Identity-Based Encryption Protocols Using Bilinear Pairing
Identity-Based Encryption Protocols Using Bilinear Pairing
Identity-Based Encryption Protocols Using Bilinear Pairing
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
Let a private key for (v 1 , . . . , v u−1 ) be (A ′ 0, A ′ 1, −→ B ′ u, . . . , −→ B ′ h), where<br />
( u−1<br />
)<br />
∑<br />
A ′ 0 = αP 2 + r ′ V j + P 3 ,<br />
j=1<br />
A ′ 1 = r ′ P , and for u ≤ j ≤ h, −→ B ′ j = (r ′ Q j,1 , . . . , r ′ Q j,nj ). Let B j,k ′ = r′ Q j,k . Pick a random<br />
r ∗ ∈ Z p and compute d v = (A 0 , A 1 , −→ B u+1 , . . . , −→ B h ) where<br />
A 0 = A ′ 0 + ∑ (<br />
n ∑u<br />
)<br />
u<br />
i=1 vi uB u,i ′ + r ∗ j=1 V j + P 3 ,<br />
A 1 = A ′ 1 + r ∗ P,<br />
B u+1 = −→ B ′ u+1 + r ∗ −→ Q u+1 ,<br />
. . . ,<br />
B h = −→ B ′ h + r ∗ −→ Q h .<br />
If we put r = r ′ + r ∗ , then d v is a proper private key for v = (v 1 , . . . , v k ).<br />
Encrypt: To encrypt M ∈ G 2 under the identity (v 1 , . . . , v u ) ∈ (Z ∗ p) k , pick a random<br />
s ∈ Z p and output<br />
(<br />
( ))<br />
u∑<br />
e(P 1 , P 2 ) s × M, sP, s P 3 + V j .<br />
Decrypt:<br />
To decrypt (A, B, C) using the private key d v = (d 0 , d 1 , . . .), compute<br />
( (<br />
A × e(d 1, C)<br />
e rP, s P 3 + ∑ ))<br />
u<br />
e(B, d 0 ) = e(P 1, P 2 ) s j=1 V j<br />
× M ×<br />
)) = M.<br />
j=1<br />
(<br />
e sP, αP 2 + r<br />
(<br />
P 3 + ∑ k<br />
j=1 V j<br />
Note: ccHIBE is parametrized by (n 1 , . . . , n h ) and we will write (h, n 1 , . . . , n h )-ccHIBE to<br />
explicitly denote this parametrization.<br />
8.2.2 Security Reduction<br />
We wish to show that ccHIBE is secure in model M 2 . Recall that Adv is used to denote<br />
the advantage of an adversary in attacking a HIBE. By the notation Adv (h,n 1,...,n h )-ccHIBE<br />
(h,n ′ 1 ,...,n′ )-M (t, q)<br />
h 2<br />
we will denote the maximum advantage of an adversary which runs in time t and makes q<br />
key-extraction queries in attacking (h, n 1 , . . . , n h )-ccHIBE in the model (h, n ′ 1, . . . , n ′ h )-M 2.<br />
Theorem 8.2.1. Let h, n 1 , . . . , n h , q be positive integers and n ′ 1, . . . , n ′ h<br />
positive integers with n ′ i ≤ n i for 1 ≤ i ≤ h. Then<br />
be another set of<br />
Adv (h,n 1,...,n h )-ccHIBE<br />
(h,n ′ 1 ,...,n′ )-M (t, q) ≤ Adv h-wDBDHI∗ (t + O(τnq))<br />
h 2<br />
96