Identity-Based Encryption Protocols Using Bilinear Pairing
Identity-Based Encryption Protocols Using Bilinear Pairing
Identity-Based Encryption Protocols Using Bilinear Pairing
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
Key-Gen: Let v = (v 1 , . . . , v n ) ∈ {0, 1} n be any identity. A secret key for v is generated<br />
as follows. Choose a random r ∈ Z ∗ p, then the private key for v is<br />
where<br />
Encrypt:<br />
d v = (xP 2 + rV, rP ).<br />
V = U ′ +<br />
∑<br />
{i:v i =1}<br />
U i .<br />
Any message M ∈ G 2 is encrypted for an identity v as<br />
C = (e(P 1 , P 2 ) t M, tP, tV ),<br />
where t is a random element of Z p and V is as defined in key generation algorithm.<br />
Decrypt: Let C = (C 1 , C 2 , C 3 ) be a ciphertext and v be the corresponding identity. Then<br />
we decrypt C using secret key d v = (d 1 , d 2 ) by computing<br />
C 1<br />
e(d 2 , C 3 )<br />
e(d 1 , C 2 ) .<br />
We give an intuitive understanding of the security reduction of this protocol. One of<br />
the contributions of the present work is a generalisation of Waters construction. We give a<br />
security proof of this generalised construction in Chapter 5.<br />
Waters construction has some similarity with the BB-HIBE of Section 3.2. <strong>Using</strong> a<br />
similar algebraic technique of Boneh-Boyen, Waters forms a simulator B, that solves the<br />
DBDH problem given an adversary A against the IBE with advantage ɛ.<br />
In the simulation, B constructs a function F : I → Z p , where I is the set of identities,<br />
in such a way that given an identity v it can form a proper private key d v only if F (v) ≠<br />
0. In contrast, it can form a proper challenge for an identity v ∗ only if F (v ∗ ) = 0. We<br />
have already observed that this complementary condition for key generation and challenge<br />
generation is a hallmark of all the encryption protocols described so far. Because of this<br />
complementary condition there are certain identities for which the simulator cannot generate<br />
the private key and for some other identities it is unable to generate a proper challenge. In<br />
such situations, the simulator has to abort the game and we have no way to correlate the<br />
adversarial advantage against the encryption protocol to that of solving the underlying hard<br />
problem. This is the cause of degradation in the security reduction.<br />
The complementary condition of key generation and target generation is also true for the<br />
protocols secure under the selective-ID model. The simulator cannot generate the private<br />
key of the target identity or any of its prefix. In sID model, however, we do not have any<br />
security degradation because of the restriction of the model. The adversary commits to a<br />
target identity ahead of the system setup. So the simulator chooses the system parameters<br />
in such a way that it can answer all the key extraction queries of the adversary and also<br />
generate the target ciphertext with probability one.<br />
30