Identity-Based Encryption Protocols Using Bilinear Pairing

More documents

Recommendations

Info

Given the security parameter κ, the challenger runs the Key-Generation algorithm to generate a public and private key pair (pk, sk). It gives A the public key pk. Given the public key, A adaptively issues decryption queries, which the challenger must properly answer. At some point, A outputs two equal length messages M 0 , M 1 and the challenger responds with an encryption C ∗ of M γ , where γ is a random bit. The adversary continues with adaptive decryption queries but not on C ∗ . Finally, A outputs its guess γ ′ of γ and wins if γ ′ = γ. The advantage of A against the encryption scheme is Adv A = | Pr[γ = γ ′ ] − 1/2|. An encryption scheme is said to be (t, q, ɛ)-IND-CCA2 secure, if no t time randomized algorithm A that makes at most q decryption queries, has advantage at least ɛ in the above game. A weaker notion of security, called semantic security or security against chosen plaintext attack (in short IND-CPA security) of a public key encryption scheme is available in the literature [50, 14]. In the IND-CPA security game the adversary is not allowed to place any decryption query. Given with a random public key, here the adversary outputs two equal length messages M 0 , M 1 and the challenger responds with an encryption C ∗ of M γ . The adversary wins if it can predict γ. 2.4 Identity-Based Encryption Protocols Following [84, 20] an identity-based encryption scheme E is specified by four probabilistic polynomial time algorithms: Setup, Key-Gen, Encrypt and Decrypt. Setup: This randomized algorithm takes input a security parameter 1 κ , and returns the system parameters PP together with the master key msk. The system parameters include a description of the message space M, the ciphertext space C and the identity space I. They are publicly known while the master key is known only to the private key generator (PKG). Key-Gen: This randomized algorithm takes as input an identity v ∈ I together with the system parameters PP and the master key msk and returns a private key d v , using the master key. The identity v is used as the public key while d v is the corresponding private key. Encrypt: This randomized algorithm takes as input an identity v ∈ I and a message M ∈ M and produces a ciphertext C ∈ C using the system parameters PP. Decrypt: This is a deterministic algorithm which takes as input a ciphertext C ∈ C, the private key d v of the corresponding identity v and the system parameters PP. It returns the message M or bad if the ciphertext is not valid. These set of algorithms must satisfy the standard consistency requirement: For (PP,msk) output by Setup, let d v be a private key generated by Key-Gen given input the identity v, then ∀M ∈ M : Decrypt(Encrypt(M, v, PP), d v , PP) = M 12
2.4.1 Hierarchical Identity-Based Encryption Hierarchical identity-based encryption (HIBE) is an extension of IBE. In contrast to IBE, here identities are represented as vectors. So for a HIBE of maximum height h (henceforth denoted as h-HIBE) any identity v is a tuple (v 1 , . . . , v τ ) where 1 ≤ τ ≤ h. Let, v ′ = v ′ 1, . . . , v ′ j, j < τ be another identity tuple. We say v ′ is a prefix of v if v ′ i = v i for all 1 ≤ i ≤ j. Like IBE, here also the PKG has a set of public parameters PP and a master key msk. For all identities at the first level the private key is generated by the PKG using msk. For identities at the second level on-wards, the private key can be generated by the PKG or any of its ancestors. In the above example, the private key d v of v can be generated by an entity whose identity is a prefix of v and who has obtained the corresponding private key. The generation of private key can be a computationally intensive task. The identity of an entity must be authenticated before issuing a private key and the private key needs to be transmitted securely to the concerned entity. HIBE reduces the workload of the PKG by delegating the task of private key generation and hence authentication of identity and secure transmission of private key to its lower levels. However, only the PKG has a set of public parameters. The identities at different levels do not have any public parameter associated with them. Apart from being a standalone cryptographic primitive, HIBE has many interesting applications such as forward secure encryption [26] and broadcast encryption [38]. Following [56, 49] an h-HIBE scheme H is specified by four PPT algorithms: Setup, Key-Gen, Encrypt and Decrypt. Setup: This randomized algorithm takes input a security parameter 1 κ and returns the system parameters PP together with the master key msk. The system parameters include a description of the finite message space M, the finite ciphertext