Identity-Based Encryption Protocols Using Bilinear Pairing

More documents

Recommendations

Info

Phase 2: The adversary issues additional queries just as in Phase 1 with the following restrictions. It cannot ask O d for the decryption of C ∗ under v ∗ ; cannot ask O k for the private key of any prefix of an identity in S 1 ; and cannot make any useless query. Guess: The adversary outputs a guess γ ′ of γ. The adversary’s success is measured as defined in Section 2.5 7.2.1 Full Model Suppose S 1 = ∅ and S 2 is the set of all identities. By the rules of the game, the adversary is not allowed to query O k on any identity in S 1 . Since S 1 is empty, this means that the adversary is actually allowed to query O k on any identity. Further, since S 2 is the set of all identities, in the challenge stage, the adversary is allowed to choose any identity. In effect, this means that the adversary does not really commit to anything before set-up and hence, in this case, the commitment stage can be done away with. This particular choice of S 1 and S 2 is called the full model (defined in Section 2.5 and is currently believed to be the most general notion of security for HIBE. Note that the challenge stage restrictions as well as the restrictions in Phase 2 still apply. 7.2.2 Selective-ID Model Let S 1 = S 2 be a singleton set. This means that the adversary commits to one particular identity; does not ask for a private key of any of its prefixes; and in the challenge phase is given the encryption of M γ under this particular identity. This model is significantly weaker than the full model and is called the selective-ID model (defined in Section 2.5.3. 7.2.3 New Security Models We introduce two new security models by suitably defining the sets S 1 and S 2 . In our new models, (as well as the sID model), we have S 1 = S 2 . (Note that in the full model, S 1 = S 2 .) Model M 1 : Let I ∗ be a set. Define S 1 = S 2 to be the set of all tuples (v 1 , . . . , v j ), such that each v i ∈ I ∗ . If the HIBE is of maximum depth h, then 1 ≤ j ≤ h. The length of the target identity tuple is not fixed by the adversary in the commit phase. Let us now see what this means. In the commit phase, the adversary commits to a set I ∗ ; never asks for a private key of an identity all of whose components are in I ∗ ; and during the challenge phase presents an identity all of whose components are in I ∗ . Consider the case of IBE, i.e., h = 1, which means that only single component identities are allowed. Then, we have S 1 = S 2 = I ∗ . Let |I ∗ | = n. If we put n = 1, then we obtain the sID model for IBE as discussed in Section 7.2.2. In other words, for IBE protocol, M 1 is a strict generalization of sID model. 80
If h > 1, then we have proper HIBE. In this case, M 1 differs fundamentally from the sID model. 1. In the sID model, the adversary is allowed to query O k on a permutation of the challenge identity. This is not allowed in M 1 . 2. In the sID model, the length of the challenge identity is fixed by the adversary in the commit phase. On the other hand, in M 1 , the adversary is free to choose this length (to be between 1 and h) in the challenge stage itself. In the case of HIBE, model M 1 is no longer a strict generalization of the usual sID model for HIBE. We cannot restrict the parameters of the model M 1 in any manner and obtain the sID model for HIBE. Thus, in this case, M 1 must be considered to be a new model. Model M 2 : Let I ∗ 1, . . . , I ∗ u be sets and |I ∗ j | = n j for 1 ≤ j ≤ u. We set S 1 = S 2 = I ∗ 1 × · · · × I ∗ u. If the maximum depth of the HIBE is h, then 1 ≤ u ≤ h. In this model, for 1 ≤ j ≤ u, the adversary is not allowed to obtain a private key for an identity v = (v 1 , . . . , v j ) such that v i ∈ Ii ∗ for all 1 ≤ i ≤ j. Further, the challenge identity is a tuple (v1, ∗ . . . , vu), ∗ with v i ∈ Ii ∗ for all 1 ≤ i ≤ u. Like the sID model, the length of the challenge identity is fixed by the adversary in the commit phase. This model is a strict generalization of the sID model for HIBE. This can be seen by setting n 1 = · · · = n h = 1, i.e., setting I1, ∗ . . . , Ih ∗ to be singleton sets. On the other hand, M 2 and M 1 are not comparable due to at least two reasons. 1. In M 1 , the length of the challenge identity can vary, while in M 2 , the length is fixed in the commit phase. 