Cryptography Reference
In-Depth Information
Phase 1.
The adversary issues queries
q
1
,...,q
m
where query
q
i
is one of:
- Extraction query
. The challenger responds by running the algorithm
Extract
to generate the private key
d
i
ID
i
corresponding to the identity
ID
i
.It
sends
d
i
to the adversary.
- Decapsulation query
. The challenger responds by running algorithm
Extract
to generate the private key
d
i
corresponding to
ID
i
. It then runs
algorithm
Decapsulate
to decapsulate the encapsulation
C
i
using the private
key
d
i
. It sends the resulting session key to the adversary.
Challenge.
Once the adversary decides that Phase 1 is over it outputs an iden-
tity
ID
∗
on which it wishes to be challenged. The only constraint is that
ID
∗
did not appear in any private key extraction query in Phase 1. The challenger
computes (
C
∗
,k
1
)=
Encapsulate
(
mpk,
ID
∗
), then picks a random bit
β ∈{
ID
i
,C
i
.
If
β
= 1, it sends (
C
∗
,k
1
) as the challenge to the adversary, where
k
1
is the real
session key. Otherwise, it sends (
C
∗
,k
1
) as the challenge to the adversary, where
k
0
0
,
1
}
.
Phase 2.
The adversary issues more queries
q
m
+1
,...,q
r
is randomly chosen from
K
where query
q
i
is one
of:
- Extraction query
=
ID
∗
. Challenger responds as in Phase 1.
ID
i
where
ID
i
ID
∗
,C
∗
- Decapsulation query
ID
i
,C
i
=
. Challenger responds as in Phase
1.
Thess queries may be asked adaptively as in Phase 1.
Guess.
Finally, the adversary outputs a guess
β
∈{
0
,
1
}
and wins the game if
β
=
β
.
Werefertosuchanadversary
A
as an
IND
-
ID
-
CCA
adversary. We define adver-
2
,
where
κ
is the security parameter. The probability is over the random bits used
by the challenger and the adversary.
(
κ
)=
Pr[
β
=
β
]
by Adv
CCA
E,A
1
sary
A
's advantage over the ID-KEM scheme
E
−
Definition A.2.
We say that an ID-KEM scheme
is
IND
-
ID
-
CCA
secure if for
any probabilistic polynomial time
IND
-
ID
-
CCA
adversary
A
the advantage
Adv
CCA
E,A
E
(
κ
)
is negligible.
Search WWH ::
Custom Search