Direct ChosenCiphertext Secure Hierarchical IBE Schemes

1
Direct Chosen-Ciphertext Secure Hierarchical IBE
Schemes
2
Overview

• Two Hierarchical Identity-Based Encryption (HIBE)
  schemes
• Secure against chosen ciphertext attacks
• Secure in the selective-ID security model without
  random oracles
• Based on BB1 BB04 and BBG BBG05 HIBE schemes
• Instead of generic transformation CHK04 for CCA
  secure HIBE
• Our approach is more compact (without extra
  one-bit padding)
• Without loosing a hierarchy level
• l-level CPA secure HIBE scheme one-time
  signature scheme
• ? l-level CCA secure HIBE scheme

3
Identity-Based Encryption (IBE)

• IBE primitive Sha84
• allows a sender to encrypt a message using only a
  receivers identity as a public key
• does not require a digital signature on the
  public key
• The first practical IBE schemes SOK00, Coc01,
  BF01
• SOK00, BF01 based on the bilinear maps (a
  pairing)
• Coc01 based on the quadratic residuosity
  problem

4
Definition of IBE Scheme
KGC
KeyGen(msk, ID) ? dID
Setup(k) ? (msk, PP)
Resister ID as Alice_at_palma
Sender
Receiver
Send a ciphertext CT
Encrypt(M, PP, IDAlice) ? CT
Decrypt(CT, dID) ? M
Using IDAliceAlice_at_palma
5
Hierarchical IBE (HIBE)

• HIBE primitive HL02, GS02
• distribute a workload of the (root) KGC to
  generate dID
• is the hierarchical extension of IBE schemes
• In HIBE scheme
• A delegation mechanism is essential
• Parents private key is used to derive
• private keys of its children

University
Math
Physics
Math Lower level KGC
Alice
Bob
IDAlice (Univ., Math, Alice)
6
Definition of HIBE Scheme
Root KGC

• Setup
• KeyGen
• Derive
• Encrypt
• Decrypt

Derive(PP, dKGC) ? dLKGC
Lower-level KGC
Receiver
Sender
CT
7
Delegation Structures in HIBE (1)

• Structure 1 BB04 (similar to GS02)
• Private key dIDk ( g2a ??k (g1IDkhk)rk,
  gr1,, grk )
• Lower-level private key is generated as
• dIDk1 ( g2a ??k (g1IDkhk)rk ?
  (g1IDk1hk1)rk1, gr1,, grk , grk1 )
• As the depth k increases,
• private key and ciphertext size grows linearly in
  the depth k
• computation for decryption also increases
  linearly

8
Delegation Structures in HIBE (2)

• Structure 2 BBG05
• Private key dIDk ( g2a ? (h1ID1 hkIDk
  ?g3)r, gr, hk1r,, hlr )
• Lower-level private key is generated as
• dIDk1 (g2a ? (h1ID1 hkIDk ? hk1IDk1 ?
  g3)r, gr, hk2r,, hlr )
• Independent of the depth k,
• Ciphertext and decryption time are of constant
  size
• Private key size becomes shorter as the depth k
  increases

9
Applications of HIBE Scheme

• With the delegation ability of HIBE, ID(ID1,
  ID2,,IDk) could be replaced by one of the
  following
• IDs for individual users
• Identity-Based Broadcast Encryption (IBBE) CS06
• Cf. BE in symmetric key setting ? BE in public
  key setting DF02
• Time components
• Forward-secure HIBE YFDL04 or fs-PKBE AFI06
• Keyword for searchable information HIBE with
  the property of recipient-anonymity BW06
• Public Key Encryption with Keyword Search (PEKS)
  Abdalla..05

10
Security for HIBE Scheme

• Chosen-ciphertext Security in the selective-ID
  model CHK03, 04

Challenger
Attacker
Setup(k)
dID, M
b?0,1
dID, M

• Def. a HIBE scheme is IND-sID-CCA secure if
  Prbb -1/2 lt e

11
Generic Transformation for CCA secure HIBE

• CHK transformation CHK04, BCHK06
• (l1)-level CPA-secure HIBE p (Setup, Kgen,
  Der, Enc, Dec) and one-time signature scheme ?
  (Skgen, Sign, Vrfy)
• Skgen ? (vk, sk), where vk is handled as an
  identity
• l-level CCA-secure HIBE p (Setup, Kgen, Der,
  Enc, Dec)
• For ID(ID1,,IDk) (k l), compute Enc(IDvk,
  m) ? C
• Obtain Sign(sk, C) ? s and CT(vk, C, s)
• Before decrypting C, check s is valid under vk
• In reality, need one-bit padding as IDvk ?
  (0ID1,,0IDk,1vk)

12
Direct CCA-Secure Construction

• Two HIBE schemes BB1 BB04, BBG BBG05
• Represents two different delegation structures
  until now
• Applying the CHK transformation to BB1 BBG
  schemes
• l-level CCA-secure HIBE schemes are derived from
  l-level CPA-secure HIBE schemes directly
• Does not need one-bit padding as IDvk ?
  (0ID1,,0IDk,1vk)
• Use IDvk ? (ID1,, IDk,vk)

