SCIS 2006 The 2006 Symposium on and Information Security All rights are reserved and copyright of this manuscript belongs to the authors. Hiroshima, Japan, Jan. 17-20, 2006 This manuscript has been published without reviewing and editing as received The Institute of Electronics, from the authors: posting the manuscript to SCIS 2006 does not prevent future Information and Communication Engineers submissions to any journals or conferences with proceedings.

Universally Composable Identity-Based

Ryo Nishimaki ∗ Yoshifumi Manabe ∗ † Tatsuaki Okamoto ∗ †

Abstract— The identity-based encryption (IBE) is one of the most important primitives in cryp- tography, and various security notions of IBE (e.g., IND-ID-CCA2, NM-ID-CCA2, IND-sID-CPA etc.) have been introduced and the relations among them have been clarified recently. This paper, for the first time, investigate the security of IBE in the universally composable (UC) framework. This paper first defines the UC-security of IBE, i.e., we define the ideal functionality of IBE, FIBE. We then show that UC-secure IBE is equivalent to conventionally-secure (IND-ID-CCA2-secure) IBE. This paper also introduces the UC-security of weaker security notions of IBE, which correspond to IND-ID-CPA IBE and IND-sID-CCA2. We finally prove that Boneh-Franklin’s suggestion on the construction of a secure signatures from an IND-ID-CPA IBE scheme is true in the UC framework. Keywords: identity-based encryption, IND-ID-CCA2, universal composition, digital signatures

1 Introduction entionally-secure primitives/protocols has been one of the significant topics in cryptography [4, 5, 8, 9, 11]. 1.1 Background Since UC represents stronger security requirements, a The concept of identity-based encryption (IBE) was lot of conventionally-secure protocols fail to meet UC introduced by Shamir [12], and is a variant of public- security requirements. For example, we cannot design encryption (PKE), where the identity of a user is secure two party protocols in the UC framework with employed in place of the user’s public-key. no setup assumption, while there are conventionally- Boneh and Franklin [2] defined the security, IND- secure two party protocols (e.g., commitment and zero- ID-CCA2 (indistinguishable against adaptively chosen- knowledge proofs) with no setup assumption. attacks under chosen identity attacks), as However, we know that the conventional security the desirable security of IBE schemes. Canetti, Halevi, notions are equivalent to UC security notions for a and Katz [6, 7] defined a weaker notion of security in few cryptographic primitives. For example, UC-secure which the adversary commits ahead of time to the chal- PKE is equivalent to conventionally-secure (IND-CCA2- lenge identity it will attack. We refer to this notion as secure) PKE [3] and UC-secure signatures are equiva- selective identity (sID) adaptively chosen-ciphertext se- lent to conventionally-secure (existentially unforgeable cure IBE (IND-sID-CCA2). In addition, they also de- against chosen message attacks: EUF-CMA-secure) sig- fine a weaker security notion of IBE, selective-identity natures [4]. chosen-plaintext (CPA) secure IBE (IND-sID-CPA). At- IBE is a more complex than trapadung et. al. [1], and Galindo and Hasuo [10] PKE and signatures, so it is not clear whether conventi- introduced the non-malleability (NM) in the security onally-secure (i.e., IND-ID-CCA2-secure) IBE is equiv- notion of IBE. Thus, the security definitions consid- alent to UC-secure IBE or not. Since IBE is one of the ered up to now in the literature are: G-A1-A2, where most significant primitives like PKE and signatures in G ∈ {IND, NM}, A1 ∈ {ID, sID}, ID denotes full- cryptography, it is important to clarify the relationship identity attacks, and A2 ∈ {CPA, CCA1, CCA2}. between the UC security and conventional security