1

Hierarchical Identity-Based Encryption with Constant Size

Ciphertext

Dan Boneh, Xavier Boyen and Eu-Jin Goh

Eurocrypt 2005

投影片製作：張淑慧

2

Outline

• Notations

• Scheme 1: With constant size ciphertext based on Decision BDHE assumption

• Hybrid Scheme

• Application

• Conclusion

3

Bilinear map

1

1

:

ofgenerator a :

oder prime of groups cyclic :,

GGG

G

GG

e

g

p

4

l-Bilinear Diffie-Hellman Exponent (l-BDHE) Assumption

*** l-BDHE problem in G

*** l-BDHE assumption holds in G

if the l-BDHE problem in G is hard.

1),( :Output

),,,,,(Given 211

G

l

lll

hge

gggghg

5

KGC

(I1)

(I1,I2)

(I1,I2,…,Il)

Level 0

Level 1

Level 2

Level l

Hierarchical structure(key generation center)

6

Scheme 1 *A HIBE system with constant size ciphertext

* A selective-ID secure

• Setup

• KeyGen

• Encrypt

• Decrypt

7

Scheme 1 (continuous)

,,,,, ,

generator

e wher

;),,,,,,,(

parameters public :Output

,depth maxmumGiven :)(

1

2132*

*

2

21321

gg

Ghhhgg

Gg

gmaster-key

hhhggggparams

ll

RlpR

l

Z

Setup

8

Scheme 1 (continuous)

kl

b

rl

b

rk

a

r

a

rIk

I

pR

k

kID

lk

k hhgghhgd

r

lkIII

d

21312

21

1|

),,,,)((

Choose

),,,,(identity an Given

:),(

110

1 G

Z

ID

IDKeyGen

ID

9

Scheme 1 (continuous)

))( , ,),((

:Output

Choose

),,,,(identity an

and message aGiven

:),(

3121

21

1

1

C

sIk

I

B

s

A

s

pR

k

ghhgMgge

s

lkIII

M

,Mparams

k

CT

Z

ID

G

IDEncrypt

10

Scheme 1 (continuous)

ss

rIk

Is

sIk

Ir

lk

k

ggegge

ghhgge

ghhge

aBe

Cae

aBe

CaeAM

dbaad

CBAII

,d

k

k

),(

1

),(

1

))(,(

))(,(

),(

),( because

),(

),( Compute

),,,(

),,,( ciphertext a ),,,(Given

:),(

212

312

31

0

1

0

1

110

1

1

1

ID

ID

CTID

CIDDecrypt

11

Remark

• If l+1-BDHE assumption holds, then scheme 1 is selective identity, chosen plaintext (IND-sID-CPA) secure.

• Chosen ciphertext security: refer to Canetti et al. [10] (Eurocrypt 2004) or Boneh and Katz [7] (RSA-CT 2005) (more efficient)

• Arbitrary identities: hashing each Ii where ID=(I1,…,Ik)

12

Hybrid Scheme :

groups.between 2 scheme Use

group.each within 1 scheme Use

. size of groups econsecutiv into levelsPartition .3

)4,42

1,11 (e.g. .,Let .2

)2

1 (e.g. . value thedecide First, .1

21

211

21

ll

lllllll

size ciphertext

sizekey private

]1,0[

delegation Limited

1

lO

llO

13

Hybrid Scheme :

),()2,()1,(

),2()2,2()1,2(

),1()2,1()1,1(

2)1(1)1(

221

21

211

2111

2

2

212121

222

2

then

,,, If .4

llll

l

l

llllll

lll

l

l

III

III

III

III

III

III

lllII

I

I

size ciphertext

sizekey private

]1,0[

delegation Limited

1

lO

llO

14

Hybrid Scheme

• Setup

• KeyGen

• Encrypt

• Decrypt

15

Hybrid Scheme (continuous)

,,,,,,, ,

generator

e wher

;),,,,,,,,,(

parameters public :Output

., determinefirst ,depth maxmumGiven :)(

1

2112*

24

21121

21

21

21

gg

hhhffg

g

ggmaster-key

hhhffgggparams

llll

RllpR

ll

GZ

G

Setup

16

Hybrid Scheme (continuous)

221

2

1

2

12

1

2

1

1

11

1

1

0

1

1

)2,1(

2

)1,1(1

)2,(

2

)1,(

1

11

1

1

112

1

2121

1|

),,,,,,

,)()((

,, Choose

),(),,,,(identity an Given

:),(

klk

c

r

l

c

r

k

b

r

b

r

b

r

a

kk

I

k

Ik

i

ri

I

lI

pRk

k

kID

l

k

k

k

k

k

k

k

kkkilii

hhggg

fhhfhhgd

rr

lkkkIII

d

G

Z

ID

IDKeyGen

ID

17

Hybrid Scheme (continuous)

1

1

1

)2,1(

2

)1,1(

11

1

)2,11(

2

)1,11(

1

)2,1(

2

)1,1(

11111

1121

2121

1

))(,)(

,,)( , ,),((

:Output

Choose

),( ),,,,(identity an

and message aGiven

:),(

k

C

sk

I

k

I

C

sk

I

l

I

C

sI

lI

B

s

A

s

pR

k

k

kkk

k

lkk

l

fhhfhh

fhhgMgge

s

lkkkIII

M

,Mparams

GG

CT

Z

ID

G

IDEncrypt

18

Hybrid Scheme (continuous)

