Efficient certificate-based encryption and hierarchical certificate-based encryption schemes in the standard model

Abstract

Telco systems usually run large-scale, centralized key management systems. However, centralized approaches based on conventional public key encryption like RSA raise problems such as key escrow, secure channel to delivery key, and third-party query as well as single point of failure. To address these problems, we propose both certificate-based encryption (CBE) and hierarchical certificate-based encryption (HCBE) schemes proved secure in the standard model. Compared with other schemes, our schemes are proved IND-CCA2 (Indistinguishability under Adaptive Chosen Ciphertext Attack) secure in full model, where the number of group elements is independent of the value of security parameter. As far as we know, the proposed HCBE is the first fully IND-CCA2 secure scheme with ciphetexts of constant size.

Keywords

Certificate-based encryption hierarchical certificate-based encryption identity-based encryption

1 Introduction

In 2003, Gentry [1] proposed a new notion of certificate-based encryption (CBE) whose construction is based on Boneh-Franklin identity-based encryption (IBE) scheme [2]. The first advantage of the new paradigm is that it overcomes the key escrow problem in IBE. The problem states that without permission of any user the key generation center can decrypt any ciphertext because it can generate the decryption key for the user. Unfortunately, this is not acceptable in some applications. In the case of CBE, decryption requires both the secret key of a keyholder and an up-to-date certificate from certificate authority (CA). In fact, the certificate serves as the decryption key in IBE, which is generated based on user’s indentity information and master secret key. The CA does not know the secret key of the user so that it cannot decrypt any ciphertext of the user. Another advantage of CBE when compared with IBE is that it does not require a secure channel to deliver the certificate (decryption key in the case of IBE) to the user.

CBE still needs an infrastructure to distribute the certificate. In this case, the certificate is required at a receiver’s side rather than a sender’s side unlike in the conventional public key encryption (PKE) [3]. The questions are, how to protect the public key and what is the role of certificate in a CBE? These questions can be answered as follows: the certificate is generated based on the public key of a user; this certificate’s update information is continously sent to the user who possesses the public key (this update may be performed hourly, for example); whenever the public key is found to be invalid, the user will stop issuing the up-to-date certificate, and hence the user cannot decrypt the current or incoming ciphertext.

Compared with the traditional PKEs, CBE makes it more efficient to construct a public key system because CBE does not cause third-party-query problem which is one of the reasons that make public key infrastructures of PKE inefficient. The problem means that whenever a user Alice encrypt a message to Bob, she needs to query for Bob’s certificate status to ensure that the public key certainly belongs to Bob. In contrast, in CBE, the sender Alice does not need to care about the certificate status of the receiver Bob. Instead, Bob will take care of his certificate status by himself in order to decrypt incoming ciphertexts.

1.1 Related work

In 2003, the first CBE scheme was proposed by Gentry [1]. The idea of the first CBE scheme is based on IBE scheme of Boneh-Franklin [2]. After that, many CBE schemes in the random oracle model were proposed in [4 –13]. In 2004, Canetti, Halevi and Katz [14] introduced a generic method to convert a CPA (Chosen Plaintext Attack)-secure HIBE (Hierarchical IBE) into a CCA (Chosen Ciphertext Attack)-secure HIBE without random oracle. In 2005, Dodis and Katz [5] proposed a generic construction to build a new IND-CCA2 (Indistinguishability under Adaptive Chosen Ciphertext Attack) secure multiple encryption from PKE schemes which are IND-CCA2 secure. This result can be used to construct a generic IND-CCA2 CBE scheme secure in the standard model. They combined three defferent schemes: one-time signature (OTS) [15], CCA-secure IBE scheme and public key encryption scheme. The disadvantage of this technique is long-sized ciphertexts and inefficency in terms of performance. In [16], Morillo proposed a CBE scheme in the standard model. The scheme was proved to be secure in the selective model based on the IBE scheme of Waters (2005) [17]. Based on the idea of Dodis and Katz, Galindo [18] proposed a CBE scheme secure in the standard model with shorter ciphertext and improved performance by using Waters (2005) [17] and Boneh-Boyen (2004) [19] IBE schemes. In 2009, Lu and Li gave a generic construction of CBE scheme in the standard model [20]. Recently, many applications of CBE have been proposed. Hyla and Pejas [22] proposed a certificate-based group-oriented encryption scheme with an effective secret sharing based on general access structure. Sur et al. [23] proposed a certificate-based proxy re-encryption for public cloud storage which has the advantages of CBE while providing the functionalities of proxy re-encryption. Fan et al. [24] proposed anonymous multi-receiver CBE that is CPA secure.

1.2 Basic ideas

In this paper, we firstly propose a new CBE scheme in standard model. The one is used as the fundamental to build an HCBE (Hierarchical CBE) scheme in standard model with short length of ciphertext.

The need of the HCBE is due to the fact that workload of the CA in a CBE system is extremely high because it has to continuously update the certificate for every users who have registered the public key and identity information. The task of issuing certificates and reissuing up-to-date certificates should be at regular time interval (for example, hourly). In [1], Gentry uses the Subset cover to reduce the workload, but when the scale of the system is big, the task will be computationally intensive one. Our basic idea to address this problem is to introduce hierarchy to CBE. The HCBE scheme will reduce the workload of the CA by delegating the task of CA to its lower levels. Combining this approach together with the Subset cover technique allows us to make efficient HCBE scheme.

In the other hand, it is well known that a scheme without random oracle assumption achieve higher security level than one with random oracle assumption. The (H)IBE scheme [21] has a remarkable result, that is, it is proved to be secure in standard model under a static hardness assumption. This result can be used to build our HCBE scheme with short ciphertext of constant size. This is an important point because in most of HIBE schemes, the length of a ciphertext depends on the depth of the hierarchical system. In fact, our HCBE scheme is the first concrete construction of HCBE in literature.

1.3 Contributions

In this paper, we propose a CBE scheme and a HCBE scheme which are proved to be fully IND-CCA2 secure in the standard model. To construct the schemes, we apply the Canetti-Halevi-Katz transformation [14] to 2-level CPA-secure HIBE from [21] and a one-time signature to achieve a IND-CCA2 secure CBE. The resultant CBE is fully IND-CCA2 secure and very efficient. The proposed CBE is extended to HCBE with ciphetexts of constant size which is the first fully IND-CCA2 secure HCBE scheme as far as we know. Because it is hierarchical, HCBE can support distributive processing in a large-scale key management as in Telco system environment. Constant-sized ciphertexts are also helpful to reduce communication overhead. It can also resolve the problem of violation of any privacy of customers because it resolves the key escrow problem. If a large key management system is structured into a set of small, distributed subsystem in a hierarchical way using our HCBE, it can also evade the single point of failure problem.

