7.3 Analysis of CBE
7.3.2 Gentry’s Security Model for CBE
Security for CBE is defined using two different games in [76]. The adversary chooses which game to play. A CBE scheme is secure if no adversary can win either game. In Game 1 the adversary models an uncertified entity and in Game 2 the adversary models the certifier.
We now describe these IND-CCA adversarial games in more detail, following [76, §2.2].
CBE Game 1 Adversary: The challenger runs $Gen_{IBE}(k_1, t)$, and gives params to the adversary $A_1$. The adversary then interleaves certification and decryption queries with a single challenge query. These queries are answered as follows:
• On certification query $\langle \tau, \lambda, PK_{PKE}, SK_{PKE} \rangle$, the challenger checks that $\lambda \in \Lambda$ and that $SK_{PKE}$ is the private key corresponding to $PK_{PKE}$. If so, it runs Upd1 and returns $Cert'_{\tau}$, else it returns $\bot$.
• On decryption query $\langle \tau, \lambda, PK_{PKE}, SK_{PKE}, C \rangle$, the challenger checks that $\lambda \in \Lambda$ and that $SK_{PKE}$ is the private key corresponding to $PK_{PKE}$. If so, it generates $Cert_{\tau}$ and outputs $D_{Cert_{\tau}, SK_{PKE}, \lambda}(C)$, else it returns $\bot$.
• On challenge query $\langle \tau_{ch}, \lambda_{ch}, PK_{PKE,ch}, SK_{PKE,ch}, M_0, M_1 \rangle$, the challenger checks that $\lambda_{ch} \in \Lambda$ and that $SK_{PKE,ch}$ is the private key corresponding to $PK_{PKE,ch}$. If so, it chooses a random bit $b$ and returns
$C^* = E_{\tau_{ch}, \lambda_{ch}, PK_{IBE}, PK_{PKE,ch}}(M_b)$,
else it returns $\bot$.
Finally, $A_1$ outputs a guess $b' \in \{0, 1\}$. The adversary wins the game if $b = b'$ and $\langle \tau_{ch}, \lambda_{ch}, PK_{PKE,ch}, SK_{PKE,ch}, C^* \rangle$ was not the subject of a decryption query after the challenge, and $\langle \tau_{ch}, \lambda_{ch}, PK_{PKE,ch}, SK_{PKE,ch} \rangle$ was not the subject of any certification query. We define $A_1$'s advantage in this game to be $Adv(A_1) := 2\,|\Pr[b = b'] - \tfrac{1}{2}|$.
CBE Game 2 Adversary: The challenger runs $Gen_{PKE}(k_2, t)$, and gives $PK_{PKE}$ to the adversary $A_2$. The adversary then interleaves decryption queries with a single challenge query. These queries are answered as follows:
• On decryption query $\langle \tau, \lambda, params, SK_{IBE}, C \rangle$, the challenger checks that $\lambda \in \Lambda$ and that $SK_{IBE}$ is the master-key corresponding to params. If so, it generates $Cert_{\tau}$ and outputs $D_{Cert_{\tau}, SK_{PKE}, \lambda}(C)$, else it returns $\bot$.
• On challenge query $\langle \tau_{ch}, \lambda_{ch}, params_{ch}, SK_{IBE,ch}, M_0, M_1 \rangle$, the challenger checks that $\lambda_{ch} \in \Lambda$ and that $SK_{IBE,ch}$ is the master-key corresponding to $params_{ch}$. If so, it chooses a random bit $b$ and returns $C^* = E_{\tau_{ch}, \lambda_{ch}, PK_{IBE,ch}, PK_{PKE}}(M_b)$, else it returns $\bot$.
Finally, $A_2$ outputs a guess $b' \in \{0, 1\}$. The adversary wins the game if $b = b'$ and $\langle \tau_{ch}, \lambda_{ch}, params_{ch}, SK_{IBE,ch}, C^* \rangle$ was not the subject of a decryption query after the challenge. We define $A_2$'s advantage in this game to be $Adv(A_2) := 2\,|\Pr[b = b'] - \tfrac{1}{2}|$.
Definition 7.2 ([76]) A certificate-updating certificate-based encryption scheme is secure against adaptive chosen ciphertext attack (IND-CBE-CCA) if no probabilistic polynomial time adversary has non-negligible advantage in either CBE Game 1 or CBE Game 2.
Analysing the CBE Security Model
In this section, we present an analysis of the CBE security model, and compare it to the security model for CL-PKE that was developed in Chapters 5 and 6. Notice that our CL-PKE security model assumes an adversary who can extract partial private keys and change public keys even for the challenge identity, whereas Gentry’s model, in which the equivalent of partial private keys are publicly available and bind the public keys (and time periods) to identities, simulates the adversary differently. Unfortunately, some major weaknesses exist in the CBE security model of [76]:
1. Game 1 does not capture an adversary obtaining a ‘certificate’ for an existing public key that the adversary intends to attack. This method of attack is natural for an uncertified client. The reason this restriction arises is because the challenger initially controls the setting of public keys for entities in the CBE system. We do not have such a restriction in the CL-PKE security model: our Type I adversaries are truly adaptive in nature.
2. A Game 1 adversary must provide the private key along with the corresponding public key. This is done by giving private keys to the challenger when making any query involving public keys (even the challenge query). In CL-PKE, we allow our Type I adversary to change an entity’s public key without needing to show the private key. This gives the adversary more flexibility, for example, the adversary can replace the public key of an entity with that of another (without knowing the corresponding private key). We are able to handle this in our proofs by the use of special purpose knowledge extractors.
given a specific public key by the challenger. This is unlike a CL-PKE Type II adversary.
4. A Game 2 adversary proves knowledge of the master-key corresponding to params by giving every master-key to the challenger. This adversary can alter the CBE scheme by choosing new parameters for the ID-PKE scheme in each query. This unnecessarily complicates the way the adversary is modelled. In CL-PKE, a Type II adversary is given the master-key to allow it to ‘break’ part of the scheme which the KGC is always able to break. Handling only one master-key is more natural because the aim of the proof is to examine the security of a system with a pre-specified set of parameters, that is, a system which has been set up.
It can be argued that the unusual constraint expressed in weakness (2) above can be removed for the proof of the first concrete scheme in [76]. However, the proof of security for that scheme suffers from a deficiency. The decryption queries in the proof of [76, Lemma 1] do not work as defined unless the hash queries are modified in the simulation by setting $P'_j = b_j P$ for $coin_j = 0$. Unlike this simulation problem,
the above differences are significant enough to illustrate that the CBE definition and security model inadequately capture the concept we explored in CL-PKE: a concept which represents a shift in how public keys are managed and used. CBE is a very interesting concept for an encryption scheme which is suitable for solving a particular problem: that of efficient revocation in traditional public key infrastructures.