Identity-Based Encryption Protocols Using Bilinear Pairing

More documents

Recommendations

Info

Security of BasicHIBE against chosen plaintext attack (i.e., IND-ID-CPA security) can be proved in the same manner as that of the BasicIdent of previous section. In the first stage, an IND-ID-CPA adversary, A 1 against BasicHIBE is used to construct an IND-CPA adversary A 2 against BasicPub (the same public key encryption scheme defined in the context of Boneh-Franklin IBE). In the next stage, this A 2 is utilised to construct an algorithm B that solves the BDH problem. However, Gentry and Silverberg first prove the security in the non-adaptive setting and later extend it to the adaptive setting. In the non-adaptive setting, A 1 a-priori fixes a target identity v ∗ = (v1, ∗ . . . , vj), ∗ j ≥ 1. Given v ∗ , A 2 forms the H1 list in such a way that given any identity v it can generate the private key of v, provided v is not a prefix of v ∗ . Similarly in the challenge phase, it can generate a proper encryption of M γ under v ∗ , given a proper encryption of M γ in BasicPub. This way, the advantage of A 1 against BasicHIBE can be directly converted into the advantage of A 2 against BasicPub without any degradation. The security reduction in the adaptive setting, however, suffers from a large degradation factor. Let’s briefly see why this is so. Here, instead of a single identity, we have an identity tuple of arbitrary levels. Recall that in the reduction for BasicIdent of Section 3.1, a typical entry in H1 list is of the form 〈v, Q, b, c〉. In case of BasicHIBE an entry for v = (v 1 , . . . , v j ) is of the form 〈v i 〉, 〈Q vi 〉, 〈b i 〉, 〈c i 〉 where 1 ≤ i ≤ j, i.e., each 〈· · ·〉 contains j many entries, whereas in case of BasicIdent of Section 3.1 they contained only a single term. Let the target identity be v ∗ = (v1, ∗ . . . , vh ∗ ) then the corresponding entry in the Hlist 1 has terms c 1 , . . . , c h ∈ {0, 1} h . So, instead of a single c, we have to maintain h many c i s in H1 list . A 2 can generate a proper challenge ciphertext if and only if all these h c i s have the same value, 1. But these c i s are chosen independently at random, so the probability that all are 1 is the product of the probabilities that each is 1. Hence, we get a security degradation which is exponential in the number of levels in the target identity tuple. Once A 2 has been constructed, either in the adaptive or the non-adaptive setting, the next stage of the reduction is exactly that of Game 2 in case of Boneh-Franklin IBE. Finally, in the adaptive setting one gets the following result: Adv BasicHIBE A 1 ≤ (e × (q + h))h q H2 ɛ BDH h where e is the base of natural logarithm. This means, if there is an IND-ID-CPA adversary A 1 in the adaptive setting having advantage ɛ against BasicHIBE and that makes at most q H2 queries to H 2 and q private key extraction queries and H 1 , H 2 are random oracles then there is an algorithm B that solves the BDH problem with advantage at least (ɛ(h/e × (q + h)) h )q −1 H 2 , where h is the number of levels in the target identity. So the security degrades exponentially with the number of levels of the HIBE. Applying the Fujisaki-Okamoto transformation to the BasicHIBE, Gentry and Silverberg obtains an IND-ID-CCA secure HIBE which is called FullHIBE. The construction as well as the security proof is analogous to that of FullIdent and not detailed here. Similarly, Galindo’s observation [47] with respect to FullIdent is also applicable for the scheme FullHIBE. 24
3.2 From Random Oracle to Standard Model Both the Boneh-Franklin IBE and the Gentry-Silverberg HIBE schemes depend on the random oracle heuristic for their proof of security. The first move to get rid of the random oracle assumption was taken by Canetti, Halevi and Katz [26, 27]. However, they had to weaken the security notion from the full model to the so called selective-ID model of Section 2.5.3 while moving in this goal. We have already observed that two random oracles (namely H 1 , H 2 ) are used in the security proof of BasicIdent and BasicHIBE. We need another two random oracles, H 3 and H 4 to achieve CCA security for the above protocols. These four random oracle serve three distinct purposes. H 1 is used to map an identity to a random element of G 1 , H 2 is used to relate the security of the scheme with that of BDH problem while H 3 , H 4 come into play because of the Fujisaki-Okamoto transformation to achieve chosen ciphertext security from a given chosen plaintext secure scheme. H 2 can be done away with if one is prepared to rely on the (presumably stronger) decisional bilinear Diffie-Hellman assumption (DBDH). Canetti, Halevi and Katz [27] proposed a different generic transformation to achieve CCA security, thereby removing the need to rely on random oracles H 3 , H 4 . The efficiency of this generic transformation was later improved by Boneh and Katz [21]. We discuss this generic transformation in Section 3.5. Here we concentrate on constructions that achieve security against chosen plaintext attack under the selective-ID model. By restricting the adversary’s behaviour, it is possible to construct protocols secure in the selective-ID