Identity-Based Encryption Protocols Using Bilinear Pairing
Phase 2: $\mathcal{A}$ now issues additional queries just like Phase 1, with the (obvious) restriction
that it cannot place a decryption query for the decryption of $C^*$ under $v^*$ or any of its prefixes
nor a key-extraction query for the private key of $v^*$ or any prefix of $v^*$. All other queries are
valid and $\mathcal{A}$ can issue these queries adaptively just like Phase 1. The challenger responds as
in Phase 1.
Guess: $\mathcal{A}$ outputs a guess $\gamma'$ of $\gamma$.
The advantage of the adversary $\mathcal{A}$ in attacking the HIBE scheme $\mathcal{H}$ is defined as:
$$\mathsf{Adv}^{\mathcal{H}}_{\mathcal{A}} = \left|\Pr[\gamma = \gamma'] - 1/2\right|.$$
An $h$-HIBE scheme $\mathcal{H}$ is said to be $(t, q_{\mathrm{ID}}, q_C, \epsilon)$-secure against adaptive chosen ciphertext
attack ($(t, q_{\mathrm{ID}}, q_C, \epsilon)$-IND-ID-CCA secure) if for any $t$-time adversary $\mathcal{A}$ that makes at most
$q_{\mathrm{ID}}$ private key queries and at most $q_C$ decryption queries, $\mathsf{Adv}^{\mathcal{H}}_{\mathcal{A}} \le \epsilon$. In short, we say $\mathcal{H}$ is
IND-ID-CCA secure or, when the context is clear, simply CCA-secure.
2.5.2 Security Against Chosen Plaintext Attack
Security reductions of (H)IBE protocols available in the literature [49, 17, 19, 89] generally
concentrate on proving security in a weaker model. This is called security against chosen
plaintext attack. Boneh and Franklin [20] define this notion as IND-ID-CPA security. The
corresponding game is similar to the game defined above, except that the adversary is not
allowed access to the decryption oracle $\mathcal{O}_d$. The adversary is allowed to place adaptive
private key extraction queries to the key-extraction oracle $\mathcal{O}_k$ and everything else remains
the same. For the sake of completeness, we give a description of the IND-ID-CPA game for
an $h$-HIBE $\mathcal{H}$ below.
Setup: The challenger takes as input a security parameter $1^\kappa$ and runs the Setup algorithm of
the HIBE. It provides $\mathcal{A}$ with the system parameters PP while keeping the master key msk
to itself.
Phase 1: Adversary $\mathcal{A}$ makes a finite number of key-extraction queries to $\mathcal{O}_k$. For a private
key query corresponding to an identity $v$, the key-extraction oracle generates the private key
$d_v$ of $v$ and returns it to $\mathcal{A}$. $\mathcal{A}$ is allowed to make these queries adaptively, i.e., any query
may depend on the previous queries as well as their answers.
Challenge: At this stage $\mathcal{A}$ fixes an identity $v^*$ and two equal-length messages $M_0$, $M_1$
under the (obvious) constraint that it has not asked for the private key of $v^*$ or any of
its prefixes. The challenger chooses uniformly at random a bit $\gamma \in \{0, 1\}$ and obtains a
ciphertext $C^*$ corresponding to $M_\gamma$, i.e., $C^*$ is the output of the Encryption algorithm on
input $(M_\gamma, v^*, \mathrm{PP})$. It returns $C^*$ as the challenge ciphertext to $\mathcal{A}$.
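The challenger's bookkeeping in this game, as an added example that is not part of the original text: a Python harness for Setup, Phase 1, Challenge and the Phase 2 key-extraction restriction stated above, with an empirical estimate of the advantage. `ToyHIBE`, `CPAChallenger`, `pad_adversary` and the sample identities are constructed for illustration; `ToyHIBE` is deliberately insecure and only stands in for a real pairing-based scheme.

```python
import hashlib, secrets
def is_prefix(u, v):
    """True when identity tuple u is v itself or one of v's prefixes."""
    return len(u) <= len(v) and v[:len(u)] == u

class ToyHIBE:
    """Constructed, deliberately insecure stand-in: the pad uses only public data."""
    def setup(self):
        return b"PP", secrets.token_bytes(16)              # (PP, msk)
    def keygen(self, msk, v):
        return hashlib.sha256(msk + repr(v).encode()).digest()    # d_v
    def encrypt(self, pp, v, m):
        pad = hashlib.sha256(pp + repr(v).encode()).digest()
        return bytes(a ^ b for a, b in zip(m, pad))

class CPAChallenger:
    def __init__(self, scheme):
        self.scheme = scheme
        self.pp, self.msk = scheme.setup()                 # Setup: A is given only PP
        self.asked, self.target, self.gamma = [], None, None
    def extract(self, v):                                  # key-extraction oracle O_k
        v = tuple(v)
        if self.target is not None and is_prefix(v, self.target):
            raise ValueError("Phase 2: key query for v* or a prefix of v*")
        self.asked.append(v)
        return self.scheme.keygen(self.msk, v)
    def challenge(self, v_star, m0, m1):
        v_star = tuple(v_star)
        if len(m0) != len(m1):
            raise ValueError("M0 and M1 must have equal length")
        if any(is_prefix(u, v_star) for u in self.asked):
            raise ValueError("key of v* or of a prefix was already extracted")
        self.target, self.gamma = v_star, secrets.randbelow(2)
        return self.scheme.encrypt(self.pp, v_star, (m0, m1)[self.gamma])

def advantage(adversary, trials=200):
    """Empirical |Pr[gamma = gamma'] - 1/2| over independent games."""
    wins = 0
    for _ in range(trials):
        ch = CPAChallenger(ToyHIBE())
        wins += adversary(ch) == ch.gamma
    return abs(wins / trials - 0.5)

def pad_adversary(ch):
    """Returns gamma'; always right against ToyHIBE because the pad is public."""
    ch.extract(("org", "bob"))                             # valid Phase 1 query
    m0, m1 = b"message-zero-000", b"message-one-1111"
    c = ch.challenge(("org", "alice"), m0, m1)
    return int(ToyHIBE().encrypt(ch.pp, ("org", "alice"), c) == m1)
```

Against a scheme that meets the definition, the same `advantage` estimate would stay close to 0 for every efficient adversary; here it is 1/2 because the toy scheme leaks the pad.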