Sakai–Ohgishi–Kasahara identity-based non-interactive key exchange revisited and more

Abstract

Identity-based non-interactive key exchange (IB-NIKE) is a powerful but a bit overlooked primitive in identity-based cryptography. While identity-based encryption and signature have been extensively investigated over the past three decades, IB-NIKE has remained largely unstudied. So far, there are only few IB-NIKE schemes in the literature. Among them, Sakai–Ohgishi–Kasahara (SOK) scheme is the first efficient and secure two-party IB-NIKE scheme, which has great influence on follow-up works. However, the SOK scheme required its identity mapping function to be modeled as a random oracle to prove security. Moreover, its existing security proof heavily relies on the ability of programming the random oracle. It is unknown whether such reliance is inherent. In this work, we intensively revisit the SOK IB-NIKE scheme and present a series of possible and impossible results in the random oracle model and the standard model. In the random oracle model, we first improve previous security analysis for the SOK IB-NIKE scheme by giving a tighter reduction. We then use meta-reduction technique to show that the SOK scheme is unlikely proven to be secure based on the computational bilinear Diffie–Hellman assumption without programming the random oracle. In the standard model, we show how to instantiate the random oracle in the SOK scheme with a concrete hash function from admissible hash functions (AHFs) and indistinguishability obfuscation. The resulting scheme is adaptively secure based on the decisional bilinear Diffie–Hellman inversion assumption. To the best of our knowledge, this is the first adaptively secure IB-NIKE scheme in the standard model that does not explicitly require multilinear maps. Previous schemes in the standard model either have merely selective security or require programmable hash functions from multilinear maps. At the technical heart of our scheme, we generalize the definition of AHFs and propose a generic construction which enables AHFs with previously unachieved parameters. This might be of independent interest. In addition, we present some new results about IB-NIKE. Firstly, we propose a generic construction of multiparty IB-NIKE from extractable witness PRFs and existentially unforgeable signatures. Secondly, we investigate the relation between semi-adaptive security and adaptive security of IB-NIKE. Somewhat surprisingly, we show that these two notions are polynomially equivalent.

Appendix: Review of standard primitives

1.1 Indistinguishability obfuscation

We recall the definition of indistinguishability obfuscator from [21] as below.

Definition 2

(Indistinguishability obfuscator (\(i{{\mathcal {O}}}\))) A uniform PPT machine \(i{{\mathcal {O}}}\) is called an indistinguishability obfuscator for a circuit class \(\{{{\mathcal {C}}}_{\kappa }\}\) if the following properties satisfied:

• Functionality preserving For all security parameters \(\kappa \in \mathbb {N}\), for all \(C \in {\mathcal {C}}_\kappa \), for all inputs \(x\), we have that:

  $$\begin{aligned} \Pr [C'(x) = C(x): C' \leftarrow i{{\mathcal {O}}}(\kappa , C)] = 1 \end{aligned}$$

• Indistinguishability obfuscation For any pairs of PPT adversaries \(({\mathcal {S}}, {\mathcal {D}})\), there exists a negligible function \(\alpha \) such that if \(\Pr [\forall x, C_0(x) = C_1(x): (C_0, C_1, state)\) \(\leftarrow {\mathcal {S}}(\kappa )] \!\ge \! 1- \alpha (\kappa )\), and then, we have: \(| \Pr [{\mathcal {D}}(state, i{{\mathcal {O}}}(\kappa , C_0))\) \(= 1]- \Pr [{\mathcal {D}}(state, i{{\mathcal {O}}}(\kappa , C_1)) = 1] | \le \alpha (\kappa ).\)

In this paper, we are interested in indistinguishability obfuscators for all polynomial-size circuits.

1.2 Constrained PRFs

Recently, the concept of constrained pseudorandom functions⁸ was proposed in the concurrent works of Kiayias, Papadopoulos, Triandopoulos and Zacharias [25], Boneh and Waters [7], and Boyle et al. [9]. More precisely, constrained PRFs are defined as below:

Definition 3

(Constrained PRFs) A family of constrained PRFs \(\mathsf {F}: K \times X \rightarrow Y\) is defined over a key space \(K\), a domain \(X\), and a range \(Y\) (these sets may be parameterized by the security parameter \(\kappa \)) with respect to a predicate family \(P = \{p: X \rightarrow \{0,1\}\}\). It consists of three polynomial-time algorithms \(\mathsf {KeyGen}\), \(\mathsf {Constrain}\), and \(\mathsf {Eval}\) satisfying the following properties:

• \(\mathsf {KeyGen}(\kappa )\): on input a security parameter \(\kappa \), output a secret key \(k \in K\). As shorthand, we will occasionally write \(\mathsf {F}_k(x)\) for \(\mathsf {F}(k, x)\).

• \(\mathsf {Constrain}(k, p)\): on input a secret key \(k\) and a predicate \(p \in P\), output a constrained key \(k_p\). The key \(k_p\) enables the evaluation of \(\mathsf {F}(k, x)\) for all \(x\) such that \(p(x)=1\) and no other \(x\). As shorthand, we will occasionally write \(k(p)\) for \(k_p\).

