Fully Secure Accountable-Authority Identity-Based Encryption

The problem of trust is one of the biggest concerns in any identity-based infrastructure where the key-generation authority (called the PKG) must choose secret keys for participants and therefore be highly trusted by all parties. While some abilities of the PKG are intrinsic to this setting, reducing this trust as much as possible is beneficial to both user and authority as the less trust is placed in it, the less an honest authority can be accused of abusing that trust. Goyal (CRYPTO 2007) defined the notion of Accountable-Authority IBE in which a dishonest PKG who had leaked a user’s private key could be proven guilty. Later, Goyal et al. (CCS 2008) asked whether it would be possible to implicate a PKG who produced an unauthorized decoder box, enabling decryption with a noticeable probability but which may not actually grant access to a well-formed key. Formally, would it be possible for a tracing algorithm to implicate a dishonest PKG given only black-box access to such a decoder? Goyal et al. could only provide such a scheme in the weaker setting of selective security, where an adversary must declare at the start of the game which identity it intends to target. In this work, we provide the first fully secure accountable-authority IBE scheme. We prove security from the standard DBDH assumption while losing none of the functionality or security of the original proposal.