Certificateless Public Key Encryption Without Pairing

Certificateless Public Key Encryption without Pairing Joonsang Baek, Reihaneh Safavi-Naini, and Willy Susilo Centre for Information Security Research School of Information Technology and Computer Science University of Wollongong Wollongong NSW 2522, Australia {baek, rei, wsusilo}@uow.edu.au Abstract. “Certificateless Public Key Cryptography” has very appealing features, namely it does not require any public key certification (cf. traditional Public Key Cryptography) nor having key escrow problem (cf. Identity-Based Cryptography). Unfortunately, construction of Certificateless Public Key Encryption (CLPKE) schemes has so far depended on the use of Identity-Based Encryption, which results in the bilinear pairing-based schemes that need costly operations. In this paper, we consider a relaxation of the original model of CLPKE and propose a new CLPKE scheme that does not depend on the bilinear pairings. We prove that in the random oracle model, our scheme meets the strong security requirements of the new model of CLPKE such as security against public key replacement attack and chosen ciphertext attack, assuming that the standard Computational Diffie-Hellman problem is intractable. 1 Introduction Motivation. Consider a situation where Alice wants to send a confidential message to Bob. Using a public key encryption (PKE) scheme, Alice needs to obtain Bob’s public key and encrypts her message using this key. When this operation is performed correctly, then only Bob who is in possession of a private key matched to his public key can decrypt the ciphertext and read the message. One direct implication of this mechanism is an assurance that Bob’s public key is authentic. In the normal Public Key Cryptography (PKC), this assurance is obtained via certification by a Certification Authority (CA). More precisely, the CA digitally signs on Bob’s public key and the “Digital Certificate” which contains the resulting signature and the public key should be checked against the CA’s public key by any interested party. However, the realization of this authentication mechanism called “Public Key Infrastructure (PKI)” has long been a concern for implementers as the issues associated with revocation, storage and distribution of certificates must be resolved. On the other hand, a very different approach to the above authenticity problem in public key cryptography was made by Shamir [16]. In this new approach named “Identity-Based Cryptography (IBC)”, every user’s public key is just his/her identity (identifier) which is an arbitrary string such as an email address while the corresponding private key is a result of some mathematical operation that takes as input the user’s identity and the secret master key of a trusted authority, sometimes referred to as “Private Key Generator (PKG)”. Notice that in this setting, certification of the public keys is provided implicitly based on the fact that if the user has obtained a correct private key associated with the published identity, he/she will be able to perform some cryptographic operations such as decrypt or sign. Hence, it is no longer necessary to explicitly authenticate public keys, i.e. verifying the digital certificates of the public keys, as in the traditional PKI setting. However, an obvious drawback of IBC is an unconditional trust that must be placed to the PKG, as the PKG can always impersonate any single entity as every user’s private key is known to the PKG. In order to resolve the above escrow problem in IBC while keeping the implicit certification property of IBC, a new paradigm called “Certificateless Public Key cryptography (CLPKC)” was introduced by Al-Riyami and Paterson [1]. In CLPKC, the user’s public key is no longer an arbitrary string. Rather, it is similar to the public key used in the traditional PKC generated by the user. However, a crucial difference between them is that the public key in CLPKC does not need to be explicitly certified as it has been generated using some “partial private key” obtained from the trusted authority called “Key Generation Center (KGC)”. Note here that the KGC does not know the users’ private keys since they contain secret information generated by the users themselves, thereby removing the escrow problem in IBC. Therefore, it is sometimes said that CLPKC lies in between PKC and IBC. However, it should be emphasized that so far “Certificateless Public Key Encryption (CLPKE)” schemes have been constructed within the framework of Identity-Based Encryption (IBE) schemes proposed by Boneh and Franklin [5], and Cocks [7]. As a result, the CLPKE schemes in the literature had to be based on either the bilinear pairings or somewhat inefficient IBE scheme proposed in [7]. In spite of the recent advances in implementation technique, the pairing computation is still considered as expensive compared with “standard” operations such as modular exponentiations