Identity-Based Encryption Protocols Using Bilinear Pairing

More documents

Recommendations

Info

Phase 1 and Phase 2: As discussed in Section 3.4.1. Challenge: After completion of Phase 1, A outputs two messages M 0 , M 1 ∈ G 2 and an identity tuple v + = v1, ∗ . . . , vu, ∗ u ≤ k. B chooses a random bit γ and forms the ciphertext C = 〈M γ · Z, cP, α 1 cP, . . . , α u cP 〉. Note that, F i (vi ∗ ) = α i P , so C = 〈M γ · Z, cP, cF 1 (v ∗ 1), . . . , cF u (v ∗ u)〉. If Z = e(P, P ) abc = e(P 1 , P 2 ) c then C is a valid encryption of M γ . 9.2.2 Case of Boneh-Boyen-Goh HIBE The original BBG-HIBE protocol has been described in Section 3.4.1. The BBG-HIBE is proved to be secure in the selective-ID model (Theorem 3.1 of [19]). We now show that the proof is not sufficient for the augmented s + ID model and how can it be modified to achieve security in the s + ID model. In the original sID model, an adversary declares an identity v ∗ that it intends to attack before the system is set up. Suppose v ∗ = (v1, ∗ . . . , vm) ∗ where m ≤ h. In the reduction given in [19], the following is done. If m < h then the simulator appends (h−m) zeros to v ∗ so that v ∗ is a vector of length h. Note that, in the protocol individual components of an identity are elements of Z ∗ p so the adversary is restricted from making a query where one or more components of the identity is 0. (BB-HIBE does not have this restriction). The reduction in [19] crucially depends on this step. In the protocol, a single element of G 1 (i.e. Q i ) is associated with the ith level of the HIBE and we have another element, namely P 3 which is required for the security reduction. The simulator B is given as input a random tuple (P, Q, Y 1 , . . . , Y h , T ) where Y i = α i P s for 1 ≤ i ≤ h for some unknown α. The task of B is to decide whether T = e(P, Q) αh+1 or T is a random element of G 2 . We now reproduce the relevant steps of the reduction in Theorem 3.1 in [19]. Setup: B picks a random γ ∈ Z p and sets P 1 = Y 1 = αP and P 2 = Y h + γP . Next, B picks random γ 1 , . . . , γ h ∈ Z p and sets Q j = γ j P − Y h−j+1 for j = 1, . . . , h. B also picks a random δ ∈ Z p and sets P 3 = δP + ∑ h j=1 v∗ jY h−j+1 . B gives A the public parameters 〈P, P 1 , P 2 , P 3 , Q 1 , . . . , Q h 〉. Note that, the effect of v ∗ = (v1, ∗ . . . , vm) ∗ is assimilated in P 3 . In case, m (the depth of the challenge identity tuple v ∗ ) is less than h, we have vm+1 ∗ = · · · = vh ∗ = 0, so v∗ jY h−j+1 for m < j ≤ h has no effect on P 3 . The Q j s in the public parameter are independent of the target identity and depends only on the Y h−j+1 s after suitable randomization. In contrast, in case of the BB-HIBE, each Q j depends on vj ∗ i.e., the component corresponding to level j in target identity v ∗ and we have no term like P 3 . Given this setup, Boneh, Boyen and Goh show that all the private key queries of A can be answered (see Phase 1 in the proof of Theorem 3.1 in [19] for details). 108
Now, suppose in the challenge phase A asks the encryption under v + which is a prefix of v ∗ , i.e., v + = v1, ∗ . . . , vµ, ∗ µ ≤ m. If µ = m, then the original reduction goes through and we get a proper encryption of M b provided the input instance is a true h-wDBDHI ∗ instance. However, if µ < h, then the original reduction in [19] does not give a proper encryption of M b even if the input is a true h-wDBDHI ∗ instance as we show below. Let Q = cP for some unknown c ∈ Z p , then third component of the challenge ciphertext is ( ) h∑ C = δ + vjγ ∗ j Q j=1 ( h∑ ) h∑ = c vj(γ ∗ j P − Y h−j+1 ) + δP + vjY ∗ h−j+1 j=1 j=1 = c(v1Q ∗ 1 + . . . , vmQ ∗ m + P 3 ) since vm+1 ∗ = · · · = vh ∗ = 0 However, this corresponds to an encryption under v ∗ not v + . To get a valid encryption under v + = v ∗ 1, . . . , v ∗ µ, the third component of the ciphertext should be of the form C ′ = c(v1Q ∗ 1 + · · · + vµQ ∗ µ + P 3 ) ( µ∑ ) h∑ = c vj(γ ∗ j P − Y h−j+1 ) + δP + vjY ∗ h−j+1 j=1 j=1 ( µ∑ ) m∑ = c vjγ ∗ j P + δP + vjY ∗ h−j+1 j=1 j=µ+1 ( ) µ∑ m∑ = δ + vjγ ∗ j Q + c vjY ∗ h−j+1 j=1 j=µ+1 This C ′ cannot be computed by B without the knowledge of c. So we see that the BB-HIBE satisfies the security requirement of s + -ID model but the BBG-HIBE does not. This difference is due to the fact that the simulator in the BBG- HIBE assimilates the effect of the challenge identity tuple in a single element in the public parameter (i.e., P 3 ) where as in case of BB-HIBE the public parameter corresponding to each level depends on the