Generalized Key Delegation for Hierarchical Identity-Based Encryption

Transcription

1 A prelmnary verson of ths paper appears n the proceedngs of ESORICS 2007, Lecture Notes n Computer Scence Vol.????, Sprnger-Verlag, Ths s the full verson. Generalzed Key Delegaton for Herarchcal Identty-Based Encrypton Mchel Abdalla 1 Eke Kltz 2 Gregory Neven 3 June 2007 Abstract In ths paper, we ntroduce a new prmtve called dentty-based encrypton wth wldcard key dervaton (WKD-IBE, or wcked IBE ) that enhances the concept of herarchcal dentty-based encrypton (HIBE) by allowng more general key delegaton patterns. A secret key s derved for a vector of dentty strngs, where entres can be left blank usng a wldcard. Ths key can then be used to derve keys for any pattern that replaces wldcards wth concrete dentty strngs. For example, one may want to allow the unversty s head system admnstrator to derve secret keys (and hence the ablty to decrypt) for all departmental sysadmn emal addresses sysadmn@*.unv.edu, where * s a wldcard that can be replaced wth any strng. We provde approprate securty notons and provably secure nstantatons wth dfferent tradeoffs n terms of cphertext sze and effcency. We also present a generc constructon of dentty-based broadcast encrypton (IBBE) from any WKD-IBE scheme. One of our nstantaton yelds an IBBE scheme wth constant cphertext sze. Keywords: Cryptographc protocols, Herarchcal dentty-based encrypton, key delegaton, broadcast encrypton. 1 Introducton Identty-based encrypton. Securely lnkng users to ther publc keys s a notorous obstacle n the adopton of publc-key encrypton schemes n practce. Most commonly, t s overcome by means of a publc key nfrastructure (PKI) where a trusted authorty certfes, by means of a dgtal sgnature, the relaton between users and ther publc keys. The hgh cost of settng up and mantanng such a PKI can be prohbtve for many organzatons however. In 1984, Shamr [19] proposed dentty-based encrypton (IBE) as a cheaper alternatve to tradtonal PKIs. Here, the publc key of a user s hs dentty (e.g. hs name or emal address), whle the correspondng prvate key s handed to hm by a trusted key dstrbuton center. It lasted untl 2000 however for the frst practcal IBE schemes [17, 6] to be proposed based on blnear maps. 1 Departement d Informatque, École normale supéreure, 45 Rue d Ulm, Pars Cedex 05, France. Emal: Mchel.Abdalla@ens.fr. URL: 2 CWI Amsterdam, The Netherlands. Emal: kltz@cw.nl. URL: 3 Department of Electrcal Engneerng, Katholeke Unverstet Leuven, Kasteelpark Arenberg 10, B-3001 Heverlee-Leuven, Belgum. Emal: Gregory.Neven@esat.kuleuven.be. URL: 1

2 Herarchcal dentty-based encrypton (HIBE) schemes [13, 11] are the herarchcal extenson of IBEs where user denttes are vectors of bt strngs. The root entty generates prvate keys for users at the frst level; users at level l can derve keys for ther chldren at level l + 1. Ths prevents the dstrbuton center from becomng a bottleneck n the system, and at the same tme reflects the herarchcal structure of many organzatons and user denttes, n partcular emal addresses. For example, the head of the computer scence department of a unversty could be gven the key for dentty (edu,unv,cs) allowng hm to derve keys for denttes (edu,unv,cs,username) correspondng to emal addresses username@cs.unv.edu. Wldcard key dervaton. Herarchcal key dervaton s a useful feature, but has ts lmtatons. For example, t would be reasonable to prevent end-users from further dervng keys for denttes below them. Ths feature was referred to before as lmted delegaton by Boneh- Boyen-Goh [5], who show a tweak to ther HIBE scheme offerng exactly ths functonalty albet wthout a formal securty noton or proof for ther approach. In some crcumstances, t could also be useful to be able to devate from the herarchcal structure. For example, one may want to allow the unversty s head system admnstrator to derve keys for all departmental sysadmn emal addresses sysadmn@*.unv.edu, where * s a wldcard that can be replaced wth any strng. As another example, t could be practcal to provde a company lke Google Inc. that regsters ts name at all top-level domans wth a key for *@google.*. These applcatons lead us to generalze the concept of HIBE schemes to dentty-based encrypton wth wldcard key dervaton (WKD-IBE), or more succnctly wcked IBE. After defnng adequate securty notons, we start lookng for constructons. Frst observe that f a HIBE scheme allows a maxmal herarchy depth L to be fxed, then the lmted-delegaton property of [5] can be acheved genercally by paddng the dentty vector wth dummy strngs at the unused lower levels. (But ths may come at the cost of effcency.) The more general functonalty of wldcard key delegaton cannot be acheved genercally though. Nevertheless, we show that many of the exstng HIBE schemes are amenable to a modfcaton that enables wldcard key dervaton, ncludng the Gentry-Slverberg [11], Boneh-Boyen [4], Waters [20], and Boneh- Boyen-Goh [5] HIBE schemes. For the former three ths may come as a bt of a surprse, because no lmted-delegaton tweaks were prevously proposed for these schemes. We prove the securty of the modfed schemes under our new notons, thereby provdng as a specal case formal ground for the ntuton of [5] regardng ther lmted-delegaton tweak. Applcaton to dentty-based broadcast encrypton. Broadcast encrypton [10] allows to encrypt a message to any subset S {1,...,N} of N users so that only users n S can decrypt the message. A trval soluton conssts of concatenatng encryptons of the message under the publc key of each user n S separately, but ths yelds cphertexts of sze lnear n S. The most effcent fully colluson-resstant (meanng where the adversary can corrupt all users outsde of S) publc-key broadcast encrypton schemes are due to Boneh et al. [7], who present a frst constructon wth constant-sze cphertexts and prvate keys but wth O(N)-sze publc keys, and a second constructon wth O( N)-sze cphertexts and publc keys. Identty-based broadcast encrypton (IBBE) s the natural extenson of broadcast encrypton to the dentty-based settng. It s partcularly appealng as a prmtve because the total number of users n the system N s lmted only by the sze of the dentty space. We propose a generc constructon of an IBBE schemes from any WKD-IBE scheme. The constructon nflates the prvate key sze by a factor L beng the maxmal number of denttes n a recpent set, but otherwse shares the same cost as the underlyng wcked IBE. Of all the nstantatons of wcked IBE that we propose, the most attractve resultng IBBE scheme s that obtaned from the scheme based on [5], because t acheves constant-sze c- 2

