## Anonymous Hierarchical Identity-Based Encryption (Without Random Oracles) (2006)

Venue: | CRYPTO 2006. LNCS, |

Citations: | 119 - 10 self |

### Citations

1742 | Identity-based encryption from the Weil pairing, in: Joe Kilian (Ed
- Boneh, Franklin
- 2001
Citation Context ...stems can be leveraged to construct Public key Encryption with Keyword Search (PEKS) schemes, as was first observed by Boneh et al. [10] and later formalized by Abdalla et al. [1]. Roughly speaking, PEKS is a form of public key encryption that allows an encryptor to make a document searchable by keywords, and where the capabilities to search on particular keywords are delegated by a central authority. Anonymous HIBE further enables sophisticated access policies for PEKS and ID-based PEKS. Prior to this paper, the only IBE system known to be inherently anonymous was that of Boneh and Franklin [11]. Although they did not state it explicitly, the anonymity of their scheme followed readily from their proof of semantic security. One drawback of the Boneh-Franklin IBE paradigm is that its security proofs are set in the random oracle model. More recently, efficient IBE schemes due to Boneh and Boyen [5] and Waters [29] have been proven secure outside of the random oracle model, but these schemes are not anonymous when implemented using “symmetric” bilinear pairings $e : G \times G \to G_T$, because one can test if a given ciphertext was encrypted for a candidate identity. In retrospect, one notes that w... |

1127 | Identity-based cryptosystems and signature schemes, in: G.R. Blakley, David Chaum (Eds
- Shamir
- 1985
Citation Context ...dow the simulator with enough degrees of freedom to reduce a system of unknown keys to a single instance of the presumed hard problem. A notable feature of our construction is that it can be implemented using all known instantiations of the bilinear pairing (whether symmetric or asymmetric, with or without a computable or invertible homomorphism, etc.). To cover all grounds, we describe both a symmetric IBE version for simplicity, and a fully general asymmetric HIBE without homomorphisms for generality. 1.2 Related Work The concept of identity-based encryption was first proposed by Shamir [26] two decades ago. However, it was not until much later that Boneh and Franklin [11] and Cocks [17] presented the first practical solutions. The Boneh-Franklin IBE scheme was based on groups with efficiently computable bilinear maps, while the Cocks scheme was proven secure under the quadratic residuosity problem, which relies on the hardness of factoring. The security of either scheme was only proven in the random oracle model. Canetti, Halevi, and Katz [14] suggested a weaker security notion for IBE, known as selective identity or selective-ID, relative to which they were able to build an ine... |

431 | Practical techniques for searches on encrypted data
- Song, Wagner, et al.
- 2000
Citation Context ..., and Goh [7], which features shorter ciphertexts and private keys. We note that the selective-ID vs. adaptive-ID distinction is not very important for any of the HIBE systems known to date, since in all of them the adaptive-ID security degrades exponentially with the depth of the hierarchy: the two models are equivalent up to a constant factor inside the exponential. An important open problem in identity-based cryptography is to devise an adaptive-ID secure HIBE scheme whose security degrades polynomially with the depth of the hierarchy (under reasonable assumptions). Song, Wagner, and Perrig [28] presented the first scheme for searching on encrypted data. Their scheme is in the symmetric-key setting where the same party that encrypted the data would generate the keyword search capabilities. Boneh et al. [10] introduced Public Key Encryption with Keyword Search (PEKS), where any party with access to a public key could make an encrypted document that was searchable by keyword; they realized their construction by applying the Boneh-Franklin IBE scheme. Abdalla et al. [1] recently formalized the notion of Anonymous IBE and its relationship to PEKS. Additionally, they formalized the notion ... |

