The Scientific World Journal

Volume 2014, Article ID 170906, 14 pages

http://dx.doi.org/10.1155/2014/170906

## Efficient and Provable Secure Pairing-Free Security-Mediated Identity-Based Identification Schemes

^{1}Faculty of Engineering, Multimedia University, 63100 Cyberjaya, Selangor, Malaysia^{2}Faculty of Information Science and Technology, Multimedia University, Jalan Ayer Keroh Lama, 75450 Bukit Beruang, Melaka, Malaysia

Received 13 March 2014; Accepted 17 April 2014; Published 26 May 2014

Academic Editor: Mirjana Ivanovic

Copyright © 2014 Ji-Jian Chin et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

#### Abstract

Security-mediated cryptography was first introduced by Boneh et al. in 2001. The main motivation behind security-mediated cryptography was the capability to allow instant revocation of a user’s secret key by necessitating the cooperation of a security mediator in any given transaction. Subsequently in 2003, Boneh et al. showed how to convert a RSA-based security-mediated encryption scheme from a traditional public key setting to an identity-based one, where certificates would no longer be required. Following these two pioneering papers, other cryptographic primitives that utilize a security-mediated approach began to surface. However, the security-mediated identity-based identification scheme (SM-IBI) was not introduced until Chin et al. in 2013 with a scheme built on bilinear pairings. In this paper, we improve on the efficiency results for SM-IBI schemes by proposing two schemes that are pairing-free and are based on well-studied complexity assumptions: the RSA and discrete logarithm assumptions.

#### 1. Introduction

##### 1.1. Background

Identification schemes allow one party, the prover, to prove itself to another party, the verifier, that it knows its secret key without revealing anything else about itself in the process. The main utilization of the identification primitive is to facilitate one-sided entity authentication and is conventionally deployed in access control mechanisms to facilitate resource control and distribution.

In traditional public key cryptography, certificates are used to ensure that a user’s public key is legitimately bound to a particular user and cannot be replaced. This certificate is usually issued by a certificate authority. However, certificate management can become an issue when the number of users in a cryptosystem grows larger. One of the methods of mitigating this potentially costly problem is through the deployment of the cryptographic primitive in an identity-based setting introduced by Shamir [1].

Another issue that traditional public key cryptography faces is the revocation of user secret keys. This would necessarily involve the revocation of a user’s certificate along with his public/secret key pair and is a costly operation. Timeliness is also a factor, as the procedure to revoke a user’s keys may be a (relatively) long one and creates additional load on the certificate authority, turning the revocation procedure into a potentially costly process exercise. All these compound the certificate management issue mentioned earlier.

In the identity-based setting, where certificates are not used, key revocation is conventionally done by tagging validity periods onto the user’s identity-string as an extension. This also creates an issue of timeliness since revocation is only possible at the end of those validity dates. Without checking certificates, it is also difficult to check if a user is still valid or if his user secret key has been revoked already.

In [2], Boneh et al. proposed the initial groundwork for instant revocation of user keys and privileges, including the public key and certificates by introducing the concept of security-mediated cryptography. The idea of security-mediated cryptography is to necessitate the cooperation of a security mediator, a trusted third party, in any form of transaction that a user needs to use. For example, in an encryption scheme, a security mediator needs to lend his cooperation to the user in order for the user to decrypt a particular ciphertext. And for signatures, a security mediator has to agree to cooperate with a signer in order to produce a valid signature.

Specifically, this is done by separating the user’s secret key into two portions during the key generation. One portion of the key is given to the mediator while the other is given to the user. Therefore, the security mediator cooperates in the form of providing his portion of the secret key to be combined with the user’s portion to create the full secret key for the transaction.

##### 1.2. Related Work

Identification schemes were first introduced by Fiat and Shamir [3], while their identity-based counterparts, namely, identity-based identification schemes, were first formalized by Bellare et al. [4] and Kurosawa and Heng [5] independently. In recent years, there have been various advances in the area of identity-based identification, such as the introduction of identity-based identification schemes in the standard model [6, 7], hierarchical model [8–10], and certificateless model [11].

Following Boneh et al.’s initial work, Ding and Tsudik expanded on security-mediated cryptography to cover identity-based encryption using the RSA assumption [12]. Shortly thereafter, Libert and Quisquater proposed the first pairing-based security-mediated identity-based encryption schemes [13]. On the signature front, Cheng et al. proposed the first security-mediated identity-based signature [14].

