secret value $x_A \in \mathbb{Z}_q^*$, this algorithm returns the pair $S_A = (x_A, d_A) \in \mathbb{Z}_q^* \times \mathbb{G}_1$ as a private key.

Set-Public-Key: takes as input params and entity $A$'s secret value $x_A \in \mathbb{Z}_q^*$ and produces $A$'s public key $pk_A := y_A = g^{x_A} \in \mathbb{G}_2$.

Encrypt: to encrypt $m \in \{0,1\}^n$ using the identifier $ID_A \in \{0,1\}^*$ and the public key $pk_A = y_A = g^{x_A}$, the sender
1. Checks that $y_A^q = 1_{\mathbb{G}_2}$.
2.
Picks $\sigma \xleftarrow{R} \{0,1\}^{k_0}$, computes $r = h_3(m\|\sigma\|pk_A\|ID_A) \in \mathbb{Z}_q^*$, and the ciphertext is
$$C = \langle c_1, c_2 \rangle = \big\langle r\,h_1(ID_A)P + r P_{pub},\ (m\|\sigma) \oplus h_2(g^r \,\|\, y_A^r) \big\rangle.$$

Decrypt: given $C = \langle c_1, c_2 \rangle$, the receiver computes $\omega = \hat{e}(c_1, d_A)$ and then $(m\|\sigma) = c_2 \oplus h_2(\omega \,\|\, \omega^{x_A}) \in \{0,1\}^{n+k_0}$. The message is accepted iff $c_1 = r\,(h_1(ID_A)P + P_{pub})$ with $r = h_3(m\|\sigma\|pk_A\|ID_A) \in \mathbb{Z}_q^*$.

In this construction, partial private keys are signatures computed using a signature scheme independently considered in [11] and [33]. The NewFullCLE scheme is built on the Sakai-Kasahara IBE [26, 14, 15], which itself bears similarities with the second IBE scheme proved selective-ID secure [13, 10] without random oracles by Boneh and Boyen [10]. As for the Chen-Cheng [14] variant of the Sakai-Kasahara IBE, its security proof holds in the random oracle model [8]. The consistency of the construction is easy to check, as we have
$$\hat{e}\Big(r\,h_1(ID_A)P + rP_{pub},\ \frac{1}{s + h_1(ID_A)}P\Big) = \hat{e}\Big(r\,(h_1(ID_A) + s)P,\ \frac{1}{s + h_1(ID_A)}P\Big) = \hat{e}(P,P)^r.$$

Including $g^r$ among the inputs of $h_2$ in step 2 of the encryption algorithm is necessary to achieve a security reduction under the p-BDHI assumption. The string $(m\|\sigma)$ could be hidden by a hash value of $y_A^r$ only, but the security would then have to rely on a newly defined, ad hoc assumption.

Interestingly, hashing $g^r$ along with $y_A^r$ is no longer necessary if the scheme is transformed into a certificate-based encryption scheme [22]. This is due to particularities of the certificate-based security model, which is not detailed here.

5.2 Efficiency issues

As for the FullCLE* scheme proposed by Al-Riyami and Paterson [3], the validity of the public key can be checked very efficiently. As in [3], assuming that the bilinear map groups $(\mathbb{G}_1, \mathbb{G}_2)$ are chosen by a higher-level authority and commonly used by several distinct KGCs, end-users may generate their public key independently of any authority in the system. The encryption algorithm only entails two exponentiations in $\mathbb{G}_2$ and a multi-exponentiation in $\mathbb{G}_1$.
It has a comparable efficiency to the pairing-free scheme of [4]. The receiver has to compute a pairing and an exponentiation in $\mathbb{G}_2$ besides a multi-exponentiation in $\mathbb{G}_1$. The decryption operation may be optimized by the receiver, who can pre-compute and store $h_1(ID_A)P + P_{pub}$ so that a single scalar multiplication in $\mathbb{G}_1$ suffices to verify the validity of the ciphertext. Such a pre-computation also speeds up the encryption operation for senders who encrypt several messages under the same public key.

From a computational point of view, NewFullCLE has the same efficiency as FullCLE* [3] if pre-computations are used in both schemes (although NewFullCLE might be more efficient on curves of embedding degree 2, as an exponentiation in $\mathbb{G}_T$ is cheaper than a scalar multiplication in $\mathbb{G}_1$ in this case), since the pairing can be computed in advance for each identity in FullCLE*. However, our construction performs better in the absence of pre-computations, as its encryption procedure does not compute any pairing. The encryption algorithm is also faster than its counterpart in the schemes of [16, 9] for similar parameters and without pre-computations. Moreover, NewFullCLE does not need a special (and much less efficient) hash function mapping strings onto a cyclic group (and it thus benefits from a faster partial private key generation algorithm), while all schemes have comparable decryption complexities.

Regarding key sizes, users' public keys lie in $\mathbb{G}_2$ and thus have longer representations (typically 1024 bits without optimizations) than elements of $\mathbb{G}_1$. However, pairing compression techniques due to Barreto and Scott [7] allow them to be compressed to a third (say 342 bits) of their original length on supersingular curves in characteristic 3, or even to 1/6 of their length using ordinary curves such as those of Barreto and Naehrig [6]. Those compression techniques additionally increase the speed of exponentiations in $\mathbb{G}_2$.
The version of the scheme depicted in section 5.1 uses symmetric pairings (and thus supersingular curves). However, it can be implemented with asymmetric pairings as well. In environments where bandwidth is of primary concern, the size of ciphertexts can be minimized at the expense of a longer system-wide public key (which is less likely to transit across the network). In such a setting, asymmetric pairings $e: \mathbb{G}_1 \times \mathbb{G}_2 \to \mathbb{G}_T$ and ordinary curves such as MNT curves or BN curves [25, 6] should be used, as long as a publicly computable but not necessarily invertible isomorphism $\psi: \mathbb{G}_2 \to \mathbb{G}_1$ is available. Regarding the latter criterion, NewFullCLE seems more suitable than previous proposals [2, 3, 16, 9] for an implementation with asymmetric pairings. Indeed, Smart and Vercauteren [28] recently underlined the hardness of finding ordinary pairing-friendly groups¹ $(\mathbb{G}_1, \mathbb{G}_2)$ equipped with both a publicly computable isomorphism $\psi: \mathbb{G}_2 \to \mathbb{G}_1$ and an efficient algorithm to hash onto $\mathbb{G}_2$. Our scheme avoids these problems as it does not require hashing onto $\mathbb{G}_2$ or $\mathbb{G}_1$. Concretely, users' public keys lie in $\mathbb{G}_T$, while the system-wide public key and entities' partial private keys should respectively be $P_{pub} = sP_2$ and $d_A = \frac{1}{h_1(ID_A) + s} P_2$ for generators $P_2 \in \mathbb{G}_2$ and $P_1 = \psi(P_2) \in \mathbb{G}_1$. In that bandwidth-optimized version of the scheme, users' public keys can be about 512 bits long on MNT curves [25], or even shorter on BN curves [6]. Ciphertexts are 331 bits longer than plaintexts if $k_0 = 160$.

¹ More precisely, we mean groups allowing the use of the most efficient implementation techniques for ordinary curves [5].

5.3 Security results

We give a security statement (formally proven in the full version of the paper) under the p-Bilinear Diffie-Hellman Inversion assumption.

Theorem 3. In the random oracle model, the NewFullCLE scheme is secure in the sense of definition 2 under the p-BDHI assumption.
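The scheme of section 5.1 run end to end, as an added example (Python) that is not part of the original paper. It instantiates the modified Tate pairing $\hat{e}(P,Q) = f_{q,P}(\psi(Q))^{(p^2-1)/q}$ on the supersingular curve $y^2 = x^3 + x$ over $\mathbb{F}_p$ with $p \equiv 3 \pmod 4$ and the distortion map $\psi(x,y) = (-x, iy)$, so that $\mathbb{G}_1 = E(\mathbb{F}_p)[q]$ and $\mathbb{G}_2$ is the order-$q$ subgroup of $\mathbb{F}_{p^2}^*$, and then implements Setup, Partial-Private-Key-Extract, the user's key generation, Encrypt and Decrypt as written above, including the $y_A^q = 1_{\mathbb{G}_2}$ check of step 1 and the re-encryption check of Decrypt. That check is the random-oracle conversion of section 4.2 at work: $r = h_3(m\|\sigma\|pk_A\|ID_A)$ is recomputed from the recovered $(m\|\sigma)$, so a mauled ciphertext, or one presented under another identity or a substituted public key, is rejected instead of decrypted. Everything not fixed by the paper's notation is my assumption, not the authors': $q$ is a random 40-bit prime and $p = cq - 1$ (toy sizes with no security, chosen so the algebra runs in pure Python in milliseconds), $h_1$ and $h_3$ are domain-separated SHA-256 outputs mapped into $\mathbb{Z}_q^*$, $h_2$ is SHAKE-256, $n = 64$, $k_0 = 16$, and the identity strings are hypothetical.

```python
# Toy NewFullCLE over the supersingular curve y^2 = x^3 + x with p = 3 mod 4 (illustration only).
import hashlib
import secrets
K0, N = 16, 64  # sigma length k0 and plaintext length n, in bits (toy values)

def is_prime(n):  # deterministic Miller-Rabin, exact for 37 < n < 3e23 (covers the toy sizes)
    s = ((n - 1) & -(n - 1)).bit_length() - 1  # n - 1 = 2^s * d with d odd
    d = (n - 1) >> s
    for a in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        seq = [pow(a, d, n)]  # a^d, a^(2d), ..., a^(2^(s-1) d) mod n
        for _ in range(s - 1):
            seq.append(seq[-1] * seq[-1] % n)
        if seq[0] != 1 and n - 1 not in seq:
            return False
    return True
def gen_params():  # prime q, then prime p = c*q - 1 with 4 | c: p = 3 mod 4 and q | #E(F_p) = p + 1
    q = next(n for n in range(secrets.randbits(40) | (1 << 39) | 1, 1 << 41, 2) if is_prime(n))
    c = next(c for c in range(4, 1 << 20, 4) if is_prime(c * q - 1))
    return c * q - 1, q, c

P, Q, COF = gen_params()

def fp2_mul(u, v):  # F_{p^2} = F_p[i]/(i^2 + 1); the pair (a, b) stands for a + b*i
    return ((u[0] * v[0] - u[1] * v[1]) % P, (u[0] * v[1] + u[1] * v[0]) % P)
def fp2_pow(u, e):
    r = (1, 0)
    for b in bin(e)[2:]:
        r = fp2_mul(r, r) if b == "0" else fp2_mul(fp2_mul(r, r), u)
    return r

def ec_add(A, B):  # affine E(F_p), None = infinity; returns (A + B, slope or None if vertical)
    if A is None or B is None:
        return (B if A is None else A), None
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % P == 0:
        return None, None
    lam = (3 * x1 * x1 + 1) * pow(2 * y1, -1, P) if A == B else (y2 - y1) * pow(x2 - x1, -1, P)
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P), lam % P
def ec_mul(k, A):  # left-to-right double-and-add
    R = None
    for b in bin(k)[2:]:
        R = ec_add(ec_add(R, R)[0], A if b == "1" else None)[0]
    return R
def random_point():  # random point of order q: a random curve point times the cofactor c
    while True:
        x = secrets.randbelow(P)
        y = pow(x ** 3 + x, (P + 1) // 4, P)  # a square root of x^3 + x when one exists (p = 3 mod 4)
        if y * y % P == (x ** 3 + x) % P and ec_mul(COF, (x, y)) is not None:
            return ec_mul(COF, (x, y))

def line(T, lam, B):  # line of slope lam through T, evaluated at psi(B) = (-x_B, i*y_B)
    return (1, 0) if lam is None else ((lam * (B[0] + T[0]) - T[1]) % P, B[1])  # vertical -> 1
def tate(A, B):  # modified Tate pairing e(A, B) = f_{q,A}(psi(B))^((p^2 - 1)/q) by Miller's loop
    f, T = (1, 0), A  # vertical lines take values in F_p, which the final exponentiation kills
    for bit in bin(Q)[3:]:
        T2, lam = ec_add(T, T)
        f, T = fp2_mul(fp2_mul(f, f), line(T, lam, B)), T2
        if bit == "1":
            T2, lam = ec_add(T, A)
            f, T = fp2_mul(f, line(T, lam, B)), T2
    return fp2_pow(f, (P * P - 1) // Q)

def fp2_bytes(u):
    return u[0].to_bytes(8, "big") + u[1].to_bytes(8, "big")
def h_zq(tag, data):  # h1 and h3: {0,1}* -> Z_q^*, domain separated by the tag
    return 1 + int.from_bytes(hashlib.sha256(tag + data).digest(), "big") % (Q - 1)
def h2(u, v):  # G2 x G2 -> {0,1}^(n + k0)
    return hashlib.shake_256(b"h2" + fp2_bytes(u) + fp2_bytes(v)).digest((N + K0) // 8)
def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

G = random_point()                # Setup: generator P of G1,
S = 1 + secrets.randbelow(Q - 1)  # master key s,
PPUB = ec_mul(S, G)               # Ppub = sP,
GT = tate(G, G)                   # g = e(P, P)

def extract(ident):  # Partial-Private-Key-Extract: d_A = 1/(s + h1(ID_A)) * P
    return ec_mul(pow((S + h_zq(b"h1", ident)) % Q, -1, Q), G)
def set_keys(ident):  # user side: secret value x_A, public key y_A = g^x_A, private key (x_A, d_A)
    x_a = 1 + secrets.randbelow(Q - 1)
    return fp2_pow(GT, x_a), (x_a, extract(ident))

def encrypt(msg, ident, y_a):
    if len(msg) != N // 8 or fp2_pow(y_a, Q) != (1, 0):  # step 1: y_A^q = 1 (y_A has order q)
        raise ValueError("bad plaintext length or public key outside the order-q subgroup")
    sigma = secrets.token_bytes(K0 // 8)
    r = h_zq(b"h3", msg + sigma + fp2_bytes(y_a) + ident)  # r = h3(m || sigma || pk_A || ID_A)
    c1 = ec_mul(r, ec_add(ec_mul(h_zq(b"h1", ident), G), PPUB)[0])  # r (h1(ID_A) P + Ppub)
    return c1, xor(msg + sigma, h2(fp2_pow(GT, r), fp2_pow(y_a, r)))

def decrypt(ct, ident, y_a, sk):
    (x_a, d_a), (c1, c2) = sk, ct
    omega = tate(c1, d_a)  # = e(P, P)^r, as c1 = r (h1(ID_A) + s) P and d_A = P / (s + h1(ID_A))
    pt = xor(c2, h2(omega, fp2_pow(omega, x_a)))
    r = h_zq(b"h3", pt + fp2_bytes(y_a) + ident)
    if c1 != ec_mul(r, ec_add(ec_mul(h_zq(b"h1", ident), G), PPUB)[0]):
        return None  # re-encryption check failed: reject and release nothing
    return pt[:N // 8]
```

Importing the module runs Setup once; `set_keys(ID_A)` then returns $(y_A, (x_A, d_A))$, `encrypt(m, ID_A, y_A)` produces $\langle c_1, c_2\rangle$ and `decrypt` recovers $m$ through the consistency equation $\hat{e}(c_1, d_A) = g^r$, while it returns `None` for a ciphertext with a flipped bit, for the same ciphertext presented under another identity, or under a substituted public key. Two behaviours worth carrying from this toy into a real implementation: test $y_A^q = 1$ before exponentiating an attacker-supplied public key, and never release the recovered $(m\|\sigma)$ when the re-encryption check fails, since the chosen-ciphertext security argument of section 4 relies on exactly that rejection.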
6 Conclusion

This paper investigated the problem of generically constructing a certificateless cryptosystem that is secure in the strongest model by combining secure IBE schemes with a traditional public key cryptosystem. It pinpointed security problems in three simple generic constructions and fixed them using a generic random-oracle-using conversion (which extends the Fujisaki-Okamoto transformation) ensuring security in the strongest sense given any scheme that only withstands chosen-plaintext attacks. We finally described a new scheme offering computational advantages over previous pairing-based constructions. The feasibility of a CLE scheme provably fitting the model of [2] without random oracles still remains a challenging open problem.

References

1. S. S. Al-Riyami. Cryptographic schemes based on elliptic curve pairings. PhD thesis, University of London, 2004.
2. S. S. Al-Riyami and K. Paterson. Certificateless public key cryptography. In Asiacrypt'03, volume 2894 of LNCS, pages 452–473. Springer, 2003.
3. S. S. Al-Riyami and K. Paterson. CBE from CL-PKE: A generic construction and efficient schemes. In PKC'05, volume 3386 of LNCS, pages 398–415. Springer, 2005.
4. J. Baek, R. Safavi-Naini, and W. Susilo. Certificateless public key encryption without pairing. In ISC'05, volume 3650 of LNCS, pages 134–148. Springer, 2005.
5. P. S. L. M. Barreto, B. Lynn, and M. Scott. On the selection of pairing-friendly groups. In SAC'03, volume 3006 of LNCS, pages 17–25. Springer, 2003.
6. P. S. L. M. Barreto and M. Naehrig. Pairing-friendly elliptic curves of prime order. In SAC'05. To appear.
7. P. S. L. M. Barreto and M. Scott. Compressed pairings. In Crypto'04, volume 3152 of LNCS, pages 140–156. Springer, 2004.
8. M. Bellare and P. Rogaway. Random oracles are practical: A paradigm for designing efficient protocols. In 1st ACM Conference on Computer and Communications Security, pages 62–73. ACM Press, 1993.
9. K. Bentahar, P. Farshim, J. Malone-Lee, and N. P. Smart. Generic construction of identity-based and certificateless KEMs. Cryptology ePrint Archive, Report 2005/058, 2005. http://eprint.iacr.org/2005/058.
10. D. Boneh and X. Boyen. Efficient selective-ID secure identity based encryption without random oracles. In Eurocrypt'04, volume 3027 of LNCS, pages 223–238. Springer, 2004.
11. D. Boneh and X. Boyen. Short signatures without random oracles. In Eurocrypt'04, volume 3027 of LNCS, pages 56–73. Springer, 2004.
12. D. Boneh and M. Franklin. Identity-based encryption from the Weil pairing. In Crypto'01, volume 2139 of LNCS, pages 213–229. Springer, 2001.
13. R. Canetti, S. Halevi, and J. Katz. A forward secure public key encryption scheme. In Eurocrypt'03, volume 2656 of LNCS, pages 254–271. Springer, 2003.
14. L. Chen and Z. Cheng. Security proof of Sakai-Kasahara's identity-based encryption scheme. In IMA Int. Conf. 2005, volume 3796 of LNCS, pages 442–459. Springer, 2005. Also available from http://eprint.iacr.org/2005/226.
15. L. Chen, Z. Cheng, J. Malone-Lee, and N. P. Smart. An efficient ID-KEM based on the Sakai-Kasahara key construction. Cryptology ePrint Archive, Report 2005/224, 2005. http://eprint.iacr.org/2005/224.
16. Z. Cheng and R. Comley. Efficient certificateless public key encryption. Cryptology ePrint Archive, Report 2005/012, 2005. http://eprint.iacr.org/2005/012.
17. A. Dent and C. Kudla. On proofs of security for certificateless cryptosystems. Cryptology ePrint Archive, Report 2005/348, 2005. http://eprint.iacr.org/2005/348.
18. Y. Dodis and J. Katz. Chosen-ciphertext security of multiple encryption. In TCC'05, volume 3378 of LNCS, pages 188–209. Springer, 2005.
19. E. Fujisaki and T. Okamoto. How to enhance the security of public-key encryption at minimum cost. In PKC'99, volume 1560 of LNCS, pages 53–68. Springer, 1999.
20. E. Fujisaki and T. Okamoto. Secure integration of asymmetric and symmetric encryption schemes. In Crypto'99, volume 1666 of LNCS, pages 537–554. Springer, 1999.
21. T. ElGamal. A public key cryptosystem and a signature scheme based on discrete logarithms. In Crypto'84, volume 196 of LNCS, pages 10–18. Springer, 1985.
22. C. Gentry. Certificate-based encryption and the certificate revocation problem. In Eurocrypt'03, volume 2656 of LNCS, pages 272–293. Springer, 2003.
23. M. Girault. Self-certified public keys. In Eurocrypt'91, volume 547 of LNCS, pages 490–497. Springer, 1991.
24. B. G. Kang, J. H. Park, and S. G. Hahn. A certificate-based signature scheme. In CT-RSA'04, volume 2964 of LNCS, pages 99–111. Springer, 2004.
25. A. Miyaji, M. Nakabayashi, and S. Takano. New explicit conditions of elliptic curve traces for FR-reduction. IEICE Transactions on Fundamentals, E84-A(5):1234–1243, 2001.
26. R. Sakai and M. Kasahara. ID-based cryptosystems with pairing on elliptic curve. In SCIS'03, Hamamatsu, Japan, 2003. http://eprint.iacr.org/2003/054.
27. A. Shamir. Identity based cryptosystems and signature schemes. In Crypto'84, volume 196 of LNCS, pages 47–53. Springer, 1984.
28. N. P. Smart and F. Vercauteren. On computable isomorphisms in efficient pairing based systems. Cryptology ePrint Archive, Report 2005/116, 2005. http://eprint.iacr.org/2005/116.
29. D. H. Yum and P. J. Lee. Generic construction of certificateless encryption. In ICCSA'04, volume 3043 of LNCS, pages 802–811. Springer, 2004.
30. D. H. Yum and P. J. Lee. Generic construction of certificateless signature. In ACISP'04, volume 3108 of LNCS, pages 200–211. Springer, 2004.
31. D. H. Yum and P. J. Lee. Identity-based cryptography in public key management. In EuroPKI'04, volume 3093 of LNCS, pages 71–84. Springer, 2004.
32. R. Zhang, G. Hanaoka, J. Shikata, and H. Imai. On the security of multiple encryption or CCA-security+CCA-security=CCA-security? In PKC'04, volume 2947 of LNCS, pages 360–374. Springer, 2004.
33. F. Zhang, R. Safavi-Naini, and W. Susilo. An efficient signature scheme from bilinear pairings and its applications. In PKC'04, volume 2947 of LNCS, pages 277–290. Springer, 2004.

Appendix: formal model of identity based encryption

We recall here the formalism introduced in [12] for identity based encryption. Such a primitive is described by the following definition.

Definition 4. An identity based encryption (IBE) scheme consists of a 4-tuple of algorithms $(\mathsf{Setup}^{IBE}, \mathsf{Extract}^{IBE}, \mathcal{E}^{IBE}, \mathcal{D}^{IBE})$ with the following specifications.
- $\mathsf{Setup}^{IBE}$: a probabilistic algorithm run by a private key generator (PKG) that takes as input a security parameter and outputs a set of public parameters params, including the master public key $P_{pub}$ of the PKG. The algorithm also outputs the PKG's master key $mk$, which is kept secret.
- $\mathsf{Extract}^{IBE}$: a key generation algorithm run by the PKG on input of the master key $mk$ and a user's identity $ID$, returning the user's private key $d_{ID}$.
- $\mathcal{E}^{IBE}$: a probabilistic algorithm that takes as input a plaintext $M$, a recipient's identity $ID$ and the set of public parameters params, and outputs a ciphertext $C$.
- $\mathcal{D}^{IBE}$: a deterministic decryption algorithm taking as input a ciphertext $C$, the system-wide parameters params and the private decryption key $d_{ID}$, returning a plaintext $M$ or a distinguished symbol $\bot$ if $C$ is not a valid ciphertext.

For consistency purposes, it is required that $M = \mathcal{D}^{IBE}(C, d_{ID}, \mathrm{params})$ whenever $C = \mathcal{E}^{IBE}(M, ID, \mathrm{params})$ and $d_{ID} = \mathsf{Extract}^{IBE}(mk, ID)$, for all messages $M$.

The models of chosen-plaintext and chosen-ciphertext security were extended to the IBE setting by Boneh and Franklin themselves [12]. Their model considers a "find-then-guess" game between a challenger and an adversary who may adaptively choose the identity on which she will be challenged after having seen private keys for several arbitrary identities.

Definition 5. An IBE scheme is IND-ID-CCA secure if no PPT adversary has a non-negligible advantage in the following game.
1. The challenger runs the Setup algorithm on input of a security parameter $k$ and sends the domain-wide parameters params to the adversary $\mathcal{A}$.
2.
In a find stage, $\mathcal{A}$ starts probing the following oracles:
- Key extraction oracle: given an identity $ID$, it returns the extracted private key associated with it.
- Decryption oracle: given an identity $ID \in \{0,1\}^*$ and a ciphertext $C$, it generates the private key $d_{ID}$ for $ID$ and returns either a plaintext $M$ or a distinguished symbol $\bot$ indicating that the ciphertext was ill-formed.
$\mathcal{A}$ can present her queries adaptively. At some point, she produces two plaintexts $M_0, M_1 \in \mathcal{M}$ and an identity $ID^*$ for which she has not requested the private key in stage 2. The challenger computes $C = \mathcal{E}^{IBE}(M_b, ID^*, \mathrm{params})$ for a random hidden bit $b \xleftarrow{R} \{0,1\}$, which is sent to $\mathcal{A}$.
3. In the guess stage, $\mathcal{A}$ asks new queries but is restricted not to issue a key extraction request on the identity $ID^*$ nor to submit $C$ to the decryption oracle for the identity $ID^*$. Eventually, $\mathcal{A}$ outputs a bit $b'$ and wins if $b' = b$. $\mathcal{A}$'s advantage is defined as $\mathrm{Adv}(\mathcal{A}) := 2 \times \Pr[b' = b] - 1$.