386 | Short group signatures
- Boneh, Boyen, et al.
Citation Context ...is also anonymous. (In particular, the Gentry-Silverberg [19] HIBE scheme is not.) In their recent CRYPTO’05 paper, Abdalla et al. [1] cite the creation of an anonymous IBE system without random oracles and an anonymous HIBE system with or without random oracles as important open problems. 1.1 Our Results We present an Anonymous IBE and HIBE scheme without random oracles, thereby solving both open problems from CRYPTO’05. Our scheme is very efficient for pure IBE, and reasonably efficient for HIBE with shallow hierarchies of practical interest. We prove it secure based solely on Boneh’s et al. [9] Decision Linear assumption, which is one of the mildest useful complexity assumptions in bilinear groups. At first sight, our construction bears a superficial resemblance to Boneh and Boyen’s “BB1” HIBE scheme [5, §4] — but with at least two big differences. First, we perform “linear splittings” on various portions of the ciphertext, to thwart the trial-and-error identity guessing to which other schemes fell prey. This idea gives us provable anonymity, even under symmetric pairings. Second, we use multiple parallel HIBE systems and constantly re-randomize the keys between them. This is what l... |

383 | Public key encryption with keyword search
- Boneh, Crescenzo, et al.
- 2004
Citation Context ...eing the first to realize fully anonymous HIBE at all levels in the hierarchy. 1 Introduction The cryptographic primitive of identity-based encryption allows a sender to encrypt a message for a receiver using only the receiver’s identity as a public key. Recently, there has been interest in “anonymous” identity-based encryption systems, where the ciphertext does not leak the identity of the recipient. In addition to their obvious privacy benefits, anonymous IBE systems can be leveraged to construct Public key Encryption with Keyword Search (PEKS) schemes, as was first observed by Boneh et al. [10] and later formalized by Abdalla et al. [1]. Roughly speaking, PEKS is a form of public key encryption that allows an encryptor to make a document searchable by keywords, and where the capabilities to search on particular keywords are delegated by a central authority. Anonymous HIBE further enables sophisticated access policies for PEKS and ID-based PEKS. Prior to this paper, the only IBE system known to be inherently anonymous was that of Boneh and Franklin [11]. Although they did not state it explicitly, the anonymity of their scheme followed readily from their proof of semantic security. O... |

367 | Efficient Algorithms for Pairing-Based Cryptosystems
- Barreto, Kim, et al.
- 2002
Citation Context ...ing a “multi-pairing” approach [21], which is similar to multi-exponentiation. One can also exploit the fact that all the k··· are fixed for a given recipient to perform advantageous pre-computations [3]. 6 Consistency and Security The following theorems state that extracted and delegated private keys are identically distributed, and that extraction, encryption, and decryption, are consistent. We rem... |

345 | Efficient identity-based encryption without random oracles
- Waters
- 2005
Citation Context ...capabilities to search on particular keywords are delegated by a central authority. Anonymous HIBE further enables sophisticated access policies for PEKS and ID-based PEKS. Prior to this paper, the only IBE system known to be inherently anonymous was that of Boneh and Franklin [11]. Although they did not state it explicitly, the anonymity of their scheme followed readily from their proof of semantic security. One drawback of the Boneh-Franklin IBE paradigm is that its security proofs are set in the random oracle model. More recently, efficient IBE schemes due to Boneh and Boyen [5] and Waters [29] have been proven secure outside of the random oracle model, but these schemes are not anonymous when implemented using “symmetric” bilinear pairings $e : G \times G \to G_T$, because one can test if a given ciphertext was encrypted for a candidate identity. In retrospect, one notes that with minor modifications Boneh and Boyen’s two schemes ∗Voltage Inc., Palo Alto — xb@boyen.org †SRI International — bwaters@csl.sri.com 1 “BB1” and “BB2”, and Waters’ by extension, may in fact become anonymous when implemented with an “asymmetric” pairing $e : G \times \hat{G} \to G_T$ under strong additional assumptions (such as hardne... |

