## Abstract

In recent years, a large number of identity-based key agreement
protocols from pairings have been proposed. Some of them are
elegant and practical. However, the security of this type of
protocol has been surprisingly hard to prove, even in the random
oracle model.
The main issue is that a simulator is not able to deal with reveal queries,
because answering them requires solving either a computational problem or a decisional
problem, both of which are generally believed to be hard (i.e.,
computationally infeasible). The best solution so far for security proofs
uses the gap assumption, which means assuming
that the existence of a decisional oracle does not change the
hardness of the corresponding computational problem. The
disadvantage of using this solution to prove security is that such
decisional oracles, on which the security proof relies, cannot be
implemented by any polynomial-time algorithm in the real world,
because of the hardness of the decisional problem.
In this paper we present a method that incorporates
a built-in decisional function into the protocols.
The function transforms a hard decisional problem in the
proof into an easy decisional problem. We then discuss the resulting
efficiency of the schemes and the relevant security reductions, in
the random oracle model, in the context of different pairings one can use.
We pay particular attention, unlike most other papers in the area, to the
issues which arise when using asymmetric pairings.

| Translated title of the contribution | Identity-based key agreement protocols from pairings |
|---|---|
| Original language | English |
| Pages (from-to) | 213-241 |
| Journal | International Journal of Information Security |
| Volume | 6 |
| Publication status | Published - 2007 |