A provably secure certificate-based encryption scheme against malicious CA attacks in the standard model

Abstract

Certificate-based encryption (CBE) is a new public-key cryptographic paradigm that represents an interesting balance between conventional public-key encryption and identity-based encryption. It not only simplifies the certificate revocation problem in conventional public-key encryption, but also solves the key escrow problem inherent in identity-based encryption. In CBE, a certificate authority (CA) is employed to initialize the system and issue certificates for users. Each user needs both a private key and an up-to-date certificate to decrypt ciphertexts. In the previous concrete constructions of CBE, the CA is assumed to be honest-but-curious, that is, the CA always starts launching attacks only after it has initialized the system honestly. However, it seems that such an assumption does not necessarily reflect reality when we consider a malicious CA that is trying every effort to break the system. To show that the malicious CA attack exists in CBE, we present two concrete attacks against a previous CBE scheme. In both attacks, a malicious CA can easily break any user's confidentiality by implanting a trapdoor in the public system parameters. To fight against malicious CA attacks, we propose a new CBE scheme. The proposed CBE scheme is proven to be chosen-ciphertext secure against malicious CA attacks in the standard model. Performance comparison shows that it is efficient and practical.