Chosen-Ciphertext Security from Identity-Based Encryption

  • Ran Canetti
  • Shai Halevi
  • Jonathan Katz
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3027)


We propose a simple and efficient construction of a CCA-secure public-key encryption scheme from any CPA-secure identity-based encryption (IBE) scheme. Our construction requires the underlying IBE scheme to satisfy only a relatively “weak” notion of security which is known to be achievable without random oracles; thus, our results provide a new approach for constructing CCA-secure encryption schemes in the standard model. Our approach is quite different from existing ones; in particular, it avoids non-interactive proofs of “well-formedness” which were shown to underlie most previous constructions. Furthermore, applying our conversion to some recently-proposed IBE schemes results in CCA-secure schemes whose efficiency makes them quite practical.

Our technique extends to give a simple and reasonably efficient method for securing any binary tree encryption (BTE) scheme against adaptive chosen-ciphertext attacks. This, in turn, yields more efficient CCA-secure hierarchical identity-based and forward-secure encryption schemes in the standard model.


Chosen-ciphertext security Forward-secure encryption Identitybased encryption Public-key encryption 


  1. [agmm04]
    Aiello, B., Gertner, Y., Malkin, T., Myers, S.: Personal communicationGoogle Scholar
  2. [bdpr98]
    Bellare, M., Desai, A., Pointcheval, D., Rogaway, P.: Relations Among Notions of Security for Public-Key Encryption Schemes. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 26–45. Springer, Heidelberg (1998)Google Scholar
  3. [bfm88]
    Blum, M., Feldman, P., Micali, S.: Non-Interactive Zero-Knowledge and its Applications. In: 20th ACM Symposium on Theory of Computing (STOC), pp. 103–112. ACM, New York (1988)Google Scholar
  4. [bb04]
    Boneh, D., Boyen, X.: Efficient Selective-ID Secure Identity Based Encryption Without Random Oracles. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 223–238. Springer, Heidelberg (2004) (to appear)CrossRefGoogle Scholar
  5. [bf01]
    Boneh, D., Franklin, M.: Identity-Based Encryption from theWeil Pairing. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 213–229. Springer, Heidelberg (2001); Full version to appear in SIAM J. Computing and available at CrossRefGoogle Scholar
  6. [chk03]
    Canetti, R., Halevi, S., Katz, J.: A Forward-Secure Public-Key Encryption Scheme. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 255–271. Springer, Heidelberg (2003); Full version available at CrossRefGoogle Scholar
  7. [c01]
    Cocks, C.: An Identity-Based Encryption Scheme Based on Quadratic Residues. In: Honary, B. (ed.) Cryptography and Coding 2001. LNCS, vol. 2260, pp. 360–363. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  8. [cs98]
    Cramer, R., Shoup, V.: A Practical Public Key Cryptosystem Provably Secure Against Chosen Ciphertext Attack. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 13–25. Springer, Heidelberg (1998)Google Scholar
  9. [cs02]
    Cramer, R., Shoup, V.: Universal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure Public-Key Encryption. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 45–64. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  10. [cs03]
    Camenisch, J., Shoup, V.: Practical Verifiable Encryption and Decryption of Discrete Logarithms. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 126–144. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  11. [ddn00]
    Dolev, D., Dwork, C., Naor, M.: Non-Malleable Cryptography. SIAM J. Computing 30(2), 391–437 (2000)zbMATHCrossRefMathSciNetGoogle Scholar
  12. [es02]
    Elkind, E., Sahai, A.: A Unified Methodology For Constructing Public- Key Encryption Schemes Secure Against Adaptive Chosen-Ciphertext Attack. In: First Theory of Cryptography Conference, TCC (2004) (to appear), Available from
  13. [fls90]
    Feige, U., Lapidot, D., Shamir, A.: Multiple Non-Interactive Zero- Knowledge Proofs Under General Assumptions. SIAM J. Computing 29(1), 1–28 (1999)zbMATHCrossRefMathSciNetGoogle Scholar
  14. [gl03]
    Gennaro, R., Lindell, Y.: A Framework for Password-Based Authenticated Key Exchange. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 524–543. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  15. [gs02]
    Gentry, C., Silverberg, A.: Hierarchical Identity-Based Cryptography. In: Zheng, Y. (ed.) ASIACRYPT 2002. LNCS, vol. 2501, pp. 548–566. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  16. [gm84]
    Goldwasser, S., Micali, S.: Probabilistic Encryption. J. Computer System Sciences 28(2), 270–299 (1984)zbMATHCrossRefMathSciNetGoogle Scholar
  17. [hl02]
    Horwitz, J., Lynn, B.: Toward Hierarchical Identity-Based Encryption. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 466–481. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  18. [l79]
    Lamport, L.: Constructing Digital Signatures from a One-Way Function. Technical Report CSL-98, SRI International, Palo Alto (1979)Google Scholar
  19. [l03]
    Lindell, Y.: A Simpler Construction of CCA-Secure Public-Key Encryption Under General Assumptions. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 241–254. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  20. [mry04]
    MacKenzie, P., Reiter, M., Yang, K.: Alternatives to non-malleability: Definitions, constructions, and applications. In: Naor, M. (ed.) TCC 2004. LNCS, vol. 2951, pp. 171–190. Springer, Heidelberg (2004) (to appear)CrossRefGoogle Scholar
  21. [ny90]
    Naor, M., Yung, M.: Public-Key Cryptosystems Provably-Secure against Chosen-Ciphertext Attacks. In: 22nd ACM Symposium on Theory of Computing (STOC), pp. 427–437. ACM, New York (1990)Google Scholar
  22. [rs91]
    Rackoff, C., Simon, D.: Non-Interactive Zero-Knowledge Proof of Knowledge and Chosen Ciphertext Attack. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 433–444. Springer, Heidelberg (1992)Google Scholar
  23. [r90]
    Rompel, J.: One-Way Functions are Necessary and Sufficient for Secure Signatures. In: 22nd ACM Symposium on Theory of Computing (STOC), pp. 387–394. ACM, New York (1990)Google Scholar
  24. [s99]
    Sahai, A.: Non-Malleable Non-Interactive Zero Knowledge and Adaptive Chosen-Ciphertext Security. In: 40th IEEE Symposium on Foundations of Computer Science (FOCS), pp. 543–553. IEEE, Los Alamitos (1999)Google Scholar
  25. [s84]
    Shamir, A.: Identity-Based Cryptosystems and Signature Schemes. In: Blakely, G.R., Chaum, D. (eds.) CRYPTO 1984. LNCS, vol. 196, pp. 47–53. Springer, Heidelberg (1985)CrossRefGoogle Scholar
  26. [s98]
    Shoup, V.: Why Chosen Ciphertext Security Matters. IBM Research Report RZ 3076 (November 1998), Available at

Copyright information

© Springer-Verlag Berlin Heidelberg 2004

Authors and Affiliations

  • Ran Canetti
    • 1
  • Shai Halevi
    • 1
  • Jonathan Katz
    • 2
  1. 1.IBM T. J. Watson Research CenterHawthorne
  2. 2.Dept. of Computer ScienceUniversity of MarylandCollege Park

Personalised recommendations