333 | A One Round Protocol for Tripartite Diffie-Hellman
- Joux
- 2000
Citation Context ... : $G \times \hat{G} \to G_T$, with the bilinearity property that $e(g^r, \hat{g}^s) = e(g, \hat{g})^{rs}$. Here, $G$, $\hat{G}$, and $G_T$ are all multiplicative groups of prime order $p$, respectively generated by $g$, $\hat{g}$, and $e(g, \hat{g})$. It is asymmetric if $G \neq \hat{G}$. We call bilinear instance a tuple $\mathbf{G} = [p, G, \hat{G}, G_T, g, \hat{g}, e]$. We assume an efficient generation procedure that on input a security parameter $\Sigma \in \mathbb{N}$ outputs $\mathbf{G} \xleftarrow{\$} \mathrm{Gen}(1^\Sigma)$ where $\log_2(p) = \Theta(\Sigma)$. We write $\mathbb{Z}_p = \mathbb{Z}/p\mathbb{Z}$ for the set of residues mod $p$ and $\mathbb{Z}_p^\times = \mathbb{Z}_p \setminus \{0\}$ for its multiplicative group. 2.1 Assumptions Since bilinear groups first appeared in cryptography half a decade ago [21], several years after their first use in cryptanalysis [22], bilinear maps or pairings have been used in a large variety of ways under many different complexity assumptions. Some of them are very strong; others are weaker. Informally, we say that an assumption is mild if it is tautological in the generic group model [27], and also “efficiently falsifiable” [25] in the sense that its problem instances are stated non-interactively and concisely (e.g., independently of the number of adversarial queries or such large quantity). Most IBE and HIBE schemes mentioned in Introduction (except “BB2” an... |

288 | Lower bounds for discrete logarithms and related problems
- Shoup
- 1997
Citation Context ...cedure that on input a security parameter $\Sigma \in \mathbb{N}$ outputs $\mathbf{G} \xleftarrow{\$} \mathrm{Gen}(1^\Sigma)$ where $\log_2(p) = \Theta(\Sigma)$. We write $\mathbb{Z}_p = \mathbb{Z}/p\mathbb{Z}$ for the set of residues mod $p$ and $\mathbb{Z}_p^\times = \mathbb{Z}_p \setminus \{0\}$ for its multiplicative group. 2.1 Assumptions Since bilinear groups first appeared in cryptography half a decade ago [21], several years after their first use in cryptanalysis [22], bilinear maps or pairings have been used in a large variety of ways under many different complexity assumptions. Some of them are very strong; others are weaker. Informally, we say that an assumption is mild if it is tautological in the generic group model [27], and also “efficiently falsifiable” [25] in the sense that its problem instances are stated non-interactively and concisely (e.g., independently of the number of adversarial queries or such large quantity). Most IBE and HIBE schemes mentioned in Introduction (except “BB2” and the Factoring-based system by Cocks) are based on mild bilinear complexity assumptions, such as BDH [21, 11] and Linear [9]. In this paper, our goal is to rely only on mild assumptions. Decision BDH: The Bilinear DH assumption was first used by Joux [21], and gained popularity for its role in the Boneh-Franklin IBE syste... |

282 | An identity based encryption scheme based on quadratic residues
- Cocks
- 2001
Citation Context ...stance of the presumed hard problem. A notable feature of our construction is that it can be implemented using all known instantiations of the bilinear pairing (whether symmetric or asymmetric, with or without a computable or invertible homomorphism, etc.). To cover all grounds, we describe both a symmetric IBE version for simplicity, and a fully general asymmetric HIBE without homomorphisms for generality. 1.2 Related Work The concept of identity-based encryption was first proposed by Shamir [26] two decades ago. However, it was not until much later that Boneh and Franklin [11] and Cocks [17] presented the first practical solutions. The Boneh-Franklin IBE scheme was based on groups with efficiently computable bilinear maps, while the Cocks scheme was proven secure under the quadratic residuosity problem, which relies on the hardness of factoring. The security of either scheme was only proven in the random oracle model. Canetti, Halevi, and Katz [14] suggested a weaker security notion for IBE, known as selective identity or selective-ID, relative to which they were able to build an inefficient but secure IBE scheme without using random oracles. Boneh and Boyen [5] presented two ver... |