in finite fields. According to the current MIRACL [12] implementation, a 512-bit Tate pairing takes 20 ms whereas a 1024-bit prime modular exponentiation takes 8.80 ms. Also, it is known that Cock’s IBE scheme [7] uses bit-by-bit encryption and hence outputs long ciphertexts. Being aware of the above problem of the current constructions of CLPKE, we focus on constructing a CLPKE scheme that does not depend on the pairings. This way, our scheme will be more efficient than all of the CLPKE schemes proposed so far [1, 2, 17]. The approach we make to achieve such a goal is to construct a CLPKE scheme that tends more towards a PKE scheme in the traditional PKI setting. We note that the reason why the CLPKE schemes in [1, 2, 17] have to depend on IBE is that in those schemes, a user need not be in possession of a partial private key before generating a public key, which is indeed a feature provided by IBE. By relaxing this requirement, however, we could construct a very efficient CLPKE scheme without pairings. Related Work. Al-Riyami and Paterson [1] proposed CLPKE and Certificateless Public Key Signature (CLPKS) schemes, all of which are based on the bilinear pairing used in Boneh and Franklin’s [5] IBE scheme. We note that their new construction of a CLPKE scheme given in [2] is also based on the bilinear pairing. Recently, a generic construction of CLPKE was given by Yum and Lee [17], who showed that any IBE and normal public key encryption schemes, if combined together properly, can yield a CLPKE scheme. Although their result indeed brings some flexibility in constructing CLPKE schemes, one should still expect a new IBE scheme to emerge to obtain a CLPKE scheme that does not depend on the bilinear pairings or Cock’s IBE scheme [7]. More recently, Castellucia et al. [6] proposed a new Secret Handshake (SH) scheme. An interesting feature of this scheme compared with the original SH scheme [3] is that it does not depend on the bilinear pairings but the key issuing technique based on the Schnorr signature [15], which is very similar to the “SelfCertified Keys” technique presented in [13], so that the required computational cost is twice less expensive than the original one. We note that Castellucia et al. [6] mentioned that their technique can also be applied to build a Hidden Credential (HC) scheme [11], however, no further application of it was considered. Finally, we remark that CLPKC in general and our work are related to the early works on the “self-certified keys” [10, 13, 14]. One crucial difference between schemes based on CLPKC and those based on self-certified keys is that the former depends more on the “identity-based” property, so that a user does not need to obtain any (private) key from the KGC before generating a public key. This property is useful as mentioned in [1], but we emphasize that if one merely wants the “certificate-less property” for public key encryption, there is an alternative method to construct a certificateless public key encryption scheme, which bypasses the use of IBE. The technique of self-certified keys is such a method and is similar to our method to construct the CLPKE scheme presented in this paper. However, we point out that no schemes in [10, 13, 14] are supported by formal security analysis. Moreover, the CLPKE scheme presented in this paper is structurally different from any schemes presented in [10, 13, 14]. Hence, one can view our work as formal treatment and extension of the early works on the self-certified keys. Our Contributions. In this paper, we elaborate on a new formal model of CLPKE and construct a CLPKE scheme that does not depend on the bilinear pairings: We extend the technique of [3, 13] non-trivially to the CLPKE setting and construct a new CLPKE scheme which is almost as efficient as the “hashed” ElGamal encryption scheme modified by the Fujisaki-Okamoto transform technique [8]. We prove in the random oracle model [4] that our scheme is secure against adaptive chosen ciphertext attacks, relative to the Computational Diffie-Hellman (CDH) problem. 2 Definitions Model. The main goal of CLPKE [1] is to allow a sender to transmit a confidential message to a recipient by encrypting the message using the recipient’s public key which does not have to be contained in a certificate issued by CA. As a result, one can remove the certificate checking process that increases the system complexity. In spite of the absence of the checking process, the sender is guaranteed that only the honest recipient who has gone through appropriate authentication procedure and has obtained a right “partial private key” associated with his identifier ID from the Key Generation Center (KGC) will be able to decrypt the message. Our model of CLPKE is very similar to that of original CLPKE [1]. In fact, the sub-algorithms of our CLPKE, Setup, SetSecretValue, SetPrivateKey, Encrypt and Decrypt are identical to those of the original CLPKE. Two