2 Preliminaries

2.1 Blinear pairing

Let G and G_T are cyclic groups of order N. Binliear Pairing is a map that has the following properties:

Bilinearity: $\forall g, h \in G, a, b \in ℤ_{N}$ , e (g^a, h^b) = e (g, h) ^ab

Non-degenerate:∃ g ∈ G such that e (g, g) has order N in G_T.

2.2 Hardness assumptions

The schemes in this paper use the notion of composite order group. Let $G$ be a group generator. It takes a security parameter λ as input and outputs (N = p₁p₂p₃, G, G_T, e), where p₁, p₂, p₃ are distinct primes, G and G_T are cyclic groups of order N = p₁p₂p₃.

Assumption 1. (Subgroup decision problem for 3 primes). Randomly select g in group G_{p
₁}, and X₃ in group G_{p
₃}. Let D = (g, X₃). After that, we randomly select T₁ in group G_{p
₁
p
₂} and T₂ in G_{p
₁}. An algorithm $A$ can break the Assumption 1 with advantage $\begin{matrix} Adv 1_{G, A} (λ) \\ : = | \Pr [A (D, T_{1}) = 1] - \Pr [A (D, T_{2}) = 1] | . \end{matrix}$

We say that G satisfies Assumption 1 if $Adv 1_{G, A} (λ)$ is a negligible function of λ for any polynomial time algorithm $A$ .

Assumption 2. Randomly select g, X₁ in group G_{p
₁}, X₂, Y₂ in group G_{p
₂}, and X₃, Y₃ in group G_{p
₃}. Let D = (g, X₁X₂, X₃, Y₂Y₃). After that, we randomly select T₁ in group G and T₂ in G_{p
₁
p
₃}. An algorithm $A$ can break the Assumption 2 with advantage $\begin{matrix} Adv 2_{G, A} (λ) \\ : = | \Pr [A (D, T_{1}) = 1] - \Pr [A (D, T_{2}) = 1] | . \end{matrix}$

We say that G satisfies Assumption 2 if $Adv 2_{G, A} (λ)$ is a negligible function of λ for any polynomial time algorithm $A$ .

Assumption 3. Randomly select g in group G_{p
₁}, X₂, Y₂, Z₂ in group G_{p
₂}, X₃ in group G_{p
₃} and α, s in group $ℤ_{N}$ . Let D = (g, g^αX₂, X₃, g^sY₂, Z₂). After that, we set T₁ = e (g, g) ^αs and randomly select T₂ in G_T. An algorithm $A$ can break the Assumption 3 with advantage $\begin{matrix} Adv 3_{G, A} (λ) \\ : = | \Pr [A (D, T_{1}) = 1] - \Pr [A (D, T_{2}) = 1] | . \end{matrix}$

We say that G satisfies Assumption 3 if $Adv 3_{G, A} (λ)$ is a negligible function of λ for any polynomial time algorithm $A$ .

2.3 One-time signature [15]

A one-time signature scheme is defined as follows:

KeyGen, the key generation algorithm, takes the security parameter 1^k as input, and outputs a pair of signing key (sk) and verification key (vk).

Sign, the signing algorithm, takes a signing key sk and a message M as input, and outputs a signature σ.

Vrfy, the verification algorithm, takes a verification key vk, a message M and a signature σ as input, and outputs accept if the signature is valid or ⊥ symbol.

3 Framework of certificate-based encryption

3.1 Certificate-based encryption scheme

The CBE scheme consists of the following algorithms:

Setup is run by the CA. It takes the security parameter as input and returns the CA’s master secret key msk and the system parameters params.

SetKeyPair is run by a user. It takes params as input and outputs the public key pk and the secret key sk for the user.

Certification algorithm takes ID, msk, params and pk as input, and outputs the certificate Cert to the user.

Encryption is run by a sender. It takes ID, params, pk and plaintext M as input, and returns a ciphertext C.

Decryption takes ID, params, Cert, sk and ciphertext C as input, and outputs the plaintext M.

Security model of CBE:

The security model for CBE is defined using the following two games:

Game 1. The adversary does not have the master secret key of the CA.

Setup: The challenger runs the Setup algorithm and gives params to the adversary $A_{I}$ and keeps msk secret to itself.

Phase 1: The adversary makes queries as follows:

Certification query: < user, PK, SK >. The challenger checks that (PK, SK) is valid. In this case, it runs Certification on input < msk, user, PK > and returns Cert_i; else it returns ⊥.

Decryption query: < user, PK, SK, C >. The challenger checks that (PK, SK) is valid. In this case, it generates Cert_i by using the Certification algorithm and outputs Dec_{Cert_i, SK} (C); else it returns ⊥.

Challenge: < user^*, PK^*, SK^*, M₀, M₁>, where M₀, M₁ are of the same size. The challenger checks that (PK^*, SK^*) is valid. In this case, it selects a random bit b and returns C^* = Enc_{user^*, PK^*} (M_b); else it returns ⊥.

Phase 2: As in Phase 1, except that decryption queries < user^*, PK^*, SK^*, C^*> are disallowed.

Guess: $A_{I}$ outputs a guess b ′ ∈ {0, 1}. $A_{I}$ wins if b = b ′. The advantage of adversary $A_{I}$ is defined as ${Adv}_{A_{I}} : = | \Pr [b = b^{'}] - 1 / 2 |$ .

Game 2. The adversary is given the master secret key of the CA.

Setup: The challenger runs the Setup algorithm and gives params and msk to the adversary $A_{II}$ . It then runs SetKeyPair to obtain a key pair (PK, SK) and gives PK to the adversary $A_{II}$ .

Phase 1: The adversary is allowed to make decryption query < user, C >. On this query, the challenger generates Cert_i by using the Certification algorithm with inputs < msk, user, PK > and outputs Dec_{Cert_i, SK} (C); else it returns ⊥.

Challenge: < user^*, M₀, M₁>. The challenger chooses a random bit b and returns C^* = Enc_{user^*, PK^*} (M_b); else it returns ⊥.

Phase 2: Adversary continously makes query as in Phase 1.

Guess: The adversary $A_{II}$ outputs a guess b ′ ∈ {0, 1}. The adversary wins if b = b ′. The advantage of adversary $A_{II}$ is defined as ${Adv}_{A_{II}} : = | \Pr [b = b^{'}] - 1 / 2 |$ .

Definition: A CBE scheme is said to be secure against an adaptive chosen ciphertext attack (or IND-CCA2 secure) if no probabilistic polynomially bounded adversary has non-negligible advantage in either Game 1 or Game 2.

3.2 Hierarchical certificate-based encryption scheme

The l -HCBE scheme consists of the following algorithms, where l is the depth of hierarchical system:

Setup takes the security parameter 1^k as input and returns the certificate’s master secret key msk and the system parameters params.

