Identity-Based Encryption Protocols Using Bilinear Pairing
Identity-Based Encryption Protocols Using Bilinear Pairing
Identity-Based Encryption Protocols Using Bilinear Pairing
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
the Key-Gen algorithm and C is the output of the Encrypt algorithm for a message M ∈ M<br />
using v as a public key and PP; then the Decrypt algorithm must return M on input d v and<br />
C.<br />
2.5 Security Model of (H)IBE<br />
As we have already noted, HIBE is a generalisation of IBE i.e., an IBE can be thought of as a<br />
single level HIBE. So instead of describing the security models of IBE and HIBE separately,<br />
we only describe the security model of HIBE.<br />
2.5.1 Security Against Chosen Ciphertext Attack<br />
In case of public key encryption, we have seen that security against adaptive chosen ciphertext<br />
attack is the standard notion of security. Boneh and Franklin extended this notion of<br />
security to the identity-based setting [20]. They termed this as IND-ID-CCA security.<br />
Let H be an h-HIBE scheme as defined in the previous section. The IND-ID-CCA security<br />
for H is defined [56, 49, 17] in terms of the following game between a challenger and an<br />
adversary of the HIBE. The adversary is allowed to place two types of oracle queries –<br />
decryption queries to a decryption oracle O d and key-extraction queries to a key-extraction<br />
oracle O k .<br />
Setup The challenger takes input a security parameter 1 κ and runs the Setup algorithm of<br />
the HIBE. It provides A with the system parameters PP while keeping the master key msk<br />
to itself.<br />
Phase 1:<br />
two types:<br />
Adversary A makes a finite number of queries where each query is one of the<br />
• key-extraction query 〈v〉: This query is placed to the key-extraction oracle O k . O k<br />
generates a private key d v of v and returns it to A.<br />
• decryption query 〈v, C〉: This query is placed to the decryption oracle O d . It returns<br />
the resulting plaintext to A.<br />
A is allowed to make these queries adaptively, i.e., any query may depend on the previous<br />
queries as well as their answers.<br />
Challenge: When A decides that Phase 1 is complete, it fixes an identity v ∗ and two equal<br />
length messages M 0 , M 1 under the (obvious) constraint that it has not asked for the private<br />
key of v ∗ or any prefix of v ∗ . The challenger chooses uniformly at random a bit γ ∈ {0, 1}<br />
and obtains a ciphertext C ∗ corresponding to M γ , i.e., C ∗ is output of the Encrypt algorithm<br />
on input (M γ , v ∗ , PP). It returns C ∗ as the challenge ciphertext to A.<br />
14