The k-BDH Assumption
Family: Bilinear
Cryptography from
Progressively Weaker
Assumptions
Karyn Benson (UCSD)
Hovav Shacham (UCSD)
Brent Waters (UT-Austin)
Provable Security
How to show your cryptosystem is secure:
Cryptosystem
If Assumption Holds then
Cryptosystem Secure
Assumption
Prove contrapositive
What if the Assumption is False?
Cryptosystem
Assumption

Cannot reason about security

Adversary can use the attack on assumption to break
cryptosystem
How to Pick a Good Assumption?

Increase the size of parameters

e.g., RSA assumes factoring a large
number into 2 primes is hard

Factor: 77, 3869, 702619, …

Use a family of assumptions

As you increase a parameter k you
become more confident in the security
of the assumption

Example: k-Linear [HK07, Sha07]
Family of Strictly Weaker Assumptions
𝐴1

𝐴2
<
≠
…
<
≠
𝐴𝑘
<
≠
𝐴𝑘+1
…
An assumption 𝐴𝑘+1 is weaker than assumption 𝐴𝑘 , if


<
≠
If 𝐴𝑘 holds then so does 𝐴𝑘+1 (Breaking 𝐴𝑘+1 also breaks 𝐴𝑘 )
The assumption, 𝐴𝑘+1 , is strictly weaker than assumption, 𝐴𝑘 , if

𝐴𝑘+1 is weaker than 𝐴𝑘

And an oracle for 𝐴𝑘 does not help break 𝐴𝑘+1
DDH Assumption

Given < 𝑔, 𝑔𝑎, 𝑔𝑏, 𝑇 >

For some
𝑔, 𝑔𝑎, 𝑔𝑏, 𝑇
∈𝐺
It is hard to compute a discrete log
in a finite cyclic group 𝐺

Does 𝑇 ?= 𝑔𝑎𝑏

No polynomial time algorithm can achieve non-negligible
advantage deciding
Bilinear Maps


𝒆: 𝐺 × 𝐺 → 𝐺𝑇

Bilinear: 𝒆 𝑔𝑎 , 𝑔𝑏 = 𝒆(𝑔, 𝑔)𝑎𝑏 for all 𝑎, 𝑏 ∈ 𝑍𝑝

Non-Degenerate: If 𝑔 generates 𝐺, then 𝒆(𝑔, 𝑔) ≠ 1

Computable: 𝒆 is efficiently computable on all input
DDH does not hold for groups in which bilinear maps can be
computed


< 𝑔, 𝑔𝑎, 𝑔𝑏, 𝑇 ?= 𝑔𝑎𝑏 >
𝒆 𝑔𝑎 , 𝑔𝑏
?
=
𝒆(𝑔, 𝑇)
DBDH Assumption

How can we use DDH in bilinear groups?

Given < 𝑔, 𝑔𝑎, 𝑔𝑏, 𝑔𝑐 , 𝑇 >

For some 𝑔, 𝑔𝑎 , 𝑔𝑏 , 𝑔𝑐 ∈ 𝐺 and 𝑇 ∈ 𝐺𝑇
• Hard to compute discrete log: in 𝐺
and 𝐺𝑇
• Bilinear maps have 2 inputs
• Can’t undo a bilinear map

Does 𝑇 ?= 𝒆(𝑔, 𝑔)𝑎𝑏𝑐

No polynomial time algorithm can achieve non-negligible
advantage deciding
Decision Linear (DLIN) Assumption

How can we use DDH in settings where bilinear maps exist?

Given < 𝑔, 𝑔 𝑠1 , 𝑔 𝑠2 , 𝑔 𝑠1 𝑟1 , 𝑔 𝑠2 𝑟2 , 𝑇 >


𝑔, 𝑔 𝑠1 , 𝑔 𝑠2 , 𝑔 𝑠1𝑟1 , 𝑔 𝑠2𝑟2 , 𝑇 ∈ 𝐺
Does 𝑇 ?= 𝑔𝑟1 +𝑟2
This is like 2 DDH
problems:
𝑔, 𝑔 𝑠1 , 𝑔𝑟1 , 𝑔 𝑠1 𝑟1
• It is hard to compute discrete logs
• Bilinear maps only pair 2 elements
(not 3: 𝑔 𝑠1 , 𝑔 𝑠2 , 𝑔𝑟1 +𝑟2 )

