Forward-Secure Certificate-Based Encryption ...

2 downloads 0 Views 238KB Size Report
certificate and no private key escrow. At the same time it also inherits the properties of the forward-secure public key encryption. We first formalize the definition ...
Forward-Secure Certificate-Based Encryption: Definition and Generic Construction Yang Lu and Jiguo Li

Junmo Xiao

College of Computer and Information Engineering Hohai University Nanjing, Jiangsu Province, China {luyangnsd, ljg1688}@163.com

Institute of Communication Engineering PLA University of Science and Technology Nanjing, Jiangsu Province, China [email protected]

Abstract—Certificate-based encryption (CBE) is a new paradigm which combines traditional public-key encryption (PKE) and identity-based encryption (IBE) while preserving their features. CBE provides an efficient implicit certificate mechanism to eliminate third-party queries for the certificate status and to simplify the certificate revocation problem. Therefore, CBE can be used to construct an efficient PKI requiring fewer infrastructures. In addition, it also solves the key escrow problem and key distribution problem inherent in IBE. In this paper, we introduce a new notion called Forward-Secure Certificate-Based Encryption. It preserves the advantages of CBE such as implicit certificate and no private key escrow. At the same time it also inherits the properties of the forward-secure public key encryption. We first formalize the definition and security model for forward-secure CBE. Then we propose a generic construction of forward-secure CBE and prove it to be secure against chosen plaintext attacks in the standard model. We also describe how our generic scheme can be enhanced to achieve security against adaptive chosen-ciphertext attacks in both the standard model and the random oracle model. Keywords-forward-secure; certificate-based encryption; generic construction; the standard model

I.

INTRODUCTION

In Eurocrypt 2003, Gentry [3] introduced the notion of certificate-based encryption (CBE), which combines identitybased encryption (IBE) and traditional PKI-supported public key encryption (PKE) while preserving their features. CBE provides an implicit certification mechanism and allows a periodical update of certificate status. As a traditional PKI, each user in CBE generates his own public/private key pair and requests a long-lived certificate from the CA. This long-lived certificate has all the functionalities of a traditional PKI certificate. But, CA generates the long-lived certificate as well as short-lived certificates (i.e., certificate status). A short-lived certificate is pushed only to the owner of the public/private key pair and acts as a partial decryption key. This additional functionality provides an implicit certificate so that the sender need not obtain fresh information on certificate status and the receiver must decrypt the ciphertext using his private key along with an up-to-date short-lived certificate from its CA. The feature of implicit certificate allows us to eliminate third-party queries for the certificate status and simplify the public key revocation problem so that CBE does not need infrastructures

like CRL [26] and OCSP [27]. Therefore, CBE can be used to construct an efficient PKI requiring fewer infrastructures. Furthermore, there is no key escrow problem and key distribution problem in CBE. As cryptographic computations are performed more frequently on small, unprotected, and easily-stolen devices (e.g., mobile phones), the threat of the private key exposure is becoming more and more acute. Although a user in CBE can make his private key be disused by revoking his short-lived certificate, once he reveals his private key accidentally or an attacker actively compromises it. However, anyone who obtains the private key can read all past messages sent to the user since all the past short-lived certificates are public. In this paper, we propose a new notion called Forward-Secure Certificate-Based Encryption to fill the above gap in CBE. This notion preserves the advantages of CBE such as implicit certificate and no private key escrow while inheriting the properties of the forward-secure PKE [21]. We propose the first generic construction of forward-secure CBE and prove it to be secure under chosen-plaintext attacks in the standard model. We also describe how our generic scheme can be enhanced to achieve security against adaptive chosen-ciphertext attacks. II.

RELATED WORK

Since the introduction of CBE, there are different variants or improvements proposed in the literature later on. Yum and Lee [4] provided a formal equivalence theorem among IBE, certificateless public-key encryption (CL-PKE) [1] and CBE. They showed that IBE implies both CBE and CL-PKE by giving two generic constructions from IBE to those primitives. However, Galindo et al. [5] pointed out that a dishonest authority could break the security of these two generic constructions. Lu et al. [7] solved this problem by providing two security-enhancing conversions and achieved two generic CBE constructions from PKE and IBE, which are provably cca-secure in the random oracle model [14,15]. Al-Riyami and Paterson [2] gave an analysis of Gentry’s CBE concept and repaired a number of problems with the original definition and security model for CBE. They also presented a generic conversion of CBE from CL-PKE and claimed that a secure CBE scheme could be constructed from any secure CL-PKE scheme using this conversion. Kang and Park [9] pointed out that their conversion was incorrect due to the flaw in their

