Identity-Based Encryption Protocols Using Bilinear Pairing

More documents

Recommendations

Info

Composite HIBE Boneh, Boyen and Goh also suggested a “product” construction of the constant ciphertext BBG-HIBE and BB-HIBE [19]. In case of BBG-HIBE the private key size decreases with the increase in identity level. While in case of BB-HIBE the private key size increases with the height of an identity. Utilizing the algebraic similarities of both the systems they construct a composite scheme where the inner HIBE is the BBG-HIBE and the outer HIBE is the BB- HIBE. The composite scheme allows a trade-off between the ciphertext size and the private key size. We suggest a variant of this composite construction in Chapter 9. 3.5 Chosen Ciphertext Security Security against chosen-ciphertext attack (IND-ID-CCA security) is the strongest notion of security for any (hierarchical) identity-based encryption scheme. We have already observed that the initial proposals such as the Boneh-Franklin IBE and Gentry-Silverberg HIBE used the Fujisaki-Okamoto transformation to their basic schemes secure in the sense of IND-ID-CPA to achieve this goal. However, the Fujisaki-Okamoto transformation uses cryptographic hash functions that are modelled as random oracles. <strong>Protocols</strong> that achieve security against chosen-plaintext attack without random oracle require a different technique to achieve chosen-ciphertext security. Canetti, Halevi and Katz introduced a generic transformation [27] to achieve CCA security. Given any (h + 1) level HIBE which is secure against chosen-plaintext attack, this generic transformation yields an h level HIBE which is secure against chosen ciphertext attack. This transformation uses a strongly unforgable one time signature scheme. Boneh and Katz suggested a modification [21] where the one time signature scheme is replaced by a MAC, there by increasing the efficiency of the transformation. We now detail the signature based approach. A signature scheme is defined by three probabilistic polynomial time algorithms as follows: Key-Gen: On input the security parameter 1 κ , this probabilistic polynomial time algorithm outputs a pair of signing key (sk) and verification key (vk). Sign: This algorithm takes input a signing key sk and a message M from the appropriate message space M and outputs a signature σ. Verify: This is a deterministic algorithm which on input a verification key vk, a message M and a signature σ on M outputs accept or reject depending on whether σ is a proper signature on M or not. A signature scheme (Key-Gen, Sign, Verify) is a strong, one-time scheme if the success probability of any probabilistic polynomial time adversary A is negligible in κ in the following game. 32
1. Key-Gen(1 κ ) outputs (vk, sk). The adversary A is given κ and vk. 2. A(1 κ , vk) may take one of the following actions: (a) A outputs a pair (M ∗ , σ ∗ ) and halts. In this case (M, σ) is undefined. (b) A outputs a message M and in return is given a signature of M under the signing key sk, i.e., σ ← Sign sk (M). Then A outputs a pair (M ∗ , σ ∗ ). A succeeds in the game if σ ∗ is a proper signature of M ∗ under the verification key vk, i.e., Verify vk (M ∗ , σ ∗ ) = accept but (M ∗ , σ ∗ ) ≠ (M, σ). A may succeed even if M ∗ = M. Let H ′ = (Setup, Der ′ , E ′ , D ′ ) be an (h + 1)-HIBE for arbitrary h ≥ 1 handling (n + 1)-bit identities. Let Sig = (Key-Gen, Sig, Verify) be a signature scheme which outputs an n-bit signature. If H ′ is secure in the sense IND-sID-CPA and Sig is a strong one-time signature scheme, then one can construct an h-HIBE secure in the sense IND-sID-CCA that handles n-bit identities. Given an identity tuple v = (v 1 , . . . , v j ) ∈ ({0, 1} n ) j of H we map it to an identity tuple of H ′ as Encode(v) = (0v 1 , . . . , 0v j ) ∈ ({0, 1} n+1 ) j and Encode(ε) = ε, i.e the null string is mapped to itself. Let ˆv = Encode(v), the HIBE H is constructed in such a way that the private key d v of an identity tuple v in H is equal to the private key d ′ˆv of ˆv in H′ . Construction of H Setup: Same as the Setup algorithm of H ′ . The master key of H ′ , msk H ′ is the master key, msk H of H. Key-Gen: Let d v be the private key of v. To derive the private key of (v, r) find ˆv = Encode(v) and ˆr = Encode(r). Run Der ′ d v (ˆv,ˆr) and output the result as d v,r . Note that, d v,r = dˆv,ˆr , given d v = d ′ˆv . Encrypt: To encrypt a message M to an identity tuple v, run the key generation algorithm of Sig, Key-Gen(1 κ ) to obtain (vk, sk). Let ˆv = Encode(v)||(1vk), compute C = E PP ′ (ˆv, M) and σ = Sign sk (C). The ciphertext is the tuple 〈vk, C, σ〉. Decrypt: Given the ciphertext 〈vk, C, σ〉, first check whether Verify vk (C, σ) = accept. If not reject the ciphertext. Otherwise, let ˆv = Encode(v) and run Der ′ d v (ˆv, (1vk)) to generate the private key d∗ = d ′ˆv||(1vk). Then output M = D′ d∗ (ˆv, C). 33
