Identity-Based Encryption Protocols Using Bilinear Pairing
Identity-Based Encryption Protocols Using Bilinear Pairing
Identity-Based Encryption Protocols Using Bilinear Pairing
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
ɛ ≤ 2ɛ ′ /λ;<br />
t ′ = t + O(uq) + O(ɛ −2 ln(ɛ −1 )λ −1 ln(λ −1 )); and<br />
λ = 1/(2(4lq2 n/l ) h ).<br />
We assume 2q > 2 n/l .<br />
Proof : Suppose A is a (t, q)-CPA adversary for the h-HIBE, then we construct an algorithm<br />
B that solves the h-wDBDHI ∗ problem. B takes as input a tuple 〈P, Q, Y 1 , . . . , Y h , T 〉 where<br />
Y i = α i P for some random α ∈ Z ∗ p and T is either equal to e(P, Q) αh+1 or is a random<br />
element of G 2 . We define the following game between B and A.<br />
Setup: B chooses random u 1 , . . . , u h ∈ Z m and l-length vectors −→ x 1 , . . . , −→ x h with entries<br />
from Z m . Here m = 2 max(2q, 2 n/l ) = 4q. Similarly, it chooses random v 1 , . . . , v h ∈ Z p and<br />
l-length vectors −→ y 1 , . . . , −→ y h from Z p . It further chooses k j for 1 ≤ j ≤ h randomly from<br />
{0, . . . , µ l }, where µ l = l(N 1/l − 1)}. Let, v j = (v j,1 , . . . , v j,l ). For 1 ≤ j ≤ h, it then defines<br />
the functions:<br />
F j (v j ) = p + mk j − u j −<br />
J j (v j ) = v j +<br />
K j (v j ) =<br />
l∑<br />
y j,i v j,i<br />
i=1<br />
l∑<br />
x j,i v j,i<br />
i=1<br />
{<br />
0 if uj + ∑ l<br />
i=1 x j,iv j,i ≡ 0 mod m<br />
1 otherwise<br />
These functions are used to control the abort strategy by the simulator.<br />
Next, B assigns P 1 = Y 1 , P 2 = Y h + yP , P 3,j = (p + mk j − u j )Y h−j+1 + v j P for 1 ≤ j ≤ h<br />
and U j,i = −x j,i Y h−j+1 + y j,i P for 1 ≤ j ≤ h and 1 ≤ i ≤ l. It provides A the public<br />
parameters 〈P, P 1 , P 2 , −→ P 3 , −→ U 1 , . . . , −→ U h 〉. Everything else is internal to B. Note that from<br />
A’s point of view the distribution of the public parameters is identical to the distribution of<br />
the public parameters in an actual setup. The master secret αP 2 is unknown to B.<br />
<strong>Using</strong> the definition of the public parameters it is possible to show that<br />
V j = P 3,j +<br />
l∑<br />
v j,i U j,i = F j (v j )Y h−j+1 + J j (v j )P.<br />
i=1<br />
As in the proof of Theorem 8.2.1., this fact is crucial to the answering key-extraction queries<br />
and challenge generation.<br />
Phase 1: Suppose A asks for the private key corresponding to an identity v = (v 1 , . . . , v u ),<br />
for u ≤ h. B first checks whether there exists a j ∈ {1, . . . , u} such that K(v j ) ≠ 0. It aborts<br />
103