Identity-Based Encryption Protocols Using Bilinear Pairing
Security
Given an identity tuple $v = (v_1, \ldots, v_j)$, $j \le h$, in $H$, the sender encrypts the message $M$ to a $(j+1)$-level identity $\hat{v} = (\mathrm{Encode}(v), (1vk))$ of $H'$, where $vk$ is the verification key of the underlying signature scheme. The receiver having identity $v$ first derives the private key of $\hat{v}$ in $H'$ from the private key $d_v$ in $H$ using the key generation algorithm of $H'$. We assume that the probability of forging a signature, $\Pr[\mathrm{Forge}]$, is negligible. Then, by a reductionist security argument, Boneh, Canetti, Halevi and Katz show that if there is an IND-sID-CCA adversary $A$ against $H$ in the selective-ID model, then one can construct an IND-sID-CPA adversary $A'$ against $H'$ in the same model. Here we reproduce their argument:
1. $A'$ runs the IND-sID-CCA adversary $A$, which outputs a target identity tuple $v^* = \langle v^*_1, \ldots, v^*_j \rangle$, $j \le h$. $A'$ next runs the key generation algorithm Key-Gen of Sig to generate $(vk^*, sk^*)$. It outputs $\mathrm{Encode}(v^*), (1vk^*)$ as its target identity.
2. The challenger gives $A'$ the public parameter PP, which it relays to $A$.
3. $A$ asks for the private key of an identity $v$ which is not a prefix of $v^*$. $A'$ asks its challenger for the private key $d_{\hat{v}}$, where $\hat{v} = \mathrm{Encode}(v)$, and returns it to $A$.
4. For a decryption query of the form $(v, \langle vk, C, \sigma \rangle)$ from $A$, $A'$ takes the following action:
   (a) If $v = v^*$ and $vk = vk^*$, return reject.
   (b) If $v \ne v^*$, or if $v = v^*$ but $vk \ne vk^*$, then $A'$ sets $\hat{v} = \mathrm{Encode}(v)$ and asks its challenger for the private key of $\hat{v}, (1vk)$. It decrypts the ciphertext using this private key and returns the result to $A$.
5. In the challenge stage, $A$ outputs two messages $M_0, M_1$. The same messages are also output by $A'$. It receives a challenge ciphertext $C^*$. Now $A'$ computes $\sigma^* = \mathrm{Sign}_{sk^*}(C^*)$ and returns the ciphertext $\langle vk^*, C^*, \sigma^* \rangle$ to $A$.
6. In phase 2, $A$ makes additional decryption queries and private key extraction queries. These queries are answered as before.
7. Finally, $A$ outputs its guess $\gamma'$. The same $\gamma'$ is output by $A'$.
In the above simulation, $A'$ poses as a real challenger for $A$. Since we have assumed that the probability of forging a signature is negligible, the advantage of $A$ against $H$ translates into the advantage of $A'$ against $H'$.
Note that, if $H'$ is adaptive chosen plaintext secure in the full model (i.e., IND-ID-CPA secure), then $H$ will be adaptive chosen ciphertext secure (i.e., IND-ID-CCA secure) in the full model.
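
The data flow of the transformation described at the start of this section, as an added example that is not code from the original text: encrypt to $(\mathrm{Encode}(v), (1vk))$, sign $C$, and on receipt verify, derive the child key from $d_v$, then decrypt. Assumptions: the HIBE is a keyed toy stand-in (not a real pairing-based scheme), Sig is instantiated with a Lamport one-time signature, Encode is taken to prefix each component with 0, and the receiver is taken to verify $\sigma$ before decrypting.

```python
import hashlib, hmac, os

def _h(b): return hashlib.sha256(b).digest()
def _xor(a, b): return bytes(x ^ y for x, y in zip(a, b))

# Stand-in for the CPA-secure HIBE H' (NOT a real HIBE: a keyed toy whose
# "encryption" needs the master secret; it only models key delegation).
def derive(key, *ids):                      # Key-Gen of H': parent key -> child key
    for i in ids:
        key = hmac.new(key, i, "sha256").digest()
    return key
def hibe_enc(msk, identity, m): return _xor(m, _h(derive(msk, *identity)))  # malleable pad
def hibe_dec(d, c): return _xor(c, _h(d))

# Lamport one-time signature standing in for Sig = (Key-Gen, Sign, Verify).
def _bits(c):
    d = _h(c)
    return [(d[i // 8] >> (i % 8)) & 1 for i in range(256)]
def ots_keygen():
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    return b"".join(_h(x) for pair in sk for x in pair), sk
def ots_sign(sk, c): return b"".join(sk[i][b] for i, b in enumerate(_bits(c)))
def ots_verify(vk, c, sig):
    return len(vk) == 16384 and len(sig) == 8192 and all(
        _h(sig[32*i:32*i+32]) == vk[32*(2*i+b):32*(2*i+b+1)]
        for i, b in enumerate(_bits(c)))

# The transformation: CCA-secure H built from H' and Sig.
def encode(v): return tuple(b"0" + x for x in v)   # assumed definition of Encode
def cca_encrypt(msk, v, m):
    vk, sk = ots_keygen()                   # fresh key pair for every ciphertext
    c = hibe_enc(msk, encode(v) + (b"1" + vk,), m)
    return vk, c, ots_sign(sk, c)
def cca_decrypt(d_v, ct):
    vk, c, sig = ct
    if not ots_verify(vk, c, sig):
        return None                         # reject
    return hibe_dec(derive(d_v, b"1" + vk), c)

def demo():
    msk, v, m = os.urandom(32), (b"org", b"alice"), b"quarterly report"  # constructed
    d_v = derive(msk, *encode(v))           # receiver's private key for v
    vk, c, sig = ct = cca_encrypt(msk, v, m)
    flipped = _xor(c, b"\x01" + bytes(len(c) - 1))   # maul one bit of C
    vk2, sk2 = ots_keygen()                 # re-sign the mauled C under a new key
    resigned = (vk2, flipped, ots_sign(sk2, flipped))
    return cca_decrypt(d_v, ct), cca_decrypt(d_v, (vk, flipped, sig)), cca_decrypt(d_v, resigned), m
```

`demo()` returns the honest decryption, the result for a mauled $C$ under the original $vk$ (rejected), and the result for a mauled $C$ re-signed under a new $vk$, which verifies but decrypts under a different identity and so yields unrelated bytes.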
Given this generic transformation to achieve CCA-security, protocol designers generally concentrate on constructing protocols that achieve CPA-security (be it in the full model or the selective-ID model) without random oracles and then apply this transformation to