279 | Chosen-ciphertext security from identity-based encryption - Boneh, Canetti, et al. |

269 | Hierarchical identity based encryption with constant size ciphertext
- Boneh, Boyen, et al.
- 2005
Citation Context ... construction was impractical. Waters [29] then proposed a much simpler extension to “BB1” also with an adaptive-ID security proof without random oracles; its efficiency was further improved in two recent independent papers, [16] and [24]. The notion of hierarchical identity-based encryption was first defined by Horwitz and Lynn [20], and a construction in the random oracle model given by Gentry and Silverberg [19]. The first HIBE scheme to be provably secure without random oracles is the “BB1” system of Boneh and Boyen; subsequent improvements include the HIBE scheme by Boneh, Boyen, and Goh [7], which features shorter ciphertexts and private keys. We note that the selective-ID vs. adaptive-ID distinction is not very important for any of the HIBE systems known to date, since in all of them the adaptive-ID security degrades exponentially with the depth of the hierarchy: the two models are equivalent up to a constant factor inside the exponential. An important open problem in identity-based cryptography is to devise an adaptive-ID secure HIBE scheme whose security degrades polynomially with the depth of the hierarchy (under reasonable assumptions). Song, Wagner, and Perrig [28] presente... |

257 | Hierarchical ID-based cryptography
- Gentry, Silverberg
- 2002
Citation Context ...ome anonymous when implemented with an “asymmetric” pairing $e : G \times \hat{G} \to G_T$ under strong additional assumptions (such as hardness of DDH in G), but this is not easy to prove. Furthermore, for a fundamental reason this observation applies only to non-hierarchical IBE, and it would be nice not to rely on such “risky” assumptions which are patently false in the symmetric setting. At any rate, and even if one were to consider the use of random oracles, there simply does not exist any known hierarchical identity-based encryption scheme which is also anonymous. (In particular, the Gentry-Silverberg [19] HIBE scheme is not.) In their recent CRYPTO’05 paper, Abdalla et al. [1] cite the creation of an anonymous IBE system without random oracles and an anonymous HIBE system with or without random oracles as important open problems. 1.1 Our Results We present an Anonymous IBE and HIBE scheme without random oracles, thereby solving both open problems from CRYPTO’05. Our scheme is very efficient for pure IBE, and reasonably efficient for HIBE with shallow hierarchies of practical interest. We prove it secure based solely on Boneh’s et al. [9] Decision Linear assumption, which is one of the mildest u... |

251 | A forward-secure public-key encryption scheme
- Canetti, Halevi, et al.
- 2003
Citation Context ...mmetric HIBE without homomorphisms for generality. 1.2 Related Work The concept of identity-based encryption was first proposed by Shamir [26] two decades ago. However, it was not until much later that Boneh and Franklin [11] and Cocks [17] presented the first practical solutions. The Boneh-Franklin IBE scheme was based on groups with efficiently computable bilinear maps, while the Cocks scheme was proven secure under the quadratic residuosity problem, which relies on the hardness of factoring. The security of either scheme was only proven in the random oracle model. Canetti, Halevi, and Katz [14] suggested a weaker security notion for IBE, known as selective identity or selective-ID, relative to which they were able to build an inefficient but secure IBE scheme without using random oracles. Boneh and Boyen [5] presented two very efficient IBE systems (“BB1” and “BB2”) with selective-ID security proofs, also without random oracles. The same authors [6] then proposed a coding-theoretic extension to their “BB1” scheme that allowed them to prove security for the full notion of adaptive identity or adaptive-ID security without random oracles, but the construction was impractical. Waters [2... |

216 | Pairing-Friendly Elliptic Curves of Prime Order. Selected Areas in Cryptography
- Barreto, Naehrig
- 2006
Citation Context ...s our confidence in the assumptions we make; and (2) it gives us the flexibility to implement the bilinear pairing on a broad variety of algebraic curves with attractive computational characteristics [2], whereas symmetric pairings tend to be confined to supersingular curves, to name this one distinction. Note that if we let $G = \hat{G}$ and $g = \hat{g}$, our assumptions regain their familiar “symmetric” forms:... |

