
Let's consider a situation whereby:

Alice generates a ciphertext c from a message m using Bob’s ID.

An attacker Carol can get c from the open channel. She knows that c is generated by using Bob’s ID but she does not know Bob’s secret key.

On the other side, Carol is able to know the random number r that Alice has used in the encryption process.

Also, it is given that the identity-based decryption formula is as such:

Encryption: $c = (u,v) = (\mathtt{g}^{r}, m \oplus {H({T}_{id}^r)})$

Decryption: $m = v \oplus H(e(\mathtt{d}_{id}, u))$

This is also the standard IBE Bilinear Pairing.

I also managed to deduce this equation below from deriving the decryption algorithm.

$m = v \oplus H({T}_{id}^{r})$

Now consider this question:

Can Carol compute the plaintext message $m$ by just knowing $r$ but not Bob’s secret key?

My answer: It's not possible for Carol to compute $m$ just by knowing $r$ because she still has to solve the discrete log problem in the last equation given which is considered hard.

However, I am unsure whether this is right or wrong.

Edit:

Formula for ${T}_{id}= e({Q}_{id},{K})$, where K is the master public key (${g}^{s}$), and ${Q}_{id}$ is the hash of the user id

Formula for ${d}_{id} = ({Q}_{id})^s$, where s is the master secret key

1 Answer


Thanks. I guess $K=g^s$. It seems trivial: if Carol knows the random integer $r$, then she can learn the message. As you mentioned, everybody could compute $T_{id}$ because both $Q_{id}$ and $K$ are public amongst the network. Since Carol knows $r$, she can compute $Z=T_{id}^r$ and the hash of this result! To learn the message, she has to calculate:

$$m=v \oplus H(Z)=m \oplus H(T_{id}^r) \oplus H(T_{id}^r)=m \oplus (H(T_{id}^r)\oplus H(T_{id}^r))=m \oplus 0=m$$

In general, Carol does not need to know the master secret key $s$ to read the message. The encryption phase is randomized by the integer $r$, and for a chosen ciphertext Carol can learn the message. However, we know she cannot compromise the forward and backward secrecy of the scheme, because the discrete logarithm is hard and the random integer for the next ciphertext will be sampled independently.

Mahdi
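The algebra in the answer above, checked numerically in an added example that is not part of the original posts. It assumes a constructed toy "pairing" in which a group element $g^a$ is stored as its exponent $a$ (so discrete logs are trivial and nothing here is secure); the parameters, identity string and function names are all hypothetical.

```python
import hashlib

# Constructed toy parameters, NOT secure: a G1 element g^a is stored as the
# exponent a mod Q, and the "pairing" is e(g^a, g^b) = GT^(a*b) mod P.
P, Q, GT = 2039, 1019, 4   # P = 2Q + 1; GT has order Q in Z_P^*

def pairing(a, b):
    return pow(GT, (a * b) % Q, P)

def hash_id(ident):
    """Q_id: hash an identity string to a non-identity element of G1."""
    return int.from_bytes(hashlib.sha256(ident.encode()).digest(), "big") % (Q - 1) + 1

def H(z, n):
    """Hash a GT element to an n-byte mask (n <= 32)."""
    return hashlib.sha256(str(z).encode()).digest()[:n]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def extract(s, ident):
    """PKG: d_id = Q_id^s."""
    return (hash_id(ident) * s) % Q

def encrypt(K, ident, m, r):
    """Alice: c = (u, v) = (g^r, m XOR H(T_id^r)), with T_id = e(Q_id, K)."""
    t_id = pairing(hash_id(ident), K)
    return r % Q, xor(m, H(pow(t_id, r, P), len(m)))

def decrypt(d_id, c):
    """Bob: m = v XOR H(e(d_id, u))."""
    u, v = c
    return xor(v, H(pairing(d_id, u), len(v)))

def recover_with_leaked_r(K, ident, c, r):
    """Carol: uses only public K, the identity and the leaked r (no d_id, no s)."""
    _, v = c
    t_id = pairing(hash_id(ident), K)
    return xor(v, H(pow(t_id, r, P), len(v)))

if __name__ == "__main__":
    s, r = 123, 456                      # constructed master secret and nonce
    K = s % Q                            # K = g^s in exponent form
    c = encrypt(K, "bob@example.com", b"quarterly report", r)
    print(decrypt(extract(s, "bob@example.com"), c))
    print(recover_with_leaked_r(K, "bob@example.com", c, r))
```

Both calls print the same plaintext, which is why an implementation has to treat $r$ as secret for that ciphertext and discard it after encryption.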