Identity-Based Encryption Protocols Using Bilinear Pairing

More documents

Recommendations

Info

generalisation and move on to address the issue of concrete security in the context of this IBE protocol. To the best of our knowledge, this kind of concrete security analysis in the IBE scenario was not much emphasised before. Our next contribution is an extension of this IBE to HIBE. By reusing the public parameters, we are able to significantly reduce the size of the public parameter. The security reduction for the HIBE is not tight and suffers from a degradation along the line of the earlier works in the full model (with or without random oracle). We propose another HIBE secure in the full model in Chapter 8. This is a variant of constant size ciphertext HIBE originally proposed by Boneh, Boyen and Goh modified along the line of our generalisation of Waters suggestion in Chapter 5. In Table 10.1 we make a comparative study of these two HIBEs with earlier suggestions in the same security model. For all these HIBEs the security degradation is exponential in the number of levels. Consequently, construction of a HIBE in the full model where the security degradation is sub-exponential in the number of levels is an outstanding research problem in this area. A weaker security model, called the selective-ID model has been suggested in the literature where it is possible to avoid the security degradation. BB-HIBE and BBG-HIBE are the only HIBE protocols proposed in this model. We augment this selective-ID security model by allowing some flexibility to the adversary in choosing the target identity and call this augmented version selective + -ID model. We show that BB-HIBE can be easily proved to be secure in s + ID model and modify the original security reduction of BBG-HIBE to achieve security in this model. The modified reduction of the BBG-HIBE introduces a multiplicative security degradation. Next, we make some augmentation in the BBG-HIBE to achieve security in s + ID model without any degradation. This new constant size ciphertext HIBE secure in the s + ID model is called G 1 . In Table 10.2 we make a comparison of G 1 , BBG-HIBE and BB-HIBE. Though the selective-ID model for (H)IBE avoids security degradation, it is too restrictive on the adversary. This motivated us to propose a generalisation of this model where the adversary commits to sets of identities. In Chapter 7 we define two models M 1 and M 2 based on the adversarial behavior. Two HIBE protocols H 1 and H 2 secure respectively in M 1 and M 2 are also suggested. These protocols can be seen as augmentation of the BB- HIBE. We further propose a constant size ciphertext HIBE called ccHIBE by adapting the BBG-HIBE in M 2 . Another constant size ciphertext HIBE G 2 secure in the augmented (in the sense of s + ID model) M 2 is also suggested. A comparative study of these HIBEs is given in Table 10.3 To conclude, the HIBE protocols proposed in the dissertation broaden the choice of a designer of identity-based encryption protocols. Several different options of secure and efficient HIBE protocols are now available to choose from. HIBE as a cryptographic primitive has several interesting applications. Exploring these applications further based on the HIBEs proposed here would be an interesting future work. 126
Table 10.1: Comparison of HIBE <strong>Protocols</strong> Secure in Full Model. Protocol PP size Pvt. Key size CT size <strong>Pairing</strong> (elts. of G 1 ) (elts. of G 1 ) (elts. of G 1 ) Enc. Dec. GS [49] 2 j j 1 j Waters [89] (n + 1)h + 3 j + 1 j + 1 None j + 1 HIBE-spp h + l + 3 j + 1 j + 1 None j + 1 FullccHIBE (l + 1)h + 3 (l + 1)(h − 1) + 2 2 None 2 The columns for Pvt. Key size, ciphertext (CT) size and pairing in decryption corresponds to an identity at a level j, 1 ≤ j ≤ h. The GS-HIBE uses random oracle in the security reduction while the other three do not. Table 10.2: Comparison of HIBE protocols Secure in sID/s + ID Model. protocol security id public max pvt decryption model comp parameter key size subkey size G 1 s + ID Z p 3 + 2h 2h 2 BBG s + ID Z ∗ p 4 + h h + 1 2 BBG sID Z ∗ p 4 + h h + 1 2 BB s + ID Z p 3 + h h + 2 h + 2 protocol ciphertext encryption decryption Security expansion efficiency efficiency degradation G 1 2 h + 2 2 Nil BBG in s + ID 2 h + 2 2 h BBG in sID 2 h + 2 2 Nil BB h + 1 2h + 1 h + 1 Nil For a HIBE of maximum height h, the columns for public parameter, max pvt key size, decryption subkey size and ciphertext expansion denote the number of elements of G 1 , encryption efficiency denotes the number of scalar multiplications in G 1 and decryption efficiency denotes the number of pairing computations. 127
