Security Notions for Identity Based Encryption

Transcription

1 Security Notions for Identity Based Encryption David Gaindo and Ichiro Hasuo Institute for Computing and Information Sciences Radboud University Nijmegen P.O.Box 9010, 6500 GL Nijmegen, The Netherands Abstract. Identity Based Encryption IBE) has attracted a ot of attention since the pubication of the scheme by Boneh and Frankin. So far, ony indistinguishabiity based security notions have been considered in the iterature, and it has not been investigated whether these definitions are appropriate. For this purpose, we define the goas of semantic security and non-maeabiity for IBE. We then compare the security notions resuting from combining those goas with the attacks previousy considered in the iterature fu and seective-identity attacks), providing either an impication or a separation. Remarkaby, we show that the strongest security eves with respect to seective-identity attacks i.e. chosen-ciphertext security) do not impy the weakest fu-identity security eve i.e. one-wayness). With the aim of comprehensiveness, notions of security for IBE in the context of encryption of mutipe messages and/or to mutipe receivers are finay presented, as we as their reationship with the standard IBE security notion. The resuts obtained substantiate indistinguishabiity against fu-identity chosen ciphertext attacks as the appropriate security notion for IBE. Keywords: foundations, identity-based encryption, one-wayness, indistinguishabiity, non-maeabiity, semantic security, seective-identity attacks, fu-identity attacks, impications and separations. 1 Introduction The concept of Identity Based Encryption IBE) was proposed by Shamir in [Sha85], aimed at simpifying certificate management in e-mai reated systems. The idea is that an arbitrary string such as an e-mai address or a teephone number coud serve as a pubic key for an encryption scheme. Once a user U receives a communication encrypted using its identity id U, the user authenticates itsef to a Key Generation Center KGC) from which it obtains the corresponding private key d U. The probem was not satisfactoriy soved unti the work by Boneh and Frankin [BF03]. They proposed forma security notions for IBE systems and designed a secure IBE scheme. Since then, IBE has attracted a ot of attention, and a arge number of IBE schemes and reated systems such as [Gen03,AP03]) have been proposed. So far, ony the indistinguishabiity based security notions proposed in [BF03], as we as the variations obtained from [CHK03], have been considered in the iterature, and it has not been investigated whether these definitions are appropriate. To better understand what does mean the appropriateness of an encryption security notion it is worthwhie to remind how the standard security notion for Pubic Key Encryption PKE) was adopted. A ook at PKE security notions. A usefu way to describe the security of a cryptographic scheme is by combining the possibe goas and attack modes. In the case of PKE schemes, the most important goas considered are: indistinguishabiity IND), semantic security SS) [GM84] and non-maeabiity NM) [DDN00]. Semantic security formaizes the inabiity of an

2 adversary to earn any information about the paintext m hidden in a chaenge ciphertext c, whie indistinguishabiity is a technica goa, aimed at capturing a strong form of privacy and being easier to work and reason with than semantic security. Non-maeabiity formaizes that an adversary can not buid up a ciphertext c c whose decryption is meaningfuy reated to m. This notion modes the tamper-proofness of a scheme. Regarding attacks, chosen-paintext attacks CPA) [GM84] and chosen-ciphertext attacks CCA) [RS92] are the most we-known modes. Under CPA the adversary is given the pubic key of the scheme, and thus can encrypt messages on its own, whie in CCA the adversary gets in addition access to a decryption orace, to which it can submit any ciphertext of its choice except for the chaenge ciphertext c. Combining these goas and attacks one obtains six security notions: IND-CPA, IND-CCA, SS-CPA, SS-CCA, NM-CPA, NM-CCA. The equivaence between IND-CPA and SS-CPA was studied in [GM84], and the reations between IND and NM under any form of attack were presented in [BDPR98]. In particuar, they showed that NM impies IND under any attack form considered there, but that the opposite direction ony hods for the CCA case. For this reason, IND-CCA was considered the right notion of security for genera purpose PKE. However, in [BDPR98] was emphasized that a definition for SS-CCA had not been proposed yet, and thus was not known if IND-CCA and SS-CCA were actuay equivaent notions. Despite this fact, it became cryptographic fokore that those notions were equivaent, and this equivaence was even expicity used in the iterature, for instance in [SJ00,KI01,DT03]. Finay, it was not unti [WSI02,GLN02] that an SS-CCA definition was given and proved to be equivaent to IND-CCA. State of the art on IBE security notions. The first IBE security notions were proposed in [BF03]. These new notions were inspired on the existing PKE definitions, with the noveties that the adversary, regardess of the attack mode, is given access to an extraction orace, which on input an identity id {0, 1} outputs the corresponding private key. Moreover, the adversary seects the identity id ch on which it wants to be chaenged, so that now the chaenge consists of a pair id ch, c), where c denotes a ciphertext encrypted under identity id ch. In [BF03] the adversary is aowed to adaptivey seect id ch, probaby depending on the information received so far such as decryption keys), whie in [CHK03] the adversary must commit ahead of time to the chaenge identity. The atter mode is referred to as seectiveidentity attacks sid), whie the origina mode is caed fu-identity attacks ID). With respect to IBE goas, ony one-wayness and indistinguishabiity [BF03] have been defined so far. Thus, the security definitions mosty considered up to now in the iterature are: IND-ID-CPA, INDsID-CPA,IND-ID-CCA,IND-sID-CCA. Currenty, IND-ID-CCA is thought to be the right security notion for IBE. However, there is no work, in the sense of [BDPR98], aiming at estabishing the strength of this security notion, and it aso acks to reate the fu-identity and the purportedy) weaker seectiveidentity modes. Moreover, athough no definition for semantic security in the context of IBE encryption has been given to the best of our knowedge, in the origina work by Boneh and Frankin the security notions IND-ID-CPA, IND-ID-CCA) are presented as equivaent to SS-ID-CPA, SS-ID-CCA). Our contributions. Buiding from the works [BDPR98,GLN02,BF03], we investigate the security foundations underying IBE encryption. For this purpose, we define the goas of semantic security and non-maeabiity for IBE, buiding from we-known pubic key encryption goas. These definitions are presented in Section 3. 2

