Identity-Based Encryption Protocols Using Bilinear Pairing

More documents

Recommendations

Info

For 1 ≤ j ≤ h, we define several functions. Let v = (v 1 , . . . , v l ) where each v i is an n/l-bit string considered to be an integer from the set {0, . . . , 2 n/l − 1}. We define F j (v) = p − mk j + x ′ j + ∑ l i=1 x ⎫ iv i J j (v) = y j ′ + ∑ l i=1 y iv i L j (v) = x ′ j + ∑ ⎪⎬ l i=1 x iv i (mod m) (6.3.3) { 0 if Lj (v) = 0 K j (v) = ⎪⎭ 1 otherwise. Recall that we have assumed 2σ(1 + µ l ) < p. Let F min and F max be the minimum and maximum values of F j (v). F min is achieved when k j is maximum and x ′ j and the x i ’s are all zero. Thus, F min = p − mµ l . We have mµ l < 2σ(1 + µ l ) and by assumption 2σ(1 + µ l ) < p. Hence, F min > 0. Again F max is achieved when k j = 0 and x ′ j and the x i ’s and v i ’s are equal to their respective maximum values. We get F max < p + m(1 + l(2 n/l − 1)) = p + m(1 + µ l ) < p + 2σ(1 + µ l ) < 2p. Thus, we have 0 < F min ≤ F j (v) ≤ F max < 2p. Consequently, F j (v) ≡ 0 mod p if and only if F j (v) = p which holds if and only if −mk j +x ′ j + ∑ l i=1 x iv i = 0. Now we describe how the queries made by A are answered by B. The queries can be made in both Phases 1 and 2 of the adversarial game (subject to the usual restrictions). The manner in which they are answered by the simulator is the same in both the phases. Key Extraction Query: Suppose A makes a key extraction query on the identity v = (v 1 , . . . , v j ). Suppose there is a u with 1 ≤ u ≤ j such that K u (v u ) = 1. Otherwise set flg to one. In the second case, the simulator uses the value of a to return the proper decryption key d v = (aP 2 + ∑ j i=1 r iV i , r 1 V 1 , . . . , r j V j ). In the first case, the simulator constructs a decryption key in the following manner. Choose random r 1 , . . . , r j from Z p and define d 0|u = − Ju(vu) P ⎫ F u(v u) 1 + r u (F u (v u )P 2 + J u (v u )P ) −1 d u = P ⎪⎬ F u(v u) 1 + r u P (6.3.4) d k = r k P for k ≠ u d v = (d 0|u + ∑ k∈{1,...,j}\{u} r kV k , d 1 , . . . , d j ) ⎪⎭ The quantity d v is a proper private key corresponding to the identity v. The can be verified using an algebraic technique similar to that in the simulation of Theorem 5.2.1. of Chapter 5. This is provided to A. Challenge: Let the challenge identity be v ∗ = (v1, ∗ . . . , vh ∗ ∗), 1 ≤ h∗ ≤ h and the messages be M 0 and M 1 . Choose a random bit b. We need to have F k (vk ∗ ) ≡ 0 mod p for all 1 ≤ k ≤ h ∗ . If this condition does not hold, then set flg to one. In the second case, the simulator uses the value of c to provide a proper encryption of M b to A by computing (M b × e(P 1 , P 2 ) c , cP, cV 1 , . . . , cV h ∗). In the first case, it constructs a proper encryption of M b in the following manner. (M b × Z, C 1 = P 3 , B 1 = J 1 (v ∗ 1)P 3 , . . . , B h ∗ = J h ∗(v ∗ h ∗)P 3). 68
We require B j to be equal to cV j (vj) ∗ for 1 ≤ j ≤ h ∗ . Recall that the definition of V j (v) is V j (v) = U j ′ + ∑ l k=1 v kU k . <strong>Using</strong> the definition of U j ′ and the U k ’s as defined in the setup by the simulator, we obtain, cV i = c(F i (vi ∗ )P 2 + J i (vi ∗ )P ) = J i (vi ∗ )cP = J i (vi ∗ )P 3 . Here we use the fact, F i (vi ∗ ) ≡ 0 mod p. Hence, the quantities B 1 , . . . , B h ∗ are properly formed. Guess: The adversary outputs a guess b ′ of b. Game 2: This is a modification of Game 1 whereby the Z in Game 1 is now chosen to be a random element of G 2 . This Z is used to mask the message M b in the challenge ciphertext. Since Z is random, the first component of the challenge ciphertext is a random element of G 2 and provides no information to the adversary about b. Thus, Pr[X 2 ] = 1. 2 We have the following claim. Claim: |Pr[X 1 ] − Pr[X 2 ]| ≤ ɛ dbdh λ + ɛ hibe 2 . Proof : The change from Game 1 to Game 2 corresponds to an “indistinguishability” step in Shoup’s tutorial [85] on such games. Usually, it is easy to bound the probability difference. In this case, the situation is complicated by the fact that there is a need to abort. We show that it is possible to obtain an algorithm B for DBDH by extending Games 1 and 2. The extension of both the games is same and is described as follows. B takes as input a tuple (P, aP, bP, cP, Z) and sets up the HIBE protocol as in Game 1 (The setup of Games 1 and 2 are the same). The key extraction queries are answered and the challenge ciphertext is generated as in Game 1. If at any point of time flg is set to one by the game, then B outputs a random bit and aborts. This is because the query cannot be answered or the challenge ciphertext cannot be generated using the input tuple. At the end of the game, the adversary outputs the guess b ′ . B now goes through a separate abort stage as follows. “Artificial Abort”: The probability that B aborts in the query or