Identity-Based Encryption Protocols Using Bilinear Pairing

More documents

Recommendations

Info

problem. – Our construction resembles closely the construction of Waters [89] and security against the chosen ciphertext attack (i.e., the CCA security) of the former follows from that of the later by constructing a 2-level HIBE and applying the technique of [27]. As an alternative, we show that CCA security can also be achieved by assuming the hardness of the oracle bilinear decision Diffie-Hellman assumption (OBDH). 5.2 Generalisation of Waters’ IBE Here we describe our generalisation of Waters scheme. The groups G 1 = 〈P 〉, G 2 and the map e() are as already defined in Section 2.1. In the following, we assume the message space M is G 2 , the cipher space C is G 2 × G 1 × G 1 . Note that, in Waters scheme identities are represented as n-bit strings. Because of this representation, Waters requires to store n elements of G 1 i.e., −→ U in the public parameter. Depending upon the choice of representation of the identities we can change the size of the public parameter. Let N = 2 n , then we can consider the identities as elements of Z N and one extreme case would be to consider the identities just as elements of Z N . A more moderate approach, however, is to fix a-priori a size parameter l, where 1 < l ≤ n. In this case, an identity v is represented as v = (v 1 , v 2 , . . . , v l ), where v i ∈ Z N 1/l i.e., each v i is an n/l bit string. (If identities are considered to be bit strings of arbitrary length, then as in Waters protocol we hash them into Z N using a collision resistant hash function.) In this case the protocol is changed to the following, which we call IBE-SPP(l). IBE-SPP(l) with 1 < l ≤ n Setup: Randomly choose a secret x ∈ Z p . Set P 1 = xP , then choose P 2 ∈ G 1 at random. Further, choose random elements U ′ , U 1 , U 2 , . . . , U l ∈ G 1 . The master secret is xP 2 whereas the public parameters are 〈P, P 1 , P 2 , U ′ , U 1 , U 2 , . . . , U l 〉. Key-Gen: Let v be any identity, a secret key for v is generated as follows. Choose a random r ∈ Z ∗ p, then the private key for v is where V = U ′ + ∑ l i=1 v iU i . d v = (xP 2 + rV, rP ). Encrypt: Any message M ∈ G 2 is encrypted for an identity v as C = (e(P 1 , P 2 ) s × M, sP, sV ), where s is a random element of Z p and V is as defined in key generation algorithm. 50
Decrypt: Let C = (C 1 , C 2 , C 3 ) be a ciphertext and v be the corresponding identity. Then we decrypt C using secret key d v = (d 1 , d 2 ) by computing C 1 × e(d 2, C 3 ) e(d 1 , C 2 ) = e(P 1, P 2 ) s e(rP, sV ) × M e(xP 2 + rV, sP ) = M Note that, for l = n this is exactly Waters protocol. For l = 1, some minor modifications in the above scheme give a protocol where the additional requirement in the public parameter is just a single element of G 1 as described below. IBE-SPP(1) Setup: Randomly choose a secret x ∈ Z N . Set P 1 = xP , then choose P 2 ∈ G 1 at random. Further, choose a random element U ′ ∈ G 1 . The master secret is xP 2 whereas the public parameters are 〈P, P 1 , P 2 , U ′ 〉. Key-Gen: Let v be any identity. A secret key for v is generated as follows. Choose a random r ∈ Z ∗ p, then the private key for v is d v = (xP 2 + rV, rP ). where V = U ′ + vP 2 . Here the Encrypt and Decrypt algorithms are same as IBE-SPP(l) with the modified definition of V . Note that, this is essentially the Boneh-Boyen HIBE of Section 3.2.1 restricted to IBE in the adaptive-ID model. Efficiency: Consider IBE-SPP(l) with 1 < l ≤ n. Let cost(V ) be the cost of computing V . The cost of key generation is two scalar multiplications over G 1 plus cost(V ). By including e(P 1 , P 2 ) instead of P 1 , P 2 in the public parameter, we can avoid the pairing computation during encryption. So the cost of encryption is one exponentiation over G 2 , two scalar multiplications over G 1 plus cost(V ). The cost of decryption is two pairings, one multiplication and one inversion over G 2 . The effect of l is in cost(V ) and affects key generation and encryption costs but does not affect decryption cost. We first consider the costs of scalar multiplication over G 1 and exponentiation over G 2 . As mentioned earlier, G 1 is an elliptic curve group. Let IF a denote the base field over which G 1 is defined. Then G 2 is a subgroup of IF k a, where k is the MOV degree. Additions and doublings over G 1 translate into a constant number of multiplications over IF a . The actual number is slightly different for addition and doubling, but we will ignore this difference. Let |IF a | be the size of the representation of an element of IF a . Assuming the cost of multiplication over G 1 is approximately equal to |IF a | 2 , the cost of a scalar multiplication over G 1 is equal to c 1 |IF a | 3 for some constant c 1 . One can also show that the cost of exponentiation over G 2 51