3 With respect to the reation between seective and fu-identity attacks, we show in Section 4 that the strongest security eves with respect to sid attacks i.e. chosen-ciphertext security) do not even impy the weakest ID security eve i.e. one-wayness). It turns out then that seective-identity security is a stricty weaker security requirement than fu-identity security. Notwithstanding, sid security suffices for other purposes, for instance for buiding IND-CCA PKE schemes [CHK04], and there exists an efficient generic transformation in the Random Orace Mode [BR93] from sid security to ID security [BB04a]. There are severa efficient schemes in the iterature meeting fu-identity security in the Random Orace Mode [BR93], such as [BF03,BB04a,LQ05,Ga05,CC05]. Currenty, ony the works [BB04a,BB04b,Wat05] show schemes with ID security in the standard mode. In Section 5, we compare the fu-identity security notions resuting from our work, providing either an impication or a separation. Our resuts are summarized in Tabe 1. As in [BDPR98], this diagram must be seen as a directed graph. An arrow is an impication, and there is path between A and B if and ony if the security notion A impies the security notion B. A hatched arrow represents a separation which is proved in this paper. Dotted arrows refer to trivia impications. For each pair of notions we obtain an impication or a separation, which is either expicity found in the diagram or deduced from it. For instance, it turns out that IND-ID-CPA does not impy IND-ID-CCA. Otherwise, foowing the arrows in the diagram, there woud be a path between IND-ID-CPA and NM-ID-CPA, which is impossibe due to Theorem 11. As a particuar case, we show that SS-ID-CCA and IND-ID-CCA are equivaent under our definition, thus proving the intuition stated in [BF03]. Recenty it has come to our attention that in an independent work, [ACH + 05] shows simiar resuts to those we present in this section. SS-mID-CCA mutipe-chaenge CCA security SS-mID-mCCA SS-ID-mCCA OW-ID-CCA SS-ID-CCA IND-ID-CCA NM-ID-CCA OW-ID-CPA SS-ID-CPA IND-ID-CPA NM-ID-CPA 8 9 NM >< >= IND SS >: OW -sid- >; j ff CCA CPA seective-identity security Tabe 1. Reations among security notions In the ast pace, we study in Section 6 the robustness of IND-ID-CCA secure schemes in the context of encryption of mutipe messages and/or to mutipe receivers. Concretey, inspired by [GLN02], we propose severa new attack modes for the case of active adversaries: mutipe-identity mid-cca) attacks the adversary can adaptivey query for encryptions of 3

4 the same paintext under different identities) 1 ; mutipe-paintext ID-mCCA) attacks the adversary chooses one fixed identity, and can adaptivey query encryption of different paintexts under that identity) and mutipe-identity-paintext attacks mid-mcca) the adversary can adaptivey query encryption of different paintexts under different identities ). It is shown that any IND-ID-CCA scheme aso meets those stronger security eves. The proof techniques used throughout the paper are indebted to the techniques used in [BDPR98] and [GLN02]. Sti, the fact that PKE and IBE are essentiay different cryptographic primitives, makes some subteties to appear, which demand to be carefuy examined. For instance, a strong separation such as the one we present between sid and ID security, is not known for PKE security notions. As a genera concusion, the broad body of evidences presented in this work confirm indistinguishabiity against fu-identity chosen-ciphertext attacks as the appropriate security notion for IBE. 2 Preiminaries We start by fixing some notation and recaing basic concepts. Agorithmic notation. Assigning a vaue a to a variabe x wi be in genera denoted by x a. If A is a non-empty set, then x A denotes that x has been uniformy chosen in A. If D is a probabiity distribution over A, then x D means that x has been chosen in A by samping the distribution D. Finay, if A is an agorithm, x A means that A has been executed on some specified input and its output has been assigned to the variabe x. Negigibe functions. The cass of negigibe functions on a parameter Z +, denoted as neg), is the set of the functions ǫ : Z + R + such that, for any poynomia p R[], there exist M R + such that ǫ) < M p) for a Z+. Let poy) the cass of functions p : Z + R + upper bounded in Z + by some poynomia in R[]. Hereafter, U) denotes the uniform distribution on {0, 1}. Set sequences. As usua, {0, 1} and {0, 1} wi respectivey denote the set of a finite binary strings and the set of binary strings with ength. If m {0, 1}, then m denotes its ength. A string set sequence, M = {M } Z +, is a poynomia size set hereafter simpy named as set) if there exist an integer vaued function p M ) poy) such that M {0, 1} p M) for a Z +. The cardinaity of a set sequence A as a function of ) wi be denoted by A. Misceaneous notations. We denote a sequence of bit strings by symbo. For exampe, the notation m Dmk, id ch, c ) means that m is the sequence of the resuts when we appy the agorithm Dmk, id ch, ) to each component of c. The bitwise compement of a bit string x is denoted by x. Identity based encryption IBE). An IBE scheme is specified by four probabiistic poynomia time PPT) agorithms: Setup S) takes a security parameter 1 and returns the system parameters pms and masterkey mk. The parameters pms incude incudes the security parameter 1 ; the description of sets ID, M, C, which denote the set of identities, messages and ciphertexts respectivey. pms is pubicy avaiabe, whie the mk is kept secret by the KGC. Extract X) takes as inputs pms, mk and id ID ; it outputs the private key d id corresponding to the identity id. 1 This security definition has been previousy considered in [BSS05], but no proof of equivaence to IND-ID- CCA was given. Moreover, the attack we consider is stronger since it gives more power to the adversary. 4

5 Encrypt E takes as inputs pms, an identity id ID and m M. It returns a ciphertext c C. Decrypt D) takes as inputs pms, a private key d id and c C, and it returns m M or reject when c is not a egitimate ciphertext. For the sake of consistency, these agorithms must satisfy that for a id ID, m M, Dpms, d id, c) = m, where c = Epms, id, m) and d id = Xpms, mk, id) 2.1 Attacks modes for identity based encryption The attack modes mosty used for IBE in the iterature can be cassified by combining the foowing items: The adversary is given/not-given to access a decryption orace; The adversary can adaptivey seect the identity it wants to attack or it is forced to commit ahead of time to the identity under attack, which resuts then in 4 different attacks modes. Regardess of the attack mode under consideration, the adversary is supposed to have access to an extraction orace, which on input an identity id it outputs the corresponding decryption key d id. The decryption orace, on inputs an identity id and a ciphertext c, it outputs Dpms, d id, c). The adversary can query these oraces poynomiay many times and in an adaptive manner [BF03]. There is no need to incude in the attack mode an encryption orace, since in an IBE scheme the adversary is abe to simuate this orace after knowing the pubic parameters pms of the scheme. The attack modes under consideration are referred to as sid-cpa,id-cpa,sid-cca,id-cca. 2.2 One-wayness - OW In the foowing, one-wayness security definitions for IBE are presented. As far as we know, ony one-wayness against fu-identity chosen-paintext attacks referred to as OW-ID-CPA in the foowing definition) has been previousy considered in the iterature. Foowing the notation in [BDPR98], O i = ε means O i is the function which returns the empty string ε on any input. Definition 1 OW-{ID, sid}-{cca, CPA}) Let Π = S, X, E, D) be an IBE scheme, and et A = A 0, A 1, A 2 ) be any 3-tupe of PPT orace agorithms. For ATK = sid-cpa, ID-CPA, sid-cca, ID-CCA, we say Π is OW-ATK secure if for any 3-tupe of PPT orace agorithms A 2 id, γ) A 01 3 ) pms, mk) S1 ); Pr m O1, O2 = m id ch, σ) A1 pms, id, γ) neg), m PU poy )); c Epms, id ch, m); 5 m O1, O2 A `σ, idch, c) 2 and If ATK=sID-CPA then O 1 ) = Xpms, mk, ), O 2 ) = ε and id ch := id If ATK=ID-CPA then O 1 ) = Xpms, mk, ), O 2 ) = ε If ATK=sID-CCA then O 1 ) = Xpms, mk, ), O 2 ) = Dpms, mk, ) and id ch := id If ATK=ID-CCA then O 1 ) = Xpms, mk, ), O 2 ) = Dpms, mk, ) 5

