# Verifiable Random Functions: Relations to Identity-Based Key Encapsulation and New Constructions

- 776 Downloads
- 9 Citations

## Abstract

In this paper we show a relation between the notions of verifiable random functions (VRFs) and identity-based key encapsulation mechanisms (IB-KEMs). In particular, we propose a class of IB-KEMs that we call VRF-suitable, and we propose a direct construction of VRFs from VRF-suitable IB-KEMs. Informally, an IB-KEM is VRF-suitable if it provides what we call *unique decapsulation* (i.e., given a ciphertext *C* produced with respect to an identity *ID*, all the secret keys corresponding to identity *ID*′, decapsulate to the same value, even if *ID*≠*ID*′), and it satisfies an additional property that we call *pseudo-random decapsulation*. In a nutshell, pseudo-random decapsulation means that if one decapsulates a ciphertext *C*, produced with respect to an identity *ID*, using the decryption key corresponding to any other identity *ID*′, the resulting value looks random to a polynomially bounded observer. Our construction is of interest both from a theoretical and a practical perspective. Indeed, apart from establishing a connection between two seemingly unrelated primitives, our methodology is *direct* in the sense that, in contrast to most previous constructions, it avoids the inefficient Goldreich–Levin hardcore bit transformation. As an additional contribution, we propose a new VRF-suitable IB-KEM based on the decisional *ℓ*-weak Bilinear Diffie–Hellman Inversion assumption. Interestingly, when applying our transformation to this scheme, we obtain a new VRF construction that is secure under the same assumption, and it efficiently supports a large input space.

## Key words

Verifiable random functions Identity-based encryption Pseudo-randomness## Notes

### Acknowledgements

We thank Gregory Neven for collaborating with us at an early stage of this research. We also thank Eike Kiltz and Jonathan Katz for helpful discussions. The work of the second author was partially done while visiting the Computer Science Department at École Normale Supérieure. The third author did this work while he was student at University of Catania, and later while working at ENS. This work was supported in part by the European Commission through the IST Program under Contract ICT-2007-216646 ECRYPT II and in part by the French National Research Agency through the PACE project.