Page 1:
Construction of (Hierarchical) Iden
Page 5:
The scientist does not study nature
Page 9 and 10:
Contents 1 Introduction 1 1.1 Plan
Page 11: 7.4.1 HIBE H 1 . . . . . . . . . .
Page 14 and 15: the public key. In this setting, an
Page 16 and 17: adversary in distinguishing two mes
Page 18 and 19: previous chapter. The second varian
Page 20 and 21: as it is closer to the known exampl
Page 22 and 23: Let P i = a i P . An algorithm A ha
Page 24 and 25: Given the security parameter κ, th
Page 26 and 27: the Key-Gen algorithm and C is the
Page 28 and 29: Phase 2: A now issues additional qu
Page 30 and 31: Chapter 3 Previous Works in Identit
Page 32 and 33: Decrypt: Decrypt C = 〈U, V 〉 us
Page 34 and 35: Game 2 Suppose B is given a BDH pro
Page 36 and 37: Security of BasicHIBE against chose
Page 38 and 39: BB-HIBE Here individual components
Page 40 and 41: F i (v ∗ i ) = α i P , so C =
Page 42 and 43: Key-Gen: Let v = (v 1 , . . . , v n
Page 44 and 45: Composite HIBE Boneh, Boyen and Goh
Page 46 and 47: Security Given an identity tuple v
Page 48 and 49: Chapter 4 Tate Pairing in General C
Page 50 and 51: order on the elliptic curve E(IF p
Page 52 and 53: the best result. In [57] the author
Page 54 and 55: Hence, we require 3[S] + 8[M] for E
Page 56 and 57: Algorithm 2 (iterated doubling): In
Page 58 and 59: Level 1 : t 1 = Y 2 1 ; t 4 = Z 2 1
Page 60 and 61: Table 4.1: Cost Comparison. Note 1[
Page 64 and 65: is equal to c 2 |IF a | 3 . Thus, t
Page 66 and 67: aborts if F (v ∗ ) ≠ 0 and outp
Page 68 and 69: DBDH problem over (G 1 , G 2 , e) i
Page 70 and 71: these are respectively 2.4 kb and 2
Page 72 and 73: Signing: Let M = (m 1 , m 2 , . . .
Page 74 and 75: model without random oracles. Addit
Page 76 and 77: 6.2 Construction HIBE-spp The ident
Page 78 and 79: Table 6.1: Comparison of HIBE Proto
Page 80 and 81: For 1 ≤ j ≤ h, we define severa
Page 82 and 83: establish the claim. We provide the
Page 84 and 85: The probability is over the indepen
Page 86 and 87: = ≥ ( ( 1 − Pr 1 − [( q∨ i=
Page 88 and 89: of public parameters is significant
Page 90 and 91: to be I ∗ . It can then ask for t
Page 92 and 93: Phase 2: The adversary issues addit
Page 94 and 95: 7.3 Interpreting Security Models Th
Page 96 and 97: 7.4 Constructions We present severa
Page 98 and 99: 7.4.2 HIBE H 2 The description of H
Page 100 and 101: Since b 0,1 , . . . , b 0,h , b 1 ,
Page 102 and 103: For 1 ≤ i ≤ h, we have V i (y)
Page 104 and 105: 1. The encryption is converted into
Page 106 and 107: Chapter 8 Constant Size Ciphertext
Page 108 and 109: Let a private key for (v 1 , . . .
Page 110 and 111: Phase 1: Suppose a key extraction q
Page 112 and 113:
= γ ( P 3 + ) u∑ V i . i=1 If th
Page 114 and 115:
Encrypt: To encrypt a message M ∈
Page 116 and 117:
and outputs a random bit if there i
Page 118 and 119:
Chapter 9 Augmented Selective-ID Mo
Page 120 and 121:
Phase 1 and Phase 2: As discussed i
Page 122 and 123:
an adversary has to commit to an id
Page 124 and 125:
Table 9.1: Comparison of BBG-HIBE a
Page 126 and 127:
where ˜r = (r − αk F k ). Also
Page 128 and 129:
The maximum height of the HIBE be h
Page 130 and 131:
B declares the public parameters to
Page 132 and 133:
So, the challenge ciphertext is ( C
Page 134 and 135:
Choose a random r ∗ ∈ Z p and f
Page 136 and 137:
The size of the private key in the
Page 138 and 139:
generalisation and move on to addre
Page 140 and 141:
Table 10.3: Comparison of HIBE prot
Page 142 and 143:
[9] Paulo S. L. M. Barreto, Ben Lyn
Page 144 and 145:
[31] Sanjit Chatterjee and Palash S
Page 146 and 147:
[55] Florian Hess, Nigel P. Smart,
Page 148:
[81] Palash Sarkar. Head: Hybrid en
show all

Identity-Based Encryption Protocols Using Bilinear Pairing

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?