Identity-Based Encryption Protocols Using Bilinear Pairing

More documents

Recommendations

Info

the best result. In [57] the authors suggested to take the so called simplified Jacobian- Chudnovsky coordinate J s as they store (X, Y, Z, Z 2 ) instead of (X, Y, Z). However, we have found out that if one encapsulates EC addition/doubling with line computation then there is no need to additionally store Z 2 – one can simply work in the Jacobian coordinate. Here we give the explicit formulae required for the encapsulated computation of double/add-andline computation. In what follows, by [M] and [S], we respectively denote the cost of one multiplication and one squaring in IF p . 4.3.1 Encapsulated Point Doubling and Line Computation Here P = (X 1 , Y 1 , Z 1 ) correspond to (X 1 /Z 2 1, Y 1 /Z 3 1) in affine coordinate. We encapsulate the computation of 2P given P together with the computation corresponding to the associated line. Point Doubling : From the EC point doubling rule we have the following formula: <strong>Using</strong> temporary variables, we compute: X 3 ′ = (3X2 1 + aZ1) 4 2 − 8X 1 Y1 2 4Y1 2 Z1 2 Y 3 ′ = 3X2 1 + aZ1 4 ( X 1 2Y 1 Z 1 Z1 2 − X 3) ′ − Y 1 Z1 3 X 3 = (3X1 2 + aZ1) 4 2 − 8X 1 Y1 2 Y 3 = (3X1 2 + aZ1)(4X 4 1 Y1 2 − X 3 ) − 8Y1 4 Z 3 = 2Y 1 Z 1 1. t 1 = Y1 2 ; 2. t 2 = 4X 1 t 1 ; 3. t 3 = 8t 2 1; 4. t 4 = Z1; 2 5. t 5 = 3X1 2 + aZ1; 4 6. X 3 = t 2 5 − 2t 2 ; 7. Y 3 = t 5 (t 2 − X 3 ) − t 3 ; 8. Z 3 = 2Y 1 Z 1 . So, we require 6[S] + 4[M] for EC doubling. Now consider t 5 . If a is a general element of IF p , then we have to count the multiplication a × (Z 4 1). However, if a is small, i.e., it can be represented using only a few (say ≤ 8) bits, then we do not count this multiplication. In this case, aZ 4 1 can be obtained summing Z 4 1 a total of a times. This reduces the operation count to 6[S]+3[M]. Further, if a = −3, then t 5 = 3(X 1 − Z 2 1)(X 1 + Z 2 1) = 3(X 1 − t 4 )(X 1 + t 4 ) and the operation count reduces to 4[S]+4[M]. These facts are known and can be found in [53]. Line Computation: Note that, the slope µ of h P,P , the line through P and −2P , is µ = t 5 /Z 3 . So, h P,P (x, y) = (y − Y 1 Z 3 1 Hence, h P,P (−x Q , iy Q ) = (y Q i − Y 1 ) + µ(x Z1 3 Q + X 1 ). Z1 2 By defining g P,P (x, y) = (2Y 1 Z1)h 3 P,P (x, y), we get, ) − µ(x − X 1 ). Z1 2 g P,P (−x Q , iy Q ) = (2Y 1 Z 1 )Z1y 2 Q i − 2Y1 2 + (3X1 2 + aZ1)(Z 4 1x 2 Q + X 1 ) = Z 3 t 4 y Q i − (2t 1 − t 5 (t 4 x Q + X 1 )) 40
The ultimate result is raised to the power (p 2 − 1)/r, where r|(p + 1) (see Section 4.2.1). Thus we have to compute (h P,P (−x Q , iy Q )) (p2 −1)/r = ((h P,P (−x Q , iy Q )) (p−1) ) (p+1)/r = ((g P,P (−x Q , iy Q )/(2Y 1 Z 3 1)) (p−1) ) (p+1)/r = ((g P,P (−x Q , iy Q )) (p−1) ) (p+1)/r . The last equation holds since (2Y 1 Z 3 1) ∈ IF p and consequently (2Y 1 Z 3 1) p−1 = 1. Thus, we can work entirely with g P,P (−x Q , iy Q ) instead of h P,P (−x Q , iy Q ). Since t 1 , t 4 and t 5 have already been computed, g P,P (−x Q , iy Q ) can be obtained using 4 additional multiplications. Hence, encapsulated point doubling and line computation requires 8[M] + 6[S]. In the case a is small, this cost is 7[M]+6[S] and for the case a = −3, this cost is 8[M]+4[S]. 4.3.2 Encapsulated (Mixed) Point Addition and Line Computation We encapsulate the computation of P + R given P in affine and R in Jacobian together with the computation corresponding to the associated line. Mixed Addition: Given R = (X 1 , Y 1 , Z 1 ) and P = (X, Y, 1) we compute R + P = (X 3 , Y 3 , Z 3 ) as follows. X ′ 3 = ( Y − Y 1 Z1 3 X − X 1 Z 2 1 ) 2 − X 1 Z 2 1 − X = Y ′ 3 = ( ) Y Z 3 2 1 − Y 1 − X 1 − X (XZ1 2 − X 1 )Z 1 Z1 2 ( ) Y Z 3 1 − Y 1 ( X 1 − X (XZ1 2 − X 1 )Z 1 Z 3) ′ − Y 1 1 2 Z1 3 X 3 = X 3Z ′ 3 = (Y Z1 3 − Y 1 ) 2 − X 1 (XZ1 2 − X 1 ) 2 − X(XZ1 2 − X 1 ) 2 Z1 2 = (Y Z1 3 − Y 1 ) 2 − (XZ1 2 − X 1 ) 2 (X 1 + XZ1) 2 Y 3 = Y 3Z ′ 3 = (Y Z1 3 − Y 1 )((XZ1 2 − X 1 ) 2 X 1 − X 3 ) − Y 1 (XZ1 2 − X 1 ) 3 Z 3 = (XZ 2 1 − X 1 )Z 1 <strong>Using</strong> temporary variables we compute: 1. t 1 = Z1; 2 2. t 2 = Z 1 t 1 ; 3. t 3 = Xt 1 ; 4. t 4 = Y t 2 ; 5. t 5 = t 3 − X 1 ; 6. t 6 = t 4 − Y 1 ; 7. t 7 = t 2 5; 8. t 8 = t 5 t 7 ; 9. t 9 = X 1 t 7 ; 10. X 3 = t 2 6 − (t 8 + 2t 9 ); 11. Y 3 = t 6 (t 9 − X 3 ) − Y 1 t 8 ; 12. Z 3 = Z 1 t 5 . 41