space C and the finite identity space I. These are publicly known while the master key is known only to the private key generator (PKG). Key-Gen: This randomized algorithm takes as input an identity tuple v = (v 1 , . . . , v τ ) and the private key d v|τ−1 for the identity (v 1 , . . . , v τ−1 ) and returns a private key d v using d v|τ−1 , or directly using the master key. The identity v is used as the public key while d v is the corresponding private key. Encrypt: This randomized algorithm takes as input the identity v and a message M from the message space and produces a ciphertext C in the ciphertext space. Decrypt: This is a deterministic algorithm which takes as input the ciphertext C and a private key d v of the corresponding identity v and returns the message or bad if the ciphertext is not valid. The standard consistency requirement that we mention for IBE in Section 2.4 is also applicable for HIBE. If d v is a private key corresponding to the identity tuple v generated by 13
Page 1: Construction of (Hierarchical) Iden
Page 5: The scientist does not study nature
Page 9 and 10: Contents 1 Introduction 1 1.1 Plan
Page 11: 7.4.1 HIBE H 1 . . . . . . . . . .
Page 14 and 15: the public key. In this setting, an
Page 16 and 17: adversary in distinguishing two mes
Page 18 and 19: previous chapter. The second varian
Page 20 and 21: as it is closer to the known exampl
Page 22 and 23: Let P i = a i P . An algorithm A ha
Page 26 and 27: the Key-Gen algorithm and C is the
Page 28 and 29: Phase 2: A now issues additional qu
Page 30 and 31: Chapter 3 Previous Works in Identit
Page 32 and 33: Decrypt: Decrypt C = 〈U, V 〉 us
Page 34 and 35: Game 2 Suppose B is given a BDH pro
Page 36 and 37: Security of BasicHIBE against chose
Page 38 and 39: BB-HIBE Here individual components
Page 40 and 41: F i (v ∗ i ) = α i P , so C =
Page 42 and 43: Key-Gen: Let v = (v 1 , . . . , v n
Page 44 and 45: Composite HIBE Boneh, Boyen and Goh
Page 46 and 47: Security Given an identity tuple v
Page 48 and 49: Chapter 4 Tate Pairing in General C
Page 50 and 51: order on the elliptic curve E(IF p
Page 52 and 53: the best result. In [57] the author
Page 54 and 55: Hence, we require 3[S] + 8[M] for E
Page 56 and 57: Algorithm 2 (iterated doubling): In
Page 58 and 59: Level 1 : t 1 = Y 2 1 ; t 4 = Z 2 1
Page 60 and 61: Table 4.1: Cost Comparison. Note 1[
Page 62 and 63: problem. - Our construction resembl
Page 64 and 65: is equal to c 2 |IF a | 3 . Thus, t
Page 66 and 67: aborts if F (v ∗ ) ≠ 0 and outp
Page 68 and 69: DBDH problem over (G 1 , G 2 , e) i
Page 70 and 71: these are respectively 2.4 kb and 2
Page 72 and 73: Signing: Let M = (m 1 , m 2 , . . .
Page 74 and 75:
model without random oracles. Addit
Page 76 and 77:
6.2 Construction HIBE-spp The ident
Page 78 and 79:
Table 6.1: Comparison of HIBE Proto
Page 80 and 81:
For 1 ≤ j ≤ h, we define severa
Page 82 and 83:
establish the claim. We provide the
Page 84 and 85:
The probability is over the indepen
Page 86 and 87:
= ≥ ( ( 1 − Pr 1 − [( q∨ i=
Page 88 and 89:
of public parameters is significant
Page 90 and 91:
to be I ∗ . It can then ask for t
Page 92 and 93:
Phase 2: The adversary issues addit
Page 94 and 95:
7.3 Interpreting Security Models Th
Page 96 and 97:
7.4 Constructions We present severa
Page 98 and 99:
7.4.2 HIBE H 2 The description of H
Page 100 and 101:
Since b 0,1 , . . . , b 0,h , b 1 ,
Page 102 and 103:
For 1 ≤ i ≤ h, we have V i (y)
Page 104 and 105:
1. The encryption is converted into
Page 106 and 107:
Chapter 8 Constant Size Ciphertext
Page 108 and 109:
Let a private key for (v 1 , . . .
Page 110 and 111:
Phase 1: Suppose a key extraction q
Page 112 and 113:
= γ ( P 3 + ) u∑ V i . i=1 If th
Page 114 and 115:
Encrypt: To encrypt a message M ∈
Page 116 and 117:
and outputs a random bit if there i
Page 118 and 119:
Chapter 9 Augmented Selective-ID Mo
Page 120 and 121:
Phase 1 and Phase 2: As discussed i
Page 122 and 123:
an adversary has to commit to an id
Page 124 and 125:
Table 9.1: Comparison of BBG-HIBE a
Page 126 and 127:
where ˜r = (r − αk F k ). Also
Page 128 and 129:
The maximum height of the HIBE be h
Page 130 and 131:
B declares the public parameters to
Page 132 and 133:
So, the challenge ciphertext is ( C
Page 134 and 135:
Choose a random r ∗ ∈ Z p and f
Page 136 and 137:
The size of the private key in the
Page 138 and 139:
generalisation and move on to addre
Page 140 and 141:
Table 10.3: Comparison of HIBE prot
Page 142 and 143:
[9] Paulo S. L. M. Barreto, Ben Lyn
Page 144 and 145:
[31] Sanjit Chatterjee and Palash S
Page 146 and 147:
[55] Florian Hess, Nigel P. Smart,
Page 148:
[81] Palash Sarkar. Head: Hybrid en
show all

Identity-Based Encryption Protocols Using Bilinear Pairing

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?