In the Wikipedia article on Certificateless Public Key Cryptography https://en.wikipedia.org/wiki/Certificateless_cryptography, it states, "For tight security, a certificateless system has to prove its security against two types of adversaries. Type 1 Adversary- Refers to any third party who can fake the user's public keys, corresponding to obtaining the user's random secret value." Does this mean that a Type 1 adversary has access to the user's random secret value?
1 Answer
Not necessarily. If we read the Certificateless public key paper of Al-Riyami and Paterson, we see in the introduction to section 3 at the head of page 9 that (full) private keys $S_A$ are produced as a function of partial private keys $D_A$ and random secret values $x_A$. We also see that public keys $P_A$ depend on $x_A$ but can be verified without knowledge of $x_A$.
In section 3.1 on page 11, we see that a type I adversary can, for identities of its choice (with certain restrictions):
- request public keys $P_A$
- replace public keys with (valid) values $P'_A$ of their choice
- extract partial private keys $D_A$
- extract private keys $S_A$
- make decryption queries
None of these a priori provides the adversary with knowledge of $x_A$.
Daniel S
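The key relations the answer refers to, as an added example that is not part of the original answer or the paper's code. It follows the basic Al-Riyami and Paterson construction ($D_A = sQ_A$, $S_A = x_A D_A$, $P_A = \langle x_A P, x_A P_0 \rangle$); the toy pairing, the parameters, the function names and the `keys_consistent` check are assumptions made for illustration, and the toy group has no security.

```python
import hashlib
import secrets

# Toy symmetric pairing (assumption, for illustration only): G1 = (Z_q, +) with
# generator P = 1, and e(a, b) = g^(ab) in the order-q subgroup of Z_p^*.
# Discrete logs in this G1 are trivial, so this shows the algebra, not security.
Q, PRIME, G, P = 1019, 2039, 4, 1

def pairing(a, b):
    return pow(G, (a * b) % Q, PRIME)

def rand_scalar():
    return secrets.randbelow(Q - 1) + 1          # uniform in 1..q-1

def h1(identity):
    """Hash an identity string to a nonzero element Q_A of G1."""
    digest = hashlib.sha256(identity.encode()).digest()
    return int.from_bytes(digest, "big") % (Q - 1) + 1

def partial_private_key(s, identity):
    return (s * h1(identity)) % Q                # D_A = s * Q_A (KGC, master key s)

def public_key(x, p0):
    return (x * P) % Q, (x * p0) % Q             # P_A = (X_A, Y_A) = (x_A P, x_A P_0)

def private_key(x, d):
    return (x * d) % Q                           # S_A = x_A * D_A

def public_key_is_valid(pk, p0):
    """Structure check anyone can run without x_A: e(X_A, P_0) == e(Y_A, P)."""
    return pairing(pk[0], p0) == pairing(pk[1], P)

def keys_consistent(sk, pk, identity):
    """Illustrative check: e(S_A, P) == e(Q_A, Y_A) iff S_A and P_A share one x_A."""
    return pairing(sk, P) == pairing(h1(identity), pk[1])

def demo(identity="alice@example.test"):         # constructed sample identity
    s = rand_scalar()                            # KGC master key
    p0 = (s * P) % Q                             # P_0 = s P
    x_a = rand_scalar()                          # the user's random secret value
    s_a = private_key(x_a, partial_private_key(s, identity))
    x_adv = rand_scalar()                        # adversary's own value, chosen freely
    while x_adv == x_a:                          # keep the demo outcome deterministic
        x_adv = rand_scalar()
    p_a, p_replaced = public_key(x_a, p0), public_key(x_adv, p0)
    return {"genuine_valid": public_key_is_valid(p_a, p0),
            "replaced_valid": public_key_is_valid(p_replaced, p0),
            "genuine_consistent": keys_consistent(s_a, p_a, identity),
            "replaced_consistent": keys_consistent(s_a, p_replaced, identity)}
```

A replaced key built from the adversary's own value passes the public structure check, yet it no longer matches the user's $S_A$: the replacement query is answered without $x_A$ ever being involved.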