2. In M 2 , it may be possible for the adversary to obtain the private key for a permutation of the challenge identity, which is not allowed in M 1 . These two reasons are similar to the reasons for the difference between sID and M 1 . Parametrizing the models: A HIBE may have a bound on the maximum number of levels that can be supported. The corresponding security model also has the same restriction. For example, a HIBE of at most h levels will be called h-sID secure if it is secure in the sID model. The models M 1 and M 2 have additional parameters. For the case of M 1 , there is a single parameter n, which specifies the size of I ∗ , the set which the adversary specifies in the commit phase. In this case, we will talk of (h, n)-M 1 security for an HIBE. Similarly, for M 2 , we will talk of (h, n 1 , . . . , n h )-M 2 security. Note that (h, 1 . . . , 1)-M 2 model is same as the h-sID model. 81
Page 1:
Construction of (Hierarchical) Iden
Page 5:
The scientist does not study nature
Page 9 and 10:
Contents 1 Introduction 1 1.1 Plan
Page 11:
7.4.1 HIBE H 1 . . . . . . . . . .
Page 14 and 15:
the public key. In this setting, an
Page 16 and 17:
adversary in distinguishing two mes
Page 18 and 19:
previous chapter. The second varian
Page 20 and 21:
as it is closer to the known exampl
Page 22 and 23:
Let P i = a i P . An algorithm A ha
Page 24 and 25:
Given the security parameter κ, th
Page 26 and 27:
the Key-Gen algorithm and C is the
Page 28 and 29:
Phase 2: A now issues additional qu
Page 30 and 31:
Chapter 3 Previous Works in Identit
Page 32 and 33:
Decrypt: Decrypt C = 〈U, V 〉 us
Page 34 and 35:
Game 2 Suppose B is given a BDH pro
Page 36 and 37:
Security of BasicHIBE against chose
Page 38 and 39:
BB-HIBE Here individual components
Page 40 and 41:
F i (v ∗ i ) = α i P , so C =
Page 42 and 43: Key-Gen: Let v = (v 1 , . . . , v n
Page 44 and 45: Composite HIBE Boneh, Boyen and Goh
Page 46 and 47: Security Given an identity tuple v
Page 48 and 49: Chapter 4 Tate Pairing in General C
Page 50 and 51: order on the elliptic curve E(IF p
Page 52 and 53: the best result. In [57] the author
Page 54 and 55: Hence, we require 3[S] + 8[M] for E
Page 56 and 57: Algorithm 2 (iterated doubling): In
Page 58 and 59: Level 1 : t 1 = Y 2 1 ; t 4 = Z 2 1
Page 60 and 61: Table 4.1: Cost Comparison. Note 1[
Page 62 and 63: problem. - Our construction resembl
Page 64 and 65: is equal to c 2 |IF a | 3 . Thus, t
Page 66 and 67: aborts if F (v ∗ ) ≠ 0 and outp
Page 68 and 69: DBDH problem over (G 1 , G 2 , e) i
Page 70 and 71: these are respectively 2.4 kb and 2
Page 72 and 73: Signing: Let M = (m 1 , m 2 , . . .
Page 74 and 75: model without random oracles. Addit
Page 76 and 77: 6.2 Construction HIBE-spp The ident
Page 78 and 79: Table 6.1: Comparison of HIBE Proto
Page 80 and 81: For 1 ≤ j ≤ h, we define severa
Page 82 and 83: establish the claim. We provide the
Page 84 and 85: The probability is over the indepen
Page 86 and 87: = ≥ ( ( 1 − Pr 1 − [( q∨ i=
Page 88 and 89: of public parameters is significant
Page 90 and 91: to be I ∗ . It can then ask for t
Page 94 and 95: 7.3 Interpreting Security Models Th
Page 96 and 97: 7.4 Constructions We present severa
Page 98 and 99: 7.4.2 HIBE H 2 The description of H
Page 100 and 101: Since b 0,1 , . . . , b 0,h , b 1 ,
Page 102 and 103: For 1 ≤ i ≤ h, we have V i (y)
Page 104 and 105: 1. The encryption is converted into
Page 106 and 107: Chapter 8 Constant Size Ciphertext
Page 108 and 109: Let a private key for (v 1 , . . .
Page 110 and 111: Phase 1: Suppose a key extraction q
Page 112 and 113: = γ ( P 3 + ) u∑ V i . i=1 If th
Page 114 and 115: Encrypt: To encrypt a message M ∈
Page 116 and 117: and outputs a random bit if there i
Page 118 and 119: Chapter 9 Augmented Selective-ID Mo
Page 120 and 121: Phase 1 and Phase 2: As discussed i
Page 122 and 123: an adversary has to commit to an id
Page 124 and 125: Table 9.1: Comparison of BBG-HIBE a
Page 126 and 127: where ˜r = (r − αk F k ). Also
Page 128 and 129: The maximum height of the HIBE be h
Page 130 and 131: B declares the public parameters to
Page 132 and 133: So, the challenge ciphertext is ( C
Page 134 and 135: Choose a random r ∗ ∈ Z p and f
Page 136 and 137: The size of the private key in the
Page 138 and 139: generalisation and move on to addre
Page 140 and 141: Table 10.3: Comparison of HIBE prot
Page 142 and 143:
[9] Paulo S. L. M. Barreto, Ben Lyn
Page 144 and 145:
[31] Sanjit Chatterjee and Palash S
Page 146 and 147:
[55] Florian Hess, Nigel P. Smart,
Page 148:
[81] Palash Sarkar. Head: Hybrid en
show all

Identity-Based Encryption Protocols Using Bilinear Pairing

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?