
Constructing Efficient Certificate-based Encryption with Paring


JOURNAL OF COMPUTERS, VOL. 4, NO. 1, JANUARY 2009 21

These queries may be asked adaptively, that is, they may depend on the answers to previous queries.

Challenge. On challenge query < ch , $id_{ch}$, $pk_{ch}$, $sk_{ch}$, $M_0$, $M_1$ >, where $M_0, M_1 \in$ MSPC are of equal length, checks that $id_{ch}$ , is a valid key-pair and < ch , $id_{ch}$, $pk_{ch}$, $sk_{ch}$ > was not the subject of a certification query in phase 1. If so, it picks a random bit $b \in \{0, 1\}$, encrypts $M_b$ under the challenge public key $pk_{ch}$ and sends the resulting ciphertext $C^*$ to 1 ; else it returns .

Phase 2. As in phase 1, with the restriction that < ch , $id_{ch}$, $pk_{ch}$, $sk_{ch}$, $C^*$ > is not the subject of a decryption query and < ch , $id_{ch}$, $pk_{ch}$, $sk_{ch}$ > is not the subject of a certification query.

Guess. The adversary 1 outputs a guess $b' \in \{0, 1\}$ and wins the game if $b = b'$. 1 's advantage in this game is defined to be Adv( 1 ) := $|2\Pr[b = b'] - 1|$.

Game 2: runs Setup algorithm, gives params and $sk_{CA}$ to the adversary 2 . then runs SetKeyPair to obtain a key-pair and gives $pk_{ch}$ to 2 .

Phase 1. 2 issues a series of decryption queries of the form . On this query, checks that id. If so, it runs Certify on input to obtain $Cert_{id,}$ and outputs Dec($Cert_{id,}$ , $sk_{ch}$, $C$); else it returns . These queries may be asked adaptively.

Challenge. On challenge query < ch , $id_{ch}$, $M_0$, $M_1$ >, where $M_0, M_1 \in$ MSPC are of equal length, checks that $id_{ch}$ . If so, it picks a random bit $b \in \{0, 1\}$, encrypts $M_b$ under the challenge public key $pk_{ch}$ and sends the resulting ciphertext $C^*$ to 2 ; else it returns .

Phase 2. As in phase 1, with the restriction that < ch , $id_{ch}$, $C^*$ > is not the subject of a decryption query.

Guess. 2 outputs a guess $b' \in \{0, 1\}$ and wins the game if $b = b'$. 2 's advantage in this game is defined to be Adv( 2 ) := $|2\Pr[b = b'] - 1|$.

Definition 2.
A CBE scheme is secure against adaptive chosen ciphertext attacks (or IND-CBE-CCA) if no polynomial-time adversary has non-negligible advantage in either Game 1 or Game 2.

Similarly, we can define the weak security notion IND-CBE-CPA for CBE schemes, in which the adversaries are disallowed to issue any decryption queries.

IV. AN EFFICIENT CBE SCHEME

In this section, we first build a basic CBE scheme called BasicCBE which is IND-CBE-CPA secure. Then we extend BasicCBE to an IND-CBE-CCA secure CBE scheme called FullCBE by using a security enhancing transformation introduced in [11].

A. BasicCBE

The scheme BasicCBE consists of the following five polynomial time algorithms:

Setup: Given a security parameter $k \in Z^+$, the parameter generator takes the following steps:

1. Generate three cyclic groups $G_1$, $G_2$ and $G_T$ of prime order $q$, an isomorphism from $G_2$ to $G_1$, and a bilinear pairing map $e: G_1 \times G_2 \to G_T$. Pick a random generator $P_2 \in G_2$ and set $P_1 = \ (P_2)$.
2. Pick a random $s \in Z_q^*$ and compute $P_{pub} = sP_1$.
3. Compute $g = e(P_1, P_2)$.
4. Pick two hash functions $H_1: \{0,1\}^* \to Z_q^*$ and $H_2: G_T \times G_T \to \{0,1\}^n$ for some integer $n > 0$.

The message space is $\{0,1\}^n$. The ciphertext space is $G_1^* \times \{0,1\}^n$. The system parameters are params = $\{q, G_1, G_2, G_T, \ , e, n, P_1, P_2, g, P_{pub}, H_1, H_2\}$. The certifier's master key is $s$.

SetKeyPair: This algorithm picks a random $x \in Z_q^*$ as a user's private key $SK$ and sets the corresponding public key as $PK = g^x$.

Certify: On input , this algorithm outputs

$$Cert_{id,} = \frac{1}{H_1(\ \| id \| PK) + s} P_2.$$

Enc: On input , this algorithm performs the following steps:

1. Check that $PK$ is in $G_2$, if not output . This checks the validity of the public key.
2. Compute $Q_{id} = H_1(\ \| id \| PK) P_1 + P_{pub}$.
3. Pick a random $r \in Z_q^*$ and compute the ciphertext $C = \langle U, V \rangle = \langle rQ_{id},\ M \oplus H_2(g^r, PK^r) \rangle$.

Dec: On input , this algorithm computes the plaintext

$$M = V \oplus H_2\big(e(U, Cert_{id,}),\ e(U, Cert_{id,})^{SK}\big).$$

In the above construction, the certificates are short signatures computed using a signature scheme considered in [28].
As proven in Theorem 3 of [28], this signature scheme is existentially unforgeable under chosen-message attack [27] in the random oracle model, provided that the k-sCCA1 assumption is sound in $G_2$.

The consistency of the construction is easy to check as we have

$$e(U, Cert_{id,}) = e\Big(r\big(H_1(\ \| id \| PK) P_1 + P_{pub}\big),\ \frac{1}{H_1(\ \| id \| PK) + s} P_2\Big) = e(P_1, P_2)^r = g^r.$$

B. FullCBE

The scheme FullCBE consists of the following five polynomial time algorithms:

Setup: As in the BasicCBE. In addition, we select two hash functions $H_3: \{0,1\}^* \to Z_q^*$ and $H_4: \{0,1\}^n \to \{0,1\}^n$. Now, the message space is $\{0,1\}^n$ and the ciphertext space is $G_1^* \times \{0,1\}^{n+k_0}$ for some integer $k_0 > 0$.

SetKeyPair: As in the scheme BasicCBE.

Certify: As in the scheme BasicCBE.

© 2009 ACADEMY PUBLISHER
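The BasicCBE algorithms and their consistency equation can be exercised in a toy model; the following Python is an added example, not code from the paper. Assumptions: every group element is stored as its discrete logarithm mod q (so the pairing is plain multiplication and nothing is hidden), `tag` stands for the first input to $H_1$ whose symbol is missing in this copy, and `Q`, `N`, the SHA-256 instantiation of the hashes and the `None` rejection value are constructed for the illustration.

```python
import hashlib, secrets

# Toy model, NOT secure: aP1, bP2 and g^c are stored as their exponents mod Q,
# so the pairing e(aP1, bP2) = g^(ab) is multiplication mod Q (P1 = P2 = g = 1).
Q = 2**127 - 1   # prime group order q (constructed value)
N = 16           # message length n, in bytes (constructed value)

def rand_zq():                      # random element of Z_q^*
    return secrets.randbelow(Q - 1) + 1

def pairing(a, b):                  # e: G1 x G2 -> GT
    return a * b % Q

def H1(tag, ident, pk):             # H1: {0,1}^* -> Z_q^*
    d = hashlib.sha256(b"H1" + repr((tag, ident, pk)).encode()).digest()
    return int.from_bytes(d, "big") % (Q - 1) + 1

def H2(a, b):                       # H2: GT x GT -> {0,1}^n
    return hashlib.sha256(b"H2" + repr((a, b)).encode()).digest()[:N]

def setup():                        # returns (P_pub, master key s)
    s = rand_zq()
    return s, s                     # P_pub = s*P1, and P1 is stored as 1

def set_key_pair():                 # returns (SK, PK)
    x = rand_zq()
    return x, x                     # PK = g^x, stored as its exponent x

def certify(s, tag, ident, pk):     # Cert = 1/(H1(tag||id||PK) + s) * P2
    h = H1(tag, ident, pk)
    if (h + s) % Q == 0:
        raise ValueError("H1 + s = 0 mod q: no certificate exists")
    return pow(h + s, -1, Q)

def enc(p_pub, tag, ident, pk, msg):
    if not 0 < pk < Q:              # step 1: reject an invalid public key
        return None
    if len(msg) != N:
        raise ValueError("message must be exactly N bytes")
    q_id = (H1(tag, ident, pk) + p_pub) % Q        # Q_id = H1(...)P1 + P_pub
    r = rand_zq()
    mask = H2(r, pk * r % Q)                       # H2(g^r, PK^r)
    return r * q_id % Q, bytes(m ^ k for m, k in zip(msg, mask))   # (U, V)

def dec(cert, sk, ct):
    u, v = ct
    t = pairing(u, cert)            # = g^r only when cert matches (tag, id, PK)
    return bytes(c ^ k for c, k in zip(v, H2(t, t * sk % Q)))
```

Decrypting with a certificate issued for a different identity or tag, or with a different private key, produces a different mask and therefore not the message, which is the property that lets the certificate act as a second decryption key.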
