Identity-Based Encryption Protocols Using Bilinear Pairing
Since $b_{0,1}, \ldots, b_{0,h}, b_1, \ldots, b_n$ are chosen randomly from $\mathbb{Z}_p$, the $P_{3,i}$s and the $Q_j$s are random elements of $G_1$. The public parameters are given to the adversary. The master secret is $aP_2$, which is not known to the simulator.
Now comes the most crucial part of the proof. For $y \in \mathbb{Z}_p$,

$$
\begin{aligned}
V_i(y) &= P_{3,i} + yQ_1 + y^2 Q_2 + \cdots + y^n Q_n \\
&= a_0 P_2 + b_{0,i} P + y(a_1 P_2 + b_1 P) + y^2(a_2 P_2 + b_2 P) + \cdots + y^n(a_n P_2 + b_n P) \\
&= (a_0 + a_1 y + a_2 y^2 + \cdots + a_n y^n) P_2 + (b_{0,i} + b_1 y + b_2 y^2 + \cdots + b_n y^n) P \\
&= F(y) P_2 + J_i(y) P.
\end{aligned}
$$
This decomposes $V_i(y)$ into two parts – one depends on $P_2$ and the other depends on $P$. The part which depends on $P_2$ vanishes if and only if $y$ is equal to some element of $I^*$. The ability of the simulator to properly answer key extraction queries and generate a proper challenge ciphertext depends crucially on this fact.
Phase 1: In this stage, the adversary can make queries to $O_k$, all of which have to be answered by the simulator. Suppose the adversary queries $O_k$ on an identity $v = (v_1, \ldots, v_j)$, with $1 \le j \le h$. By the constraint of model $M_1$, not all of the $v_i$'s can be in $I^*$. Suppose $\imath$ is such that $v_\imath$ is not in $I^*$. Then $F(v_\imath) \not\equiv 0 \bmod p$.
As in the protocol, define $V_i$ to be $V_i(v_i)$. Choose $r_1, \ldots, r_{\imath-1}, r'_\imath, r_{\imath+1}, \ldots, r_j$ randomly from $\mathbb{Z}_p$. Define $W = \sum_{i=1,\, i \neq \imath}^{j} r_i V_i$. The first component $d_0$ of the secret key for $v = (v_1, \ldots, v_j)$ is computed in the following manner.

$$d_0 = -\frac{J_\imath(v_\imath)}{F(v_\imath)} P_1 + r'_\imath \left(F(v_\imath) P_2 + J_\imath(v_\imath) P\right) + W.$$
The following computation shows that $d_0$ is properly formed.

$$
\begin{aligned}
d_0 &= \pm aP_2 - \frac{J_\imath(v_\imath)}{F(v_\imath)} P_1 + r'_\imath \left(F(v_\imath) P_2 + J_\imath(v_\imath) P\right) + W \\
&= aP_2 + \left(r'_\imath - \frac{a}{F(v_\imath)}\right)\left(F(v_\imath) P_2 + J_\imath(v_\imath) P\right) + W \\
&= aP_2 + \sum_{i=1}^{j} r_i V_i
\end{aligned}
$$

where $r_\imath = r'_\imath - a/F(v_\imath)$. Since $r'_\imath$ is random, so is $r_\imath$. The quantities $d_1, \ldots, d_j$ are computed in the following manner.

$$
d_i =
\begin{cases}
r_i P & \text{for } 1 \le i \le j,\ i \neq \imath; \\
r'_\imath P - \dfrac{1}{F(v_\imath)} P_1 = r_\imath P & \text{for } i = \imath.
\end{cases}
$$
This technique is based on the algebraic techniques introduced by Boneh and Boyen [17] as discussed in Section 3.2.1. The generalization is in the definition of $F()$ and $J_i()$s. Here we take these to be polynomials, which allows us to tackle the case of adversary committing to more than one identity.