challenge phases depends on the adversary’s input. The goal of the artificial abort step is to make the probability of abort independent of the adversary’s queries by ensuring that in all cases its probability of abort is the maximum possible. This is done by sampling the transcript of adversary’s query and in certain cases aborting. The sampling procedure introduces the extra component O(ɛ −2 hibe ln(ɛ−1 hibe )λ−1 ln(λ −1 )) into the simulator’s runtime. (For details see [89, 77].) Here λ is a lower bound on the probability that B does not abort before entering the artificial abort stage. The expression for λ is obtained in Proposition 6.3.3. of Section 6.3.2. Output: If B has not aborted up to this stage, then it outputs 1 if b = b ′ ; else 0. Note that if Z is real, then the adversary is playing Game 1 and if Z is random, then the adversary is playing Game 2. The time taken by the simulator in either Game 1 or 2 is clearly t + χ(ɛ hibe ). From this point, standard inequalities and probability calculations 69
Page 1:
Construction of (Hierarchical) Iden
Page 5:
The scientist does not study nature
Page 9 and 10:
Contents 1 Introduction 1 1.1 Plan
Page 11:
7.4.1 HIBE H 1 . . . . . . . . . .
Page 14 and 15:
the public key. In this setting, an
Page 16 and 17:
adversary in distinguishing two mes
Page 18 and 19:
previous chapter. The second varian
Page 20 and 21:
as it is closer to the known exampl
Page 22 and 23:
Let P i = a i P . An algorithm A ha
Page 24 and 25:
Given the security parameter κ, th
Page 26 and 27:
the Key-Gen algorithm and C is the
Page 28 and 29:
Phase 2: A now issues additional qu
Page 30 and 31: Chapter 3 Previous Works in Identit
Page 32 and 33: Decrypt: Decrypt C = 〈U, V 〉 us
Page 34 and 35: Game 2 Suppose B is given a BDH pro
Page 36 and 37: Security of BasicHIBE against chose
Page 38 and 39: BB-HIBE Here individual components
Page 40 and 41: F i (v ∗ i ) = α i P , so C =
Page 42 and 43: Key-Gen: Let v = (v 1 , . . . , v n
Page 44 and 45: Composite HIBE Boneh, Boyen and Goh
Page 46 and 47: Security Given an identity tuple v
Page 48 and 49: Chapter 4 Tate Pairing in General C
Page 50 and 51: order on the elliptic curve E(IF p
Page 52 and 53: the best result. In [57] the author
Page 54 and 55: Hence, we require 3[S] + 8[M] for E
Page 56 and 57: Algorithm 2 (iterated doubling): In
Page 58 and 59: Level 1 : t 1 = Y 2 1 ; t 4 = Z 2 1
Page 60 and 61: Table 4.1: Cost Comparison. Note 1[
Page 62 and 63: problem. - Our construction resembl
Page 64 and 65: is equal to c 2 |IF a | 3 . Thus, t
Page 66 and 67: aborts if F (v ∗ ) ≠ 0 and outp
Page 68 and 69: DBDH problem over (G 1 , G 2 , e) i
Page 70 and 71: these are respectively 2.4 kb and 2
Page 72 and 73: Signing: Let M = (m 1 , m 2 , . . .
Page 74 and 75: model without random oracles. Addit
Page 76 and 77: 6.2 Construction HIBE-spp The ident
Page 78 and 79: Table 6.1: Comparison of HIBE Proto
Page 82 and 83: establish the claim. We provide the
Page 84 and 85: The probability is over the indepen
Page 86 and 87: = ≥ ( ( 1 − Pr 1 − [( q∨ i=
Page 88 and 89: of public parameters is significant
Page 90 and 91: to be I ∗ . It can then ask for t
Page 92 and 93: Phase 2: The adversary issues addit
Page 94 and 95: 7.3 Interpreting Security Models Th
Page 96 and 97: 7.4 Constructions We present severa
Page 98 and 99: 7.4.2 HIBE H 2 The description of H
Page 100 and 101: Since b 0,1 , . . . , b 0,h , b 1 ,
Page 102 and 103: For 1 ≤ i ≤ h, we have V i (y)
Page 104 and 105: 1. The encryption is converted into
Page 106 and 107: Chapter 8 Constant Size Ciphertext
Page 108 and 109: Let a private key for (v 1 , . . .
Page 110 and 111: Phase 1: Suppose a key extraction q
Page 112 and 113: = γ ( P 3 + ) u∑ V i . i=1 If th
Page 114 and 115: Encrypt: To encrypt a message M ∈
Page 116 and 117: and outputs a random bit if there i
Page 118 and 119: Chapter 9 Augmented Selective-ID Mo
Page 120 and 121: Phase 1 and Phase 2: As discussed i
Page 122 and 123: an adversary has to commit to an id
Page 124 and 125: Table 9.1: Comparison of BBG-HIBE a
Page 126 and 127: where ˜r = (r − αk F k ). Also
Page 128 and 129: The maximum height of the HIBE be h
Page 130 and 131:
B declares the public parameters to
Page 132 and 133:
So, the challenge ciphertext is ( C
Page 134 and 135:
Choose a random r ∗ ∈ Z p and f
Page 136 and 137:
The size of the private key in the
Page 138 and 139:
generalisation and move on to addre
Page 140 and 141:
Table 10.3: Comparison of HIBE prot
Page 142 and 143:
[9] Paulo S. L. M. Barreto, Ben Lyn
Page 144 and 145:
[31] Sanjit Chatterjee and Palash S
Page 146 and 147:
[55] Florian Hess, Nigel P. Smart,
Page 148:
[81] Palash Sarkar. Head: Hybrid en
show all

Identity-Based Encryption Protocols Using Bilinear Pairing

Create successful ePaper yourself

Delete template?

Save as template?