Identity-Based Encryption Protocols Using Bilinear Pairing

More documents

Recommendations

Info

Since b 0,1 , . . . , b 0,h , b 1 , . . . , b n are chosen randomly from Z p , the P 3,i s and the Q j s are random elements of G 1 . The public parameters are given to the adversary. The master secret is aP 2 , which is not known to the simulator. Now comes the most crucial part of the proof. For y ∈ Z p , V i (y) = P 3,i + yQ 1 + y 2 Q 2 + · · · + y n Q n = a 0 P 2 + b 0,i P + y(a 1 P 2 + b 1 P ) + y 2 (a 2 P 2 + b 2 P ) + · · · + y n (a n P 2 + b n P ) = (a 0 + a 1 y + a 2 y 2 + · · · + a n y n )P 2 + (b 0,i + b 1 y + b 2 y 2 + · · · + b n y n )P = F (y)P 2 + J i (y)P. This decomposes V i (y) into two parts – one depends on P 2 and the other depends on P . The part which depends on P 2 vanishes if and only if y is equal to some element of I ∗ . The ability of the simulator to properly answer key extraction queries and generate a proper challenge ciphertext depends crucially on this fact. Phase 1: In this stage, the adversary can make queries to O k , all of which have to be answered by the simulator. Suppose the adversary queries O k on an identity v = (v 1 , . . . , v j ), with 1 ≤ j ≤ h. By the constraint of model M 1 all the v i ’s cannot be in I ∗ . Suppose ı is such that v ı is not in I ∗ . Then F (v ı ) ≢ 0 mod p. As in the protocol, define V i to be V i (v i ). Choose r 1 , . . ., r ı−1 , r ı, ′ r ı+1 , . . ., r j randomly from Z p . Define W = ∑ j i=1,i≠ı r iV i . The first component d 0 of the secret key for v = (v 1 , . . . , v j ) is computed in the following manner. d 0 = − J ı(v ı ) F (v ı ) P 1 + r ′ ı(F (v ı )P 2 + J ı (v ı )P ) + W. The following computation shows that d 0 is properly formed. d 0 = ±aP 2 − J ı(v ı ) F (v ı ) P 1 + r ı(F ′ (v ı )P 2 + J ı (v ı )P ) + W ( = aP 2 + r ı ′ − a ) (F (v ı )P 2 + J ı (v ı )P ) + W F (v ı ) j∑ = aP 2 + r i V i i=1 where r ı = r ′ ı − a/F (v ı ). Since r ′ ı is random, so is r ı . The quantities d 1 , . . . , d j are computed in the following manner. d i = r i P 1 ≤ i ≤ j, i ≠ ı; = r ′ ıP − 1 F (v ı) P 1 = r ı P for i = ı. This technique is based on the algebraic techniques introduced by Boneh and Boyen [17] as discussed in Section 3.2.1. The generalization is in the definition of F () and J i ()s. Here we take these to be polynomials, which allows us to tackle the case of adversary committing to more than one identity. 88
Challenge Generation: The adversary submits messages M 0 , M 1 and an identity v = (v 1 , . . . , v j ) with 1 ≤ j ≤ h. By the rules of model M 1 , each v i ∈ I ∗ and so F (v i ) ≡ 0 mod p for 1 ≤ i ≤ j. Consequently, and hence V i = V i (v i ) = F (v i )P 2 + J i (v i )P = J i (v i )P cV i = cJ i (v i )P = J i (v i )(cP ) = J i (v i )Q where Q = cP was supplied as part of the DBDH instance. Note that it is possible to compute W i = cV i even without knowing c. The simulator now randomly chooses a bit γ and returns (M γ × Z, Q, W 1 , . . . , W j ) to the adversary. If Z is real, then this is a proper encryption of M γ under the identity v. Phase 2: The key extraction queries in this stage are handled as in Phase 1. Guess: The adversary outputs a guess γ ′ . The simulator outputs 1 if γ = γ ′ , else it outputs 0. If Z = e(P, P ) abc , then the simulator provides a perfect simulation of the (h, n ′ )-M 1 game. On the other hand, if Z is random, the adversary receives no information about the message M γ from the challenge ciphertext. The above shows that an adversary’s ability to attack (h, n)-H 1 HIBE in model (h, n ′ )- M 1 can be converted into an algorithm for solving DBDH. The bound on the advantage follows from this fact. Theorem 7.5.1. shows that an (h, n)-H 1 HIBE is CPA-secure in model (h, n ′ )-M 1 for n ′ ≤ n. The next result shows that (h, n)-H 1 is also secure in the h-sID model. Theorem 7.5.2. Let h, n, q be positive integers. Then Adv (h,n)-H 1 h-sID (t, q) ≤ q p + AdvDBDH (t + O(τnq)). Proof : The proof is similar to the proof of Theorem 7.5.1.. In the h-sID model, the adversary commits to an identity (v ∗ 1, . . . , v ∗ j) where 1 ≤ j ≤ h and v i ∈ Z p . Randomly choose v ∗ j+1, . . . , v ∗ h from Z p. Randomly choose b 1 , . . . , b n , b 0,1 , . . . , b 0,h from Z p . For 1 ≤ i ≤ h, define F i (x) = x − v ∗ i ; J i (x) = b n x n + b n−1 x n−1 + · · · + b 1 x + b 0,i . The protocol is set-up in the following manner. For 2 ≤ j ≤ n, define Q j = b j P , Q 1 = P 2 + b 1 P and for 1 ≤ i ≤ h, define P 3,i = −vi ∗ P 2 + b 0,i P . This defines all the public parameters. 89
