Lecture 1

The document discusses key concepts in cryptography, particularly focusing on security reduction and public-key cryptography. It outlines Kerckhoffs's Principle, the importance of provable security, and various security models such as EU-CMA and SEU-CMA. The document also introduces digital signature schemes and their formal definitions, emphasizing the relationship between security and underlying hard problems.

⹌䊠㗽㕌㰄ⳉ㋪䐅㘘➓㦌㏎㔼

䑘ㅓㅭ㬇ᷛ⼌㆑⺄

Textbook: Fuchun Guo, Willy Susilo, Yi Mu. Introduction to Security Reduction. Springer, 2018.


Chapter 1. Introduction

Kerckhoffs's Principle

A cryptosystem should be secure even if everything about the system, except the key, is public knowledge.

- Kerckhoffs's principle is a fundamental concept in cryptography.
- It states that the security of a cryptographic system must not rely on the secrecy of the algorithm.
- Instead, security should rest on the secrecy of the cryptographic key.

Auguste Kerckhoffs (portrait)

In 1976, Diffie and Hellman [1] first proposed the definition of public-key cryptography.

- Each user has a pair of keys: a secret key and a public key;
- The public key is publicly known, but the secret key is kept secret;
- Given the public key, it is computationally infeasible to derive the secret key.

[1] Whitfield Diffie and Martin E. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, 22(6): 644–654. IEEE, 1976.

Public-key Cryptography

- Public-key Encryption (e.g. RSA, ElGamal, etc.)
  - allows parties to exchange messages over an insecure channel;
  - provides confidentiality.
- Digital Signature (e.g. RSA, DSA, ECDSA, etc.)
  - allows parties to sign e-documents;
  - provides unforgeability.
Security

In the past, the most common approach to validating the security of a cryptographic scheme was to search for attacks and to declare the scheme secure if no attack was found that contradicts its security claims.

This approach has the following problems:
- We can never be certain that an attack does not exist.
- Security can only be considered heuristic at best, since the possibility that an attack exists cannot be excluded.

Provable Security

In 1982, Goldwasser and Micali [2] proposed a public-key encryption scheme and proved its security; this approach is known as provable security.

- The idea is to relate the security of a cryptographic scheme to the hardness of its underlying hard problems.
- To achieve this goal, one first specifies the attacker's capabilities and the security goals that a given cryptographic scheme must meet (the security model).
- Next, one provides a reduction which shows how to transform an adversary that breaks the security goals of the scheme into an adversary that breaks the hard problems on which the scheme is based.

[2] Shafi Goldwasser and Silvio Micali. Probabilistic encryption & how to play mental poker keeping secret all partial information. Proceedings of the Fourteenth Annual ACM Symposium on Theory of Computing (STOC 1982), pp. 365–377. ACM, 1982.

Provable Security

There are two popular methods for provable security:

- Game-based Proof
  - Security Reduction: if there exists an adversary $\mathcal{A}$ that can break the scheme, then there exists an efficient algorithm $\mathcal{B}$ which can use $\mathcal{A}$ to solve the underlying hard problem.
  - Game Hopping: an attacker running in a particular attack environment has an unknown probability of success. We then gradually alter the attack environment, bounding the change in the attacker's success probability at each hop, until we reach an environment in which that probability can be computed directly.
- Simulation-based Proof
  - $\text{Real World} \approx \text{Ideal World}$
Asymptotic vs. Concrete Security

Let $\Sigma$ be a cryptographic scheme and $\Pi$ be its underlying assumption (discrete logarithm, factoring, etc.).

A proof of security for $\Sigma$ based on $\Pi$ then has the form:

If an adversary can break $\Sigma$ in time $t$ with probability at least $\epsilon_\Sigma$, then there exists an adversary that can break $\Pi$ in time $t'$ with probability at least $\epsilon_\Pi$, where $t \approx t'$ and $\epsilon_\Sigma \approx \epsilon_\Pi$.

Asymptotic vs. Concrete Security

To obtain the contradiction we usually have

$\epsilon_\Pi > \epsilon_\Sigma - \gamma$,

where $\epsilon_\Sigma$ is the advantage that the scheme is required to keep negligible in the security parameter $\lambda$, and $0 \le \gamma < 1$ is the loss introduced by the reduction, which is also negligible in $\lambda$. Equivalently,

$\epsilon_\Sigma < \epsilon_\Pi + \gamma$.

So, if we want to set the parameters of $\Sigma$ so that $\epsilon_\Sigma \le 2^{-\lambda}$, we must choose the parameters of $\Pi$ so that

$\epsilon_\Pi \le 2^{-\lambda} - \gamma$,

i.e. the underlying problem has to be harder than the target security level of the scheme by the reduction loss $\gamma$.

Chapter 2. Notions, Definitions and Models

Notions

Notion                                                     Explanation
$p, q$                                                     prime numbers
$\mathbb{F}_{q^n}$                                         the finite field ($q$ is the characteristic and $n$ is a positive integer)
$\mathbb{Z}_p$                                             the set $\{0, 1, \cdots, p-1\}$
$\mathbb{Z}_p^*$                                           the set $\{1, \cdots, p-1\}$
$\mathbb{G}$                                               a cyclic group
$g$                                                        a generator of a cyclic group
$e: \mathbb{G}_1 \times \mathbb{G}_2 \to \mathbb{G}_T$      a bilinear map
PPT                                                        probabilistic polynomial time
$\lambda$                                                  a security parameter
$\epsilon(\lambda)$                                        a negligible function in $\lambda$
$\mathcal{A}$                                              adversary
$\mathcal{C}$                                              challenger

2.1 Digital Signature

A digital signature scheme is formally defined by the following four algorithms:

$\mathrm{Setup}(1^\lambda) \to params$: This algorithm takes as input a security parameter $1^\lambda$ and outputs the system parameters $params$.

$\mathrm{KeyGen}(1^\lambda, params) \to (SK, PK)$: This algorithm takes as input the security parameter $1^\lambda$ and the parameters $params$, and outputs a secret/public key pair $(SK, PK)$.

$\mathrm{Sign}(M, SK, params) \to \sigma$: This algorithm takes as input a message $M$, the secret key $SK$ and the parameters $params$, and outputs a signature $\sigma$ on $M$.

$\mathrm{Verify}(M, \sigma, PK, params) \to 0/1$: This algorithm takes as input the message $M$, the signature $\sigma$, the public key $PK$ and the parameters $params$, and outputs 1 if the signature is valid; otherwise it outputs 0 to indicate failure.
Correctness:

$\Pr\left[\mathrm{Verify}(M, \sigma, PK, params) \to 1 \;:\; \mathrm{Setup}(1^\lambda) \to params,\; \mathrm{KeyGen}(1^\lambda, params) \to (SK, PK),\; \mathrm{Sign}(M, SK, params) \to \sigma\right] = 1$

Security Model I: Existential Unforgeability under Chosen Message Attack (EU-CMA)

This security model is formally defined by the following game executed between a challenger $\mathcal{C}$ and an adversary $\mathcal{A}$.

Setup. $\mathcal{C}$ runs $\mathrm{Setup}(1^\lambda) \to params$ and returns $params$ to $\mathcal{A}$.
KeyGen. $\mathcal{C}$ runs $\mathrm{KeyGen}(1^\lambda, params) \to (SK, PK)$ and returns $PK$ to $\mathcal{A}$.
Query. For $i = 1, 2, \cdots, q_S$:
1. $\mathcal{A}$ adaptively submits a message $M_i$.
2. $\mathcal{C}$ runs $\mathrm{Sign}(M_i, SK, params) \to \sigma_i$ and returns $\sigma_i$ to $\mathcal{A}$.
Let $\mathcal{M} = \{M_1, M_2, \cdots, M_{q_S}\}$ and $\mathcal{Q} = \{(M_1, \sigma_1), (M_2, \sigma_2), \cdots, (M_{q_S}, \sigma_{q_S})\}$.
Forgery. $\mathcal{A}$ outputs a signature $\sigma^*$ on a message $M^*$. $\mathcal{A}$ wins the game if:
1. $\mathrm{Verify}(M^*, \sigma^*, PK, params) \to 1$;
2. $M^* \notin \mathcal{M}$.

Security Model I: Existential Unforgeability under Chosen Message Attack (EU-CMA)

Definition 2.1.1 (EU-CMA): A signature scheme is $(T, q_S, \epsilon(\lambda))$-secure in the EU-CMA security model if there exists no adversary $\mathcal{A}$ who can win the above game in time $T$ with advantage at least $\epsilon(\lambda)$ after making $q_S$ signature queries, namely
$\Pr\left[\mathrm{Verify}(M^*, \sigma^*, PK, params) \to 1 \;\middle|\; M^* \notin \mathcal{M}\right] < \epsilon(\lambda)$.
Security Model II: Strong Existential Unforgeability under Chosen Message Attack (SEU-CMA)

This security model is formally defined by the following game executed between a challenger $\mathcal{C}$ and an adversary $\mathcal{A}$.

Setup. $\mathcal{C}$ runs $\mathrm{Setup}(1^\lambda) \to params$ and returns $params$ to $\mathcal{A}$.
KeyGen. $\mathcal{C}$ runs $\mathrm{KeyGen}(1^\lambda, params) \to (SK, PK)$ and returns $PK$ to $\mathcal{A}$.
Query. For $i = 1, 2, \cdots, q_S$:
1. $\mathcal{A}$ adaptively submits a message $M_i$.
2. $\mathcal{C}$ runs $\mathrm{Sign}(M_i, SK, params) \to \sigma_i$ and returns $\sigma_i$ to $\mathcal{A}$.
Let $\mathcal{M} = \{M_1, M_2, \cdots, M_{q_S}\}$ and $\mathcal{Q} = \{(M_1, \sigma_1), (M_2, \sigma_2), \cdots, (M_{q_S}, \sigma_{q_S})\}$.
Forgery. $\mathcal{A}$ outputs a signature $\sigma^*$ on a message $M^*$. $\mathcal{A}$ wins the game if:
1. $\mathrm{Verify}(M^*, \sigma^*, PK, params) \to 1$;
2. $(M^*, \sigma^*) \notin \mathcal{Q}$.

Security Model II: Strong Existential Unforgeability under Chosen Message Attack (SEU-CMA)

Definition 2.1.2 (SEU-CMA): A signature scheme is $(T, q_S, \epsilon(\lambda))$-secure in the SEU-CMA security model if there exists no adversary $\mathcal{A}$ who can win the above game in time $T$ with advantage at least $\epsilon(\lambda)$ after making $q_S$ signature queries, namely
$\Pr\left[\mathrm{Verify}(M^*, \sigma^*, PK, params) \to 1 \;\middle|\; (M^*, \sigma^*) \notin \mathcal{Q}\right] < \epsilon(\lambda)$.

SEU-CMA is strictly stronger than EU-CMA: an adversary that turns a queried signature $\sigma_i$ into a different valid signature $\sigma^* \ne \sigma_i$ on the same queried message $M^* = M_i$ wins the SEU-CMA game but not the EU-CMA game.

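The two games above differ only in their winning condition, and the difference is easiest to see by running them. The following Python harness is an added example, not part of the lecture: it plays the EU-CMA and SEU-CMA games against three constructed toy schemes built on RSA with toy-sized primes (textbook RSA, which is existentially forgeable by multiplying two queried signatures; hash-then-sign RSA, against which the same forger fails; and textbook RSA carrying a tag that Verify ignores, which is malleable and therefore separates SEU-CMA from EU-CMA). The primes, the scheme classes, the adversaries and all names are assumptions made for the demonstration; none of these schemes is secure.

```python
"""EU-CMA / SEU-CMA game harness with toy RSA-based signature schemes.

Added example: the primes below are constructed, toy-sized values so the
game runs instantly; the game logic itself does not depend on key size.
"""
import hashlib

P_TOY, Q_TOY = 1009, 1013        # constructed primes (NOT a secure modulus)
E = 65537


class TextbookRSA:
    """sigma = M^d mod n with no padding.  Signatures are multiplicative:
    Sign(M1) * Sign(M2) = Sign(M1 * M2), which is an existential forgery."""

    def keygen(self):
        n, phi = P_TOY * Q_TOY, (P_TOY - 1) * (Q_TOY - 1)
        return (n, pow(E, -1, phi)), (n, E)          # (SK, PK)

    def encode(self, n, m):
        """Message representative that gets raised to the private exponent."""
        return m % n

    def sign(self, sk, m):
        n, d = sk
        return pow(self.encode(n, m), d, n)

    def verify(self, pk, m, sig):
        n, e = pk
        return pow(sig, e, n) == self.encode(n, m)


class HashedRSA(TextbookRSA):
    """Hash-then-sign: representatives are H(M), so H(M1)*H(M2) != H(M1*M2)
    and the multiplicative forgery no longer verifies."""

    def encode(self, n, m):
        digest = hashlib.sha256(str(m).encode()).digest()
        return int.from_bytes(digest, "big") % n


class TaggedRSA(TextbookRSA):
    """Textbook RSA plus a tag bit that Verify ignores.  A queried signature
    can be altered into a second valid signature on the same message, which
    SEU-CMA counts as a forgery and EU-CMA does not."""

    def sign(self, sk, m):
        return (super().sign(sk, m), 0)

    def verify(self, pk, m, sig):
        return super().verify(pk, m, sig[0])


def cma_game(scheme, adversary, q_s, strong=False):
    """Play EU-CMA (strong=False) or SEU-CMA (strong=True).

    The challenger runs KeyGen, answers at most q_s adaptive signing queries,
    records the transcript Q = {(M_i, sigma_i)}, and judges the forgery
    (M*, sigma*).  Returns True iff the adversary wins."""
    sk, pk = scheme.keygen()
    transcript = []

    def sign_oracle(m):
        if len(transcript) >= q_s:
            raise RuntimeError("signing-query budget q_s exhausted")
        sig = scheme.sign(sk, m)
        transcript.append((m, sig))
        return sig

    m_star, sig_star = adversary(pk, sign_oracle)
    if not scheme.verify(pk, m_star, sig_star):
        return False
    if strong:                                   # SEU-CMA: (M*, sigma*) not in Q
        return (m_star, sig_star) not in transcript
    return m_star not in {m for m, _ in transcript}   # EU-CMA: M* not in M


def multiplicative_forger(pk, sign_oracle):
    """Two queries, then sigma(2)*sigma(3) mod n is a textbook-RSA signature
    on 6; 6 was never queried, so this wins both EU-CMA and SEU-CMA."""
    n, _ = pk
    s2, s3 = sign_oracle(2), sign_oracle(3)
    return 6, (s2 * s3) % n


def tag_flipper(pk, sign_oracle):
    """One query, then replay the same message with the ignored tag flipped:
    a new valid pair (M*, sigma*) on an already-queried message."""
    s, tag = sign_oracle(42)
    return 42, (s, tag ^ 1)


def replayer(pk, sign_oracle):
    """Control: handing back a queried pair verifies but is not a forgery."""
    return 7, sign_oracle(7)


if __name__ == "__main__":
    print("textbook RSA, EU-CMA :", cma_game(TextbookRSA(), multiplicative_forger, 2))
    print("hashed RSA,   EU-CMA :", cma_game(HashedRSA(), multiplicative_forger, 2))
    print("tagged RSA,   SEU-CMA:", cma_game(TaggedRSA(), tag_flipper, 1, strong=True))
    print("tagged RSA,   EU-CMA :", cma_game(TaggedRSA(), tag_flipper, 1))
```

The harness is the challenger $\mathcal{C}$: it enforces the query budget $q_S$, keeps $\mathcal{Q}$, and applies the winning condition of the chosen model. The tagged scheme shows why strong unforgeability matters in practice: any protocol that uses a signature as a unique identifier (a nonce, a transaction id) needs SEU-CMA, because under EU-CMA alone a re-randomized signature on an old message is not counted as a break.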

2.2 Public-key Encryption

A public-key encryption scheme is formally defined by the following four algorithms:

$\mathrm{Setup}(1^\lambda) \to params$: This algorithm takes as input a security parameter $1^\lambda$ and outputs the system parameters $params$.

$\mathrm{KeyGen}(1^\lambda, params) \to (SK, PK)$: This algorithm takes as input the security parameter $1^\lambda$ and the parameters $params$, and outputs a secret/public key pair $(SK, PK)$.

$\mathrm{Enc}(M, PK, params) \to CT$: This algorithm takes as input a message $M$, the public key $PK$ and the parameters $params$, and outputs a ciphertext $CT$.

$\mathrm{Dec}(CT, SK, params) \to M/\bot$: This algorithm takes as input the ciphertext $CT$, the secret key $SK$ and the parameters $params$, and outputs the plaintext $M$ or $\bot$ to indicate failure.

Correctness:

$\Pr\left[\mathrm{Dec}(CT, SK, params) \to M \;:\; \mathrm{Setup}(1^\lambda) \to params,\; \mathrm{KeyGen}(1^\lambda, params) \to (SK, PK),\; \mathrm{Enc}(M, PK, params) \to CT\right] = 1$

Security Model I: Indistinguishability against Chosen-Plaintext Attacks (IND-CPA)

This security model is formally defined by the following game executed between a challenger $\mathcal{C}$ and an adversary $\mathcal{A}$.

Setup. $\mathcal{C}$ runs $\mathrm{Setup}(1^\lambda) \to params$ and returns $params$ to $\mathcal{A}$.
KeyGen. $\mathcal{C}$ runs $\mathrm{KeyGen}(1^\lambda, params) \to (SK, PK)$ and returns $PK$ to $\mathcal{A}$.
Challenge.
1. $\mathcal{A}$ submits two messages $M_0$ and $M_1$ with $|M_0| = |M_1|$.
2. $\mathcal{C}$ flips an unbiased coin and obtains a bit $b \in \{0,1\}$.
3. $\mathcal{C}$ runs $\mathrm{Enc}(M_b, PK, params) \to CT^*$ and returns $CT^*$ to $\mathcal{A}$.
Output. $\mathcal{A}$ outputs its guess $b'$ of $b$. $\mathcal{A}$ wins the game if $b' = b$.
Security Model I: Indistinguishability against Chosen-Plaintext Attacks (IND-CPA)

Definition 2.2.1 (IND-CPA): A public-key encryption scheme is $(T, \epsilon(\lambda))$-secure in the IND-CPA security model if there exists no adversary $\mathcal{A}$ who can win the above game in time $T$ with advantage at least $\epsilon(\lambda)$, namely
$\left|\Pr[b' = b] - \frac{1}{2}\right| < \epsilon(\lambda)$.

Security Model II: Indistinguishability against Chosen-Ciphertext Attacks (IND-CCA2)

This security model is formally defined by the following game executed between a challenger $\mathcal{C}$ and an adversary $\mathcal{A}$.

Setup. $\mathcal{C}$ runs $\mathrm{Setup}(1^\lambda) \to params$ and returns $params$ to $\mathcal{A}$.
KeyGen. $\mathcal{C}$ runs $\mathrm{KeyGen}(1^\lambda, params) \to (SK, PK)$ and returns $PK$ to $\mathcal{A}$.
Phase I. $\mathcal{A}$ adaptively submits a ciphertext $CT_i$, where $i = 1, 2, \cdots, q_1$. $\mathcal{C}$ runs $\mathrm{Dec}(CT_i, SK, params) \to M_i$ and returns $M_i$ to $\mathcal{A}$.
Challenge.
1. $\mathcal{A}$ submits two messages $M_0$ and $M_1$ with $|M_0| = |M_1|$.
2. $\mathcal{C}$ flips an unbiased coin and obtains a bit $b \in \{0,1\}$.
3. $\mathcal{C}$ runs $\mathrm{Enc}(M_b, PK, params) \to CT^*$ and returns $CT^*$ to $\mathcal{A}$.

Security Model II: Indistinguishability against Chosen-Ciphertext Attacks (IND-CCA2)

Phase II. $\mathcal{A}$ adaptively submits a ciphertext $CT_j$ with the restriction $CT_j \ne CT^*$, where $j = 1, 2, \cdots, q_2$. $\mathcal{C}$ runs $\mathrm{Dec}(CT_j, SK, params) \to M_j$ and returns $M_j$ to $\mathcal{A}$. Let $q_D = q_1 + q_2$.

Output. $\mathcal{A}$ outputs its guess $b'$ of $b$. $\mathcal{A}$ wins the game if $b' = b$.
Security Model II: Indistinguishability against Chosen-Ciphertext Attacks (IND-CCA2)

Definition 2.2.2 (IND-CCA2): A public-key encryption scheme is $(T, q_D, \epsilon(\lambda))$-secure in the IND-CCA2 security model if there exists no adversary $\mathcal{A}$ who can win the above game in time $T$ with advantage at least $\epsilon(\lambda)$ after making $q_D$ decryption queries, namely
$\left|\Pr[b' = b] - \frac{1}{2}\right| < \epsilon(\lambda)$.

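The security-reduction template from Chapter 1 ("if $\mathcal{A}$ breaks the scheme, $\mathcal{B}$ uses $\mathcal{A}$ to solve the hard problem") and the IND-CPA and IND-CCA2 games above can be exercised in code. The following Python program is an added example, not part of the lecture: it implements the IND-CPA and IND-CCA2 challengers for ElGamal over the full group $\mathbb{Z}_p^*$ (a constructed, toy-sized safe prime $p = 1019$ with generator $g = 2$), a concrete IND-CPA adversary that reads the Legendre symbol of the challenge ciphertext, a concrete IND-CCA2 adversary that spends one decryption query on a modified ciphertext, and the reduction $\mathcal{B}$ that turns the IND-CPA adversary into a DDH distinguisher. The prime, the function names and the adversaries are assumptions made for the demonstration.

```python
"""IND-CPA / IND-CCA2 game harness, two concrete adversaries, and the
reduction B that turns the IND-CPA adversary into a DDH distinguisher.
Added example: ElGamal over the FULL group Z_P^* for a constructed, toy-sized
safe prime P (a real deployment mistake: the Legendre symbol leaks a bit)."""
import random

P = 1019                 # constructed safe prime: (P - 1) / 2 = 509 is prime
Q = (P - 1) // 2
G = 2                    # generator of Z_P^*: 2 is a non-residue since P = 3 mod 8
assert pow(G, 2, P) != 1 and pow(G, Q, P) != 1   # order 2Q, i.e. the whole group


def lg(x):
    """Legendre symbol of x mod P: +1 for a quadratic residue, -1 otherwise."""
    return 1 if pow(x, Q, P) == 1 else -1


def keygen(rng):
    a = rng.randrange(1, P - 1)
    return a, pow(G, a, P)                       # (SK, PK) = (a, h = g^a)


def enc(m, h, rng):
    r = rng.randrange(1, P - 1)
    return pow(G, r, P), m * pow(h, r, P) % P    # (g^r, M * h^r)


def dec(ct, a):
    c1, c2 = ct
    return c2 * pow(c1, P - 1 - a, P) % P        # c2 / c1^a


class Challenger:
    """Setup/KeyGen, the challenge, and a decryption oracle that exists only
    in the CCA2 game and refuses CT* after the challenge (the Phase II rule)."""

    def __init__(self, rng, cca2):
        self.rng, self.cca2, self.ct_star = rng, cca2, None
        self.sk, self.pk = keygen(rng)

    def decrypt(self, ct):
        if not self.cca2:
            raise RuntimeError("IND-CPA: there is no decryption oracle")
        if ct == self.ct_star:
            raise ValueError("Phase II: querying CT* is forbidden")
        return dec(ct, self.sk)

    def challenge(self, m0, m1):
        self.b = self.rng.randrange(2)
        self.ct_star = enc((m0, m1)[self.b], self.pk, self.rng)
        return self.ct_star


def ind_game(adversary, cca2, seed=0):
    """One run of IND-CPA (cca2=False) or IND-CCA2 (cca2=True); True iff b' = b."""
    c = Challenger(random.Random(seed), cca2)
    m0, m1 = adversary.choose(c.pk, c.decrypt)
    return adversary.guess(c.pk, c.challenge(m0, m1), c.decrypt) == c.b


def win_rate(adversary, cca2, trials=200):
    return sum(ind_game(adversary, cca2, s) for s in range(trials)) / trials


class LegendreAdversary:
    """IND-CPA attack: lg(c2) = lg(M_b) * lg(h^r), and h^r = g^(a*r) is a
    residue iff a or r is even, which lg(h) and lg(c1) reveal."""

    def choose(self, pk, dec_oracle):
        return 4, G                              # 4 = G^2 is a residue, G is not

    def guess(self, pk, ct, dec_oracle):
        c1, c2 = ct
        lg_hr = 1 if (lg(pk) == 1 or lg(c1) == 1) else -1
        return 0 if lg(c2) * lg_hr == 1 else 1


class MalleabilityAdversary:
    """IND-CCA2 attack: ElGamal is homomorphic, so (c1, 2*c2) != CT* is a
    legal Phase II query and decrypts to 2 * M_b."""

    def choose(self, pk, dec_oracle):
        return 5, 7

    def guess(self, pk, ct, dec_oracle):
        c1, c2 = ct
        m = dec_oracle((c1, 2 * c2 % P)) * pow(2, P - 2, P) % P
        return 0 if m == 5 else 1


def reduction_b(adversary, ga, gb, z, rng):
    """B on DDH instance (g^a, g^b, Z): PK := g^a, CT* := (g^b, M_b * Z); answer
    1 ('Z = g^ab') iff A guesses b.  Real Z gives a perfect simulation of the
    IND-CPA game; random Z makes CT* independent of b, so A can only guess."""
    m0, m1 = adversary.choose(ga, None)          # no decryption oracle in CPA
    b = rng.randrange(2)
    return 1 if adversary.guess(ga, (gb, (m0, m1)[b] * z % P), None) == b else 0


def ddh_gap(adversary, trials=500, seed=1):
    """(fraction of 1s on real DDH tuples, fraction of 1s on random tuples)."""
    rng, real, rand = random.Random(seed), 0, 0
    for _ in range(trials):
        a, b, c = (rng.randrange(1, P - 1) for _ in range(3))
        ga, gb = pow(G, a, P), pow(G, b, P)
        real += reduction_b(adversary, ga, gb, pow(G, a * b, P), rng)
        rand += reduction_b(adversary, ga, gb, pow(G, c, P), rng)
    return real / trials, rand / trials
```

`win_rate(LegendreAdversary(), cca2=False)` is 1.0 and `ddh_gap(LegendreAdversary())` is about (1.0, 0.5): $\mathcal{B}$ answers correctly on every real tuple and only at chance on random ones, so $\mathcal{B}$'s distinguishing advantage equals $\mathcal{A}$'s advantage, exactly as the template promises. Here $\Pi$ is DDH in $\mathbb{Z}_p^*$, which is easy (the Legendre symbol of $g^{ab}$ is determined by those of $g^a$ and $g^b$), so there is no contradiction: the reduction is sound and the scheme really is insecure. The standard fix for the CPA attack is to work in the prime-order subgroup of quadratic residues and encode messages into it; the CCA2 attack is inherent to plain ElGamal and needs a CCA-secure construction.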

2.3 Identity-based Encryption (IBE)

An identity-based encryption (IBE) scheme is formally defined by the following four algorithms:

$\mathrm{Setup}(1^\lambda) \to (MSK, params)$: This algorithm takes as input a security parameter $1^\lambda$ and outputs the master secret key $MSK$ and the system public parameters $params$.

$\mathrm{KeyGen}(ID, MSK, params) \to SK_{ID}$: This algorithm takes as input an identity $ID \in \{0,1\}^*$, the master secret key $MSK$ and the parameters $params$, and outputs a secret key $SK_{ID}$.

$\mathrm{Enc}(M, ID, params) \to CT$: This algorithm takes as input a message $M$, the identity $ID$ and the parameters $params$, and outputs a ciphertext $CT$.

$\mathrm{Dec}(CT, SK_{ID}, params) \to M/\bot$: This algorithm takes as input the ciphertext $CT$, the secret key $SK_{ID}$ and the parameters $params$, and outputs the plaintext $M$ or $\bot$ to indicate failure.
Correctness:

$\Pr\left[\mathrm{Dec}(CT, SK_{ID}, params) \to M \;:\; \mathrm{Setup}(1^\lambda) \to (MSK, params),\; \mathrm{KeyGen}(ID, MSK, params) \to SK_{ID},\; \mathrm{Enc}(M, ID, params) \to CT\right] = 1$

Security Model I: Indistinguishability against Chosen-Plaintext Attacks (IND-ID-CPA)

This security model is formally defined by the following game executed between a challenger $\mathcal{C}$ and an adversary $\mathcal{A}$.

Setup. $\mathcal{C}$ runs $\mathrm{Setup}(1^\lambda) \to (MSK, params)$ and returns $params$ to $\mathcal{A}$.
Phase 1. $\mathcal{A}$ adaptively submits an identity $ID_i \in \{0,1\}^*$, where $i = 1, 2, \cdots, q_1$. $\mathcal{C}$ runs $\mathrm{KeyGen}(ID_i, MSK, params) \to SK_{ID_i}$ and returns $SK_{ID_i}$ to $\mathcal{A}$.
Challenge.
1. $\mathcal{A}$ submits an identity $ID^* \in \{0,1\}^*$ with $ID^* \notin \{ID_1, ID_2, \cdots, ID_{q_1}\}$, and two messages $M_0$ and $M_1$ with $|M_0| = |M_1|$.
2. $\mathcal{C}$ flips an unbiased coin and obtains a bit $b \in \{0,1\}$.
3. $\mathcal{C}$ runs $\mathrm{Enc}(M_b, ID^*, params) \to CT^*$ and returns $CT^*$ to $\mathcal{A}$.

Security Model I: Indistinguishability against Chosen-Plaintext Attacks (IND-ID-CPA)

Phase 2. $\mathcal{A}$ adaptively submits an identity $ID_j \in \{0,1\}^*$ with the restriction $ID_j \ne ID^*$, where $j = 1, 2, \cdots, q_2$. $\mathcal{C}$ runs $\mathrm{KeyGen}(ID_j, MSK, params) \to SK_{ID_j}$ and returns $SK_{ID_j}$ to $\mathcal{A}$. Let $q_K = q_1 + q_2$.

Output. $\mathcal{A}$ outputs its guess $b'$ of $b$. $\mathcal{A}$ wins the game if $b' = b$.
Security Model I: Indistinguishability against Chosen-Plaintext Attacks (IND-ID-CPA)

Definition 2.3.1 (IND-ID-CP A): An identity-based encryption scheme is $(T, q_K, \epsilon(\lambda))$-secure in the IND-ID-CPA security model if there exists no adversary $\mathcal{A}$ who can win the above game in time $T$ with advantage at least $\epsilon(\lambda)$ after making $q_K$ secret key queries, namely
$\left|\Pr[b' = b] - \frac{1}{2}\right| < \epsilon(\lambda)$.

Security Model II: Indistinguishability against Selective-ID Chosen-Plaintext Attacks (IND-sID-CPA)

This security model is formally defined by the following game executed between a challenger $\mathcal{C}$ and an adversary $\mathcal{A}$.

Initialization. $\mathcal{A}$ submits an identity $ID^* \in \{0,1\}^*$.
Setup. $\mathcal{C}$ runs $\mathrm{Setup}(1^\lambda) \to (MSK, params)$ and returns $params$ to $\mathcal{A}$.
Phase 1. $\mathcal{A}$ adaptively submits an identity $ID_i \in \{0,1\}^*$ with $ID_i \ne ID^*$, where $i = 1, 2, \cdots, q_1$. $\mathcal{C}$ runs $\mathrm{KeyGen}(ID_i, MSK, params) \to SK_{ID_i}$ and returns $SK_{ID_i}$ to $\mathcal{A}$.
Challenge.
1. $\mathcal{A}$ submits two messages $M_0$ and $M_1$ with $|M_0| = |M_1|$.
2. $\mathcal{C}$ flips an unbiased coin and obtains a bit $b \in \{0,1\}$.
3. $\mathcal{C}$ runs $\mathrm{Enc}(M_b, ID^*, params) \to CT^*$ and returns $CT^*$ to $\mathcal{A}$.

Security Model II: Indistinguishability against Selective-ID Chosen-Plaintext Attacks (IND-sID-CPA)

Phase 2. $\mathcal{A}$ adaptively submits an identity $ID_j \in \{0,1\}^*$ with the restriction $ID_j \ne ID^*$, where $j = 1, 2, \cdots, q_2$. $\mathcal{C}$ runs $\mathrm{KeyGen}(ID_j, MSK, params) \to SK_{ID_j}$ and returns $SK_{ID_j}$ to $\mathcal{A}$. Let $q_K = q_1 + q_2$.

Output. $\mathcal{A}$ outputs its guess $b'$ of $b$. $\mathcal{A}$ wins the game if $b' = b$.
Security Model II: Indistinguishability against Selective-ID Chosen-Plaintext Attacks (IND-sID-CPA)

Definition 2.3.2 (IND-sID-CPA): An identity-based encryption scheme is $(T, q_K, \epsilon(\lambda))$-secure in the IND-sID-CPA security model if there exists no adversary $\mathcal{A}$ who can win the above game in time $T$ with advantage at least $\epsilon(\lambda)$ after making $q_K$ secret key queries, namely
$\left|\Pr[b' = b] - \frac{1}{2}\right| < \epsilon(\lambda)$.

The selective-ID model is weaker than the adaptive one: the adversary must commit to the target identity $ID^*$ before it sees $params$, so IND-ID-CPA security implies IND-sID-CPA security but not conversely.

Security Model III: Indistinguishability against Chosen-Ciphertext Attacks (IND-ID-CCA2)

This security model is formally defined by the following game executed between a challenger $\mathcal{C}$ and an adversary $\mathcal{A}$.

Setup. $\mathcal{C}$ runs $\mathrm{Setup}(1^\lambda) \to (MSK, params)$ and returns $params$ to $\mathcal{A}$.
Phase I.
- KeyGen Query: $\mathcal{A}$ adaptively submits an identity $ID_i \in \{0,1\}^*$, where $i = 1, 2, \cdots, q_1$. $\mathcal{C}$ runs $\mathrm{KeyGen}(ID_i, MSK, params) \to SK_{ID_i}$ and returns $SK_{ID_i}$ to $\mathcal{A}$.
- Decryption Query:
  1. $\mathcal{A}$ adaptively submits a pair $(ID_k, CT_k)$, where $k = 1, 2, \cdots, q'_1$.
  2. $\mathcal{C}$ runs $\mathrm{KeyGen}(ID_k, MSK, params) \to SK_{ID_k}$ and $\mathrm{Dec}(CT_k, SK_{ID_k}, params) \to M_k$, and returns $M_k$ to $\mathcal{A}$.

Security Model III: Indistinguishability against Chosen-Ciphertext Attacks (IND-ID-CCA2)

Challenge.
1. $\mathcal{A}$ submits an identity $ID^* \in \{0,1\}^*$ with $ID^* \notin \{ID_1, \cdots, ID_{q_1}\}$, and two messages $M_0$ and $M_1$ with $|M_0| = |M_1|$.
2. $\mathcal{C}$ flips an unbiased coin and obtains a bit $b \in \{0,1\}$.
3. $\mathcal{C}$ runs $\mathrm{Enc}(M_b, ID^*, params) \to CT^*$ and returns $CT^*$ to $\mathcal{A}$.
Phase II.
- KeyGen Query: $\mathcal{A}$ adaptively submits an identity $ID_j \in \{0,1\}^*$ with $ID_j \ne ID^*$, where $j = 1, 2, \cdots, q_2$. $\mathcal{C}$ runs $\mathrm{KeyGen}(ID_j, MSK, params) \to SK_{ID_j}$ and returns $SK_{ID_j}$ to $\mathcal{A}$.
- Decryption Query: $\mathcal{A}$ adaptively submits a pair $(ID_l, CT_l)$ with $(ID_l, CT_l) \ne (ID^*, CT^*)$, where $l = 1, 2, \cdots, q'_2$. $\mathcal{C}$ runs $\mathrm{KeyGen}(ID_l, MSK, params) \to SK_{ID_l}$ and $\mathrm{Dec}(CT_l, SK_{ID_l}, params) \to M_l$, and returns $M_l$ to $\mathcal{A}$.
Let $q_K = q_1 + q_2$ and $q_D = q'_1 + q'_2$.
Security Model III: Indistinguishability against Chosen-Ciphertext Attacks (IND-ID-CCA2)

Output. $\mathcal{A}$ outputs its guess $b'$ of $b$. $\mathcal{A}$ wins the game if $b' = b$.

Definition 2.3.3 (IND-ID-CCA2): An identity-based encryption scheme is $(T, q_K, q_D, \epsilon(\lambda))$-secure in the IND-ID-CCA2 security model if there exists no adversary $\mathcal{A}$ who can win the above game in time $T$ with advantage at least $\epsilon(\lambda)$ after making $q_K$ key generation queries and $q_D$ decryption queries, namely
$\left|\Pr[b' = b] - \frac{1}{2}\right| < \epsilon(\lambda)$.

Security Model IV: Indistinguishability against Selective-ID Chosen-Ciphertext Attacks (IND-sID-CCA2)

This security model is formally defined by the following game executed between a challenger $\mathcal{C}$ and an adversary $\mathcal{A}$.

Initialization. $\mathcal{A}$ submits an identity $ID^* \in \{0,1\}^*$.
Setup. $\mathcal{C}$ runs $\mathrm{Setup}(1^\lambda) \to (MSK, params)$ and returns $params$ to $\mathcal{A}$.
Phase I.
- KeyGen Query: $\mathcal{A}$ adaptively submits an identity $ID_i \in \{0,1\}^*$ with $ID_i \ne ID^*$, where $i = 1, 2, \cdots, q_1$. $\mathcal{C}$ runs $\mathrm{KeyGen}(ID_i, MSK, params) \to SK_{ID_i}$ and returns $SK_{ID_i}$ to $\mathcal{A}$.
- Decryption Query:
  1. $\mathcal{A}$ adaptively submits a pair $(ID_k, CT_k)$, where $k = 1, 2, \cdots, q'_1$.
  2. $\mathcal{C}$ runs $\mathrm{KeyGen}(ID_k, MSK, params) \to SK_{ID_k}$ and $\mathrm{Dec}(CT_k, SK_{ID_k}, params) \to M_k$, and returns $M_k$ to $\mathcal{A}$.

Security Model IV: Indistinguishability against Selective-ID Chosen-Ciphertext Attacks (IND-sID-CCA2)

Challenge.
1. $\mathcal{A}$ submits two messages $M_0$ and $M_1$ with $|M_0| = |M_1|$.
2. $\mathcal{C}$ flips an unbiased coin and obtains a bit $b \in \{0,1\}$.
3. $\mathcal{C}$ runs $\mathrm{Enc}(M_b, ID^*, params) \to CT^*$ and returns $CT^*$ to $\mathcal{A}$.
Phase II.
- KeyGen Query: $\mathcal{A}$ adaptively submits an identity $ID_j \in \{0,1\}^*$ with $ID_j \ne ID^*$, where $j = 1, 2, \cdots, q_2$. $\mathcal{C}$ runs $\mathrm{KeyGen}(ID_j, MSK, params) \to SK_{ID_j}$ and returns $SK_{ID_j}$ to $\mathcal{A}$.
- Decryption Query:
  1. $\mathcal{A}$ adaptively submits a pair $(ID_l, CT_l)$ with $(ID_l, CT_l) \ne (ID^*, CT^*)$, where $l = 1, 2, \cdots, q'_2$.
  2. $\mathcal{C}$ runs $\mathrm{KeyGen}(ID_l, MSK, params) \to SK_{ID_l}$ and $\mathrm{Dec}(CT_l, SK_{ID_l}, params) \to M_l$, and returns $M_l$ to $\mathcal{A}$.
Let $q_K = q_1 + q_2$ and $q_D = q'_1 + q'_2$.
Security Model IV: Indistinguishability against Selective-ID Chosen-Ciphertext Attacks (IND-sID-CCA2)

Output. $\mathcal{A}$ outputs its guess $b'$ of $b$. $\mathcal{A}$ wins the game if $b' = b$.

Definition 2.3.4 (IND-sID-CCA2): An identity-based encryption scheme is $(T, q_K, q_D, \epsilon(\lambda))$-secure in the IND-sID-CCA2 security model if there exists no adversary $\mathcal{A}$ who can win the above game in time $T$ with advantage at least $\epsilon(\lambda)$ after making $q_K$ key generation queries and $q_D$ decryption queries, namely
$\left|\Pr[b' = b] - \frac{1}{2}\right| < \epsilon(\lambda)$.

2.4 Identity-based Signature

An identity-based signature (IBS) scheme is formally defined by the following four algorithms:

$\mathrm{Setup}(1^\lambda) \to (MSK, params)$: This algorithm takes as input a security parameter $1^\lambda$ and outputs the master secret key $MSK$ and the system public parameters $params$.

$\mathrm{KeyGen}(ID, MSK, params) \to SK_{ID}$: This algorithm takes as input an identity $ID \in \{0,1\}^*$, the master secret key $MSK$ and the parameters $params$, and outputs a secret key $SK_{ID}$.

$\mathrm{Sign}(M, SK_{ID}, params) \to \sigma$: This algorithm takes as input a message $M$, the secret key $SK_{ID}$ and the parameters $params$, and outputs a signature $\sigma$ on $M$.

$\mathrm{Verify}(M, \sigma, ID, params) \to 0/1$: This algorithm takes as input the message $M$, the signature $\sigma$, the identity $ID$ and the parameters $params$, and outputs 1 if $\sigma$ is valid, or 0 to indicate an invalid signature.
Correctness:

$\Pr\left[\mathrm{Verify}(M, \sigma, ID, params) \to 1 \;:\; \mathrm{Setup}(1^\lambda) \to (MSK, params),\; \mathrm{KeyGen}(ID, MSK, params) \to SK_{ID},\; \mathrm{Sign}(M, SK_{ID}, params) \to \sigma\right] = 1$

Security Models

Security Model I: Existential Unforgeability under Chosen Message Attack (EU-ID-CMA)
Security Model II: Existential Unforgeability under Selective-ID Chosen Message Attack (EU-sID-CMA)
Security Model III: Strong Existential Unforgeability under Chosen Message Attack (SEU-ID-CMA)
Security Model IV: Strong Existential Unforgeability under Selective-ID Chosen Message Attack (SEU-sID-CMA)

Security Model I: Existential Unforgeability under Chosen Message Attack (EU-ID-CMA)

This security model is formally defined by the following game executed between a challenger $\mathcal{C}$ and an adversary $\mathcal{A}$.

Setup. $\mathcal{C}$ runs $\mathrm{Setup}(1^\lambda) \to (MSK, params)$ and returns $params$ to $\mathcal{A}$.
KeyGen Query. $\mathcal{A}$ adaptively submits an identity $ID_i \in \{0,1\}^*$, where $i = 1, 2, \cdots, q_K$. $\mathcal{C}$ runs $\mathrm{KeyGen}(ID_i, MSK, params) \to SK_{ID_i}$ and returns $SK_{ID_i}$ to $\mathcal{A}$. Let $\mathcal{Q}_K = \{ID_1, ID_2, \cdots, ID_{q_K}\}$.
Signing Query. For $j = 1, 2, \cdots, q_S$:
1. $\mathcal{A}$ submits an identity $ID'_j \in \{0,1\}^*$ and a message $M_j \in \{0,1\}^*$;
2. $\mathcal{C}$ runs $\mathrm{KeyGen}(ID'_j, MSK, params) \to SK_{ID'_j}$ and $\mathrm{Sign}(M_j, SK_{ID'_j}, params) \to \sigma_j$;
3. $\mathcal{C}$ returns $\sigma_j$ to $\mathcal{A}$.
Let $\mathcal{Q}_S = \{(ID'_1, M_1), (ID'_2, M_2), \cdots, (ID'_{q_S}, M_{q_S})\}$.
Security Model I: Existential Unforgeability under Chosen Message Attack (EU-ID-CMA)

Forge. $\mathcal{A}$ outputs $(ID^*, M^*, \sigma^*)$. $\mathcal{A}$ wins the game if:
(1) $\mathrm{Verify}(M^*, \sigma^*, ID^*, params) \to 1$;
(2) $ID^* \notin \mathcal{Q}_K$;
(3) $(ID^*, M^*) \notin \mathcal{Q}_S$.

Definition 2.4.1 (EU-ID-CMA): An identity-based signature scheme is $(T, q_K, q_S, \epsilon(\lambda))$-unforgeable in the EU-ID-CMA security model if there exists no adversary $\mathcal{A}$ who can win the above game in time $T$ with advantage at least $\epsilon(\lambda)$ after making $q_K$ secret key queries and $q_S$ signing queries, namely
$\Pr\left[\mathrm{Verify}(M^*, \sigma^*, ID^*, params) \to 1\right] < \epsilon(\lambda)$.

Security Model II: Existential Unforgeability under Selective-ID Chosen Message Attack (EU-sID-CMA)

This security model is formally defined by the following game executed between a challenger $\mathcal{C}$ and an adversary $\mathcal{A}$.

Initialization. $\mathcal{A}$ submits an identity $ID^* \in \{0,1\}^*$.
Setup. $\mathcal{C}$ runs $\mathrm{Setup}(1^\lambda) \to (MSK, params)$ and returns $params$ to $\mathcal{A}$.
KeyGen Query. $\mathcal{A}$ adaptively submits an identity $ID_i \in \{0,1\}^*$ with the restriction $ID_i \ne ID^*$, where $i = 1, 2, \cdots, q_K$. $\mathcal{C}$ runs $\mathrm{KeyGen}(ID_i, MSK, params) \to SK_{ID_i}$ and returns $SK_{ID_i}$ to $\mathcal{A}$. Let $\mathcal{Q}_K = \{ID_1, ID_2, \cdots, ID_{q_K}\}$.

Security Model II: Existential Unforgeability under Selective-ID Chosen Message Attack (EU-sID-CMA)

Signing Query. For $j = 1, 2, \cdots, q_S$:
1. $\mathcal{A}$ submits an identity $ID'_j \in \{0,1\}^*$ with $ID'_j \ne ID^*$ and a message $M_j \in \{0,1\}^*$;
2. $\mathcal{C}$ runs $\mathrm{KeyGen}(ID'_j, MSK, params) \to SK_{ID'_j}$ and $\mathrm{Sign}(M_j, SK_{ID'_j}, params) \to \sigma_j$;
3. $\mathcal{C}$ returns $\sigma_j$ to $\mathcal{A}$.
Let $\mathcal{Q}_S = \{(ID'_1, M_1), (ID'_2, M_2), \cdots, (ID'_{q_S}, M_{q_S})\}$.

Forge. $\mathcal{A}$ outputs $(ID^*, M^*, \sigma^*)$. $\mathcal{A}$ wins the game if
$\mathrm{Verify}(M^*, \sigma^*, ID^*, params) \to 1$.
(No further condition is needed: the restrictions $ID_i \ne ID^*$ and $ID'_j \ne ID^*$ on the queries already rule out a trivial win.)
Security Model II: Existential Unforgeability under Selective-ID Chosen Message Attack (EU-sID-CMA)

Definition 2.4.2 (EU-sID-CMA): An identity-based signature scheme is $(T, q_K, q_S, \epsilon(\lambda))$-unforgeable in the EU-sID-CMA security model if there exists no adversary $\mathcal{A}$ who can win the above game in time $T$ with advantage at least $\epsilon(\lambda)$ after making $q_K$ secret key queries and $q_S$ signing queries, namely
$\Pr\left[\mathrm{Verify}(M^*, \sigma^*, ID^*, params) \to 1\right] < \epsilon(\lambda)$.

Security Model III: Strong Existential Unforgeability under Chosen Message Attack (SEU-ID-CMA)

This security model is formally defined by the following game executed between a challenger $\mathcal{C}$ and an adversary $\mathcal{A}$.

Setup. $\mathcal{C}$ runs $\mathrm{Setup}(1^\lambda) \to (MSK, params)$ and returns $params$ to $\mathcal{A}$.
KeyGen Query. $\mathcal{A}$ adaptively submits an identity $ID_i \in \{0,1\}^*$, where $i = 1, 2, \cdots, q_K$. $\mathcal{C}$ runs $\mathrm{KeyGen}(ID_i, MSK, params) \to SK_{ID_i}$ and returns $SK_{ID_i}$ to $\mathcal{A}$. Let $\mathcal{Q}_K = \{ID_1, ID_2, \cdots, ID_{q_K}\}$.
Signing Query. For $j = 1, 2, \cdots, q_S$:
1. $\mathcal{A}$ submits an identity $ID'_j \in \{0,1\}^*$ and a message $M_j \in \{0,1\}^*$;
2. $\mathcal{C}$ runs $\mathrm{KeyGen}(ID'_j, MSK, params) \to SK_{ID'_j}$ and $\mathrm{Sign}(M_j, SK_{ID'_j}, params) \to \sigma_j$;
3. $\mathcal{C}$ returns $\sigma_j$ to $\mathcal{A}$.
Let $\mathcal{Q}_S = \{(ID'_1, M_1), (ID'_2, M_2), \cdots, (ID'_{q_S}, M_{q_S})\}$ and $\mathcal{Q}_\sigma = \{\sigma_1, \sigma_2, \cdots, \sigma_{q_S}\}$.

Security Model III: Strong Existential Unforgeability under Chosen Message Attack (SEU-ID-CMA)

Forge. $\mathcal{A}$ outputs $(ID^*, M^*, \sigma^*)$. $\mathcal{A}$ wins the game if:
(1) $\mathrm{Verify}(M^*, \sigma^*, ID^*, params) \to 1$;
(2) $ID^* \notin \mathcal{Q}_K$;
(3) $(ID^*, M^*) \notin \mathcal{Q}_S$, or $(ID^*, M^*) \in \mathcal{Q}_S$ and $\sigma^* \notin \mathcal{Q}_\sigma$.

Definition 2.4.3 (SEU-ID-CMA): An identity-based signature scheme is $(T, q_K, q_S, \epsilon(\lambda))$-unforgeable in the SEU-ID-CMA security model if there exists no adversary $\mathcal{A}$ who can win the above game in time $T$ with advantage at least $\epsilon(\lambda)$ after making $q_K$ secret key queries and $q_S$ signing queries, namely
$\Pr\left[\mathrm{Verify}(M^*, \sigma^*, ID^*, params) \to 1\right] < \epsilon(\lambda)$.
Security Model IV: Strong Existential Unforgeability under Selective-ID Chosen Message Attack (SEU-sID-CMA)

This security model is formally defined by the following game executed between a challenger $\mathcal{C}$ and an adversary $\mathcal{A}$.

Initialization. $\mathcal{A}$ submits an identity $ID^* \in \{0,1\}^*$.
Setup. $\mathcal{C}$ runs $\mathrm{Setup}(1^\lambda) \to (MSK, params)$ and returns $params$ to $\mathcal{A}$.
KeyGen Query. $\mathcal{A}$ adaptively submits an identity $ID_i \in \{0,1\}^*$ with the restriction $ID_i \ne ID^*$, where $i = 1, 2, \cdots, q_K$. $\mathcal{C}$ runs $\mathrm{KeyGen}(ID_i, MSK, params) \to SK_{ID_i}$ and returns $SK_{ID_i}$ to $\mathcal{A}$. Let $\mathcal{Q}_K = \{ID_1, ID_2, \cdots, ID_{q_K}\}$.

Security Model IV: Strong Existential Unforgeability under Selective-ID Chosen Message Attack (SEU-sID-CMA)

Signing Query. For $j = 1, 2, \cdots, q_S$:
1. $\mathcal{A}$ submits an identity $ID'_j \in \{0,1\}^*$ with $ID'_j \ne ID^*$ and a message $M_j \in \{0,1\}^*$;
2. $\mathcal{C}$ runs $\mathrm{KeyGen}(ID'_j, MSK, params) \to SK_{ID'_j}$ and $\mathrm{Sign}(M_j, SK_{ID'_j}, params) \to \sigma_j$;
3. $\mathcal{C}$ returns $\sigma_j$ to $\mathcal{A}$.
Let $\mathcal{Q}_S = \{(ID'_1, M_1), (ID'_2, M_2), \cdots, (ID'_{q_S}, M_{q_S})\}$ and $\mathcal{Q}_\sigma = \{\sigma_1, \sigma_2, \cdots, \sigma_{q_S}\}$.
Forge. $\mathcal{A}$ outputs $(ID^*, M^*, \sigma^*)$. $\mathcal{A}$ wins the game if:
(1) $\mathrm{Verify}(M^*, \sigma^*, ID^*, params) \to 1$;
(2) $ID^* \notin \mathcal{Q}_K$;
(3) $(ID^*, M^*) \notin \mathcal{Q}_S$, or $(ID^*, M^*) \in \mathcal{Q}_S$ and $\sigma^* \notin \mathcal{Q}_\sigma$.

Security Model IV: Strong Existential Unforgeability under Selective-ID Chosen Message Attack (SEU-sID-CMA)

Definition 2.4.4 (SEU-sID-CMA): An identity-based signature scheme is $(T, q_K, q_S, \epsilon(\lambda))$-unforgeable in the SEU-sID-CMA security model if there exists no adversary $\mathcal{A}$ who can win the above game in time $T$ with advantage at least $\epsilon(\lambda)$ after making $q_K$ secret key queries and $q_S$ signing queries, namely
$\Pr\left[\mathrm{Verify}(M^*, \sigma^*, ID^*, params) \to 1\right] < \epsilon(\lambda)$.
Further Reading
1. Attribute-based Encryption (ABE);
2. Attribute-based Signature (ABS);
3. Functional Encryption (FE);
4. Policy-based Encryption;
5. Policy-based Signature.

Thank You!
