Journal of Cryptology, Volume 27, Issue 3, pp 544–593

Verifiable Random Functions: Relations to Identity-Based Key Encapsulation and New Constructions

Article

Abstract

In this paper we show a relation between the notions of verifiable random functions (VRFs) and identity-based key encapsulation mechanisms (IB-KEMs). In particular, we propose a class of IB-KEMs that we call VRF-suitable, and we propose a direct construction of VRFs from VRF-suitable IB-KEMs. Informally, an IB-KEM is VRF-suitable if it provides what we call unique decapsulation (i.e., given a ciphertext C produced with respect to an identity ID, all the secret keys corresponding to an identity ID′ decapsulate C to the same value, even if ID ≠ ID′), and it satisfies an additional property that we call pseudo-random decapsulation. In a nutshell, pseudo-random decapsulation means that if one decapsulates a ciphertext C, produced with respect to an identity ID, using the decryption key corresponding to any other identity ID′, the resulting value looks random to a polynomially bounded observer. Our construction is of interest both from a theoretical and a practical perspective. Indeed, apart from establishing a connection between two seemingly unrelated primitives, our methodology is direct in the sense that, in contrast to most previous constructions, it avoids the inefficient Goldreich–Levin hardcore bit transformation. As an additional contribution, we propose a new VRF-suitable IB-KEM based on the decisional ℓ-weak Bilinear Diffie–Hellman Inversion assumption. Interestingly, when applying our transformation to this scheme, we obtain a new VRF construction that is secure under the same assumption, and it efficiently supports a large input space.

Key words

Verifiable random functions; Identity-based encryption; Pseudo-randomness


Copyright information

© International Association for Cryptologic Research 2013

Authors and Affiliations

  1. Département d’Informatique, École Normale Supérieure, Paris, France
  2. Dipartimento di Matematica e Informatica, Università di Catania, Catania, Italy
  3. Max Planck Institute for Software Systems (MPI-SWS), Saarbrücken, Germany