3 phertexts. However, t has the dsadvantage of havng prvate keys of sze O(L 2 ), where L s the maxmum number of recpents n a cphertext. The other concrete nstantatons are less attractve because they have cphertext sze O(L), just lke the trval scheme that concatenates ndvdual cphertexts. Unlke most other broadcast schemes however, they do have the remarkable feature that knowledge of the recpent set s not requred n order to decrypt the message. Wldcard sgnatures. Just lke the key dervaton of an IBE scheme automatcally gves rse to a sgnature scheme [6], a WKD-IBE scheme gves rse to a new prmtve that we call a wldcard sgnature scheme. It allows a sgner to ssue a sgnature on a message contanng wldcards, whch anyone can replace wth concrete values at a later pont wthout nvaldatng the sgnature. Our constructons of wcked dentty-based encrypton yeld a number of wldcard sgnature schemes wth dfferent tradeoffs. Related work. Wcked dentty-based encrypton can be seen as the dual noton of denttybased encrypton wth wldcards [1] (WIBE). There, one can use wldcards n the recpent dentty to whch a cphertext s encrypted, so that all users whose dentty matches the recpent pattern can decrypt t. In fact, the notons of WKD-IBE and WIBE could be combned nto a unversal prmtve that allows wldcards to be used n both the encrypton and key dervaton algorthms. Instantatons of ths prmtve can be obtaned from all WKD-IBE schemes presented n ths work, except for the one based on Gentry-Slverberg s HIBE [11]. Key-polcy attrbute-based encrypton (KP-ABE) [12] assocates to each decrypton key an access structure consstng of a logcal combnaton of attrbute values usng AND and OR gates. A cphertext s encrypted under a set of descrptve attrbutes and can only be decrypted wth a key whose access structure s satsfed by the set of attrbutes. As dscussed n [12], HIBE schemes are a specal case of KP-ABE schemes by mappng the dentty vector (edu, unv, cs, sysadmn) to the access structure (1 edu 2 unv 3 cs 4 sysadmn). Lkewse, wcked IBE can be seen as a specal case of KP-ABE by lettng the key for dentty (edu,*,*,sysadmn) be gven by the key for (1 edu 4 sysadmn). The wcked IBE scheme obtaned through the frst constructon of [12] has the dsadvantage of havng publc keys lnear n the sze of the attrbute unverse. The nstantaton obtaned from ther second, large-unverse constructon s qute smlar to the scheme that we derve from the Boneh-Boyen HIBE scheme [4]. None of the schemes derved from [12] acheve constant cphertext sze though, lke our wcked IBE constructon based on [5]. The use of HIBE schemes n the desgn of broadcast encrypton schemes was frst consdered by Dods and Fazo [9]. Chatterjee and Sarkar [8] gave a drect constructon of an IBBE scheme that s closely related to the nstantaton of our generc constructon wth the WKD-IBE scheme based on [5]. Our generc constructon provdes nsght nto the desgn of ther scheme, but ther constructon contans some nterestng effcency-mprovng tweaks. The schemes are compared n more detal n Secton 5.3. In ndependent work, Shacham [18] formalzes the concept of lmted delegaton for HIBE schemes and proves ths feature for the HIBE scheme of [5]. As we ponted out above, lmted delegaton for HIBEs can be seen as a specal case of WKD-IBE where wldcards can only appear at the end of the dentty vector. Our WKD-IBE scheme based on [5] can therefore be seen as a generalzaton of the result of [18]. 3

4 2 Basc Defntons In ths secton, we ntroduce some notaton and computatonal problems that we wll use throughout the rest of the paper. In dong so, we adopt the same notaton and defnton style used n [1]. Notaton. Let N = {0, 1,...} be the set of natural numbers. Let ε be the empty strng. If n N, then {0, 1} n denotes the set of n-bt strngs, and {0, 1} s the set of all bt strngs. More generally, f S s a set, then S n s the set of n-tuples of elements of S, S n s the set of tuples of length at most n. If S s fnte, then x S denotes the assgnment to x of an element chosen unformly at random from S. If A s an algorthm, then y A(x) denotes the assgnment to y of the output of A on nput x, and f A s randomzed, then y A(x) denotes that the output of an executon of A(x) wth fresh cons s assgned to y. The Decsonal Blnear Dffe-Hellman Assumpton [6]. Let G, G T be multplcatve groups of prme order p wth an admssble map ê : G G G T. By admssble we mean that the map s blnear, non-degenerate and effcently computable. Blnearty means that for all a, b Z p and all g G we have ê(g a, g b ) = ê(g, g) ab. By non-degenerate we mean that ê(g, g) = 1 f and only f g = 1. Let g G be a generator. In such a settng, the blnear decsonal Dffe-Hellman (BDDH) problem s to determne, gven g, A = g a, B = g b, C = g c, and Z = ê(g, g) z, whether Z = ê(g, g) abc for hdden values of a, b, c and z. More formally, let A be an adversary for the BDDH problem. Such an adversary has advantage ǫ n solvng the BDDH problem f Pr[A(g, A, B, C,ê(g, g) abc ) = 1] Pr[A(g, A, B, C,ê(g, g) z ) = 1] ǫ, where the probabltes are over the choce of a, b, c, z and over the random cons consumed by A. Defnton 2.1 The (t, ǫ)-bddh assumpton holds f no t-tme adversary has at least ǫ advantage n the above game. We note that throughout ths paper we wll assume that the tme t of an adversary ncludes ts code sze, n order to exclude trval lookup adversares. The Decsonal Blnear Dffe-Hellman Exponent Assumpton (BDHE) [5]. The l-bdhe problem n G s: gven g, h and g (α) G, for = 1,...,l 1, l + 1,...,2l as nput, output ê(g, h) (αl) G T. Boneh, Boyen and Goh, conjectured that the l-bdhe s a hard problem, meanng wth ths that no polynomally bounded adversary A can solve t wth more than neglgble probablty, over the random choces of g, h G, the choce of α Z p, and the random con tosses of A. The decsonal verson of the problem can be defned n the usual manner. Let y = (g α, g (α2),...,g (αl 1), g (αl+1),...,g (α2l) ). An algorthm B that outputs a bt b, has advantage ǫ n solvng the decsonal l-bdhe problem n G f Pr [ B(g, h, y, ê(g, h) (αl) ) = 1 ] Pr [ B(g, h, y, T) = 1 ] ǫ, where the probabltes are taken over the random choces of g, h G, the random choce of α Z p, the random choce of T G T, and the nternal con tosses of B. Defnton 2.2 The decsonal (t, ǫ, l)-bdhe assumpton holds n G f no t-tme (probablstc) algorthm has advantage at least ǫ n solvng the decsonal l-bdhe problem n G. 3 Wcked Identty-Based Encrypton Syntax. A wcked dentty-based encrypton scheme (WKD-IBE) s a generalzaton of a HIBE scheme whch allows for more general key delegaton patterns. In a WKD-IBE scheme, secret 4

