
Tightly CCA-secure identity-based encryption with ciphertext pseudorandomness

Designs, Codes and Cryptography

Abstract

Affine message authentication code (MAC) and delegatable affine MAC turn out to be useful tools for constructing identity-based encryption (IBE) and hierarchical IBE (HIBE), as shown in Blazy, Kiltz and Pan’s (BKP) creative work in CRYPTO (2014). An important result obtained by BKP is IBE of tight PR-ID-CPA security, i.e., tight IND-ID-CPA security together with ciphertext pseudorandomness (PR). However, the problem of designing tightly PR-ID-CCA2 secure IBE remains open. We note that the CHK transformation does not preserve ciphertext pseudorandomness when converting IND-ID-CPA secure 2-level HIBE to IND-ID-CCA2 secure IBE. In this paper, we solve this problem with a new approach. We introduce a new concept called De-randomized delegatable affine MAC and define for it weak APR-CMA security. We construct such a MAC with a tight security reduction to the Matrix DDH assumption, which includes the k-Linear and DDH assumptions. We present a paradigm for constructing PR-ID-CCA2 secure IBE, which enjoys both ciphertext pseudorandomness and IND-ID-CCA2 security, from De-randomized delegatable affine MAC and Chameleon hashing. The security reduction is tightness preserving. It provides another approach to IND-ID-CCA2 security besides the CHK transformation. By instantiating the paradigm with our specific De-randomized delegatable affine MAC, we obtain the first IBE of tight PR-ID-CCA2 security from the Matrix DDH assumption over pairing groups of prime order. Our IBE also serves as the first tightly IND-ID-CCA2 secure IBE with anonymous recipient (ANON-ID-CCA2) from the Matrix DDH assumption. Our IBE further implies the first tightly IND-ID-CCA2 secure extractable IBE based on the Matrix DDH assumption. The latter can be used to get IBE of simulation-based selective opening CCA2 (SIM-SO-CCA2) security (due to Lai et al. in EUROCRYPT, 2014). The tight security of our IBE leads to a tighter reduction of the SIM-SO-CCA2 security.


Notes

  1. As far as we know, this is the only HIBE with a tight security reduction.

  2. The APR-CMA security was originally defined by Blazy et al. [6] for delegatable affine MAC, but no constructions are available with tight security reduction.

  3. Recall that the user secret key generation algorithm of an IBKEM corresponds to the signing algorithm of a digital signature scheme.

  4. CCCA2 is short for Constrained CCA2 security, which is a weakened security notion proposed by [23]. A PR-ID-CCCA2 secure IBKEM can be converted to a PR-ID-CCA2 secure IBE if combined with a one-time secure authenticated encryption.

  5. For clarity, hereafter we use \(\mathcal {O}_\textsf {MAC}\) to indicate oracles in the security game of \(\textsf {MAC}\).

  6. Actually, \(\mathbf{t }\) is only pseudorandom here, since \(\mathbf{t } = \mathbf{B } \ \mathbf{s }\) and \(\mathbf{s } = \textsf {PRF}(\textsf {k}_{\textsf {PRF}}, \textsf {id}^*)\) (or \(\mathbf{s } = \textsf {PRF}(\textsf {k}_{\textsf {PRF}}, \textsf {id}^*|\mathsf {id}')\)). Nevertheless, it is easy to add a game so that \(\mathbf{s } = \textsf {TRF}(\textsf {id}^*)\) (or \(\mathbf{s } = \textsf {TRF}(\textsf {id}^*|\mathsf {id}')\)), where \(\textsf {TRF}\) is a truly random function. For the sake of simplicity, we forgo making this explicit in our proof.

  7. In the analysis of game \(\textsf {G}_1\), we show that no information about the \(\mathbf{t }\) related to \(\textsf {id}^*\) or the \(\mathbf{t }\) related to \(\textsf {id}^*|\mathsf {id}'\) (for any \(\mathsf {id}' \in \mathcal {ID}\)) is leaked to \(\mathcal {A}\) except with negligible probability. As our games move on, \(\textsc {Dec}\), which is the only oracle that could possibly leak that value, becomes much more restricted, and thus cannot leak information about that \(\mathbf{t }\) except with negligible probability.

References

  1. Abdalla M., Bellare M., Catalano D., Kiltz E., Kohno T., Lange T., Malone-Lee J., Neven G., Paillier P., Shi H.: Searchable encryption revisited: consistency properties, relation to anonymous IBE, and extensions. In: Shoup V. (ed.) CRYPTO 2005, pp. 205–222 (2005).

  2. Agrawal S., Boneh D., Boyen X.: Efficient lattice (H)IBE in the standard model. In: Gilbert H. (ed.) EUROCRYPT 2010, pp. 553–572 (2010).

  3. Attrapadung N., Hanaoka G., Yamada S.: A framework for identity-based encryption with almost tight security. In: Iwata T., Cheon J.H. (eds.) ASIACRYPT 2015, Part I, pp. 521–549. Springer, Heidelberg (2015).

  4. Bellare M., Goldwasser S.: New paradigms for digital signatures and message authentication based on non-interactive zero knowledge proofs. In: Brassard G. (ed.) CRYPTO 1989, pp. 194–211 (1989).

  5. Bellare M., Waters B., Yilek S.: Identity-based encryption secure against selective opening attack. In: Ishai Y. (ed.) TCC 2011, pp. 235–252 (2011).

  6. Blazy O., Kiltz E., Pan J.: (Hierarchical) identity-based encryption from affine message authentication. In: Garay J.A., Gennaro R. (eds.) CRYPTO 2014, Part I, pp. 408–425 (2014).

  7. Boneh D., Boyen X.: Secure identity based encryption without random oracles. In: Franklin M.K. (ed.) CRYPTO 2004, pp. 443–459 (2004).

  8. Boneh D., Franklin M.K.: Identity-based encryption from the Weil pairing. In: Kilian J. (ed.) CRYPTO 2001, pp. 213–229 (2001).

  9. Boneh D., Crescenzo G.D., Ostrovsky R., Persiano G.: Public key encryption with keyword search. In: Cachin C., Camenisch J. (eds.) EUROCRYPT 2004, pp. 506–522 (2004).

  10. Boyen X., Waters B.: Anonymous hierarchical identity-based encryption (without random oracles). In: Dwork C. (ed.) CRYPTO 2006, pp. 290–307 (2006).

  11. Canetti R., Halevi S., Katz J.: Chosen-ciphertext security from identity-based encryption. In: Cachin C., Camenisch J. (eds.) EUROCRYPT 2004, pp. 207–222 (2004).

  12. Chen J., Wee H.: Fully, (almost) tightly secure IBE and dual system groups. In: Canetti R., Garay J.A. (eds.) CRYPTO 2013, Part II, pp. 435–460 (2013).

  13. Cocks C.: An identity based encryption scheme based on quadratic residues. In: Honary B. (ed.) Cryptography and Coding, pp. 360–363 (2001).

  14. Döttling N., Schröder D.: Efficient pseudorandom functions via on-the-fly adaptation. In: Gennaro R., Robshaw M. (eds.) CRYPTO 2015, Part I, pp. 329–350 (2015).

  15. Escala A., Herold G., Kiltz E., Ràfols C., Villar J.L.: An algebraic framework for Diffie-Hellman assumptions. In: Canetti R., Garay J.A. (eds.) CRYPTO 2013, Part II, pp. 129–147 (2013).

  16. Fehr S., Hofheinz D., Kiltz E., Wee H.: Encryption schemes secure against chosen-ciphertext selective opening attacks. In: Gilbert H. (ed.) EUROCRYPT 2010, pp. 381–402 (2010).

  17. Gentry C.: Practical identity-based encryption without random oracles. In: Vaudenay S. (ed.) EUROCRYPT 2006, pp. 445–464 (2006).

  18. Goldreich O., Goldwasser S., Micali S.: How to construct random functions. J. ACM 33(4), 792–807 (1986).


  19. Gong J., Chen J., Dong X., Cao Z., Tang S.: Extended nested dual system groups, revisited. In: Cheng C., Chung K., Persiano G., Yang B. (eds.) PKC 2016, Part I, pp. 133–163 (2016).

  20. Groth J., Sahai A.: Efficient non-interactive proof systems for bilinear groups. In: Smart N.P. (ed.) EUROCRYPT 2008, pp. 415–432. Springer, Heidelberg (2008).

  21. Håstad J., Impagliazzo R., Levin L.A., Luby M.: A pseudorandom generator from any one-way function. SIAM J. Comput. 28(4), 1364–1396 (1999).


  22. Hofheinz D.: All-but-many lossy trapdoor functions. In: Pointcheval D., Johansson T. (eds.) EUROCRYPT 2012, pp. 209–227 (2012).

  23. Hofheinz D., Kiltz E.: Secure hybrid encryption from weakened key encapsulation. In: Menezes A. (ed.) CRYPTO 2007, pp. 553–571 (2007).

  24. Hofheinz D., Koch J., Striecks C.: Identity-based encryption with (almost) tight security in the multi-instance, multi-ciphertext setting. In: Katz J. (ed.) PKC 2015, pp. 799–822 (2015).

  25. Hohenberger S., Waters B.: Realizing hash-and-sign signatures under standard assumptions. In: Joux A. (ed.) EUROCRYPT 2009, pp. 333–350 (2009).

  26. Krawczyk H., Rabin T.: Chameleon signatures. In: NDSS 2000 (2000).

  27. Lai J., Deng R.H., Liu S., Weng J., Zhao Y.: Identity-based encryption secure against selective opening chosen-ciphertext attack. In: Nguyen P.Q., Oswald E. (eds.) EUROCRYPT 2014, pp. 77–92 (2014).

  28. Lewko A.B.: Tools for simulating features of composite order bilinear groups in the prime order setting. In: Pointcheval D., Johansson T. (eds.) EUROCRYPT 2012, pp. 318–335 (2012).

  29. Naor M., Reingold O.: Number-theoretic constructions of efficient pseudo-random functions. J. ACM 51(2), 231–262 (2004).


  30. Shamir A.: Identity-based cryptosystems and signature schemes. In: Blakley G.R., Chaum D. (eds.) CRYPTO 1984, pp. 47–53 (1984).

  31. Waters B.: Efficient identity-based encryption without random oracles. In: Cramer R. (ed.) EUROCRYPT 2005, pp. 114–127 (2005).

  32. Waters B.: Dual system encryption: Realizing fully secure IBE and HIBE under simple assumptions. In: Halevi S. (ed.) CRYPTO 2009, pp. 619–636 (2009).

  33. Wegman M.N., Carter L.: New hash functions and their use in authentication and set equality. J. Comput. Syst. Sci. 22(3), 265–279 (1981).


Acknowledgements

We would like to thank the referees for their helpful comments and suggestions. Shuai Han and Shengli Liu were supported by the National Natural Science Foundation of China (Grant Nos. 61672346, 61373153). Baodong Qin was supported by the National Natural Science Foundation of China (Grant No. 61502400), by the Natural Science Foundation of Southwest University of Science and Technology (Grant No. 16zx7107) and by the Foundation of Sichuan Educational Committee (Grant No. 16ZB0140). Dawu Gu was sponsored by Program of Shanghai Subject Chief Scientist (No. 16XD1401300).

Corresponding author

Correspondence to Shengli Liu.

Additional information

Communicated by K. Matsuura.

Appendices

Appendix 1: Efficiency comparison table of tightly secure IBEs

See Table 3

Table 3 Comparison between the known tightly-secure IBEs with identity space \(\mathcal {ID} = \{0, 1\}^\lambda \) in prime order groups based on standard assumptions

Appendix 2: Proof of Lemma 3

In \(\mathsf {G}_{\zeta ,\eta -1}\) (resp., \(\mathsf {G}_{\zeta ,\eta }\)), the challenger uses \(\textsf {RT}(\textsf {m}_{|\zeta , \eta -1})\) (resp., \(\textsf {RT}(\textsf {m}_{|\zeta , \eta })\)) as the randomness to compute \([u]_2\) in \(\textsc {Eval}(\textsf {m})\) and uses \(\textsf {RT}(\textsf {m}^*_{|\zeta , \eta -1})\) (resp., \(\textsf {RT}(\textsf {m}^*_{|\zeta , \eta })\)) as the randomness to compute \(h_1\) in \(\textsc {Chal}(\textsf {m}^*)\). By the special property of \(\textsf {RT}\), \(\textsf {RT}(\textsf {m}_{|\zeta , \eta -1})\) and \(\textsf {RT}(\textsf {m}_{|\zeta , \eta })\) are the same when the message \(\textsf {m}\) satisfies \(|\textsf {m}| < (\zeta - 1) \lambda + \eta \) or \(\textsf {m}_{\zeta ,\eta } = b_{\zeta , \eta }\), and they are independent of each other when the message \(\textsf {m}\) satisfies \(|\textsf {m}| \ge (\zeta - 1) \lambda + \eta \) and \(\textsf {m}_{\zeta ,\eta } = 1- b_{\zeta , \eta }\). The difference between \(\mathsf {G}_{\zeta , \eta -1}\) and \(\mathsf {G}_{\zeta , \eta }\) can be reduced to the Q-fold \(\mathcal {D}_k\)-MDDH assumption for the group \(\mathbb {G}_2\).

More precisely, we construct PPT adversaries \(\mathcal {B}_1, \mathcal {B}_2\big ( \mathcal {PG}, [\mathbf{A }]_2, [\mathbf{H }]_2 \big )\), where \(\mathcal {PG} \small {\mathop {\leftarrow }\nolimits _{\$}}\mathsf {PGGen}(1^{\lambda })\), \(\mathbf{A } \small {\mathop {\leftarrow }\nolimits _{\$}}\mathcal {D}_k\), and \(\mathbf{H } = \mathbf{A } \cdot \mathbf{W } + \mathbf{R }\) with \(\mathbf{W } \small {\mathop {\leftarrow }\nolimits _{\$}}\mathbb {Z}_q^{k \times Q}\), to distinguish whether \(\mathbf{R } = \mathbf{0 }\) (i.e., \(\big ( \mathcal {PG}, [\mathbf{A }]_2, [\mathbf{H }]_2 \big )\) is identical to the real \(\mathcal {D}_k\)-MDDH distribution) or \(\mathbf{R } \small {\mathop {\leftarrow }\nolimits _{\$}}\mathbb {Z}_q^{(k+1) \times Q}\) (i.e., \(\big ( \mathcal {PG}, [\mathbf{A }]_2, [\mathbf{H }]_2 \big )\) is identical to the random \(\mathcal {D}_k\)-MDDH distribution) in Fig. 10. \(\mathcal {B}_1\) and \(\mathcal {B}_2\) are the same except their strategies in \(\textsc {Finalize}\).

Fig. 10 Description of \(\mathcal {B}_1, \mathcal {B}_2\big ( \mathcal {PG}, [\mathbf{A }]_2, [\mathbf{H }]_2 \big )\) for the proof of Lemma 3. Here \(\mathbf{H }_c\) denotes the cth column of the matrix \(\mathbf{H }\), and \(\alpha : \{0,1\}^{*} \longrightarrow [1, Q]\) is an injective function implemented by \(\mathcal {B}_1, \mathcal {B}_2\) on the fly

In Initialize, \(\mathcal {B}_1, \mathcal {B}_2\) choose \(\mathbf{r } \small {\mathop {\leftarrow }\nolimits _{\$}}\mathbb {Z}_q^{k+1}\) and set \(\mathbf{x }_{\zeta , \eta }^{(1 - b_{\zeta , \eta })\top } := \mathbf{r }^{\top } \mathbf{A } \overline{\mathbf{A }}^{-1}\) implicitly. Observe that \(\mathbf{x }_{\zeta , \eta }^{(1 - b_{\zeta , \eta })\top } = \mathbf{r }^{\top } \mathbf{A } \overline{\mathbf{A }}^{-1} = ( \overline{\mathbf{r }}^{\top } \overline{\mathbf{A }} + {{{\underline{\varvec{r}}}}}^{\top } {{{\underline{\varvec{A}}}}} ) \overline{\mathbf{A }}^{-1} = \overline{\mathbf{r }}^{\top } + {{{\underline{\varvec{r}}}}}^{\top } {{{\underline{\varvec{A}}}}} \overline{\mathbf{A }}^{-1}\), thus it is uniformly distributed over \(\mathbb {Z}_q^{1 \times k}\) because of the randomness of \(\overline{\mathbf{r }}\), as in \(\mathsf {G}_{\zeta ,\eta -1}\) and \(\mathsf {G}_{\zeta ,\eta }\).

In \(\textsc {Eval}(\textsf {m})\), if \(|\textsf {m}| < (\zeta -1)\lambda + \eta \), then \(\textsf {m}_{|\zeta , \eta -1} = \textsf {m}_{|\zeta , \eta } = \textsf {m}\), and \(\mathcal {B}_1, \mathcal {B}_2\) use the randomness \(\textsf {RT}(\textsf {m}_{|\zeta , \eta -1})\), which equals \(\textsf {RT}(\textsf {m}_{|\zeta , \eta })\), to compute \([u]_2\), as in \(\mathsf {G}_{\zeta ,\eta -1}\) and \(\mathsf {G}_{\zeta ,\eta }\). Note also that \(\mathcal {B}_1, \mathcal {B}_2\) can compute \([{d}_{\zeta ,\eta }^{(1 - b_{\zeta ,\eta })}]_2 := [\mathbf{r }^{\top } \cdot \mathbf{A } \cdot \mathbf{s }]_2\), which is the same as in \(\mathsf {G}_{\zeta ,\eta -1}\) and \(\mathsf {G}_{\zeta ,\eta }\), since

$$\begin{aligned}{}[\mathbf{r }^{\top } \cdot \mathbf{A } \cdot \mathbf{s }]_2 = \left[ (\mathbf{r }^{\top } \mathbf{A } \overline{\mathbf{A }}^{-1}) \cdot (\overline{\mathbf{A }} \mathbf{s }) \right] _2 = [\mathbf{x }_{\zeta , \eta }^{(1 - b_{\zeta , \eta })\top } \cdot \mathbf{t }]_2. \end{aligned}$$

In \(\textsc {Eval}(\textsf {m})\), if \(|\textsf {m}| \ge (\zeta -1)\lambda + \eta \), \(\mathcal {B}_1, \mathcal {B}_2\) implement an injective function \(\alpha : \{0,1\}^{*} \longrightarrow [1, Q]\) on the fly, and compute \(\mathbf{s }' := \textsf {TRF}(\textsf {m}) \in \mathbb {Z}_q^k\) and \([\mathbf{t }]_2 := \left[ \overline{\mathbf{A }} \cdot \mathbf{s }' + \overline{\mathbf{H }}_c \right] _2\), where \(c := \alpha (\textsf {m}_{|\zeta ,\eta -1}) \in [1, Q]\) and \(\overline{\mathbf{H }}_c\) is the cth column of the matrix \(\overline{\mathbf{H }}\). Then for message \(\textsf {m}\) with \(\textsf {m}_{\zeta , \eta } = b_{\zeta ,\eta }\), \(\mathcal {B}_1, \mathcal {B}_2\) use \(\textsf {RT}(\textsf {m}_{|\zeta ,\eta -1})\), which equals \(\textsf {RT}(\textsf {m}_{|\zeta ,\eta })\), to compute \([u]_2\) the same way as in \(\mathsf {G}_{\zeta ,\eta -1}\) and \(\mathsf {G}_{\zeta ,\eta }\). As for message \(\textsf {m}\) with \(\textsf {m}_{\zeta ,\eta } = 1- b_{\zeta ,\eta }\), \(\mathcal {B}_1, \mathcal {B}_2\) compute \([u]_2\) in a different way with

$$\begin{aligned}{}[u]_2 = \bigg [ \mathop {\sum }\nolimits _{\begin{array}{c} (i, j) \in [p(\textsf {m})] \times [\lambda ] \\ (i, j) \ne (\zeta , \eta ) \end{array}} \mathbf{x }^{(\textsf {m}_{i, j})\top }_{i, j} \cdot \mathbf{t } + \textsf {RT}(\textsf {m}_{|\zeta , \eta -1}) + \mathbf{r }^{\top } \cdot (\mathbf{A } \cdot \mathbf{s }' + \mathbf{H }_c)\bigg ]_2, \end{aligned}$$

where \({\mathbf{H }}_c\) is the cth column of \({\mathbf{H }}\). We analyze the simulation as follows. Since \(\mathbf{H } = \mathbf{A } \cdot \mathbf{W } + \mathbf{R }\), then \(\mathbf{H }_c = \mathbf{A } \cdot \mathbf{W }_c + \mathbf{R }_c\) and \(\overline{\mathbf{H }}_c = \overline{\mathbf{A }} \cdot \mathbf{W }_c + \overline{\mathbf{R }}_c\). Thus \([\mathbf{t }]_2 = \left[ \overline{\mathbf{A }} \cdot \mathbf{s }' + \overline{\mathbf{H }}_c \right] _2 = \left[ \overline{\mathbf{A }} \cdot (\mathbf{s }' + \mathbf{W }_c + \overline{\mathbf{A }}^{-1} \cdot \overline{\mathbf{R }}_c) \right] _2 = \left[ \overline{\mathbf{A }} \cdot \mathbf{s } \right] _2\), where \(\mathbf{s } := \mathbf{s }' + \mathbf{W }_c + \overline{\mathbf{A }}^{-1} \cdot \overline{\mathbf{R }}_c = \textsf {TRF}(\textsf {m}) + \mathbf{W }_{\alpha (\textsf {m}_{|\zeta ,\eta -1})} + \overline{\mathbf{A }}^{-1} \cdot \overline{\mathbf{R }}_{\alpha (\textsf {m}_{|\zeta ,\eta -1})}\) is also a truly random function of \(\textsf {m}\). For message \(\textsf {m}\) with \(\textsf {m}_{\zeta ,\eta } = 1 - b_{\zeta ,\eta }\), we have that

$$\begin{aligned}{}[u]_2= & {} \left[ \mathop {\sum }\nolimits _{(i, j) \ne (\zeta , \eta )} \mathbf{x }^{(\textsf {m}_{i, j})\top }_{i, j} \cdot \mathbf{t } + \textsf {RT}(\textsf {m}_{|\zeta ,\eta -1}) + \mathbf{r }^{\top } \cdot (\mathbf{A } \cdot \mathbf{s }' + \mathbf{H }_c)\right] _2 \\= & {} \left[ \mathop {\sum }\nolimits _{(i, j) \ne (\zeta , \eta )} \mathbf{x }^{(\textsf {m}_{i, j})\top }_{i, j} \cdot \mathbf{t } + \textsf {RT}(\textsf {m}_{|\zeta ,\eta -1}) + \mathbf{r }^{\top } \cdot \mathbf{A } \cdot (\mathbf{s }' + \mathbf{W }_c) + \mathbf{r }^{\top } \cdot \mathbf{R }_c\right] _2 \\= & {} \Bigg [ \mathop {\sum }\nolimits _{(i, j) \ne (\zeta , \eta )} \mathbf{x }^{(\textsf {m}_{i, j})\top }_{i, j} \cdot \mathbf{t } + \textsf {RT}(\textsf {m}_{|\zeta ,\eta -1}) + \underbrace{\mathbf{r }^{\top } \mathbf{A } \overline{\mathbf{A }}^{-1}}_{\mathbf{x }_{\zeta , \eta }^{(1 - b_{\zeta ,\eta })\top }} \cdot \underbrace{\overline{\mathbf{A }} (\mathbf{s }' + \mathbf{W }_c)}_{\mathbf{t } - \overline{\mathbf{R }}_c} + \mathbf{r }^{\top } \mathbf{R }_c \Bigg ]_2 \\= & {} \left[ \mathop {\sum }\nolimits _{i = 1}^{p(\textsf {m})} \mathop {\sum }\nolimits _{j=1}^\lambda \mathbf{x }^{(\textsf {m}_{i, j})\top }_{i, j} \cdot \mathbf{t } + \textsf {RT}(\textsf {m}_{|\zeta ,\eta -1}) + \mathbf{r }^{\top } \cdot ( \mathbf{R }_c - \mathbf{A } \cdot \overline{\mathbf{A }}^{-1} \cdot \overline{\mathbf{R }}_c )\right] _2 \\= & {} \left[ \textstyle \mathop {\sum }\nolimits _{i = 1}^{p(\textsf {m})} \mathop {\sum }\nolimits _{j=1}^\lambda \mathbf{x }^{(\textsf {m}_{i, j})\top }_{i, j} \cdot \mathbf{t } + \textsf {RT}(\textsf {m}_{|\zeta ,\eta -1}) + {{{\underline{\varvec{r}}}}} \cdot ( {{{\underline{\varvec{R}}}}}_c - {{{\underline{\varvec{A}}}}} \cdot \overline{\mathbf{A }}^{-1} \cdot \overline{\mathbf{R }}_c )\right] _2. \end{aligned}$$
  • Case 1: \(\mathbf{H } = \mathbf{A } \cdot \mathbf{W } + \mathbf{R }\) for \(\mathbf{R } = \mathbf{0 }\). Then \({{{\underline{\varvec{r}}}}} \cdot ( {{{\underline{\varvec{R}}}}}_c - {{{\underline{\varvec{A}}}}} \cdot \overline{\mathbf{A }}^{-1} \cdot \overline{\mathbf{R }}_c ) = 0\), and \(\mathcal {B}_1, \mathcal {B}_2\) also use the randomness \({\textsf {RT}(\textsf {m}_{|\zeta ,\eta -1})}\) to compute \([u]_2\) for message \(\textsf {m}\) with \(\textsf {m}_{\zeta ,\eta } = 1 - b_{\zeta ,\eta }\), as in \(\mathsf {G}_{\zeta ,\eta -1}\). Furthermore, in this case \(b_{\zeta , \eta }\) is completely hidden from the point of view of \(\mathcal {A}\), thus \(\mathcal {A}\) submits a message \(\textsf {m}^*\) in \(\textsc {Chal}(\textsf {m}^*)\) such that \(|\textsf {m}^*| < (\zeta -1)\lambda +\eta \vee \textsf {m}_{\zeta ,\eta }^* = b_{\zeta ,\eta }\), i.e., \(\overline{\textsf {abort}}\) occurs, with probability at least 1 / 2. Therefore,

    $$\begin{aligned} \Pr \big [ \overline{\textsf {abort}} ~\big |~ \text {Case 1} \big ] \ge 1/2. \end{aligned}$$
    (17)
  • Case 2: \(\mathbf{H } = \mathbf{A } \cdot \mathbf{W } + \mathbf{R }\) for \(\mathbf{R } \small {\mathop {\leftarrow }\nolimits _{\$}}\mathbb {Z}_q^{(k+1) \times Q}\). Then with probability \((1- 1/q)\), \({{{\underline{\varvec{r}}}}}\) is non-zero, thus \({{{\underline{\varvec{r}}}}} \cdot ( {{{\underline{\varvec{R}}}}}_c - {{{\underline{\varvec{A}}}}} \cdot \overline{\mathbf{A }}^{-1} \cdot \overline{\mathbf{R }}_c )\) is uniformly random due to the randomness of \({{{\underline{\varvec{R}}}}}_c\). In this case, an independent randomness \({\textsf {RT}(\textsf {m}_{|\zeta ,\eta })} := {\textsf {RT}(\textsf {m}_{|\zeta ,\eta -1})} + {{{\underline{\varvec{r}}}}} \cdot ( {{{\underline{\varvec{R}}}}}_c - {{{\underline{\varvec{A}}}}} \cdot \overline{\mathbf{A }}^{-1} \cdot \overline{\mathbf{R }}_c )\) is employed for \(\textsf {m}\) with \(\textsf {m}_{\zeta ,\eta } = 1 - b_{\zeta ,\eta }\), as in \(\mathsf {G}_{\zeta ,\eta }\).

In \(\textsc {Chal}(\textsf {m}^*)\), if \(|\textsf {m}^*| < (\zeta -1)\lambda +\eta \vee \textsf {m}_{\zeta ,\eta }^* = b_{\zeta ,\eta }\), note that \(\textsf {RT}(\textsf {m}^*_{|\zeta , \eta -1}) = \textsf {RT}(\textsf {m}^*_{|\zeta , \eta })\), \(\mathcal {B}_1, \mathcal {B}_2\) use the randomness \(\textsf {RT}(\textsf {m}^*_{|\zeta , \eta -1})\), which equals \(\textsf {RT}(\textsf {m}^*_{|\zeta , \eta })\), to compute \(h_1\) perfectly as in \(\mathsf {G}_{\zeta ,\eta -1}\) and \(\mathsf {G}_{\zeta ,\eta }\). Meanwhile, if \(|\textsf {m}^*| \ge (\zeta -1)\lambda +\eta \wedge \textsf {m}_{\zeta ,\eta }^* = 1 - b_{\zeta ,\eta }\), \(\mathcal {B}_1, \mathcal {B}_2\) abort the game played with \(\mathcal {A}\) immediately and set \(\textsf {abort} = \textsf {true}\).

In summary, if \(\overline{\textsf {abort}}\) occurs, then with probability \((1- 1/q)\), in Case 1: \(\mathbf{H } = \mathbf{A } \cdot \mathbf{W } + \mathbf{R }\) for \(\mathbf{R } = \mathbf{0 }\) (resp., Case 2: \(\mathbf{H } = \mathbf{A } \cdot \mathbf{W } + \mathbf{R }\) for \(\mathbf{R } \small {\mathop {\leftarrow }\nolimits _{\$}}\mathbb {Z}_q^{(k+1) \times Q}\)), \(\mathcal {B}_1, \mathcal {B}_2\) perfectly simulate game \(\mathsf {G}_{\zeta ,\eta -1}\) (resp., game \(\mathsf {G}_{\zeta ,\eta }\)) with \(\mathcal {A}\). In Finalize, \(\mathcal {B}_1\)’s strategy is to return 1 to its \(\mathcal {D}_k\)-MDDH challenger if and only if \(\overline{\textsf {abort}}\) occurs, and \(\mathcal {B}_2\)’s strategy is to return 1 to its \(\mathcal {D}_k\)-MDDH challenger if and only if \(\overline{\textsf {abort}}\) occurs and \(\beta ' = \beta \) holds (i.e., \(\mathsf {Win}\) occurs). Thus we have the following equations:

$$\begin{aligned}&\mathsf {Adv}_{\mathsf {PGGen}, \mathbb {G}_2, \mathcal {B}_1}^{Q,\mathcal {D}_k-mddh}(\lambda ) = \Big | \Pr \big [ \overline{\textsf {abort}} ~\big |~ \text {Case 1} \big ] - \Pr \big [ \overline{\textsf {abort}} ~\big |~ \text {Case 2} \big ] \Big |,\\&\quad \mathsf {Adv}_{\mathsf {PGGen}, {\mathbb {G}_2}, \mathcal {B}_2}^{Q,\mathcal {D}_k-mddh}(\lambda ) = \Big | \Pr \big [ \overline{\textsf {abort}} \wedge \mathsf {Win} ~\big |~ \text {Case 1} \big ] - \Pr \big [ \overline{\textsf {abort}} \wedge \mathsf {Win} ~\big |~ \text {Case 2} \big ] \Big | \\&\quad = \Big | \Pr \big [ \overline{\textsf {abort}} ~\big |~ \text {Case 1} \big ] \cdot \Pr \big [ \mathsf {Win} ~\big |~ \text {Case 1} \wedge \overline{\textsf {abort}} \big ] \\&\quad \quad - \Pr \big [ \overline{\textsf {abort}} ~\big |~ \text {Case 2} \big ] \cdot \Pr \big [ \mathsf {Win} ~\big |~ \text {Case 2} \wedge \overline{\textsf {abort}} \big ] \Big | \\&\quad \ge (1 - 1/q) \cdot \Big | \Pr \big [ \overline{\textsf {abort}} ~\big |~ \text {Case 1} \big ] \cdot {\Pr }_{\zeta ,\eta -1}[\mathsf {Win}] - \Pr \big [ \overline{\textsf {abort}} ~\big |~ \text {Case 2} \big ] \cdot {\Pr }_{\zeta ,\eta }[\mathsf {Win}] \Big | \\&\quad \ge (1 - 1/q) \cdot \Pr \big [ \overline{\textsf {abort}} ~\big |~ \text {Case 1} \big ] \cdot \Big | {\Pr }_{\zeta ,\eta -1}[\mathsf {Win}] - {\Pr }_{\zeta ,\eta }[\mathsf {Win}] \Big | \\&\quad \quad - (1 - 1/q) \cdot \Big | \Pr \big [ \overline{\textsf {abort}} ~\big |~ \text {Case 1} \big ] - \Pr \big [ \overline{\textsf {abort}} ~\big |~ \text {Case 2} \big ] \Big | \cdot {\Pr }_{\zeta ,\eta }[\mathsf {Win}] \\&\quad \mathop {\ge }\limits ^{(17)} \frac{1}{2} \cdot \frac{1}{2} \cdot \Big | {\Pr }_{\zeta ,\eta -1}[\mathsf {Win}] - {\Pr }_{\zeta ,\eta }[\mathsf {Win}] \Big | \!-\! \Big | \Pr \big [ \overline{\textsf {abort}} ~\big |~ \text {Case 1} \big ] - \Pr \big [ \overline{\textsf {abort}} ~\big |~ \text {Case 2} \big ] \Big |. \end{aligned}$$

By combining the above two equations, we get that

$$\begin{aligned} \Big | {\Pr }_{\zeta , \eta -1}[\mathsf {Win}] - {\Pr }_{\zeta , \eta }[\mathsf {Win}] ~\Big | \le 4 \cdot \Big ( \mathsf {Adv}_{\mathsf {PGGen}, {\mathbb {G}_2}, \mathcal {B}_1}^{Q,\mathcal {D}_k-mddh}(\lambda ) + \mathsf {Adv}_{\mathsf {PGGen}, {\mathbb {G}_2}, \mathcal {B}_2}^{Q,\mathcal {D}_k-mddh}(\lambda ) \Big ). \end{aligned}$$

\(\square \)

Appendix 3: Extractable IBE from our IBE

1.1 Extractable IBE and its IND-ID-CCA2 security

We review the definition of extractable IBE from [27].

Definition 12

(Extractable identity-based encryption) An extractable identity-based encryption (extractable IBE) scheme \(\mathsf {IBE}_{ex} = (\mathsf {Gen}_{ex}, \mathsf {USKGen}_{ex}, \mathsf {Enc}_{ex}, \mathsf {Dec}_{ex})\) consists of the following four PPT algorithms:

  • \(\mathsf {Gen}_{ex}(1^\lambda )\) takes as input a security parameter \(\lambda \). It generates a public key \(\mathsf {pk}\) and a master secret key \(\mathsf {msk}\). The public key \(\mathsf {pk}\) defines an identity space \(\mathcal {ID}\), a ciphertext space \(\mathcal {C}\) and a session key space \(\mathcal {K}\).

  • \(\mathsf {USKGen}_{ex}(\mathsf {msk}, \mathsf {id})\) takes as input the master secret key \(\mathsf {msk}\) and an identity \(\mathsf {id}\in \mathcal {ID}\). It produces a user secret key \(\mathsf {usk}[\mathsf {id}]\) for \(\mathsf {id}\).

  • \(\mathsf {Enc}_{ex}(\mathsf {pk}, \mathsf {id}, \theta )\) takes as input the public key \(\mathsf {pk}\), an identity \(\mathsf {id}\in \mathcal {ID}\) and a bit \(\theta \in \{0,1\}\). It outputs a ciphertext \(\mathsf {CT} \in \mathcal {C}\) if \(\theta =0\), and outputs a ciphertext and a session key \((\mathsf {CT}, K) \in \mathcal {C} \times \mathcal {K}\) if \(\theta =1\).

  • \(\mathsf {Dec}_{ex}(\mathsf {usk}[\mathsf {id}], \mathsf {id}, \mathsf {CT})\) takes as input a user secret key \(\mathsf {usk}[\mathsf {id}]\), an identity \(\mathsf {id} \in \mathcal {ID}\) and a ciphertext \(\mathsf {CT} \in \mathcal {C}\). It outputs a bit \(\theta '\in \{0,1\}\) and a session key \(K'\in \mathcal {K}\).

1.1.1 Correctness

An extractable IBE scheme has completeness error \(\epsilon \), if for all \(\lambda \in \mathbb {N}\), \((\mathsf {pk}, \mathsf {msk})\small {\mathop {\leftarrow }\nolimits _{\$}}\mathsf {Gen}_{ex}(1^\lambda )\), \(\mathsf {id}\in \mathcal {ID}\), \(\mathsf {usk}[\mathsf {id}] \small {\mathop {\leftarrow }\nolimits _{\$}}\mathsf {USKGen}_{ex}(\mathsf {msk}, \mathsf {id})\), \(\theta \in \{0,1\}\), \(\mathsf {CT}/(\mathsf {CT},K) \small {\mathop {\leftarrow }\nolimits _{\$}}\mathsf {Enc}_{ex}(\mathsf {pk}, \mathsf {id}, \theta )\) and \((\theta ',K')\leftarrow \mathsf {Dec}_{ex}(\mathsf {usk}[\mathsf {id}], \mathsf {id}, \mathsf {CT})\):

  • The probability that \(\theta '=\theta \) is at least \(1-\epsilon \), where the probability is taken over the coins used in \(\mathsf {Enc}_{ex}\).

  • If \(\theta =1\) then \(\theta '=\theta \) and \(K'=K\). If \(\theta '=0\), \(K'\) is uniformly distributed in \(\mathcal {K}\).

1.1.2 Security

The IND-ID-CCA2 security of extractable IBE is a combination of the IND-ID-CCA2 security of one-bit IBE and the IND-ID-CCA2 security of an identity-based key encapsulation mechanism (IBKEM). The security notion is defined by the game in Fig. 11.

Fig. 11 \(\mathsf {IND}\)-\(\mathsf {ID}\)-\(\mathsf {CCA2}\) security game for \(\mathsf {IBE}_{ex}\)

Definition 13

(IND-ID-CCA2 security for extractable IBE) An extractable identity-based encryption scheme \(\mathsf {IBE}_{ex}\) is IND-ID-CCA2 secure, if for any PPT adversary \(\mathcal {A}\), the advantage \(\mathsf {Adv}_{\mathsf {IBE}_{ex}, \mathcal {A}}^{{ind\text {-}id\text {-}cca2}}(\lambda ) := | \Pr [ \mathsf {IND}\text {-}\mathsf {ID}\text {-}\mathsf {CCA2}^{\mathcal {A}} \Rightarrow 1 ] - 1 / 2 |\) is negligible in \(\lambda \), where game \(\mathsf {IND}\)-\(\mathsf {ID}\)-\(\mathsf {CCA2}\) is specified in Fig. 11.

1.2 Construction of extractable IBE from our IBE

Our IBE \(\mathsf {IBE}[\textsf {MAC}, \mathsf {CH}, \mathcal {D}_k]=(\textsf {Gen}, \textsf {USKGen}, \textsf {Enc}, \textsf {Dec})\) in Fig. 6, which is based on the \(\mathcal {D}_k\)-MDDH assumption, can be converted into an extractable IBE \(\mathsf {IBE}_{ex} = (\textsf {Gen}_{ex}, \textsf {USKGen}_{ex}, \textsf {Enc}_{ex}, \textsf {Dec}_{ex})\), as shown in Fig. 12.

Fig. 12 Construction of extractable IBE \(\mathsf {IBE}_{ex}\) from \(\mathsf {IBE}[\textsf {MAC}, \mathsf {CH}, \mathcal {D}_k]\)

The resulting extractable IBE \(\mathsf {IBE}_{ex}\) has completeness error \(2^{-\lambda }\). If \(\theta =1\), the decryption algorithm always undoes the encryption, due to the perfect correctness of \(\mathsf {IBE}[\textsf {MAC}, \mathsf {CH}, \mathcal {D}_k]\). If \(\theta =0\), \(\textsf {CT}=\langle \textsf {C},\chi \rangle =\langle [\mathbf{c }_0]_1, [\mathbf{c }_1]_1, R_{\mathsf {CH}},\chi _1, \chi _2\rangle \) is random. Hence in the \(\textsf {Dec}\) algorithm of \(\mathsf {IBE}[\textsf {MAC}, \mathsf {CH}, \mathcal {D}_k]\), the check \(\chi _2 = k_2 \cdot \chi _1 + k_3\) holds with probability at most \(2^{-\lambda }\). So \(\mathsf {Dec}_{ex}\) outputs \(\theta '=0\) when \(\textsf {CT}\) is an encryption of \(\theta =0\), except with probability at most \(2^{-\lambda }\).

Theorem 3

If \(\mathsf {IBE}[\mathsf {MAC}, \mathsf {CH}, \mathcal {D}_k]\) is PR-ID-CCA2 secure, then the extractable IBE scheme \(\mathsf {IBE}_{ex}\) in Fig. 12 is IND-ID-CCA2 secure.

More precisely, suppose that \(\mathcal {A}\) is a PPT adversary against the IND-ID-CCA2 security of \(\mathsf {IBE}_{ex}\), then there exists a PPT adversary \(\mathcal {B}\) against the PR-ID-CCA2 security of \(\mathsf {IBE}[\mathsf {MAC}, \mathsf {CH}, \mathcal {D}_k]\), such that

$$\begin{aligned} \mathsf {Adv}_{\mathsf {IBE}[\mathsf {MAC}, \mathsf {CH}, \mathcal {D}_k], \mathcal {B}}^{{pr\text {-}id\text {-}cca2}}(\lambda ) = \mathsf {Adv}_{\mathsf {IBE}_{ex}, \mathcal {A}}^{{ind\text {-}id\text {-}cca2}}(\lambda ). \end{aligned}$$

Proof of Theorem 3

The PR-ID-CCA2 adversary \(\mathcal {B}\) of \(\mathsf {IBE}[\textsf {MAC}, \mathsf {CH}, \mathcal {D}_k]\) will invoke \(\mathcal {A}\) to guess bit \(\beta \). To do so, \(\mathcal {B}\) simulates the IND-ID-CCA2 game for \(\mathcal {A}\) as follows.

When the PR-ID-CCA2 challenger gives \(\textsf {pk}\) to \(\mathcal {B}\), \(\mathcal {B}\) forwards \(\textsf {pk}\) to \(\mathcal {A}\). For all \(\mathcal {A}\)’s user secret key generation queries, \(\mathcal {B}\) will query its own user secret key generation oracles for answers. Since \(\mathsf {IBE}_{ex}\) and \(\mathsf {IBE}[\textsf {MAC}, \mathsf {CH}, \mathcal {D}_k]\) share the same user secret key generation algorithm, the simulation is perfect for \(\mathcal {A}\).

For each decryption query \(\textsf {CT}=\langle \textsf {C}, \chi \rangle \) from \(\mathcal {A}\), \(\mathcal {B}\) will query its own decryption oracle and get \(m' \leftarrow \textsf {Dec}(\textsf {usk}[\textsf {id}], \textsf {id}, \langle \textsf {C}, \chi \rangle )\). If \(m'=\bot \), \(\mathcal {B}\) chooses \(K \small {\mathop {\leftarrow }\nolimits _{\$}}\{0,1\}^\lambda \) and returns (0, K) to \(\mathcal {A}\). Otherwise \(\mathcal {B}\) sets \(K:=m'\), and returns (1, K). Clearly, \(\mathcal {B}\) gives a perfect simulation of decryption oracle for \(\mathcal {A}\).

When \(\mathcal {A}\) submits a challenge identity \(\textsf {id}^*\), \(\mathcal {B}\) will choose a random message \(m^*\small {\mathop {\leftarrow }\nolimits _{\$}}\{0,1\}^\lambda \) and forward \((\textsf {id}^*, m^*)\) to its own challenger. Then \(\mathcal {B}\) will obtain a challenge \(\langle \textsf {C}^*, \chi ^*\rangle \), which is either the output of \(\textsf {Enc}(\textsf {pk}, \textsf {id}^*, m^*)\) (when \(\beta =1\)) or randomly chosen (when \(\beta =0\)). \(\mathcal {B}\) sends \((\textsf {CT}^*:=\langle \textsf {C}^*, \chi ^*\rangle , K^*:=m^*)\) to \(\mathcal {A}\).

  • If \(\langle \textsf {C}^*, \chi ^*\rangle =\textsf {Enc}(\textsf {pk}, \textsf {id}^*, m^*)\), \((\textsf {CT}^*=\langle \textsf {C}^*, \chi ^*\rangle , K^*=m^*)\) corresponds to an encryption of \(\beta =1\) for \(\mathsf {IBE}_{ex}\).

  • If \(\textsf {CT}^*=\langle \textsf {C}^*, \chi ^*\rangle \) is randomly chosen, \(\textsf {CT}^*\) corresponds to an encryption of \(\beta =0\) for \(\mathsf {IBE}_{ex}\). In this case \(\textsf {CT}^*\) and \(K^*:=m^*\) are both independently and randomly chosen.

Hence \(\mathcal {B}\) perfectly simulates the challenge for \(\mathcal {A}\). Finally, \(\mathcal {B}\) returns the guessing bit \(\beta '\) of \(\mathcal {A}\) to its own challenger. Then \(\mathcal {B}\) has the same advantage as \(\mathcal {A}\). \(\square \)
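As an added illustration of the Appendix 3 transformation and of the decryption-oracle simulation in the proof above (this is not code from the paper), the following Python implements \(\mathsf {Enc}_{ex}\)/\(\mathsf {Dec}_{ex}\) generically over an IBE whose ciphertext has the shape \(\langle \textsf {C}, \chi _1, \chi _2\rangle \) and whose \(\textsf {Dec}\) rejects unless \(\chi _2 = k_2 \cdot \chi _1 + k_3\). The pairing-based \(\mathsf {IBE}[\textsf {MAC}, \mathsf {CH}, \mathcal {D}_k]\) is replaced by an explicitly labelled keyed-hash stand-in; `StandInIBE`, `derive_keys`, the one-time pad \(\chi _1 = m + k_1\) and the field \(\mathbb {Z}_P\) with \(P = 2^{127}-1\) are assumptions, so only the wrapper logic and the \(2^{-\lambda }\) completeness error are faithful to the text.

```python
"""Extractable IBE (IBE_ex) from an IBE with ciphertext <C, chi_1, chi_2>.
The underlying IBE is a keyed-hash STAND-IN, not the paper's scheme."""
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

LAMBDA = 127
P = 2**127 - 1          # Mersenne prime (assumed); chi_2 = k2*chi_1 + k3 is checked in Z_P
Ciphertext = Tuple[bytes, int, int]   # <C, chi_1, chi_2>


def derive_keys(session_key: bytes) -> Tuple[int, int, int]:
    """Assumed key schedule: expand a KEM session key into (k1, k2, k3) in Z_P."""
    return tuple(
        int.from_bytes(hashlib.sha256(session_key + tag).digest(), "big") % P
        for tag in (b"k1", b"k2", b"k3")
    )


class StandInIBE:
    """Placeholder for IBE[MAC, CH, D_k]. It is NOT public-key: pk carries msk,
    usk[id] = HMAC(msk, id), the 'encapsulation' C is a random nonce and the
    session key is HMAC(usk[id], C). Only the ciphertext shape <C, chi_1, chi_2>
    and the rejection check in dec() are faithful to the paper's description."""

    def gen(self):
        msk = secrets.token_bytes(32)
        return {"msk": msk}, msk

    def uskgen(self, msk: bytes, identity: str) -> bytes:
        return hmac.new(msk, identity.encode(), hashlib.sha256).digest()

    def enc(self, pk, identity: str, m: int) -> Ciphertext:
        usk = self.uskgen(pk["msk"], identity)          # stand-in only
        C = secrets.token_bytes(32)
        k1, k2, k3 = derive_keys(hmac.new(usk, C, hashlib.sha256).digest())
        chi1 = (m + k1) % P                              # one-time pad of m
        chi2 = (k2 * chi1 + k3) % P                      # one-time MAC of chi_1
        return (C, chi1, chi2)

    def dec(self, usk: bytes, identity: str, ct: Ciphertext) -> Optional[int]:
        C, chi1, chi2 = ct
        k1, k2, k3 = derive_keys(hmac.new(usk, C, hashlib.sha256).digest())
        if chi2 != (k2 * chi1 + k3) % P:
            return None   # bot: a random <C, chi> passes with probability 1/P ~ 2^-lambda
        return (chi1 - k1) % P


# --- the transformation IBE -> IBE_ex, as described for Fig. 12 ---
def enc_ex(ibe, pk, identity: str, theta: int):
    """theta = 1: (CT, K) with K := m random and CT := Enc(pk, id, m).
    theta = 0: a uniformly random ciphertext and no session key."""
    if theta == 1:
        m = secrets.randbelow(P)
        return ibe.enc(pk, identity, m), m
    return (secrets.token_bytes(32), secrets.randbelow(P), secrets.randbelow(P))


def dec_ex(ibe, usk: bytes, identity: str, ct: Ciphertext) -> Tuple[int, int]:
    """Mirrors B's decryption-oracle simulation: bot -> (0, random K'), else (1, m')."""
    m = ibe.dec(usk, identity, ct)
    if m is None:
        return 0, secrets.randbelow(P)
    return 1, m


def demo(trials: int = 500) -> Tuple[bool, int]:
    """Return (every theta=1 ciphertext opened to (1, K), number of theta=0
    ciphertexts wrongly accepted); the second value is 0 except w.p. ~ trials/P."""
    ibe = StandInIBE()
    pk, msk = ibe.gen()
    identity = "alice@example.com"     # constructed sample identity
    usk = ibe.uskgen(msk, identity)
    all_ok = True
    for _ in range(trials):
        ct, K = enc_ex(ibe, pk, identity, 1)
        all_ok &= dec_ex(ibe, usk, identity, ct) == (1, K)
    false_accepts = sum(
        dec_ex(ibe, usk, identity, enc_ex(ibe, pk, identity, 0))[0]
        for _ in range(trials)
    )
    return all_ok, false_accepts
```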

Cite this article

Han, S., Liu, S., Qin, B. et al. Tightly CCA-secure identity-based encryption with ciphertext pseudorandomness. Des. Codes Cryptogr. 86, 517–554 (2018). https://doi.org/10.1007/s10623-017-0339-3