different algorithms are PartialKeyExtract and SetPublicKey. PartialKeyExtract is similar to the “Partial Private Key Extract” algorithm of the original CLPKE with a difference that the output of PartialKeyExtract consists of not only a partial private key which should be kept secret but a “partial public key” which will be used to generate a public key later by the user. The only difference between the “Set Public Key” algorithm of the original CLPKE and SetPublicKey of our CLPKE is that in our model of CLPKE, the partial public key output by PartialKeyExtract should be provided as input to SetPublicKey, which makes it impossible for the user to set a public key if he/she has not contacted the KGC and obtained a partial private/public pair. We note that our model of CLPKE is slightly weaker than the one given in [1] as a user must authenticated himself/herself to the KGC and obtain an appropriate partial public key to create a public key, while the original CLPKE does not require a user to contact the KGC to set up his/her public keys. (As discussed in Section 1, one can view our CLPKE is close to the public key encryption in the normal PKI setting while Al-Riyami and Paterson’s original CLPKE of is close to IBE). However, we argue that our CLPKE does not lose the unique property of CLPKE that the use of certificates to guarantee the authenticity of public keys is not required any more, which is the main motivation for CLPKE. Below, we formally describe our model of CLPKE. Definition 1 (CLPKE). A generic CLPKE (Certificateless Public Key Encryption) scheme, denoted by Π, consists of the following algorithms. – Setup: The Key Generation Center (KGC) runs this algorithm to generate a common parameter params and a master key masterKey. Note that params is given to all interested parties. We write (params, masterKey) = Setup(). – PartialKeyExtract: Taking params, masterKey and an identity ID received from a user as input, the KGC runs this algorithm to generate a partial private key DID and a partial public key PID . We write (PID , DID ) = PartialKeyExtract(params, masterKey, ID). – SetSecretValue: Taking params and ID as input, the user runs this algorithm to generate a secret value sID . We write sID = SetSecretValue(params, ID). – SetPrivateKey: Taking params, DID and sID as input, the user runs this algorithm to generate a private key SKID . We write SKID = SetPrivateKey(params, DID , sID ). – SetPublicKey: Taking params, PID , sID and ID as input, the user runs this algorithm to generate a public key P KID . We write P KID = SetPublicKey( params, PID , sID , ID). – Encrypt: Taking params, ID, P KID , and a plaintext message M as input, a sender runs this algorithm to create a ciphertext C. We write C = Encrypt( params, ID, P KID , M ). – Decrypt: Taking params, SKID and the ciphertext C as input, the user as a recipient runs this algorithm to get a decryption δ, which is either a plaintext message or a “Reject” message. We write δ = Decrypt(params, SKID , C). Security Notion. We also modify the security notion for the original CLPKE and present a new notion, which we call “indistinguishability of CLPKE ciphertexts under chosen ciphertext attack (IND-CLPKE-CCA)”. We note that the modification is very small: In our security notion of CLPKE, the attacker’s “public key request” queries should be answered by running the PartialKeyExtract algorithm, which is not needed in the original CLPKE. Like the security notion for the original CLPKE, we assume two types of attackers AI and AII . A difference between these two attackers is that AI does not have access to the master key of KGC while AII does have. Now a formal definition follows. Definition 2 (IND-CLPKE-CCA). Let AI and AII denote Type I attacker and Type II attacker respectively. Let Π be a generic CLPKE scheme. We consider two games “Game I” and “Game II” where AI and AII interact with their “Challenger” respectively. Note that the Challenger keeps a history of “queryanswer” while interacting with the attackers. Game I: This is the game in which AI interacts with the “Challenger”: Phase I-1: The Challenger runs Setup() to generate masterKey and params. The Challenger gives params to AI while keeping masterKey secret. Phase I-2: AI performs the following: • Issuing partial key extraction queries, each of which is denoted by (ID, “partial key extract”): On receiving each of these queries, the Challenger computes (PID , DID ) = PartialKeyExtract(params, masterKey, ID) and returns it to AI . • Issuing private key extraction queries, each of which is denoted by (ID, “private key extract”): On receiving each of these queries, the Challenger computes (PID , DID ) = PartialKeyExtract(params, masterKey, ID) and sID = SetSecretValue(params, ID). It then computes SKID = SetPrivateKey(params, DID , sID ) and returns it to AI . • Issuing public key request queries, each of which is denoted by (ID, “public key request”): On receiving