1 hierarchical identity-based encryption with constant size ciphertext dan boneh, xavier boyen and...
TRANSCRIPT
1
Hierarchical Identity-Based Encryption with Constant Size
Ciphertext
Dan Boneh, Xavier Boyen and Eu-Jin Goh
Eurocrypt 2005
投影片製作:張淑慧
2
Outline
• Notations
• Scheme 1: With constant size ciphertext based on Decision BDHE assumption
• Hybrid Scheme
• Application
• Conclusion
3
Bilinear map
1
1
:
ofgenerator a :
oder prime of groups cyclic :,
GGG
G
GG
e
g
p
4
l-Bilinear Diffie-Hellman Exponent (l-BDHE) Assumption
*** l-BDHE problem in G
*** l-BDHE assumption holds in G
if the l-BDHE problem in G is hard.
1),( :Output
),,,,,(Given 211
G
l
lll
hge
gggghg
5
KGC
(I1)
(I1,I2)
(I1,I2,…,Il)
Level 0
Level 1
Level 2
Level l
Hierarchical structure(key generation center)
6
Scheme 1 *A HIBE system with constant size ciphertext
* A selective-ID secure
• Setup
• KeyGen
• Encrypt
• Decrypt
7
Scheme 1 (continuous)
,,,,, ,
generator
e wher
;),,,,,,,(
parameters public :Output
,depth maxmumGiven :)(
1
2132*
*
2
21321
gg
Ghhhgg
Gg
gmaster-key
hhhggggparams
ll
RlpR
l
Z
Setup
8
Scheme 1 (continuous)
kl
b
rl
b
rk
a
r
a
rIk
I
pR
k
kID
lk
k hhgghhgd
r
lkIII
d
21312
21
1|
),,,,)((
Choose
),,,,(identity an Given
:),(
110
1 G
Z
ID
IDKeyGen
ID
9
Scheme 1 (continuous)
))( , ,),((
:Output
Choose
),,,,(identity an
and message aGiven
:),(
3121
21
1
1
C
sIk
I
B
s
A
s
pR
k
ghhgMgge
s
lkIII
M
,Mparams
k
CT
Z
ID
G
IDEncrypt
10
Scheme 1 (continuous)
ss
rIk
Is
sIk
Ir
lk
k
ggegge
ghhgge
ghhge
aBe
Cae
aBe
CaeAM
dbaad
CBAII
,d
k
k
),(
1
),(
1
))(,(
))(,(
),(
),( because
),(
),( Compute
),,,(
),,,( ciphertext a ),,,(Given
:),(
212
312
31
0
1
0
1
110
1
1
1
ID
ID
CTID
CIDDecrypt
11
Remark
• If l+1-BDHE assumption holds, then scheme 1 is selective identity, chosen plaintext (IND-sID-CPA) secure.