154 | Efficient selective-id secure identity based encryption without random oracles
- Boneh, Boyen
- 2004
Citation Context ... and where the capabilities to search on particular keywords are delegated by a central authority. Anonymous HIBE further enables sophisticated access policies for PEKS and ID-based PEKS. Prior to this paper, the only IBE system known to be inherently anonymous was that of Boneh and Franklin [11]. Although they did not state it explicitly, the anonymity of their scheme followed readily from their proof of semantic security. One drawback of the Boneh-Franklin IBE paradigm is that its security proofs are set in the random oracle model. More recently, efficient IBE schemes due to Boneh and Boyen [5] and Waters [29] have been proven secure outside of the random oracle model, but these schemes are not anonymous when implemented using “symmetric” bilinear pairings $e : G \times G \to G_T$, because one can test if a given ciphertext was encrypted for a candidate identity. In retrospect, one notes that with minor modifications Boneh and Boyen’s two schemes “BB1” and “BB2”, and Waters’ by extension, may in fact become anonymous when implemented with an “asymmetric” pairing $e : G \times \hat{G} \to G_T$ under strong additional assumptions... |

146 | The Weil pairing and its efficient calculation.
- Miller
- 2004
Citation Context ...oadcast innocent-looking ciphertexts that require a certain clearance to decrypt, without even hinting at the fact that their payload might be valuable. We can create more refined search capabilities with a deeper hierarchy. As the last applications we mention, forward-secure public-key encryption [14] and forward-secure HIBE [31] are straightforward to construct from HIBE systems [31, 7]. We can implement Anonymous fs-HIBE with our scheme by embedding a time component within the hierarchy, while preserving the anonymity property. 2 Background Recall that a pairing is an efficiently computable [23], non-degenerate function, $e : G \times \hat{G} \to G_T$, with the bilinearity property that $e(g^r, \hat{g}^s) = e(g, \hat{g})^{rs}$. Here, $G$, $\hat{G}$, and $G_T$ are all multiplicative groups of prime order $p$, respectively generated by $g$, $\hat{g}$, and $e(g, \hat{g})$. It is asymmetric if $G \neq \hat{G}$. We call bilinear instance a tuple $\mathbf{G} = [p, G, \hat{G}, G_T, g, \hat{g}, e]$. We assume an efficient generation procedure that on input a security parameter $\Sigma \in \mathbb{N}$ outputs $\mathbf{G} \xleftarrow{\$} \mathrm{Gen}(1^\Sigma)$ where $\log_2(p) = \Theta(\Sigma)$. We write $\mathbb{Z}_p = \mathbb{Z}/p\mathbb{Z}$ for the set of residues mod $p$ and $\mathbb{Z}_p^\times = \mathbb{Z}_p \setminus \{0\}$ for its multiplicative group. 2.1 Assumptions Since bilinear groups first appeared in cry... |

143 | Searchable encryption revisited: consistency properties, relation to anonymous IBE, and extensions
- Abdalla, Bellare, et al.
Citation Context ...enefits, anonymous IBE systems can be leveraged to construct Public key Encryption with Keyword Search (PEKS) schemes, as was first observed by Boneh et al. [9] and later formalized by Abdalla et al. [1]. Roughly speaking, PEKS is a form of public key encryption that allows an encryptor to make a document searchable by keywords, and where the capabilities to search on particular keywords are delegat... |