5 keys are assocated wth patterns rather than dentty vectors. A pattern P s a vector (P 1,..., P l ) ({0, 1} {*}) l of length l L, where * s a specal wldcard symbol and L s the maxmal depth of the WKD-IBE scheme. That s, each component of a pattern P s ether a specfc dentty strng or a wldcard. The man dea behnd the WKD-IBE noton s that a user n possesson of the secret key for a gven pattern P can generate secret keys for any pattern P that matches P. We say that a pattern P = (P 1,...,P l ) matches P, denoted P * P, f and only f l l; = 1...l, P = P or P = *; and = l l, P = *. More formally, a WKD-IBE scheme s a tuple of algorthms WKD-IBE = (Setup, KeyDer, Enc, Dec) provdng the followng functonalty. The root authorty frst generates a master key par (mpk,msk) Setup. Va sk P KeyDer(sk P, P ), a user possessng the secret key sk P for a pattern P = (P 1,...,P l ) can derve a secret key for any pattern P * P. The secret key of the root dentty s msk = sk (*,...,*). To create a cphertext of message m {0, 1} ntended for an dentty ID = (ID 1,...,ID l ), the sender computes C Enc(mpk,ID,m). Any user n possesson of the secret key for a pattern P such that ID * P can decrypt the cphertext usng sk P as m Dec(sk P,C,ID). Correctness requres that for all key pars (mpk,msk) output by Setup, all messages m {0, 1}, all 0 l L, all patterns P ({0, 1} {*}) l, and all denttes ID ({0, 1} ) l such that ID * P, Dec( KeyDer(msk, P), Enc(mpk,ID,m),ID ) = m wth probablty one. Securty. We defne the securty of WKD-IBE schemes n a way that s very smlar to the case of HIBE schemes, but where the adversary can query for the secret keys correspondng to arbtrary patterns, rather than specfc dentty vectors. Of course, the adversary s not allowed to query the key dervaton oracle for any pattern matched by the challenge dentty. More specfcally, securty s defned through the followng game wth an adversary. In the frst phase, the adversary s run on nput of the master publc key of a freshly generated key par (mpk,msk) Setup. In a chosen-plantext attack (IND-WKID-CPA), the adversary s gven access to a key dervaton oracle that on nput a pattern P ( {0, 1} {*} ) L returns sk P KeyDer(msk, P). At the end of the frst phase, the adversary outputs two equal-length challenge messages m0,m 1 {0, 1} and a challenge dentty ID = (ID 1,...,ID l ) where 0 l L. The adversary s gven a challenge cphertext C Enc(mpk,ID,mb ) for a randomly chosen bt b, and s gven access to the same oracles as durng the frst phase of the attack. The second phase ends when the adversary outputs a bt b. The adversary s sad to wn the IND-WKID-CPA game f b = b and f t never quered the key dervaton oracle for the key of any pattern P such that ID * P. If Succ s the event that the adversary wns the above game, then ts advantage s defned as ǫ = 2 Pr [Succ ] 1. Defnton 3.1 A WKD-IBE scheme s (t, q K, ǫ) IND-WKID-CPA-secure f all t-tme adversares makng at most q K queres to the key dervaton oracle have at most advantage ǫ n the IND-WKID-CPA game descrbed above. Selectve-dentty Securty. As for the case of HIBEs, we also defne the weaker selectvedentty (swkid) securty noton IND-sWKID-CPA. The IND-sWKID-CPA defnton s analogous to the IND-WKID-CPA one gven above except that the adversary has to commt to the challenge dentty at the begnnng of the game, before the master publc key s made avalable. 5

6 4 Constructons of Wcked Identty-Based Encrypton 4.1 Constructons wth Lnear-Sze Cphertexts A constructon from Gentry-Slverberg s HIBE scheme. In the followng, we present a wcked IBE scheme based on the Gentry-Slverberg HIBE scheme [11]. The scheme uses L ndependent random oracles H : {0, 1} G for 1 L. These can be derved from a sngle random oracle va standard technques [3]. We provde some ntuton nto our constructon by takng a closer look at the key dervaton of (a slght varant of) the orgnal Gentry-Slverberg HIBE scheme. For master secret key α Z p and master publc key g 1 g α, the decrypton key of an dentty (ID 0 ) at the top level s gven by sk (ID0 ) H 0 (ID 0 ) α. The key for a lower-level dentty (ID 0,...,ID l ) s gven by sk (ID0,...,ID l ) ( H 0 (ID 0 ) α l =1 H (ID ) r, g r 1,..., g r l ) for random r 1,...,r l Z p. One could nsert a wldcard at level 1 j l by omttng the factor H j (ID j ) r j from the product n the frst component and omttng the entry g r j n the vector; any value for ID j can then be flled n later by choosng r j, multplyng H j (ID j ) r j nto the frst component and nsertng a new component g r j. Insertng a wldcard at the top level s not so easy though, as knowledge of the master key α s requred to compute the factor H 0 (ID 0 ) α. We therefore dsable the top level by fxng t to dentty, or equvalently, by ncludng h 0 = H 0 ( ) n the publc key. A smlar fx can be used to prevent a user at level l < L to further derve keys for users at levels l + 1,...,L. Namely, the key s computed as f t were for the dentty at level L wth the components at levels l + 1,...,L fxed to. Equvalently, one can nclude the elements h = H ( ) for 1 L n the publc key. Before presentng the scheme, we frst need to ntroduce some addtonal notaton. If P = (P 1,...,P l ) s a pattern, then let P = l be the length of P, let W(P) be the set contanng all wldcard ndces n P,.e. the ndces 1 l such that P = *, and let W(P) be the complementary set contanng all non-wldcard ndces. Clearly, W(P) W(P) = and W(P) W(P) = {1,...,l}. We also extend the notatons P, P > and P I that we ntroduced for dentty vectors to patterns n the natural way. We are now ready to present the GS-WKD-IBE scheme n full detals: Setup. The root dentty chooses random generators g, h 0,...,h L G. It chooses α Z p and computes g 1 g α. It publshes mpk (g, g 1, h 0,...,h L ) as the master publc key and keeps msk h α 0 secret. Key Dervaton. To compute a secret key for a pattern P = (P 1,...,P l ) drectly from the master secret key, the root proceeds as follows. Let I = W(P) {l + 1,...,L}. For all I the root chooses r Z p and lets b g r. It then computes a msk W(P) H (P ) r =l+1,...,l hr. The secret key for pattern P s sk P (a,(b ) I ). Anyone knowng ths secret key can generate a key for a pattern P = (P 1,...,P l ) * P as follows. Let I = W(P ) {l + 1,...,L}. Note that P * P mples that I I. For all I, choose r Z p and compute b b g r ; for all I \ I, choose r Z p and compute b gr. Fnally, compute a a W(P ) H (P L )r =l +1 hr and return the secret key sk P (a, (b ) I ). Encrypton. To encrypt a message m G T to dentty ID = (ID 1,...,ID l ) under mpk = 6

