Identity-Based Encryption Protocols Using Bilinear Pairing

More documents

Recommendations

Info

DBDH problem over (G 1 , G 2 , e) is to solve the discrete log problem (DLP) over either G 1 or G 2 . The best known algorithm for the former is the Pollard’s rho method while that for the later is number/function field sieve. Thus, if we want IBE-SPP(l) to have 80-bit security, then we must choose the group sizes such that, 2 80+lg δ ≤ min(t G1 , t G2 ), where t Gi stands for the time to solve DLP in G i for i ∈ {1, 2}. We have assumed that G 1 is a group of elliptic curve points of order p defined over a finite field IF a (a is a prime power). Suppose G 2 is a subgroup of order p of the finite field IF a k where k is the embedding degree. The Pollard’s rho algorithm to solve ECDLP takes time t G1 = O( √ p), while the number/function field seive method to solve the DLP in IF a k takes time t G2 = O(e c1/3 ln 1/3 a k ln 2/3 (ln a k) ) where c = 64/9 (resp. 32/9) in large characteristic fields (resp. small characteristic fields). 5.3.1 Space/time trade-off In this section, we parametrize the quantities by l wherever necessary. Let, δ (l) denote the degradation factor in IBE-SPP(l). We have already noted in Section 5.2 that l = n stands for Waters protocol. δ (l) and hence ρ (l) is minimum when l = n and we use this as a bench mark to compare with other values of l. Suppose ∆ρ (l) = ρ (l) −ρ (n) = lg(δ (l) /δ (n) ) = (n/l)−lg(n/l). This parameter ∆ρ (l) gives us an estimate of the extra bits required in case of IBE-SPP(l), to achieve the same security level as that of IBE-SPP(n) i.e., Waters protocol. Table 5.1: Approximate group sizes for attaining 80-bit security for IBE-SPP(l) for different values of l and relative space and time requirement. The first part corresponds to n = 160 and the second to n = 256. l ∆ρ (l) |p (l) | |G (l) 2 | α(l) β (l) (a) (b) (a) (b) (a) (b) 160 – 246 1891(2225) 3284(3872) – – – – 8 15 276 2443(2831) 4258(4944) 6.5(6.4) 6.5(6.4) 2.16(2.06) 2.18(2.08) 16 6 258 2102(2457) 3655(4288) 11.1(11.0) 11.1(11.1) 1.37(1.35) 1.38(1.35) 32 2 250 1960(2300) 3405(4006) 20.7(20.7) 20.7(20.7) 1.11(1.11) 1.12(1.11) 80 1 248 1924(2262) 3344(3939) 50.9(50.8) 50.9(50.9) 1.05(1.05) 1.06(1.05) 256 – 246 1891(2225) 3284(3872) – – - – 8 27 300 2948(3381) 5151(5919) 4.9(4.7) 4.9(4.8) 3.79(3.51) 3.86(3.57) 16 12 270 2326(2703) 4051(4717) 7.7(7.6) 7.7(7.6) 1.86(1.79) 1.88(1.81) 32 5 256 2066(2417) 3592(4212) 13.7(13.6) 13.7(13.6) 1.30(1.28) 1.31(1.29) 64 2 250 1960(2300) 3405(4006) 25.9(25.8) 25.9(25.9) 1.11(1.11) 1.11(1.11) 128 1 248 1924(2262) 3344(3939) 50.9(50.8) 50.9(50.9) 1.05(1.05) 1.06(1.05) 56
Suppose, |p (l) | (resp. |G (l) 2 |) denotes the bit length of representation of p (l) (resp. an element of G (l) 2 ). Like [46], we assume that the adversary A is allowed to make a maximum of q = 2 30 number of queries. For a given security level, we can now find the values of |p (l) | and |G (l) 2 | for IBE-SPP(l) based on the bit length of the identities (i.e., n), q and l. Note that, the value of |p (l) | (resp. |G (l) 2 |) thus obtained is the minimum required to avoid the Pollard’s rho (resp. number/function field seive) attack. In actual implementation, these values give an estimate of the size of suitable pairing groups G 1 , G 2 and the embedding degree so that the requirements can be