## References

- [1]M. Abdalla, D. Catalano, D. Fiore, Verifiable random functions from identity-based key encapsulation, in
*Advances in Cryptology—EUROCRYPT 2009*, Cologne, Germany, April 26–30, ed. by A. Joux. Lecture Notes in Computer Science, vol. 5479 (Springer, Berlin, 2009), pp. 554–571 CrossRefGoogle Scholar - [2]B. Barak, Y. Dodis, H. Krawczyk, O. Pereira, K. Pietrzak, F.-X. Standaert, Y. Yu, Leftover hash lemma, revisited, in
*Advances in Cryptology—CRYPTO 2011*, Santa Barbara, CA, USA, August. Lecture Notes in Computer Science (Springer, Berlin, 2011), pp. 1–20 CrossRefGoogle Scholar - [3]K. Bentahar, P. Farshim, J. Malone-Lee, N.P. Smart, Generic constructions of identity-based and certificateless KEMs.
*J. Cryptol.***21**(2), 178–199 (2008) CrossRefMATHMathSciNetGoogle Scholar - [4]D. Boneh, X. Boyen, Efficient selective-ID secure identity based encryption without random oracles, in
*Advances in Cryptology—EUROCRYPT 2004*, Interlaken, Switzerland, May 2–6, ed. by C. Cachin, J. Camenisch. Lecture Notes in Computer Science, vol. 3027 (Springer, Berlin, 2004), pp. 223–238 CrossRefGoogle Scholar - [5]D. Boneh, X. Boyen, Secure identity based encryption without random oracles, in
*Advances in Cryptology—CRYPTO 2004*, Santa Barbara, CA, USA, August 15–19, ed. by M. Franklin. Lecture Notes in Computer Science, vol. 3152 (Springer, Berlin, 2004), pp. 443–459 CrossRefGoogle Scholar - [6]D. Boneh, X. Boyen, Short signatures without random oracles, in
*Advances in Cryptology—EUROCRYPT 2004*, Interlaken, Switzerland, May 2–6, ed. by C. Cachin, J. Camenisch. Lecture Notes in Computer Science, vol. 3027 (Springer, Berlin, 2004), pp. 56–73 CrossRefGoogle Scholar - [7]D. Boneh, M.K. Franklin, Identity-based encryption from the Weil pairing, in
*Advances in Cryptology—CRYPTO 2001*, Santa Barbara, CA, USA, August 19–23, ed. by J. Kilian. Lecture Notes in Computer Science, vol. 2139 (Springer, Berlin, 2001), pp. 213–229 CrossRefGoogle Scholar - [8]D. Boneh, X. Boyen, H. Shacham, Short group signatures, in
*Advances in Cryptology—CRYPTO 2004*, Santa Barbara, CA, USA, August 15–19, ed. by M. Franklin. Lecture Notes in Computer Science, vol. 3152 (Springer, Berlin, 2004), pp. 41–55 CrossRefGoogle Scholar - [9]D. Boneh, X. Boyen, E.-J. Goh, Hierarchical identity based encryption with constant size ciphertext, in
*Advances in Cryptology—EUROCRYPT 2005*, Aarhus, Denmark, May 22–26, ed. by R. Cramer. Lecture Notes in Computer Science, vol. 3494 (Springer, Berlin, 2005), pp. 440–456 CrossRefGoogle Scholar - [10]D. Boneh, C. Gentry, B. Waters, Collusion resistant broadcast encryption with short ciphertexts and private keys, in
*Advances in Cryptology—CRYPTO 2005*, Santa Barbara, CA, USA, August 14–18, ed. by V. Shoup. Lecture Notes in Computer Science, vol. 3621 (Springer, Berlin, 2005), pp. 258–275 CrossRefGoogle Scholar - [11]D. Boneh, H.W. Montgomery, A. Raghunathan, Algebraic pseudorandom functions with improved efficiency from the augmented cascade, in
*ACM CCS 10: The 17th Conference on Computer and Communications Security*, Chicago, Illinois, USA, October 4–8, ed. by E. Al-Shaer, A.D. Keromytis, V. Shmatikov (ACM Press, New York, 2010), pp. 4–8 Google Scholar - [12]Z. Brakerski, S. Goldwasser, G.N. Rothblum, V. Vaikuntanathan, Weak verifiable random functions, in
*TCC 2009: The 6th Theory of Cryptography Conference*, March 15–17, ed. by R. Omer. Lecture Notes in Computer Science, vol. 5444 (Springer, Berlin, 2009), pp. 558–576 Google Scholar - [13]R. Canetti, S. Halevi, J. Katz, A forward-secure public-key encryption scheme, in
*Advances in Cryptology—EUROCRYPT 2003*, Warsaw, Poland, May 4–8, ed. by E. Biham. Lecture Notes in Computer Science, vol. 2656 (Springer, Berlin, 2003), pp. 255–271 CrossRefGoogle Scholar - [14]D. Cash, D. Hofheinz, E. Kiltz, C. Peikert, Bonsai trees, or how to delegate a lattice basis, in
*Advances in Cryptology—EUROCRYPT 2010*, French Riviera, May 30–June 3, ed. by H. Gilbert. Lecture Notes in Computer Science, vol. 6110 (Springer, Berlin, 2010), pp. 523–552 CrossRefGoogle Scholar - [15]D. Cash, D. Hofheinz, E. Kiltz, C. Peikert, Bonsai trees, or how to delegate a lattice basis.
