Academic Journal Paper

Identity-Based Encryption with Security against the KGC: A Formal Model and Its Instantiations
 Authors
 K. Emura, S. Katsumata, and Y. Watanabe
 Journal
 Theoretical Computer Science
 Volume
 900
 Pages
 97–119
 Publisher
 Elsevier
 Year of publication
 2022
Abstract
The key escrow problem is one of the main barriers to the widespread real-world use of identity-based encryption (IBE). Specifically, a key generation center (KGC), which generates secret keys for a given identity, has the power to decrypt all ciphertexts. At PKC 2009, Chow defined a notion of security against the KGC, that relies on assuming that it cannot discover the underlying identities behind ciphertexts. However, this is not a realistic assumption since, in practice, the KGC manages an identity list, and hence it can easily guess the identities corresponding to given ciphertexts. Chow later amended this issue by introducing a new entity called an identity-certifying authority (ICA) and proposed an anonymous key-issuing protocol. Essentially, this allows the users, KGC, and ICA to interactively generate secret keys without users ever having to reveal their identities to the KGC. Unfortunately, since Chow separately defined the security of IBE and that of the anonymous key-issuing protocol, his IBE definition did not provide any formal treatment when the ICA is used to authenticate the users. Effectively, all of the subsequent works following Chow lack the formal proofs needed to determine whether or not it delivers a secure solution to the key escrow problem. In this paper, based on Chow's work, we formally define an IBE scheme that resolves the key escrow problem and provide formal definitions of security against corrupted users, KGC, and ICA. Along the way, we observe that if we are allowed to assume a fully trusted ICA, as in Chow's work, then we can construct a trivial (and meaningless) IBE scheme that is secure against the KGC.
Finally, we present two instantiations in our new security model: a lattice-based construction based on the Gentry-Peikert-Vaikuntanathan IBE scheme (STOC 2008) and Rückert's lattice-based blind signature scheme (ASIACRYPT 2010), and a pairing-based construction based on the Boneh-Franklin IBE scheme (CRYPTO 2001) and Boldyreva's blind signature scheme (PKC 2003).