Identity-Based Encryption Protocols Using Bilinear Pairing
Identity-Based Encryption Protocols Using Bilinear Pairing
Identity-Based Encryption Protocols Using Bilinear Pairing
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
Encrypt: Let v = (v 1 , . . . , v j ) be the identity under which a message M ∈ G 2 is to be<br />
encrypted. Choose s to be a random element of Z p . The ciphertext is<br />
(C 0 = M × e(P 1 , P 2 ) s , C 1 = sP, B 1 = sV 1 (v 1 ), . . . , B j = sV j (v j )).<br />
Decrypt: Let C = (C 0 , C 1 , B 1 , . . . , B j ) be a ciphertext and the corresponding identity<br />
v = (v 1 , . . . , v j ). Let (d 0 , d 1 , . . . , d j ) be the decryption key corresponding to the identity v.<br />
The decryption steps are as follows.<br />
Verify whether C 0 is in G 2 , C 1 and the B i ’s are in G 1 . If any of these verifications fail,<br />
then return bad, else proceed with further decryption as follows. Return<br />
∏ j<br />
k=1<br />
C 0 ×<br />
e(B i, d i )<br />
.<br />
e(d 0 , C 1 )<br />
It is standard to verify the consistency of decryption.<br />
6.3 Security<br />
We first state the result on security and discuss its implications.<br />
Theorem 6.3.1. The protocol HIBE-spp described in Section 6.2 is (ɛ hibe , t, q)-IND-ID-CPA<br />
secure assuming that the (t ′ , ɛ dbdh )-DBDH assumption holds in 〈G 1 , G 2 , e〉, where ɛ hibe<br />
2ɛ dbdh /λ; t ′ = t + χ(ɛ hibe ) and<br />
χ(ɛ) = O(τq + O(ɛ −2 ln(ɛ −1 )λ −1 ln(λ −1 ));<br />
τ is the time required for one scalar multiplication in G 1 ;<br />
λ = 1/(2(2σ(µ l + 1)) h ) with µ l = l(N 1/l − 1), N = 2 n and σ = max(2q, 2 n/l ).<br />
We further assume 2σ(1 + µ l ) < p.<br />
Before proceeding to the proof, we discuss the above result. The main point of the theorem<br />
is the bound on ɛ hibe . This is given in terms of λ and in turn in terms of µ l . We simplify<br />
this bound.<br />
Since l ≥ 1, we have 1 + µ l = 1 + l(N 1/l − 1) ≤ lN 1/l = l2 n/l . Consequently,<br />
ɛ hibe ≤ 2ɛ dbdh<br />
= 4(2σ(µ l + 1)) h ɛ dbdh<br />
λ<br />
≤ 4(2σl2 n/l ) h ɛ dbdh<br />
= 4(2l2 n/l ) h σ h ɛ dbdh (6.3.2)<br />
The reduction is not tight; security degrades by a factor of 4(2l2 n/l ) h σ h . We now consider<br />
several cases. The actual value of degradation depends on the value of q, the number of key<br />
extraction queries made by the adversary. A value of q used in the previous chapter and also<br />
in earlier analysis is q = 2 30 [47]. We will use this value of q in the subsequent analysis.<br />
65<br />
≤