Identity-Based Encryption Protocols Using Bilinear Pairing

More documents

Recommendations

Info

where ˜r = (r − αk F k ). Also d 1 = − 1 F k Y k +rP = − αk F k P +rP = ˜rP . For any j ∈ {1, . . . , m}\{k} we have ˜rV j = (r − αk F k )(F j Y h−j+1 + J j P ) = r(F j Y h−j+1 + J j P ) − 1 F k (F j Y h+k−j+1 + J j Y k ). For j < k, F j = 0, so B can compute all these ˜rV j s from what it has. It forms d 0 = d 0|k + ∑ j∈{1,...,m}\{k} ˜rV j = αP 2 + ˜r m∑ V j . To form a valid private key B also needs to compute ˜rP 3,j and ˜rQ j for m < j ≤ h. Now, ) ˜rP 3,j = (r − αk (c j P + v F jY ∗ h−j+1 ) k j=1 = r(c j P + v ∗ jY h−j+1 ) − 1 F k ( cj Y k + v ∗ jY h+k−j+1 ) ; For j ≤ u, ) ˜rQ j = (r − αk (β j P − Y h−j+1 ) = r(β j P − Y h−j+1 ) − 1 (β j Y k − Y h+k−j+1 ) F k F k and for u < j ≤ h, ) ˜rQ j = (r − αk β j P = rβ j P − 1 β j Y k . F k F k All these values are computable from what is known to B. Hence, B forms the private key as: d v = (d 0 , d 1 , ˜rP 3,m+1 , . . . , ˜rP 3,h , ˜rQ m+1 , . . . , ˜rQ h ) and provides it to A. Challenge: After completion of Phase 1, A outputs two messages M 0 , M 1 ∈ G 2 on which it wishes to be challenged and v + = v1, ∗ . . . , vu ∗ where ′ u′ ≤ u ≤ h. B picks a random b ∈ {0, 1} and provides A the challenge ciphertext ( ( u ′ ) ) ∑ CT = M b × T × e(Y 1 , βQ), Q, (c j + β j vj) ∗ × Q . Suppose, Q = γP for some unknown γ ∈ Z p . Then ( u ′ ) ( ∑ u ′ ) ∑ c j + β j vj ∗ × Q = γ c j + β j vj ∗ P j=1 j=1 114 j=1
∑u ′ ( = γ cj P + vjY ∗ h−j+1 + vj(β ∗ j P − Y h−j+1 ) ) j=1 ∑u ′ ( ) = γ P3,j + vjQ ∗ j = γ j=1 ( u ′ ) ∑ V j . j=1 If the input provided to B is a true h-wDBDHI ∗ tuple, i.e., T = e(P, Q) (αh+1) , then T × e(Y 1 , βQ) = e(P, Q) (αh+1) × e(Y 1 , βQ) = e(Y h + βP, Q) α = e(P 1 , P 2 ) γ . So, the challenge ciphertext is ( CT = M b × e(P 1 , P 2 ) γ , γP, γ ( u ′ )) ∑ V j . CT is a valid encryption of M b under v + = (v1, ∗ . . . , vu ∗ ′). On the other hand, when T is random, CT is random from the view point of A. j=1 Phase 2: 2 together. This is similar to Phase 1. Note that A places at most q queries in Phase 1 and Guess: Finally, A outputs its guess b ′ ∈ {0, 1}. B outputs 1 ⊕ b ⊕ b ′ . A’s view in the above simulation is identical to that in a real attack. This gives us the required bound on the advantage of the adversary in breaking the HIBE protocol. 9.4 Augmenting to M + 2 Like the augmentation of the selective-ID model to selective + -ID model, we can augment M 2 proposed in Chapter 7 in an obvious way to M + 2 . Suppose the adversary of an h-HIBE has committed to a set of target identities, I ∗ 1, . . . , I ∗ u where u ≤ h. Then in the challenge phase it outputs a target identity v ∗ 1, . . . , v ∗ u ′ where 1 ≤ u′ ≤ u and each v ∗ j ∈ I ∗ j . The HIBE H 2 proposed in Chapter 7 is also secure in M + 2 . ccHIBE of Chapter 8 secure in M 2 can be proved to be secure in M + 2 with a multiplicative security degradation of h. Here, we show how G 1 can be augmented to M + 2 . 9.4.1 Construction We augment G 1 to obtain security in model M + 2 and call this new protocol (h, n 1 , . . . , n h )-G 2 or simply G 2 . 115
Page 1:
Construction of (Hierarchical) Iden
Page 5:
The scientist does not study nature
Page 9 and 10:
Contents 1 Introduction 1 1.1 Plan
Page 11:
7.4.1 HIBE H 1 . . . . . . . . . .
Page 14 and 15:
the public key. In this setting, an
Page 16 and 17:
adversary in distinguishing two mes
Page 18 and 19:
previous chapter. The second varian