13
CCA-secure HIBE from BB1 Scheme(1)

• Setup(k) g ? G, ? ? Zp, g1g?, g2, h, h1
  ,, hl
• PP (g, g1, g2, h, h1 ,, hl )
  msk ?
• KeyGen(msk, IDk)
• IDK (ID1,,IDk)
• dIDK ( g2a ??k (g1IDkhk)rk, gr1 ,, grk )
• ( do, d1,, dk )
• Derive(dIDK, IDk1)
• IDK1 (ID1,,IDk, IDK1)
• dIDK1 ( do ??k1(g1IDkhk)rk , d1 ?gr1,, dk
  ?grk, grk1 )
• Need a re-randomization for security proof

14
CCA-secure HIBE from BB1 Scheme(2)

• Encrypt(M, PP, ID)
• Run Skgen ? (vk, sk)
• C ( gs, e(g1, g2)s?M, (g1ID1h1)s,, (g1IDkhk)s,
  (g1vkh)s )
• CT ( C, Signsk(C), vk )
• Decrypt(CT, PP, dID)
• Verify the signature is valid under vk
• C (A, B, C1,,Ck, Ck1) and dID (d0,
  d1,,dk)
• For a random rk1 ? Zp
• ?k e(Ck, dk) ? e(Ck1, grk1 ) ? B / e(A, d0
  ? (g1vkh)rk1) M

15
Security Theorem

• Theorem 1.
• ? t-time alg. that ?-breaks IND-sID-CCA
  security in l-level HIBE
• ?
• ? t-time alg. that ?-solves Dec.-BDH in G
• or ? t-time forger that ?-forges
  one-time signature
• FactBB04
• g2 - r2 / r1 (g1r1gr2)r3
  g2u (g1r1gr2) r3 v / r1
• where r1?0, u loggg1, and v
  loggg2

16
Proof Idea(1)
17
Proof Idea(2)

• In case vk ? vk
• For the value h g1-vk ?gß (ß known value),
  the simulator can compute
• D g2ß / (vk vk) (g1(vk vk)g
  ß)rk1 and E g21 / (vk vk) grk1
• for some randomly selected rk1 ? Zp
• Then, for some (unknown) r rk1 b / (vk
  vk)
• D and E becomes
• D gab (g1vk h)r and E gr
• Based on D and E, the simulator creates a private
  key dID
• In case vk vk
• The forgery of one-time signature occurs

we use the algebraic fact
18
CCA-secure HIBE from BBG Scheme(1)

• Setup(k) g ? G, ? ? Zp, g1g?, g2, g3, h,
  h1 ,, hl
• PP (g, g1, g2, g3, h, h1 ,, hl )
  msk ?
• KeyGen(msk, IDk)
• IDK (ID1,,IDk)
• dIDK ( g2a ? (h1ID1???hkIDk ?g3)r, gr , hr,
  hk1r,, hlr )
• ( ao, a1, a2, bk1,, bl )
• Derive(dIDK, IDk1)
• IDK1 (ID1,,IDk, IDK1)
• dIDK1 ( do ?bk1IDk1 ? (h1ID1???hkIDk
  hk1IDk1 ? g3)r, a1 ?gr,
• a2 ?hr, bk2 ? hk2 r ,, bl
  ?hl r )

19
CCA-secure HIBE from BBG Scheme(2)

• Encrypt(M, PP, ID)
• Run Skgen ? (vk, sk)
• C ( gs, e(g1, g2)s?M, (h1ID1 ? ? ? hkIDk ?hvk ?
  g3)s )
• CT ( C, Signsk(C), vk )
• Decrypt(CT, PP, dID)
• Verify the signature is valid under vk
• C (A, B, C) and dID (a0, a1, a2,)
• For a random w ? Zp
• a0 a0 ?a2vk ?(h1ID1 ? ? ? hkIDk ?hvk ? g3)w ,
  a1a1 ?gw
• (e(A, a1) / e(C, a0)) ? B M

20
Security Theorem

• Theorem 2.
• ? t-time alg. that ?-breaks IND-sID-CCA
  security of l-level HIBE
• ?
• ? t-time alg. that ?-solves Dec.-(l1) BDHE
  in G
• or ? t-time forger that ?-forges
  one-time signature
• FactBB04
• g2 - r2 / r1 (g1r1gr2)r3
  g2u (g1r1gr2) r3 v / r1
• where r1?0, u loggg1, and v
  loggg2

21
Proof Idea(1)
22
Proof Idea(2)

• In case vk ? vk
• For the value g3 (h1ID1 ? ? ? hkIDk) -1 ?
  g1-vk ?gß (ß known value), the simulator has
• D (gl1 (vk - vk) ? gt )s and E
  gs
• where t known value and s unknown value
  
• The simulator compute
• D g1 t / (vk vk ) ? (gl1 (vk -
  vk) ? gt )s and E E ? g1 t / (vk vk )
• For some unknown r s a / (vk vk), D and
  E becomes
• D gl2 ? (gl1 (vk - vk) ? gt )r
  and E gr
• Based on D and E, the simulator creates a
  private key dID
• In case vk vk
• The forgery of one-time signature occurs

we use the algebraic fact
23
Conclusion

• We suggested a method to achieve chosen
  ciphertext security for HIBE schemes using the
  CHK transformation
• The resulting schemes are selective-ID
  chosen-ciphertext secure without random oracles,
  based on the BB1 and BBG HIBE schemes
• Our approach could be applied to schemes with BB1
  and BBG-like structures
• There is no HIBE scheme which is fully secure
  (against adaptive adversaries) with a tight
  security reduction and without random oracles

24
Thank you