Verifiable Random Functions: Relations to Identity-Based Key Encapsulation and New Constructions

In this paper we show a relation between the notions of verifiable random functions (VRFs) and identity-based key encapsulation mechanisms (IB-KEMs). In particular, we propose a class of IB-KEMs that we call VRF-suitable, and we propose a direct construction of VRFs from VRF-suitable IB-KEMs. Informally, an IB-KEM is VRF-suitable if it provides what we call unique decapsulation (i.e., given a ciphertext C produced with respect to an identity ID , all the secret keys corresponding to identity ID ′, decapsulate to the same value, even if ID ≠ ID ′), and it satisfies an additional property that we call pseudo-random decapsulation . In a nutshell, pseudo-random decapsulation means that if one decapsulates a ciphertext C , produced with respect to an identity ID , using the decryption key corresponding to any other identity ID ′, the resulting value looks random to a polynomially bounded observer. Our construction is of interest both from a theoretical and a practical perspective. Indeed, apart from establishing a connection between two seemingly unrelated primitives, our methodology is direct in the sense that, in contrast to most previous constructions, it avoids the inefficient Goldreich–Levin hardcore bit transformation. As an additional contribution, we propose a new VRF-suitable IB-KEM based on the decisional ℓ -weak Bilinear Diffie–Hellman Inversion assumption. Interestingly, when applying our transformation to this scheme, we obtain a new VRF construction that is secure under the same assumption, and it efficiently supports a large input space.