General and Efficient Certificateless Public Key Encryption Constructions


Zhaohui Cheng 1, Liqun Chen 2, Li Ling 3, and Richard Comley 1

1 School of Computing Science, Middlesex University, London, UK {m.z.cheng,r.comley}@mdx.ac.uk
2 Hewlett-Packard Laboratories, Bristol, UK liqun.chen@hp.com
3 Department of Communication Science and Engineering, Fudan University, Shanghai, China lingli@fudan.edu.cn

Abstract. In 2003, Al-Riyami and Paterson introduced a new public key encryption paradigm called Certificateless Public Key Encryption (CL-PKE), which, like Identity-Based Encryption (IBE), is certificate-free and, unlike IBE but similar to certificate-based encryption, is key-escrow-free. In this paper, based on a heuristic observation on some existing IBE schemes and PKE schemes, we propose a general approach to build a CL-PKE solution, which makes use of a simple combination of an IBE scheme, a Diffie-Hellman type key establishment algorithm and a secure hash function. Following this approach we construct two efficient concrete CL-PKE schemes and formally analyse their security in the random oracle model.

1 Introduction

To address the threat of the impersonation attack on public key cryptography (PKC), a common strategy is to introduce into the system an authority trusted by all users. With the intervention of the authority, the impersonation attack launched by a malicious user can be thwarted by different methods. One method is that the authority explicitly provides a guarantee that one user's ownership of a claimed public key is authentic. Certificate-based public key cryptography takes this approach. Each user obtains from the authority a certificate which securely binds the user's identity with the user's public key by a signature generated by the authority. By this approach, an infrastructure to issue certificates has to be constructed, and one also has to verify certificates to obtain others' authentic public keys.
Such infrastructure can be very complicated and faces many challenges in practice, such as the efficiency and scalability of the infrastructure. The second method is that users use their identity directly as their public key, so the public key authenticity problem is trivial and certificates are no longer necessary. However, each user's private key has to be generated by the authority. This is the approach taken by identity-based cryptography (IBC).

T. Takagi et al. (Eds.): Pairing 2007, LNCS 4575, pp. , © Springer-Verlag Berlin Heidelberg 2007

However, in this type of system the authority knows every user's private key, i.e., the system inherently has key escrow, and no method can prevent a curious authority from decrypting users' ciphertexts or impersonating a user. Though the IBC paradigm offers a great advantage of simplicity over certificate-based PKC, the key escrow property is not desirable in some settings. The natural question arises whether a public key system that is certificate-free like IBC and at the same time key-escrow-free like PKC is constructible. In 2003, Al-Riyami and Paterson brought forth the notion of Certificateless Public Key Cryptography (CL-PKC) [3] to respond to this challenge.

In CL-PKC, a user has a public key generated by himself, and his private key is determined by two pieces of secret information: one secret associated with the user's identity is passed to him by the authority, and the other, associated with the public key, is generated by the user himself. Moreover, one secret is not computable from the other, so the authority cannot compute the private key corresponding to a user's public key. Hence CL-PKC is key-escrow-free. The approach against the impersonation attack in CL-PKC is not to provide authenticity of a public key by a certificate. Instead, CL-PKC guarantees that even if a malicious user successfully replaces a victim's public key with its own choice, and so could know the secret associated with the public key but not the other secret obtained by the victim from the authority, it still cannot generate a valid signature or decrypt a message encrypted under the false public key and the victim's identifier. This certainly reduces the incentive to launch the impersonation attack.

Since the certificateless public key encryption (CL-PKE) notion was introduced, there have been a number of generic constructions. In [1,29], three general constructions of CL-PKE are given.
They are the sequential or parallel composition of a secure identity-based encryption (IBE) with a secure public key encryption (PKE) to encrypt a message. Unfortunately, none of those generic constructions is secure [22,25] in the model defined in [3]. Libert and Quisquater [25] showed that simple variants can rescue them. Yum and Lee proposed yet another generic construction by double encryption with two secure IBE schemes [30], which was also found insecure [22]. In [7], Bentahar et al. extended the key encapsulation mechanism (KEM) to the CL-PKE setting and proposed a generic construction from an IBE and a PKE. There have been a couple of general constructions in the standard model as well [15,24]. None of these general constructions is very efficient, in either computation or communication. They all need double encryption with either two IBE schemes or one IBE with a PKE, and their ciphertexts are longer than those of the underlying IBE or PKE. In this work, based on a heuristic observation on some constructions of IBE and PKE, we propose a general approach to constructing efficient CL-PKE: specifically, we can make use of a hash function to tightly integrate an IBE with a PKE of similar ciphertext structure to form a CL-PKE. Following this approach, we construct two efficient CL-PKE schemes and formally analyse their security in an enhanced security model.

The paper is organised as follows. In Section 2 we recap the basic facts of pairings and various CL-PKE security formulations. In Section 3, we present a heuristic approach to constructing CL-PKE from IBE and PKE schemes. Then we construct two efficient concrete CL-PKE schemes and provide a formal security proof of them in Section 4. After that, we discuss the relative efficiency of the CL-PKE proposals. Finally, we draw a conclusion.

2 Preliminaries

2.1 Pairing

Here we briefly recall some basic facts of pairings.

Definition 1. A pairing is a bilinear map $\hat{e} : \mathbb{G}_1 \times \mathbb{G}_2 \to \mathbb{G}_t$ between three groups $\mathbb{G}_1$, $\mathbb{G}_2$ and $\mathbb{G}_t$ of exponent $p$, which has the following properties:
1. Bilinear: For all $(P_1, P_2) \in \mathbb{G}_1 \times \mathbb{G}_2$ and for all $(a, b) \in \mathbb{Z}_p \times \mathbb{Z}_p$, we have $\hat{e}(aP_1, bP_2) = \hat{e}(P_1, P_2)^{ab}$.
2. Non-degenerate: There exist non-trivial points $P_1 \in \mathbb{G}_1$ and $P_2 \in \mathbb{G}_2$, both of order $p$, such that $\hat{e}(P_1, P_2) \neq 1$.
3. Computable: For all $(P_1, P_2) \in \mathbb{G}_1 \times \mathbb{G}_2$, $\hat{e}(P_1, P_2)$ is efficiently computable.

We shall use the following assumptions to analyse the proposed schemes. Each problem is assumed to be defined for a given set of pairing parameters including the groups $\mathbb{G}_1$, $\mathbb{G}_2$ and $\mathbb{G}_t$, the generators $P_1 \in \mathbb{G}_1$ and $P_2 \in \mathbb{G}_2$, the pairing $\hat{e}$, and possibly the morphism $\psi : \mathbb{G}_2 \to \mathbb{G}_1$.

Assumption 1 (Diffie-Hellman ($\mathrm{DH}_{i,j,k}$)). For $a, b \in_R \mathbb{Z}_p$ and some values of $i, j, k \in \{1, 2\}$, given $(aP_i, bP_j)$, computing $abP_k$ is hard.

Assumption 2 (Bilinear Diffie-Hellman ($\mathrm{BDH}_{i,j,k}$)). For $a, b, c \in_R \mathbb{Z}_p$, given $(aP_i, bP_j, cP_k)$ for some values of $i, j, k \in \{1, 2\}$, computing $\hat{e}(P_1, P_2)^{abc}$ is hard.

Assumption 3 (General BDH). For $a, b, c \in_R \mathbb{Z}_p$, given $(aP_1, cP_1, aP_2, bP_2)$, computing $\hat{e}(P_1, P_2)^{abc}$ is hard.

We note that if an efficient isomorphism $\psi$ exists, then the $\mathrm{BDH}_{2,2,2}$ assumption implies the General BDH assumption.
2.2 CL-PKE Security Model

Here we first specify the CL-PKE algorithms and then revisit various CL-PKE security models and define a strong security notion for this type of encryption. For a CL-PKE scheme we define the public key, message, ciphertext and randomness spaces by $\mathcal{P}_{CL}(\cdot)$, $\mathcal{M}_{CL}(\cdot)$, $\mathcal{C}_{CL}(\cdot)$ and $\mathcal{R}_{CL}(\cdot)$. These spaces are parametrised by the master public key $M_{pk}$, and hence by the security parameter $k$. A CL-PKE scheme consists of the following algorithms:

$\mathrm{CL.Gen}(1^k)$. Given the system security parameter $k$, the algorithm generates the master secret key $M_{sk}$ and the master public key $M_{pk}$.

$\mathrm{CL.PartialKey}(M_{sk}, M_{pk}, ID_A)$. The algorithm takes $M_{sk}$, $M_{pk}$ and an arbitrary identity string $ID_A \in \{0,1\}^*$ of entity $A$ as input and returns a partial private key $D_A$ corresponding to $ID_A$.

$\mathrm{CL.SecretVal}(M_{pk}, ID_A)$. The algorithm takes $M_{pk}$ and the identity string $ID_A$ as input and returns the secret value $X_A$ associated with the entity $A$.

$\mathrm{CL.PrivateKey}(M_{pk}, D_A, X_A)$. The algorithm takes $M_{pk}$, $D_A$ and $X_A$ as input and outputs the private key $S_A$ of entity $A$.

$\mathrm{CL.PublicKey}(M_{pk}, X_A, ID_A)$. The algorithm takes $M_{pk}$ and $X_A$ as input and outputs the public key $P_A$ of the entity $A$.

$\mathrm{CL.Encrypt}(M_{pk}, ID_A, P_A, m; r)$. The algorithm takes $M_{pk}$, $ID_A$, $P_A$, a message $m \in \mathcal{M}_{CL}(M_{pk})$ and the randomness $r \in \mathcal{R}_{CL}(M_{pk})$ as input and returns the ciphertext $C \in \mathcal{C}_{CL}(M_{pk})$ of message $m$. We also use the interface $\mathrm{CL.Encrypt}(M_{pk}, ID_A, P_A, m)$, assuming that $r$ is sampled inside the algorithm, when the context is clear.

$\mathrm{CL.Decrypt}(M_{pk}, ID_A, P_A, S_A, C)$. The algorithm takes $M_{pk}$, $ID_A$, $S_A$ and a ciphertext $C$ as input, and outputs the corresponding plaintext $m$ or a failure symbol $\perp$.

Similar to IBE and PKE, to cope with probabilistic ciphers we require that not too many choices of $r$ encrypt a given message to a given ciphertext. To formalise this concept we let $\gamma(M_{pk})$ be the least upper bound such that
$|\{ r \in \mathcal{R}_{CL}(M_{pk}) : E_{CL}(M_{pk}, ID, P_{ID}, m; r) = C \}| \le \gamma(M_{pk})$
for every $ID$, $P_{ID} \in \mathcal{P}_{CL}(M_{pk})$, $m \in \mathcal{M}_{CL}(M_{pk})$ and $C \in \mathcal{C}_{CL}(M_{pk})$. We say a CL-PKE is $\gamma$-uniform if $\gamma(M_{pk}) / |\mathcal{R}_{CL}(M_{pk})| < \gamma$. In this work, we require that $\gamma$ is negligible in the security parameter $k$.

Following the Al-Riyami-Paterson CL-PKE security formulation, we can define various security notions for this type of encryption.
These security notions are defined by the two games in Tables 1 and 2. Game 1 is conducted between a challenger and a Type-I adversary $\mathcal{A}_I$ consisting of two PPT algorithms $(\mathcal{A}_{I1}, \mathcal{A}_{I2})$. A Type-I adversary does not know the master secret key and can replace an entity's public key with its own choice. Game 2 is conducted between a challenger and a Type-II adversary $\mathcal{A}_{II}$ consisting of two PPT algorithms $(\mathcal{A}_{II1}, \mathcal{A}_{II2})$. A Type-II adversary, as a malicious KGC, knows the master secret key (and so every entity's partial private key) and intends to decrypt a user's ciphertext.

Table 1. IND CL-PKE Games

Game 1: Type-I Adversarial
1. $(M_{pk}, M_{sk}) \leftarrow \mathrm{CL.Gen}(1^k)$.
2. $(s, ID^*, m_0, m_1) \leftarrow \mathcal{A}_{I1}^{\mathcal{O}_{CL}}(M_{pk})$.
3. $b \leftarrow \{0,1\}$, $r \leftarrow \mathcal{R}_{CL}(M_{pk})$.
4. $C^* \leftarrow \mathrm{CL.Encrypt}(M_{pk}, ID^*, P_{ID^*}, m_b; r)$.
5. $b' \leftarrow \mathcal{A}_{I2}^{\mathcal{O}_{CL}}(s, M_{pk}, C^*, ID^*, P_{ID^*}, m_0, m_1)$.

Game 2: Type-II Adversarial
1. $(M_{pk}, M_{sk}) \leftarrow \mathrm{CL.Gen}(1^k)$.
2. $(s, ID^*, m_0, m_1) \leftarrow \mathcal{A}_{II1}^{\mathcal{O}_{CL}}(M_{pk}, M_{sk})$.
3. $b \leftarrow \{0,1\}$, $r \leftarrow \mathcal{R}_{CL}(M_{pk})$.
4. $C^* \leftarrow \mathrm{CL.Encrypt}(M_{pk}, ID^*, P_{ID^*}, m_b; r)$.
5. $b' \leftarrow \mathcal{A}_{II2}^{\mathcal{O}_{CL}}(s, M_{pk}, M_{sk}, C^*, ID^*, P_{ID^*}, m_0, m_1)$.

Table 2. OW CL-PKE Games

Game 1: Type-I Adversarial
1. $(M_{pk}, M_{sk}) \leftarrow \mathrm{CL.Gen}(1^k)$.
2. $(s, ID^*) \leftarrow \mathcal{A}_{I1}^{\mathcal{O}_{CL}}(M_{pk})$.
3. $m \leftarrow \mathcal{M}_{CL}(M_{pk})$, $r \leftarrow \mathcal{R}_{CL}(M_{pk})$.
4. $C^* \leftarrow \mathrm{CL.Encrypt}(M_{pk}, ID^*, P_{ID^*}, m; r)$.
5. $m' \leftarrow \mathcal{A}_{I2}^{\mathcal{O}_{CL}}(s, M_{pk}, C^*, ID^*, P_{ID^*})$.

Game 2: Type-II Adversarial
1. $(M_{pk}, M_{sk}) \leftarrow \mathrm{CL.Gen}(1^k)$.
2. $(s, ID^*) \leftarrow \mathcal{A}_{II1}^{\mathcal{O}_{CL}}(M_{pk}, M_{sk})$.
3. $m \leftarrow \mathcal{M}_{CL}(M_{pk})$, $r \leftarrow \mathcal{R}_{CL}(M_{pk})$.
4. $C^* \leftarrow \mathrm{CL.Encrypt}(M_{pk}, ID^*, P_{ID^*}, m; r)$.
5. $m' \leftarrow \mathcal{A}_{II2}^{\mathcal{O}_{CL}}(s, M_{pk}, M_{sk}, C^*, ID^*, P_{ID^*})$.

In the games, $s$ is some state information and $\mathcal{O}_{CL}$ are the oracles that the adversary can access during the game. Depending on the security model, these oracles may include the following:

- A public key broadcast oracle Public-Key-Broadcast, which takes as input an identifier and returns the associated public key. If necessary, the oracle will execute the CL.PublicKey algorithm first.
- A partial key exposure oracle Partial-Private-Key-Extract, which returns the partial private key associated with an identity. If necessary, the oracle will execute the CL.PartialKey algorithm first. This oracle is only useful to Type-I adversaries, as a Type-II adversary can compute every partial private key using the master secret key.
- A secret value exposure oracle Secret-Value-Extract, which reveals the secret value of an entity whose public key has not been replaced. If necessary, the oracle will execute the CL.SecretVal algorithm first.
- A public key replace oracle Public-Key-Replace, which takes as input an identifier and a public key from the public key space and replaces the current public key associated with the identifier with the provided key.
- A strong decryption oracle $\mathrm{Decrypt}_S$, which takes as input a ciphertext and an identifier, and outputs the decryption of the ciphertext using the current private key associated with the identifier.
Note that in the games the adversary may have replaced the public key associated with an identity, and this decryption oracle is required to output the correct decryption (which can be the failure symbol as well) using the private key corresponding to the current public key, even though it may not know the corresponding secret value. As this oracle does not reflect general practice, a normal decryption oracle is defined as follows:

- A decryption oracle $\mathrm{Decrypt}_P$, which takes as input a ciphertext and an identifier, and outputs the decryption of the ciphertext using the original (before any Public-Key-Replace query) private key associated with the identifier.

Though this query reflects the common practice that, given a ciphertext, a party uses its own private key to decrypt it, some attacks of conceptual interest are not simulated (see the attack on the second Al-Riyami-Paterson CL-PKE [4], which we call AP-CL-PKE2, in Appendix A.2). A conceptual decryption oracle is used in some formulations, as follows:

- A decryption oracle $\mathrm{Decrypt}_C$, which takes as input a ciphertext, an identifier, a public key and the secret value corresponding to the given public key, and outputs the decryption of the ciphertext using the private key determined by the partial key corresponding to the identifier and the given secret value in the query. If the secret value is not given in the query, then the oracle works as $\mathrm{Decrypt}_P$.

For each type of adversary, we define two attack models in which the adversary is allowed to access different oracles. For Type-I adversaries, we define the following two attack models.

CCA2 model. In this model, the adversary is allowed to access the Public-Key-Broadcast, Partial-Private-Key-Extract, Secret-Value-Extract, Public-Key-Replace and $\mathrm{Decrypt}_S$ oracles. However, there are a few restrictions on the adversary:
- If Public-Key-Replace has been issued on an identity, then Secret-Value-Extract on that identity is disallowed.
- Partial-Private-Key-Extract on $ID^*$ is disallowed.
- $\mathrm{Decrypt}_S$ on $(ID^*, C^*)$ is not allowed in $\mathcal{A}_{I2}$ when the current public key $P_{ID^*}$ of $ID^*$ is the same as when the challenge query was issued.

CPA model. In this model, the adversary has access to the same oracles as in the CCA2 model, except that the $\mathrm{Decrypt}_S$ oracle is disallowed.

As the strong decryption oracle $\mathrm{Decrypt}_S$ may not reflect practice, we can define two weaker CCA2 models, Type-I$_P$ and Type-I$_C$, in which the adversary is allowed to access the $\mathrm{Decrypt}_P$ and $\mathrm{Decrypt}_C$ oracle respectively instead of $\mathrm{Decrypt}_S$.

For Type-II adversaries we define the following two attack models.

CCA2 model. In this model, the adversary is allowed to access the Public-Key-Broadcast, Secret-Value-Extract, Public-Key-Replace and $\mathrm{Decrypt}_S$ oracles.
Again, there are a few restrictions on the adversary:
- If Public-Key-Replace has been issued on an identity, then Secret-Value-Extract on that identity is disallowed.
- Public-Key-Replace on $ID^*$ is disallowed.
- Secret-Value-Extract on $ID^*$ is disallowed.
- $\mathrm{Decrypt}_S$ on $(ID^*, C^*)$ is not allowed in $\mathcal{A}_{II2}$.

CPA model. In this model, the adversary has access to the same oracles as in the CCA2 model, except that the $\mathrm{Decrypt}_S$ oracle is disallowed.

Similarly, we can define a weaker CCA2 model Type-II$_P$ in which the adversary is allowed to access the $\mathrm{Decrypt}_P$ oracle instead. There is no interest in defining Type-II$_C$ security, as it requires the adversary to know both the partial key (through its knowledge of the master secret key) and the secret value, which implies the adversary can decrypt the ciphertext on its own.

If we let MOD denote the mode of attack, either CPA or CCA2, the adversary's advantage in the indistinguishability-based game is defined to be
$\mathrm{Adv}^{\mathrm{CL\text{-}IND\text{-}MOD}}_{CL}(\mathcal{A}) = |2\Pr[b' = b] - 1|$,
while the advantage in the one-way game is given by
$\mathrm{Adv}^{\mathrm{CL\text{-}OW\text{-}MOD}}_{CL}(\mathcal{A}) = \Pr[m' = m]$.
A CL-PKE algorithm is considered to be secure in the sense of a given goal and attack model (CL-IND-CCA2 for example) if, for any PPT Type-I (and Type-II) adversary, the advantage in the relevant game is a negligible function of the security parameter $k$.

There are two main differences between the model defined above and the Al-Riyami-Paterson CL-PKE security model [3,4]. First, in the Al-Riyami-Paterson model a private key exposure oracle, which returns the private key of an entity, is used, while here we provide the secret value exposure oracle instead. As in CL-PKE each entity has two pieces of secret information, it is natural to provide the adversary with an exposure oracle for each secret. Because the entity's private key is determined by the two secrets, the Secret-Value-Extract oracle together with the Partial-Private-Key-Extract oracle can certainly simulate the private key exposure oracle. On the other hand, given a private key and the corresponding partial key, the adversary may not be able to recover the related secret value if the CL.PrivateKey algorithm is a one-way function, such as the algorithm used in [3]. Hence, the Secret-Value-Extract oracle provides extra capability to the adversary against certain schemes. The second difference is that in Game 2 above the adversary can access the Public-Key-Replace oracle and the strong decryption oracle $\mathrm{Decrypt}_S$ (this formulation has been adopted in a number of other works [25,14,2]), while in the Al-Riyami-Paterson model the Public-Key-Replace oracle is disallowed and the decryption oracle $\mathrm{Decrypt}_P$ is used instead.
A trivial Type-II attack on AP-CL-PKE2 applicable in the enhanced model (see Appendix A.2) shows that the new formulation defines a stronger model in theory. On the relation between the different security formulations, Type-I (resp. Type-II) security is certainly stronger than Type-I$_P$ and Type-I$_C$ (resp. Type-II$_P$) security. Because of the behaviour of $\mathrm{Decrypt}_C$, Type-I$_C$ security is at least as strong as Type-I$_P$ security. The Type-I$_C$ attack on AP-CL-PKE2 shows that Type-I$_C$ security is indeed stronger than Type-I$_P$.

Recently, Au et al. [2] made the interesting observation that a passive-but-malicious KGC may generate the master public/private key pair in a special way that helps it decrypt some user's ciphertext, and they presented such an attack against the first Al-Riyami-Paterson CL-PKE [3] (we call it AP-CL-PKE1). The attack shows that it is meaningful to let a Type-II$^+$ adversary generate the master keys in Game 2. However, it remains an open problem whether a CL-PKE secure against both Type-I and Type-II$^+$ adversaries is constructible in the standard model. Even in the random oracle model, this strong security notion might be difficult to achieve. We note that when the Type-II$^+$ adversary generates the master public key, the question arises of who controls any random oracle included in the master public key. In [2], a generic CL-PKE scheme is claimed to be secure in this strong model. However, no proof is given and it is unclear who (the challenger or the adversary) controls the random oracles. On the other hand, Au et al.'s attack can be defeated by requiring the KGC to demonstrate the randomness of its choice of parameters. In particular, the attack against AP-CL-PKE1 requires the adversary to choose from the group a specific generator $P$, which is supposed to be random. To demonstrate its innocence, the KGC can show a witness of the randomness of the generator, such as a public string $S$ with $P = H(S)$ for a cryptographic hash function $H$. One can refer to the IEEE P1363 and ANSI X9.62 standards for examples of methods used to generate verifiably random parameters.

In this work, we adopt the enhanced Al-Riyami-Paterson formulation (the Type-I+Type-II security model) and conduct the security analysis of the proposed schemes in the random oracle model.

3 Heuristic Approach of CL-PKE

Now we explain our heuristic approach to constructing CL-PKE. This approach is based on a simple observation on some existing IBE and PKE schemes. Most of the discrete-logarithm based PKE schemes, e.g. the ElGamal encryption [16], essentially take the same general approach, which can be presented in a simple equation as follows:

PKE ciphertext = $\langle$DH token(s), Hiding(message; DH value)$\rangle$,

where a DH token is defined as an input to a DH key establishment protocol, and a DH value is defined as a result of the protocol; a well-known example is that two entities exchange their DH tokens $g^x$ and $g^y$ respectively and then compute a DH value $g^{xy}$. In the above general PKE approach, the encrypter generates one or more DH tokens and uses the DH token(s) and the decrypter's public key to compute the DH value.
Then the DH value is used as the secret to hide the message in a message hiding algorithm. The decrypter uses its private key and the DH token(s) in the ciphertext to compute the DH value and so recover the conveyed message.

Most of the existing IBE schemes, e.g. [6,11,5], make use of pairings and base their security on the BDH assumption or its variants, which are descendants of the DH assumption. These IBE schemes essentially adopt the same approach as the PKE schemes based on the DH assumption, which can be presented as:

IBE ciphertext = $\langle$pairing-DH token(s), Hiding(message; pairing-DH value)$\rangle$,

where a pairing-DH token and a pairing-DH value are varieties of the DH token and DH value. Again, the encrypter first computes one or more pairing-DH tokens, then computes a pairing-DH value, which can be computed through pairings by the decrypter with its private key, the pairing-DH token(s) and possibly the system parameters as well. The pairing-DH value is used as the secret to hide the message by the encrypter in a message hiding algorithm and to recover the conveyed message by the decrypter.

We can see that pairing-based IBE and DH-based PKE schemes have a common structure, and some generic constructions such as hybrid encryption (KEM-DEM) [13,7], the Fujisaki-Okamoto (FO) conversions [17,18,26,31] and REACT [27,26] can be used to construct both PKE and IBE. In [5], Boyen classified the existing IBE schemes from pairings into three categories: full-domain hash IBE, exponent-inverse IBE and commutative blinding IBE. In each category, some efficient schemes make use of exactly the constructions that are applicable in both IBE and PKE. For example, both BF-IBE [6,21], which is a full-domain hash IBE, and SK-IBE [11], which is an exponent-inverse IBE, adopt the FO conversions. BB$_1$-IBE, which is a commutative blinding IBE, takes an approach that can also be used to construct ElGamal-like secure PKE. BF-KEM [5], SK-KEM [12] and BB$_1$-KEM [5] all follow the hybrid encryption construction.

Based on the above observation, it seems natural to use a hash function to integrate a secure IBE scheme with a secure PKE scheme to achieve a secure CL-PKE scheme, which can be presented as follows:

CL-PKE ciphertext = $\langle$PKE.DH-token(s), IBE.pairing-DH token(s), Hiding(message; $H$(DH value, pairing-DH value))$\rangle$,

where $H$ is a hash function, a PKE.DH-token is a DH token used in a PKE scheme and an IBE.pairing-DH token is a pairing-DH token used in an IBE scheme. The interesting bit is that the PKE.DH-token(s) and IBE.pairing-DH token(s) can be generated in a simple way, where they share the same randomness.
The message hiding algorithm might need to be slightly modified, as the input secret value is no longer a DH or pairing-DH value but a hash function output. However, if these values are only used inside hash functions in the Hiding algorithm, then $H$ is unnecessary. The idea of using hash functions to integrate an IBE and a PKE scheme to construct a CL-PKE scheme was first demonstrated in the early version of this work [10]. An intuitive view on the security of this construction is that to recover the message, one has to obtain the hash of both the DH value and the pairing-DH value, which in turn requires one to know both values. A Type-I adversary cannot compute the pairing-DH value if the underlying IBE scheme is secure, and a Type-II adversary cannot compute the DH value if the underlying PKE scheme is secure. Similarly, one can construct a CL-KEM with the same approach.

Note that this approach is based only on the heuristic observation. A CL-PKE scheme constructed with this approach might not be secure in the model defined in Section 2.2. On the other hand, following this approach of using a hash function on the (pairing-)DH values to tightly integrate an IBE and a PKE scheme, we are indeed able to construct highly efficient and secure CL-PKE. In the following part, we present two concrete CL-PKE schemes constructed in this way.

4 Two Concrete CL-PKE Schemes

Two CL-PKE schemes based on SK-IBE [11], which we call SLOS-CL-PKE [28] and LQ-CL-PKE [25], have been presented. These schemes rely on the $\ell$-BDHI assumption [11], which is stronger than BDH. In this section, following the general approach of Section 3, we present two other CL-PKE constructions, from a full-domain hash IBE and a commutative blinding IBE respectively, whose security is based on the BDH assumption.

4.1 CL-PKE1

From the well-known BF-IBE [6], Al-Riyami and Paterson constructed two CL-PKE schemes: AP-CL-PKE1 [3] and AP-CL-PKE2 [4]. AP-CL-PKE1 is based on a stronger assumption than BDH, and the CL.Encrypt algorithm of the scheme requires three pairing operations, which are very costly. AP-CL-PKE2 improves upon the previous scheme with better performance. However, as noted before, both schemes are insecure against certain attacks. Here, we present a CL-PKE which uses a hash function to integrate BF-IBE with the ElGamal-like PKE, enhanced with the Fujisaki-Okamoto conversion [17]. We note that Fujisaki and Okamoto proposed two generic conversions [17,18], both of which can transform an OW-CPA secure PKE into an IND-CCA2 secure PKE. In [25], Libert and Quisquater showed that, with a slight modification, the second Fujisaki-Okamoto conversion (FO-2) [18] can convert a CL-IND-CPA secure CL-PKE into a CL-IND-CCA2 secure scheme. Here we demonstrate a similar result for the first Fujisaki-Okamoto conversion (FO-1) [17]. A simpler version of the scheme, which strictly follows the general approach of Section 3, was first shown in an early draft [10] of this work. For ease of the security analysis, here we adopt the enhanced FO-1 conversion, which introduces only minor extra computation overhead and may be of independent interest.

Generic Construction. Let $\Pi$ be a CL-PKE scheme with the encryption algorithm $E$ and the decryption algorithm $D$.
Define a CL-PKE scheme $\Pi'$ with the encryption algorithm $E'$ as

$E'(M_{pk}, ID_A, P_A, m; \sigma) = \langle C_1, C_2 \rangle$, where $\langle C_1, C_2 \rangle = \langle E(M_{pk}, ID_A, P_A, \sigma;\ G_1(m, \sigma, ID_A, P_A)),\ m \oplus G_2(\sigma) \rangle$,

and the decryption algorithm $D'(M_{pk}, ID_A, P_A, S_A, \langle C_1, C_2 \rangle)$ as

$\sigma \leftarrow D(M_{pk}, ID_A, P_A, S_A, C_1)$;
$m = C_2 \oplus G_2(\sigma)$;
if $C_1 = E(M_{pk}, ID_A, P_A, \sigma;\ G_1(m, \sigma, ID_A, P_A))$, output $m$; otherwise output $\perp$.

All other algorithms are essentially the same as in $\Pi$.
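As an added example (not part of the paper and not the authors' code), the following Python sketch implements the generic construction above, i.e. the FO-1 style wrapping of a scheme $\Pi$ into $\Pi'$, over a toy ElGamal-like scheme standing in for the CL-OW-CPA scheme $\Pi$. The toy group (a 31-bit prime and a generator), the SHA-256 instantiations of the random oracles $G_1$ and $G_2$, the identity strings and the keys are all constructed assumptions with no security claim, and the toy $\Pi$ has no partial-key (pairing) component, so the identity enters only through the binding in $G_1$, exactly as in the generic transform. It shows the re-encryption check of $D'$ rejecting a ciphertext whose $C_2$ has been bit-flipped, one whose DH token in $C_1$ has been altered, and one decrypted under a different identity.

```python
# Added example: FO-1 style conversion Pi -> Pi' over a toy ElGamal-like Pi.
# Constructed assumptions: toy group parameters, SHA-256 as G1/G2, sample keys.
import hashlib
import secrets

P_MOD = 2**31 - 1      # constructed toy prime p (Mersenne prime M31); far too small for real use
G_GEN = 7              # constructed generator of Z_p^*
MSG_LEN = 16           # byte length of the outer message space M_{Pi'}


def _ro(label: bytes, *parts: bytes) -> bytes:
    """Domain-separated SHA-256 standing in for a random oracle (hypothetical instantiation)."""
    h = hashlib.sha256(label)
    for part in parts:
        h.update(len(part).to_bytes(4, "big") + part)
    return h.digest()


def _i2b(x: int) -> bytes:
    return x.to_bytes(8, "big")


def g1(m: bytes, sigma: int, ident: bytes, pub: int) -> int:
    """G1(m, sigma, ID, P) -> randomness r in Z_{p-1} for the inner encryption E."""
    return int.from_bytes(_ro(b"G1", m, _i2b(sigma), ident, _i2b(pub)), "big") % (P_MOD - 1)


def g2(sigma: int) -> bytes:
    """G2(sigma) -> one-time mask for the outer message m."""
    return _ro(b"G2", _i2b(sigma))[:MSG_LEN]


# --- toy underlying scheme Pi: ElGamal-like with explicit randomness r --------------
def keygen(x: int = None) -> tuple:
    x = secrets.randbelow(P_MOD - 2) + 1 if x is None else x
    return x, pow(G_GEN, x, P_MOD)


def base_encrypt(pub: int, sigma: int, r: int) -> tuple:
    """Section 3 shape: <DH token g^r, Hiding(sigma; DH value P^r)>."""
    return pow(G_GEN, r, P_MOD), (sigma * pow(pub, r, P_MOD)) % P_MOD


def base_decrypt(priv: int, c1: tuple) -> int:
    token, hidden = c1
    dh_value = pow(token, priv, P_MOD)                       # (g^r)^x = P^r
    return (hidden * pow(dh_value, P_MOD - 2, P_MOD)) % P_MOD  # divide out the DH value


def random_sigma() -> int:
    return secrets.randbelow(P_MOD - 1) + 1


# --- converted scheme Pi' -------------------------------------------------------------
def fo_encrypt(pub: int, ident: bytes, m: bytes, sigma: int = None) -> tuple:
    if len(m) != MSG_LEN:
        raise ValueError("message must be exactly MSG_LEN bytes")
    sigma = random_sigma() if sigma is None else sigma
    c1 = base_encrypt(pub, sigma, g1(m, sigma, ident, pub))   # E(sigma; G1(m, sigma, ID, P))
    c2 = bytes(a ^ b for a, b in zip(m, g2(sigma)))            # m XOR G2(sigma)
    return c1, c2


def fo_decrypt(priv: int, pub: int, ident: bytes, ct: tuple):
    c1, c2 = ct
    sigma = base_decrypt(priv, c1)
    m = bytes(a ^ b for a, b in zip(c2, g2(sigma)))
    # Re-encryption check: accept only if C1 was formed with randomness G1(m, sigma, ID, P).
    if base_encrypt(pub, sigma, g1(m, sigma, ident, pub)) != c1:
        return None   # the failure symbol
    return m


def demo() -> dict:
    """Round trip plus three rejected inputs; deterministic via a constructed key and sigma."""
    priv, pub = keygen(123456789)                 # constructed key
    ident = b"alice@example.com"                  # constructed identity string
    m = b"sixteen byte msg"
    ct = fo_encrypt(pub, ident, m, sigma=987654321)
    c1, c2 = ct
    flipped_c2 = bytes([c2[0] ^ 0x01]) + c2[1:]                 # bit flip in the masked message
    shifted_c1 = ((c1[0] * G_GEN) % P_MOD, c1[1])               # altered DH token
    return {
        "roundtrip": fo_decrypt(priv, pub, ident, ct) == m,
        "c2_tamper_rejected": fo_decrypt(priv, pub, ident, (c1, flipped_c2)) is None,
        "c1_tamper_rejected": fo_decrypt(priv, pub, ident, (shifted_c1, c2)) is None,
        "wrong_id_rejected": fo_decrypt(priv, pub, b"bob@example.com", ct) is None,
    }


if __name__ == "__main__":
    print(demo())
```

The point to notice is the last case: because $ID_A$ and $P_A$ are inputs to $G_1$, the randomness that produced $C_1$ is tied to the identity and public key the encrypter used, so the same ciphertext fails the re-encryption check under any other identity even though the inner toy scheme itself never looks at the identity.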

$\Pi'$ shares the same parameters with $\Pi$ except $M'_{pk}$, the master public system parameters of $\Pi'$, which include $\Pi$'s master public system parameters $M_{pk}$ and two extra hash functions $G_1$ and $G_2$ defined as follows:

$G_1 : \mathcal{M}_{\Pi'}(M_{pk}) \times \mathcal{M}_{\Pi}(M_{pk}) \times \{0,1\}^* \times \mathcal{P}_{\Pi}(M_{pk}) \to \mathcal{R}_{\Pi}(M_{pk})$,
$G_2 : \mathcal{M}_{\Pi}(M_{pk}) \to \mathcal{M}_{\Pi'}(M_{pk})$.

Theorem 1. Suppose $\Pi$ is a $\gamma$-uniform CL-PKE scheme secure against CL-OW-CPA attacks; then $\Pi'$ is a CL-IND-CCA2 secure scheme. More specifically, suppose that a Type-I (resp. Type-II) CL-IND-CCA2 adversary $\mathcal{A}$ has advantage $\epsilon(k)$ against $\Pi'$ with running time $t(k)$, making $q_D$ decryption queries and $q_{G_1}$ and $q_{G_2}$ random oracle queries on $G_1$ and $G_2$ respectively, with $q_{G_1} < 2^{|\mathcal{M}_{\Pi'}(M_{pk})|}$. Then there exists a Type-I (resp. Type-II) CL-OW-CPA adversary $\mathcal{B}$ against $\Pi$ with advantage and running time

$\mathrm{Adv}_{\mathcal{B}}(k) \ge \frac{\epsilon(k)}{q_{G_1} + q_{G_2}} (1 - \gamma)^{q_{G_1} q_D}, \qquad t_{\mathcal{B}}(k) \le t(k) + O(q_{G_1} t_E)$,

where $t_E$ is the cost of $E$.

Proof: We show how to make use of a Type-I (resp. Type-II) CL-IND-CCA2 adversary $\mathcal{A}$ against $\Pi'$ to construct a Type-I (resp. Type-II) CL-OW-CPA adversary $\mathcal{B}$ against $\Pi$. The challenger $\mathcal{T}$ starts a Type-I (resp. Type-II) CL-OW-CPA game by passing $\mathcal{B}$ the master public key $M_{pk}$ and providing oracle access, including the possible random oracles, Public-Key-Broadcast, Public-Key-Replace, Secret-Value-Extract and, for a Type-I $\mathcal{B}$, Partial-Private-Key-Extract as well. In the Type-II game, $\mathcal{T}$ also gives $M_{sk}$ to $\mathcal{B}$. $\mathcal{B}$ forwards $M_{pk}$ together with $G_1$ and $G_2$ as the master public key $M'_{pk}$ of $\Pi'$ to $\mathcal{A}$, where $G_1$ and $G_2$ are two random oracles controlled by $\mathcal{B}$. In the Type-II game, $\mathcal{B}$ also passes $M_{sk}$ to $\mathcal{A}$. $\mathcal{B}$ provides $\mathcal{A}$ with oracle access as follows; for simplicity of presentation we assume that $\mathcal{A}$ abides by the rules defined in the models of Section 2.2.
- $\mathcal{B}$ forwards to its CL-OW-CPA challenger $\mathcal{T}$ the queries on the oracles Public-Key-Broadcast, Secret-Value-Extract, Public-Key-Replace and, for a Type-I $\mathcal{T}$, Partial-Private-Key-Extract as well, and relays the answers from the challenger to $\mathcal{A}$.
- $\mathcal{B}$ forwards to its challenger $\mathcal{T}$ the queries on the possible random oracles provided by the challenger and relays the answers to $\mathcal{A}$.
- $G_1(m_i, \sigma_i, ID_i, P_i)$: To respond to these queries $\mathcal{B}$ maintains a list $G_1^{list}$. Each entry in the list is a tuple of the form $(m_i, \sigma_i, ID_i, P_i, r_i, C_1^i, C_2^i)$ indexed by $(m_i, \sigma_i, ID_i, P_i)$. To respond to a query, $\mathcal{B}$ does the following:
  - If a tuple indexed by $(m_i, \sigma_i, ID_i, P_i)$ exists on $G_1^{list}$, then $\mathcal{B}$ responds with the corresponding $r_i$.
  - Otherwise, $\mathcal{B}$ randomly chooses a string $r_i \in \mathcal{R}_{\Pi}(M_{pk})$, computes $C_1^i = E(M_{pk}, ID_i, P_i, \sigma_i; r_i)$ and $C_2^i = G_2(\sigma_i) \oplus m_i$, inserts the new tuple $(m_i, \sigma_i, ID_i, P_i, r_i, C_1^i, C_2^i)$ into the list and responds to $\mathcal{A}$ with $r_i$.
- $G_2(\sigma_i)$: To respond to these queries $\mathcal{B}$ maintains a list $G_2^{list}$. Each entry in the list is a tuple of the form $(\sigma_i, h_i)$ indexed by $\sigma_i$. To respond to a query, $\mathcal{B}$ does the following:
  - If a tuple indexed by $\sigma_i$ exists on the list, then $\mathcal{B}$ responds with the corresponding $h_i$.
  - Otherwise, $\mathcal{B}$ randomly chooses a string $h_i \in \mathcal{M}_{\Pi'}(M_{pk})$ and inserts the new tuple $(\sigma_i, h_i)$ into the list. It responds to $\mathcal{A}$ with $h_i$.
- $\mathrm{Decrypt}_S(ID_i, C_i)$: $\mathcal{B}$ takes the following steps to respond to the query:
  - $\mathcal{B}$ queries its challenger for the current public key $P_i$ associated with $ID_i$ by issuing Public-Key-Broadcast($ID_i$).
  - $\mathcal{B}$ parses $C_i$ as $\langle C_1^i, C_2^i \rangle$ and searches $G_1^{list}$ for tuples $(\cdot, \cdot, ID_i, P_i, \cdot, C_1^i, C_2^i)$. If no such tuple is found, then $\mathcal{B}$ outputs $\perp$. If more than one tuple is found, then $\mathcal{B}$ outputs $\perp$.
  - Otherwise $\mathcal{B}$ outputs the $m_i$ in the only tuple found.
- Challenge: Once $\mathcal{A}$ decides that Phase 1 is over, it outputs an identity $ID^*$ and two messages $m_0, m_1$ on which it wishes to be challenged.
  - $\mathcal{B}$ queries $\mathcal{T}$ with Public-Key-Broadcast($ID^*$) to get the current public key $P^*$ associated with $ID^*$.
  - $\mathcal{B}$ forwards $ID^*$ as the challenge identity to $\mathcal{T}$ and gets the challenge ciphertext as $C_1^*$.
  - $\mathcal{B}$ randomly samples $C_2^* \in \mathcal{M}_{\Pi'}(M_{pk})$ and replies to $\mathcal{A}$ with $C^* = \langle C_1^*, C_2^* \rangle$ as the challenge ciphertext in the CL-IND-CCA2 game.
- Guess: Once $\mathcal{A}$ outputs its guess $b'$, $\mathcal{B}$ randomly chooses a $\sigma$ from $G_1^{list}$ or $G_2^{list}$ and outputs $\sigma$ as its answer in the CL-OW-CPA game.

Now we analyse $\mathcal{B}$'s probability of outputting the correct response $\sigma^*$ to $\mathcal{T}$. We define two events. Event 1, denoted by $H_1$, is that in the game $\mathcal{A}$ queries $G_1(\cdot, D(M_{pk}, ID^*, P^*, S^*, C_1^*), ID^*, P^*)$ or $G_2(D(M_{pk}, ID^*, P^*, S^*, C_1^*))$, where $S^*$ is the private key associated with $ID^*$ when the challenge is issued. Event 2, denoted by $H_2$, is that in the game $\mathcal{A}$ distinguishes $\mathcal{B}$ from the real world before Event 1 happens.

Now we look at the possibility that $C^* = \langle C_1^*, C_2^* \rangle$ is a valid ciphertext of $m_b$ for $b \in \{0, 1\}$.
For $C^*$ to be a valid challenge ciphertext, it is required that $D(M_{pk}, ID^*, P^*, S^*, C_1^*) = \sigma^*$, $G_2(\sigma^*) \oplus C_2^* = m_b$ and $E(M_{pk}, ID^*, P^*, \sigma^*; G_1(m_b, \sigma^*, ID^*, P^*)) = C_1^*$. As $C_2^*$ is randomly sampled from $\mathcal{M}_\Pi(M_{pk})$, $C_2^*$ is valid for $m_0$ or $m_1$ with equal probability $1/|\mathcal{M}_\Pi(M_{pk})|$. And as $\sigma^*$ is randomly sampled by T and $G_1$ is a random oracle, $C_1^*$ is valid for $m_0$ or $m_1$ with equal probability as well. Hence, given $C^*$, A either finds that $C^*$ is not a valid ciphertext for either $m_0$ or $m_1$, or ($C^*$ being a valid ciphertext for either $m_0$ or $m_1$ with equal probability), to win the game, outputs $b' = b$ if $C^*$ is a valid ciphertext for $m_b$. Here we conceptually force the adversary A to immediately output a random $b' \in \{0, 1\}$ if it finds that $C^*$ is an invalid challenge ciphertext. This change does not affect A's chance of winning the game. As $G_1$ and $G_2$ are random oracles, we have $\Pr[A \text{ wins} \mid \neg H_1] = 1/2$. Then

$\Pr[A \text{ wins}] = \Pr[A \text{ wins} \mid H_1]\Pr[H_1] + \Pr[A \text{ wins} \mid \neg H_1]\Pr[\neg H_1] \le \Pr[H_1] + \frac{1}{2}(1 - \Pr[H_1]) = \frac{1}{2} + \frac{1}{2}\Pr[H_1],$

$\Pr[A \text{ wins}] \ge \Pr[A \text{ wins} \mid \neg H_1]\Pr[\neg H_1] = \frac{1}{2}(1 - \Pr[H_1]) = \frac{1}{2} - \frac{1}{2}\Pr[H_1].$

So we have $\Pr[H_1] \ge \epsilon(k)$.

Now we estimate the probability of Event 2. In the game, A will notice the difference between the simulation and the real world only if B rejects a valid $Decrypt_S$ query or A finds that $C^*$ is an invalid challenge ciphertext. As argued above, the latter event happens only if Event 1 occurs. So we only investigate the rejection of a valid decryption query, which occurs when

Case 1. A queries $Decrypt_S(ID_i, \langle C_1^i, C_2^i \rangle)$ such that $C_1^i = E(M_{pk}, ID_i, P_i, \sigma_i; G_1(m_i, \sigma_i, ID_i, P_i))$ and $C_2^i = G_2(\sigma_i) \oplus m_i$ without querying $G_1(m_i, \sigma_i, ID_i, P_i)$, where $P_i$ is the public key currently associated with $ID_i$, or

Case 2. A queries $Decrypt_S(ID_i, \langle C_1^i, C_2^i \rangle)$ such that there are at least two tuples $(m_a, \sigma_a, ID_i, P_i, r_a, C_1^i, C_2^i)$ and $(m_b, \sigma_b, ID_i, P_i, r_b, C_1^i, C_2^i)$ in $G_1^{list}$. First, this case cannot happen if $\sigma_a = \sigma_b$; otherwise $m_a = G_2(\sigma_a) \oplus C_2^i = G_2(\sigma_b) \oplus C_2^i = m_b$, and $(m_a, \sigma_a, ID_i, P_i)$ uniquely defines a tuple in $G_1^{list}$. Hence Case 2 happens only if $\sigma_a \ne \sigma_b$, which implies $C_1^i = E(M_{pk}, ID_i, P_i, \sigma_a; r_a) = E(M_{pk}, ID_i, P_i, \sigma_b; r_b)$.
Case 1 happens with probability at most $\gamma$ because E is $\gamma$-uniform and $G_1$ is truly random, so $G_1(m_i, \sigma_i, ID_i, P_i)$ is valid for $(M_{pk}, ID_i, P_i, \sigma_i, C_1^i)$ with probability at most $\gamma$. Now we consider the probability of Case 2. Because E is $\gamma$-uniform and $G_1$ is truly random, one query $G_1(m_b, \sigma_b, ID_i, P_i)$ is valid for $(M_{pk}, ID_i, P_i, \sigma_b, C_1^i)$ with probability at most $\gamma$, where $C_1^i$ is determined by $C_1^i = E(M_{pk}, ID_i, P_i, \sigma_a; r_a)$. Note that for a fixed $C_2^i$ there are $2^{|\mathcal{M}_\Pi(M_{pk})|}$ pairs $(m_b, \sigma_b)$. For $q_{G_1}$ queries ($q_{G_1} < 2^{|\mathcal{M}_\Pi(M_{pk})|}$), Case 2 happens with probability at most $1 - (1 - \gamma)^{q_{G_1}}$. And if Case 1 happens, Case 2 won't happen. It follows that

$\Pr[H_2] \ge \left(1 - \max\{\gamma, 1 - (1 - \gamma)^{q_{G_1}}\}\right)^{q_D} = \left((1 - \gamma)^{q_{G_1}}\right)^{q_D}.$

Overall, we have that

$Adv_B(k) \ge \frac{1}{q_{G_1} + q_{G_2}} \Pr[H_2]\Pr[H_1] \ge \frac{1}{q_{G_1} + q_{G_2}} (1 - \gamma)^{q_{G_1} q_D}\, \epsilon(k).$

The Scheme. CL-PKE1 consists of the following algorithms:

CL.Gen($1^k$). Given a security parameter k, the algorithm works as follows.
1. Generate three cyclic groups $G_1$, $G_2$ and $G_t$ of prime order p, an isomorphism $\psi$ from $G_2$ to $G_1$, and a bilinear pairing map $\hat{e}: G_1 \times G_2 \to G_t$. Pick a random generator $P_2 \in G_2$ and set $P_1 = \psi(P_2)$.
2. Pick a random $s \in Z_p$ and compute $P_{pub} = sP_1$.
3. Pick four cryptographic hash functions: $H_1: \{0,1\}^* \to G_2$, $H_2: G_t \times G_1 \to \{0,1\}^n$, $H_3: \{0,1\}^n \times \{0,1\}^n \times \{0,1\}^* \times G_1 \to Z_p$, $H_4: \{0,1\}^n \to \{0,1\}^n$, for some integer $n > 0$.
4. Output the master public key $M_{pk} = (G_1, G_2, G_t, p, \hat{e}, \psi, n, P_1, P_2, P_{pub}, H_1, H_2, H_3, H_4)$ and the master secret key $M_{sk} = s$.

The message space is $\mathcal{M} = \{0,1\}^n$, the ciphertext space is $\mathcal{C} = G_1 \times \{0,1\}^n \times \{0,1\}^n$ and the randomness space is $\mathcal{R} = \{0,1\}^n$.

CL.PartialKey($M_{sk}, M_{pk}, ID_A$). Given a string $ID_A \in \{0,1\}^*$ of entity A, $M_{pk}$ and $M_{sk}$, the algorithm computes $Q_A = H_1(ID_A) \in G_2$, $D_A = sQ_A$ and returns $D_A$.

CL.SecretVal($M_{pk}, ID_A$). Given a string $ID_A$ and $M_{pk}$, the algorithm outputs a random $X_A \in Z_p$.

CL.PrivateKey($M_{pk}, D_A, X_A$). Given $M_{pk}$, $D_A$ and $X_A$, the algorithm outputs $S_A = (D_A, X_A)$.

CL.PublicKey($M_{pk}, X_A, ID_A$). Given $M_{pk}$ and $X_A$, the algorithm outputs $P_A = X_A P_1$.

CL.Encrypt($M_{pk}, ID_A, P_A, m$). Given a plaintext $m \in \{0,1\}^n$, the identity $ID_A$ of entity A, the system parameters $M_{pk}$ and the public key $P_A$ of the entity, the following steps are performed.
1. Pick a random $\sigma \in \{0,1\}^n$ and compute $r = H_3(\sigma, m, ID_A, P_A)$.
2. Compute $Q_A = H_1(ID_A)$, $\xi = \hat{e}(P_{pub}, Q_A)^r$ and $f = rP_A$.
3. Set the ciphertext to $C = \langle rP_1,\ \sigma \oplus H_2(\xi, f),\ m \oplus H_4(\sigma) \rangle$.

CL.Decrypt($M_{pk}, ID_A, P_A, S_A, C$). Given a ciphertext $C = \langle U, V, W \rangle \in \mathcal{C}$, the private key $S_A = (D_A, X_A)$, the identifier $ID_A$ and $M_{pk}$, the algorithm takes the following steps:
1. Compute $\xi' = \hat{e}(U, D_A)$, $f' = X_A U$ and $\sigma' = V \oplus H_2(\xi', f')$.
2. Compute $m' = W \oplus H_4(\sigma')$ and $r' = H_3(\sigma', m', ID_A, P_A)$.
3. If $U \ne r'P_1$, output $\bot$, else return $m'$ as the plaintext.
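To check the algebra of CL-PKE1 end to end, here is an added Python model that is not part of the paper or its authors' code. It assumes a deliberately transparent discrete-log stand-in for the pairing (every group element is stored as its scalar, so the model is insecure and only useful for checking correctness), SHA-256-based instantiations of $H_1$ to $H_4$, and a constructed identity and message.

```python
"""Toy model of CL-PKE1 (Section 4.1), written to check the scheme's algebra.

Constructed example, not the paper's code. Group elements live in a
transparent discrete-log model: G_1 = G_2 (psi is the identity), the
generators are P_1 = P_2 = 1, a point xP is stored as x mod p, and a G_t
element is stored as its exponent with respect to e(P_1, P_2), so that
e(xP_1, yP_2) = x*y mod p. Bilinearity holds, but every discrete log is
readable, so this model is NOT secure. It only demonstrates key
generation, encryption, decryption and the validity test U = r'P_1.
"""
import hashlib
import secrets

P = 2**61 - 1      # prime group order p (toy choice)
N_BYTES = 32       # message space {0,1}^n with n = 256
P1 = 1             # generator P_1 = psi(P_2), represented by its log 1


def pairing(x, y):
    """e(xP_1, yP_2) = e(P_1, P_2)^{xy}: return the exponent x*y mod p."""
    return (x * y) % P


def _absorb(tag, parts):
    """Hash a domain tag plus a mix of byte strings and field elements."""
    h = hashlib.sha256(tag)
    for part in parts:
        h.update(part if isinstance(part, bytes) else part.to_bytes(8, "big"))
    return h.digest()


def H1(identity):                 # {0,1}^* -> G_2 (log of Q_A in the toy model)
    return int.from_bytes(_absorb(b"H1", [identity]), "big") % P

def H2(xi, f):                    # G_t x G_1 -> {0,1}^n
    return _absorb(b"H2", [xi, f])

def H3(sigma, m, identity, pa):   # {0,1}^n x {0,1}^n x {0,1}^* x G_1 -> Z_p
    return int.from_bytes(_absorb(b"H3", [sigma, m, identity, pa]), "big") % P

def H4(sigma):                    # {0,1}^n -> {0,1}^n
    return _absorb(b"H4", [sigma])

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def cl_gen():
    """CL.Gen: master secret s, P_pub = sP_1."""
    s = secrets.randbelow(P - 1) + 1
    return {"P1": P1, "Ppub": (s * P1) % P}, s

def cl_partial_key(msk, identity):
    """CL.PartialKey: D_A = sQ_A with Q_A = H_1(ID_A)."""
    return (msk * H1(identity)) % P

def cl_secret_val():
    """CL.SecretVal: random X_A in Z_p."""
    return secrets.randbelow(P - 1) + 1

def cl_public_key(mpk, xa):
    """CL.PublicKey: P_A = X_A P_1."""
    return (xa * mpk["P1"]) % P

def cl_encrypt(mpk, identity, pa, m):
    """CL.Encrypt: <rP_1, sigma xor H_2(xi, f), m xor H_4(sigma)>."""
    assert len(m) == N_BYTES
    sigma = secrets.token_bytes(N_BYTES)
    r = H3(sigma, m, identity, pa)                     # r derived from (sigma, m, ID_A, P_A)
    xi = (pairing(mpk["Ppub"], H1(identity)) * r) % P  # e(P_pub, Q_A)^r, as an exponent
    f = (r * pa) % P                                   # rP_A
    return ((r * mpk["P1"]) % P, xor(sigma, H2(xi, f)), xor(m, H4(sigma)))

def cl_decrypt(mpk, identity, pa, sk, ct):
    """CL.Decrypt: recover sigma', m', recompute r' and check U = r'P_1."""
    da, xa = sk
    U, V, W = ct
    xi = pairing(U, da)                # e(U, D_A) = e(P_pub, Q_A)^r
    f = (xa * U) % P                   # X_A U = rP_A
    sigma = xor(V, H2(xi, f))
    m = xor(W, H4(sigma))
    r = H3(sigma, m, identity, pa)
    if U != (r * mpk["P1"]) % P:       # FO-style check: any change to V or W changes r'
        return None                    # bottom
    return m


def demo():
    """Round trip, then the two rejections a practitioner should expect."""
    mpk, msk = cl_gen()
    ident = b"alice@example.org"                       # constructed identity
    da, xa = cl_partial_key(msk, ident), cl_secret_val()
    pa = cl_public_key(mpk, xa)
    msg = b"cl-pke1 toy model round trip".ljust(N_BYTES, b"\0")
    ct = cl_encrypt(mpk, ident, pa, msg)
    ok = cl_decrypt(mpk, ident, pa, (da, xa), ct) == msg
    U, V, W = ct                                       # flip one bit of W: m' and hence r' change
    rejected = cl_decrypt(mpk, ident, pa, (da, xa), (U, V, xor(W, b"\x01" + b"\0" * 31))) is None
    # A ciphertext made under a different public key P_A' = X'P_1 does not decrypt
    # with the genuine secret value X_A: f' = X_A U differs from rP_A', so r' != r.
    xa2 = cl_secret_val()
    pa2 = cl_public_key(mpk, xa2)
    cross = cl_decrypt(mpk, ident, pa2, (da, xa), cl_encrypt(mpk, ident, pa2, msg)) is None
    return ok, rejected, cross
```

Because $U = r'P_1$ already fixes $\hat{e}(U, D_A) = \hat{e}(P_{pub}, Q_A)^{r'}$ and $X_A U = r'P_A$, the single check in step 3 is equivalent to re-encrypting $\sigma'$ under $r'$ and comparing the whole ciphertext, which is what the generic $Decrypt_S$ simulation above does.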

To prove the security of CL-PKE1, we shall first prove that the following Basic-CL-PKE1 is CL-OW-CPA secure, then apply Theorem 1 to obtain the security result. Basic-CL-PKE1 shares most of the algorithms with CL-PKE1 except the following two (the hash functions $H_3$ and $H_4$ in CL.Gen of CL-PKE1 are unnecessary in Basic-CL-PKE1).

CL.Encrypt($M_{pk}, ID_A, P_A, m; r$). Given a plaintext $m \in \{0,1\}^n$, the identity $ID_A$ of entity A, the system parameters $M_{pk}$ and the public key $P_A$ of the entity, the following steps are performed.
1. Compute $Q_A = H_1(ID_A)$, $\xi = \hat{e}(P_{pub}, Q_A)^r$ and $f = rP_A$.
2. Set the ciphertext to $C = \langle rP_1,\ m \oplus H_2(\xi, f) \rangle$.

CL.Decrypt($M_{pk}, ID_A, P_A, S_A, C$). Given a ciphertext $C = \langle U, V \rangle$, the private key $S_A = (D_A, X_A)$, the identifier $ID_A$ and $M_{pk}$, the algorithm takes the following steps:
1. Compute $\xi' = \hat{e}(U, D_A)$ and $f' = X_A U$.
2. Return $m' = V \oplus H_2(\xi', f')$ as the plaintext.

Lemma 1. Basic-CL-PKE1 is secure in the sense of CL-OW-CPA against Type-I adversaries provided that $H_1$ and $H_2$ are modeled as random oracles and the $BDH_{2,2,2}$ assumption is sound. Specifically, assume there exists a Type-I adversary A that breaks Basic-CL-PKE1 with CL-OW-CPA attacks with advantage $\epsilon(k)$, and in the attack A runs in time $t(k)$ and makes $q_{H_1}$ and $q_{H_2}$ queries on $H_1$ and $H_2$ respectively. Then there exists an algorithm B to solve the $BDH_{2,2,2}$ problem with advantage and time as follows:

$Adv_B^{BDH_{2,2,2}} \ge \left(1 - \frac{q_{H_2}}{2^n}\right)\epsilon(k)/q_{H_1}, \quad t_B(k) \le t(k) + O(q_{H_2}\tau),$

where $\tau$ is the time of a pairing. The proof is given in Appendix A.1.

Lemma 2. Basic-CL-PKE1 is secure in the sense of CL-OW-CPA against Type-II adversaries provided that $H_2$ is modeled as a random oracle and the $DH_{1,2,1}$ assumption is sound. Specifically, assume there exists a Type-II adversary A that breaks Basic-CL-PKE1 with CL-OW-CPA attacks with advantage $\epsilon(k)$, and in the attack A runs in time $t(k)$ and gets $q_P$ entity public keys.
Then there exists an algorithm B to solve the $DH_{1,2,1}$ problem with advantage and time as follows:

$Adv_B^{DH_{1,2,1}} \ge \epsilon(k)/q_P, \quad t_B(k) \le t(k) + O(q_{H_2}\tau),$

where $\tau$ is the time of a pairing. The proof strategy is similar to that of Lemma 1. Due to lack of space, the details are omitted.

Following from Theorem 1 and Lemmas 1 and 2, we have the following security result for CL-PKE1. Note that Basic-CL-PKE1 is $\frac{1}{2^n}$-uniform.

Theorem 2. CL-PKE1 is secure against Type-I adversaries with CL-IND-CCA2 attacks provided $H_i$ ($1 \le i \le 4$) are modeled as random oracles and the $BDH_{2,2,2}$ assumption is sound. CL-PKE1 is secure against Type-II adversaries with CL-IND-CCA2 attacks provided $H_i$ ($2 \le i \le 4$) are modeled as random oracles and the $DH_{1,2,1}$ assumption is sound.

Specifically, assume a Type-I adversary $A_I$ breaks CL-PKE1 with a CL-IND-CCA2 attack with advantage $\epsilon(k)$ in time $t(k)$, and in the attack $A_I$ makes $q_D$ decryption queries and $q_i$ queries on $H_i$ for $1 \le i \le 4$ with $q_3 < 2^n$; then there exists an algorithm $B_I$ to solve the $BDH_{2,2,2}$ problem with the following advantage and time:

$Adv_{B_I}^{BDH_{2,2,2}}(k) \ge \frac{(1 - q_2/2^n)\,\epsilon(k)}{q_1(q_3 + q_4)}\left(1 - \frac{1}{2^n}\right)^{q_3 q_D}, \quad t_{B_I}(k) \le t(k) + O(q_3 t_E + q_2\tau),$

where $t_E$ is the cost of Basic-CL-PKE1 and $\tau$ is the time of a pairing. Assume a Type-II adversary $A_{II}$ breaks CL-PKE1 with a CL-IND-CCA2 attack with advantage $\epsilon(k)$ in time $t(k)$, and in the attack $A_{II}$ makes $q_P$ public key queries and $q_i$ queries on $H_i$ for $2 \le i \le 4$; then there exists an algorithm $B_{II}$ to solve the $DH_{1,2,1}$ problem with the following advantage and time:

$Adv_{B_{II}}^{DH_{1,2,1}}(k) \ge \frac{\epsilon(k)}{q_P(q_3 + q_4)}\left(1 - \frac{1}{2^n}\right)^{q_3 q_D}, \quad t_{B_{II}}(k) \le t(k) + O(q_3 t_E + q_2\tau).$

Following the general approach in Section 3, we can construct a CL-KEM: CL-KEM1 (see Appendix B in [10] for details).

4.2 CL-PKE2

In this subsection, we construct a CL-PKE (referred to as CL-PKE2) directly following the heuristic approach in Section 3. The scheme is based on $BB_1$-IBE [5], a commutative blinding IBE. CL-PKE2 consists of the following algorithms:

CL.Gen($1^k$): Given a security parameter k, the algorithm works as follows:
1. Generate three cyclic groups $G_1$, $G_2$ and $G_t$ of prime order p and a bilinear pairing map $\hat{e}: G_1 \times G_2 \to G_t$. Pick random generators $P_2 \in G_2$ and $P_1 \in G_1$.
2. Randomly sample $a, b$ and $c \in Z_p$. Set $Q_1 = aP_1$, $Q_2 = bP_1$, $Q_3 = cP_1 \in G_1$, and $\hat{Q}_1 = aP_2$, $\hat{Q}_2 = bP_2$, $\hat{Q}_3 = cP_2 \in G_2$. Compute $v_0 = \hat{e}(Q_1, \hat{Q}_2) = \hat{e}(P_1, P_2)^{ab}$.
3. Pick three cryptographic hash functions: $H_1: \{0,1\}^* \to Z_p$, $H_2: G_t \times G_1 \to \{0,1\}^n$, $H_3: G_t \times G_1 \times \{0,1\}^n \times G_1 \times G_1 \to Z_p$, for some integer $n > 0$.
4. Output the master public key $M_{pk} = (G_1, G_2, G_t, p, \hat{e}, n, P_1, Q_1, Q_3, v_0, H_1, H_2, H_3)$ and the master secret key $M_{sk} = (P_2, a, b, c)$.

The message space is $\mathcal{M} = \{0,1\}^n$, the ciphertext space is $\mathcal{C} = \{0,1\}^n \times G_1 \times G_1 \times Z_p$ and the randomness space is $\mathcal{R} = Z_p$.

CL.PartialKey($M_{sk}, M_{pk}, ID_A$). Given a string $ID_A \in \{0,1\}^*$ of entity A, $M_{pk}$ and $M_{sk}$, the algorithm randomly picks $t \in Z_p$ and outputs $D_A = (D_1, D_2) = \big((ab + (aH_1(ID_A) + c)t)P_2,\ tP_2\big)$. We note that $P_2$ in $M_{sk}$ can be disclosed; in particular, on Type-1 pairings $P_1 = P_2$. Given $M_{pk}$ with $P_2$, one can verify whether $D_A$ is a signature on $ID_A$.

CL.SecretVal($M_{pk}, ID_A$). Given a string $ID_A$ and $M_{pk}$, the algorithm returns a random $X_A \in Z_p$.

CL.PrivateKey($M_{pk}, D_A, X_A$). Given $M_{pk}$, $D_A$ and $X_A$, the algorithm outputs $S_A = (D_A, X_A)$.

CL.PublicKey($M_{pk}, X_A, ID_A$). Given $M_{pk}$ and $X_A$, the algorithm outputs $P_A = X_A P_1$.

CL.Encrypt($M_{pk}, ID_A, P_A, m$). Given a plaintext $m \in \mathcal{M}$, the identity $ID_A$ of entity A, the system parameters $M_{pk}$ and the public key $P_A$ of the entity, the following steps are performed.
1. Pick a random $r \in Z_p$ and compute $C_1 = rP_1$ and $C_2 = rQ_3 + rH_1(ID_A)Q_1$.
2. Compute $\xi = v_0^r$, $f = rP_A$ and $C_0 = m \oplus H_2(\xi, f)$.
3. Compute $\sigma = r + H_3(\xi, f, C_0, C_1, C_2) \bmod p$.
4. Set the ciphertext to $C = \langle C_0, C_1, C_2, \sigma \rangle$.

CL.Decrypt($M_{pk}, ID_A, P_A, S_A, C$). Given a ciphertext $C = \langle C_0, C_1, C_2, \sigma \rangle \in \mathcal{C}$, the private key $S_A = (D_A = (D_1, D_2), X_A)$, the identifier $ID_A$ and $M_{pk}$, the algorithm takes the following steps:
1. Compute $\xi' = \dfrac{\hat{e}(C_1, D_1)}{\hat{e}(C_2, D_2)}$ and $f' = X_A C_1$.
2. Compute $r' = \sigma - H_3(\xi', f', C_0, C_1, C_2) \bmod p$, and output $\bot$ if $(\xi', C_1) \ne (v_0^{r'}, r'P_1)$.
3. Compute $m' = C_0 \oplus H_2(\xi', f')$ and return $m'$ as the plaintext.

CL-PKE2's security is summarised by the following theorem.

Theorem 3. CL-PKE2 is secure against Type-I adversaries with CL-IND-CCA2 attacks provided $H_i$ ($1 \le i \le 3$) are modeled as random oracles and the general BDH assumption is sound. CL-PKE2 is secure against Type-II adversaries with CL-IND-CCA2 attacks provided $H_i$ ($i = 2, 3$) are modeled as random oracles and the $DH_{1,1,1}$ assumption is sound.
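The following Python model of CL-PKE2 is an added example, not the paper's or its authors' code. It assumes the same transparent discrete-log stand-in for the pairing as a toy (so it is insecure and only checks correctness), SHA-256-based instantiations of $H_1$ to $H_3$, and a constructed identity and message; it shows why $\hat{e}(C_1, D_1)/\hat{e}(C_2, D_2)$ recovers $v_0^r$ and how the check in step 2 of CL.Decrypt rejects a modified $C_0$ or a wrong secret value.

```python
"""Toy model of CL-PKE2 (Section 4.2), written to check the scheme's algebra.

Constructed example, not the paper's code. Toy pairing: generators
P_1 = P_2 = 1, a point xP is stored as x mod p, a G_t element as its
exponent w.r.t. e(P_1, P_2), so e(xP_1, yP_2) = x*y mod p and division in
G_t is subtraction of exponents. Bilinearity holds but every discrete log
is readable, so this is NOT secure; it only demonstrates the scheme.
"""
import hashlib
import secrets

P = 2**61 - 1      # prime group order p (toy choice)
N_BYTES = 32       # message space {0,1}^n with n = 256
P1 = P2 = 1        # generators, represented by their log 1


def rand_zp():
    return secrets.randbelow(P - 1) + 1

def pairing(x, y):
    """e(xP_1, yP_2) = e(P_1, P_2)^{xy}: return the exponent x*y mod p."""
    return (x * y) % P

def _absorb(tag, parts):
    """Hash a domain tag plus a mix of byte strings and field elements."""
    h = hashlib.sha256(tag)
    for part in parts:
        h.update(part if isinstance(part, bytes) else part.to_bytes(8, "big"))
    return h.digest()

def H1(identity):                    # {0,1}^* -> Z_p
    return int.from_bytes(_absorb(b"H1", [identity]), "big") % P

def H2(xi, f):                       # G_t x G_1 -> {0,1}^n
    return _absorb(b"H2", [xi, f])

def H3(xi, f, c0, c1, c2):           # G_t x G_1 x {0,1}^n x G_1 x G_1 -> Z_p
    return int.from_bytes(_absorb(b"H3", [xi, f, c0, c1, c2]), "big") % P

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def cl_gen():
    """CL.Gen: Q_1 = aP_1, Q_3 = cP_1, v_0 = e(Q_1, bP_2) = e(P_1, P_2)^{ab}."""
    a, b, c = rand_zp(), rand_zp(), rand_zp()
    q1, q3, q2_hat = (a * P1) % P, (c * P1) % P, (b * P2) % P
    mpk = {"P1": P1, "Q1": q1, "Q3": q3, "v0": pairing(q1, q2_hat)}
    return mpk, {"P2": P2, "a": a, "b": b, "c": c}

def cl_partial_key(msk, identity):
    """CL.PartialKey: D_A = ((ab + (aH_1(ID_A) + c)t)P_2, tP_2)."""
    a, b, c, p2 = msk["a"], msk["b"], msk["c"], msk["P2"]
    t = rand_zp()
    d1 = ((a * b + (a * H1(identity) + c) * t) % P) * p2 % P
    return (d1, (t * p2) % P)

def cl_public_key(mpk, xa):
    """CL.PublicKey: P_A = X_A P_1 (CL.SecretVal is simply rand_zp())."""
    return (xa * mpk["P1"]) % P

def cl_encrypt(mpk, identity, pa, m):
    """CL.Encrypt: <C_0, C_1, C_2, sigma> with sigma = r + H_3(...) mod p."""
    assert len(m) == N_BYTES
    r = rand_zp()
    c1 = (r * mpk["P1"]) % P
    c2 = (r * mpk["Q3"] + r * H1(identity) * mpk["Q1"]) % P
    xi = (mpk["v0"] * r) % P          # v_0^r in the exponent model
    f = (r * pa) % P                  # rP_A
    c0 = xor(m, H2(xi, f))
    sigma = (r + H3(xi, f, c0, c1, c2)) % P
    return (c0, c1, c2, sigma)

def cl_decrypt(mpk, identity, pa, sk, ct):
    """CL.Decrypt: xi' = e(C_1, D_1)/e(C_2, D_2), then recover r' and verify."""
    (d1, d2), xa = sk
    c0, c1, c2, sigma = ct
    # e(rP_1, (ab + (aH+c)t)P_2) / e((rc + rHa)P_1, tP_2) = e(P_1, P_2)^{rab}
    xi = (pairing(c1, d1) - pairing(c2, d2)) % P
    f = (xa * c1) % P                 # X_A C_1 = rP_A
    r = (sigma - H3(xi, f, c0, c1, c2)) % P
    if (xi, c1) != ((mpk["v0"] * r) % P, (r * mpk["P1"]) % P):
        return None                   # bottom: ciphertext is not well formed
    return xor(c0, H2(xi, f))


def demo():
    """Round trip plus rejection of a modified C_0 and of a wrong secret value."""
    mpk, msk = cl_gen()
    ident = b"bob@example.org"                          # constructed identity
    da, xa = cl_partial_key(msk, ident), rand_zp()
    pa = cl_public_key(mpk, xa)
    msg = b"cl-pke2 toy model round trip".ljust(N_BYTES, b"\0")
    ct = cl_encrypt(mpk, ident, pa, msg)
    ok = cl_decrypt(mpk, ident, pa, (da, xa), ct) == msg
    c0, c1, c2, sigma = ct            # flipping a bit of C_0 changes H_3, hence r'
    tampered = (xor(c0, b"\x01" + b"\0" * 31), c1, c2, sigma)
    rejected = cl_decrypt(mpk, ident, pa, (da, xa), tampered) is None
    # D_A alone (what the KGC holds) without X_A yields the wrong f' and bottom.
    wrong_x = cl_decrypt(mpk, ident, pa, (da, rand_zp()), ct) is None
    return ok, rejected, wrong_x
```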
Specifically, assume a Type-I adversary $A_I$ breaks CL-PKE2 with a CL-IND-CCA2 attack with advantage $\epsilon(k)$ in time $t(k)$, and in the attack $A_I$ makes $q_D$ decryption queries and $q_i$ queries on $H_i$ for $1 \le i \le 3$; then there exists an algorithm $B_I$ to solve the general BDH problem with the following advantage and time:

$Adv_{B_I}^{General\ BDH}(k) \ge \frac{(1 - q_1/p)^{q_1}\,\epsilon(k)}{q_1(q_2 + q_3)}\left(1 - \frac{1}{p}\right)^{q_D}, \quad t_{B_I}(k) \le t(k) + O(q_1 t_2 + q_D(t_1 + t_3)),$

where $t_i$ for $i = 1, 2, 3$ is the cost of an operation in $G_1$, $G_2$, $G_t$ respectively.

Assume a Type-II adversary $A_{II}$ breaks CL-PKE2 with a CL-IND-CCA2 attack with advantage $\epsilon(k)$ in time $t(k)$, and in the attack $A_{II}$ makes $q_P$ public key queries and $q_i$ queries on $H_i$ for $i = 2, 3$; then there exists an algorithm $B_{II}$ to solve the $DH_{1,1,1}$ problem with the following advantage and time:

$Adv_{B_{II}}^{DH_{1,1,1}}(k) \ge \frac{\epsilon(k)}{q_P(q_2 + q_3)}\left(1 - \frac{1}{p}\right)^{q_D}, \quad t_{B_{II}}(k) \le t(k) + O(q_D t_1).$

The proof is given in Appendix A.3.

Similarly, by following the general approach in Section 3, we can construct another CL-KEM by simply outputting $(C_1, C_2)$ as the encapsulation of the secret key $H(\xi, f)$.

5 Efficiency Discussion and Comparison

We now assess the comparative efficiency of several concrete CL-PKE schemes. There have been some related security schemes in the literature. For example, in [8], the authors proposed a CL-PKE-like scheme without using pairings, which is more efficient than those schemes based on pairings. However, the scheme requires a user to execute CL.PartialKey first before generating the public key. This makes it more like a self-certified public key scheme [19] than a CL-PKE. Moreover, the scheme, unlike other CL-PKE proposals based on IBE schemes, cannot work compatibly with existing IBE, i.e., the scheme cannot degenerate smoothly to an IBE. Gentry proposed the security notion Certificate-Based Encryption (CBE), which is closely related to CL-PKE, and constructed a concrete CBE scheme [20]. Here we only consider schemes with proofs in a security formulation compatible with the one defined in Section 2.2.

Table 3. CL-PKE Efficiency Comparison

| Scheme              | Based IBE  | IBE Type             | Computation          | Ciphertext Size |
| AP-CL-PKE1 [3] (1)  | BF-IBE     | Full Domain Hash     | = BF-IBE + 2P (2)    | = BF-IBE        |
| AP-CL-PKE2 [4] (3)  | BF-IBE     | Full Domain Hash     | = BF-IBE + 1M        | = BF-IBE        |
| CL-PKE1             | BF-IBE     | Full Domain Hash     | = BF-IBE + 1M        | = BF-IBE        |
| CL-PKE2             | $BB_1$-IBE | Commutative Blinding | = $BB_1$-IBE + 1M    | = $BB_1$-IBE    |
| LQ-CL-PKE [25]      | SK-IBE2    | Exponent Inversion   | = SK-IBE2 + 1E       | = SK-IBE2       |
| SLOS-CL-PKE [28]    | SK-IBE     | Exponent Inversion   | = SK-IBE + 1M (4)    | = SK-IBE        |

1. The scheme is enhanced by a verifiable random parameter generation.
2. The scheme requires two more pairings in the encryption algorithm than BF-IBE. The decryption operation is of the same cost as BF-IBE.
3. The scheme is enhanced as suggested in Section
4. The scheme requires the Weil pairing.

As efficiency is the primary concern, we ignore any schemes designed in the standard model because their performance is far worse than those with random oracles. Table 3 summarises the IBE scheme used, the IBE type, the computation and the ciphertext size of several CL-PKE proposals. The computation cost

only counts the extra operations, including Pairing, Multiplication in $G_1$ and Exponentiation in $G_t$, beyond the IBE used. Please refer to [5,9] for the detailed efficiency discussion of the relevant IBE schemes. Among the schemes using full domain hash IBE schemes, CL-PKE1 and AP-CL-PKE2 have the same performance and are faster than AP-CL-PKE1 in encryption. Among the schemes using exponent inversion IBE, SLOS-CL-PKE makes use of the Weil pairing. As the Weil pairing is slower than the Tate pairing [23], SLOS-CL-PKE is slower than LQ-CL-PKE. Like $BB_1$-IBE, CL-PKE2 enjoys security reductions based on weak complexity assumptions and is efficient in encryption and relatively slow in decryption.

6 Conclusion

In this work, we revisited various CL-PKE formulations and defined a strong security model for this type of encryption. Based on a simple observation on some existing IBE and PKE schemes, we proposed a heuristic approach to constructing efficient CL-PKE and, following the approach, we constructed two efficient concrete CL-PKE schemes which are strongly secure in the random oracle model. Besides, we also demonstrated that a slightly modified Fujisaki-Okamoto conversion can transform a weak CL-PKE into a CL-IND-CCA2 secure scheme.

References

1. Al-Riyami, S.: Cryptographic schemes based on elliptic curve pairings. PhD thesis, Royal Holloway, University of London (2004)
2. Au, M.H., Chen, J., Liu, J.K., et al.: Malicious KGC attack in certificateless cryptography. Cryptology ePrint Archive, Report 2006/
3. Al-Riyami, S.S., Paterson, K.G.: Certificateless public key cryptography. In: Laih, C.-S. (ed.) ASIACRYPT. LNCS, vol. 2894, pp. Springer, Heidelberg (2003)
4. Al-Riyami, S.S., Paterson, K.G.: CBE from CL-PKE: a generic construction and efficient schemes. In: Vaudenay, S. (ed.) PKC. LNCS, vol. 3386, pp. Springer, Heidelberg (2005)
5. Boyen, X.: The BB_1 identity-based cryptosystem: a standard for encryption and key encapsulation (August 2006). submissions/boyen-bb1 ieee.pdf
6. Boneh, D., Franklin, M.: Identity based encryption from the Weil pairing. In: Kilian, J. (ed.) CRYPTO. LNCS, vol. 2139, pp. Springer, Heidelberg (2001)
7. Bentahar, K., Farshim, P., Malone-Lee, J., Smart, N.P.: Generic constructions of identity-based and certificateless KEMs. Cryptology ePrint Archive, Report 2005/058 (2005)
8. Baek, J., Safavi-Naini, R., Susilo, W.: Certificateless public key encryption without pairing. In: Zhou, J., Lopez, J., Deng, R.H., Bao, F. (eds.) ISC. LNCS, vol. 3650, pp. Springer, Heidelberg (2005)
9. Cheng, Z.: Pairing-based cryptosystems and key agreement protocols. Thesis, Middlesex University (2007)


More information

How to Construct Identity-Based Signatures without the Key Escrow Problem

How to Construct Identity-Based Signatures without the Key Escrow Problem How to Construct Identity-Based Signatures without the Key Escrow Problem Tsz Hon Yuen, Willy Susilo, and Yi Mu University of Wollongong, Australia {thy738, wsusilo, ymu}@uow.edu.au Abstract. The inherent

More information

Lecture 14 Alvaro A. Cardenas Kavitha Swaminatha Nicholas Sze. 1 A Note on Adaptively-Secure NIZK. 2 The Random Oracle Model

Lecture 14 Alvaro A. Cardenas Kavitha Swaminatha Nicholas Sze. 1 A Note on Adaptively-Secure NIZK. 2 The Random Oracle Model CMSC 858K Advanced Topics in Cryptography March 11, 2004 Lecturer: Jonathan Katz Lecture 14 Scribe(s): Alvaro A. Cardenas Kavitha Swaminatha Nicholas Sze 1 A Note on Adaptively-Secure NIZK A close look

More information

The Exact Security of a Stateful IBE and New Compact Stateful PKE Schemes

The Exact Security of a Stateful IBE and New Compact Stateful PKE Schemes The Exact Security of a Stateful IBE and New Compact Stateful PKE Schemes S. Sree Vivek, S. Sharmila Deva Selvi, C. Pandu Rangan Theoretical Computer Science Lab, Department of Computer Science and Engineering,

More information

Certificateless Onion Routing

Certificateless Onion Routing Certificateless Onion Routing Dario Catalano Dipartimento di Matematica e Informatica Università di Catania - Italy catalano@dmi.unict.it Dario Fiore Dipartimento di Matematica e Informatica Università

More information

Simple and Efficient Threshold Cryptosystem from the Gap Diffie-Hellman Group

Simple and Efficient Threshold Cryptosystem from the Gap Diffie-Hellman Group Simple and Efficient Threshold Cryptosystem from the Gap Diffie-Hellman Group Joonsang Baek Monash University Frankston, VIC 3199, Australia Email: joonsang.baek@infotech.monash.edu.au Yuliang Zheng UNC

More information

A Novel Identity-based Group Signature Scheme from Bilinear Maps

A Novel Identity-based Group Signature Scheme from Bilinear Maps MM Research Preprints, 250 255 MMRC, AMSS, Academia, Sinica, Beijing No. 22, December 2003 A Novel Identity-based Group Signature Scheme from Bilinear Maps Zuo-Wen Tan, Zhuo-Jun Liu 1) Abstract. We propose

More information

Pairing-Based One-Round Tripartite Key Agreement Protocols

Pairing-Based One-Round Tripartite Key Agreement Protocols Pairing-Based One-Round Tripartite Key Agreement Protocols Zhaohui Cheng, Luminita Vasiu and Richard Comley School of Computing Science, Middlesex University White Hart Lane, London N17 8HR, United Kingdom

More information

Lectures 4+5: The (In)Security of Encrypted Search

Lectures 4+5: The (In)Security of Encrypted Search Lectures 4+5: The (In)Security of Encrypted Search Contents 1 Overview 1 2 Data Structures 2 3 Syntax 3 4 Security 4 4.1 Formalizing Leaky Primitives.......................... 5 1 Overview In the first

More information

Lecture 18 - Chosen Ciphertext Security

Lecture 18 - Chosen Ciphertext Security Lecture 18 - Chosen Ciphertext Security Boaz Barak November 21, 2005 Public key encryption We now go back to public key encryption. As we saw in the case of private key encryption, CPA security is not

More information

CSC 5930/9010 Modern Cryptography: Public Key Cryptography

CSC 5930/9010 Modern Cryptography: Public Key Cryptography CSC 5930/9010 Modern Cryptography: Public Key Cryptography Professor Henry Carter Fall 2018 Recap Number theory provides useful tools for manipulating integers and primes modulo a large value Abstract

More information

TRNG Based Key Generation for Certificateless Signcryption

TRNG Based Key Generation for Certificateless Signcryption ISSN (Online) : 2319-8753 ISSN (Print) : 2347-6710 International Journal of Innovative Research in Science, Engineering and Technology Volume 3, Special Issue 3, March 2014 2014 International Conference

More information

Efficient Compilers for Authenticated Group Key Exchange

Efficient Compilers for Authenticated Group Key Exchange Efficient Compilers for Authenticated Group Key Exchange Qiang Tang and Chris J. Mitchell Information Security Group, Royal Holloway, University of London Egham, Surrey TW20 0EX, UK {qiang.tang, c.mitchell}@rhul.ac.uk

More information

Structure-Preserving Certificateless Encryption and Its Application

Structure-Preserving Certificateless Encryption and Its Application SESSION ID: CRYP-T06 Structure-Preserving Certificateless Encryption and Its Application Prof. Sherman S. M. Chow Department of Information Engineering Chinese University of Hong Kong, Hong Kong @ShermanChow

More information

Distributed ID-based Signature Using Tamper-Resistant Module

Distributed ID-based Signature Using Tamper-Resistant Module , pp.13-18 http://dx.doi.org/10.14257/astl.2013.29.03 Distributed ID-based Signature Using Tamper-Resistant Module Shinsaku Kiyomoto, Tsukasa Ishiguro, and Yutaka Miyake KDDI R & D Laboratories Inc., 2-1-15,

More information

Plaintext Awareness via Key Registration

Plaintext Awareness via Key Registration Plaintext Awareness via Key Registration Jonathan Herzog CIS, TOC, CSAIL, MIT Plaintext Awareness via Key Registration p.1/38 Context of this work Originates from work on Dolev-Yao (DY) model Symbolic

More information

Proofs for Key Establishment Protocols

Proofs for Key Establishment Protocols Information Security Institute Queensland University of Technology December 2007 Outline Key Establishment 1 Key Establishment 2 3 4 Purpose of key establishment Two or more networked parties wish to establish

More information

A compact Aggregate key Cryptosystem for Data Sharing in Cloud Storage systems.

A compact Aggregate key Cryptosystem for Data Sharing in Cloud Storage systems. A compact Aggregate key Cryptosystem for Data Sharing in Cloud Storage systems. G Swetha M.Tech Student Dr.N.Chandra Sekhar Reddy Professor & HoD U V N Rajesh Assistant Professor Abstract Cryptography

More information

Efficient chosen ciphertext secure PKE scheme with short ciphertext

Efficient chosen ciphertext secure PKE scheme with short ciphertext Efficient chosen ciphertext secure PKE scheme with short ciphertext Xianhui Lu 1, Xuejia Lai 2, Dake He 1, Guomin Li 1 Email:lu xianhui@gmail.com 1:School of Information Science & Technology, SWJTU, Chengdu,

More information

Introduction to Cryptography Lecture 7

Introduction to Cryptography Lecture 7 Introduction to Cryptography Lecture 7 El Gamal Encryption RSA Encryption Benny Pinkas page 1 1 Public key encryption Alice publishes a public key PK Alice. Alice has a secret key SK Alice. Anyone knowing

More information

Digital Signatures. KG November 3, Introduction 1. 2 Digital Signatures 2

Digital Signatures. KG November 3, Introduction 1. 2 Digital Signatures 2 Digital Signatures KG November 3, 2017 Contents 1 Introduction 1 2 Digital Signatures 2 3 Hash Functions 3 3.1 Attacks.................................... 4 3.2 Compression Functions............................

More information

Applied Cryptography and Computer Security CSE 664 Spring 2018

Applied Cryptography and Computer Security CSE 664 Spring 2018 Applied Cryptography and Computer Security Lecture 13: Public-Key Cryptography and RSA Department of Computer Science and Engineering University at Buffalo 1 Public-Key Cryptography What we already know

More information

A Characterization of Authenticated-Encryption as a Form of Chosen-Ciphertext Security. T. Shrimpton October 18, 2004

A Characterization of Authenticated-Encryption as a Form of Chosen-Ciphertext Security. T. Shrimpton October 18, 2004 A Characterization of Authenticated-Encryption as a Form of Chosen-Ciphertext Security T. Shrimpton October 18, 2004 Abstract In this note we introduce a variation of the standard definition of chosen-ciphertext

More information

Notes for Lecture 24

Notes for Lecture 24 U.C. Berkeley CS276: Cryptography Handout N24 Luca Trevisan April 21, 2009 Notes for Lecture 24 Scribed by Milosh Drezgich, posted May 11, 2009 Summary Today we introduce the notion of zero knowledge proof

More information

Introduction to Cryptography Lecture 7

Introduction to Cryptography Lecture 7 Introduction to Cryptography Lecture 7 Public-Key Encryption: El-Gamal, RSA Benny Pinkas page 1 1 Public key encryption Alice publishes a public key PK Alice. Alice has a secret key SK Alice. Anyone knowing

More information

Trust negotiation with trust parameters

Trust negotiation with trust parameters University of Wollongong Research Online Faculty of Informatics - Papers (Archive) Faculty of Engineering and Information Sciences 2006 Trust negotiation with trust parameters Fuchun Guo Fujian Normal

More information

Identity-Based Encryption from the Weil Pairing

Identity-Based Encryption from the Weil Pairing Identity-Based Encryption from the Weil Pairing Dan Boneh 1 and Matt Franklin 2 1 Computer Science Department, Stanford University, Stanford CA 94305-9045 dabo@cs.stanford.edu 2 Computer Science Department,

More information

Identity-Based Cryptography

Identity-Based Cryptography Tutorial on Dr. Associate Professor Department of Computer Science and Engineering Indian Institute of Technology Kharagpur http://cse.iitkgp.ac.in/ abhij/ June 29, 2017 Short Term Course on Introduction

More information

RSA. Public Key CryptoSystem

RSA. Public Key CryptoSystem RSA Public Key CryptoSystem DIFFIE AND HELLMAN (76) NEW DIRECTIONS IN CRYPTOGRAPHY Split the Bob s secret key K to two parts: K E, to be used for encrypting messages to Bob. K D, to be used for decrypting

More information

Fine-Grained Data Sharing Supporting Attribute Extension in Cloud Computing

Fine-Grained Data Sharing Supporting Attribute Extension in Cloud Computing wwwijcsiorg 10 Fine-Grained Data Sharing Supporting Attribute Extension in Cloud Computing Yinghui Zhang 12 1 National Engineering Laboratory for Wireless Security Xi'an University of Posts and Telecommunications

More information

Attribute-based encryption with encryption and decryption outsourcing

Attribute-based encryption with encryption and decryption outsourcing Edith Cowan University Research Online Australian Information Security Management Conference Conferences, Symposia and Campus Events 2014 Attribute-based encryption with encryption and decryption outsourcing

More information

Cryptography. Lecture 12. Arpita Patra

Cryptography. Lecture 12. Arpita Patra Cryptography Lecture 12 Arpita Patra Digital Signatures q In PK setting, privacy is provided by PKE q Integrity/authenticity is provided by digital signatures (counterpart of MACs in PK world) q Definition:

More information

Generic Transformation of a CCA2-Secure Public-Key Encryption Scheme to an eck-secure Key Exchange Protocol in the Standard Model

Generic Transformation of a CCA2-Secure Public-Key Encryption Scheme to an eck-secure Key Exchange Protocol in the Standard Model Generic Transformation of a CCA2-Secure Public-Key Encryption Scheme to an eck-secure Key Exchange Protocol in the Standard Model Janaka Alawatugoda Department of Computer Engineering University of Peradeniya,

More information

Hierarchical Identity-Based Online/Offline Encryption

Hierarchical Identity-Based Online/Offline Encryption University of Wollongong Research Online Faculty of Informatics - Papers Archive Faculty of Engineering and Information Sciences 2008 Hierarchical Identity-Based Online/Offline Encryption Zhongren Liu

More information

Security of Cryptosystems

Security of Cryptosystems Security of Cryptosystems Sven Laur swen@math.ut.ee University of Tartu Formal Syntax Symmetric key cryptosystem m M 0 c Enc sk (m) sk Gen c sk m Dec sk (c) A randomised key generation algorithm outputs

More information

Lecture 15: Public Key Encryption: I

Lecture 15: Public Key Encryption: I CSE 594 : Modern Cryptography 03/28/2017 Lecture 15: Public Key Encryption: I Instructor: Omkant Pandey Scribe: Arun Ramachandran, Parkavi Sundaresan 1 Setting In Public-key Encryption (PKE), key used

More information

SECURE AND ANONYMOUS HYBRID ENCRYPTION FROM CODING THEORY

SECURE AND ANONYMOUS HYBRID ENCRYPTION FROM CODING THEORY SECURE AND ANONYMOUS HYBRID ENCRYPTION FROM CODING THEORY Edoardo Persichetti University of Warsaw 06 June 2013 (UNIVERSITY OF WARSAW) SECURE AND ANONYMOUS KEM 06 JUNE 2013 1 / 20 Part I PRELIMINARIES

More information

Weak adaptive chosen ciphertext secure hybrid encryption scheme

Weak adaptive chosen ciphertext secure hybrid encryption scheme Weak adaptive chosen ciphertext secure hybrid encryption scheme Xianhui Lu 1, Xuejia Lai 2, Dake He 1, Guomin Li 1 Email:luxianhui@gmail.com 1:School of Information Science & Technology, SWJTU, Chengdu,

More information

On the Security of Group-based Proxy Re-encryption Scheme

On the Security of Group-based Proxy Re-encryption Scheme On the Security of Group-based Proxy Re-encryption Scheme Purushothama B R 1, B B Amberker Department of Computer Science and Engineering National Institute of Technology Warangal Warangal, Andhra Pradesh-506004,

More information

Universal designated multi verifier signature schemes

Universal designated multi verifier signature schemes University of Wollongong esearch Online Faculty of Informatics - Papers (Archive) Faculty of Engineering and Information Sciences 2005 Universal designated multi verifier signature schemes Ching Yu Ng

More information

Advanced Cryptography 1st Semester Symmetric Encryption

Advanced Cryptography 1st Semester Symmetric Encryption Advanced Cryptography 1st Semester 2007-2008 Pascal Lafourcade Université Joseph Fourrier, Verimag Master: October 22th 2007 1 / 58 Last Time (I) Security Notions Cyclic Groups Hard Problems One-way IND-CPA,

More information

An Improved Remote User Authentication Scheme with Smart Cards using Bilinear Pairings

An Improved Remote User Authentication Scheme with Smart Cards using Bilinear Pairings An Improved Remote User Authentication Scheme with Smart Cards using Bilinear Pairings Debasis Giri and P. D. Srivastava Department of Mathematics Indian Institute of Technology, Kharagpur 721 302, India

More information

A Thesis for the Degree of Master of Science. Provably Secure Threshold Blind Signature Scheme Using Pairings

A Thesis for the Degree of Master of Science. Provably Secure Threshold Blind Signature Scheme Using Pairings A Thesis for the Degree of Master of Science Provably Secure Threshold Blind Signature Scheme Using Pairings Vo Duc Liem School of Engineering Information and Communications University 2003 Provably Secure

More information

CS 6903 Modern Cryptography February 14th, Lecture 4: Instructor: Nitesh Saxena Scribe: Neil Stewart, Chaya Pradip Vavilala

CS 6903 Modern Cryptography February 14th, Lecture 4: Instructor: Nitesh Saxena Scribe: Neil Stewart, Chaya Pradip Vavilala CS 6903 Modern Cryptography February 14th, 2008 Lecture 4: Instructor: Nitesh Saxena Scribe: Neil Stewart, Chaya Pradip Vavilala Definition 1 (Indistinguishability (IND-G)) IND-G is a notion that was defined

More information

Computer Security CS 526

Computer Security CS 526 Computer Security CS 526 Topic 4 Cryptography: Semantic Security, Block Ciphers and Encryption Modes CS555 Topic 4 1 Readings for This Lecture Required reading from wikipedia Block Cipher Ciphertext Indistinguishability

More information

Strong Privacy for RFID Systems from Plaintext-Aware Encryption

Strong Privacy for RFID Systems from Plaintext-Aware Encryption Strong Privacy for RFID Systems from Plaintext-Aware Encryption Khaled Ouafi and Serge Vaudenay ÉCOLE POLYTECHNIQUE FÉDÉRALE DE LAUSANNE http://lasec.epfl.ch/ supported by the ECRYPT project SV strong

More information

A Light-Weight Certificate-Less Public Key Cryptography Scheme Based on ECC

A Light-Weight Certificate-Less Public Key Cryptography Scheme Based on ECC A Light-Weight Certificate-Less Public Key Cryptography Scheme Based on ECC Xuanxia Yao, Xiaoguang Han School of Computer and Communication Engineering University of Science and Technology Beijing (USTB)

More information

Space-Efficient Identity-Based Encryption: Spelling out the Approach by Boneh-Gentry-Hamburg

Space-Efficient Identity-Based Encryption: Spelling out the Approach by Boneh-Gentry-Hamburg Anais do IX Simpósio Brasileiro em Segurança da Informação e de Sistemas Computacionais 279 Space-Efficient Identity-Based Encryption: Spelling out the Approach by Boneh-Gentry-Hamburg Patrícia Lustosa

More information

CSCI 454/554 Computer and Network Security. Topic 5.2 Public Key Cryptography

CSCI 454/554 Computer and Network Security. Topic 5.2 Public Key Cryptography CSCI 454/554 Computer and Network Security Topic 5.2 Public Key Cryptography Outline 1. Introduction 2. RSA 3. Diffie-Hellman Key Exchange 4. Digital Signature Standard 2 Introduction Public Key Cryptography

More information

Public-Key Cryptography. Professor Yanmin Gong Week 3: Sep. 7

Public-Key Cryptography. Professor Yanmin Gong Week 3: Sep. 7 Public-Key Cryptography Professor Yanmin Gong Week 3: Sep. 7 Outline Key exchange and Diffie-Hellman protocol Mathematical backgrounds for modular arithmetic RSA Digital Signatures Key management Problem:

More information

Security properties of two authenticated conference key agreement protocols

Security properties of two authenticated conference key agreement protocols Security properties of two authenticated conference key agreement protocols Qiang Tang and Chris J. Mitchell Information Security Group Royal Holloway, University of London Egham, Surrey TW20 0EX, UK {qiang.tang,

More information

Outline. CSCI 454/554 Computer and Network Security. Introduction. Topic 5.2 Public Key Cryptography. 1. Introduction 2. RSA

Outline. CSCI 454/554 Computer and Network Security. Introduction. Topic 5.2 Public Key Cryptography. 1. Introduction 2. RSA CSCI 454/554 Computer and Network Security Topic 5.2 Public Key Cryptography 1. Introduction 2. RSA Outline 3. Diffie-Hellman Key Exchange 4. Digital Signature Standard 2 Introduction Public Key Cryptography

More information

Secure Multiparty Computation

Secure Multiparty Computation CS573 Data Privacy and Security Secure Multiparty Computation Problem and security definitions Li Xiong Outline Cryptographic primitives Symmetric Encryption Public Key Encryption Secure Multiparty Computation

More information