no- Attrapadung et. al. [1], and Galindo and Hasuo tions of IBE. The UC security of IBE, however, has not [10] have clarified the relationship among these no- been investigated. tions, and shown that IND-ID-CCA2 is equivalent to That is, we have the following problems: the strongest security notion, NM-ID-CCA2, among them. 1. What is the security definition of IBE in the UC Since Canetti introduced universal composability (UC) framework (i.e., how to define an ideal function- as a new framework for analyzing the security of cryp- ality of IBE)? tographic primitives/protocols [3], investing the rela- 2. Is UC-secure IBE equivalent to IND-ID-CCA2- tion between UC-secure primitives/protocols and conv- secure IBE? ∗ Department of Social Informatics, Graduate School of Infor- Some weaker security notions of IBE than IND-ID- matics, Kyoto University, Yoshidahonmachi, Sakyo-ku, Kyoto- CCA2 are also useful to construct a secure (IND-CCA2) shi, Japan, [email protected] † NTT Laboratories, 1-1 Hikari-no-oka, Yokosuka- PKE scheme and a secure (EUF-CMA) signatures. For shi, Japan, [email protected], example, Canetti, Halevi and Katz [7] have shown how [email protected] to construct a secure PKE scheme from a selective-ID- We say that a function g : < → < is negligible if for | | 1 secure (IND-sID-CPA-secure) IBE scheme. Boneh and any d > 0 we have g(k) < kd for sufficiently large k. Franklin [2] suggested a construction of a secure signa- tures from an IND-ID-CPA IBE scheme. 2.2 Identity-Based Encryption The UC security treatment of such weaker security Identity-Based Encryption scheme Identity-based notions of IBE may provide insight into a new relation- encryption scheme Σ is specified by four algorithms: S, ship between IBE and other primitives and also offer a X , E, D: simpler and more clear proof of the relations than the Setup: S takes security parameter k and returns params conventional proofs. Therefore, it should be significant (system parameters) and mk (master-key). The to define the weaker security notions of IBE in the UC system parameters include a description of a fi- framework. nite message space M, and a description of a fi- That is, we have the following problem: nite ciphertext space C. 1. What are the UC security definitions of the weaker Extract: X takes as input params, mk, and an ar- security notions of IBE? bitrary ID ∈ {0, 1}∗, and returns private key d. 2. How to prove the constructibility of secure PKE/ Here ID is an arbitrary string that will be used signatures from the weaker security notions of as a public key, and d is the corresponding private IBE in the UC framework? decryption key. E ∈ M 1.2 Our Results Encrypt: takes as input params, ID, and M . It returns a ciphertext C ∈ C. This paper answers the above-mentioned problems: Decrypt: D takes as input params, C ∈ C, and a 1. This paper defines the UC-security of IBE, i.e., private key d. It returns M ∈ M. we define the ideal functionality of IBE, FIBE. These algorithms must satisfy the standard consis- 2. We show that UC-secure IBE is equivalent to tency constraint, namely, conventionally-secure (IND-ID-CCA2-secure) IBE. ∀M ∈ M : D(params, C, d) = M where C = 3. We define the ideal functionalities of weaker se- E(params, ID, M), d = X (params, mk, ID) F ND F sID curity notions of IBE, IBE and IBE. We then F ND 2.3 Definitions of security notions for IBE schemes show that UC-secure IBE with IBE is equivalent to IND-ID-CPA IBE, and that UC-secure IBE Let A = (A1, A2) be an adversary; we say A is poly- F sID nomial time if both probabilistic algorithm A and A with IBE is equivalent to IND-sID-CCA2 IBE. 1 2 are polynomial time. At the first stage, given the sys- 4. We prove that Boneh-Franklin’s suggestion [2] tem parameters, the adversary computes and outputs on the construction of a secure signatures from challenge template τ. A1 