Identity-Based Encryption Protocols Using Bilinear Pairing

More documents

Recommendations

Info

these are respectively 2.4 kb and 2.64 kb. There is an associated increase in computation cost by 30%. In typical applications, the protocol will be used in a key encapsulation mechanism (KEM). Thus the encryption and decryption algorithms will be invoked once for a message irrespective of its length. Also the key generation procedure is essentially a one-time offline activity. In view of this, the increase in computation cost will not substantially affect the throughput. On the other hand, the significant reduction in space requirement will be an advantage in implementing the protocol and also in reducing the time for downloading or transmitting the public parameter file over the net. Overall, we suggest l = 16 to be a good choice for implementing the protocol. 5.4 CCA Security One way to achieve CCA-security for our scheme is to follow the generic transformation of Canetti, Halevi and Katz [27] or Boneh and Katz [21] as discussed in Section 3.5. As our scheme closely resembles that of Waters [89] it is also possible to apply the endogenous transformation of Boyen, Mei and Waters [23] in essentially the same way and the reduction follows. We show that it is possible to take a different approach based on the oracle bilinear decision Diffie-Hellman (OBDH) assumption which is a variation of the ODH assumption used in [2]. The OBDH assumption is as follows [81]. • Instance : 〈P, aP, bP, cP, str〉 where a, b, c ∈ Z p and str ∈ {0, 1} k . • Oracle : H a (X, Y ), with X, Y ∈ G 1 . When invoked with (a 1 P, b 1 P ) it returns H(a 1 P, e(a 1 P, b 1 P ) a ), where H : G 1 × G 2 → {0, 1} k is a hash function. • Restriction : Cannot query H a (, ) on (cP, bP ). • Task : Determine whether str = H(cP, e(cP, bP ) a ) or str is random. Any algorithm A for OBDH takes as input an instance (P, aP, bP, cP, str) of OBDH and produces as output either zero or one. The advantage of an algorithm A in solving OBDH is defined in the following manner. Adv OBDH A = |Pr[A outputs 1|E 1 ] − Pr[A outputs 1|E 2 ]| where E 1 is the event that str = H(cP, e(cP, bP ) a ) and E 2 is the event that str is random. The quantity Adv OBDH (t, q) denotes the maximum of Adv OBDH A where the maximum is taken over all adversaries running in time at most t and making at most q queries to the oracle H a (, ). To suit into the OBDH assumption we modify our constructions of Section 5.2 as follows: Setup and Key-Gen remain unaltered. To encrypt a message, we first generate a symmetric key sym.key = H(tP, e(P 1 , P 2 ) t ). Then the ciphertext is C = 〈tP, tV, y)〉, where y is the 58
encryption of the message using the symmetric key sym.key. To decrypt, all that we need is e(P 1 , P 2 ) t = e(d 1 , tP )/e(d 2 , tV ) and then find sym.key using H. Security: Breaking the (modified) IBE implies either solving OBDH or breaking the symmetric encryption scheme. The later we assume to be unbreakable under chosen ciphertext attack. CCA security under the OBDH assumption is expressed in the following theorem. Theorem 5.4.1. The modified IBE protocol is (ɛ ibe , t, q)-IND-ID-CCA secure assuming that the (t ′ , ɛ obdh )-OBDH assumption holds in 〈G 1 , G 2 , e〉, where ɛ ibe ≤ 2ɛ obdh /λ; t ′ = t + O(τq) + χ(ɛ ibe ), where λ, χ(ɛ ibe ) and τ are as defined in Theorem 5.2.1. Proof : (Brief sketch) Given a tuple 〈P, aP, bP, cP, str〉, the simulator B has to decide whether str = H(cP, e(cP, bP ) a ) or str is random. The Setup and key-extraction queries of both Phase 1 and 2 are just the same as that in the simulation of Theorem 5.2.1. of Section 5.2.1. Whenever A places any decryption query C = 〈rP, rV, y〉, B queries the oracle H a () with (rP, P 2 ) and decrypts y using whatever value the oracle returns. In the Challenge phase, when A submits two messages M 0 , M 1 and an identity v ∗ , B aborts if S would have aborted under v ∗ in the simulation part of Theorem 5.2.1.. Otherwise B gives A the tuple C ′ = 〈cP, J(I ∗ )cP, y〉, where y is the encryption of M γ , γ ∈ {0, 1} using str as the symmetric key. If str is random then C ′ gives no information about B’s choice of γ. Otherwise C ′ is a valid encryption of M γ . The rest of the simulation exactly mimics that of Theorem 5.2.1. Use of OBDH assumption prevents the loss of one level in the conversion from CPA security to CCA security and does not require any one time signature or MAC as in the generic conversion discussed in Section 3.5. <strong>Using</strong> the endogenous technique of Boyen, Mei and Waters [23] we can avoid this MAC or signature. However, it still requires a 2 level HIBE. On the other hand, OBDH is a