Identity-Based Encryption Protocols Using Bilinear Pairing

More documents

Recommendations

Info

Phase 1: Suppose a key extraction query is made on v = (v 1 , . . . , v j ) for j ≤ h. (Note that j may be less than, equal to, or greater than u.) If j ≤ u, then there must be a k ≤ j such that F k (v k ) ≢ 0 mod p, as otherwise v i ∈ Ii ∗ for each i ∈ {1, . . . , j} – which is not allowed by the rules of M 2 . In case j > u, it is possible that F 1 (v 1 ) = · · · = F u (v u ) = 0. Then, since v u+1 ∈ Z ∗ p and F u+1 (x) = x, we have F u+1 (v u+1 ) ≢ 0 mod p. Thus, in all cases, there is a k such that F k (v k ) ≢ 0 mod p. We choose k to be the first such value in the range {1, . . . , j} and so for i < k, we have F i (v i ) ≡ 0 mod p. We next show that it is possible to construct a valid private key for v from what is known to the adversary. Recall that Y i = α i P and hence Y i1 +i 2 = α i 1 Y i2 . Choose a random r in Z p and define ( j∑ ) ( j∑ ) A 1 = βY 1 − 1 J i (v i )Y k + r (F i (v i )Y h−i+1 + J i (v i )P ) ; F k (v k ) i=1 i=1 A 2 = − 1 ∑ F i (v i )Y h+k−i+1 ; F k (v k ) A 3 = i=j+1 i∈{1,...,j}\{k} h∑ ( r(b i,0 P + a i,0 Y h−i+1 ) − 1 ) F k (v k ) (b i,0Y k + a i,0 Y h+k−i+1 ) . It is possible to compute A 1 , A 2 and A 3 from what is known to the simulator. First note that F k (v k ) ≢ 0 mod p and hence 1/F k (v k ) is well defined. The values F i (v i ), J i (v i ) and P, Y 1 , . . . , Y h are known to the simulator. Hence, A 1 and A 3 can be computed directly. In A 2 , the values Y h+2 , . . . , Y h+k are involved. However, the corresponding coefficients are F k−1 (v k−1 ), . . . , F 1 (v 1 ). By definition, k is the first integer in the set {1, . . . , j} such that F k (v k ) ≢ 0 mod p. Hence, F k−1 (v k−1 ) ≡ · · · ≡ F 1 (v 1 ) ≡ 0 mod p and consequently, the values Y h+2 , . . . , Y h+k are not required by the simulator in computing A 2 . The first component d 0 of the private key d v for v is obtained as d 0 = A 1 + A 2 + A 3 . The following computation shows that this is proper. d 0 = A 1 + A 2 + A 3 where Now A = = ±Y h+1 + A 1 + A 2 + A 3 = Y h+1 + βY 1 − α k F k(v k ) = αP 2 + ) (r − αk A F k (v k ) j∑ (J i (v i )P + F i (v i )Y h−i+1 ) + i=1 J i (v i )P + F i (v i )Y h−i+1 = ∑n i l=1 F k (v k ) Y h−k+1 + (A 1 − βY 1 ) + A 2 + A 3 h∑ i=j+1 (b i,0 P + a i,0 Y h−i+1 ) . ∑n i b i,l viP l + a i,l viY l h−i+1 + b i,0 P + a i,0 Y h−i+1 l=1 98
Hence, This shows A = = ∑n i l=1 v l iQ i,l + b i,0 P + a i,0 Y h−i+1 = V i + b i,0 P + a i,0 Y h−i+1 . j∑ V i + i=1 = P 3 + h∑ (b i,0 P + a i,0 Y h−i+1 ) i=1 j∑ V i . i=1 d 0 = αP 2 + r ′ (P 3 + ) j∑ V i where ˜r = r − (α k /F k (v k )). Since r is random, so is ˜r and hence d 0 is properly formed. Also, i=1 d 1 = − 1 F k (v k ) Y k + rP = − αk P + rP = ˜rP F k (v k ) which is as required. To form a valid private key ˜r −→ Q i has to be computed for j < i ≤ h. This is done as follows. ) ˜rQ i,l = (r − αk (b i,l P + a i,l Y h−i+1 ) F k (v k ) = r(b i,l P + a i,l Y h−i+1 ) − 1 F k (v k ) (b i,lY k + a i,l Y h+k−i+1 ) . Thus, we get d v = (d 0 , d 1 , ˜r −→ Q j+1 , . . . , ˜r −→ Q h ) . Challenge: After completion of Phase 1, the adversary outputs two messages M 0 , M 1 ∈ G 2 together with a target identity v ∗ = (v1, ∗ . . . , vu) ∗ on which it wishes to be challenged. The constraint is each vi ∗ ∈ Ii ∗ and hence F i (vi ∗ ) ≡ 0 mod p for 1 ≤ i ≤ u. If u ≤ h, then a j,0 = 0 for u ≤ j ≤ h. The simulator picks a random b ∈ {0, 1} and constructs the challenge ciphertext ( ( u∑ ) ) h∑ M b × T × e(Y 1 , βQ), Q, J i (vi ∗ ) + b i,0 Q . i=1 i=u+1 Suppose, Q = γP for some unknown γ ∈ Z p . <strong>Using</strong> the fact F i (vi ∗ ) ≡ 0 mod p for 1 ≤ i ≤ u and a i,0 = 0 for u + 1 ≤ i ≤ h, we have ( u∑ ) ( h∑ u∑ ) h∑ J i (vi ∗ ) + b i,0 Q = γ (J i (vi ∗ )P + F i (vi ∗ )Y h−i+1 ) + (a i,0 Y h−i+1 + b i,0 P ) i=1 i=u+1 i=1 i=u+1 99