each of these queries, the Challenger computes (PID , DID ) = PartialKeyExtract(params, masterKey, ID) and sID = SetSecretValue(params, ID). It then computes P KID = SetPublicKey(params, PID , sID ) and returns it to AI . • Replacing the User’s public key: AI replaces a public key P KID with its own at any time. • Issuing decryption queries, each of which is denoted by (ID, P KID , C, “decryption”): On receiving such a query, the Challenger finds SKID from its “query-answer” list for public key request, computes δ = Decrypt( params, SKID , C), which is either a plaintext message or a “Reject” message and returns δ to AI . If the Challenger cannot find SKID , it runs a special “knowledge extractor” to obtain a decryption δ and returns it to AI . (As discussed in [1], it is not unreasonable to assume that the Challenger cannot answer a decryption query when a corresponding public key has been replaced, and hence returns “Reject”. However, as also pointed out in [1]), replacing public keys gives a huge power to the attacker. Hence, we assume that the Challenger uses other means, called “knowledge extractor” [1], to decrypt a requested ciphertext. Note that a construction of the knowledge extractor is specific to each CLPKE scheme). Phase I-3: AI outputs two equal-length plaintext messages (M0 , M1 ) and a target identity ID∗ . Note that ID∗ has not been queried to extract a partial private key nor a private key at any time. Note also that ID∗ cannot be equal to an identity for which both the public key has been replaced and the partial private key has been extracted. On receiving (M0 , M1 ) and ID∗ , the Challenger picks β ∈ {0, 1} at random and creates a target ciphertext C ∗ = Encrypt(params, P KID∗ , Mβ ). The Challenger returns C ∗ to AI . Phase I-4: AI issues queries as in Phase 2. The same rule the game applies here: ID∗ has not been queried to extract a partial private key nor a private key at any time; ID∗ cannot be equal to an identity for which both the public key has been replaced and the partial private key has been extracted. Additionally, no decryption queries should be made on C ∗ for the combination of ID∗ and P KID∗ that was used to encrypt Mβ . Phase I-5: AI outputs its guess β ′ ∈ {0, 1}. Game II: This is the game in which AII interacts with the “Challenger”: Phase II-1: The Challenger runs Setup() to generate masterKey and params. The Challenger gives params and masterKey to AII . Phase II-2: AII performs the following: • Computing partial key associated with ID: AII computes (PID , DID ) = PartialKeyExtract(params, masterKey, ID). • Issuing private key extraction queries, each of which is denoted by (ID, “private key extract”): On receiving each of these queries, the Challenger computes (PID , DID ) = PartialKeyExtract(params, masterKey, ID) and sID = SetSecretValue(params, ID). It then computes SKID = SetPrivateKey(params, DID , sID ) and returns it to AII . • Issuing public key request queries, each of which is denoted by (ID, “public key request”): On receiving each of these queries, the Challenger computes DID = PartialKeyExtract(params, masterKey, ID) and sID = SetSecretValue(params, ID). It then computes P KID = SetPublicKey( params, PID , sID ) and returns it to AII . • Issuing decryption queries, each of which is denoted by (ID, P KID , C, “decryption”): On receiving each of these queries, the Challenger finds SKID from its “query-answer” list, computes δ = Decrypt(params, SKID , C), which is either a plaintext message or a “Reject” message, and returns δ to AII . Phase II-3: AII outputs two equal-length plaintext messages (M0 , M1 ) and a target identity ID∗ . Note that ID∗ has not been issued as a private key extraction query. On receiving (M0 , M1 ) and ID∗ , the Challenger picks β ∈ {0, 1} at random and creates a target ciphertext C ∗ = Encrypt(params, P KID∗ , Mβ ). The Challenger returns C ∗ to AII . Phase II-4: AII issues queries as in Phase 2 subject to the same rules. (That is, ID∗ has not been issued as a private key extraction query). But in this phase, no decryption queries should be made on C ∗ for the combination of ID∗ and P KID∗ used to encrypt Mβ . Phase II-5: AII outputs its guess β ′ ∈ {0, 1}. We define Ai ’s guessing advantage in Game i, where i ∈ {I, II}, by AdvIND−CLPKE−CCA (Ai ) = | Pr[β ′ = β] − 12 |. Ai breaks IND-CLPKE-CCA of Π,Game i Π with (t, qpaex , qprex , ǫ) if and only if the guessing advantage of Ai that makes qpaex partial key extraction and qprex private key extraction queries is greater than ǫ within running time t. The scheme Π is said to be (t, qpaex , qprex , ǫ)-INDCLPKE-CCA secure if there is no attacker Ai that breaks IND-CLPKE-CCA of Π with (t, qpaex , qprex , ǫ). Computational Problem. We now review the standard “Computational DiffieHellman (CDH)” problem used in a large number of cryptographic schemes. Definition 3 (CDH). Let p and q be primes such that q|p − 1. Let g be a generator of ZZ∗p . Let