SetKeyPair takes params as input and outputs the public key pk and the secret key sk for auser.

Certification takes ID = (I₁, I₂, …, I_j) (j ≤ l) where I_i = userinfo ∥ PK_i is concatenation of user’s identity information and the user’s public key, msk, params and pk as input, and outputs the certificate Cert which is sent to user over an open channel.

Encryption takes ID, params, pk and plaintext M as input, and returns a ciphertext C.

Decryption takes ID, params, Cert, sk and ciphertext C as input, and outputs the plaintext M.

Security model of HCBE:

The security model for HCBE is defined by using the following two games:

Game 1. The adversary does not have the master secret key of the CA.

Setup: The challenger runs the Setup algorithm and gives params to the adversary $A_{I}$ and keeps msk secret to itself.

Phase 1: The adversary makes queries as follows: Certification query: < user = user₁, …, user_j ; PK = PK₁, …, PK_j, SK_j>. To response to this query, the challenger checks that (PK_i, SK_i) (i ≤ j) is valid. In this case, it runs Certification: on input < msk, user ; PK₁, …, PK_j> and returns Cert ; else it returns ⊥.

Decryption query: < user, PK, SK, C >. The challenger checks that (PK, SK) is valid. In this case, it generates Cert by using the Certification algorithm and outputs Dec_{Cert, SK_j} (C); else it returns ⊥.

Challenge: $< {user}^{*} = {user}_{1}^{*}, . . ., {user}_{j}^{*}; {PK}^{*} = {PK}_{1}^{*}, . . ., {PK}_{j}^{*};$ ${SK}_{j}^{*}; M_{0},$ M₁>, where M₀, M₁ are of the same size. The challenger checks that $({PK}_{i}^{*},$ ${SK}_{i}^{*})$ is valid. In this case, it chooses a random bit b and returns C^* = Enc_{user^*, PK^*} (M_b); else it returns ⊥.

Phase 2: As in Phase 1, except that decryption queries $< {user}_{1}^{*}, . . ., {user}_{j}^{*};$ ${PK}_{1}^{*}, . . ., {PK}_{j}^{*},$ ${SK}_{j}^{*}, C^{*} >$ are disallowed.

Guess: The adversary $A_{I}$ outputs a guess b ′ ∈ {0, 1}. The adversary wins the game if b = b ′. The advantage of adversary $A_{I}$ is defined as ${Adv}_{A_{I}} : = | \Pr [b = b^{'}] - 1 / 2 |$ .

Game 2. The adversary is given the master secret key of the CA.

Setup: The challenger runs the Setup algorithm and gives params and msk to the adversary $A_{II}$ . It then runs SetKeyPair to obtain a key pair (PK, SK) and gives PK to theadversary $A_{II}$ .

Phase 1: The adversary is allowed to make decryption query user = < user₁, …, user_j, C >. On this query, the challenger generates Cert by using the Certification algorithm with inputs < msk, user, PK > and outputs Dec_{Cert, SK} (C); else it returns ⊥.

Challenge: $< {user}^{*} = {user}_{1}^{*}, . . ., {user}_{j}^{*}, M_{0}, M_{1} >$ . The challenger chooses a random bit b and returns C^* = Enc_{user^*, PK} (M_b); else it returns ⊥.

Phase 2: Adversary continously makes query as in Phase 1.

Guess: The adversary $A_{II}$ outputs a guess b ′ ∈ {0, 1}. The adversary wins the game if b = b ′. The advantage of adversary $A_{II}$ is defined as ${Adv}_{A_{II}} : = | \Pr [b = b^{'}] - 1 / 2 | .$

Definition: An HCBE scheme is said to be secure against an adaptive chosen ciphertext attack (or IND-CCA2 secure) if no probabilistic polynomially bounded adversary has non-negligible advantage in either Game 1 or Game 2.

4 The proposed CBE scheme in the standard model

By applying the Canetti-Halevi-Katz transfromation [14] to the Lewko-Waters HIBE [21], we construct a CCA2-secure CBE scheme in the standard model. The proposed CBE scheme is later extended to HCBE scheme.

Setup: Choose a bilinear group $G$ of order N = p₁p₂p₃. Randomly choose $g, h, u_{1}, u_{2} \in G_{p_{1}}$ and $α \in ℤ_{N}$ . Let H₁ : {0, 1}^* → {0, 1}ⁿ and H₂ : {0, 1}^* → {0, 1}ⁿ be two collision resistant hash functions.

Public parameters: params = { N, n, g, h, u₁, u₂, e (g, g) ^α, H₁, H₂}. Master secret key: msk = α.

SetKeyPair: Choose randomly $β \in ℤ_{N}$ and $h_{2} \in G_{p_{1}}$ . Compute: H₁ = g^β. A user’s secret key is SK = β, and its corresponding public key is PK = (h₁, h₂).

Certification: Set ID₁ = H₁ (user ∥ PK) where (user ∥ PK) is concatenation of user’s identity information and the user’s public key. Choose $R_{2}, R_{3}, R_{3}^{'} \in G_{p_{3}}$ and $r \in ℤ_{N}$ . Compute: Cert₀ = g^rR₃, ${Cert}_{1} = g^{α} (u_{1}^{{ID}_{1}} h)^{r} R_{3}^{'}$ , ${Cert}_{2} = u_{2}^{r} R_{2}$ . The certificate is Cert = (Cert₀, Cert₁, Cert₂).

Encryption:

Generate a one-time signing-verification key pair (sk, vk).

Let: ID₁ = H₁ (user ∥ PK), ID₂ = H₂ (vk).

Choose randomly $s \in ℤ_{N}$ . Compute:

C₀ = Me (g, g) ^αse (H₁, H₂) ^s.

$C_{1} = (u_{1}^{{ID}_{1}} u_{2}^{{ID}_{2}} h)^{s}$ .

C₂ = g^s. We have C = (C₀, C₁, C₂).

Compute: σ = Sign_sk (C).

Output: (vk, C, σ).

Decryption:

Check if Vrfy (vk, C, σ) =1. If not, output ⊥. Else, do the next steps.

Let: ID₁ = H₁ (user ∥ PK), ID₂ = H₂ (vk).

Choose randomly: ${\tilde{R}}_{3}, {\tilde{R}}_{3}^{'} \in G_{p_{3}}$ , $r^{'} \in Z_{N}$ . Set:

$d_{0} = {Cert}_{0} g^{r^{'}} {\tilde{R}}_{3}$ .

$d_{1} = {Cert}_{1} h_{2}^{β} (u_{1}^{{ID}_{1}} h)^{r^{'}} {Cert}_{2}^{{ID}_{2}} u_{2}^{r^{'} {ID}_{2}} {\tilde{R}}_{3}^{'}$ .

