Identity-Based Encryption Protocols Using Bilinear Pairing

More documents

Recommendations

Info

6.2 Construction HIBE-spp The identities are of the type (v 1 , . . . , v j ), for ≤ j ≤ h where each v k = (v k,1 , . . . , v k,l ) and v k,i is an (n/l)-bit string which will also be considered to be an integer in the set {0, . . . , 2 n/l −1}. Choosing l = n gives v k to be an n-bit string as considered by Waters [89]. Set-Up: The public parameters are the following elements: P , P 1 = αP , P 2 , U ′ 1, . . . , U ′ h , U 1 , . . . , U l , where G 1 = 〈P 〉, α is chosen randomly from Z p and the other quantities are chosen randomly from G 1 . The master secret is αP 2 . (The quantities P 1 and P 2 are not directly required; instead e(P 1 , P 2 ) is required. Hence one may store e(P 1 , P 2 ) as part of the public parameters instead of P 1 and P 2 .) A Useful Notation: Let v = (v 1 , . . . , v l ), where each v i is an (n/l)-bit string and is considered to be an element of Z 2 n/l. For 1 ≤ k ≤ h we define, V k (v) = U ′ k + l∑ v i U i . (6.2.1) i=1 When v is clear from the context we will write V k instead of V k (v). The modularity introduced by this notation allows an easier understanding of the protocol. Note that for the jth level of the HIBE, we add a single element, i.e., U ′ j in the public parameter while the elements U 1 , . . . , U l are re-used for each level. This way we are able to shorten the public parameter size. Later in the security reduction we show that the simulator forms U ′ js, 1 ≤ j ≤ h in such a way that it is able to answer the adversarial queries. Key-Gen: Let v = (v 1 , . . . , v j ), j ≤ h, be the identity for which the private key is required. Choose r 1 , . . . , r j randomly from Z p and define d v = (d 0 , d 1 , . . . , d j ) where d 0 = αP 2 + j∑ r k V k (v k ) and d k = r k P for 1 ≤ k ≤ j. Key delegation can be done in the manner shown in [17]. Suppose (d ′ 0, d ′ 1, . . . , d ′ j−1) is a private key for the identity (v 1 , . . . , v j−1 ). To generate a private key for v, r j randomly from Z p and compute d v as follows. k=1 d 0 = d ′ 0 + r j V j (v j ); d i = d ′ i 1 ≤ i ≤ j − 1; d j = r j P. 64
Encrypt: Let v = (v 1 , . . . , v j ) be the identity under which a message M ∈ G 2 is to be encrypted. Choose s to be a random element of Z p . The ciphertext is (C 0 = M × e(P 1 , P 2 ) s , C 1 = sP, B 1 = sV 1 (v 1 ), . . . , B j = sV j (v j )). Decrypt: Let C = (C 0 , C 1 , B 1 , . . . , B j ) be a ciphertext and the corresponding identity v = (v 1 , . . . , v j ). Let (d 0 , d 1 , . . . , d j ) be the decryption key corresponding to the identity v. The decryption steps are as follows. Verify whether C 0 is in G 2 , C 1 and the B i ’s are in G 1 . If any of these verifications fail, then return bad, else proceed with further decryption as follows. Return ∏ j k=1 C 0 × e(B i, d i ) . e(d 0 , C 1 ) It is standard to verify the consistency of decryption. 6.3 Security We first state the result on security and discuss its implications. Theorem 6.3.1. The protocol HIBE-spp described in Section 6.2 is (ɛ hibe , t, q)-IND-ID-CPA secure assuming that the (t ′ , ɛ dbdh )-DBDH assumption holds in 〈G 1 , G 2 , e〉, where ɛ hibe 2ɛ dbdh /λ; t ′ = t + χ(ɛ hibe ) and χ(ɛ) = O(τq + O(ɛ −2 ln(ɛ −1 )λ −1 ln(λ −1 )); τ is the time required for one scalar multiplication in G 1 ; λ = 1/(2(2σ(µ l + 1)) h ) with µ l = l(N 1/l − 1), N = 2 n and σ = max(2q, 2 n/l ). We further assume 2σ(1 + µ l ) < p. Before proceeding to the proof, we discuss the above result. The main point of the theorem is the bound on ɛ hibe . This is given in terms of λ and in turn in terms of µ l . We simplify this bound. Since l ≥ 1, we have 1 + µ l = 1 + l(N 1/l − 1) ≤ lN 1/l = l2 n/l . Consequently, ɛ hibe ≤ 2ɛ dbdh = 4(2σ(µ l + 1)) h ɛ dbdh λ ≤ 4(2σl2 n/l ) h ɛ dbdh = 4(2l2 n/l ) h σ h ɛ dbdh (6.3.2) The reduction is not tight; security degrades by a factor of 4(2l2 n/l ) h σ h . We now consider several cases. The actual value of degradation depends on the value of q, the number of key extraction queries made by the adversary. A value of q used in the previous chapter and also in earlier analysis is q = 2 30 [47]. We will use this value of q in the subsequent analysis. 65 ≤
