Identity-Based Encryption Protocols Using Bilinear Pairing

More documents

Recommendations

Info

Decrypt: Decrypt C = 〈U, V 〉 using the private key d v as V ⊕ H 2 (e(d v , U)) = M. Suppose, for some identity v in BasicIdent, H 1 (v) is mapped to Q v of BasicPub. Then the Key Generation, <strong>Encryption</strong> and Decryption algorithms of BasicPub essentially corresponds to the respective algorithms of BasicIdent for the identity v. Let A 1 be an IND-ID-CPA adversary against BasicIdent and A 2 is an IND-CPA adversary against BasicPub, while B is an algorithm that solves the given BDH problem. The reduction proceeds in two steps. In the first step which we denote as Game 1, A 1 is used to construct A 2 . In the next step which we call Game 2, A 2 is used to construct B. B plays the role of challenger in the IND-CPA game with A 2 . It runs the Key Generation algorithm of BasicPub and gives pk = 〈P, P pub , Q v , H 2 〉 to A 2 . The secret key d v = sQ v is not revealed. From pk, A 2 passes on P, P pub and H 2 to A 1 . A 2 keeps Q v to itself and uses it to form H 1 . The crux of the proof in the first step is in the construction of H 1 (). To pose as a proper challenger to A 1 , A 2 should be able to answer the key extraction queries and also to generate a valid challenge. In simulating H 1 (), A 2 randomly partitions the identity space I into two disjoint subsets I 1 and I 2 in such a way that it is able to form a proper private key if and only if the queried identity is from I 1 . Similarly, it can form a proper challenge ciphertext if and only if the challenge identity is from I 2 . It aborts the game if the key extraction query is for an identity from I 2 or the challenge identity is from I 1 . This in turn results in a degradation in the security reduction. This is an intuitive explanation of the principal strategy in the security reduction of Game 1. In fact, partitioning of the identity space into two disjoint subsets, such that the private key queries can be answered for one subset, while a proper challenge can only be generated for a member of the second – this is a hallmark of the security reduction (with or without random oracle) of all the identity-based encryption schemes that we describe in this chapter. Given this intuitive understanding, we now proceed for a more formal description. Game 1 H 1 -queries: A 1 can query the random oracle H 1 () at any time during the game. A 2 maintains a list called H1 list to answer such queries. The ith entry to the list is a 4-tuple, 〈v i , Q i , b i , c i 〉 ∈ {0, 1} ∗ × G ∗ 1 × Z ∗ p × {0, 1}. Suppose A 1 places a query to H 1 () for the identity v j . A 2 responds to this query in the following way. • If v j already exists in H list 1 as 〈v j , Q j , b j , c j 〉 then A 2 returns H 1 (v j ) = Q j . • Otherwise A 2 takes the following steps. – Generate a random c ∈ {0, 1} where Pr[c = 0] = δ for some δ which is fixed a-priori for all queries. – Pick a random b ∈ Z ∗ p and set Q j = bP if c = 0; otherwise set Q j = bQ v . – Add 〈v j , Q j , b, c〉 to H list 1 and return H 1 (v j ) = Q j to A 1 . 20
Note that, based on Pr[c = 0] = δ, the identity space I is partitioned into two disjoint subsets I 1 and I 2 . For identities in I 1 , we have c = 0 and A 2 can answer the private key extraction queries as we show in the next phase. While for identities in I 2 , c = 1 and A 2 can generate a proper challenge ciphertext. Phase 1: Suppose A 1 asks for the private key of v i in the ith query. A 2 runs the algorithm to answer the H 1 -queries. Suppose 〈v i , Q i , b i , c i 〉 be the corresponding tuple in H1 list . If c i = 1, A 2 aborts the game. Otherwise, we have c i = 0 and so Q i = b i P . Define d vi = b i P pub and return d vi to A 1 . Note that, d vi = b i sP = sQ i , where H 1 (v i ) = Q i . So this is a proper private key for v i . Challenge: When A 1 decides that Phase 1 is over; it outputs a challenge identity v ∗ and two equal length messages M 0 , M 1 . v ∗ should not be an identity for which A 1 placed a private key extraction query in Phase 1. A 2 relays M 0 , M 1 as its own challenge to B. B chooses γ uniformly at random from {0, 1} and responds with a BasicPub ciphertext C = 〈U, V 〉 of M γ . Next, A 2 runs the H 1 -queries to find a tuple 〈v ∗ , Q, b, c〉 in the H1 list . If c = 0, A 2 aborts the game. Otherwise, c = 1, so Q = bQ v and H 1 (v ∗ ) = Q. A 2 now sets C ∗ = 〈b −1 U, V 〉 and returns C ∗ to A 1 as the challenge ciphertext. Let U = rP and V = M γ ⊕ H 2 (e(Q v , P pub ) r for some random r ∈ Z p . A 2 sets U ′ = b −1 U = b −1 rP = r ′ P . So e(Q, P pub ) r = e(b −1 Q, P pub ) r = e(Q, P pub ) b−1r = e(Q, P pub ) r′ . Hence, C ∗ = 〈U ′ , V 〉 is a proper encryption of M γ under the identity v ∗ . Phase 2: A 1 places additional private key extraction queries with the restriction that