Compute: $M = C_{0} \frac{e (d_{0}, C_{1})}{e (d_{1}, C_{2})}$ .

Theorem 1. The proposed CBE scheme is chosen-ciphertext secure against Type-I adversary if H₁ and H₂ are collision resistant hash functions, OTS is a strong unforgeable signature scheme and subgroup decicion problem for three primes assumptions hold in $G$ .

Proof: We will construct an algorithm $B$ by using an adversary $A_{I}$ to break either the underlying stronly unforgeable one-time signature with probability Pr[Forge] or the CPA security of the 2nd-level Lewko-Waters HIBE, where $A_{I}$ is a successful adversary against the CBE scheme. The algorithm $B$ works by interacting with $A_{I}$ as follows.

Setup: The 2nd-HIBE challenger generates ID.msk = α, public parameters ID.params = { N, n, g, h, u₁, u₂, e (g, g) ^α}, gives ID.msk to $B$ , and keeps secret the msk. Next, $B$ sets H₁ : {0, 1}^* → {0, 1}ⁿ and H₂ : {0, 1}^* → {0, 1}ⁿ to be two collision resistant hash functions. Finally, $B$ sends to $A_{I}$ the public paramters: CB. params = { ID.parmas, H₁, H₂}.

Phase 1: Adversary $A_{I}$ makes queries as follows:

Certification query: < user, (H₁, H₂)>, $B$ asks 2nd-HIBE challenger for the secret key corresponding to identity ID₁ = H₁ (user ∥ (H₁, H₂)) and forwards the answer to $A_{I}$ .

Decryption query: < user, (H₁, H₂), β, (vk, C, σ)>. $B$ does the following checks:

If Vrfy (C, σ) ≠1, $B$ aborts the game.

Otherwise, $B$ sets ID₁ = H₁ (user ∥ (H₁, H₂)) and ID₂ = H₂ (vk). It then submits the query ID = (ID₁, ID₂) to 2nd-HIBE challenger for the private key. The challenger responds the private key: $(d_{0}, d_{1}^{'}, d_{2}) = (g^{r} R_{3},$ $g^{α} (u_{1}^{{ID}_{1}} u_{2}^{{ID}_{2}})^{r}, u_{2}^{r} R_{2})$ . Then $B$ computes $(d_{0}, d_{1}, d_{2}) = (d_{0}, d_{1}^{'} h_{2}^{β}, d_{2})$ . It uses the decryption key to decrypt the ciphertext: $C_{0} \frac{e (d_{0}, C_{1})}{e (d_{1}, C_{2})} = M$ . $A_{I}$ is given M as the answer to its decryption query.

Challenge: $< {user}^{*}, β^{*}, (h_{1}^{*}, h_{2}^{*}), M_{0}, M_{1} >$ . $B$ does the following steps:

Run KeyGen of the OTS to generate (sk^*, vk^*).

Compute: ${ID}_{1}^{*} = H_{1} ({user}^{*}, (h_{1}^{*}, h_{2}^{*}))$ and ID₂ = H₂ (vk^*).

Submit to 2nd-HIBE challenger the query $< ({ID}_{1}^{*}, {ID}_{2}^{*}), M_{0}, M_{1} >$ . The 2nd-HIBE challenger chooses random b ∈ {0, 1} and sets: $ID . Enc (({ID}_{1}^{*}, {ID}_{2}^{*}), M_{b}) = (M_{b} e (g, g)^{α s}, (u_{1}^{{ID}_{1}^{*}} u_{2}^{{ID}_{2}^{*}} h)^{s}, g^{s}) = (C_{0}, C_{1}, C_{2})$ .

$B$ modifies the ciphertext to obtain: $C^{*} = (C_{0} e (C_{2}, h_{2}^{β}), C_{1}, C_{2}) = (M_{b} e (g, g)^{α s} e (h_{1}, h_{2})^{s}, (u_{1}^{{ID}_{1}^{*}} u_{2}^{{ID}_{2}^{*}} h)^{s}, g^{s})$ .

Next, $B$ queries the OTS challenger for the signature σ^* = Sign_sk
^* (C^*).

Finally, $B$ sends to $A_{I}$ the challenge ciphertext (vk^*, C^*, σ^*).

Phase 2: Adversary $A_{I}$ makes additional certification and decryption queries, except that it cannot ask for the certificate of $< {user}^{*}, (h_{1}^{*}, h_{2}^{*}) >$ and decryption query of $< {user}^{*}, β^{*}, (h_{1}^{*}, h_{2}^{*}), ({vk}^{*}, C^{*}, σ^{*})$ . The key extraction is answered as in Phase 1. The decryption query is answered as follows:

If vk = vk^* and $< user, (h_{1}, h_{2}) > = < {user}^{*}, h_{1}^{*}, h_{2}^{*} >$ , $B$ aborts the game. (The security of the strong OTS scheme ensures that the adversary cannot generate a valid ciphertext in this case).

If vk ≠ vk^*, $B$ does as in Phase 1. It queries for private key of ID = (ID₁, ID₂) to 2nd-HIBE and then uses the private key to decrypt the ciphertext. It sends back decrypted message M to $A_{I}$ .

Guess: Adversary $A_{I}$ outputs a guess b ′ ∈ {0, 1} and $B$ uses this output as its result.

$A_{I}$ ’s view is identical to its view in a real attack game, except the event Forge occurs or collision is found. Therefore we get $\begin{matrix} {Adv}_{A_{I}}^{CBE} \geq {Adv}_{B}^{CPA - (2) HIBE} \\ - 1 / 2 (\Pr_{B} [Forge] + \Pr_{B} [Collision]) . \end{matrix}$ ■

Theorem 2.The proposed CBE scheme is chosen-ciphertext secure against Type II adversary $A_{II}$ if H₁ and H₂ are collision resistant hash functions, OTS is a strong unforgeable signature scheme and subgroup decision problem for three primes assumptions hold in $G$ .

Proof. We will construct an algorithm $B$ by using an adversary $A_{II}$ to break either the underlying stronly unforgeable one-time signature with probability Pr[Forge] or the CPA security of the Lewko-Waters IBE, where $A_{II}$ is a successful adversary against the CBE scheme. The algorithm $B$ works by interacting with $A_{II}$ as follows.

Setup: The adversary $B$ initializes the IBE challenger, who runs ID.Setup and sends ID.params = (N, n, g, h₁, h₂, u₂, e (h₂, h₂) ^β) where h₂ = g^{β ′}, h₁ = g^β and ID.msk = β. The value β ′ is also given to $B$ .