6 In the above expression σ and γ denote some state information. By giving mk as input to the decryption agorithm D we mean that it can decrypt ciphertexts reated to any identity. Additiona requirements are that neither A 1 nor A 2 are aowed to query O 1 on the chaenge identity id ch, and A 2 can not query O 2 on the chaenge pair id ch, c). These queries may be asked adaptivey, that is, each query may depend on the answers obtained to the previous queries. 2.3 Indistinguishabiity - IND In the foowing we reca the indistinguishabiity security notions obtained from the attacks previousy considered in the iterature. Definition 2 IND-{ID, sid}-{cca, CPA}) Let Π = S, X, E, D) be an IBE scheme, and et A = A 0, A 1, A 2 ) be any 3-tupe of PPT orace agorithms. For ATK = sid-cpa, ID-CPA, sid-cca, ID-CCA, we say Π is IND-ATK secure if for any 3-tupe of PPT orace agorithms A, p 1) p 2) neg), where p i) = Pr v = 1 id, γ) A 0 1 ) pms, mk) S1 ); m 1), m 2), id ch ), σ) A O 1, O 2 1 pms, id, γ) c Epms, id ch, m i) ); v A O 1, O 2 2 σ, id ch, c)) In the ast expression, the oraces O 1, O 2 as we as the access to them are as in Definition 1. Additionay, m 1) and m 2) are required to have the same ength; neither A 1 nor A 2 are aowed to query O 1 on the chaenge identity id ch, and A 2 can not query O 2 on the chaenge pair id ch, c). These queries may be asked adaptivey, that is, each query may depend on the answers obtained to the previous queries. 3 Semantic Security and Non-Maeabiity for Identity Based Encryption In this section, semantic security as we as non-maeabiity for IBE schemes are defined for the first time to the best of our knowedge. These definitions are obtained by adapting the definitions of semantic security [GM84,GLN02] and non-maeabiity [BDPR98,BS99] for PKE to the attack scenario proposed in [BF03]. 3.1 Semantic Security - SS In the foowing we rephrase the definitions in [GLN02] for the IBE setting. In our scenario, a CPA attacker is given access to one orace for extraction of private keys, whie a CCA adversary is additionay given access to a decryption orace. The attack is broken in two stages: Stage 1: The adversary conducts some computation using its oraces, and terminates this stage by giving a chaenge tempate. This tempate consists of chaenge identity id ch and three circuits P, L, F): P is a samping circuit, and L, F are circuits with a number of 6

7 input bits that equas the number of output bits in P. The idea is that P specifies a probabiity space on paintexts, whie L specifies partia information i.e., information eak ) regarding the paintext that is given to the adversary, and F specifies partia information regarding the paintext) that the adversary caims to be abe to earn. Stage 2: In the second stage the adversary is given an encryption c of a paintext m under an identity id ch aong with Lm), where m is seected according to P and the adversary does not know the decryption key for id ch. Both CPA and CCA adversaries are not aowed to query the extraction orace on id ch, whie the CCA adversary can not query the decryption orace on the pair id ch, c). Roughy speaking, an IBE scheme is said to be semanticay secure under CPA respectivey CCA) if for every efficient CPA respectivey CCA) attacker as above, there exists a corresponding benign adversary that performs as we without seeing the ciphertexts. Concretey, the benign adversary is not given any orace access, it produces a chaenge tempate P, L, F) and is supposed to guess Fm) given Lm). Additiona requirements are that the benign adversary is supposed to produce P, L, F) according to the same distribution as the rea adversary, and to be as successfu as the rea adversary in guessing Fm). Note that the benign adversary modes an idea situation in which it produces the same chaenge tempate as the rea adversary, but it is given a perfecty secure encryption of the paintext m, that is, it is given nothing [Go93]. Definition 3 SS-{ID, sid}-{cca, CPA}) Let Π = S, X, E, D) be an IBE scheme, and et B = B 0, B 1, B 2 ) be a 3-tupe of PPT orace agorithms. For ATK = sid-cpa, ID-CPA, sid-cca, ID-CCA, we say Π is SS-ATK secure if for any 3-tupe of PPT orace agorithms B there exists a 3-tupe of PPT agorithms B = B 0, B 1, B 2 ), such that the foowing conditions hod: id, γ) B 0 1 ); pms, mk) S1 ); P, idch, L, F), σ ) B O 1, O 2 Pr v = Fm) 1 pms, id, γ) c, β) Epms, id ch, m), Lm) ), where m PU poy) ); v B O 1, O 2 2 σ, idch, c), β ) P, L, F), σ ) B 1 < Pr v = Fm) 1 ); m PU poy) ); v B 2 σ, Lm) ) + ε), where ε) neg), and for every the P, L, F) part in the random variabes B 1 1 ) and B O 1,O 2 1 pms, id) are identicay distributed. The oraces O 1, O 2 as we as the access to them are as in Definition 1. Additionay, neither B 1 nor B 2 are aowed to query O 1 on the chaenge identity id ch, and B 2 can not query O 2 on the chaenge pair id ch, c). These queries may be asked adaptivey. 3.2 Non-maeabiity - NM The notion of non-maeabiity for PKE was introduced in [DDN00]. In [BDPR98] an aternative definition was proposed, which was shown to be equivaent to the origina one [BS99]. The 7