can output some information an IND-ID-CPA IBE scheme is true in the UC s which will be transferred to A2. At the second stage, framework. That is, we present a protocol which the adversary is challenged with ciphertext y∗ gener- F F ND UC-realizes ideal functionality SIGW in the IBE- ated from τ by a probabilistic function, in a manner F hybrid model, where SIGW is an ideal function- depending on the goal. We say adversary A success- F ality with (normal) unforgeability, while SIG de- fully breaks the scheme if she achieves her goal. We fined by Canetti [4] represents strong unforgeabil- consider a security goal, IND [1, 10], and three attack ity. models, ID-CPA, ID-CCA, ID-CCA2, listed in order of increasing strength. The difference among the models 2 Preliminaries is whether or not A1 or A2 is granted access to decryp- 2.1 Conventions tion oracles. We describe in Table 1 the ability with which the adversary can, in the different attack mod- Notations We describe probabilistic algorithms and els, access the Extraction Oracle X (params, mk, ·), the experiments with standard notations and conventions. Encryption Oracle E(params, ID, ·) and the Decryp- For probabilistic algorithm A, A(x1, x2, ...; r) is the re- tion Oracle D(params, d, ·) (We omit parameters in sult of running A that takes as inputs x1, x2, ... and Table 1). When we say O = {EO , XO , DO } = ← i i i i coins r. We let y A(x1, x2, ...) denote the exper- {X (params, mk, ·), E(params, ID, ·), ²}, where i ∈ {1, 2}, iment of picking r at random and letting y equal the we mean DO is a function that returns a empty string ← i output of A(x1, x2, ...; r). If S is a finite set, then x S ² on any input. denotes the experiment of assigning to x an element uniformly chosen from S. If α is neither an algorithm Indistinguishability Let IBE = (S, X , E, D) be an nor a set, then x ← α indicates that we assign α to x. identity based encryption scheme and let A = (A1, A2) ∈ { } We say that y can be output by A(x1, x2, ...) if there be an adversary. For atk id-cpa, id-cca, id-cca2 ∈ is some r such that A(x1, x2, ...; r) = y. Mˆ denotes a and k N let, M Mˆ subset of message space , where the elements of ind-atk are distributed according to the distribution designated AdvIBE,A (k) by some algorithm. ind-atk-1 − ind-atk-0 = Pr[ExpIBE,A (k) = 1] Pr[ExpIBE,A (k) = 1] ∈ { } | | | | where for b, d 0, 1 and m0 = m1 , Functionality FIBE ind-atk-b Experiment ExpIBE,A (k) FIBE proceeds as follows, running with parties (params, mk) ← S(k); P1,...,Pn and adversary S. O ← A 1 (m0, m1, s, ID) 1 (params); Setup ∗ c ← E(params, ID, mb); In the first activation, expect to receive a value O ← A 2 ∗ d 2 (m0, m1, s, c ,ID); (Setup, sid, Pi) from some party Pi. Then do: return d 1. Hand (Setup, sid, Pi) to adversary S. We say that IBE is secure in the sense of IND-ATK, if ind-atk A 2. Receive value (Set, sid, P Ki) from adversary AdvIBE,A (k) is negligible for any . S, and hand (Set, sid, P Ki) to Pi.

3. Record the pair (Pi,PKi). Table 1: Oracle Set O1, O2 O1 O2 Extract {X E } {X E } 0 ID-CPA , , ² , , ² Upon receiving value (Extract, sid, ID, P Ki) from {X E D} {X E } ID-CCA , , , , ² some party Pk, proceed as follows: ID-CCA2 {X , E, D} {X , E, D} 0 1. If PKi is recorded and ID is Pk’s, record (ID,Pk) in ID-Reg. Else do not record. 0 S selective-ID Canetti, Halevi, and Katz considered 2. Hand (Extract, sid, ID, P Ki) to adversary , selective node attack [6]. Under this definition, the and receive (Received, sid) from adversary S. identity for which the challenge ciphertext is encrypted 0 3. Hand (Extracted, sid, Pk,PKi) to Pk and Pi is selected by the adversary in advance (i.e., non-adaptively) 0 before the public key is generated. (If PKi is not recorded or ID is not Pk’s, do not hand.) 2.4 Universal Composability Encrypt F 0 Ideal functionality of , SC To Upon receiving value (Encrypt, sid, m, ID, P K ) F i realize identity-based encryption functionality, IBE, from some party Pj, proceed as follows: we use FSC [8]. To understand UC framework, see | | 0 more details in [3]. 1. Hand (Encrypt, sid, m ,ID,PKi) to adver- S | | 0 sary , where m the length of m.(If PKi is not 0 3 UC-secure IBE is equivalent to IND- recorded hand (Encrypt, sid, m, ID, P Ki).) ID-CCA2-secure IBE 0 2. Receive (Encrypted, sid, c, ID, P Ki) 3.1 The Identity-Based Encryption Function- from adversary S and hand (Encrypted, sid, c, ID, P K0) to P . ality FIBE i j

