Identity-Based Encryption Protocols Using Bilinear Pairing
Identity-Based Encryption Protocols Using Bilinear Pairing
Identity-Based Encryption Protocols Using Bilinear Pairing
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
these are respectively 2.4 kb and 2.64 kb. There is an associated increase in computation cost<br />
by 30%. In typical applications, the protocol will be used in a key encapsulation mechanism<br />
(KEM). Thus the encryption and decryption algorithms will be invoked once for a message<br />
irrespective of its length. Also the key generation procedure is essentially a one-time offline<br />
activity. In view of this, the increase in computation cost will not substantially affect the<br />
throughput. On the other hand, the significant reduction in space requirement will be an<br />
advantage in implementing the protocol and also in reducing the time for downloading or<br />
transmitting the public parameter file over the net. Overall, we suggest l = 16 to be a good<br />
choice for implementing the protocol.<br />
5.4 CCA Security<br />
One way to achieve CCA-security for our scheme is to follow the generic transformation<br />
of Canetti, Halevi and Katz [27] or Boneh and Katz [21] as discussed in Section 3.5. As<br />
our scheme closely resembles that of Waters [89] it is also possible to apply the endogenous<br />
transformation of Boyen, Mei and Waters [23] in essentially the same way and the reduction<br />
follows.<br />
We show that it is possible to take a different approach based on the oracle bilinear<br />
decision Diffie-Hellman (OBDH) assumption which is a variation of the ODH assumption<br />
used in [2]. The OBDH assumption is as follows [81].<br />
• Instance : 〈P, aP, bP, cP, str〉 where a, b, c ∈ Z p and str ∈ {0, 1} k .<br />
• Oracle : H a (X, Y ), with X, Y ∈ G 1 . When invoked with (a 1 P, b 1 P ) it returns<br />
H(a 1 P, e(a 1 P, b 1 P ) a ), where H : G 1 × G 2 → {0, 1} k is a hash function.<br />
• Restriction : Cannot query H a (, ) on (cP, bP ).<br />
• Task : Determine whether str = H(cP, e(cP, bP ) a ) or str is random.<br />
Any algorithm A for OBDH takes as input an instance (P, aP, bP, cP, str) of OBDH and<br />
produces as output either zero or one. The advantage of an algorithm A in solving OBDH<br />
is defined in the following manner.<br />
Adv OBDH<br />
A = |Pr[A outputs 1|E 1 ] − Pr[A outputs 1|E 2 ]|<br />
where E 1 is the event that str = H(cP, e(cP, bP ) a ) and E 2 is the event that str is random.<br />
The quantity Adv OBDH (t, q) denotes the maximum of Adv OBDH<br />
A where the maximum is taken<br />
over all adversaries running in time at most t and making at most q queries to the oracle<br />
H a (, ).<br />
To suit into the OBDH assumption we modify our constructions of Section 5.2 as follows:<br />
Setup and Key-Gen remain unaltered. To encrypt a message, we first generate a symmetric<br />
key sym.key = H(tP, e(P 1 , P 2 ) t ). Then the ciphertext is C = 〈tP, tV, y)〉, where y is the<br />
58