A be an attacker. A tries to solve the following problem: Given (g, g a , g b ) for uniformly chosen a, b, c ∈ ZZ∗q , compute κ = g ab . Formally, we define A’s advantage AdvCDH (A) by Pr[A(g, g a , g b ) = g ab ]. A ZZ∗ p solves the CDH problem with (t, ǫ) if and only if the advantage of A is greater than ǫ within running time t. The CDH problem is said to be (t, ǫ)-intractable if there is no attacker A that solves the CDH problem with (t, ǫ). We remark that the current CLPKE schemes presented in [1] and [2] all depend on the “Bilinear Diffie-Hellman (BDH)” problem which is a pairing version of the CDH problem used in the construction of Boneh and Franklin’s IBE scheme [5]. (Informally, the BDH problem is to compute ê(g, g)abc given g a , g b and g c , where g is a generator, ê denotes a bilinear pairing and a, b, c are chosen at random from ZZ∗q ). 3 Our CLPKE Scheme We now present our CLPKE scheme based on the Schnorr signature [15]. As mentioned previously, our CLPKE scheme is motivated by the construction of PKI-enabled encryption scheme given in [6]. However, we apply this scheme nontrivially to construct an efficient CLPKE scheme: The computational cost for realizing our scheme is very low due to not only the efficiency brought from the Schnorr signature but also the effective method that combines the Schnorr signature and the public key encryption scheme. – We remark that the encryption algorithm of our CLPKE scheme requires two more modular exponentiations compared with the “hashed” ElGamal encryption transformed by the technique proposed by Fujisaki and Okamoto [8]; the decryption algorithm requires one more exponentiation compared with the same scheme. Below, we describe the scheme: – Setup(): Generate two primes p and q such that q|p − 1. Pick a generator g of ZZ∗p . Pick x ∈ ZZ∗q uniformly at random and compute y = g x . Choose hash functions H1 : {0, 1}∗ × ZZ∗q → ZZ∗q , H2 : {0, 1}l0 × {0, 1}l1 → ZZ∗q and H3 : ZZ∗p × ZZ∗p → {0, 1}l , where l = l0 + l1 ∈ IN. Return params = (p, q, g, y, H1 , H2 , H3 ) and masterKey=(p, q, g, x, H1 , H2 , H3 ). – PartialKeyExtract(params, masterKey, ID): Pick s ∈ ZZ∗q at random and compute w = g s and t = s + xH1 (ID, w). Return (PID , DID ) = (w, t). – SetSecretValue(params, ID): Pick z ∈ ZZ∗q at random. Return sID = z. – SetPrivateKey(params, DID , sID ): Set SKID = (sID , DID ) = (z, t). Return SKID . – SetPublicKey(params, PID , sID , ID): Let PID = w and sID = z. Compute µ = g z and set P KID = (w, µ). Return P KID . – Encrypt(params, ID, P KID , M ) where the bit-length of M is l0 : Parse P KID as (w, µ) and compute γID = wy H1 (ID,w) . Pick σ ∈ {0, 1}l1 at random, and compute r = H2 (M, σ). Compute C = (c1 , c2 ) such that c1 = g r ; c2 = H3 (k1 , k2 ) ⊕ (M ||σ), r . (Note that “||” denotes“concatenation”. Note where k1 = µr and k2 = γID also that the bit-length of (M ||σ) equals to l = l0 + l1 ). Return C. – Decrypt(params, SKID , C): Parse C as (c1 , c2 ) and SKID as (z, t). Compute M ||σ = H2 (cz1 , ct1 ) ⊕ c2 . If g H2 (M,σ) = c1 , return M . Else return “Reject”. It can be easily seen that the above decryption algorithm is consistent: If C = (c1 , c2 ) is a valid cipheretxt, we obtain r H2 (cz1 , ct1 ) ⊕ c2 = H2 (g rz , g rt ) ⊕ H2 (µr , γID ) ⊕ (M ||σ) z r s+xH1 (ID,w) r r = H2 ((g ) , (g ) ) ⊕ H2 (µr , γID ) ⊕ (M ||σ) r = H2 (µr , (g s y H1 (ID,w) )r ) ⊕ H2 (µr , γID ) ⊕ (M ||σ) r r r r = H2 (µ , γID ) ⊕ H2 (µ , γID ) ⊕ (M ||σ) = M ||σ. 4 Security Analysis Basically, the main idea of the security proofs given in this section is to have the CDH attacker B simulate the “environment” of the Type I and Type II attackers AI and AII respectively until it can compute a Diffie-Hellman key g ab of g a and g b using the ability of AI and AII . As described in Definition 2, AI and AII will issue various queries such as random oracle, partial key extraction, public key request, private key extraction and decryption queries. B will respond to these queries with the answers identically distributed as those in the real attack. We note that for the attacker AI , B sets g a as a part of the challenge ciphertext and g b as a KGC’s public key. On the other hand, for the attacker AII , B sets g a as a part of the challenge ciphertext but uses g b to generate a public key associated with the challenge identity. The KGC’s public key is set up as g x where B knows random x ∈ ZZ∗q . This way, B can give the master key of the KGC to AII . We remark that care must be taken when the answers for the attackers’ public key request queries are simulated. One reason is that a public key in our scheme is related to not only a private key but also partial private and public keys obtained from the KGC. The other reason is that during the attack, the attackers are entitled to see (or receive) any public keys even associated with the target identity. The proofs given in this section address these two issues. Theorem 1. The CLPKE scheme based