No polynomial time algorithm can achieve non-negligible
advantage deciding, even in generic bilinear groups [BBS04]

Only a decisional problem – computationally same as DDH
k-Linear Family of Assumptions
 k-Linear
generalizes the Linear Assumption
 1-Linear
is DDH
 2-Linear
is Linear Assumption
 For
This is like k DDH
problems
𝑘 ≥ 1 Given < 𝑔, 𝑔 𝑠1 , … , 𝑔 𝑠𝑘 , 𝑔 𝑠1 𝑟1 , … , 𝑔 𝑠𝑘𝑟𝑘 , 𝑇 >
 𝑔, 𝑔 𝑠1 , … , 𝑔 𝑠𝑘 , 𝑔 𝑠1 𝑟1 , … , 𝑔 𝑠𝑘 𝑟𝑘 , 𝑇
 Does
∈𝐺
𝑇 ?= 𝑔𝑟1 +⋯+𝑟𝑘
 No
polynomial time algorithm can achieve non-negligible
advantage deciding
 Only
a decisional problem – computationally same as DDH
How are DLIN and DBDH Related?

If DLIN holds, then so does DBDH
< 𝑔, 𝑔 𝑠1 , 𝑔 𝑠2 , 𝑔 𝑠1𝑟1 , 𝑔 𝑠2 𝑟2 , 𝑇 ?= 𝑔𝑟1+𝑟2 >
DLIN Instance
< 𝑔, 𝑔 𝑠1 , 𝑔 𝑠2 , 𝑇 ?= 𝑔𝑟1+𝑟2 , 𝒆 𝑔 𝑠1 𝑟1 , 𝑔 𝑠2 ∙ 𝒆 𝑔 𝑠2 𝑟2 , 𝑔 𝑠1 > =
< 𝑔, 𝑔 𝑠1 , 𝑔 𝑠2 , 𝑇 ?= 𝑔𝑟1+𝑟2 , 𝒆(𝑔, 𝑔)(𝑠1 𝑠2)(𝑟1+𝑟2 ) >
DBDH Decider
[BW06]
Can extend DBDH to a Family of Assumptions?

DDH
DLIN
k-Linear
DBDH
????
Why?

For 𝑘 > 2 unclear how k-Linear
and DBDH are related

k-Linear only operates in the
source group

Example: Boneh-Boyen IBE – the
message is hidden in target
group
This is should be like
k DBDH problems
Failed Attempt

Given 𝑔, 𝑔𝑎, 𝑔𝑏, 𝑔 𝑠1 , … , 𝑔 𝑠𝑘 , 𝑔 𝑠1 𝑟1 , … , 𝑔 𝑠𝑘𝑟𝑘 𝜖 and 𝑇 𝜖 𝐺𝑇

Does 𝑇 ?=

Embeds k DBDH instances: (𝑔, 𝑔𝑎 , 𝑔𝑏 , 𝑔 𝑠𝑖 𝑟𝑖 , 𝒆 𝑔, 𝑔

… But is equivalent to DBDH:
𝑔, 𝑔𝑎 , 𝑔𝑏 , 𝑖 𝑔 𝑠𝑖 𝑟𝑖 = 𝑔(𝑠1𝑟1 +⋯+𝑠𝑘𝑟𝑘) , 𝑇 ?=
𝑠𝑖
𝒆
𝑔,
𝑔
𝑖
𝑎𝑏𝑟𝑖
=
𝑖 𝒆 𝑔, 𝑔
𝑎𝑏𝑠𝑖 𝑟𝑖
= 𝒆 𝑔, 𝑔
𝑖 𝒆 𝑔, 𝑔
𝑎𝑏(𝑠1 𝑟1 +⋯+𝑠𝑘 𝑟𝑘 )
𝑎𝑏(𝑠𝑖 𝑟𝑖 ) )
𝑎𝑏𝑠𝑖 𝑟𝑖
k-BDH Assumption

Given 𝑔, 𝑔𝑎, 𝑔𝑏, 𝑔 𝑠1 , … , 𝑔 𝑠𝑘 , 𝑔 𝑠1 𝑟1 , … , 𝑔 𝑠𝑘𝑟𝑘 𝜖 𝐺 and 𝑇 𝜖 𝐺𝑇
?
=
𝑖 𝒆 𝑔, 𝑔
𝑎𝑏𝑟𝑖
=
𝑠𝑖 , 𝑔 𝑠𝑖
𝒆
𝑔
𝑖
(𝑎 𝑠𝑖 )(𝑏 𝑠𝑖 )𝑟𝑖

