Cryptography Reference
In-Depth Information
(as explained below) as input. If the self-decryption function returns false,
B
responds to
A
with
θ
i
and inserts
v
i,
1
,v
i,
2
,θ
i
in
L
2
.Otherwise,
B
picks
n
until the self-decryption function returns false on input
another
θ
i
∈{
0
,
1
}
ID
,
C
i
v
i,
1
,v
i,
2
,θ
i
and each tuple
. For a randomly chosen
θ
i
, the proba-
ID
, C
bility that
v
i,
1
,v
i,
2
,θ
i
enables at least one
in the
R
list to be valid
is at most
|
R
|
/p
. Thus for a random chosen
θ
i
the self-decryption function
returns false with probability at least 1
can find such a
θ
i
eciently. The intuition of running the self-decryption function is to keep
the coherence of the decryption oracle (as explained below): an “invalid”
ciphertext is always invalid.
−|
R
|
/p
. Hence
B
Phase 1: Private key queries.
To respond to the private key query on
ID
i
,
B
does the following:
1. If the tuple in
L
1
indexed by
ID
i
has the form of
ID
i
,w
0
+
w
j
,then
B
with
d
ID
i
=(
g
1
,g
1
x
+
w
j
1
y
+
w
j
2
answers
A
).
2. If the tuple in
L
1
indexed by
ID
i
has the form of
ID
i
,w
0
,then
B
cannot
answer it and aborts the game.
Phase 1: Decryption queries.
In order to simulate the decryption oracle in
coherence with
H
2
oracle,
B
maintains a list of tuples
ID
j
,C
j
. We refer to this
list as the
R
list, which is initially empty. We remark that the
R
list stores all
the decryption queries which are rejected by
B
.Let
ID
i
,C
i
be a decryption
query issued by algorithm
A
,where
C
i
=
U
i,
1
,U
i,
2
,V
i
,W
i
.
B
simulates the
decryption oracle to answer this query as follows:
-If
B
can extract the private key
d
ID
i
=(
d
i,
1
,d
i,
2
)of
ID
i
,
B
uses the private
key to processes the decryption query normally.
-If
B
B
can not extract the corresponding private key,
runs the following test
v
1
, v
2
, θ
with composing
ID
i
,U
i,
1
,U
i,
2
,V
i
,W
i
and each tuple
on the
L
2
list as input:
1. Compute
σ
=
V
i
⊕
θ
,
M
=
W
i
⊕
H
4
(
σ
), (
r
1
, r
2
)=
H
3
(
M,σ
);
2. Check if
U
i,
1
=
t
r
1
i,
1
,
U
i,
2
=
t
r
2
i,
2
,
v
1
=
e
(
g
1
,g
1
)
r
1
,and
v
2
=
e
(
g
2
,g
2
)
r
2
hold simultaneously, where
t
i,
1
=
u
1
g
H
1
(
ID
i
)
1
,
t
i,
2
=
u
2
g
H
1
(
ID
i
2
.
3. If so, return true. Else, continue the test with next input. Finally, if no
input can go through this test, return false.
If the test return true,
returns the associated
M
.Otherwise,
B
B
returns
into the
R
list. Particularly, we
refer to the above test as
the self-decryption function
. The correctness of
the decryption oracle simulation is based on the fact that an adversary does
not have the capbility to generate a valid ciphertext without making the
associated random oracle queries, which is implied by the chosen ciphertext
security of twin SK-IBE (the hypothesis we use in the proof).
Challenge.
Once
⊥
to
A
and inserts
ID
i
,U
i,
1
,U
i,
2
,V
i
,W
i
decides that Phase 1 is over it outputs two messages
M
0
,
M
1
and a target identity
ID
∗
on which it wishes to be challenged.
A
B
operates as
follows:
Search WWH ::
Custom Search