International Association for Cryptologic Research



Caroline Kudla


On Proofs of Security for Certificateless Cryptosystems
Alexander W. Dent, Caroline Kudla
Certificateless public-key encryption has recently been proposed as an attractive alternative to certificate-based and identity-based encryption schemes. The attraction of certificateless PKE is that it combines the implicit public key authentication of an identity-based scheme with the escrow-free property of a certificate-based scheme. However, all the certificateless schemes that have thus far been presented have either had their security proved in a reduced security model, or have relied on the random oracle model. Indeed, some authors have gone as far as suggesting that it is impossible to prove the full security of a certificateless scheme in the standard model. This paper examines this claim and comes to the conclusion that, while some provable security techniques may be denied to us, there is no reason why the security of a certificateless scheme cannot be proven in the standard model.
Identity Based Authenticated Key Agreement Protocols from Pairings
Liqun Chen, Caroline Kudla
We investigate a number of issues related to identity based authenticated key agreement protocols using the Weil or Tate pairings. These issues include how to make protocols efficient; how to avoid key escrow by a Trust Authority (TA) who issues identity based private keys for users, and how to allow users to use different Trusted Authorities. We describe a few authenticated key agreement (AK) protocols and AK with key confirmation (AKC) protocols which are modified from Smart's AK protocol. We study the security of these protocols heuristically and using provable security methods. In addition, we prove that our AK protocol is immune to key compromise impersonation attacks, and we also show that our second protocol has the TA forward secrecy property (which we define to mean that the compromise of the TA's private key will not compromise previously established session keys). We also show that this TA forward secrecy property implies that the protocol has the perfect forward secrecy property.