Identity-Based Encryption Protocols Using Bilinear Pairing
Identity-Based Encryption Protocols Using Bilinear Pairing
Identity-Based Encryption Protocols Using Bilinear Pairing
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
Phase 1: Suppose a key extraction query is made on v = (v 1 , . . . , v j ) for j ≤ h. (Note that<br />
j may be less than, equal to, or greater than u.)<br />
If j ≤ u, then there must be a k ≤ j such that F k (v k ) ≢ 0 mod p, as otherwise v i ∈ Ii<br />
∗<br />
for each i ∈ {1, . . . , j} – which is not allowed by the rules of M 2 . In case j > u, it is<br />
possible that F 1 (v 1 ) = · · · = F u (v u ) = 0. Then, since v u+1 ∈ Z ∗ p and F u+1 (x) = x, we have<br />
F u+1 (v u+1 ) ≢ 0 mod p.<br />
Thus, in all cases, there is a k such that F k (v k ) ≢ 0 mod p. We choose k to be the first<br />
such value in the range {1, . . . , j} and so for i < k, we have F i (v i ) ≡ 0 mod p. We next show<br />
that it is possible to construct a valid private key for v from what is known to the adversary.<br />
Recall that Y i = α i P and hence Y i1 +i 2<br />
= α i 1<br />
Y i2 . Choose a random r in Z p and define<br />
( j∑<br />
) ( j∑<br />
)<br />
A 1 = βY 1 − 1 J i (v i )Y k + r (F i (v i )Y h−i+1 + J i (v i )P ) ;<br />
F k (v k )<br />
i=1<br />
i=1<br />
A 2 = − 1 ∑<br />
F i (v i )Y h+k−i+1 ;<br />
F k (v k )<br />
A 3 =<br />
i=j+1<br />
i∈{1,...,j}\{k}<br />
h∑<br />
(<br />
r(b i,0 P + a i,0 Y h−i+1 ) − 1<br />
)<br />
F k (v k ) (b i,0Y k + a i,0 Y h+k−i+1 ) .<br />
It is possible to compute A 1 , A 2 and A 3 from what is known to the simulator. First note<br />
that F k (v k ) ≢ 0 mod p and hence 1/F k (v k ) is well defined. The values F i (v i ), J i (v i ) and<br />
P, Y 1 , . . . , Y h are known to the simulator. Hence, A 1 and A 3 can be computed directly.<br />
In A 2 , the values Y h+2 , . . . , Y h+k are involved. However, the corresponding coefficients are<br />
F k−1 (v k−1 ), . . . , F 1 (v 1 ). By definition, k is the first integer in the set {1, . . . , j} such that<br />
F k (v k ) ≢ 0 mod p. Hence, F k−1 (v k−1 ) ≡ · · · ≡ F 1 (v 1 ) ≡ 0 mod p and consequently, the<br />
values Y h+2 , . . . , Y h+k are not required by the simulator in computing A 2 .<br />
The first component d 0 of the private key d v for v is obtained as d 0 = A 1 + A 2 + A 3 . The<br />
following computation shows that this is proper.<br />
d 0 = A 1 + A 2 + A 3<br />
where<br />
Now<br />
A =<br />
= ±Y h+1 + A 1 + A 2 + A 3<br />
= Y h+1 + βY 1 − α k F k(v k )<br />
= αP 2 +<br />
)<br />
(r − αk<br />
A<br />
F k (v k )<br />
j∑<br />
(J i (v i )P + F i (v i )Y h−i+1 ) +<br />
i=1<br />
J i (v i )P + F i (v i )Y h−i+1 =<br />
∑n i<br />
l=1<br />
F k (v k ) Y h−k+1 + (A 1 − βY 1 ) + A 2 + A 3<br />
h∑<br />
i=j+1<br />
(b i,0 P + a i,0 Y h−i+1 ) .<br />
∑n i<br />
b i,l viP l + a i,l viY l h−i+1 + b i,0 P + a i,0 Y h−i+1<br />
l=1<br />
98