I don't know why BasicIdent is not chosen-ciphertext secure. If there is anybody who knows it well, please explain it to me with an example. Moreover, I don't know what a random oracle is or how it is used in security analysis.
1 Answer
First, recall that in the chosen-ciphertext attack (CCA) model, the attacker has access to a decryption oracle. A scheme is said to be CCA-secure if access to a decryption oracle does not give the attacker any advantage.
Knowing this, a very simple CCA attack can be done on BasicIdent. I will use the description of the scheme from Wikipedia.
As you can see, ciphertexts in BasicIdent are tuples of the form $$c = (u,v) = \left(rP, m \oplus H_2\left(g_{ID}^r\right)\right)$$
The important thing here is that the second term of the ciphertext is simply the message XOR'ed with a hash. So, in the IND security game, the attacker can take the challenge ciphertext $c^* = (u^*, v^*)$ and produce a new ciphertext $\hat c = (u^*, v^* \oplus \hat m)$, for some random message $\hat m$. This new ciphertext must be accepted by the decryption oracle since $c^* \neq \hat c$. The result from the decryption oracle is $m_b \oplus \hat m$, and the attacker can trivially extract the original message $m_b$ from this since he knows $\hat m$.
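The malleability the answer describes, worked through in code as an added example (not part of the original question or answer, and not Boneh-Franklin's own code). Because a pairing library is not available offline, the pairing value $g_{ID}^r$ is replaced by a constructed keyed hash of $u$ that both encryptor and decryptor can compute; only the $v = m \oplus H_2(\cdot)$ layer is modelled faithfully. Alongside it, a hardened variant derives a MAC key from the same shared value and rejects any ciphertext whose tag fails, which is what the "accepted by the decryption oracle" step in the answer relies on never happening. This authenticated variant is a generic encrypt-then-MAC hardening chosen for illustration, not the FullIdent construction from the paper.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for the master secret: in real BasicIdent the shared
# value g_ID^r comes from a pairing, computed from r by the encryptor and from
# d_ID by the decryptor. Here a keyed hash of u plays that role so the example
# runs without a pairing library.
TOY_MASTER_SECRET = b"constructed toy secret, not from the page"


def shared_secret(u: bytes) -> bytes:
    """Stand-in for g_ID^r (hypothetical helper, not the real pairing)."""
    return hmac.new(TOY_MASTER_SECRET, u, hashlib.sha256).digest()


def h2(shared: bytes, n: int) -> bytes:
    """H2: stretch the shared value into an n-byte mask (SHA-256 in counter mode)."""
    out = b""
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(shared + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# --- BasicIdent-style encryption: v is just m XOR a hash-derived mask ---------

def basic_encrypt(m: bytes) -> tuple[bytes, bytes]:
    u = secrets.token_bytes(32)            # plays the role of rP
    v = xor(m, h2(shared_secret(u), len(m)))
    return u, v


def basic_decrypt(u: bytes, v: bytes) -> bytes:
    """The decryption oracle: accepts any (u, v), no integrity check."""
    return xor(v, h2(shared_secret(u), len(v)))


def recover_via_oracle(u_star: bytes, v_star: bytes, m_hat: bytes) -> bytes:
    """The answer's observation: (u*, v* XOR m_hat) is a different ciphertext,
    so the oracle decrypts it to m_b XOR m_hat, and m_hat is known."""
    c_hat = (u_star, xor(v_star, m_hat))
    assert c_hat != (u_star, v_star)       # the IND-CCA rule only forbids c* itself
    return xor(basic_decrypt(*c_hat), m_hat)


def demo_basic_is_malleable() -> bool:
    m_b = b"attack at dawn"
    m_hat = secrets.token_bytes(len(m_b))  # constructed random message
    u_star, v_star = basic_encrypt(m_b)
    return recover_via_oracle(u_star, v_star, m_hat) == m_b


# --- Hardened variant: derive a MAC key too and reject modified ciphertexts ---

TAG_LEN = 32


def auth_encrypt(m: bytes) -> tuple[bytes, bytes, bytes]:
    u = secrets.token_bytes(32)
    keystream = h2(shared_secret(u), len(m) + TAG_LEN)
    mask, mac_key = keystream[: len(m)], keystream[len(m):]
    v = xor(m, mask)
    tag = hmac.new(mac_key, u + v, hashlib.sha256).digest()
    return u, v, tag


def auth_decrypt(u: bytes, v: bytes, tag: bytes):
    """Returns the plaintext, or None when (u, v) was not produced by auth_encrypt."""
    keystream = h2(shared_secret(u), len(v) + TAG_LEN)
    mask, mac_key = keystream[: len(v)], keystream[len(v):]
    expected = hmac.new(mac_key, u + v, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None                        # oracle refuses: the XOR trick yields nothing
    return xor(v, mask)


def demo_hardened_rejects_modification() -> bool:
    m_b = b"attack at dawn"
    m_hat = secrets.token_bytes(len(m_b))
    u, v, tag = auth_encrypt(m_b)
    honest_ok = auth_decrypt(u, v, tag) == m_b
    modified_rejected = auth_decrypt(u, xor(v, m_hat), tag) is None
    return honest_ok and modified_rejected


if __name__ == "__main__":
    print("BasicIdent-style oracle leaks m_b:", demo_basic_is_malleable())
    print("Authenticated variant rejects c_hat:", demo_hardened_rejects_modification())
```

The decryption oracle in the first half never fails, which is exactly why the game is lost: every bit-flip in $v$ flips the same bit of the recovered plaintext. In the second half the decryptor checks the tag before releasing anything, so a flipped $\hat c$ produces a rejection rather than $m_b \oplus \hat m$; the attacker learns only that the ciphertext was invalid, which was already known.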