Next, $B$ chooses $α \in ℤ_{N}$ and sets CB. msk = α. Furthermore, it sets: H₁ : {0, 1}^* → {0, 1}ⁿ and H₂ : {0, 1}^* → {0, 1}ⁿ to be two collision resistant hash functions.

Following this, $B$ sends to $A_{II}$ CB. params = { ID.params, H₁, H₂} and CB. msk = α.

Phase 1: Adversary $A_{II}$ issues decryption query < user, (vk, C, σ)>. $B$ performs the follwing checks:

Vrfy (C, σ) =1. If it is not hold, $B$ then aborts the games.

Otherwise, $B$ submits the query to the IBE challenger for key extraction query of ID₂ = H₂ (vk), and receives K₁ = g^rR₃, $K_{2} = h_{2}^{β} (u_{2}^{{ID}_{2}} h)^{r} R_{3}^{'}$ and $E_{2} = u_{2}^{r} R_{2}$ . $B$ computes ID₁ = H₁ (user ∥ (H₁, H₂)). Then $B$ modifies the keys to be $d_{0} = K_{1} g^{r^{'}} \tilde{R_{3}}$ , $d_{1} = g^{α} K_{2} (u_{1}^{{ID}_{1}} u_{2}^{{ID}_{2}} h)^{r^{'}} E_{2}^{{ID}_{2}} u_{2}^{r^{'} {ID}_{2}} {\tilde{R}}_{3}^{'}$ . $B$ uses this key to decrypt the ciphertext C. The result M is given to $A_{II}$ .

Challenge: On < user^*, M₀, M₁>, $B$ does as follows:

$B$ runs the key generation algorithm of OTS to generate (sk^*, vk^*), and computets ${ID}_{2}^{*} = H_{2} ({vk}^{*})$ .

$B$ submits the query $< {ID}_{2}^{*}, (M_{0}, M_{1}) >$ to IBE challenger. The IBE challenger flips a fair coin b ∈ {0, 1} and generates ciphertext: $C = ID . Enc ({ID}_{2}^{*}, M_{b}) = (M_{b} e (h_{2}, h_{2})^{β s}, (u_{2}^{{ID}_{2}^{*}} h)^{s}, u_{1}^{s}, h_{2}^{s}) = (C_{0}^{'}, C_{10}, C_{11}, C_{2})$ .

Then $B$ modifies the ciphertext C to obtain: $C^{*} = (C_{0}^{'} . e (C_{2}^{α}, g), (C_{10} . C_{11}^{{ID}_{1}^{*}})^{β^{'}}, C_{2}^{β^{'}}) = (M_{b} . e (h_{1}, h_{2})^{β^{'} s}, e (g, g)^{α β^{'} s}, (u_{1}^{{ID}_{1}^{*}} u_{2}^{{ID}_{2}^{*}} h)^{β^{'} s}, g^{β^{'} s})$

Next, $B$ queries to the OTS challenger to get σ^* = Sign_sk
^* (C^*).

Finally, $B$ sends $A_{II}$ the challenge ciphertext (vk^*, C^*, σ^*).

Phase 2: The adversary continuously queries as in Phase, except that query for < user^*, (vk^*, C^*, σ^*) > is not allowed.

Guess: Adversary $A_{II}$ outputs a guess b ′ ∈ {0, 1} and $B$ outputs the same guess.

$A_{II}$ ’s view is identical to its view in a real attack game, except the event Forge occurs or collision is found. Therefore we get $\begin{matrix} {Adv}_{A_{II}^{CBE}} \geq {Adv}_{B}^{CPA - IBE} \\ - 1 / 2 (\Pr_{B} [Forge] + \Pr_{B} [Collision]) . \end{matrix}$ ■

5 The proposed HCBE scheme in the standard model

We extend the proposed CBE scheme to HCBE scheme as below. The security proof is similar to the one for the proposed CBE scheme.

Setup: Choose a bilinear group $G$ of order N = p₁p₂p₃. Randomly choose $g, h, u_{1}, u_{2}, . . ., u_{l} \in G_{p_{1}}$ where l is maximum depth of HCBE and $α \in ℤ_{N}$ . Let H₁ : {0, 1}^* → {0, 1}ⁿ and H₂ : {0, 1}^* → {0, 1}ⁿ be two collision resistant hash functions. Public parameters: params = { N, n, g, h, u₁, u₂, …, u_l, e (g, g) ^α, H₁, H₂}. Master secret key: msk = α.

SetKeyPair: Consider a level j. Choose randomly $β_{j} \in ℤ_{N}$ and $h_{j 2} \in G_{p_{1}}$ . Compute: h_j1 = g^β
_j. A user’s secret key is SK_j = β_j, and public key is PK_j = (h_j1, h_j2).

Certification: Set ID_j = H₁ (user_j ∥ PK_j) where (user_j ∥ PK_j) is concatenation of user’s identity information and the user’s public key. Choose $R_{2}, R_{3}, R_{3}^{'}, R_{j + 1}, . . ., R_{l} \in G_{p_{3}}$ and $r \in ℤ_{N}$ .

Compute: $Cert = (g^{r} R_{3}, g^{α} (u_{1}^{{ID}_{1}} . . . u_{j}^{{ID}_{j}} h)^{r} R_{3}, u_{j + 1}^{r} R_{j + 1}, . . ., u_{l}^{r} R_{l})$ = (Cert₀, …, Cert_l).

Encryption:

Generate a OTS key pair (sk, vk).

Let: ID_{j +1} = H₂ (vk).

Choose randomly $s \in ℤ_{N}$ . Compute:

C₀ = Me (g, g) ^αse (h_j1, h_j2) ^s.

$C_{1} = (u_{1}^{{ID}_{1}} u_{2}^{{ID}_{2}} . . . u_{j + 1}^{{ID}_{j + 1}} h)^{s}$ .

C₂ = g^s. We have: C = (C₀, C₁, C₂).

Compute: σ = Sign_sk (C).

Output: (vk, C, σ).

Decryption:

Check if Vrfy (vk, C, σ) =1. If not, output ⊥. Else, do the next steps.

Let ID_{j +1} = H₂ (vk).

Choose randomly: ${\tilde{R}}_{3}, {\tilde{R}}_{3}^{'}, {\tilde{R}}_{j + 1}, . . ., {\tilde{R}}_{l} \in G_{p_{3}}$ , $r^{'} \in Z_{N}$ . Set:

$d_{0} = {Cert}_{0} g^{r^{'}} {\tilde{R}}_{3}$ .

$d_{1} = {Cert}_{1} h_{j 2}^{β_{j}} (u_{1}^{{ID}_{1}} . . . u_{j}^{{ID}_{j}})^{r^{'}} {Cert}_{j + 1}^{{ID}_{j + 1}} u_{j + 1}^{r^{'} {ID}_{j + 1}} {\tilde{R}}_{3}^{'}$ .