8 new definition was simper since it did not use simuators. Intuitivey, an encryption scheme is non-maeabe if, given a ciphertext, the adversary cannot conjure up another ciphertext whose decryption is meaningfuy reated to the decryption of the given one. This notion modes the tamper-proofness of a scheme. In this paper non-maeabiity is defined without using simuators, adapting the definition for pubic-key schemes in [BDPR98] to the IBE framework. After receiving a chaenge pair id ch, c), the aim of the adversary is to output the description of a reation R and a vector of ciphertexts c no component of which is the chaenge ciphertext c) such that the reation Rm, m) hods, where m Dmk, id ch, c ) and m is the paintext hidden in the chaenge ciphertext. The adversary is successfu if it can do this with probabiity significanty greater than that with which Rm 0, m) hods for some random m 0 of the same ength as m. In the foowing the notation Dmk, id ch, c) = means that c is not a egitimate ciphertext, Definition 4 NM-{ID, sid}-{cca, CPA}) Let Π = S, X, E, D) be an IBE scheme, and et C = C 0, C 1, C 2 ) be any 3-tupe of PPT orace agorithms. For ATK = sid-cpa, ID-CPA, sid-cca, ID-CCA, we say Π is NM-ATK secure if for any 3-tupe of PPT orace agorithms C, the advantage id, γ) C 0 1 ); pms, mk) S1 ); P, id ch, σ) C O 1, O 2 Pr v = 1 1 pms, id, γ); m PU poy) ); c Epms, id ch, m); R, c ) C O 1, O 2 2 σ, id ch, c)); m Dmk, idch, c ); if c c m Rm, m) then v 1 ese v 0; id, γ) C 0 1 ); pms, mk) S1 ); P, id ch, σ) C O 1, O 2 Pr v = 1 1 pms, id, γ); m, m 0 PU poy) ); c Epms, id ch, m); R, c ) C O 1, O 2 2 σ, id ch, c)); m Dmk, idch, c ); if c c m Rm 0, m) then v 1 ese v 0; is negigibe as a function on. In the ast expression, the oraces O 1, O 2 as we as the access to them is defined as in Definition 1, and P specifies a probabiity space on M. Additionay, neither C 1 nor C 2 are aowed to query O 1 on the chaenge identity id ch, and C 2 can not query O 2 on the chaenge pair id ch, c). These queries may be asked adaptivey. Remark 1. The security notions described here and in the previous section can be easiy defined in the Random Orace Mode [BR93], where a parties have access to a random function H from strings to strings. The definitions are modified by incuding in the experiments defining the advantage an initia step, in which some random functions H are chosen from the set of a functions from some appropriate domain to appropriate range. Then H-oraces are provided to the agorithms and they may depend on H. It is easiy verified that a of the impications and separations provided in this work aso hod in the Random Orace Mode. 4 A separation between seective-identity and fu-identity security notions In this section we show a strong separation between seective-identity and fu-identity attack scenarios. The separation is as foows: for any goa {IND, SS, NM}, it turns out that goa- 8

9 sid-cca does not impy OW-ID-CPA, that is, the strongest seective-identity security eves are stricty weaker than the weakest fu-identity security eve. Theorem 5 For any goa {IND, SS, NM}, goa-sid-cca does not impy OW-ID-CPA. Proof : Assume that there exists an IBE scheme Π = S, X, E, D) which is goa-sid-cca secure for some goa {IND, SS, NM} otherwise the caim is triviay true). We construct another IBE scheme Π = S, X, E, D ) which is goa-sid-cca but not OW-ID-CPA, whose existence proves the theorem. The scheme Π is defined as foows: S 1 ) X pms, mk, id) E pms, id, m) D pms, d id, C) pms, mk) S1 ); return return return id + ID ; Xpms, mk, id); Epms, id, m) Dpms, d id, C) d + Xpms, mk, id + ); pms pms, id +, d + ); return `pms, mk It is trivia to check that Π quaifies as an IBE scheme if Π does. From the definition of Π and the definition of sid attacks 2, it aso hods that ID = ID := { ID } Z + = { {0, 1} p)} Z + for a certain p) poy). Π is not OW-ID-CPA due to the foowing successfu adversary A = A 0, A 1, A 2 ): Agorithm A O 1,O 2 1 pms ) id ch id + ; σ d +, pms); m 1), m 2) M, s.t. m 1) = m 2) ; return `m 1), m 2), id ch ), σ Agorithm A O 1,O 2 2 `σ, idch, c return Dpms, d +, c) A simpe cacuation shows that the OW-ID-CPA advantage of the adversary A = A 0, A 1, A 2 ) is 1. The basic idea is that A 1 knows the decryption key reated to id + once it gets pms. Then it sets id ch := id +, it quaifies as a OW-ID-CCA adversary A 1 did not query id + to its orace O 1 ) and finay it can decrypt any ciphertext reated to the chaenge identity, thus effectivey breaking the one-wayness of Π. It remains to show that the new scheme Π is secure in the sense of goa-sid-cca. We argue by contradiction: if we have a successfu goa-sid-cca attacker C = C 0, C 1, C 2 ) for this new scheme, then from that we can construct a successfu goa-sid-cca B = B 0, B 1, B 2 ) attacker for the origina scheme Π. The detais are given in Appendix??. Notice that in the previous proof, the agorithm A 0 was not specified, since it is useess in fu-identity attack scenarios. In the foowing we wi focus on fu-identity scenarios, so the agorithm with subscript 0 in every adversary tupe is dropped for the sake of simpicity. 5 Reations between fu-identity security notions In this section impications and separations for one-wayness, indistinguishabiity, semantic security and non-maeabiity for fu-identity chosen-paintext and chosen-ciphertext attacks are presented. Theorem 6 OW-ATK does not impy IND-ATK, for ATK = ID-CPA, ID-CCA. 2 See for instance Definition 4 in [CHK04,BK05]. 9

10 Proof : This proof is straightforward, and the reader is referred to the fina version of the paper. Theorem 7 IND-ATK entais SS-ATK, for ATK = ID-CPA, ID-CCA. Proof : We present the proof for the ID-CCA case. The modification for the ID-CPA case is easy by dropping the access to decryption orace. Given an SS-ID-CCA adversary B 1, B 2 ), we construct its benign simuator B 1, B 2 ) as foows. The agorithm B 2 simuates B 2 by feeding the encryption of fake paintext 1 m instead of a rea paintext m PU poy) ): since the scheme is IND-ID-CCA this shoud not affect the advantage. Agorithm B 1 1 ) pms, mk) S1 ); P, idch, L, F), σ ) B O 1, O 2 1 pms); n the number of output bits in P); return P, L, F), σ, pms, mk, id ch, 1 n ) ) Agorithm B 2 σ, pms, mk, idch, 1 n ), β ) v B O 1, O 2 2 σ, id ch, Epms, id ch, 1 n ), β)) ; return v It is obvious that the P, L, F) part of the output of B 1 and B 1 are identicay distributed. We sha show that the simuator thus defined is as successfu as the actua adversary. The advantage of the simuator B 1, B 2 ) is evauated as foows. pms, mk) S1 ); Pr v = Fm) P, idch, L, F), σ ) B X mk, D mk 1 pms); 1) m PU poy) ); v B X mk, D mk 2 σ, id ch, Epms, id ch, 1 m ), Lm) ) ) This probabiity is the same as the advantage of the origina adversary B 1, B 2 ), except that B 2 is given the encryption of 1 m instead of m. Caim 1 The two ensembes V = [ σ, id ch, Epms, id ch, 1 m ), Lm)), Fm) ) Exp ], W = [ σ, id ch, Epms, id ch, m), Lm)), Fm) ) Exp ], under the foowing experiment Experiment Exp pms, mk) S1 ); m PU poy) ); P, idch, L, F), σ ) B X mk, D mk 1 pms); cannot be distinguished by any PPT agorithm T X mk, D mk σ, idch, α, β), γ ) which is not aowed to query X mk id ch ) nor D mk id ch, α). It suffices to show Caim 1: if it is true, in particuar the foowing T does not distinguish V and W. Agorithm T O 1,O 2 σ, idch, α, β), γ ) v A O 1,O 2 2 σ, id ch, α, β)); if v = γ then d 1 ese d 0; return d 10