Page 1:
Construction of (Hierarchical) Iden
Page 5:
The scientist does not study nature
Page 9 and 10:
Contents 1 Introduction 1 1.1 Plan
Page 11:
7.4.1 HIBE H 1 . . . . . . . . . .
Page 14 and 15:
the public key. In this setting, an
Page 16 and 17:
adversary in distinguishing two mes
Page 18 and 19:
previous chapter. The second varian
Page 20 and 21:
as it is closer to the known exampl
Page 22 and 23:
Let P i = a i P . An algorithm A ha
Page 24 and 25:
Given the security parameter κ, th
Page 26 and 27:
the Key-Gen algorithm and C is the
Page 28 and 29:
Phase 2: A now issues additional qu
Page 30 and 31:
Chapter 3 Previous Works in Identit
Page 32 and 33:
Decrypt: Decrypt C = 〈U, V 〉 us
Page 34 and 35:
Game 2 Suppose B is given a BDH pro
Page 36 and 37:
Security of BasicHIBE against chose
Page 38 and 39:
BB-HIBE Here individual components
Page 40 and 41:
F i (v ∗ i ) = α i P , so C =
Page 42 and 43:
Key-Gen: Let v = (v 1 , . . . , v n
Page 44 and 45:
Composite HIBE Boneh, Boyen and Goh
Page 46 and 47:
Security Given an identity tuple v
Page 48 and 49:
Chapter 4 Tate Pairing in General C
Page 50 and 51:
order on the elliptic curve E(IF p
Page 52 and 53:
the best result. In [57] the author
Page 54 and 55:
Hence, we require 3[S] + 8[M] for E
Page 56 and 57:
Algorithm 2 (iterated doubling): In
Page 58 and 59:
Level 1 : t 1 = Y 2 1 ; t 4 = Z 2 1
Page 60 and 61: Table 4.1: Cost Comparison. Note 1[
Page 62 and 63: problem. - Our construction resembl
Page 64 and 65: is equal to c 2 |IF a | 3 . Thus, t
Page 66 and 67: aborts if F (v ∗ ) ≠ 0 and outp
Page 68 and 69: DBDH problem over (G 1 , G 2 , e) i
Page 70 and 71: these are respectively 2.4 kb and 2
Page 72 and 73: Signing: Let M = (m 1 , m 2 , . . .
Page 74 and 75: model without random oracles. Addit
Page 76 and 77: 6.2 Construction HIBE-spp The ident
Page 78 and 79: Table 6.1: Comparison of HIBE Proto
Page 80 and 81: For 1 ≤ j ≤ h, we define severa
Page 82 and 83: establish the claim. We provide the
Page 84 and 85: The probability is over the indepen
Page 86 and 87: = ≥ ( ( 1 − Pr 1 − [( q∨ i=
Page 88 and 89: of public parameters is significant
Page 90 and 91: to be I ∗ . It can then ask for t
Page 92 and 93: Phase 2: The adversary issues addit
Page 94 and 95: 7.3 Interpreting Security Models Th
Page 96 and 97: 7.4 Constructions We present severa
Page 98 and 99: 7.4.2 HIBE H 2 The description of H
Page 100 and 101: Since b 0,1 , . . . , b 0,h , b 1 ,
Page 102 and 103: For 1 ≤ i ≤ h, we have V i (y)
Page 104 and 105: 1. The encryption is converted into
Page 106 and 107: Chapter 8 Constant Size Ciphertext
Page 108 and 109: Let a private key for (v 1 , . . .
Page 112 and 113: = γ ( P 3 + ) u∑ V i . i=1 If th
Page 114 and 115: Encrypt: To encrypt a message M ∈
Page 116 and 117: and outputs a random bit if there i
Page 118 and 119: Chapter 9 Augmented Selective-ID Mo
Page 120 and 121: Phase 1 and Phase 2: As discussed i
Page 122 and 123: an adversary has to commit to an id
Page 124 and 125: Table 9.1: Comparison of BBG-HIBE a
Page 126 and 127: where ˜r = (r − αk F k ). Also
Page 128 and 129: The maximum height of the HIBE be h
Page 130 and 131: B declares the public parameters to
Page 132 and 133: So, the challenge ciphertext is ( C
Page 134 and 135: Choose a random r ∗ ∈ Z p and f
Page 136 and 137: The size of the private key in the
Page 138 and 139: generalisation and move on to addre
Page 140 and 141: Table 10.3: Comparison of HIBE prot
Page 142 and 143: [9] Paulo S. L. M. Barreto, Ben Lyn
Page 144 and 145: [31] Sanjit Chatterjee and Palash S
Page 146 and 147: [55] Florian Hess, Nigel P. Smart,
Page 148: [81] Palash Sarkar. Head: Hybrid en
show all

Identity-Based Encryption Protocols Using Bilinear Pairing

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?