Compute: $M = C_{0} \frac{e (d_{0}, C_{1})}{e (d_{1}, C_{2})}$ .

Theorem 3. The proposed HCBE scheme is chosen-ciphertext secure against Type-I adversary if H₁ and H₂ are collision resistant hash functions, OTS is a strong unforgeable and subgroup decicion problem for three primes assumptions hold in $G$ .

Proof. We call $H$ is the HCBE scheme with l -level and $H^{'}$ is the corresponding Lewko-Gentry HIBE with (l + 1)-level.

Given an identity tuple ID = (ID₁, …, ID_j), j ≤ l in $H$ , the sender encrypts the message M to a (j + 1) level identity ID_{j +1} = H₂ (vk) of $H^{'}$ where vk is the verification key of the underlying one-time signature scheme. The receiver having identity ID can derive the decryption key at level (j + 1) of ID_{j +1} in $H^{'}$ from the corresponding certificate of ID in $H$ .

We will construct an algorithm $B$ by using an adversary $A_{I}$ to break either the underlying stronly unforgeable one-time signature with probability Pr[Forge] or the CPA security of the (l + 1)-level of the Lewko-Waters HIBE, where $A_{I}$ is a successful adversary against the HCBE scheme. The algorithm $B$ works by interacting with $A_{I}$ as follows.

Setup: The (l + 1)-level HIBE challenger generates the ID.msk = α and public parameters ID.params = { N, n, g, h, u₁, u₂, …, u_l, e (g, g) ^α} and gives ID.msk to $B$ , keeps secret the msk. Next, $B$ sets H₁ : {0, 1}^* → {0, 1}ⁿ and H₂ : {0, 1}^* → {0, 1}ⁿ to be two colli Finally, $B$ sends to $A_{I}$ the public paramters: CB. params = { ID.parmas, H₁, H₂}.

Phase 1: Adversary $A_{I}$ makes queries as follows:

Certification query: < user₁, …, user_j ; PK₁, …, PK_j>, $B$ asks its HIBE challenger for the secret key corresponding to identity ID = (ID₁, ID₂, …, ID_j) where ID_i = H₁ (user_i, PK_i) (i ≤ j) and forwards the answer to $A_{I}$ .

Decryption query: < user₁, …, user_j ; PK₁, …, PK_j, β_j, (vk, C, σ)>. $B$ does the following checks:

Vrfy (C, σ) ≠1, $B$ aborts the game.

Otherwise, $B$ sets ID = (ID₁, ID₂, …, ID_j) where ID_i = H₁ (user_i, PK_i) and ID₍j + 1) = H₂ (vk). It then submits the query ID ′ = (ID₁, …, ID_{j +1}) to the HIBE challenger for the private key. The challenger responds the private key: $(d_{0}, d_{1}^{'}, d_{2}, . . ., d_{j + 1}) = (g^{r} R_{3},$ $g^{α} (u_{1}^{{ID}_{1}} . . . u_{j + 1}^{{ID}_{j + 1}})^{r}, u_{2}^{r} R_{2}, . . ., u_{j + 1}^{r}$ R_{j +1}). Then $B$ computes: $(d_{0}, d_{1}) = (d_{0}, d_{1}^{'} h_{2}^{β})$ . It uses the decryption key to decrypt the ciphertext: $C_{0} \frac{e (d_{0}, C_{1})}{e (d_{1}, C_{2})} = M$ . $A_{I}$ is given M as the answer to its decryption query.

Challenge: On $< {user}^{*} = {user}_{1}^{*}, . . ., {user}_{j}^{*}; β_{j}^{*}, {PK}^{*} = {PK}_{1}^{*}, . . ., {PK}_{j}^{*}; M_{0}, M_{1} >$ , $B$ does the following steps:

Run the key generation algorithm of OTS to generate (sk^*, vk^*).

Compute: ${ID}^{*} = ({ID}_{1}^{*}, {ID}_{2}^{*}, . . ., {ID}_{j}^{*})$ where ${ID}_{i}^{*} = H_{1} ({user}_{i}^{*}, {PK}_{i}^{*})$ and ${ID}_{j + 1}^{*} = H_{2} ({vk}^{*})$ .

Submit to the HIBE challenger the query $< ({ID}_{1}^{*}, . . ., {ID}_{j + 1}^{*}); M_{0}, M_{1} >$ . The HIBE challenger chooses random b ∈ {0, 1} and sets: $ID . Enc (({ID}_{1}^{*}, . . ., {ID}_{j + 1}^{*}), M_{b}) = (M_{b} e (g, g)^{α s}, (u_{1}^{{ID}_{1}^{*}} . . . u_{j + 1}^{{ID}_{j + 1}^{*}} h)^{s}, g^{s}) = (C_{0}, C_{1}, C_{2})$ .

$B$ modifies the ciphertext to obtain: $C^{*} = (C_{0} e (C_{2}, h_{2}^{β}), C_{1}, C_{2}) = (M_{b} e (g, g)^{α s} e (h_{1}, h_{2})^{s}, (u_{1}^{{ID}_{1}^{*}} . . . u_{j + 1}^{{ID}_{j + 1}^{*}} h)^{s}, g^{s})$ .

Next, $B$ queries the OTS challenger for the signature σ^* = Sign_sk
^* (C^*).

Finally, $B$ sends to $A_{I}$ the challenge ciphertext (vk^*, C^*, σ^*).

If vk = vk^* and $< {user}_{1}, . . . {user}_{j}; {PK}_{1}, . . ., {PK}_{j} > = < {user}_{1}^{*}, . . . {user}_{j}^{*}; {PK}_{1}^{*},$ $. . ., {PK}_{j}^{*} >$ , $B$ aborts the game. (The security of the strong OTS scheme ensures that the adversary cannot generate a valid ciphertext in this case).

If vk ≠ vk^*, $B$ does as in Phase 1. It queries for private key of ID = (ID₁, …, ID_{j +1}) to the HIBE challenger and uses the private key to decrypt the ciphertext. It sends back the decrypted message M to $A_{I}$ .

Guess: Adversary $A_{I}$ outputs a guess b ′ ∈ {0, 1} and $B$ uses this output as its result.

$A_{I}$ ’s view is identical to its view in a real attack game, except the event Forge occurs or collision is found. Therefore we get $\begin{matrix} {Adv}_{A_{I}}^{HCBE} \geq {Adv}_{B}^{CPA - HIBE} \\ - 1 / 2 (\Pr_{B} [Forge] + \Pr_{B} [Collision]) . \end{matrix}$ ■

Theorem 4.The proposed HCBE scheme is chosen-ciphertext secure against Type II adversary $A_{II}$ if H₁ and H₂ are collision resistant hash functions, OTS is a strong unforgeable signature scheme and subgroup decision problem for three primes assumptions hold in $G$ .