11 Hence the advantage of the simuator and that of the actua adversary are indistinguishabe. This proves the theorem. Caim 1 is proved by contradiction, using indistinguishabiity. Assume a successfu distinguisher T of V and W exists. Then we can construct a successfu IND-ID-CCA distinguisher A 1, A 2 ). Agorithm A O 1,O 2 1 pms) P, idch, L, F), σ ) B O 1,O 2 1 pms); m PU poy) ); return 1 m, m,id ch ), σ, L, F, m) ) Agorithm A O 1,O 2 2 σ, L, F, m), idch, α) ) v T O 1,O 2 σ, id ch, α, Lm)), Fm)); return v A 1, A 2 ) does not make those orace queries an IND-ID-CCA distinguisher is prohibited to make, because B 1 or T does not. For probabiities p 1), p 2) in the definition of IND-ID-CCA, the foowing equations are straightforward. p 1) [ = Pr T X ] mk, D mk V ) = 1 p 2) [ = Pr T X ] mk, D mk W ) = 1 Therefore the success of T impies the success of A 1, A 2 ), which is a contradiction. Theorem 8 SS-ATK entais IND-ATK, for ATK = ID-CPA, ID-CCA. Proof : The proof is presented for ATK=ID-CCA. The modification for ID-CPA case is easy. We argue by contradiction. Assume that an IBE scheme S, X, E, D) has a successfu IND- ID-CCA distinguisher A 1, A 2 ). We sha construct an SS-ID-CCA adversary whose advantage is distinguishaby arger than that of any benign simuator. The construction is rather obvious: the first part of the adversary outputs a chaenge tempate P, id ch, L, F) such that P chooses one out of m 1) and m 2), the two chaenge paintexts A 1 outputs, with the uniform probabiity; L outputs the constant vaue so that the benign simuator cannot gain any information about the paintext; Fm 1) ) = 1 and Fm 2) ) = 0. However in the forma proof some subte detais need carefu consideration, which can be found beow. We can assume without oss of generaity that A 2 aways outputs either 0 or 1. If it is not the case we define a new orace PPT A 2 which invokes A 2 and outputs 1 if B 2 outputs 1, and outputs 0 otherwise: obviousy the pair A 1, A 2 ) is again a successfu distinguisher. We can aso assume, from the success of IND-ID-CCA distinguisher A 1, A 2 ), that for some poynomia q and infinitey many s the foowing hods: p 1) p 2) 1 q). Note that we no onger take the absoute vaue. Additionay, for the technica reason, we assume that the agorithm A 1 aways outputs distinct chaenge paintexts i.e. m 1) m 2) ). Otherwise we define a new distinguisher 11

12 A 1, A 2 ) as foows. Agorithm A O 1,O 2 1 pms) m 1), m 2), id ch ), σ ) A O 1,O 2 1 pms); if m 1) m 2) then d 0 ese d 1; if d = 0 then m m 2) ese m m 1) ; return m 1), m, id ch ), σ, d) ) σ, d), idch, c) ) Agorithm A O 1,O 2 2 if d = 0 then v A O 1,O 2 2 σ, id ch, c)) ese v U 1 ; return v Obviousy the advantage of A 1, A 2 ) is identica to that of A 1, A 2 ), and A 1 is ensured to output distinct chaenge paintexts, Using the distinguisher we construct an SS-ID-CCA adversary B 1, B 2 ) as foows. Agorithm B O 1,O 2 1 pms) m 1), m 2), id ch ), σ ) A O 1,O 2 1 pms); n m 1) ; P a circuit with one input bit such that P0) = m 1) and P1) = m 2) ; L a circuit with n input bits, which outputs constanty 0; F a circuit which outputs 1 for input m 1), 0 for the other inputs; return P, id ch, L, F), σ ) Agorithm B O 1,O 2 2 σ, id ch, α, β)) v A O 1,O 2 2 σ, id ch, α)); return v Note that, by our assumption that m 1) m 2) in the output of A 1, for an output P, id ch, L, F), σ ) of B 1 we aways have FP0)) = Fm 1) ) = 1 and FP1)) = Fm 2) ) = 0. B 1, B 2 ) does not make prohibited orace queries because A 1, A 2 ) does not. Let us denote the foowing experiments by Exp i) for i = 1, 2, where i denotes which paintext is chosen. Experiment Exp i) pms, mk) S1 ); c Epms, id ch, m i) ); m 1), m 2), id ch ), σ) A X mk, D mk 1 pms); v A X mk, D mk 2 σ, id ch, c)); Obviousy p i) as in the definition of IND-ID-CCA) is equa to Pr[v = 1 Exp i) ]. Now the advantage of the above adversary B 1, B 2 ) for given is cacuated as foows. pms, mk) S1 ); Pr v = Fm) P, id ch, L, F), σ) B X mk, D mk 1 pms); m PU poy) ); v B X mk, D mk 2 σ, id ch, Epms, id ch, m), Lm))) ) = 1 [v 2 Pr = 1 Exp 1)] + 1 [v 2 Pr = 0 Exp 2)] ) = 1 [v 2 Pr = 1 Exp 1)] + 1 [ 1 Pr v = 1 Exp 2)]) = ) p 2 p 2) ). 12

13 Here ) hods because m 1) m 2), and ) hods because B 2 aways outputs either 0 or 1. By assumption, the ast quantity is distinguishaby arger than 1/2, as a function on. Let B 1, B 2 ) be an arbitrary benign simuator of B 1, B 2 ). Its advantage is evauated as foows, using the fact that the P, L, F) part in the outputs of B 1 and B 1 are identicay distributed. P, L, F), σ ) B 1 Pr v = Fm) 1 ); m PU poy) ); v B 2 σ, Lm)) = 1 2 Pr P, L, F), σ ) B 1 v = 1 1 ); m P0); v B 2 σ, 0) 1 [v 2 Pr = 1 P, L, F), σ ) B 1 1 ); v B 2 σ, 0) = Pr ] P, L, F), σ ) B 1 v = 0 1 ); m P1); v B 2 σ, 0) v = 1 P, L, F), σ ) B 1 1 ); v B 2 σ, 0) [ 1 Pr Hence the success rate of the actua adversary is distinguishaby arger than that of any benign simuator, which contradicts our assumption of SS-ID-CCA. This concudes the proof. Theorem 9 NM-ATK entais IND-ATK, for both ATK = ID-CPA, ID-CCA. Proof : The proof is presented for the case ATK = ID-CCA. For ATK = ID-CPA the modification is easy by just dropping orace accesses. By contradiction. Assume we have a successfu IND-ATK distinguisher A 1, A 2 ). Then using them we can construct a successfu NM-ATK adversary C 1, C 2 ) as foows. Agorithm C O 1,O 2 1 pms) m 1), m 2), id ch ), σ ) A O 1,O 2 1 pms); P a circuit with one input bit such that P0) = m 1) and P1) = m 2) ; return P, id ch, σ, m 1), m 2) ) ) Agorithm C O 1,O 2 2 σ, m 1), m 2) ), id ch, c ) v A O 1,O 2 2 σ, idch, c) ) ; if v = 1 then d Epms, id ch, m 1) ) ese d Epms, id ch, m 2) ); R Comp, where Compx, y) def. x = y ; return R, d) The pair C 1, C 2 ) thus defined does not make prohibited orace queries as an NM-ID-CCA adversary) because A 1, A 2 ) does not as an IND-ID-CCA distinguisher). The trick is that we take as R a reation other than the equaity: this ensures that the ciphertext d output by C 2 is distinct from the chaenge ciphertext c given to C 2. It is straightforward to show that this pair C 1, C 2 ) is indeed successfu: detais foow next. As in the proof of Theorem 8 we can assume that, the successfu IND-ID-CCA distinguisher A 1, A 2 ) is such that: 1) A 2 aways outputs either 0 or 1; and 2) the function p 1) p 2) over rather than its absoute vaue) is not negigibe; and 3) A 1 aways outputs distinct chaenge paintexts m 1) m 2). Let us denote the foowing experiment by Exp i), for i = 1, 2. The parameter i represents which paintext is chosen by the chaenger. 13 ])

