Identity-Based Encryption Protocols Using Bilinear Pairing

More documents

Recommendations

Info

The maximum height of the HIBE be h. The identities at a depth u ≤ h are of the form v = (v 1 , . . . , v u ) ∈ (Z p ) u . Messages are elements of G 2 . Setup: Let 〈P 〉 = G 1 . Choose a random α ∈ Z p and set P 1 = αP . Choose a random element P 2 ∈ G 1 and a random h length vector −→ P 3 = (P 3,1 , . . . , P 3,h ), where each P 3,i ∈ G 1 . Also choose random vectors −→ Q 1 , . . . , −→ Q h where each −→ Q i consists of n i elements of G 1 . Set the public parameter as PP = (P, P 1 , P 2 , −→ P 3 , −→ Q 1 , . . . , −→ Q h ) while the master key is P 4 = αP 2 . Instead of P 1 , P 2 , e(P 1 , P 2 ) can also be kept as part of PP. This avoids the pairing computation during encryption. Note that, while the original BBG scheme and ccHIBE of Chapter 8 had a single element P 3 in the public parameter, we have a vector −→ P 3 of length h. Key-Gen: Let, V (i, y) = y n i Q i,ni + · · · + yQ i,1 for any y ∈ Z p . Given an identity v = (v 1 , . . . , v k ) ∈ Z k p of depth k ≤ h, pick a random r ∈ Z p and output d v = ( αP 2 + r ) k∑ V j , rP, rP 3,k+1 , . . . , rP 3,h , r −→ Q k+1 , . . . , r −→ Q h j=1 where V j = P 3,j + V (j, v j ) . The private key at level k consists of (2 + h − k + ∑ h i=k+1 n i) elements of G 1 . Among these, only the first two are required in decryption, the rest are used to generate the private key for the next level as follows: Let the secret key corresponding to the identity v |k−1 = (v 1 , . . . , v k−1 ) be d v|k−1 = (A 0 , A 1 , B k , . . . , B h , −→ C k , . . . , −→ C h ) where A 0 = αP 2 + r ∑ ′ k−1 j=1 V j, A 1 = r ′ P , and for k ≤ j ≤ h, B j = r ′ P 3,j , r ′ Q j,1 , . . . , r ′ Q j,nj = 〈C j,nj 〉 Pick a random r ∗ ∈ Z p and compute −→ C j = d v = (A 0 + B k + ∑ n k i=1 vi k C k,i + r ∑ ∗ k j=1 V j, A 1 + r ∗ P, B k+1 + r ∗ P 3,k+1 , . . . , B h + r ∗ P 3,h , −→ C k+1 + r ∗ −→ Q k+1 , . . . , −→ C h + r ∗ −→ Q h ). If we put r = r ′ + r ∗ , then d v is a proper private key for v = (v 1 , . . . , v k ). Encrypt: To encrypt M ∈ G 2 under the identity (v 1 , . . . , v k ) ∈ (Z p ) k , pick a random s ∈ Z p and output ( ( k∑ )) CT = e(P 1 , P 2 ) s × M, sP, s V j j=1 where V j is as defined in Key Generation. 116
Decrypt: To decrypt CT = (A, B, C) using the private key d v = (d 0 , d 1 , . . .) of v = (v 1 , . . . , v k ), compute ( e rP, s ∑ ) k j=1 V j 9.4.2 Security A × e(d 1, C) e(B, d 0 ) = e(P 1, P 2 ) s × M × ( e sP, αP 2 + r ∑ k j=1 V j ) = M. Semantic security (i.e., CPA-security) of the above scheme in model M + 2 is proved under the h-wDBDHI ∗ assumption. Note that, the additional flexibility in terms of choosing the target identity that we allowed to the adversary in the s + ID model is also applicable here. Theorem 9.4.1. Let n 1 , . . . , n h , q and n ′ 1, . . . , n ′ h be two sets of positive integers with n′ i ≤ n i for 1 ≤ i ≤ h. Then for t ≥ 1, q ≥ 1 where n = ∑ h i=1 n i. Adv (h,n 1,...,n h )-G 2 (t, q) ≤ Adv h-wDBDHI∗ (t + O(τnq)) (h,n ′ 1 ,...,n′ h )-M+ 2 Proof : Suppose A is a (t, q)-CPA adversary for G 2 , then we construct an algorithm B that solves the h-wDBDHI ∗ problem. B takes as input a tuple 〈P, Q, Y 1 , . . . , Y h , T 〉 where Y i = α i P for some random α ∈ Z ∗ p and T is either equal to e(P, Q) αh+1 or a random element of G 2 . We define the modified M + 2 game between B and A as follows. Initialization: A outputs sets of target identities for each level of the HIBE as (I ∗ 1, . . . , I ∗ u) where each I ∗ i is a set of cardinality n ′ i for any u ≤ h. Setup: B defines polynomials F 1 (x), . . . , F h (x) where for 1 ≤ i ≤ u, F i (x) = ∏ (x − v) v∈I ∗ i = x n′ i + ai,n ′ i −1x n′ i −1 + . . . + a i,1 x + a i,0 For u < i ≤ h, define F i (x) = a i,0 where a i,0 is a random element of Z ∗ p. For 1 ≤ i ≤ u, let a i,n ′ i = 1 and a i,ni = · · · = a i,n ′ i +1 = 0. For u < i ≤ h we set n ′ i = 0 and a i,ni = · · · = a i,1 = 0. For 1 ≤ i ≤ h define J i (x) = b i,ni x n i + b i,ni −1x n i−1 + . . . + b i,1 x + b i,0 where b i,j are random elements of Z p . It then sets P 1 = Y 1 = αP ; P 2 = Y h + βP = (α h + β)P ; and for 1 ≤ i ≤ h, 1 ≤ j ≤ n i Q i,j = b i,j P + a i,j Y h−i+1 ; P 3,j = b i,0 P + a i,0 Y h−i+1 . 117
