Identity-Based Encryption Protocols Using Bilinear Pairing
Identity-Based Encryption Protocols Using Bilinear Pairing
Identity-Based Encryption Protocols Using Bilinear Pairing
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
Table 9.1: Comparison of BBG-HIBE and G 1 .<br />
Protocol/ id PP max pvt dec. subkey/ enc. eff. dec. eff. security<br />
Sec. Model comp size key size CT expansion degradation<br />
G 1 in s + ID Z p 3 + 2h 2h 2 h + 2 2 none<br />
BBG in s + ID Z ∗ p 4 + h h + 1 2 h + 2 2 h<br />
BBG in sID Z ∗ p 4 + h h + 1 2 h + 2 2 none<br />
The columns PP size, max pvt key size, dec. subkey/CT expansion stand for the number of elements<br />
of G 1 in public parameter, private key, decryption subkey and ciphertext expansion respectively. The<br />
column enc. eff stands for the number of scalar multiplications in G 1 during encryption while the<br />
column dec. eff denotes the number of pairing computations during decryption. All values are for<br />
a HIBE of maximum height h.<br />
Comparison to BBG protocol<br />
The protocol G 1 is a modification of the BBG-HIBE with a different P 3,i for each level of the<br />
HIBE. This is required to get a proof of security in the augmented s + -ID model without any<br />
security degradation. This reduction is provided in the next section. Additionally, it allows<br />
identity components to be elements of Z p , instead of Z ∗ p as in BBG-HIBE. On the other<br />
hand, this modification only affects the efficiency of the BBG-HIBE in a small way. The first<br />
thing to note is the size of the ciphertext is still constant (three elements). Secondly, the<br />
size of the public parameter as well as private key is linear in the length of the HIBE and<br />
private key size decreases as we “go down” the HIBE. These two properties ensure that the<br />
applications mentioned in [19] also hold for the new HIBE described above. In particular, it<br />
is possible to combine the new HIBE with the BB-HIBE of [17] to get an intermediate HIBE<br />
with controllable trade-off between the size of the ciphertext and the size of the private key.<br />
Further, the application to the construction of forward secure encryption protocol mentioned<br />
in [19] can also be done with the new HIBE.<br />
9.3.2 Security<br />
Semantic security (i.e., (CPA-security) of the above scheme in the s + -ID model is proved<br />
under the h-wDBDHI ∗ assumption.<br />
Theorem 9.3.1. Let (t ′ , ɛ, h)-wDBDHI ∗ assumption holds in 〈G 1 , G 2 , e()〉. Then the HIBE<br />
G 1 is (t, q, ɛ)-IND-sID-CPA secure for q ≥ 1, t ′ ≈ t + O(τq) where τ is the time for a scalar<br />
multiplication in G 1 .<br />
Proof : Suppose A is a (t, q, ɛ)-CPA adversary for the G 1 , then we construct an algorithm<br />
B that solves the h-wDBDHI ∗ problem. B takes as input a tuple 〈P, Q, Y 1 , . . . , Y h , T 〉 where<br />
112