Efficient Certificate-Based Encryption Scheme Secure Against Key Replacement Attacks in the Standard Model *

Transcription

1 JOURNAL OF INFORMATION SCIENCE AND ENGINEERING 0, (04) Efficient Certificate-Based Encryption Scheme Secure Against Key Replacement Attacks in the Standard Model * College of Computer and Information Engineering Hohai University Nanjing, 00 P.R. China Certificate-based encryption is a useful primitive that combines traditional public key encryption and entity-based encryption while preserving some of their most attractive features. It not only simplifies the cumbersome certificate management in traditional PKI, but also solves the key escrow problem inherent in entity-based encryption. In this paper, we propose a new certificate-based encryption scheme without random oracles that is provably secure against key replacement attacks. The proposed certificate-based encryption scheme is proven to be secure under the hardness of the decision -Party Diffie-Hellman problem in the standard model. Performance comparison shows that the proposed scheme outperforms all the previous standard-model certificate-based encryption schemes in the literature. Keywords: public key encryption, certificate-based encryption, key replacement attack, standard model, -DDH problem. INTRODUCTION Public key cryptography (PKC) is an important technique to realize network and information security. In traditional PKC, cryptographic keys are generated randomly with no connection to users entities. The association between a user s entity and his public key is obtained through a digital certificate issued by a trusted certificate authority (CA). This kind of certificate systems is referred as public key infrastructure (PKI). However, the need for PKI-certificates is consered as the main difficulty in the deployment of traditional PKC. To simplify the certificate management, Shamir [] introduced the notion of entity-based cryptography (IBC). In IBC, a user s public key is derived directly from his entity and his private key is generated by a trusted third party called Private Key Generator (PKG). The main practical benefit of IBC lies in the reduction of the need for certificates. However, if the KGC becomes dishonest, it can impersonate any user using its knowledge of the user s private key. This is due to the key escrow inherent in IBC. In addition, private key distribution in entity-based cryptography is a very daunting task as private keys must be sent to the users over secure channels. In Asiacrypt 00, Al-Riyami and Paterson [] proposed the notion of certificateless public key cryptography (CL-PKC). In CL-PKC, a trusted third party called Key Generation Center (KGC) is involved in the process of issuing a partial private key for each user. Every user independently generates a pair of secret key and public key, and then combines his secret key with the partial private key from the KGC to generate his Received October 9, 0; revised January, 0; accepted February 8, 0. Communicated by Vincent Rijmen. * This work is supported by the National Natural Science Foundation of China (No. 6754), the Six Talent Peaks Program of Jiangsu Province of China (No. 0098), the Fundamental Research Funds for the Central Universities of China (No. 00B0644). 55

2 554 private key. Therefore, CL-PKC overcomes the key escrow problem inherent in IBC. However, due to the lack of certificates to ensure the authenticity of the public keys, cryptographic schemes in the certificateless setting are susceptible to the key replacement attack. Furthermore, as partial private keys should be sent to the users over secure channels, CL-PKC suffers from the key distribution problem. In Eurocrypt 00, Gentry [] introduced the notion of certificate-based encryption (CBE) that represents an interesting and potentially useful balance between traditional PKC and IBC. As in traditional PKC, each user in a CBE system generates his own public/private key pair and requests a certificate from a CA. The difference is that a certificate in CBE acts not only as a certificate but also as a partial private key. This additional functionality proves an efficient implicit certificate mechanism so that a receiver needs both his private key and certificate to decrypt a ciphertext sent to him, while message senders need not be concerned about the receiver s certificate revocation problem. The feature of implicit certificate allows us to eliminate third-party queries for the certificate status and simplify the public key revocation in traditional PKI. In addition, CBE overcomes the key escrow problem (since the CA does not know the private keys of users) and the key distribution problem inherent in IBC. In parallel to CBE, Kang et al. [4] proposed the notion of certificate-based signature (CBS) that follows the ea of CBE. In the recent years, the topic of certificate-based cryptography (CBC) has attracted much attention in the research community and a number of schemes have been proposed, including many CBE schemes (e.g. [5-]) and CBS schemes (e.g. [-5]). The following table summarizes the comparison of the above cryptosystems. Table. Properties of the related public key cryptosystems. Do not require trusted third party Implicit Certificates Key Escrow Free Key Distribution Free Traditional PKC IBC CL-PKC CBC Key replacement attack, which was first introduced to the security of certificateless public key encryption (CL-PKE) by Al-Riyami and Paterson [], refers to that an adversary replaces a user s public key with a false one and dupes any other third party to encrypt messages or verify signatures using this false public key. At the first glance, one may think that this kind of attack does not exist in the certificate-based cryptosystems due to the use of certificates. However, it does exist. In a certificate-based cryptosystem, the CA does issue the certificates. But, only the holder of a certificate needs to check the vality of its certificate and other users do not need. Therefore, the certificate-based cryptosystems are also susceptible to the key replacement attack. Actually, some previous certificate-based cryptographic schemes have been demonstrated to be insecure under this attack. Please refer to [, 5-7] for the concrete key replacement attacks on those schemes. Key replacement attacks in CBE systems were first introduced in [6] and formally defined by Lu and Li in []. The first CBE scheme that has been explicitly proven secure against key replacement attacks was also proposed in []. However, the