14 Experiment Exp i) pms, mk) S1 ); m 1), m 2), id ch ), σ ) A X mk, D mk 1 pms); c Epms, id ch, m i) ); v A X mk, D mk 2 σ, id ch, c)); if v = 1 then c Epms, id ch, m 1) ) ese c Epms, id ch, m 2) ); m Dmk, id ch, c ); Now for the NM-ID-CCA adversary C 1, C 2 ) constructed using A 1, A 2 ), its advantage is cacuated as foows. 1 [ Pr c c m Compm i), m ) Exp i)] 2 i=1,2 1 [ Pr c c m Compm j), m ) Exp i)] 4 i,j=1,2 ) = 1 [ Pr Compm i), m ) Exp i)] 1 [ Pr c c Compm j), m ) Exp i)] 4 4 i=1,2 i,j)=1,2),2,1) ) 1 4 p1) p2) 4 ) 1 1 p1) 4 ) 1 4 p2) = 1 2 p1) p 2) ). In the equaity ) we use the facts that m in Exp i) must be either m 1) or m 2) hence not, and that if Compm i), m ) then c Epms, id ch, m i) ) and c Epms, id ch, m ) cannot be identica. 3 For the inequaity ) we first drop the condition c c in the second probabiity, and then use the equaities such as Pr p 2) [ Compm 2), m ) Exp 2)] = Pr [ v 1 Exp 2)] = 1. By the success of A 1, A 2 ) this function is not negigibe, which contradicts that the scheme is NM-ID-CCA. Theorem 10 IND-ID-CCA impies NM-ID-CCA. Proof : Assume the existence of a successfu NM-ID-CCA adversary C 1, C 2 ). Using it we construct a successfu IND-ID-CCA distinguisher A 1, A 2 ) as foows. The point is, since A 2 has an access to decryption orace, it can decrypt the ciphertexts output by C 2 which are reated to the chaenge ciphertext. Agorithm A O 1,O 2 1 pms) P, id ch, σ) C O 1,O 2 1 pms); m 1) PU poy) ); m 2) PU poy) ); return m 1), m 2), id ch ), m 1), m 2), σ) ) Agorithm A O 1,O 2 2 m 1), m 2), σ), id ch, c) ) R, c ) C O 1,O 2 2 σ, idch, c ) ; m O2 id ch, c ); if m Rm 1), m) ) then v 1 ese v 0; return v 3 Note that Compm j), m ) does not ensure c c when j i. Here c Epms, id ch, m i) ), c Epms, id ch, m ) and it is possibe that m i) = m = m j). 14

15 We can assume that in every execution R, c ) C O 1,O 2 2 σ, id ch, c) we have c c. 4 This yieds that A 1, A 2 ) thus defined does not make prohibited orace queries. The advantage of A 1, A 2 ) before taking the absoute vaue), p 1) p 2), is identica to that of C 1, C 2 ), hence must be non-negigibe. This is a contradiction. Theorem 11 IND-ID-CPA does not impy NM-ID-CPA. Proof : Assume that there exists an IBE scheme S, X, E, D) which is IND-ID-CPA otherwise the caim is triviay true). We construct another IBE scheme S, X, E, D ) which is IND-ID- CPA but not NM-ID-CPA, whose existence proves the theorem. Agorithm E pms, id, m) c 1 Epms, id, m); c 2 Epms, id, m); return c 1, c 2 ) Agorithm D mk, id, c 1, c 2 ) ) m Dmk, id, c 1 ); return m; The agorithms E, D thus defined obviousy satisfy the condition that a ciphertext, when decrypted, yieds the origina paintext. The scheme S, X, E, D ) is not NM-ID-CPA due to the foowing successfu adversary: a simpe cacuation shows that the advantage of this adversary C 1, C 2 ) is 1 1/2, where 1/2 is the probabiity a random fake) paintext m 0 is accidentay equa to the rea paintext m. Agorithm C O 1,O 2 1 pms) P the identity circuit with input bits; id ch U ; σ the empty string; return P, id ch, σ) Agorithm C O 1,O 2 2 σ, idch, c 1, c 2 ) ) return Comp, c 2, c 1 ) ) It remains to show that the new scheme S, X, E, D ) is IND-ID-CPA. We argue by contradiction: if we have a successfu IND-ID-CPA distinguisher A 1, A 2 ) for this new scheme, then from that we can construct a successfu distinguisher for the origina scheme S, X, E, D). For the notationa convenience, et us denote by q i,j) the foowing probabiity, for each i = 1, 2 and j = 1, 2. q i,j) pms, mk) S1 ); m 1), m 2), id ch ), σ ) A X mk 1 pms); = Pr v = 1 c 1 Epms, id ch, m i) ); c 2 Epms, id ch, m j) ); v A X mk 2 σ, idch, c 1, c 2 )) ) ; Then the advantage of the distinguisher A 1, A 2 ) is now denoted by q 1,1) q 2,2) = q 1,1) q 1,2) ) 1,2) + q q 2,2) ). Since this probabiity is non-negigibe, either q 1,1) q 1,2) or q 1,2) q 2,2) must be nonnegigibe. We sha show that in either case we can construct a successfu IND-ID-CPA distinguisher A 1, A 2 ) for S, X, E, D) using A 1, A 2 ), which contradicts our assumption. 4 We can modify C 2 such as, if c c then the output is Empty, c), where Empty is the empty reation. Obviousy this modification does not affect the advantage of the adversary.. 15

