Identity-Based Encryption Protocols Using Bilinear Pairing
Identity-Based Encryption Protocols Using Bilinear Pairing
Identity-Based Encryption Protocols Using Bilinear Pairing
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
The probability is over the independent and uniform random choices of x ′ 1, . . . , x ′ j, x 1 , . . . , x l<br />
from Z m . Consequently, we have<br />
[<br />
]<br />
Pr L θ (v θ) ′ j∧<br />
= 0<br />
(L k (v k ) = 0) = 1 ∣<br />
m .<br />
k=1<br />
Proof : The proof is similar to the proof of Proposition 6.3.1. Without loss of generality,<br />
we may assume that θ = j, since otherwise we may rename variables to achieve this. The<br />
condition (L θ (v θ ′ ) = 0) ∧ ∧ j<br />
k=1 (L k(v k ) = 0) is equivalent to a system of linear equations<br />
xA = 0 over Z m . In this case, the form of A is the following.<br />
[ ]<br />
Ij c<br />
A =<br />
T O j×l<br />
V l×j (v j) ′ T O l×l<br />
where c = (0, . . . , 0, 1); c T denotes the transpose of c and (v ′ j) T is the transpose of v ′ j. The<br />
first j columns of A are linearly independent. The (j + 1)th column of A is clearly linearly<br />
independent of the first (j − 1) columns. We have v j ≠ v ′ j. Since each component of both v j<br />
and v ′ j is less than 2 n/l and m > 2 n/l , we have v j ≢ v ′ j mod m. <strong>Using</strong> this, it is not difficult<br />
to see that the first (j + 1) columns of A are linearly independent and hence the rank of A is<br />
(j + 1). (Note that if m ≤ 2 n/l , then it is possible to have v j ≠ v ′ j but v j ≡ v ′ j mod m. Then<br />
the jth and (j + 1)th columns of A are equal and the rank of A is j.) Consequently, the<br />
dimension of the solution space is l − 1 and there are m l−1 solutions in (x ′ 1, . . . , x ′ j, x 1 , . . . , x l )<br />
to the system of linear equations. Since the x ′ ’s and the x’s are chosen independently and<br />
uniformly at random from Z m , the probability of getting a solution is m l−1 /m l+j = 1/m j+1 .<br />
This proves the first part of the result. The proof of the second part is similar to that of<br />
Proposition 6.3.1..<br />
Proposition 6.3.3. The probability that the simulator in the proof of Theorem 6.3.1. does<br />
not abort before the artificial abort stage is at least<br />
1<br />
2(2σ(µ l +1)) h .<br />
Proof : We consider the simulator in the proof of Theorem 6.3.1. Up to the artificial<br />
abort stage, the simulator could abort on either a key extraction query or in the challenge<br />
stage. Let abort be the event that the simulator aborts before the artificial abort stage. For<br />
1 ≤ i ≤ q, let E i denote the event that the simulator does not abort on the ith key extraction<br />
query and let C be the event that the simulator does not abort in the challenge stage. We<br />
have<br />
[( q∧<br />
) ]<br />
E i<br />
i=1<br />
Pr[abort] = Pr<br />
= Pr<br />
[( q∧<br />
i=1<br />
E i<br />
)<br />
∧ C<br />
|C<br />
]<br />
Pr[C]<br />
73