3 CERTIFICATE-BASED ENCRYPTION AGAINST KEY REPLACEMENT ATTACKS 555 provable security goal of this scheme was obtained by consering the random oracle model [8]. It is well known that provable security is one of the basic requirements for PKC. As shown in [9], a proof in the random oracle model can only serve as a heuristic argument and does not necessarily imply the security in the real implementation. Therefore, to develop a CBE scheme that is provably secure against key replacement attacks without using the random oracle methodology becomes an important and interesting research problem. In this paper, we newly propose a CBE scheme based on Waters IBE scheme [0]. We prove its security under the hardness of the decision -Party Diffie-Hellman problem in the standard model. Compared with the previous standard-model CBE schemes in the literature, our scheme enjoys better computation efficiency and lower communication bandwth. To the best of our knowledge, our scheme is the first CBE scheme without random oracles that has been explicitly proven secure against key replacement attacks.. PRELIMINARIES In this section, we briefly review some preliminaries that are related to our paper.. Bilinear Map and Computational Assumption Let k be a security parameter and p be a k-bit prime number, G and G T denote two multiplicative cyclic groups of the same order p. A mapping e: G G G T is called a bilinear map if it satisfies the following properties: Bilinearity: e(u a, v b ) = e(u, v) ab for all u, v G and a, b Z p *. Non-degeneracy: e(g, g) for a random generator g G. Computablity: e(u, v) can be efficiently computed for all u, v G. The security of our CBE scheme is based on the following decision -Party Diffie-Hellman (-DDH) problem which was proposed for the first time in [] as a nonparing variant of the decision bilinear Diffie-Hellman (DBDH) problem. Definition : The -DDH problem in G is, given (g, g a, g b, g c, T) G 5 for unknown a, b, c Z * p, to dece whether T = g abc. The advantage of a probabilistic polynomial time (PPT) algorithm A in solving the -DDH problem is defined as -DDH A = Pr[A(g, g a, g b, g c, g abc ) = ] Pr[A(g, g a, g b, g c, T) = ], where the probability is defined over the randomly chosen a, b, c and T. We say that the -DDH problem is hard in G if -DDH ( k ) A is negligible for all PPT algorithms A.. Certificate-Based Encryption Formally, a CBE scheme consists of the following five algorithms: Setup( k ): On input a security parameter k, this algorithm generates a master key msk and a list of public parameters params. After this algorithm is performed, the CA publishes params and keeps msk secret.

4 556 UserKeyGen(params): On input params, this algorithm outputs a public/private key pair (PK, SK). Specifically, when a user with entity runs this algorithm, the generated key pair is denoted as (PK, SK ). CertGen(params, msk,, PK ): On input params, msk, and an user s entity and public key PK, this algorithm outputs a certificate Cert. After this algorithm is performed, the CA sends the certificate Cert to the user via an open channel. Encrypt(params, M,, PK ): On input params, a message M, and a receiver s entity and public key PK, this algorithm outputs a ciphertext C. Decrypt(params, C, SK, Cert ): On input params, a ciphertext C, and the receiver s private key SK and certificate Cert, this algorithm outputs either a plaintext M or a special symbol indicating a decryption failure. The essential security of a CBE scheme requires that one can decrypt a val ciphertext generated using the public key PK if and only if he has the knowledge of both SK and Cert. In other words, one cannot recover the correct plaintext from a val ciphertext with only SK or Cert. As defined in [], the security model of CBE schemes that are secure against key replacement attacks should distinguish two different types of adversaries: Type-I and Type-II. Type-I adversary simulates an uncertified user who wants to gain some information about a message from its encryption before obtaining a certificate from the CA. Such an adversary can replace public keys of any users, but is not allowed to access the master key. Type-II adversary simulates an honest-but-curious CA in possession of the master key who attacks a given public key without the knowledge of the corresponding private key. Such an adversary is able to produce certificates for any users, but is not allowed to replace any user s public key. The chosen-ciphertext security for CBE schemes is defined by the following two different games IND-CBE-CCA-I and IND-CBE-CCA-II, in which a Type-I adversary and a Type-II adversary interact with a challenger respectively. IND-CBE-CCA-I: This game is played between a Type-I adversary A and a challenger. Setup: The challenger runs the algorithm Setup( k ) to generate msk and params. It then returns params to A and keeps msk to itself. Phase : In this phase, A can adaptively query the following five oracles: O CreateUser : On input an entity, the challenger returns a public key PK. If has no associated public key, then the challenger runs UserKeyGen(params) to generate a key-pair (SK, PK ) and returns PK. In this case, is sa to be created. Note that other oracles defined below only respond to an entity which has been created. O ReplacePublicKey : On input an entity and a value PK, the challenger replaces the current public key PK associated with with the value PK. Note that the current value of an entity s public key is used by the challenger in any computations or responses to the following queries. This oracle models the ability of a Type-I adversary to convince a legitimate user to use a false public key. O ExtractPrivateKey : On input an entity, the challenger responds with a private key SK. Here, A is disallowed to query this oracle on any entity for which the public key has been replaced. This restriction is imposed due to the fact that it is unreasonable to expect the challenger to be able to prove a private key of a user for which it does not know the private key.