7 (g, g 1, h 0,...,h L ), the sender chooses t Z p, computes C 0 g t C H (ID ) t for = 1,...,l C h t for = l + 1,...,L C L+1 ê(g 1, h 0 ) t m and outputs the cphertext C = (C 0,...,C L+1 ). Decrypton. A recpent knowng the secret key sk P for a pattern P = (P 1,...,P l ) can decrypt a cphertext (C 0,...,C L+1 ) ntended to any dentty ID * P as follows. Let I = W(P) {l + 1,...,L} and let a P = (a,(b ) I ). The recpent recovers the plantext as I m C L+1 ê(b,c ). ê(c 0, a) Note that the recpent need not even know the exact dentty under whch the message was encrypted. The fact that decrypton works can be seen as follows. Let P = (P 1,...,P l ) be a pattern, let I = W(P) {l+1,..., L} and let sk P = (a,(b ) I ) be a secret key for P. For all I, let r be the dscrete logarthm of b wth respect to g,.e. b = g r. From the key dervaton algorthm one can see that a = h α 0 W(P) H (ID ) r L =l+1 hr. When (C 0,...,C L+1 ) s a cphertext ntended for ID = (ID 1,...,ID l ) * P, we have that ê(c 0, a) = ê (g t, h α 0 W(P) H (P ) r L ) =l+1 hr = ê(g t, h α 0) W(P) = ê(g 1, h 0 ) t ê(b,c ), I ê ( g r, H (P ) t) L =l+1 ê ( g r, h t ) where the last equalty holds because P = ID for all W(P) f ID * P. Hence, the value of K at decrypton s exactly the argument of H 2 at encrypton, and the correct message s recovered. The followng theorem states the securty of the above scheme n the selectve-dentty noton under the BDDH assumpton n the random oracle model. Securty n the full-dentty noton can be obtaned at the cost of losng a factor O(qH L ) n the reducton. Theorem 4.1 Under the (t, ǫ ) BDDH assumpton, thegs-wkd-ibe scheme descrbed above s (t, q K, q H, ǫ) IND-sWKID-CPA-secure n the random oracle model for ǫ 2ǫ and t t (q H + (q K + 3)L)t exp, where t exp s the tme requred to perform an exponentaton n G. Proof of Theorem 4.1: Gven an adversary A aganst the IND-sWKID-CPAsecurty of GS-WKD-IBE, consder the followng BDH algorthm B. On nput (g, A = g a, B = g b, C = g c, Z), B frst runs A to obtan the target dentty ID = (ID 1,...,ID l ). It then chooses random ntegers α 1,...,α L Z p, sets g 1 A, h 0 B, h g α B 1 for 1 l and h g α for l + 1 L, and runs A agan on nput mpk = (g, g 1, h 0,...,h L ). Note that from A s pont 7

8 of vew, the publc key conssts entrely of random elements of G, as requred. To answer A s oracle queres, B keeps a set Q and assocatve arrays L 1, [ ], s [ ] and L 2 [ ] for = 1,...,L. It ntalzes these by choosng s [ID ] Z p and L 1, [ID ] g s [ID ] for all = 1,...,L; all other entres are left undefned. Algorthm B responds to A s oracle queres as follows: Random oracle queres H (ID ): If L 1, [ID ] s defned, then B returns ths value. Otherwse, t chooses s [ID ] Z p, sets L 1, [ID ] g s [ID ] B 1 and returns L 1, [ID ]. Note that the response s unformly dstrbuted over G, as requred, due to the random choce of s [ID ]. Key dervaton queres for P = (P 1,...,P l ): Before gong nto the detals of how keys are smulated, let s have a closer look at the way they are supposed to be dstrbuted. If I = W(P) {l + 1,...,L}, then the secret key for pattern P s a tuple sk P = (a,(b ) I ) where the b are unformly dstrbuted over G and a s the unque element such that ê(a, g) = ê(g 1, h 0 ) W(P)ê(b, H (P )) L =l+1ê(b, h ). (1) Gven a key (a,(b ) I ) for whch the above relaton for a holds but the b are not unformly dstrbuted, t s easy to see that one can re-randomze the key nto a correctly dstrbuted one sk P = (a, (b ) I) by choosng r Z p for all I, settng b b g r and computng a a W(P) H (P ) r L =l+1 hr. Snce ID * P, at least one of the followng three condtons must be satsfed: 1. l < l. In ths case, B lets b l g x, b 1 for I \ {l } and a (g x ) α l. Snce ê(1, ) = ê(, 1) = 1, fllng these values nto the rght-hand sde of Equaton (1) gves ê(g 1, h 0 ) ê(b l, h l ) = ê(g x, g y ) ê(g x, g α l g y ) = ê(g x, g α l ) = ê(a, g). Re-randomzng ths key as explaned above gves a correctly dstrbuted key for P. 2. There exsts 1 j l such that P j * and P j ID j. In ths case, B sets b j g x, b 1 for I \{j}, a (g x ) s j[p j ] and re-randomzes (a,(b ) I ) as explaned above. Ths key satsfes Equaton (1) because ê(g 1, h 0 ) ê(b j, H 1,j (P j )) = ê(g x, g y ) ê(g x, g s j[p j ] g y ) = ê(g x, g s j[p j ] ) = ê(a, g). 3. There exsts l + 1 j L such that P *. In ths case, B proceeds exactly as n the prevous case. The correctness of the key holds by the same arguments. At some pont, A outputs challenge messages m 0,m 1. Algorthm B chooses a random bt b {0, 1} and generates the challenge cphertext (C 0,...,C L+1 ) that t feeds to A as C 0 C C C s [ID ] for 1 l C C α for l + 1 L C L+1 m b Z. If A outputs b = b, then B outputs 1; else, t outputs 0. 8

9 One can see from the way that H (ID ) and h were smulated for 1 l and for l + 1 L, respectvely, that the challenge cphertext s correctly dstrbuted f Z = ê(g, g) abc, so n ths case A outputs b = b wth probablty 1/2 ± ǫ/2. However, f Z s a random element from G T, then A s vew s ndependent of B s choce of b, so ts probablty of outputtng b = b s 1/2. Therefore, we have that the BDDH advantage of B s ǫ = 1/2 ± ǫ/2 1/2 = ǫ/2. The runnng tme of B s roughly that of A plus 2L exponentatons at the ntalzaton phase, q H +q K L exponentatons durng the smulaton, and L exponentatons to generate the challenge cphertext. Constructons from Boneh-Boyen s and Waters HIBE schemes. The attentve reader wll have notced the resemblance of the above scheme wth the HIBE schemes of Boneh-Boyen [4] and Waters [20]. Indeed, f dentty strngs are elements of Z p, then one can obtan a wcked IBE varant of [4] by settng H (ID ) = h,0 h ID,1, where h,0, h,1 are random elements of G that are fxed n the master publc key. Ths scheme can be proved IND-sWKID-CPA secure under the BDDH assumpton n the standard (.e., non-random oracle) model usng a proof qute smlar to the above analyss. Lkewse, one can obtan a varant based on Waters HIBE scheme when denttes are n-bt strngs by settng H (ID = ID,1...ID,n ) = h,0 ID,j =1 h,j. An analyss smlar to the one n [20] can be used to prove ths scheme IND-WKID-CPA secure under the BDDH assumpton n the standard model at the cost of losng a factor O((nq K ) L ) n the reducton. 4.2 Constructons wth Constant-Sze Cphertexts In ths secton, we descrbe effcent wcked IBE schemes wth constant-sze cphertexts based on the Boneh-Boyen-Goh [5] and Waters [20] HIBE schemes. We buld the wcked IBE scheme BBG-WKD-IBE = (Setup, KeyDer, Enc, Dec) descrbed as follows: Setup. The trusted authorty chooses random generators g from G, a random α Z p and sets g 1 g α. Next, t pcks random elements g 2, g 3, h 1,...,h L from G and sets g 4 g α 2. The master publc key s mpk = (g, g 1, g 2, g 3, h 1,...,h L ). The correspondng master secret key s msk = g 4. Key Dervaton. Let P = (P 1,...,P l ) ( Z p {*} ) L be the pattern for whch a secret key needs to be generated. To compute the secret key for P from the master secret key, frst a random r Z p s chosen, then the secret key sk P = (a 1,a 2,b ) for P s constructed as ( ) r a 1 = g 4 g 3 ; a 2 = g r ; b = (b = h r ) W(P ). W(P ) h P In order to generate the secret key sk P for pattern P from the secret key sk P = (a 1,a 2,b) for pattern P such that P * P, ones smply chooses a random r Z p and outputs sk P = (a 1,a 2,b ), where ( ) r ( ) a 1 = a 1 g 3 W(P ) a 2 = a 2 g r ( ) b = b = b h r h P W(P ) W(P ) T W(P) b P 9