security proof. Recently, Wang et al. [11] proposed a certificate-based proxy cryptosystem based on Gentry’s CBE scheme. Galindo et al. [6] proposed the first construction of CBE scheme secure in the standard model. Moreover, Lu et al. [8] proposed an efficient CBE scheme secure in the random oracle model. In parallel to CBE, Kang et al. [10] proposed the notion of certificate-based signature which follows the idea of Gentry’s CBE scheme and provided a concrete scheme in the random oracle model. However, Li et al. [12] pointed out that this signature scheme is insecure against the key replacement attack. They refined the security model of CBS given in [10] and constructed a new CBS scheme which is secure in the random oracle model. Moreover, Au et al. [13] propose a new notion called certificate-based ring signature, which is the ring signature in certificate based cryptography setting. The notion of forward-security was first proposed in the context of key-exchange protocols [16,17]. Subsequently, Anderson [18] suggested forward-security for the more challenging non-interactive setting. Bellare and Miner [19] first formalized the notion of forward security in the context of signature schemes. Forward security in the symmetric-key setting has also been studied in [20]. However, the existence of non-trivial, forward-secure PKE schemes has been open for a long while since the question was first posed by Anderson [18]. Until 2003, Canetti et al. [21] first formalized the notion of forward security for PKE and constructed the first forwardsecure PKE scheme. III.

DEFINITION AND SECURITY MODEL

In this section, we define the notion of key-evolving certificate-based encryption schemes and what it means for such a scheme to be forward-secure. Our definitions of forward-secure CBE generalize the definitions for CBE, similar to the way [21] in which the definitions of forward-secure PKE generalize the standard definitions for PKE. Definition 1. A key-evolving certificate-based encryption scheme (ke-CBE) is a tuple of six PPT algorithms (Setup, SetKeyPair, Certify, KeyUpd, Enc, Dec) such that: y Setup takes as input a security parameter Λ. It returns the certifier’s master-key skCA and public parameters params that include the descriptions of a finite message space MSPC, a finite ciphertext space CSPC, a time period space T, and a users’ identity space ID. Suppose that the total number of time periods in T is N. We consider params to be an implicit input to the rest of the algorithms. y SetKeyPair takes as input the total number of time periods N. It returns a public key upk and an initial secret key usk0. y Certify takes as input the master-key skCA, the index τ of the current time period, a user’s identity id, and the user’s public key upk. It returns a short-time certificate Certid,τ, which is sent to the user id. y KeyUpd takes as input a secret key uskτ-1 as well as the index τ of the current time period. It returns a private key uskτ for period τ.

y Enc takes as input the index τ of the current time period, the receiver’s identity id, the receiver’s public key upk, and a message M. It returns a ciphertext C for period τ. We represent the output as a pair . y Dec takes as input the receiver’s short-time certificate Certid,τ and private key uskτ for period τ, and a ciphertext . It returns a message M or the special symbol ⊥ indicating a decryption failure. Naturally, it is required that these algorithms must satisfy the standard consistency constraint: namely, for any (upk, usk0) output by SetKeyPair(N), any private key uskτ correctly generated for period τ, all M, and all output by Enc(τ, id, upk, M), we have M = Dec(τ, Certid,τ, uskτ, C). The security model for ke-CBE is defined against four different types of adversaries: the Type I adversary A1 models an uncertified user who has no access to the master-key; the Type II adversary A2 models a honest-but-curious certifier who possesses the master-key skCA; the Type III adversary A3 models a user who possesses the private key uskτ for time period τ of a certified user; the Type IV adversary A4 models an honest-but-curious certifier who possesses the master-key skCA and the private key uskτ for time period τ of a certified user. The strongest security notion for ke-CBE is forwardsecurity under adaptive chosen-ciphertext attacks (or fs-CBECCA) which is defined by following four games: Game 1. The challenger C runs Setup(Λ) to generate skCA and params. It gives params to the adversary A1 and keeps skCA to itself. Phase 1. A1 adaptively interleaves a series of certificate and decryption queries, C handles these queries as follows: On certificate query , C runs Certify(skCA, τ, id, upk) to generate Certid,τ. It returns Certid,τ to A1. On decryption query , C runs Certify(skCA, τ, id, upk) to generate Certid,τ and outputs Dec(τ, Certid,τ, uskτ, C) to A1. Challenge. On challenge query , where M0, M1 are of equal length, C checks that is not the subject of a certificate query in phase 1. If so, it picks a random bit b∈{0, 1}, encrypts Mb under the challenge public key upk* and sends the resulting ciphertext to A1; else it returns ⊥. Phase 2. As in phase 1, with the restriction that is not the subject of a decryption query and is not the subject of a certificate query. Guess. A1 outputs a guess b’∈{0, 1} and wins the game if b = b’. A1’s advantage in this game is defined to be Adv(A1) = 2|Pr[b = b’]-1/2|.