5 CERTIFICATE-BASED ENCRYPTION AGAINST KEY REPLACEMENT ATTACKS 557 O GenerateCertificate : On input an entity, the challenger responds with a certificate Cert. If has no associated certificate, then the challenger should first generate a certificate by running the algorithm CertGen(params, msk,, PK ). O StrongDecrypt : On input an entity and a ciphertext C, the challenger responds with the decryption of the ciphertext C. Note that the challenger should return the correct decryption of C even if the public key associated with has been replaced. This is a rather strong property for the security model of CBE. After all, the challenger may no longer know the correct corresponding private key. However, this capability may give A more power in breaking a CBE scheme. In addition, if we do not give A access to such a strong decryption oracle, then the ability to replace public keys is of no use to such an adversary. This is because if the challenger never gives a response based on a replaced public key, then A gains no advantage by replacing a public key. Challenge: Once A outputs an entity * and two equal-length messages (M 0, M ) on which it wants to be challenged, the challenger picks a random bit b {0,}, computes and outputs a challenge ciphertext C * = Encrypt(params, M b, *, PK * ) to A. Phase : In this phase, A can issue a second sequence of queries as in Phase. Guess: After all queries, A outputs a guess b {0, } for b. We say that A wins the game if b = b and the following restrictions are simultaneously satisfied: () A cannot submit * to O GenerateCertificate at any point; () A cannot submit an entity to O ExtractPrivateKey if its corresponding public key has been replaced; () A cannot submit ( *, C * ) to O StrongDecrypt INDin Phase. A s advantage in the above game is defined to be A CBE-CCA-I (k) = Pr[b = b ] /. IND-CBE-CCA-II: This game is played between a Type-II adversary A and a challenger. Setup: The challenger runs the algorithm Setup( k ) to generate (msk, params) and the algorithm UserKeyGen(params) to obtain a key pair (PK *, SK * ) respectively. It then returns params, msk and PK * to A. Phase : In this phase, A can adaptively query the following decryption oracle: O Decrypt : On input an entity and a ciphertext C, the challenger performs the algorithm Decrypt(params, C, SK *, Cert ) and then returns the decrypted plaintext (after running the algorithm CertGen(params, msk,, PK * ) if necessary). Challenge: Once A outputs an entity * and two equal-length messages (M 0, M ) on which it wants to be challenged, the challenger picks a random bit b {0, }, computes and outputs a challenge ciphertext C * = Encrypt(params, M b, *, PK * ) to A. Phase : In this phase, A can issue a second sequence of queries as in Phase. Guess: After all queries, A outputs a guess b {0, } for b. We say that A wins the game if b = b and A has never submitted ( *, C * ) to O Decrypt in Phase. A s advantage in the above game is defined to be A IND-CBE-CCA-II (k) = Pr[b = b ] /. Definition : A CBE scheme is sa to be IND-CBE-CCA secure if no PPT adversary has non-negligible advantage in the above two games.. Data Encapsulation Mechanism A data encapsulation mechanism (DEM) is a symmetric encryption scheme that is specified by two algorithms Encrypt and Decrypt. Encryption algorithm Encrypt takes

6 558 as input a message M {0, } * and a symmetric key K K and outputs a ciphertext C {0, } *, where K is the symmetric key space. Decryption algorithm Decrypt takes as input a ciphertext C and a symmetric key K and returns either a decrypted plaintext M {0, } * or a special symbol denoting a decryption failure. For the purposes of this paper, it is required that a DEM is secure with respect to indistinguishability against adaptive chosen-ciphertext attacks (IND-DEM-CCA). Definition : A DEM is sa to be IND-DEM-CCA secure if no PPT adversary A has non-negligible advantage in the following game: Initial: A runs on input a security parameter k and submits two equal-length messages M 0 and M. Challenge: The challenger chooses a random key K K and a random bit b {0, }, and returns C * = Encrypt(M b, K) as a challenge ciphertext to A. Query: In this phase, A can adaptively make a series of queries to a decryption oracle and the challenger responds these queries by using the key K. The only restriction is that A cannot submit the challenge ciphertext C * to this decryption oracle. Guess: A outputs a guess b {0, } for b and wins the game if b = b. A s advantage in the above game is defined to be A IND-DEM-CCA (k) = Pr[b = b ] /. An IND-DEM-CCA secure DEM can be built from relatively weak primitives, i.e. from any passive secure symmetric encryption scheme by essentially adding a message authentication code (MAC). In addition, the modes of operation CMC [] and EME [] both give IND-DEM-CCA secure DEMs proved that the underlying block-cipher is a strong pseudorandom permutation and avo the usual overhead due to the MAC..4 Collision Resistant Hash Function In our CBE construction, we require two collision resistant hash functions. Definition 4: A hash function H R H(k) is collision resistant if for all PPT algorithms A the advantage A CR (k) = Pr[H(x) = H(y) x y (x, y) R A( k, H) H R H(k)] is negligible as a function of the security parameter k.. OUR PROPOSED CBE SCHEME In this section, we propose a new CBE scheme which is based on Waters IBE scheme [0]. In order to perform secrecy communication for arbitrarily long messages, our construction adopts the KEM-DEM hybr encryption framework introduced by Cramer and Shoup [4]. Our proposed scheme consists of the following five algorithms: Setup: Let G and G T be two cyclic groups of prime order p and g be a generator g of G. Given a bilinear map e: G G G T, two collision resistant hash functions H : {0, } * G {0, } n and H : G Z p *, and an IND-DEM-CCA secure data encapsulation mechanism DEM = (Encrypt, Decrypt) with key space G T, the CA randomly chooses Z p * and computes g = g. Additionally, the CA chooses three random elements g,

