Download Full Issue in PDF - Academy Publisher
JOURNAL OF COMPUTERS, VOL. 8, NO. 6, JUNE 2013 1623
session keys) are bit strings in $\{0,1\}^l$ of some fixed length $l$. We require the availability of five hash functions viewed as random oracles:
• A hash function $H_1 : \{0,1\}^* \to \mathbb{Z}_q^*$;
• A hash function $H_2 : G_1 \times \{0,1\}^l \to G$;
• A hash function $H_3 : G_1 \to \{0,1\}^l$;
• A hash function $H_4 : \{0,1\}^* \times G \times G \times G \times \{0,1\}^l \to G$;
1) SetUp. To generate IBE system parameters, first select three integers $\alpha, \beta, \gamma \in \mathbb{Z}_p$ at random. Set $g_1 = g^{\alpha}$, $g_2 = g^{t_1}$ and $h = g^{t_2}$ in $G$, and compute $v_0 = e(g, g)^{\alpha\beta}$. The public system parameters params and the masterkey are given by:
$$\mathit{params} = (g, g_1, g_3, v_0), \quad \mathit{masterkey} = (\alpha, \beta, \gamma).$$
Strictly speaking, the generator need not be kept secret, but since it will be used exclusively by the authority, it can be retained in masterkey rather than published in params.
2) Extract. To generate a private key $d_{ID}$ for an identity $ID \in \{0,1\}^*$, using the masterkey, the PKG picks random $s_0, s_1 \in \mathbb{Z}_p^*$, chooses a hash function $\tilde{H} : \mathbb{Z}_p^* \times \{0,1\}^* \to \mathbb{Z}_p^*$ and computes $u_0 = \tilde{H}(s_0, ID)$, $u_1 = \tilde{H}(s_1, ID)$. It outputs:
$$d_{ID} = (d_0, d_1) = \left(g_2^{\alpha}\,(g_1^{H_2(ID)} h)^{u_0},\; g^{u_0},\; g_2^{\alpha}\,(g_1^{H_2(ID)} h)^{u_1}\right).$$
The PKG preserves $(s_0, s_1)$.
3) Encrypt. To encrypt a message $M \in \{0,1\}^l$ for a recipient $\{0,1\}^*$, the sender chooses a random $\delta \in G$ and computes $s = H_2(\delta, M)$, $k = v_0^{s}$, $C_1 = g^{s}$, $C_2 = h^{s} g_1^{H_1(ID)s}$, $C_3 = \delta \cdot k$, $C_4 = M \oplus H_3(\delta)$, $C_5 = H_4(ID \,\|\, C_1 \,\|\, C_2 \,\|\, C_3 \,\|\, C_4)^{s}$, and then outputs $C = (C_1, C_2, C_3, C_4, C_5)$.
4) ReKeyGen. The PKG computes $u'_1 = \tilde{H}(s_1, ID')$, randomly selects $k_1, k_2, k_3 \in \mathbb{Z}_p^*$, sets
$$rk_{ID \to ID'} = \left(\frac{\alpha H_1(ID') + t_2 + k_1}{k_3(\alpha H_1(ID) + t_2)} + k_2,\; g^{u'_1 k_3},\; g^{u'_1 k_2 k_3},\; g^{u'_1 k_1}\right)$$
and sends it to the proxy via a secure channel. We must note that the PKG computes a different $(k_1, k_2, k_3)$ for every different user pair $(ID, ID')$.
5) ReEnc. Given the identities $(ID, ID')$,
$$rk_{ID \to ID'} = (rk_1, rk_2, rk_3, rk_4) = \left(\frac{\alpha H_1(ID') + t_2 + k_1}{k_3(\alpha H_1(ID) + t_2)} + k_2,\; g^{u'_1 k_3},\; g^{u'_1 k_2 k_3},\; g^{u'_1 k_1}\right),$$
$C_{ID} = (C_1, C_2, C_3, C_4, C_5)$ with params, the proxy re-encrypts the ciphertext $C_{ID}$ into $C_{ID'}$ as follows.
a) First it computes $v_0 = e(C_5, g)$ and $v_1 = e(H_4(ID \,\|\, C_1 \,\|\, C_2 \,\|\, C_3 \,\|\, C_4), C_1)$. If $v_0 \neq v_1$, the ciphertext is rejected.
b) Otherwise it computes $C_{ID'} = (C'_1, C'_2, C'_3, C'_4, C'_5, C'_6, C'_7, C'_8) = (C_1, C_2, C_3, C_2^{rk_1}, rk_2, rk_3, rk_4, C_4)$.
6) Decrypt.
a) To decrypt a normal ciphertext $C = (C_1, C_2, C_3, C_4, C_5)$ using the private key $d_{ID} = (d_0, d_1, d'_0)$, it computes $v_0 = e(C_5, g)$ and $v_1 = e(H_4(ID \,\|\, C_1 \,\|\, C_2 \,\|\, C_3 \,\|\, C_4), C_1)$. If $v_0 \neq v_1$, the ciphertext is rejected. The recipient computes $k = \frac{e(C_1, d_0)}{e(C_2, d_1)}$. It then computes $\delta = \frac{C_3}{k}$, $M = H_4(\delta) \oplus C_4$. It computes $s' = H_2(\delta, M)$ and verifies that $C_1 = g^{s'}$, $C_2 = h^{s'} g_1^{H_1(ID)s'}$; if either check fails, returns ⊥, otherwise returns $M$.
b) To decrypt a re-encrypted ciphertext $C_{ID'} = (C'_1, C'_2, C'_3, C'_4, C'_5, C'_6, C'_7, C'_8)$ using the private key $d_{ID} = (d_0, d_1, d'_0)$, the recipient computes
$$k = \frac{C'_3\, e(C'_5, C'_4)}{e(C'_2, C'_6)\, e(C'_1, C'_7)\, e(d'_0, C'_1)} = \frac{C'_3\, e(rk_2, C'_4)}{e(C'_2, rk_3)\, e(C'_1, rk_4)\, e(d'_0, C'_1)}.$$
It then computes $\delta = \frac{C_3}{k}$, $M = H_3(\delta) \oplus C'_8$. It computes $s' = H(\delta, M)$ and verifies that $C_1 = g^{s'}$, $C_2 = h^{s'} g_1^{H_1(ID)s'}$; if either check fails, returns ⊥, otherwise returns $M$.
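The well-formedness check that the proxy runs in ReEnc step a) and the recipient repeats in Decrypt step a) can be exercised in a toy model. This is an added example, not code from the paper: it assumes group elements are stored as their discrete logs modulo a constructed prime `Q`, SHA-256 stands in for the random oracles, and $\delta$ is taken from the target group so that $C_3 = \delta \cdot k$ is defined.

```python
import hashlib
import secrets

Q = 2**127 - 1   # constructed prime group order (toy size)
L = 128          # message length l in bits

# Toy model (assumption): g^x in G is stored as x mod Q and e(g,g)^y in the
# target group as y mod Q. Discrete logs are exposed, so this checks the
# algebra of the scheme only and offers no security.
def pair(x, y):
    """e(g^x, g^y) = e(g,g)^(xy)."""
    return x * y % Q

def oracle(tag, *parts):
    """SHA-256 stand-in for H1, H2, H4: maps the inputs into [1, Q-1]."""
    data = "|".join([tag, *map(str, parts)]).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % (Q - 1) + 1

def h3(delta):
    """Stand-in for H3: an l-bit mask derived from delta."""
    return int.from_bytes(hashlib.sha256(f"H3|{delta}".encode()).digest(), "big") % 2**L

def setup():
    # h is included because Encrypt on the page uses it (h = g^t2).
    alpha, beta, t2 = (secrets.randbelow(Q - 1) + 1 for _ in range(3))
    return {"g": 1, "g1": alpha, "h": t2, "v0": alpha * beta % Q}

def encrypt(params, ident, m):
    delta = secrets.randbelow(Q - 1) + 1               # random delta (target group)
    s = oracle("H2", delta, m)                         # s = H2(delta, M)
    k = params["v0"] * s % Q                           # k = v0^s
    c1 = params["g"] * s % Q                           # C1 = g^s
    c2 = (params["h"] + params["g1"] * oracle("H1", ident)) * s % Q  # C2 = h^s g1^(H1(ID)s)
    c3 = (delta + k) % Q                               # C3 = delta * k (exponents add)
    c4 = m ^ h3(delta)                                 # C4 = M xor H3(delta)
    c5 = oracle("H4", ident, c1, c2, c3, c4) * s % Q   # C5 = H4(ID||C1..C4)^s
    return (c1, c2, c3, c4, c5)

def is_well_formed(params, ident, c):
    """Check e(C5, g) == e(H4(ID||C1||C2||C3||C4), C1) using public values only."""
    c1, c2, c3, c4, c5 = c
    v0 = pair(c5, params["g"])
    v1 = pair(oracle("H4", ident, c1, c2, c3, c4), c1)
    return v0 == v1
```

The check needs no secret key, which is what lets the proxy drop a modified ciphertext, or one presented under a different identity, before applying the re-encryption key.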
G. Security Analysis
Theorem 4: Suppose the DBDH assumption holds, then our scheme proposed in Section III-F is DGA-IBE-IND-ID-CCA secure for the proxy and delegatee’s colluding.
Proof: Let A be a p.p.t. algorithm that has non-negligible advantage in attacking the scheme proposed in Section III-F. We use A in order to construct a second algorithm B which has non-negligible advantage at solving the DBDH problem in $G$. Algorithm B accepts as input a properly-distributed tuple $(g, g^a, g^b, g^c, R)$ and outputs 1 if $R = e(g, g)^{abc}$. We now describe the algorithm B, which interacts with algorithm A as follows.
B simulates the random oracles $H_1, H_2, H_3, H_4$ as follows.
1) $H_1 : \{0,1\}^* \to \mathbb{Z}_q^*$. On receipt of a new query for $ID \neq ID^*$, return $t \leftarrow_R \mathbb{Z}_q^*$ and record $(ID, t)$; on receipt of a new query for $ID^*$, select randomly $T \in \mathbb{Z}_q^*$, return $T$ and record $(ID^*, T)$.
2) $H_2 : G_1 \times \{0,1\}^l \to \mathbb{Z}_q^*$. On a new query $(\delta, M)$, return $s \leftarrow_R G$ and record $(\delta, M, s)$.
3) $H_3 : G_1 \to \{0,1\}^l$. On receipt of a new query $\delta$, select $p \leftarrow \{0,1\}^l$ and return $p$. Record the tuple $(\delta, p)$.
4) $H_4 : \{0,1\}^* \times G \times G \times G \times \{0,1\}^l \to G$. On receipt of a new query $(ID \,\|\, C_1 \,\|\, C_2 \,\|\, C_3 \,\|\, C_4)$, select $z \in \mathbb{Z}_q^*$ and return $g^z \in G$, record $(ID \,\|\, C_1 \,\|\, C_2 \,\|\, C_3 \,\|\, C_4,\; z,\; g^z)$.
Our simulation proceeds as follows:
1) Setup. B generates the scheme’s master parameter as follows. First it lets $g_1 = g^a$, $g_2 = g^b$, $g_3 = g^c$; algorithm B picks $\alpha \in \mathbb{Z}_p$ at random and defines $h = g_1^{-T} g^{\alpha'} \in G$. B lets $\mathit{params} = (G_1, H_1, H_2, H_3, H_4, g, g_1, g_2, g_3, h)$ and gives params to A.
2) Find/Guess. During the Find stage, there are no restrictions on which queries A may issue. The scheme permits only a single consecutive re-encryption, therefore, during the GUESS stage, A is restricted from issuing the following queries:
a) $(\mathit{extract}, ID^*)$ where $ID^*$ is the challenge identity.
© 2013 ACADEMY PUBLISHER