on the Schnorr signature is IND-CLPKECPA secure in the random oracle model, assuming that the CDH problem is intractable. In order to prove the above theorem, we prove two lemmas. Lemma 1 shows that our CLPKE scheme is secure against the Type I attacker whose behavior is as described in Definition 2. Lemma 1. The CLPKE scheme based on the Schnorr signature is (t, qH1 , qH2 , qH3 , qpaex , qprex , ǫ)-IND-CLPKE-CCA secure against the Type I attacker AI in ′ ′ the random oracle ³ model assuming that the CDH ´ problem is (t , ǫ )-intractable, qD qH2 q H2 qD 1 2ε ′ ′ where ε > qH e(qprex +1) − 2l1 − 2l1 − q and t > t + (qH1 + qH2 )O(1) + 3 qH3 (2TEX + O(1)) + (qpaex + qprex )(TEX + O(1)) + qD (2TEX + O(1)) where TEX denotes the time for computing exponentiation in ZZ∗p . Proof. Let AI be an IND-CLPKE-CCA Type I attacker. The number of queries to the oracles that AI makes and its running time are as defined in the above theorem statement. We show that using AI , one can construct an attacker B that can solve the CDH problem (Definition 3). Suppose that B is given (p, q, g, g a , g b ) as an instance of the CDH problem. (Note that the number of queries to the oracles that B makes and its running time are as defined in the above theorem statement). B can simulate the Challenger’s execution of each phase of IND-CLPKE-CCA game for AI as follows. [Simulation of Phase I-1] B sets y = g b and gives AI (p, q, g, y, H1 , H2 , H3 ) as params, where H1 , H2 and H3 are random oracles controlled by B as follows. On receiving a query (ID, w) to H1 : 1. If h(ID, w), ei exists in H1 List, return e as answer. 2. Otherwise, pick e ∈ ZZ∗q at random, add h(ID, w), ei to H1 List and return e as answer. On receiving a query (M, σ) to H2 : 1. If h(M, σ), ri exists in H2 List, return r as answer. 2. Otherwise, pick r ∈ ZZ∗q at random, add h(M, σ), ri to H2 List and return r as answer. On receiving a query (k1 , k2 ) to H3 : 1. If h(k1 , k2 ), Ri exists in H3 List, return R as answer. 2. Otherwise, pick R ∈ {0, 1}l at random, add h(k1 , k2 ), Ri to H3 List and return R as answer. [Simulation of Phase I-2] B answers AI ’s queries as follows. On receiving a partial key extraction query (ID, “partial key extract”): 1. If hID, (w, t)i exists in PartialKeyList, return (w, t) as answer. 2. Otherwise, do the following: (a) Pick t, e ∈ ZZ∗q at random and compute w = g t y −e ; add h(ID, w), ei to H1 List (That it, e is defined to be H1 (ID, w).) and hID, (w, t)i to PartialKeyList; return (w, t) as answer. Note from the above simulation that we have wy H1 (ID,w) = g t y −e y e = g t , which holds in the real attack too. On receiving a public key request query (ID, “public key request”): 1. If hID, (w, µ), coini exists in PublicKeyList, return P KID = (w, µ) as answer. 2. Otherwise, pick coin ∈ {0, 1} so that Pr[coin = 0] = δ. (δ will be determined later). 3. If coin = 0, do the following: (a) If hID, (w, t)i exists in PartialKeyList, pick z ∈ ZZ∗q at random and compute µ = g z ; add hID, (z, t)i to PrivateKeyList and hID, (w, µ), coini to PublicKeyList; return P KID = (w, µ) as answer. (b) Otherwise, run the above simulation algorithm for partial key extraction taking ID as input to get a partial key (w, t); pick z ∈ ZZ∗q at random and compute µ = g z ; add hID, (z, t)i to PrivateKeyList and hID, (w, µ), coini to PublicKeyList; return P KID = (w, µ) as answer. 4. Otherwise (if coin = 1), pick s, z ∈ ZZ∗q at random and compute w = g s and µ = g z ; add hID, (z, ?), si to PrivateKeyList and hID, (w, µ), coini to PublicKeyList; return P KID = (w, µ) as answer. On receiving a private key extraction query (ID, “private key extract”): 1. Run the above simulation algorithm for public key request taking ID as input to get a tuple hID, (w, µ), coini ∈ PublicKeyList. 2. If coin = 0, search PrivateKeyList for a tuple hID, (z, t)i and return SKID = (z, t) as answer. 3. Otherwise, return “Abort” and terminate. On receiving a decryption query (ID, P KID , C, “decryption ”), where C = (c1 , c2 ) and P KID = (w, µ): 1. Search PublicKeyList for a tuple hID, (w, µ), coini. 2. If such a tuple exists and coin = 0 (a) Search PrivateKeyList for a tuple hID, (z, t)i. (Note that from the simulation of public key request, hID, (z, t)i must exist in PrivateKeyList as long as one can find hID, (w, µ), coini with coin = 0 in PublicKeyList). (b) Compute M ||σ = H3 (cz1 , ct1 ) ⊕ c2 . (c) If c1 = g H2 (M,σ) , return M and “Reject” otherwise. 3. Else if such a tuple exists and coin = 1 (a) Run the above simulation algorithm for H1 to get a tuple h(ID, w), ei. (b) If there exist h(M, σ), ri ∈ H2 List and h(k1 , k2 ), Ri ∈ H3 List such that r , c1 = g r , c2 = R ⊕ (M ||σ), k1 = µr and k2 = γID where γID = wy e , return M and “Reject” otherwise. We remark that the pair h(M, σ), ri that satisfies the above condition uniquely exists in H2 List as the encryption function is injective with respect to (ID, w). 