Does 𝑇
= 𝒆 𝑔, 𝑔

Embeds k DBDH instances: (𝑔 𝑠𝑖 , 𝑔𝑎 , 𝑔𝑏 , 𝑔 𝑠𝑖 𝑟𝑖 ,𝒆 𝑔 𝑠𝑖 , 𝑔 𝑠𝑖

… And is a family of strictly weaker assumptions!
𝑎𝑏(𝑟1 +⋯+𝑟𝑘 )
(𝑎 𝑠𝑖 )(𝑏 𝑠𝑖 )𝑟𝑖
)
A Family of Weaker Assumptions

If the k-BDH assumption holds, so does the (k+1)-BDH assumption
𝑟
𝑟
𝑔, 𝑔𝑥, 𝑔𝑦, 𝑣1, … , 𝑣𝑘, 𝑣11 , … , 𝑣𝑘 𝑘 , 𝑇 ?=
𝒆 𝑔, 𝑔
𝑥𝑦𝑟𝑖
𝑣𝑘+1 , 𝑟𝑘+1
1≤𝑖≤𝑘
Random
Values
k-BDH Instance
𝑟
𝑟
𝑘+1
< 𝑔, 𝑔𝑥, 𝑔𝑦, 𝑣1, … , 𝑣𝑘+1 , 𝑣11 , … , 𝑣𝑘+1
,
𝑇 ∙ 𝒆(𝑔 𝑥 , 𝑔 𝑦 )𝑟𝑘+1
?
=
𝒆 𝑔, 𝑔
1≤𝑖≤𝑘+1
(k+1)-BDH Decider
𝑥𝑦𝑟𝑖 >
Evidence of a Family of Strictly Weaker Assumptions

An oracle for k-BDH does not help in deciding a (k+1)-BDH instance

Similar to the separation proof of k-Linear [Sha07]

Generic Group Model [BS84,Nechaev94,Shoup97]


Interact with adversary using an idealized version of groups

Bound the probability of finding an inconsistency if actual groups were used
Oracle to k-BDH is implemented as a modified k-multilinear map

maps k elements in 𝐺 and one element 𝐺𝑇 to an element group 𝐺𝑀
Application: IBE


Setup:
Public parameters: 𝑔, 𝑢 = 𝑔 𝑥 , 𝑣1 = 𝑔 𝑠1 , … , 𝑣𝑘 = 𝑔 𝑠𝑘 , 𝑣1 1 , … , 𝑣𝑘 𝑘 , 𝑤1 , … , 𝑤𝑘

Master key: 𝑠1 , … , 𝑠𝑘 , 𝑟1 , … , 𝑟𝑘 , 𝑥
KeyGen(ID):



Select random 𝑛1 , … , 𝑛𝑘 ∈ 𝑍𝑝∗
For each 1 ≤ 𝑖 ≤ 𝑘 output 𝐾𝐴,𝑖 , 𝐾𝐵,𝑖 = (𝑔
𝑥𝑟𝑖
𝑤 𝑢ID
𝑛𝑖
𝑖
𝑛
, 𝑣𝑖 𝑖 )
Encrypt (m, ID):

Select random 𝑦1 , … , 𝑦𝑘 ∈ 𝑍𝑝∗

Output 𝐶0 = 𝑚


𝑟
𝑟

1≤𝑖≤𝑘 𝒆
𝑔 𝑥 , 𝑣𝑖 𝑟𝑖
𝑦𝑖
For each 1 ≤ 𝑖 ≤ 𝑘 output 𝐶𝐴,𝑖 , 𝐶𝐵,𝑖 =
𝑦𝑖
(𝑣𝑖 ,
𝑤 𝑢ID
𝑖
𝑦𝑖
)
Decrypt(c):
𝐶0 ∙ 1≤𝑖≤𝑘 𝒆(𝐾𝐵,𝑖 ,𝐶𝐵,𝑖 )

