4.1 Boneh-Franklin IBE
4.1.1 Security Against Chosen Ciphertext Attacks
The protocol BasicIdent, though secure against a chosen plaintext attack, is not secure against an adversary who can mount a chosen ciphertext attack. But it is possible to augment the protocol to achieve CCA security. The resulting protocol, called FullIdent, is described next.
Set-Up: Define two additional hash functions $H_3: \{0,1\}^n \times \{0,1\}^n \to \mathbb{Z}_p^*$ and $H_4: \{0,1\}^n \to \{0,1\}^n$. Other parts are the same as the Set-Up of BasicIdent.
Key-Gen: Same as the Key-Gen of BasicIdent.
Encrypt: To encrypt $M$ to the public key $id$, compute $Q_{id} = H_1(id)$, choose a random $\sigma \in \{0,1\}^n$ and set $r = H_3(\sigma, M)$. Finally, the ciphertext is
$$C = \langle rP,\ \sigma \oplus H_2(e(Q_{id}, P_{pub})^r),\ M \oplus H_4(\sigma) \rangle$$
Decrypt: To decrypt $C = \langle U, V, W \rangle$ using the private key $d_{id}$ do the following: compute $V \oplus H_2(e(d_{id}, U)) = \sigma$; then $W \oplus H_4(\sigma) = M$; set $r = H_3(\sigma, M)$ and verify whether $U = rP$; if not, reject $C$; otherwise output $M$.
FullIdent is the result of applying the so-called Fujisaki-Okamoto transformation [86] to BasicIdent. Let $\mathcal{E}_{pk}(M; r)$ be the encryption of $M$ under the public key $pk$ using random bits $r$, where $\mathcal{E}$ is some public key encryption scheme. Fujisaki-Okamoto defined a hybrid scheme:
$$\mathcal{E}^{hy}_{pk}(M) = \langle \mathcal{E}_{pk}(\sigma;\ H_3(\sigma, M)),\ H_4(\sigma) \oplus M \rangle$$
One implication of the Fujisaki-Okamoto transformation is that if $\mathcal{E}$ is secure against chosen plaintext attack, then $\mathcal{E}^{hy}$ is secure against chosen ciphertext attack, assuming that $H_3$ and $H_4$ are random oracles.
So, in a sense, Boneh-Franklin extended this idea to the identity-based setting. They apply the Fujisaki-Okamoto transformation on the IND-ID-CPA secure scheme BasicIdent to obtain the IND-ID-CCA secure scheme FullIdent.
The security reduction proceeds through several stages. First, apply the Fujisaki-Okamoto transformation on BasicPub to obtain a public key encryption scheme BasicPub$^{hy}$. Now, an IND-ID-CCA adversary $\mathcal{A}'_1$ against FullIdent is used to construct an IND-CCA adversary $\mathcal{A}'_2$ against BasicPub$^{hy}$. By direct application of the result of Fujisaki-Okamoto, there is an IND-CPA adversary $\mathcal{A}_2$ against BasicPub. Finally, by Game 2 we know that this adversary can be used to construct an algorithm to solve the BDH problem.
We give a formal description of the first reduction, i.e., given an IND-ID-CCA adversary $\mathcal{A}'_1$ against FullIdent, how an IND-CCA adversary $\mathcal{A}'_2$ can be constructed against BasicPub$^{hy}$. Galindo in [89] showed that there is a flaw in the security reduction as described by Boneh-Franklin and suggested a remedy. The problem creeps in because of the ciphertext integrity check in the Fujisaki-Okamoto transformation. We introduce the flaw in the appropriate place and then follow Galindo's modified analysis in our description.
In the IND-CCA game against BasicPub$^{hy}$, $\mathcal{A}'_2$ receives from its challenger the public key
$$K_{pub} = \langle P, P_{pub}, Q_{id}, H_2, H_3, H_4 \rangle.$$
$\mathcal{A}'_2$ now simulates the IND-ID-CCA game for $\mathcal{A}'_1$ and interacts with its own challenger whenever necessary.
Set-Up: $\mathcal{A}'_2$ gives $\mathcal{A}'_1$ the public parameters
$$PP = \langle P, P_{pub}, H_1, H_2, H_3, H_4 \rangle,$$
where $H_1$ is simulated in the same way as in Game 1 earlier.
Phase 1 – key extraction queries: as in Game 1.
Phase 1 – decryption queries: Let $\langle id_i, C_i \rangle$ be the $i$th decryption query, where $C_i = \langle U_i, V_i, W_i \rangle$. If $\mathcal{A}'_2$ can generate the decryption key $d_{id_i}$ for $id_i$ as in the key extraction queries, then it uses this $d_{id_i}$ to obtain a decryption of $C_i$ and returns the result to $\mathcal{A}'_1$. If $\mathcal{A}'_2$ is unable to form this $d_{id_i}$, that means $c_i = 1$ in the tuple $\langle id_i, Q_i, b_i, c_i \rangle$ of the $H_1$ list and hence $Q_i = b_i Q_{id}$. $\mathcal{A}'_2$ sets $C'_i = \langle b_i U_i, V_i, W_i \rangle$ and sends this to its challenger for decryption. $\mathcal{A}'_2$ returns to $\mathcal{A}'_1$ whatever the challenger returns. This is assumed to be a valid answer to the decryption query $\langle id_i, C_i \rangle$. Suppose $d_{id_i} = sQ_i$ is the private key corresponding to $id_i$, which is unknown to $\mathcal{A}'_2$. Let $d_{id} = sQ_{id}$ be the decryption key of BasicPub$^{hy}$, which is available to the challenger. Then the FullIdent decryption of $C_i$ using $d_{id_i}$ would be the same as the BasicPub$^{hy}$ decryption of $C'_i$ using $d_{id}$, since
$$e(b_i U_i, d_{id}) = e(b_i U_i, sQ_{id}) = e(U_i, s b_i Q_{id}) = e(U_i, d_{id_i}).$$
Galindo's Observation: At this point, Galindo [89] pointed at a flaw in the original analysis of Boneh-Franklin. Galindo observed that the original argument does not take into account the fact that the decryption algorithm performs a ciphertext integrity check before returning the message. He showed that given the ciphertext $C'_i = \langle b_i U_i, V_i, W_i \rangle$, the BasicPub$^{hy}$ decryption algorithm will reject it with overwhelming probability. Let $U_i = r_i P$ where $r_i = H_3(\sigma, M_i) \in \mathbb{Z}_p^*$, so $b_i U_i = b_i r_i P$. Since $b_i$ is chosen at random from $\mathbb{Z}_p^*$, $b_i r_i$ is uniformly distributed in $\mathbb{Z}_p^*$. Therefore, $H_3(\sigma, M_i) \neq b_i r_i$ with probability $(1 - 1/p)$, because $H_3$ is a random oracle beyond the control of $\mathcal{A}'_2$. We get a proper decryption only if $b_i = 1$, which implies $H_1(id_i) = Q_{id}$, where $Q_{id}$ is part of the public key of BasicPub$^{hy}$.
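The Fujisaki-Okamoto hybrid above and Galindo's observation, as an added example that is not code from this chapter or from Boneh-Franklin or Galindo: hashed ElGamal over a constructed toy safe-prime group stands in for BasicPub (no pairing), the private key of $id_i$ is $s b_i$ to mirror $Q_i = b_i Q_{id}$, and the challenger decrypts with the master secret $s$. The group parameters, the SHA-256 instantiation of $H_2, H_3, H_4$ and the 16-byte length $n$ are assumptions; exponents live in $\mathbb{Z}_q$ rather than the $\mathbb{Z}_p^*$ of the text.

```python
import hashlib
import secrets

# Constructed toy parameters: safe prime p = 2q + 1 and a generator of its order-q subgroup.
P, Q, G = 2207, 1103, 4
N = 16  # byte length of sigma and M, the {0,1}^n of the text

def _h(tag, *parts):
    h = hashlib.sha256(tag)
    for x in parts:
        h.update(x if isinstance(x, bytes) else str(x).encode())
    return h.digest()

def H2(elem):        # group element -> {0,1}^n
    return _h(b"H2", elem)[:N]

def H3(sigma, msg):  # {0,1}^n x {0,1}^n -> Z_q^*
    return 1 + int.from_bytes(_h(b"H3", sigma, msg), "big") % (Q - 1)

def H4(sigma):       # {0,1}^n -> {0,1}^n
    return _h(b"H4", sigma)[:N]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(pk, msg, sigma=None):
    """FO ciphertext <U, V, W>: U = g^r, V = sigma xor H2(pk^r), W = M xor H4(sigma), r = H3(sigma, M)."""
    sigma = secrets.token_bytes(N) if sigma is None else sigma
    r = H3(sigma, msg)
    return pow(G, r, P), xor(sigma, H2(pow(pk, r, P))), xor(msg, H4(sigma))

def decrypt(sk, ct):
    """Recover sigma and M, then reject unless U == g^{H3(sigma, M)} (the integrity check)."""
    U, V, W = ct
    sigma = xor(V, H2(pow(U, sk, P)))
    msg = xor(W, H4(sigma))
    return msg if pow(G, H3(sigma, msg), P) == U else None

def galindo_demo(b_i, msg=b"FullIdent-msg-16"):
    """Return (decryption with id_i's real key, decryption of the relayed query <b_i U, V, W>)."""
    s = 1 + secrets.randbelow(Q - 1)   # master secret s, known only to the challenger
    pk = pow(G, s, P)                  # plays the role of Q_id / P_pub in BasicPub
    pk_i = pow(pk, b_i, P)             # Q_i = b_i Q_id: id_i's public value is pk^{b_i}
    U, V, W = encrypt(pk_i, msg)
    direct = decrypt((s * b_i) % Q, (U, V, W))       # d_{id_i} = s b_i, the key A'_2 cannot form
    relayed = decrypt(s, (pow(U, b_i, P), V, W))     # A'_2 rescales U and asks the challenger (key s)
    return direct, relayed
```

For a fixed $b_i \neq 1$ the relayed ciphertext yields the correct $\sigma$ and $M$ but fails the check $U = rP$ (here $U = g^r$) with certainty, since $b_i r \equiv r \pmod q$ forces $b_i = 1$; with $b_i = 1$ the same query is answered correctly.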
Fixing the flaw: A decryption query $\langle id_i, C_i \rangle$ can be answered only if it is possible to form a proper private key corresponding to $id_i$, or $H_1(id_i) = Q_{id}$. Based on this observation, Galindo suggests the following modification in the simulation.
$H_1$-queries: $\mathcal{A}'_2$ selects a $j$ at random from $\{1, \ldots, q_{H_1}\}$ before initializing the $H_1$ list. When $\mathcal{A}'_1$ makes a query to $H_1$ at $id_i$ with $i \neq j$, it picks a random $b_i \in \mathbb{Z}_p^*$, sets $Q_i = b_i P$, adds $\langle id_i, Q_i, b_i \rangle$ to the $H_1$ list and returns $Q_i$ to $\mathcal{A}'_1$. If $i = j$, it sets $H_1(id_j) = Q_{id}$, adds $\langle id_j, Q_{id}, * \rangle$ to the $H_1$ list and returns $Q_{id}$ to $\mathcal{A}'_1$.
In terms of Figure 4.1, the identity space is partitioned in such a way that the challenge identity space now contains a single identity: $id_j$.
Phase 1 – Key extraction: When $\mathcal{A}'_1$ places a private key query for $id_i$, $\mathcal{A}'_2$ checks whether $id_i = id_j$. It aborts in that eventuality. Otherwise, $\mathcal{A}'_2$ forms the private key as in the original simulation and returns it to $\mathcal{A}'_1$.
Phase 1 – Decryption queries: For a decryption query $\langle id_i, C_i \rangle$, if $id_i = id_j$, then $\mathcal{A}'_2$ asks its challenger for a decryption of $C_i$, which it relays to $\mathcal{A}'_1$ ($\mathcal{A}'_2$ can do so because $H_1(id_i) = Q_{id}$). Otherwise, it forms the private key $d_{id_i}$ and uses it to decrypt $C_i$.
Challenge: At this stage $\mathcal{A}'_1$ outputs two messages $M_0, M_1$ and an identity $id^*$. If $id^* \neq id_j$, $\mathcal{A}'_2$ aborts the game. Otherwise, it sends $M_0, M_1$ to its challenger and in return gets $C^*$ as the challenge ciphertext. $C^*$ is an encryption of $M_\gamma$, where $\gamma \in \{0,1\}$ is chosen uniformly at random by the challenger. It returns $C^*$ as its own challenge to $\mathcal{A}'_1$. Since $H_1(id^*) = Q_{id}$, $C^*$ is also an encryption of $M_\gamma$ under $id^*$ in FullIdent.
Phase 2: As in Phase 1, except that any key extraction query for $id^*$, or decryption query for $\langle id^*, C^* \rangle$, is disallowed.
Guess: $\mathcal{A}'_1$ outputs its guess $\gamma'$ of $\gamma$, which $\mathcal{A}'_2$ echoes.
If $\mathcal{A}'_2$ does not abort the game, then the view of $\mathcal{A}'_1$ is the same as that in a real IND-ID-CCA attack. The probability that $\mathcal{A}'_2$ does not abort, $\Pr[\neg\mathrm{abort}]$, is at least $\frac{1}{q_{H_1}}\left(1 - \frac{q_E}{q_{H_1}}\right)$. Hence, $\mathcal{A}'_2$'s advantage against BasicPub$^{hy}$ is at least $\frac{\varepsilon}{q_{H_1}}\left(1 - \frac{q_E}{q_{H_1}}\right) \approx \varepsilon/q_{H_1}$.
In the next stage of the reduction, $\mathcal{A}'_2$ is used to construct an IND-CPA adversary $\mathcal{A}_2$ against BasicPub by a straightforward application of the technique of Fujisaki and Okamoto [86]. Given $\mathcal{A}_2$, Game 2 of the previous section is used to construct an algorithm $\mathcal{B}$ that solves the BDH problem. Through this three-stage reduction, an advantage $\varepsilon$ against FullIdent can be converted to (roughly) an advantage $\varepsilon/q_H^3$ against BDH, where $q_H$ is the maximum number of oracle queries to any of the random oracles $H_i$, $1 \le i \le 4$. In the process of fixing the flaw in the security analysis, the security degradation increases, because in the original analysis of Boneh-Franklin it was a factor of $1/(q_H^2 q_D)$, where $q_D$ is the number of decryption queries, and in general $q_D \ll q_H$. Galindo improved the tightness by a factor of $q_H$ by using a second general transformation also due to Fujisaki-Okamoto [86]. Improvement by another $q_H$ factor is obtained by using the stronger decisional version of BDH, i.e., the DBDH assumption. Later in this chapter we will describe variants of the Boneh-Franklin IBE where a simple tweak makes it possible to obtain a tight reduction.