7 CERTIFICATE-BASED ENCRYPTION AGAINST KEY REPLACEMENT ATTACKS 559 g, u G and a vector U = (u, u,, u n ) whose elements are chosen from G at random. The public parameters are params = (p, G, G T, e, g, g, g, g, u, U, H, H, DEM) and the master key is msk =. For simplicity, given a n-bit string = n, we define Waters hash function F: {0, } n G * ' n i as F( ) u u i i. UserKeyGen: A user with entity chooses a random value x Z * p as his private () () key SK and computes the corresponding public key as PK = ( PK, PK ) = (g x, g x ). () The vality of the public key PK can be verified by checking whether e( PK, g ) = () e(g, PK ) holds. CertGen: To generate a certificate for a user with entity and public key PK, the CA chooses a random value s Z * () () () p and computes Cert = ( Cert, Cert, Cert ) = ( g FID ( ) s, g -s s, g ), where ID = H (, PK ). Encrypt: To send a message M {0, } * to a receiver with entity and public key PK, the sender first chooses a random value r Z * p and computes a symmetric key K () = e( PK, g ) r. It then computes the ciphertext as C = (C, C, C ) = (g r t r, ( F( ID) g), DEM.Encrypt(M, K)), where ID = H (, PK ) and t = H (C ). Decrypt: To decrypt a ciphertext C = (C, C, C ), the receiver first recovers the sym- () () t SK () SK metric key as K e( C,( Cert ( Cert ) ) ) e(( Cert ), C), where t = H (C ). It then computes M/ = DEM.Decrypt (C, K). The consistency of our scheme is easy to check as we have () () t SK () SK K e( C,( Cert ( Cert ) ) ) e(( Cert ), C) r s s t x s x t r eg (,( g FID ( ) ( g) ) ) e(( g ),( FID ( ) g) ) r x r sx r stx sx r sx tr eg (, ) eg (, FID ( ) ) eg (, g ) eg (, FID ( ) ) eg (, g ) eg (, g) xr () epk (, g) r. 4. Security 4. ANALYSIS OF THE SCHEME The security analysis of our scheme requires the following lemma from [5]. Lemma : Let C be some error event such that A C occurs if and only if B C occurs. Then Pr[A] Pr[B] Pr[C]. Theorem : Our CBE scheme is IND-CBE-CCA secure assuming that the decision - DDH problem is hard in G, DEM is IND-DEM-CCA secure, and hash functions H and H are collision resistant. This theorem can be proved by combining the following Lemmas and. Lemma : If A is a Type-I adversary against the IND-CBE-CCA security of our CBE scheme that runs in time, makes at most q C queries to O GenerateCertificate and q D queries to O StrongDecrypt, then there exist an adversary B against the collision resistance of H that runs in time O( ) and has advantage CR, an adversary B against the collision re- B

8 560 sistance of H that runs in time O( ) and has advantage CR B, an adversary B against the -DDH problem that runs in time O( + - ln( - ) - ln( - )) and has advantage -DDH B, and an adversary B 4 against the IND-DEM-CCA security of DEM that runs in time O( + - ln( - ) - ln( - )) and has advantage IND-DEM-CCA B respectively 4 such that A s advantage is bounded by IND-CBE-CCA-I A CR B + CR ( ) B k + 8(q C + q D )(n + )( -DDH B + IND-DEM-CCA ( ) B k ), where = -DDH ( ) 4 B k and = [8(n + ) (q C + q D )] -. Proof: The proof of this lemma proceeds by a sequence of seven games. All games involve A who attempts to guess a random bit and eventually outputs a guess. For all i, we let X i be the event that = in the Game i and i denote A s advantage in the Game i. Then, i = Pr[X i ] /. Let E be an event that can occur during the execution of the adversary and is independent of X i (i.e. Pr[X i E] = Pr[X i ]). We first show that if Game i+ is entical to Game i unless E occurs, then i+ is negligible if and only if i is negligible for i. Obviously, if E does not occur, A will output the same bit that it d in Game i (i.e. Pr[X i+ E] = Pr[X i E] = Pr[X i ]); otherwise, it will output a random bit (i.e. Pr[X i+ E] = /). Then, we get Pr[X i+ ] / = Pr[X i+ E] Pr[E] + Pr[X i+ E] Pr[ E] / = Pr[E]/ + Pr[X i E] Pr[ E] / = Pr[ E] Pr[X i ] /. Therefore, we have i+ = Pr[ E] i. () We now start the game hopping. Game : This game is entical to the original attack game IND-CBE-CCA-I played by A. Therefore, we have = IND-CBE-CCA-I A = Pr[X ] /. Game : This game is entical to Game except that the game is stopped if either one of the following two events happens: Event, denoted by E, is that A queries O GenerateCertificate on an entity such that (, PK ) ( *, PK * ) and H (, PK ) = H ( *, PK * ), where * is the challenge entity chosen by A and PK * is the public key associated with * ; Event, denoted by E, is that A queries O StrongDecrypt on (, C = (C, C, * * C )) such that C C and H ( C) H( C), where C * is the first component of the challenge ciphertext C ( C, C, C). From Lemma, we have Pr[X ] Pr[X ] Pr[E * * * * E ]. Clearly, the event E implies a collision for the function H and the event E implies a collision for the function H. Hence, if E E occurs, then there must exist an algorithm B against the collision resistance of H or an algorithm B against the collision resistance of H such that Pr[E E ] CR + B CR. Therefore, we have Pr[X B ] Pr[X ] CR CR + B. B Game : This game is entical to Game except that some values of the public parameters are replaced. The challenger chooses three random values a, b, Z p * to set g = g a,

