Efficient Chosen-Ciphertext Secure Identity-Based Encryption with Wildcards

James Birkett, Alexander W. Dent, Gregory Neven, Jacob C. N. Schuldt
Information Security and Privacy (ACISP 2007)
We propose new instantiations of chosen-ciphertext secure identity-based encryption schemes with wildcards (WIBE). Our schemes outperform all existing alternatives in terms of efficiency as well as security. We achieve these results by extending the hybrid encryption (KEM-DEM) framework to the case of WIBE schemes. We propose and prove secure one generic construction in the random oracle model, and one direct construction in the standard model.

... actual message under the key K. The basic construction has been used within the cryptographic community for years, dating back to the work of Blum and Goldwasser in 1984 [4], but its security for the case of public-key encryption was not properly analysed until the work of Cramer and Shoup [11]. One would intuitively expect these results to extend to the case of WIBEs, but this was never formally shown to be the case.

Chosen-ciphertext security. The basic schemes of [1] are proved secure under an appropriate adaptation of indistinguishability (IND) under chosen-plaintext attack (CPA) [13], where the adversary is given access to a key derivation oracle and has to distinguish between encryptions of two messages of its choice. This security notion is often not considered sufficient for practice, though. Rather, the community seems to have settled on the stronger notion of indistinguishability under chosen-ciphertext attack (CCA) [16] as the "right" security notion for practical use. The need for chosen-ciphertext security in practice was shown by Bleichenbacher's attack [21] on the SSL key establishment protocol, which was based on the (CPA-secure) RSA-PKCS#1 version 1.5 [22] encryption standard. The practical appreciation for the notion is exemplified by the adoption of the (CCA-secure) RSA-OAEP encryption scheme [23] in version 2 of the RSA-PKCS#1 standard.

A generic construction. Canetti et al. [9] proposed a generic construction of a CCA-secure hierarchical identity-based encryption (HIBE) scheme with up to L hierarchy levels from any (L + 1)-level CPA-secure HIBE scheme and any one-time signature scheme. Abdalla et al. [1] adapted their techniques to the WIBE setting, but their construction requires a (2L + 2)-level CPA-secure WIBE scheme to obtain an L-level CCA-secure one. (The reason is that the construction of [9] prefixes a bit to each identity string indicating whether it is a real identity or a public key of the one-time signature scheme. In the case of WIBE schemes, these bits must be placed on separate levels, because otherwise the simulator may need to make illegal key derivation queries to answer the adversary's decryption queries.) Doubling the hierarchy depth has a dramatic impact on the efficiency and security of the schemes. First, the efficiency of all known WIBE schemes (in terms of computation, key length, and ciphertext length) is linear in the hierarchy depth, so the switch to CCA security essentially doubles most associated costs. Second, the security of all known WIBE schemes degrades exponentially with the maximal hierarchy depth L. If the value of L is doubled, then either the scheme is restricted to half the (already limited) number of "useful" hierarchy levels, or the security parameter must be increased to restore security. The first measure seriously limits the functionality of the scheme; the second increases costs even further. For example, the WIBE scheme from [1] based on Waters' HIBE scheme [20] loses a factor of $(2 n q_K)^L$ in the reduction to the BDDH problem, where $n$ is the bit length of an identity string at each level of the hierarchy and $q_K$ is the number of adversarial key derivation queries. Assume for simplicity that the advantage of solving the BDDH problem in a group of order $p > 2^k$ is $2^{-k/2}$. If $n = 128$ and $q_K = 2^{20}$, the loss factor is $(2 \cdot 128 \cdot 2^{20})^L = 2^{28L}$, so to limit an adversary's advantage to $2^{-80}$ in a WIBE scheme with $L = 5$ levels one needs $2^{28L} \cdot 2^{-k/2} \le 2^{-80}$, i.e. a group order of at least $k = 160 + 56L = 440$ bits. In the CCA-secure construction, however, one needs a group order of $160 + 56(2L + 2) = 832$ bits, almost doubling the size of the representation of a group element and multiplying by eight the cost of most (cubic-time) algorithms. Furthermore, since there are twice as many levels, the ciphertext must contain twice as many group elements, so overall ciphertexts are four times as large and the cost of encryption and decryption is multiplied by sixteen.

Our contributions.
In this paper, we provide formal support for the use of hybrid encryption with WIBE schemes, and we present CCA-secure schemes that are more
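The KEM-DEM composition that the introduction builds on, written out as an added Python example. This is not code from the paper and it is not a WIBE: the KEM is a toy hashed-ElGamal (DHIES-style) encapsulation over Z_p^* with the Mersenne prime p = 2^127 - 1 and generator 3, and the DEM is a hash-based one-time encrypt-then-MAC, both assumptions chosen only so the example runs offline with the standard library. The point to take from it is the division of labour the text describes: the KEM outputs an encapsulation C1 and a fresh key K, the DEM encrypts the actual message under K, and the hybrid scheme rejects every tampered ciphertext and every malformed encapsulation, which is what denies a chosen-ciphertext adversary useful decryption queries.

```python
"""Toy KEM-DEM hybrid encryption (added example, not the paper's scheme)."""
import hashlib
import hmac
import secrets

# Toy group: Z_p^* with the Mersenne prime p = 2^127 - 1 and generator 3.
# Assumption for illustration only: far too small and not of prime order,
# so it offers no real security. Any CCA-secure KEM (including a WIBE-KEM)
# can be dropped in behind the same (encap, decap) interface.
P = (1 << 127) - 1
G = 3
ELEM_LEN = 16  # bytes needed to encode an element of Z_p (p < 2^128)


def _kdf(c1: int, shared: int) -> bytes:
    """Hash the encapsulation together with the DH value (DHIES-style)."""
    data = c1.to_bytes(ELEM_LEN, "big") + shared.to_bytes(ELEM_LEN, "big")
    return hashlib.sha256(data).digest()


def kem_keygen():
    """Return (sk, pk) with pk = g^sk mod p."""
    sk = secrets.randbelow(P - 2) + 1
    return sk, pow(G, sk, P)


def kem_encap(pk: int):
    """Return (encapsulation C1, session key K) for public key pk."""
    r = secrets.randbelow(P - 2) + 1
    c1 = pow(G, r, P)
    return c1, _kdf(c1, pow(pk, r, P))


def kem_decap(sk: int, c1: int):
    """Recover K from C1, rejecting anything that is not a proper group element."""
    if not 1 < c1 < P - 1:
        return None
    return _kdf(c1, pow(c1, sk, P))


def _keystream(k_enc: bytes, length: int) -> bytes:
    """Hash-based counter mode: block i = SHA-256(k_enc || i)."""
    blocks = (hashlib.sha256(k_enc + i.to_bytes(8, "big")).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]


def _split(k: bytes):
    """Derive independent encryption and MAC keys from the KEM output K."""
    return hashlib.sha256(b"enc" + k).digest(), hashlib.sha256(b"mac" + k).digest()


def dem_encrypt(k: bytes, msg: bytes) -> bytes:
    """One-time encrypt-then-MAC: ct || HMAC(ct). K must be used exactly once."""
    k_enc, k_mac = _split(k)
    ct = bytes(a ^ b for a, b in zip(msg, _keystream(k_enc, len(msg))))
    return ct + hmac.new(k_mac, ct, hashlib.sha256).digest()


def dem_decrypt(k: bytes, c2: bytes):
    """Return the plaintext, or None when the tag does not verify."""
    if len(c2) < 32:
        return None
    k_enc, k_mac = _split(k)
    ct, tag = c2[:-32], c2[-32:]
    if not hmac.compare_digest(hmac.new(k_mac, ct, hashlib.sha256).digest(), tag):
        return None  # reject: a CCA adversary learns nothing from modified ciphertexts
    return bytes(a ^ b for a, b in zip(ct, _keystream(k_enc, len(ct))))


def hybrid_encrypt(pk: int, msg: bytes):
    """KEM-DEM: encapsulate a fresh K, then encrypt the actual message under K."""
    c1, k = kem_encap(pk)
    return c1, dem_encrypt(k, msg)


def hybrid_decrypt(sk: int, c1: int, c2: bytes):
    """Decapsulate, then decrypt; any failure in either stage yields None."""
    k = kem_decap(sk, c1)
    return None if k is None else dem_decrypt(k, c2)


def demo():
    """Round trip plus the rejections a chosen-ciphertext adversary would probe."""
    sk, pk = kem_keygen()
    msg = b"constructed sample plaintext for the hybrid scheme"  # constructed input
    c1, c2 = hybrid_encrypt(pk, msg)
    tampered_c2 = bytes([c2[0] ^ 0x01]) + c2[1:]  # flip one ciphertext bit
    sk2, _ = kem_keygen()                          # an unrelated recipient
    return {
        "roundtrip": hybrid_decrypt(sk, c1, c2) == msg,
        "tampered_rejected": hybrid_decrypt(sk, c1, tampered_c2) is None,
        "wrong_key_rejected": hybrid_decrypt(sk2, c1, c2) is None,
        "bad_encapsulation_rejected": hybrid_decrypt(sk, 1, c2) is None,
    }


if __name__ == "__main__":
    print(demo())
```

The hybrid layer never looks inside K: swapping the toy KEM for a real one (a WIBE-KEM in the paper's setting, where the encapsulation is bound to an identity pattern) changes `kem_encap`/`kem_decap` only. The two rejection paths, the group-membership check in `kem_decap` and the tag check in `dem_decrypt`, are the hybrid scheme's only defence against chosen-ciphertext queries, which is why a DEM without integrity is not enough for CCA security of the composition.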
doi:10.1007/978-3-540-73458-1_21 dblp:conf/acisp/BirkettDNS07