Identity-Based Encryption Protocols Using Bilinear Pairing
Identity-Based Encryption Protocols Using Bilinear Pairing
Identity-Based Encryption Protocols Using Bilinear Pairing
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
F i (v ∗ i ) = α i P , so<br />
C = 〈M γ · Z, cP, cF 1 (v ∗ 1), . . . , cF h ′(v ∗ h ′)〉.<br />
If Z = e(P, P ) abc = e(P 1 , P 2 ) c then C is a valid encryption of M γ .<br />
Phase 2: A makes additional queries which B answers just like Phase 1. Total number of<br />
queries in Phase 1 and 2 together should not exceed q.<br />
Guess: Eventually, A outputs its guess γ ′ of γ. If γ ′ = γ, B outputs 1, otherwise it outputs<br />
0.<br />
When Z = e(P, P ) abc , then A’s view in the above game is identical to that in a real<br />
attack. In that case | Pr[γ = γ ′ ] − 1/2| ≥ ɛ. on the other hand if Z is a random element of<br />
G 2 then Pr[γ = γ ′ ] = 1/2. Hence we get,<br />
Adv DBDH<br />
B ≥ ɛ.<br />
In other words, if the (t, ɛ)-DBDH assumption holds in G 1 , G 2 then the h-HIBE of Boneh-<br />
Boyen is (t ′ , q, ɛ)-IND-sID-CPA secure for arbitrary h and q and any t ′ < t − O(τhq) where<br />
τ is the time for a scalar multiplication in G 1 .<br />
3.3 Full Model<br />
Boneh and Boyen were first to propose an IBE [18] whose proof of security in the full model<br />
does not rely on the random oracle heuristic. The construction, however, is not very efficient<br />
and as the authors observed, should be seen as a proof of concept. We reproduce their<br />
construction because of its chronological importance.<br />
Construction<br />
Here the identities are elements of {0, 1} w . These identities are mapped to a random n bit<br />
string through a hash function H k . H k is chosen from a family of hash functions {H k :<br />
{0, 1} w → {0, 1} n } k∈K , where K is the key space for the family of hash functions.<br />
Setup: Choose an arbitrary generator P ∈ G 1 , pick a random x ∈ Z p and set P 1 = xP .<br />
Also choose a random element P 2 ∈ G 1 . Construct a random n×2 matrix U = (U i,j ) ∈ G1<br />
n×2<br />
where each U i,j is uniform in G 1 . Finally pick a random hash function key k ∈ K. The<br />
public parameters are PP = 〈P, P 1 , P 2 , U, k〉 and the master key is msk = xP 2 .<br />
Key-Gen: To generate the private key d v for an identity v ∈ {0, 1} w , compute −→ a =<br />
H k (v) = a 0 , . . . , a n ∈ {0, 1} n and pick random r 1 , . . . , r n ∈ Z p . The private key is d v =<br />
〈xP 2 + ∑ n<br />
i=1 r iU i,ai , r 1 P, . . . , r n P 〉. Note that the private key consists of n + 1 elements of<br />
G 1 .<br />
28