3

In identity-based encryption papers (i.e. this) it is very difficult for me to understand the security proofs. I don't know why they prove an assumption (BDH, BDDH) for the security of their scheme. Some use a random oracle and most of them try to simulate the scheme. Why is the simulation required in these security proofs?

e-sushi
La Yate May

1 Answer

4

(I assume you are asking about this paper based on your previous questions.) They do not prove BDDH in their security proofs.

Assume that an attacker $A$ breaks IND-sMID-CPA of the above scheme with probability greater than $\epsilon$ within time $t$ [...]. We show that using $A$, one can construct an attacker $B$ for solving the BDDH problem.

In security proofs by reduction, we assume the proposition is not true (here: assume the proposed scheme is not IND-sMID-CPA) and show that the proposition being false would imply some contradiction (here: solving the BDDH problem, which is believed to be hard). In this case, assuming the existence of an attacker $A$ against the IND-sMID-CPA security of the proposed scheme, they construct an algorithm $B$ for solving the BDDH problem. Attacker $A$ is expected to participate in the IND-sMID-CPA experiment, so through the reduction, algorithm $B$ should simulate the experiment for $A$, and since this proof is in the random oracle model, $B$ should simulate the random oracle as well.


problem B is reducible to problem A if an algorithm for solving problem A efficiently (we call this algorithm $A$) (if it existed) could also be used as a subroutine to solve problem B efficiently.

In this context:

A = breaking IND-sMID-CPA
B = BDDH problem

Reduction algorithm $B$ uses adversary $A$ as a subroutine. $B$ doesn't know how $A$ works; the only thing $B$ knows is that $A$ is expecting to attack problem A. So, given an input instance of problem B (here BDDH), the reduction algorithm should generate (simulate) an instance of problem A for $A$.

Chapter 3.3.2 of Introduction to Modern Cryptography explains "proofs by reduction".

Mhy
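The reduction pattern described in the answer, shown in a smaller setting as an added example that is not from the paper or from the answer: it swaps the IBE scheme and BDDH for plain ElGamal and DDH in a toy group, so there are no pairings and no random oracle to simulate. The names `AdversaryA`, `reduction_B` and `ddh_experiment` and the group parameters are hypothetical and constructed here.

```python
import random

# Toy group, constructed for this example and insecure on purpose:
# the order-Q subgroup of Z_P^* with P = 2Q + 1 and generator G.
P, Q, G = 2039, 1019, 4

def dlog(h):
    """Brute-force discrete log; feasible only because the group is tiny."""
    x, acc = 0, 1
    while acc != h:
        acc, x = acc * G % P, x + 1
    return x

class AdversaryA:
    """Hypothetical IND-CPA attacker on ElGamal. B never looks inside it."""
    def choose(self, pk):
        self.sk = dlog(pk)                 # "breaks" the scheme in the toy group
        self.m0, self.m1 = G, G * G % P    # two distinct challenge messages
        return self.m0, self.m1
    def guess(self, c1, c2):
        m = c2 * pow(c1, Q - self.sk, P) % P   # decrypt: c2 / c1^sk
        return 0 if m == self.m0 else 1

def reduction_B(A, ga, gb, T, rng):
    """B receives a DDH instance (g^a, g^b, T) and must decide if T = g^(ab).
    It simulates the IND-CPA game for A without knowing a or b."""
    m0, m1 = A.choose(ga)                  # simulated public key is g^a
    beta = rng.randrange(2)                # simulated challenger's coin
    c1, c2 = gb, (m0, m1)[beta] * T % P    # challenge ciphertext embeds T
    return A.guess(c1, c2) == beta         # True = "T is a real DH value"

def ddh_experiment(trials, seed=0):
    """Fraction of 'real' answers from B on real and on random DDH tuples."""
    rng = random.Random(seed)
    real = rand = 0
    for _ in range(trials):
        a, b, z = (rng.randrange(1, Q) for _ in range(3))
        ga, gb = pow(G, a, P), pow(G, b, P)
        real += reduction_B(AdversaryA(), ga, gb, pow(G, a * b, P), rng)
        rand += reduction_B(AdversaryA(), ga, gb, pow(G, z, P), rng)
    return real / trials, rand / trials

if __name__ == "__main__":
    print(ddh_experiment(400))
```

When `T` is a real Diffie-Hellman value the simulated challenge is a valid ElGamal ciphertext, so `A` sees exactly the game it expects and its success carries over to `B`; when `T` is random the ciphertext is independent of `beta` and `A` can do no better than guessing.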