Cryptography Reference
In-Depth Information
Phase 1. The adversary issues queries q 1 ,...,q m where query q i is one of:
- Extraction query
. The challenger responds by running the algorithm
Extract to generate the private key d i
ID i
corresponding to the identity ID i .It
sends d i to the adversary.
- Decapsulation query
. The challenger responds by running algorithm
Extract to generate the private key d i corresponding to ID i . It then runs
algorithm Decapsulate to decapsulate the encapsulation C i using the private
key d i . It sends the resulting session key to the adversary.
Challenge. Once the adversary decides that Phase 1 is over it outputs an iden-
tity ID on which it wishes to be challenged. The only constraint is that ID
did not appear in any private key extraction query in Phase 1. The challenger
computes ( C ,k 1 )= Encapsulate ( mpk, ID ), then picks a random bit β ∈{
ID i ,C i
.
If β = 1, it sends ( C ,k 1 ) as the challenge to the adversary, where k 1 is the real
session key. Otherwise, it sends ( C ,k 1 ) as the challenge to the adversary, where
k 0
0 , 1
}
.
Phase 2. The adversary issues more queries q m +1 ,...,q r
is randomly chosen from
K
where query q i is one
of:
- Extraction query
= ID . Challenger responds as in Phase 1.
ID i
where ID i
ID ,C
- Decapsulation query
ID i ,C i
=
. Challenger responds as in Phase
1.
Thess queries may be asked adaptively as in Phase 1.
Guess. Finally, the adversary outputs a guess β ∈{
0 , 1
}
and wins the game if
β = β .
Werefertosuchanadversary
A
as an IND - ID - CCA adversary. We define adver-
2 ,
where κ is the security parameter. The probability is over the random bits used
by the challenger and the adversary.
( κ )= Pr[ β = β ]
by Adv CCA
E,A
1
sary
A
's advantage over the ID-KEM scheme
E
Definition A.2. We say that an ID-KEM scheme
is IND - ID - CCA secure if for
any probabilistic polynomial time IND - ID - CCA adversary A the advantage
Adv CCA
E,A
E
( κ ) is negligible.
 
Search WWH ::




Custom Search