Identity-Based Encryption Protocols Using Bilinear Pairing
Identity-Based Encryption Protocols Using Bilinear Pairing
Identity-Based Encryption Protocols Using Bilinear Pairing
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
Encrypt: To encrypt a message M ∈ G 2 under the public key v = (v 1 , . . . , v k ) choose a<br />
random s ∈ Z p and then the cipher text is<br />
C =<br />
(<br />
e(P 1 , P 2 ) s × M, sP, s<br />
where V j is as defined in Key Generation part.<br />
)<br />
k∑<br />
V j<br />
Decrypt: Let (A, B, C) be a ciphertext and v = (v 1 , . . . , v k ) be the corresponding identity.<br />
Then we decrypt using d v = (d 0 , d 1 , . . .) as<br />
A × e(d 1, C)<br />
e(B, d 0 ) = M.<br />
Note that, only the first two components of the private key are required for the decryption.<br />
j=1<br />
8.3.2 Security Reduction<br />
Security of the FullccHIBE scheme described above can be reduced from the hardness of the<br />
h-wDBDHI ∗ problem. The reduction combines ideas from the proof in Section 8.2.2 with<br />
ideas from the proofs in Chapter 5. In particular, the general idea of tackling adaptive<br />
adversaries including an “artificial abort” stage is from Waters [89], the modification for the<br />
case of 1 < l ≤ n is from Chapter 5 whereas the idea of the simulation of the key-extraction<br />
queries is from the proof in Section 8.2.2 and is based on algebraic techniques originally used<br />
by Boneh and Boyen [17]. To explain this idea further, the simulator in the proof will abort<br />
on certain queries made by the adversary and also on certain challenge identities. The idea<br />
of controlling this abort strategy is based on the technique from [89]. On the other hand, if<br />
on a certain query, the simulator does not abort, then the technique for the actual simulation<br />
of the key-extraction oracle is very similar to the technique in Section 8.2.2.<br />
The challenge generation is a bit different due to the fact that in FullccHIBE level j of<br />
the HIBE has a parameter P 3,j , whereas in ccHIBE, there is one parameter P 3 for all levels of<br />
the HIBE. In case of BBG-HIBE or its augmented version ccHIBE, the height of the target<br />
identity is fixed in the commitment stage itself. <strong>Based</strong> on this information the simulator sets<br />
up the HIBE and the effect of the committed identity tuple for BBG-HIBE or the sets of<br />
committed identities in ccHIBE is assimilated in P 3 . In case of FullccHIBE there is no prior<br />
commitment stage in the reduction and the number of levels in the target identity may vary<br />
between 1 and h. This is the intuitive reason of why we need different P 3,i for each level of<br />
the HIBE.<br />
Theorem 8.3.1. The FullccHIBE protocol is (ɛ, t, q)-IND-ID-CPA secure assuming that the<br />
(t ′ , ɛ ′ , h)-wDBDHI ∗ assumption holds, where<br />
102