Identity-Based Encryption Protocols Using Bilinear Pairing
Decrypt: Decrypt $C = \langle U, V \rangle$ using the private key $d_v$ as $V \oplus H_2(e(d_v, U)) = M$.
Suppose, for some identity $v$ in BasicIdent, $H_1(v)$ is mapped to $Q_v$ of BasicPub. Then the Key Generation, Encryption and Decryption algorithms of BasicPub essentially correspond to the respective algorithms of BasicIdent for the identity $v$.
Let $A_1$ be an IND-ID-CPA adversary against BasicIdent and $A_2$ be an IND-CPA adversary against BasicPub, while $B$ is an algorithm that solves the given BDH problem. The reduction proceeds in two steps. In the first step, which we denote as Game 1, $A_1$ is used to construct $A_2$. In the next step, which we call Game 2, $A_2$ is used to construct $B$.
$B$ plays the role of challenger in the IND-CPA game with $A_2$. It runs the Key Generation algorithm of BasicPub and gives $pk = \langle P, P_{pub}, Q_v, H_2 \rangle$ to $A_2$. The secret key $d_v = sQ_v$ is not revealed. From $pk$, $A_2$ passes on $P$, $P_{pub}$ and $H_2$ to $A_1$. $A_2$ keeps $Q_v$ to itself and uses it to form $H_1$. The crux of the proof in the first step is in the construction of $H_1()$.
To pose as a proper challenger to $A_1$, $A_2$ should be able to answer the key extraction queries and also to generate a valid challenge. In simulating $H_1()$, $A_2$ randomly partitions the identity space $I$ into two disjoint subsets $I_1$ and $I_2$ in such a way that it is able to form a proper private key if and only if the queried identity is from $I_1$. Similarly, it can form a proper challenge ciphertext if and only if the challenge identity is from $I_2$. It aborts the game if the key extraction query is for an identity from $I_2$ or the challenge identity is from $I_1$. This in turn results in a degradation in the security reduction.
This is an intuitive explanation of the principal strategy in the security reduction of Game 1. In fact, partitioning the identity space into two disjoint subsets, such that private key queries can be answered for one subset while a proper challenge can only be generated for a member of the second, is a hallmark of the security reduction (with or without random oracle) of all the identity-based encryption schemes that we describe in this chapter.
Given this intuitive understanding, we now proceed to a more formal description.
Game 1<br />
$H_1$-queries: $A_1$ can query the random oracle $H_1()$ at any time during the game. $A_2$ maintains a list called $H_1^{list}$ to answer such queries. The $i$th entry of the list is a 4-tuple, $\langle v_i, Q_i, b_i, c_i \rangle \in \{0, 1\}^* \times \mathbb{G}_1^* \times \mathbb{Z}_p^* \times \{0, 1\}$. Suppose $A_1$ places a query to $H_1()$ for the identity $v_j$. $A_2$ responds to this query in the following way.
• If $v_j$ already exists in $H_1^{list}$ as $\langle v_j, Q_j, b_j, c_j \rangle$ then $A_2$ returns $H_1(v_j) = Q_j$.
• Otherwise $A_2$ takes the following steps.
  – Generate a random $c \in \{0, 1\}$ where $\Pr[c = 0] = \delta$ for some $\delta$ which is fixed a-priori for all queries.
  – Pick a random $b \in \mathbb{Z}_p^*$ and set $Q_j = bP$ if $c = 0$; otherwise set $Q_j = bQ_v$.
  – Add $\langle v_j, Q_j, b, c \rangle$ to $H_1^{list}$ and return $H_1(v_j) = Q_j$ to $A_1$.
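The $H_1$ simulation listed above, as an added Python example that is not part of the original text: the pairing group $G_1$ is replaced by the additive group of integers modulo a prime, which offers no security and only makes the bookkeeping checkable. The class and function names, the group parameters, the sample identities, and the key formula $b \cdot P_{pub}$ for identities with $c = 0$ (the standard way such a key is formed; it is not stated on this page) are assumptions.

```python
import random

Q = 2**61 - 1   # prime order of the toy group (constructed; not from the page)
P = 1           # generator of additive Z_Q, a stand-in for G_1 with no pairing

def smul(k, point):
    """Scalar multiplication k*point in the toy group."""
    return (k * point) % Q

class H1Simulator:
    """A_2's H_1 list: v -> (Q_j, b, c), filled in as the steps above describe."""
    def __init__(self, P_pub, Q_v, delta, rng):
        self.P_pub, self.Q_v, self.delta, self.rng = P_pub, Q_v, delta, rng
        self.h1_list = {}

    def h1(self, v):
        if v not in self.h1_list:                    # fresh identity
            c = 0 if self.rng.random() < self.delta else 1   # Pr[c = 0] = delta
            b = self.rng.randrange(1, Q)             # b in Z_Q^*
            Qj = smul(b, P) if c == 0 else smul(b, self.Q_v)
            self.h1_list[v] = (Qj, b, c)
        return self.h1_list[v][0]                    # repeated queries get the same Q_j

    def extract(self, v):
        """Key for v when c = 0 (v in I_1); None models the abort for I_2."""
        self.h1(v)
        _, b, c = self.h1_list[v]
        # Assumed standard step: b*P_pub = b*(sP) = s*(bP) = s*Q_j, so s is not needed.
        return smul(b, self.P_pub) if c == 0 else None

    def can_challenge(self, v):
        """A proper challenge needs c = 1 (v in I_2)."""
        self.h1(v)
        return self.h1_list[v][2] == 1

def demo(seed=7, delta=0.7, n=200):
    rng = random.Random(seed)                        # seeded: reproducible run
    s = rng.randrange(1, Q)                          # master secret, used only to CHECK keys
    sim = H1Simulator(smul(s, P), smul(rng.randrange(1, Q), P), delta, rng)
    ids = [f"user{i}@example.org" for i in range(n)] # constructed identities
    keys = {v: sim.extract(v) for v in ids}
    keys_valid = all(smul(s, sim.h1(v)) == d for v, d in keys.items() if d is not None)
    partitioned = all((keys[v] is None) == sim.can_challenge(v) for v in ids)
    return keys_valid, partitioned, sum(d is not None for d in keys.values())

if __name__ == "__main__":
    print(demo())   # (keys valid?, I_1/I_2 disjoint?, number of identities in I_1)
```

The simulator never touches `s`; `demo` holds it only to confirm that every key handed out for an identity in $I_1$ equals $sQ_j$.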