Cryptography Reference
In-Depth Information
a
(
q
+1)-BDHI
adversary
B
with the following properties:
B
runs in time at
most
τ
, plus the time to perform
O
(
Q
d
log
p
)
group operations and some minor
bookkeeping; moreover,
1
−
Adv-2BDHI
A
.
2
Q
d
p
Adv-BDHI
B
≥
Proof.
The (
q
+ 1)-BDHI adversary
B
works as follows, given a (
q
+1)-BDHI
challenge instance,
∈
Z
p
at random and generate the
twin BDHI challenge instance as showed in Theorem 2.3. Second,
B
randomly chooses
a, b, c
B
processes
each decision query using the trapdoor test. Finally, when
A
outputs (
T
x
,T
y
)
to
outputs
T
x
as its solution to the BDHI challenge. Provided the oracle
simulation is perfect, and adversary
B
,
B
's view is identical to its view in the real
environment. It remains to calculate the accuracy of the trapdoor test. Note that
the probability of the trapdoor test returning a wrong decision result for a query
is at most 2
/p
, and this happens at most
Q
d
times. Therefore the trapdoor test
can simulate the decision oracle perfectly with probability at least 1
A
−
2
Q
d
/p
.
This proves the result we desire.
We remark that the above result also holds when the
q
-BDHI problem and the
twin
q
-BDHI problem are constructed in asymmetric pairing groups. In the next
two sections, we present a variant of SK-IBE [11, 22] and a variant of SK-ID-
KEM [12] respectively. The related security notions of IBE and ID-KEM will be
shown in Appendix A.
3
Twin SK-IBE
In this section, we apply the twinning technique to SK-IBE [11], to yield the
twin SK-IBE scheme, which works as follows:
Setup.
The system parameters are generated as follows:
1. Pick two random generators
g
1
,g
2
∈
G
∗
.
2. Pick two random element
s
1
,s
2
∈
Z
p
and set
u
1
=
g
s
1
1
and
u
2
=
g
s
2
.
3. Pick four cryptographic hash functions
H
1
:
}
∗
→
Z
p
,
H
2
:
{
0
,
1
G
T
×
G
T
→
n
n
n
→
Z
p
×
Z
p
{
0
,
1
}
for some for some integer
n>
0,
H
3
:
{
0
,
1
}
×{
0
,
1
}
n
n
.
and
H
4
:
{
0
,
1
}
→{
0
,
1
}
n
. The ciphertext space is
2
n
The message space is
M
=
{
0
,
1
}
C
=
G
×{
0
,
1
}
×
n
. The master public key
mpk
and the master secret key
msk
are given by
{
0
,
1
}
mpk
=(
g
1
,g
2
,u
1
,u
2
)
,msk
=(
s
1
,s
2
)
.
}
∗
is generated as follows:
Extract.
The private key for identity
ID
∈{
0
,
1
d
ID
=(
d
1
,d
2
)=
g
1
,g
1
s
1
+
H
1
(ID)
1
s
2
+
H
1
(ID)
2
Search WWH ::
Custom Search