Identity-Based Encryption Protocols Using Bilinear Pairing

More documents

Recommendations

Info

= ≥ ( ( 1 − Pr 1 − [( q∨ i=1 ¬E i ) |C ]) ) q∑ Pr [¬E i |C ] Pr[C]. i=1 Pr[C] We first consider the event C. Suppose the challenge identity is v ∗ = (v1, ∗ . . . , vh ∗ ∗). Event C holds if and only if F j (vj) ∗ ≡ 0 mod p for 1 ≤ j ≤ h ∗ . Recall that by choice of p, we can assume F j (vj) ∗ ≡ 0 mod p if and only if x ′ j + ∑ l k=1 x kv j,k = mk j . Hence, [ h ∗ ( )] ∧ l∑ Pr[C] = Pr x ′ j + x k v j,k = mk j . (6.3.11) j=1 For 1 ≤ j ≤ h ∗ and 0 ≤ i ≤ µ l , denote the event x ′ j + ∑ l k=1 x kv j,k = mi by A j,i and the event k j = i by B j,i . Also, let C j,i be the event A j,i ∧ B j,i . Note that the event ∨ µ l i=0 A j,i is equivalent to the condition x ′ j + ∑ l k=1 x kv j,k ≡ 0 mod m and hence equivalent to the condition L j (v j ) = 0. Since k j is chosen uniformly at random from the set {0, . . . , µ l }, we have Pr[B j,i ] = 1/(1 + µ l ) for all j and i. The events B j,i ’s are independent of each other and also independent of the A j,i ’s. We have [ h ∗ ( )] ∧ l∑ Pr x ′ j + x k v j,k = mk j = Pr = Pr ⎣ [ h ∗ ∧ ⎡ = Pr ⎣ = = = = ⎡ j=1 j=1 ( µl k=1 )] ∨ C j,i i=0 ∨ i 1 ,...,i h ∗∈{0,...,µ l } ∨ i 1 ,...,i h ∗∈{0,...,µ l } ∑ i 1 ,...,i h ∗∈{0,...,µ l } ∑ i 1 ,...,i h ∗∈{0,...,µ l } 1 ∑ (1 + µ l ) h∗ ⎡ 1 ∨ Pr ⎣ (1 + µ l ) h∗ k=1 ⎤ (C 1,i1 ∧ · · · ∧ C h ∗ ,i h ∗) ⎦ (A 1,i1 ∧ B 1,i1 ∧ · · · ∧ A h ∗ ,i h ∗ ∧ B h ∗ ,i h ∗) ⎦ Pr [A 1,i1 ∧ B 1,i1 ∧ · · · ∧ A h ∗ ,i h ∗ ∧ B h ∗ ,i h ∗] Pr [A 1,i1 ∧ · · · ∧ A h ∗ ,i h ∗] × Pr [B 1,i1 ∧ · · · ∧ B h ∗ ,i h ∗] i 1 ,...,i h ∗∈{0,...,µ l } i 1 ,...,i h ∗∈{0,...,µ l } Pr [A 1,i1 ∧ · · · ∧ A h ∗ ,i h ∗] ⎤ (A 1,i1 ∧ · · · ∧ A h ∗ ,i h ∗) ⎦ 74 ⎤
= = = [ h ∗ 1 ∧ Pr (1 + µ l ) h∗ 1 (1 + µ l ) h∗ Pr 1 (m(1 + µ l )) h∗ j=1 [ h ∗ ∧ j=1 ( µl )] ∨ A j,i i=0 (L j (v j ) = 0) ] The last equality follows from Proposition 6.3.1. Now we turn to bounding Pr[¬E i |C]. For simplicity of notation, we will drop the subscript i from E i and consider the event E that the simulator does not abort on a particular key extraction query on an identity (v 1 , . . . , v j ). By the simulation, the event ¬E implies that L i (v i ) = 0 for all 1 ≤ i ≤ j. This holds even when the event is conditioned under C. Thus, we have Pr[¬E|C] ≤ Pr[∧ j i=1 L i(v i ) = 0|C]. The number of components in the challenge identity is h ∗ and now two cases can happen: j ≤ h ∗ : By the protocol constraint (a prefix of the challenge identity cannot be queried to the key extraction oracle), we must have a θ with 1 ≤ θ ≤ j such that v θ ≠ vθ ∗. j > h ∗ : In this case, we choose θ = h ∗ + 1. Now we have [ j∧ Pr[¬E|C] ≤ Pr L i (v i ) = 0|C i=1 ] ≤ Pr[L θ (v θ ) = 0|C] = Pr [ L θ (v θ ) = 0| h ∗ ∧ i=1 L i (v ∗ i ) = 0 ] = 1/m. The last equality follows from an application of either Proposition 6.3.1. or Proposition 6.3.2. according as whether j > h ∗ or j ≤ h ∗ . Substituting this in the bound for Pr[abort] we obtain ( ) q∑ Pr[abort] ≥ 1 − Pr [¬E i |C ] Pr[C]. ≥ ≥ i=1 ( 1 − q ) m ( 1 − q ) m 1 (m(µ l + 1)) h∗ 1 (m(µ l + 1)) h ≥ 1 2 × 1 (2σ(µ l + 1)) h . We use h ≥ h ∗ and 2q ≤ σ < m < 2σ to obtain the inequalities. This completes the proof. 6.4 Conclusion In this chapter, we have presented a construction of a HIBE which builds upon the previous IBE protocols. The HIBE is secure in the full model without random oracle. The number 75
Page 1:
Construction of (Hierarchical) Iden
Page 5:
The scientist does not study nature
Page 9 and 10:
Contents 1 Introduction 1 1.1 Plan
Page 11:
7.4.1 HIBE H 1 . . . . . . . . . .
Page 14 and 15:
