KDM security for identity-based encryption: Constructions and separations

Abstract

For encryption schemes, key dependent message (KDM) security requires that ciphertexts preserve secrecy even when the messages to be encrypted depend on the secret keys. While KDM security has been extensively studied for public-key encryption (PKE), it receives much less attention in the setting of identity-based encryption (IBE). In this work, we focus on the KDM security for IBE. Our results are threefold.We first propose a generic approach to transfer the KDM security results (both positive and negative) from PKE to IBE. At the heart of our approach is a neat structure-mirroring PKE-to-IBE transformation based on indistinguishability obfuscation and puncturable PRFs, which establishes a connection between PKE and IBE in general. However, the obtained results are restricted to selective-identity sense. We then concentrate on results in adaptive-identity sense.On the positive side, we present two constructions that achieve KDM security in the adaptive-identity sense for the first time. One is built from identity-based hash proof system (IB-HPS) with homomorphic property. The other is built from indistinguishability obfuscation and a new notion named puncturable unique signature, which is bounded KDM-secure in the single-key setting.On the negative side, we separate CPA/CCA security from n-circular security (which is a prototypical case of KDM security) for IBE by giving a counterexample based on differing-inputs obfuscation and a new notion named puncturable IBE. We further propose a general framework for generating n-circular security counterexamples in identity-based setting, which might be of independent interest.