Identity-Based Encryption Protocols Using Bilinear Pairing

More documents

Recommendations

Info

Table 6.1: Comparison of HIBE <strong>Protocols</strong>. HIBE Hardness Random Security PP size PK/CT size <strong>Pairing</strong> Protocol Assumption Oracle Degradation (elts. of G 1 ) (elts. of G 1 ) Enc. Dec. GS [49] BDH Yes q H q h 2 j 1 j Waters [89] DBDH No (32nq) h (n + 1)h + 3 j + 1 None j + 1 HIBE-spp DBDH No 4(2l2 n/l σ) h h + l + 3 j + 1 None j + 1 The maximum height of the HIBEs is h; PP, PK and CT respectively stand for public parameter, private key and ciphertext. We compare the PK/CT sizes and number of pairings during decryption for an identity tuple at level j. h = 1 and l = n: The value of h = 1 implies that the HIBE is actually an IBE and l = n implies that each identity is a bit vector of length n. This is the situation originally considered by Waters [89]. In this case, 2q = max(2q, 2 n/l ) and Equation (6.3.2) reduces to ɛ hibe ≤ 32nqɛ dbdh . For n = 160, the degradation is by a factor of 10 × 2 39 . h = 1: This correspond to the IBE considered in the previous chapter. The value of σ depends on the value of l. For example, if l = 1, then σ = 2 n/l = 2 n and hence ɛ hibe ≤ 2 2(n+1) ɛ dbdh . This makes the security degradation unacceptably bad. One would obtain a similar security degradation when converting a selective-ID secure IBE to an IBE secure in the full model. The situation for other values of l has already been discussed in the concrete security analysis of Section 5.3 and hence not repeated here. h > 1: This corresponds to a proper HIBE. If l = n, then we obtain ɛ hibe ≤ 4(8nq) h ɛ dbdh . For n = 160 (and q = 2 30 ), this amounts to ɛ hibe ≤ 4(10 × 2 37 ) h . We consider a few other values of l. If l = 10, then ɛ hibe ≤ 4(10 × 2 48 ) h ɛ dbdh and if l = 32, then ɛ hibe ≤ 2 42h+2 ɛ dbdh . In Table 6.1, we compare the known HIBE protocols which are secure in the full model. We note that HIBE protocols which are secure in the selective-ID model are also secure in the full model with a security degradation of ≈ 2 nh , where h is the number of levels in the HIBE and n is number of bits in the identity. This degradation is far worse than the protocols in Table 6.1. For the GS-HIBE [49], the parameter q H stands for the total number of random oracle queries and in general q H ≈ 2 60 ≫ q [47]. The parameter j in the private key size, ciphertext size and the encryption and decryption columns of Table 6.1 represents the number of levels of the identity on which the operations are performed. The parameter h is the maximum number of levels in the HIBE. For l = n, HIBE-spp requires (h + n + 3) many elements of G 1 as public parameters whereas Waters suggestion requires (n + 1)h + 3 many elements. The security degradation remains the same in both cases. For l < n, the new construction extends the IBE protocol of Chapter 5. In this setting, no previous HIBE protocols were known. 66
6.3.1 Security Reduction The security reduction follows along standard lines and develops on the proof given in previous chapter and in [89, 77]. We need to lower bound the probability of the simulator aborting on certain queries and in the challenge stage. The details of obtaining this lower bound is given in Section 6.3.2. In the following proof, we simply use the lower bound. We want to show that the HIBE is (ɛ hibe , t, q)-CPA secure. In the game sequence style of proofs, we start with the adversarial game defining the CPA-security of the protocol against an adversary A and then obtain a sequence of games as usual. In each of the games, the simulator chooses a bit b and the adversary makes a guess b ′ . By X i we will denote the event that the bit b is equal to the bit b ′ in the ith game. Game 0: This is the usual adversarial game used in defining CPA-secure HIBE. We assume that the adversary’s runtime is t and it makes q key extraction queries. Also, we assume that the adversary maximizes the advantage among all adversaries with similar resources. Thus, we have ɛ hibe = ∣ Pr[X0 ] − 1 ∣ 2 . Game 1: In this game, we setup the protocol from a tuple 〈P, P 1 = aP, P 2 = bP, P 3 = cP, Z = e(P 1 , P 2 ) abc 〉 and answer key extraction queries and generate the challenge. The simulator is assumed to know the values a, b and c. However, the simulator can setup the protocol as well as answer certain private key queries without the knowledge of these values. Also, for certain challenge identities it can generate the challenge ciphertext without the knowledge of a, b and c. In the following, we show how this can be done. If the simulator cannot answer a key extraction query or generate a challenge without using the knowledge of a, b and c, it sets a flag flg to one. The value of flg is initially set to zero. Note that the simulator is always able to answer the adversary (with or without using a, b and c). The adversary is provided with proper