Page 20 and 21:
as it is closer to the known exampl
Page 22 and 23:
Let P i = a i P . An algorithm A ha
Page 24 and 25:
Given the security parameter κ, th
Page 26 and 27:
the Key-Gen algorithm and C is the
Page 28 and 29:
Phase 2: A now issues additional qu
Page 30 and 31:
Chapter 3 Previous Works in Identit
Page 32 and 33:
Decrypt: Decrypt C = 〈U, V 〉 us
Page 34 and 35:
Game 2 Suppose B is given a BDH pro
Page 36 and 37:
Security of BasicHIBE against chose
Page 38 and 39:
BB-HIBE Here individual components
Page 40 and 41:
F i (v ∗ i ) = α i P , so C =
Page 42 and 43:
Key-Gen: Let v = (v 1 , . . . , v n
Page 44 and 45:
Composite HIBE Boneh, Boyen and Goh
Page 46 and 47:
Security Given an identity tuple v
Page 48 and 49:
Chapter 4 Tate Pairing in General C
Page 50 and 51:
order on the elliptic curve E(IF p
Page 52 and 53:
the best result. In [57] the author
Page 54 and 55:
Hence, we require 3[S] + 8[M] for E
Page 56 and 57:
Algorithm 2 (iterated doubling): In
Page 58 and 59:
Level 1 : t 1 = Y 2 1 ; t 4 = Z 2 1
Page 60 and 61:
Table 4.1: Cost Comparison. Note 1[
Page 62 and 63:
problem. - Our construction resembl
Page 64 and 65:
is equal to c 2 |IF a | 3 . Thus, t
Page 66 and 67:
aborts if F (v ∗ ) ≠ 0 and outp
Page 68 and 69:
DBDH problem over (G 1 , G 2 , e) i
Page 70 and 71:
these are respectively 2.4 kb and 2
Page 72 and 73:
Signing: Let M = (m 1 , m 2 , . . .
Page 74 and 75:
model without random oracles. Addit
Page 76 and 77: 6.2 Construction HIBE-spp The ident
Page 78 and 79: Table 6.1: Comparison of HIBE Proto
Page 80 and 81: For 1 ≤ j ≤ h, we define severa
Page 82 and 83: establish the claim. We provide the
Page 84 and 85: The probability is over the indepen
Page 86 and 87: = ≥ ( ( 1 − Pr 1 − [( q∨ i=
Page 88 and 89: of public parameters is significant
Page 90 and 91: to be I ∗ . It can then ask for t
Page 92 and 93: Phase 2: The adversary issues addit
Page 94 and 95: 7.3 Interpreting Security Models Th
Page 96 and 97: 7.4 Constructions We present severa
Page 98 and 99: 7.4.2 HIBE H 2 The description of H
Page 100 and 101: Since b 0,1 , . . . , b 0,h , b 1 ,
Page 102 and 103: For 1 ≤ i ≤ h, we have V i (y)
Page 104 and 105: 1. The encryption is converted into
Page 106 and 107: Chapter 8 Constant Size Ciphertext
Page 108 and 109: Let a private key for (v 1 , . . .
Page 110 and 111: Phase 1: Suppose a key extraction q
Page 112 and 113: = γ ( P 3 + ) u∑ V i . i=1 If th
Page 114 and 115: Encrypt: To encrypt a message M ∈
Page 116 and 117: and outputs a random bit if there i
Page 118 and 119: Chapter 9 Augmented Selective-ID Mo
Page 120 and 121: Phase 1 and Phase 2: As discussed i
Page 122 and 123: an adversary has to commit to an id
Page 124 and 125: Table 9.1: Comparison of BBG-HIBE a
Page 128 and 129: The maximum height of the HIBE be h
Page 130 and 131: B declares the public parameters to
Page 132 and 133: So, the challenge ciphertext is ( C
Page 134 and 135: Choose a random r ∗ ∈ Z p and f
Page 136 and 137: The size of the private key in the
Page 138 and 139: generalisation and move on to addre
Page 140 and 141: Table 10.3: Comparison of HIBE prot
Page 142 and 143: [9] Paulo S. L. M. Barreto, Ben Lyn
Page 144 and 145: [31] Sanjit Chatterjee and Palash S
Page 146 and 147: [55] Florian Hess, Nigel P. Smart,
Page 148: [81] Palash Sarkar. Head: Hybrid en
show all

Identity-Based Encryption Protocols Using Bilinear Pairing

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?