16 If the former probabiity is non-negigibe, define A 1, A 2 ) as foows. It is straight forward to see that its advantage is equa to q 1,1) q 1,2) hence non-negigibe. Agorithm A O 1 1 pms) m 1), m 2), id ch ), σ ) A O 1 1 pms); return m 1), m 2), id ch ), m 1), m 2), σ) ) If the atter probabiity q 1,2) q 2,2) advantage is equa to q 1,2) q 2,2) m 1), m 2), σ), id ch, c) ) Agorithm A O 1 2 c 1 Epms, id ch, m 1) ); c 2 c; v A O 1 2 σ, idch, c 1, c 2 )) ) ; return v is non-negigibe, A 1, A 2 ) is defined as foows. Its hence non-negigibe. Agorithm A O 1 1 pms) m 1), m 2), id ch ), σ ) A O 1 1 pms); return m 1), m 2), id ch ), m 1), m 2), σ) ) Agorithm A O 1 2 m 1), m 2), σ), id ch, c) ) c 1 c; c 2 Epms, id ch, m 2) ); v A O 1 2 σ, idch, c 1, c 2 )) ) ; return v This concudes the proof. The proof for the next theorem is substantiay more compex than the anaogous resut for pubic-key schemes [BDPR98, Theorem 3.6]. This is due to an important difference between IBE and PKE attack modes, namey the existence of extraction oraces. Theorem 12 NM-ID-CPA does not impy IND-ID-CCA. Proof : Assume we have an IBE scheme S, X, E, D) which is NM-ID-CPA. Using this we construct a new scheme S, X, E, D ) which is NM-ID-CPA but not IND-ID-CCA. We can assume that, for each Z +, we have a famiy of pseudo-random functions F = { F K K {0, 1} }, where F K : {0, 1} poy) {0, 1} poy). Notice this does not impy an extra assumption, since the existence of a NM-ID-CPA secure IBE impies a IND-ID-CPA secure IBE by Theorem 9. This impies secure pubic key signature schemes [BF03], and this in turn impies one-way functions. Finay the existence of a famiy of pseudo-random functions is obtained by appying cassica resuts such as [GGM86]. The idea of the construction is as foows. The new decryption agorithm, when queried on the vaue F K id), reveas the decryption key for id. The vaue F K id), which is unique to each id and kept secret, can ony be known by making a decryption query on a pubicy known vaue e. We have these two steps e to F K id) to the decryption key), instead of ony one step e to the decryption key), so that the scheme is easiy shown to be NM-ID-CPA. This procedure of obtaining the decryption key can be done ony by an ID-CCA adversary: an ID-CPA adversary can try extraction queries, but it is prohibited to make it on the chaenge identity hence the vaues F K id) it obtains are irreevent to the desired F K id ch ). Agorithm S 1 ) pms, mk) S1 ); e U ; K U ; return pms, e), mk, e, K) ) Agorithm E pms, e), id, m ) c Epms, id, m); return 0, c) Agorithm X pms, mk, e, K), id ) d Xmk, id); return d, e, F K id) ) Agorithm D pms, d, e, g), i, c) ) if i = 0 then m Dd, c) ese if c = e then m g ese if c = g then m d ese m ; return m 16

17 Note that in the actua use the vaue g in D above wi be F K id). The scheme S, X, E, D ) is not IND-ID-CCA due to the existence of the foowing successfu distinguisher A 1, A 2 ). The oraces O 1, O 2 wi be X mk,e,k), D mk,e,k), respectivey, where the decryption orace D mk,e,k) is defined by D mk,e,k) id, c) = D pms, X mk, e, K), id), c ). ) Agorithm A O 1,O 2 1 pms, e) m 1) the uniform distribution over the message set specified in pms); id ch U ; return m 1), m 1), id ch ), m 1), e) ) Agorithm A O 1,O 2 2 m 1), e), id ch, 0, c)) ) a O 2 idch, 1, e) ) ; b O 2 idch, 1, a) ) ; m Db, c); if m = m 1) then v 1 ese v 0; return v In the description of A 2, the vaue a wi be F K id ch ) and b wi be Xmk, id) in an actua attack. D is the decryption agorithm of the origina IBE scheme. Obviousy the advantage of this distinguisher A 1, A 2 ) is 1, which is non-negigibe. It remains to show that the new scheme S, X, E, D ) is NM-ID-CPA. We argue by contradiction. Let C 1, C 2 ) be a successfu NM-ID-CPA adversary for S, X, E, D ). We construct an NM-ID-CPA adversary C 1, C 2 ) for S, X, E, D) as foows, and the adversary C 1, C 2 ) wi be shown to be successfu. Agorithm C O 1 ) 1 pms e U ; K U ; P, id ch, σ) C O e,k ) 1 1 pms, e) ; return P, id ch, σ, pms, e, K) ) σ, pms, e, K), idch, c ) Agorithm C O 1 2 R, c ) C O e,k 1 2 σ, idch, 0, c) ) ; for 1 i c do if c [i] = 0, c ) then d [i] c ese if c [i] = 1, e) then d [i] O 2 idch, F K id ch ) ) ese d [i] c; return R, d ) Here, O e,k 1 meant to be X mk,e,k) ) is emuated using O 1 meant to be X mk ) as O e,k 1 id) = O1 id), e, F K id) ). We sha show that the NM-ID-CPA adversary C 1, C 2 ) for S, X, E, D) defined above is successfu. We denote by Exp 1 the experiment under which the advantage of C 1, C 2 ) attacking S, X, E, D)) is evauated, and by Exp 2 the one for C 1, C 2 ) attacking S, X, E, D )). By 17

18 expanding the definition we obtain the foowing description. Experiment Exp 1 pms, mk) S1 ); e U ; K U ; P, id ch, σ) C X mk,e,k) ) 1 pms, e) ; m, m 0 PU poy) ); c Epms, id ch, m); R, c ) C X mk,e,k) 2 σ, idch, 0, c) ) ; d constructed from c as in C 2 ); m Dmk, idch, d ); Experiment Exp 2 pms, mk) S1 ); e U ; K U ; P, id ch, σ) C X mk,e,k) ) 1 pms, e) ; m, m 0 PU poy) ); c Epms, id ch, m); R, c ) C X mk,e,k) 2 σ, idch, 0, c) ) ; m D mk, e, K), id ch, c ) ; In the seque we denote a probabiity function evauated under Exp 1 by Pr 1 [ ], and one evauated under Exp 2 by Pr 2 [ ]. We make case-distinction: under Exp 1 or Exp 2, exacty one of the foowing events E 1, E 2, E 3 happens. E 1 def. = c contains ony 0, ) or 1, e)), E 2 def. = c contains ony 0, ) or 1, e) or 1, F K id ch )), but not E 1 ), E 3 def. = neither E 1 nor E 2 ). It is easy to see Pr 1 [E j ] = Pr 2 [E j ] for each j = 1, 2, 3. For notationa convenience we define the foowing probabiities, for j = 1, 2, 3. [ p1, j) = Pr 1 c d m Rm, ] [ m) E j Pr 1 c d m Rm 0, ] m) E j p2, j) = Pr 2 [0, c) c m Rm, m) E j ] Pr 2 [0, c) c m Rm 0, m) E j ]. The probabiity p1, j) is the conditiona) advantage of C 1, C 2 ) under the event E j, and p2, j) is that of C 1, C 2 ). Hence, by the case-distinction, the advantage of C 1, C 2 ) is equa to 3 j=1 p1, j) Pr 1[E j ], and that of C 1, C 2 ) is 3 j=1 p2, j) Pr 2[E j ]. First we consider the case E 1 happens. In that case, the sequence of paintexts m obtained from c via d in Exp 1 is directy obtained by m D mk, e, K), id ch, c ). Hence the gap between p1, 1) and p2, 1) comes ony from the conditions c d in p1, 1) and 0, c) c in p2, 1). More precisey, ony the case that, c contains 1, e) and moreover c = E pms, id ch, F K id ch ) ), contributes to the gap. In this case the paintext m must be identica to F K id ch ): this happens with ony a negigibe probabiity since the vaue F K id ch ) remains secret to the adversary. Therefore we concude that p1, 1) p2, 1) is negigibe. Next we consider the case E 2 happens. In this case c must contain 1, F K id ch ) ). However, just ike in the previous paragraph, the agorithms C 1 and C 2 have no information about 18,

