Identity-Based Encryption Protocols Using Bilinear Pairing
Identity-Based Encryption Protocols Using Bilinear Pairing
Identity-Based Encryption Protocols Using Bilinear Pairing
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
Signing: Let M = (m 1 , m 2 , . . . , m l ) is the message to be signed, where each m i , 1 ≤ i ≤ l<br />
is a bit string of length n/l. To generate a signature on M, first choose a random r ∈ Z ∗ p.<br />
Then the signature is<br />
σ M = (xP 2 + rV, rP ),<br />
where V = U ′ + ∑ l<br />
i=1 m iU i<br />
Verification: Given a message M = (m 1 , m 2 , . . . , m l ) and a signature σ = (σ 1 , σ 2 ) on M,<br />
one accepts σ as a valid signature on M if<br />
where V = U ′ + ∑ l<br />
i=1 m iU i .<br />
5.5.1 Security<br />
e(σ 1 , P ) = e(P 1 , P 2 )e(σ 2 , V )<br />
The security of the above signature scheme can be reduced from the hardness of the DBDH<br />
problem. In fact, using the same argument, we can show that the reduction in Theorem 5.2.1.<br />
also holds for this signature scheme. Moreover, the forged signature that the adversary<br />
returns can be used to break the computational Diffie-Hellman problem (CDH) in G 1 . The<br />
CDH problem in G 1 is: given a tuple 〈P, aP, bP 〉, compute abP . The success probability of<br />
an adversary B in solving the CDH problem in G 1 is defined as<br />
Succ CDH<br />
B = Pr[B(P, aP, bP ) = abP ]<br />
where the probability is calculated over the random choice of a, b ∈ Z p as well as the random<br />
bits used by B. Let (Adv SIG (t, q) in this context denote the maximum advantage where the<br />
maximum is taken over all adversaries running in time t and making at most q queries.<br />
Theorem 5.5.1. For t ≥ 1, q ≥ 1; Adv SIG (t, q) ≤ (2/λ)Succ CDH (t + O(τq)), where messages<br />
are chosen from Z N and 1 < l ≤ lg N is a size parameter.<br />
Proof : Brief sketch: This proof also is a reduction. Suppose A is a CPA adversary for<br />
the signature scheme. Then we construct an algorithm S for Computational Diffie-Hellman<br />
problem (CDH). S will take as input a 3-tuple 〈P, aP, bP 〉 where P is a generator of G 1 and<br />
aP, bP ∈ G 1 . We define the following game between S and A.<br />
The Setup and Signature Generation steps of this game is exactly same as the Setup and<br />
Phase 1 in the simulation part of Theorem 5.2.1.<br />
Forge: At this stage the adversary A submits a message M ∗ ∈ Z N and a signature<br />
σ ∗ = (σ ∗ 1, σ ∗ 2) with the constraint that it has not asked for the signature of M ∗ in the<br />
Signature Generation phase. A wins if σ ∗ is a valid signature on M ∗ .<br />
60