Chow et al. [15] and Yap et al. [16] both extended security-mediated cryptography into the certificateless setting, where the issue of key escrow was addressed. In certificateless cryptography, first proposed by Al-Riyami and Paterson [17], the key generation center only produces half of the user secret key. The user then produces the other half of the user secret key to be combined into the full user secret key, thus securing their key from even the key generation center. However, the cryptographic primitives in the certificateless setting introduce more operational cost to the scheme and are known to be difficult to be proven secure [18].

##### 1.3. Motivations and Contribution

In 2013, Chin et al. first combined the notion of security-mediated cryptography with identifications in the identity-based setting to propose the first security-mediated identity-based identification (SM-IBI) scheme [19]. In the paper, the authors provided the first formal definitions for SM-IBIs and also proposed a concrete construction. The motivation of the authors was to allow fast revocation of keys for identification schemes in the identity-based setting.

For SM-IBI schemes, a security mediator is required to participate in the identification protocol in order for a user to authenticate himself to a verifier. The security mediator can then hold a revocation list to identify which users’ secret keys have been revoked and refuse participation for those users.

However the first concrete scheme that was proposed by the authors was built based on bilinear pairings. The pairing operation is widely known by cryptographers to be a costly operation; thus, it would be beneficial to construct pairing-free alternatives to facilitate more efficient running of the cryptographic primitive.

In this paper, we propose two pairing-free SM-IBI constructs as faster alternatives to the pairing-based scheme proposed by Chin et al. Our two schemes are constructed based on the RSA assumption and the discrete logarithm assumption, respectively. The RSA-based scheme, which we name as the GQ-SM-IBI, is constructed based on the Guillou Quisquater identification scheme constructed by Bellare and Palacio [20]. On the other hand, the discrete logarithm-based scheme, which we name as the BNN-SM-IBI, is constructed based on the BNN identity-based identification scheme proposed by Bellare et al. [4]. We provide security analysis for both schemes, proving them secure against impersonation under passive attacks if the RSA assumption and the discrete logarithm assumption hold and secure against impersonation under active and concurrent attacks if the one-more RSA inversion assumption and the one-more discrete logarithm assumption hold. Lastly, we provide an efficiency analysis, both theoretically and practically, and show that both schemes are significantly faster than Chin et al.’s pairing-based SM-IBI scheme.

The rest of the paper is organized as follows. We begin with some preliminaries and review the formal definitions and security model of SM-IBI schemes in Section 2. Then we show the construction and security analysis for the GQ-SM-IBI scheme in Section 3. This is followed by the construction and security analysis for the BNN-SM-IBI scheme in Section 4. In Section 5 we show the operational costs of both schemes as well as presenting our implementation results. Finally we conclude in Section 6.

#### 2. Preliminaries

##### 2.1. Discrete Logarithm Assumption

Let be a cyclic group with prime order and let be a generator of . The DL problem (DL) is defined as given a number in group , output .

*Definition 1. *The discrete logarithm assumption states that there exists no polynomial-time algorithm that is able to -solve the discrete logarithm problem with nonnegligible probability such that

##### 2.2. The One-More Discrete Logarithm Assumption

The one-more discrete logarithm () problem was first introduced by Bellare and Palacio [20] in their proof against impersonation under active and concurrent attacks for the standard Schnorr identification scheme. Later work that involves proving security of identification schemes based on discrete logarithms to be secure against active and concurrent attacks for discrete logarithm also makes use of this assumption such as [4, 21].

Let be a finite cyclic group of order and let be a generator of . Define an experiment where an adversary is given a challenge oracle that produces a random group element when queried and a discrete log oracle , which provides the discrete log corresponding to the query where . wins if after making queries to , is able to output solutions to all challenges with only queries to , meaning has to solve at least one instance of the discrete logarithm problem without relying on the discrete log oracle. returns 1 if is successful and otherwise.

*Definition 2. *The assumption states that there exists no polynomial-time algorithm that is able to -solve the problem with nonnegligible probability where

##### 2.3. RSA Inversion (RSAI) Assumption

Given compute such that where .

*Definition 3. *The assumption states that there exists no polynomial-time algorithm that is able to -solve the problem with nonnegligible probability such that

##### 2.4. One-More RSA Inversion (OMRSAI) Assumption

This is the interactive variant of the problem first proposed by Bellare and Palacio [20] to prove security of the GQ identification scheme and is analogous to the assumption. This assumption is applied in the proof of security against active and concurrent attacks for RSA-based schemes.

