Identity-Based Encryption Protocols Using Bilinear Pairing

More documents

Recommendations

Info

Security Given an identity tuple v = (v 1 , . . . , v j ), j ≤ h in H, the sender encrypts the message M to a (j + 1) level identity ˆv = (Encode(v), (1vk)) of H ′ where vk is the verification key of the underlying signature scheme. The receiver having identity v first derives the private key of ˆv in H ′ from the private key d v in H using the key generation algorithm of H ′ . We assume that the probability of forging a signature, Pr[Forge] is negligible. Then by a reductionist security argument Boneh, Canetti, Halevi and Katz show that if there is an IND-sID-CCA adversary A against H in the selective-ID model then one can construct an IND-sID-CPA adversary A ′ against H ′ in the same model. Here we reproduce their argument: 1. A ′ runs the IND-sID-CCA adversary A which outputs a target identity tuple v ∗ = 〈v ∗ 1, . . . , v ∗ j〉, j ≤ h. A ′ next runs the key generation algorithm Key-Gen of Sig to generate (vk ∗ , sk ∗ ). It outputs Encode(v ∗ ), (1vk ∗ ) as its target identity. 2. The challenger gives A ′ the public parameter PP, which it relays to A. 3. A asks for the private key of an identity v, which is not a prefix of v ∗ . A ′ asks its challenger for the private key dˆv where ˆv = Encode(v) and returns it to A. 4. For a decryption query of the form (v, 〈vk, C, σ〉) from A, A ′ takes the following action: (a) If v = v ∗ and vk = vk ∗ , return reject. (b) If v ≠ v ∗ or if v = v ∗ but vk ≠ vk ∗ , then A ′ sets ˆv = Encode(v) and requests its challenger for the private key of ˆv, (1vk). It decrypts the ciphertext using this private key and returns the result to A. 5. In the challenge stage A outputs two messages M 0 , M 1 . The same messages are also output by A ′ . It receives a challenge ciphertext C ∗ . Now A ′ computes σ ∗ = Sign sk ∗(C ∗ ) and returns the ciphertext 〈vk ∗ , C ∗ , σ ∗ 〉 to A. 6. In phase 2 A makes additional decryption queries and private key extraction queries. These queries are answered as before. 7. Finally A outputs its guess γ ′ . The same γ ′ is output by A ′ . In the above simulation, A ′ poses as a real challenger for A. Since we have assumed that the probability of forging a signature is negligible, the advantage of A against H translates into the advantage of A ′ against H ′ . Note that, if H ′ is adaptive chosen plaintext secure in the full model (i.e., IND-ID-CPA secure), then H will be adaptive chosen ciphertext secure (i.e., IND-ID-CCA secure) in the full model. Given this generic transformation to achieve CCA-security, protocol designers generally concentrate on constructing protocols that achieve CPA-security (be it in the full model or the selective-ID model) without random oracle and then apply this transformation to 34
achieve CCA-security. <strong>Protocols</strong> such as the Boneh-Boyen HIBE of Section 3.2.1 and the Boneh-Boyen-Goh HIBE of Section 3.4.1 accomplish this in the selective-ID model, while the Boneh-Boyen IBE and Waters IBE of Section 3.3 accomplish this in the full model. Boyen, Mei and Waters proposed an endogenous transformation to achieve CCA security [23]. Their technique uses the structure of the underlying HIBE and there by avoid the use of one time signature or MAC. In their work they have suggested that when applied to BB-HIBE or BBG-HIBE this technique yields a selective-ID CCA-secure hierarchical identity-based key encapsulation mechanism (HIB-KEM) and for Waters protocol modified to HIBE, an adaptive identity CCA-secure HIBE. In view of these developments, we concentrate on only designing CPA-secure protocols in this dissertation. Any of the transformations mentioned above can be applied on the CPA-secure protocols discussed in this work to achieve CCA-security. 3.6 Conclusion In this chapter, we reviewed some of the important (hierarchical) identity-based encryption protocols proposed in the literature. Along with the protocols, in some cases we have discussed the salient features of the proof technique while an intuitive justification of the proof is given for some others. These protocols are proved secure against chosen plaintext attack. Methods for achieving CCA-security is also mentioned. Our aim was not an exhaustive survey of the area, but an exposition of the basic issues in identity-based encryption, developments in the proof techniques, the prospects as well as the problems. It also helps to present our work in the proper context. This being an emerging research area, new concepts are still evolving. The IBE proposed by Gentry in [48] , the concept of anonymous IBE [1] and the anonymous HIBE proposed by Boyen and Waters in [24] are some important recent developments not discussed here. 35
