The HIBE scheme of Section 7.4 can be modified to achieve CCA-security. This modification is based on the technique used by Boyen, Mei and Waters [49] as explained in Chapter 6. Symmetric key techniques are combined with the CPA-secure HIBE to obtain a hybrid construction. Several pairing computations can be eliminated by using symmetric key authenticated encryption (AE) to check for ciphertext validity. The details of the CCA-secure scheme are given in Figure 7.1. Bold entries denote the portions that are introduced to obtain CCA-security over and above the CPA-secure scheme in Section 7.4.
The scheme uses three extra primitives which have not been considered so far.
Below we provide a brief description of these primitives and refer the reader to places where more details may be found.
Authenticated Encryption. This is a symmetric key primitive which combines the dual role of encryption and authentication into a single functionality. There are two algorithms associated with the primitive: AE.Encrypt and AE.Decrypt. The algorithm AE.Encrypt takes as input a nonce (or initialization vector $IV$) and the message $M$ and uses the secret key $dk$ to produce the ciphertext $(cpr, tag)$. Typically, the length of $cpr$ is equal to that of $M$ and $tag$ is some extra information which provides authentication. Algorithm AE.Decrypt takes $(cpr, tag)$ as input and provides as output either the corresponding message $M$ or the symbol $\bot$ which denotes that the authentication has failed. Intuitively, an AE scheme provides confidentiality of the message and at the same time ensures that active tampering of the ciphertext by an adversary will be detected. Formal description of AE schemes was first independently proposed in [22, 119]. It is not too difficult to design AE schemes using block ciphers which make two passes over the data. Somewhat counter-intuitively, several one-pass AE schemes [114, 96, 149] have been constructed, the most famous among which is the OCB mode [149]. See [57, 153] for a general family of one-pass AE schemes as well as for schemes which offer certain advantages over OCB.
Universal One-Way Hash Family (UOWHF). This is a family of hash functions $\{H_s\}_{s \in S}$ where each $H_s$ has the same domain and range. An adversarial game for the family is defined as follows. The adversary chooses $x$ from the domain; it is then given a uniform random $s$ and has to find an $x'$ distinct from $x$ such that $H_s(x) = H_s(x')$. Compared to the usual notion of collision resistance, this game is more difficult for the adversary, since the adversary has to commit to one of the inputs even before knowing the function for which a collision has to be found. Viewed differently, the requirement on the hash function is weaker, and so it may be more desirable to base a scheme on a UOWHF rather than on a collision-resistant hash function. The notion of UOWHF was introduced by Naor and Yung [140] and was analysed in the concrete security setting by Bellare and Rogaway [25]. For later practically oriented work on extending the domain of a UOWHF see [159, 152].
Key Derivation Function (KDF). A KDF function maps a domain to a range in a manner such that if the input to the KDF is a random element of the domain, then the output of the KDF is indistinguishable from random to a computationally bounded adversary. This notion was introduced by Shoup [162] as a component in constructing hybrid PKE schemes.
The formal security reduction is long. We provide some idea of the argument with reference to Figure 7.1. The scheme is obtained by modifying the previous CPA-secure scheme. So, the technique for simulating key extraction queries is already built into the system. Also, for the challenge ciphertext, all elements except for $C_2$ can be properly generated. The additional mechanism is used to ensure that decryption queries can be properly handled and that the component $C_2$ of the challenge ciphertext can be properly generated.
Essentially, there are two separate encapsulations of the session key $K$. The first is using the CPA-secure HIBE scheme and the second is using the Boneh-Boyen selective-identity secure IBE scheme. The identity for the first encapsulation is the actual identity for which encryption is done, while the "identity" for the second encapsulation is the output of the function $H_s$. This is the basic idea of the Boyen-Mei-Waters transformation of a CPA-secure IBE to a CCA-secure PKE discussed in Chapter 6.
Note that the length $j$ of the identity tuple is part of the input to $H_s$. This binding of the length of the identity tuple ensures that, given the challenge ciphertext, it is not possible to trivially make a decryption query on a proper prefix of the challenge identity by simply discarding some elements from the challenge ciphertext.
If a decryption query is made for an identity which is not equal to the challenge identity or one of its prefixes, then (as is standard) the technique of simulating key extraction queries is used to generate a proper decryption key for this identity, and that key is used to decrypt the ciphertext and answer the query. The problem arises when the identity is either the challenge identity or one of its prefixes. In this case, it can be argued that the inputs to $H_s$ for the decryption query and for the challenge ciphertext are necessarily different. So, (using the UOWHF property) the outputs are also different. Since this output is an "identity" for the second encapsulation through the in-built BB-IBE scheme, the technique for simulating key extraction queries in the BB-IBE scheme can be used to obtain a decryption key for this identity and then use it to decrypt the ciphertext. In a similar manner it is possible to show that the element $C_2$ can be properly generated.
Suppose that the adversary makes a mal-formed decryption query where the elements $C_1, C_2, B_1, \ldots, B_j$ do not satisfy the relation to each other as required, i.e., they are not formed by using the same randomiser. The relation between $C_1$ and $C_2$ is explicitly checked by the pairing computation in the decryption algorithm. But, the relation between $C_1$ and $B_1, \ldots, B_j$ is not explicitly checked. If the required relation (i.e., the discrete log to the respective bases is $t$) does not hold, then it can be argued that the session key $K$ generated in the decryption algorithm is a random element which is independent of the $K^*$ implicitly defined by the challenge ciphertext. The decryption algorithm of the AE scheme will be invoked with a random key $K$ for which the adversary has not earlier seen any ciphertext. So, the authentication mechanism of the AE scheme will generate an invalid ciphertext error and $\bot$ will be returned to the adversary. Note that the crucial issue here is that the relation between $C_1$ and $B_1, \ldots, B_j$ is implicitly verified using the AE scheme. Doing this directly would have required a number of pairing computations which would make the decryption algorithm less efficient.
The pairing based approach for verifying well-formedness of the ciphertext has been used in [120].
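The hybrid layer of Figure 7.1 (steps 4 and 5 of Encrypt, steps 4 to 6 of Decrypt) and the argument above that a mal-formed query ends in $\bot$, as an added Python example that is not from the book: the KDF is an HMAC-SHA256 expansion and the AE is a constructed two-pass encrypt-then-MAC scheme, both stand-ins since the text fixes neither; the session key $K$ is treated as an opaque 32-byte string standing for the encoding of $e(P_1, P_2)^t$, so the pairing steps themselves are not modelled.

```python
import hashlib, hmac, secrets

BOTTOM = None  # stands for the symbol ⊥ returned when AE authentication fails

def kdf(K):
    # KDF(K) -> (IV, dk): constructed HMAC-SHA256 expansion (the text fixes no KDF).
    # In the real scheme K is the byte encoding of the session key e(P1, P2)^t.
    prk = hmac.new(b"fig-7.1-kdf-salt", K, hashlib.sha256).digest()
    iv = hmac.new(prk, b"IV\x01", hashlib.sha256).digest()[:16]
    dk = hmac.new(prk, b"dk\x02", hashlib.sha256).digest()  # 16 bytes enc + 16 bytes mac
    return iv, dk

def _keystream(ek, iv, n):
    # Counter-mode keystream from HMAC-SHA256 (constructed PRF, not a standard cipher).
    blocks = [hmac.new(ek, iv + c.to_bytes(4, "big"), hashlib.sha256).digest()
              for c in range((n + 31) // 32)]
    return b"".join(blocks)[:n]

def ae_encrypt(dk, iv, M):
    # Two-pass AE (encrypt-then-MAC): len(cpr) == len(M); tag authenticates (IV, cpr).
    ek, mk = dk[:16], dk[16:]
    cpr = bytes(a ^ b for a, b in zip(M, _keystream(ek, iv, len(M))))
    tag = hmac.new(mk, iv + cpr, hashlib.sha256).digest()
    return cpr, tag

def ae_decrypt(dk, iv, cpr, tag):
    # Returns M, or BOTTOM when the tag fails (checked before anything is decrypted).
    ek, mk = dk[:16], dk[16:]
    if not hmac.compare_digest(hmac.new(mk, iv + cpr, hashlib.sha256).digest(), tag):
        return BOTTOM
    return bytes(a ^ b for a, b in zip(cpr, _keystream(ek, iv, len(cpr))))

def dem_encrypt(K, M):
    # Encrypt steps 4-5 of Figure 7.1: (IV, dk) = KDF(K); (cpr, tag) = AE.Encrypt_dk(IV, M).
    iv, dk = kdf(K)
    return ae_encrypt(dk, iv, M)

def dem_decrypt(K, cpr, tag):
    # Decrypt steps 4-6 of Figure 7.1; BOTTOM models the abort in step 5.
    iv, dk = kdf(K)
    return ae_decrypt(dk, iv, cpr, tag)

def malformed_query_is_rejected(M=b"constructed sample message"):
    # The argument in the text: an inconsistent (C1, B1, ..., Bj) makes the K of Decrypt
    # step 3 independent of the challenge key K*, so AE.Decrypt under it returns ⊥.
    K_star = secrets.token_bytes(32)    # session key implicitly defined by the challenge
    cpr, tag = dem_encrypt(K_star, M)
    K_random = secrets.token_bytes(32)  # key that a mal-formed query actually leads to
    return dem_decrypt(K_random, cpr, tag) is BOTTOM and dem_decrypt(K_star, cpr, tag) == M
```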
Fig. 7.1 CCA-secure HIBE.

1. Maximum depth of the HIBE is $h$.
2. Identities are of the form $id = (id_1, \ldots, id_j)$, $j \in \{1, \ldots, h\}$, $id_k = (id_{k,1}, \ldots, id_{k,l})$ and $id_{k,i}$ is an $(n/l)$-bit string.
3. The setting $(p, G = \langle P \rangle, G, G_T, e)$ is of Type 1 pairing.
4. The notation $V_k()$ is given in (7.4.8).
5. It is possible to avoid computing the pairing value $e(P_1, P_2)$ during encryption by replacing $P_2$ in the public parameters by $e(P_1, P_2)$.

HIBE.Set-Up
1. Choose $x$ randomly from $\mathbb{Z}_p$.
2. Set $P_1 = xP$.
3. Choose $P_2, U'_1, \ldots, U'_h, U_1, \ldots, U_l$ randomly from $G$.
4. Choose $W$ randomly from $G$.
5. Let $H_s : \{1, \ldots, h\} \times G \to \mathbb{Z}_p$ be chosen from a UOWHF and made public.
6. Public parameters: $P, P_1, P_2, U'_1, \ldots, U'_h, U_1, \ldots, U_l$ and $W$.
7. Master secret key: $xP_2$.

HIBE.KeyGen: Identity $id = (id_1, \ldots, id_j)$.
1. Choose $r_1, \ldots, r_j$ randomly from $\mathbb{Z}_p$.
2. $d_0 = xP_2 + \sum_{k=1}^{j} r_k V_k(id_k)$.
3. $d_k = r_k P$ for $k = 1, \ldots, j$.
4. Output $d_{id} = (d_0, d_1, \ldots, d_j)$.

HIBE.Encrypt: Identity $id = (id_1, \ldots, id_j)$; message $M$.
1. Choose $t$ randomly from $\mathbb{Z}_p$.
2. $C_1 = tP$, $B_1 = tV_1(id_1), \ldots, B_j = tV_j(id_j)$.
3. $K = e(P_1, P_2)^t$.
4. $(IV, dk) = \mathrm{KDF}(K)$.
5. $(cpr, tag) = \mathrm{AE.Encrypt}_{dk}(IV, M)$.
6. $\gamma = H_s(j, C_1)$; $W_\gamma = W + \gamma P_1$; $C_2 = tW_\gamma$.
7. Output $(C_1, C_2, B_1, \ldots, B_j, cpr, tag)$.

HIBE.Decrypt: Identity $id = (id_1, \ldots, id_j)$; ciphertext $(C_1, C_2, B_1, \ldots, B_j, cpr, tag)$; decryption key $d_{id} = (d_0, d_1, \ldots, d_j)$.
1. $\gamma = H_s(j, C_1)$; $W_\gamma = W + \gamma P_1$.
2. If $e(C_1, W_\gamma) \neq e(P, C_2)$ return $\bot$.
3. $K = e(d_0, C_1) \times \prod_{k=1}^{j} e(B_k, -d_k)$.
4. $(IV, dk) = \mathrm{KDF}(K)$.
5. $M = \mathrm{AE.Decrypt}_{dk}(IV, cpr, tag)$. (This may abort and return $\bot$.)
6. Output $M$.