
Canetti-Halevi-Katz Transformation

In the document "Belajar tentang Identity-Based Encryption" (pages 85-89)

Canetti, Halevi and Katz [54] showed that the problem can be resolved in the context of (H)IBE by using a cryptographic primitive called one-time signature. So we begin with the notion of one-time signatures.

6.2.1 One-Time Signatures

A signature scheme is defined by three probabilistic polynomial time algorithms as follows:

Key-Generation: On input the security parameter $1^\kappa$, this probabilistic polynomial time algorithm outputs a pair of signing key ($sk$) and verification key ($vk$).

Sign: This algorithm takes as input a signing key $sk$ and a message $M$ from the appropriate message space $\mathcal{M}$ and outputs a signature $\sigma$.

Verify: This is a deterministic algorithm which on input a verification key $vk$, a message $M$ and a signature $\sigma$ on $M$ outputs accept or reject depending on whether $\sigma$ is a valid signature on $M$ or not.

As the name implies, a one-time signature means the signing key is used only once to sign a single message. A signature scheme (Key-Generation, Sign, Verify) is a strong, one-time signature scheme if the success probability of any probabilistic polynomial time adversary $A$ is negligible in the following game.

1. Key-Generation($1^\kappa$) outputs $(vk, sk)$. The adversary $A$ is given $vk$.

2. $A(1^\kappa, vk)$ may take one of the following actions:

a. $A$ outputs a message $M$ and in return is given a signature of $M$ under the signing key $sk$, i.e., $\sigma \leftarrow \mathrm{Sign}_{sk}(M)$. Then $A$ outputs a pair $(M', \sigma')$.

b. $A$ outputs a pair $(M', \sigma')$ and halts. In this case $(M, \sigma)$ is undefined, i.e., the adversary outputs a possible forgery without even seeing a single valid message-signature pair.

$A$ succeeds in the game if $\sigma'$ is a proper signature of $M'$ under the verification key $vk$, i.e., $\mathrm{Verify}_{vk}(M', \sigma') = \mathrm{accept}$ but $(M', \sigma') \neq (M, \sigma)$. Note that $A$ may succeed even if $M' = M$, which is the reason to call the scheme a strong one-time signature.

6.2.2 The Transformation

Let $H = (\text{Set-Up}, \text{Key-Gen}, \text{Encrypt}, \text{Decrypt})$ be the description of an $(h+1)$-HIBE for arbitrary $h \geq 1$ handling $(n+1)$-bit identities. Let $\mathrm{Sig} = (\text{Key-Generation}, \text{Sign}, \text{Verify})$ be a signature scheme which outputs an $n$-bit verification key. If $H$ is secure in the sense IND-ID-CPA and Sig is a strong one-time signature scheme, then one can construct an $h$-HIBE $H'$ secure in the sense IND-ID-CCA that handles $n$-bit identities.

Given an identity tuple $id = (id_1, \ldots, id_j) \in (\{0,1\}^n)^j$ of $H'$ we map it to an identity tuple of $H$ as

$$\mathrm{Encode}(id) = (0id_1, \ldots, 0id_j) \in (\{0,1\}^{n+1})^j$$

and $\mathrm{Encode}(\varepsilon) = \varepsilon$, i.e., the null string is mapped to itself. Let $\hat{id} = \mathrm{Encode}(id)$. The HIBE $H'$ is constructed in such a way that the private key $d_{id}$ of an identity tuple $id$ in $H'$ is equal to the private key $d_{\hat{id}}$ of $\hat{id}$ in $H$.

Construction of $H'$

Set-Up: Same as the Set-Up algorithm of $H$. The master key of $H'$, $msk_{H'}$, is the master key $msk_H$ of $H$. Similarly, the public parameter $PP$ of $H$ becomes the public parameter of $H'$.

Key-Gen: Let $d_{id}$ be the private key of $id$. To derive the private key of $(id, v)$ first obtain $\hat{id} = \mathrm{Encode}(id)$ and $\hat{v} = \mathrm{Encode}(v)$. Run $\text{Key-Gen}_{d_{\hat{id}}}(\hat{id}, \hat{v})$ and output the result as $d_{id,v}$.

In the case of IBE or the first level of HIBE, $id = \varepsilon$, so the master secret of the PKG (call it $d_\varepsilon$) is used to generate the private key of the identity $v$. Since the master secret of $H'$ is the same as the master secret of $H$, we have $d_v = d_{\hat{v}}$. Proceeding this way we see that for any identity tuple $(id, v)$ in $H'$, $d_{id,v} = d_{\hat{id},\hat{v}}$, given $d_{id} = d_{\hat{id}}$.

Encrypt: To encrypt a message $M$ to an identity tuple $id$, run the key generation algorithm of Sig, Key-Generation($1^\kappa$), to obtain $(vk, sk)$. Let $\hat{id} = (\mathrm{Encode}(id), (1vk))$, compute $C = \mathrm{Encrypt}_{PP}(\hat{id}, M)$ and $\sigma = \mathrm{Sign}_{sk}(C)$. The ciphertext is the tuple $\langle vk, C, \sigma \rangle$.

Note that the $n$-bit verification key is padded with 1 to get an $(n+1)$-bit “identity” whereas the Encode function pads an identity by 0. This difference plays a crucial role in the simulation.

Decrypt: Given the ciphertext $\langle vk, C, \sigma \rangle$ encrypted under $id$ and the corresponding private key $d_{id}$, first check whether $\mathrm{Verify}_{vk}(C, \sigma) = \mathrm{accept}$. If not, reject the ciphertext. Otherwise, let $\hat{id} = \mathrm{Encode}(id)$ and run $\text{Key-Gen}_{d_{\hat{id}}}(\hat{id}, (1vk))$ to generate the private key $d^* = d_{(\hat{id}, (1vk))}$ (recall that the identity used for encryption is $(\mathrm{Encode}(id), (1vk))$). Then output $M = \mathrm{Decrypt}_{d^*}((\hat{id}, (1vk)), C)$.
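As an added example (not from the book or its authors), here is the construction of Section 6.2.2 in Python: Sig is instantiated with a Lamport one-time signature (an assumed choice; any strong one-time signature works), and the $(h+1)$-HIBE $H$ is replaced by a toy HMAC key-delegation stand-in that is not a public-key scheme, so the block demonstrates only the wiring of $H'$ (Encode's 0-padding versus the 1-padded $vk$, a fresh one-time key per ciphertext, Verify before Key-Gen in decryption, and rejection of a modified $C$), not the scheme's security. All function names and the identity `alice@example.test` are constructed for the example.

```python
import hashlib, hmac, os
from functools import reduce

H = lambda b: hashlib.sha256(b).digest()
bit = lambda msg, i: (H(msg)[i // 8] >> (7 - i % 8)) & 1     # i-th bit of H(msg)

# Sig: Lamport one-time signature over the 256-bit hash of the message
def ots_keygen():
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]  # 256 preimage pairs
    return b"".join(H(a) + H(b) for a, b in sk), sk             # vk = all hashes, sk

def ots_sign(sk, msg):                                           # reveal one preimage per bit
    return b"".join(sk[i][bit(msg, i)] for i in range(256))

def ots_verify(vk, msg, sig):
    return len(sig) == 8192 and all(
        H(sig[32*i:32*i+32]) == vk[64*i+32*bit(msg, i):][:32] for i in range(256))

# Toy stand-in for the (h+1)-HIBE H (NOT public-key): d_{id,v} = HMAC(d_id, v) and
# Encrypt/Decrypt XOR with a keystream from the identity's key, so encrypting needs msk.
def keygen(d_id, v):                                             # Key-Gen_{d_id}(id, v)
    return hmac.new(d_id, v, "sha256").digest()

def derive(msk, ident):                                          # d_id from the root key
    return reduce(keygen, ident, msk)

def crypt(key, data):                                            # Encrypt == Decrypt here
    return bytes(x ^ y for x, y in zip(data, hashlib.shake_256(key).digest(len(data))))

def encode(ident):                         # Encode(id): 0-prefix each component; vk gets 1
    return [b"\x00" + c for c in ident]    # (a padding byte stands in for the padding bit)

def chk_encrypt(hibe_encrypt, ident, msg):                       # Encrypt of H'
    vk, sk = ots_keygen()                                        # fresh one-time key
    C = hibe_encrypt(encode(ident) + [b"\x01" + vk], msg)        # target (Encode(id), 1||vk)
    return vk, C, ots_sign(sk, C)                                # ciphertext <vk, C, sigma>

def chk_decrypt(d_id, ct):                                       # Decrypt of H'
    vk, C, sig = ct
    if not ots_verify(vk, C, sig):                               # Verify first, then derive
        return None                                              # reject
    return crypt(keygen(d_id, b"\x01" + vk), C)                  # d* = Key-Gen_{d_id}(., 1||vk)

def demo():                                # returns (honest decrypt, result for a tampered C)
    msk = os.urandom(32)                                         # PKG master key
    hibe_encrypt = lambda target, m: crypt(derive(msk, target), m)
    alice = [b"alice@example.test"]                              # constructed 1-level id
    vk, C, sig = chk_encrypt(hibe_encrypt, alice, b"hello")
    d_alice = derive(msk, encode(alice))                         # d_id = d_{Encode(id)}
    return (chk_decrypt(d_alice, (vk, C, sig)),
            chk_decrypt(d_alice, (vk, bytes([C[0] ^ 1]) + C[1:], sig)))
```

Because a delegated child of `alice` always gets a 0-prefixed component, no child key path can coincide with the 1-prefixed $vk$ component, which is the separation the text relies on.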

6.2.3 Security

Given an identity tuple $id = (id_1, \ldots, id_j)$, $j \leq h$, in $H'$, the sender encrypts the message $M$ to a $(j+1)$-level identity $\hat{id} = (\mathrm{Encode}(id), (1vk))$ of $H$, where $vk$ is the verification key of the underlying one-time signature scheme. The receiver having identity $id$ can derive the private key of $\hat{id}$ in $H$ from the private key $d_{id}$ in $H'$. This is possible because, as we have seen, the private key of $id$ in $H'$ is the same as the private key of $\mathrm{Encode}(id)$ in $H$.

Use of a strong one-time signature scheme ensures that the adversary will not be able to modify the challenge ciphertext to form another valid ciphertext. On the other hand, use of a CPA-secure $(h+1)$-level HIBE and encoding the verification key of the signature scheme in a different way than a normal identity component ensure that a proper decryption key can be generated for any ciphertext encrypted under the target identity. This intuitive idea is formalized into a reductionist argument as discussed below.

For simplicity, we will assume that the probability of forging a one-time signature, $\Pr[\mathrm{Forge}]$, is negligible. A more precise argument can be given to show an upper bound on the advantage of breaking the CCA-security of the constructed HIBE in terms of the probability of forging a signature and the advantage of breaking the CPA-secure HIBE.

Under the assumption that the probability of forging a signature is negligible, the following argument shows that an IND-ID-CPA adversary $A$ against $H$ can be constructed from an IND-ID-CCA adversary $A'$ against $H'$. Note that we are considering the adaptive-ID model and the argument can be easily modified for the selective-ID model.

1. $A$ obtains the public parameter $PP$ from its challenger, which it relays to $A'$.

2. In Phase 1, whenever $A'$ asks for the private key of an identity $id$, $A$ asks its challenger for the private key $d_{\hat{id}}$ where $\hat{id} = \mathrm{Encode}(id)$ and returns it to $A'$.

3. In Phase 1, on a decryption query of the form $(id, \langle vk, C, \sigma \rangle)$ from $A'$, $A$ first checks whether $\mathrm{Verify}_{vk}(C, \sigma) = \mathrm{accept}$. If not, $A$ returns reject. Otherwise it asks its challenger for the private key of $(\hat{id}, 1vk)$ where $\hat{id} = \mathrm{Encode}(id)$, uses this private key to decrypt $C$ and returns the resulting plaintext to $A'$.

4. In the challenge stage, $A'$ outputs two messages $M_0, M_1$ and a target identity tuple $id^* = \langle id_1^*, \ldots, id_j^* \rangle$, $j \leq h$. As per the rule of the game, the private key of $id^*$ or any of its prefixes was not revealed in Phase 1. $A$ first runs the key generation algorithm Key-Generation of Sig to generate $(vk^*, sk^*)$. It outputs the same messages $M_0, M_1$ and $(\mathrm{Encode}(id^*), (1vk^*))$ as its target identity. In response, it receives a challenge ciphertext $C^*$. Now $A$ computes $\sigma^* = \mathrm{Sign}_{sk^*}(C^*)$ and returns the ciphertext $\langle vk^*, C^*, \sigma^* \rangle$ to $A'$.

5. In Phase 2, $A'$ makes additional decryption queries and private key extraction queries with the usual restriction that it cannot ask for the private key of $id^*$ or any of its prefixes, nor for a decryption of the challenge ciphertext under $id^*$ or any of its prefixes. The key extraction queries are answered as in Phase 1. For a decryption query of the form $(id, \langle vk, C, \sigma \rangle)$ from $A'$, $A$ takes the following action:

a. If $id = id^*$ and $vk = vk^*$, return reject. (The security of the strong one-time signature scheme ensures that the adversary cannot generate a valid ciphertext in this case.)

b. If $id \neq id^*$, or if $id = id^*$ but $vk \neq vk^*$, then $A$ sets $\hat{id} = \mathrm{Encode}(id)$ and requests its challenger for the private key of $(\hat{id}, (1vk))$. It decrypts the ciphertext using this private key and returns the result to $A'$.

6. Finally $A'$ outputs its guess $\gamma$. The same $\gamma$ is output by $A$.

In the above simulation, $A$ poses as a real challenger for $A'$. Since we have assumed that the probability of forging a signature is negligible, the advantage of $A'$ against $H'$ translates into the advantage of $A$ against $H$.

Based on this generic transformation, any CPA-secure 2-level HIBE can be used to construct a CCA-secure IBE. More generally, a CPA-secure $(h+1)$-HIBE gives a CCA-secure $h$-HIBE. Hence, protocol designers can concentrate on constructing protocols that achieve CPA-security (be it in the full model or the selective-ID model) without random oracles and then apply this transformation to achieve CCA-security. Protocols such as the Boneh-Boyen HIBE and the Boneh-Boyen-Goh HIBE described in Chapter 5 accomplish this in the selective-ID model, while the Boneh-Boyen IBE and Waters IBE to be described in Chapter 7 accomplish this in the full model.