4. Else if such a tuple does not exist (This is the case when the public key of a target user is replaced by AI ) (a) Run the above simulation algorithm for H1 to get a tuple h(ID, w), ei. (b) If there exist h(M, σ), ri ∈ H2 List and hK, Ri ∈ H3 List such that r c1 = g r , c2 = R ⊕ (M ||σ), k1 = µr and k2 = γID , where γID = wy e , return M and “Reject” otherwise. [Simulation of Phase I-3] B answers AI ’s queries as follows. On receiving a challenge query (ID∗ , (M0 , M1 )): 1. Run the above simulation algorithm for public key request taking ID∗ as input to get a tuple hID∗ , (w∗ , µ∗ ), coini ∈ PublicKeyList. 2. If coin = 0 return “Abort” and terminate. 3. Otherwise, do the following: (a) Search PrivateKeyList for a tuple hID∗ , (z ∗ , ?), s∗ i. ∗ ∗ – In this case, we know that µ∗ = g z and w∗ = g s . (b) Pick σ ∗ ∈ {0, 1}l1 , c∗2 ∈ {0, 1}l and β ∈ {0, 1} at random. ∗ (c) Set c∗1 = g a , γID∗ = w∗ y e and e∗ = H1 (ID∗ , w∗ ). a ∗ ∗ (d) Define a = H2 (Mβ , σ ∗ ) and H3 (µ∗a , γID ∗ ) = c2 ⊕ (Mβ ||σ ). (Note that B does not know “a”). 4. Return C ∗ = (c∗1 , c∗2 ) as a target ciphertext. a ∗ * Note that by the construction given above, c∗2 = H3 (µ∗a , γID ∗ ) ⊕ (Mβ ||σ ) = ∗ ∗ ∗ s∗ H3 (g az , g a(s +bH1 (ID ,g )) ) ⊕ (Mβ ||σ ∗ ). [Simulation of Phase I-4] In this phase, B answers AI ’s queries in the same way as it did in Phase I-2. Note that ID∗ cannot be issued as a partial key extraction query and a private key extraction query while AI can freely replace public keys. Note also that no decryption queries should be made on C ∗ for the combination of ID∗ and P KID∗ = (w∗ , µ∗ ) that was used to encrypt Mβ . The decryption queries can be answered in the same way as in Phase 2. We just repeat the following important case: On receiving a decryption query (ID∗ , P KID∗ C), where C = (c1 , c2 ) and P KID∗ = (w∗ , µ∗ ) (In this case, we know that hID∗ , (w∗ , µ∗ ), coini exists in PublicKeyList with coin = 1).: – If there exist h(ID∗ , w∗ ), e∗ i ∈ H1 List, h(M, σ), ri ∈ H2 List and h(k1 , k2 ), Ri ∈ H3 List such that r c1 = g r , c2 = R ⊕ (M ||σ) , k1 = µr and k2 = γID ∗, ∗ where γID∗ = w∗ y e , return M and “Reject” otherwise. Again, we remark that the pair h(M, σ), ri that satisfies the above condition uniquely exists in H2 List as the encryption function is injective with respect to (ID∗ , w). [Simulation of Phase I-5] When AI outputs its β ′ , B returns the set S={ ³ k ´1/e∗ 2i |k2i is the second component of queries to H3 for i ∈ [1, qH3 ] g as∗ ∗ such that e∗ = H1 (ID∗ , w∗ ) and k1i = g az where k2i is the first component of queries to H3 }. [Analysis] We first evaluate the simulations of the random oracles given above. From the construction of H1 , it is clear that the simulation of H1 is perfect. As ∗ def ∗ ∗ def long as AI does not query (Mβ , σ ∗ ) to H2 nor g az ( = µ∗ ) and g a(s +be ) ( = ∗ def (w∗ y e )a ) to H3 , where σ ∗ , z ∗ and s∗ are chosen by B in Phase I-3 and e∗ = ∗ H1 (ID∗ , g s ), the simulations of H2 and H3 are perfect. By AskH∗3 we denote the ∗ event that (µ∗a , (w∗ y e )a ) has been queried to H3 . Also, by AskH∗2 we denote ∗ the event that (Mβ , σ ) has been queried to H2 . Next, one can notice that the simulated target ciphertext is identically distributed as the real one from the construction. Now, we evaluate the simulation of the decryption oracle. If a public key P KID has not been replaced nor P KID has not been produced under coin = 1, the simulation is perfect as B knows the private key SKID corresponding to P KID . Otherwise, simulation errors may occur while B running the decryption oracle simulator specified above. However, these errors are not significant as shown below: Suppose that (ID, P KID , C), where C = (c1 , c2 ) and P KID = (w, µ), has been issued as a valid decryption query. Even if C is valid, there is a possibility that C can be produced without querying (µr , (wy e )r ) to H3 , where e = H1 (ID, w) and r = H2 (M, σ). Let Valid be an event that C is valid. Let AskH3 and AskH2 respectively be events that (µr , (wy e )r ) has been queried to H3 and (M, σ) has been queried to H2 with respect to C = (c1 , c2 ) = (g r , (M ||σ) ⊕ H3 (µr , (wy e )r ) and P KID = (w, µ), where r = H2 (M, σ) and e = H1 (ID, w). We then have Pr[Valid|¬AskH3 ] ≤ Pr[Valid ∧ AskH2 |¬AskH3 ] + Pr[Valid ∧ ¬AskH2 |¬AskH3 ] ≤ Pr[AskH2 |¬AskH3 ] + Pr[Valid|¬AskH2 ∧ ¬AskH3 ] qH 1 ≤ l12 + . 2 q Let DecErr be an event that Valid|¬AskH3 happens during the entire simulation. Then, since qD decryption oracle queries are made, we have Pr[DecErr] ≤ qD qH2 + qqD . 2l1 Now define an event E to be (AskH∗3 ∨ (AskH∗2 |¬AskH∗3 ) ∨ DecErr)|¬Abort, where Abort denotes an event that B aborts during the simulation. (Notice that AskH∗2 and AskH∗3 are as defined above in the beginning). If E does not happen, it is clear that AI does not gain any advantage greater than 1/2 to guess β due to the randomness of the output of the random oracle H3 . Namely, we have Pr[β ′ = β|¬E] ≤ 12 . Hence, by splitting Pr[β ′ = β], we obtain Pr[β ′ = β] = Pr[β ′ = β|¬E] Pr[¬E] + Pr[β ′ = β|E] Pr[E] 1 1 1 ≤ Pr[¬E] + Pr[E] = + Pr[E] 2 2 2 and Pr[β ′ = β] ≥ Pr[β ′ = β|¬E] Pr[¬E] = 1 1 − Pr[E]. 