So, the challenge ciphertext is

$$CT = \left( M_b \times e(P_1, P_2)^{\gamma},\ \gamma P,\ \gamma \Big( \sum_{j=1}^{u'} V_j \Big) \right).$$

$CT$ is a valid encryption of $M_b$ under $v^* = (v_1^*, \ldots, v_{u'}^*)$. On the other hand, when $T$ is random, $CT$ is random from the view point of $A$.

Phase 2: This is similar to Phase 1. Note that $A$ places at most $q$ queries in Phase 1 and 2 together.

Guess: Finally, $A$ outputs its guess $b' \in \{0, 1\}$. $B$ outputs $1 \oplus b \oplus b'$.

$A$'s view in the above simulation is identical to that in a real attack. This gives us the required bound on the advantage of the adversary in breaking the HIBE protocol.

9.5 Composite Scheme

We have mentioned in Section 3.4 that Boneh-Boyen-Goh [19] proposed a "product" construction based on the BBG-HIBE and the BB-HIBE. A similar construction is possible based on the HIBE $G_1$ of Section 9.3 and BB-HIBE. The resulting HIBE is secure in the $s^+$-ID model. On the other hand, in Chapter 7 we have presented a construction $H_1$ which is secure in model $M_1$. This construction is in a sense an extension of the BB-HIBE. We propose a composite scheme based on $H_1$ and $G_2$ which we denote as $(h, n)$-$G_3$ or simply $G_3$.

The essential idea, as in [19], is to form a product of two HIBEs. For this we represent an identity tuple in the form of a matrix (say $\mathbb{I}$) having an (a-priori) fixed number of columns, $h$. When we look at a row of $\mathbb{I}$, it forms a constant ciphertext HIBE, $H$, while each row taken together as a single identity forms another HIBE, $H'$. We obtain a product construction by instantiating $H'$ to be $H_1$ of Chapter 7 and $H$ to be the constant size ciphertext HIBE $G_2$ of Section 9.4. In this case, the components of the identity tuples are from $Z_p$ and we obtain security in $M_1$. Since $M_1$ allows the target identity to be of any length up to the maximum height of the HIBE, the adversary has the flexibility to choose the length of the target identity in the challenge phase.

9.5.1 Construction

Let the maximum depth of the HIBE be $h \le l_1 \times l_2$. Here individual identity components are elements of $Z_p$.
Setup: Let $P$ be a generator of $G_1$. Choose a random secret $x \in Z_p$ and set $P_1 = xP$. Randomly choose $P_2$; an $l_1 \times l_2$ matrix $R$ where

$$R = \begin{bmatrix} R_{1,1} & \cdots & R_{1,l_2} \\ \vdots & & \vdots \\ R_{l_1,1} & \cdots & R_{l_1,l_2} \end{bmatrix}$$

and $l_2$ many vectors $\vec{U}_1, \ldots, \vec{U}_{l_2}$ from $G_1$, where each $\vec{U}_i = (U_{i,1}, \ldots, U_{i,n})$. The public parameters are $\langle P, P_1, P_2, R, \vec{U}_1, \ldots, \vec{U}_{l_2} \rangle$, while the master secret is $xP_2$.

Key Generation: Given an identity $v = (v_1, \ldots, v_u)$ for any $u$, this algorithm generates the private key $d_v$ of $v$ as follows. Let $u = k_1 l_2 + k_2$ with $k_2 \in \{1, \ldots, l_2\}$. We represent $v$ by a (possibly incomplete) $(k_1 + 1) \times l_2$ matrix $I$ where the last row has $k_2$ elements. Choose $(k_1 + 1)$ many random elements $r_1, \ldots, r_{k_1}, r_{k_2} \in Z_p$ and output

$$d_{ID} = \Bigg( xP_2 + \sum_{i=1}^{k_1} r_i \Big( \sum_{j=1}^{h} \big( V_{i,j} + R_{i,j} \big) \Big) + r_{k_2} \Big( \sum_{j=1}^{k_2} \big( V_{k_1+1,j} + R_{k_1+1,j} \big) \Big),\ r_1 P, \ldots, r_{k_1} P,\ r_{k_2} P,$$
$$\qquad r_{k_2} R_{k_1+1,k_2+1}, \ldots, r_{k_2} R_{k_1+1,h},\ r_{k_2} \vec{U}_{k_2+1}, \ldots, r_{k_2} \vec{U}_{l_2} \Bigg)$$

where $V_{i,j} = \sum_{j=1}^{n} v_j U_{i,j}$ and $r_{k_2} \vec{U}_i$ denotes that each element of $\vec{U}_i$ is multiplied by the scalar $r_{k_2}$.

The private key of $v$ can also be generated given the private key of $v_{|u-1} = v_1, \ldots, v_{u-1}$ as required. There are two cases to be considered.

Case 1: Suppose $u - 1 = k_1 l_2 + l_2$, then

$$d_{v|u-1} = \Bigg( xP_2 + \sum_{i=1}^{k_1+1} r_i \Big( \sum_{j=1}^{h} \big( V_{i,j} + R_{i,j} \big) \Big),\ r_1 P, \ldots, r_{k_1} P,\ r_{k_1+1} P \Bigg) = (a_0, a_1, \ldots, a_{k_1}, a_{k_1+1}) \text{ (say)}$$

Choose a random $r^* \in Z_p$ and form $d_v$ as

$$d_v = a_0 + r^* \big( V_{k_1+2,1} + R_{k_1+2,1} \big),\ a_1, \ldots, a_{k_1+1},\ r^* P,\ r^* R_{k_1+2,2}, \ldots, r^* R_{k_1+2,h},\ r^* \vec{U}_2, \ldots, r^* \vec{U}_{l_2}$$

Case 2: Let $u - 1 = k_1 l_2 + k_2'$ with $k_2' < l_2$, then

$$d_{v|u-1} = \Bigg( xP_2 + \sum_{i=1}^{k_1} r_i \Big( \sum_{j=1}^{h} \big( V_{i,j} + R_{i,j} \big) \Big) + r_{k_2'} \Big( \sum_{j=1}^{k_2'} \big( V_{k_1+1,j} + R_{k_1+1,j} \big) \Big),\ r_1 P, \ldots, r_{k_1} P,\ r_{k_2'} P,$$
$$\qquad r_{k_2'} R_{k_1+1,k_2'+1}, \ldots, r_{k_2'} R_{k_1+1,h},\ r_{k_2'} \vec{U}_{k_2'+1}, \ldots, r_{k_2'} \vec{U}_{l_2} \Bigg)$$
$$= (a_0, a_1, \ldots, a_{k_1}, a_{k_1+1}, b_{k_2'+1}, \ldots, b_{l_2}, \vec{c}_{k_2'+1}, \ldots, \vec{c}_{l_2}) \text{ (say)}$$