Certified encryption revisited

Abstract

The notion of certified encryption had recently been suggested as a suitable setting for analyzing the security of encryption against adversaries that tamper with the key-registration process. The flexible syntax afforded by certified encryption suggests that identity-based and certificateless encryption schemes can be analyzed using the models for certified encryption. In this paper we explore the relationships between security models for these two primitives and that for certified encryption. We obtain the following results. We show that an identity-based encryption scheme is secure if and only if it is secure when viewed as a certified encryption scheme. This result holds under the (unavoidable) restriction that registration occurs over private channels. In the case of certificateless encryption we observe that a similar result cannot hold. The reason is that existent models explicitly account for attacks against the non-monolithic structure of the secret keys whereas certified encryption models treat secret keys as whole entities. We propose an extension for certified encryption where the adversary is allowed to partially modify the secret keys of honest parties. The extension that we propose is very general and may lead to unsatisfiable notions. Nevertheless, we exhibit one instantiation for which we can prove the desired result: a certificateless encryption is secure if and only if its associated certified encryption scheme is secure. As part of our analysis, and a result of separate interest we confirm the folklore belief that for both IBE and CLE, security in the single-user setting (as captured by existent models) is equivalent to security in the multi-user setting. © 2009 Springer Berlin Heidelberg.