Identity-Based Encryption Protocols Using Bilinear Pairing
Composite HIBE
Boneh, Boyen and Goh also suggested a “product” construction of the constant-size ciphertext
BBG-HIBE and BB-HIBE [19]. In BBG-HIBE the private key size decreases as the
identity level increases, while in BB-HIBE the private key size increases with the
height of an identity. Utilizing the algebraic similarities of the two systems, they construct
a composite scheme where the inner HIBE is the BBG-HIBE and the outer HIBE is the
BB-HIBE. The composite scheme allows a trade-off between the ciphertext size and the private
key size. We suggest a variant of this composite construction in Chapter 9.
3.5 Chosen Ciphertext Security
Security against chosen-ciphertext attack (IND-ID-CCA security) is the strongest notion
of security for any (hierarchical) identity-based encryption scheme. We have already observed
that the initial proposals such as the Boneh-Franklin IBE and Gentry-Silverberg
HIBE applied the Fujisaki-Okamoto transformation to their basic schemes, which are secure in the sense
of IND-ID-CPA, to achieve this goal. However, the Fujisaki-Okamoto transformation uses
cryptographic hash functions that are modelled as random oracles. Protocols that achieve
security against chosen-plaintext attack without random oracles require a different technique
to achieve chosen-ciphertext security.
Canetti, Halevi and Katz introduced a generic transformation [27] to achieve CCA security.
Given any (h + 1)-level HIBE which is secure against chosen-plaintext attack, this
generic transformation yields an h-level HIBE which is secure against chosen-ciphertext attack.
This transformation uses a strongly unforgeable one-time signature scheme. Boneh and
Katz suggested a modification [21] where the one-time signature scheme is replaced by a
MAC, thereby increasing the efficiency of the transformation.
We now detail the signature-based approach. A signature scheme is defined by three
probabilistic polynomial time algorithms as follows:
Key-Gen: On input the security parameter 1^κ, this probabilistic polynomial time algorithm
outputs a pair consisting of a signing key (sk) and a verification key (vk).
Sign: This algorithm takes as input a signing key sk and a message M from the appropriate
message space ℳ and outputs a signature σ.
Verify: This is a deterministic algorithm which, on input a verification key vk, a message
M and a signature σ on M, outputs accept or reject depending on whether σ is a proper
signature on M or not.
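The (Key-Gen, Sign, Verify) interface above, instantiated with Lamport's hash-based one-time signature as an added example that is not part of the original text. The choice of SHA-256 as the one-way function, the 256-bit digest length and the `OneTimeSigner` wrapper are assumptions of this example.

```python
import hashlib
import hmac
import secrets

N = 256  # assumption: messages are hashed to N bits; one secret pair per bit


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def _bits(message: bytes):
    """Bits of SHA-256(message), most significant bit first."""
    digest = _h(message)
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(N)]


def key_gen():
    """Key-Gen: sk is N pairs of random preimages, vk is their hashes."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(N)]
    vk = [(_h(a), _h(b)) for a, b in sk]
    return sk, vk


class OneTimeSigner:
    """Holds sk and refuses to run Sign more than once."""

    def __init__(self, sk):
        self._sk = sk

    def sign(self, message: bytes):
        if self._sk is None:
            raise RuntimeError("signing key already used")
        # Reveal one preimage per digest bit: sk[i][bit_i].
        sigma = [pair[bit] for pair, bit in zip(self._sk, _bits(message))]
        self._sk = None  # a second signature would disclose further preimages
        return sigma


def verify(vk, message: bytes, sigma) -> bool:
    """Verify: deterministic; accept iff every revealed value hashes to vk."""
    if len(sigma) != N:
        return False
    ok = True
    for pair, bit, s in zip(vk, _bits(message), sigma):
        ok &= hmac.compare_digest(_h(s), pair[bit])
    return ok
```

Strong unforgeability here rests on the hash being second-preimage resistant: a different σ for the same M would require a second preimage of some value in vk.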
A signature scheme (Key-Gen, Sign, Verify) is a strong, one-time scheme if the success
probability of any probabilistic polynomial time adversary A is negligible in κ in the following
game.