Identity-Based Encryption Protocols Using Bilinear Pairing
Identity-Based Encryption Protocols Using Bilinear Pairing
Identity-Based Encryption Protocols Using Bilinear Pairing
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
If h > 1, then we have proper HIBE. In this case, M 1 differs fundamentally from the<br />
sID model.<br />
1. In the sID model, the adversary is allowed to query O k on a permutation of the<br />
challenge identity. This is not allowed in M 1 .<br />
2. In the sID model, the length of the challenge identity is fixed by the adversary in the<br />
commit phase. On the other hand, in M 1 , the adversary is free to choose this length<br />
(to be between 1 and h) in the challenge stage itself.<br />
In the case of HIBE, model M 1 is no longer a strict generalization of the usual sID model<br />
for HIBE. We cannot restrict the parameters of the model M 1 in any manner and obtain<br />
the sID model for HIBE. Thus, in this case, M 1 must be considered to be a new model.<br />
Model M 2 :<br />
Let I ∗ 1, . . . , I ∗ u be sets and |I ∗ j | = n j for 1 ≤ j ≤ u. We set<br />
S 1 = S 2 = I ∗ 1 × · · · × I ∗ u.<br />
If the maximum depth of the HIBE is h, then 1 ≤ u ≤ h.<br />
In this model, for 1 ≤ j ≤ u, the adversary is not allowed to obtain a private key for an<br />
identity v = (v 1 , . . . , v j ) such that v i ∈ Ii<br />
∗ for all 1 ≤ i ≤ j. Further, the challenge identity<br />
is a tuple (v1, ∗ . . . , vu), ∗ with v i ∈ Ii<br />
∗ for all 1 ≤ i ≤ u. Like the sID model, the length of the<br />
challenge identity is fixed by the adversary in the commit phase.<br />
This model is a strict generalization of the sID model for HIBE. This can be seen by<br />
setting n 1 = · · · = n h = 1, i.e., setting I1, ∗ . . . , Ih ∗ to be singleton sets. On the other hand,<br />
M 2 and M 1 are not comparable due to at least two reasons.<br />
1. In M 1 , the length of the challenge identity can vary, while in M 2 , the length is fixed<br />
in the commit phase.<br />
2. In M 2 , it may be possible for the adversary to obtain the private key for a permutation<br />
of the challenge identity, which is not allowed in M 1 .<br />
These two reasons are similar to the reasons for the difference between sID and M 1 .<br />
Parametrizing the models: A HIBE may have a bound on the maximum number of<br />
levels that can be supported. The corresponding security model also has the same restriction.<br />
For example, a HIBE of at most h levels will be called h-sID secure if it is secure in the sID<br />
model. The models M 1 and M 2 have additional parameters.<br />
For the case of M 1 , there is a single parameter n, which specifies the size of I ∗ , the set<br />
which the adversary specifies in the commit phase. In this case, we will talk of (h, n)-M 1<br />
security for an HIBE. Similarly, for M 2 , we will talk of (h, n 1 , . . . , n h )-M 2 security. Note<br />
that (h, 1 . . . , 1)-M 2 model is same as the h-sID model.<br />
81