We define IBE functionality FIBE in Fig.1. FIBE 3. Store (m, c, ID) in Plain-Cipher. is a functionality of IBE-setup, IBE-extraction, IBE- encryption and IBE-decryption. Decrypt 0 Upon receiving value (Decrypt, sid, c, ID, P Ki) 3.2 UC-secure IBE is equivalent to IND-ID- from Pk, proceed as follows: CCA2-secure IBE 1. If the following four conditions are satisfied Next, we present a protocol that securely realizes 0 then hand (Decrypted, sid, m, ID, P Ki) to Pk. FIBE. Let Σ = (S, X , E, D) be an identity based encryption (a) (ID,Pk) is recorded in ID-Reg. scheme. Consider the following transformation from (b) Pi(Setup party) is not corrupted or Pi is IBE scheme Σ to protocol πIBE that is geared towards corrupted after ID is extracted. realizing FIBE in the FSC-hybrid model: (c) Pk is not corrupted. 1. Upon input (Setup, sid, Pi) within some party (d) (m, c, ID) is stored in Plain-Cipher. Pi, Pi obtains the system parameters PKi and master-key SKi by running algorithm S(), then 2. If (ID,Pk) is not recorded in ID-Reg then hand 0 outputs (Set, sid, P Ki) and sends (Establish- value (Decrypt, sid, c, ID, P Ki) to adversary S and hand not-recorded to P . session, sid, P, initiator) to FSC for all parties. k 0 3. Otherwise, hand value 2. Upon input (Extract, sid, ID, P Ki) within some (Decrypt, sid, c, ID, P K0) to adversary S, party Pk, Pk sends (Establish-session, sid, Pi, i receive value (Decrypted, sid, m0,PK0) F i responder) to SC and sends message (Extract, from adversary S, and hand 0 0 (Decrypted, sid, m ,ID,PKi) to Pk.

Figure 1: The identity-based encryption functionality 0 h i Z A sid, ID, P Ki) to Pi. Upon receiving this mes- 1. Extraction query IDl . asks to corrupt Pl sage, Pi obtains private key dk by running algo- and responds by activating Pl with (Extract, sid, rithm X (PK0,SK0,ID). If PK0 is already de- i i i IDl,PKi) to obtain private key dl corresponding fined and ID is Pk’s, Pi sends (Send, sid, dk) to to public key hIDli. It sends dl to the adversary. FSC. Upon receiving (Received, sid, dk) from F 0 h i Z A SC, Pk outputs (Extracted, sid, Pk,PKi). If 2. Decryption query IDl,Cl . asks to corrupt 0 PKi is not yet defined or ID is not Pk’s, Pi ig- Pl, obtains private key dl corresponding to IDl nores the request. and responds by running algorithm D(PKi,Cl, dl) 0 to decrypt ciphertext Cl using private key dl. It 3. Upon input (Encrypt, sid, m, ID, P Ki) within some sends the resulting plaintext to the adversary. party Pj, Pj obtains ciphertext c by running algo- E 0 rithm (PKi, ID, m) and outputs (Encrypted, sid, These queries may be asked adaptively, that is, each 0 query ql may depend on the replies to q1, ..., ql−1. c, ID, P Ki). (Note that it does not necessarily In step 7, the adversary issues more queries qm+1, ..., qn hold that ID is Pj’s) where query ql is one of: 0 4. Upon input (Decrypt, sid, c, ID, P Ki) within Pk, 0 1. Extraction query hIDli where IDl =6 IDk. Z if PKi is already defined and ID is Pk’s, Pk ob- D 0 responds as in step 2. tains m = (PKi, c, dk) and outputs (Decrypted, 0 h i 6 h ∗i 6 sid, m, Pk,PKi). If Pk has not extracted private 2. Decryption query IDl,Cl = IDk,C . If IDl = key dk yet, Pk outputs not-recorded. IDk Z responds as in step 2, else if IDl = IDk,Cl =6 C∗, Z activates P with (Decrypt, sid, C ,P ,PK ) F F k l k i Theorem 1 πIBE securely realizes IBE in the SC- and sends the resulting plaintext to the adver- hybrid model with respect to non-adaptive adversaries sary (if IDk is not extracted then activates Pk if and only if IBE scheme Σ is IND-ID-CCA2-secure. with (Extract, sid, IDk,PKi) before activating Proof sketch. (only if part): Assuming that there Pk with (Decrypt, sid, Cl,Pk,PKi)). A∗ exists adversary that can guess bit b correctly with These queries may be asked adaptively as in step 2. probability 1 +², in an IND-ID-CCA2 game with scheme 2 We omit details, see the full paper version. Z Σ, we prove that we can construct environment and (if part): We show that if π does not securely A IBE real life adversary such that for any ideal process realize F , then π is not IND-ID-CCA2-secure. S Z IBE IBE adversary (simulator) , can tell with probability ² We then prove that π is not IND-ID-CCA2 secure A S IBE whether it is interacting with and πIBE or with in by using distinguishable environment Z. F A∗ the ideal process for IBE by using adversary that We omit how simulator S proceeds, see the full paper breaks IND-ID-CCA2 security. version. Z proceeds as follows: For some value of the security parameter z for Z, we assume that there is environment Z such that 1. Activates party Pi with (Setup, sid, Pi) and ob- − IDEALF,S,Z (z) REALπIBE,A,Z (z) > σ, then we show tains PKi. A∗ that there exists h which correctly guesses bit b with ∗ 1 σ 2. Hands PKi to A and plays the role of an oracle probability 2 + 2l in the IND-ID-CCA2 game, where for adversary A∗ in the IND-ID-CCA2 game. l is the total number of messages that were encrypted throughout the running of the system and h ∈ {1, ..., l}. A∗ ∗ 3. Obtains (IDk,M0,M1) from . IDk (party Pk’s A runs Z on the following simulated interaction with A∗ h ID) is the ID attacks. a system running πIBE. Let mj denotes the jth mes- sage that Z asks to encrypt in this simulation and ID 4. Activates P with (Extract, sid, ID ,PK ), ob- j k k i denotes the jth ID that Z uses to encrypt in this sim- tains (Extracted, sid, ID ,PK ). k i ulation. 5. Chooses random bit b ∈ {0, 1}, selects an ar- 1. When Z activates some party Pi with input (Setup, bitrary party Pj =6 Pk and activates Pj with ∗ A∗ (Encrypt, sid, Mb,IDk,PKi) and obtains C . sid, Pi), h lets Pi output the value PKi from A∗ h’s input. 6. Hands C∗ to A∗ as the test ciphertext. 2. When Z activates some party Pk with input A∗ 7. Plays the role of an oracle for adversary in A∗ 0 ∈ (Extract, sid, IDk,PKi), h lets Pk output mes- the IND-ID-CCA2 game, and obtains guess b A∗ { } sage (Extracted, sid, IDk,PKi) from h’s input. 0, 1 . A∗ If Pk is corrupted then h queries its extraction 0 8. Outputs 1 if b = b , otherwise outputs 0 and halts. oracle on IDk, obtains value u, and lets Pk return u to Z. In step 2, the adversary issues queries q , ..., q where 1 m − Z query q is one of: 3. For the first h 1 times that asks to encrypt l A∗ some message, mj, h lets the encrypting party return cj = E(PKi,IDj, mj). 4. The h-th time that Z asks to encrypt message, 4.2 UC-secure IBE with ND is equivalent to ∗ A∗ mh by ID , h queries its encryption oracle with IND-ID-CPA-secure IBE |m | the pair of messages (mh, 0 h ), and obtains test ND F ND We omit protocol πIBE that securely realizes IBE, ciphertext ch. It then hands ch to Z as the en- ∗ see the full paper version. cryption of mh. That is, ch = E(PKi,ID , mh) ∗ |mh| ND F ND F or ch = E(PKi,ID , 0 ). Theorem 2 πIBE securely realizes IBE in the SC- hybrid model with respect to non-adaptive adversaries 5. For the remaining l − h times that Z asks to en- if and only if IBE scheme Σ is IND-ID-CPA-secure. A∗ crypt some message, mj, h lets the encrypting We omit the proof of Theorem 2, see the full paper 0 | | E mj party return cj = (PKi,IDj, 0 ). version.