• Chosen ciphertext security: refer to Canetti et al. [10] (Eurocrypt 2004) or Boneh and Katz [7] (RSA-CT 2005) (more efficient)
• Arbitrary identities: hashing each Ii where ID=(I1,…,Ik)
12
Hybrid Scheme :
groups.between 2 scheme Use
group.each within 1 scheme Use
. size of groups econsecutiv into levelsPartition .3
)4,42
1,11 (e.g. .,Let .2
)2
1 (e.g. . value thedecide First, .1
21
211
21
ll
lllllll
size ciphertext
sizekey private
]1,0[
delegation Limited
1
lO
llO
13
Hybrid Scheme :
),()2,()1,(
),2()2,2()1,2(
),1()2,1()1,1(
2)1(1)1(
221
21
211
2111
2
2
212121
222
2
then
,,, If .4
llll
l
l
llllll
lll
l
l
III
III
III
III
III
III
lllII
I
I
size ciphertext
sizekey private
]1,0[
delegation Limited
1
lO
llO
14
Hybrid Scheme
• Setup
• KeyGen
• Encrypt
• Decrypt
15
Hybrid Scheme (continuous)
,,,,,,, ,
generator
e wher
;),,,,,,,,,(
parameters public :Output
., determinefirst ,depth maxmumGiven :)(
1
2112*
24
21121
21
21
21
gg
hhhffg
g
ggmaster-key
hhhffgggparams
llll
RllpR
ll
GZ
G
Setup
16
Hybrid Scheme (continuous)
221
2
1
2
12
1
2
1
1
11
1
1
0
1
1
)2,1(
2
)1,1(1
)2,(
2
)1,(
1
11
1
1
112
1
2121
1|
),,,,,,
,)()((
,, Choose
),(),,,,(identity an Given
:),(
klk
c
r
l
c
r
k
b
r
b
r
b
r
a
kk
I
k
Ik
i
ri
I
lI
pRk
k
kID
l
k
k
k
k
k
k
k
kkkilii
hhggg
fhhfhhgd
rr
lkkkIII
d
G
Z
ID
IDKeyGen
ID
17
Hybrid Scheme (continuous)
1
1
1
)2,1(
2
)1,1(
11
1
)2,11(
2
)1,11(
1
)2,1(
2
)1,1(
11111
1121
2121
1
))(,)(
,,)( , ,),((
:Output
Choose
),( ),,,,(identity an
and message aGiven
:),(
k
C
sk
I
k
I
C
sk
I
l
I
C
sI
lI
B
s
A
s
pR
k
k
kkk
k
lkk
l
fhhfhh
fhhgMgge
s
lkkkIII
M
,Mparams
GG
CT
Z
ID
G
IDEncrypt
18
Hybrid Scheme (continuous)
ss
r
k
I
k
Ik
i
ri
I
lIs
sk
I
k
Irk
i
si
I
lIr
k
iii
k
iii
lkk
kk
ggegge
fhhfhhgge
fhhgefhhge
aBe
Cbe
aBe
CbeAM
ccbbad
CCBAII
,d
kkkkilii
kkkkliii
),(
1
),(
1
))()(,
))(,()(,
),(
),(
),(
),( Compute
),,,,,,(
),,,,,( ciphertext a ),,,(Given
:),(
212
1
1
112
1
1
11
0
1
0
1
110
11
1
1
)2,1(
2
)1,1(1
)2,(
2
)1,(
1
)2,1(
2
)1,1(1
1)2,(
2
)1,(
1
1
221
1
ID
ID
CTID
CIDDecrypt
19
Scheme 1 Scheme 2 Hybrid scheme
ω=1/2
Private key size
Ciphertext size
)( lO
)( lO
)(lO
)(lO
)(lO
)1(O
20
Applications
• Forward secure encryption scheme
• Forward secure HIBE scheme
• Broadcast encryption scheme
21
Conclusion
• Is it possible to propose a HIBE scheme with both private key size O(1) and ciphertext size O(1)?
• To propose a HIBE scheme with constant size ciphertext based on HDHI assumption is the future research.
.END.
