1. ID-Based Encryption for Complex Hierarchies with Applications to Forward Security and Broadcast Encryption
Danfeng Yao
Nelly Fazio
Brown University
New York University
Yevgeniy Dodis
Anna Lysyanskaya
Change the title
Change the names

2. Identity-based Encryption (IBE) and Hierarchical IBE (HIBE)
IBE [Shamir 84] [Boneh Frankline 01] [Cocks 01] [Canetti Halevi Katz 03] [Boneh Boyen 04] [Waters 04]
HIBE [Horwitz Lynn 02] [Gentry Silverberg 02] [Boneh Boyen 04]
Register as
PKG
params, secret s
Private Key
Bob
Math
Alice
School CS s
Ciphertext C =
(M, params)
ID-tuple!!!
References!!!
State that this will be the running example of the talk.
Public key corresponds to identity, e.g. address
Shamir 1984
Simplify public key certificate management
A Private Key Generator (PKG) generates the private keys for each user in its domain
Also chooses a set of public parameters
A HIBE scheme by Gentry-Silverberg
Based on Boneh-Frankline IBE
Root PKG
Has a root secret s
Lower-level PKGs
Obtain private keys from parent PKG
Bob’s public key is the ID-tuple (School, CS, Bob); his private key is computed by CS

3. Why need forward-secure HIBE?
In HIBE, exposure of parent private keys compromises children’s keys
Forward security
[Gunther 89] [Diffie Oorschot Wiener 92] [Anderson 97] [Bellare Miner 99] [Malkin Micciancio Miner 02] [Canetti Halevi Katz 03]
Secret keys are evolved with time
Compromising current key does NOT compromise past communications
Forward-secure HIBE mitigates key exposure s
School
Math CS
Bob
Alice
In a forward-secure public key encryption scheme, the private key is evolved with time
Safe
Time
Compromise

4. Applications of fs-HIBE
Forward-secure public-key broadcast encryption (fs-BE)
BE schemes: [Fiat Naor 93] [Luby Staddon 98] [Garay Staddon Wool 00] [Naor Naor Lotspiech 01] [Halevy Shamir 02] [Kim Hwang Lee 03] [Goodrich Sun Tamassia 04] [Gentry Ramzan 04]
HIBE is used in public-key broadcast encryption [Dodis Fazio 02]
Forward security is especially important in BE
Multiple HIBE: Encryption scheme for users with multiple roles
Hibe in BE. (references, RBAC references)
Separate slides for MHIBE, examples.
Time
Safe
Key compromised

5. Hierarchical IBE
HIBE [Horwitz Lynn 02] [Gentry Silverberg 02] [Boneh Boyen 04]
Root setup
Encrypt
Params, SSchool
Lower-level setup
SMath
SCS
Lower-level setup
(School, Math)
(School, CS)
(School, CS, Bob)
Decrypt(SBob)
SBob

6. Forward-secure Public-Key Encryption
fs-PKE (Canetti, Halevi, and Katz 2003)
Used to protect the private key of one user
Based on Gentry-Silverberg HIBE
A time period is a binary string
Private key contains decryption key and future secrets
Erase past secrets in algorithm Update
secret s
Total time periods: 4
Period 1: (0 0)
Period 2: (0 1)
Period 3: (1 0)
Period 4: (1 1) 1  s0 s1
Speak slowly here, each leaf is a time period. For example, January, etc.
pick a random secret for the root, use lower-level of hibe to compute ...
in order to preserve security of past communications, past secret keys are
erases at the end of a time period. so s00 will be erased. at a give time
period, a user needs to have not only a decryption key corresponding to
the current time period, but also secret for computing future keys.
Use current private key to compute future private keys
Separate slide introducing HIBE (references), then separate for Fs-PKE, stating the connections.
Brute force way of forward security
Encrypt(params, 0 0)
s00
s01

7. fs-HIBE requirements Dynamic joins Joining-time obliviousness
Users can join at any time
Joining-time obliviousness
Collusion resistance
Do naïve combinations of fs-PKE and HIBE work?
School
Math CS
Alice
Rectangle->parallelogram
Against breaking parent’s keys for past time periods
Against parent’s keys for future time periods
Against children’s keys for past time periods
User 1
User 2
John
Bob
Eve

