Computable. There exists an efficient algorithm to compute e(P, Q) for all P, Q ∈ G1. From the literature [1], we note that such a bilinear pairing may be realized using the modified Weil pairing associated with supersingular elliptic curves.
Computable. For g, p ∈ G1, there is an efficient algorithm to compute e(g, p). Typically, the map e will be derived from either the Weil or Tate pairing on an elliptic curve over a finite field. Pairings and other parameters should be selected proactively for efficiency and security.
Computable. There exists an efficient algorithm to compute e(P, Q) for all P, Q ∈ G1.
Computable. ê(P, Q) is polynomial-time computable for any P, Q ∈ G1. In the literature, the security of many identity-based schemes is based on the following assumptions.
Assumption 1 (Bilinear Diffie-Hellman (BDH) [4]). For x, y, z ∈_R Z_q^*, P ∈ G1^*, ê : G1 × G1 → G2, given (P, xP, yP, zP), computing ê(P, P)^{xyz} is hard.
Assumption 2 (Decisional Bilinear Diffie-Hellman (DBDH)). For x, y, z, r ∈_R Z_q^*, P ∈ G1^*, ê : G1 × G1 → G2, distinguishing between the distributions (P, xP, yP, zP, ê(P, P)^{xyz}) and (P, xP, yP, zP, ê(P, P)^r) is hard.
Computable. An efficient algorithm to compute ê(P, Q) exists for any P, Q ∈ G1 where r_i is a random number chosen by U_i.
Computable. There exists an efficient algorithm to compute e(P, Q) for all P, Q ∈ G1.
CDH Problem: A Computational Diffie-Hellman (CDH) parameter generator CDH is a PPT algorithm that takes a security parameter 1^k and outputs an additive group G1 of order q. When an algorithm solves the CDH problem with an advantage s, the advantage is s = Pr[A(G, P, aP, bP) = abP], where P ∈ G1 and a, b ∈ Z_q^*.
parameter generator IG is a PPT algorithm that takes a security parameter 1^k and outputs G1 and G2 and a bilinear map e. When an algorithm solves the Decisional BDH (DBDH) problem with an advantage s, the advantage is |Pr[A(P, aP, bP, cP, e(P, P)^{abc}) = 1] - Pr[A(P, aP, bP, cP, e(P, P)^d) = 1]| ≤ s, where P ∈ G1 and a, b, c, d ∈ Z_q^*.
- Send(U, i, M): Send message M to instance Π_i and outputs the reply generated by this instance.
- Execute(U1, ..., Un): Execute the protocol between the players U1, ..., Un and outputs the transcript of execution.
- Reveal(U, i): Output the session key sk_i.
- Corrupt(U): Output the long-term secret key S_i.
- Test(U, i): asks any of the above queries, and then asks Test query only once. This query outputs a random bit b; if b = 1 the adversary can access sk_i, and
Computable. The map e is efficiently computable. The Weil [21] and modified Tate [22] pairings on elliptic curves can be used to construct such bilinear maps.
Computable. ê(P, Q) is polynomial-time computable for any P, Q ∈ G1. In the literature, the security of many identity-based schemes is based on the following assumptions.
Assumption 1 (Bilinear Diffie-Hellman (BDH) [4]). For x, y, z ∈_R Z∗, P ∈ G∗, ê : G × G → G, given (P, xP, yP, zP), computing ê(P, P)^{xyz}
Computable. There is an efficient algorithm to compute for all . .
Computable. There is an efficient algorithm to compute ê(P, Q) for any P, Q ∈ G1. By using the pairing computation and a Diffie-Hellman type scheme, the protocol requires each party to transmit only a single broadcast message to establish an agreed session key among three parties. After
1. A → B, C : aP
2. B → A, C : bP
3. C → A, B : cP
Fig. 1. Joux’s One-round Tripartite Key Agreement