Identity-Based Encryption Protocols Using Bilinear Pairing
$Y_i = \alpha^i P$ for some random $\alpha \in \mathbb{Z}_p^*$ and $T$ is either equal to $e(P, Q)^{\alpha^{h+1}}$ or a random element of $G_2$. We define the s$^+$-ID game between B and A as follows.
Initialization: A outputs an identity tuple $v^* = (v_1^*, \ldots, v_u^*) \in (\mathbb{Z}_p)^u$ for any $u \le h$. The restriction on A is that it cannot ask for the private key of $v^*$ or any of its prefixes and in challenge stage it asks for an encryption under $v^*$ or any of its prefixes. In case $u < h$, B chooses random $v_{u+1}^*, \ldots, v_h^*$ from $\mathbb{Z}_p$ and keeps these extra elements to itself. (Note that B is not augmenting the target identity to create a new target identity.)
Setup:
B picks random $\beta, \beta_1, \ldots, \beta_h$ and $c_1, \ldots, c_h$ in $\mathbb{Z}_p$. It then sets
$P_1 = Y_1 = \alpha P$; $P_2 = Y_h + \beta P = (\alpha^h + \beta)P$; and for $1 \le j \le u$,
$Q_j = \beta_j P - Y_{h-j+1}$; $P_{3,j} = c_j P + v_j^* Y_{h-j+1}$; and for $u < j \le h$,
$Q_j = \beta_j P$; $P_{3,j} = c_j P + v_j^* Y_{h-j+1}$.
B declares the public parameter as $(P, P_1, P_2, \vec{P_3}, \vec{Q})$, where $\vec{Q} = (Q_1, \ldots, Q_h)$, $\vec{P_3} = (P_{3,1}, \ldots, P_{3,h})$. The corresponding master key $\alpha P_2 = Y_{h+1} + \beta Y_1$ is unknown to B. B defines the functions $F_j = v_j^* - v_j$ for $1 \le j \le u$ and $F_j = v_j^*$ for $u < j \le h$ and $J_j = c_j + \beta_j v_j$ for $1 \le j \le h$.
Phase 1: Suppose A asks for the private key corresponding to an identity $v = (v_1, \ldots, v_m)$ for $m \le h$. Note that for any $j \le u$,
$$\begin{aligned}
V_j &= P_{3,j} + v_j Q_j \\
&= c_j P + v_j^* Y_{h-j+1} + v_j(\beta_j P - Y_{h-j+1}) \\
&= (v_j^* - v_j) Y_{h-j+1} + (c_j + \beta_j v_j) P \\
&= F_j Y_{h-j+1} + J_j P.
\end{aligned}$$
Similarly, for $u < j \le h$
$$V_j = P_{3,j} + v_j Q_j = c_j P + v_j^* Y_{h-j+1} + v_j \beta_j P = F_j Y_{h-j+1} + J_j P.$$
Hence, $V_j$ for $1 \le j \le h$ is computable from what is known to B.
Recall that $u$ is the length of $v^*$ that the adversary committed to before the set-up phase. If $m \le u$, then there must be a $k \le \tau$ such that $F_k \ne 0$, as otherwise the queried identity is a prefix of the target identity. In case $m > u$, it is possible that $F_1 = \cdots = F_u = 0$. Then by construction, $F_{u+1} \ne 0$. Let $k$ be the smallest in $\{1, \ldots, m\}$ such that $F_k \ne 0$. B picks a random $r \in \mathbb{Z}_p$ and assigns $d_{0|k} = (-J_k/F_k) Y_k + \beta Y_1 + r V_k$ and $d_1 = (-1/F_k) Y_k + rP$. Now,
$$d_{0|k} = -\frac{J_k}{F_k} Y_k + \beta Y_1 + \alpha^k Y_{h-k+1} - \alpha^k \frac{F_k}{F_k} Y_{h-k+1} + r V_k = \alpha P_2 + \tilde{r} V_k$$
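A numeric check of the simulation algebra above, as an added example that is not part of the original text. It assumes elements of $G_1$ can be modelled by their discrete logarithms to base $P$ (done only so the identities can be tested); `p`, `simulate_key` and the result keys are names chosen here, and $\tilde{r} = r - \alpha^k/F_k$ is the value obtained by expanding the last equation.

```python
import secrets

p = 2**127 - 1   # prime standing in for the group order (constructed)

def rnd():
    return secrets.randbelow(p - 1) + 1   # uniform in Z_p^*

def simulate_key(h, target, query):
    """B's answer to one Phase 1 query. G1 elements are modelled by their
    discrete logs to base P (assumption), so P = 1 and Y_i = alpha^i mod p."""
    u, m = len(target), len(query)
    alpha = rnd()                                        # hidden from B
    Y = {i: pow(alpha, i, p) for i in range(1, h + 1)}   # B's problem instance
    vs = list(target) + [rnd() for _ in range(h - u)]    # B's secret padding of v*
    beta = rnd()
    bj = {j: rnd() for j in range(1, h + 1)}             # beta_1 .. beta_h
    c = {j: rnd() for j in range(1, h + 1)}              # c_1 .. c_h
    # Setup: public parameters are built from Y_1 .. Y_h only
    P2 = (Y[h] + beta) % p
    Q = {j: (bj[j] - Y[h - j + 1]) % p if j <= u else bj[j] for j in bj}
    P3 = {j: (c[j] + vs[j - 1] * Y[h - j + 1]) % p for j in c}
    # F_j and J_j for the queried levels 1 .. m
    F = {j: (vs[j - 1] - query[j - 1]) % p if j <= u else vs[j - 1] % p
         for j in range(1, m + 1)}
    J = {j: (c[j] + bj[j] * query[j - 1]) % p for j in range(1, m + 1)}
    k = next((j for j in range(1, m + 1) if F[j] != 0), None)
    if k is None:
        return None          # query is a prefix of the target: disallowed
    V = (P3[k] + query[k - 1] * Q[k]) % p                # V_k from public values
    r, inv = rnd(), pow(F[k], -1, p)
    d0 = (-J[k] * inv * Y[k] + beta * Y[1] + r * V) % p  # d_{0|k}
    d1 = (-inv * Y[k] + r) % p                           # d_1
    # The checks below use alpha, which only this harness knows, not B
    r_t = (r - pow(alpha, k, p) * inv) % p               # r-tilde
    return {"k": k,
            "V_ok": V == (F[k] * Y[h - k + 1] + J[k]) % p,
            "d0_ok": d0 == (alpha * P2 + r_t * V) % p,
            "d1_ok": d1 == r_t}
```
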