Efficient Selective-ID Secure Identity

Hierarchical Identity-Based Encryption with Constant Size Ciphertext
Dan Boneh, Xavier Boyen and Eu-Jin Goh
Eurocrypt 2005
Slides prepared by: 張淑慧
1
Outline
• Notations
• Scheme 1: With constant size ciphertext based on Decision BDHE assumption
• Hybrid Scheme
• Application
• Conclusion
2
Bilinear map
• $G, G_1$: cyclic groups of prime order $p$
• $g$: a generator of $G$
• $e : G \times G \to G_1$
3
l-Bilinear Diffie-Hellman Exponent (l-BDHE) Assumption
*** l-BDHE problem in G
Given $(g, h, g^{\alpha}, \ldots, g^{\alpha^{l-1}}, g^{\alpha^{l+1}}, \ldots, g^{\alpha^{2l}})$
Output: $e(g, h)^{\alpha^{l}} \in G_1$
*** l-BDHE assumption holds in G if the l-BDHE problem in G is hard.
4
Hierarchical structure
Level 0: KGC (key generation center)
Level 1: (I1)
Level 2: (I1,I2)
Level l: (I1,I2,…,Il)
5
Scheme 1
* A HIBE system with constant size ciphertext
* Selective-ID secure
• Setup
• KeyGen
• Encrypt
• Decrypt
6
Scheme 1 (continued)
Setup($l$): Given maximum depth $l$,
Output: public parameters
params $= (g, g_1, g_2, g_3, h_1, h_2, \ldots, h_l)$;
master-key $= g_2^{\alpha}$
where
generator $g \in G^*$,
$\alpha \in_R \mathbb{Z}_p^*$, $g_2, g_3, h_1, h_2, \ldots, h_l \in_R G$,
$g_1 = g^{\alpha}$
7
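Scheme 1 (continued)
KeyGen($d_{ID|k-1}$, ID):
Given an identity $ID = (I_1, I_2, \ldots, I_k)$, $k \le l$
Choose $r \in_R \mathbb{Z}_p$
$$d_{ID} = \Big(\underbrace{g_2^{\alpha} \cdot (h_1^{I_1} \cdots h_k^{I_k} \cdot g_3)^{r}}_{a_0},\ \underbrace{g^{r}}_{a_1},\ \underbrace{h_{k+1}^{r}}_{b_{k+1}},\ \ldots,\ \underbrace{h_l^{r}}_{b_l}\Big) \in G^{2+l-k}$$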
8
Scheme 1 (continued)
Encrypt(params, ID, M):
Given a message $M \in G_1$ and
an identity $ID = (I_1, I_2, \ldots, I_k)$, $k \le l$
Choose $s \in_R \mathbb{Z}_p$
Output:
$$CT = \Big(\underbrace{e(g_1, g_2)^{s} \cdot M}_{A},\ \underbrace{g^{s}}_{B},\ \underbrace{(h_1^{I_1} \cdots h_k^{I_k} \cdot g_3)^{s}}_{C}\Big)$$
9
Scheme 1 (continued)
Decrypt($d_{ID}$, ID, C):
Given $ID = (I_1, \ldots, I_k)$, a ciphertext $CT = (A, B, C)$,
$d_{ID} = (a_0, a_1, b_{k+1}, \ldots, b_l)$
Compute
$$M = A \cdot \frac{e(a_1, C)}{e(B, a_0)}$$
because
$$\frac{e(a_1, C)}{e(B, a_0)} = \frac{e\big(g^{r}, (h_1^{I_1} \cdots h_k^{I_k} \cdot g_3)^{s}\big)}{e\big(g^{s}, g_2^{\alpha} (h_1^{I_1} \cdots h_k^{I_k} \cdot g_3)^{r}\big)} = \frac{1}{e(g, g_2)^{s\alpha}} = \frac{1}{e(g_1, g_2)^{s}}$$
10
Remark
• If the (l+1)-BDHE assumption holds, then Scheme 1 is selective-identity, chosen-plaintext (IND-sID-CPA) secure.
• Chosen ciphertext security:
refer to Canetti et al. [10] (Eurocrypt 2004) or
Boneh and Katz [7] (RSA-CT 2005) (more efficient)
• Arbitrary identities:
hashing each Ii where ID=(I1,…,Ik)
11
Limited delegation
Hybrid Scheme: $\omega \in [0,1]$
$O(l^{\omega})$ ciphertext size
$O(l^{\omega} + l^{1-\omega})$ private key size
1. First, decide the value $\omega$ (e.g. $\omega = \frac{1}{2}$).
2. Let $l_1 = \lceil l^{\omega} \rceil$, $l_2 = \lceil l^{1-\omega} \rceil$ (e.g. $l = 11$, $\omega = \frac{1}{2} \Rightarrow l_1 = 4$, $l_2 = 4$).
3. Partition levels into $l_1$ consecutive groups of size $l_2$.
Use scheme 1 within each group.
Use scheme 2 between groups.
12
Limited delegation
Hybrid Scheme (continued):
4. If $I = (I_1, \ldots, I_l)$, $l = l_1 l_2$, then
$$I = \begin{pmatrix}
I_1 & I_2 & \cdots & I_{l_2} \\
I_{l_2+1} & I_{l_2+2} & \cdots & I_{2l_2} \\
\vdots & \vdots & & \vdots \\
I_{(l_1-1)l_2+1} & I_{(l_1-1)l_2+2} & \cdots & I_{l_1 l_2}
\end{pmatrix}
= \begin{pmatrix}
I_{(1,1)} & I_{(1,2)} & \cdots & I_{(1,l_2)} \\
I_{(2,1)} & I_{(2,2)} & \cdots & I_{(2,l_2)} \\
\vdots & \vdots & & \vdots \\
I_{(l_1,1)} & I_{(l_1,2)} & \cdots & I_{(l_1,l_2)}
\end{pmatrix}$$
13
Hybrid Scheme
• Setup
• KeyGen
• Encrypt
• Decrypt
14
Hybrid Scheme (continued)
Setup($l$): Given maximum depth $l$, first determine $l_1, l_2$.
Output: public parameters
params $= (g, g_1, g_2, f_1, \ldots, f_{l_1}, h_1, h_2, \ldots, h_{l_2})$;
master-key $g_4 = g_2^{\alpha}$
where
generator $g \in G$,
$\alpha \in_R \mathbb{Z}_p^*$, $g_2, f_1, \ldots, f_{l_1}, h_1, h_2, \ldots, h_{l_2} \in_R G$,
$g_1 = g^{\alpha}$
15
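Hybrid Scheme (continued)
KeyGen($d_{ID|k-1}$, ID):
Given an identity $ID = (I_1, I_2, \ldots, I_k)$, $(k_1, k_2) = k \le l$
Choose $r_1, \ldots, r_{k_1} \in_R \mathbb{Z}_p$
$$d_{ID} = \Big(\underbrace{g_2^{\alpha} \cdot \prod_{i=1}^{k_1-1} \big(h_1^{I_{(i,1)}} \cdots h_{l_2}^{I_{(i,l_2)}} \cdot f_i\big)^{r_i} \cdot \big(h_1^{I_{(k_1,1)}} \cdots h_{k_2}^{I_{(k_1,k_2)}} \cdot f_{k_1}\big)^{r_{k_1}}}_{a_0},$$
$$\underbrace{g^{r_1}}_{b_1},\ \ldots,\ \underbrace{g^{r_{k_1-1}}}_{b_{k_1-1}},\ \underbrace{g^{r_{k_1}}}_{b_{k_1}},\ \underbrace{h_{k_2+1}^{r_{k_1}}}_{c_{k_2+1}},\ \ldots,\ \underbrace{h_{l_2}^{r_{k_1}}}_{c_{l_2}}\Big) \in G^{1+k_1+l_2-k_2}$$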
16
Hybrid Scheme (continued)
Encrypt(params, ID, M):
Given a message $M \in G_1$ and
an identity $ID = (I_1, I_2, \ldots, I_k)$, $(k_1, k_2) = k \le l$
Choose $s \in_R \mathbb{Z}_p$
Output:
$$CT = \Big(\underbrace{e(g_1, g_2)^{s} \cdot M}_{A},\ \underbrace{g^{s}}_{B},\ \underbrace{\big(h_1^{I_{(1,1)}} \cdots h_{l_2}^{I_{(1,l_2)}} \cdot f_1\big)^{s}}_{C_1},\ \ldots,$$
$$\underbrace{\big(h_1^{I_{(k_1-1,1)}} \cdots h_{l_2}^{I_{(k_1-1,l_2)}} \cdot f_{k_1-1}\big)^{s}}_{C_{k_1-1}},\ \underbrace{\big(h_1^{I_{(k_1,1)}} \cdots h_{k_2}^{I_{(k_1,k_2)}} \cdot f_{k_1}\big)^{s}}_{C_{k_1}}\Big) \in G_1 \times G^{1+k_1}$$
17
Hybrid Scheme (continued)
Decrypt($d_{ID}$, ID, C):
Given $ID = (I_1, \ldots, I_k)$, a ciphertext $CT = (A, B, C_1, \ldots, C_{k_1})$,
$d_{ID} = (a_0, b_1, \ldots, b_{k_1}, c_{k_2+1}, \ldots, c_{l_2})$
Compute
$$M = A \cdot \frac{\prod_{i=1}^{k_1} e(b_i, C_i)}{e(B, a_0)}$$
because
$$\frac{\prod_{i=1}^{k_1} e(b_i, C_i)}{e(B, a_0)} = \frac{\prod_{i=1}^{k_1-1} e\big(g^{r_i}, (h_1^{I_{(i,1)}} \cdots h_{l_2}^{I_{(i,l_2)}} \cdot f_i)^{s}\big) \cdot e\big(g^{r_{k_1}}, (h_1^{I_{(k_1,1)}} \cdots h_{k_2}^{I_{(k_1,k_2)}} \cdot f_{k_1})^{s}\big)}{e\Big(g^{s},\ g_2^{\alpha} \cdot \prod_{i=1}^{k_1-1} (h_1^{I_{(i,1)}} \cdots h_{l_2}^{I_{(i,l_2)}} \cdot f_i)^{r_i} \cdot (h_1^{I_{(k_1,1)}} \cdots h_{k_2}^{I_{(k_1,k_2)}} \cdot f_{k_1})^{r_{k_1}}\Big)}$$
$$= \frac{1}{e(g, g_2)^{s\alpha}} = \frac{1}{e(g_1, g_2)^{s}}$$
18
                    Scheme 1    Scheme 2    Hybrid scheme (ω=1/2)
Private key size    O(l)        O(l)        O(√l)
Ciphertext size     O(1)        O(l)        O(√l)
19
Applications
• Forward secure encryption scheme
• Forward secure HIBE scheme
• Broadcast encryption scheme
20
Conclusion
• Is it possible to propose a HIBE scheme with
both private key size O(1) and ciphertext size
O(1)?
• Proposing a HIBE scheme with constant size ciphertext based on the HDHI assumption is future research.
.END.
21
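Scheme 1: How to generate dID by dID|k-1
KeyGen($d_{ID|k-1}$, ID): Given an identity $ID = (I_1, I_2, \ldots, I_k)$, $k \le l$
and $d_{ID|k-1} = \big(g_2^{\alpha} \cdot (h_1^{I_1} \cdots h_{k-1}^{I_{k-1}} \cdot g_3)^{r'},\ g^{r'},\ h_k^{r'},\ \ldots,\ h_l^{r'}\big)$
$= (a_0, a_1, b_k, \ldots, b_l)$
$d_{ID} = \big(g_2^{\alpha} \cdot (h_1^{I_1} \cdots h_k^{I_k} \cdot g_3)^{r},\ g^{r},\ h_{k+1}^{r},\ \ldots,\ h_l^{r}\big)$ with $r \in_R \mathbb{Z}_p$
where
$t \in_R \mathbb{Z}_p$
Compute $d_{ID} = \big(a_0 \cdot b_k^{I_k} \cdot (h_1^{I_1} \cdots h_k^{I_k} \cdot g_3)^{t},\ a_1 \cdot g^{t},\ b_{k+1} \cdot h_{k+1}^{t},\ \ldots,\ b_l \cdot h_l^{t}\big)$
$r = r' + t$
Output: the private key dID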
22
Scheme 2: ( [1] Eurocrypt 2004 )
Efficient selective identity HIBE based on BDH
without random oracles
• Setup
• KeyGen
• Encrypt
• Decrypt
23
Scheme 2 (continued)
Setup($l$): Given maximum depth $l$,
Output: public parameters
params $= (g, g_1, g_2, h_1, h_2, \ldots, h_l)$;
master-key $= g_2^{\alpha}$
where
generators $g, g_2 \in G^*$,
$\alpha \in_R \mathbb{Z}_p^*$, $h_1, h_2, \ldots, h_l \in_R G$,
$g_1 = g^{\alpha}$
24
Scheme 2 (continued)
KeyGen($d_{ID|j-1}$, ID): Given an identity $ID = (I_1, I_2, \ldots, I_j)$, $j \le l$
and $d_{ID|j-1} = (d_0, d_1, \ldots, d_{j-1})$
$r_j \in_R \mathbb{Z}_p$
Compute $d_{ID} = \big(d_0 \cdot (g_1^{I_j} h_j)^{r_j},\ d_1,\ \ldots,\ d_{j-1},\ g^{r_j}\big)$
$= \big(g_2^{\alpha} \cdot (g_1^{I_1} h_1)^{r_1} \cdot (g_1^{I_2} h_2)^{r_2} \cdots (g_1^{I_j} h_j)^{r_j},\ g^{r_1},\ g^{r_2},\ \ldots,\ g^{r_j}\big)$
$= (d_0, d_1, \ldots, d_j)$
Output: the private key dID
25
Scheme 2 (continued)
Encrypt(params, ID, M):
Given a message $M \in G_1$ and
an identity $ID = (I_1, I_2, \ldots, I_j)$, $j \le l$
$s \in_R \mathbb{Z}_p$
Output:
$$C = \big(e(g_1, g_2)^{s} \cdot M,\ g^{s},\ (g_1^{I_1} h_1)^{s},\ (g_1^{I_2} h_2)^{s},\ \ldots,\ (g_1^{I_j} h_j)^{s}\big)$$
26

Scheme 2 (continued)
Decrypt($d_{ID}$, ID, C):
Given a ciphertext $C = (A, B, C_1, C_2, \ldots, C_j)$,
$d_{ID} = (d_0, d_1, \ldots, d_j)$
Compute
$$M = A \cdot \frac{e(C_1, d_1) \cdot e(C_2, d_2) \cdots e(C_j, d_j)}{e(B, d_0)}$$
because
$$e(g_1, g_2)^{s} = \frac{e\big(g^{s},\ g_2^{\alpha} (g_1^{I_1} h_1)^{r_1} (g_1^{I_2} h_2)^{r_2} \cdots (g_1^{I_j} h_j)^{r_j}\big)}{e\big((g_1^{I_1} h_1)^{s}, g^{r_1}\big) \cdot e\big((g_1^{I_2} h_2)^{s}, g^{r_2}\big) \cdots e\big((g_1^{I_j} h_j)^{s}, g^{r_j}\big)} = \frac{e(B, d_0)}{e(C_1, d_1) \cdot e(C_2, d_2) \cdots e(C_j, d_j)}$$
27
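Hybrid Scheme: How to generate private key dID
Columns are labelled $h_1, h_2, \ldots, h_{l_2}$; rows are paired with $f_1, f_2, \ldots, f_{l_1}$.
$$I = \begin{pmatrix}
I_{(1,1)} & I_{(1,2)} & \cdots & I_{(1,l_2)} \\
I_{(2,1)} & I_{(2,2)} & \cdots & I_{(2,l_2)} \\
\vdots & \vdots & & \vdots \\
I_{(l_1,1)} & I_{(l_1,2)} & \cdots & I_{(l_1,l_2)}
\end{pmatrix}
\longrightarrow
\begin{pmatrix}
h_1^{I_{(1,1)}} & h_2^{I_{(1,2)}} & \cdots & h_{l_2}^{I_{(1,l_2)}} \\
h_1^{I_{(2,1)}} & h_2^{I_{(2,2)}} & \cdots & h_{l_2}^{I_{(2,l_2)}} \\
\vdots & \vdots & & \vdots \\
h_1^{I_{(l_1,1)}} & h_2^{I_{(l_1,2)}} & \cdots & h_{l_2}^{I_{(l_1,l_2)}}
\end{pmatrix}
\begin{matrix} f_1 \\ f_2 \\ \vdots \\ f_{l_1} \end{matrix}$$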
28
Hybrid Scheme: How to generate private key dID (continued)
For example: $l_1 = 4$, $l_2 = 4$, $l = l_1 l_2 = 16$, $ID = (I_1, \ldots, I_{10})$, $10 = (3,2)$
Columns are labelled $h_1, h_2, h_3, h_4$; rows are paired with $f_1, f_2, f_3, f_4$.
$$I = \begin{pmatrix}
I_{(1,1)} & I_{(1,2)} & I_{(1,3)} & I_{(1,4)} \\
I_{(2,1)} & I_{(2,2)} & I_{(2,3)} & I_{(2,4)} \\
I_{(3,1)} & I_{(3,2)} & I_{(3,3)} & I_{(3,4)} \\
I_{(4,1)} & I_{(4,2)} & I_{(4,3)} & I_{(4,4)}
\end{pmatrix}
\longrightarrow
\begin{pmatrix}
h_1^{I_{(1,1)}} & h_2^{I_{(1,2)}} & h_3^{I_{(1,3)}} & h_4^{I_{(1,4)}} \\
h_1^{I_{(2,1)}} & h_2^{I_{(2,2)}} & h_3^{I_{(2,3)}} & h_4^{I_{(2,4)}} \\
h_1^{I_{(3,1)}} & h_2^{I_{(3,2)}} & h_3^{I_{(3,3)}} & h_4^{I_{(3,4)}} \\
h_1^{I_{(4,1)}} & h_2^{I_{(4,2)}} & h_3^{I_{(4,3)}} & h_4^{I_{(4,4)}}
\end{pmatrix}
\begin{matrix} f_1 \\ f_2 \\ f_3 \\ f_4 \end{matrix}$$
$$d_{ID} = \Big(g_2^{\alpha} \cdot \big(h_1^{I_{(1,1)}} h_2^{I_{(1,2)}} h_3^{I_{(1,3)}} h_4^{I_{(1,4)}} f_1\big)^{r_1} \cdot \big(h_1^{I_{(2,1)}} h_2^{I_{(2,2)}} h_3^{I_{(2,3)}} h_4^{I_{(2,4)}} f_2\big)^{r_2} \cdot \big(h_1^{I_{(3,1)}} h_2^{I_{(3,2)}} f_3\big)^{r_3},$$
$$g^{r_1},\ g^{r_2},\ g^{r_3},\ h_3^{r_3},\ h_4^{r_3}\Big)$$
29
Hybrid Scheme: An example for encryption
For example: $l_1 = 4$, $l_2 = 4$, $l = l_1 l_2 = 16$
Given a message $M \in G_1$ and
an identity $ID = (I_1, I_2, \ldots, I_{10})$, $(k_1, k_2) = (3,2)$
Choose $s \in_R \mathbb{Z}_p$
Output:
$$CT = \Big(\underbrace{e(g_1, g_2)^{s} \cdot M}_{A},\ \underbrace{g^{s}}_{B},\ \underbrace{\big(h_1^{I_{(1,1)}} \cdots h_4^{I_{(1,4)}} \cdot f_1\big)^{s}}_{C_1},\ \underbrace{\big(h_1^{I_{(2,1)}} \cdots h_4^{I_{(2,4)}} \cdot f_2\big)^{s}}_{C_2},\ \underbrace{\big(h_1^{I_{(3,1)}} h_2^{I_{(3,2)}} \cdot f_3\big)^{s}}_{C_3}\Big) \in G_1 \times G^{4}$$
30
q-Bilinear Diffie-Hellman Inversion (q-BDHI) problem
*** q-SDH problem in G
Given $(g, g^{x}, g^{x^2}, \ldots, g^{x^q})$
Output: $(c, g^{\frac{1}{x+c}})$ where $c \in \mathbb{Z}_p^*$
*** q-BDHI problem in G
Given $(g, g^{x}, g^{x^2}, \ldots, g^{x^q})$
Output: $e(g, g)^{\frac{1}{x}}$
31