Cryptography Reference
In-Depth Information
The security definition for standard encryption schemes given by IND-CCA was
extended by Boneh and Franklin in [35] to identity-based encryption schemes as
follows:
Definition 10.5
The
identity-based CCA indistinguishability experiment
under an
adaptive chosen message attack,
IBE
ind-cca
A,E
(
k
)
, is the following:
Setup
is run on input 1
k
obtaining a master key
1
k
1.
(
mpk, msk
)
←
Setup
(
)
.
A
2. The adversary
is given the master public key
mpk
and oracle access to
(
,
−
)
(
,
(
,
−
),
−
)
Der
msk
and to
Dec
mpk
Der
msk
which, on input an identity
id
asks
a polynomial number of queries to the oracle and outputs an identity
id
—subject
to the constraint that the
Der
oracle was not queried on
id
—and a pair of messages
of the same length,
m
0
,
m
1
, belonging to the plaintext space.
3. A random bit
b
and a ciphertext
c
, returns
Dec
(
mpk
,
usk
,
c
)
, where
usk
←
Der
(
msk
,
id
)
.
A
←{
0
,
1
}
is chosen and the challenge ciphertext
c
←
Enc
(
mpk
,
id
,
m
b
)
is computed and given to
A
.
4.
A
continues having access to the oracles but cannot query the
Der
oracle on the
identity
id
nor the decryption oracle on the pair
(
id
,
c
)
. Finally,
A
outputs a bit
b
.
5. The output of the experiment is defined to be 1 if
b
=
b
and 0 otherwise. In the
succeeds
.
The security definition is then the following:
An IBE scheme
first case,
A
is
indistinguishable under an adap-
tive chosen ciphertext attack
(IND-ID-CCA, for short) if, for every PPT adversary
A
, there exists a negligible function
negl
such that
E
=
(
Setup
,
Der
,
Enc
,
Dec
)
IBE
ind-cca
(
(
)
=
)
≤
/
+
negl
(
).
Pr
k
1
1
2
k
A
,
E
Remark 10.2
The adversary of the IB experiment
IBE
ind-cca
A,E
is much more pow-
erful than that of the standard IND-CCA experiment
PubK
ind-cca
A
,
E
(
k
)
because it can
choose an arbitrary identity
id
and can query the
Der
oracle to obtain any user private
key not associated with
id
. This is because when the adversary attacks a public key
id
, the system should remain secure even if the adversary knows the private keys of
other users. Another, more subtle, difference between IND-CCA and IND-ID-CCA
is that, while in the former the adversary is challenged on a random public key, in
the latter it is challenged on an
id
that the adversary itself is allowed to choose.
(
k
)
10.3.2 Applications of IBE
IBE has many applications that take advantage of its special features to achieve things
that cannot be done with standard public-key cryptography. We mention a couple
of them taken from the Boneh-Franklin paper where the first fully functional IBE
scheme was introduced.