22
Scheme 1: How to generate dID by dID|k-1
ID
ID
ID
d
trr
hbhbgaghhbad
t
hhgghhgd
r
bbaa
hhgghhgd
lkIIId
tll
tkk
ttIk
IIk
pR
rl
rk
rrIk
I
pR
lk
rl
rk
rrIk
IkID
kjID
kk
k
k
key private the:Output
) , , , ,)(( Compute
where
),,,,,)((
),,,,(
),,,,,)(( and
),,,,(identity an Given :),(
111310
1312
10
31121|
211|
1
1
11
Z
Z
IDIDKeyGen
23
Scheme 2: ( [1] Eurocrypt 2004 )Efficient selective identity HIBE based on BDH
without random oracles
• Setup
• KeyGen
• Encrypt
• Decrypt
24
Scheme 2 (continuous)
,,, ,
, generators
e wher
;),,,,,,(
parameters public :Output
,depth maxmumGiven :)(
1
21*
*2
2
2121
gg
Ghhh
Ggg
gmaster-key
hhhgggparams
ll
RlpR
l
Z
Setup
25
Scheme 2 (continuous)
ID
ID
d
ddd
ggghghghgg
gddhgdd
r
dddd
ljIIId
j
rrrrj
IrIrI
rj
rj
I
pRj
jjID
jjID
jjj
jjj
key private the:Output
),,,(
),,,,)()()((
),,,,)(( Compute
),,,( and
),,,,(identity an Given :),(
10
121112
1110
1101|
211|
212211
Z
IDIDKeyGen
26
Scheme 2 (continuous)
sjIsIsIss
pR
j
hghghggMgge
s
ljIII
GM
,Mparams
j )(,,)(,)(,,),(
:Output
),,,,(identity an
and message aGiven
:),(
1211121
21
1
21
C
Z
ID
IDEncrypt
27
Scheme 2 (continuous)
),(),(),(
),(
),)((),)((),)((
))()()(,(),( because
),(
),(),(),( Compute
),,,(
),,,,,( ciphertext aGiven
:),(
2211
0
12111
12111221
0
2211
10
21
2211
2211
jj
rsj
IrsIrsI
rj
IrIrIss
jj
j
j
dCedCedCe
dBe
ghgeghgeghge
hghghgggegge
dBe
dCedCedCeAM
dddd
CCCBA
,d
jj
jj
ID
ID
C
CIDDecrypt
28
Hybrid Scheme: How to generate private key dID
12111
)2,2(
2
)2,2()1,2(
)2,1(
2
)2,1()1,1(
2111
2
2
2
2
1
),()2,()1,(
21
21
),()2,()1,(
),2()2,2()1,2(
),1()2,1()1,1(
21
lllll
I
lII
I
lII
llll
l
l
l
f
f
f
III
hhh
hhh
III
III
III
hhh
l
l
I
29
Hybrid Scheme : How to generate private key dID (continuous)
33
321
3)2,3()1,3(2)4,2()3,2()2,2()1,2(1)4,1()3,1()2,1()1,1(
)4,4()3,4()2,4()1,4(
)4,3()3,3()2,3()1,3(
)4,2()3,2()2,2()1,2(
)4,1()3,1()2,1()1,1(
43
32124321143212
4
3
2
1
4321
4321
4321
4321
)4,4()3,4()2,4()1,4(
)4,3()3,3()2,3()1,3(
)4,2()3,2()2,2()1,2(
)4,1()3,1()2,1()1,1(
4321
1012121
,
,,,
,
)2,3(10 ),,,(,16 ,4 ,4 :
rr
rrr
rIIrIIIIrIIII
ID
IIII
IIII
IIII
IIII
hh
ggg
fhhfhhhhfhhhhg
d
f
f
f
f
hhhh
hhhh
hhhh
hhhh
IIII
IIII
IIII
IIII
hhhh
IIIDlllll
I
exampleFor
30
Hybrid Scheme: An example for encryption
41321221
14121
211021
1
2121
3
)2,3()1,3(
2
)4,2()1,2(
1
)4,1()1,1(
)(,)(
,)( , ,),(
:Output
Choose
)2,3(),( ),,,,(identity an
and message aGiven
16,4,4
GG
CT
Z
ID
G
C
sII
C
sII
C
sII
B
s
A
s
pR
fhhfhh
fhhgMgge
s
kkIII
M
lllll :exampleFor
31
q-Bilinear Diffie-Hellman Inversion (q-BDHI) problem
*** q-SDH problem in G
*** q-BDHI problem in G
*1
where),( :Output
),,,,(Given 2
pcx
xxx
cgc
ggggq
Z
x
xxx
gge
gggggq
1
),( :Output
),,,,,(Given 2