10 Encrypton. To encrypt a message m G T for an dentty ID = (ID 1,...,ID l ), the sender frst chooses t Z p and outputs the cphertext C = (C 1,C 2,C 3 ) G G G T, where ( l C 1 = g t ; C 2 = g 3 =1 h ID ) t ; C 3 = m ê(g 1, g 2 ) t. Decrypton. Let be the C = (C 1,C 2,C 3 ) and ID = (ID 1,...,ID l ) be the dentty to whch the cphertext was created. If the recever s the root authorty holdng the master key msk, then he can recover the message by computng C 3 /ê(c 1,msk). Any other recever holdng a secret key for pattern P such that ID * P can decrypt the cphertext as follows. Let sk P = (a 1,a 2,b) be the decrypton key for the recever. He can recover the message by computng a 1 a 1 ( W(P) l bid ) and m C 3 ê(a 2, C 2 ) ê(c 1, a 1 ). The fact that decrypton works can be seen as follows. Snce ID * P, we have that P = ID for all W(P) l. Thus the quantty ê(a 2,C 2 ) ê(c 1,a 1 ) becomes: ê(a 2,C 2 ) ê(c 1,a 1 W(P) l b ID ) = ê(gr, (g l 3 =1 hid ) r ) ê(g t, g 4 (g 3 W(P) hp ) r W(P) l b ID ) = ê(g r, (g l 3 =1 hid ) t ) ê(g t, g 4 ) ê(g t, (g l 3 =1 hid ) r ) = 1 ê(g t, g 4 ) = 1 ê(g 1, g 2 ) t The followng theorem states the securty of the above scheme n the selectve-dentty noton under the l-bdhe assumpton n the standard model. We remark that, nterestngly, we can only prove securty of the scheme based on the l-bdhe assumpton, whereas the weaker l-bdhi assumpton was suffcent for the securty proof of the HIBE scheme [5]. Theorem 4.2 Let BBG-WKD-IBE be the WKD-IBE scheme as descrbed above. Under the decsonal (t, ǫ, l)-bdhe assumpton, thebbg-wkd-ibe scheme of depth L = l 1 s (t, q K, 2ǫ) IND-sWKID-CPA-secure where t = t O(Lq K ) t exp and t exp s the tme t takes to perform an exponentaton n G. Proof: We assume that there exst an adversary A that breaks the IND-WKID-CPA-securty of WKD-IBE scheme BBG-WKD-IBE and then we show how to effcently buld another adversary B that, usng A as a black box, manages to break the l-bdhe problem n G. Let g, h, y = (y 1,...,y l 1, y l+1,...,y 2l ) wth y = g α G, and T G T be gven to B as nput. Adversary B s task s to decde f T = ê(g, h) αl or f T s unform n G. Intalzaton. Adversary A frst outputs an dentty vector ID = (ID 1,...,ID m) (Z p) m for m L she ntends to attack. By paddng ID wth zero denttes we can assume that ID s a vector of sze L = l 1. Setup. Adversary A prepares a correctly dstrbuted master publc key mpk = (g, g 1, g 2, g 3, h 1,...,h L ) as follows. Intally t pcks random values γ, γ 1,...,γ L, δ from Z p and defnes g 1 y 1 = g α ; g 2 y l 1 g γ = g αl 1 +γ ; g 3 10 g δ L =1 y ID l

11 and h g γ /y l, 1 L = l 1. Note that the master secret key s mplctly defned as g 4 = g2 α = gαl +γα = y l y γ 1 unknown to A snce y l = g αl s unknown. whch s Key Dervaton queres. Suppose adversary B makes a key dervaton query for pattern P = (P 1,...,P u ) (Z p {*}) u of length u L. By paddng P wth zero denttes we can assume that P s a vector of sze L = l 1. By the defnton of the securty experment, we know that ID * P. That means that there exsts an ndex k W(P) such that P k ID k. We defne k to be the smallest of all possble ndces. B pcks a random r Z p and (mplctly) sets r αk ID k P + r Z p. The secret key sk k P = (a 1,a 2,b) for P s constructed as ( a 1 = g 4 g 3 W(P) h P ) r ; a 2 = g r ; (b = h r ) W(P) We have ( g 3 W(P) h P ) r = = ( L g δ =1 y ID l W(P) ( g δ+p W(P) P γ g γ P y P l W(P)\{k} ) r y ID P l y ID k P k l k W(P) y ID l ) r We splt ths term up nto the two factors A Z, where A = (y ID k P k l k ) r s the thrd product only. It can be checked that Z can be computed by A,.e. the terms y only appear wth ndces {1,...,l 1, l + 1,...,2l}. The term A can be expressed as Hence, A = g αl k (ID k P k)( α k ID k P k + r) = y 1 l y (ID k P k) r l k a 1 = g 4 A Z = y l y γ 1 y 1 l y (ID k P k) r l k Z = y γ 1 y(id k P k) r l k Z can be computed by A. Furthermore, g r = g α k ID k P + r k = y 1 ID k P k k g r and for each W(P), α k h r = (g γ /y l ) ID k P + r k = y can be computed snce k W(P). γ ID P k k y 1 ID k P k k+l g γ r y r l Challenge. Eventually A returns two messages m 0 and m 1 on whch she wants to be challenged on. Adversary B flps a con b and creates a challenge cphertext C = (C 1,C 2,C 3 ) for target dentty ID as follows C 1 = h ; C 2 = h δ+p L =1 ID γ ; C 3 = m b T ê(y 1, h) γ 11

