1 Introduction

Verifiable Random Functions (VRFs for short) were introduced by Micali, Rabin and Vadhan [41]. Informally, a VRF behaves like a pseudo-random function but also allows for efficient verification. More precisely, this means that there is a public key pk and a function F associated with a secret key sk (the seed) such that the following properties are satisfied. First, the function is efficiently computable, given sk, on any input. Second, having only pk and oracle access to the function, the value \(F_{pk}(x)=y\) looks random to any polynomially bounded observer who did not query \(F_{pk}(x)\) explicitly. Third, a proof \(\pi_{pk}(x)\) that \(F_{pk}(x)=y\) is efficiently computable knowing sk and efficiently verifiable knowing only pk.

VRFs turn out to be very useful in a variety of applications essentially because they can be seen as a compact commitment to an exponential number of (pseudo)random bits. To give a few examples, Micali and Reyzin [39] showed how to use VRFs to reduce to 3 the number of rounds of resettable zero-knowledge proofs in the bare model. Micali and Rivest [40] described a very simple non-interactive lottery system used in micropayment schemes, based on VRFs. Jarecki and Shmatikov [34] employed VRFs to build a verifiable transaction escrow scheme that preserves users’ anonymity while enabling automatic de-escrow. Liskov [36] used VRFs to construct updatable zero-knowledge databases.

However, in spite of their popularity, VRFs are not very well understood objects. In fact, only four constructions were known in the standard model [20, 22, 38, 41]. The schemes proposed by Micali, Rabin and Vadhan [41] and by Lysyanskaya [38] build VRFs in two steps. First they focus on constructing a Verifiable Unpredictable Function (VUF), and then they show how to convert a VUF into a VRF using the Goldreich–Levin [28] theorem to “extract” random bits. Informally, a VUF is a function that is hard to compute but whose outputs do not necessarily look random. Unfortunately, the VRF resulting from this transformation is very inefficient and, furthermore, it loses a rather large factor in its exact security reduction. This is because the transformation involves several steps, all rather inefficient. First, one uses the Goldreich–Levin theorem [28] to construct a VRF with very small (i.e., slightly super-polynomial in the security parameter) input space and output size 1. Next, one iterates the previous step in order to amplify the output size to (roughly) that of the input. Then, using a tree-based construction, one iterates the resulting function in order to get a VRF with unrestricted input size, and finally one evaluates the VRF so obtained several times in order to get an output of the required length.

The constructions proposed by Dodis [20] and by Dodis and Yampolskiy [22], on the other hand, are direct, i.e., they manage to construct VRFs without having to resort to the Goldreich–Levin transform. The VRF presented in [20] is based on a “DDH-like” assumption that the author calls sum-free decisional Diffie–Hellman (sf-DDH). This assumption is similar to the one employed by Naor–Reingold [42] to construct PRFs, with the difference that it applies an error correcting code C to the input elements in order to compute the function. The specific properties of the employed encoding allow for producing additional values that can be used as proofs. This construction is more efficient than [38, 41] in the sense that it does not need the expensive Goldreich–Levin transform. Still, it has some efficiency issues, as the size of the produced proofs and keys is linear in the input size. Dodis [20] also adapts this construction to provide a distributed VRF, that is, a standard VRF which can be computed in a distributed manner. The scheme proposed by Dodis and Yampolskiy [22], on the other hand, is more attractive, at least from a practical point of view, as it provides a simple implementation of VRFs with short (i.e., constant-size) proofs and keys. It is interesting to note that, even though the latter construction is far more efficient than previous work, it builds upon a similar approach: first, they consider a simple VUF (which is basically the Boneh–Boyen weakly secure signature scheme [6]) that is secure for slightly superpolynomially sized input spaces, and then, rather than resorting to the Goldreich–Levin [28] hardcore bit theorem to convert it into a VRF, they show how to modify the original VUF in order to make it a VRF, under an appropriate decisional assumption.

From the discussion above it seems clear that, with the possible exception of [20], all known constructions of verifiable random functions follow similar design criteria. First one builds a suitable VUF and then one transforms it into a VRF by either using the Goldreich–Levin transform or via some direct, ad hoc, modifications of the original VUF. The main drawback of this approach is that, once a good enough VUF is found, one has to either be able to convert it into a VRF directly or accept the fact that the VRF obtained via the Goldreich–Levin transform is not going to be a practical one.

The main motivating question of our work is whether there are alternative (and potentially more efficient) ways for constructing VRFs directly, without the need to resort to the two-step methodology sketched above.

1.1 Our Contribution

In this paper we show how to construct VRFs from a class of identity-based encryption (IBE) schemes [44] that we call VRF-suitable. In particular, we deal with the related notion of identity-based key encapsulation mechanisms (IB-KEM). Roughly speaking, an identity-based key encapsulation mechanism is an asymmetric encryption scheme where the public key can be an arbitrary string. Such schemes consist of four algorithms: a Setup algorithm that generates the system common parameters as well as a master key msk; a key derivation algorithm that uses the master secret key to generate a private key d sk corresponding to an arbitrary public key string ID (the identity); an encapsulation algorithm that creates a ciphertext and a session key using the public key ID, and a decapsulation algorithm that recovers the session key from a ciphertext using the corresponding private key.

Informally, an IB-KEM is said to be VRF-suitable if the following conditions are met. First, the scheme has to provide unique decapsulation. This means that, given a ciphertext C produced with respect to some arbitrary identity ID, all the secret keys corresponding to any other identity ID′ decapsulate to the same value (i.e., even if ID′≠ID). Second, the IB-KEM has to provide what we call pseudo-random decapsulation. Very informally, pseudo-random decapsulation means that if C is a ciphertext produced using some identity ID, then the “decapsulated” key should look random even if the decapsulation algorithm is executed using the secret key corresponding to any other identity ID′≠ID. Having a scheme that achieves pseudo-random decapsulation may seem like a strong requirement at first. We argue that this is not the case by showing that several existing IBE schemes already provide pseudo-random decapsulation.

Our generic construction is of interest both from a theoretical and a practical point of view. Indeed, apart from establishing a connection between two seemingly unrelated primitives, our method is direct, in the sense that it allows one to build a VRF from a VRF-suitable IB-KEM without having to resort to the inefficient Goldreich–Levin transform. Moreover, our reduction is tight. This means that, once an efficient VRF-suitable IB-KEM is available, it leads to an equally efficient VRF, with no additional security loss. Furthermore, our construction immediately allows for efficient distributed VRFs as long as a distributed version of the underlying encryption scheme is available (which is the case for most schemes used in practice).

Realizing VRF-Suitable IB-KEMs

As a second contribution of this paper, we investigate the possibility of realizing VRF-suitable IB-KEMs. Toward this goal, we first describe a general, but limited, construction from a class of standard public key encryption schemes. The proposed implementation (that we call q-bounded VRF-suitable IB-KEM) is limited in the sense that the pseudo-random decapsulation property is guaranteed to hold only if a restricted number of key derivations is allowed. This results in a VRF where the number of proofs that can be produced is bounded by q. Implementing the underlying public key encryption scheme using specific cryptosystems (such as ElGamal [24] or the Linear encryption scheme of Boneh, Boyen and Shacham [8]) we obtain efficient constructions of q-bounded VRFs from various number-theoretic assumptions.

Next, we show how to construct a fully fledged VRF-suitable IB-KEM from the Sakai–Kasahara IB-KEM [43]. Interestingly, the resulting VRF turns out to be very similar to the Dodis–Yampolskiy VRF [22]. Finally, we propose a new implementation of a VRF-suitable IB-KEM inspired by (but more efficient than) Lysyanskaya’s VRF [38] (which in turn builds on the Naor–Reingold PRF [42]). Unlike Lysyanskaya’s construction, whose security relies on the interactive Many-DH assumption [38], our new scheme can be proven secure based on the intractability, in bilinear groups, of the (non-interactive) decisional ℓ-weak Bilinear Diffie–Hellman Inversion problem (decisional ℓ-wBDHI for short) introduced by Boneh, Boyen and Goh [9]. Our scheme enjoys several interesting properties. First, even though the decisional ℓ-wBDHI assumption is asymptotic in nature, the parameter ℓ does not need to be too large in order for our security proof to go through. This is because ℓ is only related to the size of the identities, and not to the number of adversarial queries allowed in the security reduction (as opposed to most known proofs using asymptotic assumptions). More precisely, ℓ grows logarithmically with respect to the size of the identity space. This means that in practice it is enough to assume the decisional ℓ-wBDHI assumption to hold only for reasonably small values of ℓ (such as ℓ=160 or ℓ=256). Second, if one is interested only in selective-security, then our scheme can efficiently support an unbounded input space. Finally, we prove our VRF-suitable IB-KEM to be fully-secure so that the resulting VRF can efficiently support large input spaces. To this end, we show two different proofs. The first one uses the notion of admissible hash functions introduced by Boneh and Boyen [5], and it requires a slight change to the scheme, in the sense that identities have to first be hashed using an admissible hash function. The second proof, instead, works for the same scheme that we prove selective-secure, and it obtains full security by using a slightly different computational assumption (n-Decisional Diffie–Hellman Exponent [10]) and the artificial abort technique [46]. Having constructions for large input spaces was an important open problem in the context of VRFs that was first solved in the recent works of Hohenberger and Waters [33], and Boneh et al. [11].

IBEs and Digital Signatures

Naor [7] pointed out that a fully-secure identity-based encryption scheme can be transformed into a secure signature scheme as follows. One sets the message space as the set I of valid identities of the IBE. To sign \(m \in I\), one executes the key derivation algorithm on input m, and outputs d sk as the signature. A signature on m is verified by encrypting a random M with respect to the identity m, and then by checking that decrypting the resulting ciphertext one gets back M. Thus if one considers an IBE with unique key derivation (i.e., where for each identity a single corresponding decryption key can be computed), the methodology sketched above leads to a unique signature (i.e., a digital signature scheme for which each message admits one single valid signature). Since unique signatures are, by definition, verifiable unpredictable functions, at first glance our construction might seem to (somewhat) follow from Naor’s remark. We argue that this is not the case for two reasons. First, our construction does not require the underlying IB-KEM to have unique key derivation, but only to provide unique decapsulation. Clearly, the former property implies the latter, but there is no reason to exclude the possibility of constructing a scheme realizing unique decapsulation using a randomized key derivation procedure. Second, a crucial requirement for Naor’s transformation to work is that the original IBE is fully-secure. A VRF-suitable IB-KEM, on the other hand, is required to be secure only in a much weaker sense (that we call weak selective ID security).

1.2 Other Related Work

As pointed out above, the notion of VRF is related to the notion of unique signatures. Unique signatures were introduced by Goldwasser and Ostrovsky [29] (they called them invariant signatures). The only known constructions of unique signatures in the plain model (i.e., without common parameters or random oracles) are due to Micali, Rabin and Vadhan [41], to Lysyanskaya [38] and to Boneh and Boyen [6]. In the common reference string model, Goldwasser and Ostrovsky [29] also showed that unique signatures require the same kind of assumptions needed to construct non-interactive zero-knowledge.

Dodis and Puniya in [21] addressed the problem of constructing Verifiable Random Permutations (VRPs) from Verifiable Random Functions. They defined VRPs as the verifiable analogue of pseudo-random permutations. In particular, they pointed out that the technique of Luby–Rackoff [37] (for constructing PRPs from PRFs) cannot be applied in this case. This is due to the fact that VRP proofs must reveal the VRF outputs and proofs of the intermediate rounds. In their paper they showed a construction in which a super-logarithmic number of executions of the Feistel transformation suffices to build a VRP.

Chase and Lysyanskaya [16] introduced the notion of simulatable VRF. Informally, a simulatable VRF is a VRF with the additional property that proofs can be simulated, i.e., a simulator can fake proofs showing that the value of \(F_{sk}(x)\) is y for any y of its choice. Simulatable VRFs work in the common reference string model, and they can be used to provide a direct transformation from single-theorem non-interactive zero-knowledge to multi-theorem NIZK.

Two works [12, 26] have recently investigated the possibility of realizing VRFs from general assumptions. Brakerski et al. [12] introduced the notion of Weak Verifiable Random Functions (wVRFs) that are defined like standard VRFs except that the pseudo-randomness property holds only for randomly selected inputs. Brakerski et al. proposed constructions of wVRFs from trapdoor permutations and number-theoretic assumptions (Bilinear Diffie–Hellman), and they showed that weak VRFs are essentially equivalent to efficient prover non-interactive zero-knowledge proof systems. They also showed a black-box separation between VRFs (both weak and standard) and one-way permutations. In a recent work, Fiore and Schröder [26] further investigated the minimal cryptographic assumptions needed to realize VRFs, and showed that VRFs cannot be reduced in a black-box way to the existence of trapdoor permutations.

1.3 Publication Note and Organization

An abridged version of this paper appeared in the proceedings of EUROCRYPT 2009 [1]. In this version, we give more precise and formal definitions of VRF-suitable IB-KEMs, we include complete proofs of security, and we provide additional results. Most notably, this version contains the construction of a VRF scheme which is proven fully-secure for large input spaces. Moreover, we define q-bounded VRFs and we propose constructions based on standard public key encryption schemes such as ElGamal and Linear Encryption.

Organization

The paper is organized as follows. Section 2 introduces some basic notation, defines the relevant computational assumptions used in our constructions, and gives the definitions of IB-KEM and VRF-suitable IB-KEM. Section 3 describes our generic construction of verifiable random functions from VRF-suitable IB-KEMs. Section 4 introduces the notion of q-bounded VRFs and proposes a realization based on public-key encryption schemes. Section 5 presents two constructions of VRF-suitable IB-KEMs, one based on the Sakai–Kasahara IB-KEM [43] and a new one for which we prove selective- and full-security for large identity spaces. Section 6 recalls our contributions and discusses future directions. The Appendix contains a few more results of independent interest. In particular, Appendix A motivates the notion of pseudo-random decapsulation by showing that the IB-KEMs of Waters [46] and Boneh–Franklin [7] satisfy this notion; and Appendix C shows an alternative proof of full security for the new VRF-suitable IB-KEM in Section 5 based on the security proof for the Hohenberger–Waters VRF [33].

2 Preliminaries

Before presenting our results, we briefly recall some basic definitions. In what follows we will denote by k the security parameter. An algorithm \({\mathcal{A}}\) is called PPT if it is a probabilistic Turing machine whose running time is bounded by some polynomial in k. Denote by \(\mathbb{N}\) the set of natural numbers and by \(\mathbb{R}^{+}\) the set of positive real numbers. We say that a function \(\epsilon : \mathbb{N}\rightarrow \mathbb{R}^{+}\) is negligible if and only if for every polynomial P(k) there exists a \(k_{0} \in \mathbb{N}\) such that for all \(k > k_{0}\), \(\epsilon(k) < 1/P(k)\). If A is a set, then \(a\stackrel{{\scriptscriptstyle\$}}{\leftarrow}A\) indicates the process of selecting a at random and uniformly over A (which in particular assumes that A can be sampled efficiently). If \({\mathcal{A}}(\cdot)\) is a PPT algorithm, then \(y \stackrel{{\scriptscriptstyle\$}}{\leftarrow} {\mathcal{A}}(x)\) indicates the process of running \({\mathcal{A}}\) on input x and assigning its output to y.

2.1 Assumptions

In this section we recall some number-theoretic hardness assumptions that will be used in our work. In the following assume \(\mathbb{G}\) to be a cyclic multiplicative group of prime order p, where p is a k-bit long prime and g is a generator of \(\mathbb{G}\).

2.1.1 Decisional Diffie–Hellman Assumption

The Decisional Diffie–Hellman assumption (DDH) is the decisional version of the Computational Diffie–Hellman problem (CDH) informally defined in [19]. Informally, the DDH problem in a group \(\mathbb{G}\) of prime order p is defined as follows. Let \(a,b \stackrel{{\scriptscriptstyle\$}}{\leftarrow} \mathbb{Z}_{p}\) be chosen at random. An adversary for the DDH problem is given as input \((g,g^{a},g^{b},g^{c})\) and it must output 0 if it believes that c=ab, or 1 if c is random and independent in \(\mathbb{Z}_{p}\).

More formally, we define the advantage of an adversary \(\mathcal{A} \) into deciding DDH in \(\mathbb{G}\) as

$$\mathbf {Adv}^{\mathrm{DDH}}_{ \mathcal{A} }(k) = \bigl \vert \Pr \bigl[ \mathcal{A} \bigl(g,g^a,g^b,g^{ab} \bigr)=0 \bigr] - \Pr \bigl[ \mathcal{A} \bigl(g,g^a,g^b,g^{c} \bigr)=0 \bigr] \bigr \vert , $$

where the probability is taken over the random choices of \(a,b,c \in \mathbb{Z}_{p}\) and the coin tosses of \(\mathcal{A} \).

Definition 1

(DDH)

The Decisional Diffie–Hellman (DDH) assumption holds in \(\mathbb{G}\) if, for any PPT adversary \(\mathcal{A} \), its advantage, \(\mathbf {Adv}^{\mathrm{DDH}}_{ \mathcal{A} }(k)\), is negligible in k.
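The following block is an added example (not part of the paper) that runs the DDH experiment behind Definition 1 in Python on a deliberately small, constructed group. The safe prime p=10007, the Legendre-symbol distinguisher and the trial counts are all choices of this example. In the full group \(\mathbb{Z}_{p}^{*}\), whose order p−1 is even, the distinguisher reaches advantage close to 1/2, because the quadratic character of \(g^{ab}\) is fixed by those of \(g^{a}\) and \(g^{b}\); in the prime-order subgroup of quadratic residues, which is the kind of group the assumption above is stated for, the same distinguisher has advantage exactly 0. This is the concrete reason the section restricts \(\mathbb{G}\) to prime order.

```python
import random

# Toy parameters, constructed for this example: p is a safe prime, p = 2q + 1.
# They are far too small for any real use; they only make the experiment instant.
P = 10007
Q = (P - 1) // 2


def legendre(x: int, p: int = P) -> int:
    """Euler's criterion: +1 for quadratic residues, -1 for non-residues (x != 0 mod p)."""
    return 1 if pow(x, (p - 1) // 2, p) == 1 else -1


def find_generator(p: int) -> int:
    """Smallest generator of Z_p^* for a safe prime p: any non-residue other than -1 has order p-1."""
    for g in range(2, p - 1):
        if legendre(g, p) == -1:
            return g
    raise ValueError("no generator found")


G_FULL = find_generator(P)      # generates Z_p^*, a cyclic group of even order p-1
G_SUB = pow(G_FULL, 2, P)       # generates the subgroup of quadratic residues, prime order q


def ddh_sample(g: int, order: int, real: bool, rng: random.Random):
    """One DDH instance (g, g^a, g^b, g^c): c = ab in the 'real' world, c random otherwise."""
    a = rng.randrange(order)
    b = rng.randrange(order)
    c = (a * b) % order if real else rng.randrange(order)
    return g, pow(g, a, P), pow(g, b, P), pow(g, c, P)


def legendre_distinguisher(g: int, A: int, B: int, C: int) -> int:
    """Output 0 ('c = ab') iff the Legendre symbol of C is the one g^{ab} must have.

    With g of even order, chi(g^a) = (-1)^a, so chi(g^{ab}) = -1 exactly when a and b are both odd.
    """
    predicted = -1 if legendre(A) == -1 and legendre(B) == -1 else 1
    return 0 if legendre(C) == predicted else 1


def ddh_advantage(g: int, order: int, distinguisher, trials: int = 4000, seed: int = 1) -> float:
    """Empirical Adv^DDH: |Pr[D outputs 0 | real] - Pr[D outputs 0 | random]| over `trials` samples each."""
    rng = random.Random(seed)   # seeded only so the run is reproducible
    zeros_real = sum(distinguisher(*ddh_sample(g, order, True, rng)) == 0 for _ in range(trials))
    zeros_rand = sum(distinguisher(*ddh_sample(g, order, False, rng)) == 0 for _ in range(trials))
    return abs(zeros_real - zeros_rand) / trials


if __name__ == "__main__":
    print("full group Z_p^* (order p-1, even):  adv ~", ddh_advantage(G_FULL, P - 1, legendre_distinguisher))
    print("prime-order subgroup (order q):       adv =", ddh_advantage(G_SUB, Q, legendre_distinguisher))
```

The distinguisher never touches the exponents; it only reads one bit of structure that an even-order group leaks through the quadratic character. Moving to the prime-order subgroup removes that bit, which is why the definitions in this section, and the assumptions built on them below, are all stated for groups of prime order.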

2.1.2 Decision Linear Assumption

The Decision Linear assumption (DLin) was first proposed by Boneh et al. in [8]. The Decision Linear problem in a group \(\mathbb{G}\) of prime order p can be defined as follows. Let \(u,v,h \stackrel{{\scriptscriptstyle\$}}{\leftarrow} \mathbb{G}\) and \(a,b \stackrel{{\scriptscriptstyle\$}}{\leftarrow} \mathbb{Z}_{p}\) be chosen at random. An adversary for the Decision Linear problem in \(\mathbb{G}\) is given as input \((u,v,h,u^{a},v^{b},h^{c}) \in \mathbb{G}^{6}\) and it must output 0 if it believes that c=a+b and 1 if c is random in \(\mathbb{Z}_{p}\). More formally, we define the advantage of an adversary \(\mathcal{A} \) into deciding the Decision Linear problem in \(\mathbb{G}\) as

$$\mathbf {Adv}^{\mathrm{DLin}}_{ \mathcal{A} }(k)= \bigl \vert \Pr \bigl[ \mathcal{A} \bigl(u,v,h,u^{a},v^{b},h^{a+b} \bigr)=0 \bigr] - \Pr \bigl[ \mathcal{A} \bigl(u,v,h,u^{a},v^{b},h^{c} \bigr)=0 \bigr] \bigr \vert . $$

Definition 2

(DLin)

The Decision Linear assumption holds in \(\mathbb{G}\) if, for any PPT adversary \(\mathcal{A} \), its advantage, \(\mathbf {Adv}^{\mathrm{DLin}}_{ \mathcal{A} }(k)\), is negligible in k.

2.1.3 Decisional Bilinear Diffie–Hellman Assumption

The Bilinear Diffie–Hellman assumption (BDH for short) was first introduced by Boneh and Franklin in [7]. Here we present its decisional version (DBDH) that was used in several other works (e.g. [46]).

The Decisional Bilinear Diffie–Hellman problem is defined as follows. Let \(\mathbb{G},\mathbb{G}_{T}\) be two groups of prime order p equipped with a bilinear map \(e:\mathbb{G}\times \mathbb{G}\to \mathbb{G}_{T}\), and let g be a generator of \(\mathbb{G}\). Let \(a,b,c \stackrel{{\scriptscriptstyle\$}}{\leftarrow} \mathbb{Z}_{p}\) be randomly chosen. Let \((g,g^{a},g^{b},g^{c},Z)\) be the input of an adversary whose goal is to decide whether \(Z=e(g,g)^{abc}\) or \(Z=e(g,g)^{z}\) for a random independent \(z \stackrel{{\scriptscriptstyle\$}}{\leftarrow} \mathbb{Z}_{p}\). More formally, we define the advantage of \(\mathcal{A} \) into solving the DBDH problem as

Definition 3

(DBDH)

The Decisional Bilinear Diffie–Hellman assumption holds in bilinear groups \(\mathbb{G},\mathbb{G}_{T}\) if, for any PPT adversary \(\mathcal{A} \), its advantage, \(\mathbf {Adv}^{\mathrm{DBDH}}_{ \mathcal{A} }(k)\), is at most negligible in k.

2.1.4 Decisional Bilinear Diffie–Hellman Inversion Assumption

The q-decisional Bilinear Diffie–Hellman Inversion assumption (DBDHI for short) was first introduced by Boneh and Boyen in [4].

Let \(\mathbb{G},\mathbb{G}_{T}\) be two groups of prime order p equipped with a bilinear map \(e:\mathbb{G}\times \mathbb{G}\to \mathbb{G}_{T}\), and let g be a generator of \(\mathbb{G}\). In the DBDHI problem the adversary is given a tuple \((g, g^{x}, g^{(x^{2})}, \ldots, g^{(x^{q})})\) together with a value Z, and it must decide whether \(Z=e(g,g)^{1/x}\) or \(Z=e(g,g)^{z}\), for randomly chosen \(x,z \in \mathbb{Z}_{p}\). More formally, we define the advantage of an algorithm \(\mathcal{A} \) into solving the DBDHI problem as

$$\everymath{\displaystyle} \begin{array} {rcl} \mathbf {Adv}^{\mathrm{DBDHI}}_{ \mathcal{A} }(k) &=& \bigl| \Pr \bigl[ \mathcal{A} \bigl(g, g^{x}, g^{(x^2)}, \ldots, g^{(x^q)},e(g,g)^{1/x} \bigr)=0 \bigr] \\ &&{}- \Pr \bigl[ \mathcal{A} \bigl(g, g^{x}, g^{(x^2)}, \ldots, g^{(x^q)},e(g,g)^{z} \bigr)=0 \bigr] \bigr|. \end{array} $$

Definition 4

(DBDHI)

The DBDHI assumption holds in bilinear groups \(\mathbb{G},\mathbb{G}_{T}\) if, for any PPT adversary \(\mathcal{A} \) and for any q polynomial in k, we have that \(\mathbf {Adv}^{\mathrm{DBDHI}}_{ \mathcal{A} }\) is at most negligible in k.

2.1.5 Decisional Weak ℓ-Bilinear Diffie–Hellman Inversion Assumption

The Decisional weak ℓ-Bilinear Diffie–Hellman Inversion (ℓ-wBDHI) assumption was introduced by Boneh, Boyen and Goh in [9].

Let \(\mathbb{G},\mathbb{G}_{T}\) be two groups of prime order p equipped with a bilinear map \(e:\mathbb{G}\times \mathbb{G}\to \mathbb{G}_{T}\), and let g be a generator of \(\mathbb{G}\). In the ℓ-wBDHI problem the adversary is given as input a tuple \((g^{c}, g^{b}, g^{b^{2}},\ldots , g^{b^{\ell}})\) together with a value Z, and it must decide whether \(Z=e(g,g)^{b^{\ell+1} c}\) or \(Z=e(g,g)^{z}\) for randomly chosen \(b,c,z \in \mathbb{Z}_{p}^{*}\). Formally, we define the advantage of an algorithm \(\mathcal{A} \) into solving the decisional ℓ-wBDHI problem as

$$\begin{array}{rcl} \mathbf {Adv}^{\mathrm{wBDHI}^{*}}_{ \mathcal{A} }(k) & = & \bigl|\Pr\bigl[{\mathcal{A}}\bigl(g^c, g^b, g^{b^2},\ldots ,g^{b^{\ell}}, e(g,g)^{b^{\ell+1}c}\bigr)=0\bigr] \\ & & {} - \Pr\bigl[{\mathcal{A}} \bigl(g^c, g^b, g^{b^2},\ldots ,g^{b^{\ell}}, e(g,g)^{z}\bigr)=0\bigr] \bigr|, \end{array} $$

where the probability is taken over the random choices of \(b,c,z \in \mathbb{Z}_{p}^{*}\).

Definition 5

(ℓ-wBDHI)

We say that the decisional ℓ-wBDHI assumption holds in bilinear groups \(\mathbb{G}, \mathbb{G}_{T}\) if, for any ℓ polynomial in k, and for any PPT adversary \(\mathcal{A} \), its advantage, \(\mathbf {Adv}^{\mathrm{wBDHI}^{*}}_{ \mathcal{A} }(k)\), is negligible in k.

Remark 1

Cheon showed in [17] an attack against the Strong Diffie–Hellman assumption and its related problems (among which the DBDHI used to prove the security of the Dodis–Yampolskiy VRF). This attack reduces the security by a factor \(\sqrt{q}\), and it applies to ℓ-wBDHI as well (with a factor \(\sqrt{\ell}\)). However, as we will see in Sect. 5.2, for the sake of our construction we need to assume that the ℓ-wBDHI assumption holds only for rather small values of ℓ (e.g., ℓ=160 or ℓ=256). This means that in our case the security loss is not as significant as in Dodis–Yampolskiy’s.

Finally, we notice that the assumptions DBDHI and wBDHI are related in the sense that the former implies the latter, but the converse is not known (we defer the interested reader to [9] for further discussions on these assumptions).

2.2 Verifiable Random Functions

Verifiable Random Functions (VRFs for short) were introduced by Micali, Rabin and Vadhan [41]. Intuitively, a VRF behaves like a pseudo-random function, but also allows for proofs of correctness of its outputs. More formally, a VRF is a triplet of algorithms VRF=(Gen,Func,V) providing the following functionalities. The key generation algorithm Gen is a probabilistic algorithm that takes as input the security parameter and produces a pair of matching public and private keys (vpk,vsk). The deterministic algorithm Func, on input the secret key vsk and the input x, computes \(({\mathsf {F}}_{ \mathit {vsk}}(x),{\mathsf {Prove}}_{ \mathit {vsk}}(x))\), where \(v={\mathsf {F}}_{ \mathit {vsk}}(x)\) is the value of the VRF, and \(\pi={\mathsf {Prove}}_{ \mathit {vsk}}(x)\) is its proof of correctness. The verification algorithm V takes as input a tuple (vpk,x,v,π) and outputs a bit indicating whether or not π is a valid proof that \({\mathsf {F}}_{ \mathit {vsk}}(x)=v\).

Let \(a:\mathbb{N}\rightarrow \mathbb{N}\cup \{*\}\) and \(b:\mathbb{N}\rightarrow \mathbb{N}\) be functions computable in polynomial time (in k). Moreover, we assume that a(k) and b(k) are bounded by a polynomial in k, except if a takes the value ∗ (in this case we simply assume that the VRF can take inputs of arbitrary length). Let \(\mathcal{D} \) and \(\mathcal{R} \) be two sets of size \(2^{a(k)}\) and \(2^{b(k)}\) respectively. Formally, we say that VRF=(Gen,Func,V) is a VRF with input space \(\mathcal{D} \) and output space \(\mathcal{R} \), if the following conditions are met.

Domain Range Correctness:

For all \(x \in \mathcal{D} \) it has to be the case that \({\mathsf {F}}_{ \mathit {vsk}}(x) \in \mathcal{R} \). We require this condition to hold with overwhelming probability (over the choices of (vpk,vsk)).

Provability:

For all \(x \in \mathcal{D} \), if \({\mathsf {Prove}}_{ \mathit {vsk}}(x)=\pi\) and \({\mathsf {F}}_{ \mathit {vsk}}(x)=v\) then V(vpk,x,v,π)=1. We require this condition to hold with overwhelming probability (over the choices of (vpk,vsk) and the coin tosses of V).

Uniqueness:

No values \(( \mathit {vpk},x,v_{1},v_{2},\pi_{1},\pi_{2})\), such that \(v_{1} \neq v_{2}\), can satisfy (unless with negligible probability over the coin tosses of V) \({\mathsf {V}}( \mathit {vpk},x,v_{1},\pi_{1})={\mathsf {V}}( \mathit {vpk},x,v_{2},\pi_{2})=1\).

Pseudo-randomness:

For all probabilistic polynomial time adversaries \({\mathcal{A}}=({\mathcal{A}}_{1},{\mathcal{A}}_{2})\) we require that

$$\left\vert \Pr\left[ b'=b \left| \everymath{\displaystyle} \begin{array}{l} ( \mathit {vpk}, \mathit {vsk}) \stackrel{{\scriptscriptstyle\$}}{\leftarrow} {\mathsf {Gen}}(1^k); (x,\omega) \gets {\mathcal{A}}_1^{ {\mathsf {Func}}(\cdot)}( \mathit {vpk}) \\ \noalign{\vspace*{3pt}} b \stackrel{{\scriptscriptstyle\$}}{\leftarrow}\{0,1\}; v_0 \gets {\mathsf {F}}_ \mathit {vsk}(x); v_1 \stackrel{{\scriptscriptstyle\$}}{\leftarrow} \mathcal{R} \\ \noalign{\vspace*{3pt}} b' \gets {\mathcal{A}}_2^{ {\mathsf {Func}}(\cdot)}(\omega,v_b) \end{array}\right. \right] - \frac{1}{2} \right\vert \leq \epsilon(k) $$

where ϵ(k) is a negligible function. In the above experiment, the notation \({\mathcal{A}}^{ {\mathsf {Func}}(\cdot)}\) indicates that \({\mathcal{A}}\) has oracle access to the algorithm Func. Also, in order to make this definition sensible, we impose that \({\mathcal{A}}\) cannot query the oracle on input x.

Roughly speaking, pseudo-randomness guarantees that the output of the function at any given point x, for which a proof has not been issued, looks random to any polynomially bounded observer.

Selective-Secure Verifiable Random Functions

We introduce a new notion of VRF that we call selective-secure VRF. Informally speaking, a selective-secure VRF is a VRF with a relaxed pseudo-randomness property in which the adversary is required to commit ahead of time (i.e., before seeing the public key) to the input value it intends to attack. Sometimes, to point out the opposition with this selective notion, we will refer to VRFs that are secure in the usual sense as fully-secure VRFs.

More formally, a VRF is selective-secure if it satisfies the VRF definition given before except that the pseudo-randomness property is replaced by the following selective variant:

Selective Pseudo-randomness:

For all PPT adversaries \({\mathcal{A}}=({\mathcal{A}}_{1},{\mathcal{A}}_{2})\) we require that

$$\left\vert \Pr\left[ b'=b \left| \everymath{\displaystyle} \begin{array}{l} (x,\omega) \gets A_1(); ( \mathit {vpk}, \mathit {vsk}) \stackrel{{\scriptscriptstyle\$}}{\leftarrow} {\mathsf {Gen}}(1^k) \\ \noalign{\vspace*{3pt}} b \stackrel{{\scriptscriptstyle\$}}{\leftarrow}\{0,1\}; v_0 \gets {\mathsf {F}}_ \mathit {vsk}(x); v_1 \stackrel{{\scriptscriptstyle\$}}{\leftarrow} \mathcal{R} \\ \noalign{\vspace*{3pt}} b' \gets A_2^{ {\mathsf {Func}}(\cdot)}(\omega,v_b) \end{array}\right. \right] - \frac{1}{2} \right\vert \leq \epsilon(k) $$

where ϵ(k) is a negligible function, and the adversary cannot query x to the oracle Func(⋅).

A straightforward reduction shows that any selective-secure VRF is also fully-secure, at the price of a (significant) loss in the resulting security.

Proposition 1

Let VRF be a VRF scheme with input space \(\mathcal{D} \) of size \(2^{a(k)}\), which is selective-secure with security ϵ(k). Then, the same scheme is also fully-secure with security \(\epsilon(k)/2^{a(k)}\).

Proof

The proof of this proposition can be obtained by considering the following reduction. Let \({\mathcal{A}}\) be an adversary that breaks the pseudo-randomness of VRF with advantage at least ϵ(k). Then, one can build an adversary \({\mathcal{B}}\) that simulates \({\mathcal{A}}\) while playing the selective pseudo-randomness experiment. At the beginning, \({\mathcal{B}}\) chooses a random point \(x^{*} \stackrel{{\scriptscriptstyle\$}}{\leftarrow} \mathcal{D} \) as its challenge value and gives it to its challenger. Observe that \({\mathcal{B}}\) can perfectly simulate \({\mathcal{A}}\), as long as \({\mathcal{A}}\) does not query the oracle on \(x^{*}\) and it does ask its challenge on \(x^{*}\). Otherwise \({\mathcal{B}}\) aborts and outputs a random bit. Since \({\mathcal{B}}\)’s guess on \(x^{*}\) is correct with probability \(1/2^{a(k)}\), \({\mathcal{B}}\) will have advantage \(\epsilon(k)/2^{a(k)}\) of winning in the selective pseudo-randomness experiment. □

Remark 2

According to the definition given above, the output of a VRF is in a specific set \(\mathcal{R} \). However, in some applications one may need a VRF whose output is a binary string. To this end, we note that any VRF with output space \(\mathcal{R} \) can be turned into one that outputs a binary string by applying a suitable universal hash function to the output. More precisely, let VRF=(Gen,Func,V) be a VRF with output space \(\mathcal{R} \), and let \({\mathcal{H}}= \{H: \mathcal{R} \to \{0,1\}^{b}\}_{H}\) be a family of universal hash functions (for a suitable b). Then we define another VRF scheme VRF′=(Gen′,Func′,V′) whose output space is \(\{0,1\}^{b}\) and that works as follows. The key generation Gen′ runs \(( \mathit {vpk}, \mathit {vsk}) \stackrel{{\scriptscriptstyle\$}}{\leftarrow} {\mathsf {Gen}}(1^{k})\), chooses a function H from the family \({\mathcal{H}}\) uniformly at random, and outputs vpk′=(vpk,H) and vsk′=vsk. The algorithm Func′ first obtains the output y and the proof π by running Func, and then it returns y′=H(y) as the VRF’s output, while it includes y in the proof, i.e., π′=(π,y). Finally, the verification algorithm V′ checks that y′=H(y), and that π is a correct proof for y (by running V). It is easy to see that, since H is a deterministic function and the scheme VRF has uniqueness, VRF′ satisfies uniqueness as well. Moreover, by the leftover hash lemma [2, 30], if H is a universal hash and VRF satisfies pseudo-randomness over \(\mathcal{R} \), then VRF′ satisfies pseudo-randomness over \(\{0,1\}^{b}\). For the sake of precision, we notice that the secure re-use of the same universal hash H (which is randomly generated once and then fixed in the public key) is justified by a variant of the leftover hash lemma proven by Shoup in [45].
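As an added example, not part of the paper and not one of its constructions, the following Python block implements the VRF syntax of Sect. 2.2 (Gen, Func, V with the provability and uniqueness checks) together with the output-to-bitstring wrapper VRF′ of Remark 2. The base scheme is an RSA full-domain-hash VRF in the style of RFC 9381, an assumption of this example chosen only because it needs no pairing; its constructed toy primes \(2^{16}+1\) and \(2^{31}-1\), and the (almost) universal hash family \(H_{a,c}(y)=((ay+c) \bmod r) \bmod 2^{b}\) with \(r=2^{61}-1\), offer no real security. The block shows how Func′ carries y inside π′ so that V′ can re-run V, and how uniqueness of the base scheme (RSA is a permutation of \(\mathbb{Z}_{n}\)) makes a second value for the same input fail verification.

```python
import hashlib
import random
from typing import Tuple

# ---- Toy base VRF: RSA full-domain-hash style (not a construction of the paper) ----
# Constructed toy primes 2^16+1 and 2^31-1: far too small for real use, fine for a demo.
_P, _Q = 65537, 2147483647
E = 65537                      # public exponent; coprime to (P-1)(Q-1) for these primes


def gen() -> Tuple[Tuple[int, int], Tuple[int, int]]:
    """Gen(1^k): returns (vpk, vsk). Uses the fixed toy primes instead of sampling k-bit ones."""
    n = _P * _Q
    phi = (_P - 1) * (_Q - 1)
    d = pow(E, -1, phi)        # modular inverse, Python >= 3.8
    return (n, E), (n, d)


def fdh(x: bytes, n: int) -> int:
    """Full-domain hash of the input into [2, n); plays the role of the random oracle."""
    h = int.from_bytes(hashlib.sha256(b"fdh|" + x).digest(), "big") % n
    return h if h >= 2 else h + 2


def func(vsk, x: bytes) -> Tuple[int, int]:
    """Func(vsk, x) = (F_vsk(x), Prove_vsk(x)). Output space R = Z_n; the RSA inverse is both value and proof."""
    n, d = vsk
    pi = pow(fdh(x, n), d, n)
    return pi, pi


def verify(vpk, x: bytes, v: int, pi: int) -> bool:
    """V(vpk, x, v, pi) = 1 iff pi^e = H(x) mod n and v is the value that pi certifies.

    Uniqueness: e is coprime to phi(n), so exactly one pi in Z_n satisfies pi^e = H(x).
    """
    n, e = vpk
    return 0 < pi < n and pow(pi, e, n) == fdh(x, n) and v == pi


# ---- Remark 2: VRF' = (Gen', Func', V') with output in {0,1}^b ----
R_PRIME = (1 << 61) - 1        # Mersenne prime 2^61 - 1, larger than the toy modulus n
B_BITS = 64                    # output length b of VRF'


def univ_hash(h: Tuple[int, int], y: int) -> int:
    """H_{a,c}(y) = ((a*y + c) mod r) mod 2^b: an (almost) universal family over Z_r, constructed here."""
    a, c = h
    return ((a * y + c) % R_PRIME) % (1 << B_BITS)


def gen_prime_output(seed: int = 7):
    """Gen': run Gen, pick H uniformly from the family, publish vpk' = (vpk, H); vsk' = vsk."""
    vpk, vsk = gen()
    rng = random.Random(seed)  # seeded only for a reproducible demo; real keys use a CSPRNG
    h = (rng.randrange(1, R_PRIME), rng.randrange(R_PRIME))
    return (vpk, h), vsk


def func_prime(vpk_prime, vsk, x: bytes):
    """Func': y' = H(y) with y carried inside the proof, pi' = (pi, y). H is read from vpk'."""
    _, h = vpk_prime
    y, pi = func(vsk, x)
    return univ_hash(h, y), (pi, y)


def verify_prime(vpk_prime, x: bytes, y_prime: int, proof) -> bool:
    """V': check y' = H(y) and that pi is a valid proof for y under the base scheme."""
    vpk, h = vpk_prime
    pi, y = proof
    return y_prime == univ_hash(h, y) and verify(vpk, x, y, pi)


if __name__ == "__main__":
    vpk2, vsk2 = gen_prime_output()
    y_prime, proof = func_prime(vpk2, vsk2, b"lottery ticket 17")
    print("VRF' output (64-bit):", y_prime, "valid:", verify_prime(vpk2, b"lottery ticket 17", y_prime, proof))
```

Because Func is deterministic and V′ re-runs V on the y carried in π′, anyone holding vpk′ can check a claimed 64-bit output without learning vsk, which is the property the lottery and escrow applications in the introduction rely on.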

2.3 Identity-Based Encryption and Identity-Based Key Encapsulation

An identity-based encryption scheme IBE consists of a tuple of algorithms (Setup,KeyDer,Enc,Dec) providing the following functionality. The trusted authority runs Setup, on input the security parameter 1k, to generate a master key pair (mpk,msk). Without loss of generality, we assume that the public key mpk specifies a message space \(\mathcal{M} \) and a value n (polynomial in the security parameter) indicating the length of each identity. The trusted authority publishes the master public key mpk, and keeps the master secret key msk private. When a user with identity ID wishes to become part of the system, the trusted authority generates a user decryption key \(\mathit {sk}_{ \mathit {ID}}\stackrel{{\scriptscriptstyle\$}}{\leftarrow} {\mathsf {KeyDer}}( \mathit {msk}, \mathit {ID})\) and sends this key over a secure and authenticated channel to the user. To send an encrypted message m to the user with identity ID, the sender computes a ciphertext \(\mathit {C}\stackrel{{\scriptscriptstyle\$}}{\leftarrow} {\mathsf {Enc}}( \mathit {mpk}, \mathit {ID}, m)\), which can be decrypted by the user as \(m \gets {\mathsf {Dec}}( \mathit {mpk}, \mathit {sk}_{ \mathit {ID}}, \mathit {C})\).

Boneh and Franklin [7] formally defined the notion of security for identity-based encryption schemes. In particular, they defined the notion of chosen plaintext security against adaptive chosen identity attacks. Intuitively, such a notion captures the requirement that security should be preserved even when facing an adversary who is allowed to choose the identity it wishes to attack and to collude with (i.e., to obtain the secret keys of) other identities of the system. Later, Canetti, Halevi, and Katz [13] introduced a weaker notion of security in which the adversary has to commit ahead of time (i.e., before the parameters of the scheme are made public) to the identity it intends to attack. A scheme meeting such a weaker security requirement is called selective-ID chosen plaintext secure IBE (IND-sID-CPA, for short).

Identity-Based Key Encapsulation

In our work we will not use directly the notion of IBE, but we will rather consider the closely related notion of identity-based key encapsulation (IB-KEM). Therefore, we will provide formal definitions only for IB-KEMs.

An identity-based key encapsulation mechanism (IB-KEM) scheme enables a sender and a receiver to agree on a session key K in such a way that the sender can create K from the public parameters and the receiver's identity, while the receiver can recover K using his secret key. This notion, in the context of identity-based encryption, was first formalized by Bentahar et al. [3].

More formally, an IB-KEM scheme is defined by the following four algorithms:

  • Setup(1k) is a probabilistic algorithm that takes as input a security parameter k, and outputs a master public key mpk and a master secret key msk. The master public key implicitly defines the identity space \(\mathcal {ID}\) and the session key space \(\mathcal {K}\).

  • KeyDer(msk,ID) is the key derivation algorithm that uses the master secret key to compute a secret key sk ID for an identity \(\mathit {ID}\in \mathcal {ID}\).

  • Encap(mpk,ID) is the encapsulation algorithm that computes a random session key K and a corresponding ciphertext C encrypted under the identity ID.

  • Decap(mpk,ID,sk ID ,C) is the decapsulation algorithm that allows the possessor of a secret key sk ID for the identity ID to decapsulate a ciphertext C to get back a session key K.

For correctness, it is required that \(\forall k \in \mathbb{N}\), for all possible \(( \mathit {mpk}, \mathit {msk}) \stackrel{{\scriptscriptstyle\$}}{\leftarrow} {\mathsf {Setup}}(1^{k})\), \(\forall \mathit {ID}\in \mathcal {ID}, ( \mathit {C}, K) \stackrel{{\scriptscriptstyle\$}}{\leftarrow} {\mathsf {Encap}}( \mathit {mpk}, \mathit {ID})\) the following probability holds:

$$\Pr\bigl[ {\mathsf {Decap}}\bigl( \mathit {mpk}, \mathit {ID}, {\mathsf {KeyDer}}( \mathit {msk}, \mathit {ID}), \mathit {C}\bigr)=K\bigr]=1. $$

Security

The standard notion of security for IB-KEM is semantic security against adaptive chosen-ID attacks (\(\mathrm {IB\mbox {-}KEM\mbox {-}CPA} \)) and is recalled below.

Let \(\mathcal {IBKEM}\) be an IB-KEM scheme, and \({\mathcal{A}}=({\mathcal{A}}_{1}, {\mathcal{A}}_{2})\) be a PPT algorithm. Then consider the following experiment between a challenger and an adversary \({\mathcal{A}}\):

Setup::

The challenger runs the Setup algorithm, keeps the master secret key msk for himself, and runs \({\mathcal{A}}_{1}( \mathit {mpk})\) on input the master public key.

Phase 1::

The adversary \({\mathcal{A}}_{1}\) is allowed to ask an arbitrary (but polynomially limited) number of key derivation queries. In each of these queries the adversary specifies an identity ID of its choice, and gets back the corresponding private key (which is generated by the challenger by running the algorithm KeyDer(msk,ID)). The queries may be asked adaptively, i.e., each query can depend on previously issued ones.

Challenge::

When Phase 1 is over, the adversary \({\mathcal{A}}_{1}\) outputs a state information st and an identity \(\mathit {ID}^{*}\) such that \(\mathit {ID}^{*}\) was not queried during Phase 1. The challenger then computes \((C, K_{0}) \stackrel{{\scriptscriptstyle\$}}{\leftarrow} {\mathsf {Encap}}( \mathit {mpk}, \mathit {ID}^{*})\) and chooses a random session key \(K_{1} \stackrel{{\scriptscriptstyle\$}}{\leftarrow} \mathcal {K}\). Next, it picks a random bit b and runs the adversary \({\mathcal{A}}_{2}\) on input (st,C,K b ).

Phase 2::

This phase goes exactly as Phase 1 with the additional restriction that \({\mathcal{A}}_{2}\) cannot issue a key derivation query for the challenge identity \(\mathit {ID}^{*}\).

Guess::

When Phase 2 is over, \({\mathcal{A}}_{2}\) outputs a bit b′ denoting its guess for the bit b.

We define the advantage of an adversary \({\mathcal{A}}\) in attacking the scheme \(\mathcal {IBKEM}\) as

$$\mathbf {Adv}^{ \mathrm {IB\mbox {-}KEM\mbox {-}CPA} }_{\mathcal {IBKEM}, {\mathcal{A}}}(k)= \biggl \vert \Pr \bigl[b=b' \bigr]- \frac{1}{2} \biggr \vert $$

where the probability is taken over the internal coin tosses of the challenger and the adversary.

Selective-ID Security. The notion of selective-identity security for IB-KEMs is defined similarly to the notion of \(\mathrm {IB\mbox {-}KEM\mbox {-}CPA} \) security except that \({\mathcal{A}}_{1}\) is required to choose the challenge identity \(\mathit {ID}^{*}\) before seeing the master public key. More precisely, the corresponding security game works as follows:

Initialize::

\({\mathcal{A}}_{1}\) is run on input the security parameter and outputs a challenge identity \(\mathit {ID}^{*}\) and a state information st.

Setup::

The challenger runs the Setup algorithm and keeps the master secret key msk for himself. Next, it computes \((C, K_{0}) \stackrel{{\scriptscriptstyle\$}}{\leftarrow} {\mathsf {Encap}}( \mathit {mpk}, \mathit {ID}^{*})\), and chooses a random session key \(K_{1} \stackrel{{\scriptscriptstyle\$}}{\leftarrow} \mathcal {K}\). It picks a random bit b and finally runs the adversary \({\mathcal{A}}_{2}\) on input (st,mpk,C,K b ).

Key derivation queries::

The adversary \({\mathcal{A}}_{2}\) is allowed to ask an arbitrary (but polynomially limited) number of key derivation queries. In each of these queries the adversary specifies an identity ID of its choice such that \(\mathit {ID}\neq \mathit {ID}^{*}\). \({\mathcal{A}}_{2}\) receives back the corresponding private key (which is generated by the challenger by running the algorithm KeyDer(msk,ID)). The queries may be asked adaptively, i.e., each query can depend on previously issued ones.

Guess::

At the end of the experiment, \({\mathcal{A}}_{2}\) outputs a bit b′ denoting its guess for the bit b.

We define the advantage of an adversary \({\mathcal{A}}=({\mathcal{A}}_{1}, {\mathcal{A}}_{2})\) against the selective security of the scheme \(\mathcal {IBKEM}\) as

$$\mathbf {Adv}^{ \mathrm {sIB\mbox {-}KEM\mbox {-}CPA} }_{\mathcal {IBKEM}, {\mathcal{A}}}(k)= \biggl \vert \Pr \bigl[b=b' \bigr]- \frac{1}{2} \biggr \vert $$

where the probability is taken over the internal coin tosses of the challenger and the adversary.

Weak Selective-ID Security. In this paper we additionally introduce a new notion of security for IB-KEM schemes that we call weak selective-ID security. More precisely, we define this notion as the full fledged selective case with the exception that here the challenge identity is chosen by the challenger and given as input to the adversary. Clearly, this notion is weaker with respect to selective-ID security, and it is easy to see that the latter implies the former.

Formally, let us consider an efficiently samplable distribution \(\mathcal{D} _{\mathcal {ID}}\) over the identity space, and let \({\mathcal{A}}\) be a PPT adversary. We define the notion of weak selective-ID security (\(\mathrm {wsIB\mbox {-}KEM\mbox {-}CPA} \)) for IB-KEM schemes by considering the following game:

Setup::

In this phase the challenger selects a challenge identity \(\mathit {ID}^{*} \gets \mathcal{D} _{\mathcal {ID}}\) (according to distribution \(\mathcal{D} _{\mathcal {ID}}\)), and runs (mpk,msk)←Setup(1k). Then it computes \((C, K_{0}) \gets {\mathsf {Encap}}( \mathit {mpk}, \mathit {ID}^{*})\) and chooses a random key \(K_{1} \stackrel{{\scriptscriptstyle\$}}{\leftarrow} \mathcal {K}\). Finally, it flips a binary coin \(b \stackrel{{\scriptscriptstyle\$}}{\leftarrow}\{0,1\}\), and runs \(\mathcal{A} \) on input \(( \mathit {mpk}, \mathit {ID}^{*}, C, K_{b})\).

Key derivation queries::

The adversary is allowed to ask key derivation queries for an arbitrary (but polynomial) number of adaptively chosen identities different from \(\mathit {ID}^{*}\).

Guess::

In the end of this game \(\mathcal{A} \) outputs b′ as its guess for b.

We define the advantage of \(\mathcal{A} \) against \(\mathcal {IBKEM}\) in the above game w.r.t. distribution \(\mathcal{D} _{\mathcal {ID}}\) as

$$\mathbf {Adv}^{ \mathrm {wsIB\mbox {-}KEM\mbox {-}CPA} }_{\mathcal {IBKEM}, \mathcal{A} , \mathcal{D} _{\mathcal {ID}}}(k)= \biggl \vert \Pr\bigl[b=b' \bigr]-\frac{1}{2} \biggr \vert $$

where the probability is taken over the coin tosses of the challenger and the adversary.

2.4 VRF-Suitable IB-KEMs

Our VRF construction relies on a special class of identity-based key encapsulation mechanisms that we call VRF-suitable. A VRF-suitable IB-KEM is defined by the following algorithms:

  • Setup(1k) is a probabilistic algorithm that takes as input a security parameter k and outputs a master public key mpk and a master secret key msk. We denote by \(\mathcal {K}\) the session key space.

  • KeyDer(msk,ID) is the key derivation algorithm that uses the master secret key to compute a secret key sk ID for identity ID and some auxiliary information aux ID needed to correctly encapsulate and decapsulate the key.

  • Encap(mpk,ID,aux ID ) is the encapsulation algorithm that computes a ciphertext C and a session key K using (mpk,ID,aux ID ). More precisely, in the algorithm the ciphertext C can be computed using only (mpk,ID), while the computation of K requires aux ID in addition to (mpk,ID).

  • Decap(mpk,ID,sk ID ,aux ID ,C) is the decapsulation algorithm that allows the possessor of sk ID and aux ID to decapsulate C to get back a session key K.

Remark 3

Note that the description above differs from the one given for basic IB-KEM in that here we allow the encapsulation and decapsulation mechanisms to use some auxiliary information aux ID , produced by KeyDer, to work correctly. Clearly, if one sets aux ID =⊥, then one goes back to the original description. Thus, the new paradigm is slightly more general, as it allows one to consider encapsulation mechanisms where everybody can compute the ciphertext but only those knowing the information aux ID can compute the key. Notice, however, that aux ID does not allow, by itself, to decapsulate. In some sense, this auxiliary information should be seen as a value that completes the public key, rather than something that completes the secret key. In fact, this auxiliary information is not required to be kept secret in our constructions. Specifically, in all notions of security for VRF-suitable IB-KEMs (e.g., pseudo-random decapsulation and weak selective-ID security) the adversary is allowed to obtain the auxiliary information for any identity of its choice, including the challenge identity. Even though such a syntax may look useless in the standard public key scenario, it turns out to be extremely useful (see below) in our context.

In order to be VRF-suitable, an IB-KEM has to satisfy the following properties:

  1.

    Unique Decapsulation. No tuples \(( \mathit {mpk}, \mathit {C}_{0}, \mathit {ID}, \mathit{sk}_{ \mathit {ID}}, \mathit {aux}_{\mathit {ID}}, \mathit{sk}_{ \mathit {ID}}', \mathit {aux}_{\mathit {ID}}')\), such that \((\mathit{sk}_{ \mathit {ID}}, \mathit {aux}_{\mathit {ID}}) \neq (\mathit{sk}_{ \mathit {ID}}', \mathit {aux}_{\mathit {ID}}')\) can satisfy the following checks (unless with negligible probability over the coin tosses of Encap and Decap):

    • (i) \({\mathsf {Decap}}( \mathit {C}_{0}, \mathit{sk}_{ \mathit {ID}}, \mathit {aux}_{\mathit {ID}}) \neq {\mathsf {Decap}}( \mathit {C}_{0}, \mathit{sk}'_{ \mathit {ID}}, \mathit {aux}_{\mathit {ID}}') \neq \bot\), and

    • (ii) both the following checks hold: \(( \mathit {C}, K) \stackrel{{\scriptscriptstyle\$}}{\leftarrow} {\mathsf {Encap}}( \mathit {mpk}, \mathit {ID}, \mathit {aux}_{\mathit {ID}})\) and K=Decap(C,sk ID ,aux ID ), \(( \mathit {C}', K') \stackrel{{\scriptscriptstyle\$}}{\leftarrow} {\mathsf {Encap}}( \mathit {mpk}, \mathit {ID}, \mathit {aux}_{\mathit {ID}}')\) and \(K'= {\mathsf {Decap}}( \mathit {C}',\mathit{sk}_{ \mathit {ID}}', \mathit {aux}_{\mathit {ID}}')\).

    We remark that an IB-KEM with a deterministic key derivation algorithm does not necessarily satisfy unique decapsulation. Intuitively, to see this, think of the case in which the key derivation algorithm generates the randomness using a PRF whose seed is part of the master secret key. Then, by fixing the master public key, one can still have two different seeds that lead to two different secret keys for the same identity. Therefore, what we require in unique decapsulation is that, even though an identity may have different secret keys, they all decapsulate a ciphertext to the same session key.

  2.

    Pseudo-random Decapsulation. Let C be an encapsulation produced using some identity \(\mathit {ID}_{0} \in \mathcal {ID}\). Informally, this property says that the session key obtained by decapsulating the ciphertext C should look random even if C is decapsulated by executing the decapsulation algorithm using a secret key corresponding to any other \(\overline{ \mathit {ID}} \neq \mathit {ID}_{0}\).

    More formally, let \(\mathcal {IBKEM}\) be an IB-KEM, \(\mathcal{A} =( \mathcal{A} _{1}, \mathcal{A} _{2})\) be a PPT adversary and let \(\mathcal{D} _{\mathcal {ID}}\) be an efficiently samplable distribution over the identity space \(\mathcal {ID}\). We define the pseudo-random decapsulation experiment as follows:

    Figure a: the pseudo-random decapsulation experiment \(\mathbf {Exp}^{ \mathrm {IB\mbox {-}KEM\mbox {-}RDECAP} }_{\mathcal {IBKEM}, \mathcal{A} , \mathcal{D} _{\mathcal {ID}}}(k)\).

    With \(\mathcal{A} ^{ {\mathsf {KeyDer}}(\cdot)}\) we denote that \(\mathcal{A} \) has oracle access to the key derivation algorithm. Let \(\mathcal {ID}\) denote the identity space, i.e., the space from which the adversary (and everybody else) is allowed to choose the identities. In order to make the experiment \(\mathbf {Exp}^{ \mathrm {IB\mbox {-}KEM\mbox {-}RDECAP} }_{\mathcal {IBKEM}, \mathcal{A} , \mathcal{D} _{\mathcal {ID}}}\) non-trivial, we introduce the following restrictions:

    • the identity \(\overline{ \mathit {ID}}\) output by \(\mathcal{A} _{1}\) should not have been asked to the KeyDer(⋅) oracle;

    • \(\mathcal{A} _{2}\) is not allowed to query the oracle KeyDer(⋅) on \(\overline{ \mathit {ID}}\).

    We define the advantage of \(\mathcal{A} \) in the experiment \(\mathrm {IB\mbox {-}KEM\mbox {-}RDECAP} \) for the distribution \(\mathcal{D} _{\mathcal {ID}}\) as

    $$\mathbf {Adv}^{ \mathrm {IB\mbox {-}KEM\mbox {-}RDECAP} }_{\mathcal {IBKEM}, \mathcal{A} , \mathcal{D} _{\mathcal {ID}}}(k)=\biggl \vert \Pr \bigl[ \mathbf {Exp}^{ \mathrm {IB\mbox {-}KEM\mbox {-}RDECAP} }_{\mathcal {IBKEM}, \mathcal{A} , \mathcal{D} _{\mathcal {ID}}}(k)=1 \bigr] - \frac{1}{2} \biggr \vert . $$

    Finally, we say that \(\mathcal {IBKEM}\) has pseudo-random decapsulation with respect to \(\mathcal{D} _{\mathcal {ID}}\) if, for any PPT adversary \(\mathcal{A} \), its advantage \(\mathbf {Adv}^{ \mathrm {IB\mbox {-}KEM\mbox {-}RDECAP} }_{\mathcal {IBKEM}, \mathcal{A} , \mathcal{D} _{\mathcal {ID}}}(k)\) is a negligible function in k. Also, we simply say that \(\mathcal {IBKEM}\) has pseudo-random decapsulation if there exists a distribution \(\mathcal{D} _{\mathcal {ID}}\) for which the above holds.

The above definition essentially rules out all those schemes in which the decapsulation algorithm returns ⊥, or any other error message, when the identities associated with a given secret key and ciphertext do not match. In other words, a necessary condition for an IBE to be VRF-suitable is that its decapsulation procedure always outputs some random looking key, even when invoked with an “incorrect” secret key.

We also note that, although requiring an IB-KEM to provide pseudo-random decapsulation may seem like a strong requirement, we argue that this is not the case. Indeed, several existing IB-KEM schemes which are IND-CPA secure (but not IND-CCA secure) already have this property. In Appendix A.1 we prove that the IB-KEM derived from the Waters’ IBE scheme [46] provides pseudo-random decapsulation, while in Sect. 5.1 we prove that the same holds for the IB-KEM by Sakai and Kasahara [43]. It is easy to generalize these two proofs to the case of Boneh–Boyen (BB1) [4] and to the schemes of Boneh–Boyen (BB2) [4] and Gentry [27], respectively. However, with the exception of the Sakai–Kasahara’s scheme and our new scheme in Sect. 5.2, all these schemes do not satisfy the unique decapsulation property.

In the following theorem we show that a necessary condition, in order for an IB-KEM to be VRF-suitable, is that it is secure in a weak selective sense.

Theorem 1

Let \(\mathcal {IBKEM}\) be a VRF-suitable IB-KEM satisfying pseudo-random decapsulation for a distribution \(\mathcal{D} _{\mathcal {ID}}\). Then it is also a weak selective-ID secure IB-KEM w.r.t. \(\mathcal{D} _{\mathcal {ID}}\) (in the sense of the definition given in Sect. 2.3).

Proof

Assume, for the sake of contradiction, that there exists an adversary \({\mathcal{A}}\) that breaks the weak selective-ID security of the given VRF-suitable IB-KEM. We show how to use this adversary to construct another adversary \({\mathcal{B}}= ({\mathcal{B}}_{1}, {\mathcal{B}}_{2})\) that refutes the pseudo-random decapsulation of the scheme. \({\mathcal{B}}_{1}\) is run on input (mpk,ID 0,C) (where ID 0 is chosen according to \(\mathcal{D} _{\mathcal {ID}}\)) and proceeds as follows. First, \({\mathcal{B}}_{1}\) outputs \(\overline{ \mathit {ID}}= \mathit {ID}_{0}\) as the challenge identity. Next, \({\mathcal{B}}_{2}\) receives a session key K b (which is either the right decapsulation key corresponding to C or a random one) and an auxiliary information \(\mathit {aux}_{ \mathit {ID}_{0}}\). So, \({\mathcal{B}}_{2}\) runs \({\mathcal{A}}\) on input \(( \mathit {mpk},C,K_{b}, \mathit {ID}_{0},\mathit {aux}_{ \mathit {ID}_{0}})\). Whenever \({\mathcal{A}}\) asks for a key derivation query, \({\mathcal{B}}_{2}\) uses its own oracle to answer such query, in the obvious way. Finally, when \({\mathcal{A}}\) outputs a bit b′, \({\mathcal{B}}_{2}\) outputs the same b′. It is easy to see that the simulation is perfect and thus the advantage of \({\mathcal{B}}\) in breaking the pseudo-random decapsulation is exactly the same as the advantage of \({\mathcal{A}}\) in breaking the weak selective security of the scheme. □

Selective Pseudo-random Decapsulation

In what follows we define a selective variant of pseudo-random decapsulation in which the adversary commits ahead of time to the identity on which it wishes to be challenged. Let \(\mathcal{D} _{\mathcal {ID}}\) be an efficiently samplable distribution over the identity space as defined before. The experiment for selective pseudo-random decapsulation is defined as follows.

Figure b: the selective pseudo-random decapsulation experiment \(\mathbf {Exp}^{ \mathrm {IB\mbox {-}KEM\mbox {-}selRDECAP} }_{\mathcal {IBKEM}, \mathcal{A} , \mathcal{D} _{\mathcal {ID}}}(k)\).

In this experiment the adversary is not allowed to query the oracle on \(\overline{ \mathit {ID}}\). Like in standard pseudo-random decapsulation, \(\mathcal{A} \)’s advantage in the experiment IB-KEM-selRDECAP is defined as

$$\mathbf {Adv}^{ \mathrm {IB\mbox {-}KEM\mbox {-}selRDECAP} }_{\mathcal {IBKEM}, \mathcal{A} , \mathcal{D} _{\mathcal {ID}}}(k)=\biggl \vert \Pr \bigl[ \mathbf {Exp}^{ \mathrm {IB\mbox {-}KEM\mbox {-}selRDECAP} }_{\mathcal {IBKEM}, \mathcal{A} , \mathcal{D} _{\mathcal {ID}}}(k)=1 \bigr] - \frac{1}{2} \biggr \vert . $$

Finally, we say that \(\mathcal {IBKEM}\) satisfies selective pseudo-random decapsulation w.r.t. \(\mathcal{D} _{\mathcal {ID}}\) if, for any PPT adversary \(\mathcal{A} \), the advantage \(\mathbf {Adv}^{ \mathrm {IB\mbox {-}KEM\mbox {-}selRDECAP} }_{\mathcal {IBKEM}, \mathcal{A} , \mathcal{D} _{\mathcal {ID}}}(k)\) is a negligible function in k. We say that a VRF-suitable IB-KEM is selective-secure if it satisfies selective pseudo-random decapsulation, and fully-secure if it satisfies the (adaptive) pseudo-random decapsulation property defined above.

An analogue of Proposition 1 can also be proved for VRF-suitable IB-KEMs.

Proposition 2

Let \(\mathcal {IBKEM}\) be a VRF-suitable IB-KEM with identity space \(\mathcal {ID}\) that is selective-secure with security ϵ(k). Then, the same scheme is also fully-secure with security \(\epsilon(k)/|\mathcal {ID}|\).

3 A Generic Construction

In this section we show our construction of Verifiable Random Functions from a VRF-suitable IB-KEM \(\mathcal {IBKEM}=( {\mathsf {Setup}}, {\mathsf {KeyDer}}, {\mathsf {Encap}}, {\mathsf {Decap}})\). Let \(\mathcal {ID}\) be the identity space, \(\mathcal {K}\) the session key space and \(\mathcal{ SK}\) the secret key space. Also, let \(\mathcal{D} _{\mathcal {ID}}\) be the distribution for which \(\mathcal {IBKEM}\) satisfies pseudo-random decapsulation. Then we construct a verifiable random function VRF=(Gen,Func,V) with input space \(\mathcal {ID}\) and output space \(\mathcal {K}\) as follows.

  • Gen(1k) runs (mpk,msk)←Setup(1k), chooses an identity \(\mathit {ID}_{0} \gets \mathcal {ID}\) according to the distribution \(\mathcal{D} _{\mathcal {ID}}\), and computes the ciphertext \(\mathit {C}_{0} \gets {\mathsf {Encap}}( \mathit {mpk}, \mathit {ID}_{0})\) (recall that the ciphertext part of Encap needs only (mpk,ID 0); the session key is discarded). Finally, it returns vpk=(mpk,C 0,ID 0) and vsk=msk.

  • Func vsk (x) computes π x =(sk x ,aux x )=KeyDer(msk,x) and y=Decap(mpk,x,π x ,C 0). It returns (y,π x ) where y is the output of the function and π x is the proof.

  • V(vpk,x,y,π x ) first checks if π x =(sk x ,aux x ) is a valid proof for x in the following way. It computes (C,K)=Encap(mpk,x,aux x ) and checks if K=Decap(mpk,x,π x ,C). Next, it checks the validity of y by testing if Decap(mpk,x,π x ,C 0)=y. If both tests pass, the algorithm returns 1, otherwise it returns 0.

3.1 Security Proof

Now we prove that the proposed construction actually realizes a secure VRF.

Theorem 2

Assume \(\mathcal {IBKEM}\) is a VRF-suitable IB-KEM scheme, as described in Sect. 2. Then the construction given above is a verifiable random function.

Proof

According to the definition given in Sect. 2, we prove that VRF=(Gen,Func,V) is a verifiable random function by showing that it satisfies all the properties. Domain range correctness and provability trivially follow from the correctness of the IB-KEM scheme.

To see that the uniqueness property is satisfied, we show that it is implied by the unique decapsulation of \(\mathcal {IBKEM}\). Recall that the latter property says that there cannot exist a tuple \(( \mathit {mpk}, \mathit {C}_{0}, \mathit {ID}, \mathit{sk}_{ \mathit {ID}}, \mathit {aux}_{\mathit {ID}}, \mathit{sk}_{ \mathit {ID}}', \mathit {aux}_{\mathit {ID}}')\) such that \((\mathit{sk}_{ \mathit {ID}}, \mathit {aux}_{\mathit {ID}}) \neq (\mathit{sk}_{ \mathit {ID}}', \mathit {aux}_{\mathit {ID}}')\), and that satisfies:

  (i)

    \({\mathsf {Decap}}( \mathit {mpk}, \mathit {ID}, \mathit{sk}_{ \mathit {ID}}, \mathit {aux}_{\mathit {ID}}, \mathit {C}_{0}) \neq {\mathsf {Decap}}( \mathit {mpk}, \mathit {ID}, \mathit{sk}'_{ \mathit {ID}}, \mathit {aux}_{\mathit {ID}}', \mathit {C}_{0}) \neq \bot\), and

  (ii)

    \(( \mathit {C}, K) \stackrel{{\scriptscriptstyle\$}}{\leftarrow} {\mathsf {Encap}}( \mathit {mpk}, \mathit {ID}, \mathit {aux}_{\mathit {ID}})\) and \(K \gets {\mathsf {Decap}}( \mathit {mpk}, \mathit {ID}, \mathit{sk}_{ \mathit {ID}}, \mathit {aux}_{\mathit {ID}}, \mathit {C})\), \(( \mathit {C}', K') \stackrel{{\scriptscriptstyle\$}}{\leftarrow} {\mathsf {Encap}}( \mathit {mpk}, \mathit {ID}, \mathit {aux}_{\mathit {ID}}')\) and \(K' \gets {\mathsf {Decap}}( \mathit {mpk}, \mathit {ID},\mathit{sk}_{ \mathit {ID}}', \mathit {aux}_{\mathit {ID}}', \mathit {C}')\).

By construction, this can be restated as requiring that there cannot exist a tuple \(( \mathit {vpk}, x, \pi_{x}, \pi_{x}')\) where \(\pi_{x} \neq \pi_{x}'\), and it is such that: (i) \(y = {\mathsf {Decap}}( \mathit {mpk}, x, \mathit{sk}_{x}, \mathit {aux}_{x},\allowbreak \mathit {C}_{0}) \neq {\mathsf {Decap}}( \mathit {mpk}, x, \mathit{sk}'_{x}, \mathit {aux}_{x}', \mathit {C}_{0}) = y'\), and (ii) \(( \mathit {C}, K) \stackrel{{\scriptscriptstyle\$}}{\leftarrow} {\mathsf {Encap}}( \mathit {mpk}, x, \mathit {aux}_{x})\) and \(K \gets {\mathsf {Decap}}( \mathit {mpk}, x, \mathit{sk}_{x}, \mathit {aux}_{x}, \mathit {C})\), \(( \mathit {C}', K') \stackrel{{\scriptscriptstyle\$}}{\leftarrow} {\mathsf {Encap}}( \mathit {mpk}, x, \mathit {aux}_{x}')\) and \(K' \gets {\mathsf {Decap}}( \mathit {mpk}, x,\mathit{sk}_{x}', \mathit {aux}_{x}', \mathit {C}')\). Observe that all the checks can be equivalently rewritten as: \(y \neq y'\), \(y = {\mathsf {Decap}}( \mathit {mpk}, x, \mathit{sk}_{x}, \mathit {aux}_{x}, \mathit {C}_{0})\), \(( \mathit {C}, K) \stackrel{{\scriptscriptstyle\$}}{\leftarrow} {\mathsf {Encap}}( \mathit {mpk}, x, \mathit {aux}_{x})\) and \(K \gets {\mathsf {Decap}}( \mathit {mpk}, x, \mathit{sk}_{x}, \mathit {aux}_{x}, \mathit {C})\), \(y' = {\mathsf {Decap}}( \mathit {mpk}, x, \mathit{sk}'_{x}, \mathit {aux}_{x}', \mathit {C}_{0})\), \(( \mathit {C}', K') \stackrel{{\scriptscriptstyle\$}}{\leftarrow} {\mathsf {Encap}}( \mathit {mpk}, x, \mathit {aux}_{x}')\) and \(K' \gets {\mathsf {Decap}}( \mathit {mpk}, x,\mathit{sk}_{x}', \mathit {aux}_{x}', \mathit {C}')\). Again, by our definition of the verification algorithm, this is in turn equivalent to saying that \(y \neq y'\) and \({\mathsf {V}}( \mathit {vpk},x,y,\pi_{x})= {\mathsf {V}}( \mathit {vpk},x,y',\pi_{x}')=1\), which is exactly the uniqueness property of VRFs.

To prove pseudo-randomness, we assume by contradiction that there exists a PPT adversary \({\mathcal{A}}=({\mathcal{A}}_{1}, {\mathcal{A}}_{2})\) that is able to break the pseudo-randomness of VRF with non-negligible advantage ϵ(k). Then we show how to build a PPT adversary \(\mathcal{B}=(\mathcal{B}_{1}, \mathcal{B}_{2})\) which uses \({\mathcal{A}}\) to obtain non-negligible advantage ϵ(k) in the \(\mathrm {IB\mbox {-}KEM\mbox {-}RDECAP} \) experiment for distribution \(\mathcal{D} _{\mathcal {ID}}\).

\(\mathcal{B}_{1}\) receives from its challenger a public key mpk, a ciphertext \(C_{0}^{*}\), and an identity ID 0 chosen according to \(\mathcal{D} _{\mathcal {ID}}\). So, \({\mathcal{B}}_{1}\) sets \(\mathit {vpk}=( \mathit {mpk},C_{0}^{*}, \mathit {ID}_{0})\) and runs \(\mathcal{A} _{1}( \mathit {vpk})\). The adversary \(\mathcal{A} \) is allowed to make queries to the function oracle Func(⋅), and \(\mathcal{B} \) simulates this oracle as follows. On input a value \(x \in \mathcal {ID}\), \({\mathcal{B}}\) queries its key derivation oracle on x, it obtains (sk x ,aux x ) and returns \((y_{x}= {\mathsf {Decap}}( \mathit {mpk}, x, \mathit {sk}_{x}, \mathit {aux}_{x}, C_{0}^{*}), \pi_{x} = (\mathit {sk}_{x}, \mathit {aux}_{x}))\) to the adversary. When \(\mathcal{A} _{1}\) outputs an element \(\bar{x}\), \(\mathcal{B}_{1}\) outputs the same element to its challenger. Thus the challenger produces K , which is either the decapsulation of \(C_{0}^{*}\) with \((\mathit {sk}_{\bar{x}},\mathit{aux}_{\bar{x}})\) or a random element of \(\mathcal {K}\), and gives K to \(\mathcal{B} _{2}\). Finally, \(\mathcal{B} _{2}\) runs \(b' \gets \mathcal{A} _{2}(\mathit{st}, K^{*})\) (simulating all oracle queries as \({\mathcal{B}}_{1}\)) and returns the bit b′ to its challenger.

It is easy to see that \({\mathcal{B}}\) is perfectly simulating the pseudo-randomness game to \({\mathcal{A}}\). Thus, if \(\mathcal{A}\) has advantage ϵ(k), then \(\mathcal{B}\)’s advantage is exactly the same. □

4 q-Bounded VRFs

In the previous section we described a general transformation that allows one to construct verifiable random functions from a class of identity-based key encapsulation mechanisms that we call VRF-suitable. Before showing, in Sect. 5, two VRF-suitable IB-KEMs that lead to two VRFs, in this section we introduce a slightly weaker notion of verifiable random functions that we call q-bounded VRFs. A q-bounded VRF is a standard VRF (as defined in Sect. 2.2) with the limitation that pseudo-randomness is preserved only if at most q proofs are produced.

4.1 Construction of q-Bounded VRFs from Public Key Encryption Schemes

We show that it is possible to construct a q-bounded VRF from a public key encryption scheme. This construction consists of two steps. First, a q-resilient IB-KEM (which is defined below) is constructed from any IND-CPA secure encryption scheme. Later we can apply our generic transformation to build a q-bounded VRF from a q-resilient IB-KEM that is VRF-suitable.

Building Blocks

Before describing the construction in detail, we discuss some preliminary building blocks.

4.1.1 Key Encapsulation Mechanism

We briefly describe the notion of public key encryption schemes with key encapsulation mechanism (KEM for short) and its related definition of security.

A KEM is defined by three algorithms:

  • Kg(1k) is the key generation algorithm that takes as input the security parameter k and outputs a pair of keys (pk,sk) where pk is made public and sk is kept secret.

  • Encap(pk) is a probabilistic algorithm that takes as input the public key pk and outputs (C,K), where C is the ciphertext and \(K \in \mathcal {K}\) is a session key.

  • Decap(pk,sk,C) is a deterministic algorithm that takes as input the public key pk, the secret key sk, and a ciphertext C, and it outputs either a key K or an error symbol ⊥.

We note that, given any standard public key encryption scheme, it is always possible to construct a KEM. We define the notion of indistinguishability under chosen-plaintext attacks (\(\mathrm {KEM\mbox {-}IND\mbox {-}CPA} \)) for KEMs. Essentially, it is the usual IND-CPA security notion for public key encryption, adapted to the KEM setting. Consider the following experiment:

Figure c: the experiment \(\mathbf {Exp}^{ \mathrm {KEM\mbox {-}IND\mbox {-}CPA} }_{\mathrm{KEM}, \mathcal{A} }(k)\).

The advantage of \(\mathcal{A} \) in the experiment above is defined as

$$\mathbf {Adv}^{ \mathrm {KEM\mbox {-}IND\mbox {-}CPA} }_{\mathrm{KEM},\, \mathcal{A} }(k)= \bigl \vert \Pr\bigl[\mathbf {Exp}^{ \mathrm {KEM\mbox {-}IND\mbox {-}CPA} }_{\mathrm{KEM}, \mathcal{A} }(k)=1 \bigr]-1/2 \bigr \vert . $$

We say that a KEM is \(\mathrm {KEM\mbox {-}IND\mbox {-}CPA} \)-secure if any PPT adversary \(\mathcal{A} \) has at most negligible advantage in the experiment \(\mathbf {Exp}^{ \mathrm {KEM\mbox {-}IND\mbox {-}CPA} }_{\mathrm{KEM}, \mathcal{A} }\).

Unique decapsulation for KEM::

We define the notion of unique decapsulation for KEMs. A KEM satisfies unique decapsulation if there are no tuples (pk,sk,sk′,C) such that \(\mathit{sk} \neq \mathit{sk}'\) and Decap(pk,sk,C)≠Decap(pk,sk′,C)≠⊥.

Pseudo-random decapsulation for KEM::

Here we introduce the notion of pseudo-random decapsulation for public key encryption schemes with key encapsulation. Consider the following experiment:

Figure d: the experiment \(\mathbf {Exp}^{ \mathrm {KEM\mbox {-}RDECAP} }_{\mathrm{KEM}, \mathcal{A} }(k)\).

The advantage of \(\mathcal{A} \) in the experiment above is defined as

$$\mathbf {Adv}^{ \mathrm {KEM\mbox {-}RDECAP} }_{\mathrm{KEM},\, \mathcal{A} }(k)=\bigl \vert \Pr\bigl[\mathbf {Exp}^{ \mathrm {KEM\mbox {-}RDECAP} }_{\mathrm{KEM}, \mathcal{A} }(k)=1 \bigr]-1/2 \bigr \vert . $$

We say that a KEM satisfies pseudo-random decapsulation if any PPT adversary \(\mathcal{A} \) has at most negligible advantage in the experiment \(\mathbf {Exp}^{ \mathrm {KEM\mbox {-}RDECAP} }_{\mathrm{KEM}, \mathcal{A} }\).

q-Resilient IB-KEMs

In [31] Heng and Kurosawa introduced the notion of q-resilient security in the context of identity-based encryption. Informally, an IB-KEM is said to be q-resilient if it is secure only against adversaries that issue at most q key derivation queries. Later, Cramer et al. [18] pointed out that this notion was implicitly given by Dodis, Katz, Xu, and Yung in [23] when introducing key-insulated public-key cryptosystems.

Cover-Free Families

If S,T are sets, we say that S does not cover T if \(S \not\supseteq T\). Let d,q,s be positive integers, and let \(F=(F_{i})_{1\le i\le s}\) be a family of subsets of {1,…,d}. We say that the family F is q-cover-free over {1,…,d} if for each subset \(F_{i} \in F\) and each S that is the union of at most q sets in \((F_{1},\ldots,F_{i-1},F_{i+1},\ldots,F_{s})\), S does not cover \(F_{i}\). Furthermore, we say that F is l-uniform if all subsets in the family have size l. We use the following fact [25, 35]: there is a deterministic polynomial time algorithm that on input integers s,q returns l,d,F where \(F=(F_{i})_{1\le i\le s}\) is an l-uniform q-cover-free family over {1,…,d}, for \(l=d/(4q)\) and \(d\le 16q^{2}\log(s)\). In the following we let SUB denote the resulting deterministic polynomial-time algorithm that on input s,q,i returns \(F_{i}\). We call \(F_{i}=\mathsf{SUB}(s(k),q(k),i)\) the subset associated with index i∈{1,…,s(k)}.

For our construction we will need a cover-free family with parameters

$$ s(k)=2^k, \quad d(k) = 16 k q^2(k), \quad l(k) =4k q(k). $$
(1)

4.1.2 q-Resilient IB-KEM from KEM

Here we show how to construct a q-resilient IB-KEM from a KEM. This construction is given in [18, 31] for identity-based encryption; here we adapt it to the KEM case.

Let \(q(k), d(k), s(k), l(k) : \mathbb{N}\rightarrow \mathbb{N}\) be (efficiently computable) functions. For ease of exposition we simply refer to them as q,d,s,l. Let \(\mathcal{KEM} = (\mathsf {Kg},\mathsf {Encap},\mathsf {Decap})\) be a KEM and let F be an l-uniform q-cover-free family over {1,…,d(k)}. We denote by \(F_{\mathit{ID}}=\mathsf{SUB}(s(k),q(k),\mathit{ID})=\{r_{1},\ldots,r_{l}\}\) the subset associated with an identity ID. We assume identities are integers in {1,…,s(k)}.

We construct the IB-KEM \(\mathcal{IBKEM} = ( {\mathsf {Setup}}, {\mathsf {KeyDer}}, {\mathsf {Encap}}, {\mathsf {Decap}})\) in the following way:

  • Setup(\(1^{k}\),q): For i=1,…,d compute \((\mathit{pk}_{i},\mathit{sk}_{i})\leftarrow\mathsf{Kg}(1^{k})\). Set \(\mathit{mpk}=(\mathit{pk}_{1},\ldots,\mathit{pk}_{d})\) and \(\mathit{msk}=(\mathit{sk}_{1},\ldots,\mathit{sk}_{d})\).

  • KeyDer(msk,ID): Given \(F_{\mathit{ID}}=\{r_{1},\ldots,r_{l}\}\) (recall that \(F_{\mathit{ID}}=\mathsf{SUB}(s(k),q(k),\mathit{ID})\)), set \(\mathit{SK}_{ \mathit {ID}}=(\mathit {sk}_{r_{1}}, \ldots, \mathit {sk}_{r_{l}})\).

  • Encap(mpk,ID): Let \(F_{\mathit{ID}}=\{r_{1},\ldots,r_{l}\}\) and compute \((c_{i},K_{i})\leftarrow\mathsf{Encap}(\mathit{pk}_{i})\) for \(i=r_{1},\ldots,r_{l}\). Set \(C=(c_{r_{1}}, \ldots, c_{r_{l}})\) and \(K=K_{r_{1}} {\oplus }\cdots {\oplus }K_{r_{l}}\).

  • Decap(mpk,ID,\(\mathit{SK}_{\mathit{ID}}\),C): Let \(\mathit{SK}_{ \mathit {ID}}=(\mathit {sk}_{r_{1}}, \ldots, \mathit {sk}_{r_{l}})\). Compute \(K_{i}=\mathsf{Decap}(\mathit{pk}_{i},\mathit{sk}_{i},c_{i})\) for \(i=r_{1},\ldots,r_{l}\); if any of these is ⊥, output ⊥, otherwise set \(K=K_{r_{1}} {\oplus }\cdots {\oplus }K_{r_{l}}\).
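As an added example (not code from the paper), the following Python script instantiates the construction above end to end. The underlying KEM is the ElGamal KEM of Sect. 4.2 over a toy group (the order-509 subgroup of \(\mathbb{Z}_{1019}^{*}\), chosen for readability, not for security). The cover-free family is the standard polynomial-evaluation family (an identity is read as a polynomial of degree below T over \(\mathbb{F}_{R}\) and \(F_{\mathit{ID}}\) is its graph), which stands in here for the algorithm SUB of [25, 35] and is q-cover-free whenever q(T−1) < R; session keys are XORed as integers. The helper uncovered_indices returns the indices the reduction in the proof of Theorem 3 relies on, namely those of \(F_{\overline{\mathit{ID}}}\) that lie in none of the subsets of the queried identities. All names and parameters are this example's own assumptions.

```python
import secrets

# Toy prime-order group (assumption for illustration): G generates the subgroup of
# order Q = 509 in Z_P^*, P = 1019 = 2Q + 1.  Far too small for real use.
P, Q, G = 1019, 509, 4

# --- underlying KEM: ElGamal KEM (Sect. 4.2), with the pk/sk consistency check ---
def kem_kg():
    x = secrets.randbelow(Q - 1) + 1           # sk = x in [1, Q-1]
    return pow(G, x, P), x                     # pk = X = g^x

def kem_encap(pk):
    y = secrets.randbelow(Q - 1) + 1
    return pow(G, y, P), pow(pk, y, P)         # C = g^y, K = X^y

def kem_decap(pk, sk, c):
    if pow(G, sk, P) != pk:                    # reject any sk that is not the key for pk
        return None                            # None plays the role of the symbol ⊥
    return pow(c, sk, P)                       # K = C^x

# --- cover-free family (stands in for SUB of [25, 35]) ---
# Identity ID < R**T is read as a polynomial f_ID of degree < T over F_R (its base-R
# digits are the coefficients); F_ID = { a*R + f_ID(a) : a in F_R } is a subset of
# {0, ..., R*R - 1}.  Distinct polynomials agree on at most T-1 points, so the union of
# q other subsets covers at most q*(T-1) < R = |F_ID| indices whenever q <= Q_RESILIENCE.
R, T = 11, 3
D, L, S = R * R, R, R ** T                     # d = 121, l = 11, s = 1331 identities
Q_RESILIENCE = (R - 1) // (T - 1)              # largest q with q*(T-1) < R, i.e. 5

def subset(identity):
    assert 0 <= identity < S
    coeffs = [(identity // R ** j) % R for j in range(T)]
    return [a * R + sum(c * pow(a, j, R) for j, c in enumerate(coeffs)) % R
            for a in range(R)]

def uncovered_indices(target, queried):
    """Indices of F_target lying in none of the F_ID for ID in queried (the index j the
    reduction of Theorem 3 guesses); non-empty whenever len(queried) <= Q_RESILIENCE."""
    covered = set().union(*(subset(i) for i in queried))
    return [i for i in subset(target) if i not in covered]

# --- the q-resilient IB-KEM of Sect. 4.1.2 ---
def ib_setup():
    keys = [kem_kg() for _ in range(D)]
    return [pk for pk, _ in keys], [sk for _, sk in keys]     # (mpk, msk)

def ib_keyder(msk, identity):
    return {i: msk[i] for i in subset(identity)}              # SK_ID = (sk_r1, ..., sk_rl)

def ib_encap(mpk, identity):
    C, K = {}, 0
    for i in subset(identity):
        C[i], k = kem_encap(mpk[i])
        K ^= k                                                 # K = K_r1 xor ... xor K_rl
    return C, K

def ib_decap(mpk, identity, sk_id, C):
    K = 0
    for i in subset(identity):
        k = kem_decap(mpk[i], sk_id[i], C[i])
        if k is None:                                          # propagate ⊥
            return None
        K ^= k
    return K

if __name__ == "__main__":
    mpk, msk = ib_setup()
    C, K = ib_encap(mpk, 42)
    assert ib_decap(mpk, 42, ib_keyder(msk, 42), C) == K
    print("uncovered indices for ID 42 after 5 queries:",
          uncovered_indices(42, [1, 2, 3, 4, 5]))
```

With R = 11 and T = 3 the family is 5-cover-free, matching the requirement q(T−1) < R; for a real deployment one would take the parameters of Eq. (1) and a KEM over a group of cryptographic size, and hash the key parts before combining them.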

Theorem 3

If \(\mathcal{KEM}\) is a \(\mathrm {KEM\mbox {-}IND\mbox {-}CPA} \)-secure key encapsulation mechanism and F is a q-cover-free family over {1,…,d}, then the scheme \(\mathcal{IBKEM}\) described above is (q-resilient) \(\mathrm {IB\mbox {-}KEM\mbox {-}CPA} \)-secure.

Proof

For the sake of contradiction, assume there exists an efficient adversary \({\mathcal{A}}\) that is able to break the \(\mathrm {IB\mbox {-}KEM\mbox {-}CPA} \) security of \(\mathcal{IBKEM}\) with non-negligible probability ϵ(k). Then we show how to build an efficient algorithm \({\mathcal{B}}\) that can break the \(\mathrm {KEM\mbox {-}IND\mbox {-}CPA} \) security of the underlying KEM scheme with advantage at least ϵ(k)/d(k), where d(k) is the parameter for the cover-free family as described above.

First observe that there exists an index j∈{1,…,d} such that j belongs to the subset \(F_{\overline{ \mathit {ID}}}\) associated with the challenge identity \(\overline{ \mathit {ID}}\) but not to any subset associated with the identities queried to the key derivation oracle. As long as the number of key derivation queries is at most q, we know such an index must exist. Moreover, as d is of polynomial size, such index j can be guessed by our algorithm \({\mathcal{B}}\) with non-negligible probability 1/d.

\({\mathcal{B}}\) takes as input a public key pk and constructs the master public key of the IB-KEM as follows. It generates \((\mathit{pk}_{i},\mathit{sk}_{i}) \stackrel{{\scriptscriptstyle\$}}{\leftarrow} \mathsf {Kg}(1^{k})\) for i=1,…,j−1,j+1,…,d, sets \(\mathit{pk}_{j}=\mathit{pk}\) and gives \(\mathit{mpk}=(\mathit{pk}_{1},\ldots,\mathit{pk}_{d})\) to \({\mathcal{A}}\). Now observe that if the guess of j is right, then \({\mathcal{B}}\) is able to answer all key derivation queries made by \({\mathcal{A}}\) (as \({\mathcal{B}}\) knows all the secret keys but \(\mathit{sk}_{j}\), and j belongs to none of the queried subsets). At some point the adversary supplies a challenge identity \(\overline{ \mathit {ID}}\) such that \(F_{\overline{ \mathit {ID}}} = \{ r_{1}, \ldots, r_{l} \}\) contains j, and \({\mathcal{B}}\) answers as follows. It computes \((c_{i},k_{i}) \stackrel{{\scriptscriptstyle\$}}{\leftarrow} \mathsf {Encap}(\mathit{pk}_{i})\) for all \(i \in F_{\overline{ \mathit {ID}}} \setminus \{j\}\), then queries its encapsulation oracle, gets back \((\bar{c},\bar{k})\) and sets \(c_{j}=\bar{c}\), \(k_{j} = \bar{k}\). \({\mathcal{B}}\) sets \(\overline{C}=(c_{r_{1}},\ldots,c_{r_{l}})\) and \(\overline{K} = k_{r_{1}} {\oplus }\cdots {\oplus }k_{r_{l}}\) and gives them to \({\mathcal{A}}\). When \({\mathcal{A}}\) outputs its decision bit b, the algorithm \({\mathcal{B}}\) outputs the same bit as its guess about the distribution of \(\bar{k}\).

It is easy to see that when the guess of j is right the simulation provided by \({\mathcal{B}}\) is perfect. Indeed, if \({\mathcal{B}}\) is given a random \(\bar{k}\) then \(\overline{K}\) is also random; otherwise \(\overline{K}\) is a correctly distributed session key. Since the guess of j is independent of \({\mathcal{A}}\)'s view, \({\mathcal{B}}\) wins with advantage at least ϵ/d. □

q-Bounded VRFs from q-Resilient IB-KEMs

Recall that our final goal is a construction of q-bounded VRFs from public key encryption schemes (with specific properties). The first step is to show how to construct a q-bounded VRF from a q-resilient IB-KEM. This follows directly by applying our generic transformation given in Sect. 3 to a q-resilient VRF-suitable IB-KEM.

Therefore, to obtain the final result the only thing we have to ensure is that the q-resilient IB-KEM obtained through the construction given in the previous section is VRF-suitable, that is it satisfies pseudo-random decapsulation and unique decapsulation.

First, to see that the q-resilient IB-KEM has unique decapsulation, we observe that this holds if the underlying KEM satisfies the analogous unique decapsulation (for KEMs). Indeed, assume for the sake of contradiction that there is a tuple \(( \mathit {mpk}, C_{0}, \mathit {ID}, \mathit {sk}_{ \mathit {ID}}, \mathit {sk}_{ \mathit {ID}}')\) such that \(\mathit {sk}_{ \mathit {ID}} \neq \mathit {sk}_{ \mathit {ID}}'\) and both conditions (i) and (ii) hold. Since the choice of the public/secret keys related to ID is a deterministic and public process (the subset \(F_{\mathit{ID}}\) is fixed), two distinct keys for ID must differ in at least one component, and condition (i) then implies that there is (at least) a tuple \((\mathit{pk},\mathit{sk},\mathit{sk}',c_{0})\) such that \(\mathit{sk} \neq \mathit{sk}'\) and \(\mathsf{Decap}(\mathit{pk},\mathit{sk},c_{0}) \neq \mathsf{Decap}(\mathit{pk},\mathit{sk}',c_{0})\), both different from ⊥. Hence, if the q-resilient IB-KEM does not have unique decapsulation, neither does the underlying KEM.

Second, we formally prove in the following theorem that the resulting scheme has pseudo-random decapsulation if the original KEM, on top of being \(\mathrm {KEM\mbox {-}IND\mbox {-}CPA} \) secure, satisfies the analogous (for KEM) pseudo-random decapsulation property defined before. As for the case of IBEs, this might seem a quite strong requirement at first. However, as we will show in Sect. 4.2, it is not too hard to find examples of public key encryption schemes whose KEM version already achieves pseudo-random decapsulation.

Theorem 4

If a KEM satisfies pseudo-random decapsulation then the resulting q-resilient IB-KEM obtained via the transformation given in Sect. 4.1.2 has pseudo-random decapsulation as well.

Proof

In particular, our theorem shows that our q-resilient IB-KEM satisfies pseudo-random decapsulation for any arbitrary distribution \(\mathcal{D} _{\mathcal {ID}}\).

Let \(\mathcal{A} =( \mathcal{A} _{1}, \mathcal{A} _{2})\) be an adversary for the pseudo-random decapsulation of the q-resilient IB-KEM and, for the sake of contradiction, assume that \(\mathcal{A} \) has non-negligible advantage \(\mathbf {Adv}^{ \mathrm {IB\mbox {-}KEM\mbox {-}RDECAP} }_{ \mathcal{A} ,\,\mathcal {IBKEM}}(k)=\epsilon(k)\). Then we show how to build a simulator \(\mathcal{B} \) that can break either the \(\mathrm {KEM\mbox {-}IND\mbox {-}CPA} \) security or the pseudo-random decapsulation of the underlying KEM with non-negligible advantage.

Let ID 0 be an identity chosen by the simulator according to \(\mathcal{D} _{\mathcal {ID}}\), and let \(\overline{ \mathit {ID}}\) be the challenge identity returned by the adversary. We distinguish two cases:

  1. \(\overline{ \mathit {ID}} = \mathit {ID}_{0}\);

  2. \(\overline{ \mathit {ID}} \neq \mathit {ID}_{0}\).

At least one of the two cases occurs with probability at least 1/2 over \(\mathcal{A} \)'s choice of the challenge identity. We will show a simulator \({\mathcal{B}}\) that in the first case breaks the \(\mathrm {KEM\mbox {-}IND\mbox {-}CPA} \) security of the KEM, whereas in the second case it breaks the pseudo-random decapsulation of the KEM.

At the beginning, \(\mathcal{B} \) flips a binary coin \(\beta \stackrel{{\scriptscriptstyle\$}}{\leftarrow}\{0,1\}\) and runs Simulation β as described below. Basically, if β=0 \(\mathcal{B} \) guesses that \(\mathcal{A} \) will output a challenge identity of type 1, whereas, if β=1, \({\mathcal{B}}\) guesses that \(\mathcal{A} \) will output a challenge identity \(\overline{ \mathit {ID}} \neq \mathit {ID}_{0}\). We stress that these simulations are perfectly indistinguishable from the adversary’s point of view.

Simulation 0. In this case \(\mathcal{B} \) acts as an adversary for the \(\mathrm {KEM\mbox {-}IND\mbox {-}CPA} \) security of the KEM. It receives in input \((\mathit{pk}, C^{*}, K^{*})\). Since \(\mathcal{B} \) is guessing that \(\overline{ \mathit {ID}} = \mathit {ID}_{0}\), this part of the proof is the same as the one for the \(\mathrm {wsIB\mbox {-}KEM\mbox {-}CPA} \) security of the IB-KEM. Let \(F_{ \mathit {ID}_{0}}=\{r_{1}, \ldots, r_{l}\}\) be the subset associated with the identity \(\mathit{ID}_{0}\). \(\mathcal{B} \) picks a random index \(j \stackrel{{\scriptscriptstyle\$}}{\leftarrow}\{1,\ldots,l\}\) and sets \(\mathit {pk}_{r_{j}}=\mathit {pk}\). Then it generates the remaining d−1 key pairs \((\mathit{pk}_{i},\mathit{sk}_{i})\leftarrow\mathsf{Kg}(1^{k})\) for all \(i\in\{1,\ldots,d\}\setminus\{r_{j}\}\) and sets \(\mathit{mpk}=(\mathit{pk}_{1},\ldots,\mathit{pk}_{d})\). It computes \((C_{r_{i}},K_{r_{i}})\leftarrow\mathsf{Encap}(\mathit{pk}_{r_{i}})\) for all \(i\neq j\) and sets the ciphertext \(C_{0}=(C_{r_{1}},\ldots,C_{r_{j-1}},C^{*},C_{r_{j+1}},\ldots,C_{r_{l}})\). It runs \(\mathcal{A} _{1}( \mathit {mpk}, C_{0})\). \(\mathcal{A} _{1}\) issues key derivation queries until it outputs the challenge identity \(\overline{ \mathit {ID}}\). For every key derivation query ID asked by the adversary, let \(F_{\mathit{ID}}\) be its associated subset. If \(r_{j} \in F_{\mathit{ID}}\), then \(\mathcal{B} \) aborts and outputs a random bit b∈{0,1}. Otherwise, it uses the secret keys it knows to compute the key of the identity ID.

Let \(\overline{ \mathit {ID}}\) be the challenge identity returned by \({\mathcal{A}}_{1}\). If \(\overline{ \mathit {ID}} \neq \mathit {ID}_{0}\) \(\mathcal{B} \) aborts. Otherwise, let \(F_{ \mathit {ID}_{0}}=\{s_{1}, \ldots, s_{l}\}\) be the subset associated with identity ID 0. \(\mathcal{B} \) sets \(K_{s_{j}}=K^{*}\), \(K=K_{s_{1}} {\oplus }\cdots {\oplus }K_{s_{l}}\) and runs \(b' \gets \mathcal{A} _{2}(K)\). Finally, \(\mathcal{B} \) outputs the same bit b′.

We observe that if \(K^{*}\) is a random session key, so is K. Otherwise, if \(K^{*}=\mathsf {Decap}(\mathit {pk},\mathit {sk},C^{*})\) for the secret key sk corresponding to \(\mathit{pk}=\mathit{pk}_{r_{j}}\), then K is properly distributed. Let us consider the probability that the simulator wins when \(\mathcal{A} \) wins and \(\mathcal{A} \) outputs \(\overline{ \mathit {ID}} = \mathit {ID}_{0}\) as challenge identity. This is equal to the probability that \(\mathcal{A} \) wins and \(\mathcal{B} \) does not abort in the key derivation phase. Since the adversary issues at most q queries, there exists at least one index in \(F_{\overline{ \mathit {ID}}}\) that belongs to none of the subsets associated with the queried identities. Since \(\overline{ \mathit {ID}} = \mathit {ID}_{0}\), \(\mathcal{B} \) guesses such an index, and hence does not abort in the key derivation phase, with probability at least 1/l (independently of \({\mathcal{A}}\)'s view).

Simulation 1. In this case \(\mathcal{B} \) acts as an adversary for the pseudo-random decapsulation of the KEM. It receives in input \((\mathit{pk},\mathit{sk},\mathit{pk}',C^{*},K^{*})\). Let \(F_{ \mathit {ID}_{0}}=\{r_{1}, \ldots, r_{l}\}\) be the subset associated with the identity \(\mathit{ID}_{0}\). \(\mathcal{B} \) picks a random index \(j \stackrel{{\scriptscriptstyle\$}}{\leftarrow}\{1,\ldots,l\}\) and sets \(\mathit {pk}_{r_{j}}=\mathit {pk}\) and \(\mathit {sk}_{r_{j}}=\mathit {sk}\). Then it picks another index \(i^{*} \stackrel{{\scriptscriptstyle\$}}{\leftarrow}\{1, \ldots, d\}\setminus\{r_{j}\}\) and sets \(\mathit {pk}_{i^{*}}=\mathit {pk}'\). Next it generates the remaining d−2 key pairs \((\mathit{pk}_{i},\mathit{sk}_{i})\leftarrow\mathsf{Kg}(1^{k})\) for all \(i\in\{1,\ldots,d\}\setminus\{r_{j},i^{*}\}\) and sets \(\mathit{mpk}=(\mathit{pk}_{1},\ldots,\mathit{pk}_{d})\). It computes \((C_{r_{i}},K_{r_{i}})\leftarrow\mathsf{Encap}(\mathit{pk}_{r_{i}})\) for all \(i\neq j\) and constructs the ciphertext \(C_{0}=(C_{r_{1}},\ldots,C_{r_{j-1}},C^{*},C_{r_{j+1}},\ldots,C_{r_{l}})\). It runs \(\mathcal{A} _{1}( \mathit {mpk}, C_{0})\). \(\mathcal{A} _{1}\) issues key derivation queries until it outputs the challenge identity \(\overline{ \mathit {ID}}\). Let ID be a queried identity and let \(F_{\mathit{ID}}\) be its associated subset. If \(i^{*} \in F_{\mathit{ID}}\), or if the challenge identity turns out to be \(\overline{ \mathit {ID}} = \mathit {ID}_{0}\), then \(\mathcal{B} \) aborts and outputs a random bit b∈{0,1}. Otherwise it uses the known secret keys to compute the key of the identity ID.

Let \(F_{\overline{ \mathit {ID}}}=\{s_{1}, \ldots, s_{l}\}\) be the subset associated with the challenge identity \(\overline{ \mathit {ID}}\). If \(i^{*} \notin F_{\overline{ \mathit {ID}}}\), \(\mathcal{B} \) aborts and outputs a random bit. Otherwise let j′ be the index such that \(s_{j'}=i^{*}\). If j′≠j, \(\mathcal{B} \) aborts and outputs a random bit. Otherwise it sets \(K_{s_{j}}=K^{*}\), computes the remaining \(K_{s_{i}}\) (\(i\neq j\)) by decapsulating the i-th component of \(C_{0}\) with the secret keys it knows, sets \(K=K_{s_{1}} {\oplus }\cdots {\oplus }K_{s_{l}}\) and runs \(b' \gets \mathcal{A} _{2}(K)\). Then \(\mathcal{B} \) outputs the same b′.

We observe that if \(K^{*}\) is a random session key, so is K. Otherwise, if \(K^{*}=\mathsf {Decap}(\mathit {pk}_{i^{*}}, \mathit {sk}_{i^{*}}, C^{*})\), then K is properly distributed. In this simulation we have two abort conditions:

  1. \(i^{*} \notin F_{\overline{ \mathit {ID}}}\), or \(i^{*}\) is in a subset associated with one of the identities queried to the key derivation oracle;

  2. \(j \neq j'\).

The first abort condition does not occur with probability at least 1/d: as long as at most q queries are asked, there exists an index i∈{1,…,d} that belongs to \(F_{\overline{ \mathit {ID}}}\) and to none of the subsets associated with the identities queried to the key derivation oracle, and \(i^{*}\) hits such an index with probability at least 1/d. The second abort condition does not occur with probability 1/l. Thus \(\mathcal{B} \) does not abort with probability at least 1/(dl) (independently of \({\mathcal{A}}\)'s view). In this case \(\mathcal{B} \) wins when \(\mathcal{A} \) wins, \(\mathcal{A} \) outputs \(\overline{ \mathit {ID}} \neq \mathit {ID}_{0}\), and \(\mathcal{B} \) does not abort.

Let fail denote the event that the simulator aborts. In both simulations \(\mathcal{B} \) wins with advantage \(\epsilon(k) \cdot \Pr[\overline{\textsf{fail}}]\). In conclusion, accounting for the coin β, the simulator breaks either the \(\mathrm {KEM\mbox {-}IND\mbox {-}CPA} \) security of the KEM with advantage at least ϵ(k)/(2l), or the pseudo-random decapsulation of the KEM with advantage at least ϵ(k)/(2dl). □

4.2 Practical Examples

In this section we show two examples of PKE schemes that satisfy the pseudo-random decapsulation and unique decapsulation properties (and thus they can be used to construct q-bounded VRFs). The first is the well known ElGamal encryption scheme [24], while the second one is the Linear Encryption scheme by Boneh, Boyen and Shacham [8].

q-Bounded VRFs from ElGamal

Here we prove that the KEM version of the ElGamal encryption scheme satisfies the unique decapsulation and pseudo-random decapsulation properties defined in Sect. 4.1.1. First we recall the scheme:

  • Kg(\(1^{k}\)): Let \(\mathbb{G}\) be a group of prime order p, and \(g \in \mathbb{G}\) be a generator. The key generation algorithm picks a random \(x \stackrel{{\scriptscriptstyle\$}}{\leftarrow} \mathbb{Z}_{p}\). It sets the public key \(\mathit {pk}=(\mathbb{G},g, X=g^{x})\) and the secret key \(\mathit{sk}=x\).

  • Encap(pk): The encapsulation algorithm picks a random \(y \stackrel{{\scriptscriptstyle\$}}{\leftarrow} \mathbb{Z}_{p}\) and produces the ciphertext \(C=g^{y}\) and the session key \(K=X^{y}\).

  • Decap(pk,sk,C): The decapsulation algorithm first checks that \(X=g^{\mathit{sk}}\). If this does not hold, it outputs ⊥. Otherwise, it uses the secret key to “extract” the session key from the given ciphertext C by computing \(K=C^{x}\).

It is easy to see that the scheme satisfies unique decapsulation because of the check in the Decap algorithm and the fact that for each public key, there is only one secret key (moreover, this is efficiently checkable).

So, we are left with proving pseudo-random decapsulation in the following theorem.

Theorem 5

The KEM version of the ElGamal encryption scheme satisfies pseudo-random decapsulation under the Decisional Diffie–Hellman assumption.

Proof

Let \(\mathcal{A} \) be an adversary for the pseudo-random decapsulation of the scheme above. Then we show how to construct a simulator \(\mathcal{B} \) that exploits \(\mathcal{A} \) to break the Decisional Diffie–Hellman (DDH) assumption (see Sect. 2.1.1).

\(\mathcal{B} \) receives in input a DDH tuple \((g,g^{a},g^{b},Z)\). It picks a random \(x_{0} \stackrel{{\scriptscriptstyle\$}}{\leftarrow} \mathbb{Z}_{p}\) and sets \(\mathit {pk}_{0}=(\mathbb{G}, g, g^{x_{0}})\), \(\mathit{sk}_{0}=x_{0}\), \(\mathit {pk}_{1}=(\mathbb{G}, g, g^{a})\), \(C^{*}=g^{b}\), \(K=Z\). Then it runs \(\mathcal{A} \) on input \((\mathit{pk}_{0},\mathit{sk}_{0},\mathit{pk}_{1},C^{*},K)\) and gets back a bit b′. In the end the simulator outputs b′.

If \(Z=g^{ab}\) then K is correctly distributed: indeed, with \(\mathit{sk}_{1}=a\) implicitly, we have \(K=(C^{*})^{\mathit {sk}_{1}}=\mathsf {Decap}(\mathit {pk}_{1}, \mathit {sk}_{1}, C^{*})\). Otherwise, if Z is random, K is random too. Thus the simulation is perfect and \(\mathcal{B} \) achieves the same advantage as \(\mathcal{A} \). □

q-Bounded VRFs from Linear Encryption

With an argument similar to that of ElGamal, it can be easily proved that also the Linear Encryption scheme described in [8] by Boneh, Boyen and Shacham has pseudo-random decapsulation under the so-called Decision Linear Assumption (see Sect. 2.1.2).

First, we recall the scheme. Let G be a group of prime order p.

  • Kg(\(1^{k}\)): The key generation algorithm picks \(h \stackrel{{\scriptscriptstyle\$}}{\leftarrow} \mathbb{G}\) and \(x,y \stackrel{{\scriptscriptstyle\$}}{\leftarrow} \mathbb{Z}_{p}^{*}\) and sets \(u=h^{1/x}\), \(v=h^{1/y}\), so that \(u^{x}=v^{y}=h\) (sampling u,v,h directly and then solving for x,y would require computing discrete logarithms; the reduction in the proof of Theorem 6 generates \(\mathit{pk}_{0}\) in the same way). The public key is \(\mathit{pk}=(u,v,h)\) while the secret key is \(\mathit{sk}=(x,y)\).

  • Encap(pk): The encapsulation algorithm picks random \(a,b \stackrel{{\scriptscriptstyle\$}}{\leftarrow} \mathbb{Z}_{p}\) and returns the ciphertext \(C=(u^{a},v^{b})\) and the session key \(K=h^{a+b}\).

  • Decap(pk,sk,C): The decapsulation algorithm first checks that \(h=u^{x}=v^{y}\). If this does not hold, it returns ⊥. Otherwise, it uses the secret key sk to compute the session key associated with the given ciphertext \(C=(C_{1},C_{2})\) as \(K=C_{1}^{x}C_{2}^{y}\).
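As an added example (not from the paper), the following Python script instantiates the Linear Encryption KEM above over a toy group, the order-509 subgroup of \(\mathbb{Z}_{1019}^{*}\) (illustrative parameters, not secure). Besides Kg/Encap/Decap it counts, by exhaustive search over the whole exponent space, how many secret keys pass the check \(h=u^{x}=v^{y}\) for a given public key; that count being 1 is the uniqueness fact on which the unique-decapsulation argument rests. Parameters and function names are this example's assumptions.

```python
import secrets

# Toy prime-order group (assumption for illustration): G generates the order-Q
# subgroup of Z_P^*, P = 1019 = 2Q + 1.  Not a secure choice of parameters.
P, Q, G = 1019, 509, 4

def rand_exp():
    return secrets.randbelow(Q - 1) + 1        # uniform in Z_Q^* = [1, Q-1]

def kg():
    # Sample h and the exponents, then derive u = h^(1/x), v = h^(1/y), so that
    # u^x = v^y = h; inverses are taken modulo the group order Q.
    h = pow(G, rand_exp(), P)
    x, y = rand_exp(), rand_exp()
    u = pow(h, pow(x, -1, Q), P)
    v = pow(h, pow(y, -1, Q), P)
    return (u, v, h), (x, y)                   # (pk, sk)

def encap(pk):
    u, v, h = pk
    a, b = secrets.randbelow(Q), secrets.randbelow(Q)
    return (pow(u, a, P), pow(v, b, P)), pow(h, a + b, P)    # C = (u^a, v^b), K = h^(a+b)

def decap(pk, sk, C):
    u, v, h = pk
    x, y = sk
    if pow(u, x, P) != h or pow(v, y, P) != h:
        return None                            # None plays the role of ⊥: sk is not pk's key
    c1, c2 = C
    return pow(c1, x, P) * pow(c2, y, P) % P   # K = C1^x * C2^y = h^a * h^b

def count_secret_keys(pk):
    """Number of (x, y) in Z_Q^* x Z_Q^* with u^x = v^y = h, by exhaustive search
    (feasible only because the toy group is tiny)."""
    u, v, h = pk
    xs = sum(1 for x in range(1, Q) if pow(u, x, P) == h)
    ys = sum(1 for y in range(1, Q) if pow(v, y, P) == h)
    return xs * ys

if __name__ == "__main__":
    pk, sk = kg()
    C, K = encap(pk)
    assert decap(pk, sk, C) == K
    print("secret keys accepted for this pk:", count_secret_keys(pk))
```

Because h, u and v all have prime order Q, the exponent x with \(u^{x}=h\) is unique modulo Q (and likewise y), which is what the exhaustive count confirms on the toy group and what the consistency check in Decap enforces at decapsulation time.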

Similarly to the case of ElGamal, the scheme has unique decapsulation because of the check in the Decap algorithm and the fact that for each public key there is only one secret key, and this is efficiently checkable.

Theorem 6

The KEM version of the Linear Encryption scheme satisfies pseudo-random decapsulation under the Decision Linear assumption.

Proof

Let \({\mathcal{A}}\) be an adversary that has non-negligible advantage in breaking the pseudo-random decapsulation of the Linear Encryption scheme given above. Then we show how to build an efficient simulator \({\mathcal{B}}\) that solves the Decision Linear problem with non-negligible probability.

\({\mathcal{B}}\) receives in input a tuple \((u,v,h,u^{a},v^{b},Z)\). It picks random \(h_{0} \stackrel{{\scriptscriptstyle\$}}{\leftarrow}\mathbb{G}\), \(x_{0},y_{0} \stackrel{{\scriptscriptstyle\$}}{\leftarrow} \mathbb{Z}_{p}\) and sets \(u_{0} = h_{0}^{1/x_{0}}, v_{0} = h_{0}^{1/y_{0}}\). It sets \(\mathit{pk}_{0}=(u_{0},v_{0},h_{0})\), \(\mathit{sk}_{0}=(x_{0},y_{0})\), \(\mathit{pk}_{1}=(u,v,h)\), \(C^{*}=(u^{a},v^{b})\) and \(K=Z\). Since there exist \(x,y \in \mathbb{Z}_{p}\) such that \(u^{x}=v^{y}=h\), \({\mathcal{B}}\) is implicitly setting \(\mathit{sk}_{1}=(x,y)\). Then the simulator runs \(b \gets \mathcal{A} (\mathit{pk}_{0},\mathit{sk}_{0},\mathit{pk}_{1},\allowbreak C^{*},K)\) and outputs the same b.

We show that the simulation is perfect and thus \({\mathcal{B}}\) wins with the same probability \({\mathcal{A}}\) wins.

First of all, observe that there exist \(\tau_{u}, \tau_{v} \in \mathbb{Z}_{p}\) such that \(u_{0} = u^{\tau_{u}}\) and \(v_{0} = v^{\tau_{v}}\). Thus \(C^{*}\) is a valid ciphertext for \(\mathit{pk}_{0}\), i.e. it can be written as \(C^{*} = (u_{0}^{a'},v_{0}^{b'})\) where \(a'=a/\tau_{u}\) and \(b'=b/\tau_{v}\). Second, if \(Z=h^{a+b}\), then K is correctly distributed: \(K=\mathsf{Decap}(\mathit{pk}_{1},\mathit{sk}_{1},C^{*})=(u^{a})^{x}(v^{b})^{y}=h^{a+b}\). Otherwise, if Z is random, so is K. □

5 VRF-Suitable IB-KEMs

In this section we describe our constructions of Verifiable Random functions from VRF-suitable IB-KEMs. In particular, in light of the results presented in Sect. 3, we focus on constructing VRF-suitable IB-KEM schemes.

We start by describing, in Sect. 5.1, a VRF from the Sakai–Kasahara IB-KEM [43]. Interestingly, the proposed VRF closely resembles the VRF proposed by Dodis and Yampolskiy [22].

Next, in Sect. 5.2, we present a new construction of VRF-suitable IB-KEM from the decisional ℓ-weak Bilinear Diffie–Hellman Inversion assumption (decisional ℓ-wBDHI, following the acronym used in [9]), recalled in Sect. 2.1, which states that given \(g, g^{b}, g^{c}, g^{b^{2}},\ldots , g^{b^{\ell}}\), the quantity \(e(g,g)^{b^{\ell+1}c}\) remains indistinguishable from random to any polynomially bounded adversary. Interestingly, in order for our construction to work, the parameter ℓ does not need to be too large. This is because it only limits the size of the space of valid identities to \(2^{\ell}\); it does not affect in any other way the number of adversarial queries allowed in the security proof (as it does in most known proofs using q-type assumptions). This means that it is enough to assume that the ℓ-wBDHI assumption holds only for rather small values of ℓ (i.e. ℓ=160 or ℓ=256).

As a final note, we mention that, in principle, one could construct a VRF from Boneh–Franklin's IBE. Indeed, we prove in Appendix A.2 that the KEM version of the scheme is actually a VRF-suitable IB-KEM under the decisional Bilinear Diffie–Hellman assumption. However, for the sake of building a VRF, this construction is of very limited interest as its proof holds in the random oracle model.

5.1 Sakai–Kasahara VRF

We briefly recall the KEM version of the Sakai–Kasahara IBE scheme (SK for short) [43]. This scheme relies on the q-decisional Bilinear Diffie–Hellman Inversion assumption (DBDHI for short), which is defined in Sect. 2.1.4.

  • Setup(\(1^{k}\)): The setup algorithm runs \(\mathcal{G}(1^{k})\) to obtain the description of the groups \(\mathbb{G}, \mathbb{G}_{T}\) and of a bilinear map \(e: \mathbb{G}\times \mathbb{G}\rightarrow \mathbb{G}_{T}\). The description of \(\mathbb{G}\) contains a generator \(g \in \mathbb{G}\). Then the algorithm picks a random \(s \stackrel{{\scriptscriptstyle\$}}{\leftarrow} \mathbb{Z}_{p}\) and sets \(h=g^{s}\), \(\mathit{mpk}=(g,h)\), \(\mathit{msk}=s\). For security reasons, the identity space \(\mathcal {ID}\) is the subset of \(\mathbb{Z}_{p}\) limited to the first q elements of \(\mathbb{Z}_{p}\), where q is some polynomial in the security parameter.

  • KeyDer(msk,ID): Let \(\mathit {ID}\in \mathcal {ID}\). The key derivation algorithm constructs the secret key \(\mathit{sk}_{\mathit{ID}}=g^{1/(s+\mathit{ID})}\). In the unlikely case that ID=−s, we define \(\mathit{sk}_{\mathit{ID}}\) to be \(1\in \mathbb{G}\).

  • Encap(mpk,ID): The encapsulation algorithm picks a random \(t \stackrel{{\scriptscriptstyle\$}}{\leftarrow} \mathbb{Z}^{\star}_{p}\) and computes the session key \(K=e(g,g)^{t}\) and the corresponding ciphertext \(C=(g^{s}g^{\mathit{ID}})^{t}=(h\,g^{\mathit{ID}})^{t}\).

  • Decap(mpk,ID,\(\mathit{sk}_{\mathit{ID}}\),C): The decapsulation algorithm uses the secret key \(\mathit{sk}_{\mathit{ID}}\) to compute the session key K from the ciphertext C as \(K=e(C,\mathit{sk}_{\mathit{ID}})\).

First, notice that by assuming aux ID =⊥ for all identities ID, the above description fits our syntax of VRF-suitable IB-KEMs. In the following theorem we prove that the Sakai–Kasahara IB-KEM scheme can be used to construct a VRF (i.e., that it actually provides unique decapsulation and pseudo-random decapsulation). Precisely, we first show that the scheme is selective-secure. Then its full-security follows by applying the result of Proposition 2.

Theorem 7

Assuming that the q-DBDHI assumption holds in a bilinear group \(\mathbb{G}\), then the Sakai–Kasahara IB-KEM [43] is a selective-secure VRF-suitable IB-KEM.

Proof

We prove the theorem by showing that the IB-KEM scheme presented above has unique decapsulation and satisfies the selective pseudo-random decapsulation property.

First, we observe that unique decapsulation follows by construction. Indeed, if we fix a specific (mpk,msk) pair, then one can obtain only one key for each identity (i.e., no random choices are possible). More formally, consider the second condition of the unique decapsulation property, where one checks that both keys \(\mathit{sk}_{\mathit{ID}}\) and \(\mathit {sk}_{ \mathit {ID}}'\) decrypt correctly. Let \(C=g^{(s+\mathit{ID})t}\) and \(K=e(g,g)^{t}\) be an honestly generated ciphertext and session key. By the definition of the decapsulation algorithm, the equation \(e(g^{(s+\mathit{ID})t},\mathit{sk}_{\mathit{ID}})=e(g,g)^{t}\) holds if and only if \(\mathit{sk}_{\mathit{ID}}=g^{1/(s+\mathit{ID})}\). Hence, if this check holds for both \(\mathit{sk}_{\mathit{ID}}\) and \(\mathit {sk}'_{ \mathit {ID}}\) (even for different t's), then it must be \(\mathit {sk}_{ \mathit {ID}} = \mathit {sk}_{ \mathit {ID}}'\).

Now, let us focus on proving that SK satisfies selective pseudo-random decapsulation under the DBDHI assumption. Let \(\mathcal{ID}=\{ \mathit {ID}_{0}, \ldots, \mathit {ID}_{q-1}\}\subseteq \mathbb{Z}_{p}\) be the set of all possible identities (i.e. the first q elements of \(\mathbb{Z}_{p}\)), and let \(\mathit{ID}_{0}\) be the zero identity, i.e., \(0 \in \mathbb{Z}_{p}\). Here we prove that SK satisfies pseudo-random decapsulation w.r.t. the distribution \(\mathcal{D} _{\mathcal {ID}}\) that always outputs \(\mathit{ID}_{0}=0\). We stress that even such a restricted distribution is sufficient for instantiating our generic construction and building a VRF.

So, for the sake of contradiction, suppose there exists an adversary \(\mathcal{A} =({\mathcal{A}}_{1}, {\mathcal{A}}_{2})\) that has non-negligible advantage ϵ(k) in breaking the selective pseudo-random decapsulation of the SK IB-KEM w.r.t. \(\mathit{ID}_{0}\). Then we show how to build a simulator \(\mathcal{B} \) which is able to break the DBDHI assumption with non-negligible advantage ϵ(k).

\(\mathcal{B} \) receives in input a tuple \((g, g^{x}, g^{(x^{2})}, \ldots, g^{(x^{q})}, Z) \in \mathbb{G}^{q+1} \times \mathbb{G}_{T}\) and must output 0 if it believes that \(Z=e(g,g)^{1/x}\), or 1 otherwise. First, \(\mathcal{B} \) runs \({\mathcal{A}}_{1}\) to obtain the challenge identity \(\mathit {ID}_{k} \in \mathcal{ID}\). Let s be implicitly defined as \(s=x-\mathit{ID}_{k}\), so that \(s+\mathit{ID}_{k}=x\). Using the binomial theorem, \({\mathcal{B}}\) computes \((g, g^{s}, g^{(s^{2})}, \ldots, g^{(s^{q})})\) from the powers of x it received. Then \(\mathcal{B} \) defines the polynomial \(f(z)= \prod^{q-1}_{i=0,i \neq k}(z+ \mathit {ID}_{i})=\sum^{q-1}_{i=0}z^{i}\beta_{i}\) (of degree q−1), and computes \(g'=\prod_{i=0}^{q-1}g^{s^{i}\beta_{i}}=g^{f(s)}\) and \(h'=\prod_{i=1}^{q}g^{s^{i}\beta_{i-1}}=g^{sf(s)}=(g')^{s}\); the latter is where the power \(g^{(s^{q})}\) is needed. It picks a random \(t \stackrel{{\scriptscriptstyle\$}}{\leftarrow} \mathbb{Z}_{p}\) and sets \(C_{0}=(g')^{t}\). We observe that \(C_{0}=(h'(g')^{\mathit{ID}_{0}})^{t/s}\) is a valid ciphertext under the identity \(\mathit{ID}_{0}=0\) and randomness t/s.

At this point it is worth noting that with all but negligible probability the values g′,h′,C 0 perfectly simulate the real values. The only unlucky cases are when g′=1 (i.e., f(s)=0modp) or when \(g'\not=1\) and h′=1 (i.e., s=0). However, in both cases, it is easy to see that \({\mathcal{B}}\) can directly recover x and break the DBDHI assumption.

To complete the first part of the simulation, \({\mathcal{B}}\) computes a session key \(\bar{K}\) as follows. Let \(f'(z)=\frac{f(z)}{z+{ \mathit {ID}_{k}}}-\frac{\gamma}{z+{ \mathit {ID}_{k}}}=\frac{f(z)-\gamma}{z+\mathit{ID}_{k}}=\sum_{i=0}^{q-2}z^{i}\gamma_{i}\), where γ is the remainder of the division of f(z) by \(z+\mathit{ID}_{k}\); note that \(\gamma=f(-\mathit{ID}_{k})=\prod_{i\neq k}(\mathit{ID}_{i}-\mathit{ID}_{k})\neq 0\) since the identities are distinct elements of \(\mathbb{Z}_{p}\). First \(\mathcal{B} \) computes

$$Z_{0}= \Biggl(\prod_{i=0}^{q-1} \prod_{j=0}^{q-2}e\bigl(g^{s^{i}},g^{s^{j}} \bigr)^{\beta_{i}\gamma_{j}} \Biggr) \Biggl(\prod_{m=0}^{q-2}e \bigl(g,g^{s^{m}}\bigr)^{\gamma\gamma_{m}} \Biggr)=e(g,g)^{\frac{f(s)^{2}-\gamma^{2}}{x}}. $$

\(\mathcal{B} \) sets \(\bar{K}= (Z_{0} \cdot Z^{\gamma^{2}} )^{t}\). Then \(\mathcal{B} \) gives \(\mathit{mpk}=(g',h')\), \(C_{0}\) and \(\bar{K}\) to the adversary.

When \(\mathcal{A} \) asks for the private key of an identity \(\mathit{ID}_{j}\neq\mathit{ID}_{k}\), \({\mathcal{B}}\) computes the secret key in the following way. First it defines the polynomial \(f_{j}(z)=\frac{f(z)}{z+ \mathit {ID}_{j}}= \prod_{i=0,i\neq j,k}^{q-1}(z+ \mathit {ID}_{i})=\sum_{i=0}^{q-2}z^{i}\delta_{i}\). Then it computes \(\mathit{sk}_{ \mathit {ID}_{j}}=(g')^{1/(s+ \mathit {ID}_{j})}=g^{f(s)/(s+ \mathit {ID}_{j})}=g^{f_{j}(s)}=\prod_{i=0}^{q-2}g^{s^{i}\delta_{i}}\) and returns \(\mathit{sk}_{ \mathit {ID}_{j}}\) to \(\mathcal{A} \).

At the end of the experiment \(\mathcal{A} \) outputs its guess b′, and \(\mathcal{B} \) outputs the same b′ as its guess for Z. Observe that if \(Z=e(g,g)^{1/x}\), then \(\bar{K}=(Z_{0}\cdot Z^{\gamma^{2}})^{t}=e(g,g)^{t f(s)^{2}/x}=e(g',g')^{\frac{t}{s+{ \mathit {ID}_{k}}}}\), i.e. a session key of the correct form. Otherwise, if Z is a random element of \(\mathbb{G}_{T}\), then (since γ≠0) \(\bar{K}\) is random too.

In conclusion, \({\mathcal{B}}\) succeeds with the same probability as \({\mathcal{A}}\). However, due to the way the public parameters are generated, if \({\mathcal{A}}\) has a running time T, then \({\mathcal{B}}\)’s running time is O(T+q) where q is the size of the identity space. □
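The simulator's polynomial bookkeeping in the proof above, as an added example in Python (not the paper's code): from the challenge powers \((g,g^{x},\ldots,g^{x^{q}})\) it derives the shifted powers \(g^{s^{i}}\) for \(s=x-\mathit{ID}_{k}\) by the binomial theorem, the simulated parameters \(g'=g^{f(s)}\) and \(h'=(g')^{s}\), and the keys \(\mathit{sk}_{\mathit{ID}_{j}}=g^{f_{j}(s)}\) by exact polynomial division, all without using x. The pairing-based computation of \(\bar K\) is omitted. The group is the toy order-509 subgroup of \(\mathbb{Z}_{1019}^{*}\) (an assumption for illustration only; it carries no pairing), and x is known to the script solely to generate the challenge input and to check the result.

```python
from math import comb

# Toy group (assumption for illustration): G generates the order-Q subgroup of Z_P^*.
# Exponents live in Z_Q; the bilinear map of the real scheme is not modelled here.
P, Q, G = 1019, 509, 4

def powers_of(g, x, q):
    """The q-DBDHI challenge input (g, g^x, ..., g^(x^q)); built here only to set up the example."""
    return [pow(g, pow(x, i, Q), P) for i in range(q + 1)]

def shift_powers(gx, c):
    """From g^(x^i) compute g^(s^i) for s = x - c, using s^i = sum_j C(i,j) x^j (-c)^(i-j)."""
    out = []
    for i in range(len(gx)):
        acc = 1
        for j in range(i + 1):
            coeff = comb(i, j) * pow(-c, i - j, Q) % Q
            acc = acc * pow(gx[j], coeff, P) % P
        out.append(acc)
    return out

def poly_from_roots(roots):
    """Coefficients (lowest degree first) of prod (z + r) over Z_Q."""
    coeffs = [1]
    for r in roots:
        nxt = [0] * (len(coeffs) + 1)
        for i, a in enumerate(coeffs):
            nxt[i] = (nxt[i] + a * r) % Q        # a * r * z^i
            nxt[i + 1] = (nxt[i + 1] + a) % Q    # a * z^(i+1)
        coeffs = nxt
    return coeffs

def poly_div_linear(coeffs, r):
    """Synthetic division of f(z) by (z + r) over Z_Q: returns (quotient, remainder)."""
    rho = (-r) % Q
    n = len(coeffs) - 1
    quotient = [0] * n
    carry = 0
    for i in range(n, 0, -1):
        carry = (coeffs[i] + rho * carry) % Q
        quotient[i - 1] = carry
    return quotient, (coeffs[0] + rho * carry) % Q

def poly_eval(coeffs, z):
    return sum(c * pow(z, i, Q) for i, c in enumerate(coeffs)) % Q

def g_to_poly(gs, coeffs):
    """g^(f(s)) from the list g^(s^i) and the coefficients of f."""
    acc = 1
    for gi, c in zip(gs, coeffs):
        acc = acc * pow(gi, c, P) % P
    return acc

def simulate(gx, identities, k):
    """mpk = (g', h') and the keys of every ID_j != ID_k, computed from the challenge powers only."""
    gs = shift_powers(gx, identities[k])          # g^(s^i) with s = x - ID_k
    others = [idv for j, idv in enumerate(identities) if j != k]
    f = poly_from_roots(others)                   # f(z) = prod_{i != k} (z + ID_i), degree q-1
    g_prime = g_to_poly(gs, f)                    # g' = g^f(s)
    h_prime = g_to_poly(gs[1:], f)                # h' = g^(s f(s)) = (g')^s, needs g^(s^q)
    keys = {}
    for j, idv in enumerate(identities):
        if j == k:
            continue
        f_j, rem = poly_div_linear(f, idv)        # f_j(z) = f(z) / (z + ID_j), exact
        assert rem == 0
        keys[idv] = g_to_poly(gs, f_j)            # sk_{ID_j} = g^(f_j(s)) = (g')^(1/(s + ID_j))
    return g_prime, h_prime, keys

if __name__ == "__main__":
    x, ids, k = 123, [0, 1, 2, 3, 4], 2           # q = 5 identities, challenge identity ID_2
    g_prime, h_prime, keys = simulate(powers_of(G, x, len(ids)), ids, k)
    s = (x - ids[k]) % Q
    assert h_prime == pow(g_prime, s, P)          # checked with the x the simulator never uses
    assert all(pow(sk, (s + idv) % Q, P) == g_prime for idv, sk in keys.items())
    print("simulated mpk:", (g_prime, h_prime))
```

The check at the end verifies, using the x that only the challenge generator knows, that each derived key satisfies \(\mathit{sk}^{\,s+\mathit{ID}_{j}}=g'\), i.e. it is exactly the key the real KeyDer would output under msk = s.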

By applying the result of Proposition 2 to the previous theorem and to our transformation, we obtain the following Corollary.

Corollary 1

Assuming that the q-DBDHI assumption holds in a bilinear group \(\mathbb{G}\), then the VRF obtained from the Sakai–Kasahara VRF-suitable IB-KEM [43] is a fully-secure VRF for domains of polynomial size.

We notice that the resulting VRF can only support an input space that is polynomially-sized (in the security parameter). This depends on two reasons. First, if we want a fully-secure VRF, then the reduction of Proposition 2 has a security loss which is linear in the size of the input space. Second, even if we restrict only to selective-security, observe that the running time of the simulator in the security reduction of Theorem 7 is linear in the size of the input space.

We remark that all previously known constructions of VRFs [20, 22, 38, 41] made the same restriction on the size of the input space.

Similarity with the Dodis–Yampolskiy VRF

Here we show that the Dodis–Yampolskiy VRF [22] (that we briefly recall in Appendix B) closely resembles the construction obtained from our transformation. Indeed, Theorem 7 leads to the following VRF.

  • Gen(1k): The key generation algorithm runs \(\mathcal{G}(1^{k})\) to obtain the description of the groups \(\mathbb{G}, \mathbb{G}_{T}\) and of a bilinear map \(e:\mathbb{G}\times \mathbb{G}\rightarrow \mathbb{G}_{T}\). The description of \(\mathbb{G}\) contains a generator \(g \in \mathbb{G}\). Then the algorithm picks random \(s,t \stackrel{{\scriptscriptstyle\$}}{\leftarrow} \mathbb{Z}_{p}\) and sets \(h=g^{s}\), \(C_{0}=h^{t}\), \(\mathit{vpk}=(g,h,C_{0})\), \(\mathit{vsk}=s\).

  • \(\mathsf{Func}_{\mathit{vsk}}(x)\): Let \(\mathsf{Func}_{\mathit{vsk}}(x)=(F_{\mathit{vsk}}(x),\pi_{\mathit{vsk}}(x))\). One sets \(F_{\mathit{vsk}}(x)=e(C_{0},\mathit{sk}_{x})=e(g,g)^{st/(s+x)}\) as the VRF output and \(\pi_{\mathit{vsk}}(x)=\mathsf{KeyDer}(x)=g^{1/(s+x)}\) as the proof of correctness.

  • \(V(\mathit{vpk},x,y,\pi_{x})\): To verify whether y was computed correctly, one starts by running the Encap algorithm on input (vpk,x). Encap chooses \(\omega \stackrel{{\scriptscriptstyle\$}}{\leftarrow} \mathbb{Z}_{p}\) and then computes \(K=e(g,g)^{\omega}\) and \(C=(hg^{x})^{\omega}\). Then one checks that \(K=\mathsf{Decap}(\mathit{mpk},x,\pi_{x},C)=e((g^{x}h)^{\omega},\pi_{x})\) and \(y=\mathsf{Decap}(\mathit{mpk},x,\pi_{x},C_{0})=e(h^{t},\pi_{x})\).

By setting \(t=s^{-1} \bmod p\) and ω=1, the construction above can be optimized to get exactly the Dodis–Yampolskiy VRF. It is worth noting, however, that our security analysis does not directly work with the optimized scheme.

5.2 Our New Construction

In this section we propose a new construction of a VRF-suitable IB-KEM from the (conjectured) computational intractability of the decisional weak \(\ell\)-Bilinear Diffie–Hellman Inversion problem (see Sect. 2.1.5 for a formal description). The new scheme is inspired by Lysyanskaya’s VRF [38] in that the validity of each new auxiliary information \(\mathit{aux}_{\mathit{ID}}\) (required to compute the session key) is verified by exploiting the DDH-CDH separation in bilinear groups. Our new scheme, however, is more efficient as it leads to a VRF directly (i.e., rather than having to construct a unique signature scheme first), and it does not require error correcting codes. The proposed scheme follows.

  • Setup(1k): The setup algorithm runs \(\mathcal{G}(1^{k})\) to obtain the description of the groups \(\mathbb{G}, \mathbb{G}_{T}\) and of a bilinear map \(e:\mathbb{G}\times \mathbb{G}\rightarrow \mathbb{G}_{T}\). The description of \(\mathbb{G}\) contains a generator \(g \in \mathbb{G}\). Let \(\{0,1\}^{\ell}\) be the space of valid identities. Then the algorithm picks (at random) \(a,\alpha_{1},\beta_{1}, \ldots,\alpha_{\ell}, \beta_{\ell} \stackrel{{\scriptscriptstyle\$}}{\leftarrow} \mathbb{Z}_{p}\), sets \(g_{1}=g^{a}\), and for \(i=1,\ldots,\ell\) sets \(g_{0i}=g^{\beta_{i}}\) and \(g_{1i}=g^{\alpha_{i}}\). The public parameters are

    $$\mathit {mpk}= \bigl(g,g_1, \{g_{ij} \}_{i=0,1;j=1..\ell} \bigr). $$

    The master secret key is \(\mathit{msk}=(a,\{\alpha_{i},\beta_{i}\}_{i=1,\ldots,\ell})\).

  • KeyDer(msk,ID): We assume \(\mathit{ID}=\mathit{ID}_{1}\cdots \mathit{ID}_{\ell}\) where each \(\mathit{ID}_{i}\in\{0,1\}\). The key derivation algorithm constructs the secret key \(\mathit{sk}_{\mathit{ID}}\) and the auxiliary information \(\mathit{aux}_{\mathit{ID}}\) as follows. Let \(h_{0}=g\); for i=1 to \(\ell\) one computes

    $$h_i=(h_{i-1})^{\alpha_i^{ \mathit {ID}_i}\beta_i^{(1- \mathit {ID}_i)}} $$

    and sets \(\mathit{aux}_{\mathit{ID}}=(h_{1},\ldots,h_{\ell})\) and \(\mathit{sk}_{ \mathit {ID}}=h_{\ell}^{a}\).

  • Encap(mpk,ID,\(\mathit{aux}_{\mathit{ID}}\)): Let \(\mathit{aux}_{\mathit{ID}}=(h_{1},\ldots,h_{\ell})\) computed as above. The encapsulation algorithm picks a random \(t \stackrel{{\scriptscriptstyle\$}}{\leftarrow} \mathbb{Z}^{\star}_{p}\) and computes a random session key \(K=e(g_{1},h_{\ell})^{t}\) and a corresponding ciphertext \(C=g^{t}\).

  • Decap(mpk,ID,\(\mathit{sk}_{\mathit{ID}}\),\(\mathit{aux}_{\mathit{ID}}\),C): The decapsulation algorithm uses the secret key \(\mathit{sk}_{\mathit{ID}}\) and the auxiliary information \(\mathit{aux}_{\mathit{ID}}\) to compute a session key K from a ciphertext C. First, in order to guarantee the unique decapsulation property, a check on the validity of the auxiliary information has to be performed. This is done as follows. Let \(h_{0}=g\); for \(i=1,\ldots,\ell\)

    If any of the above checks fails output reject. Second, the key K is computed as \(K=e(C,\mathit{sk}_{\mathit{ID}})=e(g_{1},h_{\ell})^{t}\). Note that the validity of \(\mathit{sk}_{\mathit{ID}}\) can be verified by first encrypting some random message m with respect to the public key \((g,g_{1},h_{\ell})\) and then by checking if one can decrypt it correctly using \(\mathit{sk}_{\mathit{ID}}\).

Security

The following theorem states the security of our new scheme.

Theorem 8

Suppose the decisional \(\ell\)-wBDHI assumption holds in \(\mathbb{G}\); then the scheme given above is a selective-secure VRF-suitable IB-KEM scheme.

Proof

Let \(\mathcal {ID}=\{0,1\}^{\ell}\) be the identity space. First note that the scheme fits the syntax of VRF-suitable IB-KEMs. We prove the theorem by showing that the scheme satisfies the unique decapsulation property and meets the selective pseudo-random decapsulation requirement.

Unique Decapsulation. We prove this by showing that for a given identity ID the corresponding \(h_{\ell}\) is uniquely determined as

$$h_\ell=g^{\prod_{i=1}^\ell \alpha_i^{ \mathit {ID}_i}\beta_i^{1- \mathit {ID}_i}}. $$

The proof is by induction on i. First note that it must be the case \(h_{1}=g^{\alpha_{1}^{ \mathit {ID}_{1}}\beta_{1}^{1- \mathit {ID}_{1}}}\), as otherwise the check \(e(g,h_{1})\stackrel {?}{=}e(g_{ \mathit {ID}_{1}1},h_{0})=e(g^{\alpha_{1}^{ \mathit {ID}_{1}}\beta_{1}^{1- \mathit {ID}_{1}}},g)\) would fail. Now assume that the statement holds true for any index \(j-1<\ell\), i.e. that \(h_{j-1}=g^{\prod_{i=1}^{j-1} \alpha_{i}^{ \mathit {ID}_{i}}\beta_{i}^{1- \mathit {ID}_{i}}}\). We prove that the same holds for j.

$$h_j=h_{j-1}^{\alpha_j^{ \mathit {ID}_j}\beta_j^{1- \mathit {ID}_j}}= \bigl(g^{\prod_{i=1}^{j-1} \alpha_i^{ \mathit {ID}_i}\beta_i^{1- \mathit {ID}_i}} \bigr)^{\alpha_j^{ \mathit {ID}_j}\beta_j^{1- \mathit {ID}_j}}= g^{\prod_{i=1}^{j} \alpha_i^{ \mathit {ID}_i}\beta_i^{1- \mathit {ID}_i}}. $$

Selective Pseudo-random Decapsulation. We prove the selective pseudo-random decapsulation w.r.t. any arbitrary distribution \(\mathcal{D} _{\mathcal {ID}}\) over the identity space. Namely, our proof works for any \(\mathit{ID}_{0}\) in the identity space \(\mathcal {ID}\).

Assume that there is an adversary \({\mathcal{A}}\) that breaks the selective pseudo-random decapsulation of the proposed scheme with advantage ϵ, then we show how to build an adversary \({\mathcal{B}}\) that solves the decisional \(\ell\)-wBDHI problem with advantage ϵ and runs in time comparable to that needed by \({\mathcal{A}}\). \({\mathcal{B}}\) starts by receiving, from some challenging oracle, the values \((C=g^{c},B_{1}=g^{b},B_{2}=g^{b^{2}}, \ldots, B_{\ell}=g^{b^{\ell}})\) and a value Z that can be either of the form \(e(g,g)^{b^{\ell+1}c}\) or of the form \(e(g,g)^{z}\), for random \(z \in \mathbb{Z}_{p}^{*}\), depending on some random (and hidden) bit d that \({\mathcal{B}}\) is supposed to guess. First, note that in the proposed scheme the ciphertext C is independent of specific identities, thus \({\mathcal{B}}\) can produce it without having to commit to any \(\mathit{ID}_{0}\). \({\mathcal{B}}\) gets the challenge identity \(\overline {\mathit {ID}}\) as input from \({\mathcal{A}}\). Next, it sets \(g_{1}=B_{1}\), it chooses random \(\alpha_{i},\beta_{i} \stackrel{{\scriptscriptstyle\$}}{\leftarrow} \mathbb{Z}_{p}^{*}\), for \(i=1,\ldots,\ell\), and for \(i=1,\ldots,\ell\) it computes the following values:

$$g_{0i}=\left \{ \begin{array}{l@{\quad }l} B_1^{\beta_i} & \mbox{if} \ \overline {\mathit {ID}}_i=0 \\ \noalign{\vspace*{3pt}} g^{\beta_i} & \mbox{if}\ \overline {\mathit {ID}}_i=1 \\ \end{array} \right . \qquad g_{1i}=\left \{ \begin{array}{l@{\quad }l} g^{\alpha_i} & \mbox{if} \ \overline {\mathit {ID}}_i=0 \\ \noalign{\vspace*{3pt}} B_1^{\alpha_i} & \mbox{if} \ \overline {\mathit {ID}}_i=1 \\ \end{array} \right . $$

Note that the public parameters \(\mathit{mpk}=(g,g_{1},\{g_{ij}\}_{i=0,1;j=1..\ell})\) are distributed exactly as those produced by the setup algorithm. The master secret key is implicitly set to \(\mathit {msk}=(b, \{\alpha_{i} b^{\overline {\mathit {ID}}_{i}}, \beta_{i} b^{1-\overline {\mathit {ID}}_{i}}\}_{i=1,..,\ell})\). Next, \({\mathcal{B}}\) sets the challenge ciphertext \(C^{*}=C=g^{c}\). Thus, \(C^{*}\) is also correctly distributed. \({\mathcal{B}}\) constructs the challenge key \(K_{\overline {\mathit {ID}}}\) by computing \(Z^{\omega_{\overline {\mathit {ID}}}}\), where \(\omega_{\overline {\mathit {ID}}} =\prod_{i=1}^{\ell}\alpha_{i}^{\overline {\mathit {ID}}_{i}}\beta_{i}^{1-\overline {\mathit {ID}}_{i}}\). The value \(\mathit {aux}_{\overline {\mathit {ID}}}\) is computed as follows: \(h_{\ell}\) is \(B_{\ell}^{\omega_{\overline {\mathit {ID}}}}\) and \(h_{i}\) is \(B_{i}^{\omega_{\overline {\mathit {ID}},i}}\) where \(\omega_{\overline {\mathit {ID}},i} = \prod_{j=1}^{i} \alpha_{j}^{\overline {\mathit {ID}}_{j}}\beta_{j}^{1-\overline {\mathit {ID}}_{j}}\). Note that \({\mathcal{B}}\) is not able to explicitly compute \(\mathit {sk}_{\overline {\mathit {ID}}} = B_{\ell+1}^{\omega_{\overline {\mathit {ID}}}}\). However, this is not a problem as \({\mathcal{B}}\) is not required to do so. \({\mathcal{B}}\) runs \({\mathcal{A}}\) on input \(( \mathit {mpk}, C^{*}, \mathit {ID}_{0}, K_{\overline {\mathit {ID}}}, \mathit{aux}_{\overline {\mathit {ID}}})\), for some identity \(\mathit{ID}_{0}\) chosen according to \(\mathcal{D} _{\mathcal {ID}}\).

Now, we show how \({\mathcal{B}}\) can answer key derivation queries for identities \(\mathit {ID}\neq \overline {\mathit {ID}}\). Since \(\mathit {ID}\neq \overline {\mathit {ID}}\), there exists (at least) an index j such that \(\mathit {ID}_{j}\neq \overline {\mathit {ID}}_{j}\). For such index we have that either \(g_{0j}=g^{\beta_{j}}\) (if \(\mathit{ID}_{j}=0\)) or \(g_{1j}=g^{\alpha_{j}}\) (otherwise). This means that the \(h_{\ell}\) corresponding to identity ID will contain the (unknown) b with exponent \(\ell-1\), at most. Let \(n<\ell\) denote the number of positions i such that \(\mathit {ID}_{i}=\overline {\mathit {ID}}_{i}\). \({\mathcal{B}}\) computes the \(h_{i}\) as follows.

$$h_{1}=\left \{ \begin{array}{l@{\quad }l} g^{\alpha_1^{ \mathit {ID}_1}\beta_1^{1- \mathit {ID}_1}} & \mbox{if} \ \mathit {ID}_1 \neq \overline {\mathit {ID}}_1 \\ \noalign{\vspace*{3pt}} B_1^{\alpha_1^{ \mathit {ID}_1}\beta_1^{1- \mathit {ID}_1}} & \mbox{if} \ \mathit {ID}_1 = \overline {\mathit {ID}}_1 \\ \end{array} \right . $$
$$h_{2}=\left \{ \begin{array}{l@{\quad }l} h_1^{\alpha_2^{ \mathit {ID}_2}\beta_2^{1- \mathit {ID}_2}} & \mbox{if}\ \mathit {ID}_2 \neq \overline {\mathit {ID}}_2 \\ \noalign{\vspace*{3pt}} B_1^{\alpha_2^{ \mathit {ID}_2}\beta_2^{1- \mathit {ID}_2}\alpha_1^{ \mathit {ID}_1}\beta_1^{1- \mathit {ID}_1}} & \mbox{if} \ \mathit {ID}_2=\overline {\mathit {ID}}_2 \, \land \, \mathit {ID}_1 \neq \overline {\mathit {ID}}_1 \\ \noalign{\vspace*{3pt}} B_2^{\alpha_2^{ \mathit {ID}_2}\beta_2^{1- \mathit {ID}_2}\alpha_1^{ \mathit {ID}_1}\beta_1^{1- \mathit {ID}_1}} & \mbox{if} \ \mathit {ID}_2=\overline {\mathit {ID}}_2 \, \land \, \mathit {ID}_1 = \overline {\mathit {ID}}_1 \\ \end{array} \right . \qquad \ldots $$

Finally, letting \(\omega_{\mathit {ID}}=\prod_{i=1}^{\ell}\alpha_{i}^{ \mathit {ID}_{i}}\beta_{i}^{1- \mathit {ID}_{i}}\), \(h_{\ell}\) is computed as \(B_{n}^{\omega_{ \mathit {ID}}}\).

The secret key \(\mathit{sk}_{\mathit{ID}}\) is computed as \(B_{n+1}^{\omega_{ \mathit {ID}}}\). Recall that, since \(n<\ell\), \({\mathcal{B}}\) can do this operation using the values received by the challenger. It is easy to check that both \(\mathit{aux}_{\mathit{ID}}=(h_{1},\ldots,h_{\ell})\) and \(\mathit{sk}_{\mathit{ID}}\) are distributed as in the real key derivation algorithm.

At the end of the game, \({\mathcal{A}}\) returns a bit d′ (d′=0 means real, d′=1 means random), and \({\mathcal{B}}\) outputs the same d′. This completes the description of the simulator.

Now notice that if \(Z=e(g,g)^{b^{\ell+1}c}\), \(K_{\overline {\mathit {ID}}}\) is a valid key for the identity \(\overline {\mathit {ID}}\). This is because \(K_{\overline {\mathit {ID}}} =e(g_{1},h_{\overline {\mathit {ID}}})^{c}\), where \(h_{\overline {\mathit {ID}}}\) is the \(h_{\ell}\) corresponding to identity \(\overline {\mathit {ID}}\). Thus, \(h_{\overline {\mathit {ID}}}=g^{b^{\ell}\omega_{\overline {\mathit {ID}}}}\).

$$K_{\overline {\mathit {ID}}} =e(g_1,h_{\overline {\mathit {ID}}})^c=e \bigl(g^{b},g^{b^\ell \omega_{\overline {\mathit {ID}}}}\bigr)^c=Z^{\omega_{\overline {\mathit {ID}}}}. $$

If, on the other hand, Z is a random value so is \(K_{\overline {\mathit {ID}}}\). Thus, by standard calculations one gets that, if \({\mathcal{A}}\) has advantage ϵ in breaking the (selective) pseudo-random decapsulation property of the scheme, \({\mathcal{B}}\) breaks the decisional \(\ell\)-wBDHI with advantage ϵ. □

Remark 4

It is interesting to note that the above theorem shows that our scheme satisfies the selective notion without any restriction on the size of the input space. This does not hold for the Dodis–Yampolskiy VRF because in its security proof (even for selective security) the running time of the simulator is linear in the size of the input space.

The Resulting VRF

We briefly show the VRF construction that results from applying our transformation to the VRF-suitable IB-KEM scheme described above.

  • Gen(1k): The key generation algorithm runs \(\mathcal{G}(1^{k})\) to obtain the description of the groups \(\mathbb{G}, \mathbb{G}_{T}\) and of a bilinear map \(e:\mathbb{G}\times \mathbb{G}\rightarrow \mathbb{G}_{T}\). The description of \(\mathbb{G}\) contains a generator \(g \in \mathbb{G}\). Let \(\{0,1\}^{\ell}\) be the input space. The algorithm picks \(t, a,\alpha_{1},\beta_{1}, \ldots,\alpha_{\ell}, \beta_{\ell} \stackrel{{\scriptscriptstyle\$}}{\leftarrow} \mathbb{Z}_{p}\) uniformly at random and sets \(g_{1}=g^{a}\), \(C=g^{t}\). Next, for \(i=1,\ldots,\ell\) it computes \(g_{0i}=g^{\beta_{i}}\) and \(g_{1i}=g^{\alpha_{i}}\). The public key is

    $$\mathit {vpk}= \bigl(g,g_1, C, \{g_{ij} \}_{i=0,1;j=1..\ell} \bigr) $$

    whereas the secret key is \(\mathit{vsk}=(a,\{\alpha_{i},\beta_{i}\}_{i=1,\ldots,\ell})\).

  • Func(vsk,x): Let \((y,\pi_{x})\) be its output, and assume \(x=x_{1}\cdots x_{\ell}\) where each \(x_{i}\in\{0,1\}\). The proof is constructed as follows. Let \(h_{0}=g\); for i=1 to \(\ell\) compute

    $$h_i=(h_{i-1})^{\alpha_i^{x_i}\beta_i^{(1-x_i)}}. $$

    Set \(\pi_{x}=(h_{1},\ldots,h_{\ell}, h_{\ell}^{a})\).

    Instead, the VRF output is computed as \(y=e(C, h_{\ell}^{a})\).

  • \(V(\mathit{vpk},x,y,\pi_{x})\): To verify whether y was computed correctly, proceed as follows: Let \(\pi_{x} = (h_{1},\ldots, h_{\ell}, h_{\ell}^{a})\). Let \(h_{0}=g\); for \(i=1,\ldots,\ell\).

    Check that \(y = e(C, h_{\ell}^{a})\). If any of the above checks fails output reject.
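To make the algebra of Gen, Func and V concrete, here is an added toy implementation (not the paper's code) in which group elements are represented by their discrete logarithms modulo a prime, so the pairing becomes integer multiplication; the chain check \(e(g,h_i)=e(g_{x_i i},h_{i-1})\) is the one used in the unique-decapsulation proof of Theorem 8, and the check on \(h_\ell^a\) is the pairing form of the encapsulate-then-decapsulate test noted in Decap. The function names, the dictionary layout of vpk/vsk and the prime P are assumptions of the example.

```python
"""Toy model of the VRF of Sect. 5.2 (added illustration, not the paper's code).

Elements of G and G_T are represented by their discrete logarithms modulo a
toy prime P: g^a is stored as the integer a, multiplication in G is addition
mod P, and the pairing e(g^a, g^b) = e(g,g)^{ab} is multiplication mod P.
This transparent group makes the algebra of Gen/Func/V checkable but has no
security at all (discrete logs are free); a real deployment needs a
pairing-friendly curve.
"""
import secrets

P = 2**127 - 1  # constructed toy group order (a prime)


class G:
    """Element of G, stored as the exponent of the fixed generator g (g == G(1))."""

    def __init__(self, log):
        self.log = log % P

    def __mul__(self, other):
        return G(self.log + other.log)

    def __pow__(self, k):
        return G(self.log * k)

    def __eq__(self, other):
        return isinstance(other, G) and self.log == other.log


def e(x, y):
    """Symmetric bilinear map; G_T elements are written as exponents of e(g,g)."""
    return (x.log * y.log) % P


g = G(1)


def rand_exp():
    return 1 + secrets.randbelow(P - 1)  # uniform in Z_p^*


def gen(ell):
    """Gen(1^k): vpk = (g, g_1, C, {g_ij}), vsk = (a, {alpha_i, beta_i})."""
    a, t = rand_exp(), rand_exp()
    alpha = [rand_exp() for _ in range(ell)]
    beta = [rand_exp() for _ in range(ell)]
    vpk = {
        "ell": ell,
        "g1": g ** a,                        # g_1 = g^a
        "C": g ** t,                         # C = g^t
        "g0": [g ** b for b in beta],        # g_{0i} = g^{beta_i}
        "g1i": [g ** al for al in alpha],    # g_{1i} = g^{alpha_i}
    }
    return vpk, {"a": a, "alpha": alpha, "beta": beta}


def func(vpk, vsk, x):
    """Func(vsk, x) for x a list of ell bits: returns (y, pi_x).

    pi_x = (h_1, ..., h_ell, h_ell^a) with h_i = h_{i-1}^{alpha_i^{x_i} beta_i^{1-x_i}}
    and y = e(C, h_ell^a); C is read from vpk, where Gen placed it.
    """
    assert len(x) == vpk["ell"]
    h, chain = g, []
    for i, xi in enumerate(x):
        h = h ** (vsk["alpha"][i] if xi == 1 else vsk["beta"][i])
        chain.append(h)
    sk_x = h ** vsk["a"]            # h_ell^a, the IB-KEM secret key of identity x
    return e(vpk["C"], sk_x), chain + [sk_x]


def verify(vpk, x, y, pi):
    """V(vpk, x, y, pi_x): pairing checks on the chain, on h_ell^a and on y."""
    ell = vpk["ell"]
    if len(x) != ell or len(pi) != ell + 1:
        return False
    chain, sk_x = pi[:ell], pi[ell]
    h_prev = g                                   # h_0 = g
    for i, xi in enumerate(x):
        g_xi = vpk["g1i"][i] if xi == 1 else vpk["g0"][i]   # g_{x_i i}
        # Chain check from the unique-decapsulation proof of Theorem 8:
        # e(g, h_i) == e(g_{x_i i}, h_{i-1}) pins h_i to h_{i-1}^{alpha_i^{x_i} beta_i^{1-x_i}}.
        if e(g, chain[i]) != e(g_xi, h_prev):
            return False
        h_prev = chain[i]
    # Validity of h_ell^a w.r.t. the public key (g, g_1, h_ell): pairing form of
    # the "encapsulate a random key and check it decapsulates" test noted in Decap.
    if e(g, sk_x) != e(vpk["g1"], h_prev):
        return False
    return y == e(vpk["C"], sk_x)


if __name__ == "__main__":
    vpk, vsk = gen(8)
    x = [1, 0, 1, 1, 0, 0, 1, 0]
    y, pi = func(vpk, vsk, x)
    print("honest proof accepted:", verify(vpk, x, y, pi))
    tampered = pi[:3] + [pi[3] * g] + pi[4:]     # perturb h_4
    print("tampered chain rejected:", not verify(vpk, x, y, tampered))
```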

Efficiency and Security Considerations

In terms of efficiency, we note that the resulting VRF scheme has public keys and proofs whose sizes are linear in the bit-length \(\ell\) of the VRF’s input. Likewise, the time needed to compute and verify a proof is also linear in \(\ell\). Clearly, these parameters are worse than those achieved by the Dodis–Yampolskiy VRF scheme, which enjoys constant-size proofs and public keys.

In terms of security, our new construction enjoys a tight reduction to the \(\ell\)-wBDHI assumption and is proven to be selective-secure for large input spaces. This is not the case for the Dodis–Yampolskiy VRF scheme, as its security reduction is based on the q-BDHI assumption, where q is linear in the size of the input space. Finally, as we point out in the following section, our new construction can also be proven fully-secure for large input spaces.

5.3 A Scheme Secure for Large Identity Spaces

Given the result of Theorem 8, if one wants to obtain a fully-secure VRF, one should apply Proposition 2 at the cost of losing a factor \(2^{\ell}\) in the final security (where \(2^{\ell}\) represents the size of the identity space). This means that the previous scheme is fully-secure only when the identity space is small (i.e., \(2^{\ell}\) is polynomial in the security parameter), or when the security parameter used to instantiate the bilinear groups is made large enough to have a significant reduction. However, the last solution unfortunately leads to parameters that are quite inefficient in practice.

In this section, we show that our scheme described in Sect. 5.2 can be proven secure without any exponential loss, even when the identity space is exponentially large, meaning that we can efficiently support large identity spaces. In the following sections, we show how to achieve this result using two different techniques: one is based on the notion of admissible hash functions [5], and the other uses the artificial abort technique introduced by Waters [46]. More precisely, in the first case we need to make a small modification in our scheme: we assume that each identity is a binary string of w bits, and that the scheme (originally working with \(\ell\)-bit long identities) first hashes the identities using an admissible hash function \(H:\{0,1\}^{w}\to\{0,1\}^{\ell}\). On the other hand, in order to use the artificial abort technique, we do not have to make any changes in our scheme of Sect. 5.2, but the security will hold under a slightly different assumption.

Full Security via Admissible Hash Functions

The notion of admissible hash functions was first introduced by Boneh and Boyen in [5] as a tool for proving the full security of their identity-based encryption scheme. These functions have been shown to be useful in order to secretly partition the identity space in two subsets, the blue set and the red set, so that there is a noticeable probability that all the adversary’s secret key queries fall in the blue set and the challenge identity is in the red set. This fact is particularly useful in those reductions where the simulator can be programmed so that it is able to answer secret key queries for blue identities, while it can generate a challenge ciphertext for any red identity. Boneh and Boyen showed a construction of admissible hash functions based on collision-resistance and error correcting codes.

In our work, we use admissible hash functions in a similar way. In particular, we choose to follow the definition by Cash et al. [14, 15] as it looks easier to use.

Let \(k \in \mathbb{N}\) be the security parameter, and let w and \(\ell\) be two values polynomial in k. Let \({\mathcal{H}}=\{H: \{0,1\}^{w} \to \{0,1\}^{\ell} \}\) be a family of functions. For \(H \in {\mathcal{H}}\), \(V\in\{0,1,\bot\}^{\ell}\) and any \(x\in\{0,1\}^{w}\) we define:

$$F_{V,H}(x)=\left \{ \begin{array}{l@{\quad }l} {\texttt{B}}& \mbox{if} \ \exists i \in \{1,\ldots,\ell\}: H(x)_{i} = V_i \\ \noalign{\vspace*{3pt}} {\texttt{R}}& \mbox{if} \ \forall i \in \{1,\ldots, \ell \}: H(x)_{i} \neq V_i \\ \end{array} \right . $$

For \(m\in\{0,\ldots,\ell\}\), we denote by \({\mathcal{V}}^{(\ell,m)}\) the uniform distribution over the vectors in \(\{0,1,\bot\}^{\ell}\) such that exactly m components are in {0,1}.

Definition 6

\({\mathcal{H}}=\{H: \{0,1\}^{w} \to \{0,1\}^{\ell} \}\) is a family of Δ-admissible hash functions if, for every polynomial Q=Q(k), there exists an efficiently computable function m=m(k) and efficiently recognizable sets bad H ⊆({0,1}w) such that the following properties hold:

  1.

    For every PPT algorithm \({\mathcal{A}}\) that, on input \(H\in {\mathcal{H}}\), outputs \(x\in(\{0,1\}^{w})^{Q+1}\), the following advantage is a negligible function in k:

  2.

    For every \(H \in {\mathcal{H}}\), \(V \gets {\mathcal{V}}^{(\ell,m)}\), and every vector \(x\in(\{0,1\}^{w})^{Q+1}\setminus \mathit{bad}_{H}\) we have

\({\mathcal{H}}\) is said to be admissible if it is Δ-admissible for some Δ such that Δ(k,Q) is significant for every Q=Q(k).

Once we have defined the notion of admissible hash functions, we consider the scheme given in Sect. 5.2 modified as follows. We let the identities be strings \(I\in\{0,1\}^{w}\), and we use our scheme of Sect. 5.2 by hashing every identity I to \(\mathit{ID}=H(I)\in\{0,1\}^{\ell}\) using a function H taken from an admissible family \({\mathcal{H}}=\{H:\{0,1\}^{w} \to \{0,1\}^{\ell} \}\). To concretely instantiate this scheme, one can use the construction of admissible hash functions proposed by Boneh and Boyen in [5], whose security relies on collision-resistant hash functions. We refer the interested reader to [5, Sect. 5.3] and [15, Sect. 5.4.4] for a more precise description of the construction and the possible choices of parameters.

We now prove the following theorem.

Theorem 9

Suppose the decisional \(\ell\)-wBDHI assumption holds in \(\mathbb{G}\) and \({\mathcal{H}}\) is a family of admissible hash functions; then the scheme of Sect. 5.2 with the above modifications is a secure VRF-suitable IB-KEM.

Proof

First of all, observe that the unique decapsulation property holds for the same reasons given in Theorem 8. Therefore, it only remains to prove the pseudo-random decapsulation property. As in the proof of Theorem 8, we prove pseudo-random decapsulation w.r.t. any arbitrary distribution \(\mathcal{D} _{\mathcal {ID}}\) over the identity space (i.e., our proof works for any \(\mathit {ID}_{0} \in \mathcal {ID}\)).

We prove the theorem by describing a series of games. Let \(\overrightarrow{ \mathit {ID}} \in (\{0,1\}^{w})^{Q+1}\) be the vector of identities queried by the adversary such that the first element of this vector is the challenge identity \(\mathit{ID}^{*}\). For any i, we denote by \(G_{i}\) the output of Game i.

Game 0 :

is the real pseudo-random decapsulation experiment \(\mathbf {Exp}^{ \mathrm {IB\mbox {-}KEM\mbox {-}RDECAP} }_{\mathcal {IBKEM},{\mathcal{A}}}(k)\). By definition we know that:

$$\mathbf {Adv}^{ \mathrm {IB\mbox {-}KEM\mbox {-}RDECAP} }_{\mathcal {IBKEM},{\mathcal{A}}}(k)=\biggl \vert \Pr[G_0=1] - \frac{1}{2} \biggr \vert . $$
Game 1 :

is the same experiment as Game 0 except that in Game 1 the challenger aborts and outputs a random bit if \(\overrightarrow{ \mathit {ID}} \in \mathit{bad}_{H}\). By the first condition of admissible hash functions, it is easy to show that any adversary distinguishing Game 0 and Game 1 can be reduced to an adversary \({\mathcal{C}}\) against the admissibility of \({\mathcal{H}}\). Thus we have:

$$\bigl \vert \Pr[G_1=1] - \Pr[G_0=1]\bigr \vert \leq \mathbf {Adv}^{\mathrm{adm}}_{{\mathcal{H}},{\mathcal{C}}}(k). $$
Game 2 :

proceeds as Game 1 except that at the end of the experiment, the challenger generates an event good 2 with probability Δ, and it aborts if good 2 does not occur. Thus we have:

$$\biggl \vert \Pr[G_2=1] - \frac{1}{2} \biggr \vert = \Pr[\mathit{good}_2] \biggl \vert \Pr[G_1=1] - \frac{1}{2} \biggr \vert . $$
Game 3 :

proceeds as Game 2 except for the following change at the end of the experiment. Instead of generating the event good 2, in Game 3 the challenger chooses a vector \(V \gets {\mathcal{V}}^{(\ell,m)}\) and computes F V,H (ID) for every identity ID queried by the adversary. Let E be the event

$$\mbox{``}F_{V,H}\bigl( \mathit {ID}^*\bigr)={\texttt{R}}\wedge F_{V,H}( \mathit {ID}_1)={\texttt{B}}\wedge F_{V,H}( \mathit {ID}_2)={\texttt{B}}\wedge \cdots \wedge F_{V,H}( \mathit {ID}_Q)={{\texttt{B}}}\mbox{''}. $$

Since \(\overrightarrow{ \mathit {ID}} \notin \mathit{bad}_{H}\), by the second condition of the admissibility of H, we have Pr[E]≥Δ.

Next, the challenger samples \(\lceil kS^{2}/\varDelta^{2}\rceil\) vectors \(\tilde{V}\), where S=poly(k) is an arbitrary polynomial, and, for each of these samples, it evaluates the function \(F_{\tilde{V},H}\) on the given set of identities \(\overrightarrow{ \mathit {ID}}\). In this way, the challenger computes an approximation \(\tilde{p}_{E}\) of \(p_{E} = \Pr[E | \overrightarrow{ \mathit {ID}}]\).

Finally, if E does not occur, then the challenger in Game 3 aborts. But even if E occurs, then it aborts with probability \(1 - \varDelta / \tilde{p}_{E}\) (recall that in the case of abort, the experiment outputs a random bit). Let good 3 be the event that Game 3 does not abort. Then we have:

$$\Pr[\mathit{good}_3] = \varDelta \cdot \frac{p_E}{\tilde{p}_E}. $$

To analyze the difference between Game 2 and Game 3, one may think about directly replacing the event good 2 with the event E. However, as noticed by Cash et al. in their proof [14], this is not possible as the event E may not be independent of the adversary’s view. More precisely, E is conditioned on the set of identities \(\overrightarrow{ \mathit {ID}}\) asked by \({\mathcal{A}}\). To solve the issue, the game is modified by adding an artificial abort step whose goal is to make the overall abort probability sufficiently independent of \({\mathcal{A}}\)’s view.

So, to complete this analysis, first notice that by Hoeffding’s inequality, \(\lceil kS^{2}/\varDelta^{2}\rceil\) samples are sufficient to lower bound \(\tilde{p}_{E} \geq \varDelta\) in such a way that

$$\Pr \biggl[|p_E - \tilde{p}_E| \geq \frac{\varDelta}{S} \biggr] \leq \frac{1}{2^{k}}. $$

Therefore, we obtain that the difference

$$\bigl|\Pr[\mathit{good}_3] - \Pr[\mathit{good}_2]\bigr| = \varDelta \cdot \biggl| \frac{\tilde{p}_E - p_E}{\tilde{p}_E}\biggr| \leq \frac{\varDelta}{S} $$

holds with probability \(1-1/2^{k}\), and thus we have

$$\bigl| \Pr[G_3] - \Pr[G_2] \bigr| \leq \frac{\varDelta}{S} + \frac{1}{2^k}. $$
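The partition function \(F_{V,H}\), the distribution \({\mathcal{V}}^{(\ell,m)}\) and the sampling-based estimate \(\tilde{p}_E\) with the artificial abort rule of Game 3 can be exercised with the following added Python code (an illustration written for this page, not the paper's or Cash et al.'s code). It takes H to be the identity on \(\ell\)-bit strings and encodes ⊥ as None; the function names, the constructed identity vector and the parameter values are assumptions.

```python
"""Partition function F_{V,H}, the distribution V^{(ell,m)}, and the p_E
estimate plus artificial abort of Game 3 (added illustration, not the paper's
code).  H is taken to be the identity on ell-bit strings, so an identity is
its own hash; bot is encoded as None.
"""
import itertools
import math
import random

B, R = "B", "R"


def F(V, hx):
    """F_{V,H}(x) on hx = H(x): B if H(x) agrees with V in some position, else R.
    A bot coordinate never agrees with anything."""
    return B if any(v is not None and v == bit for v, bit in zip(V, hx)) else R


def sample_V(ell, m, rng):
    """One draw from V^{(ell,m)}: exactly m coordinates in {0,1}, the rest bot."""
    V = [None] * ell
    for i in rng.sample(range(ell), m):
        V[i] = rng.randrange(2)
    return V


def event_E(V, ids):
    """E: the challenge ids[0] is red and every queried identity ids[1:] is blue."""
    return F(V, ids[0]) == R and all(F(V, h) == B for h in ids[1:])


def exact_pE(ids, ell, m):
    """p_E = Pr[E | ids], by enumerating the whole support of V^{(ell,m)}."""
    hits = total = 0
    for positions in itertools.combinations(range(ell), m):
        for values in itertools.product((0, 1), repeat=m):
            V = [None] * ell
            for i, v in zip(positions, values):
                V[i] = v
            hits += event_E(V, ids)
            total += 1
    return hits / total


def estimate_pE(ids, ell, m, delta, k, S, rng=None):
    """The challenger's approximation p~_E from ceil(k S^2 / Delta^2) samples."""
    rng = rng if rng is not None else random.Random(0)
    n = math.ceil(k * S ** 2 / delta ** 2)
    hits = sum(event_E(sample_V(ell, m, rng), ids) for _ in range(n))
    return hits / n


def good_3(E_occurred, delta, p_tilde, rng=None):
    """Game 3 abort rule: abort when E fails, and otherwise abort with
    probability 1 - Delta / p~_E.  Returns True when the game does not abort."""
    rng = rng if rng is not None else random.Random(0)
    return E_occurred and rng.random() < delta / p_tilde


if __name__ == "__main__":
    rng = random.Random(7)
    ell, m = 6, 2
    # Constructed identities: ids[0] plays ID*, the other three are the key queries.
    ids = [[0, 0, 1, 0, 1, 1], [1, 1, 0, 0, 1, 0], [0, 1, 1, 1, 0, 1], [1, 0, 0, 1, 1, 0]]
    delta = 1 / 8        # a Delta not exceeding p_E, which is what admissibility provides
    p = exact_pE(ids, ell, m)
    p_tilde = estimate_pE(ids, ell, m, delta, k=8, S=4, rng=rng)
    print(f"p_E = {p:.4f}   p~_E = {p_tilde:.4f}")
    trials = 20000
    cont = sum(good_3(event_E(sample_V(ell, m, rng), ids), delta, p_tilde, rng)
               for _ in range(trials))
    print(f"Pr[good_3] ~ {cont / trials:.4f}   Delta*p_E/p~_E = {delta * p / p_tilde:.4f}")
```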

Reducing Game 3 to \(\ell\)-wBDHI*. The final step of the proof is to show that \(|\Pr[G_{3}=1] - 1/2 |\leq \mathbf {Adv}^{\ell\mbox{-}\mathrm{wBDHI}^{*}}_{{\mathcal{B}}}(k)\). For the sake of contradiction, assume there exists an adversary \({\mathcal{A}}\) who wins in Game 3 with advantage ϵ, then we show how to build an adversary \({\mathcal{B}}\) that solves the decisional \(\ell\)-wBDHI problem with the same advantage and runs in time comparable to that needed by \({\mathcal{A}}\). \({\mathcal{B}}\) receives \((C=g^{c},B_{1}=g^{b},B_{2}=g^{b^{2}}, \ldots, B_{\ell}=g^{b^{\ell}})\) and a value Z that can be either of the form \(e(g,g)^{b^{\ell+1}c}\) or of the form \(e(g,g)^{z}\), for random \(z \in \mathbb{Z}_{p}^{*}\), depending on some random (and hidden) bit d that \({\mathcal{B}}\) is supposed to guess. \({\mathcal{B}}\) sets \(g_{1}=B_{1}\), and it chooses \(V \gets {\mathcal{V}}^{(\ell,m)}\) and random exponents \(\alpha_{i},\beta_{i} \stackrel{{\scriptscriptstyle\$}}{\leftarrow} \mathbb{Z}_{p}^{*}\), for \(i=1,\ldots,\ell\), and computes for \(i=1,\ldots,\ell\)

$$g_{0i}=\left \{ \begin{array}{l@{\quad }l} g^{\beta_i} & \mbox{if}\ V_i=0 \\ \noalign{\vspace*{3pt}} B_1^{\beta_i} & \mbox{if} \ V_i=1 \ \mbox{or}\ V_i=\bot \\ \end{array} \right . \qquad g_{1i}=\left \{ \begin{array}{l@{\quad }l} B_1^{\alpha_i} & \mbox{if} \ V_i=0 \ \mbox{or} \ V_i=\bot \\ \noalign{\vspace*{3pt}} g^{\alpha_i} & \mbox{if} \ V_i=1 \\ \end{array} \right . $$

Note that the public parameters \(\mathit{mpk}=(g,g_{1},\{g_{ij}\}_{i=0,1;j=1..\ell})\) are distributed exactly as those produced by the setup algorithm. Next, \({\mathcal{B}}\) sets \(C^{*}=C=g^{c}\). Thus, \(C^{*}\) is also correctly distributed. Now \({\mathcal{B}}\) runs \({\mathcal{A}}\) on input \((\mathit{mpk},C^{*},\mathit{ID}_{0})\), for an identity \(\mathit{ID}_{0}\) chosen according to \(\mathcal{D} _{\mathcal {ID}}\). In particular, \(\mathit{ID}_{0}\) can be any identity in \(\mathcal {ID}\).

The simulation is almost the same as that given in the proof of Theorem 8. The main difference is that here the simulator might abort. Let us show that a key derivation query can be answered as long as \(F_{V,H}(\mathit{ID})=\texttt{B}\), whereas the simulator can generate a challenge for any identity \(\mathit{ID}^{*}\) such that \(F_{V,H}(\mathit{ID}^{*})=\texttt{R}\).

For key derivation queries, note that when \(F_{V,H}(\mathit{ID})=\texttt{B}\) there always exists an index i such that \(H(\mathit{ID})_{i}=V_{i}\). For such index we have that either \(g_{0i}=g^{\beta_{i}}\) (if \(H(\mathit{ID})_{i}=0\)) or \(g_{1i}=g^{\alpha_{i}}\) (otherwise). This means that the value \(h_{\ell}\) corresponding to the identity ID will contain the (unknown) b with exponent \(\ell-1\), at most. Thus, it is easy to see that the secret key and the auxiliary information can be efficiently computed.

On the other hand, observe that when \(F_{V,H}(\mathit{ID}^{*})=\texttt{R}\), then \(\mathit{ID}^{*}\) disagrees with V in all positions and thus \(h_{\ell}\) contains the unknown b with exponent exactly \(\ell\). So, the simulator can plug the value Z into the challenge session key.

Finally, the simulator runs the artificial abort step like the challenger in Game 3, and, if no abort condition occurs, then it outputs the same bit returned by \({\mathcal{A}}\). It is easy to see that the view obtained by the adversary in the simulation provided by \({\mathcal{B}}\) is distributed exactly as the view obtained in Game 3, and thus we have that

$$\mathbf {Adv}^{\ell\mbox{-}\mathrm{wBDHI}^*}_{{\mathcal{B}}}(k) \geq \bigl|\Pr[G_3=1] - 1/2 \bigr|. $$

If we put together all the bounds shown before, then we have shown that for every PPT adversary \({\mathcal{A}}\) that makes at most a polynomial number Q=Q(k) of key derivation queries in the \(\mathrm {IB\mbox {-}KEM\mbox {-}RDECAP} \) experiment against the scheme \(\mathcal {IBKEM}\), and for every polynomial S=S(k), there exists an algorithm \({\mathcal{B}}\) against the \(\ell\)-wBDHI* assumption and an algorithm \({\mathcal{C}}\) against the admissibility of \({\mathcal{H}}\) such that:

$$\mathbf {Adv}^{ \mathrm {IB\mbox {-}KEM\mbox {-}RDECAP} }_{\mathcal {IBKEM},{\mathcal{A}}}(k) \leq \mathbf {Adv}^{\mathrm{adm}}_{{\mathcal{H}},{\mathcal{C}}}(k) + \frac{\mathbf {Adv}^{\ell\mbox{-}\mathrm{wBDHI}^*}_{{\mathcal{B}}}(k)}{\varDelta} +\frac{1}{S} + \frac{1}{2^k}. $$

 □

Full Security via Artificial Abort

In this section we show an alternative proof of security for the scheme of Sect. 5.2 that supports large identity spaces. We stress that in this case we do not make any changes to the original scheme (which is exactly the same as that shown in Sect. 5.2), but the security is proven under a slightly different assumption: the n-Decisional Diffie–Hellman Exponent assumption, originally introduced by Boneh et al. [10] and recalled below.

The n-Decisional Diffie–Hellman Exponent assumption (n-DDHE for short) is defined in bilinear groups \(\mathbb{G}, \mathbb{G}_{T}\) of prime order p where there is a bilinear map \(e:\mathbb{G}\times \mathbb{G}\to \mathbb{G}_{T}\). Let \(g,h \in \mathbb{G}\) be two generators and \(b \in \mathbb{Z}_{p}^{*}\) be chosen at random.

We define the advantage \(\mathbf {Adv}^{n\mathrm{DDHE}}_{{\mathcal{A}}}(k)\) of a PPT algorithm \({\mathcal{A}}\) in solving n-DDHE in \(\mathbb{G}\) as

$$\left\vert \Pr\left[ c'=c \left| \begin{array}{l} g,h \stackrel{{\scriptscriptstyle\$}}{\leftarrow} \mathbb{G}; b \stackrel{{\scriptscriptstyle\$}}{\leftarrow} \mathbb{Z}_{p}^{*}; \\ \noalign{\vspace*{3pt}} c \stackrel{{\scriptscriptstyle\$}}{\leftarrow}\{0,1\}; Z_{0} \gets e(g,h)^{b^{n}}; Z_1 \stackrel{{\scriptscriptstyle\$}}{\leftarrow} \mathbb{G}_{T} \\ \noalign{\vspace*{3pt}} c' \gets {\mathcal{A}}(g,h, g^b, g^{b^2},\ldots, g^{b^{n-1}}, g^{b^{n+1}}, \ldots, g^{b^{2n}},Z_{c}) \end{array}\right. \right] - \frac{1}{2} \right\vert . $$

Definition 7

(n-DDHE [10])

We say that the n-DDHE assumption holds in bilinear groups \(\mathbb{G}, \mathbb{G}_{T}\) if, for any n polynomial in k, any PPT algorithm \({\mathcal{A}}\) has advantage \(\mathbf {Adv}^{n\mathrm{DDHE}}_{{\mathcal{A}}}(k)\) at most negligible in k.

We can now state the following theorem to prove the full security of our scheme. Its proof follows very closely the proof of security of the Hohenberger–Waters VRF [32], and thus we do not give it here. However, for completeness, we provide it in Appendix C.

Theorem 10

Suppose the n-DDHE assumption holds in \(\mathbb{G}\); then the scheme of Sect. 5.2 is a secure VRF-suitable IB-KEM.

6 Conclusions

In this paper we introduced a new methodology to construct verifiable random functions from a class of identity-based key encapsulation schemes that we call VRF-suitable. We showed the applicability of our methods by providing two concrete realizations of the new primitive. The first one leads to a VRF that is very similar to the Dodis–Yampolskiy construction, while the second one leads to a new VRF. Moreover, the VRF resulting from our second construction enjoys the desired property of being fully-secure while efficiently supporting exponentially-large (in the security parameter) input spaces.

We observe that all known VRFs supporting large input spaces (ours as well as the schemes in [11, 33]) require proofs containing roughly \(\ell\) group elements, where \(\ell\) is the length of the identity string, and their proofs all hold under q-type assumptions. We therefore believe that a natural and very intriguing question left open by this research is to find more efficient instantiations of VRFs for large input spaces, possibly ones provably secure under constant-size assumptions.