
On Constructing Pairing-Free Identity-Based Encryptions

Conference paper, Information Security (ISC 2018)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 11060)

Abstract

In this paper, we focus on constructing IBE from hardness assumptions without pairings. In particular, we propose two IBE schemes that are provably secure, in the Random Oracle (RO) model, under new number-theoretic assumptions over the group \(\mathbb {Z}_{N^2}^*\). We essentially take advantage of the underlying algebraic structure to overcome the difficulties in devising an IBE scheme.

More precisely, our contributions are two-fold and can be summarised as follows: (i) We give two concrete pairing-free constructions of IBE over the group \(\mathbb {Z}_{N^2}^*\), based on a variant of the DDH assumption and on Paillier's \(\mathsf {DCR}\) assumption respectively. These schemes are quite efficient and can easily be proven \(\mathsf {IND}\text {-}\mathsf {ID}\text {-}\mathsf {CPA}\) secure in the random oracle model. (ii) We also provide a generic construction of selectively secure IBE in the standard model from a DDH group with a \(\mathsf {DL}\)-solvable subgroup, by employing puncturable PRFs and indistinguishability obfuscation.


Notes

  1. Of course, this cannot be realized in a prime-order group because of the hardness of the discrete logarithm problem; instead we choose a composite-order group whose order is unknown.

  2. Note that since \(\ell \) is polynomial in the security parameter \(\kappa \) while N is exponentially large, brute force cannot retrieve \(a_i\in \mathbb {Z}_{\lfloor N/\ell \rfloor }\) from \(g^{a_i}\). For instance, in practice \(\ell =80\) and \(N=2^{1024}\).

  3. Observe that g generates the 2N-th power residue subgroup of \(\mathbb {Z}_{N^2}^*\), namely \(\mathbb {G}_{N}\), with high probability: the probability that g is not a generator is \(\frac{p'+q'-1}{p'q'}\le \frac{1}{p'}+\frac{1}{q'}\).
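The subgroup structure that footnotes 1 and 3 rely on, worked through on toy parameters as an added example (this is not code from the paper; the safe primes p = 7, q = 11, the function names and the decision to use Paillier's subgroup \(\langle 1+N\rangle \) as the DL-solvable subgroup are my own choices). It checks that every 2N-th power lands in \(\mathbb {G}_{N}\) of order \(p'q'\), counts how often such a power fails to generate \(\mathbb {G}_{N}\) against the \(\frac{p'+q'-1}{p'q'}\) bound, solves discrete logarithms in \(\langle 1+N\rangle \), and shows what becomes easy once the secret order \(p'q'\) is known, which is why footnote 1 insists the group order stay unknown.

```python
from fractions import Fraction
from math import gcd

# Constructed toy parameters (an assumption for illustration only; the paper's
# sizes would be a 1024-bit-plus N). p and q are safe primes, p = 2p'+1 and
# q = 2q'+1, so |Z*_{N^2}| = N * phi(N) = 4 N p' q'.
P_PRIME, Q_PRIME = 3, 5
P, Q = 2 * P_PRIME + 1, 2 * Q_PRIME + 1   # 7, 11
N = P * Q                                  # 77
N2 = N * N                                 # 5929
G_N_ORDER = P_PRIME * Q_PRIME              # 15, the order of G_N


def element_order(g, modulus, bound):
    """Multiplicative order of g mod modulus by brute force (toy sizes only)."""
    acc, k = g % modulus, 1
    while acc != 1:
        acc = acc * g % modulus
        k += 1
        if k > bound:
            raise ValueError("order exceeds bound")
    return k


def to_G_N(x):
    """Project a unit x of Z*_{N^2} into G_N, the subgroup of 2N-th power residues."""
    if gcd(x, N2) != 1:
        raise ValueError("x is not a unit mod N^2")
    return pow(x, 2 * N, N2)


def solve_dl_1_plus_N(h):
    """Discrete log in the order-N subgroup <1+N>: (1+N)^m = 1 + mN (mod N^2),
    so m = (h - 1)/N. This is the DL-solvable subgroup of Z*_{N^2}."""
    h %= N2
    if (h - 1) % N != 0:
        raise ValueError("h is not in <1+N>")
    return ((h - 1) // N) % N


def predicted_non_generator_fraction():
    """Footnote 3: a random element of the cyclic group G_N fails to generate
    it with probability (p'+q'-1)/(p'q')."""
    return Fraction(P_PRIME + Q_PRIME - 1, G_N_ORDER)


def non_generator_fraction():
    """Exhaustively measure the fraction of x in Z*_{N^2} whose image x^{2N}
    does not generate G_N (the map onto G_N is a surjective homomorphism,
    so its image is uniform and the count matches the prediction exactly)."""
    total = bad = 0
    for x in range(1, N2):
        if gcd(x, N2) != 1:
            continue
        total += 1
        if element_order(to_G_N(x), N2, G_N_ORDER) != G_N_ORDER:
            bad += 1
    return Fraction(bad, total)


def recover_1_plus_N_exponent(h):
    """With the trapdoor p'q' (the group order the public must not learn):
    h = g^a (1+N)^b  =>  h^{p'q'} = (1+N)^{b p'q'}, because g^{p'q'} = 1.
    Solving in <1+N> gives b p'q' mod N; divide by p'q', invertible mod N
    since p' and q' are distinct from p and q."""
    masked = pow(h, G_N_ORDER, N2)
    return solve_dl_1_plus_N(masked) * pow(G_N_ORDER, -1, N) % N


if __name__ == "__main__":
    g = to_G_N(2)
    print("order of 2^(2N) in G_N:", element_order(g, N2, G_N_ORDER))
    print("non-generator fraction:", non_generator_fraction(),
          "predicted:", predicted_non_generator_fraction())
    a, b = 4, 29
    h = pow(g, a, N2) * pow(1 + N, b, N2) % N2
    print("Solve((1+N)^b) =", solve_dl_1_plus_N(pow(1 + N, b, N2)))
    print("b recovered from g^a (1+N)^b with the trapdoor:", recover_1_plus_N_exponent(h))
```

The exhaustive count is only feasible because N is tiny; at real sizes one samples g, checks \(g^{p'}\ne 1\) and \(g^{q'}\ne 1\) with the factorisation at hand, and publishes only g. The last function is the double-trapdoor idea of Bresson et al. [8]: anyone holding \(p'q'\) strips the \(\mathbb {G}_{N}\) component and reads the \(\langle 1+N\rangle \) exponent, so parameters must be generated by a party that then discards, or carefully guards, the factorisation.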

References

  1. Agrawal, S., Boneh, D., Boyen, X.: Efficient lattice (H)IBE in the standard model. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 553–572. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5_28

  2. Bellare, M., Rogaway, P.: Random oracles are practical: a paradigm for designing efficient protocols. In: CCS (1993). https://doi.org/10.1145/168588.168596

  3. Boneh, D., Papakonstantinou, P., Rackoff, C., Vahlis, Y.: On the impossibility of basing identity based encryption on trapdoor permutations. In: FOCS (2008)

  4. Boneh, D., Boyen, X.: Efficient selective-ID secure identity-based encryption without random oracles. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 223–238. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24676-3_14

  5. Boneh, D., Boyen, X.: Secure identity based encryption without random oracles. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 443–459. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-28628-8_27

  6. Boneh, D., Franklin, M.: Identity-based encryption from the Weil pairing. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 213–229. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44647-8_13

  7. Boneh, D., Gentry, C., Hamburg, M.: Space-efficient identity based encryption without pairings. In: FOCS (2007). https://doi.org/10.1109/focs.2007.50

  8. Bresson, E., Catalano, D., Pointcheval, D.: A simple public-key cryptosystem with a double trapdoor decryption mechanism and its applications. In: Laih, C.-S. (ed.) ASIACRYPT 2003. LNCS, vol. 2894, pp. 37–54. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-40061-5_3

  9. Canetti, R., Halevi, S., Katz, J.: Chosen-ciphertext security from identity-based encryption. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 207–222. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24676-3_13

  10. Cash, D., Hofheinz, D., Kiltz, E., Peikert, C.: Bonsai trees, or how to delegate a lattice basis. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 523–552. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5_27

  11. Castagnos, G., Laguillaumie, F.: Linearly homomorphic encryption from \(\sf DDH\). In: Nyberg, K. (ed.) CT-RSA 2015. LNCS, vol. 9048, pp. 487–505. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-16715-2_26

  12. Cocks, C.: An identity based encryption scheme based on quadratic residues. In: Honary, B. (ed.) Cryptography and Coding 2001. LNCS, vol. 2260, pp. 360–363. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-45325-3_32

  13. Döttling, N., Garg, S.: Identity-based encryption from the Diffie-Hellman assumption. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017, Part I. LNCS, vol. 10401, pp. 537–569. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63688-7_18

  14. Garg, S., Gentry, C., Halevi, S., Raykova, M., Sahai, A., Waters, B.: Candidate indistinguishability obfuscation and functional encryption for all circuits. In: FOCS (2013)

  15. Gentry, C., Peikert, C., Vaikuntanathan, V.: Trapdoors for hard lattices and new cryptographic constructions. In: STOC (2008). https://doi.org/10.1145/1374376.1374407

  16. Kiayias, A., Tsiounis, Y., Yung, M.: Group encryption. In: Kurosawa, K. (ed.) ASIACRYPT 2007. LNCS, vol. 4833, pp. 181–199. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-76900-2_11

  17. Koblitz, N., Menezes, A.J.: The random oracle model: a twenty-year retrospective. Des. Codes Crypt. 77(23), 587–610 (2015). https://doi.org/10.1007/s10623-015-0094-2

  18. Paillier, P.: Public-key cryptosystems based on composite degree residuosity classes. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 223–238. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48910-X_16

  19. Paillier, P.: Public-key cryptosystems based on discrete logarithms residues. In: EUROCRYPT (1999)

  20. Sahai, A., Waters, B.: How to use indistinguishability obfuscation: deniable encryption, and more. In: STOC (2014)

  21. Shamir, A.: Identity-based cryptosystems and signature schemes. In: Blakley, G.R., Chaum, D. (eds.) CRYPTO 1984. LNCS, vol. 196, pp. 47–53. Springer, Heidelberg (1985). https://doi.org/10.1007/3-540-39568-7_5

  22. Waters, B.: Dual system encryption: realizing fully secure IBE and HIBE under simple assumptions. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-03356-8_36

  23. Waters, B.: Efficient identity-based encryption without random oracles. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 114–127. Springer, Heidelberg (2005). https://doi.org/10.1007/11426639_7


Acknowledgments

The authors would like to thank anonymous reviewers for their helpful comments and suggestions. This work was supported by National Natural Science Foundation of China (Grants 61472414,61772514,61602061), and National Key R&D Program of China (2017YFB1400700).

Author information

Corresponding author: Rui Xue.

Appendices

A Preliminaries (Cont’d.)

A.1 Indistinguishability Obfuscation

We present the formal definition following the syntax of Garg et al. [14]:

Definition 8

(Indistinguishability Obfuscation (\(i\mathcal {O}\))). A uniform PPT machine \(i\mathcal {O}\) is called an indistinguishability obfuscator for a circuit class \(\{\mathcal {C}_\kappa \}\) if the following holds:

  • (Correctness:) For all security parameters \(\kappa \in \mathbb {N}\), \(C\in \mathcal {C}_\kappa \), and inputs x:

    $$\Pr [C'(x)=C(x):C'\leftarrow i\mathcal {O}(\kappa ,C)]=1.$$
  • (Indistinguishability:) For any (not necessarily uniform) PPT distinguisher \((\mathsf {Samp},\) \(\mathcal {D})\), there exists a negligible function \(\mathsf {negl}\) such that the following holds: if  \(\Pr [\forall x,\) \(C_0(x)=C_1(x);(C_0,C_1,\sigma )\leftarrow \mathsf {Samp}(1^\kappa )]\ge 1-\mathsf {negl}(\kappa )\), then:

    $$\begin{aligned}&|\Pr [\mathcal {D}(\sigma ,i\mathcal {O}(\kappa ,C_0))=1:(C_0,C_1,\sigma )\leftarrow \mathsf {Samp}(1^\kappa )]\\ -&\Pr [\mathcal {D}(\sigma ,i\mathcal {O}(\kappa ,C_1))=1:(C_0,C_1,\sigma )\leftarrow \mathsf {Samp}(1^\kappa )]| \le \mathsf {negl}(\kappa ). \end{aligned}$$

A.2 Puncturable Pseudorandom Functions

Below we recall the definition of puncturable PRFs, as given by Sahai et al. [20]:

Definition 9

A puncturable family of PRFs F is given by a triple of Turing machines \(\mathsf {Key},\mathsf {Puncture},\mathsf {Eval}\), and a pair of computable functions \(n(\cdot )\) and \(m(\cdot )\), satisfying the following conditions:

  • (Functionality preserved under puncturing). For every PPT adversary \(\mathcal {A}\) that on input \(1^\kappa \) outputs a set \(S\subseteq \{0,1\}^{n(\kappa )}\), and for all \(x\in \{0,1\}^{n(\kappa )}\) with \(x\notin S\), we have:

    $$\Pr [\mathsf {Eval}(K,x)=\mathsf {Eval}(K_S,x):K\leftarrow \mathsf {Key}(1^\kappa ), K_S=\mathsf {Puncture}(K,S)]=1.$$
  • (Pseudorandom at punctured points). For every PPT adversary \((\mathcal {A}_1,\mathcal {A}_2)\) such that \(\mathcal {A}_1(1^\kappa )\) outputs a set \(S\subseteq \{0,1\}^{n(\kappa )}\) and a point \(x\in S\), consider the experiment where \(K\leftarrow \mathsf {Key}(1^\kappa )\) and \(K_S=\mathsf {Puncture}(K,S)\). Then

    $$|\Pr [\mathcal {A}_2(K_S,x,\mathsf {Eval}(K,x))=1]- \Pr [\mathcal {A}_2(K_S,x,U_{m(\kappa )})=1]|\le \mathsf {negl}(\kappa ),$$

    where \(U_{m(\kappa )}\) denotes the uniform distribution over \(m(\kappa )\) bits.
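A concrete puncturable PRF satisfying Definition 9, added here as an example; it is the standard GGM tree construction with a length-doubling PRG, not the paper's own instantiation, and the input length \(n(\kappa )=64\), output length \(m(\kappa )=256\), the use of HMAC-SHA256 as the PRG and all function names are my assumptions. Puncturing at a single point \(S=\{x^*\}\) is all the proof of Theorem 3 needs (\(S=\{\mathsf {ID}^*\}\) in Lemma 2): the punctured key is the list of siblings along the path to \(x^*\), which determines every other leaf but, by the one-wayness of the PRG, nothing about the leaf at \(x^*\).

```python
import hashlib
import hmac
import os

# Assumptions for this toy instantiation: n(kappa) = 64 input bits, m(kappa) = 256
# output bits, and a length-doubling PRG built from HMAC-SHA256 (GGM tree).
INPUT_BITS = 64


def _prg_half(node: bytes, bit: int) -> bytes:
    """One half of a length-doubling PRG: G_bit(node), HMAC keyed by the node."""
    return hmac.new(node, bytes([bit]), hashlib.sha256).digest()


def _bits(x: int) -> list:
    """Most-significant-bit-first bit decomposition of an n-bit input."""
    if not 0 <= x < 1 << INPUT_BITS:
        raise ValueError("input outside {0,1}^n")
    return [(x >> (INPUT_BITS - 1 - i)) & 1 for i in range(INPUT_BITS)]


def id_to_point(identity: str) -> int:
    """Map an identity string into {0,1}^n (hash and truncate)."""
    digest = hashlib.sha256(identity.encode()).digest()
    return int.from_bytes(digest[:INPUT_BITS // 8], "big")


def key_gen() -> bytes:
    """Key(1^kappa): the root of the GGM tree."""
    return os.urandom(32)


def evaluate(key: bytes, x: int) -> bytes:
    """Eval(K, x): walk the tree from the root along the bits of x."""
    node = key
    for b in _bits(x):
        node = _prg_half(node, b)
    return node


def puncture(key: bytes, x_star: int) -> dict:
    """Puncture(K, {x_star}): keep the sibling of every node on the path to
    x_star. The siblings cover every leaf except x_star, and none of them
    reveals a path node itself (one-wayness of the PRG)."""
    node, siblings = key, []
    for b in _bits(x_star):
        siblings.append(_prg_half(node, 1 - b))
        node = _prg_half(node, b)
    return {"x_star": x_star, "siblings": siblings}


def evaluate_punctured(k_s: dict, x: int) -> bytes:
    """Eval(K_S, x) for x not in S: find the first bit where x leaves the
    punctured path, start from the stored sibling there, and walk the rest."""
    if x == k_s["x_star"]:
        raise ValueError("cannot evaluate at the punctured point")
    xb, sb = _bits(x), _bits(k_s["x_star"])
    i = next(i for i in range(INPUT_BITS) if xb[i] != sb[i])
    node = k_s["siblings"][i]
    for b in xb[i + 1:]:
        node = _prg_half(node, b)
    return node


def functionality_preserved(key: bytes, x_star: int, sample: range) -> bool:
    """Check the first condition of Definition 9 on a sample of inputs."""
    k_s = puncture(key, x_star)
    return all(evaluate_punctured(k_s, x) == evaluate(key, x)
               for x in sample if x != x_star)


if __name__ == "__main__":
    K = key_gen()
    target = id_to_point("alice@example.com")      # plays the role of ID*
    K_S = puncture(K, target)
    print("functionality preserved on a sample:", functionality_preserved(K, target, range(1000)))
    other = id_to_point("bob@example.com")
    print("F(K, bob) via K_S:", evaluate_punctured(K_S, other).hex()[:16])
    print("F(K, bob) via K  :", evaluate(K, other).hex()[:16])
```

The second condition of Definition 9 cannot be checked by a test, only argued: every value in \(K_S\) is a PRG output on a node the holder never sees, so \(\mathsf {Eval}(K,x^*)\) is pseudorandom given \(K_S\) by a hybrid over the 64 levels of the tree. Note that the simulator in Lemma 2 answers extraction queries exactly this way, with \(K(\{\mathsf {ID}^*\})\) instead of K.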

B Proof of Theorem 3

We begin by giving a sequence of games played between a challenger and an adversary.

  • Game\(_0\):

    1. The adversary selectively gives the challenger the identity \(\mathsf {ID}^*\).

    2. The public parameters \(\mathsf {params}\) are chosen by the challenger invoking \(\mathsf {Gen}(1^\kappa )\).

    3. K is chosen as a key for the PPRF.

    4. The hash function \(\mathcal {H}(\cdot )\) is created as an obfuscation of the program \(G_1\).

    5. The adversary queries the key extraction oracle a polynomial number of times on identities \(\mathsf {ID}\ne \mathsf {ID}^*\) and receives back \(F(K,\mathsf {ID})\). Once this phase ends, the adversary gives two equal-length messages \(m_0,m_1\).

    6. The challenger chooses a random bit \(b\in \{0,1\}\) and \(r\leftarrow \{0,\dots ,Bp-1\}\), and outputs \(C^*=(g^r, \mathcal {H}(\mathsf {ID}^*)^r\cdot m_b)\).

    7. The adversary receives \(C^*\) and may continue to issue polynomially many key extraction queries under the same restriction \(\mathsf {ID}\ne \mathsf {ID}^*\); finally it outputs \(b'\) as its guess of b.

    8. If \(b'=b\), the game outputs 1, else it outputs 0.

  • Game\(_1\): the same as Game\(_0\) except that \(y^*=F(K,\mathsf {ID}^*)\) is computed and the hash function \(\mathcal {H}(\cdot )\) is replaced by an obfuscation of the program \(G_2\) (Fig. 2).

  • Game\(_2\): the same as Game\(_1\) except that \(y^*\leftarrow \mathbb {Z}_p\) is chosen uniformly at random.

  • Game\(_3\): the same as Game\(_2\) except that the challenge ciphertext \(C^*\) is computed as \((g^r,g^{r'}\cdot m_b)\), where \(r'\leftarrow \{0,\dots ,Bp-1\}\) is chosen independently of r.

We establish the following lemmas; together they yield Theorem 3, i.e. that the resulting IBE scheme is selectively secure.

Lemma 1

If the obfuscation scheme is indistinguishability secure, then the advantage of any PPT adversary is negligibly close between Game\(_0\) and Game\(_1\).

Proof

We set up two algorithms \(\mathsf {Samp}\) and \(\mathcal {D}\).

\(\mathsf {Samp}(1^\kappa )\) runs the adversary to obtain \(\mathsf {ID}^*\) and its state \(\tau '\). It then invokes \(\mathsf {Gen}(1^\kappa )\) to obtain \(\mathsf {params}\) and \(\mathsf {msk}\), and chooses K as the key for the PPRF. It sets \(y^*=F(K,\mathsf {ID}^*)\) and \(\tau =(\mathsf {ID}^*,\mathsf {params},\mathsf {msk},K,\tau ')\). It builds \(C_1\) as the program \(G_1\) and \(C_2\) as the program \(G_2\). Since \(y^*=F(K,\mathsf {ID}^*)\), the two programs compute the same function on every input, which is exactly the condition on \(\mathsf {Samp}\) in Definition 8.

\(\mathcal {D}\) takes as input \(\tau \) and an obfuscation of either \(C_1\) or \(C_2\), which it uses as \(\mathcal {H}\). When the adversary makes a key extraction query on \(\mathsf {ID}\ne \mathsf {ID}^*\), \(\mathcal {D}\) uses the key K contained in \(\tau \) to return \(F(K,\mathsf {ID})\). Once the adversary gives two equal-length messages \(m_0,m_1\), \(\mathcal {D}\) chooses a random bit b and constructs the challenge ciphertext \(C^*=(g^r, \mathcal {H}(\mathsf {ID}^*)^r\cdot m_b)\). Eventually the adversary outputs a bit \(b'\) and wins if \(b'=b\); \(\mathcal {D}\) outputs 1 if the adversary wins.

Observe that if \(\mathcal {D}\) receives an obfuscation of \(C_1\), the probability that \(\mathcal {D}\) outputs 1 equals the probability that the adversary wins Game\(_0\), and if it receives an obfuscation of \(C_2\), that probability equals the probability that the adversary wins Game\(_1\). Any noticeable gap between the two would therefore break the indistinguishability of the obfuscator, and the lemma follows.    \(\square \)

Lemma 2

If the punctured PRF is secure, then the advantage of any PPT adversary is negligibly close between Game\(_1\) and Game\(_2\).

Proof

In order to reduce this lemma to the pseudorandomness of the PPRF at punctured points, we give the algorithms \(\mathcal {A}_1\) and \(\mathcal {A}_2\).

\(\mathcal {A}_1(1^\kappa )\) runs the adversary to obtain \(\mathsf {ID}^*\) and its state \(\tau '\), then outputs the set \(S=\{\mathsf {ID}^*\}\).

\(\mathcal {A}_2\) obtains \(S=\{\mathsf {ID}^*\}\), the punctured key \(K(\{\mathsf {ID}^*\})=\mathsf {Puncture}(K,\{\mathsf {ID}^*\})\), and either the value \(y^*=F(K,\mathsf {ID}^*)\) or a uniformly random \(y^*\in \mathbb {Z}_p\). \(\mathcal {A}_2\) runs \(\mathsf {Gen}(1^\kappa )\) to obtain \(\mathsf {params}\) and computes \(g^{y^*}\). This value is exactly the \(g^{y^*}\) of Game\(_{1}\) if \(y^*=F(K,\mathsf {ID}^*)\), and that of Game\(_{2}\) if \(y^*\leftarrow \mathbb {Z}_p\). \(\mathcal {A}_2\) can then obfuscate the program \(G_2\), which serves as the hash function \(\mathcal {H}\), and can answer the key extraction queries of the adversary using \(K(\{\mathsf {ID}^*\})\), since every queried \(\mathsf {ID}\ne \mathsf {ID}^*\) lies outside the punctured set. When the adversary gives two equal-length messages \(m_0,m_1\), \(\mathcal {A}_2\) chooses a bit b uniformly at random and constructs the challenge ciphertext \(C^*=(g^r, \mathcal {H}(\mathsf {ID}^*)^r\cdot m_b)\). The adversary may issue further key extraction queries on \(\mathsf {ID}\ne \mathsf {ID}^*\), which \(\mathcal {A}_2\) answers in the same way. Eventually the adversary outputs a bit \(b'\) and wins if \(b'=b\); \(\mathcal {A}_2\) outputs 1 if the adversary wins.

By construction, the adversary's view is exactly that of Game\(_1\) when \(y^*=F(K,\mathsf {ID}^*)\) and exactly that of Game\(_2\) when \(y^*\) is uniform, so any difference in its success probability between the two games is a distinguishing advantage of \((\mathcal {A}_1,\mathcal {A}_2)\) against pseudorandomness at the punctured point. The lemma follows.    \(\square \)

Lemma 3

If \(\mathsf {sDDH}\) assumption holds in group G, then the advantage of any PPT adversary is negligibly close between Game\(_2\) and Game\(_3\).

Proof

To prove this lemma, we build a distinguisher \(\mathcal {D}\) that takes as input a tuple \((B,p,g,f,G,F,X,Y,Z,\mathsf {Solve}(\cdot ))\), where \(X=g^x\) and \(Y=g^y\) for \(x\leftarrow \mathbb {Z}_n\) and \(y\leftarrow \mathbb {Z}_p\). The goal of \(\mathcal {D}\) is to output 1 if \(Z=g^{xy}\) and 0 if \(Z=g^z\) for \(z\leftarrow \mathbb {Z}_n\).

\(\mathcal {D}\) invokes the adversary to get \(\mathsf {ID}^*\), chooses a PRF key K and computes \(K(\{\mathsf {ID}^*\})\) itself. It can then obfuscate the program \(G_2\) from its knowledge of \(K(\{\mathsf {ID}^*\}),\mathsf {ID}^*,g,Y\), with Y taking the place of \(g^{y^*}\); the obfuscated program serves as the hash function \(\mathcal {H}\). It sends \(\mathsf {params}=\{B,p,g,f,G,F,\mathcal {H}\}\) to the adversary. When the adversary issues a key extraction query on \(\mathsf {ID}\ne \mathsf {ID}^*\), \(\mathcal {D}\) uses \(K(\{\mathsf {ID}^*\})\) to compute \(F(K(\{\mathsf {ID}^*\}),\mathsf {ID})\) and returns this value. Once the adversary sends a pair of equal-length messages \(m_0,m_1\), \(\mathcal {D}\) flips a random coin b, creates the ciphertext \(C^*=(X,Z\cdot m_b)\) and sends it to the adversary. The adversary may issue further key extraction queries on \(\mathsf {ID}\ne \mathsf {ID}^*\), which \(\mathcal {D}\) answers in the same way, and finally outputs a guess \(b'\); \(\mathcal {D}\) outputs 1 if \(b'=b\). There are two cases. If \(Z=g^{xy}=Y^x=\mathcal {H}(\mathsf {ID}^*)^x\), then \(C^*\) is distributed as in Game\(_2\), so the probability that \(\mathcal {D}\) outputs 1 is exactly the probability that the adversary succeeds in Game\(_2\). If \(Z=g^z\) for a uniformly random \(z\in \mathbb {Z}_n\), then Z is independent of X and \(C^*\) is distributed as in Game\(_3\), so the probability that \(\mathcal {D}\) outputs 1 is the probability that the adversary succeeds in Game\(_3\).

By the \(\mathsf {sDDH}\) assumption, the difference between these two probabilities must be negligible.    \(\square \)

Lemma 4

The advantage of any PPT adversary in Game\(_3\) is negligible.

Proof

In Game\(_3\), the mask \(g^{r'}\) in the second component of \(C^*\) is chosen independently of r and of the bit b, so the challenge ciphertext perfectly hides \(m_b\) and the adversary's view is independent of b. Its advantage is therefore zero, and the lemma follows.    \(\square \)

Copyright information

© 2018 Springer Nature Switzerland AG

Cite this paper

Wang, X., Liang, B., Li, S., Xue, R. (2018). On Constructing Pairing-Free Identity-Based Encryptions. In: Chen, L., Manulis, M., Schneider, S. (eds) Information Security. ISC 2018. Lecture Notes in Computer Science, vol 11060. Springer, Cham. https://doi.org/10.1007/978-3-319-99136-8_17

  • DOI: https://doi.org/10.1007/978-3-319-99136-8_17

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-99135-1

  • Online ISBN: 978-3-319-99136-8