Chosen-Ciphertext Security from Identity-Based Encryption

We propose simple and efficient CCA-secure public-key encryption schemes (i.e., schemes secure against adaptive chosen-ciphertext attacks) based on any identity-based encryption (IBE) scheme. Our constructions have ramifications of both theoretical and practical interest. First, our schemes give a new paradigm for achieving CCA-security; this paradigm avoids the “proofs of well-formedness” that have been shown to underlie previous constructions. Second, by instantiating our construction with known IBE constructions, we obtain CCA-secure encryption schemes whose performance is competitive with the most efficient CCA-secure schemes to date. Our techniques extend naturally to give an efficient method for securing IBE schemes (even hierarchical ones) against adaptive chosen-ciphertext attacks. Coupled with previous work, this gives the first efficient constructions of CCA-secure IBE schemes.