141 | Secure identity based encryption without random oracles
- Boneh, Boyen
- 2004
Citation Context ...inear maps, while the Cocks scheme was proven secure under the quadratic residuosity problem, which relies on the hardness of factoring. The security of either scheme was only proven in the random oracle model. Canetti, Halevi, and Katz [14] suggested a weaker security notion for IBE, known as selective identity or selective-ID, relative to which they were able to build an inefficient but secure IBE scheme without using random oracles. Boneh and Boyen [5] presented two very efficient IBE systems (“BB1” and “BB2”) with selective-ID security proofs, also without random oracles. The same authors [6] then proposed a coding-theoretic extension to their “BB1” scheme that allowed them to prove security for the full notion of adaptive identity or adaptive-ID security without random oracles, but the construction was impractical. Waters [29] then proposed a much simpler extension to “BB1” also with an adaptive-ID security proof without random oracles; its efficiency was further improved in two recent independent papers, [16] and [24]. The notion of hierarchical identity-based encryption was first defined by Horwitz and Lynn [20], and a construction in the random oracle model given by Gentry and... |

141 | Toward hierarchical identity-based encryption
- Horwitz, Lynn
Citation Context ...e-ID security proofs, also without random oracles. The same authors [6] then proposed a coding-theoretic extension to their “BB1” scheme that allowed them to prove security for the full notion of adaptive identity or adaptive-ID security without random oracles, but the construction was impractical. Waters [29] then proposed a much simpler extension to “BB1” also with an adaptive-ID security proof without random oracles; its efficiency was further improved in two recent independent papers, [16] and [24]. The notion of hierarchical identity-based encryption was first defined by Horwitz and Lynn [20], and a construction in the random oracle model given by Gentry and Silverberg [19]. The first HIBE scheme to be provably secure without random oracles is the “BB1” system of Boneh and Boyen; subsequent improvements include the HIBE scheme by Boneh, Boyen, and Goh [7], which features shorter ciphertexts and private keys. We note that the selective-ID vs. adaptive-ID distinction is not very important for any of the HIBE systems known to date, since in all of them the adaptive-ID security degrades exponentially with the depth of the hierarchy: the two models are equivalent up to a constant factor... |

114 | Key-privacy in public-key encryption
- Bellare, Boldyreva, et al.
- 2001
Citation Context ...at the first level, in the random oracle model. Another view of Anonymous IBE is as a combination of identity-based encryption with the property of key privacy, which was introduced by Bellare et al. [4]. 1.3 Applications In this section we discuss various applications of our fully anonymous HIBE system. The main applications can be split into several broad categories. Fully Private Communication. Th... |

98 | Building an encrypted and searchable audit log
- Waters, Balfanz, et al.
- 2004
Citation Context ...us IBE provides a very convincing solution to the problem of secure anonymous communication, as it makes it harder to conduct traffic analysis attack on directory lookups. Search on Encrypted Data. The second main application of anonymous (H)IBE is for encrypted search. As mentioned earlier, anonymous IBE and HIBE give several application in the Public-key Encryption with Keyword Search (PEKS) domain, proposed by Boneh et al. [10], and further discussed by Abdalla et al. [1]. As a simple example of real-world application of our scheme, PEKS is a useful primitive for building secure audit logs [30, 18]. Furthermore, one can leverage the hierarchical identities in our anonymous HIBE in several interesting ways. For example, we can use a two-level anonymous HIBE scheme where the first level is an identity and the second level is a keyword. This gives us the first implementation of the Identity-Based Encryption with Keyword Search (IBEKS) primitive asked for in [1]. With this primitive, someone with the private key for an identity can delegate out search capabilities for encryptions to their identity, without requiring a central authority to act as the delegator. Conversely, by using certain k... |

89 | Improved efficiency for CCA-secure cryptosystems built using identity-based encryption - Boneh, Katz - 2005 |

83 | Direct Chosen Ciphertext Security from Identity-Based Techniques - Boyen, Mei, et al. - 2005 |

