Identity-Based Encryption Protocols Using Bilinear Pairing
plays the security game $(h, n')$-$M_1$ with an adversary for $(h, n)$-$H_1$. The adversary executes the commitment stage; then the simulator sets up the HIBE based on the adversary's commitment as well as the DBDH instance. The simulator gives the public parameters to the adversary and continues the game by answering all queries made by the adversary. In the process, it randomly chooses a bit $\gamma$ and encrypts $M_\gamma$ using the DBDH instance provided as input. Finally, the adversary outputs $\gamma'$. Based on the value of $\gamma$ and $\gamma'$, the simulator decides whether the instance it received is real or random. Intuitively, if the adversary has an advantage in breaking the HIBE protocol, the simulator also has an advantage in distinguishing between real and random instances. This leads to an upper bound on the advantage of the adversary in terms of the advantage of the simulator in solving DBDH.

We want to prove $(h, n)$-$H_1$ secure in model $(h, n')$-$M_1$, where $1 \le n' \le n$. This means that the public parameters of the HIBE depend on $n$, while the adversary commits to a set $I^*$ of size $n'$ in the commit phase.

DBDH Instance: The simulator receives an instance $(P, P_1 = aP, P_2 = bP, Q = cP, Z)$ of DBDH.

The simulator now starts the security game for model $M_1$. This consists of several stages which we describe below. We will consider security against chosen plaintext attacks and hence the adversary will only have access to the key extraction oracle $O_k$.

Adversary's Commitment: The adversary commits to a set $I^*$ of size $n'$. The elements of $I^*$ are from $\mathbb{Z}_p$. We write $I^* = \{v_1^*, \ldots, v_{n'}^*\}$.

Set-Up:

Define a polynomial $F(x)$ in $\mathbb{Z}_p[x]$ as follows.

\begin{align}
F(x) &= (x - v_1^*) \cdots (x - v_{n'}^*) \tag{7.5.1} \\
     &= x^{n'} + a_{n'-1} x^{n'-1} + \cdots + a_1 x + a_0 \tag{7.5.2}
\end{align}

where the coefficients $a_i$ are in $\mathbb{Z}_p$ and are obtained from the values $\{v_1^*, \ldots, v_{n'}^*\}$. Since $F(x)$ is a polynomial of degree $n'$ over $\mathbb{Z}_p$ and $v_1^*, \ldots, v_{n'}^*$ are its $n'$ distinct roots, we have $F(y) \ne 0$ for any $y \in \mathbb{Z}_p \setminus \{v_1^*, \ldots, v_{n'}^*\}$. The coefficients of $F(x)$ depend on the adversary's input and one cannot assume any distribution on these values. Define $a_{n'} = 1$ and $a_n = a_{n-1} = \cdots = a_{n'+1} = 0$.

For $1 \le i \le h$, define another set of polynomials $J_i(x)$, each of degree $n$, in the following manner. Randomly choose $b_{0,1}, \ldots, b_{0,h}, b_1, \ldots, b_n$ from $\mathbb{Z}_p$. Define

$$J_i(x) = b_n x^n + b_{n-1} x^{n-1} + \cdots + b_1 x + b_{0,i} \tag{7.5.3}$$

The public parameters $P_{3,i}$'s and $Q_j$'s are defined in the following manner.

• For $1 \le i \le h$, define $P_{3,i} = a_0 P_2 + b_{0,i} P$.
• For $1 \le j \le n$, define $Q_j = a_j P_2 + b_j P$.