the public key. In this setting, an
Page 16 and 17:
adversary in distinguishing two mes
Page 18 and 19:
previous chapter. The second varian
Page 20 and 21:
as it is closer to the known exampl
Page 22 and 23:
Let P i = a i P . An algorithm A ha
Page 24 and 25:
Given the security parameter κ, th
Page 26 and 27:
the Key-Gen algorithm and C is the
Page 28 and 29:
Phase 2: A now issues additional qu
Page 30 and 31:
Chapter 3 Previous Works in Identit
Page 32 and 33:
Decrypt: Decrypt C = 〈U, V 〉 us
Page 34 and 35:
Game 2 Suppose B is given a BDH pro
Page 36 and 37: Security of BasicHIBE against chose
Page 38 and 39: BB-HIBE Here individual components
Page 40 and 41: F i (v ∗ i ) = α i P , so C =
Page 42 and 43: Key-Gen: Let v = (v 1 , . . . , v n
Page 44 and 45: Composite HIBE Boneh, Boyen and Goh
Page 46 and 47: Security Given an identity tuple v
Page 48 and 49: Chapter 4 Tate Pairing in General C
Page 50 and 51: order on the elliptic curve E(IF p
Page 52 and 53: the best result. In [57] the author
Page 54 and 55: Hence, we require 3[S] + 8[M] for E
Page 56 and 57: Algorithm 2 (iterated doubling): In
Page 58 and 59: Level 1 : t 1 = Y 2 1 ; t 4 = Z 2 1
Page 60 and 61: Table 4.1: Cost Comparison. Note 1[
Page 62 and 63: problem. - Our construction resembl
Page 64 and 65: is equal to c 2 |IF a | 3 . Thus, t
Page 66 and 67: aborts if F (v ∗ ) ≠ 0 and outp
Page 68 and 69: DBDH problem over (G 1 , G 2 , e) i
Page 70 and 71: these are respectively 2.4 kb and 2
Page 72 and 73: Signing: Let M = (m 1 , m 2 , . . .
Page 74 and 75: model without random oracles. Addit
Page 76 and 77: 6.2 Construction HIBE-spp The ident
Page 78 and 79: Table 6.1: Comparison of HIBE Proto
Page 80 and 81: For 1 ≤ j ≤ h, we define severa
Page 82 and 83: establish the claim. We provide the
Page 84 and 85: The probability is over the indepen
Page 88 and 89: of public parameters is significant
Page 90 and 91: to be I ∗ . It can then ask for t
Page 92 and 93: Phase 2: The adversary issues addit
Page 94 and 95: 7.3 Interpreting Security Models Th
Page 96 and 97: 7.4 Constructions We present severa
Page 98 and 99: 7.4.2 HIBE H 2 The description of H
Page 100 and 101: Since b 0,1 , . . . , b 0,h , b 1 ,
Page 102 and 103: For 1 ≤ i ≤ h, we have V i (y)
Page 104 and 105: 1. The encryption is converted into
Page 106 and 107: Chapter 8 Constant Size Ciphertext
Page 108 and 109: Let a private key for (v 1 , . . .
Page 110 and 111: Phase 1: Suppose a key extraction q
Page 112 and 113: = γ ( P 3 + ) u∑ V i . i=1 If th
Page 114 and 115: Encrypt: To encrypt a message M ∈
Page 116 and 117: and outputs a random bit if there i
Page 118 and 119: Chapter 9 Augmented Selective-ID Mo
Page 120 and 121: Phase 1 and Phase 2: As discussed i
Page 122 and 123: an adversary has to commit to an id
Page 124 and 125: Table 9.1: Comparison of BBG-HIBE a
Page 126 and 127: where ˜r = (r − αk F k ). Also
Page 128 and 129: The maximum height of the HIBE be h
Page 130 and 131: B declares the public parameters to
Page 132 and 133: So, the challenge ciphertext is ( C
Page 134 and 135: Choose a random r ∗ ∈ Z p and f
Page 136 and 137:
The size of the private key in the
Page 138 and 139:
generalisation and move on to addre
Page 140 and 141:
Table 10.3: Comparison of HIBE prot
Page 142 and 143:
[9] Paulo S. L. M. Barreto, Ben Lyn
Page 144 and 145:
[31] Sanjit Chatterjee and Palash S
Page 146 and 147:
[55] Florian Hess, Nigel P. Smart,
Page 148:
[81] Palash Sarkar. Head: Hybrid en
show all

Identity-Based Encryption Protocols Using Bilinear Pairing

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?