Cryptography Reference
In-Depth Information
A
2. The adversary
is given the master public key
mpk
and oracle access to
(
,
−
)
(
(
,
−
),
−
)
Der
msk
and to
Sign
Der
msk
which, on input an identity
id
and a
message
m
, returns
Sign
(
usk
,
m
)
, where
usk
←
Der
(
msk
,
id
)
.
A
asks a polyno-
id
,
m
,σ
)
mial number of queries to the oracles and outputs a 3-tuple
(
, consisting
of an identity string, a message and a signature.
3. The experiment output is defined to be 1 if and only if
Ve r
id
,
m
,σ
)
=
(
mpk
,
id
)
id
),
m
)
1 and neither
Der
(
msk
,
nor
Sign
(
Der
(
msk
,
were queried to the
oracles.
The security definition is then the following:
Definition 10.3
An IBS scheme
IB
(
Setup, Der, Sign, Ver
)is
existentially
unforgeable under an adaptive chosen-message attack
(UF-CMA, for short) if, for
every PPT adversary
Σ
=
A
, there exists a negligible function
negl
such that:
IBSign
uf-cma
Pr
(
A,
IB
Σ
(
k
)
=
1
)
≤
negl
(
k
).
10.2.2 From Signature Schemes to IBS Schemes
We next present a generic construction, called SS-2-IBS, that produces an IBS
scheme from any standard signature scheme. This construction is made possi-
ble by the fact that, as remarked above, in a signature scheme the sender is
the private key owner. Therefore, the private key may include the private key
of a standard signature scheme plus a certificate for the corresponding standard
public key signed by the PKG. Then the user signs the message with the stan-
dard private key and appends to the signature her standard public key and the
corresponding certificate. This construction can be more formally described as
follows:
SS-2-IBS construction
.
Given a standard signature scheme
Σ
=
(
SGen, SSign, SVer
), an IBS scheme
Cert
-
IB
Σ
=
SS
-
2
-
IBS
(Σ)
is constructed as follows:
•
Cert
-
IB
Σ
=
(
Setup
,
Der
,
Sign
,
Ve r
)
, where the algorithms are specified below.
Setup
: The PKG runs
SGen
on input 1
k
and obtains:
•
1
k
(
mpk
,
msk
)
←
SGen
(
).
mpk
is published as a system parameter and
msk
is the master private key.
Der: SGen
is run on input 1
k
•
to obtain a public key/private key pair for
1
k
Σ,(
,
namely, the concatenation of the public key with the identity is signed with the
pk
,
sk
)
←
SGen
(
)
. The PKG computes
cert
←
SSign
(
msk
,
pk
||
id
)