Cryptography Reference
In-Depth Information
Exercise 23.3.8
Suppose there is an efficiently computable group homomorphism
ψ
:
G
2
→
G
1
. Show that if an adversary knows
ψ
and can compute preimages of the hash
function
H
1
then it can determine the private key for any identity by making a private key
query on a different identity.
If the output of
H
2
is indistinguishable from random
l
-bit strings then it is natural
to believe that obtaining the message from a ciphertext under a passive attack requires
computing
e
(
Q
id
,
c
1
)
e
(
Q
s
id
,g
k
)
e
(
Q
id
,g
)
sk
.
=
=
Hence, it is natural that the security (at least, in the random oracle model) depends on the
following computational problem.
Definition 23.3.9
Let
G
1
,
G
2
and
G
T
be groups of prime order
r
and let
e
:
G
1
×
G
T
be a non-degenerate bilinear pairing. The
bilinear Diffie-Hellman problem
(
BDH
)is:
given
Q
G
2
→
G
2
,
g
a
and
g
b
, where 1
∈
G
1
,
g
∈
≤
a,b<r
, to compute
e
(
Q,g
)
ab
.
Exercise 23.3.10
Show that if one can solve CDH in
G
2
or in
G
T
then one can solve BDH.
As seen in Exercise
23.3.7
, the basic Boneh-Franklin scheme does not have IND-
CCA security. To fix this, one needs to provide some extra components in the ciphertext.
Alternatively, one can consider the basic Boneh-Franklin scheme as an identity-based
KEM: the ciphertext is
c
1
=
kdf
(
e
(
Q
id
,g
)
k
). In the
random oracle model (treating both
H
1
and
kdf
as random oracles) one can show that the
Boneh-Franklin identity-based KEM has IND-CCA security (in the security model for
identity-based encryption as briefly mentioned above), assuming that the BDH problem is
hard. We refer to Boneh and Franklin [
75
,
76
] for full details and security proofs.
There is a large literature on identity-based encryption and its extensions, including
schemes that are secure in the standard model. We do not discuss these topics further in
this topic.
g
k
and the encapsulated key is
K
=