6. Whenever decryptor Pj is activated with input 4.3 A Universally Composable Signature Based (Decrypt, sid, c, IDj,PKi) where c = cj for some on the IBE Scheme A∗ j, h lets Pj return the corresponding plaintext mj. If c is different from all cj’s and IDj is ex- ∗ F A Functionality SIGW tracted then h queries its decryption oracle on (ID , c), obtains value u, and lets P return u to j j Key Generation: Z. If c is different from all cj’s and IDj is not ∗ Upon receiving value (KeyGen, sid) from some party extracted then A lets P output . 0 h j not-recorded S (signer), verify that sid = (S, sid ) for some Z A∗ Z sid0. If not, then ignore the request. Else, hand 7. When halts, h outputs whatever outputs and halts. (KeyGen, sid) to the adversary. Upon receiving (Verification Key, sid, v) from the adversary, out- We apply a standard hybrid argument for analyzing put (Verification Key, sid, v) to S, and record the A∗ the success probability of h. We omit the details, see pair (S, v). the full paper version. 2 Signature Generation: Upon receiving value (Sign, sid, m) from S, verify 0 0 4 UC-secure IBE with ND is equivalent that sid = (S, sid ) for some sid . If not, then ignore to IND-ID-CPA-secure IBE the request. Else, send (Sign, sid, m) to the adver- sary. Upon receiving (Signature, sid, m, σ) from the 4.1 The Identity-Based Encryption with ND adversary, verify that no entry (m, v, 0) is recorded. F ND Functionality IBE If it is, then output an error message to S and halt. We define an IBE functionality with no decryption Else, output (Signature, sid, m, σ) to S, and record F ND the entry (m, v, 1). (ND), IBE in Fig.2. F The main difference from IBE is Decrypt stage. Signature Verification: F ND 0 IBE does not hand results of decryption. Upon receiving value (Verify, sid, m, σ, v ) from some party P , hand (Verify, sid, m, σ, v0) to the ad- F ND Functionality IBE versary. Upon receiving (Verified, sid, m, φ) from the adversary do: F ND proceeds as follows, running with parties IBE 0 P1,...,Pn and adversary S. 1. If v = v and the entry (m, v, 1) is recorded, Setup, Extract, Encrypt: See Figure 1. then set f = 1. Decrypt 2. Else if v = v0, the signer is not corrupted, and Upon receiving value (Decrypt, sid, c, ID, P K0) i no entry (m, v, 1) is recorded, then set f = 0 from P , proceed as follows: k and record the entry (m, v, 0). 1. If P is not corrupted, k 3. Else, if there is an entry (m, v0, f 0) recorded, 0 (a) If (ID,Pk) is recorded in ID-Reg, then then let f = f . hand (Decrypted, sid, 1,ID,PK0) to P . i k 4. Else, let f = φ and record the entry (m, v0, φ) (b) Otherwise, hand 0 Output (Verified, sid, m, f) to P . (Decrypted, sid, 0,ID,PKi) to Pk.