Page 1:
Construction of (Hierarchical) Iden
Page 5:
The scientist does not study nature
Page 9 and 10:
Contents 1 Introduction 1 1.1 Plan
Page 11:
7.4.1 HIBE H 1 . . . . . . . . . .
Page 14 and 15:
the public key. In this setting, an
Page 16 and 17:
adversary in distinguishing two mes
Page 18 and 19:
previous chapter. The second varian
Page 20 and 21:
as it is closer to the known exampl
Page 22 and 23:
Let P i = a i P . An algorithm A ha
Page 24 and 25:
Given the security parameter κ, th
Page 26 and 27:
the Key-Gen algorithm and C is the
Page 28 and 29:
Phase 2: A now issues additional qu
Page 30 and 31:
Chapter 3 Previous Works in Identit
Page 32 and 33:
Decrypt: Decrypt C = 〈U, V 〉 us
Page 34 and 35:
Game 2 Suppose B is given a BDH pro
Page 36 and 37:
Security of BasicHIBE against chose
Page 38 and 39:
BB-HIBE Here individual components
Page 40 and 41:
F i (v ∗ i ) = α i P , so C =
Page 42 and 43:
Key-Gen: Let v = (v 1 , . . . , v n
Page 44 and 45:
Composite HIBE Boneh, Boyen and Goh
Page 46 and 47:
Security Given an identity tuple v
Page 48 and 49:
Chapter 4 Tate Pairing in General C
Page 50 and 51:
order on the elliptic curve E(IF p
Page 52 and 53:
the best result. In [57] the author
Page 54 and 55:
Hence, we require 3[S] + 8[M] for E
Page 56 and 57:
Algorithm 2 (iterated doubling): In
Page 58 and 59:
Level 1 : t 1 = Y 2 1 ; t 4 = Z 2 1
Page 60 and 61:
Table 4.1: Cost Comparison. Note 1[
Page 62 and 63:
problem. - Our construction resembl
Page 64 and 65:
is equal to c 2 |IF a | 3 . Thus, t
Page 66 and 67:
aborts if F (v ∗ ) ≠ 0 and outp
Page 68 and 69:
DBDH problem over (G 1 , G 2 , e) i
Page 70 and 71:
these are respectively 2.4 kb and 2
Page 72 and 73:
Signing: Let M = (m 1 , m 2 , . . .
Page 74 and 75:
model without random oracles. Addit
Page 76 and 77:
6.2 Construction HIBE-spp The ident
Page 78 and 79: Table 6.1: Comparison of HIBE Proto
Page 80 and 81: For 1 ≤ j ≤ h, we define severa
Page 82 and 83: establish the claim. We provide the
Page 84 and 85: The probability is over the indepen
Page 86 and 87: = ≥ ( ( 1 − Pr 1 − [( q∨ i=
Page 88 and 89: of public parameters is significant
Page 90 and 91: to be I ∗ . It can then ask for t
Page 92 and 93: Phase 2: The adversary issues addit
Page 94 and 95: 7.3 Interpreting Security Models Th
Page 96 and 97: 7.4 Constructions We present severa
Page 98 and 99: 7.4.2 HIBE H 2 The description of H
Page 100 and 101: Since b 0,1 , . . . , b 0,h , b 1 ,
Page 102 and 103: For 1 ≤ i ≤ h, we have V i (y)
Page 104 and 105: 1. The encryption is converted into
Page 106 and 107: Chapter 8 Constant Size Ciphertext
Page 108 and 109: Let a private key for (v 1 , . . .
Page 110 and 111: Phase 1: Suppose a key extraction q
Page 112 and 113: = γ ( P 3 + ) u∑ V i . i=1 If th
Page 114 and 115: Encrypt: To encrypt a message M ∈
Page 116 and 117: and outputs a random bit if there i
Page 118 and 119: Chapter 9 Augmented Selective-ID Mo
Page 120 and 121: Phase 1 and Phase 2: As discussed i
Page 122 and 123: an adversary has to commit to an id
Page 124 and 125: Table 9.1: Comparison of BBG-HIBE a
Page 126 and 127: where ˜r = (r − αk F k ). Also
Page 130 and 131: B declares the public parameters to
Page 132 and 133: So, the challenge ciphertext is ( C
Page 134 and 135: Choose a random r ∗ ∈ Z p and f
Page 136 and 137: The size of the private key in the
Page 138 and 139: generalisation and move on to addre
Page 140 and 141: Table 10.3: Comparison of HIBE prot
Page 142 and 143: [9] Paulo S. L. M. Barreto, Ben Lyn
Page 144 and 145: [31] Sanjit Chatterjee and Palash S
Page 146 and 147: [55] Florian Hess, Nigel P. Smart,
Page 148: [81] Palash Sarkar. Head: Hybrid en
show all

Identity-Based Encryption Protocols Using Bilinear Pairing

Create successful ePaper yourself

Delete template?

Save as template?