corresponding component in the target. So the reduction in [19] provides a proof of security against an adversary in the sID model. However, in the modified s + -ID model the adversary is free to choose the length of the target identity to be any value between 1 and m. Because of the construction of P 3 in the reduction of [19], B cannot form a proper challenge unless µ = m. Another difference in the BB-HIBE and the BBG-HIBE is that in the former, components of identities are elements of Z p , whereas in the later the identity components are elements of Z ∗ p. It is an easy observation that if zero is allowed to be an identity component, then the BBG-HIBE is not secure. A sketch of the argument is as follows. In the sID game, 109
Page 1:
Construction of (Hierarchical) Iden
Page 5:
The scientist does not study nature
Page 9 and 10:
Contents 1 Introduction 1 1.1 Plan
Page 11:
7.4.1 HIBE H 1 . . . . . . . . . .
Page 14 and 15:
the public key. In this setting, an
Page 16 and 17:
adversary in distinguishing two mes
Page 18 and 19:
previous chapter. The second varian
Page 20 and 21:
as it is closer to the known exampl
Page 22 and 23:
Let P i = a i P . An algorithm A ha
Page 24 and 25:
Given the security parameter κ, th
Page 26 and 27:
the Key-Gen algorithm and C is the
Page 28 and 29:
Phase 2: A now issues additional qu
Page 30 and 31:
Chapter 3 Previous Works in Identit
Page 32 and 33:
Decrypt: Decrypt C = 〈U, V 〉 us
Page 34 and 35:
Game 2 Suppose B is given a BDH pro
Page 36 and 37:
Security of BasicHIBE against chose
Page 38 and 39:
BB-HIBE Here individual components
Page 40 and 41:
F i (v ∗ i ) = α i P , so C =
Page 42 and 43:
Key-Gen: Let v = (v 1 , . . . , v n
Page 44 and 45:
Composite HIBE Boneh, Boyen and Goh
Page 46 and 47:
Security Given an identity tuple v
Page 48 and 49:
Chapter 4 Tate Pairing in General C
Page 50 and 51:
order on the elliptic curve E(IF p
Page 52 and 53:
the best result. In [57] the author
Page 54 and 55:
Hence, we require 3[S] + 8[M] for E
Page 56 and 57:
Algorithm 2 (iterated doubling): In
Page 58 and 59:
Level 1 : t 1 = Y 2 1 ; t 4 = Z 2 1
Page 60 and 61:
Table 4.1: Cost Comparison. Note 1[
Page 62 and 63:
problem. - Our construction resembl
Page 64 and 65:
is equal to c 2 |IF a | 3 . Thus, t
Page 66 and 67:
aborts if F (v ∗ ) ≠ 0 and outp
Page 68 and 69:
DBDH problem over (G 1 , G 2 , e) i
Page 70 and 71: these are respectively 2.4 kb and 2
Page 72 and 73: Signing: Let M = (m 1 , m 2 , . . .
Page 74 and 75: model without random oracles. Addit
Page 76 and 77: 6.2 Construction HIBE-spp The ident
Page 78 and 79: Table 6.1: Comparison of HIBE Proto
Page 80 and 81: For 1 ≤ j ≤ h, we define severa
Page 82 and 83: establish the claim. We provide the
Page 84 and 85: The probability is over the indepen
Page 86 and 87: = ≥ ( ( 1 − Pr 1 − [( q∨ i=
Page 88 and 89: of public parameters is significant
Page 90 and 91: to be I ∗ . It can then ask for t
Page 92 and 93: Phase 2: The adversary issues addit
Page 94 and 95: 7.3 Interpreting Security Models Th
Page 96 and 97: 7.4 Constructions We present severa
Page 98 and 99: 7.4.2 HIBE H 2 The description of H
Page 100 and 101: Since b 0,1 , . . . , b 0,h , b 1 ,
Page 102 and 103: For 1 ≤ i ≤ h, we have V i (y)
Page 104 and 105: 1. The encryption is converted into
Page 106 and 107: Chapter 8 Constant Size Ciphertext
Page 108 and 109: Let a private key for (v 1 , . . .
Page 110 and 111: Phase 1: Suppose a key extraction q
Page 112 and 113: = γ ( P 3 + ) u∑ V i . i=1 If th
Page 114 and 115: Encrypt: To encrypt a message M ∈
Page 116 and 117: and outputs a random bit if there i
Page 118 and 119: Chapter 9 Augmented Selective-ID Mo
Page 122 and 123: an adversary has to commit to an id
Page 124 and 125: Table 9.1: Comparison of BBG-HIBE a
Page 126 and 127: where ˜r = (r − αk F k ). Also
Page 128 and 129: The maximum height of the HIBE be h
Page 130 and 131: B declares the public parameters to
Page 132 and 133: So, the challenge ciphertext is ( C
Page 134 and 135: Choose a random r ∗ ∈ Z p and f
Page 136 and 137: The size of the private key in the
Page 138 and 139: generalisation and move on to addre
Page 140 and 141: Table 10.3: Comparison of HIBE prot
Page 142 and 143: [9] Paulo S. L. M. Barreto, Ben Lyn
Page 144 and 145: [31] Sanjit Chatterjee and Palash S
Page 146 and 147: [55] Florian Hess, Nigel P. Smart,
Page 148: [81] Palash Sarkar. Head: Hybrid en
show all

Identity-Based Encryption Protocols Using Bilinear Pairing

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?