Game 2. C runs Setup(Λ) and gives params and skCA to the

Game 4. C runs Setup(Λ) and gives params and skCA to the

adversary A2. Then it runs SetKeyPair(N) to generate a key-

adversary A4. Then it runs SetKeyPair(N) to generate a key-

pair (upk*, usk0) and gives upk* to A2.

pair (upk*, usk0) and gives upk* to A4.

Phase 1. A2 issues a series of decryption queries. On *

Phase 1. A4 issues one breakin query, a series of

decryption query , C runs Certify(skCA, τ, id, upk ) to obtain Certid,τ, computes uskτ via KeyUpd(…KeyUpd(usk0, 1), …, τ), and outputs Dec(τ, Certid,τ, uskτ, C) to A2. These queries may be asked adaptively.

decryption queries, C handles these queries as follows:

Challenge. On challenge query , where M0, M1 are of equal length, C picks a random bit b∈{0, 1}, encrypt Mb under the challenge public key upk* and sends the resulting ciphertext to A2.

On decryption query , C runs Certify(skCA, τ, id, upk*) to generate Certid,τ, computes uskτ via KeyUpd(…KeyUpd(usk0, 1), …, τ), and outputs Dec(τ, Certid,τ, uskτ, C) to A4.

Phase 2. As in phase 1, with the restriction that is not the subject of a decryption query.

Challenge. On challenge query , where M0, M1 are of equal length and 0 ≤ j < i < N, C picks a random bit b∈{0, 1}, encrypts Mb under the challenge public key upk* and sends the resulting ciphertext to A4.

*

Guess. A2 outputs a guess b’∈{0, 1} and wins the game if b = b’. A2’s advantage in this game is defined to be Adv(A2) = 2|Pr[b = b’]-1/2|. Game 3. C runs Setup(Λ) to generate skCA and params. It gives params to the adversary A3 and keeps skCA to itself. Then it runs SetKeyPair(N) to generate a key-pair (upk*, usk0) and gives upk* to A3. Phase 1. A3 issues one breakin query, a series of certificate and decryption queries, C handles these queries as follows: On breakin query where 0 < i < N, C computes uski via KeyUpd(…KeyUpd(usk0, 1), …, i). It returns uski to A3. On certificate query where 0 ≤ τ ≤ i < N, C runs Certify(skCA, τ, id, upk*) to generate Certid,τ. It returns Certid,τ to A3. On decryption query , C runs Certify(skCA, τ, id, upk*) to generate Certid,τ, computes uskτ via KeyUpd(…KeyUpd(usk0, 1), …, τ), and outputs Dec(τ, Certid,τ, uskτ, C) to A3. Challenge. On challenge query , where M0, M1 are of equal length and 0 ≤ j < i < N, C picks a random bit b∈{0, 1}, encrypts Mb under the challenge public key upk* and sends the resulting ciphertext to A3. Phase 2. A3 issues a series of decryption queries as in phase 1, with the restriction that is not the subject of a decryption query. Guess. A3 outputs a guess b’∈{0, 1} and wins the game if b = b’. A3’s advantage in this game is defined to be Adv(A3) = 2|Pr[b = b’]-1/2|.

On breakin query where 0 < i < N, C computes uski via KeyUpd(…KeyUpd(usk0, 1), …, i). It returns uski to A4.

Phase 2. A4 issues a series of decryption queries as in phase 1, with the restriction that is not the subject of a decryption query. Guess. A4 outputs a guess b’∈{0, 1} and wins the game if b = b’. A4’s advantage in this game is defined to be Adv(A4) = 2|Pr[b = b’]-1/2|. Definition 2. A ke-CBE scheme is forward-secure against adaptive chosen ciphertext attacks (or fs-CBE-CCA) if no PPT adversary has non-negligible advantage in above four games. Similarly, we can define the weak security notion fs-CBECPA for ke-CBE, in which the adversaries are not allowed to issue any decryption queries. IV.