Page 1:
Construction of (Hierarchical) Iden
Page 5:
The scientist does not study nature
Page 9 and 10:
Contents 1 Introduction 1 1.1 Plan
Page 11:
7.4.1 HIBE H 1 . . . . . . . . . .
Page 14 and 15:
the public key. In this setting, an
Page 16 and 17:
adversary in distinguishing two mes
Page 18 and 19:
previous chapter. The second varian
Page 20 and 21:
as it is closer to the known exampl
Page 22 and 23:
Let P i = a i P . An algorithm A ha
Page 24 and 25:
Given the security parameter κ, th
Page 26 and 27:
the Key-Gen algorithm and C is the
Page 28 and 29:
Phase 2: A now issues additional qu
Page 30 and 31:
Chapter 3 Previous Works in Identit
Page 32 and 33:
Decrypt: Decrypt C = 〈U, V 〉 us
Page 34 and 35:
Game 2 Suppose B is given a BDH pro
Page 36 and 37:
Security of BasicHIBE against chose
Page 38 and 39:
BB-HIBE Here individual components
Page 40 and 41:
F i (v ∗ i ) = α i P , so C =
Page 42 and 43:
Key-Gen: Let v = (v 1 , . . . , v n
Page 44 and 45:
Composite HIBE Boneh, Boyen and Goh
Page 46 and 47:
Security Given an identity tuple v
Page 48 and 49:
Chapter 4 Tate Pairing in General C
Page 50 and 51: order on the elliptic curve E(IF p
Page 52 and 53: the best result. In [57] the author
Page 54 and 55: Hence, we require 3[S] + 8[M] for E
Page 56 and 57: Algorithm 2 (iterated doubling): In
Page 58 and 59: Level 1 : t 1 = Y 2 1 ; t 4 = Z 2 1
Page 60 and 61: Table 4.1: Cost Comparison. Note 1[
Page 62 and 63: problem. - Our construction resembl
Page 64 and 65: is equal to c 2 |IF a | 3 . Thus, t
Page 66 and 67: aborts if F (v ∗ ) ≠ 0 and outp
Page 68 and 69: DBDH problem over (G 1 , G 2 , e) i
Page 70 and 71: these are respectively 2.4 kb and 2
Page 72 and 73: Signing: Let M = (m 1 , m 2 , . . .
Page 74 and 75: model without random oracles. Addit
Page 76 and 77: 6.2 Construction HIBE-spp The ident
Page 78 and 79: Table 6.1: Comparison of HIBE Proto
Page 80 and 81: For 1 ≤ j ≤ h, we define severa
Page 82 and 83: establish the claim. We provide the
Page 84 and 85: The probability is over the indepen
Page 86 and 87: = ≥ ( ( 1 − Pr 1 − [( q∨ i=
Page 88 and 89: of public parameters is significant
Page 90 and 91: to be I ∗ . It can then ask for t
Page 92 and 93: Phase 2: The adversary issues addit
Page 94 and 95: 7.3 Interpreting Security Models Th
Page 96 and 97: 7.4 Constructions We present severa
Page 98 and 99: 7.4.2 HIBE H 2 The description of H
Page 102 and 103: For 1 ≤ i ≤ h, we have V i (y)
Page 104 and 105: 1. The encryption is converted into
Page 106 and 107: Chapter 8 Constant Size Ciphertext
Page 108 and 109: Let a private key for (v 1 , . . .
Page 110 and 111: Phase 1: Suppose a key extraction q
Page 112 and 113: = γ ( P 3 + ) u∑ V i . i=1 If th
Page 114 and 115: Encrypt: To encrypt a message M ∈
Page 116 and 117: and outputs a random bit if there i
Page 118 and 119: Chapter 9 Augmented Selective-ID Mo
Page 120 and 121: Phase 1 and Phase 2: As discussed i
Page 122 and 123: an adversary has to commit to an id
Page 124 and 125: Table 9.1: Comparison of BBG-HIBE a
Page 126 and 127: where ˜r = (r − αk F k ). Also
Page 128 and 129: The maximum height of the HIBE be h
Page 130 and 131: B declares the public parameters to
Page 132 and 133: So, the challenge ciphertext is ( C
Page 134 and 135: Choose a random r ∗ ∈ Z p and f
Page 136 and 137: The size of the private key in the
Page 138 and 139: generalisation and move on to addre
Page 140 and 141: Table 10.3: Comparison of HIBE prot
Page 142 and 143: [9] Paulo S. L. M. Barreto, Ben Lyn
Page 144 and 145: [31] Sanjit Chatterjee and Palash S
Page 146 and 147: [55] Florian Hess, Nigel P. Smart,
Page 148: [81] Palash Sarkar. Head: Hybrid en
show all

Identity-Based Encryption Protocols Using Bilinear Pairing

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?