**A Built-in Decisional Function and Security Proof of ID-based Key Agreement Protocols from Pairings**

*L. Chen and Z. Cheng and N.P. Smart*

**Abstract: **In recent years, a large number of identity-based key agreement
protocols from pairings have been proposed. Some of them are elegant
and practical. However, the security of this type of protocol has
been surprisingly hard to prove. The main issue is that a simulator
is not able to answer reveal queries, because doing so requires solving
either a computational problem or a decisional problem, both of
which are generally believed to be hard (i.e., computationally
infeasible). The best security proof published so far
uses the gap assumption, i.e., it assumes that the existence of a
decisional oracle does not change the hardness of the corresponding
computational problem. The disadvantage of proving the security of
this type of protocol in that way is that the
decisional oracle on which the proof relies cannot be
implemented by any polynomial-time algorithm in the real world,
because of the hardness of the decisional problem. In this paper we
present a method that incorporates a built-in decisional function in
this type of protocol. The function transfers a hard decisional
problem in the proof to an easy decisional problem.
We then discuss the resulting efficiency of the schemes and the
relevant security reductions in the context of the different pairings
one can use.

**Category / Keywords: **public-key cryptography / ID Based Key Agreement Protocols

**Date: **received 28 Apr 2006, withdrawn 4 May 2006

**Contact author: **nigel at cs bris ac uk

**Available format(s): **(-- withdrawn --)

**Note: **Some bugs have been found in some of the analysis which need correcting.
They are easily fixed in one of two ways, but at the moment we are
deciding which way to fix them. Will repost once we have rewritten.

**Version: **20060504:061554

**Short URL: **ia.cr/2006/160