Identity-Based Encryption Protocols Using Bilinear Pairing
Phase 1 and Phase 2: As discussed in Section 3.4.1.
Challenge: After completion of Phase 1, A outputs two messages $M_0, M_1 \in G_2$ and an identity tuple $v^+ = v_1^*, \ldots, v_u^*$, $u \le k$. B chooses a random bit $\gamma$ and forms the ciphertext $C = \langle M_\gamma \cdot Z, cP, \alpha_1 cP, \ldots, \alpha_u cP \rangle$. Note that $F_i(v_i^*) = \alpha_i P$, so $C = \langle M_\gamma \cdot Z, cP, cF_1(v_1^*), \ldots, cF_u(v_u^*) \rangle$.
If $Z = e(P, P)^{abc} = e(P_1, P_2)^c$ then $C$ is a valid encryption of $M_\gamma$.
9.2.2 Case of Boneh-Boyen-Goh HIBE
The original BBG-HIBE protocol has been described in Section 3.4.1.
The BBG-HIBE is proved to be secure in the selective-ID model (Theorem 3.1 of [19]). We now show that this proof is not sufficient for the augmented s$^+$ID model and how it can be modified to achieve security in the s$^+$ID model.
In the original sID model, an adversary declares an identity $v^*$ that it intends to attack before the system is set up. Suppose $v^* = (v_1^*, \ldots, v_m^*)$ where $m \le h$. In the reduction given in [19], the following is done. If $m < h$ then the simulator appends $(h - m)$ zeros to $v^*$ so that $v^*$ is a vector of length $h$. Note that in the protocol the individual components of an identity are elements of $\mathbb{Z}_p^*$, so the adversary is restricted from making a query where one or more components of the identity are 0. (BB-HIBE does not have this restriction.) The reduction in [19] crucially depends on this step.
In the protocol, a single element of $G_1$ (i.e., $Q_i$) is associated with the $i$th level of the HIBE and we have another element, namely $P_3$, which is required for the security reduction. The simulator B is given as input a random tuple $(P, Q, Y_1, \ldots, Y_h, T)$ where $Y_i = \alpha^i P$ for $1 \le i \le h$ for some unknown $\alpha$. The task of B is to decide whether $T = e(P, Q)^{\alpha^{h+1}}$ or $T$ is a random element of $G_2$.
We now reproduce the relevant steps of the reduction in Theorem 3.1 in [19].
Setup: B picks a random $\gamma \in \mathbb{Z}_p$ and sets $P_1 = Y_1 = \alpha P$ and $P_2 = Y_h + \gamma P$. Next, B picks random $\gamma_1, \ldots, \gamma_h \in \mathbb{Z}_p$ and sets $Q_j = \gamma_j P - Y_{h-j+1}$ for $j = 1, \ldots, h$. B also picks a random $\delta \in \mathbb{Z}_p$ and sets $P_3 = \delta P + \sum_{j=1}^{h} v_j^* Y_{h-j+1}$. B gives A the public parameters $\langle P, P_1, P_2, P_3, Q_1, \ldots, Q_h \rangle$.
Note that the effect of $v^* = (v_1^*, \ldots, v_m^*)$ is assimilated in $P_3$. In case $m$ (the depth of the challenge identity tuple $v^*$) is less than $h$, we have $v_{m+1}^* = \cdots = v_h^* = 0$, so $v_j^* Y_{h-j+1}$ for $m < j \le h$ has no effect on $P_3$. The $Q_j$s in the public parameters are independent of the target identity and depend only on the $Y_{h-j+1}$s after suitable randomization. In contrast, in the case of the BB-HIBE, each $Q_j$ depends on $v_j^*$, i.e., the component corresponding to level $j$ in the target identity $v^*$, and we have no term like $P_3$.
Given this setup, Boneh, Boyen and Goh show that all the private key queries of A can be answered (see Phase 1 in the proof of Theorem 3.1 in [19] for details).