A Separation Between Selective and Full-Identity Security Notions for Identity-Based Encryption
Identity-based encryption has attracted a lot of attention since the publication of the scheme by Boneh and Franklin. In this work we compare the two adversarial models previously considered in the literature, namely the full and selective-identity models. Remarkably, we show that the strongest security level with respect to selective-identity attacks (i.e. chosen-ciphertext security) fails to imply the weakest full-identity security level (i.e. one-wayness). In addition, an analogous result for the related primitive of tag-based encryption is presented.
KeywordsFoundations identity-based encryption tag-based encryption
Unable to display preview. Download preview PDF.
- [BR93]Bellare, M., Rogaway, P.: Random oracles are practical: A paradigm for designing efficient protocols. In: Proceedings of the 1st ACM CCS, pp. 62–73. ACM Press, New York (1993)Google Scholar
- [RS92]Rackoff, C., Simon, D.R.: Non-interactive zero-knowledge proof of knowledge and chosen ciphertext attack. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 433–444. Springer, Heidelberg (1992)Google Scholar