replies to all its queries and is also provided the proper challenge ciphertext. Thus, irrespective of whether flg is set to one, the adversary’s view in Game 1 is same as that in Game 0. Hence, we have Pr[X 0 ] = Pr[X 1 ]. We next show how to setup the protocol and answer the queries based on the tuple 〈P, P 1 = aP, P 2 = bP, P 3 = cP, Z = e(P 1 , P 2 ) abc 〉. Set-Up: Recall that σ = max(2q, 2 n/l ). Let m be a prime such that σ < m < 2σ. Our choice of m is different from that of previous works [89, 77] where m was chosen to be equal to 4q and 2q. Choose x ′ 1, . . . , x ′ h and x 1, . . . , x l randomly from Z m ; y 1, ′ . . . , y h ′ and y 1, . . . , y l randomly from Z p . Choose k 1 , . . . , k h randomly from {0, . . . , µ l }. For 1 ≤ j ≤ h, define U j ′ = (p−mk j +x ′ j)P 2 +y jP ′ and for 1 ≤ i ≤ l define U i = x i P 2 +y i P . Set the public parameters of HIBE to be (P, P 1 , P 2 , U 1, ′ . . . , U h ′ , U 1, . . . , U l ). The master secret is aP 2 = abP . The distribution of the public parameters is as expected by A. In its attack, A will make some queries, which have to be properly answered by the simulator. 67
Page 1:
Construction of (Hierarchical) Iden
Page 5:
The scientist does not study nature
Page 9 and 10:
Contents 1 Introduction 1 1.1 Plan
Page 11:
7.4.1 HIBE H 1 . . . . . . . . . .
Page 14 and 15:
the public key. In this setting, an
Page 16 and 17:
adversary in distinguishing two mes
Page 18 and 19:
previous chapter. The second varian
Page 20 and 21:
as it is closer to the known exampl
Page 22 and 23:
Let P i = a i P . An algorithm A ha
Page 24 and 25:
Given the security parameter κ, th
Page 26 and 27:
the Key-Gen algorithm and C is the
Page 28 and 29: Phase 2: A now issues additional qu
Page 30 and 31: Chapter 3 Previous Works in Identit
Page 32 and 33: Decrypt: Decrypt C = 〈U, V 〉 us
Page 34 and 35: Game 2 Suppose B is given a BDH pro
Page 36 and 37: Security of BasicHIBE against chose
Page 38 and 39: BB-HIBE Here individual components
Page 40 and 41: F i (v ∗ i ) = α i P , so C =
Page 42 and 43: Key-Gen: Let v = (v 1 , . . . , v n
Page 44 and 45: Composite HIBE Boneh, Boyen and Goh
Page 46 and 47: Security Given an identity tuple v
Page 48 and 49: Chapter 4 Tate Pairing in General C
Page 50 and 51: order on the elliptic curve E(IF p
Page 52 and 53: the best result. In [57] the author
Page 54 and 55: Hence, we require 3[S] + 8[M] for E
Page 56 and 57: Algorithm 2 (iterated doubling): In
Page 58 and 59: Level 1 : t 1 = Y 2 1 ; t 4 = Z 2 1
Page 60 and 61: Table 4.1: Cost Comparison. Note 1[
Page 62 and 63: problem. - Our construction resembl
Page 64 and 65: is equal to c 2 |IF a | 3 . Thus, t
Page 66 and 67: aborts if F (v ∗ ) ≠ 0 and outp
Page 68 and 69: DBDH problem over (G 1 , G 2 , e) i
Page 70 and 71: these are respectively 2.4 kb and 2
Page 72 and 73: Signing: Let M = (m 1 , m 2 , . . .
Page 74 and 75: model without random oracles. Addit
Page 76 and 77: 6.2 Construction HIBE-spp The ident
Page 80 and 81: For 1 ≤ j ≤ h, we define severa
Page 82 and 83: establish the claim. We provide the
Page 84 and 85: The probability is over the indepen
Page 86 and 87: = ≥ ( ( 1 − Pr 1 − [( q∨ i=
Page 88 and 89: of public parameters is significant
Page 90 and 91: to be I ∗ . It can then ask for t
Page 92 and 93: Phase 2: The adversary issues addit
Page 94 and 95: 7.3 Interpreting Security Models Th
Page 96 and 97: 7.4 Constructions We present severa
Page 98 and 99: 7.4.2 HIBE H 2 The description of H
Page 100 and 101: Since b 0,1 , . . . , b 0,h , b 1 ,
Page 102 and 103: For 1 ≤ i ≤ h, we have V i (y)
Page 104 and 105: 1. The encryption is converted into
Page 106 and 107: Chapter 8 Constant Size Ciphertext
Page 108 and 109: Let a private key for (v 1 , . . .
Page 110 and 111: Phase 1: Suppose a key extraction q
Page 112 and 113: = γ ( P 3 + ) u∑ V i . i=1 If th
Page 114 and 115: Encrypt: To encrypt a message M ∈
Page 116 and 117: and outputs a random bit if there i
Page 118 and 119: Chapter 9 Augmented Selective-ID Mo
Page 120 and 121: Phase 1 and Phase 2: As discussed i
Page 122 and 123: an adversary has to commit to an id
Page 124 and 125: Table 9.1: Comparison of BBG-HIBE a
Page 126 and 127: where ˜r = (r − αk F k ). Also
Page 128 and 129:
The maximum height of the HIBE be h
Page 130 and 131:
B declares the public parameters to
Page 132 and 133:
So, the challenge ciphertext is ( C
Page 134 and 135:
Choose a random r ∗ ∈ Z p and f
Page 136 and 137:
The size of the private key in the
Page 138 and 139:
generalisation and move on to addre
Page 140 and 141:
Table 10.3: Comparison of HIBE prot
Page 142 and 143:
[9] Paulo S. L. M. Barreto, Ben Lyn
Page 144 and 145:
[31] Sanjit Chatterjee and Palash S
Page 146 and 147:
[55] Florian Hess, Nigel P. Smart,
Page 148:
[81] Palash Sarkar. Head: Hybrid en
show all

Identity-Based Encryption Protocols Using Bilinear Pairing

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?