19 F K id ch ) hence this happens with ony a negigibe probabiity. To summarize, the probabiity Pr 1 [E 2 ] = Pr 2 [E 2 ] are both negigibe. Finay, we show that p1, 3) = p2, 3) = 0. The probabiity p1, 3) is 0 because, by the definition of C 2 especiay the construction of d from c ), d contains c when E 3 happens. The probabiity p2, 3) is 0 because, when E 3 happens, c contains iegitimate ciphertext so m. Combining the previous three paragraphs and that Pr 1 [E j ] = Pr 2 [E j ], we have shown that the advantage 3 j=1 p1, j) Pr 1[E j ] of C 1, C 2 ) and 3 j=1 p2, j) Pr 2[E j ] of C 1, C 2 ) have ony a negigibe gap. By assumption the atter is non-negigibe the former must aso be non-negigibe. This concudes the proof. 6 Semantica security of IBE schemes under mutipe-chaenge CCA In this section we present three notions of semantic security under mutipe-chaenge CCA, foowing the pubic-key version [GLN02]. Here an adversary is aowed to make poynomiay many chaenge tempates. Moreover each tempate is answered with a chaenge ciphertext immediatey not after making a the tempates), and the next chaenge tempate can be generated according to the preceding tempates and their answers. After this stage of asking many chaenge tempates adaptivey and in a reated manner, the adversary tries to guess information about the unreveaed paintexts which have been used in answering chaenge tempates. We sha introduce three different types of mutipe-chaenge chosen ciphertext attacks: In the mutipe-identity version mid-cca), the chaenger chooses one fixed paintext, and the adversary can adaptivey query its encryption under different identities poynomiay many times. In the mutipe-paintext version ID-mCCA), the adversary chooses one fixed identity, and can adaptivey query encryption of different paintexts under that identity poynomiay many times. In the mutipe-identity-paintext version mid-mcca), the adversary can adaptivey query encryption of different paintexts under different identities poynomiay many times. Obviousy the first two are specia cases of the ast one. For each attack mode we introduce the notion of semantic security, namey SS-mID-CCA, SS-ID-mCCA, and SS-mID-mCCA. We show that these three notions are a equivaent to semantic security under singe-chaenge CCA, and hence aso to the technica notion of indistinguishabiity. In the definition of SS-ID-CCA an adversary consists of two orace PPT s B 1 and B 2, in such a way that B 1 outputs a chaenge tempate, the chaenger chooses a paintext and presents its encryption, and then B 2 tries to guess information about the paintext. In the mutipe-chaenge case this interaction is modeed by providing the adversary with a tester agorithm T r,pms or T r as its orace. T r,pms is given to an actua adversary which obtains a ciphertext in addition to information eak), whie T r is given to its benign simuator which ony sees information eak). A chaenge tempate is then sent to one of these oraces as a query caed chaenge query ). Agorithm T r,pms P, id ch, L) return Epms, id ch, Pr)), Lr) ) Agorithm T r P, L) return Lr) 19

20 Intuitivey the parameter r of a tester is understood as the mutipe-chaenge version of the coin tosses that the chaenger uses to seect paintexts. It is a sufficienty ong sequence of coin tosses r 1, r 2,...,r t ) which is unreveaed to the adversary. Given the i-th chaenge tempate P i, id i ch, Li ) or P i, L i ) from a simuator), the chaenger chooses a paintext by P i r 1, r 2,...,r i ) using the first i coin tosses in r. Note that now L eaks information on coin tosses r rather than paintexts P i r 1, r 2,...,r i ). 5 For mutipe-chaenge CCA adversaries, it is quite natura to put the same restrictions on the adversary s orace invocations as in the singe-chaenge version, namey: Extraction queries on chaenge identities cannot be made; Decryption queries on chaenge ciphertexts obtained as answers to chaenge queries) cannot be made. However, as is shown in [GLN02], the second restriction is not necessary under mutipepaintext CCA: such a decryption query by an actua adversary can be simuated by a benign simuator which has ony access to a tester orace T r ) by making a chaenge query on a extremey informative information eak L, namey L = P. For the sake of simpicity, we ignore this point of ifting restriction on decryption queries for the time being: this point is expained in detai in Appendix A.1. It seems that the first restriction on extraction queries is sti necessary. Definition 13 Semantic security under mutipe-chaenge CCA) An IBE scheme S, X, E, D) is said to be semanticay secure under mutipe-identity mutipe-paintext chosen ciphertext attacks SS-mID-mCCA) if the foowing hods. For every orace PPT agorithm D SS-mID-mCCA adversary ) with the foowing restriction on orace queries: in any execution of D O 1,O 2,O 3 pms), for each chaenge query c, b) O 3 P, id ch, L) by D, D is prohibited to make the extraction query O 1 id ch ) regardess of before or after the chaenge query, or the decryption query O 2 id ch, c) after the chaenge query there exists a PPT agorithm D benign simuator of D ) which is equay successfu as D, in the foowing sense. 1. The difference between the advantage of the actua adversary D and that of the benign simuator D, namey [ ] [ ] pms, mk) S1 ); r U poy) ; Pr v = Fr) F, v) D X r U poy) ; mk, D mk, T r,pmspms) Pr v = Fr) F, v) D T r 1 ) is negigibe as a function over. 2. The two ensempes over Z + : [ ] pms, mk) S1 ); r U poy) ; t, F) F, v) D X mk, D mk, T r,pmspms) with trace t [ ] r U poy) ; t, F) F, v) D T r 1 ) with trace t and 5 As is shown in the ater definition, the same goes to the information to guess: it is about the coin tosses r i.e. Fr) to guess) rather than paintexts i.e. FPr)) to guess). 20