2011 Reports : Cryptology ePrint Archive Forum

Discussion forum for Cryptology ePrint Archive reports posted in 2011.
Please put the report number in the subject.

On Report 2011/361

Posted by: **jsbaek** (IP Logged)

Date: 05 January 2012 20:31

Dear Authors,

Thank you very much for pointing out the "flaw" in the proof of our stateful IBE scheme. Actually I do understand your point.

But I would like to say something about this.

As stated in our paper, the stateful IBE scheme was proposed as an extension of our stateful PKE

scheme (StPE) proposed in the same paper. In fact, we do not provide a complete proof for the proposed

stateful IBE scheme but leave it as a future work for the full version of the paper by stating

"The detailed proof will be provided in the full version of this paper." . (Unfortunately the full version is yet to be released.) So I'm wondering what

proof you are referring to in Section 3.2 of your paper. - We do not even state this as a theorem.

Rather than giving a full proof, we are providing a sketch of the proof. According to the end of Section

4 of our paper, the basic idea is to construct

a normal StPE (We call this "StBDH" for the sake of convenience) out of the proposed stateful IBE and proved

that the CCA-security of the stateful IBE is reduced to the CCA-security of this StBDH. Then we claim that

"Using a similar technique used in the proof of stDH+ (Appendix A.2), it can be shown that the derived StPE

scheme is IND-CCA secure assuming that the Bilinear Diffie

-Hellman (BDH) [9] is hard (in the random oracle model)."

We sincerely accept that this sentence is a mistake in a sense that it is not clear whether 'computational' or 'gap' DH assumption is sufficent for CCA-security of the stBDH scheme. But I really DO NOT think this is serious enough to be written as a paper and deserve the title "On the Exact Security of Baek et al.’s Stateful IBE...".

Your observation on the "Exact Security" is trivial and is well-known. We are definitely aware the "inconsistency in answering decryption oracle queries" that the proof for the CCA-security of the StBDH cannot be reduced to the normal computational BDH problem. You may think that I'm bluffing but if we did not know this, we would not be able to prove that the hardness of "gap" Diffie-Hellman problem to the CCA-security of our proposed scheme stDH+ in the same paper.

So I would like you to change the title of your paper by removing "Baek et al.'s stateful IBE" and to focus more on your new constructions. Your criticism is somewhat groundless.

Joonsang Baek

Edited 3 time(s). Last edit at 09-Jan-2012 15:22 by jsbaek.

Thank you very much for pointing out the "flaw" in the proof of our stateful IBE scheme. Actually I do understand your point.

But I would like to say something about this.

As stated in our paper, the stateful IBE scheme was proposed as an extension of our stateful PKE

scheme (StPE) proposed in the same paper. In fact, we do not provide a complete proof for the proposed

stateful IBE scheme but leave it as a future work for the full version of the paper by stating

"The detailed proof will be provided in the full version of this paper." . (Unfortunately the full version is yet to be released.) So I'm wondering what

proof you are referring to in Section 3.2 of your paper. - We do not even state this as a theorem.

Rather than giving a full proof, we are providing a sketch of the proof. According to the end of Section

4 of our paper, the basic idea is to construct

a normal StPE (We call this "StBDH" for the sake of convenience) out of the proposed stateful IBE and proved

that the CCA-security of the stateful IBE is reduced to the CCA-security of this StBDH. Then we claim that

"Using a similar technique used in the proof of stDH+ (Appendix A.2), it can be shown that the derived StPE

scheme is IND-CCA secure assuming that the Bilinear Diffie

-Hellman (BDH) [9] is hard (in the random oracle model)."

We sincerely accept that this sentence is a mistake in a sense that it is not clear whether 'computational' or 'gap' DH assumption is sufficent for CCA-security of the stBDH scheme. But I really DO NOT think this is serious enough to be written as a paper and deserve the title "On the Exact Security of Baek et al.’s Stateful IBE...".

Your observation on the "Exact Security" is trivial and is well-known. We are definitely aware the "inconsistency in answering decryption oracle queries" that the proof for the CCA-security of the StBDH cannot be reduced to the normal computational BDH problem. You may think that I'm bluffing but if we did not know this, we would not be able to prove that the hardness of "gap" Diffie-Hellman problem to the CCA-security of our proposed scheme stDH+ in the same paper.

So I would like you to change the title of your paper by removing "Baek et al.'s stateful IBE" and to focus more on your new constructions. Your criticism is somewhat groundless.

Joonsang Baek

Edited 3 time(s). Last edit at 09-Jan-2012 15:22 by jsbaek.

Please log in for posting a message. Only registered users may post in this forum.