Page 1: Construction of (Hierarchical) Iden
Page 5: The scientist does not study nature
Page 9 and 10: Contents 1 Introduction 1 1.1 Plan
Page 11: 7.4.1 HIBE H 1 . . . . . . . . . .
Page 14 and 15: the public key. In this setting, an
Page 16 and 17: adversary in distinguishing two mes
Page 18 and 19: previous chapter. The second varian
Page 20 and 21: as it is closer to the known exampl
Page 22 and 23: Let P i = a i P . An algorithm A ha
Page 24 and 25: Given the security parameter κ, th
Page 26 and 27: the Key-Gen algorithm and C is the
Page 28 and 29: Phase 2: A now issues additional qu
Page 30 and 31: Chapter 3 Previous Works in Identit
Page 32 and 33: Decrypt: Decrypt C = 〈U, V 〉 us
Page 34 and 35: Game 2 Suppose B is given a BDH pro
Page 36 and 37: Security of BasicHIBE against chose
Page 38 and 39: BB-HIBE Here individual components
Page 40 and 41: F i (v ∗ i ) = α i P , so C =
Page 42 and 43: Key-Gen: Let v = (v 1 , . . . , v n
Page 44 and 45: Composite HIBE Boneh, Boyen and Goh
Page 46 and 47: Security Given an identity tuple v
Page 48 and 49: Chapter 4 Tate Pairing in General C
Page 50 and 51: order on the elliptic curve E(IF p
Page 54 and 55: Hence, we require 3[S] + 8[M] for E
Page 56 and 57: Algorithm 2 (iterated doubling): In
Page 58 and 59: Level 1 : t 1 = Y 2 1 ; t 4 = Z 2 1
Page 60 and 61: Table 4.1: Cost Comparison. Note 1[
Page 62 and 63: problem. - Our construction resembl
Page 64 and 65: is equal to c 2 |IF a | 3 . Thus, t
Page 66 and 67: aborts if F (v ∗ ) ≠ 0 and outp
Page 68 and 69: DBDH problem over (G 1 , G 2 , e) i
Page 70 and 71: these are respectively 2.4 kb and 2
Page 72 and 73: Signing: Let M = (m 1 , m 2 , . . .
Page 74 and 75: model without random oracles. Addit
Page 76 and 77: 6.2 Construction HIBE-spp The ident
Page 78 and 79: Table 6.1: Comparison of HIBE Proto
Page 80 and 81: For 1 ≤ j ≤ h, we define severa
Page 82 and 83: establish the claim. We provide the
Page 84 and 85: The probability is over the indepen
Page 86 and 87: = ≥ ( ( 1 − Pr 1 − [( q∨ i=
Page 88 and 89: of public parameters is significant
Page 90 and 91: to be I ∗ . It can then ask for t
Page 92 and 93: Phase 2: The adversary issues addit
Page 94 and 95: 7.3 Interpreting Security Models Th
Page 96 and 97: 7.4 Constructions We present severa
Page 98 and 99: 7.4.2 HIBE H 2 The description of H
Page 100 and 101: Since b 0,1 , . . . , b 0,h , b 1 ,
Page 102 and 103:
For 1 ≤ i ≤ h, we have V i (y)
Page 104 and 105:
1. The encryption is converted into
Page 106 and 107:
Chapter 8 Constant Size Ciphertext
Page 108 and 109:
Let a private key for (v 1 , . . .
Page 110 and 111:
Phase 1: Suppose a key extraction q
Page 112 and 113:
= γ ( P 3 + ) u∑ V i . i=1 If th
Page 114 and 115:
Encrypt: To encrypt a message M ∈
Page 116 and 117:
and outputs a random bit if there i
Page 118 and 119:
Chapter 9 Augmented Selective-ID Mo
Page 120 and 121:
Phase 1 and Phase 2: As discussed i
Page 122 and 123:
an adversary has to commit to an id
Page 124 and 125:
Table 9.1: Comparison of BBG-HIBE a
Page 126 and 127:
where ˜r = (r − αk F k ). Also
Page 128 and 129:
The maximum height of the HIBE be h
Page 130 and 131:
B declares the public parameters to
Page 132 and 133:
So, the challenge ciphertext is ( C
Page 134 and 135:
Choose a random r ∗ ∈ Z p and f
Page 136 and 137:
The size of the private key in the
Page 138 and 139:
generalisation and move on to addre
Page 140 and 141:
Table 10.3: Comparison of HIBE prot
Page 142 and 143:
[9] Paulo S. L. M. Barreto, Ben Lyn
Page 144 and 145:
[31] Sanjit Chatterjee and Palash S
Page 146 and 147:
[55] Florian Hess, Nigel P. Smart,
Page 148:
[81] Palash Sarkar. Head: Hybrid en
show all

Identity-Based Encryption Protocols Using Bilinear Pairing

Create successful ePaper yourself

Delete template?

Save as template?