9 CERTIFICATE-BASED ENCRYPTION AGAINST KEY REPLACEMENT ATTACKS 56 g = g b and g = g. Let m = 4q, where q = q C + q D is the total number of certificate and decryption queries that A makes. The challenger randomly chooses x, x, x,, x n [0, m ], y, y, y,, y n Z p, [0, n], and then sets u and the vector U = (u, u,, u n ) ' ' ' p m x y to be u g x g, i y ui g g i for i n. Obviously, the replaced values are distributed entically to the corresponding values in Game. Therefore, we have =. Game 4: We define two functions from the values of Game as follows, n J ( ) ( p m) x' x, () n i i i i K( ) y' y, () i i n ' ( ) K( ) i i i J where = n is a n-bit string. Then, we have F( ) u u g g. Game 4 is entical to Game except that the game is stopped if A queries O GenerateCertificate or O StrongDecrypt on an entity such that J(ID) = 0 or A wants to be challenged on an entity * such that J(ID * ) 0, where ID = H (, PK ) and ID * = H ( *, PK * ). Let E be the event that the game is stopped, then we have that Pr[ E ] = Pr[ J ( IDi ) 0 (mod p) i J(ID * ) = 0 (mod p)], where ID i = H ( i, PK i ). Due to Waters proof in [0], Pr[ E ] q ( ). Since m = 4q and q = q C + q D, we get Pr[ E ] 8( n )( q C qd). ( n ) m m By Eq. (), we have 4 8( n )( q q ). C D Game 5: In this game, we change the generation of the public parameter g and also change the way that the certificate queries and the decryption queries are answered. We set g = g a to be a random element of G such that a is unknown to the challenger. Now, the challenger answers A s queries to O GenerateCertificate and O StrongDecrypt as follows: O GenerateCertificate : On input an entity, the challenger picks a random s Z * p and returns Cert = ( g K ID J ID ( )/ ( ) FID ( ) s / J ( ID) s, g g / J ( ID) s, g g ). If let s = s a/j(id), then it a s is not difficult to deduce that Cert = ( g FID ( ) s, g s, g ). Obviously, it is a val certificate for the entity. O StrongDecrypt : On input an entity and a ciphertext C = (C, C, C ), the challenger first () / J( ID) ( K( ID) t)/ J( ID) () computes K e( PK, C / C ), where t = H (C ) and PK is the second component of the current public key PK associated with. It then computes DEM. Decrypt(C, K) and returns the result. If C = (C, C, C ) is a val ciphertext encrypted using PK, then we have C = g r J ( ID) K ( ID) t r and C ( g g g) for some random r Z * p. It is () easy to deduce that K epk (, ) r g which is the correct key used to generate the third component C of the ciphertext C. Obviously, the challenger can correctly answer the decryption query regardless of whether PK is the original public key or not. We observe that the challenger is able to correctly answer A s queries to O GenerateCertificate and O StrongDecrypt as in Game 4. This implies 4 = 5. q

