Based on this generic transformation, any CPA-secure 2-level HIBE can be used to construct a CCA-secure IBE. More generally, a CPA-secure $(h+1)$-HIBE gives a CCA-secure $h$-HIBE. Hence, protocol designers can concentrate on constructing protocols that achieve CPA-security (be it in the full model or the selective-ID model) without random oracles and then apply this transformation to achieve CCA-security. Protocols such as the Boneh-Boyen HIBE and the Boneh-Boyen-Goh HIBE described in Chapter 5 accomplish this in the selective-ID model, while the Boneh-Boyen IBE and the Waters IBE to be described in Chapter 7 accomplish this in the full model.
$$
\begin{aligned}
&= M \times e(P_1,P_2)^s \times e(-sP, xP_2) \\
&= M.
\end{aligned}
$$
The basic intuition behind the conversion of this CPA-secure IBE scheme to a CCA-secure PKE scheme is the following. Suppose the user Alice wishes to obtain a public and private key pair. She plays the role of the PKG: the master secret key of the PKG is now the secret key of Alice and the public parameters constitute her public key. This way the Set-Up algorithm of BB-IBE becomes the key generation algorithm for the PKE scheme. The main novelty comes in the Encrypt algorithm. To encrypt a message to Alice in the PKE scheme, Bob first chooses a random $s \in \mathbb{Z}_p^*$ and computes $sP$. This is an element of $G$ and constitutes the second element ($B$) of the ciphertext in BB-IBE. Next a publicly known injective embedding (or a collision resistant hash function) is used to map $sP$ into an element $v$ in $\mathbb{Z}_p$. Now Bob generates the third component ($C$) of the BB-IBE ciphertext using this $v$ as the "identity". So, effectively, the "identity" used to generate the ciphertext is itself generated dynamically from the second component of the ciphertext and provides the crucial binding for the randomizer $s$. Note that the second component in BB-IBE does not depend on the identity, and that is why this technique can be applied. Bob now masks the message with $e(P_1,P_2)^s$ to generate the first component ($A$) of the BB-IBE ciphertext. Given the ciphertext, Alice first uses the same injective embedding on $sP$ to derive $v$. Next, she runs the Key-Gen algorithm of BB-IBE on this "identity" $v$ to obtain the corresponding private key. Using this private key she runs the BB-IBE Decrypt algorithm on the ciphertext $(A,B,C)$ to recover the message.
Though this is the basic idea, the actual conversion provides a CCA-secure key encapsulation mechanism. This can then be combined with a secure data encapsulation mechanism to obtain a PKE scheme. Some further refinements can also be introduced; these improve the efficiency of the encryption and decryption algorithms. The details of the KEM are as follows. The original paper of Boyen, Mei and Waters described the protocol in the setting of asymmetric pairing. For simplicity we use the setting of symmetric pairing.
BMW-PKE.
Set-Up. Let $e : G \times G \to G_T$ be a symmetric pairing and $G = \langle P \rangle$. Let $H$ be an injective encoding from $G$ to $\mathbb{Z}_p$. Choose $y_1$ and $y_2$ randomly from $\mathbb{Z}_p$ and $P_1$ randomly from $G$. Compute $\xi = e(P,P_1)$, $U_1 = y_1P$ and $U_2 = y_2P$. The public key of the user is $(H,\xi,U_1,U_2)$ and the secret key is $(P_1,y_1,y_2)$.
Encapsulate. A random $t$ is chosen from $\mathbb{Z}_p$ and the session key is set to $\xi^t = e(P,P_1)^t$. The encapsulation of this key is obtained as follows. First compute $B = tP$, then apply the encoding $H$ to $B$ to obtain $w = H(B)$. This $w$ is an element of $\mathbb{Z}_p$ and is the (dynamic) "identity" of the BB-IBE scheme. Compute $C = tU_1 + twU_2$. The encapsulation of the session key is $(B,C)$.
Decapsulate. Given an encapsulation $(B,C)$ and the private key $(P_1,y_1,y_2)$, the session key is reconstructed as follows. First compute $w = H(B)$, which is the "identity" of the BB-IBE scheme used to encapsulate the session key. Next compute $w' = y_1 + wy_2 \pmod p$ and check whether $w'B$ equals $C$. If this equality does not hold, then the ciphertext is not well-formed and the decapsulation algorithm returns $\bot$. If the equality holds, then the session key is obtained as $e(B,P_1)$.
For a properly generated encapsulation, the validity check succeeds, because $w'B = (y_1 + wy_2)tP = ty_1P + twy_2P = tU_1 + twU_2 = C$. The session key is also correctly reconstructed, as $e(B,P_1) = e(tP,P_1) = e(P,P_1)^t = \xi^t$.
Note that in the above description, the component $C$ of the encapsulation is not used for the actual reconstruction of the session key. It is used only to ensure that the encapsulation itself is well formed. We provide a brief description of the security argument.
In a KEM, there is no message. The adversary for a CCA-secure KEM interacts with the decapsulation oracle during the query stages. For the challenge stage, a session key is generated and is properly encapsulated. This encapsulation is provided to the adversary. Along with the encapsulation, the adversary is provided either the proper session key or a random element from the set of all possible session keys which is independent of the proper session key; both options are equiprobable. In the guess stage, the adversary outputs its guess of which of the two options has been used.
Coming to the BMW-KEM, the challenge encapsulation is of the form $(B^*,C^*)$, where $B^* = t^*P$. The first thing to note is that this $t^*$ does not depend on the adversary's input. Correspondingly, in the security game the challenger can choose $t^*$ during the set-up phase and compute $B^* = t^*P$. Once this is done, the challenger has also fixed the "challenge identity" $w^* = H(B^*)$. This is the crucial point which indicates that the selective-identity security of BB-IBE suffices to obtain a CCA-secure PKE.
The challenger is given a DBDH tuple $(P,aP,bP,cP,Z)$ where $Z$ is either $e(P,P)^{abc}$ or a random element of $G_T$. Note that none of $a$, $b$ or $c$ is known to the challenger, so the set-up and the answering of decapsulation queries have to be done without this knowledge. The challenger sets $w^* = H(cP)$, where $H$ is the injective embedding. In other words, the challenger effectively uses the unknown $c$ as the randomizer $t^*$ of the challenge encapsulation. Next, the challenger chooses random $y_1$ and $y_2$ from $\mathbb{Z}_p$ and sets $U_1 = -w^*bP + y_1P$ and $U_2 = bP + y_2P$. Further, $\xi$ is set to $e(aP,bP) = e(P,abP)$, i.e., the $P_1$ of the scheme is implicitly set to $abP$.
The public key is declared to be $(H,\xi,U_1,U_2)$ as required. Note that the challenger does not know the corresponding secret key: $P_1 = abP$ is unknown to it, and so are the discrete logarithms $y_1 - w^*b$ and $y_2 + b$ of $U_1$ and $U_2$, since both involve $b$. The values $y_1$ and $y_2$ it chose are not the secret key of the scheme; they are only the part of it that the challenger controls.
A decapsulation query is a pair $(B,C)$; a well-formed one has $B = tP$ and $C = t(U_1 + wU_2)$ for some $t$. Such a query is handled by the challenger in two steps. In the first step, it computes $w = H(B) = H(tP)$ as the "identity" to which the implicit encryption of BB-IBE has been done, and verifies the well-formedness of the query. It cannot do this the way the real decapsulation algorithm does, since it does not know the discrete logarithms of $U_1$ and $U_2$; instead it uses the pairing and checks whether $e(B, U_1 + wU_2) = e(P, C)$, which by bilinearity and non-degeneracy holds exactly when $C = t(U_1 + wU_2)$ for the $t$ with $B = tP$. If the check fails, the challenger returns $\bot$. Once the query is verified, it proceeds to generate a decryption key for $w$ using the technique for simulating the key extraction queries in the BB-IBE scheme. More specifically, it chooses a random $r \in \mathbb{Z}_p$ and computes $(d_0,d_1)$ in the following manner.
$$
\begin{aligned}
d_0 &= r(U_1 + wU_2) - \frac{1}{w-w^*}(y_1 + wy_2)\,aP \\
&= abP - \frac{w-w^*}{w-w^*}\,abP - \frac{1}{w-w^*}(y_1 + wy_2)\,aP + r(U_1 + wU_2) \\
&= abP - \frac{a}{w-w^*}\big((w-w^*)bP + (y_1 + wy_2)P\big) + r(U_1 + wU_2) \\
&= abP - \frac{a}{w-w^*}\big(-w^*bP + y_1P + w(bP + y_2P)\big) + r(U_1 + wU_2) \\
&= abP - \frac{a}{w-w^*}(U_1 + wU_2) + r(U_1 + wU_2) \\
&= abP + \Big(r - \frac{a}{w-w^*}\Big)(U_1 + wU_2);
\end{aligned}
$$

$$
d_1 = rP - \frac{1}{w-w^*}\,aP = \Big(r - \frac{a}{w-w^*}\Big)P.
$$

Both $d_0$ and $d_1$ are computable by the challenger, since they involve only $aP$, $U_1$, $U_2$, $r$, $y_1$, $y_2$, $w$ and $w^*$.
Note that the crucial point is to use the beautiful algebraic technique introduced by Boneh and Boyen [32] for simulating key extraction queries in BB-HIBE, discussed in Chapter 5. The above computation holds only if $w \neq w^*$. Since $w^* = H(cP)$ and $c$ is a random element of $\mathbb{Z}_p$, $w^*$ is also a random element of $\mathbb{Z}_p$, and as $H$ is injective a query has $w = w^*$ only if $B = cP$. So the probability that $w$ equals $w^*$ is $1/p$. For a total of $q$ decapsulation queries, this accounts for an additive security degradation of $q/p$. (After the challenge has been issued, a query $(cP, C)$ with $C \neq C^*$ is rejected by the well-formedness check, since $C^*$ is the only well-formed second component for $B^* = cP$.) Having generated $(d_0,d_1)$, the challenger proceeds to obtain the session key for $(B,C)$ as follows. Let $r' = r - a/(w-w^*)$.
$$
\begin{aligned}
\frac{e(d_0,B)}{e(C,d_1)} &= \frac{e\big(abP + r'(U_1 + wU_2),\,tP\big)}{e\big(t(U_1 + wU_2),\,r'P\big)} \\
&= \frac{e(abP,tP) \times e\big(r'(U_1 + wU_2),\,tP\big)}{e\big(t(U_1 + wU_2),\,r'P\big)} \\
&= e(P,abP)^t \\
&= e(P,P_1)^t \\
&= \xi^t,
\end{aligned}
$$

where the two pairings cancel because by bilinearity $e(r'(U_1 + wU_2), tP) = e(U_1 + wU_2, P)^{r't} = e(t(U_1 + wU_2), r'P)$.
Thus, the challenger can answer the decapsulation query.
For the challenge ciphertext, we have $w^* = H(cP)$ and the challenger returns $(B^*,C^*)$ and $Z$, where $B^* = cP$ and $C^*$ is computed as

$$
\begin{aligned}
C^* &= (y_1 + w^*y_2)\,cP \\
&= c\big((w^* - w^*)bP + y_1P + w^*y_2P\big) \\
&= c\big(-w^*bP + y_1P + w^*(bP + y_2P)\big) \\
&= c(U_1 + w^*U_2).
\end{aligned}
$$
This shows that a proper encapsulation is provided to the adversary. If $Z = e(P,P)^{abc}$, then along with the encapsulation the adversary gets the proper session key, since the key for $(B^*,C^*)$ is $e(B^*,P_1) = e(cP,abP) = e(P,P)^{abc}$. On the other hand, if $Z$ is random then it is independent of $(B^*,C^*)$ and provides no information to the adversary. If the adversary is able to correctly guess which of the two cases has occurred, then the challenger is able to solve the DBDH problem.
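The KEM (Set-Up, Encapsulate, Decapsulate) and the DBDH challenger of the security argument above, as an added example; this is not code from the book or from the Boyen-Mei-Waters paper. It is a Python algebra checker, not a cryptosystem: $G$ is taken to be the additive group $\mathbb{Z}_p$ with $P = 1$, and the "pairing" is $e(X,Y) = g^{XY}$ in the order-$p$ subgroup of $\mathbb{Z}_q^*$, so every discrete logarithm is trivial and the instantiation has no security whatsoever. The map is, however, bilinear and non-degenerate, which is all the identities on this page use, so the code verifies the correctness of decapsulation, the simulator's answer to a decapsulation query, and the well-formedness of the challenge. The primes $p = 1019$ and $q = 2039$, the generator $g = 4$, the identity map as the injective encoding $H$, and all function and class names are my own choices. The simulator checks well-formedness with the pairing, since it does not know the discrete logarithms of $U_1$ and $U_2$.

```python
"""Toy instantiation of the BMW KEM and of its DBDH simulator.

WARNING: an algebra checker, not a cryptosystem. G is the additive group
Z_p with P = 1, so every element is its own discrete logarithm and anyone
can evaluate the "pairing" e(X, Y) = g^(XY). The map is bilinear and
non-degenerate, which is all that the equations on this page use.
"""
import secrets

p = 1019        # prime group order (toy size)
q = 2 * p + 1   # 2039 is prime, so Z_q^* has a subgroup of order p
g = 4           # quadratic residue mod q, hence a generator of that subgroup
P = 1           # generator of G = (Z_p, +); scalar mult is multiplication mod p


def e(X, Y):
    """Symmetric bilinear map G x G -> G_T, e(X, Y) = g^(X*Y) mod q."""
    return pow(g, (X * Y) % p, q)


def H(B):
    """Injective encoding G -> Z_p (the identity map, since G is Z_p here)."""
    return B % p


def setup():
    """Key generation: public key (xi, U1, U2), secret key (P1, y1, y2)."""
    y1, y2, P1 = (secrets.randbelow(p) for _ in range(3))
    return (e(P, P1), (y1 * P) % p, (y2 * P) % p), (P1, y1, y2)


def encapsulate(pk, t=None):
    """Returns (session key, (B, C)); t is passed explicitly only by tests."""
    xi, U1, U2 = pk
    t = secrets.randbelow(p - 1) + 1 if t is None else t
    B = (t * P) % p
    w = H(B)                                  # the dynamic "identity"
    C = (t * U1 + t * w * U2) % p
    return pow(xi, t, q), (B, C)


def decapsulate(sk, enc):
    """Returns the session key, or None if (B, C) is not well-formed."""
    P1, y1, y2 = sk
    B, C = enc
    w_prime = (y1 + H(B) * y2) % p
    if (w_prime * B) % p != C:
        return None
    return e(B, P1)


class Simulator:
    """DBDH challenger of the proof: holds aP, bP, cP, Z but not a, b, c."""

    def __init__(self, aP, bP, cP, Z):
        self.aP, self.cP, self.Z = aP, cP, Z
        self.w_star = H(cP)                   # challenge identity, fixed up front
        self.y1, self.y2 = secrets.randbelow(p), secrets.randbelow(p)
        self.U1 = (-self.w_star * bP + self.y1 * P) % p
        self.U2 = (bP + self.y2 * P) % p
        self.pk = (e(aP, bP), self.U1, self.U2)   # xi = e(P, abP); P1 = abP unknown

    def decapsulate(self, enc):
        B, C = enc
        w = H(B)
        V = (self.U1 + w * self.U2) % p
        # log_P(U1) and log_P(U2) involve b and are unknown, so well-formedness
        # is checked with the pairing instead of with y1 + w*y2.
        if e(B, V) != e(P, C):
            return None
        if w == self.w_star:
            raise RuntimeError("w == w*: the simulator aborts")
        r = secrets.randbelow(p)
        inv = pow((w - self.w_star) % p, -1, p)      # 1/(w - w*) mod p
        d0 = (r * V - inv * (self.y1 + w * self.y2) * self.aP) % p
        d1 = (r * P - inv * self.aP) % p
        return (e(d0, B) * pow(e(C, d1), -1, q)) % q   # = e(P, abP)^t

    def challenge(self):
        C_star = ((self.y1 + self.w_star * self.y2) * self.cP) % p
        return (self.cP, C_star), self.Z


def check_simulation(a, b, c, t):
    """Play the challenger with a, b, c known to this checker only and verify
    that a query is answered correctly and the challenge is well-formed."""
    Z = pow(e(P, P), (a * b * c) % p, q)      # the "real" DBDH case
    sim = Simulator(a % p, b % p, c % p, Z)   # aP = a etc., since P = 1
    key, enc = encapsulate(sim.pk, t)
    if sim.decapsulate(enc) != key:
        return False
    (B_star, C_star), Z_out = sim.challenge()
    if e(B_star, (sim.U1 + sim.w_star * sim.U2) % p) != e(P, C_star):
        return False
    # secret key the simulation implicitly fixed: (abP, y1 - w*b, y2 + b)
    sk_implicit = ((a * b) % p, (sim.y1 - sim.w_star * b) % p, (sim.y2 + b) % p)
    return decapsulate(sk_implicit, (B_star, C_star)) == Z_out
```

`check_simulation(17, 23, 101, 57)` plays one decapsulation query (randomizer $t = 57$) and the challenge with $a$, $b$, $c$ known only to the checker; the `Simulator` object itself never sees them and answers the query purely from $aP$, $bP$, $cP$ and its own $y_1, y_2$, exactly as in the argument above. Passing a $t$ with $H(tP) = w^*$ triggers the abort case.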