Building Key-Private Public-Key Encryption Schemes

In the setting of identity-based encryption with multiple trusted authorities, TA anonymity formally models the inability of an adversary to distinguish two ciphertexts corresponding to the same message and identity, but generated using different TA master public-keys. This security property has applications in the prevention of traffic analysis in coalition networking environments. In this paper, we examine the implications of TA anonymity for key-privacy for normal public-key encryption (PKE) schemes. Key-privacy for PKE captures the requirement that ciphertexts should not leak any information about the public-keys used to perform encryptions. Thus key-privacy guarantees recipient anonymity for a PKE scheme. Canetti, Halevi and Katz (CHK) gave a generic transform which constructs an IND-CCA secure PKE scheme using an identitybased encryption (IBE) scheme that is selective-id IND-CPA secure and a strongly secure one-time signature scheme. Their transform works in the standard model (i.e. does not require the use of random oracles). Here, we prove that if the underlying IBE scheme in the CHK transform is TA anonymous, then the resulting PKE scheme enjoys key-privacy. Whilst IND-CCA secure, key-private PKE schemes are already known in the standard-model, our result gives the first generic method of constructing a key-private PKE scheme in the standard model. We then go on to investigate the TA anonymity of multi-TA versions of well-known standardmodel secure IBE schemes. In particular, we prove the TA anonymity and selective-id IND-CPA security of a multi-TA version of Gentry’s IBE scheme. Applying the CHK transform, we obtain a new, efficient keyprivate, IND-CCA secure PKE scheme in the standard model.