Define an experiment where an adversary is given as input and access to two oracles and . on any input returns a random point , while on any input will return where . is required to compute the solutions to all the target points while using strictly less queries to the oracle. In other words, is required to find while using the oracle only times. returns if is successful and otherwise.

*Definition 4. *The assumption states that there exists no polynomial-time algorithm that is able to -win the problem with nonnegligible probability where

##### 2.5. Definition of Security-Mediated IBI Schemes

In this section, we review the definition of SM-IBI schemes as defined by [19]. The definition follows closely to that of conventional IBI schemes, with the difference being that the prover segment is extended to encompass obtaining tokens from the security mediator. The SM-IBI scheme is defined as five probabilistic polynomial-time algorithms.(i)*Setup*. It takes in the security parameter as input and outputs the system parameters params along with the master secret key MSK.(ii)*Extract.* Upon receiving a user’s request for a key, it takes in params MSK and a user’s identity ID. Once the secret key is created, the PKG separates the key into two portions, one for the user, , and one for the security mediator, , and returns the portions to the respective parties.(iii)*Identification Protocol.* The identification protocol is an interactive protocol run by the 3 algorithms:* User-Prover* and* SEM-prover* on the prover side trying to authenticate himself to the* Verifier.* Both provers are used cooperatively in the interactive three-step canonical honest verifier zero knowledge proof of knowledge protocol with the verifier as follows.(1)*User-Prover* initiates by sending his identity to ID to the* SEM-prover*.* SEM-prover* checks whether ID’s keys have been revoked and stops with an error code if true. If ID is legitimate then it generates and sends SEM-COMMIT to User-Prover who then combines SEM-COMMIT with his own USER-COMMIT to form FULL-COMMIT to send to* Verifier.*(2)*Verifier* selects a random CHALLENGE and sends it to the* User-Prover.*(3)*User-Prover* relays CHALLENGE to* SEM-Prover* and receives SEM-RESPONSE from* SEM-Prover* which it then combines with his own USER-RESPONSE to form FULL-RESPONSE and sends to the* Verifier.* The* Verifier* will choose to either accept or reject it.

##### 2.6. Security Model for Security-Mediated IBI

Adversaries of SM-IBI follow the description of standard identification schemes: passive and active/concurrent attackers. However, the adversary for SM-IBI is able to query additionally partial conversation components, specifically the user’s prover and the security mediator’s prover besides the usual full prover query.

The security of SM-IBI schemes is modelled as a game played by an adversary against a challenger as follows.(i)*Setup. * runs* Setup*, creates the system parameters params, and passes them to while keeping the master secret key MSK to itself.(ii)*Phase 1.* This is the training phase. is allowed to adaptively make the following queries to .(a)*User-Extract *(ID). will run* Extract* but returns only the user’s portion of the secret key to .(b)*SEM*-*Extract* (ID). will run* Extract* but returns only the security mediator’s portion of the secret key to .(c)*Full-Extract *(ID). will run* Extract* and returns both the user’s portion of the secret key and the security mediator’s portion of the secret key to .(d)*Identification Queries *(ID). For passive adversaries, will generate transcripts of valid conversations for . For active/concurrent adversaries, will act as the cheating prover, engaging as the cheating verifier in conversations. is able to issue any one of the following identification queries.(1)*SEM-Identification *(ID). runs the security mediator’s half of the prover session.(2)*User-Identification *(ID). runs the user’s half of the prover session.(3)*Full-Identification *(ID). combines both security mediator’s and user’s session to generate a full and valid conversation.(iii)*Phase 2. * will eventually output on which it wants to be challenged on and begins its role as the cheating prover for both security mediator and user prover sessions. on the other hand assumes the role of the verifier. wins the game if it manages to convince to accept with nonnegligible probability.

We say a security-mediated IBI scheme is -secure under passive or active/concurrent attacks if for any passive or active/concurrent Type-1 impersonator who runs in time , , where can make at most full extract queries.

It is interesting to point out that extracting the security mediator’s half of the secret key gives no information about the full user key and that neither security mediator’s prover sessions nor user’s prover sessions done alone will provide a valid conversation, but only the combined session will. This models the security requirement that any user cannot legitimately prove himself to a verifier without the security mediator’s help.