Proof. We will construct an algorithm $B$ by using an adversary $A_{II}$ to break either the underlying stronly unforgeable one-time signature with probability Pr[Forge] or the CPA security of the j -level Lewko-Waters HIBE, where $A_{II}$ is a successful adversary against the j -level HCBE scheme. The algorithm $B$ works by interacting with $A_{II}$ as follows.

Setup: The adversary $B$ initializes the HIBE challenger, who runs ID.Setup and sends ID.params = (N, n, g, h₁, h₂, u₁, …, u_l, e (h₂, h₂) ^β) where h₂ = g^{β ′}, h₁ = g^β and ID.msk = β. The value β ′ is also given to $B$ .

Next, $B$ chooses $α \in ℤ_{N}$ and sets CB. msk = α. Furthermore, it sets: H₁ : {0, 1}^* → {0, 1}ⁿ and H₂ : {0, 1}^* → {0, 1}ⁿ to be two collision resistant hash functions.

Following this, $B$ sends to $A_{II}$ CB. params = { ID.params, H₁, H₂} and CB. msk = α.

Phase 1: Adversary $A_{II}$ issues decryption query < user₁, …, user_j, (vk, C, σ)>. $B$ performs the follwing checks:

Vrfy (C, σ) =1. If it is not hold, $B$ then aborts the games.

Otherwise, $B$ submits the query to the HIBE challenger for key extraction query of ID = (ID₁, …, ID_{j -1}, ID_{j +1}), where ID_{j +1} = H₂ (vk), and receives K₁ = g^rR₃, $K_{2} = h_{2}^{β} (u_{1}^{{ID}_{1}} . . . u_{j - 1}^{{ID}_{j - 1}} u_{j + 1}^{{ID}_{j + 1}} h)^{r} R_{3}^{'}$ and $E_{j + 1} = u_{j + 1}^{r} R_{j + 1}$ ,…, $E_{l} = u_{l}^{r} R_{l}$ . $B$ computes ID_j = H₁ (user_j ∥ (H₁, H₂)). Then $B$ modifies the keys to be $d_{0} = K_{1} g^{r^{'}} \tilde{R_{3}}$ , $d_{1} = g^{α} K_{2} (u_{1}^{{ID}_{1}} . . . u_{j}^{{ID}_{j}} h)^{r^{'}} E_{j + 1}^{{ID}_{j + 1}} u_{j + 1}^{r^{'} {ID}_{j + 1}} {\tilde{R}}_{3}^{'}$ which are used to decrypt the ciphertext C. The result M is given to $A_{II}$ .

Challenge: On $< {user}^{*} = {user}_{1}^{*}, . . ., {user}_{j}^{*}; M_{0}, M_{1} >$ , $B$ does as follows:

$B$ runs the key generation algorithm of OTS to generate (sk^*, vk^*), it computets ${ID}_{j + 1}^{*} = H_{2} ({vk}^{*})$ .

$B$ submits the query $< {ID}_{1}^{*}, . . . ., {ID}_{j - 1}^{*}, {ID}_{j + 1}^{*}, (M_{0}, M_{1}) >$ to the HIBE challenger. The HIBE challenger flips a fair coin b ∈ {0, 1} and generates ciphertext: $C = ID . Enc ({ID}_{2}^{*}, M_{b}) = (M_{b} e (h_{2}, h_{2})^{β s}, (u_{1}^{{ID}_{1}^{*}}, . . ., u_{j - 1}^{{ID}_{j - 1}^{*}} u_{j + 1}^{{ID}_{j + 1}^{*}} h)^{s}, u_{j}^{s}, h_{2}^{s}) = (C_{0}^{'}, C_{10}, C_{11}, C_{2})$ .

Next, $B$ queries to OTS challenger to get σ^* = Sign_sk
^* (C^*).

Finally, $B$ sends $A_{II}$ the challenge ciphertext (vk^*, C^*, σ^*).

Phase 2: The adversary continuously queries as in Phase 1, except that query for < user^*, (vk^*, C^*, σ^*)> is not allowed.

Guess: Adversary $A_{II}$ outputs a guess b ′ ∈ {0, 1} and $B$ outputs the same guess.

$A_{II}$ ’s view is identical to its view in a real attack game, except the event Forge occurs or collision is found. Therefore we get $\begin{matrix} {Adv}_{A_{II}^{HCBE}} \geq {Adv}_{B}^{CPA - HIBE} \\ - 1 / 2 (\Pr_{B} [Forge] + \Pr_{B} [Collision]) . \end{matrix}$ ■

6 Comparison

From Table 1, we can see that only ours and [8] are proved in full security model while the others are proved in selective model which is considered as weaker security notion. When compared with [8], our scheme is based on a static assumption which is weaker than non-static assumptions which [8] is based on.

Table 1
Comparison of the security model

Scheme Security model Assumption

[18] Selective BDH, DBDH

[8] Full Truncated Decision q-ABDH, DBDH

[16] Selective BDH, DBDH

Our $CBE$ Full Supgroup decison in composite order group

Our $HCBE$ Full Supgroup decison in composite order group

Scheme	Security model	Assumption
[18]	Selective	BDH, DBDH
[8]	Full	Truncated Decision q-ABDH, DBDH
[16]	Selective	BDH, DBDH
Our $CBE$	Full	Supgroup decison in composite order group
Our $HCBE$	Full	Supgroup decison in composite order group

Table 2 compares our scheme with the other CBE schemes in the standard model. $| G |$ , $| G_{1} |$ , $| G^{*} |$ , $| G_{T} |$ , $| G_{p_{1}} |$ and $| ℤ_{p} |$ denote the bit sizes of G, G₁, G^*, G_T, G_{p
₁} and $ℤ_{p}$ , respectively. j ≤ l denotes a particular level of the l -level hierarchical system. [18] requires the public commitment string and message authentication code, which are denoted by | com | and | Mac |, respectively. Our scheme and [16] require OTS, where the bit sizes of verification key and signature are denoted by | vk | and | Sign |, respectively. Sign and Vrfy denote computations required for the signing and verifying steps, respectively. When compared with [8], our scheme is a little bit heavier in terms of decryption (the number of pairing is the same, but approximately extra three exponentiations and Vrfy are required), but saves up to four exponentiations plus six pairings in encryption. We note that currently computing a pairing operation can be as expensive as ten odd exponentiations.