optimally met. In our comparison, the embedding degree k is taken to be same for different values of l and |G (l) 2 | = k lg a (G (l) 2 is a multiplicative subgroup of order p (l) of the finite field IF k a). As already noted, the value of p (l) is given by Pollard’s rho. On the other hand, the logarithm of the size of G (l) 1 is equal to max(p (l) , |G (l) 2 |/k). For relatively small embedding degree (i.e., k ≤ 6), |G (l) 2 |/k > |p (l) | and so the logarithm of the size of G (l) 1 is equal to |G (l) 2 |/k = |IF (l) a |. For a given l, we have to store l elements of G (l) 1 in the public parameter file and a scalar multiplication in G (l) 1 takes time proportional to (|IF (l) a |) 3 . Now, we are in a position to compare the space requirement in the public parameter file and the time requirement for a scalar multiplication in G (l) 1 for different values of l. Let α (l) = l×|G(l) 1 | × 100 i.e., the relative amount of space (expressed in percentage) required to n×|G (n) 1 | store the public parameters in case of IBE-SPP(l) with respect to IBE-SPP(n) and β (l) = |IF (l) a | 3 /|IF (n) a | 3 , i.e., the relative increase in time for scalar multiplication in G (l) 1 in the case of IBE-SPP(l) with respect to IBE-SPP(n). Note that, β (l) can be computed from |G (l) 2 | and |G (n) 2 | since k cancels out from both numerator and denominator. We have seen in Chapter 4 that pairing computation is also of order |IF (l) a | 3 (but with a larger constant factor). So, the ratio β (l) also holds for pairing computation and exponentiation in case of IBE-SPP(l) with respect to Waters protocol. In Table 5.1, we sum-up these results for n = 160 and 256 for different values of l ranging from 8 to n for 80-bit security. The subcolumns (a) and (b) under α (l) and β (l) stand for the values obtained for general characteristic field and field of characteristic three respectively. The values of |G (l) 2 |, α (l) , β (l) are computed using the formula as suggested in [46] (see Section 3); while in parenthesis we give the corresponding values as computed from the formula obtained from [67] (as given in Section 3 of [46]). Note that, the values of α (l) and β (l) being the ratio of two quantities remain more or less invariant whether the underlying field is a general characteristic field or a field of characteristic three or which formula (of [46] or of [67]) is used. Public parameter consists of (l + 4) elements of G 1 . From Table 5.1, for 80-bit security in general characteristic fields using EC with MOV degree 2, the public parameter size for Waters protocol will be around 37 kilobyte (kb) for 160-bit identities and 59 kb for 256-bit identities. The corresponding values in case of IBE-SPP(l) with l = 16 will be around 4 kb and 4.5 kb respectively. Similarly, in characteristic three field EC with MOV degree 6, the corresponding values are respectively 21.5 kb and 34.2 kb and for IBE-SPP(l) with l = 16 57
Page 1:
Construction of (Hierarchical) Iden
Page 5:
The scientist does not study nature
Page 9 and 10:
Contents 1 Introduction 1 1.1 Plan
Page 11:
7.4.1 HIBE H 1 . . . . . . . . . .
Page 14 and 15:
the public key. In this setting, an
Page 16 and 17:
adversary in distinguishing two mes
Page 18 and 19: previous chapter. The second varian
Page 20 and 21: as it is closer to the known exampl
Page 22 and 23: Let P i = a i P . An algorithm A ha