1≤𝑖≤𝑘 𝒆(𝐾𝐴,𝑖 ,𝐶𝐴,𝑖 )
=
𝑚
𝑦𝑖
𝑛𝑖
𝒆
∙
𝒆(𝑣
, 𝑤𝑖 𝑢
1≤𝑖≤𝑘
1≤𝑖≤𝑘
𝑖
𝑛𝑖
𝑦𝑖
𝑥𝑟
𝑖 𝑤𝑖 𝑢
,𝑣𝑖 )
1≤𝑖≤𝑘 𝒆(𝑔
𝑔𝑥 ,𝑣𝑖 𝑟𝑖
ID
ID
𝑦𝑖
)
=𝑚
Conclusions

Goal: Introduction the k-BDH Family of Assumptions

Relationship to standard assumptions (DDH, k-Linear, DBDH)

It is a family of strictly weaker assumptions

Usable: We construct an IBE in the Boneh-Boyen Framework

Future Work


IBE construction grows with k (public parameters, keys, encryption)

Different applications
http://eprint.iacr.org/2012/687
Efficient Delegation of Key Generation and
Revocation Functionalities in
Identity-Based Encryption
Jae Hong Seo
Myongji University, Republic of Korea
Session ID: CRYP-F41
Session Classification: Intermediate
Identity Based Encryption
[email protected]
Publish mpk
1 time
download
ABC University
Issue DK
Enc(mpk,
Sender
, M)
User
Revocation Functionality in Identity-Based Encryption
[email protected]
Publish mpk
1 time
download
ABC University
If user1 leaves the system (by expiration of contract)
or user1’s secret key is leaked (by hacking) and so he
want to obtain other secret key?
KGC should revoke user1’s secret key!!
(and issues a new key if needed)
Sender
user1
Trivial Approach for Revocation Functionality in IBE
[email protected]
Publish mpk
1 time
download
ABC University
Issue DK
Enc(mpk,
Sender
,T
, T, M)
User
Trivial Approach for Revocation Functionality in IBE
[email protected]
Publish mpk
1 time
download
ABC University
Revoke DK
Issue DK
,T
,T
[email protected]
User
Sender
User2
Trivial Approach for Revocation Functionality in IBE
[email protected]
Publish mpk
1 time
download
ABC University
Revoke DK
Issue DK
,T
,T
[email protected]
KGC’s role: Issuing/Revoking secret keys
Excessive workload for a single KGC
User
Sender
User2
Our Goal:
Delegation of KGC’s Roles (Key Generation & Revocation)
Publish mpk
1 time
download
ABC University
ABC, Science
ABC, Science, Math
0
0
0
0
0
0
0
ABC, Science, Math, prof. Emura
0
0
0
1
0
1
0
ABC, Law
1
0
1
1
0
0
1
1
1
0
0
0
1
0
1
1
1
0
1
1
0
1
1
1
Our Goal:
Delegation of KGC’s Roles (Key Generation & Revocation)
Publish mpk
1 time
download
ABC University
Efficient Key Generation & Revocation
ABC, Science
0
0
ABC, Law
1
Efficient Key Generation & Revocation
ABC, Science, Math
0
0
Efficient Key Generation & Revocation0
0
0
ABC, Science, Math, prof. Emura
0
0
0
1
0
1
0
0
1
1
0
0
1
1
1
0
0
0
1
0
1
1
1
0
1
1
0
1
1
1
Outline
► Previous Approaches
► Revocable Symmetric Key Encryption: Broadcast Encryption
► Revocable Identity-Based Encryption
► Trivial Approach – Exponentially large secret key
► Our Approach – Asymmetric trade
► Further Study
Broadcast Encryption (BE) Technique
Each node has the corresponding key.
KEY0
KEY000
KEY011
0
0
0
KEY1
0
1
KEY111
1
1
0
1
1
0
0
0
0
0
1
0
1
0
0
1
1
1
0
0
1
0
1
1
1
0
1
1
1
u1
u2
u3
u4
u5
u6
u7
u8
We consider a binary tree kept by KGC
Broadcast Encryption (BE) Technique
u1
u2
u3
u4
u5
u6
u7
U3 has secret keys on the path to the root node
u8
Broadcast Encryption (BE) Technique
If u3, u4, and u6 are revoked, first compute triangles containing only non-revoked users.
u1
u2
u3
u4
u5
Revoked
u6
u7
u8
Broadcast Encryption (BE) Technique