Page 1:
Construction of (Hierarchical) Iden
Page 5:
The scientist does not study nature
Page 9 and 10:
Contents 1 Introduction 1 1.1 Plan
Page 11:
7.4.1 HIBE H 1 . . . . . . . . . .
Page 14 and 15:
the public key. In this setting, an
Page 16 and 17:
adversary in distinguishing two mes
Page 18 and 19:
previous chapter. The second varian
Page 20 and 21:
as it is closer to the known exampl
Page 22 and 23:
Let P i = a i P . An algorithm A ha
Page 24 and 25:
Given the security parameter κ, th
Page 26 and 27:
the Key-Gen algorithm and C is the
Page 28 and 29:
Phase 2: A now issues additional qu
Page 30 and 31:
Chapter 3 Previous Works in Identit
Page 32 and 33:
Decrypt: Decrypt C = 〈U, V 〉 us
Page 34 and 35:
Game 2 Suppose B is given a BDH pro
Page 36 and 37:
Security of BasicHIBE against chose
Page 38 and 39:
BB-HIBE Here individual components
Page 40 and 41:
F i (v ∗ i ) = α i P , so C =
Page 42 and 43:
Key-Gen: Let v = (v 1 , . . . , v n
Page 44 and 45:
Composite HIBE Boneh, Boyen and Goh
Page 46 and 47:
Security Given an identity tuple v
Page 48 and 49:
Chapter 4 Tate Pairing in General C
Page 50 and 51:
order on the elliptic curve E(IF p
Page 52 and 53:
the best result. In [57] the author
Page 54 and 55:
Hence, we require 3[S] + 8[M] for E
Page 56 and 57:
Algorithm 2 (iterated doubling): In
Page 58 and 59:
Level 1 : t 1 = Y 2 1 ; t 4 = Z 2 1
Page 60 and 61:
Table 4.1: Cost Comparison. Note 1[
Page 62 and 63:
problem. - Our construction resembl
Page 64 and 65:
is equal to c 2 |IF a | 3 . Thus, t
Page 66 and 67:
aborts if F (v ∗ ) ≠ 0 and outp
Page 68 and 69:
DBDH problem over (G 1 , G 2 , e) i
Page 70 and 71:
these are respectively 2.4 kb and 2
Page 72 and 73:
Signing: Let M = (m 1 , m 2 , . . .
Page 74 and 75:
model without random oracles. Addit
Page 76 and 77:
6.2 Construction HIBE-spp The ident
Page 78 and 79:
Table 6.1: Comparison of HIBE Proto
Page 80 and 81:
For 1 ≤ j ≤ h, we define severa
Page 82 and 83:
establish the claim. We provide the
Page 84 and 85:
The probability is over the indepen
Page 86 and 87:
= ≥ ( ( 1 − Pr 1 − [( q∨ i=
Page 88 and 89: of public parameters is significant
Page 90 and 91: to be I ∗ . It can then ask for t
Page 92 and 93: Phase 2: The adversary issues addit
Page 94 and 95: 7.3 Interpreting Security Models Th
Page 96 and 97: 7.4 Constructions We present severa
Page 98 and 99: 7.4.2 HIBE H 2 The description of H
Page 100 and 101: Since b 0,1 , . . . , b 0,h , b 1 ,
Page 102 and 103: For 1 ≤ i ≤ h, we have V i (y)
Page 104 and 105: 1. The encryption is converted into
Page 106 and 107: Chapter 8 Constant Size Ciphertext
Page 108 and 109: Let a private key for (v 1 , . . .
Page 110 and 111: Phase 1: Suppose a key extraction q
Page 112 and 113: = γ ( P 3 + ) u∑ V i . i=1 If th
Page 114 and 115: Encrypt: To encrypt a message M ∈
Page 116 and 117: and outputs a random bit if there i
Page 118 and 119: Chapter 9 Augmented Selective-ID Mo
Page 120 and 121: Phase 1 and Phase 2: As discussed i
Page 122 and 123: an adversary has to commit to an id
Page 124 and 125: Table 9.1: Comparison of BBG-HIBE a
Page 126 and 127: where ˜r = (r − αk F k ). Also
Page 128 and 129: The maximum height of the HIBE be h
Page 130 and 131: B declares the public parameters to
Page 132 and 133: So, the challenge ciphertext is ( C
Page 134 and 135: Choose a random r ∗ ∈ Z p and f
Page 136 and 137: The size of the private key in the
Page 140 and 141: Table 10.3: Comparison of HIBE prot
Page 142 and 143: [9] Paulo S. L. M. Barreto, Ben Lyn
Page 144 and 145: [31] Sanjit Chatterjee and Palash S
Page 146 and 147: [55] Florian Hess, Nigel P. Smart,
Page 148: [81] Palash Sarkar. Head: Hybrid en
show all

Identity-Based Encryption Protocols Using Bilinear Pairing

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?