*J. Cryptol.***25**, 601–639 (2012) CrossRefMATHMathSciNetGoogle Scholar - [16]M. Chase, A. Lysyanskaya, Simulatable VRFs with applications to multi-theorem NIZK, in
*Advances in Cryptology—CRYPTO 2007*, Santa Barbara, CA, USA, August 19–23, ed. by A. Menezes. Lecture Notes in Computer Science, vol. 4622 (Springer, Berlin, 2007), pp. 303–322 CrossRefGoogle Scholar - [17]J.H. Cheon, Security analysis of the strong Diffie–Hellman problem, in
*Advances in Cryptology—EUROCRYPT 2006*, St. Petersburg, Russia, May 28–June 1, ed. by S. Vaudenay. Lecture Notes in Computer Science, vol. 4004 (Springer, Berlin, 2006), pp. 1–11 CrossRefGoogle Scholar - [18]R. Cramer, G. Hanaoka, D. Hofheinz, H. Imai, E. Kiltz, R. Pass, A. Shelat, V. Vaikuntanathan, Bounded CCA2-secure encryption, in
*Advances in Cryptology—ASIACRYPT 2007*, Kuching, Malaysia, December 2–6, ed. by K. Kurosawa. Lecture Notes in Computer Science, vol. 4833 (Springer, Berlin, 2007), pp. 502–518 CrossRefGoogle Scholar - [19]W. Diffie, M.E. Hellman, New directions in cryptography.
*IEEE Trans. Inf. Theory***22**(6), 644–654 (1976) CrossRefMATHMathSciNetGoogle Scholar - [20]Y. Dodis, Efficient construction of (distributed) verifiable random functions, in
*PKC 2003: The 6th International Workshop on Theory and Practice in Public Key Cryptography*, Miami, USA, January 6–8, ed. by Y. Desmedt. Lecture Notes in Computer Science, vol. 2567 (Springer, Berlin, 2003), pp. 1–17 CrossRefGoogle Scholar - [21]Y. Dodis, P. Puniya, Verifiable random permutations. Cryptology ePrint Archive, Report 2006/078, 2006. http://eprint.iacr.org/
- [22]Y. Dodis, A. Yampolskiy, A verifiable random function with short proofs and keys, in
*PKC 2005: the 8th International Workshop on Theory and Practice in Public Key Cryptography, Les Diablerets*, Les Diablerets, Switzerland, January 23–26, ed. by S. Vaudenay. Lecture Notes in Computer Science, vol. 3386 (Springer, Berlin, 2005), pp. 416–431 CrossRefGoogle Scholar - [23]Y. Dodis, J. Katz, S. Xu, M. Yung, Key-insulated public key cryptosystems, in
*Advances in Cryptology—EUROCRYPT 2002*, Amsterdam, The Netherlands, April 28–May 2, ed. by L.R. Knudsen. Lecture Notes in Computer Science, vol. 2332 (Springer, Berlin, 2002), pp. 65–82 CrossRefGoogle Scholar - [24]T. ElGamal, A public key cryptosystem and a signature scheme based on discrete logarithms, in
*Advances in Cryptology—CRYPTO’84*, Santa Barbara, CA, USA, August 19–23, ed. by G.R. Blakley, D. Chaum. Lecture Notes in Computer Science, vol. 196 (Springer, Berlin, 1985), pp. 10–18 CrossRefGoogle Scholar - [25]P. Erdös, P. Frankel, Z. Furedi, Families of finite sets in which no set is covered by the union of
*r*others.*Isr. J. Math.***51**, 79–89 (1985) CrossRefMATHGoogle Scholar - [26]D. Fiore, D. Schröder, Uniqueness is a different story: impossibility of verifiable random functions from trapdoor permutations, in
*TCC 2012: The 9th Theory of Cryptography Conference*, Taormina, Sicily, Italy, March 19–21, ed. by R. Cramer. Lecture Notes in Computer Science, vol. 7194 (Springer, Berlin, 2012), pp. 636–653 Google Scholar - [27]C. Gentry, Practical identity-based encryption without random oracles, in
*Advances in Cryptology—EUROCRYPT 2006*, St. Petersburg, Russia, May 28–June 1, ed. by S. Vaudenay. Lecture Notes in Computer Science, vol. 4004 (Springer, Berlin, 2006), pp. 445–464 CrossRefGoogle Scholar - [28]O. Goldreich, L.A. Levin, A hard-core predicate for all one-way functions, in
*21st ACM STOC Annual ACM Symposium on Theory of Computing*, Seattle, Washington, USA, May 15–17 (ACM Press, New York, 1989), pp. 25–32 Google Scholar - [29]S. Goldwasser, R. Ostrovsky, Invariant signatures and non-interactive zero-knowledge proofs are equivalent (extended abstract), in
*Advances in Cryptology—CRYPTO’92*, Santa Barbara, CA, USA, August 16–20, ed. by E.F. Brickell. Lecture Notes in Computer Science, vol. 740 (Springer, Berlin, 1993), pp. 228–245 Google Scholar - [30]J. Håstad, R. Impagliazzo, L.A. Levin, M. Luby, A pseudorandom generator from any one-way function.
*SIAM J. Comput.***28**(4), 1364–1396 (1999) CrossRefMATHMathSciNetGoogle Scholar - [31]S.-H. Heng, K. Kurosawa, k-resilient identity-based encryption in the standard model, in