Encrypt a session key using KEY00, KEY101, KEY11.
Then, only non-revoked user can recover the session key.
# of triangles ~ log N
(where N is # of leaf nodes)
1
1
0
0
1
0
0
u1
u2
u3
u4
u5
Revoked
u6
u7
u8
Revocable IBE:
Combining BE technique with IBE scheme
Publish mpk
ABC University
Issue SK
KGC
1 time
download
Size of KUT is logN.
KUT
Each time period
download
Enc(mpk,
Sender
, T, M)
user
Revocable IBE:
Combining BE technique with IBE scheme
Publish mpk
ABC University
Issue SK
KGC
1 time
download
Size of KUT is logN.
KUT
Each time period
download
Enc(mpk,
Sender
, T, M)
user
Revocable IBE:
Combining BE technique with IBE scheme
Key Revocation
1
1
0
0
u1
Key Generation
1
0
0
u2 u3
u4 u5
u6 u7
u8
u1
Revoked
u2 u3
u4 u5
u6 u7
u8
Whenever a user is registered in the system,
the user is assigned in the leaf node of binary tree.
Revocable IBE:
Combining BE technique with IBE scheme
1
1
0
0
u1
1
0
0
u2 u3
u4 u5
u6 u7
u8
u1
u2 u3
u4 u5
u6 u7
Secret Key related to the identity of u2
Key Update Information related to time ‘T’
u8
Revocable IBE:
Combining BE technique with IBE scheme
Since u2 has both related to the same node,
u2 can create a decryption key related to
both his ‘identity’ and ‘time’
1
1
0
0
u1
1
0
0
u2 u3
u4 u5
u6 u7
u8
u1
u2 u3
u4 u5
u6 u7
Secret Key related to the identity of u2
Key Update Information related to time ‘T’
u8
Revocable IBE:
Combining BE technique with IBE scheme
Publish mpk
ABC University
KGC
1 time
download
Sender
Size of KUT is logN.
KUT
Issue SK
Each time period
download
Enc(mpk, , T, M)
Only non-revoked users can generate a
decryption key dk ,T from KUT and SK
user
Trivial Approach for Our Goal
Hierarchical Structure ABC University
for Key Generation
ABC, Science
0
0
0
0
0
0
0
0
0
0
1
0
1
0
ABC, Science, Math, Prof. Emura
0
1
ABC, Law
1
1
0
0
1
1
1
0
0
0
1
0
1
1
1
0
1
1
1
1
1
Trivial Approach
Binary Tree for Revocation
(managed by KGC)ABC University
Science
ABC, Science
0
0
0
0
0
0
0
0
0
0
1
0
1
0
ABC, Science, Math, Prof. Emura
0
1
ABC, Law
1
1
0
0
1
1
1
0
0
0
1
0
1
u2 u3 u4 u5
1
1
0
1
1
1
1
1
u6u7
Law
Trivial Approach
Binary Tree for Revocation
Binary Tree for Revocation
(managed by KGC)
(managed by College)
Math
u2 u3 u4 u5
u6u7
ABC, Science
…
0
0
0
0
0
0
0
Science
0
0
0
1
0
1
0
ABC, Science, Math, Prof. Emura
0
1
ABC, Law
1
1
0
0
1
1
1
0
0
0
1
0
1
u2 u3 u4 u5
1
1
0
1
1
1
1
1
u6u7
Law
Trivial Approach
Binary Tree for Revocation
Binary Tree for Revocation
(managed by KGC)
(managed by College)
Science u2 u3 u4 u5
Binary Tree for Revocation
(managed by Department)
Math
u2 u3 u4 u5
u6u7
NICT, NSRI
…
u2 u3 u4 u5
Emura
0
0
0
0
0
0
0
0
0
0
1
0
1
0
ABC, Science, Math, Prof. Emura
u6u7
0
1
ABC, Law
1
…
1
0
0
1
1
1
0
0
0
1
0
1
1
1
0
1
1
1
1
1
u6u7
Law
Trivial Approach
Binary Tree for Revocation
(managed by KGC)
ABC University
Science
ABC, Science
0
0
0
0
0
0
0
0
0
0
1
0
1
0
ABC, Science, Math, prof. Emura
0
1
ABC
1
1
0
0
1
1
1
0
0
0
1
0
1
u2 u3 u4 u5
1
1
0
u6u7
Science needs to
store log N size
secret keys
1
1
1
1
1
Law
Trivial Approach
Key Update for time period ‘T’
(managed by KGC)
0
0
Science
Binary Tree for Revocation
(managed by KGC)
1
1
1
0
0
u2u3 u4 u5 u6u7
ABC University
u8
Science
ABC, Science
