Compact identity-based encryption without strong symmetric cipher

Abstract

In order to construct a CCA-secure (i.e. secure against chosen ciphertext attack) public key encryption scheme using the usual KEM/DEM (Key Encapsulation Mechanism/Data Encapsulation Mechanism) framework, one needs KEM and DEM schemes, both of which are CCA-secure. A CCA-secure DEM scheme can be constructed in a various way, but in order to construct a hybrid scheme producing ciphertexts of compact size, the DEM scheme needs to be a length-preserving symmetric cipher. However, it has been pointed out in the recent literature that the length-preserving symmetric cipher is in fact fairly expensive to realize because one needs strong PRP (pseudo random permutation) which is complex. As alternatives to the KEM/DEM framework for constructing compact hybrid encryption have been introduced in the public key (non identity-based) setting. In this paper, as contributions to this line of research, we construct hybrid identity-based encryption schemes which produce compact ciphertexts while providing both efficiency and strong security without resorting to the strong length-preserving symmetric cipher. In particular, all of the proposed schemes incur only one group element ciphertext expansion (defined as the size of the ciphertext minus the size of the plaintext message) and do not depend on the strong PRP. We provide security analysis of our schemes against chosen ciphertext attack under the well-known computational assumptions, in the random oracle model. We believe that our schemes are suitable for implementing on small devices.