Page 24 and 25: Given the security parameter κ, th
Page 26 and 27: the Key-Gen algorithm and C is the
Page 28 and 29: Phase 2: A now issues additional qu
Page 30 and 31: Chapter 3 Previous Works in Identit
Page 32 and 33: Decrypt: Decrypt C = 〈U, V 〉 us
Page 34 and 35: Game 2 Suppose B is given a BDH pro
Page 36 and 37: Security of BasicHIBE against chose
Page 38 and 39: BB-HIBE Here individual components
Page 40 and 41: F i (v ∗ i ) = α i P , so C =
Page 42 and 43: Key-Gen: Let v = (v 1 , . . . , v n
Page 44 and 45: Composite HIBE Boneh, Boyen and Goh
Page 46 and 47: Security Given an identity tuple v
Page 48 and 49: Chapter 4 Tate Pairing in General C
Page 50 and 51: order on the elliptic curve E(IF p
Page 52 and 53: the best result. In [57] the author
Page 54 and 55: Hence, we require 3[S] + 8[M] for E
Page 56 and 57: Algorithm 2 (iterated doubling): In
Page 58 and 59: Level 1 : t 1 = Y 2 1 ; t 4 = Z 2 1
Page 60 and 61: Table 4.1: Cost Comparison. Note 1[
Page 62 and 63: problem. - Our construction resembl
Page 64 and 65: is equal to c 2 |IF a | 3 . Thus, t
Page 66 and 67: aborts if F (v ∗ ) ≠ 0 and outp
Page 70 and 71: these are respectively 2.4 kb and 2
Page 72 and 73: Signing: Let M = (m 1 , m 2 , . . .
Page 74 and 75: model without random oracles. Addit
Page 76 and 77: 6.2 Construction HIBE-spp The ident
Page 78 and 79: Table 6.1: Comparison of HIBE Proto
Page 80 and 81: For 1 ≤ j ≤ h, we define severa
Page 82 and 83: establish the claim. We provide the
Page 84 and 85: The probability is over the indepen
Page 86 and 87: = ≥ ( ( 1 − Pr 1 − [( q∨ i=
Page 88 and 89: of public parameters is significant
Page 90 and 91: to be I ∗ . It can then ask for t
Page 92 and 93: Phase 2: The adversary issues addit
Page 94 and 95: 7.3 Interpreting Security Models Th
Page 96 and 97: 7.4 Constructions We present severa
Page 98 and 99: 7.4.2 HIBE H 2 The description of H
Page 100 and 101: Since b 0,1 , . . . , b 0,h , b 1 ,
Page 102 and 103: For 1 ≤ i ≤ h, we have V i (y)
Page 104 and 105: 1. The encryption is converted into
Page 106 and 107: Chapter 8 Constant Size Ciphertext
Page 108 and 109: Let a private key for (v 1 , . . .
Page 110 and 111: Phase 1: Suppose a key extraction q
Page 112 and 113: = γ ( P 3 + ) u∑ V i . i=1 If th
Page 114 and 115: Encrypt: To encrypt a message M ∈
Page 116 and 117: and outputs a random bit if there i
Page 118 and 119:
Chapter 9 Augmented Selective-ID Mo
Page 120 and 121:
Phase 1 and Phase 2: As discussed i
Page 122 and 123:
an adversary has to commit to an id
Page 124 and 125:
Table 9.1: Comparison of BBG-HIBE a
Page 126 and 127:
where ˜r = (r − αk F k ). Also
Page 128 and 129:
The maximum height of the HIBE be h
Page 130 and 131:
B declares the public parameters to
Page 132 and 133:
So, the challenge ciphertext is ( C
Page 134 and 135:
Choose a random r ∗ ∈ Z p and f
Page 136 and 137:
The size of the private key in the
Page 138 and 139:
generalisation and move on to addre
Page 140 and 141:
Table 10.3: Comparison of HIBE prot
Page 142 and 143:
[9] Paulo S. L. M. Barreto, Ben Lyn
Page 144 and 145:
[31] Sanjit Chatterjee and Palash S
Page 146 and 147:
[55] Florian Hess, Nigel P. Smart,
Page 148:
[81] Palash Sarkar. Head: Hybrid en
show all

Identity-Based Encryption Protocols Using Bilinear Pairing

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?