12 Defne t Z p such that h = g t. We show that n case T = ê(g, h) αl, C s a correctly dstrbuted cphertext wth (unknown) randomness t. For C2 we have ( L ) t ( L L ) t g 3 h ID = g δ y ID l g γ ID ID y l =1 = =1 ( L g δ =1 g γ ID = h δ+p L =1 γ ID = C 2 For C 3 we use ê(y, y j ) = ê(g, y +j ) to show =1 ) t m b ê(g 1, g 2 ) t = m b ê(y 1, y l 1 g γ ) t = m b ê(h, y l ) ê(y 1, h) γ = C 3 Guess. Eventually, adversary A outputs a bt b. Fnally, adversary B termnates her game and returns 1 (meanng T = ê(g, h) αl ) f b = b, and returns 0 (meanng T G s random) otherwse. When T = ê(g, h) αl from adversary B s nput then A s vew s dentcal to ts vew n a real attack game and therefore A satsfes Pr[b = b ] 1/2 ε/2. When the T s unform n G then A s vew s ndependent of the bt b and therefore Pr [b = b ] = 1/2. Therefore, Pr [ B(g, h, y, ê(g, h) (αl) ) = 1 ] Pr [ B(g, h, y, T) = 1 ] (1/2 ± ε/2) 1/2 = ε/2, from whch the theorem follows. Full securty n the standard model. It s mentoned n [5] that usng technques from Waters [20] one can construct a varant of ther HIBE scheme that acheves full securty n the standard model. The same technques can be also used to acheve full IND-WKID-CPA securty n the standard model for the BBG-WKD-IBE scheme, at the cost of ncreasng the master publc key sze to (n + 1)L + 3 group elements, where n s the length of an dentty strng. 4.3 Full Securty n the Random Oracle Model As n the case of IBE and HIBE schemes [4, 5], any WKD-IBE schemewkd-ibe that s IND-sWKID-CPA-secure can be transformed nto a WKD-IBE schemewkd-ibe that s IND- WKID-CPA-secure n the random oracle model, by replacng every pattern (or dentty) at key dervaton or encrypton wth the hash of that pattern, f that pattern s not a wldcard. That s, any gven pattern P = (P 1,...,P l ) nwkd-ibe s mapped onto a pattern P = (P 1,...,P l ) n WKD-IBE, where P = H (P ) f P * or P = * otherwse, and H, 1 L are ndependent random oracles mappng arbtrary bt strngs nto an approprate range ID correspondng to the dentty space ofwkd-ibe. As n the cases of HIBE schemes, ths transformaton only works f the depth L s logarthmc n the securty parameter due to the loss of a factor O(qH L ) n the reducton. Moreover, ID needs to be suffcently large to make the probablty of collsons n the output of the hash functon neglgble. 12

13 5 Applcaton to Identty-Based Broadcast Encrypton 5.1 Defntons An dentty-based broadcast encrypton (IBBE) scheme s a tuple of algorthms IBBE = (Setup, KeyDer, Enc, Dec) provdng the followng functonalty. The trusted authorty runs Setup to generate a master key par (mpk,msk). It publshes the master publc key mpk and keeps the master secret key msk prvate. When a user wth dentty ID wshes to become part of the system, the trusted authorty generates a user decrypton key sk ID KeyDer(msk,ID), and sends ths key over a secure and authentcated channel to the user. To broadcast an encrypted message m to a set of users wth denttes S = {ID 1,...,ID k } of cardnalty k L, the sender computes the cphertext C Enc(mpk, S,m), whch can be decrypted by a user holdng sk ID for any ID S as m Dec(sk ID,C, S). Here the value L s an upper bound on the maxmal number of dstnct recevers for a broadcast encrypton. The securty of an IBBE scheme s defned through the followng game. In a frst phase, the adversary s gven as nput the master publc key mpk of a freshly generated key par (mpk,msk) Setup. In a chosen-plantext attack (IND-ID-CPA), the adversary s gven access to a key dervaton oracle that on nput of an dentty ID, returns the secret key sk ID KeyDer(msk, ID) correspondng to dentty ID. At the end of the frst phase, the adversary outputs two equal-length challenge messages m0,m 1 {0, 1} and a challenge set of denttes S = (ID 1,...,ID k ), where 0 k L. The game chooses a random bt b {0, 1}, generates a challenge cphertext C Enc(mpk, S,mb ) and gves C as nput to the adversary for the second phase, durng whch t gets access to the same oracles as durng the frst phase. Assume that durng the attack the adversary made key dervaton queres for denttes ID 1,...,ID qk. The adversary wns the game f t outputs a bt b = b and S {ID 1,...,ID qk } =. Defnton 5.1 An IBBE scheme s (t, q K, ǫ)-ind-id-cpa-secure f all t-tme adversares makng at most q K queres to the key dervaton oracle have at most advantage ǫ n wnnng the IND-ID-CPA game descrbed above. Selectve-dentty Securty. As for the prevous prmtves, we further defne the weaker (sid) securty noton IND-sID-CPA. The IND-sID-CPA defnton s analogous to the IND- ID-CPA one except that the adversary has to commt to the challenge set of denttes S = (ID 1,...,ID k ) at the begnnng of the game, before even seeng the publc-key. 5.2 A Constructon from any Wcked Identty-Based Encrypton Scheme Frst, observe that an IBBE scheme can be trvally constructed from any IBE scheme by concatenatng cphertext. Meanng, the IBBE encrypton for the dentty set ID = {ID 1,...,ID k } s smply the concatenaton of k separate cphertexts, one for each dentty ID n the set ID. Ths leads to IBBE cphertext szes that are a factor of k longer than the orgnal IBE cphertexts. We now present a generc constructon from any WKD-IBE scheme that, dependng on the nstantaton, can offer advantages over the trval one. To any WKD-IBE scheme WKD-IBE = (Setup, KeyDer, Enc, Dec), we assocate an IBBE schemeibbe = (Setup, KeyDer, Enc, Dec ). For an dentty ID {0, 1}, defne P (ID) = (*,...,*, }{{} ID,*,...,*) th poston as a pattern of length L that has ID at ts th poston and the rest conssts of wldcards. 13

