
CPA-Secure Construction

In the document Belajar tentang Identity-Based Encryption (pages 114-118)

8.1 Gentry’s IBE

8.1.1 CPA-Secure Construction

Before going into the construction of the scheme we mention two things.

First, the scheme actually provides recipient anonymity, i.e., it is an anonymous IBE. This notion has been described in Chapter 2 and we briefly recall the concept.

The idea is that given a ciphertext it is computationally infeasible for an adversary to determine for which identity it was generated. Formally, the notion of anonymity is captured by asking the adversary in the challenge stage to provide a pair of identities $(id_0, id_1)$ along with a pair of equal length messages $(M_0, M_1)$. A pair of independent and uniform random bits $(b, c)$ is chosen and the challenge ciphertext is generated for the message $M_b$ under the identity $id_c$, which is then provided to the adversary.

In this model, the adversary has to guess both the bits $b$ and $c$ with probability significantly away from $1/4$.

Second, the security of the scheme is based on the hardness of the (truncated) decision $q$-ABDHE problem (see Chapter 3). An instance of this problem consists of a tuple $(P', P'_{q+2}, P, P_1, \ldots, P_q, Z)$ where $P_i = \alpha^i P$ and $P'_{q+2} = \alpha^{q+2} P'$ for some random $\alpha \in \mathbb{Z}_p$. The task is to decide whether $Z$ is equal to $e(P_{q+1}, P')$ or $Z$ is a random element of $G_T$. Here $q$ is a parameter of the problem instance. In the proof relating the security of the IBE scheme to this problem, $q$ will depend on the maximum number of key-extraction queries the adversary is allowed to make. In other words, the hardness assumption required for security is a non-static one.

We now describe the CPA-secure scheme of Gentry followed by its security reduction.

Set-Up: The PKG chooses independent and uniform random elements $P$ and $Q$ from $G$; a uniform random element $\alpha$ from $\mathbb{Z}_p$; and sets $P_1 = \alpha P$. The public parameters consist of $(P, P_1, Q)$ while the master secret key is $\alpha$. Identities are elements of $\mathbb{Z}_p$.

Key-Gen: The input is an identity $id \in \mathbb{Z}_p$ and the PKG generates a decryption key $d_{id}$ for this identity. To do this, the PKG chooses a uniform random $r \in \mathbb{Z}_p$ and sets $d_{id} = (r, Q_{id})$, where

$$Q_{id} = \frac{1}{\alpha - id}\,(Q - rP).$$

Ifid=α, then the PKG aborts; an event which occurs with probability 1/p.

Encrypt: The input consists of a message $M \in G_T$ and an identity $id \in \mathbb{Z}_p$. The sender generates a uniform random $t \in \mathbb{Z}_p$ and computes the ciphertext to be $(U, V, W)$ where

$$U = t(P_1 - id \cdot P); \qquad V = e(P, P)^t; \qquad W = M \times e(P, Q)^{-t}.$$

Decrypt: On input $(U, V, W)$; identity $id$; and decryption key $d_{id} = (r, Q_{id})$, the receiver outputs

$$W \times e(U, Q_{id}) \times V^r.$$

If the ciphertext and the decryption key are proper, then the correctness of the decryption can be seen by the following computation, using $P_1 - id \cdot P = (\alpha - id)P$.

$$\begin{aligned}
e(U, Q_{id}) \times V^r &= e\!\left(t(\alpha - id)P,\ \frac{1}{\alpha - id}(Q - rP)\right) \times e(P, P)^{tr} \\
&= e(tP,\ Q - rP) \times e(P, P)^{tr} \\
&= e(P, Q)^t \times e(P, P)^{-tr} \times e(P, P)^{tr} \\
&= e(P, Q)^t.
\end{aligned}$$

Multiplying $W = M \times e(P, Q)^{-t}$ by this value returns $M$.

The security statement for this scheme is given below.

Theorem 8.1. Let $q = q_{id} + 1$, where $q_{id}$ is the number of key extraction queries.

The above scheme is $(t, \varepsilon, q_{id})$-ANON-IND-ID-CPA secure if the truncated decision $(t', \varepsilon', q)$-ABDHE assumption holds, where $\varepsilon = \varepsilon' + 2/p$ and $t' = t + O(q^2 \tau)$; $\tau$ is the time for a scalar multiplication in $G$.

Proof: Let $\mathcal{A}$ be a $(t, \varepsilon, q_{id})$-adversary for the ANON-IND-ID-CPA game. This is used to construct an algorithm $\mathcal{B}$ which solves the truncated decision $q$-ABDHE problem. $\mathcal{B}$ takes as input a tuple $(P', P'_{q+2}, P, P_1, \ldots, P_q, Z)$, where $Z$ is either $e(P_{q+1}, P')$ or a random element of $G_T$. Note that $P_i = \alpha^i P$, for some random $\alpha \in \mathbb{Z}_p$. Algorithm $\mathcal{B}$ proceeds as follows.

Set-Up: $\mathcal{B}$ generates a random polynomial $f(x)$ of degree $q$ with coefficients in $\mathbb{Z}_p$ and sets $Q = f(\alpha)P$. Note that $Q$ can be computed by using the elements $P, P_1, \ldots, P_q$: if $f(x) = \sum_{i=0}^{q} f_i x^i$ then $Q = \sum_{i=0}^{q} f_i P_i$, so $\alpha$ itself is not needed. The public key $(P, P_1, Q)$ is given to the adversary. Since $P$, $\alpha$ and $f(x)$ are chosen independently and uniformly at random, the distribution of the public key is the same as that in the actual scheme.

Key Extraction Query: This can happen in both Phase 1 and Phase 2 and is tackled in the same manner in both phases. Suppose $\mathcal{A}$ asks for the decryption key of an identity $id \in \mathbb{Z}_p$. If $id = \alpha$, then $\mathcal{B}$ can immediately solve the given instance of the truncated $q$-ABDHE problem. Otherwise, let $F_{id}(x)$ be the degree $(q-1)$ polynomial $(f(x) - f(id))/(x - id)$. $\mathcal{B}$ now defines the private key for $id$ to be $(f(id), F_{id}(\alpha)P)$. The fact that this is a valid private key for $id$ can be seen from the following simple computation.

$$F_{id}(\alpha)P = \frac{f(\alpha) - f(id)}{\alpha - id}\,P = \frac{1}{\alpha - id}\,(f(\alpha)P - f(id)P) = \frac{1}{\alpha - id}\,(Q - f(id)P).$$

This is exactly the key that Key-Gen would produce for the choice $r = f(id)$. As with $Q$, the point $F_{id}(\alpha)P$ is assembled from the coefficients of $F_{id}(x)$ and the elements $P, P_1, \ldots, P_{q-1}$ without using $\alpha$.

Challenge: Suppose $\mathcal{A}$ outputs two identities $id_0, id_1$ and two messages $M_0, M_1$. As in the case of simulation of key extraction queries, if $\alpha$ is either $id_0$ or $id_1$, then $\mathcal{B}$ can immediately solve the given instance of the truncated $q$-ABDHE problem. So, assume that this is not the case. $\mathcal{B}$ generates two independent and uniform random bits $b, c$ and computes a private key $(r, Q_{id_b})$ for $id_b$ using the method for simulating key extraction queries.

Let $f'(x) = x^{q+2}$ and let

$$F'_{id_b}(x) = \frac{f'(x) - f'(id_b)}{x - id_b} = \frac{x^{q+2} - id_b^{\,q+2}}{x - id_b} = x^{q+1} + id_b\, x^{q} + \cdots + id_b^{\,q}\, x + id_b^{\,q+1}.$$

This is a polynomial of degree $(q+1)$. Let $P_0 = P$. The challenge ciphertext consists of $(U, V, W)$ where

$$U = (f'(\alpha) - f'(id_b))\,P'; \qquad V = Z \times e\!\left(P',\ \sum_{i=0}^{q} F'_{id_b, i}\, P_i\right); \qquad W = M_c \big/ \left(e(U, Q_{id_b}) \times V^r\right).$$

In the above, $F'_{id_b, i} = id_b^{\,q+1-i}$ is the coefficient of $x^i$ in the polynomial $F'_{id_b}(x)$. In effect, the sum $\sum_{i=0}^{q} F'_{id_b, i} P_i$ is equal to

$$F'_{id_b}(\alpha)P - \alpha^{q+1}P = (id_b\, \alpha^{q} + \cdots + id_b^{\,q}\, \alpha + id_b^{\,q+1})\,P = id_b\, P_q + \cdots + id_b^{\,q}\, P_1 + id_b^{\,q+1}\, P_0.$$

This can be computed from the knowledge of the coefficients $F'_{id_b, i}$ and the $P_i$s and without the knowledge of $\alpha$. Likewise $U = P'_{q+2} - id_b^{\,q+2}\, P'$ is computed from the instance element $P'_{q+2} = \alpha^{q+2}P'$, which is why the instance contains it.

Guess: At the end, $\mathcal{A}$ outputs guesses $b'$ and $c'$ of $b$ and $c$ respectively. If $b' = b$ and $c' = c$, then $\mathcal{B}$ outputs 1 (indicating that $Z$ is real), otherwise it outputs 0.

As already noted, the distribution of the public parameters is as required by the actual scheme. Further, if $Z$ is real, i.e., $Z = e(P_{q+1}, P')$, then the distribution of the ciphertext is also the same as in the actual scheme. This can be seen from the following computation. Note that $f'(\alpha) - f'(id_b) = (\alpha - id_b)\, F'_{id_b}(\alpha)$. Let $s = (\log_P P')\, F'_{id_b}(\alpha)$ and then $U = s(\alpha - id_b)P$. Now, using the value of $Z$,

$$V = e(P_{q+1}, P') \times e\!\left(P',\ \sum_{i=0}^{q} F'_{id_b, i}\, P_i\right) = e\!\left(P',\ F'_{id_b}(\alpha)P\right) = e(P, P)^s$$

and so

$$\frac{M_c}{W} = e(U, Q_{id_b}) \times V^r = e(P, Q)^s,$$

i.e., $W = M_c \times e(P, Q)^{-s}$, which is a proper encryption of $M_c$ under $id_b$ with randomness $s$. This follows because $U$ and $V$ are of proper form and $(r, Q_{id_b})$ is a proper private key for $id_b$. The details of this calculation are similar to the one given to show the correctness of decryption.

Consider a set $I$ consisting of $\alpha$, $id_b$ and the identities queried by $\mathcal{A}$. The independent and uniform random distribution of the decryption keys will follow if it holds that the values $f(a)$ ($a \in I$) are independent and uniform random. This follows from the observations that $|I| \le q + 1$ and $f$ is a polynomial of degree $q$ whose coefficients are chosen independently and uniformly at random from $\mathbb{Z}_p$.

If $Z$ is real, then the simulation is perfect; let $X_0$ be the event that $\mathcal{A}$'s guesses are both correct in this case. Let $X_1$ be the event that the adversary's guesses are both correct when $Z$ is a uniform random element of $G_T$. Clearly,

$$\Pr[X_0] - \Pr[X_1] = \Pr[\mathcal{B} \text{ outputs } 1 \mid Z \text{ is real}] - \Pr[\mathcal{B} \text{ outputs } 1 \mid Z \text{ is random}] \le \varepsilon'.$$

Now we argue that when $Z$ is random, the ciphertext statistically hides the bits $b$ and $c$ from the adversary. The challenge ciphertext consists of three elements $U$, $V$ and $W$. We show that the randomness of these three elements is determined by three independent and uniform random quantities $\alpha$, $Z$ and $r$ which are themselves independent of $b$ and $c$. Here $r$ is part of the private key and is computed as $r = f(id_b)$. Since $f$ is a polynomial with coefficients chosen uniformly at random from $\mathbb{Z}_p$, $r$ is uniformly distributed.

The independent and uniform random choices of $\alpha$ and $Z$ ensure that $U$ and $V$ are independent and uniform random. Let $E$ be the event that $V = e(U, P)^{1/(\alpha - id_0)}$ or $V = e(U, P)^{1/(\alpha - id_1)}$. Then $\Pr[E] \le 2/p$. If $E$ does not occur, then by the uniform random choice of $r$

$$e(U, Q_{id_b}) \times V^r = e\!\left(U,\ \frac{1}{\alpha - id_b}(Q - rP)\right) \times V^r = e(U, Q)^{1/(\alpha - id_b)} \times \left(\frac{V}{e(U, P)^{1/(\alpha - id_b)}}\right)^{r}$$

is a uniform random element of $G_T$ (when $E$ does not occur the base of the last power is not the identity of $G_T$, so raising it to a uniform $r$ gives a uniform element), and so $U$, $V$ and $W$ are independent and uniform random elements. So, these perfectly hide the bits $b$ and $c$ from $\mathcal{A}$. It follows that $\Pr[X_1 \mid \overline{E}] = 1/4$. Further,

$$\Pr[X_1] = \Pr[X_1 \mid E]\Pr[E] + \Pr[X_1 \mid \overline{E}]\Pr[\overline{E}] \le \Pr[E] + \Pr[X_1 \mid \overline{E}]$$

and so $\Pr[X_1] - \Pr[X_1 \mid \overline{E}] \le \Pr[E]$.

If we let $\mathcal{A}$ be an adversary which maximizes the advantage of breaking the IBE scheme among all adversaries that run in time $t$ and make $q_{id}$ key extraction queries, then we have

$$\varepsilon = \Pr[X_0] - \frac{1}{4} = \Pr[X_0] - \Pr[X_1 \mid \overline{E}] = \Pr[X_0] - \Pr[X_1] + \Pr[X_1] - \Pr[X_1 \mid \overline{E}] \le \varepsilon' + \frac{2}{p}.$$

The time for $\mathcal{B}$ to simulate the queries of $\mathcal{A}$ is dominated by the time to compute $F_{id}(\alpha)P$, where $F_{id}(x)$ is a polynomial of degree $q-1$. Each evaluation requires $O(q)$ scalar multiplications in $G$, for a total of $O(q^2)$ scalar multiplications overall. ⊓⊔
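The scheme of 8.1.1 and the Key Extraction Query step of the proof above, as an added example that is not code from the book. It runs Set-Up, Key-Gen, Encrypt and Decrypt, then has the simulator $\mathcal{B}$ build $Q = \sum_i f_i P_i$ and the key $(f(id), F_{id}(\alpha)P)$ from the instance elements $P, P_1, \ldots, P_q$ alone, obtaining $F_{id}(x) = (f(x) - f(id))/(x - id)$ by synthetic division, and checks that the simulated key decrypts and coincides with Key-Gen's output for $r = f(id)$. The bilinear group is a constructed toy: each element of $G$ is stored as its discrete log to a fixed base point, and $G_T$ is the order-$p$ subgroup of $\mathbb{Z}_N^*$ with $e(aP_0, bP_0) = g^{ab}$. The prime $p = 1009$, the derived $N$ and $g$, and every function name are assumptions of the example; because every discrete log is visible it models the algebra only and is not a usable cryptosystem.

```python
"""Toy model of Gentry's CPA-secure IBE (additive notation, as on the page) and of
the simulator's key-extraction step from the proof of Theorem 8.1.
Added example, not code from the book. The bilinear group is constructed: an
element of G is stored as its discrete log to a fixed base P_0 (the integer a
stands for a*P_0), and G_T is the order-p subgroup of Z_N^* with
e(a*P_0, b*P_0) = g^(a*b) mod N. Logs are visible, so this is a correctness
model only, not a secure implementation."""
import secrets

def is_prime(n):
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))

# Constructed parameters (assumed values): p is the group order, N = k*p + 1
# is prime and g generates the order-p subgroup of Z_N^*.
p = 1009
k = next(k for k in range(2, 10_000, 2) if is_prime(k * p + 1))
N = k * p + 1
g = next(x for x in (pow(h, k, N) for h in range(2, N)) if x != 1)

def e(X, Y):
    """Bilinear map in the log representation: e(a*P_0, b*P_0) = g^(a*b)."""
    return pow(g, X * Y % p, N)

def rand_scalar():
    return secrets.randbelow(p)

def setup():
    """Set-Up: random P, Q in G and alpha in Z_p; P_1 = alpha*P; msk = alpha."""
    P, Q, alpha = rand_scalar() or 1, rand_scalar() or 1, rand_scalar()
    return (P, alpha * P % p, Q), alpha

def keygen(pp, alpha, ident):
    """Key-Gen: d_id = (r, Q_id) with Q_id = (Q - r*P)/(alpha - id)."""
    P, _, Q = pp
    if ident == alpha:                       # the abort event of probability 1/p
        raise ValueError("id equals the master secret; PKG aborts")
    r = rand_scalar()
    return r, pow((alpha - ident) % p, -1, p) * (Q - r * P) % p

def encrypt(pp, ident, M):
    """Encrypt: U = t(P_1 - id*P), V = e(P,P)^t, W = M * e(P,Q)^(-t)."""
    P, P1, Q = pp
    t = rand_scalar()
    return t * (P1 - ident * P) % p, pow(e(P, P), t, N), M * pow(e(P, Q), -t, N) % N

def decrypt(d_id, ct):
    """Decrypt: W * e(U, Q_id) * V^r."""
    (r, Q_id), (U, V, W) = d_id, ct
    return W * e(U, Q_id) * pow(V, r, N) % N

# The simulator B of the reduction: it only ever sees the points P_i = alpha^i * P.
def divide_by_linear(coeffs, a):
    """Synthetic division: poly(x) = (x - a)*quot(x) + poly(a).
    Coefficients lowest degree first; returns (quot, poly(a))."""
    quot, carry = [0] * (len(coeffs) - 1), 0
    for i in range(len(coeffs) - 1, 0, -1):
        carry = (coeffs[i] + a * carry) % p
        quot[i - 1] = carry
    return quot, (coeffs[0] + a * carry) % p

def abdhe_points(q, alpha, P):
    """The P, P_1, ..., P_q part of a q-ABDHE instance."""
    return [pow(alpha, i, p) * P % p for i in range(q + 1)]

def sim_setup(P_list):
    """B picks a random f of degree q and sets Q = f(alpha)P = sum_i f_i P_i."""
    f = [rand_scalar() for _ in P_list]
    return (P_list[0], P_list[1], sum(fi * Pi for fi, Pi in zip(f, P_list)) % p), f

def sim_extract(P_list, f, ident):
    """B's key for id: (f(id), F_id(alpha)P) with F_id = (f(x) - f(id))/(x - id),
    where F_id(alpha)P is assembled from P_0..P_{q-1} without touching alpha."""
    F_id, f_at_id = divide_by_linear(f, ident)
    return f_at_id, sum(ci * Pi for ci, Pi in zip(F_id, P_list)) % p

def demo(q=5):
    """Returns (real key decrypts, simulated key decrypts,
    simulated key equals Key-Gen's output for r = f(id))."""
    pp, alpha = setup()
    ident = (alpha + 42) % p                 # any identity other than alpha
    M = pow(g, 77, N)                        # a message in G_T
    ok_real = decrypt(keygen(pp, alpha, ident), encrypt(pp, ident, M)) == M
    P_list = abdhe_points(q, alpha, pp[0])
    pp_sim, f = sim_setup(P_list)
    r, Q_id = sim_extract(P_list, f, ident)
    ok_sim = decrypt((r, Q_id), encrypt(pp_sim, ident, M)) == M
    P, _, Q = pp_sim
    same_form = Q_id == pow((alpha - ident) % p, -1, p) * (Q - r * P) % p
    return ok_real, ok_sim, same_form

if __name__ == "__main__":
    print(demo())                            # (True, True, True)
```

The point of `sim_setup` and `sim_extract` is that neither function receives `alpha`: both the public $Q$ and every extracted key are linear combinations of the instance points, exactly as the reduction requires. The $O(q)$ cost per extraction in the theorem's time bound is the loop in `divide_by_linear` plus the $q$ scalar multiplications in the final sum.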
