2009 Fifth International Conference on Information Assurance and Security

Forward-Secure Certificate-Based Encryption

Yang Lu and Jiguo Li
College of Computer and Information Engineering, Hohai University, Nanjing, Jiangsu Province, China
e-mail: {luyangnsd, ljg1688}@163.com

Abstract—Certificate-based encryption (CBE) is a new paradigm which overcomes the shortcomings of traditional public-key encryption (PKE) and identity-based encryption (IBE). CBE provides an efficient implicit certificate mechanism to eliminate third-party queries for the certificate status and to simplify the certificate revocation problem in traditional PKI. Therefore, CBE can be used to construct an efficient PKI requiring less infrastructure. It also solves the key escrow and key distribution problems inherent in IBE. In this paper, we introduce a new notion called Forward-Secure Certificate-Based Encryption. It preserves the advantages of CBE such as implicit certificates and no private key escrow. At the same time it also inherits the properties of forward-secure public key encryption. We also propose a concrete and efficient forward-secure CBE scheme and prove it to be secure based on the bilinear Diffie-Hellman assumption in the random oracle model.

Keywords-certificate-based encryption; forward-secure; bilinear Diffie-Hellman assumption; random oracle model

I. INTRODUCTION

In Eurocrypt 2003, Gentry [1] introduced the notion of certificate-based encryption (CBE), which combines identity-based encryption (IBE) and traditional PKI-supported public key encryption (PKE) while preserving their features. CBE provides an implicit certificate mechanism for a traditional PKI and allows a periodical update of certificate status. As in traditional PKIs, each user in CBE generates his own public/private key pair and requests a long-lived certificate from the CA. This long-lived certificate has all the functionalities of a traditional PKI certificate. But the CA generates the long-lived certificate as well as short-lived certificates (i.e., certificate status). A short-lived certificate is pushed only to the owner of the public/private key pair and acts as a partial decryption key. This additional functionality provides an implicit certificate, so that the sender is not required to obtain fresh information on certificate status and the receiver can decrypt the ciphertext only using his private key together with an up-to-date short-lived certificate from the CA. The implicit certificate feature allows us to eliminate third-party queries for the certificate status and to simplify the public key revocation problem, so that CBE does not need infrastructures like CRL [2] and OCSP [3]. Therefore, CBE can be used to construct an efficient PKI requiring less infrastructure than the traditional PKI. Furthermore, there is no key escrow problem and no key distribution problem in CBE.

On the other hand, as cryptographic computations are performed more frequently on small, unprotected, and easily-stolen devices (e.g., mobile phones), the notion of forward security [4] was introduced to counter the acute threat of private key exposure. In a forward-secure scheme, the users' private keys are updated at regular periods throughout the lifetime of the system; furthermore, exposure of a user's private key corresponding to a given time period does not enable an adversary to break the scheme (in the appropriate sense) for any prior time period. Forward-secure schemes have a number of obvious applications, as they can be used to protect the secrecy of communications for devices operating in insecure environments where key exposure is an immediate concern.

In this paper, we propose a new notion called Forward-Secure Certificate-Based Encryption. This notion preserves the advantages of CBE such as implicit certificates and no private key escrow. At the same time it also inherits the properties of forward-secure PKE such as forward key evolving. We also construct a concrete forward-secure CBE scheme and prove it to be secure in the random oracle model [6, 7]. The performance parameters of our scheme grow at most poly-logarithmically with the total number of time periods. Therefore, our scheme is quite efficient.

978-0-7695-3744-3/09 $25.00 © 2009 IEEE DOI 10.1109/IAS.2009.189
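The key-evolving property described in the introduction (a key for period i must not help against any earlier period, and key material should grow only poly-logarithmically in the number of periods) can be seen in a small model. The following is an added illustration and not the paper's scheme: it replaces the pairing-based construction with a binary tree of HMAC-derived node secrets, where a period key holds only the current leaf and the right siblings along its path, so the key size is O(log N) and erased nodes cannot be recovered. The names DEPTH, derive, initial_key, update and can_derive are my own.

```python
import hashlib, hmac
DEPTH = 4  # 2**DEPTH time periods; a period key never holds more than DEPTH + 1 secrets

def derive(secret: bytes, bit: str) -> bytes:
    # One-way child derivation (HMAC stand-in for the paper's pairing-based update);
    # a child secret reveals nothing about its parent, which is what forward security needs.
    return hmac.new(secret, bit.encode(), hashlib.sha256).digest()

def leaf_label(period: int) -> str:
    return format(period, f"0{DEPTH}b")  # tree leaves, numbered left to right

def leaf_secret(master: bytes, period: int) -> bytes:
    # Reference derivation straight from the master secret, used to check the update path.
    secret = master
    for b in leaf_label(period):
        secret = derive(secret, b)
    return secret

def initial_key(master: bytes) -> dict:
    # Period-0 key: the leftmost leaf plus the right sibling of every node on its path.
    key, node, secret = {}, "", master
    for _ in range(DEPTH):
        key[node + "1"] = derive(secret, "1")
        secret = derive(secret, "0")
        node += "0"
    key[node] = secret
    return key

def update(key: dict, period: int) -> dict:
    # Evolve the key for `period` into the key for `period + 1`: erase the old leaf, derive
    # the next leaf from the stored node covering it, keep right siblings met on the way down.
    if period + 1 >= 2 ** DEPTH:
        raise ValueError("no further time period")
    nxt = dict(key)
    del nxt[leaf_label(period)]
    target = leaf_label(period + 1)
    node = max((n for n in nxt if target.startswith(n)), key=len)
    secret = nxt.pop(node)
    while node != target:
        b = target[len(node)]
        if b == "0":
            nxt[node + "1"] = derive(secret, "1")
        secret = derive(secret, b)
        node += b
    nxt[target] = secret
    return nxt

def can_derive(key: dict, period: int) -> bool:
    # True iff some stored secret is the leaf for `period` or one of its ancestors.
    return any(leaf_label(period).startswith(n) for n in key)
```

Running update in sequence and checking can_derive after each step shows that the holder of the period-i key can reach every later leaf but no earlier one, which is exactly what the Type III adversary of the security model is denied.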

II. RELATED WORK

Since the introduction of CBE and forward security, various variants and improvements have been proposed in the literature. Yum and Lee [11] provided a formal equivalence theorem between IBE and CBE and showed that IBE implies CBE by giving a generic construction from IBE to CBE. However, Galindo et al. [12] pointed out that a dishonest authority could break the security of this generic construction. This generic construction is inherently flawed due to a naive use of double encryption without further treatment. Lu et al. solved this problem by providing two security-enhancing conversions and achieved two generic CBE constructions from PKE and IBE in [17, 18]. Al-Riyami and Paterson [13] presented a generic conversion of CBE from CL-PKE and claimed that a secure CBE scheme could be constructed from any secure CL-PKE scheme using this conversion. Kang and Park [14] pointed out that this conversion was incorrect due to a flaw in its security proof. Recently, Galindo et al. [15] proposed the first CBE scheme secure in the standard model. Liu and


The security model for ke-CBE is defined against four different types of adversaries: the Type I adversary 1 models an uncertified user who has no access to the master-key and attacks the security of a ciphertext under a public key chosen by himself without knowing the corresponding certificate; the Type II adversary 2 models an honest-but-curious certifier who possesses the master-key and attacks the security of a ciphertext under a given public key without knowing the corresponding private key; the Type III adversary 3 models a user who possesses the private key usk_i for time period i of a certified user and attacks the security of a ciphertext for any prior time period without knowing all the private keys usk_j of the certified user where 0 ≤ j