it cannot ask for the private key of v ∗ . A 2 responds as in Phase 1. Guess: Finally A 1 outputs its guess γ ′ for γ. A 2 relays this γ ′ as its own guess for γ. If A 2 does not abort the above game, then from the view point of A 1 the situation is identical to that of a real attack. So we have | Pr[γ = γ ′ ] − 1/2| ≥ ɛ where ɛ is the advantage of A 1 against BasicIdent. Boneh and Franklin show that the probability that A 2 does not abort is δ q (1 − δ), where q is the number of key extraction queries and a lower bound is Pr[abort] ≥ 1/(e × (1 + q)), where e is the base of natural logarithms and should not be confused with the notation e() of bilinear map. Hence, A 2 ’s advantage against BasicPub is at least ɛ/(e × (1 + q)). The above technique is similar to Coron’s analysis of Full Domain Hash Signature [35]. In the next step, Boneh-Franklin constructs an algorithm B which solves the BDH problem given the adversary A 2 against BasicPub; relating the advantage of B with that of A 2 . The details of the reduction follow. 21
Page 1: Construction of (Hierarchical) Iden
Page 5: The scientist does not study nature
Page 9 and 10: Contents 1 Introduction 1 1.1 Plan
Page 11: 7.4.1 HIBE H 1 . . . . . . . . . .
Page 14 and 15: the public key. In this setting, an
Page 16 and 17: adversary in distinguishing two mes
Page 18 and 19: previous chapter. The second varian
Page 20 and 21: as it is closer to the known exampl
Page 22 and 23: Let P i = a i P . An algorithm A ha
Page 24 and 25: Given the security parameter κ, th
Page 26 and 27: the Key-Gen algorithm and C is the
Page 28 and 29: Phase 2: A now issues additional qu
Page 30 and 31: Chapter 3 Previous Works in Identit
Page 34 and 35: Game 2 Suppose B is given a BDH pro
Page 36 and 37: Security of BasicHIBE against chose
Page 38 and 39: BB-HIBE Here individual components
Page 40 and 41: F i (v ∗ i ) = α i P , so C =
Page 42 and 43: Key-Gen: Let v = (v 1 , . . . , v n
Page 44 and 45: Composite HIBE Boneh, Boyen and Goh
Page 46 and 47: Security Given an identity tuple v
Page 48 and 49: Chapter 4 Tate Pairing in General C
Page 50 and 51: order on the elliptic curve E(IF p
Page 52 and 53: the best result. In [57] the author
Page 54 and 55: Hence, we require 3[S] + 8[M] for E
Page 56 and 57: Algorithm 2 (iterated doubling): In
Page 58 and 59: Level 1 : t 1 = Y 2 1 ; t 4 = Z 2 1
Page 60 and 61: Table 4.1: Cost Comparison. Note 1[
Page 62 and 63: problem. - Our construction resembl
Page 64 and 65: is equal to c 2 |IF a | 3 . Thus, t
Page 66 and 67: aborts if F (v ∗ ) ≠ 0 and outp
Page 68 and 69: DBDH problem over (G 1 , G 2 , e) i
Page 70 and 71: these are respectively 2.4 kb and 2
Page 72 and 73: Signing: Let M = (m 1 , m 2 , . . .
Page 74 and 75: model without random oracles. Addit
Page 76 and 77: 6.2 Construction HIBE-spp The ident
Page 78 and 79: Table 6.1: Comparison of HIBE Proto
Page 80 and 81: For 1 ≤ j ≤ h, we define severa
Page 82 and 83:
establish the claim. We provide the
Page 84 and 85:
The probability is over the indepen
Page 86 and 87:
= ≥ ( ( 1 − Pr 1 − [( q∨ i=
Page 88 and 89:
of public parameters is significant
Page 90 and 91:
to be I ∗ . It can then ask for t
Page 92 and 93:
Phase 2: The adversary issues addit
Page 94 and 95:
7.3 Interpreting Security Models Th
Page 96 and 97:
7.4 Constructions We present severa
Page 98 and 99:
7.4.2 HIBE H 2 The description of H
Page 100 and 101:
Since b 0,1 , . . . , b 0,h , b 1 ,
Page 102 and 103:
For 1 ≤ i ≤ h, we have V i (y)
Page 104 and 105:
1. The encryption is converted into
Page 106 and 107:
Chapter 8 Constant Size Ciphertext
Page 108 and 109:
Let a private key for (v 1 , . . .
Page 110 and 111:
Phase 1: Suppose a key extraction q
Page 112 and 113:
= γ ( P 3 + ) u∑ V i . i=1 If th
Page 114 and 115:
Encrypt: To encrypt a message M ∈
Page 116 and 117:
and outputs a random bit if there i
Page 118 and 119:
Chapter 9 Augmented Selective-ID Mo
Page 120 and 121:
Phase 1 and Phase 2: As discussed i
Page 122 and 123:
an adversary has to commit to an id
Page 124 and 125:
Table 9.1: Comparison of BBG-HIBE a
Page 126 and 127:
where ˜r = (r − αk F k ). Also
Page 128 and 129:
The maximum height of the HIBE be h
Page 130 and 131:
B declares the public parameters to
Page 132 and 133:
So, the challenge ciphertext is ( C
Page 134 and 135:
Choose a random r ∗ ∈ Z p and f
Page 136 and 137:
The size of the private key in the
Page 138 and 139:
generalisation and move on to addre
Page 140 and 141:
Table 10.3: Comparison of HIBE prot
Page 142 and 143:
[9] Paulo S. L. M. Barreto, Ben Lyn
Page 144 and 145:
[31] Sanjit Chatterjee and Palash S
Page 146 and 147:
[55] Florian Hess, Nigel P. Smart,
Page 148:
[81] Palash Sarkar. Head: Hybrid en
show all

Identity-Based Encryption Protocols Using Bilinear Pairing

Create successful ePaper yourself

Delete template?

Save as template?