Page 1: Construction of (Hierarchical) Iden
Page 5: The scientist does not study nature
Page 9 and 10: Contents 1 Introduction 1 1.1 Plan
Page 11: 7.4.1 HIBE H 1 . . . . . . . . . .
Page 14 and 15: the public key. In this setting, an
Page 16 and 17: adversary in distinguishing two mes
Page 18 and 19: previous chapter. The second varian
Page 20 and 21: as it is closer to the known exampl
Page 22 and 23: Let P i = a i P . An algorithm A ha
Page 24 and 25: Given the security parameter κ, th
Page 26 and 27: the Key-Gen algorithm and C is the
Page 28 and 29: Phase 2: A now issues additional qu
Page 30 and 31: Chapter 3 Previous Works in Identit
Page 32 and 33: Decrypt: Decrypt C = 〈U, V 〉 us
Page 34 and 35: Game 2 Suppose B is given a BDH pro
Page 36 and 37: Security of BasicHIBE against chose
Page 38 and 39: BB-HIBE Here individual components
Page 40 and 41: F i (v ∗ i ) = α i P , so C =
Page 42 and 43: Key-Gen: Let v = (v 1 , . . . , v n
Page 46 and 47: Security Given an identity tuple v
Page 48 and 49: Chapter 4 Tate Pairing in General C
Page 50 and 51: order on the elliptic curve E(IF p
Page 52 and 53: the best result. In [57] the author
Page 54 and 55: Hence, we require 3[S] + 8[M] for E
Page 56 and 57: Algorithm 2 (iterated doubling): In
Page 58 and 59: Level 1 : t 1 = Y 2 1 ; t 4 = Z 2 1
Page 60 and 61: Table 4.1: Cost Comparison. Note 1[
Page 62 and 63: problem. - Our construction resembl
Page 64 and 65: is equal to c 2 |IF a | 3 . Thus, t
Page 66 and 67: aborts if F (v ∗ ) ≠ 0 and outp
Page 68 and 69: DBDH problem over (G 1 , G 2 , e) i
Page 70 and 71: these are respectively 2.4 kb and 2
Page 72 and 73: Signing: Let M = (m 1 , m 2 , . . .
Page 74 and 75: model without random oracles. Addit
Page 76 and 77: 6.2 Construction HIBE-spp The ident
Page 78 and 79: Table 6.1: Comparison of HIBE Proto
Page 80 and 81: For 1 ≤ j ≤ h, we define severa
Page 82 and 83: establish the claim. We provide the
Page 84 and 85: The probability is over the indepen
Page 86 and 87: = ≥ ( ( 1 − Pr 1 − [( q∨ i=
Page 88 and 89: of public parameters is significant
Page 90 and 91: to be I ∗ . It can then ask for t
Page 92 and 93: Phase 2: The adversary issues addit
Page 94 and 95:
7.3 Interpreting Security Models Th
Page 96 and 97:
7.4 Constructions We present severa
Page 98 and 99:
7.4.2 HIBE H 2 The description of H
Page 100 and 101:
Since b 0,1 , . . . , b 0,h , b 1 ,
Page 102 and 103:
For 1 ≤ i ≤ h, we have V i (y)
Page 104 and 105:
1. The encryption is converted into
Page 106 and 107:
Chapter 8 Constant Size Ciphertext
Page 108 and 109:
Let a private key for (v 1 , . . .
Page 110 and 111:
Phase 1: Suppose a key extraction q
Page 112 and 113:
= γ ( P 3 + ) u∑ V i . i=1 If th
Page 114 and 115:
Encrypt: To encrypt a message M ∈
Page 116 and 117:
and outputs a random bit if there i
Page 118 and 119:
Chapter 9 Augmented Selective-ID Mo
Page 120 and 121:
Phase 1 and Phase 2: As discussed i
Page 122 and 123:
an adversary has to commit to an id
Page 124 and 125:
Table 9.1: Comparison of BBG-HIBE a
Page 126 and 127:
where ˜r = (r − αk F k ). Also
Page 128 and 129:
The maximum height of the HIBE be h
Page 130 and 131:
B declares the public parameters to
Page 132 and 133:
So, the challenge ciphertext is ( C
Page 134 and 135:
Choose a random r ∗ ∈ Z p and f
Page 136 and 137:
The size of the private key in the
Page 138 and 139:
generalisation and move on to addre
Page 140 and 141:
Table 10.3: Comparison of HIBE prot
Page 142 and 143:
[9] Paulo S. L. M. Barreto, Ben Lyn
Page 144 and 145:
[31] Sanjit Chatterjee and Palash S
Page 146 and 147:
[55] Florian Hess, Nigel P. Smart,
Page 148:
[81] Palash Sarkar. Head: Hybrid en
show all

Identity-Based Encryption Protocols Using Bilinear Pairing

Create successful ePaper yourself

Delete template?

Save as template?