KDM Security for Identity-Based Encryption: Constructions and Separations

For encryption schemes, key dependent message (KDM) security requires that ciphertexts preserve secrecy even when the encrypt messages may depend on the secret keys. While KDM security has been extensively studied for public-key encryption (PKE), it receives much less attention in the setting of identity-based encryption (IBE). In this work, we focus on the KDM security for IBE. Our results are threefold. • We propose an exquisite structure-preserving PKE-to-IBE transformation via indistinguishability obfuscation and puncturable PRF. This transformation establishes a connection between PKE and IBE in general. In particular, it provides a liberal interface for transferring the KDM security results (either positive or negative) from PKE to IBE, though in the selective-identity sense. • On the positive side, we present two constructions that achieve KDM security in the adaptive-identity sense for the first time. One is generically built from identity-based hash proof system (IB-HPS) with homomorphic property, which indicates that the IBE schemes of Gentry (Eurocrypt 2006), Coron (DCC 2009), Chow et al. (CCS 2010) are actually KDM-secure in the multiple-key setting. The other is built from indistinguishability obfuscation and a new notion named puncturable unique signature, which is bounded KDM-secure in the single-key setting. • On the negative side, we separate n-circular security (which is a prototypical case of KDM security) from the standard IND-CPA/CCA security for IBE by giving a counterexample based on differing-inputs obfuscation and a new notion named puncturable IBE.