• \(\mathsf {Eval}(k_p, x)\): on input a constrained key \(k_p\) and an \(x \in X\), output \(\mathsf {F}(k_p, x)\).

• Correctness For any \(k \leftarrow \mathsf {KeyGen}(\kappa )\), any \(S \in {\mathcal {S}}\), any \(k_p \leftarrow \mathsf {Constrain}(k, p)\), and any \(x \in X\), we have:

  $$\begin{aligned} \mathsf {F}(k_p, x) = \left\{ \begin{array}{l@{\quad }l} \mathsf {F}(k, x) &{} \hbox {if } p(x)=1\\ \bot &{} \hbox {otherwise} \end{array} \right. \end{aligned}$$

• Security Let \({\mathcal {A}} = ({\mathcal {A}}_1, {\mathcal {A}}_2)\) be an adversary against constrained PRFs and define its advantage \(\mathsf {Adv}_{\mathcal {A}}(\kappa )\) as:

  $$\begin{aligned} \Pr \!\left[ \!b \!=\! b':~ \begin{array}{ll} &{} (\mathrm{pp}, k) \leftarrow \mathsf {KeyGen}(\kappa );\\ &{} (x^*, state) \leftarrow {\mathcal {A}}_1^{{\mathcal {O}}_\mathsf {constrain}(\cdot ), {\mathcal {O}}_\mathsf {eval}(\cdot )}(pp);\\ &{} y_0^* \xleftarrow {\text {R}}Y, y_1^* \leftarrow \mathsf {F}(k, x^*);\\ &{} b \leftarrow \{0,1\}; \\ &{} b' \leftarrow {\mathcal {A}}_2^{{\mathcal {O}}_\mathsf {constrain}(\cdot ), {\mathcal {O}}_\mathsf {eval}(\cdot )}(state, y_b^*); \end{array} \!\!\right] \!-\! \frac{1}{2}, \end{aligned}$$

  where \({\mathcal {O}}_\mathsf {constrain}(p) = \mathsf {Constrain}(k, p)\), \({\mathcal {O}}_\mathsf {eval}(x) = \mathsf {F}(k, x)\). Both \({\mathcal {A}}_1\) and \({\mathcal {A}}_2\) are not allowed to query \({\mathcal {O}}_\mathsf {constrain}(\cdot )\) for \(p\) such that \(p(x^*) = 1\) and not allowed to query \({\mathcal {O}}_\mathsf {eval}(\cdot )\) for \(x^*\). We say that constrained PRFs are pseudorandom if for any PPT adversary its advantage function \(\mathsf {Adv}_{\mathcal {A}}(\kappa )\) is negligible in \(\kappa \).

1.3 Signatures

We recall the definition of signature as below.

Definition 4

(Signature) A signature scheme with message space \(M\) and signature space \(\varSigma \) consists of three PPT algorithms as follows:

• \(\mathsf {KeyGen}(\kappa )\): take as input a security parameter \(\kappa \), output a verification key \(vk\) and a signing key \(sk\). Let \(M\) be the message space and \(\varSigma \) be the signature space.

• \(\mathsf {Sign}(sk_\sigma , m)\): take as input a signing key \(sk\) and a message \(m \in M\), output a signature \(\sigma \in \varSigma \).

• \(\mathsf {Verify}(vk, m, \sigma )\): take as input a verification key \(vk\), a message \(m\), and a signature \(\sigma \), output \(1\) indicates “acceptance” and \(0\) indicates “rejection.”

• Correctness For all \((vk, sk) \leftarrow \mathsf {KeyGen}(\kappa )\) and all \(m \in M\), we have \(\mathsf {Verify}(vk, m, \mathsf {Sign}(sk, m)) = 1\). If \((\sigma , m)\) satisfies \(\mathsf {Verify}(vk, m, \sigma ) = 1\), then \(\sigma \) is said to be a valid signature of message \(m\) under the verification key \(vk\).

• Security Let \({\mathcal {A}}\) be an adversary against the signature and define its advantage \(\mathsf {Adv}_{\mathcal {A}}(\kappa )\) as:

  $$\begin{aligned} \Pr \left[ \! \mathsf {Verify}(vk, m^*, \sigma ^*)\!=\!1:~ \begin{array}{ll} &{} (vk, sk) \leftarrow \mathsf {KeyGen}(\kappa );\\ &{} (m^*, \sigma ^*) \leftarrow {\mathcal {A}}^{{\mathcal {O}}_\mathsf {sign}(\cdot )}(vk);\\ \end{array} \!\right] \!, \end{aligned}$$

  where \({\mathcal {O}}_\mathsf {sign}(m) = \mathsf {Sign}(sk, m)\). \({\mathcal {A}}\) is not allowed to query \({\mathcal {O}}_\mathsf {constrain}(\cdot )\) for \(m^*\). We say that a signature is existentially unforgeability under adaptive chosen-message attack (EUF-CMA) if for any PPT adversary its advantage function \(\mathsf {Adv}_{\mathcal {A}}(\kappa )\) is negligible in \(\kappa \).