14 Setup. Setup outputs whatever the WKD-IBE setup outputs. Key Dervaton. Let ID be the dentty for whch the user secret key sk ID needs to be generated. The user secret key s defned as the set of L dstnct WKD-IBE user secret keys sk ID = {sk P1 (ID),...,sk PL (ID)}, where sk P (ID) can be computed by callng KeyDer(msk, P (ID)). Encrypton. Let m be the message and let S = {ID 1,...,ID k } be the set of broadcast recpents of cardnalty k L that we assume to be ordered wth respect to some unque standard orderng. The IBBE cphertext s defned as the WKD-IBE encrypton of message m and dentty vector ID = (ID 1,...,ID k ). Decrypton. Let sk ID = {sk P1 (ID),...,sk PL (ID)} be the user secret key of dentty ID. Let S = {ID 1,...,ID k } be the set of k L recpents to whom the cphertext C was encrypted, and let ndex 1 j k be such that ID = ID j S. It s clear that (ID 1,...,ID,...,ID k ) * P j (ID), and therefore that the cphertext can be decrypted as m Dec(sk Pj (ID),C,ID). Theorem 5.2 Assume an WKD-IBE schemewkd-ibe s (t, q K, ǫ) IND-sWKID-CPA-secure (resp. IND-WKID-CPA-secure). Then the IBBE schemeibbe descrbed above s (t, q K, ǫ)- IND-sID-CPA-secure (resp. IND-ID-CPA-secure). The crucal observaton s the followng. Let S = {ID 1,...,ID k } be the set of challenge broadcast recevers and let ID 1,...,ID qk be the denttes an adversary attackng the IBBE scheme queres the user secret key for. The mposed requrement s that S {ID 1,...,ID qk } =. For 1 q K and 1 j L consder the user secret keys for the patterns P j (ID ) = (*,...,*,ID,*,...,*) (.e., ID s at the jth poston) that are establshed by the transformaton when smulatng the IBBE key dervaton oracle. For a successful smulaton we have to show that ID = (ID 1,...,ID k ) * P j (ID ). But ths s the case snce by S {ID 1,...,ID qk } = and we can guarantee that ID ID l for all 1 q K and 1 l k. The above constructon allows for the followng trade off between cphertext sze and key sze. If L = L A, then one can obtan an IBBE scheme wth cphertext sze of A tmes that of the WKD-IBE scheme, whle havng a key length that s only L tmes that of the WKD-IBE scheme. The new scheme creates master publc keys to allow for broadcast encrypton to sets of maxmal cardnalty L. To encrypt a message to a set of broadcast denttes S = {ID 1,...,ID k } of cardnalty k L splt the set S nto A smaller sets S 1,...,S A, each of cardnalty L/A L and defne the new broadcast cphertext to be (C 1,...,C A ), where C s the encrypton of the message m to the set S. 5.3 Instantatons Among all the nstantatons of IBBE schemes based on WKD-IBE schemes, the most attractve one s that obtaned from the WKD-IBE scheme based on [5] because t acheves constant-sze cphertexts. However, t has the dsadvantage of havng prvate keys of sze O(L 2 ). Instantatons wth any of the other WKD-IBE schemes that we proposed are less attractve because they have cphertext sze O(L), just lke the trval cphertext-concatenaton scheme. Unlke most other (publc-key) broadcast schemes however, these nstantatons do have the remarkable advantage that knowledge of the set of recpents s not requred n order to decrypt the message. Chatterjee and Sarkar [8] recently proposed a drect IBBE scheme that s closely related to our generc constructon when nstantated wth the WKD-IBE scheme based on [5]. Ther 14

15 scheme does not mpose an a pror maxmum on the number of recpents l, but makes clever use of a non-cryptographc hash functon to acheve an average cphertext sze O(l/L) and prvate key sze O(L), where the average s taken over the recpents denttes. Ths means that when l L, ther scheme has constant cphertext sze on average. Worst-case however, ther scheme has cphertext sze O(l), whch s worse than our constructon. 6 Wcked and Wldcard Sgnatures As observed by Naor [6], any IBE scheme automatcally gves rse to a sgnature scheme by usng as a sgnature on message m the decrypton key for dentty ID = m. Verfcaton can be done by encryptng a random message to dentty ID = m and testng whether t decrypts correctly, but most concrete schemes have a more natural and effcent verfcaton test. Lkewse, one can construct an L-level herarchcal dentty-based sgnature (HIBS) scheme from an (L + 1)- level HIBE [11] by lettng the sgnature on message m by dentty (ID 1,...,ID l ) be gven by the decrypton key for dentty (0 ID 1,...,0 ID l, 1 m). The same technque can be used to construct wcked dentty-based sgnatures (WKD-IBS), the sgnng analogue to wcked IBE. Here, a root authorty derves secret sgnng keys for dentty patterns wth wldcards, from whch anyone can further derve sgnng keys for matchng patterns. An L-level WKD-IBS s constructed from an (L + 1)-level WKD-IBE by lettng the sgnature on message m by dentty (ID 1,...,ID l ) be gven by the decrypton key for dentty (0 ID 1,...,0 ID l, 1 m). Alternatvely, and perhaps more nterestngly, one could also use the wldcard functonalty as a homomorphsm on the message beng sgned, rather than for the sgners denttes. Ths yelds a new prmtve that we call wldcard sgnatures, that allow to sgn message patterns nstead of smple messages, possbly contanng wldcards at certan postons. Gven such a sgnature, anyone can compute a vald sgnature for any message created by replacng wldcards wth concrete values. Ths could be used for example to mplement sgned fll-out forms, where each nput feld s represented by a wldcard n the message. The constructon from a WKD-IBE scheme s straghtforward: the key par s gven by the master key par of the WKD-IBE scheme. The sgnature on a message pattern P s gven by the decrypton key for P. Dervng a vald sgnature for a message pattern P * P can be done by dervng a decrypton key for P. Verfcaton s done by fllng up the remanng wldcards wth random messages to create a vector of messages M, encryptng a random message under dentty M, and checkng whether decrypton usng the sgnature as secret key returns the correct message. In fact, one can easly see that the schemes dscussed here allow for more effcent determnstc verfcaton algorthms. Wldcard sgnatures can be seen as a specal nstance of homomorphc sgnatures [16, 14, 2, 15]. Ther relaton to wcked IBE s partcularly remnscent of the relaton between HIBS schemes and append-only sgnatures [15]. They can also be seen as the dual of redactable sgnatures [14] that allow anyone to erase parts of a sgned message wthout nvaldatng the sgnature. A farly smple, generc constructon from standard sgnatures also exsts. Namely, for each wldcard n the message the sgner generates a fresh key par, and then sgns the message together wth all generated publc keys. The overall sgnature also contans the publc and secret keys correspondng to all wldcards. To replace a wldcard at poston wth a concrete value, the -th secret key s replaced wth a sgnature on the new value under the -th publc key. The dsadvantage of ths generc constructon s that sgnature length and verfcaton tme are both lnear n the number of orgnal wldcards n the message, even after these wldcards have been replaced wth orgnal values. The sgnature length and verfcaton tme of the scheme derved 15