stronger assumption than DBDH. 5.5 Signature It is an observation of Naor that any identity-based encryption scheme can be converted to a signature scheme. Waters in his paper [89] has given a construction of a signature scheme based on his IBE scheme. A similar construction is possible for the generalised scheme IBE-SPP(l) which we detail here. The sketch of the security reduction is provided next. Let G 1 = 〈P 〉, G 2 and e() be as defined in Section 2.1. Messages are assumed to be elements of Z N where N = 2 n . Alternatively, if messages are assumed to be bit strings of arbitrary length, then we use a collision resistant hash function to map the messages into Z N . Setup: Choose a random x in Z p and compute P 1 = xP . Next, choose from G 1 random points P 2 , U ′ , U 1 , . . . , U l . The public key is 〈P, P 1 , P 2 , U ′ , U 1 , . . . , U l 〉 and the secret key is xP 2 . 59
Page 1:
Construction of (Hierarchical) Iden
Page 5:
The scientist does not study nature
Page 9 and 10:
Contents 1 Introduction 1 1.1 Plan
Page 11:
7.4.1 HIBE H 1 . . . . . . . . . .
Page 14 and 15:
the public key. In this setting, an
Page 16 and 17:
adversary in distinguishing two mes
Page 18 and 19:
previous chapter. The second varian
Page 20 and 21: as it is closer to the known exampl
Page 22 and 23: Let P i = a i P . An algorithm A ha
Page 24 and 25: Given the security parameter κ, th
Page 26 and 27: the Key-Gen algorithm and C is the
Page 28 and 29: Phase 2: A now issues additional qu
Page 30 and 31: Chapter 3 Previous Works in Identit
Page 32 and 33: Decrypt: Decrypt C = 〈U, V 〉 us
Page 34 and 35: Game 2 Suppose B is given a BDH pro
Page 36 and 37: Security of BasicHIBE against chose
Page 38 and 39: BB-HIBE Here individual components
Page 40 and 41: F i (v ∗ i ) = α i P , so C =
Page 42 and 43: Key-Gen: Let v = (v 1 , . . . , v n
Page 44 and 45: Composite HIBE Boneh, Boyen and Goh
Page 46 and 47: Security Given an identity tuple v
Page 48 and 49: Chapter 4 Tate Pairing in General C
Page 50 and 51: order on the elliptic curve E(IF p
Page 52 and 53: the best result. In [57] the author
Page 54 and 55: Hence, we require 3[S] + 8[M] for E
Page 56 and 57: Algorithm 2 (iterated doubling): In
Page 58 and 59: Level 1 : t 1 = Y 2 1 ; t 4 = Z 2 1
Page 60 and 61: Table 4.1: Cost Comparison. Note 1[
Page 62 and 63: problem. - Our construction resembl
Page 64 and 65: is equal to c 2 |IF a | 3 . Thus, t
Page 66 and 67: aborts if F (v ∗ ) ≠ 0 and outp
Page 68 and 69: DBDH problem over (G 1 , G 2 , e) i
Page 72 and 73: Signing: Let M = (m 1 , m 2 , . . .
Page 74 and 75: model without random oracles. Addit
Page 76 and 77: 6.2 Construction HIBE-spp The ident
Page 78 and 79: Table 6.1: Comparison of HIBE Proto
Page 80 and 81: For 1 ≤ j ≤ h, we define severa
Page 82 and 83: establish the claim. We provide the
Page 84 and 85: The probability is over the indepen
Page 86 and 87: = ≥ ( ( 1 − Pr 1 − [( q∨ i=
Page 88 and 89: of public parameters is significant
Page 90 and 91: to be I ∗ . It can then ask for t
Page 92 and 93: Phase 2: The adversary issues addit
Page 94 and 95: 7.3 Interpreting Security Models Th
Page 96 and 97: 7.4 Constructions We present severa
Page 98 and 99: 7.4.2 HIBE H 2 The description of H
Page 100 and 101: Since b 0,1 , . . . , b 0,h , b 1 ,
Page 102 and 103: For 1 ≤ i ≤ h, we have V i (y)
Page 104 and 105: 1. The encryption is converted into
Page 106 and 107: Chapter 8 Constant Size Ciphertext
Page 108 and 109: Let a private key for (v 1 , . . .
Page 110 and 111: Phase 1: Suppose a key extraction q
Page 112 and 113: = γ ( P 3 + ) u∑ V i . i=1 If th
Page 114 and 115: Encrypt: To encrypt a message M ∈
Page 116 and 117: and outputs a random bit if there i
Page 118 and 119: Chapter 9 Augmented Selective-ID Mo
Page 120 and 121:
Phase 1 and Phase 2: As discussed i
Page 122 and 123:
an adversary has to commit to an id
Page 124 and 125:
Table 9.1: Comparison of BBG-HIBE a
Page 126 and 127:
where ˜r = (r − αk F k ). Also
Page 128 and 129:
The maximum height of the HIBE be h
Page 130 and 131:
B declares the public parameters to
Page 132 and 133:
So, the challenge ciphertext is ( C
Page 134 and 135:
Choose a random r ∗ ∈ Z p and f
Page 136 and 137:
The size of the private key in the
Page 138 and 139:
generalisation and move on to addre
Page 140 and 141:
Table 10.3: Comparison of HIBE prot
Page 142 and 143:
[9] Paulo S. L. M. Barreto, Ben Lyn
Page 144 and 145:
[31] Sanjit Chatterjee and Palash S
Page 146 and 147:
[55] Florian Hess, Nigel P. Smart,
Page 148:
[81] Palash Sarkar. Head: Hybrid en
show all

Identity-Based Encryption Protocols Using Bilinear Pairing

Create successful ePaper yourself

Delete template?

Save as template?