Identity-Based Encryption Protocols Using Bilinear Pairing
Identity-Based Encryption Protocols Using Bilinear Pairing
Identity-Based Encryption Protocols Using Bilinear Pairing
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
=<br />
=<br />
=<br />
[ h ∗<br />
1 ∧<br />
Pr<br />
(1 + µ l ) h∗<br />
1<br />
(1 + µ l ) h∗ Pr<br />
1<br />
(m(1 + µ l )) h∗<br />
j=1<br />
[ h ∗<br />
∧<br />
j=1<br />
(<br />
µl<br />
)]<br />
∨<br />
A j,i<br />
i=0<br />
(L j (v j ) = 0)<br />
]<br />
The last equality follows from Proposition 6.3.1.<br />
Now we turn to bounding Pr[¬E i |C]. For simplicity of notation, we will drop the subscript<br />
i from E i and consider the event E that the simulator does not abort on a particular key<br />
extraction query on an identity (v 1 , . . . , v j ). By the simulation, the event ¬E implies that<br />
L i (v i ) = 0 for all 1 ≤ i ≤ j. This holds even when the event is conditioned under C. Thus,<br />
we have Pr[¬E|C] ≤ Pr[∧ j i=1 L i(v i ) = 0|C]. The number of components in the challenge<br />
identity is h ∗ and now two cases can happen:<br />
j ≤ h ∗ : By the protocol constraint (a prefix of the challenge identity cannot be queried to<br />
the key extraction oracle), we must have a θ with 1 ≤ θ ≤ j such that v θ ≠ vθ ∗.<br />
j > h ∗ : In this case, we choose θ = h ∗ + 1.<br />
Now we have<br />
[ j∧<br />
Pr[¬E|C] ≤ Pr L i (v i ) = 0|C<br />
i=1<br />
]<br />
≤ Pr[L θ (v θ ) = 0|C] = Pr<br />
[<br />
L θ (v θ ) = 0|<br />
h ∗<br />
∧<br />
i=1<br />
L i (v ∗ i ) = 0<br />
]<br />
= 1/m.<br />
The last equality follows from an application of either Proposition 6.3.1. or Proposition 6.3.2.<br />
according as whether j > h ∗ or j ≤ h ∗ . Substituting this in the bound for Pr[abort] we obtain<br />
(<br />
)<br />
q∑<br />
Pr[abort] ≥ 1 − Pr [¬E i |C ] Pr[C].<br />
≥<br />
≥<br />
i=1<br />
(<br />
1 − q )<br />
m<br />
(<br />
1 − q )<br />
m<br />
1<br />
(m(µ l + 1)) h∗<br />
1<br />
(m(µ l + 1)) h<br />
≥ 1 2 × 1<br />
(2σ(µ l + 1)) h .<br />
We use h ≥ h ∗ and 2q ≤ σ < m < 2σ to obtain the inequalities. This completes the proof.<br />
6.4 Conclusion<br />
In this chapter, we have presented a construction of a HIBE which builds upon the previous<br />
IBE protocols. The HIBE is secure in the full model without random oracle. The number<br />
75