8. An fs-HIBE attempt Each entity node maintains one tree
School
Each entity node maintains one tree
For computing children’s private keys
For the forward security of itself
Not joining-time-oblivious
CS joins at (0 1) with public key (School, 0, 1, CS)
Bob joins at (1 0) with public key (School, 0, 1, CS, 1, 0, Bob)
Sender needs to know when CS and Bob joined 1 1 1 CS 1
Add some animations to bring nodes in .
Forward-secure, but not joining-time obli…
Fundamentally conflict the concept of IBE, the sender just needs to know the identity.
Bob

9. Overview of our fs-HIBE scheme
Based on HIBE [Gentry Silverberg 02] and fs-PKE (Canetti Halevi Katz 03] schemes
Scalable, efficient, and provable secure
Forward security
Dynamic joins
Joining-time obliviousness
Collusion resistance
Security based on Bilinear Diffie-Hellman assumption [BF 01] and random oracle model [Bellare Rogaway 93]
Chosen-ciphertext secure against adaptive-chosen-(ID-tuple, time) adversary
BDH reference

10. fs-HIBE algorithm definitions
Root setup (t = 0 0)
Encrypt 28.Oct.2004)
SSchool, 00
Lower-level setup
Update
SMath, t
SCS, t
Lower-level setup
Decrypt(SBob, 28.Oct.2004)
Add time to private keys!!!
Time consistency in the example, joining time
Encrypt( 28.oct.2004)
SBob, t’
Update

11. fs-HIBE Root setup S(School,00) Similar to key derivation of fs-PKE
Private key for time (0 0) contains decryption key for (0 0), and future secrets
Generates params, decryption key, and future secrets
= s  H (0 || School)
= s  H (1 || School)
= s’  H (0 0 || School)
= s’  H (0 1 || School)
Erase , s and s’  1 1 1
Group operations +, *
Change the shapes.
Adaptation to gs-hibe scheme, generalize to 2-d. not exactly the same, but similar.
S(School,00)
|| String concatenation
+ Group addition operation
 Group multiplication operation

12. fs-HIBE algorithms cont’d
S(School, 00)
Lower-level setup is used by a node at time t to compute keys for its children
Generalization of Root setup
Computes both decryption key
at time t, and future secrets
Update
Similar as in fs-PKE
Encrypt
Ciphertext: O(h log(N))
Decrypt
Bob’s decryption key is used
S(CS,00)
S(Bob,00)
= s2  H (0 || School CS)
= s2’  H (0 0 || School CS)
= s3  H (0 0 || School CS Bob)
= s3’  H (0 0 || School CS Bob)
Erase intermediate secrets
Time ->

13. HIBE in broadcast encryption
Center
Connection between HIBE and BE, no details!!!
Subset cover framework uses HIBE to construct.
In Enc, broadcast center covers valid users using subsets
Subset-cover framework [NNL01]
Each subset has a public key
Center encrypts messages under session key K
K is encrypted with public keys of all subsets in the cover
User decrypts K with secret keys obtained at Reg
May need to derive secret keys (e.g. Subset Difference Method [DF02])
Valid user
Revoked user

14. Forward-secure broadcast encryption
Public-key BE by Dodis and Fazio
Uses HIBE to implement a subset-cover framework [Naor Naor Lotspiech 01]
A scalable fs-BE scheme
Dynamic joins and joining-time obliviousness
Users update secret keys autonomously
Algorithms: KeyGen, Reg, Upd, Enc, Dec
KeyGen (t = 0)
SCenter,0
Want to join at t
Dec(Su, t)
Su, t
Reg
Enc(M, t)
Update

15. Security of fs-HIBE /  (( ) ) “Security definitions”
Security based on hardness of BDH problem and random oracle model
Theorem Suppose there is an adaptive adversary A that has advantage  against one-way secure fs-HIBE targeting some time and ID-tuple at level h, and that makes qH2 hash queries to hash function H2 and qE lower-level setup queries. Let N be total number of time, l = log2N. If H1, H2 are random oracles, then exists an algorithm B that solves BDH problem with advantage
(h+l)/2 
h + l 1 (( ) – ) /
qH2 .
e(2lqE + h + l) 2n
Define and prove, throw the security theorem.
Access control mhibe
delegation

16. fs-HIBE attempt II
Each entity maintains HIBE and fs-PKE trees separately
An entity obtains a forward-secure key and a HIBE key from parent
Forward-secure keys are shared by all users
Decryption requires HIBE key and fs-PKE key
Not forward-secure
Adversary first breaks in Alice at time (0 0), obtains s00, s01, s1
Then breaks in Bob and gets sBob at time (0 1)
Adversary can decrypt Bob’s past messages of time (0 0)
Bob CS
School
Math
sBob
Alice 1  s1
sAlice
s00
s01