Download Full Issue in PDF - Academy Publisher
1622 JOURNAL OF COMPUTERS, VOL. 8, NO. 6, JUNE 2013
sets $rk_{ID \to ID'} = x$ and returns it to A. He computes
$$w = \frac{(g^{H_1(ID)} h)^{x}}{(g^{H_1(ID)} h)}$$
and sends it to the proxy. We observe that
$$rk_1 = \frac{\alpha ID' + t_2 + k_1}{k_3(\alpha ID + t_2)} + k_2$$
but from the simulation, $\alpha = a$ and $t_2 = \alpha' - aID^*$, so we can get
$$rk_1 = \frac{aID' + \alpha' - aID^* + k_1}{k_3(aID + \alpha' - aID^*)} + k_2$$
Let $rk_1 = x$, we can get
$$k_1 = k_3(aID + \alpha' - aID^*)(x - k_2) - (aID' + \alpha' - aID^*)$$
$$= [k_3(x - k_2)a(ID - ID^*) - a(ID' - ID^*)] + k_3\alpha'(x - k_2) - \alpha'$$
So the challenger B simulates as follows. He randomly chooses $k_2, k_3 \in Z_p^*$, sets
$$x = \frac{ID' - ID^*}{k_3(ID - ID^*)} + k_2, \qquad k_1 = \alpha'\left(\frac{ID' - ID^*}{ID - ID^*}\right) - \alpha'$$
searches in User-key-list for item $(ID', \alpha', r, r')$ (we assume
$$sk_{ID'} = (d_0, d_1, d'_0) = \left(g_2^{\frac{-\alpha'}{ID' - ID^*}}(g_1^{(ID' - ID^*)} g^{a})^{r},\; g_2^{\frac{-1}{ID' - ID^*}} g^{r},\; g_2^{\frac{-\alpha'}{ID' - ID^*}}(g_1^{(ID' - ID^*)} g^{a})^{r'}\right)$$
) and computes
$$rk_1 = \frac{ID' - ID^*}{k_3(ID - ID^*)} + k_2,$$
$$rk_2 = g_2^{\frac{-k_3}{ID' - ID^*}} g^{k_3 r'},$$
$$rk_3 = g_2^{\frac{-k_2 k_3}{ID' - ID^*}} g^{k_2 k_3 r'},$$
$$rk_4 = g_2^{\frac{\alpha'\left(\frac{ID' - ID^*}{ID - ID^*}\right) - \alpha'}{ID' - ID^*}} g^{\left(\alpha'\left(\frac{ID' - ID^*}{ID - ID^*}\right) - \alpha'\right) r'}$$
returns them to A. We can see
$$\frac{C'_3\, e(rk_2, C'_4)}{e(C'_2, rk_3)\, e(C'_1, rk_4)\, e(d'_0, C'_1)}$$
can be reduced to
$$\frac{M e(g_1, g_2)^{r}}{e(g_2^{\alpha}, g^{r})} = M$$
Thus our simulation is indistinguishable from the real algorithm running.
• “A issues up to re-encryption queries on $(C_{ID}, ID, ID')$”. The challenger B runs $ReEnc(rk_{ID \to ID'}, C_{ID}, ID, ID')$ and returns the results.
4) Challenge: When A decides that Phase 1 is over, it outputs two messages $M_0, M_1 \in G$. Algorithm B picks a random bit $b$ and responds with the ciphertext $C = (g^{c}, (g^{\alpha'})^{c}, M_b \cdot T)$. Hence if $T = e(g, g)^{abc} = e(g_1, g_2)^{c}$, then $C$ is a valid encryption of $M_b$ under $ID^*$. Otherwise, $C$ is independent of $b$ in the adversary’s view.
5) Phase 2: A issues queries as he does in Phase 1, subject to the natural constraints.
6) Guess: Finally, A outputs a guess $b' \in \{0, 1\}$. Algorithm B concludes its own game by outputting a guess as follows. If $b = b'$, then B outputs 1, meaning $T = e(g, g)^{abc}$. Otherwise it outputs 0, meaning $T \neq e(g, g)^{abc}$.
When $T = e(g, g)^{abc}$, A’s advantage in breaking the scheme is the same as B’s advantage in solving the DBDH problem.
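The rekey-generation step of the simulation above can be checked numerically. The following Python sketch is an added example, not code from the paper: it confirms that the $(x, k_1)$ chosen by B without knowledge of $a$ satisfies the real formula for $rk_1$ once $\alpha = a$ and $t_2 = \alpha' - aID^*$ are substituted. The modulus `P` and all function names are assumptions made for the illustration.

```python
import secrets

# Constructed toy prime standing in for the group order p (assumption: the
# paper fixes no concrete parameters). All arithmetic is in Z_p.
P = 2**127 - 1

def inv(v):
    """Modular inverse in Z_p; raises on 0 so an undefined key is not hidden."""
    if v % P == 0:
        raise ZeroDivisionError("denominator is 0 mod p")
    return pow(v, -1, P)

def real_rk1(alpha, t2, k1, k2, k3, ID, ID_p):
    """rk_1 = (alpha*ID' + t2 + k1) / (k3*(alpha*ID + t2)) + k2, the real formula."""
    return ((alpha * ID_p + t2 + k1) * inv(k3 * (alpha * ID + t2)) + k2) % P

def simulate_rk1(alpha_p, k2, k3, ID, ID_p, ID_star):
    """B's choice of (x, k1). There is no parameter a: B never learns it."""
    ratio = (ID_p - ID_star) * inv(ID - ID_star)
    x = (ratio * inv(k3) + k2) % P          # x = (ID'-ID*)/(k3(ID-ID*)) + k2
    k1 = (alpha_p * ratio - alpha_p) % P    # k1 = alpha'(ID'-ID*)/(ID-ID*) - alpha'
    return x, k1

def check_once():
    """One random trial: does the real rk_1 equal the simulated x?"""
    rnd = lambda: secrets.randbelow(P - 1) + 1   # uniform in Z_p^*
    a, alpha_p, k2, k3 = rnd(), rnd(), rnd(), rnd()
    ID_star, ID, ID_p = rnd(), rnd(), rnd()
    if ID == ID_star:
        return True   # skipped: the simulator divides by ID - ID*
    x, k1 = simulate_rk1(alpha_p, k2, k3, ID, ID_p, ID_star)
    t2 = (alpha_p - a * ID_star) % P             # t_2 = alpha' - a*ID*
    try:
        return real_rk1(a, t2, k1, k2, k3, ID, ID_p) == x
    except ZeroDivisionError:
        return True   # skipped: a*ID + t2 = 0 mod p, real key undefined
```

Because `simulate_rk1` never receives `a`, the same simulated pair must match the real formula for every value of `a`; that is the cancellation the derivation relies on.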
Theorem 2: Suppose the DBDH assumption holds, then our scheme proposed in Section III-C is DGE-IBE-IND-sID-CPA secure for the delegator and proxy’s colluding.
Proof: The security proof is same as the above theorem except that it does not allow “A issues up to rekey generation queries on $(ID, ID^*)$”, for B does not know the private key corresponding to $ID^*$.
Theorem 3: Suppose the DBDH assumption holds, then our scheme proposed in Section III-C is PKG-OW secure for the delegator, delegatee and proxy’s colluding.
Proof: We just give the intuition for this theorem. The master-key is $g_2^{\alpha}$, and delegator’s private key is
$$sk_{ID} = (g_2^{\alpha}(g_1^{ID} h)^{u_0},\; g^{u_0},\; g_2^{\alpha}(g_1^{ID} h)^{u_1}),$$
the delegatee’s private key is
$$sk_{ID'} = (g_2^{\alpha}(g_1^{ID'} h)^{u_0},\; g^{u_0},\; g_2^{\alpha}(g_1^{ID'} h)^{u_1}),$$
the proxy re-encryption key is
$$rk_{ID \to ID'} = \left(\frac{\alpha ID' + t_2 + k_1}{k_3(\alpha ID + t_2)} + k_2,\; g^{u'_1 k_3},\; g^{u'_1 k_2 k_3},\; g^{u'_1 k_1}\right).$$
Because the re-encryption key $rk_{ID \to ID'}$ is uniformly distributed in $(Z_p^*, G, G, G)$, and the original BB$_1$ IBE is secure, we can conclude that $g_2^{\alpha}$ cannot be disclosed by the proxy, delegatee and delegator’s colluding.
E. Toward Chosen Ciphertext Security
As we all know, considering only IND-sID-CPA security is not enough for many applications. We consider constructing an IND-Pr-ID-CCA secure IBPRE based on a variant of BB$_1$ IBE. There are two ways to construct an IND-Pr-ID-CCA secure IBPRE. One way is to apply the CHK transformation to a hierarchical variant of BB$_1$ IBE to get an IND-Pr-sID-CCA secure IBPRE or an IND-Pr-IDKEM-CCA secure IBPRE. The other way is to consider a variant of BB$_1$ IBE in the random oracle model. From a practical viewpoint, we construct an IND-Pr-ID-CCA secure IBPRE based on a variant of BB$_1$ IBE in the random oracle model.
F. Our Proposed IND-Pr-ID-CCA Secure IBPRE Scheme Based on a Variant of BB$_1$ IBE
Let $G$ be a bilinear group of prime order $p$ (the security parameter determines the size of $G$). Let $e : G \times G \to G_1$ be the bilinear map. Identities are represented using distinct arbitrary bit strings in $\{0, 1\}^{l}$. The messages (or
© 2013 ACADEMY PUBLISHER