model that avoid any degradation in the security reduction. The BasicHIBE of Gentry-Silverberg [49] secure in the non-adaptive setting can be seen as secure in the selective-ID model, though the model was not formalised when the scheme was first proposed. Canetti, Halevi and Katz [26] introduced the notion of binary tree encryption (BTE). A BTE differs from HIBE in the sense that each node in the BTE has two children – the left child and the right child. BTE is a public key encryption scheme and they also show [26] how an (H)IBE can be constructed from any BTE. This gives the first (H)IBE construction that is secure without random oracle in the selective-ID model. We do not detail their construction and security proof here. One limitation of the construction is large computational overhead – one pairing computation for each bit of identity during decryption. 3.2.1 Selective-ID Secure HIBE Boneh and Boyen proposed two efficient IBE schemes that are secure in the selective-ID model without random oracle. The first construction was presented as an HIBE which we call BB-HIBE. We give a detailed description of the BB-HIBE protocol and its security reduction below. One reason being that we generalize this protocol to propose two new constructions in Chapter 7. Another reason is that the algebraic technique introduced in this work for private key extraction was adapted in later works (including ours). 25
Page 1: Construction of (Hierarchical) Iden
Page 5: The scientist does not study nature
Page 9 and 10: Contents 1 Introduction 1 1.1 Plan
Page 11: 7.4.1 HIBE H 1 . . . . . . . . . .
Page 14 and 15: the public key. In this setting, an
Page 16 and 17: adversary in distinguishing two mes
Page 18 and 19: previous chapter. The second varian
Page 20 and 21: as it is closer to the known exampl
Page 22 and 23: Let P i = a i P . An algorithm A ha
Page 24 and 25: Given the security parameter κ, th
Page 26 and 27: the Key-Gen algorithm and C is the
Page 28 and 29: Phase 2: A now issues additional qu
Page 30 and 31: Chapter 3 Previous Works in Identit
Page 32 and 33: Decrypt: Decrypt C = 〈U, V 〉 us
Page 34 and 35: Game 2 Suppose B is given a BDH pro
Page 38 and 39: BB-HIBE Here individual components
Page 40 and 41: F i (v ∗ i ) = α i P , so C =
Page 42 and 43: Key-Gen: Let v = (v 1 , . . . , v n
Page 44 and 45: Composite HIBE Boneh, Boyen and Goh
Page 46 and 47: Security Given an identity tuple v
Page 48 and 49: Chapter 4 Tate Pairing in General C
Page 50 and 51: order on the elliptic curve E(IF p
Page 52 and 53: the best result. In [57] the author
Page 54 and 55: Hence, we require 3[S] + 8[M] for E
Page 56 and 57: Algorithm 2 (iterated doubling): In
Page 58 and 59: Level 1 : t 1 = Y 2 1 ; t 4 = Z 2 1
Page 60 and 61: Table 4.1: Cost Comparison. Note 1[
Page 62 and 63: problem. - Our construction resembl
Page 64 and 65: is equal to c 2 |IF a | 3 . Thus, t
Page 66 and 67: aborts if F (v ∗ ) ≠ 0 and outp
Page 68 and 69: DBDH problem over (G 1 , G 2 , e) i
Page 70 and 71: these are respectively 2.4 kb and 2
Page 72 and 73: Signing: Let M = (m 1 , m 2 , . . .
Page 74 and 75: model without random oracles. Addit
Page 76 and 77: 6.2 Construction HIBE-spp The ident
Page 78 and 79: Table 6.1: Comparison of HIBE Proto
Page 80 and 81: For 1 ≤ j ≤ h, we define severa
Page 82 and 83: establish the claim. We provide the
Page 84 and 85: The probability is over the indepen
Page 86 and 87:
= ≥ ( ( 1 − Pr 1 − [( q∨ i=
Page 88 and 89:
of public parameters is significant
Page 90 and 91:
to be I ∗ . It can then ask for t
Page 92 and 93:
Phase 2: The adversary issues addit
Page 94 and 95:
7.3 Interpreting Security Models Th
Page 96 and 97:
7.4 Constructions We present severa
Page 98 and 99:
7.4.2 HIBE H 2 The description of H
Page 100 and 101:
Since b 0,1 , . . . , b 0,h , b 1 ,
Page 102 and 103:
For 1 ≤ i ≤ h, we have V i (y)
Page 104 and 105:
1. The encryption is converted into
Page 106 and 107:
Chapter 8 Constant Size Ciphertext
Page 108 and 109:
Let a private key for (v 1 , . . .
Page 110 and 111:
Phase 1: Suppose a key extraction q
Page 112 and 113:
= γ ( P 3 + ) u∑ V i . i=1 If th
Page 114 and 115:
Encrypt: To encrypt a message M ∈
Page 116 and 117:
and outputs a random bit if there i
Page 118 and 119:
Chapter 9 Augmented Selective-ID Mo
Page 120 and 121:
Phase 1 and Phase 2: As discussed i
Page 122 and 123:
an adversary has to commit to an id
Page 124 and 125:
Table 9.1: Comparison of BBG-HIBE a
Page 126 and 127:
where ˜r = (r − αk F k ). Also
Page 128 and 129:
The maximum height of the HIBE be h
Page 130 and 131:
B declares the public parameters to
Page 132 and 133:
So, the challenge ciphertext is ( C
Page 134 and 135:
Choose a random r ∗ ∈ Z p and f
Page 136 and 137:
The size of the private key in the
Page 138 and 139:
generalisation and move on to addre
Page 140 and 141:
Table 10.3: Comparison of HIBE prot
Page 142 and 143:
[9] Paulo S. L. M. Barreto, Ben Lyn
Page 144 and 145:
[31] Sanjit Chatterjee and Palash S
Page 146 and 147:
[55] Florian Hess, Nigel P. Smart,
Page 148:
[81] Palash Sarkar. Head: Hybrid en
show all

Identity-Based Encryption Protocols Using Bilinear Pairing

Create successful ePaper yourself

Delete template?

Save as template?