Page 1: Construction of (Hierarchical) Iden
Page 5: The scientist does not study nature
Page 9 and 10: Contents 1 Introduction 1 1.1 Plan
Page 11: 7.4.1 HIBE H 1 . . . . . . . . . .
Page 14 and 15: the public key. In this setting, an
Page 16 and 17: adversary in distinguishing two mes
Page 18 and 19: previous chapter. The second varian
Page 20 and 21: as it is closer to the known exampl
Page 22 and 23: Let P i = a i P . An algorithm A ha
Page 24 and 25: Given the security parameter κ, th
Page 26 and 27: the Key-Gen algorithm and C is the
Page 28 and 29: Phase 2: A now issues additional qu
Page 30 and 31: Chapter 3 Previous Works in Identit
Page 32 and 33: Decrypt: Decrypt C = 〈U, V 〉 us
Page 34 and 35: Game 2 Suppose B is given a BDH pro
Page 36 and 37: Security of BasicHIBE against chose
Page 38 and 39: BB-HIBE Here individual components
Page 40 and 41: F i (v ∗ i ) = α i P , so C =
Page 42 and 43: Key-Gen: Let v = (v 1 , . . . , v n
Page 44 and 45: Composite HIBE Boneh, Boyen and Goh
Page 48 and 49: Chapter 4 Tate Pairing in General C
Page 50 and 51: order on the elliptic curve E(IF p
Page 52 and 53: the best result. In [57] the author
Page 54 and 55: Hence, we require 3[S] + 8[M] for E
Page 56 and 57: Algorithm 2 (iterated doubling): In
Page 58 and 59: Level 1 : t 1 = Y 2 1 ; t 4 = Z 2 1
Page 60 and 61: Table 4.1: Cost Comparison. Note 1[
Page 62 and 63: problem. - Our construction resembl
Page 64 and 65: is equal to c 2 |IF a | 3 . Thus, t
Page 66 and 67: aborts if F (v ∗ ) ≠ 0 and outp
Page 68 and 69: DBDH problem over (G 1 , G 2 , e) i
Page 70 and 71: these are respectively 2.4 kb and 2
Page 72 and 73: Signing: Let M = (m 1 , m 2 , . . .
Page 74 and 75: model without random oracles. Addit
Page 76 and 77: 6.2 Construction HIBE-spp The ident
Page 78 and 79: Table 6.1: Comparison of HIBE Proto
Page 80 and 81: For 1 ≤ j ≤ h, we define severa
Page 82 and 83: establish the claim. We provide the
Page 84 and 85: The probability is over the indepen
Page 86 and 87: = ≥ ( ( 1 − Pr 1 − [( q∨ i=
Page 88 and 89: of public parameters is significant
Page 90 and 91: to be I ∗ . It can then ask for t
Page 92 and 93: Phase 2: The adversary issues addit
Page 94 and 95: 7.3 Interpreting Security Models Th
Page 96 and 97:
7.4 Constructions We present severa
Page 98 and 99:
7.4.2 HIBE H 2 The description of H
Page 100 and 101:
Since b 0,1 , . . . , b 0,h , b 1 ,
Page 102 and 103:
For 1 ≤ i ≤ h, we have V i (y)
Page 104 and 105:
1. The encryption is converted into
Page 106 and 107:
Chapter 8 Constant Size Ciphertext
Page 108 and 109:
Let a private key for (v 1 , . . .
Page 110 and 111:
Phase 1: Suppose a key extraction q
Page 112 and 113:
= γ ( P 3 + ) u∑ V i . i=1 If th
Page 114 and 115:
Encrypt: To encrypt a message M ∈
Page 116 and 117:
and outputs a random bit if there i
Page 118 and 119:
Chapter 9 Augmented Selective-ID Mo
Page 120 and 121:
Phase 1 and Phase 2: As discussed i
Page 122 and 123:
an adversary has to commit to an id
Page 124 and 125:
Table 9.1: Comparison of BBG-HIBE a
Page 126 and 127:
where ˜r = (r − αk F k ). Also
Page 128 and 129:
The maximum height of the HIBE be h
Page 130 and 131:
B declares the public parameters to
Page 132 and 133:
So, the challenge ciphertext is ( C
Page 134 and 135:
Choose a random r ∗ ∈ Z p and f
Page 136 and 137:
The size of the private key in the
Page 138 and 139:
generalisation and move on to addre
Page 140 and 141:
Table 10.3: Comparison of HIBE prot
Page 142 and 143:
[9] Paulo S. L. M. Barreto, Ben Lyn
Page 144 and 145:
[31] Sanjit Chatterjee and Palash S
Page 146 and 147:
[55] Florian Hess, Nigel P. Smart,
Page 148:
[81] Palash Sarkar. Head: Hybrid en
show all

Identity-Based Encryption Protocols Using Bilinear Pairing

Create successful ePaper yourself

Delete template?

Save as template?