ss

r

k

I

k

Ik

i

ri

I

lIs

sk

I

k

Irk

i

si

I

lIr

k

iii

k

iii

lkk

kk

ggegge

fhhfhhgge

fhhgefhhge

aBe

Cbe

aBe

CbeAM

ccbbad

CCBAII

,d

kkkkilii

kkkkliii

),(

1

),(

1

))()(,

))(,()(,

),(

),(

),(

),( Compute

),,,,,,(

),,,,,( ciphertext a ),,,(Given

:),(

212

1

1

112

1

1

11

0

1

0

1

110

11

1

1

)2,1(

2

)1,1(1

)2,(

2

)1,(

1

)2,1(

2

)1,1(1

1)2,(

2

)1,(

1

1

221

1

ID

ID

CTID

CIDDecrypt

19

Scheme 1 Scheme 2 Hybrid scheme

ω=1/2

Private key size

Ciphertext size

)( lO

)( lO

)(lO

)(lO

)(lO

)1(O

20

Applications

• Forward secure encryption scheme

• Forward secure HIBE scheme

• Broadcast encryption scheme

21

Conclusion

• Is it possible to propose a HIBE scheme with both private key size O(1) and ciphertext size O(1)?

• To propose a HIBE scheme with constant size ciphertext based on HDHI assumption is the future research.

.END.

22

Scheme 1: How to generate dID by dID|k-1

ID

ID

ID

d

trr

hbhbgaghhbad

t

hhgghhgd

r

bbaa

hhgghhgd

lkIIId

tll

tkk

ttIk

IIk

pR

rl

rk

rrIk

I

pR

lk

rl

rk

rrIk

IkID

kjID

kk

k

k

key private the:Output

) , , , ,)(( Compute

where

),,,,,)((

),,,,(

),,,,,)(( and

),,,,(identity an Given :),(

111310

1312

10

31121|

211|

1

1

11

Z

Z

IDIDKeyGen

23

Scheme 2: ( [1] Eurocrypt 2004 )Efficient selective identity HIBE based on BDH

without random oracles

• Setup

• KeyGen

• Encrypt

• Decrypt

24

Scheme 2 (continuous)

,,, ,

, generators

e wher

;),,,,,,(

parameters public :Output

,depth maxmumGiven :)(

1

21*

*2

2

2121

gg

Ghhh

Ggg

gmaster-key

hhhgggparams

ll

RlpR

l

Z

Setup

25

Scheme 2 (continuous)

ID

ID

d

ddd

ggghghghgg

gddhgdd

r

dddd

ljIIId

j

rrrrj

IrIrI

rj

rj

I

pRj

jjID

jjID

jjj

jjj

key private the:Output

),,,(

),,,,)()()((

),,,,)(( Compute

),,,( and

),,,,(identity an Given :),(

10

121112

1110

1101|

211|

212211

Z

IDIDKeyGen

26

Scheme 2 (continuous)

sjIsIsIss

pR

j

hghghggMgge

s

ljIII

GM

,Mparams

j )(,,)(,)(,,),(

:Output

),,,,(identity an

and message aGiven

:),(

1211121

21

1

21

C

Z

ID

IDEncrypt

27

Scheme 2 (continuous)

),(),(),(

),(

),)((),)((),)((

))()()(,(),( because

),(

),(),(),( Compute

),,,(

),,,,,( ciphertext aGiven

:),(

2211

0

12111

12111221

0

2211

10

21

2211

2211

jj

rsj

IrsIrsI

rj

IrIrIss

jj

j

j

dCedCedCe

dBe

ghgeghgeghge

hghghgggegge

dBe

dCedCedCeAM

dddd

CCCBA

,d

jj

jj

ID

ID

C

CIDDecrypt

28

Hybrid Scheme: How to generate private key dID

12111

)2,2(

2

)2,2()1,2(

)2,1(

2

)2,1()1,1(

2111

2

2

2

2

1

),()2,()1,(

21

21

),()2,()1,(

),2()2,2()1,2(

),1()2,1()1,1(

21

lllll

I

lII

I

lII

llll

l

l

l

f

f

f

III

hhh

hhh

III

III

III

hhh

l

l

I

29

Hybrid Scheme : How to generate private key dID (continuous)

33

321

3)2,3()1,3(2)4,2()3,2()2,2()1,2(1)4,1()3,1()2,1()1,1(

)4,4()3,4()2,4()1,4(

)4,3()3,3()2,3()1,3(

)4,2()3,2()2,2()1,2(

)4,1()3,1()2,1()1,1(

43

32124321143212

4

3

2

1

4321

4321

4321

4321

)4,4()3,4()2,4()1,4(

)4,3()3,3()2,3()1,3(

)4,2()3,2()2,2()1,2(

)4,1()3,1()2,1()1,1(

4321

1012121

,

,,,

,

)2,3(10 ),,,(,16 ,4 ,4 :

rr

rrr

rIIrIIIIrIIII

ID

IIII

IIII

IIII

IIII

hh

ggg

fhhfhhhhfhhhhg

d

f

f

f

f

hhhh

hhhh

hhhh

hhhh

IIII

IIII

IIII

IIII

hhhh

IIIDlllll

I

exampleFor

30

Hybrid Scheme: An example for encryption

41321221

14121

211021

1

2121

3

)2,3()1,3(

2

)4,2()1,2(

1

)4,1()1,1(

)(,)(

,)( , ,),(

:Output

Choose

)2,3(),( ),,,,(identity an

and message aGiven

16,4,4

GG

CT

Z

ID

G

C

sII

C

sII

C

sII

B

s

A

s

pR

fhhfhh

fhhgMgge

s

kkIII

M

lllll :exampleFor

31

q-Bilinear Diffie-Hellman Inversion (q-BDHI) problem

*** q-SDH problem in G

*** q-BDHI problem in G

*1

where),( :Output

),,,,(Given 2

pcx

xxx

cgc

ggggq

Z

x

xxx

gge

gggggq

1

),( :Output

),,,,,(Given 2