16 from thebbg-wkd-ibe scheme on the other hand s only lnear n the number of wldcards that are stll present n the message. Also, sgnatures generated by the generc constructon are lnkable n the sense that one can check whether a gven sgnature was derved from a second one by fllng n wldcards. The decrypton keys of thebbg-wkd-ibe scheme, and therefore the sgnatures of the assocated wldcard sgnature scheme, can be re-randomzed to prevent ths type of lnkablty. Fnally, one could even magne wcked wldcard sgnatures that allow for wldcards n both the sgners denttes and the messages beng sgned. Such schemes are easly constructed from a WKD-IBE scheme by usng a dfferent encodng for dentty strngs and messages, as was done n the constructon of WKD-IBS schemes above. Acknowledgements The authors have been supported n part by the European Commsson through the IST Program under Contract IST ECRYPT. The frst author was supported n part by France Telecom R&D as part of the contract CIDRE, between France Telecom R&D and École normale supéreure. The second author was supported n part by the research program Sentnels ( Sentnels s beng fnanced by Technology Foundaton STW, the Netherlands Organzaton for Scentfc Research (NWO), and the Dutch Mnstry of Economc Affars. The thrd author s a Postdoctoral Fellow of the Research Foundaton Flanders (FWO- Vlaanderen), and was supported n part by the European Commsson through IST Program under Contract IST SPEED, and n part by the IAP Programme P6/26 BCRYPT of the Belgan State (Belgan Scence Polcy). References [1] Mchel Abdalla, Daro Catalano, Alex Dent, John Malone-Lee, Gregory Neven, and Ngel Smart. Identty-based encrypton gone wld. In Mchele Bugles, Bart Preneel, Vladmro Sassone, and Ingo Wegener, edtors, ICALP 2006: 33rd Internatonal Colloquum on Automata, Languages and Programmng, Part II, volume 4052 of Lecture Notes n Computer Scence, pages Sprnger-Verlag, Berln, Germany, July 9 16, [2] Mhr Bellare and Gregory Neven. Transtve sgnatures: new schemes and proofs. IEEE Transactons on Informaton Theory, 51(6): , [3] Mhr Bellare and Phllp Rogaway. Random oracles are practcal: A paradgm for desgnng effcent protocols. In ACM CCS 93: 1st Conference on Computer and Communcatons Securty, pages 62 73, Farfax, Vrgna, USA, November 3 5, ACM Press. [4] Dan Boneh and Xaver Boyen. Effcent selectve-id secure dentty based encrypton wthout random oracles. In Chrstan Cachn and Jan Camensch, edtors, Advances n Cryptology EUROCRYPT 2004, volume 3027 of Lecture Notes n Computer Scence, pages , Interlaken, Swtzerland, May 2 6, Sprnger-Verlag, Berln, Germany. [5] Dan Boneh, Xaver Boyen, and Eu-Jn Goh. Herarchcal dentty based encrypton wth constant sze cphertext. In Ronald Cramer, edtor, Advances n Cryptology EURO- CRYPT 2005, volume 3494 of Lecture Notes n Computer Scence, pages , Aarhus, Denmark, May 22 26, Sprnger-Verlag, Berln, Germany. 16

17 [6] Dan Boneh and Matthew K. Frankln. Identty based encrypton from the Wel parng. SIAM Journal on Computng, 32(3): , [7] Dan Boneh, Crag Gentry, and Brent Waters. Colluson resstant broadcast encrypton wth short cphertexts and prvate keys. In Vctor Shoup, edtor, Advances n Cryptology CRYPTO 2005, volume 3621 of Lecture Notes n Computer Scence, pages , Santa Barbara, CA, USA, August 14 18, Sprnger-Verlag, Berln, Germany. [8] Sanjt Chatterjee and Palash Sarkar. Mult-recever dentty-based key encapsulaton wth shortened cphertext. In Rana Barua and Tanja Lange, edtors, Progress n Cryptology INDOCRYPT 2006, volume 4329 of Lecture Notes n Computer Scence, pages , Kolkata, Inda, December 11 13, Sprnger-Verlag, Berln, Germany. [9] Yevgeny Dods and Nelly Fazo. Publc key broadcast encrypton for stateless recevers. In Dgtal Rghts Management Workshop, volume 2696 of Lecture Notes n Computer Scence, pages Sprnger, November [10] Amos Fat and Mon Naor. Broadcast encrypton. In Douglas R. Stnson, edtor, Advances n Cryptology CRYPTO 93, volume 773 of Lecture Notes n Computer Scence, pages , Santa Barbara, CA, USA, August 22 26, Sprnger-Verlag, Berln, Germany. [11] Crag Gentry and Alce Slverberg. Herarchcal ID-based cryptography. In Yulang Zheng, edtor, Advances n Cryptology ASIACRYPT 2002, volume 2501 of Lecture Notes n Computer Scence, pages , Queenstown, New Zealand, December 1 5, Sprnger- Verlag, Berln, Germany. [12] Vpul Goyal, Omkant Pandey, Amt Saha, and Brent Waters. Attrbute-based encrypton for fne-graned access control of encrypted data. In ACM CCS 06: 13th Conference on Computer and Communcatons Securty. ACM Press, Avalable as Cryptology eprnt Archve Report 2006/309. [13] Jeremy Horwtz and Ben Lynn. Toward herarchcal dentty-based encrypton. In Lars R. Knudsen, edtor, Advances n Cryptology EUROCRYPT 2002, volume 2332 of Lecture Notes n Computer Scence, pages , Amsterdam, The Netherlands, Aprl 28 May 2, Sprnger-Verlag, Berln, Germany. [14] Robert Johnson, Davd Molnar, Dawn Xaodong Song, and Davd Wagner. Homomorphc sgnature schemes. In Bart Preneel, edtor, Topcs n Cryptology CT-RSA 2002, volume 2271 of Lecture Notes n Computer Scence, pages , San Jose, CA, USA, February 18 22, Sprnger-Verlag, Berln, Germany. [15] Eke Kltz, Anton Mtyagn, Saurabh Panjwan, and Barath Raghavan. Append-only sgnatures. In Luís Cares, Guseppe F. Italano, Luís Montero, Catusca Palamdess, and Mot Yung, edtors, ICALP 2005: 32nd Internatonal Colloquum on Automata, Languages and Programmng, volume 3580 of Lecture Notes n Computer Scence, pages , Lsbon, Portugal, July 11 15, Sprnger-Verlag, Berln, Germany. [16] Ronald Rvest. Two sgnature schemes. Sldes from talk gven at Cambrdge Unversty, October 17, 2000., [17] Ryuch Saka, Kyosh Ohgsh, and Masao Kasahara. Cryptosystems based on parng. In SCIS 2000, Oknawa, Japan, January

18 [18] Hovav Shacham. The BBG HIBE has lmted delegaton. Cryptology eprnt Archve, Report 2007/201, [19] Ad Shamr. Identty-based cryptosystems and sgnature schemes. In G. R. Blakley and Davd Chaum, edtors, Advances n Cryptology CRYPTO 84, volume 196 of Lecture Notes n Computer Scence, pages 47 53, Santa Barbara, CA, USA, August 19 23, Sprnger- Verlag, Berln, Germany. [20] Brent R. Waters. Effcent dentty-based encrypton wthout random oracles. In Ronald Cramer, edtor, Advances n Cryptology EUROCRYPT 2005, volume 3494 of Lecture Notes n Computer Scence, pages , Aarhus, Denmark, May 22 26, Sprnger- Verlag, Berln, Germany. 18