#### 3. GQ-SMIBI: RSA-Based Security-Mediated IBI Scheme

The GQ-SM-IBI scheme is derived from the GQ identification scheme proposed in [20] and is provably secure against passive attackers assuming the assumption and against active/concurrent attackers assuming the assumption.

The GQ-SM-IBI scheme is constructed as follows.(1)*Setup* (). It takes in the security parameter , runs the key generation algorithm for RSA, and obtains an RSA instance, . It chooses a hash function and publishes the system parameters . The master secret key is kept secret.(2)*Extract* (). It takes in , and as input. It calculates and sets . It further chooses , sets , and calculates and . It gives to the user as its partial secret key and to the security mediator as its partial private key and keeps secret.(3)*Identification Protocol.* It is run by the* User-Prover* and* SEM-Prover* with* Verifier* as such.(a)*User-Prover* sends its to* Sem-Prover* and chooses and sets . SEM-Prover upon receiving checks if it is still valid and returns error if it is revoked. Otherwise,* SEM-Prover* chooses and sends to* User-Prover*.* User-Prover* combines and sends to* Verifier.*(b)*Verifier* chooses a random challenge where is a super-logarithmic challenge length such that .* Verifier* then sends it to* User-Prover*.* User-Prover* relays to* SEM-Prover*.(c)*SEM-Prover* calculates its half of the response and sends it to* User-Prover*.* User-Prover* combines it with his response to create and sends it as a response to* Verifier*.

Verifier checks if and accepts if yes; otherwise it outputs reject.

To check for completeness,

##### 3.1. Security Analysis: Impersonation under Passive Attack

Theorem 5. *The GQ-SM-IBI scheme is -secure against impersonation under passive attacks in the random oracle if the RSA Inversion Problem is -hard where
*

*Proof. *Assume the GQ-SM-IBI scheme is -breakable; then a simulator that -breaks the problem can be shown. takes in input and runs the impersonator as a subroutine. Without loss of generality, it can be assumed that any* SEM-Extract, User-Extract, SEM-Identification, User-Identification,* and* Full-Identification* queries are preceded by a* Create-User* query. To avoid collision and consistently respond to these queries, maintains a list which is initially empty. The following shows how simulates the environment and oracle queries for . (1)*Setup*. selects a hash function and sets the system parameters as . It sends to .(2)*Create*-*User *. chooses randomly and lets at this point. Whenever makes a query on , consider the following.(a)If , will choose sets and will return to . It adds to .(b)Otherwise, for , chooses , sets , and returns to . also sets , chooses , and sets as the SEM portion of the user private key and as the user portion of the user private key. It can be seen that
adds , , , , , , , to . returns to .(3)*SEM-Extract* (). If and* USER-Extract* () has been queried before, aborts. If , but* USER-Extract* () has not been queried before, chooses and sets as the SEM portion of the user private key, saves it in , and returns it to . Otherwise for all other , just retrieves in and returns it to .(4)*USER-Extract* (). If and* USER-Extract* () has been queried before, aborts. If , but* SEM-Extract* () has not been queried before, chooses and sets as the USER portion of the user private key, saves it in , and returns it to . Otherwise for all other , just retrieves in and returns it to .(5)*Identification* (, ). will act as the cheating verifier to learn information from valid conversation transcripts from . If just retrieves ’s entry in and runs the identification protocol for either the SEM’s interactions, the user’s interactions, or both combined as in the protocol. Otherwise, for , then creates a full valid transcript for each th query by picking , and and sets . also sets , , and . tags the session with . If queries* SEM-Identification* (, ), will return ;* User-Identification* (, ), will return ;* Full-Identification* (, ), will return . If no session is specified for the query, just returns the next session in sequence. One can see that* SEM-Identification* (, ) and* User-Identification* (, ) can be combined to create a full and valid transcript on session :
Eventually, stops Phase 1 and outputs the challenge , on which it wishes to be challenged on. checks if from and aborts if not. Otherwise, runs now as a cheating prover on by obtaining its commitment, , selecting a challenge and obtaining the response from . then resets to the step whereby just sent , selects a second challenge , and receives as response. It should hold that and . One can then obtain . Since is a prime and , . Use the extended Euclidean algorithm to obtain integers and such that . It follows that
then calculates the solution to the problem as follows:

It remains to calculate the probability of solving the problem and winning the game. The probability of successfully extracting two valid conversation transcripts from is bounded by as given by the reset lemma [20]:
Finally calculate . Let be the probability that issues both a* SEM-Extract* and a* USER-Extract* query on and that makes a total of of such queries. The probability of answering all the extraction queries is . In Phase 2, the probability of not aborting is if outputs the challenge identity that was not queried before. This is given by the probability . Compiling them, the probability of not aborting is . This probability is maximised at . Using , the probability that does not abort is at least because the value approaches for large . Therefore, the advantage of , , and the bound of the simulation are given as follows:

##### 3.2. Security Analysis: Impersonation under Active/Concurrent Attack

Theorem 6. *The GQ-SM-IBI scheme is -secure against impersonation under active/concurrent attacks in the random oracle if the Problem is -hard where
*

*Proof. *Assume the GQ-SM-IBI scheme is -breakable; then a simulator that -breaks the problem can be shown. takes in input , is given access to and oracles, and runs the impersonator as a subroutine. Any* SEM-Extract, User-Extract, SEM-Identification, User-Identification,* and* Full-Identification* queries are preceded by a* Create-User* query. maintains a list which is initially empty. The following shows how simulates the environment and oracle queries for . (1)*Create-User* (). chooses randomly and lets at this point. Whenever makes a query on , consider the following.(i)If , will choose , queries for , and sets and will return to . It adds , , , , , , , to .(ii)Otherwise, for , chooses , sets , and returns to . also sets , chooses , and sets as the SEM portion of the user private key and as the user portion of the user private key. It can be seen that
adds , , , , , , to . returns to .(2)*SEM-Extract* (). If and* USER-Extract* () has been queried before, aborts. If , but* USER-Extract* () has not been queried before, chooses and sets as the SEM portion of the user private key, saves it in , and returns it to . Otherwise for all other , just retrieves in and returns it to .(3)*USER-Extract* (). If and* SEM-Extract* () has been queried before, aborts. If , but* SEM-Extract* () has not been queried before, chooses and sets as the USER portion of the user private key, saves it in , and returns it to . Otherwise for all other , just retrieves in and returns it to .(4)*Identification* (, ). will act as the cheating verifier to learn information from valid conversation interactions from . If just retrieves ’s entry in and runs the identification protocol for either the SEM’s interactions, the user’s interactions, or both combined as in the protocol.

Otherwise, for , then creates a full valid conversation for each th query by querying for and setting . Additionally, chooses and sets . Upon receiving from , will query to receive and sets . then chooses and then sets . tags the session with .(i)If queries* SEM-Identification* (, ), will commit and respond with upon receiving .(ii) If queries* User-Identification* (, ), will commit and respond with upon receiving .(iii) If queries* Full-Identification* (, ), will commit and respond with upon receiving . If no session is specified for the query, just returns the next session in sequence. One can see that* SEM-Identification* (, ) and* User-Identification* (, ) can be combined to create a full and valid conversation on session :

Eventually, stops Phase 1 and outputs the challenge , on which it wishes to be challenged on. checks if from and aborts if not. Otherwise, runs now as a cheating prover on . runs by obtaining its commitment, , selects a challenge , and obtains the response from . then resets to the step whereby just sent , selects a second challenge , and receives as response. It should hold that and . One can then obtain . Since is a prime and , . Use the extended Euclidean algorithm to obtain integers and such that . It follows that

then calculates the solution to the problem as follows:

proceeds to calculate the solutions to the other challenges as follows:
The probability study for the simulation above is similar to that of the impersonation under passive attack game and is therefore omitted.

#### 4. BNN-SM-IBI: An DL-Based Security-Mediated IBI Scheme

The BNN-SM-IBI scheme is derived from the BNN-IBI scheme proposed in the work of [4] and is provably secure against passive attackers assuming the DL assumption and against active/concurrent attackers assuming the assumption.