10 56 Game 6: This game is entical to Game 5 except that we alter the generation of the challenge ciphertext. The challenger introduces a new variable c Z * * c p to set C g. Let PK * ( PK () () *, PK * ) be the current public key associated with the challenge entity * * * * c K( ID ) t. For a random bit {0, }, it computes C ( g ) and C * = DEM.Encrypt (M, K * ), where ID * = H ( *, PK ), t * * * () abc = H * ( C ) and K e( PK *, g ). It is easy to * () deduce that K epk ( *, g) c. Clearly, 5 = 6. Game 7: We again alter the challenge phase. This time, the challenger forgets the values b, c and simply retains g b and g c. The challenge ciphertext is constructed as in Game 6 * () but using a random value T from G to compute K epk ( *, T). Obviously, Game 7 and Game 6 are equal unless there exists an algorithm B that distinguishes T = g abc from random. Therefore, we have Pr[X 6 ] Pr[X 7 ] -DDH * B. In Game 7, C and * C are * () completely independent from the bit since K epk ( *, T) is only a random value of G T. The adversary in this game essentially carries out a chosen-ciphertext attack on DEM. Therefore, there exists an algorithm B 4 against the IND-DEM-CCA security of DEM such that 7 = Pr[X 7 ] / IND-DEM-CCA. Due to Waters proof in [0], the B 4 time complexities of the algorithms B and B 4 are both bounded by O( + - ln( - ) - ln ( - )). This completes the game hopping. We now summarize the various equalities and inequalities arising in above game hopping steps into a bound on the advantage of the adversary A in the game IND-CBE-CCA-I. In Games -4, we have Pr[X ] - Pr[X ] CR + B CR, B = and 8(q C + q D )(n+) 4. Since IND-CBE-CCA-I = = Pr[X ] /, we get A IND-CBE-CCA-I A Pr[X ] Pr[X ] + Pr[X ] Pr[X ] + Pr[X ] / CR B + CR B + 8(q C + q D )(n+) 4. (4) In Games 5-7, we also have 4 = 5, 5 = 6, Pr[X 6 ] Pr[X 7 ] -DDH B and 7 = Pr[X 7 ] / IND-DEM-CCA. Then we get B 4 4 = 5 = 6 = Pr[X 6 ] / Pr[X 6 ] Pr[X 7 ] + Pr[X 7 ] / -DDH B + IND-DEM-CCA B. (5) Combining (4) and (5), we finally obtain IND-CBE-CCA-I A CR + B CR ( ) B k + 8(q C + q D )(n+)( -DDH B + IND-DEM-CCA B ). 4 Lemma : If A is a Type-II adversary against our CBE scheme that runs in time, makes at most q D queries to O Decrypt, then there exist an adversary B against the collision resistance of H that runs in time O( ) and has advantage CR B, an adversary B against the -DDH problem that runs in time O( + - ln( - ) - ln( - )) and has advantage -DDH B, and an adversary B against the IND-DEM-CCA security of DEM that runs in time O( + - ln( - ) - ln( - )) and has advantage IND-DEM-CCA B respectively such that A s advantage is bounded by IND-CBE-CCA-II A CR -DDH B + 8q D (n + )( B (k) + IND-DEM-CCA B ), where = -DDH B and = 8( n ) q D. 4

11 CERTIFICATE-BASED ENCRYPTION AGAINST KEY REPLACEMENT ATTACKS 56 Proof: The proof of this lemma is very similar to that of Lemma. For all i, we let X i be the event that = in the Game i and i denote A s advantage in the Game i. Game : This game is entical to the original game IND-CBE-CCA-II played by A. Therefore, we have = IND-CBE-CCA-II A = Pr[X ] /. Game : This game is entical to Game except that the game is stopped if A queries O Decrypt * * on (, C ( C, C, C) ) such that C C and H ( C) H( C), where C * is the * * * * first component of the challenge ciphertext C ( C, C, C). We denote this event by E. From Lemma, we have Pr[X ] Pr[X ] Pr[E ]. Clearly, E implies a collision for H. Hence, if E occurs, then there must exist an algorithm B against the collision resistance of H such that Pr[E ] CR. Therefore, we have Pr[X ] Pr[X ] CR B. B Game : In this game, the challenger first picks three random values,, a Z * p to set g = g α, g = g a and g = g. Let m = 4q, where q = q D is the total number of decryption queries that A makes. It then generates u and U = (u, u,, u n ) as in the proof of Lemma. Furthermore, it picks a random value b Z * p to set PK * * * = ( PK, PK ) = (g b, (g b ) ) as the challenge public key. Obviously, the replaced values are distributed entically to the corresponding values in Game. Therefore, we have =. Game 4: This game is entical to Game except that it is stopped if A queries O Decrypt on an entity such that J(ID) = 0 or A wants to be challenged on an entity * such that J(ID * ) 0, where ID = H (, PK * ) and ID * = H ( *, PK * ). Let E be the event that q the game is stopped, then Pr[ E ] = Pr[ J ( IDi ) 0 (mod p) J(ID * ) = 0 (mod p)], i where ID i = H ( i, PK * ). As in the proof of Lemma, we can deduce that 4 8( n ) q D. Game 5: In this game, the challenger answers A s queries to O Decrypt as follows: On input * / J ( ID) ( K ( ID) t)/ J ( ID) (, C = (C, C, C )), the challenger computes K e( PK, C / C ), where ID = H (, PK * ) and t = H (C ). It then computes DEM.Decrypt(C, K) and returns the result. If C = (C, C, C ) is a val ciphertext encrypted using the public key PK * r J ( ID) K ( ID) t r, then we have C g and C ( g g g) for some random value r Z * p. It is * easy to deduce that K epk (, g) r which is the correct key used to generate the third component C of the ciphertext C. Therefore, the challenger can correctly answer the decryption query even if it does not know the private key corresponding to PK *. Since the challenger can correctly answer A s queries as in Game 4, we have 4 = 5. Game 6: This game is entical to Game 5 except that we alter the generation of the * * * * * challenge ciphertext C ( C, C, C). The challenger introduces a new variable c Z p * * * c * c K( ID ) t to set C g. For a random bit {0, }, it computes C ( g ) and C * = DEM. Encrypt(M, K * ), where ID * = H ( *, PK * ), t * * = H ( C ) and * abc K e( g, g ). It is easy to * * deduce that K epk (, g) c. This implies that 5 = 6. Game 7: We again alter the challenge phase. This time, the challenger forgets the values a, b, c and simply retains g a, g b and g c. The challenge ciphertext is constructed as in Game