55 | Reducing elliptic curve logarithms in a finite field
- Menezes, Okamoto, et al.
- 1993
Citation Context ...s) = $e(g, \hat{g})^{rs}$. Here, $G$, $\hat{G}$, and $G_T$ are all multiplicative groups of prime order $p$, respectively generated by $g$, $\hat{g}$, and $e(g, \hat{g})$. It is asymmetric if $G \neq \hat{G}$. We call bilinear instance a tuple $\mathbf{G} = [p, G, \hat{G}, G_T, g, \hat{g}, e]$. We assume an efficient generation procedure that on input a security parameter $\Sigma \in \mathbb{N}$ outputs $\mathbf{G} \xleftarrow{\$} \mathrm{Gen}(1^\Sigma)$ where $\log_2(p) = \Theta(\Sigma)$. We write $\mathbb{Z}_p = \mathbb{Z}/p\mathbb{Z}$ for the set of residues mod $p$ and $\mathbb{Z}_p^\times = \mathbb{Z}_p \setminus \{0\}$ for its multiplicative group. 2.1 Assumptions Since bilinear groups first appeared in cryptography half a decade ago [21], several years after their first use in cryptanalysis [22], bilinear maps or pairings have been used in a large variety of ways under many different complexity assumptions. Some of them are very strong; others are weaker. Informally, we say that an assumption is mild if it is tautological in the generic group model [27], and also “efficiently falsifiable” [25] in the sense that its problem instances are stated non-interactively and concisely (e.g., independently of the number of adversarial queries or such large quantity). Most IBE and HIBE schemes mentioned in Introduction (except “BB2” and the Factoring-based system by Cocks) are based on mild bi... |

38 | Chosen-Ciphertext Secure Public-Key Threshold Encryption Without Random Oracles - Boneh, Boyen, et al. - 2006 |

34 | Secure and practical identity-based encryption. Cryptology ePrint Archive, Report 2005/369
- Naccache
- 2005
Citation Context ...les. Boneh and Boyen [5] presented two very efficient IBE systems (“BB1” and “BB2”) with selective-ID security proofs, also without random oracles. The same authors [6] then proposed a coding-theoretic extension to their “BB1” scheme that allowed them to prove security for the full notion of adaptive identity or adaptive-ID security without random oracles, but the construction was impractical. Waters [29] then proposed a much simpler extension to “BB1” also with an adaptive-ID security proof without random oracles; its efficiency was further improved in two recent independent papers, [16] and [24]. The notion of hierarchical identity-based encryption was first defined by Horwitz and Lynn [20], and a construction in the random oracle model given by Gentry and Silverberg [19]. The first HIBE scheme to be provably secure without random oracles is the “BB1” system of Boneh and Boyen; subsequent improvements include the HIBE scheme by Boneh, Boyen, and Goh [7], which features shorter ciphertexts and private keys. We note that the selective-ID vs. adaptive-ID distinction is not very important for any of the HIBE systems known to date, since in all of them the adaptive-ID security degrades exp... |

31 | Trading time for space: Towards an efficient IBE scheme with short(er) public parameters in the standard model
- Chatterjee, Sarkar
- 2005
Citation Context ...ndom oracles. Boneh and Boyen [5] presented two very efficient IBE systems (“BB1” and “BB2”) with selective-ID security proofs, also without random oracles. The same authors [6] then proposed a coding-theoretic extension to their “BB1” scheme that allowed them to prove security for the full notion of adaptive identity or adaptive-ID security without random oracles, but the construction was impractical. Waters [29] then proposed a much simpler extension to “BB1” also with an adaptive-ID security proof without random oracles; its efficiency was further improved in two recent independent papers, [16] and [24]. The notion of hierarchical identity-based encryption was first defined by Horwitz and Lynn [20], and a construction in the random oracle model given by Gentry and Silverberg [19]. The first HIBE scheme to be provably secure without random oracles is the “BB1” system of Boneh and Boyen; subsequent improvements include the HIBE scheme by Boneh, Boyen, and Goh [7], which features shorter ciphertexts and private keys. We note that the selective-ID vs. adaptive-ID distinction is not very important for any of the HIBE systems known to date, since in all of them the adaptive-ID security deg... |