Table 2

Comparison of the storage and computation

Scheme	Ciphertex size	Encryption	Decryption
[18]	$\| G_{1} \| + \| G^{*} \| + 2 \| G \|$	3 E + 2 P + Sign	3 E + 3 P + Vrfy
	+\| com \| + \| Mac \|
[8]	$\| G \| + 3 \| G_{T} \|$	10 E + 8 P	3 E + 2 P
[16]	$2 \| G \| + \| G_{T} \| + n + \| vk \| + \| σ \|$	5 E + 2 P + Mac	3 E + 3 P + Mac
Our $CBE$	$2 \| G_{p_{1}} \| + \| G_{T} \| + \| vk \| + \| σ \|$	6 E + 2 P + Sign	6 E + 2 P + Vrfy
Our $HCBE$	$2 \| G_{p_{1}} \| + \| G_{T} \| + \| vk \| + \| σ \|$	(j + 4) E + 2 P + Sign	(j + 4) E + 2 P + Vrfy

7 Conclusion

In this paper, we proposed a CBE scheme which is proved to be IND-CCA2 secure in the stadard model under a static assumption. The proposed CBE is extended to HCBE with ciphetexts of constant size which is the first fully IND-CCA2 secure HCBE scheme.

Footnotes

Acknowledgments

This work was supported by the National Research Foundation of Korea(NRF) grant funded by the Korea government(MSIP) (No. 2017R1A2B4001801).

References

Gentry

, Certificate-based encryption and the certificate revocation problem, In Advances in Cryptology, EURO-CRYPT2003, Springer, 2003, pp. 272–293.

Boneh

and Franklin

, Identity-based encryption from the weil pairing, In Advances in Cryptology, CRYPTO 2001, Springer, 2001, pp. 213–229.

Rivest

, Shamir

and Adleman

, A method for obtaining digital signatures and public-key cryptosystems, In Communications of the ACM21(2) (1978), 120–126.

Al-Riyami

S.S.

and Paterson

K.G.

, Cbe from clpke: A generic construction and efficient schemes, Public Key Cryptography-PKC 2005, Springer, 2005, pp. 398–415.

Dodis

and Katz

, Chosen-ciphertext security of multiple encryption, Theory of Cryptography, Springer, 2005, pp. 188–209.

Galindo

, Morillo

and Ràfols

, Breaking Yum and Lee generic constructions of certificate-less and certificatebased encryption schemes, Public Key Infrastructure, Springer, 2006, pp. 81–91.

Kang

B.G.

and Park

J.H.

, Is it possible to have cbe from cl-pke?IACR Cryptology ePrint Archive431 (2005).

Liu

and Zhou

, Efficient certificate-based encryption in the standard model, In volume 8, Springer, pp. , SCN, volume 8, Springer, 2008, pp 144–155.

and Li

, Constructing efficient certificate-based encryption scheme with pairing in the standard model, In Information Theory and Information Security (ICI-TIS), 2010 IEEE International Conference on, IEEE, 2010, pp. 234–237.

10.

and Li

, Constructing pairing-free certificatebased encryption, International Journal of Innovative Computing Information and Control9(11) (2013), 4509–4518.

11.

, Mu

, Susilo

, Huang

and Xu

, A provably secure construction of certificate-based encryption from certificateless encryption, The Computer Journal (2012), bxr130.

12.

Yao

, Li

and Zhang

, Certificate-based encryption scheme without pairing, KSII Transactions on Internet & Information Systems7(6) (2013).

13.

Yum

D.H.

and Lee

P.J.

, Generic construction of certifi-cateless encryption, In Computational Science and Its Applications-ICCSA 2004, Springer, 2004, pp. 802–811.

14.

Canetti

, Halevi

and Katz

, Chosenciphertext security from identity-based encryption, In Advances in Cryptology-Eurocrypt 2004, Springer, 2004, pp. 207–222.

15.

Lamport

, Constructing digital signatures from a oneway function. Technical report. Technical Report CSL-98, SRI International Palo Alto, 1979.

16.

Morillo

and Ràfols

, Certificate-based encryption without random oracles, 2006.

17.

Waters

, Efficient identity-based encryption without random oracles, In Advances in Cryptology—EUROCRYPT 2005, Springer, 2005, pp. 114–127.

18.

Galindo

, Morillo

and Ràfols

, Improved certificate-based encryption in the standard model, Journal of Systems and Software81(7) (2008), 1218–1226.

19.

Boneh

and Boyen

, Efficient selective-id secure identity-based encryption without random oracles, In Advances in Cryptology-EUROCRYPT 2004, Springer, 2004, pp. 223–238.

20.

and Li

, Generic construction of certificatebased encryption in the standard model, In Electronic Commerce and Security, 2009 ISECS'09. Second International Symposium on, volume 1, IEEE, 2009, pp. 25–29.

21.

Lewko

and Waters

, Waters, New techniques for dual system encryption and fully secure hibe with short ciphertexts, In Theory of Cryptography, Springer, 2010, pp. 455–479.

22.

Hyla

and Pejaś

, Certificate-based encryption scheme with general access structure, Computer Information Systems and Industrial Management, Springer, 2012, pp. 41–55.

23.

Sur

, Park

, Shin

S.U.K.

, Rhee

K.H.

and Seo

, Certificate-based proxy re-encryption for public cloud storage, Innovative Mobile and Internet Services in Ubiquitous Computing (IMIS), 2013 Seventh International Conference on, IEEE, pp. 2013, pp. 159–166.

24.

Fan

C.-I.

, Tsai

P.-J.

, Huang

J.-J.

and Chen

W.-T.

, Anonymous multi-receiver certificate-based encryption, In Cyber-Enabled Distributed Computing and Knowledge Discovery (CyberC), 2013 International Conference on, IEEE, 2013, pp. 19–26.

Efficient certificate-based encryption and hierarchical certificate-based encryption schemes in the standard model

Abstract

Keywords

1 Introduction

1.1 Related work

1.2 Basic ideas

1.3 Contributions

2 Preliminaries

2.1 Blinear pairing

2.2 Hardness assumptions

2.3 One-time signature [15]

3 Framework of certificate-based encryption

3.1 Certificate-based encryption scheme

3.2 Hierarchical certificate-based encryption scheme

4 The proposed CBE scheme in the standard model

5 The proposed HCBE scheme in the standard model

6 Comparison

Table 1 Comparison of the security model Scheme Security model Assumption [18] Selective BDH, DBDH [8] Full Truncated Decision q-ABDH, DBDH [16] Selective BDH, DBDH Our CBE Full Supgroup decison in composite order group Our HCBE Full Supgroup decison in composite order group

Footnotes

Acknowledgments

References

Table 1
Comparison of the security model

Scheme Security model Assumption

[18] Selective BDH, DBDH

[8] Full Truncated Decision q-ABDH, DBDH

[16] Selective BDH, DBDH

Our $CBE$ Full Supgroup decison in composite order group

Our $HCBE$ Full Supgroup decison in composite order group