Chosen-Ciphertext Secure Identity-Based Encryption in the Standard Model with short Ciphertexts

We describe a practical identity-based encryption scheme that is secure in the standard model againstchosen-ciphertext(IND-CCA2)attacks. Securityisbasedonanassumptioncomparableto (but slightly stronger than) Bilinear Decisonal Di‐e-Hellman (BDDH). A comparison shows that our construction outperforms all known identity-based encryption schemes in the standard model anditsperformanceisevencomparablewiththeonefromtherandom-oraclebasedBoneh/Franklin IBEscheme. OurproposedIBEschemehasfurthermorethepropertythatitfulflllssomenotionof \redundancy-freeness",i.e. theencryptionalgorithmisnotonlyaprobabilisticinjectionbutalsoa surjection. As a consequence the ciphertext overhead is nearly optimal: to encrypt k bit messages for k bit identities and with k bit randomness we get 3k bit ciphertexts to guarantee (roughly) k bits of security.

[1]  Silvio Micali,et al.  Probabilistic Encryption , 1984, J. Comput. Syst. Sci..

[2]  Jean-Jacques Quisquater,et al.  Identity Based Encryption Without Redundancy , 2005, ACNS.

[3]  Tatsuaki Okamoto,et al.  Efficient Blind and Partially Blind Signatures Without Random Oracles , 2006, IACR Cryptol. ePrint Arch..

[4]  Brent Waters,et al.  Efficient Identity-Based Encryption Without Random Oracles , 2005, EUROCRYPT.

[5]  Clifford C. Cocks An Identity Based Encryption Scheme Based on Quadratic Residues , 2001, IMACC.

[6]  Victor Shoup,et al.  Why Chosen Ciphertext Security Matters , 2000 .

[7]  Jonathan Katz,et al.  Improved Efficiency for CCA-Secure Cryptosystems Built Using Identity-Based Encryption , 2005, CT-RSA.

[8]  Ben Lynn,et al.  Toward Hierarchical Identity-Based Encryption , 2002, EUROCRYPT.

[9]  Mihir Bellare,et al.  Random oracles are practical: a paradigm for designing efficient protocols , 1993, CCS '93.

[10]  Ronald Cramer,et al.  Design and Analysis of Practical Public-Key Encryption Schemes Secure against Adaptive Chosen Ciphertext Attack , 2003, SIAM J. Comput..

[11]  Qixiang Mei,et al.  Direct chosen ciphertext security from identity-based techniques , 2005, CCS '05.

[12]  Shai Halevi,et al.  A Tweakable Enciphering Mode , 2003, CRYPTO.

[13]  Yvo Desmedt,et al.  A New Paradigm of Hybrid Encryption Scheme , 2004, CRYPTO.

[14]  John Rompel,et al.  One-way functions are necessary and sufficient for secure signatures , 1990, STOC '90.

[15]  Dan Boneh,et al.  Hierarchical Identity Based Encryption with Constant Size Ciphertext , 2005, EUROCRYPT.

[16]  Victor Shoup,et al.  OAEP Reconsidered , 2001, CRYPTO.

[17]  Mihir Bellare,et al.  The Exact Security of Digital Signatures - HOw to Sign with RSA and Rabin , 1996, EUROCRYPT.

[18]  Dan Boneh,et al.  Short Signatures Without Random Oracles , 2004, EUROCRYPT.

[19]  Jonathan Katz,et al.  Chosen-Ciphertext Security from Identity-Based Encryption , 2004, SIAM J. Comput..

[20]  Liqun Chen,et al.  An Efficient ID-KEM Based On The Sakai-Kasahara Key Construction , 2006, IACR Cryptol. ePrint Arch..

[21]  Dan Boneh,et al.  Efficient Selective-ID Secure Identity Based Encryption Without Random Oracles , 2004, IACR Cryptol. ePrint Arch..

[22]  Matthew K. Franklin,et al.  Identity-Based Encryption from the Weil Pairing , 2001, CRYPTO.

[23]  Jung Hee Cheon,et al.  Security Analysis of the Strong Diffie-Hellman Problem , 2006, EUROCRYPT.

[24]  Liqun Chen,et al.  Security Proof of Sakai-Kasahara's Identity-Based Encryption Scheme , 2005, IMACC.

[25]  David Pointcheval,et al.  Chosen-Ciphertext Security without Redundancy , 2003, ASIACRYPT.

[26]  Moni Naor,et al.  Universal one-way hash functions and their cryptographic applications , 1989, STOC '89.

[27]  Victor S. Miller,et al.  The Weil Pairing, and Its Efficient Calculation , 2004, Journal of Cryptology.

[28]  David Naccache,et al.  Secure and Practical Identity-based Encryption , 2005 .

[29]  Shai Halevi,et al.  A Parallelizable Enciphering Mode , 2004, CT-RSA.

[30]  N. Smart,et al.  SK-KEM : AN IDENTITY-BASED KEM , 2006 .

[31]  Masao Kasahara,et al.  ID based Cryptosystems with Pairing on Elliptic Curve , 2003, IACR Cryptol. ePrint Arch..

[32]  Frederik Vercauteren,et al.  A comparison of MNT curves and supersingular curves , 2006, Applicable Algebra in Engineering, Communication and Computing.

[33]  Sanjit Chatterjee,et al.  Trading Time for Space: Towards an Efficient IBE Scheme with Short(er) Public Parameters in the Standard Model , 2005, ICISC.

[34]  David Pointcheval,et al.  About the Security of Ciphers (Semantic Security and Pseudo-Random Permutations) , 2004, Selected Areas in Cryptography.

[35]  Pooya Farshim,et al.  Generic Constructions of Identity-Based and Certificateless KEMs , 2008, Journal of Cryptology.

[36]  Craig Gentry,et al.  Practical Identity-Based Encryption Without Random Oracles , 2006, EUROCRYPT.

[37]  Mihir Bellare,et al.  Relations among Notions of Security for Public-Key Encryption Schemes , 1998, IACR Cryptol. ePrint Arch..

[38]  Nigel P. Smart,et al.  High Security Pairing-Based Cryptography Revisited , 2006, ANTS.

[39]  Paulo S. L. M. Barreto,et al.  Pairing-Friendly Elliptic Curves of Prime Order , 2005, Selected Areas in Cryptography.

[40]  Ronald Cramer,et al.  A Practical Public Key Cryptosystem Provably Secure Against Adaptive Chosen Ciphertext Attack , 1998, CRYPTO.

[41]  Craig Gentry,et al.  Hierarchical ID-Based Cryptography , 2002, ASIACRYPT.

[42]  Ran Canetti,et al.  The random oracle methodology, revisited , 2000, JACM.

[43]  Adi Shamir,et al.  Identity-Based Cryptosystems and Signature Schemes , 1984, CRYPTO.