12 564 * 6 but using a random value T from G to compute K eg (, T). It is clear that Games 6 and 7 are equal unless there exists an algorithm B that distinguishes T = g abc from random. Therefore, we have Pr[X 6 ] Pr[X 7 ] -DDH * B. In Game 7, C and * C are * completely independent from the bit since K eg (, T) is only a random value of G T. The adversary in this game essentially carries out a chosen-ciphertext attack on DEM. Therefore, there exists an algorithm B against the IND-DEM-CCA security of DEM such that 7 = Pr[X 7 ] / IND-DEM-CCA. This completes the game hopping. As in the proof of Lemma, we can deduce that IND-CBE-CCA-II ( k ) CR A B + 8q D (n+)( -DDH B + IND-DEM-CCA B ). 4. Comparison In this subsection, we make a comparison of our scheme and the previous CBE schemes. We compare the schemes on computation efficiency, communication overhead and some security properties. The details of the compared CBE schemes are listed in Tables and. Note that we do not list all known random-oracle based CBE schemes but some secure and representative ones. In the computation cost comparison, we conser four atomic operations: pairing, (long) exponentiation in G T, (short) exponentiation in G and hash. For simplicity, we denote these operations by P, Exp l, Exp s and H respectively. In addition, we denote the symmetric encryption and decryption algorithms by E and D respectively, the encapsulation and decapsulation algorithms of an encapsulation scheme by S and R respectively, the message authentication code algorithm by Mac, and the one-time signature signing and verification algorithms by Sig and Vfy respectively. For our scheme, computing Wa- ' n i ters hash F( ) u u i i requires computing n/ products in G on the average, and it can be seen as a single exponentiation in G. Therefore, computing F(ID) r for a random r can be counted as two exponentiations in G. Once F(ID) has been precomputed, computing F(ID) r needs only one exponentiation in G. In the communication cost comparison, ciphertext overhead represents the difference between the ciphertext length and the message length, and the public key size is measured in terms of the number of group elements of the public key. We denote a commitment string and a de-commitment string of an encapsulation scheme by com and dec respectively, a message authentication code by mac, a verification key and a signature of a one-time signature scheme by vk and respectively, and the bit-length of a string X or an element in a group X by X. In [] and [9], l should be at least 60 in order to obtain a reasonable security. Table. Security properties of the CBE schemes. Schemes Standard model? Computational Consering key assumption(s) replacement attack? Ours -DDH (=DBDH) [6] DBDH [7] DBDH [8] q-abdhe+dbdh [] BDH [9] p-bdhi+-bdhi [] Gap-BDH

13 CERTIFICATE-BASED ENCRYPTION AGAINST KEY REPLACEMENT ATTACKS 565 Table. Performance of the CBE schemes. Schemes Encryption cost Decryption cost Ciphertext overhead Public key size Ours Exp l +4Exp s +H+E P+Exp s +H+D G G [6] Exp l +5Exp s +H+S+Mac P+Exp s +H+R+Mac G + dec + com + mac G [7] Exp l +5Exp s +H+Sig P+Exp s +H+Vfy G + vk + G [8] 8Exp l +Exp s +H P+Exp l +Exp s +H G T + G 6 G [] P+Exp l +Exp s +5H P+Exp s +H G +l G [9] Exp l +Exp s +4H P+Exp l +Exp s +H G +l G T [] Exp l +Exp s +H+E P+Exp s +H+D G G In pairing-based cryptography efficiency always depends on the chosen curve. Boyen [6] computes estimated relative timings for all atomic asymmetric operations (exponentiations and pairings) and representation sizes for group elements when instantiated in super-singular curves with 80 bits security (SS/80) and MNT curves with 80 bits security (MNT/80). In Table 4, we recall the data from [6]. Table 4. Timings needed to perform atomic operations and representation of group elements in bits. Curves Relative timings ( unit = exp. in G) Representation sizes (bits) Exp in G Exp in G T Pairing G G T MNT/ SS/ Table 5 gives a much clearer comparison between our scheme and the previous standard-model CBE schemes. Note that the costs of the pairings and the exponentiations in G T are measured by the exponentiations in G according to the data in Table 4. In addition, as the hash operation is much more efficient than the exponentiation in G, the costs of the hash operations in all compared schemes are ignored. From Table 5, we conclude that our scheme outperforms all the previous standardmodel CBE schemes. Interestingly, it seems to also offer competitive computation efficiency in comparison with the random-oracle based CBE scheme proposed in []. Furthermore, the message spaces of all the previous standard-model CBE schemes are re- Table 5. Performance comparison of the standard-model CBE schemes. Schemes Encryption Public Decryption cost Ciphertext overhead cost key size Ours MNT/80 40Exp s +E 0Exp s +D 4 4 SS/80 8Exp s +E 4Exp s +D [6] MNT/80 77Exp s +S+Mac 45Exp s +R+Mac 5+ dec + com + mac 4 SS/80 Exp s +S+Mac 6Exp s +R+Mac 56+ dec + com + mac 04 [7] MNT/80 77Exp s +Sig 45Exp s +Vfy 5+ vk + 4 SS/80 Exp s +Sig 6Exp s +Vfy 56+ vk + 04 [8] MNT/80 90Exp s 7Exp s 06 SS/80 4Exp s 49Exp s

