New Proof for BKP IBE Scheme and Improvement in the MIMC Setting

Abstract

In CRYPTO 2014, Blazy et al. [2] proposed a new and efficient identity-based encryption scheme (denoted by BKP) with almost tight security in the prime order setting. However, their scheme is transformed from affine message authentication code and cannot give a standard proof in the IBE setting. Furthermore, it is not proven secure in the multi-instance, multi-ciphertext (MIMC, or multi-challenge) setting. Based on Blazy et al.’s work, we propose a generalized almost tightly secure IBE scheme from BKP IBE scheme and give a new proof in the standard security model under the Matrix Diffie-Hellman (MDDH) assumption. Based on the generalized IBE scheme, we propose a new almost tightly secure IBE scheme in the MIMC setting. Compared with a recent IBE scheme proposed by Gong et al. in the MIMC setting, our scheme is more efficient under the decisional linear (DLIN, or 2-LIN) assumption in the symmetric bilinear groups.

A IBE in the MIMC Setting

Security Model. We define \((\mu , Q_k, Q_c, Q_r)\)-security for an IBE \(\mathsf {\Phi }=(\mathsf {Par}\), \(\mathsf {Setup}\), \(\mathsf {KeyGen}\), \(\mathsf {Encrypt}\), \(\mathsf {Decrypt})\) in the MIMC setting according to the following game.

• Setup. The challenger \(\mathcal {B}\) gets \((\mathsf {pp}, \mathsf {sp})\leftarrow _{\mathrm {R}}\mathsf {Par}(1^\lambda , n)\) and creates \((\mathsf {mpk}^{(j)}\), \(\mathsf {msk}^{(j)})\leftarrow _{\mathrm {R}}\mathsf {Setup}(\mathsf {pp}, \mathsf {sp})\) for \(j\in [\mu ]\) and gives \(\{\mathsf {mpk}^{(j)}\} _{j\in [\mu ]}\) to the adversary \(\mathcal {A}\). The challenger flips a random coin \(\beta \in \{0, 1\}\) whose value is fixed throughout the game. Finally the challenger initializes \(\mathcal {Q}_k\) and \(\mathcal {Q}_c\) as two empty sets.

• Query. The adversary \(\mathcal {A}\) can adaptively make the following two types of queries in an arbitrary order.

  • Key Query. \(\mathcal {A}\) submits an index \(j\in [\mu ]\) and an identity \({\textsf {ID}}\in \mathcal {ID}\). The challenger creates a private key \({\mathsf {sk}}_{\textsf {ID}}\leftarrow _{\mathrm {R}}\mathsf {KeyGen}(\mathsf {mpk}^{(j)}, \mathsf {msk}^{(j)}, \mathsf {ID})\) and gives the adversary the private key. Finally the challenger updates \(\mathcal {Q}_k:=\mathcal {Q}_k\cup \{(j, \mathsf {ID})\}\).

  • Challenge Query. \(\mathcal {A}\) submits an index \(j^*\in [\mu ]\), a challenge identity \(\mathsf {ID}^*\in \mathcal {ID}\) and a message \(\mathsf {M}_0\in \mathcal {M}\) to \(\mathcal {B}\). \(\mathcal {B}\) chooses \(\mathsf {M}_1\leftarrow _{\mathrm {R}}\mathcal {M}\), creates the ciphertext \(\mathsf {CT}^*= \mathrm {\mathsf {Encrypt}}(\mathsf {mpk}^{(j^*)}, \mathsf {ID}^*, \mathsf {M}_\beta )\) and passes \(\mathsf {CT}^*\) to \(\mathcal {A}\). Finally the challenger updates \(\mathcal {Q}_c:=\mathcal {Q}_c\cup \{(j^*, \mathsf {ID}^*)\}\).

• Guess. \(\mathcal {A}\) outputs its guess \(\beta '\) of \(\beta \).

We say that the adversary \(\mathcal {A}\) is valid if and only if (1) \(\mathcal {Q}_k\cap \mathcal {Q}_c=\emptyset \), i.e., for each \((j, \mathsf {ID})\in \mathcal {Q}_k\), for all \((j^*, \mathsf {ID}^*)\in \mathcal {Q}_c\), if \(j=j^*\), \(\mathsf {ID}\ne \mathsf {ID}^*\); (2) \(\mathcal {A}\) has made at most \(Q_k\) key reveal queries, i.e., \(|\mathcal {Q}_k|\le Q_k\); (3) \(\mathcal {A}\) has made at most \(Q_c\) challenge queries for every scheme instance and identity, i.e., \(|\mathcal {Q}_c|\le Q_c\); (4) for each \((j^*, \mathsf {ID}^*)\in \mathcal {Q}_c\), \(\mathcal {A}\) has made at most \(Q_r\) challenge queries.

The advantage of \(\mathcal {A}\) in this game is defined as \(\mathrm {\mathbf {Adv}}_{\mathsf {\Phi }, \lambda , n}^{\mathsf {ind}\text {-}\mathsf {cpa}}(\mathcal {A}, \mu , Q_k, Q_c, Q_r)=|\mathrm {Pr}[\beta ' = \beta ] - \frac{1}{2}|\).

Definition 7

An IBE scheme \(\mathsf {\Phi }\) is \((\mu , Q_k, Q_c, Q_r)\)-secure if \(\mathrm {\mathbf {Adv}}_{\mathsf {\Phi }, \lambda , n}^{\mathsf {ind}\text {-}\mathsf {cpa}}(\mathcal {A}\), \(\mu \), \(Q_k\), \(Q_c, Q_r)\) is negligible for any valid PPT adversary \(\mathcal {A}\).

Weak Security. We consider a weak adversary in the above game who cannot request challenge ciphertexts for the same scheme instance and identity twice, i.e., \(Q_r=1\). An IBE scheme is weakly secure if and only if \(\mathrm {\mathbf {Adv}}_{\mathsf {\Phi }, \lambda , n}^{\mathsf {ind}\text {-}\mathsf {cpa}}(\mathcal {A}\), \(\mu \), \(Q_k\), \(Q_c, 1)\) is negligible for all weak PPT adversaries.