2. If Pk is corrupted, hand value Figure 3: The digital signatures functionality 0 S (Decrypt, sid, c, ID, P Ki) to adversary , receive the answer from adversary S, and hand the answer to Pk. Canetti defined ideal functionality of digital signa- tures, FSIG, and showed that UC-secure signatures are Figure 2: The identity-based encryption functionality equivalent to EUF-CMA-secure signatures [4]. FSIG with ND represents strong unforgeability. We define an ideal functionality of digital signatures with (normal) un- F forgeability, SIGW in Fig.3. An IND-ID-CPA-secure IBE scheme can be converted into a signature scheme F sID Functionality IBE that is existentially unforgeable against chosen message F sID attack (EUF-CMA). IBE proceeds as follows, running with parties P ,...,P and adversary S. Theorem 3 π UC-realizes F in the F ND - 1 n SIGW SIGW IBE Setup hybrid model. In the first activation, expect to receive value We omit protocol π and the proof of the Theo- ∗ SIGW (Setup, sid, P ,ID ) from some party P . Then do: rem 3, see the full paper version. i i 1. Record target ID, ID∗. 5 UC IBE with sID is equivalent to IND- sID-CCA2-secure IBE 2. 3. 4. See Figure 1. Canetti, Halevi, and Katz have shown how to con- Extract: See Figure 1. Encrypt struct a secure PKE scheme from a selective-ID-secure 0 Upon receiving value (Encrypt, sid, m, ID, P Ki) IBE scheme [7]. ∗ F sID from some party Pj, if ID =6 ID , then ignore the We define IBE functionality IBE in Fig.4. The main request. Else, proceed as FIBE in Figure 1. difference from FIBE are Setup, Encrypt and De- F sID ∗ Decrypt crypt stages. IBE receives target ID, ID at Setup 0 ∗ stage. If ID = ID , then F sID excutes encryption Upon receiving value (Decrypt, sid, c, ID, P Ki) IBE 6 ∗ (resp. decryption) at Encrypt (resp. Decrypt) stage. from Pk, if ID = ID , then ignore the request. Else, sID proceed as FIBE in Figure 1. We can present protocol πIBE that securely realizes F sID as in Section 3. IBE Figure 4: The identity-based encryption functionality sID F sID F Theorem 4 πIBE securely realizes IBE in the SC- with sID hybrid model with respect to non-adaptive adversaries if and only if IBE scheme Σ is IND-sID-CCA2 secure. We omit the proof of the Theorem 4, see the full [5] Ran Canetti and Marc Fischlin. Universally paper version. composable commitments. In proceedings of CRYPTO’01, 2001. 6 Conclusion [6] Ran Canetti, Shai Halevi, and Jonathan Katz. A F We defined IBE and showed that UC-secure IBE is forward-secure public-key encryption scheme. In equivalent to IND-ID-CCA2-secure IBE. We also de- proceedings of EUROCRYPT’03, 2003. fined the ideal functionalities of weaker security no- F ND F sID tions of IBE, IBE and IBE. We then showed that [7] Ran Canetti, Shai Halevi, and Jonathan Katz. F ND UC-secure IBE with IBE is equivalent to IND-ID- Chosen-ciphertext security from identity-based F sID CPA-secure IBE, and that UC-secure IBE with IBE encryption. In proceedings of EUROCRYPT’04, is equivalent to IND-sID-CCA2-secure IBE. We pre- 2004. sented a protocol which UC-realizes ideal functionality ND [8] Ran Canetti and Hugo Krawczyk. Universally FSIG in the F -hybrid model. W IBE composable and secure channels. In References proceedings of EUROCRYPT’02, 2002. [1] Nuttapong Attrapadung, Yang Cui, Goishiro [9] Ran Canetti and Tale Rabin. Universal com- Hanaoka, Hideki Imai, Kanta Matsuura, Peng position with joint state. In proceedings of Yang, and Rui Zhang. Relations among no- CRYPTO’03, 2003. tions of security for identity based encryption [10] David Galindo and Ichiro Hasuo. Security no- schemes. Cryptology ePrint Archive, Report tions of for identity based encryption. Cryp- 2005/258, 2005. http://eprint.iacr.org/. tology ePrint Archive, Report 2005/253, 2005. [2] Dan Boneh and Matthew Franklin. Identity-based http://eprint.iacr.org/. encryption from the weil pairing. In proceedings of [11] Waka Nagao, Yoshihumi Manabe, and Tatsuaki CRYPTO’01, 2001. Okamoto. A universally composable secure chan- [3] Ran Canetti. Universally composable security:a nel based on the kem-dem framework. In proceed- new paradigm for cryptograpic protocols. In pro- ings of TCC’05, 2005. ceedings of FOCS’01, 2001. [12] Adi Shamir. Identity-based and sig- [4] Ran Canetti. Universally composable signatures, nature schemes. In proceedings of CRYPTO’84, certification, and authenticated communication. 1984. In proceedings of 17th Computer Security Foun- dations Workshop, 2004.