GENERIC CONSTRUCTION OF FORWARD-SECURE CBE SCHEME

In this section, we provide a generic construction of forward-secure CBE scheme, which is fs-CBE-CPA secure in the standard model. The idea of our generic construction is simple. It takes an IBE scheme which is IND-ID-CPA secure and a ke-PKE scheme which is fs-CPA secure or fs-CCA secure as the building blocks, and combines them in a natural composite way. We also sketch two ways to extend the resulting generic scheme to achieve fs-CBE-CCA security. A.

Building Blocks Definition 3. A key-evolving public-key encryption scheme (ke-PKE) is a 4-tuple of PPT algorithms (KeyGen, KeyUpd, Enc, Dec) such that: y KeyGen takes as input a security parameter k and the total number of time periods N. It returns a public key pk and an initial secret key sk0.

y KeyUpd takes as input a secret key ski-1 as well as the index i of the current time period. It returns a secret key ski for

period i. y Enc takes as input a public key pk, the index i of the current time period, and a message M. It returns a ciphertext C for period i. We represent the output as a pair and write ← Enc(i, pk, M). y Dec takes as input a secret key ski and a ciphertext . It returns a message M. We denote this by M = Dec(i, ski, C). Definition 4. A ke-PKE scheme is forward-secure against chosen-ciphertext attacks (fs-CCA) if no PPT adversary A has a non-negligible advantage against the challenger in the following game: Setup. The challenger runs KeyGen(Λ, N) to generate a public key pk and an initial secret key sk0. It gives the adversary pk. Attack. The adversary issues one break-in query breakin(i), one challenge query challenge(j, M0, M1) and multiple decryption query dec(k, C), in any order, subject to 0 ≤ j < i < N and k ∈ [0, N). The challenger responds these queries as follows: On query breakin(i), key ski is computed via KeyUpd(…KeyUpd(sk0, 1), …, i) and given to the adversary. On query challenge(j, M0, M1), a random bit b is selected and the adversary is given ← Enc(j, pk, Mb). On query dec(k, C), the appropriate key skk is first derived via KeyUpd(…KeyUpd(sk0, 1), …, k). The adversary is then given the output Dec(k, skk, C). If the adversary has already received response C* from query challenge(j, M0, M1), then query dec(j, C*) is disallowed. Guess. The adversary outputs a guess b’ ∈{0, 1} and wins the game if b = b’. The advantage of the adversary is defined by Adv (A) = | Pr [b = b’] - 1/2|. Similarly, the weak security notion fs-CPA can be defined for ke-PKE, in which the adversaries are disallowed to issue any decryption queries. Definition 5. An IBE scheme is a 4-tuple of PPT algorithms (Setup, Extract, Enc, Dec) such that: y Setup takes as input a security parameter k and returns the PKG’s master key msk that is kept secret and the system public parameters params. y Extract takes as input params, msk and a user’s identity id to return the user’s private key sk. y Enc takes as input params, the receiver’s identity id and a message M. It returns a ciphertext C. y Dec takes as input params, the receiver’s private key sk and a ciphertext C. It outputs a message M, or ⊥ if C is invalid. Definition 6. An IBE scheme is IND-ID-CPA secure if no PPT adversary A has a non-negligible advantage against the Challenger in the following IND-ID-CPA game:

Setup. The challenger takes a security parameter k and runs the Setup algorithm. It gives the adversary the resulting system parameters params. It keeps the master-key msk to itself. Phase 1. The adversary issues a series of private key extraction queries . The challenger responds by running algorithm Extract to generate the private key sk corresponding to the public key id. It sends sk to the adversary. These queries may be asked adaptively. Challenge. Once the adversary decides that Phase 1 is over it outputs two equal length plaintexts M0 and M1, and a public key id* on which it wishes to be challenged. The challenger picks a random bit b∈{0, 1} and sets C* = Enc(params, id*, Mb). It sends C* as the challenge to the adversary. Phase 2. The adversary issues more extraction queries. The only constraint is that id* is not the subject of these queries. The challenger responds as in Phase 1. Guess. Finally, the adversary outputs a guess b’∈{0, 1} and wins the game if b = b’. The advantage of the adversary A is defined by Adv(A)=|Pr[b = b’] - 1/2|. B. Generic Construction Let IBE = (Setup, Extract, Enc, Dec) be an IBE scheme, ke-PKE = (KeyGen, KeyUpd, Enc, Dec) be a ke-PKE scheme. We assume that scheme IBE and scheme ke-PKE are compatible in that the ciphertext space of ke-PKE is equal to or contained in the message space of IBE. Then a ke-CBE scheme ke-CBE = (Setup, SetKeyPair, Certify, KeyUpd, Enc, Dec) can be constructed generically as follows: y Setup: This algorithm runs IBE.Setup to generate the system parameters params and a PKG’s master key msk. We set the certifier’s master-key skCA to be msk. y SetKeyPair: This algorithm is defined to be the algorithm ke-PKE.KeyGen. y Certify: This algorithm runs the algorithm IBE.Extract on input msk and τ||id||pk. The result is outputted as the certificate Certid,τ of the user id during time period τ. y KeyUpd: This algorithm is defined to be the algorithm ke-PKE.KeyUpd. y Enc: To encrypt a message M for a user id with a public key upk during time period τ, this algorithm computes and outputs the ciphertext ← ke-PKE.Enc(τ, upk, IBE.Enc(τ||id||upk, M)). y Dec: To decrypt using id’s certificate Certid,τ and private key uskτ for time period τ, this algorithm computes and outputs the message M = IBE.Dec(Certid,τ, ke-PKE.Dec(τ, uskτ, C)). The security of the scheme ke-CBE is stated in the following theorems: Theorem 1. The generic scheme ke-CBE is secure in the sense of fs-CBE-CPA if the scheme IBE is IND-ID-CPA secure and the scheme ke-PKE is fs-CPA secure.

Theorem 2. The generic scheme ke-CBE is secure in the sense of fs-CBE-CPA if the scheme IBE is IND-ID-CPA secure and the scheme ke-PKE is fs-CCA secure.

[6]

Due to the space limitation, we will write the full proof for the above two theorems in the final version of this paper.

[7]

C. Achieving CCA-Security At last, we briefly describe how the generic scheme keCBE can be enhanced to achieve the fs-CBE-CCA security. In the standard model (assuming that the scheme IBE is IND-IDCPA secure and the scheme ke-PKE is fs-CCA secure), we can use a one-time signature as in [22] or the more efficient combinationofamessageauthenticationcodeandaweak form of commitment as in [23] as the security-enhancing building block to enhance the security of the generic scheme ke-CBE to be fs-CBE-CCA secure. In the random oracle model (assuming that the scheme IBE is IND-ID-CPA secure and the scheme ke-PKE is fs-CPA secure), we can achieve a more efficient generic scheme which is fs-CBE-CCA secure by applying the Fujisaki-Okamoto transformation [24,25] as in [7]. V.

CONCLUSION

In this paper, we propose the notion of forward-secure certificate-based encryption which is a combination of forwardsecure public-key encryption and certificate-based encryption. We formalize the notion of forward security for CBE and constructed the first generic construction of forward-secure CBE which is fs-CBE-CPA secure in the standard model. We also discuss how the proposed scheme achieves the security against adaptive chosen-ciphertext attacks. We believe that this notion is of practical interest in some application, such as electronic commerce and wireless communication. ACKNOWLEDGMENT

[8] [9] [10]

[11]

[12]

[13]

[14]

[15] [16]

[17]

[18] [19]

[20]

This work is supported by the National Natural Science Foundation of China (No. 60842002), the National High Technology Research and Development Program of China (No. 2007AA01Z409), and the Natural Science Foundation of Hohai University (No. 2008428611).

[22]

REFERENCES

[23]

[1]

[2]

[3]

[4]

[5]

S. S. Al-Riyami and K.G. Paterson, “Certificateless public key cryptography,” Proc. Advances in Cryptology - ASIACRYPT 2003, LNCS 2894, pp.452–473, Springer-Verlag, 2003. S. S. Al-Riyami and K.G. Paterson, “CBE from CL-PKE: a generic construction and efficient schemes,” Proc. PKC 2005, LNCS 3386, pp. 398-415, Springer-Verlag, 2005. C. Gentry, “Certificate-based encryption and the certificate revocation problem,” Proc. Advances in Cryptology - EUROCRYPT 2003, LNCS 2656, pp. 272-293, Springer-Verlag, 2003. D.H. Yum and P.J. Lee, “Identity-based cryptography in public key management,” Proc. EuroPKI 2004, LNCS 3093, pp.71-84, SpringerVerlag, 2004. D. Galindo, P. Morillo, and C. Ràfols, “Breaking Yum and Lee generic constructions of certificate-Less and certificate-based encryption

[21]

[24]

[25]

[26]