13 | Time-Scoped Searching of Encrypted Audit Logs. In:
- Davis, Monrose, et al.
- 2004
Citation Context ...us IBE provides a very convincing solution to the problem of secure anonymous communication, as it makes it harder to conduct traffic analysis attack on directory lookups. Search on Encrypted Data. The second main application of anonymous (H)IBE is for encrypted search. As mentioned earlier, anonymous IBE and HIBE give several application in the Public-key Encryption with Keyword Search (PEKS) domain, proposed by Boneh et al. [10], and further discussed by Abdalla et al. [1]. As a simple example of real-world application of our scheme, PEKS is a useful primitive for building secure audit logs [30, 18]. Furthermore, one can leverage the hierarchical identities in our anonymous HIBE in several interesting ways. For example, we can use a two-level anonymous HIBE scheme where the first level is an identity and the second level is a keyword. This gives us the first implementation of the Identity-Based Encryption with Keyword Search (IBEKS) primitive asked for in [1]. With this primitive, someone with the private key for an identity can delegate out search capabilities for encryptions to their identity, without requiring a central authority to act as the delegator. Conversely, by using certain k... |

3 | Yevgeniy Dodis, and Anna Lysyanskaya. ID-based encryption for complex hierarchies with applications to forward security and broadcast encryption.
- Yao, Fazio
- 2004
Citation Context ...e key for an identity can delegate out search capabilities for encryptions to their identity, without requiring a central authority to act as the delegator. Conversely, by using certain keywords such as “Top Secret” at the first level of the hierarchy, it is possible to broadcast innocent-looking ciphertexts that require a certain clearance to decrypt, without even hinting at the fact that their payload might be valuable. We can create more refined search capabilities with a deeper hierarchy. As the last applications we mention, forward-secure public-key encryption [14] and forward-secure HIBE [31] are straightforward to construct from HIBE systems [31, 7]. We can implement Anonymous fs-HIBE with our scheme by embedding a time component within the hierarchy, while preserving the anonymity property. 2 Background Recall that a pairing is an efficiently computable [23], non-degenerate function, $e : G \times \hat{G} \to G_T$, with the bilinearity property that $e(g^r, \hat{g}^s) = e(g, \hat{g})^{rs}$. Here, $G$, $\hat{G}$, and $G_T$ are all multiplicative groups of prime order $p$, respectively generated by $g$, $\hat{g}$, and $e(g, \hat{g})$. It is asymmetric if $G \neq \hat{G}$. We call bilinear instance a tuple $\mathbf{G} = [p, G, \hat{G}, G_T, g, \hat{g}, e]$. We assume an... |

1 | Invited talk at CRYPTO
- Naor
- 2003
Citation Context ... $\Sigma \in \mathbb{N}$ outputs $\mathbf{G} \xleftarrow{\$} \mathrm{Gen}(1^\Sigma)$ where $\log_2(p) = \Theta(\Sigma)$. We write $\mathbb{Z}_p = \mathbb{Z}/p\mathbb{Z}$ for the set of residues mod $p$ and $\mathbb{Z}_p^\times = \mathbb{Z}_p \setminus \{0\}$ for its multiplicative group. 2.1 Assumptions Since bilinear groups first appeared in cryptography half a decade ago [21], several years after their first use in cryptanalysis [22], bilinear maps or pairings have been used in a large variety of ways under many different complexity assumptions. Some of them are very strong; others are weaker. Informally, we say that an assumption is mild if it is tautological in the generic group model [27], and also “efficiently falsifiable” [25] in the sense that its problem instances are stated non-interactively and concisely (e.g., independently of the number of adversarial queries or such large quantity). Most IBE and HIBE schemes mentioned in Introduction (except “BB2” and the Factoring-based system by Cocks) are based on mild bilinear complexity assumptions, such as BDH [21, 11] and Linear [9]. In this paper, our goal is to rely only on mild assumptions. Decision BDH: The Bilinear DH assumption was first used by Joux [21], and gained popularity for its role in the Boneh-Franklin IBE system [11]. The decisional assumption posits ... |