Converting to Identity-Based Cryptography
Converting to Identity-Based Cryptography. This section will demonstrate that the proposed protocol cannot achieve all the security attributes of Section 5.4.6 if brought to an identity-based setting. In identity-based cryptography, the public key is directly derived from the identity, such that an entity A's public key becomes $H_1(\text{▇▇▇}) = Q_A$. We let A's partial private key be its full private key such that $S_A = D_A = sQ_A$. If A wants to establish a session key with B, they exchange ephemeral public keys as usual, but do not exchange public keys, as these are already known in the identity-based setting. A then computes $K_{AB} = \hat{e}(Q_B, sP)^a \cdot \hat{e}(sQ_A, bP)$. Similarly, B computes $K_{BA} = \hat{e}(Q_A, sP)^b \cdot \hat{e}(sQ_B, aP)$. Using a KDF, the final session key then becomes $FK = H(K\ abP)$, where $H$ is a suitable hash function. Notice that this protocol is identical to Smart's protocol [58, 15]. This protocol does not achieve known session-specific temporary information security, as shown in Table 1. Thus, if an adversary obtains the short-term private keys, the session key can be efficiently computed. Moreover, in our security model, an adversary armed with the KGC master key can no longer query for session-specific private information, as it will reveal the established session key.
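The key equations above can be checked in a toy model. This is an added example, not code from the original text: it uses a constructed, insecure bilinear map in which G1 points are stored as their scalars, and the parameters, sample identities, function names and KDF input encoding are all assumptions.

```python
import hashlib
import secrets

# Toy bilinear map (constructed, NOT secure): a G1 point xP is stored as the
# scalar x mod Q (so P = 1); G_T is the order-Q subgroup of Z_p^* generated by G.
P_MOD, Q, G = 2039, 1019, 4          # p = 2q + 1, both prime

def pair(X, Y):
    """e(xP, yP) = g^(xy): bilinear in both arguments."""
    return pow(G, (X * Y) % Q, P_MOD)

def h1(identity):
    """H1: map an identity string to a nonzero G1 element Q_ID (toy hash)."""
    return int.from_bytes(hashlib.sha256(identity.encode()).digest(), "big") % (Q - 1) + 1

def kdf(K, abP):
    """FK = H(K, abP); the byte encoding of the inputs is an assumption."""
    return hashlib.sha256(f"{K}|{abP}".encode()).hexdigest()

def session_key(eph, peer_eph_pub, Q_peer, S_own, P_pub):
    """K = e(Q_peer, sP)^eph * e(S_own, peer_eph_pub), then FK = H(K, abP)."""
    K = pow(pair(Q_peer, P_pub), eph, P_MOD) * pair(S_own, peer_eph_pub) % P_MOD
    return kdf(K, eph * peer_eph_pub % Q)

def key_from_leaked_ephemerals(a, b, Q_A, Q_B, P_pub):
    """Uses only public values plus a and b: e(sQ_A, bP) = e(Q_A, sP)^b."""
    K = pow(pair(Q_B, P_pub), a, P_MOD) * pow(pair(Q_A, P_pub), b, P_MOD) % P_MOD
    return kdf(K, a * b % Q)          # abP = a(bP)

def demo(s=None, a=None, b=None):
    rnd = lambda: secrets.randbelow(Q - 1) + 1
    s, a, b = s or rnd(), a or rnd(), b or rnd()
    P_pub = s                          # sP, the KGC public key
    Q_A, Q_B = h1("alice@example.org"), h1("bob@example.org")  # sample identities
    S_A, S_B = s * Q_A % Q, s * Q_B % Q                        # private keys sQ_ID
    fk_a = session_key(a, b, Q_B, S_A, P_pub)   # A holds a, receives bP
    fk_b = session_key(b, a, Q_A, S_B, P_pub)   # B holds b, receives aP
    fk_leak = key_from_leaked_ephemerals(a, b, Q_A, Q_B, P_pub)
    return fk_a, fk_b, fk_leak

if __name__ == "__main__":
    fk_a, fk_b, fk_leak = demo()
    print("A == B:", fk_a == fk_b, "| leak recovers key:", fk_leak == fk_a)
```

In this representation aP trivially reveals a, which a real pairing group would not allow; the point to observe is that `key_from_leaked_ephemerals` never touches the long-term keys S_A or S_B.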
