Identity-Based Encryption Protocols Using Bilinear Pairing

More documents

Recommendations

Info

Chapter 9 Augmented Selective-ID Model: Case of Constant Size Ciphertext HIBE 9.1 Introduction In this chapter, we augment the selective-ID security model by giving more power to the adversary. Recall that, for a HIBE of maximum height h, in the sID model the adversary commits to an identity tuple v ∗ = (v ∗ 1, . . . , v ∗ j), j ≤ h and in the challenge phase obtains an encryption under v ∗ . In the augmented version, which we call selective + -ID model, the adversary is allowed in the challenge phase to ask for an encryption under v + = (v ∗ 1, . . . , v ∗ j ′), where 1 ≤ j ′ ≤ j. This way we provide additional flexibility to the adversary in choosing the target identity. In the sID model, the adversary is restricted from making private key query for any prefix of v ∗ . Consequently, a “natural” intuition is that the adversary be allowed to choose any prefix of v ∗ as a challenge identity. Unfortunately, the selective-ID model does not allow this flexibility to the adversary. In the s + ID model, this flexibility is introduced and the challenge identity is allowed to be any prefix of v ∗ . Clearly, any protocol secure in the s + ID model is also secure in the sID model, though the converse is not necessarily true. We show that the security reduction for BB-HIBE [17] satisfies this notion of s + ID security. On the other hand, the security proof of the BBG-HIBE does not go through in the s + ID model. A simple modification of this proof gives a proof of security for the BBG-HIBE in the s + -ID model. But this proof yields a multiplicative security degradation by a factor of h, where h is the maximum number of levels in the HIBE. Admittedly, a security degradation by a factor of h is not much. However, the sID and the s + ID models are really restrictive models and one would like to obtain a protocol without any security degradation. We modify the BBG-HIBE to obtain a new constant size ciphertext HIBE, G 1 which is secure in the s + ID model without any security degradation. Identities in the BBG-HIBE are tuples whose components are elements of Z ∗ p, where p is 106
a suitable large prime. It is an easy observation that if these components are allowed to be elements of Z p , then the BBG-HIBE is not secure (we provide the details in Section 9.2.2). In our construction, G 1 , we allow the components of the identity tuples to be elements of Z p . We next modify this construction to obtain a constant size ciphertext HIBE, G 2 which is proved to be secure in model M 2 augmented in the line of s + ID model. Our third construction is a product construction, in the sense that the constructed HIBE can be seen to be a “product” of two individual HIBEs. We have mentioned in Section 3.4 that a product construction combining the BB-HIBE and the BBG-HIBE has been presented in [19]. We consider the product of H 1 of Chapter 7 with G 2 to obtain a new HIBE G 3 . This HIBE is secure in model M 1 and reduces the size of the ciphertext in H 1 by a factor of h, where h is the number of levels in G 2 . The decryption subkey (i.e., the part of the private key required for decryption) for both G 1 and G 2 are equal to that of BBG-HIBE. While in G 3 the size of the decryption subkey is reduced by a factor of h over the size of the decryption subkeys in H 1 . 9.2 From Selective-ID to Selective + -ID Model We modify the challenge phase of the selective-ID model to give more power to the adversary. Challenge: A outputs two equal length messages M 0 , M 1 and an identity v + where v + is either v ∗ or any of its prefixes. In response it receives an encryption of M γ under v + , where γ is chosen uniformly at random from {0, 1}. We refer to this new model as selective + -ID model (s + ID model in short). This model is stronger than the original sID model because now the adversary is allowed to ask for a challenge ciphertext not only on v ∗ but also on any of its prefixes. In case of IBE both the models are same as we have only one level. For HIBE, a protocol secure in the selective + -ID model is obviously secure in the selective-ID model, however the converse may not hold. We now analyse two well known HIBEs in the light of this new model. 9.2.1 Case of Boneh-Boyen HIBE We show that the Boneh-Boyen HIBE discussed in Section 3.2.1 is secure in the s + -ID model. The original reduction as discussed in Section 3.2.1 goes through without almost any modification for the s + -ID model. The only change is in challenge generation. Initialization: A commits to a target identity v ∗ = v1, ∗ . . . , vk ∗ of height k ≤ h. If k < h, B adds extra random elements from Z p to make v ∗ an identity of height h. Setup: B picks random α 1 , . . . , α h ∈ Z p and defines Q j = α j P − vjP ∗ 1 for 1 ≤ j ≤ h. It gives A the public parameters PP = 〈P, P 1 , P 2 , Q 1 , . . . , Q h 〉. Here the msk = aP 2 = abP is unknown to B. Define the function F j (x) = xP 1 + Q j = (x − vj)P ∗ 1 + α j P for 1 ≤ j ≤ h. 107