14 566 stricted in G T, which is about 04 bits (when instantiated in super-singular curves with 80 bits security). Thus, when encrypting a large message (e.g. 0 4 bits), these schemes have to split the message into many parts and encrypt it part by part. It results in many times increase of both computation cost and ciphertext size, and maybe security reduction as well. Due to the use of the KEM-DEM hybr encryption framework, our scheme does not suffer from the message length restriction. Therefore, it can be used to encrypt arbitrary-length messages without any efficiency reduction. 5. CONCLUSIONS In this paper, we have proposed a new CBE scheme without random oracles. We have proved in the standard model that the proposed scheme is secure against both public key replacement and adaptive chosen-ciphertext attacks under the hardness of the -DDH problem. Performance analysis shows that the proposed scheme performs all the previous standard-model CBE schemes in the literature. To our best knowledge, it is the first encryption scheme in the certificate-based setting that has been explicitly proven secure against key replacement attacks in the standard model. REFERENCES. A. Shamir, Identity-based cryptosystems and signature schemes, in Proceedings of Crypto, 984, pp S. S. Al-Riyami and K. G. Paterson, Certificateless public key cryptography, in Proceedings of Asiacrypt, 00, pp C. Gentry, Certificate-based encryption and the certificate revocation problem, in Proceedings of Eurocrypt, 00, pp B. G. Kang, J. H. Park, and S. G. Hahn, A certificate-based signature scheme, in Proceedings of CT-RSA, 004, pp S. S. Al-Riyami and K. G. Paterson, CBE from CL-PKE: a generic construction and efficient schemes, in Proceedings of PKC, 005, pp Morillo and C. Ràfols, Certificate-based encryption without random oracles, Cryptology eprint Archive, Report No. 006/, 006, 7. D. Galindo, P. Morillo, and C. Ràfols, Improved certificate-based encryption in the standard model, Journal of Systems and Software, Vol. 8, 008, pp J. K. Liu and J. Zhou, Efficient certificate-based encryption in the standard model, in Proceedings of SCN, 008, pp Y. Lu, J. Li, and J. Xiao, Constructing efficient certificate-based encryption with paring, Journal of Computers, Vol. 4, 009, pp Z. Shao, Enhanced certificate-based encryption from pairings, Computers and Electrical Engineering, Vol. 7, 0, pp Y. Lu and J. Li, Constructing certificate-based encryption secure against key replacement attacks, ICIC Express Letters, Part B: Applications, Vol., 0, pp M. H. Au, J. K. Liu, W. Susilo, and T. H. Yuen, Certificate based (linkable) ring signature, in Proceedings of the rd Information Security Practice and Experience

15 CERTIFICATE-BASED ENCRYPTION AGAINST KEY REPLACEMENT ATTACKS 567 Conference, 007, pp J. Li, X. Huang, Y. Mu, W. Susilo, and Q. Wu, Certificate-based signature: security model and efficient construction, in Proceedings of EuroPKI, 007, pp J. K. Liu, J. Baek, W. Susilo, and J. Zhou, Certificate based signature schemes without pairings or random oracles, in Proceedings of the th International conference on Information Security, 008, pp J. Li, X. Huang, Y. Mu, W. Susilo, and Q. Wu, Constructions of certificate-based signature secure against key replacement attacks, Journal of Computer Security, Vol. 8, 00, pp J. H. Park and D. H. Lee, On the security of status certificate-based encryption scheme, IEICE Transactions on Fundamentals, Vol. E90-A, 007, pp Y. Lu and J. Li, Certificate-based signcryption: security model and efficient construction, Cryptology eprint Archive, Report No. 0/54, 0, org. 8. M. Bellare and P. Rogaway, Random oracles are practical: a paradigm for designing efficient protocols, in Proceedings of the st ACM Conference on Communications and Computer Security, 99, pp R. Canetti, O. Goldreich, and S. Halevi, The random oracle methodology, revisited, Journal of ACM, Vol. 5, 004, pp B. Waters, Efficient entity-based encryption without random oracles, in Proceedings of Eurocrypt, 005, pp D. Boneh and M. Franklin, Identity-based encryption from the Weil pairing, in Proceedings of Crypto, 00, pp S. Halevi and P. Rogaway, A tweakable enciphering mode, in Proceedings of Crypto, 00, pp S. Halevi and P. Rogaway, A parallelizable enciphering mode, in Proceedings of CT-RSA, 004, pp R. Cramer and V. Shoup, A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack, in Proceedings of Crypto, 998, pp A. W. Dent, A note on game hopping proofs, Cryptology eprint Archive, Report No. 006/60, 006, 6. X. Boyen, The BB entity-based cryptosystem: a standard for encryption and key encapsulation, Submitted to IEEE 6., 006, Yang Lu ( 陆 阳 ) received the Ph.D. degree from PLA University of Science and Technology in 009. He has been working in HoHai University from 00. Currently, he is an Assistant Professor in College of Computer and Information Engineering. His research interest includes information security and cryptography. He has published more than 0 papers in international conferences and journals.

16 568 Jiguo Li ( 继 ) received the Ph.D. degree from Harbin Institute of Technology in 00. He has been working in HoHai University from 00. Currently, he is a Professor in College of Computer and Information Engineering. His major research interests include information security and cryptography, network security, wireless security and trusted computing etc. He has published more than 70 scientific papers and two books.