The BNN-SM-IBI scheme is constructed as follows.(1)*Setup* (). It takes in the security parameter . It randomly selects , a generator and computes . Setup also chooses and publishes the system parameters . The master private key is kept secret.(2)*Extract* (). It takes in , and as input. It calculates , picks , calculates and , and sets the full user private key as . Additionally, it sets , , , . It then sets and . It gives to the user as its partial private key and to the security mediator as its partial private key and keeps secret.(3)*Identification Protocol. *It is run by the* User-Prover* and* SEM-Prover* with* Verifier* as such.(a)*User-Prover* sends its to* Sem-Prover*, chooses , and sets and .* SEM-Prover* upon receiving checks if it is still valid and returns error if it is revoked. Otherwise,* SEM-Prover* chooses and sends , , and to* User-Prover*.* User-Prover* combines , , and sends , and to* Verifier*.(b)*Verifier* chooses a random challenge and sends it to* User-Prover*.* User-Prover* relays to* SEM-Prover*.(c)*SEM-Prover* calculates its half of the response and sends it to* User-Prover*.* User-Prover* combines it with his response to create and sends it as a response to* Verifier*.

*Verifier* checks if and accepts if yes; otherwise it outputs reject.

To check for completeness,

##### 4.1. Security Analysis: Impersonation under Passive Attack

Theorem 7. *The BNN-SM-IBI scheme is -secure against impersonation under passive attacks in the random oracle if the DL problem is -hard where
*

*Proof. *Assume the BNN-SM-IBI scheme is -breakable; then a simulator that -breaks the DL problem can be shown. takes in input and runs the impersonator as a subroutine. Without loss of generality, it can be assumed that any* SEM-Extract*,* User-Extract*,* SEM-Identification*,* User-Identification*, and* Full-Identification* queries are preceded by a* Create-User* query. To avoid collision and consistently respond to these queries, maintains a list , , , , , , , , , , , , which is initially empty. The following shows how simulates the environment and oracle queries for . (1)*Setup*. sets the system parameters as and keeps master private key secret. It sends to .(2)*Create-User *. chooses randomly and lets at this point. Whenever makes a query on , consider the following.(i)If , chooses and sets and and returns to . adds , , , , , , , , , , , , , to .(ii)Otherwise, for , chooses and returns . It then chooses , calculates , and sets and . adds , , , , , , , , , , , , , to .(3)*SEM-Extract* (). If and* USER-Extract* () has been queried before, aborts. If , but* USER-Extract* () has not been queried before, will choose and sets and . also sets and , saves these values in , and returns them to . These values will be used in the event of an* Identification* query later on. Otherwise for all other , just retrieves in and returns it to .(4)*USER-Extract* (). If and* SEM-Extract* () has been queried before, aborts. If , but* SEM-Extract* () has not been queried before, will choose and sets and . also sets and , saves these values in , and returns them to . These values will be used in the event of an* Identification* query later on. Otherwise for all other , just retrieves in and returns it to .(5)*Identification* (, ). will act as the cheating verifier to learn information from valid conversation transcripts from . If , just retrieves ’s entry in and runs the identification protocol for either the SEM’s interactions, the user’s interactions, or both combined as in the protocol. Otherwise, for , then creates a full valid transcript for each th query by picking . retrieves , and sets . Additionally, chooses , calculates , and retrieves , and , from as well. then sets and . tags the session with . If queries(i)* SEM-Identification* (, ), will return ;(ii)* User-Identification* (, ), will return , , , ;(iii)Full-Identification (, ), will return , , , . If no session is specified for the query, just returns the next session in sequence. One can see that* SEM-Identification* (, ) and* User-Identification* () can be combined to create a full and valid transcript on session :
Eventually, stops Phase 1 and outputs the challenge , on which it wishes to be challenged on. checks if from and aborts if not. Otherwise, runs now as a cheating prover on by obtaining its commitment, , , selecting a challenge and obtaining the response from . then resets to the step whereby just sent , , , selects a second challenge , and receives as response. is then able to extract the full user private key as follows:
outputs as the discrete log solution.

It remains to calculate the probability of solving the CDH problem and winning the game. The probability of successfully extracting two valid conversation transcripts from is bounded by as given by the reset lemma [20]:
Finally, let be the probability that issues a* SEM-Extract* and a* USER-Extract* query on and that makes a total of of such queries. The probability of answering all the extraction queries is . In Phase 2, the probability of not aborting is if outputs the challenge identity that was not queried before. This is given by the probability . Compiling them, the probability of not aborting is . This value is maximised at . Using , The probability that does not abort is at least because the value approaches for large . Therefore, the advantage of , , and the bound of the simulation is given as follows:

##### 4.2. Security Analysis: Impersonation under Active/Concurrent Attack

Theorem 8. *The BNN-SM-IBI scheme is -secure against impersonation under active/concurrent attacks in the random oracle if the *