Further Observations on Certificate-Based Encryption and its Generic Construction from

Certificate-based encryption (CBE) is a new asymmetric encryption paradigm which was introduced to solve the certificate management problem in traditional public key encryption (PKE). It combines PKE and identity-based encryption (IBE) while preserving some of their most attractive features. CBE provides an efficient implicit certificate mechanism which eliminates third-party queries and simplifies the certificate revocation problem of the traditional public key infrastructure (PKI). It also solves the key escrow and key distribution problems inherent in IBE. In this paper, we introduce the key replacement attack and the malicious-but-passive certifier attack into CBE, and define a class of new security models for CBE under different security levels according to the power of the adversaries against CBE. Our new security models are more elaborate and stronger than the existing ones. Then, we propose a generic construction of CBE from certificateless public key encryption and prove its security under the proposed security models in the standard model. We also show a concrete conversion using the proposed generic construction.
 Key words: Certificate-based encryption, security model, generic construction, certificateless public key encryption, standard model.


INTRODUCTION
In traditional public key cryptography (PKC), cryptographic keys are generated randomly with no connection to users' identities. Therefore, it is infeasible to prove that a party is indeed the holder of a given public key. This problem can be solved by introducing public key certificates generated by a trusted third party called the certification authority (CA), which provide an unforgeable and trusted link between a public key and the identity of its holder. This kind of certificate system is referred to as the public key infrastructure (PKI). However, the need for PKI-supported certificates is considered the main difficulty in the deployment and management of traditional PKC. To simplify the management of public key certificates, Shamir (1984) introduced the concept of identity-based cryptography (IBC), in which the public key of each user is derived directly from its identity, such as an internet protocol (IP) address or an e-mail address, and the corresponding private key is generated by a trusted third party called the private key generator (PKG). Rather than obtaining the disparate public keys and certificates of its intended recipients separately, as is done in traditional PKC, a message sender who knows the identities of its recipients needs only to obtain the public parameters of the PKG. Therefore, the main practical benefit of IBC lies in the great reduction of the need for public key certificates. However, the PKG can generate the private keys of all its users, so private key escrow becomes an inherent problem in IBC. Moreover, private keys must be sent to the users over secure channels, which makes private key distribution a daunting task. To fill the gap between traditional PKC and IBC, Al-Riyami and Paterson (2003) proposed a new paradigm called certificateless public key cryptography (CL-PKC) in 2003. In CL-PKC, a trusted third party called the key generation center (KGC) is involved in the process of issuing a partial secret key for each user. The user independently generates its public/private key pair and combines the partial secret key from the KGC with its private key to generate the final decryption key. This way, the KGC does not know the decryption key of any user. Therefore, CL-PKC solves the key escrow problem inherent in IBC. However, due to the lack of a public key certificate to ensure the authenticity of the user's public key, it is important to assume that an adversary in a certificateless system can replace the user's public key with a false key of its choice, which is also known as a key replacement attack. Cryptographic protocols in certificateless systems are vulnerable to this kind of attack. Moreover, partial secret keys must be sent to the users over secure channels, so CL-PKC suffers from the same key distribution problem as IBC.

Abbreviations: CBE, certificate-based encryption; PKE, public key encryption; IBE, identity-based encryption; PKC, public key cryptography; CA, certification authority; PKI, public key infrastructure; IBC, identity-based cryptography; PKG, private key generator; IP, internet protocol; CL-PKC, certificateless public key cryptography; KGC, key generation center; DBDH, decisional bilinear Diffie-Hellman.
In Eurocrypt 2003, Gentry (2003) introduced the notion of certificate-based encryption (CBE), which combines identity-based encryption (IBE) and traditional PKI-supported public key encryption (PKE) while preserving some of their most attractive features. CBE provides an implicit certificate mechanism and allows a periodical update of certificate status. As in traditional PKE, each user generates his own public/private key pair and requests a certificate from a trusted third party, called the certifier. The certifier generates a certificate as in a traditional PKI and is responsible for pushing a fresh certificate only to the holder of the public key at the beginning of each time period. A certificate in CBE has all the functionalities of a traditional PKI certificate, and also acts as a partial decryption key. This additional functionality provides an implicit certificate mechanism, so that the sender is not required to obtain fresh information on certificate status and the recipient can decrypt the ciphertext only by using his private key along with an up-to-date certificate from his certifier. The implicit certificate feature allows us to eliminate third-party queries for the certificate status and to simplify the public key revocation problem, so that CBE does not need infrastructure such as CRLs and OCSP. Therefore, CBE can be used to construct a more efficient PKI requiring less infrastructure. Furthermore, there is neither a key escrow problem (since the certifier does not know the private keys of users) nor a key distribution problem (since the certificates need not be kept secret) in CBE.

Related work
Lu 3901
In the original work, Gentry (2003) constructed a CBE scheme in the random oracle model (Bellare and Rogaway, 1993) from the BF-IBE scheme (Boneh and Franklin, 2001). A subsequent paper by Yum and Lee (2004) provided a formal equivalence theorem among IBE, certificateless public key encryption (CL-PKE) (Al-Riyami and Paterson, 2003) and CBE, and showed that IBE implies both CBE and CL-PKE by giving generic constructions from IBE to those primitives. However, Galindo et al. (2006) pointed out that a dishonest authority could break the security of these generic constructions. Actually, these generic constructions were inherently flawed due to a naive use of double encryption without further treatment. Lu et al. (2008) solved this problem by using the Fujisaki-Okamoto (1999a, b) conversions and gave a method to achieve generic CCA-secure CBE constructions in the random oracle model. Two generic constructions of CBE without random oracles were also proposed in Lu and Li (2009). In 2005, Al-Riyami and Paterson (2005) gave an analysis of Gentry's (2003) CBE concept and repaired a number of problems in the original definitions for CBE. They also presented a generic conversion from CL-PKE to CBE and claimed that a secure CBE scheme could be constructed from any secure CL-PKE scheme using this conversion. Kang and Park (2005) pointed out that this conversion was incorrect due to a flaw in its security proof. Yum and Lee (2005) proposed a separable implicit certificate revocation system called status CBE to relieve the certifier's burden of certificate revocation, in which the authenticity of a public key is guaranteed by a long-lived certificate and the certificate revocation problem is resolved by a short-lived certificate. However, their status CBE scheme was shown by Park and Lee (2007) to be insecure under the key replacement attack. In 2006, Morillo and Ràfols (2006) proposed the first CBE scheme in the standard model from the Waters-IBE scheme (Waters, 2005) and the BB-IBE scheme (Boneh and Boyen, 2004). In 2008, Galindo et al. (2008) revised the CBE scheme in Morillo and Ràfols (2006) and proposed an improved scheme. Liu and Zhou (2008) also proposed another CBE scheme in the standard model from the Gentry-IBE scheme (Gentry, 2006). In 2009, Lu et al. (2009) proposed a quite efficient CBE scheme in the random oracle model from the SK-IBE scheme (Sakai and Kasahara, 2003; Chen and Cheng, 2005), which requires computing only one pairing in the decryption algorithm.

Contributions
The contributions of this paper are twofold. The first contribution is that we provide more reasonable and elaborate security models for CBE. Although Al-Riyami and Paterson (2005) repaired a number of problems in the original definition of the security model for CBE and proposed a revised one, the new definition is still not satisfactory. Inspired by the definitions of security models for CL-PKE (Dent, 2008) and CBS (Wu et al., 2009), we introduce the key replacement attack and the malicious-but-passive certifier attack into CBE, and define a class of new security models for CBE. We also divide these security models into different security levels according to the power of the adversaries against CBE, so that our definitions provide a systematic approach for analyzing the existing CBE schemes and constructing new ones. The second contribution is that we make a further investigation of the relationship between CBE and CL-PKE. As discussed in Al-Riyami and Paterson (2005), CBE and CL-PKE are two similar concepts and share some common features. Yum and Lee (2004) showed

Definition of certificate-based encryption
In a CBE scheme, a certificate generator, called the certifier, first generates the system parameters, including a master key and a list of public system parameters. The certifier uses the system parameters to generate certificates for users in the system. Users then generate their own public/private key pairs and contact the certifier to obtain the corresponding certificates. A user uses its private key together with the certificate from the certifier as the decryption key to decrypt the ciphertexts it receives. The following definition of CBE is modified from Al-Riyami and Paterson (2005), where the original definition given by Gentry (2003) τ used by the user id in the time period τ. However, we note that a concrete CBE scheme need not involve certificate consolidation. In this situation, the algorithm CB-Consolidate simply outputs CB-Cert'_τ = CB-Cert_τ. Since almost none of the existing CBE schemes use this algorithm, we also omit it in this paper.

Security models for certificate-based encryption
Roughly speaking, the security of a CBE scheme requires that a user with identity id can decrypt a valid ciphertext generated in the time period τ under the public key CB-PK if and only if he has the correct CB-SK and CB-Cert_τ. In other words, he cannot correctly recover the plaintext from a valid ciphertext with only CB-SK or only CB-Cert_τ.
In Al-Riyami and Paterson (2003, 2005) the security models for CBE are both defined by two types of adversaries, a Type-I adversary and a Type-II adversary, where the Type-I adversary models an uncertified client who does not hold a legitimate certificate and the Type-II adversary models a malicious certifier in possession of the master secret key. Different from the original security model in Gentry (2003), where the challenger against the Type-II adversary is allowed to work with multiple values of the public system parameters, the security model in Al-Riyami and Paterson (2005) requires that the public parameters and master key be fixed and supplied to the Type-II adversary at the beginning of the simulation. Kang and Park (2005) pointed out that this restriction is reasonable because a certifier does not change its public parameters frequently in practice. However, both of these security models may not be elaborate and strong enough for practical applications. For example, both security models require the Type-I adversary to provide a private key along with the corresponding public key in every decryption oracle query. This restriction enables the challenger to handle these decryption queries, but it is unnecessary and also restricts the ability of the Type-I adversary. Actually, the challenger can handle decryption queries using some special-purpose knowledge extractors without requiring the adversary to provide the private key. Besides this, neither of the two security models considers the key replacement attack. It may seem that the key replacement attack does not exist in CBE due to the use of certificates. However, in CBE only the owner needs to check the validity of its certificate, and other users need not. Therefore, such an attack actually does exist. A concrete example is the status CBE scheme proposed by Yum and Lee (2005), which Park and Lee (2007) showed to be insecure under the key replacement attack. Since a reasonable and elaborate security model is indispensable to the construction of provably secure cryptographic schemes, we should define a more reasonable and elaborate security model for CBE. Inspired by the improvements in the definitions of security notions for CL-PKE (Dent, 2008) and CBS (Wu et al., 2009), we define a class of new security models for CBE under different security levels according to the power of the adversaries against CBE. Our definitions abolish the unnecessary restrictions in the existing security models, and also introduce the key replacement attack and the malicious-but-passive certifier attack. In the following, we give the concrete definitions of these security models and also investigate the relationships among them.

Oracles
We first define the oracles that an adversary against CBE may access and how a challenger Χ should respond to each oracle query. We assume that Χ keeps a history of "query-answer" pairs while interacting with the adversary.
CB-RequestPublicKey: On input an identity id, the challenger Χ responds with the public key CB-PK for id. If the identity id has no associated public key, Χ generates a public key CB-PK for id by running CB-SetKeyPair.
CB-ReplacePublicKey: The adversary can repeatedly replace the public key of any entity with any value of its choice. On input an identity id and a value CB-PK', the challenger Χ replaces the current public key CB-PK with CB-PK'. Note that the current value of a user's public key
CB-StrongDecrypt: On input an index τ of a time period, an identity id and a ciphertext C, the challenger responds with the correct decryption of C, even if the public key for id has been replaced. This is a rather strong property for the security model of CBE; after all, the challenger may no longer know the correct corresponding private key. However, this capability may give the adversary more power in breaking the scheme. For further discussion of this feature (in the CL-PKE setting), see Al-Riyami and Paterson (2003).
CB-NormalDecrypt: On input an index τ of a time period, an identity id and a ciphertext C, the challenger Χ responds with the decryption of the ciphertext C using the original private key for id and the certificate for id in the time period τ. Note that the functionality of this oracle can be achieved by a strong decryption oracle.
CB-WeakDecrypt: On input an index τ of a time period, an identity id, a private key CB-SK and a ciphertext C, the challenger Χ responds with the decryption of the ciphertext C using CB-SK and the certificate for id in the time period τ. Note that the functionality of this oracle can also be achieved by a strong decryption oracle.

Type-I security
Sci. Res. Essays
The Type-I security model of CBE is designed to protect against an uncertified user who does not obtain a legitimate certificate from its certifier and is trying to gain some information about a message from its encryption. According to the attack power of such an adversary against CBE, we classify Type-I security into three levels: weak Type-I (wType-I) security, normal Type-I (nType-I) security and strong Type-I (sType-I) security.

Weak Type-I security
We first define the wType-I security model for CBE. This security notion is defined by the following weak IND-CB-CCA2 Game-I, in which the Type-I adversary A_I can neither replace any user's public key nor make strong decryption queries, but may request public keys and certificates, extract private keys and make normal or weak decryption queries:
Setup: The challenger Χ runs the algorithm CB-Setup(1^k, N) to generate a master key CB-msk and a list of public system parameters CB-params.

Definition 2
A CBE scheme is said to be wType-I secure if no probabilistic polynomial-time adversary has non-negligible advantage in winning the weak IND-CB-CCA2 Game-I.

Normal Type-I Security
Different from the wType-I security model, the nType-I security model gives the Type-I adversary the ability to replace the public keys of any users with values of its choice. However, it still prevents the adversary from querying the strong decryption oracle. This kind of security is defined by a normal IND-CB-CCA2 Game-I which is very similar to the weak IND-CB-CCA2 Game-I, but with the following two differences: A_I can query CB-ReplacePublicKey on any identity; A_I cannot query CB-ExtractPrivateKey on any identity whose public key has been replaced.

Definition 3
A CBE scheme is said to be nType-I secure if no probabilistic polynomial-time adversary has non-negligible advantage in winning the normal IND-CB-CCA2 Game-I.

Strong Type-I Security
Finally, we define the strongest Type-I security notion for CBE, namely sType-I security. In this security model, the adversary is allowed to query the strong decryption oracle. That is, the adversary is able to obtain the correct decryption of any ciphertext under a public key chosen by itself without providing the corresponding private key. The sType-I security is defined by a strong IND-CB-CCA2 Game-I which is very similar to the normal IND-CB-CCA2 Game-I, but with the following two differences: A_I can query the oracle CB-StrongDecrypt rather than CB-NormalDecrypt and CB-WeakDecrypt; A_I cannot query CB-StrongDecrypt(id*, τ*, C*).

Definition 4
A CBE scheme is said to be sType-I secure if no probabilistic polynomial-time adversary has non-negligible advantage in winning the strong IND-CB-CCA2 Game-I.

Type-II security
The Type-II security model for CBE is designed to protect against an honest-but-curious certifier who always generates its master key and the public system parameters honestly according to the scheme specification. Hence, a Type-II adversary in this security model is equipped with the master key and need not access the oracle CB-RequestCertificate, as it is able to compute these values by itself. As with Type-I security, Type-II security can also be classified into three levels: weak Type-II (wType-II) security, normal Type-II (nType-II) security and strong Type-II (sType-II) security.

Weak Type-II security
The wType-II security model for CBE is defined by the following weak IND-CB-CCA2 Game-II, in which the Type-II adversary A_II cannot replace any user's public key, but may request public keys, extract private keys and make normal decryption queries.
Setup: The challenger Χ runs the algorithm CB-Setup(1^k, N) to generate a master key CB-msk and a list of public system parameters CB-params.

Normal Type-II security
Different from the wType-II security model, the nType-II security model gives the Type-II adversary the ability to replace the public keys of any users with values of its choice, but it still prevents the adversary from querying the strong decryption oracle. This kind of security model is defined by a normal IND-CB-CCA2 Game-II which is very similar to the weak IND-CB-CCA2 Game-II, but with the following two differences: A_II cannot query CB-ExtractPrivateKey on any identity whose public key has been replaced; A_II cannot be challenged on an identity for which it has replaced the public key.

Definition 6
A CBE scheme is said to be nType-II secure if no probabilistic polynomial-time adversary has non-negligible advantage in winning the normal IND-CB-CCA2 Game-II.

Strong Type-II security
If, in the nType-II security model, the Type-II adversary is additionally allowed to query the strong decryption oracle, we obtain the sType-II security notion for CBE. The sType-II security is defined by a strong IND-CB-CCA2 Game-II which is very similar to the normal IND-CB-CCA2 Game-II, but with the following two differences: A_II can query CB-StrongDecrypt rather than CB-NormalDecrypt and CB-WeakDecrypt;

Definition 7
A CBE scheme is said to be sType-II secure if no probabilistic polynomial-time adversary has non-negligible advantage in winning the strong IND-CB-CCA2 Game-II.

Malicious-but-passive Type-II security
We now define a much stronger Type-II security model for CBE, namely the malicious-but-passive Type-II (mType-II) security model. This model is designed to protect against a malicious-but-passive certifier who may generate its master key and the public system parameters maliciously at the setup stage of the system, instead of generating them honestly according to the scheme specification and only later becoming malicious, as the honest-but-curious certifier in the Type-II security model does. So an adversary in this security model controls the generation of the master key and the public system parameters, and that of any user's certificate. The malicious-but-passive attack by the trusted third party was first introduced to the security of CL-PKC by Au et al. (2007), who showed that a malicious-but-passive KGC in some certificateless schemes such as Al-Riyami and Paterson (2003) can generate its master key and the public system parameters maliciously so that it can decrypt all ciphertexts in the system without knowing the users' private keys.
The general mType-II security model for CBE is expressed by the following malicious-but-passive IND-CB-CCA2 Game-II:
Setup: The challenger Χ invokes a malicious-but-passive Type-II adversary A_II on input 1^k and N. A_II returns a list of public system parameters CB-params to Χ. It is required that CB-params be computationally indistinguishable from the output of CB-Setup(1^k, N). At this stage, A_II is not allowed to query any oracle (the one exception is that, if the security analysis is done in the random oracle model, such an adversary may query the specified random oracles).
Phase 1: In this phase, A_II may have access to certain oracles according to its attack power.
Challenge: Once A_II decides that Phase 1 is over, it outputs an index τ* of a time period, an identity id* and two equal-length messages M_0, M_1 on which it wants to be challenged.
The advantage of A_II is defined to be:
As with Type-II security for CBE, we can also define three levels of mType-II security: weak mType-II (wmType-II) security, normal mType-II (nmType-II) security and strong mType-II (smType-II) security. Since these security notions can be defined in the same way as Type-II security, we omit the concrete definitions here.

Relation among security models for CBE
We now study the relations among the above security models for CBE. Firstly, according to the attack power of the adversaries in each security model, it is not difficult to deduce the following relations:
sType-I ⇒ nType-I ⇒ wType-I
sType-II ⇒ nType-II ⇒ wType-II
smType-II ⇒ nmType-II ∧ sType-II
nmType-II ⇒ wmType-II ∧ nType-II
wmType-II ⇒ wType-II
In the above, A ⇒ B denotes that a CBE scheme which is A secure must be B secure, and A ⇒ B ∧ C denotes that a CBE scheme which is A secure must be both B secure and C secure. It is clear that sType-I security and smType-II security are the strongest security levels that a CBE scheme could achieve.
We note that all the existing CBE schemes are proved secure using the common observational or black-box proof technique, which requires that an algorithm (also called a solver) uses an attacker as a subroutine in solving a mathematical problem. However, the following two theorems state that the black-box proof technique cannot be used to prove a CBE scheme both sType-I secure and smType-II (or sType-II) secure in the standard model.

Theorem 1
In the standard model, if there exists a black-box proof for the sType-I security of a CBE scheme, then that CBE scheme cannot be nmType-II secure.
Proof: Assume that there exists a CBE scheme which is sType-I secure. Then there exists a PPT challenger Χ_I for the strong IND-CB-CCA2 Game-I such that Χ_I successfully simulates the strong IND-CB-CCA2 Game-I with overwhelming probability and no sType-I adversary wins the game with non-negligible advantage. According to Definition 4, Χ_I provides the following oracles: CB-RequestPublicKey, CB-RequestCertificate, CB-ReplacePublicKey, CB-ExtractPrivateKey, and CB-StrongDecrypt. We show how to construct a PPT nmType-II adversary A_II that wins the normal and malicious-but-passive IND-CB-CCA2 Game-II with non-negligible advantage by interacting with Χ_I, as follows.
At the beginning of the normal and malicious-but-passive IND-CB-CCA2 Game-II, the challenger Χ_II invokes A_II on input 1^k and N. A_II invokes Χ_I on input 1^k and N to get CB-params, and then returns CB-params to Χ_II.
A_II randomly chooses an identity id* and queries CB-RequestPublicKey(id*) to Χ_II. Let the public key returned by Χ_II be CB-PK*.
A_II randomly chooses an index τ* of a time period, then queries CB-RequestPublicKey(id*), CB-RequestCertificate(τ*, id*) and CB-ReplacePublicKey(id*, CB-PK*) to Χ_I respectively. A_II randomly chooses two equal-length messages M_0, M_1 and submits (τ*, id*, M_0, M_1) to Χ_II as its challenge output. Suppose that the returned challenge ciphertext is C*.
Since Χ_I successfully simulates the strong IND-CB-CCA2 Game-I with overwhelming probability, Χ_I will simulate the strong decryption oracle successfully and, with overwhelming probability, output the correct message M* = M_b in response to the strong decryption query made by A_II. Hence, A_II will output the right answer with non-negligible probability. This proves that the advantage of A_II in the normal and malicious-but-passive IND-CB-CCA2 Game-II is non-negligible.
The above theorem shows that sType-I security and nmType-II security cannot co-exist in any CBE scheme without random oracles under a black-box proof.
Since smType-II security implies nmType-II security, sType-I security and smType-II security also cannot co-exist in any CBE scheme without random oracles under a black-box proof.
Similarly, an sType-I challenger must be an nType-II attacker in the standard model. That is, sType-I security and sType-II security also cannot co-exist in any CBE scheme in the standard model.

Theorem 2
In the standard model, if there exists a black-box proof for the sType-I security of a CBE scheme, then it cannot be nType-II secure.
Proof: The proof of this theorem is similar to that of Theorem 1 with only minor modifications, and hence is omitted.
Remark 3: It should be noted that we may prove a CBE scheme to be both sType-I secure and smType-II secure (or sType-II secure) in the random oracle model using the black-box security proof technique. For example, the CBE scheme in Lu and Li (2010) is proved to be sType-I secure and sType-II secure in the random oracle model. This result does not contradict our conclusions above. After all, the game challenger in the random oracle model is always assumed to have full control of some specified random oracles, while the one in the standard model has no such power.
Remark 4: The game hopping proof technique (Bellare and Rogaway, 2006; Shoup, 2004) may be used to prove a CBE scheme to be both sType-I secure and smType-II secure (or sType-II secure) in the standard model. Recently, Dent et al. (2008) successfully used this proof technique to prove their CL-PKE scheme to be both strong Type-I and Type-II secure in the standard model. This makes us believe that sType-I security and smType-II (or sType-II) security can co-exist in a CBE scheme without random oracles under a game hopping proof.

Generic construction of CBE from CL-PKE
In this section, a new generic construction of CBE from CL-PKE is proposed, and the security of the CBE scheme obtained from the construction is proved under the different security levels defined above.

Syntax of CL-PKE
In the original work (Al-Riyami and Paterson, 2003), a CL-PKE scheme is defined by seven algorithms (CL-Setup, CL-PartialKeyExtract, CL-SetSecretValue, CL-SetPrivateKey, CL-SetPublicKey, CL-Encrypt, and CL-Decrypt) such that:
CL-Setup: On input a security parameter k, it returns a master key CL-msk and a list of public system parameters CL-params that include the descriptions of a finite identity information space IDSPC_CL, a finite plaintext space MSPC_CL and a finite ciphertext space CSPC_CL.

Let Π_CL = (CL-Setup, CL-PartialKeyGen, CL-UserKeyGen, CL-Encrypt, CL-Decrypt) be a five-algorithm CL-PKE scheme as described above. Then, a CBE scheme Π_CB = (CB-Setup, CB-SetKeyPair, CB-Certify, CB-Encrypt, CB-Decrypt) can be generically constructed from the scheme Π_CL (Figure 1). Figure 1 shows the generic construction of CBE from the scheme Π_CL; the algorithms CL-UserKeyGen and CL-PartialKeyGen generate the public/private key pair and the certificate of the CBE scheme Π_CB respectively. The message and ciphertext spaces of the scheme Π_CB are the same as those of the scheme Π_CL. Furthermore, the identities in the scheme Π_CL are of the form id||τ||CB-PK; that is, the identity information space IDSPC_CL of Π_CL is equal to IDSPC_CB × {0,1}^l × PKSPC_CB, where l is the smallest integer such that N ≤ 2^l and PKSPC_CB is the public key space of Π_CB. We note that, in a practical conversion, a collision-resistant hash function may be used to map IDSPC_CB × {0,1}^l × PKSPC_CB to a space of binary strings of reasonable length, which then serves as the identity information space of the CL-PKE scheme, in order to reduce the complexity of the resulting CBE scheme. Here, we take IDSPC_CB × {0,1}^l × PKSPC_CB as the identity information space of Π_CL directly only to simplify the security proof of the resulting CBE scheme Π_CB. The following theorems state our conclusions about the relationships between the resulting CBE scheme Π_CB and the underlying CL-PKE scheme Π_CL. We refer the reader to Dent (2008) and Au et al. (2007) for the security definitions of CL-PKE.
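The following Python is an added illustration, not code from the paper: it wires the five CBE algorithms onto a CL-PKE exactly as the construction above prescribes, forming the CL identity as id||τ||CB-PK with τ as an l-bit string. The CL-PKE underneath is a deliberately minimal hashed-ElGamal-style stand-in of my own over constructed toy parameters (the Mersenne prime 2^127 - 1, not a group to deploy), whose only relevant property is that the partial key is tied to the identity string, so the demo shows that a certificate issued for (id, τ, CB-PK) is useless against a ciphertext formed under a different period or under a replaced public key.

```python
import hashlib
import hmac
import secrets

# Constructed toy parameters for the stand-in CL-PKE (this example's assumption, not a
# group to deploy): Mersenne prime p = 2^127 - 1, base g = 3, exponents mod p - 1.
P = 2**127 - 1
G = 3
ORDER = P - 1
WIDTH = 16  # bytes per element of Z_p

def hash_to_scalar(identity):
    # Collision-resistant hash of the identity string to a non-zero exponent.
    return int.from_bytes(hashlib.sha256(identity).digest(), "big") % (ORDER - 1) + 1

def kdf(shared, c1, identity, n):
    # n-byte keystream plus 32-byte MAC key, bound to c1 and the identity.
    out = hashlib.shake_256(shared.to_bytes(WIDTH, "big") + c1.to_bytes(WIDTH, "big") + identity).digest(n + 32)
    return out[:n], out[n:]

# ---- Stand-in CL-PKE in the five-algorithm syntax the paper uses ----

def cl_setup():
    s = secrets.randbelow(ORDER - 1) + 1                          # master key CL-msk
    return s, {"p": P, "g": G, "y": pow(G, s, P)}                 # CL-params

def cl_user_key_gen(params):
    x = secrets.randbelow(ORDER - 1) + 1                          # user's secret value
    return x, pow(params["g"], x, params["p"])                    # (private key, public key)

def cl_partial_key_gen(params, msk, identity):
    # d = s * H(ID). Since g^d = y^H(ID) is computable from public data, d need not be
    # kept secret, which is what lets it serve as a CBE certificate.
    return msk * hash_to_scalar(identity) % ORDER

def cl_encrypt(params, identity, pk, msg):
    p, g, y = params["p"], params["g"], params["y"]
    combined = pk * pow(y, hash_to_scalar(identity), p) % p       # g^(x + d)
    r = secrets.randbelow(ORDER - 1) + 1
    c1 = pow(g, r, p)
    ks, mk = kdf(pow(combined, r, p), c1, identity, len(msg))
    c2 = bytes(a ^ b for a, b in zip(msg, ks))
    tag = hmac.new(mk, c1.to_bytes(WIDTH, "big") + c2, "sha256").digest()
    return c1, c2, tag

def cl_decrypt(params, identity, sk, cipher):
    x, d = sk                                                     # full private key
    c1, c2, tag = cipher
    ks, mk = kdf(pow(c1, (x + d) % ORDER, params["p"]), c1, identity, len(c2))
    expect = hmac.new(mk, c1.to_bytes(WIDTH, "big") + c2, "sha256").digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("ciphertext does not verify under this identity and key")
    return bytes(a ^ b for a, b in zip(c2, ks))

# ---- Generic CBE from CL-PKE (the Figure 1 wiring): CL identity = id || tau || CB-PK ----

def cl_identity(params, tau, cb_id, cb_pk):
    # Length-prefixed id, tau as an l-bit string, fixed-width public key: the delimiting
    # is this example's choice, made so that no two (id, tau, pk) triples collide.
    if not 0 <= tau < params["N"]:
        raise ValueError("time period index out of range")
    tau_bits = format(tau, "b").zfill(params["l"]) if params["l"] else ""
    return len(cb_id).to_bytes(2, "big") + cb_id + tau_bits.encode() + cb_pk.to_bytes(WIDTH, "big")

def cb_setup(N):
    msk, params = cl_setup()
    return msk, dict(params, N=N, l=(N - 1).bit_length())         # smallest l with N <= 2^l

cb_set_key_pair = cl_user_key_gen                                 # CB-SetKeyPair is CL-UserKeyGen

def cb_certify(params, msk, tau, cb_id, cb_pk):
    return cl_partial_key_gen(params, msk, cl_identity(params, tau, cb_id, cb_pk))

def cb_encrypt(params, tau, cb_id, cb_pk, msg):
    return cl_encrypt(params, cl_identity(params, tau, cb_id, cb_pk), cb_pk, msg)

def cb_decrypt(params, tau, cb_id, cb_pk, cb_sk, cert, cipher):
    return cl_decrypt(params, cl_identity(params, tau, cb_id, cb_pk), (cb_sk, cert), cipher)

def demo():
    # Round trip, then two cases the binding of tau and CB-PK into the identity rejects.
    msk, params = cb_setup(N=365)
    uid = b"alice@example.org"                                    # constructed sample identity
    sk, pk = cb_set_key_pair(params)
    cert = cb_certify(params, msk, 41, uid, pk)                   # certificate for period 41

    def opens(tau, pk_enc, sk_dec):
        ct = cb_encrypt(params, tau, uid, pk_enc, b"quarterly report")
        try:
            return cb_decrypt(params, tau, uid, pk_enc, sk_dec, cert, ct) == b"quarterly report"
        except ValueError:
            return False

    other_sk, other_pk = cb_set_key_pair(params)                  # a substituted public key
    return {"round_trip": opens(41, pk, sk),
            "stale_certificate": opens(42, pk, sk),               # wrong period: rejected
            "replaced_key": opens(41, other_pk, other_sk)}        # cert bound to pk: rejected
```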

Theorem 3
Suppose that the CL-PKE scheme Π_CL is strong Type-I† secure (respectively, weak Type-Ia† secure). Then the CBE scheme Π_CB from the above generic construction is sType-I secure (respectively, nType-I secure).
Proof: Let A_I be an sType-I adversary against the CBE scheme Π_CB with advantage ε. We show how to make

Finally, Event 4 can happen only if A_I queries CB-StrongDecrypt(τ*, id*, C*). However, A_I is forbidden from making such a decryption query in the strong IND-CB-CCA2 Game-I, so this event never occurs in B_I's simulation.
To summarize, B_I never aborts during the simulation and provides a perfect simulation of the challenger against A_I in the strong IND-CB-CCA2 Game-I. Thus, it has advantage ε in guessing b. Since Π_CL is a strong Type-I† secure CL-PKE scheme, Π_CB is an sType-I secure CBE scheme. Similarly, we can prove that an nType-I adversary against Π_CB can be used to construct a weak Type-Ia† adversary against the scheme Π_CL. This completes the proof of the theorem.

Theorem 4
Suppose that the CL-PKE scheme Π CL is strong and malicious-but-passive Type-II † secure (respectively, weak and malicious-but-passive Type-II † secure), then the CBE scheme Π CB from the above generic construction is smType-II secure (respectively, nmType-II secure).Proof: Let Α II be a smType-II adversary against the scheme Π CB with advantage ε.We show how to make It outputs CB-params to Α I .Phase 1: Upon receiving CB-params, Α I queries the oracles CB-Request Public Key, CB-Request Certificate, CB-Extract Private Key, and CB-Normal Decrypt or CB-Weak Decrypt in an adaptive manner.Challenge: Once Α I decides that Phase 1 is over, it outputs an index τ * of a time period, an identity id * and two equal length messages M 0 , M 1 , on which it wants to be challenged.The challenger Χ randomly chooses a bit b ∈ {0, 1}, computes C * = CB-Encrypt (CB-params, τ * , id * , CB-PK * , M b ), and then outputs C * as the challenge ciphertext to Α I .Phase 2: Α I issue a second sequence of queries as in Phase 1. Guess: Finally, Α I outputs a guess b ' ∈ {0, 1} and wins the game if b = b ' .The restrictions are that: (1) Α I cannot query Request Certificate (τ

A
It outputs CB-msk and CB-params to Α II .Phase 1: Upon receiving CB-msk and CB-params, Α II starts Α II decides the Phase 1 is over, it outputs an index τ * of a time period, an identity id * and two equal length messages M 0 , M 1 , on which it wants to be challenged.The challenger Χ randomly chooses a bit b ∈ {0, 1}, computes C * = CB-Encrypt (CB-params, τ * , id * , CB-PK * , M b ), and then outputs C * as the challenge ciphertext to Α II .Phase 2: Α II issues a second sequence of queries as in Phase 1. Guess: Finally, Α II outputs a guess b ' ∈ {0, 1} and wins the game if b = b ' .The restrictions are that: (1) Α II cannot query CB-ExtractPrivateKey(id * ); (2) Α II cannot query CB-NormalDecrypt (id * , τ * , C * ).The advantage of Α II in this game is defined to be; Adv(Α II ) = |Pr[b = b ' CBE scheme is wType-II secure if no probabilistic and polynomial-time adversary can have non-negligible advantage in winning the above weak IND-CB-CCA2 Game-II.

Figure 1 .
Figure 1.Shows the generic construction of CBE from the scheme CL-PKE.
use of the adversary Α I to construct a strong Type-I † adversary Β I against the CL-PKE scheme Π CL with the same advantageε.Let Χ be the challenger against Β I in the strong IND-CL-CCA2 Game-I, who provides Β I with following oracles: CL-RequestPublicKey(ID): return the public key for the identity ID.CL-ReplacePublicKey(ID, CL-PK ' ): replace the current public key of the identity ID with the value CL-PK ' .CL-ExtractSecretKey(ID): return the secret key (value) for the identity ID.CL-ExtractPartialKey(ID): return the partial private key for the identity ID.CL-StrongDecrypt(ID, C): return the correct decryption of C.After given the public system parameters CL-params by Χ, Β I simulates the challenger in the strong IND-CB-CCA2 Game-I and interacts with Α I as follows: Setup: Β I forward CL-params as CB-params to Α I .Phase 1: Upon receiving CB-params, Α I quires onto the oracles CB-RequestPublicKey, CB-RequestCertificate, CB-ExtractPrivateKey, CB-ReplacePublicKey and CB-StrongDecrypt in an adaptive manner.Β I responds as follows: CB-RequestPublicKey(id): On receiving such a query, Β I first extends the identity id to a valid identity ID = id0 m in CL-PKE by inserting a suffix consisting of m zeros to the identity id, where m = l + |PKSPC CB |.We assume that Β I always uses the same method to extend an identity in Π CB to a valid identity in Π CL in the following simulation.Then Β I queries CL-RequestPublicKey(ID) to Χ and returns Χ's respond to Α I .CB-ReplacePublicKey(id, CB-PK ' ): On receiving such a query, Β I makes a public key replace query CL-ReplacePublicKey(ID, CB-PK ' ) to Χ to replace the public key of the identity ID with the value CB-PK ' .CB-RequestCertificate(id, τ): On receiving such a query, Β I first queries CL-RequestPublicKey(ID) to obtain a public key CL-PK for the identity ID, sets ID ' = id||τ||CB-PK and queries CL-ReplacePublicKey (ID ' , CB-PK) to replace the public key of the identity ID with CB-PK.Then, it queries CL-ExtractPartialKey(ID 
' ) to Χ and returns Χ's response to Α I .CB-ExtractPrivateKey(id): On receiving such a query, Β I queries CL-ExtractSecretKey(ID) to Χ.If Χ responds with a secret key, then Β I returns Χ's response to Α I .Otherwise, if Χ rejects its query, namely that the public key for ID has been replaced, then Β I rejects Α I 's query too.CB-StrongDecrypt(τ, id, C): On receiving such a query, Β I first queries CL-RequestPublicKey(ID) to obtain a public key CL-PK for the identity ID, sets ID ' = id||τ||CB-PK and queries CL-ReplacePublicKey(ID ' , CB-PK) to replace the public key of the identity ID ' with CL-PK.Then, it queries CL-StrongDecrypt(ID ' , C) to Χ and returns Χ's response to Α I .Lu 3909 Challenge: Once Α I decides that Phase 1 is over, it outputs an index τ * of a time period, an identity id * and two equal length messages M 0 , M 1 , on which it wants to be challenged.Β I first queries CL-RequestPublicKey(ID * ) to obtain a public key CL-PK * for the identity ID * , then queries CL-ReplacePublicKey(id * ||τ * ||CL-PK * , CL-PK * ) to replace the public key of the identity id * ||τ * ||CL-PK * with CL-PK * .After that, it terminates Phase 1 of the strong IND-CL-CCA2 Game-I and submits (id * ||τ * ||CL-PK * , M 0 , M 1 ) to Χ to enter its challenge phase.The latter responds with a challenge ciphertext C * = CL-Encrypt (CL-params, id||τ||CL-PK * , CL-PK * , M b ) for a random bit b ∈ {0,1}.Β I forwards C * to Α I as the challenge ciphertext in the strong IND-CB-CCA2 Game-I.Phase 2: Α I issues a second sequence of queries as in Phase 1, with the restrictions specified in Definition 4. Guess: Finally, Α I outputs a guess b ' ∈ {0,1} for b, and Β I outputs the same bit to Χ. 
Now, we calculated Β I 's advantage of outputting the right bit in the above game.Firstly, it is obvious that if Β I does not abort during the simulation, then Α I 's view is adventitial to its view in the real attack.So, if Β I does not abort, we have that |Pr[b = b ' ] -1 2 | = ε.Next, we analyze the probability that Β I does not abort during the simulation.According to the definition of the strong Type-I † security of CL-PKE(Dent, 2008), Β I may abort when one of the following four events happens: Event 1: Β I is forced to query both the oracles CL- scheme Π CL with the same advantage ε.Let Χ be the challenger against Β II in the strong and malicious-butpassive IND-CL-CCA2 Game-II.Χ invokes Β II on input 1 k to begin the strong and malicious-but-passive IND-CL-CCA2 Game-II.Β II simulates the challenger in the strong IND-CB-CCA2 Game-II and interacts with Α II as follows: Setup:Β II invokes Α II on input (1 k , N)and obtains a list of public parameters CB-params.Β II forwards CB-params as CL-params to Χ.Note that Χ provides Β II with oracles CL-RequestPublicKey, CL-ReplacePublicKey, CL-ExtractSecretKey, CL-StrongDecrypt, which are defined as same as in the proof of Theorem 3. Phase 1: In this phase, Α II queries onto the oracles CB-RequestPublicKey, CB-ExtractPrivateKey, CB-ReplacePublicKey and CB-StrongDecrypt in an adaptive manner.Β II responds as in the proof of Theorem 3. 
Challenge: Once Α II decides that Phase 1 is over, it outputs an index τ * of a time period, an identity id * and two equal length messages M 0 , M 1 , on which it wants to be challenged.Β II first queries CL-RequestPublicKey (ID * ) to obtain a public key CL-PK * for the identity ID * , then queries CL-ReplacePublicKey(id * ||τ * ||CL-PK * , CL-PK * ) to Lu  3903is used by Χ in any computations or responses to the adversary's requests.This oracle models the adversary's ability to convince a legitimate user to use an invalid public key and enables our security models to capture the public key replacement attack.CB-ExtractPrivateKey: On input, an identity (id), the challenger Χ responds with the private key CB-SK for id.If the identity (id) has no associated private key, then Χ generates a private key CB-SK for id by running the algorithm CB-SetKeyPair.However, it is unreasonable to expect Χ to be able to respond to such a query if the public key CB-PK for id has already been replaced.
τ for id in the time period τ.If the identity (id) has no associated certificate in the time period τ, then Χ generates CB-Cert τ by running CB-Certify.CB-Decrypt: Considering the different levels of the decrypting power the challenger Χ may have, the decryption oracle can be divided into the following three types: before the challenge phase and CL-ExtractPartialKey on the challenge identity id * ||τ * ||CL-PK * .Event 4: Β I is forced to query CL-StrongDecrypt on the challenge ciphertext C * for the challenge identity id PK * is an identity which never appears in the identity information space of the scheme Π CB .Secondly, Event 2 can happen only if Α I query CB-ExtractPrivateKey on an identity which has replaced the public key.However, Α I is forbidden from querying such query in the strong IND-CB-CCA2 Game-I.So this event never occurs in Β I 's simulation.Thirdly, Event 3 can happen only if Α I query CB-RequestCertificate (id * , τ * ).But this is exactly the certificate query which Α I is forbidden from making in the strong IND-CB-CCA2 Game-I.So this event never occurs in Β I 's simulation.
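As an added illustration (not part of the paper, and not a cryptographic implementation), the following Python model makes the two mechanical parts of the above argument executable: the identity encoding id||τ||CB-PK of the generic construction together with the suffix extension id||0^m that Β_I uses in the proof of Theorem 3, and the translation of each CB oracle query of Α_I into CL oracle queries to Χ. Χ is replaced by an idealised challenger that does no encryption at all (a ciphertext is a random token that the strong decryption oracle looks up again) and only keeps the oracle state needed to raise Abort when one of the restrictions of the strong Type-I game is hit. Everything beyond the proof text is an assumption of the example: the fixed 32-byte public key space, rounding l up to whole bytes, treating the all-zero string as an invalid public key, the exact form of the restrictions (Event 1 is modelled as the secret value and the partial key of the challenge identity both being extracted, Event 3 as a partial key extraction for a challenge identity whose key was replaced before the challenge) and the two constructed identities. The hash-compressed identity variant is not modelled.

```python
import hashlib
import os

PK_LEN = 32  # public keys are fixed-length byte strings (assumption of this example)

class Abort(Exception): "X would refuse the query, so the reduction B_I would have to abort."
class Forbidden(Exception): "A query the sType-I adversary A_I may not make (Definition 4)."

def period_bytes(N):  # l = smallest integer with N <= 2**l, rounded up to whole bytes here
    return max(1, ((N - 1).bit_length() + 7) // 8)

def cl_identity(id_, tau, pk, N):  # the CL identity id||tau||PK of the construction
    assert 0 <= tau < N and len(pk) == PK_LEN
    return id_ + tau.to_bytes(period_bytes(N), "big") + pk

def extended_identity(id_, N):  # B_I's id||0^m with m = l + |PK| (an all-zero PK is assumed invalid)
    return id_ + b"\x00" * (period_bytes(N) + PK_LEN)

class MockCLChallenger:  # idealised strong Type-I challenger X: oracle bookkeeping, no real encryption
    def __init__(self):
        self.pk, self.table, self.challenge_id, self.challenge_ct = {}, {}, None, None
        self.replaced, self.secret_extracted, self.partial_extracted = set(), set(), set()
        self.replaced_before_challenge = set()
    def request_public_key(self, ID):
        return self.pk.setdefault(ID, os.urandom(PK_LEN))
    def replace_public_key(self, ID, new_pk):
        self.pk[ID] = new_pk
        self.replaced.add(ID)
    def extract_secret_key(self, ID):
        if ID in self.replaced:
            raise Abort("Event 2: secret value of an identity whose public key was replaced")
        self.secret_extracted.add(ID)
        self._check()
        return b"sk:" + hashlib.sha256(ID).digest()  # stand-in for the secret value
    def extract_partial_key(self, ID):
        self.partial_extracted.add(ID)
        self._check()
        return b"d:" + hashlib.sha256(ID).digest()  # stand-in for the partial key
    def encrypt(self, ID, m):  # a ciphertext is a random token that strong_decrypt looks up again
        C = os.urandom(16)
        self.table[(ID, C)] = m
        return C
    def challenge(self, ID, m0, m1):
        self.challenge_id, self.replaced_before_challenge = ID, set(self.replaced)
        self._check()
        self.challenge_ct = self.encrypt(ID, (m0, m1)[os.urandom(1)[0] & 1])
        return self.challenge_ct
    def strong_decrypt(self, ID, C):
        if (ID, C) == (self.challenge_id, self.challenge_ct):
            raise Abort("Event 4: decryption of the challenge ciphertext")
        return self.table.get((ID, C))
    def _check(self):  # Events 1 and 3 as modelled in this example (see lead-in)
        ID = self.challenge_id
        if ID in self.secret_extracted and ID in self.partial_extracted:
            raise Abort("Event 1: secret value and partial key of the challenge identity")
        if ID in self.replaced_before_challenge and ID in self.partial_extracted:
            raise Abort("Event 3: key replaced before the challenge, then partial key extracted")

class SimulatorBI:  # B_I of the Theorem 3 proof: each CB query of A_I becomes CL queries to X
    def __init__(self, X, N):
        self.X, self.N, self.replaced_ids, self.target = X, N, set(), None
    def _bind(self, id_, tau):  # ID' = id||tau||CL-PK, and the public key of ID' is set to CL-PK
        pk = self.X.request_public_key(extended_identity(id_, self.N))
        ID2 = cl_identity(id_, tau, pk, self.N)
        self.X.replace_public_key(ID2, pk)
        return ID2
    def cb_replace_public_key(self, id_, new_pk):
        self.replaced_ids.add(id_)
        self.X.replace_public_key(extended_identity(id_, self.N), new_pk)
    def cb_request_certificate(self, id_, tau):
        if self.target and self.target[:2] == (tau, id_):
            raise Forbidden("certificate for (id*, tau*)")
        return self.X.extract_partial_key(self._bind(id_, tau))
    def cb_extract_private_key(self, id_):
        if id_ in self.replaced_ids:
            raise Forbidden("private key of an identity whose public key was replaced")
        return self.X.extract_secret_key(extended_identity(id_, self.N))
    def cb_strong_decrypt(self, tau, id_, C):
        if self.target == (tau, id_, C):
            raise Forbidden("decryption of the challenge ciphertext")
        return self.X.strong_decrypt(self._bind(id_, tau), C)
    def cb_challenge(self, tau, id_, m0, m1):
        self.challenge_cl_id = self._bind(id_, tau)
        self.target = (tau, id_, self.X.challenge(self.challenge_cl_id, m0, m1))
        return self.target[2]

def raises(fn, *args):  # name of the exception fn(*args) raises, or None
    try:
        fn(*args)
    except (Abort, Forbidden) as e:
        return type(e).__name__

def run_game(N=8):  # a legal sType-I transcript (constructed identities), then the forbidden queries
    X = MockCLChallenger()
    B = SimulatorBI(X, N)
    alice, bob = b"alice@example.org", b"bob@example.org"
    B.cb_extract_private_key(alice)     # allowed: only the certificate of id* is withheld
    B.cb_request_certificate(alice, 2)  # allowed: a period other than tau* = 5
    B.cb_replace_public_key(bob, b"\x01" * PK_LEN)
    C_star = B.cb_challenge(5, alice, b"m0", b"m1")
    other = X.encrypt(B.challenge_cl_id, b"m2")  # a non-challenge ciphertext for id*
    return {"decrypted": B.cb_strong_decrypt(5, alice, other),
            "challenge_id_is_not_extended_id": B.challenge_cl_id != extended_identity(alice, N),
            "certificate_for_target": raises(B.cb_request_certificate, alice, 5),
            "private_key_after_replace": raises(B.cb_extract_private_key, bob),
            "decrypt_challenge": raises(B.cb_strong_decrypt, 5, alice, C_star),
            "x_event_2_if_bypassed": raises(X.extract_secret_key, extended_identity(bob, N)),
            "x_event_4_if_bypassed": raises(X.strong_decrypt, B.challenge_cl_id, C_star)}
```

run_game() plays the legal transcript first: Α_I obtains the private key of id* and a certificate for id* in another period, replaces another user's public key, is challenged, and then decrypts a non-challenge ciphertext for id*, without Χ ever aborting; the challenge identity id*||τ*||CL-PK* also differs from the extended identity id*||0^m on which the secret value was extracted, which is the shape of the Event 1 argument. The three forbidden CB queries are stopped by Β_I before they reach Χ; the two *_if_bypassed entries query Χ directly to show the abort that Β_I's checks prevent.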