7.2 Waters IBE
7.2.1 Security
Security of Waters IBE against chosen plaintext attack is established through the following theorem.
Theorem 7.1. The Waters IBE protocol described in Section 7.2 is $(\varepsilon_{ibe}, t, q)$-CPA secure assuming that the $(\varepsilon_{dbdh}, t')$-DBDH assumption holds in $(G, G_T, e)$, where
$$\varepsilon_{ibe} \le 16nq\,\varepsilon_{dbdh},$$
$n$ is the bit-length of identities, $q$ is the maximum number of key extraction queries and $t' = t + O(\tau q)$; $\tau$ is the time required for one scalar multiplication in $G$.
We want to show that the Waters IBE is $(\varepsilon_{ibe}, t, q)$-CPA secure. This is established through the game-sequence style of proof discussed in Chapter 2. We start with the adversarial game defining the CPA-security of the protocol against an adversary $\mathcal{A}$ and then obtain a sequence of games. In each of the games, the simulator chooses a bit $\gamma$ and the adversary makes a guess $\gamma'$. By $X_i$ we denote the event that the bit $\gamma$ is equal to the bit $\gamma'$ in the $i$th game.
Game 0:
This is the usual adversarial game used in defining CPA-secure IBE. We assume that the adversary's runtime is $t$ and that it makes $q$ key extraction queries. Also, we assume that the adversary maximizes the advantage among all adversaries with similar resources. Thus, we have $\varepsilon_{ibe} = |\Pr[X_0] - 1/2|$.
Game 1:
Consider a tuple $(P, P_1 = aP, P_2 = bP, P_3 = cP, Z = e(P,P)^{abc})$ where $a$, $b$ and $c$ are chosen uniformly and independently at random from $\mathbb{Z}_p$. The simulator is assumed to know the values $a$, $b$ and $c$. But the simulator can set up the protocol as well as answer certain private key queries without the knowledge of these values. Also, for certain challenge identities it can generate the challenge ciphertext without the knowledge of $a$, $b$ and $c$. In the following, we show how this can be done. If the simulator cannot answer a key extraction query or generate a challenge without using the knowledge of $a$, $b$ and $c$, it sets a flag $\mathsf{flg}$ to one. The value of $\mathsf{flg}$ is initially set to zero.
Note that the simulator is always able to answer the adversary (with or without using $a$, $b$ and $c$). The adversary is provided with proper replies to all its queries and is also provided the proper challenge ciphertext. Thus, irrespective of whether $\mathsf{flg}$ is set to one, the adversary's view in Game 1 is the same as that in Game 0. Hence, we have $\Pr[X_0] = \Pr[X_1]$.
We next show how to set up the protocol and answer the queries based on the tuple $(P, P_1 = aP, P_2 = bP, P_3 = cP, Z = e(P,P)^{abc})$.
Set-Up: Let $m = 4q$. Choose $x', x_1, \ldots, x_n$ randomly from $\mathbb{Z}_m$ and $y', y_1, \ldots, y_n$ randomly from $\mathbb{Z}_p$. Choose $k$ randomly from $\{0, \ldots, n\}$. Now define
$$U' = (p - mk + x')P_2 + y'P \quad\text{and, for } 1 \le i \le n,\quad U_i = x_iP_2 + y_iP.$$
Set the public parameters of the IBE to be $(P, P_1, P_2, U', U_1, \ldots, U_n)$. The master secret is $aP_2 = abP$. In its attack, $\mathcal{A}$ will make some queries, which have to be properly answered by the simulator.
Let $v = (v_1, \ldots, v_n)$ be an $n$-bit string. We define the following functions:
$$\begin{aligned}
F(v) &= p - mk + x' + \sum_{i=1}^{n} x_i v_i, & J(v) &= y' + \sum_{i=1}^{n} y_i v_i,\\
L(v) &= x' + \sum_{i=1}^{n} x_i v_i \pmod m, & K(v) &= \begin{cases} 0 & \text{if } L(v) = 0,\\ 1 & \text{otherwise.}\end{cases}
\end{aligned} \tag{7.2.1}$$
Here $F(v)$ is computed over the integers; it is not reduced modulo $p$.
Let $F_{\min}$ and $F_{\max}$ be the minimum and maximum values of $F(v)$. $F_{\min}$ is achieved when $k$ is maximum and $x'$ and the $x_i$'s are all zero. Thus, $F_{\min} = p - mn > 0$ (for practical choices of $m$, $n$ and $p$). Similarly, $F_{\max}$ is achieved when $k = 0$ and $x'$, the $x_i$'s and the $v_i$'s are equal to their respective maximum values. We get $F_{\max} < p + m(n+1) < 2p$ (again for practical choices of $m$, $n$ and $p$, $m(n+1) < p$). Consequently, $F(v) \equiv 0 \pmod p$ if and only if $F(v) = p$, which holds if and only if $x' + \sum_{i=1}^{n} x_i v_i = mk$.
Now we describe how the key extraction queries made byA are answered. The queries can be made in both Phase 1 and Phase 2 of the adversarial game (subject to the usual restrictions). The manner in which they are answered by the simulator is the same in both phases.
Key Extraction Query: Suppose $\mathcal{A}$ makes a key extraction query on the identity $\mathsf{id} = (\mathsf{id}_1, \ldots, \mathsf{id}_n)$. Choose a random $r$ from $\mathbb{Z}_p$. Suppose $K(\mathsf{id}) = 1$; otherwise set $\mathsf{flg}$ to 1. In the second case, the simulator uses the value of $a$ to return the proper decryption key $d_{\mathsf{id}} = (aP_2 + rV(\mathsf{id}), rP)$. In the first case, $L(\mathsf{id}) \ne 0$, so $x' + \sum_{i=1}^{n} x_i\mathsf{id}_i \ne mk$ and hence $F(\mathsf{id}) \not\equiv 0 \pmod p$; the simulator can therefore invert $F(\mathsf{id})$ modulo $p$ and constructs a decryption key in the following manner:
$$d_0 = -\frac{J(\mathsf{id})}{F(\mathsf{id})}P_1 + r\big(F(\mathsf{id})P_2 + J(\mathsf{id})P\big), \qquad d_1 = -\frac{1}{F(\mathsf{id})}P_1 + rP. \tag{7.2.2}$$
The quantity $d_{\mathsf{id}} = (d_0, d_1)$ is a proper private key corresponding to the identity $\mathsf{id}$.
To see this, let $r' = r - a/F(\mathsf{id})$. Then
$$\begin{aligned}
d_0 &= -\frac{J(\mathsf{id})}{F(\mathsf{id})}P_1 + r\big(F(\mathsf{id})P_2 + J(\mathsf{id})P\big)\\
&= abP - \frac{F(\mathsf{id})}{F(\mathsf{id})}abP - \frac{J(\mathsf{id})}{F(\mathsf{id})}aP + r\big(F(\mathsf{id})P_2 + J(\mathsf{id})P\big)\\
&= aP_2 - \frac{a}{F(\mathsf{id})}\big(F(\mathsf{id})P_2 + J(\mathsf{id})P\big) + r\big(F(\mathsf{id})P_2 + J(\mathsf{id})P\big)\\
&= aP_2 + r'\big(F(\mathsf{id})P_2 + J(\mathsf{id})P\big)\\
&= aP_2 + r'\Big((p - mk + x')P_2 + y'P + \sum_{i=1}^{n}\mathsf{id}_i\,(x_iP_2 + y_iP)\Big)\\
&= aP_2 + r'\Big(U' + \sum_{i=1}^{n}\mathsf{id}_iU_i\Big),
\end{aligned}$$
and it is easy to see that $d_1 = rP - \frac{1}{F(\mathsf{id})}aP = r'P$. Since $r$ is uniform in $\mathbb{Z}_p$, so is $r'$, and hence $d_{\mathsf{id}} = (d_0, d_1)$ is distributed exactly like a key produced by the real key extraction algorithm. This $d_{\mathsf{id}}$ is provided to $\mathcal{A}$.
Challenge: Let the challenge identity be $\mathsf{id}^* = (\mathsf{id}^*_1, \ldots, \mathsf{id}^*_n)$, and the (equal length) messages be $M_0$ and $M_1$. Choose a random bit $\gamma$. We need to have $F(\mathsf{id}^*) \equiv 0 \pmod p$. If this condition does not hold, then set $\mathsf{flg}$ to 1. In the second case, the simulator uses the value of $c$ to provide a proper encryption of $M_\gamma$ to $\mathcal{A}$ by computing $(M_\gamma \times e(P_1, P_2)^c,\ cP,\ cV(\mathsf{id}^*))$. In the first case, it constructs a proper encryption of $M_\gamma$ in the following manner:
$$\big(M_\gamma \times Z,\ C_1 = P_3,\ C_2 = J(\mathsf{id}^*)P_3\big).$$
We require $C_2$ to be equal to $cV(\mathsf{id}^*)$. Recall that the definition of $V(\mathsf{id})$ is $V(\mathsf{id}) = U' + \sum_{i=1}^{n}\mathsf{id}_iU_i$. Using the definition of $U'$ and the $U_i$'s as defined in Set-Up by the simulator, we obtain
$$\begin{aligned}
cV(\mathsf{id}^*) &= c\Big(U' + \sum_{i=1}^{n}\mathsf{id}^*_iU_i\Big)\\
&= c\Big((p - mk + x')P_2 + y'P + \sum_{i=1}^{n}\mathsf{id}^*_i\,(x_iP_2 + y_iP)\Big)\\
&= c\big(F(\mathsf{id}^*)P_2 + J(\mathsf{id}^*)P\big)\\
&= J(\mathsf{id}^*)\,cP\\
&= J(\mathsf{id}^*)P_3.
\end{aligned}$$
Here we use the fact that $F(\mathsf{id}^*) \equiv 0 \pmod p$. The first component is also correct, since $Z = e(P,P)^{abc} = e(aP, bP)^c = e(P_1, P_2)^c$.
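Both simulations above, the key of (7.2.2) and the challenge $(P_3, J(\mathsf{id}^*)P_3)$, can be checked mechanically. The following Python is an added example, not code from the book or from any Waters-IBE implementation: there is no pairing group in it; every element of $G$ is represented by its discrete logarithm to the base $P$ in $\mathbb{Z}_p$, so $P = 1$, $P_1 = a$, $P_2 = b$, $P_3 = c$ and scalar multiplication is multiplication mod $p$. That is enough to check the algebra, because the simulator only ever forms $\mathbb{Z}_p$-linear combinations of $P$, $P_1$, $P_2$ and $P_3$. The prime `P_ORDER`, the parameter names and every numeric value in `EXAMPLE` are assumptions constructed for the example (the instance is $n = 4$, $q = 2$, $m = 8$, chosen so that one identity has $F(\mathsf{id}^*) = p$). `pow(f, -1, p)` needs Python 3.8 or later.

```python
"""Toy check of the Game 1 simulator for Waters IBE, written "in the exponent".

Added example, not code from the book.  Each element of G is represented by
its discrete log to the base P in Z_p, so P = 1, P1 = a, P2 = b, P3 = c and
scalar multiplication is multiplication mod p.  All values are constructed
for the example; P_ORDER is a toy stand-in for a pairing-friendly group order.
"""
from dataclasses import dataclass
from itertools import product
from typing import List, Optional, Tuple

P_ORDER = 1_000_003  # prime (assumed toy value); must exceed m(n+1) as the text requires


@dataclass(frozen=True)
class SimParams:  # the simulator's Set-Up choices plus the DBDH exponents it "knows"
    n: int         # bit-length of identities
    m: int         # m = 4q
    k: int         # uniform in {0, ..., n}
    x_prime: int   # x' in Z_m
    xs: List[int]  # x_1, ..., x_n in Z_m
    y_prime: int   # y' in Z_p
    ys: List[int]  # y_1, ..., y_n in Z_p
    a: int         # P1 = aP
    b: int         # P2 = bP
    c: int         # P3 = cP


def F(pp: SimParams, v) -> int:
    """F(v) = p - mk + x' + sum x_i v_i over the integers (not reduced mod p)."""
    return P_ORDER - pp.m * pp.k + pp.x_prime + sum(x * vi for x, vi in zip(pp.xs, v))


def J(pp: SimParams, v) -> int:
    """J(v) = y' + sum y_i v_i mod p."""
    return (pp.y_prime + sum(y * vi for y, vi in zip(pp.ys, v))) % P_ORDER


def L(pp: SimParams, v) -> int:
    """L(v) = x' + sum x_i v_i mod m."""
    return (pp.x_prime + sum(x * vi for x, vi in zip(pp.xs, v))) % pp.m


def K(pp: SimParams, v) -> int:
    return 0 if L(pp, v) == 0 else 1


def V_log(pp: SimParams, v) -> int:
    """log_P of V(id) = U' + sum id_i U_i, with U' = (p-mk+x')P2 + y'P, U_i = x_i P2 + y_i P."""
    u_prime = (P_ORDER - pp.m * pp.k + pp.x_prime) * pp.b + pp.y_prime
    return (u_prime + sum(vi * (x * pp.b + y) for vi, x, y in zip(v, pp.xs, pp.ys))) % P_ORDER


def real_key(pp: SimParams, v, r: int) -> Tuple[int, int]:
    """Honest key d_id = (aP2 + r V(id), rP) as discrete logs."""
    return ((pp.a * pp.b + r * V_log(pp, v)) % P_ORDER, r % P_ORDER)


def simulated_key(pp: SimParams, v, r: int) -> Optional[Tuple[int, int]]:
    """Key (7.2.2), formed from P1 and P2 only; None where the simulator sets flg (K(id) = 0)."""
    if K(pp, v) == 0:
        return None
    f, j = F(pp, v), J(pp, v)
    f_inv = pow(f, -1, P_ORDER)  # K(id)=1 => L(id)!=0 => F(id) != 0 mod p, so the inverse exists
    d0 = (-j * f_inv * pp.a + r * (f * pp.b + j)) % P_ORDER
    d1 = (-f_inv * pp.a + r) % P_ORDER
    return d0, d1


def implied_r(pp: SimParams, v, r: int) -> int:
    """r' = r - a/F(id): the honest randomness that the simulated key corresponds to."""
    return (r - pp.a * pow(F(pp, v), -1, P_ORDER)) % P_ORDER


def simulated_challenge(pp: SimParams, v_star) -> Optional[Tuple[int, int]]:
    """(C1, C2) = (P3, J(id*) P3) as discrete logs; None where F(id*) != 0 mod p (flg set)."""
    if F(pp, v_star) % P_ORDER != 0:
        return None
    return pp.c, (J(pp, v_star) * pp.c) % P_ORDER


def real_challenge(pp: SimParams, v_star) -> Tuple[int, int]:
    """(cP, cV(id*)) as produced by the real encryption algorithm."""
    return pp.c, (pp.c * V_log(pp, v_star)) % P_ORDER


def verify_simulator(pp: SimParams, r: int = 424242) -> Tuple[int, int]:
    """Over all of {0,1}^n, every simulated key must equal the honest key under r' and every
    simulated challenge the honest one.  Returns (#simulatable keys, #simulatable challenges)."""
    keys = chals = 0
    for v in product((0, 1), repeat=pp.n):
        sk = simulated_key(pp, v, r)
        if sk is not None:
            assert sk == real_key(pp, v, implied_r(pp, v, r)), v
            keys += 1
        ch = simulated_challenge(pp, v)
        if ch is not None:
            assert ch == real_challenge(pp, v), v
            chals += 1
    return keys, chals


# Constructed instance: n = 4, q = 2, m = 8.  With k = 1, x' = 3 and x = (5, 2, 7, 0), the
# identity (1,0,0,0) has x' + x_1 = 8 = mk, i.e. F = p, so the challenge on it is simulatable.
EXAMPLE = SimParams(n=4, m=8, k=1, x_prime=3, xs=[5, 2, 7, 0],
                    y_prime=11, ys=[101, 202, 303, 404], a=12345, b=67890, c=24680)

if __name__ == "__main__":
    print("simulatable keys / challenges among the 16 identities:", verify_simulator(EXAMPLE))
    print("key query on (1,0,0,1): L =", L(EXAMPLE, (1, 0, 0, 1)), "-> simulator sets flg")
```

In this instance the two identities with $L(\mathsf{id}) = 0$, $(1,0,0,0)$ and $(1,0,0,1)$, are exactly the ones the simulator cannot answer a key query for and exactly the ones whose challenge it can simulate, which is the partitioning the abort analysis below relies on.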
Guess: The adversary outputs a guessγ′ofγ and wins if they are equal.
Game 2:
This is a modification of Game 1 whereby the $Z = e(P,P)^{abc}$ in Game 1 is now replaced by a random element of $G_T$. This $Z$ is used to mask the message $M_\gamma$ in the challenge ciphertext. Since $Z$ is random, the first component of the challenge ciphertext is a random element of $G_T$ and provides no information to the adversary about $\gamma$. Thus, $\Pr[X_2] = 1/2$.
We show that it is possible to construct an algorithm $\mathcal{B}$ for solving the DBDH problem by extending Game 1 and Game 2. The extension of both games is the same and is described as follows. $\mathcal{B}$ takes as input a tuple $(P, aP, bP, cP, Z)$ and sets up the IBE protocol as in Game 1. Also, the key extraction queries are answered and the challenge ciphertext is generated as in Game 1. If at any stage $\mathsf{flg}$ is set to 1, then $\mathcal{B}$ outputs a random bit and aborts (unlike the Game 1 simulator, $\mathcal{B}$ is given only the tuple and not $a$, $b$ or $c$, so it cannot fall back on them). At the end of the game, the adversary outputs the guess $\gamma'$. If $\mathcal{B}$ has not aborted up to this stage, then it outputs 1 if $\gamma = \gamma'$; else 0.
If $Z$ is equal to $e(P,P)^{abc}$, then the adversary is playing Game 1, and if $Z$ is a random element of $G_T$, then the adversary is playing Game 2. The time taken by $\mathcal{B}$ in either Game 1 or 2 is clearly $t'$.
Suppose $\Pr[\mathsf{flg}_i = 0]$ is the probability that the simulator $\mathcal{B}$ does not abort during Game $i$, $i = 1, 2$. In order to relate the advantage of $\mathcal{A}$ against the IBE scheme to the advantage of $\mathcal{B}$ in solving the DBDH problem, we need to find a bound on this probability.
Bounds on Probability of Not Abort
Before proceeding further with our analysis we state the following simple result which can be easily verified from elementary probability theory.
Proposition 7.1. Let $X$ and $Y$ be discrete random variables.
1. If $\Pr[X = c_1 \mid Y = c_2]$ is a constant as $c_2$ varies (i.e., the probability does not depend on the value $c_2$ of $Y$), then $X$ and $Y$ are independent.
2. If $X$ and $Y$ are independent and uniformly distributed, then
$$\Pr[g(X, f_1(Y)) = c_1 \mid f_1(Y) = c_2, f_2(Y) = c_3] = \Pr[g(X, f_1(Y)) = c_1 \mid f_1(Y) = c_2],$$
where $f_1$, $f_2$ and $g$ are arbitrary functions (with appropriate domains and ranges) and $c_1$, $c_2$ and $c_3$ are arbitrary elements of the respective sets.
Let $\mathsf{flg}_i$ denote the random variable $\mathsf{flg}$ in Game $i$, $i = 1, 2$. Suppose $\mathsf{id}^{(1)}, \ldots, \mathsf{id}^{(q)}$ are the identities in the $q$ key extraction queries and $\mathsf{id}^*$ is the challenge identity. Let $\mathcal{V} = (\mathsf{id}^*, \mathsf{id}^{(1)}, \ldots, \mathsf{id}^{(q)})$. Let $X$ be the tuple of random variables consisting of the $x_i$'s and $x'$ used during set-up. Let $Z$ be the tuple of random variables consisting of the adversary's private random bits; the $y_i$'s and $y'$ used during set-up; and the $r$'s used in answering the key extraction queries. A specific value of $X$ will be denoted by $x$; a specific value of $Z$ will be denoted by $z$; and a specific value of $\mathcal{V}$ will be denoted by $v$. The following observation is due to Bellare and Ristenpart [23].
Proposition 7.2.
1. $\mathcal{V}$ is independent of $X$.
2. In the $i$-th game, the event $X_i$ is independent of $X$.
3. The random variable $\mathsf{flg}_i$ is a function $\mathsf{flg}_i \stackrel{\Delta}{=} \mathsf{flg}_i(X, \mathcal{V})$.
Proof: (1) Fix any value $x$ of $X$. Irrespective of this value, the independent and uniform random choices of the $y_i$'s and $y'$ ensure that the public parameters are independent and uniformly distributed points. Similarly, the independent and uniform random choices of the $r$'s ensure that the response to any query is uniformly random and independent of the other random variables. Similarly, the independent and uniform randomness of $c$ ensures that the challenge ciphertext is independent of $X$. This is true irrespective of whether $\mathsf{flg}_i$ is set to 1 or 0.
The adversary's queries depend on its own random choices (which are independent of $X$), the distribution of the public parameters, the responses to the queries and the challenge ciphertext. By the above argument, for every fixed value of $X$, the distributions of these random variables are the same. Hence, for every fixed value of $X$, the probability that the adversary outputs a particular query sequence is a constant, i.e. $\Pr[\mathcal{V} = v \mid X = x]$ does not depend on $x$. From Proposition 7.1(1), it follows that $\mathcal{V}$ is independent of $X$.
(2) The bit $\gamma$ is a uniform random bit which is independent of all other quantities. In Games 0 and 1, the adversary's output $\gamma'$ is a function of its private random choices, the public parameters, the responses to the queries and the challenge ciphertext. So, as argued above, the output $\gamma'$ is independent of $X$ and hence the event $\gamma = \gamma'$ is also independent of $X$. In Game 2, the bit $\gamma$ is statistically hidden from the adversary and hence the probability of $X_2$ is $1/2$ irrespective of the value of $X$.
(3) The value of $\mathsf{flg}_i$ is 0 if and only if $L(\mathsf{id}^{(j)}) \ne 0$ for every key extraction query $\mathsf{id}^{(j)}$ (so that $K(\mathsf{id}^{(j)}) = 1$) and $F(\mathsf{id}^*) \equiv 0 \pmod p$ for the challenge identity. From the definitions of the functions $F$ and $L$, it follows that this event depends only on $X$ and $\mathcal{V}$ (and on the fixed set-up value $k$), and so the random variable $\mathsf{flg}_i$ is a function of these two random variables. ⊓⊔
From the above two propositions we obtain the following result.
Proposition 7.3. $\Pr[\mathsf{flg}_i = 0 \mid \mathcal{V} = v, X_i] = \Pr[\mathsf{flg}_i = 0 \mid \mathcal{V} = v]$.
We further require the following two independence results in obtaining the required bound.
Proposition 7.4. Let $L(\cdot)$ be as defined in (7.2.1) and let $\mathsf{id} \in \{0,1\}^n$ be any identity. Then
1. $\Pr[L(\mathsf{id}) = 0] = 1/m$.
2. Let $\mathsf{id}'$ be an identity such that $\mathsf{id}' \ne \mathsf{id}$. Then $\Pr[L(\mathsf{id}') = 0 \mid L(\mathsf{id}) = 0] = 1/m$.
The probability is over the independent and uniform random choices of $x'$ and $x_1, \ldots, x_n$ from $\mathbb{Z}_m$.
Proof: Recall from (7.2.1) that $L(\mathsf{id}) = x' + \mathsf{id}_1x_1 + \cdots + \mathsf{id}_nx_n \pmod m$. Each of the values $x', x_1, \ldots, x_n$ is chosen independently and uniformly at random from $\mathbb{Z}_m$. Since $x'$ alone is uniform and independent of the remaining terms, $L(\mathsf{id})$ is uniformly distributed over $\mathbb{Z}_m$. The first point follows from this observation.
For the second point, since $\mathsf{id} \ne \mathsf{id}'$, there is an $i \in \{1, \ldots, n\}$ such that exactly one of $\mathsf{id}_i$ and $\mathsf{id}'_i$ is non-zero. If some such $i$ has $\mathsf{id}'_i = 1$ and $\mathsf{id}_i = 0$, then $x_i$ appears in $L(\mathsf{id}')$ but not in $L(\mathsf{id})$, and its independent uniform randomness makes $L(\mathsf{id}')$ uniform over $\mathbb{Z}_m$ even after conditioning on the value of $L(\mathsf{id})$. Otherwise every position where the two identities differ has $\mathsf{id}_i = 1$ and $\mathsf{id}'_i = 0$, so $L(\mathsf{id}) = L(\mathsf{id}') + \sum x_i \pmod m$ with the sum over those positions; these $x_i$ do not appear in $L(\mathsf{id}')$, so $L(\mathsf{id})$ is uniform and independent of $L(\mathsf{id}')$, giving $\Pr[L(\mathsf{id}') = 0 \wedge L(\mathsf{id}) = 0] = (1/m)\cdot(1/m)$ and again $\Pr[L(\mathsf{id}') = 0 \mid L(\mathsf{id}) = 0] = 1/m$. ⊓⊔
Proposition 7.5. For any fixed $v$, let $\lambda(v) \stackrel{\Delta}{=} \Pr[\mathsf{flg}(X, v) = 0]$. Then
$$\lambda^- \stackrel{\Delta}{=} \Big(1 - \frac{q}{m}\Big)\lambda^+ \ \le\ \lambda(v)\ \le\ \lambda^+ \stackrel{\Delta}{=} \frac{1}{m(n+1)}. \tag{7.2.3}$$
Proof: For any fixed $v$, let $\overline{\mathsf{ab}}(v)$ be the event $\mathsf{flg}(X, v) = 0$, i.e., the event that the simulator does not abort. For $1 \le i \le q$, let $E_i$ denote the event that the simulator does not abort on the $i$th key extraction query and let $C$ be the event that the simulator does not abort in the challenge stage. We have
$$\begin{aligned}
\Pr[\overline{\mathsf{ab}}(v)] &= \Pr\Big[\Big(\bigwedge_{i=1}^{q}E_i\Big) \wedge C\Big]
= \Pr\Big[\bigwedge_{i=1}^{q}E_i \,\Big|\, C\Big]\Pr[C]\\
&= \Big(1 - \Pr\Big[\bigvee_{i=1}^{q}\neg E_i \,\Big|\, C\Big]\Big)\Pr[C]
\ \ge\ \Big(1 - \sum_{i=1}^{q}\Pr[\neg E_i \mid C]\Big)\Pr[C].
\end{aligned}$$
We first consider the event $C$. Suppose the challenge identity is $\mathsf{id}^*$. Event $C$ holds if and only if $F(\mathsf{id}^*) \equiv 0 \pmod p$. Recall that by the choice of $p$, $F(\mathsf{id}^*) \equiv 0 \pmod p$ if and only if $x' + \sum_{i=1}^{n}x_i\mathsf{id}^*_i = mk$. Hence,
$$\Pr[C] = \Pr\Big[x' + \sum_{i=1}^{n}x_i\mathsf{id}^*_i = mk\Big]. \tag{7.2.4}$$
For $0 \le j \le n$, denote the event $x' + \sum_{i=1}^{n}x_i\mathsf{id}^*_i = mj$ by $A_j$ and the event $k = j$ by $B_j$. Also, let $C_j$ be the event $A_j \wedge B_j$.
Note that the event $\bigvee_{j=0}^{n}A_j$ is equivalent to the condition $x' + \sum_{i=1}^{n}x_i\mathsf{id}^*_i \equiv 0 \pmod m$ and hence equivalent to the condition $L(\mathsf{id}^*) = 0$: the sum is at most $(m-1)(n+1) < m(n+1)$, so any multiple of $m$ it attains is $mj$ for some $0 \le j \le n$. Since $k$ is chosen uniformly at random from the set $\{0, \ldots, n\}$, we have $\Pr[B_j] = 1/(1+n)$ for all $j$. Also, the event $B_j$ is independent of the event $A_j$, and the events $A_0, \ldots, A_n$ (hence also $C_0, \ldots, C_n$) are mutually exclusive. We have
$$\begin{aligned}
\Pr\Big[x' + \sum_{i=1}^{n}x_i\mathsf{id}^*_i = mk\Big]
&= \Pr\Big[\bigvee_{j=0}^{n}C_j\Big]
= \Pr\Big[\bigvee_{j=0}^{n}(A_j \wedge B_j)\Big]
= \sum_{j=0}^{n}\Pr[A_j \wedge B_j]\\
&= \sum_{j=0}^{n}\Pr[A_j]\times\Pr[B_j]
= \frac{1}{1+n}\sum_{j=0}^{n}\Pr[A_j]
= \frac{1}{1+n}\Pr\Big[\bigvee_{j=0}^{n}A_j\Big]\\
&= \frac{1}{1+n}\Pr[L(\mathsf{id}^*) = 0]
= \frac{1}{m(1+n)}.
\end{aligned}$$
The last equality follows from Proposition 7.4. This shows that $\Pr[C] = 1/(m(1+n))$ and so
$$\Pr[\overline{\mathsf{ab}}(v)] = \Pr\Big[\Big(\bigwedge_{i=1}^{q}E_i\Big) \wedge C\Big] \le \Pr[C] = \frac{1}{m(1+n)}.$$
This shows the required upper bound.
To obtain the lower bound, we now turn to bounding $\Pr[\neg E_i \mid C]$. For simplicity of notation, we drop the subscript $i$ from $E_i$ and consider the event $E$ that the simulator does not abort on a particular key extraction query on an identity $\mathsf{id}$ (which, by the rules of the game, differs from $\mathsf{id}^*$). By the simulation, the event $\neg E$ holds if and only if $K(\mathsf{id}) = 0$, i.e., $L(\mathsf{id}) = 0$. This holds even when the event is conditioned on $C$. Moreover, conditioned on $C$ the tuple $X$ is uniformly distributed over the values with $L(\mathsf{id}^*) = 0$, because $k$ is independent of $X$ and $\Pr[C \mid X = x]$ equals $1/(n+1)$ for every such $x$ and $0$ for every other $x$. Hence, from Proposition 7.4(2), $\Pr[\neg E \mid C] = \Pr[L(\mathsf{id}) = 0 \mid L(\mathsf{id}^*) = 0] = 1/m$.
Substituting this in the bound for $\Pr[\overline{\mathsf{ab}}(v)]$ we obtain
$$\Pr[\overline{\mathsf{ab}}(v)] \ \ge\ \Big(1 - \sum_{i=1}^{q}\Pr[\neg E_i \mid C]\Big)\Pr[C]
\ \ge\ \Big(1 - \frac{q}{m}\Big)\frac{1}{m(n+1)}.$$
This completes the proof of Proposition 7.5. ⊓⊔
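Because $\mathsf{flg}$ depends only on $X = (x', x_1, \ldots, x_n) \in \mathbb{Z}_m^{n+1}$, on $k$ and on the identities in $v$, the bounds of Proposition 7.5 can be checked exactly for small parameters by enumerating all $m^{n+1}(n+1)$ equally likely choices of $(X, k)$ rather than sampling. The following Python is an added example, not code from the book; the instance ($n = 4$, $q = 2$, $m = 8$, the identities `ID_STAR` and `QUERIES`) and all function names are constructed for the example, and it assumes, as the text does, that $p > m(n+1)$ so that $F(\mathsf{id}^*) \equiv 0 \pmod p$ is the same as $x' + \sum_i x_i\mathsf{id}^*_i = mk$.

```python
"""Exact not-abort probability lambda(v) of Proposition 7.5 for small parameters.

Added example, not code from the book.  Whether the Game 1 simulator aborts
depends only on X = (x', x_1, ..., x_n) in Z_m^{n+1}, on k in {0, ..., n} and on
v = (id*, id^(1), ..., id^(q)), so for small n and m every one of the
m^{n+1}(n+1) equally likely (X, k) is enumerated and counted.  The instance
below (n = 4, q = 2, m = 8, the identities) is constructed for the example.
"""
from fractions import Fraction
from itertools import product
from typing import Sequence, Tuple

Identity = Tuple[int, ...]


def _weighted_sum(x_prime: int, xs: Sequence[int], v: Identity) -> int:
    return x_prime + sum(x * vi for x, vi in zip(xs, v))


def not_abort(m: int, k: int, x_prime: int, xs: Sequence[int],
              id_star: Identity, queries: Sequence[Identity]) -> bool:
    """flg = 0 iff F(id*) = p, i.e. x' + sum x_i id*_i = mk (assuming p > m(n+1) as in
    the text), and every queried identity has L(id) != 0 (so K(id) = 1)."""
    if _weighted_sum(x_prime, xs, id_star) != m * k:
        return False  # event C fails: the challenge cannot be simulated
    return all(_weighted_sum(x_prime, xs, idq) % m != 0 for idq in queries)


def prob_C(n: int, m: int, id_star: Identity) -> Fraction:
    """Pr[C] by enumeration; the proof of Proposition 7.5 says this is exactly 1/(m(n+1))."""
    good = sum(1 for k in range(n + 1) for x in product(range(m), repeat=n + 1)
               if _weighted_sum(x[0], x[1:], id_star) == m * k)
    return Fraction(good, (n + 1) * m ** (n + 1))


def lambda_v(n: int, m: int, id_star: Identity, queries: Sequence[Identity]) -> Fraction:
    """lambda(v) = Pr[flg(X, v) = 0] over uniform X in Z_m^{n+1} and uniform k in {0..n}."""
    good = sum(1 for k in range(n + 1) for x in product(range(m), repeat=n + 1)
               if not_abort(m, k, x[0], x[1:], id_star, queries))
    return Fraction(good, (n + 1) * m ** (n + 1))


def bounds(n: int, m: int, q: int) -> Tuple[Fraction, Fraction]:
    """(lambda^-, lambda^+) from (7.2.3)."""
    lam_plus = Fraction(1, m * (n + 1))
    return (1 - Fraction(q, m)) * lam_plus, lam_plus


def within_bounds(n: int, m: int, q: int, id_star: Identity, queries: Sequence[Identity]) -> bool:
    lo, hi = bounds(n, m, q)
    return lo <= lambda_v(n, m, id_star, queries) <= hi


# Constructed instance: n = 4, q = 2 key extraction queries, m = 4q = 8.
N, Q, M = 4, 2, 8
ID_STAR = (1, 0, 0, 0)
QUERIES = [(0, 1, 0, 0), (0, 0, 1, 0)]

if __name__ == "__main__":
    print("Pr[C]            =", prob_C(N, M, ID_STAR))              # 1/40
    print("lambda(v)        =", lambda_v(N, M, ID_STAR, QUERIES))   # 49/2560
    print("lambda-, lambda+ =", bounds(N, M, Q))                    # (3/160, 1/40)
```

For this instance $\Pr[C] = 1/40 = 1/(m(n+1))$ exactly, and $\lambda(v) = 49/2560$ sits between $\lambda^- = 48/2560$ and $\lambda^+ = 64/2560$: given $C$, each query's $L$-value is $0$ with probability exactly $1/8$, and here the two queries happen to be independent, so $\lambda(v) = (7/8)^2 \cdot 1/40$, slightly above the union-bound value $(1 - 2/8)\cdot 1/40$. A query whose support is contained in that of $\mathsf{id}^*$, such as $\mathsf{id}^* = (1,1,0,0)$ with the query $(1,0,0,0)$, gives $\lambda(v) = 7/320$, again within the bounds.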
Based on the bounds on the probability of not aborting, we continue our analysis of the relation between the advantages of $\mathcal{A}$ and $\mathcal{B}$. Let $Y_i$ be the event that the simulator outputs 1 in Game $i$, $i = 1, 2$. Then, we have
$$|\Pr[Y_1] - \Pr[Y_2]| \le \varepsilon_{dbdh}.$$
Let $\mathsf{ab}_i$ be the event $\mathsf{flg}_i(X, \mathcal{V}) = 1$, i.e., the event that the simulator aborts in Game $i$, $i = 1, 2$, and let $\overline{\mathsf{ab}}_i$ be its complement.
Proposition 7.6. $\varepsilon_{ibe} \le \dfrac{\varepsilon_{dbdh}}{(1 - q/m)\,\lambda^+}$.
Proof: Since $\mathcal{B}$ outputs a uniform random bit when it aborts, $\Pr[Y_i \mid \mathsf{ab}_i] = 1/2$, and otherwise it outputs 1 exactly when $\gamma = \gamma'$. Hence
$$\begin{aligned}
\Pr[Y_i] &= \Pr[Y_i \mid \mathsf{ab}_i]\Pr[\mathsf{ab}_i] + \Pr[Y_i \mid \overline{\mathsf{ab}}_i]\Pr[\overline{\mathsf{ab}}_i]\\
&= \tfrac12\Pr[\mathsf{ab}_i] + \Pr[X_i \mid \overline{\mathsf{ab}}_i]\Pr[\overline{\mathsf{ab}}_i]\\
&= \tfrac12\Pr[\mathsf{ab}_i] + \Pr[X_i \wedge \overline{\mathsf{ab}}_i]\\
&= \tfrac12\Pr[\mathsf{ab}_i] + \Pr[X_i \wedge \mathsf{flg}_i(X,\mathcal{V}) = 0]\\
&= \tfrac12\Pr[\mathsf{ab}_i] + \sum_{v}\Pr[X_i \wedge \mathsf{flg}_i(X,\mathcal{V}) = 0 \wedge \mathcal{V} = v]\\
&= \tfrac12\Pr[\mathsf{ab}_i] + \sum_{v}\Pr[\mathsf{flg}_i(X,\mathcal{V}) = 0 \mid X_i \wedge \mathcal{V} = v]\,\Pr[X_i \wedge \mathcal{V} = v]\\
&= \tfrac12\Pr[\mathsf{ab}_i] + \sum_{v}\Pr[\mathsf{flg}_i(X,\mathcal{V}) = 0 \mid \mathcal{V} = v]\,\Pr[X_i \wedge \mathcal{V} = v] \qquad (7.2.5)\\
&= \tfrac12\Pr[\mathsf{ab}_i] + \sum_{v}\Pr[\mathsf{flg}_i(X, v) = 0]\,\Pr[X_i \wedge \mathcal{V} = v]\\
&= \tfrac12\Pr[\mathsf{ab}_i] + \sum_{v}\lambda(v)\,\Pr[X_i \wedge \mathcal{V} = v].
\end{aligned}$$
Step (7.2.5) follows from Proposition 7.3. So,
$$\begin{aligned}
\Pr[Y_1] - \Pr[Y_2] &= \sum_{v}\lambda(v)\big(\Pr[X_1 \wedge \mathcal{V} = v] - \Pr[X_2 \wedge \mathcal{V} = v]\big)
\le \lambda^+\sum_{v}\big(\Pr[X_1 \wedge \mathcal{V} = v] - \Pr[X_2 \wedge \mathcal{V} = v]\big)\\
&= \lambda^+\Big(\sum_{v}\Pr[X_1 \wedge \mathcal{V} = v] - \sum_{v}\Pr[X_2 \wedge \mathcal{V} = v]\Big)
= \lambda^+\big(\Pr[X_1] - \Pr[X_2]\big).
\end{aligned}$$
Similarly, $\Pr[Y_1] - \Pr[Y_2] \ge \lambda^-(\Pr[X_1] - \Pr[X_2])$. Combining the two bounds, we get
$$\lambda^-\big(\Pr[X_1] - \Pr[X_2]\big) \le \Pr[Y_1] - \Pr[Y_2] \le \lambda^+\big(\Pr[X_1] - \Pr[X_2]\big). \tag{7.2.6}$$
Assuming $(\varepsilon_{dbdh}, t')$-hardness of DBDH, $|\Pr[Y_1] - \Pr[Y_2]| \le \varepsilon_{dbdh}$ and so $-\varepsilon_{dbdh} \le \Pr[Y_1] - \Pr[Y_2] \le \varepsilon_{dbdh}$. Combining this with (7.2.6), we have
$$-\frac{\varepsilon_{dbdh}}{\lambda^+} \le \Pr[X_1] - \Pr[X_2] \le \frac{\varepsilon_{dbdh}}{\lambda^-}. \tag{7.2.7}$$
From Proposition 7.5, $\dfrac{1}{\lambda^-} = \dfrac{1}{(1 - q/m)\,\lambda^+}$. Also, for $m > q > 0$, $-\dfrac{1}{1 - q/m} < -1$. Using these two relations, we obtain
$$-\frac{\varepsilon_{dbdh}}{(1 - q/m)\,\lambda^+} \le \Pr[X_1] - \Pr[X_2] \le \frac{\varepsilon_{dbdh}}{(1 - q/m)\,\lambda^+}.$$
So, $|\Pr[X_1] - \Pr[X_2]| \le \dfrac{\varepsilon_{dbdh}}{(1 - q/m)\,\lambda^+}$. The proof is now completed as follows, using $\Pr[X_2] = 1/2$ (Game 2) and $\Pr[X_0] = \Pr[X_1]$ (Game 1):
$$\begin{aligned}
\varepsilon_{ibe} &= \Big|\Pr[X_0] - \tfrac12\Big| = |\Pr[X_0] - \Pr[X_2]|\\
&\le |\Pr[X_0] - \Pr[X_1]| + |\Pr[X_1] - \Pr[X_2]|\\
&\le \frac{\varepsilon_{dbdh}}{(1 - q/m)\,\lambda^+}.
\end{aligned}$$
⊓⊔
Putting $m = 4q$ gives $\lambda^+ = 1/(4q(n+1))$ and $1 - q/m = 3/4$, so
$$\varepsilon_{ibe} \le \frac{16}{3}\,q(n+1)\,\varepsilon_{dbdh} \le 16nq\,\varepsilon_{dbdh},$$
where the last step uses $n + 1 \le 3n$ for $n \ge 1$. This completes the proof of Theorem 7.1. ⊓⊔