0
0
0
0
0
0
0
0
0
0
1
0
1
0
ABC, Science, Math, prof. Emura
0
1
ABC
1
1
0
0
1
1
1
0
0
0
1
0
1
u2 u3 u4 u5
1
1
0
u6u7
Science needs to
store log N size
secret keys
1
1
1
1
1
Law
Science is not revoked on time ‘T’.
(1) It can create a decryption key relate to its identity & time ‘T’.
(2) It can generate Key Update for its children.
Trivial Approach
Key Update for time period ‘T’
(managed by KGC)
0
0
Science
Binary Tree for Revocation
(managed by KGC)
1
1
1
0
0
u2u3 u4 u5 u6u7
ABC University
u8
Science
ABC, Science
0
0
0
0
0
0
0
0
0
1
0
1
0
ABC, Science, Math, prof. Emura
0
1
0
1
0
0
0
1
0
1
u6u7
Science needs to
ABC,WNRI
store log N size
secret keys
1
1
0
0
1
1
u2 u3 u4 u5
1
1
0
1
1
1
1
1
Law
Trivial Approach
Key Update for time period ‘T’
(managed by KGC)
0
0
Science
Binary Tree for Revocation
(managed by KGC)
1
1
1
0
0
ABC University
u2u3 u4 u5 u6u7
u8
Science
ABC, Science
0
0
Math
0
0
0
1
0
0
u2u3 u4 u5 u6u7
0
0
0
0
0
1
1
1
u8
u6u7
Science needs to
store log N size
Binary Tree for Revocation
(managed by Science)secret keys
0
Key Update for ‘T’
(managed by Science)
u2 u3 u4 u5
0
1
0
0
1
0
1
1
0
0
1
1
1
0Math
0
ABC
0
1 1
u2 01u3 10
1
1
u4 u5
1
1
1u6u7
…
Law
Trivial Approach
Key Update for time period ‘T’
(managed by KGC)
0
0
Science
Binary Tree for Revocation
(managed by KGC)
1
1
1
0
0
ABC University
u2u3 u4 u5 u6u7
u8
Science
ABC, Science
0
(managed by Science)
0
0
Math
0
0
0
1
0
0
u2u3 u4 u5 u6u7
0
0
1
1
1
u8
0
1
0
u6u7
Science needs to
store log N size
Binary Tree for Revocation
(managed by Science)secret keys
0
Does Science need
log N size secret
key?
0
0
Key Update for ‘T’
u2 u3 u4 u5
0
1
0
1
1
0
0
1
1
1
0Math
0
A
0
1 1
u2 01u3 10
1
1
u4 u5
1
1
1u6u7
…
Law
Trivial Approach
No!
Key Update for time period ‘T’
The parent (Science) has log N size
(managed
by KGC)
Binary Tree for Revocation
(managed by KGC)
secret key and one subkey is used for
each time period.
1
1
1
0
A child (Math) does
not
know
0
Science u u
u8
3 u
5 u6u
4 uused
7 each
subkey2 will
be
for
0
0
ABC University
which
time
Science
period.
Therefore, children should have
ABC, Science
(logN)2 subkeys.
0
(managed by Science)
0
0
Math
0
0
0
1
0
0
u2u3 u4 u5 u6u7
0
0
1
1
1
u8
0
1
0
u6u7
A,WNRIScience needs to
store log N size
Binary Tree for Revocation
(managed by Science)secret keys
…
Does SAL need log
N sizensecret key?
n-th
level
user
has
(logN)
size
secret
0
0
Key Update for ‘T’
0
keys
u2 u3 u4 u5
0
1
0
1
1
0
0
1
1
1
0Math
0
0
1 1
u2 01u3 10
1
1
u4 u5
1
1
1u6u7
…
Law
Trivial Approach
Our Approach – Asymmetric Trade
Product
Product
Our Approach – Asymmetric Trade
Technically difficult part:
Separated subkeys do not
leak any information.
To this end, we used several
re-randomization
Product
techniques.
Product
Our Result
► We propose the first practical RHIBE scheme
► Our scheme is based on Boneh-Boyen HIBE scheme
► The size of secret key is O(l2log N), where l is user’s level.
► We proved that the proposed scheme satisfies a weaker security
notion such as selective security notion.
Further Study
► Fully secure RHIBE
► Different revocation method, such as Subset Difference
► Revocation methodology in functional encryption
► Thanks!