Abstract
In this paper, we focus on constructing IBE from hardness assumptions without pairings. In particular, we propose two IBE schemes that are provably secure under new number-theoretic assumptions over the group \(\mathbb {Z}_{N^2}^*\), in the Random Oracle (RO) model. We essentially take advantage of the underlying algebraic structure to overcome the difficulties in devising an IBE scheme.
More precisely, our contributions are two-fold and can be summarised as follows: (i) We give two concrete pairing-free constructions of IBE over the group \(\mathbb {Z}_{N^2}^*\), based on a variant of the DDH assumption and on Paillier’s \(\mathsf {DCR}\) assumption, respectively. These schemes are quite efficient and easy to prove \(\mathsf {IND}\text {-}\mathsf {ID}\text {-}\mathsf {CPA}\) secure in the random oracle model. (ii) We also provide a generic construction of selectively secure IBE from a DDH group with a \(\mathsf {DL}\)-solvable subgroup in the standard model, by employing puncturable PRFs and indistinguishability obfuscation.
Notes
1. Of course, this cannot be realized in a prime-order group, due to the hardness of the discrete logarithm problem; instead we choose a composite-order group of unknown order.
2. Note that since \(\ell \) is polynomial in the security parameter \(\kappa \) while N is exponentially large, a brute-force search cannot retrieve \(a_i\in \mathbb {Z}_{\lfloor N/\ell \rfloor }\) from \(g^{a_i}\). For instance, in practice \(\ell =80\) and \(N=2^{1024}\).
3. Observe that g generates the 2N-th power residue subgroup of \(\mathbb {Z}_{N^2}^*\), namely \(\mathbb {G}_{N}\), w.h.p.: the probability that g is not a generator is \(\frac{p'+q'-1}{p'q'}\le \frac{1}{p'}+\frac{1}{q'}\).
References
Agrawal, S., Boneh, D., Boyen, X.: Efficient lattice (H)IBE in the standard model. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 553–572. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5_28
Bellare, M., Rogaway, P.: Random oracles are practical: a paradigm for designing efficient protocols. In: CCS (1993). https://doi.org/10.1145/168588.168596
Boneh, D., Papakonstantinou, P., Rackoff, C., Vahlis, Y.: On the impossibility of basing identity based encryption on trapdoor permutations. In: FOCS (2008)
Boneh, D., Boyen, X.: Efficient Selective-ID secure identity-based encryption without random oracles. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 223–238. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24676-3_14
Boneh, D., Boyen, X.: Secure identity based encryption without random oracles. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 443–459. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-28628-8_27
Boneh, D., Franklin, M.: Identity-based encryption from the Weil pairing. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 213–229. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44647-8_13
Boneh, D., Gentry, C., Hamburg, M.: Space-efficient identity based encryption without pairings. In: FOCS (2007). https://doi.org/10.1109/focs.2007.50
Bresson, E., Catalano, D., Pointcheval, D.: A simple public-key cryptosystem with a double trapdoor decryption mechanism and its applications. In: Laih, C.-S. (ed.) ASIACRYPT 2003. LNCS, vol. 2894, pp. 37–54. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-40061-5_3
Canetti, R., Halevi, S., Katz, J.: Chosen-ciphertext security from identity-based encryption. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 207–222. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24676-3_13
Cash, D., Hofheinz, D., Kiltz, E., Peikert, C.: Bonsai trees, or how to delegate a lattice basis. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 523–552. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5_27
Castagnos, G., Laguillaumie, F.: Linearly homomorphic encryption from \(\mathsf {DDH}\). In: Nyberg, K. (ed.) CT-RSA 2015. LNCS, vol. 9048, pp. 487–505. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-16715-2_26
Cocks, C.: An identity based encryption scheme based on quadratic residues. In: Honary, B. (ed.) Cryptography and Coding 2001. LNCS, vol. 2260, pp. 360–363. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-45325-3_32
Döttling, N., Garg, S.: Identity-based encryption from the Diffie-Hellman assumption. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017, Part I. LNCS, vol. 10401, pp. 537–569. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63688-7_18
Garg, S., Gentry, C., Halevi, S., Raykova, M., Sahai, A., Waters, B.: Candidate indistinguishability obfuscation and functional encryption for all circuits. In: FOCS (2013)
Gentry, C., Peikert, C., Vaikuntanathan, V.: Trapdoors for hard lattices and new cryptographic constructions. In: STOC (2008). https://doi.org/10.1145/1374376.1374407
Kiayias, A., Tsiounis, Y., Yung, M.: Group encryption. In: Kurosawa, K. (ed.) ASIACRYPT 2007. LNCS, vol. 4833, pp. 181–199. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-76900-2_11
Koblitz, N., Menezes, A.J.: The random oracle model: a twenty-year retrospective. Des. Codes Crypt. 77(2–3), 587–610 (2015). https://doi.org/10.1007/s10623-015-0094-2
Paillier, P.: Public-key cryptosystems based on composite degree residuosity classes. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 223–238. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48910-X_16
Paillier, P.: Public-key cryptosystems based on discrete logarithms residues. In: EUROCRYPT (1999)
Sahai, A., Waters, B.: How to use indistinguishability obfuscation: deniable encryption, and more. In: STOC (2014)
Shamir, A.: Identity-based cryptosystems and signature schemes. In: Blakley, G.R., Chaum, D. (eds.) CRYPTO 1984. LNCS, vol. 196, pp. 47–53. Springer, Heidelberg (1985). https://doi.org/10.1007/3-540-39568-7_5
Waters, B.: Dual system encryption: realizing fully secure IBE and HIBE under simple assumptions. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-03356-8_36
Waters, B.: Efficient identity-based encryption without random oracles. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 114–127. Springer, Heidelberg (2005). https://doi.org/10.1007/11426639_7
Acknowledgments
The authors would like to thank anonymous reviewers for their helpful comments and suggestions. This work was supported by National Natural Science Foundation of China (Grants 61472414,61772514,61602061), and National Key R&D Program of China (2017YFB1400700).
Appendices
A Preliminaries (Cont’d.)
A.1 Indistinguishability Obfuscation
We present the formal definition following the syntax of Garg et al. [14]:
Definition 8
(Indistinguishability Obfuscation (\(i\mathcal {O}\))). A uniform PPT machine \(i\mathcal {O}\) is called an indistinguishability obfuscator for a circuit class \(\{\mathcal {C}_\kappa \}\) if the following holds:
- (Correctness:) For all security parameters \(\kappa \in \mathbb {N}\), \(C\in \mathcal {C}_\kappa \), and inputs x:
  $$\Pr [C'(x)=C(x):C'\leftarrow i\mathcal {O}(\kappa ,C)]=1.$$
- (Indistinguishability:) For any (not necessarily uniform) PPT distinguisher \((\mathsf {Samp},\) \(\mathcal {D})\), there exists a negligible function \(\mathsf {negl}\) such that the following holds: if \(\Pr [\forall x,\) \(C_0(x)=C_1(x);(C_0,C_1,\sigma )\leftarrow \mathsf {Samp}(1^\kappa )]\ge 1-\mathsf {negl}(\kappa )\), then:
  $$\begin{aligned}&|\Pr [\mathcal {D}(\sigma ,i\mathcal {O}(\kappa ,C_0))=1:(C_0,C_1,\sigma )\leftarrow \mathsf {Samp}(1^\kappa )]\\ -&\Pr [\mathcal {D}(\sigma ,i\mathcal {O}(\kappa ,C_1))=1:(C_0,C_1,\sigma )\leftarrow \mathsf {Samp}(1^\kappa )]| \le \mathsf {negl}(\kappa ). \end{aligned}$$
A.2 Puncturable Pseudorandom Functions
Below we recall the definition of puncturable PRFs, as given by Sahai et al. [20]:
Definition 9
A puncturable family of PRFs F is given by a triple of Turing machines \(\mathsf {Key},\mathsf {Puncture},\mathsf {Eval}\), and a pair of computable functions \(n(\cdot )\) and \(m(\cdot )\), satisfying the following conditions:
- (Functionality preserved under puncturing). For every PPT adversary \(\mathcal {A}\) such that \(\mathcal {A}(1^\kappa )\) outputs a set \(S\subseteq \{0,1\}^{n(\kappa )}\), then for all \(x\in \{0,1\}^{n(\kappa )}\) where \(x\notin S\), we have that:
  $$\Pr [\mathsf {Eval}(K,x)=\mathsf {Eval}(K_S,x):K\leftarrow \mathsf {Key}(1^\kappa ), K_S=\mathsf {Puncture}(K,S)]=1.$$
- (Pseudorandom at punctured points). For every PPT adversary \((\mathcal {A}_1,\mathcal {A}_2)\) such that \(\mathcal {A}_1(1^\kappa )\) outputs a set \(S\subseteq \{0,1\}^{n(\kappa )}\) and \(x\in S\), consider an experiment where \(K\leftarrow \mathsf {Key}(1^\kappa )\) and \(K_S=\mathsf {Puncture}(K,S)\). Then we have
  $$|\Pr [\mathcal {A}_2(K_S,x,\mathsf {Eval}(K,x))=1]- \Pr [\mathcal {A}_2(K_S,x,U_{m(\kappa )})=1]|\le \mathsf {negl}(\kappa ),$$
  where \(U_{m(\kappa )}\) denotes the uniform distribution over \(m(\kappa )\) bits.
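As an added example (not code from the paper or from Sahai et al.), here is a GGM-tree puncturable PRF, the standard way to instantiate Definition 9 from a length-doubling PRG. The PRG is modelled with HMAC-SHA256, the input length \(n(\kappa )\) is fixed to 16 bits for the toy, and only single-point puncturing \(S=\{x^*\}\) is implemented; the names `prg`, `eval_full`, `puncture`, `eval_punctured` and `functionality_preserved` are ours.

```python
import hmac, hashlib, os

n = 16   # input length n(kappa) in bits; outputs are m(kappa) = 256 bits

def prg(seed, bit):
    """One half of a length-doubling PRG, G_bit(seed), modelled with HMAC-SHA256."""
    return hmac.new(seed, bytes([bit]), hashlib.sha256).digest()

def key_gen():
    """Key(1^kappa): the root of the GGM tree."""
    return os.urandom(32)

def eval_full(K, x):
    """Eval(K, x): descend from the root along the n bits of x (MSB first)."""
    node = K
    for i in range(n - 1, -1, -1):
        node = prg(node, (x >> i) & 1)
    return node

def puncture(K, S):
    """Puncture(K, {x*}): store the sibling of every node on the path to x*.
    All leaves except x* remain computable; x*'s leaf is not derivable."""
    (xs,) = S                             # this toy punctures a single point
    sib = {}                              # (depth, prefix) -> node value
    node = K
    for d in range(n):
        bit = (xs >> (n - 1 - d)) & 1
        prefix = xs >> (n - 1 - d)        # top d+1 bits of x*
        sib[(d + 1, prefix ^ 1)] = prg(node, bit ^ 1)
        node = prg(node, bit)
    return xs, sib

def eval_punctured(KS, x):
    """Eval(K_S, x): pick the stored node at the first bit where x leaves x*'s
    path and descend from it. At x = x* there is nothing to descend from."""
    xs, sib = KS
    if x == xs:
        return None
    for d in range(1, n + 1):
        prefix = x >> (n - d)             # top d bits of x
        if (d, prefix) in sib:
            node = sib[(d, prefix)]
            for i in range(n - d - 1, -1, -1):
                node = prg(node, (x >> i) & 1)
            return node

def functionality_preserved(K, xs, sample):
    """Checks the first condition of Definition 9 on the given sample of points."""
    KS = puncture(K, {xs})
    return all(eval_punctured(KS, x) == eval_full(K, x) for x in sample if x != xs)
```

The second condition (pseudorandomness at the punctured point) is what the security of the PRG buys: the punctured key holds only siblings of the path to \(x^*\), so the leaf at \(x^*\) is a PRG output on a seed the holder never sees.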
B Proof of Theorem 3
We begin by giving a sequence of games played between a challenger and an adversary.
- Game\(_0\):
  1. The adversary selectively gives the challenger the identity \(\mathsf {ID}^*\).
  2. The public parameters \(\mathsf {params}\) are chosen by the challenger invoking \(\mathsf {Gen}(1^\kappa )\).
  3. K is chosen as a key for the PPRF.
  4. The hash function \(\mathcal {H}(\cdot )\) is created as an obfuscation of the program \(G_1\).
  5. The adversary queries the key extraction oracle a polynomial number of times on \(\mathsf {ID}\ne \mathsf {ID}^*\). It receives back \(F(K,\mathsf {ID})\). Once this phase ends, the adversary gives two equal-length messages \(m_0,m_1\).
  6. The challenger chooses a random bit \(b\in \{0,1\}\), \(r\leftarrow \{0,\dots ,Bp-1\}\) and outputs \(C^*=(g^r, \mathcal {H}(\mathsf {ID}^*)^r\cdot m_b)\).
  7. The adversary receives \(C^*\) and may still issue polynomially many key extraction queries with the same restriction \(\mathsf {ID}\ne \mathsf {ID}^*\); finally it outputs \(b'\) as its guess of b.
  8. If \(b'=b\), the game outputs 1, else it outputs 0.
- Game\(_1\): Is the same as Game\(_0\) except that \(y^*=F(K,\mathsf {ID}^*)\) and the hash function \(\mathcal {H}(\cdot )\) is replaced by an obfuscation of the program \(G_2\) (Fig. 2).
- Game\(_2\): Is the same as Game\(_1\) except that \(y^*\leftarrow \mathbb {Z}_p\).
- Game\(_3\): Is the same as Game\(_2\) except that the challenge ciphertext \(C^*\) is computed as \((g^r,g^{r'}\cdot m_b)\) where \(r'\leftarrow \{0,\dots ,Bp-1\}\) is chosen independently of r.
The following lemmas together yield Theorem 3, i.e., that the resulting IBE scheme is selectively secure.
Lemma 1
If the obfuscation scheme is indistinguishability secure, then the advantage of any PPT adversary is negligibly close between Game\(_0\) and Game\(_1\).
Proof
We set up two algorithms \(\mathsf {Samp}\) and \(\mathcal {D}\):
\(\mathsf {Samp}(1^\kappa )\) runs the adversary to obtain \(\mathsf {ID}^*\) and its state \(\tau '\). It then invokes \(\mathsf {Gen}(1^\kappa )\) to obtain \(\mathsf {params}\) and \(\mathsf {msk}\). It chooses K as the key for PPRF. It sets \(y^*=F(K,\mathsf {ID}^*)\) and \(\tau =(\mathsf {ID}^*,\mathsf {params},\mathsf {msk},K,\tau ')\). It builds \(C_1\) as the program for \(G_1\), and \(C_2\) as the program for \(G_2\).
\(\mathcal {D}\) takes as input \(\tau \) and an obfuscation of a circuit \(C_1\) or \(C_2\). When the adversary makes a key extraction query on \(\mathsf {ID}\ne \mathsf {ID}^*\), \(\mathcal {D}\) uses the K within \(\tau \) to return \(F(K,\mathsf {ID})\). Once the adversary gives two equal-length messages \(m_0,m_1\), \(\mathcal {D}\) chooses a random bit b and constructs the challenge ciphertext \(C^*=(g^r, \mathcal {H}(\mathsf {ID}^*)^r\cdot m_b)\). Eventually, the adversary sends a bit \(b'\) and wins the game if \(b'=b\). \(\mathcal {D}\) outputs 1 if the adversary wins.
Observe that if \(\mathcal {D}\) receives an obfuscation of \(C_1\), the probability \(\mathcal {D}\) outputs 1 is equal to the probability of the adversary winning in Game\(_0\). And if \(\mathcal {D}\) receives an obfuscation of \(C_2\), the probability \(\mathcal {D}\) outputs 1 is equal to the probability of the adversary winning in Game\(_1\). Then the lemma follows. \(\square \)
Lemma 2
If the punctured PRF is secure, then the advantage of any PPT adversary is negligibly close between Game\(_1\) and Game\(_2\).
Proof
In order to reduce this lemma to the pseudorandomness of the PPRF at punctured points, we give the algorithms \(\mathcal {A}_1\) and \(\mathcal {A}_2\).
\(\mathcal {A}_1(1^\kappa )\) runs the adversary to obtain \(\mathsf {ID}^*\) and its state \(\tau '\), then it outputs the set \(S=\{\mathsf {ID}^*\}\).
\(\mathcal {A}_2\) obtains \(S=\{\mathsf {ID}^*\}\), \(K(\{\mathsf {ID}^*\})=\mathsf {Puncture}(K,\{\mathsf {ID}^*\})\), and either the value \(y^*=F(K,\mathsf {ID}^*)\) or a uniformly random \(y^*\in \mathbb {Z}_p\). \(\mathcal {A}_2\) runs \(\mathsf {Gen}(1^\kappa )\) to obtain \(\mathsf {params}\), from which it can compute \(g^{y^*}\). This value corresponds exactly to the \(g^{y^*}\) value in Game\(_{1}\) if \(y^*=F(K,\mathsf {ID}^*)\), or in Game\(_{2}\) if \(y^*\leftarrow \mathbb {Z}_p\). \(\mathcal {A}_2\) can then obfuscate the program \(G_2\) and answer the key extraction queries from the adversary, since it knows \(K(\{\mathsf {ID}^*\})\). The obfuscated program is modeled as a hash function \(\mathcal {H}\). When the adversary gives two equal-length messages \(m_0,m_1\), \(\mathcal {A}_2\) chooses a bit b uniformly at random and constructs the challenge ciphertext \(C^*=(g^r, \mathcal {H}(\mathsf {ID}^*)^r\cdot m_b)\). The adversary may issue more key extraction queries on \(\mathsf {ID}\ne \mathsf {ID}^*\), and \(\mathcal {A}_2\) answers them in the same way. Eventually, the adversary sends a bit \(b'\) and wins the game if \(b'=b\). \(\mathcal {A}_2\) outputs 1 if the adversary wins.
By our construction, the lemma follows. \(\square \)
Lemma 3
If the \(\mathsf {sDDH}\) assumption holds in the group G, then the advantage of any PPT adversary is negligibly close between Game\(_2\) and Game\(_3\).
Proof
To prove this lemma, we establish a distinguisher \(\mathcal {D}\). \(\mathcal {D}\) takes as input a tuple \((B,p,g,f,G,F,X,Y,Z,\mathsf {Solve}(\cdot ))\) where \(X=g^x,Y=g^y\) for \(x\leftarrow \mathbb {Z}_n,y\leftarrow \mathbb {Z}_p\). The goal of \(\mathcal {D}\) is to output 1 if \(Z=g^{xy}\) and 0 if \(Z=g^z\) for \(z\leftarrow \mathbb {Z}_n\).
Next, the distinguisher \(\mathcal {D}\) invokes the adversary to get \(\mathsf {ID}^*\), chooses a PRF key K and computes \(K(\{\mathsf {ID}^*\})\) itself. It can then obfuscate the program \(G_2\) through its knowledge of \(K(\{\mathsf {ID}^*\}),\mathsf {ID}^*,g,Y\). The obfuscated program is modeled as a hash function \(\mathcal {H}\). It sends \(\mathsf {params}=\{B,p,g,f,G,F,\mathcal {H}\}\) to the adversary. When the adversary issues a key extraction query on \(\mathsf {ID}\ne \mathsf {ID}^*\), it uses \(K(\{\mathsf {ID}^*\})\) to compute \(F(K(\{\mathsf {ID}^*\}),\mathsf {ID})\) and returns this value. Once the adversary sends a pair of equal-length messages \(m_0,m_1\), it flips a random coin b, creates the ciphertext \(C^*=(X,Z\cdot m_b)\) and sends it to the adversary. The adversary may issue more key extraction queries on \(\mathsf {ID}\ne \mathsf {ID}^*\), and \(\mathcal {D}\) answers them in the same way. By construction, there are two cases. If \(Z=g^{xy}\), the probability of \(\mathcal {D}\) outputting 1 is exactly the probability that the adversary succeeds in Game\(_2\). On the other hand, if \(Z=g^z\) for a uniformly random \(z\in \mathbb {Z}_n\), the probability of \(\mathcal {D}\) outputting 1 is the probability that the adversary succeeds in Game\(_3\).
By the \(\mathsf {sDDH}\) assumption, the difference between these two probabilities must be negligible. \(\square \)
Lemma 4
The advantage of any PPT adversary in Game\(_3\) is negligible.
Proof
In Game\(_3\), the challenge ciphertext perfectly “hides” the message, regardless of the choice of the bit b. The lemma follows. \(\square \)
© 2018 Springer Nature Switzerland AG
Wang, X., Liang, B., Li, S., Xue, R. (2018). On Constructing Pairing-Free Identity-Based Encryptions. In: Chen, L., Manulis, M., Schneider, S. (eds) Information Security. ISC 2018. Lecture Notes in Computer Science, vol. 11060. Springer, Cham. https://doi.org/10.1007/978-3-319-99136-8_17
DOI: https://doi.org/10.1007/978-3-319-99136-8_17
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-99135-1
Online ISBN: 978-3-319-99136-8