2 2 By definition of ε, we then have ¯ 1¯ 1 ε < ¯ Pr[β ′ = β] − ¯ ≤ Pr[E] 2 2 ´ ³ 1 ≤ Pr[AskH∗3 ] + Pr[AskH∗2 |¬AskH∗3 ] + Pr[DecErr] . 2 Pr[¬Abort] First, notice that the probability that B does not abort during the simulation (the probability that ¬Abort happens) is given by δ qprv (1−δ) which is maximized 1 at δ = 1 − 1/(qprex + 1). Hence we have Pr[¬Abort] ≤ e(qprex +1) , where e denotes the base of the natural logarithm. q q q Since Pr[AskH∗2 |¬AskH∗3 ] ≤ 2Hl12 and Pr[DecErr] ≤ D2l1H2 + qqD , we obtain Pr[AskH∗3 ] ≥ 2ε e(qprex + 1) − qD qH2 qD qH2 − − . l l 1 1 2 2 q Meanwhile, if AskH∗3 happens then B will be able to solve the CDH problem ³ ´1/e∗ from the set S defined in the simulation of Phase I-5. by picking gkas2 i∗ Hence we have ε′ ≥ ε′ > 1 qH3 Pr[AskH∗3 ]. Consequently, we obtain 1 ³ 2ε qH3 e(qprex + 1) − qD qH2 qD ´ qH2 − − . 2l1 2l 1 q The running time of the CDH attacker B is t′ > t + (qH1 + qH2 )O(1) + qH3 (2TEX + O(1)) + O(1)) + (qpaex + qprex )(TEX + O(1)) + qD (2TEX + O(1)) where TEX denotes the time for computing exponentiation in ZZ∗p . The following lemma shows that our CLPKE scheme is secure against the Type II attacker. Lemma 2. The CLPKE scheme based on the Schnorr signature is (t, qH1 , qH2 , qH3 , qpaex , qprex , ǫ)-IND-CLPKE-CCA secure against the Type II attacker AII in ′ ′ the random oracle ³ model assuming that the CDH ´ problem is (t , ǫ )-intractable, q q q D H H q 1 2ε where ε′ > qH e(qprex +1) − 2l12 − 2l1 2 − qD and t′ > t + (qH1 + qH2 )O(1) + 3 qH3 (TEX + O(1)) + (qpaex + qprex )(TEX + O(1)) + qD (2TEX + O(1)) where TEX denotes the time for computing exponentiation in ZZ∗p . Due to lack of space, the proof of the above theorem is given in the full version of this paper. 5 Concluding Remarks We have presented the first CLPKE scheme that does not depend on the pairing. We have proven in the random oracle that that the scheme is IND-CLPKE-CCAsecure (Definition 2), relative to the hardness of the standard CDH problem. We remark that one may also construct a “Certificate-Based Encryption (CBE) [9]” scheme without pairing using a similar technique presented in this paper, which will be our future work. Acknowledgement The authors are grateful to the anonymous referees for their helpful comments. References 1. S. Al-Riyami and K. Paterson, Certificateless Public Key Cryptography, A full version, A short version appeared at Asiacrypt 2003, LNCS 2894, pp. 452–473, Springer-Verlag, 2003. 2. S. Al-Riyami and K. Paterson, CBE from CLPKE: A Generic Construction and Efficient Schemes, In PKC ’05, LNCS 3386, pp. 398–415, Springer-Verlag, 2005. 3. D. Balfanz, G. Durfee, N. Shankar, D. K. Smetters, J. Staddon, and H.C. Wong, Secret Handshakes from Pairing-Based Key Agreements, In IEEE Symposium on Security and Privacy ’03, pp. 180–196, IEEE Press, 2003. 4. M. Bellare and P. Rogaway, Random Oracles are Practical: A Paradigm for Designing Efficient Protocols, In ACM CCCS ’93, pp. 62–73, 1993. 5. D. Boneh and M. Franklin, Identity-Based Encryption from the Weil Pairing, In Crypto ’01, LNCS 2139, pp. 213–229, Springer-Verlag, 2001. 6. C. Castellucia, S. Jarecki and G. Tsudik, Secret Handshake from CA-Oblivious Encryption, In Asiacrypt ’04, LNCS 3329, pp. 293–307, Springer-Verlag, 2004. 7. C. Cocks, An Identity Based Encryption Scheme Based on Quadratic Residues, In IMA ’01, LNCS 2260, pp. 360–363, Springer-Verlag, 2001. 8. E. Fujisaki and T. Okamoto, Secure Integration of Asymmetirc and Symmetric Encryption Schemes, In Crypto ’99, LNCS 1666, pp. 537–554, Springer-Verlag, 1999. 9. C. Gentry, Certificate-Based Encryption and the Certificate Revocation Problem, In Eurocrypt ’03, LNCS 2656, pp. 272–293, Springer-Verlag, 2003. 10. M. Girault, Self Certified Public Keys, In Eurocrypt ’91, LNCS 547, pp. 490–497, Springer-Verlag, 1992. 11. J. Holt, R. Bradshaw, K. E. Seamons and H. Orman, Hidden Credentials, In ACM Workshop on Privacy in the Electronic Society (WPES) ’03, pp. 1–8, ACM Press, 2003. 12. MIRACL, Multiprecision Integer and Rational Arithmetic C/C++ Library, http://indigo.ie/ mscott/ 13. H. Petersen and P. Horster, Self-Certified Keys – Concepts and Applications, In International Conference on Communications and Multimedia Security, Chapman and Hall, 1997. 14. S. Saeednia, Identity-Based and Self-Certified Key-Exchange Protocols, In ACISP ’97, LNCS 1270, pp. 303–313, Springer-Verlag, 1997. 15. C. P. Schnorr, Efficient Identifications and Signatures for Smart Cards, In Crypto ’89, LNCS 435, pp. 239–251, Springer-Verlag, 1990. 16. A. Shamir: Identity-based Cryptosystems and Signature Schemes, In Crypto ’84, LNCS 196, pp. 47–53, Springer-Verlag, 1984. 17. D. Yum and P. Lee, Generic Construction of Certificateless Encryption, In ICCSA ’04, LNCS 3043, pp. 802–811, Springer-Verlag, 2004.