Page 1:
Construction of (Hierarchical) Iden
Page 5:
The scientist does not study nature
Page 9 and 10:
Contents 1 Introduction 1 1.1 Plan
Page 11:
7.4.1 HIBE H 1 . . . . . . . . . .
Page 14 and 15:
the public key. In this setting, an
Page 16 and 17:
adversary in distinguishing two mes
Page 18 and 19:
previous chapter. The second varian
Page 20 and 21:
as it is closer to the known exampl
Page 22 and 23:
Let P i = a i P . An algorithm A ha
Page 24 and 25:
Given the security parameter κ, th
Page 26 and 27: the Key-Gen algorithm and C is the
Page 28 and 29: Phase 2: A now issues additional qu
Page 30 and 31: Chapter 3 Previous Works in Identit
Page 32 and 33: Decrypt: Decrypt C = 〈U, V 〉 us
Page 34 and 35: Game 2 Suppose B is given a BDH pro
Page 36 and 37: Security of BasicHIBE against chose
Page 38 and 39: BB-HIBE Here individual components
Page 40 and 41: F i (v ∗ i ) = α i P , so C =
Page 42 and 43: Key-Gen: Let v = (v 1 , . . . , v n
Page 44 and 45: Composite HIBE Boneh, Boyen and Goh
Page 46 and 47: Security Given an identity tuple v
Page 48 and 49: Chapter 4 Tate Pairing in General C
Page 50 and 51: order on the elliptic curve E(IF p
Page 52 and 53: the best result. In [57] the author
Page 54 and 55: Hence, we require 3[S] + 8[M] for E
Page 56 and 57: Algorithm 2 (iterated doubling): In
Page 58 and 59: Level 1 : t 1 = Y 2 1 ; t 4 = Z 2 1
Page 60 and 61: Table 4.1: Cost Comparison. Note 1[
Page 62 and 63: problem. - Our construction resembl
Page 64 and 65: is equal to c 2 |IF a | 3 . Thus, t
Page 66 and 67: aborts if F (v ∗ ) ≠ 0 and outp
Page 68 and 69: DBDH problem over (G 1 , G 2 , e) i
Page 70 and 71: these are respectively 2.4 kb and 2
Page 72 and 73: Signing: Let M = (m 1 , m 2 , . . .
Page 74 and 75: model without random oracles. Addit
Page 78 and 79: Table 6.1: Comparison of HIBE Proto
Page 80 and 81: For 1 ≤ j ≤ h, we define severa
Page 82 and 83: establish the claim. We provide the
Page 84 and 85: The probability is over the indepen
Page 86 and 87: = ≥ ( ( 1 − Pr 1 − [( q∨ i=
Page 88 and 89: of public parameters is significant
Page 90 and 91: to be I ∗ . It can then ask for t
Page 92 and 93: Phase 2: The adversary issues addit
Page 94 and 95: 7.3 Interpreting Security Models Th
Page 96 and 97: 7.4 Constructions We present severa
Page 98 and 99: 7.4.2 HIBE H 2 The description of H
Page 100 and 101: Since b 0,1 , . . . , b 0,h , b 1 ,
Page 102 and 103: For 1 ≤ i ≤ h, we have V i (y)
Page 104 and 105: 1. The encryption is converted into
Page 106 and 107: Chapter 8 Constant Size Ciphertext
Page 108 and 109: Let a private key for (v 1 , . . .
Page 110 and 111: Phase 1: Suppose a key extraction q
Page 112 and 113: = γ ( P 3 + ) u∑ V i . i=1 If th
Page 114 and 115: Encrypt: To encrypt a message M ∈
Page 116 and 117: and outputs a random bit if there i
Page 118 and 119: Chapter 9 Augmented Selective-ID Mo
Page 120 and 121: Phase 1 and Phase 2: As discussed i
Page 122 and 123: an adversary has to commit to an id
Page 124 and 125: Table 9.1: Comparison of BBG-HIBE a
Page 126 and 127:
where ˜r = (r − αk F k ). Also
Page 128 and 129:
The maximum height of the HIBE be h
Page 130 and 131:
B declares the public parameters to
Page 132 and 133:
So, the challenge ciphertext is ( C
Page 134 and 135:
Choose a random r ∗ ∈ Z p and f
Page 136 and 137:
The size of the private key in the
Page 138 and 139:
generalisation and move on to addre
Page 140 and 141:
Table 10.3: Comparison of HIBE prot
Page 142 and 143:
[9] Paulo S. L. M. Barreto, Ben Lyn
Page 144 and 145:
[31] Sanjit Chatterjee and Palash S
Page 146 and 147:
[55] Florian Hess, Nigel P. Smart,
Page 148:
[81] Palash Sarkar. Head: Hybrid en
show all

Identity-Based Encryption Protocols Using Bilinear Pairing

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?