[27]

schemes,” Proc. EuroPKI 2006, LNCS 4043, pp.81-91, Springer-Verlag, 2006. D. Galindo, P. Morillo, and C. Ràfols, “Improved certificate-based encryption in the standard model,” Journal of Systems and Software, vol.81(7), 2008, pp.1218-1226. Y. Lu, J. Li and J. Xiao, “Generic construction of certificate-based encryption,” Proc. the 9th International Conference for Young Computer Scientists, pp.1518-1594, IEEE CS, 2008. Y. Lu, J. Li and J. Xiao, "Constructing efficient certificate-based encryption with paring," Journal of Computers, vol.4(1), 2009, pp.19-26. B.G. Kang and J.H. Park, “Is it possible to have CBE from CL-PKE?” Cryptology ePrint Archive, Report 2005/431. B.G. Kang, J.H. Park, and S.G. Hahn, “A certificate-based signature scheme,” Proc. CT-RSA 2004, LNCS 2964, pp. 99-111, Springer-Verlag, 2004. L. Wang, J. Shao, Z. Cao, M. Mambo, and A. Yamamura, “A certificatebased proxy cryptosystem with revocable proxy decryption power,” Proc. Indocrypt 2007, LNCS 4859, pp.297-311, Springer-Verlag, 2007. J. Li, X. Huang, Y. Mu, W. Susilo, and Q. Wu, “Certificate-based signature: security model and efficient construction,” Proc. EuroPKI 2007, LNCS 4582, pp.110-125, Springer-Verlag, 2007. M.H. Au, J.K Liu, W. Susilo, and T.H. Yuen, “Certificate based (linkable) ring signature,” Proc. ISPEC 2007, LNCS 4464, pp.79-92, Springer-Verlag, 2007. M. Bellare and P. Rogaway, “Random Oracles are Practical: A Paradigm for Designing Efficient Protocols,” Proc. 1st ACM Conference on Communications and Computer Security, pp. 62-73, 1993. R. Canetti, O. Goldreich, and S. Halevi, “The random oracle methodology, revisited,” Proc. STOC’98, pp.209-218, 1998. C.G. G¨unther, “An identity-based key-exchange protocol,” Proc. Advances in Cryptology - EUROCRYPT ’89, LNCS 434, pp.29–37, 1990. W. Diffie, P. C. Van-Oorschot, and M. J. Weiner, “Authentication and authenticated key exchanges,” Des.,Codes, Cryptogr, vol. 2(2), pp. 107– 125, 1992. R. Anderson, “Two remarks on public key cryptology”, Invited Lecture, ACM CCCS ’97. M. Bellare and S. K. Miner, “A forward-secure digital signature scheme,” Proc. Advances in Cryptology - Crypto'99, LNCS 1666, pp. 431-448, Springer-Verlag, 1999. M. Bellare and B. Yee, “Forward Security in Private-Key Cryptography,” Proc. RSA Cryptographers’ Track - CT-RSA 2003, LNCS 2612, pp. 1–18, 2003. R. Canetti, S. Halevi, and J. Katz, “A forward-secure public-key encryption scheme,” Proc. Advances in Cryptology - EUROCRYPT 2003, LNCS 2656, pp. 255–271, 2003. R. Canetti, S. Halevi, and J. Katz, “Chosen-ciphertext security from identity-based encryption,” Proc. Advances in Cryptology EUROCRYPT 2004, LNCS 3027, pp. 207–22, Springer-Verlag, 2004. D. Boneh and J. Katz, “Improved efficiency for cca-secure cryptosystems built using identity based encryption,” Proc. RSA Cryptographers’ Track 2005, LNCS 3376, pp. 87-103, 2005. E. Fujisaki and T. Okamoto, “Secure integration of asymmetric and symmetric encryption schemes,” Proc. Advances in CryptologyCRYPTO’99, LNCS 1666, pp. 537–554, 1999. E. Fujisaki and T. Okamoto, “How to enhance the security of public-key encryption at minimum cost,” Proc. Public Key Cryptography PKC’99, LNCS 1560, pp. 53–68, 1999. R. Housley, W. Polk, W. Ford, and D. Solo, “Internet X.509 public key infrastructure certificate and certificate revocation list (CRL) profile,” RFC 3280, IETF, 2002. M. Myers, R. Ankney, A. Malpani, S. Galperin, and C. Adams, “X.509 Internet public key infrastructure online certificate status protocol – OCSP,” RFC 2560, IETF, 1999.