*Topics in Cryptology—CT-RSA 2004*, San Francisco, CA, USA, February 23–27, ed. by T. Okamoto. Lecture Notes in Computer Science, vol. 2964 (Springer, Berlin, 2004), pp. 67–80 CrossRefGoogle Scholar - [32]S. Hohenberger, B. Waters, Realizing hash-and-sign signatures under standard assumptions, in
*Advances in Cryptology—EUROCRYPT 2009*, Cologne, Germany, April 26–30, ed. by A. Joux. Lecture Notes in Computer Science, vol. 5479 (Springer, Berlin, 2009), pp. 333–350 CrossRefGoogle Scholar - [33]S. Hohenberger, B. Waters, Constructing verifiable random functions with large input spaces, in
*Advances in Cryptology—EUROCRYPT 2010*, French Riviera, May 30–June 3, ed. by H. Gilbert. Lecture Notes in Computer Science, vol. 6110 (Springer, Berlin, 2010), pp. 656–672 CrossRefGoogle Scholar - [34]S. Jarecki, V. Shmatikov, Handcuffing big brother: an abuse-resilient transaction escrow scheme, in
*Advances in Cryptology—EUROCRYPT 2004*, Interlaken, Switzerland, May 2–6, ed. by C. Cachin, J. Camenisch. Lecture Notes in Computer Science, vol. 3027 (Springer, Berlin, 2004), pp. 590–608 CrossRefGoogle Scholar - [35]R. Kumar, S. Rajagopalan, A. Sahai, Coding constructions for blacklisting problems without computational assumptions, in
*Advances in Cryptology—CRYPTO’99*, Santa Barbara, CA, USA, August 15–19, ed. by M.J. Wiener. Lecture Notes in Computer Science, vol. 1666 (Springer, Berlin, 1999), pp. 609–623 Google Scholar - [36]M. Liskov, Updatable zero-knowledge databases, in
*Advances in Cryptology—ASIACRYPT 2005*, Chennai, India, December 4–8, ed. by B.K. Roy. Lecture Notes in Computer Science, vol. 3788 (Springer, Berlin, 2005), pp. 174–198 CrossRefGoogle Scholar - [37]M. Luby, C. Rackoff, How to construct pseudorandom permutations from pseudorandom functions.
*SIAM J. Comput.***17**(2) (1988) Google Scholar - [38]A. Lysyanskaya, Unique signatures and verifiable random functions from the DH-DDH separation, in
*Advances in Cryptology—CRYPTO 2002*, Santa Barbara, CA, USA, August 18–22, ed. by M. Yung. Lecture Notes in Computer Science, vol. 2442 (Springer, Berlin, 2002), pp. 597–612 CrossRefGoogle Scholar - [39]S. Micali, L. Reyzin, Soundness in the public-key model, in
*Advances in Cryptology—CRYPTO 2001*, Santa Barbara, CA, USA, August 19–23, ed. by J. Kilian. Lecture Notes in Computer Science, vol. 2139 (Springer, Berlin, 2001), pp. 542–565 CrossRefGoogle Scholar - [40]S. Micali, R.L. Rivest, Micropayments revisited, in
*Topics in Cryptology—CT-RSA 2002*, San Jose, CA, USA, February 18–22, ed. by B. Preneel. Lecture Notes in Computer Science, vol. 2271 (Springer, Berlin, 2002), pp. 149–163 CrossRefGoogle Scholar - [41]S. Micali, M.O. Rabin, S.P. Vadhan, Verifiable random functions, in
*40th Annual Symposium on Foundations of Computer Science*, New York, New York, USA, October 17–19 (IEEE Computer Society Press, Los Alamitos, 1999), pp. 120–130 Google Scholar - [42]M. Naor, O. Reingold, Number-theoretic constructions of efficient pseudo-random functions, in
*38th Annual Symposium on Foundations of Computer Science*, Miami Beach, Florida, October 19–22 (IEEE Computer Society Press, Los Alamitos, 1997), pp. 458–467 CrossRefGoogle Scholar - [43]R. Sakai, M. Kasahara, Id based cryptosystems with pairing on elliptic curve, in
*2003 Symposium on Cryptography and Information Security—SCIS’2003*, Hamamatsu, Japan (2003). http://eprint.iacr.org/2003/054 Google Scholar - [44]A. Shamir, Identity-based cryptosystems and signature schemes, in
*Advances in Cryptology—CRYPTO’84*, Santa Barbara, CA, USA, August 19–23, ed. by G.R. Blakley, D. Chaum. Lecture Notes in Computer Science, vol. 196 (Springer, Berlin, 1985), pp. 47–53 CrossRefGoogle Scholar - [45]V. Shoup,
*A Computational Introduction to Number Theory and Algebra*(Cambridge University Press, Cambridge, 2005) CrossRefMATHGoogle Scholar - [46]B.R. Waters, Efficient identity-based encryption without random oracles, in
*Advances in Cryptology—EUROCRYPT 2005*, Aarhus, Denmark, May 22–26, ed. by R. Cramer. Lecture Notes in Computer Science, vol. 3494 (Springer, Berlin, 2005), pp. 114–127 CrossRefGoogle Scholar