Page 1:
Construction of (Hierarchical) Iden
Page 5:
The scientist does not study nature
Page 9 and 10:
Contents 1 Introduction 1 1.1 Plan
Page 11:
7.4.1 HIBE H 1 . . . . . . . . . .
Page 14 and 15:
the public key. In this setting, an
Page 16 and 17:
adversary in distinguishing two mes
Page 18 and 19:
previous chapter. The second varian
Page 20 and 21:
as it is closer to the known exampl
Page 22 and 23:
Let P i = a i P . An algorithm A ha
Page 24 and 25:
Given the security parameter κ, th
Page 26 and 27:
the Key-Gen algorithm and C is the
Page 28 and 29:
Phase 2: A now issues additional qu
Page 30 and 31:
Chapter 3 Previous Works in Identit
Page 32 and 33:
Decrypt: Decrypt C = 〈U, V 〉 us
Page 34 and 35:
Game 2 Suppose B is given a BDH pro
Page 36 and 37:
Security of BasicHIBE against chose
Page 38 and 39:
BB-HIBE Here individual components
Page 40 and 41:
F i (v ∗ i ) = α i P , so C =
Page 42 and 43:
Key-Gen: Let v = (v 1 , . . . , v n
Page 44 and 45:
Composite HIBE Boneh, Boyen and Goh
Page 46 and 47:
Security Given an identity tuple v
Page 48 and 49:
Chapter 4 Tate Pairing in General C
Page 50 and 51:
order on the elliptic curve E(IF p
Page 52 and 53:
the best result. In [57] the author
Page 54 and 55:
Hence, we require 3[S] + 8[M] for E
Page 56 and 57:
Algorithm 2 (iterated doubling): In
Page 58 and 59:
Level 1 : t 1 = Y 2 1 ; t 4 = Z 2 1
Page 60 and 61:
Table 4.1: Cost Comparison. Note 1[
Page 62 and 63:
problem. - Our construction resembl
Page 64 and 65:
is equal to c 2 |IF a | 3 . Thus, t
Page 66 and 67:
aborts if F (v ∗ ) ≠ 0 and outp
Page 68 and 69: DBDH problem over (G 1 , G 2 , e) i
Page 70 and 71: these are respectively 2.4 kb and 2
Page 72 and 73: Signing: Let M = (m 1 , m 2 , . . .
Page 74 and 75: model without random oracles. Addit
Page 76 and 77: 6.2 Construction HIBE-spp The ident
Page 78 and 79: Table 6.1: Comparison of HIBE Proto
Page 80 and 81: For 1 ≤ j ≤ h, we define severa
Page 82 and 83: establish the claim. We provide the
Page 84 and 85: The probability is over the indepen
Page 86 and 87: = ≥ ( ( 1 − Pr 1 − [( q∨ i=
Page 88 and 89: of public parameters is significant
Page 90 and 91: to be I ∗ . It can then ask for t
Page 92 and 93: Phase 2: The adversary issues addit
Page 94 and 95: 7.3 Interpreting Security Models Th
Page 96 and 97: 7.4 Constructions We present severa
Page 98 and 99: 7.4.2 HIBE H 2 The description of H
Page 100 and 101: Since b 0,1 , . . . , b 0,h , b 1 ,
Page 102 and 103: For 1 ≤ i ≤ h, we have V i (y)
Page 104 and 105: 1. The encryption is converted into
Page 106 and 107: Chapter 8 Constant Size Ciphertext
Page 108 and 109: Let a private key for (v 1 , . . .
Page 110 and 111: Phase 1: Suppose a key extraction q
Page 112 and 113: = γ ( P 3 + ) u∑ V i . i=1 If th
Page 114 and 115: Encrypt: To encrypt a message M ∈
Page 116 and 117: and outputs a random bit if there i
Page 120 and 121: Phase 1 and Phase 2: As discussed i
Page 122 and 123: an adversary has to commit to an id
Page 124 and 125: Table 9.1: Comparison of BBG-HIBE a
Page 126 and 127: where ˜r = (r − αk F k ). Also
Page 128 and 129: The maximum height of the HIBE be h
Page 130 and 131: B declares the public parameters to
Page 132 and 133: So, the challenge ciphertext is ( C
Page 134 and 135: Choose a random r ∗ ∈ Z p and f
Page 136 and 137: The size of the private key in the
Page 138 and 139: generalisation and move on to addre
Page 140 and 141: Table 10.3: Comparison of HIBE prot
Page 142 and 143: [9] Paulo S. L. M. Barreto, Ben Lyn
Page 144 and 145: [31] Sanjit Chatterjee and Palash S
Page 146 and 147: [55] Florian Hess, Nigel P. Smart,
Page 148: [81] Palash Sarkar. Head: Hybrid en
show all

Identity-Based Encryption Protocols Using Bilinear Pairing

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?